constraints and subtraction

constraints and subtraction

[Joshua Brindle]

I was wondering if there was a specific reason that constraints don't 
support subtraction but support attributes, sets, * and ~. For example 
the following might be useful:

constrain dir_file_class_set { create relabelto relabelfrom }
         ( u1 == u2 or t1 == { privowner -sysadm_t } );

Thanks.

Joshua Brindle

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: constraints and subtraction

[Stephen Smalley]

On Mon, 2004-08-23 at 17:04, Joshua Brindle wrote:
> I was wondering if there was a specific reason that constraints don't 
> support subtraction but support attributes, sets, * and ~. For example 
> the following might be useful:
> 
> constrain dir_file_class_set { create relabelto relabelfrom }
>          ( u1 == u2 or t1 == { privowner -sysadm_t } );

Laziness and fear ;)  Feel free to change it, but it may be more
complicated than you expect.

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: constraints and subtraction

[Valdis.Kletnieks]

[-- Attachment #1: Type: text/plain, Size: 1115 bytes --]

On Tue, 24 Aug 2004 09:54:43 EDT, Stephen Smalley said:
> On Mon, 2004-08-23 at 17:04, Joshua Brindle wrote:
> > I was wondering if there was a specific reason that constraints don't 
> > support subtraction but support attributes, sets, * and ~. For example 
> > the following might be useful:
> > 
> > constrain dir_file_class_set { create relabelto relabelfrom }
> >          ( u1 == u2 or t1 == { privowner -sysadm_t } );
> 
> Laziness and fear ;)  Feel free to change it, but it may be more
> complicated than you expect.

Oh yes, fear.. ;)

Attributes and sets are easy, * and ~ have reasonable definitions as well...

Given two sets F1 = {A, B, C} and F2 = {B, D}, it's unclear to me
what The Right Thing to do for (F1-F2) is.  Should the attempt to subtract
D throw an error, or fail silently and create {A, C}, or create the set {A, C, ~D}?

I can make a case for any one of the three.  I'll even hypothesize that none of
the 3 is clearly correct unless the reasons for both other alternatives being wrong
are clear-cut enough even for an idiot like me to understand....

Anybody got a 4th alternative? :)

[-- Attachment #2: Type: application/pgp-signature, Size: 226 bytes --]

Re: constraints and subtraction

[Russell Coker]

On Wed, 25 Aug 2004 04:47, Valdis.Kletnieks@vt.edu wrote:
> Given two sets F1 = {A, B, C} and F2 = {B, D}, it's unclear to me
> what The Right Thing to do for (F1-F2) is.  Should the attempt to subtract
> D throw an error, or fail silently and create {A, C}, or create the set {A,
> C, ~D}?

F1 - F2 = { A C }

~D == { A B C }, so the set { A C ~A } would not make sense.

The subtraction operator just removes things if they happen to be there.  
Items which didn't already exist mean that the removal operation is a noop.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.