Re: Announcing SPAN: SELinux Policy Analysis Notebook

[Dominick Grift <dac.override@gmail.com>]

[-- Attachment #1: Type: text/plain, Size: 8737 bytes --]

On Mon, May 08, 2017 at 10:40:53PM +0200, Dominick Grift wrote:
> On Mon, May 08, 2017 at 04:09:16PM -0400, Karl MacMillan wrote:
> > 
> > > On May 8, 2017, at 3:49 PM, Dominick Grift <dac.override@gmail.com> wrote:
> > > 
> > > On Mon, May 08, 2017 at 03:36:21PM -0400, Karl MacMillan wrote:
> > >> 
> > >>> 
> > >> 
> > >> I think it’s best to think of these as having three basic layers:
> > >> 
> > >> 1. Basic tools for SELinux policy analysis in Jupyter - these are usable for any policy and make no assumptions about the presence of any types, attributes, object classes, or permissions. So things like the rule searching and information flow analysis fit into this group. This is a large part of the value of SPAN.
> > >> 
> > >> 2. Higher-level policy analysis methods - these are things like the domain_types method and the domain / type summaries. These make some minimal assumptions about attributes like domain. I’ll just mention that these assumptions are very minimal and have been around for a _long_ time. Domain long pre-dates the reference policy, for example. More than attributes this layer is tied to the Linux object classes and permissions.
> > >> 
> > >> 3. Example notebooks - the two example notebooks are just that - examples. They probably provide a useful starting point, but as Josh points out, should simply be modified for your specific use case.
> > >> 
> > >> So the question, then, is should the second layer (the higher-level policy analysis methods) be made configurable. Honestly I think it would be more work than just creating your own versions for a policy that breaks the assumptions. To me, that’s the great advantage of this versus other analysis tools. It’s so simple to create quick tools that meet your needs. And given that the vast majority of Linux and Android systems meet the assumptions I think that this is a reasonable approach.
> > > 
> > > I don't think it will work with android. Some of it maybe but not all of it. for example the source functionality appends "modules" to the search path. So i suspect that will break that functionality for Android.
> > 
> > We’ve not tested it for Android policies so I’m sure there will be some breakage. But I hope it will be fixed to work by us or someone soon.
> > 
> > > Thank you for giving me your opinion. At least now I know where I stand.
> > 
> > Where you stand? I’m not certain what you mean and was not trying to say something about you personally.
> 
> I didnt take it personal, That is not what I meant. To me SELinux is bigger then any single policy be it refpolicy, sepolicy, or dssp
> The perfect tool would support any policy (setools goes a long way there). From your comments I sensed that you might not fully agree with that or that you might not have the ambition for SPAN to be perfect.
> What I am saying is that after your comment I no longer have any illusions that SPAN will ever be perfect (or close to perfect)
> 
> > 
> > I was not familiar with DSSP before (I’ve not done much with SELinux for a while), but Josh pointed it out to me. From looking at it very briefly and thinking through the assumptions in SPAN my guess is that it would take very few changes to make SPAN work with DSSP, even the source policy stuff (which, honestly, is just a very small part mainly useful for diffing constraints).
> > 
> > And as a side note - it’s nice to see someone trying to write a policy from scratch in CIL. Do you have a “domain” attribute or at least a similar concept?
> 
> Sure, but i cannot use "domain" for this because DSSP leverages namespaces. The equivalent in DSSP is "subj.subj_type_attribute"
> 
> So if the configuration file would have something like:
> 
> # process_types = domain
> 
> Then i would be happy because then i could edit it like:
> 
> process_types = subj.subj_type_attribute
> 
> > 
> > > I will not be able to leverage this solution to any significant extend, and the notebook and its depenedencies are pretty expensive to have just for something that only works to some extent.
> > 
> > I’m curious what you mean by “only works to some extent”. Any bug reports would be welcome.
> 
> Let me rephrase then: "not to the fullest extent"
> 
> But you gave me the impression that not all bug reports would be "welcome" when you said: "the vast majority of Linux and Android systems meet the assumptions I think that this is a reasonable approach."
> 
> > 
> > And if you mean specifically in the context of DSSP, like I said I bet the changes would be minimal. So if you are interested in giving it a try I’ll be happy to look at the changes needed and give you a hand.
> 
> I agree, and ive said that when I said: "a few rough edges" Its close the usable with DSSP. It just needs to deal with some of the current assumptions:
> 
> ill point out some:
> 
> 1. return self.grep(name, "*.te", self.modules_path) # what about .cil suffixed files?

We should make this customizable something like: source_policy_suffix =

Because we would need to catch *.conf , *.te , *.cil and any future high level source policy files that leverage cil

> 2. return self.find_def("attribute " + name) # in CIL this is typeattribute

CIL is a native language so we use a statement for something then we need to make sure that also its CIL equivalent is caught

> 3. return self.grep(type_name, "*.fc", self.modules_path) # CIL has its context specs in the .cil suffixed file

We should make this customizable: file_contexts_suffix =
to catch *.fc as well as *.cil and any future high level file_context suffixes
When this suffix is used we should also alway take "file_contexts" into account as this is where to look in monolitic policy

> 4. 
> return self.diff_relative("/policy/mls", other_source) # these should be customizable

mls_constraints =

> return self.diff_relative("/policy/mcs", other_source) # these should be customizable

mcs_constraints =

> return self.diff_relative("/policy/constraints", other_source) # these should be customizable

constraints =

or maybe dont even differentiate between the various different constraints and just pile them all together in:

constraints = [ "", "", "", ... ]

This is because there may be other constraints (for example i have role-base access control seperation constraints)

> 5. any references to type attributes should be customizable: ie. process_types = ... filesystem_types = ... etc

I do not consider Linux access vectors to be customizable, unlike types ,attributes, booleans, tunables etc)

So one does not have to worry about the hard coding of classes and permission, However i would probably still try to find a way
make that more easily customizable. Because new permissions get added to existing classes and if you have you access vector declarations in a single place then that is easier to maintain then when you have to add then in code scathered accross the project

> 
> > 
> > Thanks - Karl
> > 
> > > Atleast this inspired me to implement policy for pip and notebook in my personal security policy. So it was not all in vain.
> > > 
> > >> 
> > >> Thanks - Karl
> > >> 
> > >>> 
> > >>>> 
> > >>>> -- 
> > >>>> Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8  02D5 3B6C 5F1D 2C7B 6B02
> > >>>> https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02 <https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02> <https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02 <https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02>>
> > >>>> Dominick Grift
> > >>> 
> > >>> 
> > >>> 
> > >>> -- 
> > >>> Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8  02D5 3B6C 5F1D 2C7B 6B02
> > >>> https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02 <https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02> <https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02 <https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02>>
> > >>> Dominick Grift
> > >> 
> > > 
> > > -- 
> > > Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8  02D5 3B6C 5F1D 2C7B 6B02
> > > https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02 <https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02>
> > > Dominick Grift
> > 
> 
> -- 
> Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8  02D5 3B6C 5F1D 2C7B 6B02
> https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
> Dominick Grift



-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8  02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 659 bytes --]