From: Dominick Grift <dac.override@gmail.com>
To: selinux@tycho.nsa.gov
Subject: Re: Announcing SPAN: SELinux Policy Analysis Notebook
Date: Mon, 8 May 2017 10:55:55 +0200 [thread overview]
Message-ID: <20170508085555.GA3701@julius> (raw)
In-Reply-To: <590F78BA.5040800@quarksecurity.com>
[-- Attachment #1: Type: text/plain, Size: 2219 bytes --]
On Sun, May 07, 2017 at 03:42:50PM -0400, Joshua Brindle wrote:
> Dominick Grift wrote:
> > On Sun, May 07, 2017 at 11:22:00AM -0400, Joshua Brindle wrote:the
> > > Dominick Grift wrote:
> > > <snip>
> > >
> > > > The idea is nice, unfortunately its inflexible and it has hard-references to reference policy all-over. It has potential but it is still rough.
> > > >
> > > Of course, it is an analysis of a refpolicy-based policy. If you want to
> > > analyze a different policy (e.g., Android or home-rolled) you will have to
> > > change out all of the type sets, etc.
> > >
> > > You can't make a magic generic analysis script without knowing how key parts
> > > of the system work and what types are associated with those components.
> >
> > What do you mean? that for example that hard-coded array of "trusted" types. Is that not just redundant.
> >
>
> you mean the example trusted types? I'm not sure I understand your concern.
>
> > Can't i just create that array myself and use it to exlude rules with types in that array? That was one does not have to hard-code it.
> >
>
> It is python, you can do anything you want. The example notebook is a
> starting point, anyone doing an analysis would probably make major changes
> for their analysis, which is the point. You modify the notebook to build a
> usable analysis between the starting policy and the policy you are
> analyzing.
>
> I've thought about trying this on an Android policy but haven't made it a
> priority.
>
> > Also with regard to hardcoding the refpolicy file system (ps.load_policy_source). I mean if youre just going to `grep -r` then why do we have to assume anything there and hard code file suffixed, directory structures etc etc?
>
>
ahh.. sorry. I just noticed that it can be overriden:
p, ps, bp, bps = se.load_policies_from_config("policy_paths.config")
so i suppose i should be able to add that file to the notebook dir and specify my own paths.
although that still doesnt deal with any file suffixes? (.cil)
--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 659 bytes --]
next prev parent reply other threads:[~2017-05-08 9:02 UTC|newest]
Thread overview: 28+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-05-05 18:27 Announcing SPAN: SELinux Policy Analysis Notebook Karl MacMillan
2017-05-06 14:03 ` Dominick Grift
2017-05-06 16:19 ` Dominick Grift
2017-05-06 17:19 ` Dominick Grift
2017-05-07 9:39 ` Dominick Grift
2017-05-08 19:23 ` Karl MacMillan
2017-05-08 19:32 ` Dominick Grift
2017-05-08 19:40 ` Karl MacMillan
2017-05-07 15:22 ` Joshua Brindle
2017-05-07 15:47 ` Dominick Grift
2017-05-07 19:42 ` Joshua Brindle
2017-05-07 19:53 ` Dominick Grift
2017-05-08 19:41 ` Karl MacMillan
2017-05-08 8:55 ` Dominick Grift [this message]
2017-05-08 9:32 ` Dominick Grift
2017-05-08 19:36 ` Karl MacMillan
2017-05-08 19:49 ` Dominick Grift
2017-05-08 20:09 ` Karl MacMillan
2017-05-08 20:40 ` Dominick Grift
2017-05-08 21:47 ` Dominick Grift
2017-05-08 22:01 ` Dominick Grift
2017-05-09 15:25 ` Karl MacMillan
2017-05-09 16:12 ` Joshua Brindle
2017-05-09 15:21 ` Karl MacMillan
2017-05-09 16:15 ` Dominick Grift
2017-05-09 16:47 ` Dominick Grift
2017-05-09 17:45 ` Dominick Grift
2017-05-07 16:24 ` Dominick Grift
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170508085555.GA3701@julius \
--to=dac.override@gmail.com \
--cc=selinux@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.