From: Karl MacMillan <kmacmillan@mentalrootkit.com>
To: Joshua Brindle <jbrindle@tresys.com>
Cc: Stephen Smalley <sds@tycho.nsa.gov>, SE Linux <selinux@tycho.nsa.gov>
Subject: Re: [RFC] 0/4 - Hierarchal apache policy for reference policy
Date: Fri, 19 Jan 2007 11:55:22 -0500 [thread overview]
Message-ID: <45B0F7FA.1000506@mentalrootkit.com> (raw)
In-Reply-To: <6FE441CD9F0C0C479F2D88F959B015887B9E64@exchange.columbia.tresys.com>
Joshua Brindle wrote:
>> From: Karl MacMillan [mailto:kmacmillan@mentalrootkit.com]
>>
>> Joshua Brindle wrote:
>>> If one added the same rule to another module they'd get a hierarchy
>>> violation error, however. So the user would experience different
>>> errors depending on how they added the rule to the policy.
>> I don't follow - I thought that the typing meant that it
>> didn't matter where the rule came from, only what the source
>> and destination types were. If you added additional rules via
>> the module, the target types should have the same type as
>> they do in the original module.
>>
>
> What I was saying was how it would behave differently if you generated
> rules for all the parents of a child at build time within a single
> module. If you automatically did that then adding a rule to a child
> would get propagated to the parent which would result in an access
> violation at insert time. If you added the rule from another module it
> would show up as a hierarchy violation instead.
Ah - I see what you are saying. I was assuming that this would be a
development tool manually invoked to aid policy developers. Not
something that would always happen as part of the build.
Also, I assume that for the most part the container types will be given
very broad privileges rather than the fine-grained approach taken with
the apache policy. Otherwise chances are that most updates will fail
from hierarchy violations because you forgot one small access. In other
words, the closer the container type policy to the subtypes the less
useful it actually is (because you would just not delegate access to
someone else to update it).
Karl
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
next prev parent reply other threads:[~2007-01-19 16:55 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2007-01-18 16:30 [RFC] 0/4 - Hierarchal apache policy for reference policy Joshua Brindle
2007-01-18 17:18 ` Karl MacMillan
2007-01-18 17:53 ` Joshua Brindle
2007-01-18 18:40 ` Karl MacMillan
2007-01-18 19:40 ` Stephen Smalley
2007-01-18 19:55 ` Karl MacMillan
2007-01-18 20:00 ` Joshua Brindle
2007-01-18 20:24 ` Stephen Smalley
2007-01-18 20:31 ` Stephen Smalley
2007-01-18 21:16 ` Joshua Brindle
2007-01-18 21:24 ` Karl MacMillan
2007-01-18 21:44 ` Joshua Brindle
2007-01-19 16:55 ` Karl MacMillan [this message]
2007-01-25 21:17 ` Daniel J Walsh
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=45B0F7FA.1000506@mentalrootkit.com \
--to=kmacmillan@mentalrootkit.com \
--cc=jbrindle@tresys.com \
--cc=sds@tycho.nsa.gov \
--cc=selinux@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.