From: Karl MacMillan <kmacmillan@mentalrootkit.com>
To: SELinux Mail List <selinux@tycho.nsa.gov>,
"Christopher J. PeBenito" <cpebenito@tresys.com>
Subject: New policy patterns and policy generation
Date: Thu, 18 Jan 2007 15:59:46 -0500 [thread overview]
Message-ID: <45AFDFC2.2080000@mentalrootkit.com> (raw)
I was looking into supporting the new policy patterns refpolicy work for
policy generation. Looking at many of the patterns, they include a
container type, e.g.,
create_files_pattern(foo_t, var_log_t, foo_log_t)
This is going to be difficult to generate based on audit logs because
there is no way to correlate the directory access with files. An audit
log might show the following access denied:
allow foo_t foo_log_t : file create_file_perms;
allow foo_t var_log_t : dir rw_dir_perms;
allow foo_t etc_t : dir rw_dir_perms;
There is no real way to determine which of the directory permissions
should be paired with the file creation (path is too unreliable to use I
think).
Not being able to generate these is not a huge deal, but I think that it
exposes a deeper problem. I suggest that these permissions should remain
decoupled, as the current patterns imply access that is different from
what is actually allowed. For example,
create_files_pattern(foo_t, var_log_t, foo_log_t)
create_files_pattern(foo_t, etc_t, foo_etc_t)
This - to me - implies that foo_t can create files of type foo_log_t in
directories of type var_log_t and files of type foo_etc_t in directories
of type etc_t. Of course, that is not what is allowed - foo_t can create
either file type in either directory type.
I think that policy writers - even fairly experienced policy writers -
are going to be surprised at the "additional" permissions allowed. The
old permissions, for example
allow foo_t { var_log_t foo_etc_t } : file create_file_perms;
allow foo_t { etc_t var_log_t } : dir rw_dir_perms;
much more correctly convey the access that is granted (at least to me)
and are easy to generate from audit data.
Comments?
Karl
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
reply other threads:[~2007-01-18 20:59 UTC|newest]
Thread overview: [no followups] expand[flat|nested] mbox.gz Atom feed
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=45AFDFC2.2080000@mentalrootkit.com \
--to=kmacmillan@mentalrootkit.com \
--cc=cpebenito@tresys.com \
--cc=selinux@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.