Re: [SECILC] does not seem to filter redundant attributes and rules

[Gary Tierney <gary.tierney@gmx.com>]

[-- Attachment #1: Type: text/plain, Size: 2731 bytes --]

On Wed, Nov 09, 2016 at 09:52:35AM -0500, James Carter wrote:
> On 11/09/2016 07:40 AM, Dominick Grift wrote:
> >I am in the process of a DSSP rewrite, taking a different approach this
> >time.
> >
> >However I encountered something that seems suboptimal:
> >
> >SECILC seems to not filter redundant attributes and rules
> >
> >Example i have a type attribute and it has rules associated with it.
> >However, the type attribute is not associated with any types.
> >
> >I was hoping that SECILC would be smart enough to determine that it
> >might as well filter both the type attribute as well as the rules
> >associated with it.
> >
> >To reproduce:
> >
> >git clone https://github.com/DefenSec/dssp1-base.git
> >cd dssp1-base
> >secilc `ls *.cil`
> >sesearch -ASCT -s lib.ld_so.read_files_subj_type_attribute policy.30
> >seinfo -xalib.ld_so.read_files_subj_type_attribute policy.30
> >
> >
> >Am i expecting the impossible by expecting SECILC to be smart enough to
> >determine that something is redundant, and that it can be filtered out
> >until it becomes applicable?
> >
> >
> 
> I don't think that it would be too hard to remove attributes that have no
> types associated with them along with rules containing those attributes. I
> have this nagging feeling, though, that there is a reason that we didn't do
> that. I'll have to think about it a bit.
> 
> Jim
>

I had a hack 'n' slash attempt at this earlier for just avrules by adding
naive checks in avrule_write (libsepol/src/write.c) to check if both the
source and target type_set bitmaps have a cardinality of 0, though couldn't
help but think I was missing something else.  That didn't work in any case,
and didn't seem like the codepath is ever hit when a CIL policy is
written to disk (maybe it's only module policy avrule_write is called for?).

Any hints on where I can start prodding?  Would be nice to get an idea of how
the binary policy is serialized too.
> 
> >
> >_______________________________________________
> >Selinux mailing list
> >Selinux@tycho.nsa.gov
> >To unsubscribe, send email to Selinux-leave@tycho.nsa.gov.
> >To get help, send an email containing "help" to Selinux-request@tycho.nsa.gov.
> >
> 
> 
> -- 
> James Carter <jwcart2@tycho.nsa.gov>
> National Security Agency
> _______________________________________________
> Selinux mailing list
> Selinux@tycho.nsa.gov
> To unsubscribe, send email to Selinux-leave@tycho.nsa.gov.
> To get help, send an email containing "help" to Selinux-request@tycho.nsa.gov.

-- 
Gary Tierney

GPG fingerprint: 412C 0EF9 C305 68E6 B660  BDAF 706E D765 85AA 79D8
https://sks-keyservers.net/pks/lookup?op=get&search=0x706ED76585AA79D8

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 473 bytes --]