From: Joshua Brindle <method@manicmethod.com>
To: Ryan Bradetich <rbradetich@gmail.com>
Cc: Stephen Smalley <sds@tycho.nsa.gov>,
"Christopher J. PeBenito" <cpebenito@tresys.com>,
Karl MacMillan <kmacmillan@mentalrootkit.com>,
Yuichi Nakamura <ynakam@hitachisoft.jp>,
busybox@kaigai.gr.jp, selinux@tycho.nsa.gov,
Chad Sellers <csellers@tresys.com>
Subject: Re: Separating libselinux/libsepol (Was: Re: BusyBox: load_policy applet)
Date: Tue, 27 Mar 2007 16:35:48 -0400 [thread overview]
Message-ID: <46098024.1010003@manicmethod.com> (raw)
In-Reply-To: <e739902b0703271314o74ded51ek50cba90b6c3d@mail.gmail.com>
Ryan Bradetich wrote:
> On 3/27/07, Stephen Smalley <sds@tycho.nsa.gov> wrote:
>> Ok, so what I'm hearing is that we don't need to preserve support for
>> local boolean and user definitions apart from managed policy. If anyone
>> disagrees, speak up please.
>
> Please excuse my ignorance, but I do not have a good handle on the
> terms "local boolean" and "user definitions".
>
> My guess at what you are referring to better encapsulation of booleans
> into the policy modules. For example:
>
> The squid_connect_any boolean/tunable is always present in the policy.
> It is not dependent upon if I had disabled squid support in the
> policy.conf file. One of the advancements I thought was occurring was
> to better encapsulate boolean support into policy modules. So the
> squid_connect_any boolean/tunable would only be present if the squid
> module was compiled in or as a loaded module.
>
> I personally like this idea, because it gives me less to review,
> audit, test, and document before system deployment. I am not sure if
> this encapsulation idea is what you are referring to as a "local
> boolean", but I can also live without this support. As Chris
> mentioned, I would just modify the policy to remove all the booleans
> that are not relevant to my system before deployment.
>
> Is this the support you are looking to remove? Or do you mean something
> else?
>
Something else. What you mentioned is a policy issue and the discussion
is about the toolchain/libraries. The local boolean support was added
before modular policy was added that lets users set boolean values
persistently locally and init/load_policy (through libselinux) read a
flat text file with the boolean values and set them in the in-memory
policydb before loading it into the kernel.
Modular policy has removed the need to modify policies at load time by
rebuilding the binary from the modules and all local settings (users,
ports, nodes, booleans, etc). We sought to remove the in-memory
modification to policies so that we could analyze the actual policy
binary being used on the system and not something that would be modified
before being loaded. It also allowed us to add more flexibility by way
of semanage that was not there previously.
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
prev parent reply other threads:[~2007-03-27 20:35 UTC|newest]
Thread overview: 34+ messages / expand[flat|nested] mbox.gz Atom feed top
2007-03-23 6:15 BusyBox: load_policy applet Yuichi Nakamura
2007-03-23 12:49 ` Stephen Smalley
2007-03-26 1:28 ` Yuichi Nakamura
2007-03-26 14:08 ` Separating libselinux/libsepol (Was: Re: BusyBox: load_policy applet) Stephen Smalley
2007-03-26 16:12 ` Christopher J. PeBenito
2007-03-26 16:35 ` Stephen Smalley
2007-03-27 0:59 ` Yuichi Nakamura
2007-03-27 12:15 ` Stephen Smalley
2007-03-28 1:57 ` KaiGai Kohei
2007-03-28 8:40 ` Yuichi Nakamura
2007-03-28 9:12 ` [busybox:00575] " KaiGai Kohei
2007-03-28 12:04 ` Stephen Smalley
2007-03-28 12:34 ` Joshua Brindle
2007-03-28 12:00 ` Stephen Smalley
2007-03-28 2:19 ` Yuichi Nakamura
2007-03-27 2:58 ` Ryan Bradetich
2007-03-27 12:32 ` Christopher J. PeBenito
2007-03-26 16:37 ` Karl MacMillan
2007-03-26 20:13 ` Christopher J. PeBenito
2007-03-27 12:45 ` Stephen Smalley
2007-03-27 15:42 ` Christopher J. PeBenito
2007-03-27 15:48 ` Stephen Smalley
2007-03-27 16:02 ` Karl MacMillan
2007-03-27 18:43 ` Christopher J. PeBenito
2007-03-27 18:47 ` Stephen Smalley
2007-03-27 19:09 ` Karl MacMillan
2007-03-27 19:32 ` Christopher J. PeBenito
2007-03-27 20:31 ` Ryan Bradetich
2007-03-28 10:26 ` Russell Coker
2007-03-28 12:06 ` Stephen Smalley
2007-03-28 14:11 ` Russell Coker
2007-03-28 12:17 ` Christopher J. PeBenito
2007-03-27 20:14 ` Ryan Bradetich
2007-03-27 20:35 ` Joshua Brindle [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=46098024.1010003@manicmethod.com \
--to=method@manicmethod.com \
--cc=busybox@kaigai.gr.jp \
--cc=cpebenito@tresys.com \
--cc=csellers@tresys.com \
--cc=kmacmillan@mentalrootkit.com \
--cc=rbradetich@gmail.com \
--cc=sds@tycho.nsa.gov \
--cc=selinux@tycho.nsa.gov \
--cc=ynakam@hitachisoft.jp \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.