* ANN: SELinux Policy Server Project
From: Joshua Brindle @ 2004-12-13 20:45 UTC
To: selinux, selinux-dev

We at Tresys have started a project to design and implement an SELinux
policy server. This project, which builds on the recently completed
policy module project, will create a policy server that implements
fine-grained access controls on the SELinux policy itself, as well as
implementing an infrastructure for userspace object managers and
eventually infrastructure for network policy management. The initial
release and design document is on the Tresys webpage at
http://www.tresys.com/selinux/.

The current release implements a hierarchal structure in policies
allowing, for example, types to have subtypes with less than or equal
permissions but not more. This was mentioned before on the SELinux list;
an archive of the thread is located at
http://marc.theaimsgroup.com/?l=selinux&m=109908469725763&w=2.

An application in policycoreutils/policy-verifier will verify that the
policy is internally consistent with the hierarchy. It is a standalone
application meant to be run on a kernel policy. Instructions for running
this verification step when a module is installed are included.

The compiler included in this release understands and stores hierarchal
symbols. This compiler is experimental, however. In order to gain
acceptance of this policy language change we have made a patch against
the existing policy compiler (included in this email). The patch allows
the '.' notation to be used for roles, types, object classes,
attributes, and aliases, which can then be verified with the
standalone verifier.

This project will be long term and experimental; therefore, we would
like to solicit community involvement, especially in the form of
feedback on the requirements, architecture, and design. A sourceforge
project for this has been created at
http://sourceforge.net/projects/sepolicy-server/ . We'll be keeping the
CVS repository there up to date with development and making regular
releases to the files area.

Joshua Brindle
Tresys Technology

diff -u -r1.6 policy_scan.l
--- checkpolicy/policy_scan.l 9 Aug 2004 18:12:29 -0000 1.6
+++ checkpolicy/policy_scan.l 10 Dec 2004 20:35:43 -0000
@@ -161,7 +161,7 @@
t2 |
T2 { return(T2); }
"/"({letter}|{digit}|_|"."|"-"|"/")* { return(PATH); }
-{letter}({letter}|{digit}|_)* { return(IDENTIFIER); }
+{letter}({letter}|{digit}|_|".")*("*")? { return(IDENTIFIER); }
{letter}({letter}|{digit}|_|"."|"-")* { return(USER_IDENTIFIER); }
{digit}{digit}* { return(NUMBER); }
{hexval}{0,4}":"{hexval}{0,4}":"({hexval}|":"|".")* {
return(IPV6_ADDR); }
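
Review bot: The new IDENTIFIER pattern on the + line accepts more than the '.' notation the message describes. The trailing ("*")? admits a * at the end of any identifier, which the announcement does not mention; if it is meant as a wildcard over part of the hierarchy, document it and require it to follow a ".", otherwise drop it. The ({letter}|{digit}|_|".")* part also accepts names such as a. and a..b with empty components; either tighten it to {letter}({letter}|{digit}|_)*("."{letter}({letter}|{digit}|_)*)* or state that the standalone verifier rejects such names. The rule also now overlaps with USER_IDENTIFIER on the next context line: for a dotted name without "-" both rules match the same length and flex takes the earlier rule, so such names change from USER_IDENTIFIER to IDENTIFIER; confirm the grammar accepts IDENTIFIER wherever a dotted user name can appear.
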
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
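
The hierarchy constraint described in the announcement above (a subtype may hold at most its parent's permissions), sketched as an added example that is not part of the original post and is not the Tresys verifier. It works on simplified textual allow rules rather than a kernel policy; the sample policy, the function names, and the convention that the parent of a type is its name up to the last '.' are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample policy using the '.' notation; not taken from the release.
SAMPLE_POLICY = """
allow httpd_t web_content_t:file { read getattr };
allow httpd_t.cgi_t web_content_t:file { read };
allow httpd_t.cgi_t web_content_t:file { write };
allow httpd_t.cgi_t.php_t tmp_t:file { read };
allow user_t.guest_t home_t:dir { search };
"""

# Simplified rule form (assumption): allow SRC TGT:CLASS { PERM ... };
RULE = re.compile(r"allow\s+(\S+)\s+(\S+):(\S+)\s+\{([^}]*)\}\s*;")

def parse_allow_rules(text):
    """Return {source_type: {(target, class, perm), ...}} for simple allow rules."""
    perms = defaultdict(set)
    for src, tgt, cls, plist in RULE.findall(text):
        perms[src].update((tgt, cls, p) for p in plist.split())
    return perms

def parent_of(type_name):
    """Assumed convention: parent of 'a.b.c' is 'a.b'; top-level types have none."""
    head, dot, _ = type_name.rpartition(".")
    return head if dot else None

def hierarchy_violations(perms):
    """List (child, parent, excess) for every subtype that exceeds its parent."""
    violations = []
    for child in sorted(perms):
        parent = parent_of(child)
        if parent is None:
            continue
        # Assumption: a parent with no rules grants nothing, so every
        # permission held by the child counts as excess.
        excess = perms[child] - perms.get(parent, set())
        if excess:
            violations.append((child, parent, sorted(excess)))
    return violations

if __name__ == "__main__":
    found = hierarchy_violations(parse_allow_rules(SAMPLE_POLICY))
    for child, parent, excess in found:
        print(f"{child} exceeds {parent}: {excess}")
```
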
* Re: ANN: SELinux Policy Server Project
From: Steve G @ 2004-12-15 14:46 UTC
To: Joshua Brindle, selinux, selinux-dev
Hi,
>We at Tresys have started a project to design and implement an
>SELinux policy server.
Simple question...when I untar the source, where exactly is the source code for
the daemon? I'll give it a going over.
Thanks,
-Steve Grubb
* Re: ANN: SELinux Policy Server Project
From: Joshua Brindle @ 2004-12-15 15:15 UTC
To: Steve G; +Cc: selinux, selinux-dev

This is just the project announcement and a very preliminary release.
There is no daemon yet; what this release provides is the initial
support for hierarchal policy structure and a way to verify the policy.
This is an important first step to being able to refer to yet-unknown
parts of the policy for access control.

In selinux-doc/README.MODULES there are instructions for using the
hierarchy checker with the semodule framework.

Joshua Brindle

On Wed, 2004-12-15 at 06:46 -0800, Steve G wrote:
> Hi,
>
> >We at Tresys have started a project to design and implement an
> >SELinux policy server.
>
> Simple question...when I untar the source, where exactly is the source code for
> the daemon? I'll give it a going over.
>
> Thanks,
> -Steve Grubb