[RFC] Cascade: a high level SELinux policy language
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
- To: selinux@xxxxxxxxxxxxxxx, Mickaël Salaün <mic@xxxxxxxxxxxxxxxxxxx>, James Morris <jmorris@xxxxxxxxx>, Paul Moore <paul@xxxxxxxxxxxxxx>, Chris PeBenito <pebenito@xxxxxxxx>
- Subject: [RFC] Cascade: a high level SELinux policy language
- From: Daniel Burgener <dburgener@xxxxxxxxxxxxxxxxxxx>
- Date: Thu, 4 Nov 2021 14:13:28 -0400
- User-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Thunderbird/91.2.1
We have been working over the past few months on a new high level
language for specifying SELinux policy, in line with the original intent
of CIL, to enable the creation of high level languages that compile into
CIL.
Our objective is to create a language that enables the efficient
creation of useful abstractions by policy experts while enabling those
abstractions to be easily usable by non-experts who may contribute to
portions of the policy.
The design is heavily influenced by Object Oriented principles, with a
goal of enabling the efficient creation of type hierarchies and
eliminating boilerplate through the use of inheritance. The use of
"virtual" types, (which compile into attributes) allows both attribute
like behavior, and also the creation of inherited member functions,
allowing for interfaces as in refpolicy without the redundant
boilerplate. Another key feature is "resource association" which makes
explicit the connections between domains and associated types such as
tmp files. This feature allows for common patterns (such as setting up
a tmp file with a domain transition rule and manage access) to be done
automatically behind the scenes, minimizing the chance of mistakes and
allowing policy developers to focus more on security decisions.
The core language functionality is written as a library, which will
hopefully enable the easy creation of associated tooling and plugins
that build on top of that library. It is our hope that this
architecture will assist an expansion of available tooling to aid policy
developers in their work.
This is still a very early prototype and so some functionality may be
missing or incomplete, but we wanted to make what we have so far
available for community feedback and discussion as we continue development.
You can find the code and associated documentation at
https://github.com/dburgener/cascade
I hope this is something that people will find useful and welcome
feedback and contributions as we aim towards the goal of enabling
smoother policy development.
-Daniel
[Index of Archives]
[Selinux Refpolicy]
[Linux SGX]
[Fedora Users]
[Fedora Desktop]
[Yosemite Photos]
[Yosemite Camping]
[Yosemite Campsites]
[KDE Users]
[Gnome Users]
