adding human understandable, and translatable description support to selinux

adding human understandable, and translatable description support to selinux

[Christopher Pardy]

I'm currently working on improving the gui tools for managing selinux(the ones that ship with fedora). One of the things that has already come up is a need for more plain English descriptions of various policy components. Currently this capability exists in the policy.xml for booleans however this file is not rebuilt at policy compile time so changes and even the installation of modules is not reflected in this. I'd like to propose that a documentation section be added to each policy directory, "/etc/selinux/<policyname>/docs/". This would contain locale specific documentation files that would store information in key-value pairs. ie: {users.guest_u:"A guest user who can only (etc)"}. An interface to this store would be built for libselinux and support for setting and getting documentation would be added to some of the command line tools or given it's own tool. Additionally a method would need to be created for policy authors to define descriptions in there policy (similar to
 the policy.xml method)
Before I get started on this I wanted to see what the general opinion on both the need and the best implementation would be. So what do you guys think?

Christopher Pardy <cpardy@redhat.com>

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

RE: adding human understandable, and translatable description support to selinux

[Remmolt G. Zwartsenberg]

[-- Attachment #1: Type: text/plain, Size: 2325 bytes --]

Hello Christopher,

I do have some x-windows, Apple OS-X Tiger and Microsoft Gui Runlibs in our
32 and 64 bit widget repository.

According to the General's opinion, Colonels have no say in this. Another
thing is the needs of the Quartermaster, who has her own issues in keeping
the cockroaches out of the pantries and field kitchens.

Do we need a license to practise this art? Or do we discuss ballistics with
kim young il's spouse. I remember at the Hubble Spacewebcam, we could not
mount '/' NFS as the root file system. 

Yours sincerely,

Remmolt G. Zwartsenberg <remmolt@zwartsenberg.eu>

Rocket Science Budgetteer

 

-----Original Message-----
From: owner-selinux@tycho.nsa.gov [mailto:owner-selinux@tycho.nsa.gov] On
Behalf Of Christopher Pardy
Sent: maandag 20 juli 2009 16:34
To: selinux@tycho.nsa.gov
Subject: adding human understandable, and translatable description support
to selinux

I'm currently working on improving the gui tools for managing selinux(the
ones that ship with fedora). One of the things that has already come up is a
need for more plain English descriptions of various policy components.
Currently this capability exists in the policy.xml for booleans however this
file is not rebuilt at policy compile time so changes and even the
installation of modules is not reflected in this. I'd like to propose that a
documentation section be added to each policy directory,
"/etc/selinux/<policyname>/docs/". This would contain locale specific
documentation files that would store information in key-value pairs. ie:
{users.guest_u:"A guest user who can only (etc)"}. An interface to this
store would be built for libselinux and support for setting and getting
documentation would be added to some of the command line tools or given it's
own tool. Additionally a method would need to be created for policy authors
to define descriptions in there policy (similar to
 the policy.xml method)
Before I get started on this I wanted to see what the general opinion on
both the need and the best implementation would be. So what do you guys
think?

Christopher Pardy <cpardy@redhat.com>

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov
with
the words "unsubscribe selinux" without quotes as the message.

Re: adding human understandable, and translatable description support to selinux

[Christopher J. PeBenito]

On Mon, 2009-07-20 at 10:34 -0400, Christopher Pardy wrote:
> I'm currently working on improving the gui tools for managing
> selinux(the ones that ship with fedora). One of the things that has
> already come up is a need for more plain English descriptions of
> various policy components. Currently this capability exists in the
> policy.xml for booleans however this file is not rebuilt at policy
> compile time so changes and even the installation of modules is not
> reflected in this. I'd like to propose that a documentation section be
> added to each policy directory, "/etc/selinux/<policyname>/docs/".
> This would contain locale specific documentation files that would
> store information in key-value pairs. ie: {users.guest_u:"A guest user
> who can only (etc)"}. An interface to this store would be built for
> libselinux and support for setting and getting documentation would be
> added to some of the command line tools or given it's own tool.
> Additionally a method would need to be created for policy authors to
> define descriptions in there policy (similar to the policy.xml method)
> Before I get started on this I wanted to see what the general opinion
> on both the need and the best implementation would be. So what do you
> guys think?

Why can't we just build on the policy.xml stuff instead of making a
whole new format?  Refpolicy devel headers already installs sufficient
xml to rebuild the policy.xml.  The xml portion of the headers could be
separated out into a -docs pakage.  Why not just formalize the
(re)building of the xml in the infrastructure?

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: adding human understandable, and translatable description support to selinux

[Christopher Pardy]

> 
> Did you forget to do reply to all?
> 

yes!

If that's the best way to go fine, however the xml file is only
generated when I acutually compile the modules if I install a module
through semanage any data that module adds will be left out. I
certainly wouldn't be opposed to extending policy.xml as part of this
but there needs to be a way for installed modules to work too.
Additionally if we're going to continue the trend of using policy.xml
for management rather than development we really should move it.


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: adding human understandable, and translatable description support to selinux

[Daniel J Walsh]

Currently we need to be able to define and update user descriptions via modules or semanage

# semanage user -a -R unconfined_r -D'All powerfull user' dwalsh


Similarly we need to be able to define new booleans in policy modules and have the description show up.  We also want the massive policy update that ships the policy.xml not to hammer over the custom updates made by the user or any third party policies he installed.

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: adding human understandable, and translatable description support to selinux

[Joshua Brindle]

Christopher Pardy wrote:
>> Did you forget to do reply to all?
>>
>
> yes!
>
> If that's the best way to go fine, however the xml file is only
> generated when I acutually compile the modules if I install a module
> through semanage any data that module adds will be left out. I
> certainly wouldn't be opposed to extending policy.xml as part of this
> but there needs to be a way for installed modules to work too.
> Additionally if we're going to continue the trend of using policy.xml
> for management rather than development we really should move it.
>

One of the things that we want CIL to do is have the ability to embed 
documentation for purposes such as debugging into the language. This would allow 
the documentation to make it all the way into the module store and would be 
retrievable by tools.

For reference we started talking about CIL here:
http://marc.info/?l=selinux&m=124784581623125&w=2

though we haven't gotten very far in the discussion.


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.