unreasonably long SE Linux context display

unreasonably long SE Linux context display

[Russell Coker]

Would it be possible to use shorter names in the setrans.conf file than 
SystemLog and SystemHigh?  For example could we have "Low-High" or 
"sLow-sHigh" instead?

An 80 column display is the Unix standard, it's what xterm type programs 
default to, it's what generally works best with serial consoles, and it's the 
only option for Braille displays.

Currently in Fedora and RHEL (and probably the default installs of most 
distributions) the virtual consoles are 80 columns wide.  So anything that 
requires more than 80 columns in a display will not work well with the 
majority of Linux systems.

For "ps" output we have to fit 80 columns, everything else is truncated, this 
means that the increasing width of SE Linux output from "ps axZ" is reducing 
the amount of other data available.  Currently the sensitivity labels of 
"s0-s0:c0.c255" take up a significant part of the screen space and adding an 
extra 7 characters by translating it to "SystemLow-SystemHigh" will only make 
things worse (it will then take up 25% of the screen giving a total of almost 
75% of the screen for the SE Linux context).

Also I think we should consider making the various utility programs display 
part of the SE Linux context.  For example it's a common practice for an 
administrator to search for a listing of processes in a particular domain or 
role with commands such as the following:
ps axZ|grep kernel_t
ps axZ|grep system_r

It seems to me that one way of improving the situation with ps might be to 
allow specifying a regex for the context to match in a similar manner to 
killall (could probably take the same code).  Another possibility is to allow 
displaying partial contexts.  For example I might want to see the domains 
used by system processes (role==system_r) but not have the role or identity 
displayed (because they are not relevant).  Of course we may have great 
trouble trying to get such changes accepted upstream.

For ls it would be good to be able to display part of the context.  For the 
vast majority of invocations of "ls -Z" on a SE Linux system the identity and 
role are not desired in the output.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: unreasonably long SE Linux context display

[Joe Nall]

On Oct 31, 2005, at 1:11 AM, Russell Coker wrote:

> Would it be possible to use shorter names in the setrans.conf file  
> than
> SystemLog and SystemHigh?  For example could we have "Low-High" or
> "sLow-sHigh" instead?

How about adding a capability to name ranges and shorten
  "SystemLow-SystemHigh"
to
  "all"
or even
  "*"

joe

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: unreasonably long SE Linux context display

[Stephen Smalley]

On Mon, 2005-10-31 at 10:18 -0600, Joe Nall wrote:
> On Oct 31, 2005, at 1:11 AM, Russell Coker wrote:
> 
> > Would it be possible to use shorter names in the setrans.conf file  
> > than
> > SystemLog and SystemHigh?  For example could we have "Low-High" or
> > "sLow-sHigh" instead?
> 
> How about adding a capability to name ranges and shorten
>   "SystemLow-SystemHigh"
> to
>   "all"
> or even
>   "*"

Originally, Dan was just mapping it to "SystemHigh", but that caused
problems on the reverse translation ("SystemHigh" ==
"SystemHigh-SystemHigh", not "SystemLow-SystemHigh").  I suppose you can
define "all" or "*" any way you want in setrans.conf, but it seems prone
to similar confusion.

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: unreasonably long SE Linux context display

[Daniel J Walsh]

Joe Nall wrote:
>
> On Oct 31, 2005, at 1:11 AM, Russell Coker wrote:
>
>> Would it be possible to use shorter names in the setrans.conf file than
>> SystemLog and SystemHigh?  For example could we have "Low-High" or
>> "sLow-sHigh" instead?
>
> How about adding a capability to name ranges and shorten
>  "SystemLow-SystemHigh"
> to
>  "all"
> or even
>  "*"
setrans is under your control.  You can change SystemLow-SystemHigh to 
anything you want.

Russell is suggesting we change the default.
>
> joe
>
> -- 
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to 
> majordomo@tycho.nsa.gov with
> the words "unsubscribe selinux" without quotes as the message.


-- 



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: unreasonably long SE Linux context display

[Stephen Smalley]

On Mon, 2005-10-31 at 18:11 +1100, Russell Coker wrote:
> It seems to me that one way of improving the situation with ps might be to 
> allow specifying a regex for the context to match in a similar manner to 
> killall (could probably take the same code).  Another possibility is to allow 
> displaying partial contexts.  For example I might want to see the domains 
> used by system processes (role==system_r) but not have the role or identity 
> displayed (because they are not relevant).  Of course we may have great 
> trouble trying to get such changes accepted upstream.
> 
> For ls it would be good to be able to display part of the context.  For the 
> vast majority of invocations of "ls -Z" on a SE Linux system the identity and 
> role are not desired in the output.

James previously suggested introducing environment variables to control
the display of contexts, so that you could alter ls and ps -Z output
simply by adjusting such variables.  This could be implemented in the
utilities themselves (using the libselinux context_* functions to break
down the context), but that would be a fairly extensive set of changes.
It could also be implemented in libsetrans as part of the context
translation support, but that could have interesting side effects, e.g.
if one of these abbreviated contexts is then passed back into another
libselinux function, we can't necessarily determine the right values for
the omitted fields.

In any event, patches speak louder than words here...  

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: unreasonably long SE Linux context display

[Russell Coker]

On Tuesday 01 November 2005 03:33, Stephen Smalley <sds@tycho.nsa.gov> wrote:
> > For ls it would be good to be able to display part of the context.  For
> > the vast majority of invocations of "ls -Z" on a SE Linux system the
> > identity and role are not desired in the output.
>
> James previously suggested introducing environment variables to control
> the display of contexts, so that you could alter ls and ps -Z output
> simply by adjusting such variables.

I don't think that's such a good idea.  As the output of such programs will be 
used by shell scripts it will have some interesting possibilities for 
breaking such scripts.

> In any event, patches speak louder than words here...

OK, as no-one seems to have a great objection I'll write some patches when I 
find time.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.