From: Joshua Brindle <jbrindle@tresys.com>
To: Stephen Smalley <sds@tycho.nsa.gov>
Cc: selinux <selinux@tycho.nsa.gov>
Subject: Re: [PATCH] disallow * and ~ in rules
Date: Thu, 23 Jun 2005 15:29:07 -0400 [thread overview]
Message-ID: <200506231529.07106.jbrindle@tresys.com> (raw)
In-Reply-To: <1119553228.28493.197.camel@moss-spartans.epoch.ncsc.mil>
On Thursday 23 June 2005 15:00, Stephen Smalley wrote:
> On Thu, 2005-06-23 at 14:47 -0400, Joshua Brindle wrote:
> > I agree that neverallow has very legitimate reasons for * but dontaudit
> > and auditallow are a little less clear. Perhaps auditallow should allow
> > *, it's conceivable that someone would want to audit all access to an
> > object (though in the current policies and reference policy * would have
> > the same net effect as domain with fewer avtab entries). This may not be
> > the case for all policies though. The attached patch disallows it in all
> > rule types but neverallow.
>
> Yes, I think requiring people to use an attribute like domain or
> file_type is preferable anyway; otherwise you end up with massive
> explosion in the set of rules for a lot of types that can't possibly be
> used in that manner anyway.
>
agreed.
> > I forgot to mention constraints, which currently allow * and ~, any
> > thoughts on this?
>
> I'd exclude * and ~ entirely in type sets except for neverallow. In
> every other case, we should be using type attributes (like domain or
> file_type) and type set exclusion rather than * or ~. For permission
> sets, I think they are useful. For role sets, I'm not sure - we don't
> have a parallel to attributes for roles, so there is no easy way to say
> all roles or all roles except X,Y,Z in any other way.
in the constraint case * seems to be entirely unnecessary. However I'm not
convinced that a compliment would never be useful in a constraint.
As for roles, it certainly isn't an issue now but one can easily concieve a
policy that creates a role for each user on the system. Then something like
allow system_r * would actually make sense (err, more sense than now) but
still isn't the best way, which would be adding the allow when the role is
created. I don't think it's a problem to remove * and ~ from role sets, at
least not yet.
Joshua
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
next prev parent reply other threads:[~2005-06-23 19:29 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2005-06-23 16:17 [PATCH] disallow * and ~ in rules Joshua Brindle
2005-06-23 17:54 ` Stephen Smalley
2005-06-23 18:47 ` Joshua Brindle
2005-06-23 19:00 ` Stephen Smalley
2005-06-23 19:29 ` Joshua Brindle [this message]
2005-06-23 20:19 ` Stephen Smalley
2005-06-23 20:36 ` Joshua Brindle
2005-06-24 13:59 ` Stephen Smalley
2005-06-24 6:29 ` Russell Coker
2005-06-24 11:35 ` Stephen Smalley
2005-06-24 13:24 ` Russell Coker
2005-06-24 13:29 ` Stephen Smalley
2005-06-24 14:29 ` Karl MacMillan
2005-06-27 15:06 ` Joshua Brindle
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=200506231529.07106.jbrindle@tresys.com \
--to=jbrindle@tresys.com \
--cc=sds@tycho.nsa.gov \
--cc=selinux@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.