From: "Christopher J. PeBenito" <cpebenito@tresys.com>
To: jwcart2@tycho.nsa.gov
Cc: SELinux <selinux@tycho.nsa.gov>
Subject: Re: [refpolicy] Patch: Create non_security_file_type attribute
Date: Fri, 18 Jul 2008 11:49:12 -0400 [thread overview]
Message-ID: <1216396152.21191.163.camel@gorn> (raw)
In-Reply-To: <1216395738.26625.45.camel@moss-lions.epoch.ncsc.mil>
On Fri, 2008-07-18 at 11:42 -0400, James Carter wrote:
> On Fri, 2008-07-18 at 10:15 -0400, Christopher J. PeBenito wrote:
> > On Fri, 2008-06-27 at 14:55 -0400, James Carter wrote:
> > > This patch eliminates the expansion of the file_type attribute (due to
> > > the "-" set operation) for the *_non_security interfaces by creating a
> > > non_security_file_type attribute.
> > >
> > > On my system the resulting binary policy is almost 20% smaller. The
> > > difference is so large because there are over 1000 types labeled with
> > > the file_type attribute.
> >
> > I'm hesitant to attach non_security_file_type to the files_type
> > attribute, since its not clear to me that it makes conceptual sense.
>
> The primary goal here is a smaller binary policy. But it still makes
> sense conceptually to me because the security_file_type attribute is
> never used by itself as far as I can tell. It is always used as
> {file_type-security_file_type}.
>
> > In
> > fact a sediff of the policy reveals that auidtd_log_t gains
> > non_security_file_type while it already has security_file_type, which
> > results in rule additions with this patch added.
> That's not good. There are only a handful of types labeled with
> security_file_type, I don't know how I missed that. Sorry.
>
> The following line is the problem: files_mountpoint(auditd_log_t).
> So, a files_mountpoint_security interface would have to be created.
>
> It's not a big deal to me. If there is no interest in creating a
> non_security_file_type attribute, I won't pursue this any farther.
I think the binary policy size savings is a good enough reason to pursue
it. Brainstorming for a second, another way to address this problem
would be to change how checkpolicy handles negations. It could make a
new attribute with the resultant type set from the negation; however,
that might be bad for analysis since an attribute would magically appear
out of nowhere.
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
next prev parent reply other threads:[~2008-07-18 15:49 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2008-06-27 18:55 [refpolicy] Patch: Create non_security_file_type attribute James Carter
2008-07-18 14:15 ` Christopher J. PeBenito
2008-07-18 15:42 ` James Carter
2008-07-18 15:49 ` Christopher J. PeBenito [this message]
2008-07-18 16:03 ` James Carter
2008-07-18 17:26 ` Daniel J Walsh
2008-07-18 17:33 ` Stephen Smalley
2008-07-18 17:50 ` Daniel J Walsh
2008-07-18 18:09 ` Christopher J. PeBenito
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1216396152.21191.163.camel@gorn \
--to=cpebenito@tresys.com \
--cc=jwcart2@tycho.nsa.gov \
--cc=selinux@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.