* [refpolicy] Patch: Create non_security_file_type attribute
@ 2008-06-27 18:55 James Carter
2008-07-18 14:15 ` Christopher J. PeBenito
0 siblings, 1 reply; 9+ messages in thread
From: James Carter @ 2008-06-27 18:55 UTC (permalink / raw)
To: Christopher J. PeBenito; +Cc: SELinux
This patch eliminates the expansion of the file_type attribute (due to
the "-" set operation) for the *_non_security interfaces by creating a
non_security_file_type attribute.
On my system the resulting binary policy is almost 20% smaller. The
difference is so large because there are over 1000 types labeled with
the file_type attribute.
files.if | 61 ++++++++++++++++++++++++++++++-------------------------------
files.te | 2 ++
2 files changed, 32 insertions(+), 31 deletions(-)
Index: policy/modules/kernel/files.if
===================================================================
--- policy/modules/kernel/files.if (revision 2739)
+++ policy/modules/kernel/files.if (working copy)
@@ -32,10 +32,10 @@
#
interface(`files_type',`
gen_require(`
- attribute file_type;
+ attribute file_type, non_security_file_type;
')
- typeattribute $1 file_type;
+ typeattribute $1 file_type, non_security_file_type;
')
########################################
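Review bot: adding non_security_file_type unconditionally inside files_type means any type that is also passed to files_security_file, directly or through an interface that calls files_type on its behalf, carries both attributes, so non_security_file_type stops being equal to `{ file_type -security_file_type }` and every *_non_security rule widens to include that type; later in this thread that is exactly what is seen for auditd_log_t via files_mountpoint(). Since a typeattribute cannot be undone, each such wrapper interface would need a security-file variant, and the interface header above this hunk should say that callers must choose one of files_type or files_security_file, never both.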
@@ -217,11 +217,10 @@
#
interface(`files_security_file',`
gen_require(`
- attribute security_file_type;
+ attribute file_type, security_file_type;
')
- files_type($1)
- typeattribute $1 security_file_type;
+ typeattribute $1 file_type, security_file_type;
')
########################################
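Review bot: dropping the `files_type($1)` call takes security file types off the common declaration path, so anything later added to files_type no longer applies to them; that is the intent here (to avoid non_security_file_type), but it is invisible to a reader of this interface. Suggest a one-line comment in the body, e.g. `# deliberately not files_type(): security files must not get non_security_file_type`, so the asymmetry is not "fixed" by a future cleanup.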
@@ -316,10 +315,10 @@
#
interface(`files_list_non_security',`
gen_require(`
- attribute file_type, security_file_type;
+ attribute non_security_file_type;
')
- list_dirs_pattern($1,{ file_type -security_file_type },{ file_type -security_file_type })
+ list_dirs_pattern($1,non_security_file_type,non_security_file_type)
')
########################################
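Review bot: this rewrite, and the identical ones in the remaining *_non_security hunks, is only equivalent to `{ file_type -security_file_type }` if the two attributes partition file_type, and nothing in the patch enforces that. Suggest stating the expected result in the commit message (no rule changes) and verifying it the way the reviewer did, by comparing the before and after binary policies with sediff, before merging.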
@@ -335,10 +334,10 @@
#
interface(`files_dontaudit_list_non_security',`
gen_require(`
- attribute file_type, security_file_type;
+ attribute non_security_file_type;
')
- dontaudit $1 { file_type -security_file_type }:dir list_dir_perms;
+ dontaudit $1 non_security_file_type:dir list_dir_perms;
')
########################################
@@ -354,11 +353,11 @@
#
interface(`files_mounton_non_security',`
gen_require(`
- attribute file_type, security_file_type;
+ attribute non_security_file_type;
')
- allow $1 { file_type -security_file_type }:dir mounton;
- allow $1 { file_type -security_file_type }:file mounton;
+ allow $1 non_security_file_type:dir mounton;
+ allow $1 non_security_file_type:file mounton;
')
########################################
@@ -373,10 +372,10 @@
#
interface(`files_write_non_security_dirs',`
gen_require(`
- attribute file_type, security_file_type;
+ attribute non_security_file_type;
')
- allow $1 { file_type -security_file_type }:dir write;
+ allow $1 non_security_file_type:dir write;
')
########################################
@@ -430,10 +429,10 @@
#
interface(`files_dontaudit_getattr_non_security_files',`
gen_require(`
- attribute file_type, security_file_type;
+ attribute non_security_file_type;
')
- dontaudit $1 { file_type -security_file_type }:file getattr;
+ dontaudit $1 non_security_file_type:file getattr;
')
########################################
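Review bot: with this hunk a type that ends up carrying both attributes has its getattr accesses dontaudited, which contradicts the stated purpose of security_file_type in files.te ("accesses should not be dontaudited"); the old set expression excluded such a type by construction. The same applies to the other dontaudit hunks in this patch, so the attribute overlap found later in the thread is an audit-coverage regression as well as a rule addition.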
@@ -498,11 +497,11 @@
#
interface(`files_read_non_security_files',`
gen_require(`
- attribute file_type, security_file_type;
+ attribute non_security_file_type;
')
- read_files_pattern($1,{ file_type -security_file_type },{ file_type -security_file_type })
- read_lnk_files_pattern($1,{ file_type -security_file_type },{ file_type -security_file_type })
+ read_files_pattern($1,non_security_file_type,non_security_file_type)
+ read_lnk_files_pattern($1,non_security_file_type,non_security_file_type)
')
########################################
@@ -648,10 +647,10 @@
#
interface(`files_dontaudit_getattr_non_security_symlinks',`
gen_require(`
- attribute file_type, security_file_type;
+ attribute non_security_file_type;
')
- dontaudit $1 { file_type -security_file_type }:lnk_file getattr;
+ dontaudit $1 non_security_file_type:lnk_file getattr;
')
########################################
@@ -667,10 +666,10 @@
#
interface(`files_dontaudit_getattr_non_security_blk_files',`
gen_require(`
- attribute file_type, security_file_type;
+ attribute non_security_file_type;
')
- dontaudit $1 { file_type -security_file_type }:blk_file getattr;
+ dontaudit $1 non_security_file_type:blk_file getattr;
')
########################################
@@ -686,10 +685,10 @@
#
interface(`files_dontaudit_getattr_non_security_chr_files',`
gen_require(`
- attribute file_type, security_file_type;
+ attribute non_security_file_type;
')
- dontaudit $1 { file_type -security_file_type }:chr_file getattr;
+ dontaudit $1 non_security_file_type:chr_file getattr;
')
########################################
@@ -763,10 +762,10 @@
#
interface(`files_dontaudit_getattr_non_security_pipes',`
gen_require(`
- attribute file_type, security_file_type;
+ attribute non_security_file_type;
')
- dontaudit $1 { file_type -security_file_type }:fifo_file getattr;
+ dontaudit $1 non_security_file_type:fifo_file getattr;
')
########################################
@@ -820,10 +819,10 @@
#
interface(`files_dontaudit_getattr_non_security_sockets',`
gen_require(`
- attribute file_type, security_file_type;
+ attribute non_security_file_type;
')
- dontaudit $1 { file_type -security_file_type }:sock_file getattr;
+ dontaudit $1 non_security_file_type:sock_file getattr;
')
########################################
@@ -4763,8 +4762,8 @@
#
interface(`files_manage_non_security_dirs',`
gen_require(`
- attribute file_type, security_file_type;
+ attribute non_security_file_type;
')
- allow $1 { file_type -security_file_type }:dir manage_dir_perms;
+ allow $1 non_security_file_type:dir manage_dir_perms;
')
Index: policy/modules/kernel/files.te
===================================================================
--- policy/modules/kernel/files.te (revision 2739)
+++ policy/modules/kernel/files.te (working copy)
@@ -26,6 +26,8 @@
# sensitive security files whose accesses should
# not be dontaudited for uses
attribute security_file_type;
+# and its opposite
+attribute non_security_file_type;
attribute tmpfile;
attribute tmpfsfile;
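Review bot: `# and its opposite` under-documents the new attribute, since the *_non_security interfaces silently widen if a type carries both. Suggest spelling out the invariant they depend on, e.g. `# file types that are not security_file_type; every file_type must carry exactly one of the two`.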
--
James Carter <jwcart2@tycho.nsa.gov>
National Security Agency
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: [refpolicy] Patch: Create non_security_file_type attribute
2008-06-27 18:55 [refpolicy] Patch: Create non_security_file_type attribute James Carter
@ 2008-07-18 14:15 ` Christopher J. PeBenito
2008-07-18 15:42 ` James Carter
0 siblings, 1 reply; 9+ messages in thread
From: Christopher J. PeBenito @ 2008-07-18 14:15 UTC (permalink / raw)
To: jwcart2; +Cc: SELinux
On Fri, 2008-06-27 at 14:55 -0400, James Carter wrote:
> This patch eliminates the expansion of the file_type attribute (due to
> the "-" set operation) for the *_non_security interfaces by creating a
> non_security_file_type attribute.
>
> On my system the resulting binary policy is almost 20% smaller. The
> difference is so large because there are over 1000 types labeled with
> the file_type attribute.
I'm hesitant to attach non_security_file_type to the files_type
attribute, since it's not clear to me that it makes conceptual sense. In
fact a sediff of the policy reveals that auditd_log_t gains
non_security_file_type while it already has security_file_type, which
results in rule additions with this patch added.
> files.if | 61 ++++++++++++++++++++++++++++++-------------------------------
> files.te | 2 ++
> 2 files changed, 32 insertions(+), 31 deletions(-)
>
> Index: policy/modules/kernel/files.if
> ===================================================================
> --- policy/modules/kernel/files.if (revision 2739)
> +++ policy/modules/kernel/files.if (working copy)
> @@ -32,10 +32,10 @@
> #
> interface(`files_type',`
> gen_require(`
> - attribute file_type;
> + attribute file_type, non_security_file_type;
> ')
>
> - typeattribute $1 file_type;
> + typeattribute $1 file_type, non_security_file_type;
> ')
>
> ########################################
> @@ -217,11 +217,10 @@
> #
> interface(`files_security_file',`
> gen_require(`
> - attribute security_file_type;
> + attribute file_type, security_file_type;
> ')
>
> - files_type($1)
> - typeattribute $1 security_file_type;
> + typeattribute $1 file_type, security_file_type;
> ')
>
> ########################################
> @@ -316,10 +315,10 @@
> #
> interface(`files_list_non_security',`
> gen_require(`
> - attribute file_type, security_file_type;
> + attribute non_security_file_type;
> ')
>
> - list_dirs_pattern($1,{ file_type -security_file_type },{ file_type -security_file_type })
> + list_dirs_pattern($1,non_security_file_type,non_security_file_type)
> ')
>
> ########################################
> @@ -335,10 +334,10 @@
> #
> interface(`files_dontaudit_list_non_security',`
> gen_require(`
> - attribute file_type, security_file_type;
> + attribute non_security_file_type;
> ')
>
> - dontaudit $1 { file_type -security_file_type }:dir list_dir_perms;
> + dontaudit $1 non_security_file_type:dir list_dir_perms;
> ')
>
> ########################################
> @@ -354,11 +353,11 @@
> #
> interface(`files_mounton_non_security',`
> gen_require(`
> - attribute file_type, security_file_type;
> + attribute non_security_file_type;
> ')
>
> - allow $1 { file_type -security_file_type }:dir mounton;
> - allow $1 { file_type -security_file_type }:file mounton;
> + allow $1 non_security_file_type:dir mounton;
> + allow $1 non_security_file_type:file mounton;
> ')
>
> ########################################
> @@ -373,10 +372,10 @@
> #
> interface(`files_write_non_security_dirs',`
> gen_require(`
> - attribute file_type, security_file_type;
> + attribute non_security_file_type;
> ')
>
> - allow $1 { file_type -security_file_type }:dir write;
> + allow $1 non_security_file_type:dir write;
> ')
>
> ########################################
> @@ -430,10 +429,10 @@
> #
> interface(`files_dontaudit_getattr_non_security_files',`
> gen_require(`
> - attribute file_type, security_file_type;
> + attribute non_security_file_type;
> ')
>
> - dontaudit $1 { file_type -security_file_type }:file getattr;
> + dontaudit $1 non_security_file_type:file getattr;
> ')
>
> ########################################
> @@ -498,11 +497,11 @@
> #
> interface(`files_read_non_security_files',`
> gen_require(`
> - attribute file_type, security_file_type;
> + attribute non_security_file_type;
> ')
>
> - read_files_pattern($1,{ file_type -security_file_type },{ file_type -security_file_type })
> - read_lnk_files_pattern($1,{ file_type -security_file_type },{ file_type -security_file_type })
> + read_files_pattern($1,non_security_file_type,non_security_file_type)
> + read_lnk_files_pattern($1,non_security_file_type,non_security_file_type)
> ')
>
> ########################################
> @@ -648,10 +647,10 @@
> #
> interface(`files_dontaudit_getattr_non_security_symlinks',`
> gen_require(`
> - attribute file_type, security_file_type;
> + attribute non_security_file_type;
> ')
>
> - dontaudit $1 { file_type -security_file_type }:lnk_file getattr;
> + dontaudit $1 non_security_file_type:lnk_file getattr;
> ')
>
> ########################################
> @@ -667,10 +666,10 @@
> #
> interface(`files_dontaudit_getattr_non_security_blk_files',`
> gen_require(`
> - attribute file_type, security_file_type;
> + attribute non_security_file_type;
> ')
>
> - dontaudit $1 { file_type -security_file_type }:blk_file getattr;
> + dontaudit $1 non_security_file_type:blk_file getattr;
> ')
>
> ########################################
> @@ -686,10 +685,10 @@
> #
> interface(`files_dontaudit_getattr_non_security_chr_files',`
> gen_require(`
> - attribute file_type, security_file_type;
> + attribute non_security_file_type;
> ')
>
> - dontaudit $1 { file_type -security_file_type }:chr_file getattr;
> + dontaudit $1 non_security_file_type:chr_file getattr;
> ')
>
> ########################################
> @@ -763,10 +762,10 @@
> #
> interface(`files_dontaudit_getattr_non_security_pipes',`
> gen_require(`
> - attribute file_type, security_file_type;
> + attribute non_security_file_type;
> ')
>
> - dontaudit $1 { file_type -security_file_type }:fifo_file getattr;
> + dontaudit $1 non_security_file_type:fifo_file getattr;
> ')
>
> ########################################
> @@ -820,10 +819,10 @@
> #
> interface(`files_dontaudit_getattr_non_security_sockets',`
> gen_require(`
> - attribute file_type, security_file_type;
> + attribute non_security_file_type;
> ')
>
> - dontaudit $1 { file_type -security_file_type }:sock_file getattr;
> + dontaudit $1 non_security_file_type:sock_file getattr;
> ')
>
> ########################################
> @@ -4763,8 +4762,8 @@
> #
> interface(`files_manage_non_security_dirs',`
> gen_require(`
> - attribute file_type, security_file_type;
> + attribute non_security_file_type;
> ')
>
> - allow $1 { file_type -security_file_type }:dir manage_dir_perms;
> + allow $1 non_security_file_type:dir manage_dir_perms;
> ')
> Index: policy/modules/kernel/files.te
> ===================================================================
> --- policy/modules/kernel/files.te (revision 2739)
> +++ policy/modules/kernel/files.te (working copy)
> @@ -26,6 +26,8 @@
> # sensitive security files whose accesses should
> # not be dontaudited for uses
> attribute security_file_type;
> +# and its opposite
> +attribute non_security_file_type;
>
> attribute tmpfile;
> attribute tmpfsfile;
>
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
* Re: [refpolicy] Patch: Create non_security_file_type attribute
2008-07-18 14:15 ` Christopher J. PeBenito
@ 2008-07-18 15:42 ` James Carter
2008-07-18 15:49 ` Christopher J. PeBenito
0 siblings, 1 reply; 9+ messages in thread
From: James Carter @ 2008-07-18 15:42 UTC (permalink / raw)
To: Christopher J. PeBenito; +Cc: SELinux
On Fri, 2008-07-18 at 10:15 -0400, Christopher J. PeBenito wrote:
> On Fri, 2008-06-27 at 14:55 -0400, James Carter wrote:
> > This patch eliminates the expansion of the file_type attribute (due to
> > the "-" set operation) for the *_non_security interfaces by creating a
> > non_security_file_type attribute.
> >
> > On my system the resulting binary policy is almost 20% smaller. The
> > difference is so large because there are over 1000 types labeled with
> > the file_type attribute.
>
> I'm hesitant to attach non_security_file_type to the files_type
> attribute, since it's not clear to me that it makes conceptual sense.
The primary goal here is a smaller binary policy. But it still makes
sense conceptually to me because the security_file_type attribute is
never used by itself as far as I can tell. It is always used as
{file_type-security_file_type}.
> In
> fact a sediff of the policy reveals that auditd_log_t gains
> non_security_file_type while it already has security_file_type, which
> results in rule additions with this patch added.
That's not good. There are only a handful of types labeled with
security_file_type, I don't know how I missed that. Sorry.
The following line is the problem: files_mountpoint(auditd_log_t).
So, a files_mountpoint_security interface would have to be created.
It's not a big deal to me. If there is no interest in creating a
non_security_file_type attribute, I won't pursue this any farther.
Jim
>
> > files.if | 61 ++++++++++++++++++++++++++++++-------------------------------
> > files.te | 2 ++
> > 2 files changed, 32 insertions(+), 31 deletions(-)
> >
> > Index: policy/modules/kernel/files.if
> > ===================================================================
> > --- policy/modules/kernel/files.if (revision 2739)
> > +++ policy/modules/kernel/files.if (working copy)
> > @@ -32,10 +32,10 @@
> > #
> > interface(`files_type',`
> > gen_require(`
> > - attribute file_type;
> > + attribute file_type, non_security_file_type;
> > ')
> >
> > - typeattribute $1 file_type;
> > + typeattribute $1 file_type, non_security_file_type;
> > ')
> >
> > ########################################
> > @@ -217,11 +217,10 @@
> > #
> > interface(`files_security_file',`
> > gen_require(`
> > - attribute security_file_type;
> > + attribute file_type, security_file_type;
> > ')
> >
> > - files_type($1)
> > - typeattribute $1 security_file_type;
> > + typeattribute $1 file_type, security_file_type;
> > ')
> >
> > ########################################
> > @@ -316,10 +315,10 @@
> > #
> > interface(`files_list_non_security',`
> > gen_require(`
> > - attribute file_type, security_file_type;
> > + attribute non_security_file_type;
> > ')
> >
> > - list_dirs_pattern($1,{ file_type -security_file_type },{ file_type -security_file_type })
> > + list_dirs_pattern($1,non_security_file_type,non_security_file_type)
> > ')
> >
> > ########################################
> > @@ -335,10 +334,10 @@
> > #
> > interface(`files_dontaudit_list_non_security',`
> > gen_require(`
> > - attribute file_type, security_file_type;
> > + attribute non_security_file_type;
> > ')
> >
> > - dontaudit $1 { file_type -security_file_type }:dir list_dir_perms;
> > + dontaudit $1 non_security_file_type:dir list_dir_perms;
> > ')
> >
> > ########################################
> > @@ -354,11 +353,11 @@
> > #
> > interface(`files_mounton_non_security',`
> > gen_require(`
> > - attribute file_type, security_file_type;
> > + attribute non_security_file_type;
> > ')
> >
> > - allow $1 { file_type -security_file_type }:dir mounton;
> > - allow $1 { file_type -security_file_type }:file mounton;
> > + allow $1 non_security_file_type:dir mounton;
> > + allow $1 non_security_file_type:file mounton;
> > ')
> >
> > ########################################
> > @@ -373,10 +372,10 @@
> > #
> > interface(`files_write_non_security_dirs',`
> > gen_require(`
> > - attribute file_type, security_file_type;
> > + attribute non_security_file_type;
> > ')
> >
> > - allow $1 { file_type -security_file_type }:dir write;
> > + allow $1 non_security_file_type:dir write;
> > ')
> >
> > ########################################
> > @@ -430,10 +429,10 @@
> > #
> > interface(`files_dontaudit_getattr_non_security_files',`
> > gen_require(`
> > - attribute file_type, security_file_type;
> > + attribute non_security_file_type;
> > ')
> >
> > - dontaudit $1 { file_type -security_file_type }:file getattr;
> > + dontaudit $1 non_security_file_type:file getattr;
> > ')
> >
> > ########################################
> > @@ -498,11 +497,11 @@
> > #
> > interface(`files_read_non_security_files',`
> > gen_require(`
> > - attribute file_type, security_file_type;
> > + attribute non_security_file_type;
> > ')
> >
> > - read_files_pattern($1,{ file_type -security_file_type },{ file_type -security_file_type })
> > - read_lnk_files_pattern($1,{ file_type -security_file_type },{ file_type -security_file_type })
> > + read_files_pattern($1,non_security_file_type,non_security_file_type)
> > + read_lnk_files_pattern($1,non_security_file_type,non_security_file_type)
> > ')
> >
> > ########################################
> > @@ -648,10 +647,10 @@
> > #
> > interface(`files_dontaudit_getattr_non_security_symlinks',`
> > gen_require(`
> > - attribute file_type, security_file_type;
> > + attribute non_security_file_type;
> > ')
> >
> > - dontaudit $1 { file_type -security_file_type }:lnk_file getattr;
> > + dontaudit $1 non_security_file_type:lnk_file getattr;
> > ')
> >
> > ########################################
> > @@ -667,10 +666,10 @@
> > #
> > interface(`files_dontaudit_getattr_non_security_blk_files',`
> > gen_require(`
> > - attribute file_type, security_file_type;
> > + attribute non_security_file_type;
> > ')
> >
> > - dontaudit $1 { file_type -security_file_type }:blk_file getattr;
> > + dontaudit $1 non_security_file_type:blk_file getattr;
> > ')
> >
> > ########################################
> > @@ -686,10 +685,10 @@
> > #
> > interface(`files_dontaudit_getattr_non_security_chr_files',`
> > gen_require(`
> > - attribute file_type, security_file_type;
> > + attribute non_security_file_type;
> > ')
> >
> > - dontaudit $1 { file_type -security_file_type }:chr_file getattr;
> > + dontaudit $1 non_security_file_type:chr_file getattr;
> > ')
> >
> > ########################################
> > @@ -763,10 +762,10 @@
> > #
> > interface(`files_dontaudit_getattr_non_security_pipes',`
> > gen_require(`
> > - attribute file_type, security_file_type;
> > + attribute non_security_file_type;
> > ')
> >
> > - dontaudit $1 { file_type -security_file_type }:fifo_file getattr;
> > + dontaudit $1 non_security_file_type:fifo_file getattr;
> > ')
> >
> > ########################################
> > @@ -820,10 +819,10 @@
> > #
> > interface(`files_dontaudit_getattr_non_security_sockets',`
> > gen_require(`
> > - attribute file_type, security_file_type;
> > + attribute non_security_file_type;
> > ')
> >
> > - dontaudit $1 { file_type -security_file_type }:sock_file getattr;
> > + dontaudit $1 non_security_file_type:sock_file getattr;
> > ')
> >
> > ########################################
> > @@ -4763,8 +4762,8 @@
> > #
> > interface(`files_manage_non_security_dirs',`
> > gen_require(`
> > - attribute file_type, security_file_type;
> > + attribute non_security_file_type;
> > ')
> >
> > - allow $1 { file_type -security_file_type }:dir manage_dir_perms;
> > + allow $1 non_security_file_type:dir manage_dir_perms;
> > ')
> > Index: policy/modules/kernel/files.te
> > ===================================================================
> > --- policy/modules/kernel/files.te (revision 2739)
> > +++ policy/modules/kernel/files.te (working copy)
> > @@ -26,6 +26,8 @@
> > # sensitive security files whose accesses should
> > # not be dontaudited for uses
> > attribute security_file_type;
> > +# and its opposite
> > +attribute non_security_file_type;
> >
> > attribute tmpfile;
> > attribute tmpfsfile;
> >
--
James Carter <jwcart2@tycho.nsa.gov>
National Security Agency
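A small model of the mechanism the patch description above relies on (a bare attribute in a rule stays one entry, while a set written with "-" is expanded into one entry per resulting type) and of the attribute overlap Chris found with sediff and Jim traced to files_mountpoint(auditd_log_t). This is an added example, not refpolicy or libsepol code: the policy contents, the 1000/5 type counts, and the assumption that files_mountpoint calls files_type internally are constructed for illustration.

```python
"""Toy model of refpolicy attribute sets after this patch.

Added example for the thread above; not code from refpolicy or libsepol.
"""

from collections import defaultdict


class Policy:
    """Types, attributes and the two set-expression forms the thread compares."""

    def __init__(self):
        self.types = set()
        self.attrs = defaultdict(set)  # attribute name -> member types

    def typeattribute(self, type_name, *attrs):
        """Equivalent of `typeattribute t a1, a2;` (declares t if needed)."""
        self.types.add(type_name)
        for a in attrs:
            self.attrs[a].add(type_name)

    def members(self, name):
        if name in self.attrs:
            return set(self.attrs[name])
        if name in self.types:
            return {name}
        raise KeyError(f"unknown type or attribute: {name}")

    def resolve(self, expr):
        """Type set denoted by e.g. "{ file_type -security_file_type }"."""
        result = set()
        for tok in expr.strip("{} ").split():
            if tok.startswith("-"):
                result -= self.members(tok[1:])
            else:
                result |= self.members(tok)
        return result

    def target_entries(self, expr):
        """Entries one rule against `expr` contributes per source type.

        Modelled on the behaviour the patch description gives: a bare
        attribute stays a single attribute-keyed entry, whereas a set
        containing '-' is expanded into one entry per resulting type.
        """
        toks = expr.strip("{} ").split()
        if len(toks) == 1 and not toks[0].startswith("-"):
            return 1
        return len(self.resolve(expr))


# The refpolicy interfaces involved, with the behaviour this patch gives them.

def files_type(p, t):            # patched: adds both attributes
    p.typeattribute(t, "file_type", "non_security_file_type")


def files_security_file(p, t):   # patched: no longer calls files_type
    p.typeattribute(t, "file_type", "security_file_type")


def files_mountpoint(p, t):      # assumption: calls files_type internally,
    files_type(p, t)             # as Jim's reply says it does for auditd_log_t


def build_policy(n_ordinary=1000, n_security=5):
    """Constructed policy: n_ordinary plain file types, n_security security
    file types, and auditd_log_t declared through both paths."""
    p = Policy()
    for i in range(n_ordinary):
        files_type(p, f"app{i}_t")
    for i in range(n_security):
        files_security_file(p, f"sec{i}_t")
    files_security_file(p, "auditd_log_t")
    files_mountpoint(p, "auditd_log_t")   # the line Jim identifies as the problem
    return p


def partition_violations(p, whole="file_type", a="security_file_type",
                         b="non_security_file_type"):
    """Types breaking the invariant the patch relies on: every file_type
    carries exactly one of the two attributes."""
    W, A, B = p.attrs[whole], p.attrs[a], p.attrs[b]
    return {"in_both": sorted(A & B), "in_neither": sorted(W - A - B)}


def types_gained(p, old="{ file_type -security_file_type }",
                 new="non_security_file_type"):
    """What a sediff of the two rule forms would report as added targets."""
    return sorted(p.resolve(new) - p.resolve(old))


if __name__ == "__main__":
    pol = build_policy()
    print("entries per rule, before:", pol.target_entries("{ file_type -security_file_type }"))
    print("entries per rule, after: ", pol.target_entries("non_security_file_type"))
    print("types gained by the rewrite:", types_gained(pol))
    print("partition violations:", partition_violations(pol))
```

With the constructed policy the old expression costs 1000 entries per rule and the attribute form costs one, which is the size saving Jim measured, and `types_gained` reports auditd_log_t, the rule addition Chris saw in sediff; `partition_violations` is the check a reviewer can run before accepting any patch of this shape.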
* Re: [refpolicy] Patch: Create non_security_file_type attribute
2008-07-18 15:42 ` James Carter
@ 2008-07-18 15:49 ` Christopher J. PeBenito
2008-07-18 16:03 ` James Carter
0 siblings, 1 reply; 9+ messages in thread
From: Christopher J. PeBenito @ 2008-07-18 15:49 UTC (permalink / raw)
To: jwcart2; +Cc: SELinux
On Fri, 2008-07-18 at 11:42 -0400, James Carter wrote:
> On Fri, 2008-07-18 at 10:15 -0400, Christopher J. PeBenito wrote:
> > On Fri, 2008-06-27 at 14:55 -0400, James Carter wrote:
> > > This patch eliminates the expansion of the file_type attribute (due to
> > > the "-" set operation) for the *_non_security interfaces by creating a
> > > non_security_file_type attribute.
> > >
> > > On my system the resulting binary policy is almost 20% smaller. The
> > > difference is so large because there are over 1000 types labeled with
> > > the file_type attribute.
> >
> > I'm hesitant to attach non_security_file_type to the files_type
> > attribute, since it's not clear to me that it makes conceptual sense.
>
> The primary goal here is a smaller binary policy. But it still makes
> sense conceptually to me because the security_file_type attribute is
> never used by itself as far as I can tell. It is always used as
> {file_type-security_file_type}.
>
> > In
> > fact a sediff of the policy reveals that auditd_log_t gains
> > non_security_file_type while it already has security_file_type, which
> > results in rule additions with this patch added.
> That's not good. There are only a handful of types labeled with
> security_file_type, I don't know how I missed that. Sorry.
>
> The following line is the problem: files_mountpoint(auditd_log_t).
> So, a files_mountpoint_security interface would have to be created.
>
> It's not a big deal to me. If there is no interest in creating a
> non_security_file_type attribute, I won't pursue this any farther.
I think the binary policy size savings is a good enough reason to pursue
it. Brainstorming for a second, another way to address this problem
would be to change how checkpolicy handles negations. It could make a
new attribute with the resultant type set from the negation; however,
that might be bad for analysis since an attribute would magically appear
out of nowhere.
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
* Re: [refpolicy] Patch: Create non_security_file_type attribute
2008-07-18 15:49 ` Christopher J. PeBenito
@ 2008-07-18 16:03 ` James Carter
2008-07-18 17:26 ` Daniel J Walsh
2008-07-18 18:09 ` Christopher J. PeBenito
0 siblings, 2 replies; 9+ messages in thread
From: James Carter @ 2008-07-18 16:03 UTC (permalink / raw)
To: Christopher J. PeBenito; +Cc: SELinux
On Fri, 2008-07-18 at 11:49 -0400, Christopher J. PeBenito wrote:
> On Fri, 2008-07-18 at 11:42 -0400, James Carter wrote:
> > On Fri, 2008-07-18 at 10:15 -0400, Christopher J. PeBenito wrote:
> > > On Fri, 2008-06-27 at 14:55 -0400, James Carter wrote:
> > > > This patch eliminates the expansion of the file_type attribute (due to
> > > > the "-" set operation) for the *_non_security interfaces by creating a
> > > > non_security_file_type attribute.
> > > >
> > > > On my system the resulting binary policy is almost 20% smaller. The
> > > > difference is so large because there are over 1000 types labeled with
> > > > the file_type attribute.
> > >
> > > I'm hesitant to attach non_security_file_type to the files_type
> > > attribute, since it's not clear to me that it makes conceptual sense.
> >
> > The primary goal here is a smaller binary policy. But it still makes
> > sense conceptually to me because the security_file_type attribute is
> > never used by itself as far as I can tell. It is always used as
> > {file_type-security_file_type}.
> >
> > > In
> > > fact a sediff of the policy reveals that auditd_log_t gains
> > > non_security_file_type while it already has security_file_type, which
> > > results in rule additions with this patch added.
> > That's not good. There are only a handful of types labeled with
> > security_file_type, I don't know how I missed that. Sorry.
> >
> > The following line is the problem: files_mountpoint(auditd_log_t).
> > So, a files_mountpoint_security interface would have to be created.
> >
> > It's not a big deal to me. If there is no interest in creating a
> > non_security_file_type attribute, I won't pursue this any farther.
>
> I think the binary policy size savings is a good enough reason to pursue
> it. Brainstorming for a second, another way to address this problem
> would be to change how checkpolicy handles negations. It could make a
> new attribute with the resultant type set from the negation;
It would need to make sure that the resultant set is not already covered
by an attribute, or much of the value would be lost.
> however,
> that might be bad for analysis since an attribute would magically appear
> out of nowhere.
You already have that problem when analyzing a binary policy, since the
attribute names aren't preserved.
--
James Carter <jwcart2@tycho.nsa.gov>
National Security Agency
* Re: [refpolicy] Patch: Create non_security_file_type attribute
2008-07-18 16:03 ` James Carter
@ 2008-07-18 17:26 ` Daniel J Walsh
2008-07-18 17:33 ` Stephen Smalley
2008-07-18 18:09 ` Christopher J. PeBenito
1 sibling, 1 reply; 9+ messages in thread
From: Daniel J Walsh @ 2008-07-18 17:26 UTC (permalink / raw)
To: jwcart2; +Cc: Christopher J. PeBenito, SELinux
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
James Carter wrote:
> On Fri, 2008-07-18 at 11:49 -0400, Christopher J. PeBenito wrote:
>> On Fri, 2008-07-18 at 11:42 -0400, James Carter wrote:
>>> On Fri, 2008-07-18 at 10:15 -0400, Christopher J. PeBenito wrote:
>>>> On Fri, 2008-06-27 at 14:55 -0400, James Carter wrote:
>>>>> This patch eliminates the expansion of the file_type attribute (due to
>>>>> the "-" set operation) for the *_non_security interfaces by creating a
>>>>> non_security_file_type attribute.
>>>>>
>>>>> On my system the resulting binary policy is almost 20% smaller. The
>>>>> difference is so large because there are over 1000 types labeled with
>>>>> the file_type attribute.
>>>> I'm hesitant to attach non_security_file_type to the files_type
>>>> attribute, since it's not clear to me that it makes conceptual sense.
>>> The primary goal here is a smaller binary policy. But it still makes
>>> sense conceptually to me because the security_file_type attribute is
>>> never used by itself as far as I can tell. It is always used as
>>> {file_type-security_file_type}.
>>>
>>>> In
>>>> fact a sediff of the policy reveals that auditd_log_t gains
>>>> non_security_file_type while it already has security_file_type, which
>>>> results in rule additions with this patch added.
>>> That's not good. There are only a handful of types labeled with
>>> security_file_type, I don't know how I missed that. Sorry.
>>>
>>> The following line is the problem: files_mountpoint(auditd_log_t).
>>> So, a files_mountpoint_security interface would have to be created.
>>>
>>> It's not a big deal to me. If there is no interest in creating a
>>> non_security_file_type attribute, I won't pursue this any farther.
>> I think the binary policy size savings is a good enough reason to pursue
>> it. Brainstorming for a second, another way to address this problem
>> would be to change how checkpolicy handles negations. It could make a
>> new attribute with the resultant type set from the negation;
>
> It would need to make sure that the resultant set is not already covered
> by an attribute, or much of the value would be lost.
>
>> however,
>> that might be bad for analysis since an attribute would magically appear
>> out of nowhere.
>
> You already have that problem when analyzing a binary policy, since the
> attribute names aren't preserved.
>
Speaking of which, I thought we were looking into adding that back in?
It could help out tools like audit2why...
Constraint violation, go through list of all attributes and see if one
fixes the problem.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
iEYEARECAAYFAkiA0j4ACgkQrlYvE4MpobOKMACaAmk9NZvQJIhgNlztBARgLlxL
dL8An0PPozwFr1hf0QRncfpWQvZuKd1A
=C4Bl
-----END PGP SIGNATURE-----
* Re: [refpolicy] Patch: Create non_security_file_type attribute
2008-07-18 17:26 ` Daniel J Walsh
@ 2008-07-18 17:33 ` Stephen Smalley
2008-07-18 17:50 ` Daniel J Walsh
0 siblings, 1 reply; 9+ messages in thread
From: Stephen Smalley @ 2008-07-18 17:33 UTC (permalink / raw)
To: Daniel J Walsh; +Cc: jwcart2, Christopher J. PeBenito, SELinux
On Fri, 2008-07-18 at 13:26 -0400, Daniel J Walsh wrote:
> James Carter wrote:
> > On Fri, 2008-07-18 at 11:49 -0400, Christopher J. PeBenito wrote:
> >> On Fri, 2008-07-18 at 11:42 -0400, James Carter wrote:
> >>> On Fri, 2008-07-18 at 10:15 -0400, Christopher J. PeBenito wrote:
> >>>> On Fri, 2008-06-27 at 14:55 -0400, James Carter wrote:
> >>>>> This patch eliminates the expansion of the file_type attribute (due to
> >>>>> the "-" set operation) for the *_non_security interfaces by creating a
> >>>>> non_security_file_type attribute.
> >>>>>
> >>>>> On my system the resulting binary policy is almost 20% smaller. The
> >>>>> difference is so large because there are over 1000 types labeled with
> >>>>> the file_type attribute.
> >>>> I'm hesitant to attach non_security_file_type to the files_type
> >>>> attribute, since it's not clear to me that it makes conceptual sense.
> >>> The primary goal here is a smaller binary policy. But it still makes
> >>> sense conceptually to me because the security_file_type attribute is
> >>> never used by itself as far as I can tell. It is always used as
> >>> {file_type-security_file_type}.
> >>>
> >>>> In
> >>>> fact a sediff of the policy reveals that auditd_log_t gains
> >>>> non_security_file_type while it already has security_file_type, which
> >>>> results in rule additions with this patch added.
> >>> That's not good. There are only a handful of types labeled with
> >>> security_file_type, I don't know how I missed that. Sorry.
> >>>
> >>> The following line is the problem: files_mountpoint(auditd_log_t).
> >>> So, a files_mountpoint_security interface would have to be created.
> >>>
> >>> It's not a big deal to me. If there is no interest in creating a
> >>> non_security_file_type attribute, I won't pursue this any farther.
> >> I think the binary policy size savings is a good enough reason to pursue
> >> it. Brainstorming for a second, another way to address this problem
> >> would be to change how checkpolicy handles negations. It could make a
> >> new attribute with the resultant type set from the negation;
> >
> > It would need to make sure that the resultant set is not already covered
> > by an attribute, or much of the value would be lost.
> >
> >> however,
> >> that might be bad for analysis since an attribute would magically appear
> >> out of nowhere.
> >
> > You already have that problem when analyzing a binary policy, since the
> > attribute names aren't preserved.
> >
> Speaking of which, I thought we were looking into adding that back in?
>
> It could help out tools like audit2why...
>
> Constraint violation, go through list of all attributes and see if one
> fixes the problem.
I'm not opposed, but it requires a policy version bump and kernel patch.
The alternative is to make tools like audit2why read the modular policy like
modern setools does and thus have the attribute info from it.
--
Stephen Smalley
National Security Agency
* Re: [refpolicy] Patch: Create non_security_file_type attribute
2008-07-18 17:33 ` Stephen Smalley
@ 2008-07-18 17:50 ` Daniel J Walsh
0 siblings, 0 replies; 9+ messages in thread
From: Daniel J Walsh @ 2008-07-18 17:50 UTC (permalink / raw)
To: Stephen Smalley; +Cc: jwcart2, Christopher J. PeBenito, SELinux
Stephen Smalley wrote:
> On Fri, 2008-07-18 at 13:26 -0400, Daniel J Walsh wrote:
>> James Carter wrote:
>>> On Fri, 2008-07-18 at 11:49 -0400, Christopher J. PeBenito wrote:
>>>> On Fri, 2008-07-18 at 11:42 -0400, James Carter wrote:
>>>>> On Fri, 2008-07-18 at 10:15 -0400, Christopher J. PeBenito wrote:
>>>>>> On Fri, 2008-06-27 at 14:55 -0400, James Carter wrote:
>>>>>>> This patch eliminates the expansion of the file_type attribute (due to
>>>>>>> the "-" set operation) for the *_non_security interfaces by creating a
>>>>>>> non_security_file_type attribute.
>>>>>>>
>>>>>>> On my system the resulting binary policy is almost 20% smaller. The
>>>>>>> difference is so large because there are over 1000 types labeled with
>>>>>>> the file_type attribute.
>>>>>> I'm hesitant to attach non_security_file_type to the files_type
>>>>>> attribute, since it's not clear to me that it makes conceptual sense.
>>>>> The primary goal here is a smaller binary policy. But it still makes
>>>>> sense conceptually to me because the security_file_type attribute is
>>>>> never used by itself as far as I can tell. It is always used as
>>>>> {file_type-security_file_type}.
>>>>>
>>>>>> In
>>>>>> fact a sediff of the policy reveals that auditd_log_t gains
>>>>>> non_security_file_type while it already has security_file_type, which
>>>>>> results in rule additions with this patch added.
>>>>> That's not good. There are only a handful of types labeled with
>>>>> security_file_type, I don't know how I missed that. Sorry.
>>>>>
>>>>> The following line is the problem: files_mountpoint(auditd_log_t).
>>>>> So, a files_mountpoint_security interface would have to be created.
>>>>>
>>>>> It's not a big deal to me. If there is no interest in creating a
>>>>> non_security_file_type attribute, I won't pursue this any farther.
>>>> I think the binary policy size savings is a good enough reason to pursue
>>>> it. Brainstorming for a second, another way to address this problem
>>>> would be to change how checkpolicy handles negations. It could make a
>>>> new attribute with the resultant type set from the negation;
>>> It would need to make sure that the resultant set is not already covered
>>> by an attribute, or much of the value would be lost.
>>>
>>>> however,
>>>> that might be bad for analysis since an attribute would magically appear
>>>> out of nowhere.
>>> You already have that problem when analyzing a binary policy, since the
>>> attribute names aren't preserved.
>>>
>> Speaking of which, I thought we were looking into adding that back in?
>>
>> It could help out tools like audit2why...
>>
>> Constraint violation, go through list of all attributes and see if one
>> fixes the problem.
>
> I'm not opposed, but it requires a policy version bump and kernel patch.
> The alternative is to make tools like audit2why read the modular policy like
> modern setools does and thus have the attribute info from it.
>
Of course there are trade-offs:
# time sesearch --allow > /dev/null
WARNING: This policy contained disabled aliases; they have been removed.
real 0m1.495s
user 0m1.427s
sys 0m0.060s
# time sesearch --allow /etc/selinux/targeted/modules/active/*.pp > /dev/null
real 0m10.666s
user 0m9.305s
sys 0m1.226s
* Re: [refpolicy] Patch: Create non_security_file_type attribute
2008-07-18 16:03 ` James Carter
2008-07-18 17:26 ` Daniel J Walsh
@ 2008-07-18 18:09 ` Christopher J. PeBenito
1 sibling, 0 replies; 9+ messages in thread
From: Christopher J. PeBenito @ 2008-07-18 18:09 UTC (permalink / raw)
To: jwcart2; +Cc: SELinux
On Fri, 2008-07-18 at 12:03 -0400, James Carter wrote:
> On Fri, 2008-07-18 at 11:49 -0400, Christopher J. PeBenito wrote:
> > On Fri, 2008-07-18 at 11:42 -0400, James Carter wrote:
> > > On Fri, 2008-07-18 at 10:15 -0400, Christopher J. PeBenito wrote:
> > > > On Fri, 2008-06-27 at 14:55 -0400, James Carter wrote:
> > > > > This patch eliminates the expansion of the file_type attribute (due to
> > > > > the "-" set operation) for the *_non_security interfaces by creating a
> > > > > non_security_file_type attribute.
> > > > >
> > > > > On my system the resulting binary policy is almost 20% smaller. The
> > > > > difference is so large because there are over 1000 types labeled with
> > > > > the file_type attribute.
> > > >
> > > > I'm hesitant to attach non_security_file_type to the files_type
> > > > attribute, since it's not clear to me that it makes conceptual sense.
> > >
> > > The primary goal here is a smaller binary policy. But it still makes
> > > sense conceptually to me because the security_file_type attribute is
> > > never used by itself as far as I can tell. It is always used as
> > > {file_type-security_file_type}.
> > >
> > > > In
> > > > fact a sediff of the policy reveals that auditd_log_t gains
> > > > non_security_file_type while it already has security_file_type, which
> > > > results in rule additions with this patch added.
> > > That's not good. There are only a handful of types labeled with
> > > security_file_type, I don't know how I missed that. Sorry.
> > >
> > > The following line is the problem: files_mountpoint(auditd_log_t).
> > > So, a files_mountpoint_security interface would have to be created.
> > >
> > > It's not a big deal to me. If there is no interest in creating a
> > > non_security_file_type attribute, I won't pursue this any farther.
> >
> > I think the binary policy size savings is a good enough reason to pursue
> > it. Brainstorming for a second, another way to address this problem
> > would be to change how checkpolicy handles negations. It could make a
> > new attribute with the resultant type set from the negation;
>
> It would need to make sure that the resultant set is not already covered
> by an attribute, or much of the value would be lost.
Yes, that would make sense.
> > however,
> > that might be bad for analysis since an attribute would magically appear
> > out of nowhere.
>
> You already have that problem when analyzing a binary policy, since the
> attribute names aren't preserved.
Well what I mean is that you have your source policy which has X
attributes, but when you open up your binary policy in setools you have
X+1, so you wonder if something bad is happening in the compiler, since
the source and binary don't match up.
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
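The negation-expansion problem and the auditd_log_t finding that run through the whole thread, as an added Python model that is not part of the thread, of refpolicy, or of checkpolicy/libsepol. It assumes that files_mountpoint() labels its argument through files_type(), treats the files_mountpoint_security() interface James proposes as a hypothetical, and builds a constructed seven-type sample policy. It computes the rule count each form produces, the types the attribute form reaches that the negated form did not, and the empty-overlap check that would have caught the auditd_log_t regression before sediff did.

```python
"""Toy model of the attribute change discussed in this thread (constructed
example; not checkpolicy, libsepol or refpolicy code).  It contrasts the
negated set { file_type -security_file_type }, which the compiler expands into
one rule per member type, with the attribute non_security_file_type, which
stays one rule, and runs the check sediff exposed: no type may carry both
security_file_type and non_security_file_type."""
from __future__ import annotations


class Policy:
    def __init__(self) -> None:
        self.attrs: dict[str, set[str]] = {}
        # (source, target, class, perms); target is a type or an attribute name
        self.rules: set[tuple[str, str, str, str]] = set()

    def typeattribute(self, t: str, *attrs: str) -> None:
        for a in attrs:
            self.attrs.setdefault(a, set()).add(t)

    def members(self, attr: str) -> set[str]:
        return set(self.attrs.get(attr, ()))

    # Interfaces modelled on the patch at the top of this thread.
    def files_type(self, t: str) -> None:
        self.typeattribute(t, "file_type", "non_security_file_type")

    def files_security_file(self, t: str) -> None:
        self.typeattribute(t, "file_type", "security_file_type")

    def files_mountpoint(self, t: str) -> None:
        # Assumption: files_mountpoint() labels its argument through files_type().
        self.files_type(t)
        self.typeattribute(t, "mountpoint")

    def files_mountpoint_security(self, t: str) -> None:
        # Hypothetical interface James proposes; labels via files_security_file().
        self.files_security_file(t)
        self.typeattribute(t, "mountpoint")

    def allow_negated(self, src: str, cls: str, perms: str) -> int:
        """allow src { file_type -security_file_type }:cls perms; expanded per type."""
        targets = self.members("file_type") - self.members("security_file_type")
        for t in targets:
            self.rules.add((src, t, cls, perms))
        return len(targets)

    def allow_attribute(self, src: str, cls: str, perms: str) -> int:
        """allow src non_security_file_type:cls perms; a single rule."""
        self.rules.add((src, "non_security_file_type", cls, perms))
        return 1

    def effective_targets(self, src: str, cls: str, perms: str) -> set[str]:
        """Types src can actually reach, resolving attribute targets."""
        out: set[str] = set()
        for s, tgt, c, p in self.rules:
            if (s, c, p) == (src, cls, perms):
                out |= self.members(tgt) if tgt in self.attrs else {tgt}
        return out

    def overlapping_security_types(self) -> set[str]:
        """The sediff finding as a lint: types carrying both attributes."""
        return self.members("security_file_type") & self.members("non_security_file_type")


def build(use_attribute: bool, fixed_mountpoint: bool) -> Policy:
    """Constructed sample policy: five ordinary file types plus two security ones."""
    p = Policy()
    for t in ("etc_t", "var_t", "tmp_t", "usr_t", "home_root_t"):
        p.files_type(t)
    p.files_security_file("shadow_t")
    p.files_security_file("auditd_log_t")
    # The line the thread identifies as the problem: files_mountpoint(auditd_log_t)
    if fixed_mountpoint:
        p.files_mountpoint_security("auditd_log_t")
    else:
        p.files_mountpoint("auditd_log_t")
    if use_attribute:
        p.allow_attribute("user_t", "dir", "list_dir_perms")
    else:
        p.allow_negated("user_t", "dir", "list_dir_perms")
    return p


def compare() -> dict[str, object]:
    negated = build(use_attribute=False, fixed_mountpoint=False)
    attr = build(use_attribute=True, fixed_mountpoint=False)
    fixed = build(use_attribute=True, fixed_mountpoint=True)
    key = ("user_t", "dir", "list_dir_perms")
    return {
        "rules_negated": len(negated.rules),
        "rules_attribute": len(attr.rules),
        # types the attribute form reaches that the negated form withheld
        "leaked": attr.effective_targets(*key) - negated.effective_targets(*key),
        "overlap_before_fix": attr.overlapping_security_types(),
        "overlap_after_fix": fixed.overlapping_security_types(),
        "leaked_after_fix": fixed.effective_targets(*key) - negated.effective_targets(*key),
    }
```

Calling compare() shows the trade-off in numbers: the negated form costs one rule per non-security file type (five here, over a thousand in the real policy), the attribute form costs one, and the leaked set contains auditd_log_t until the mountpoint labelling goes through the security interface. The overlap check is the one worth keeping in a policy build: it is cheap, needs no sediff run, and fails the moment any type picks up both attributes.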