From: Cliffe <cliffe@ii.net>
To: Daniel J Walsh <dwalsh@redhat.com>
Cc: Stephen Smalley <sds@tycho.nsa.gov>,
	selinux@tycho.nsa.gov, slide@tresys.com,
	Christopher Pardy <cpardy@redhat.com>
Subject: Re: Help with SELinux policy for Usability Study
Date: Fri, 31 Jul 2009 09:57:52 +0800
Message-ID: <4A724FA0.9010001@ii.net>
In-Reply-To: <4A71D8CE.1010700@redhat.com>

Daniel J Walsh wrote:
> BTW, if you use the sepolgen command line that is in F11 and Rawhide, it has new features to examine the executable and rpm information to generate more data automagically.  It is using the same framework that polgengui is using.
>
> You can execute
>
> sepolgen /usr/sbin/myapp
>
> And it will generate the myapp.te, if, fc, sh files automatically. No gui to walk through.
>
> For example it will look for paths in the rpm that match /var/run/myapp, /var/lib/myapp ... and create proper types.
> It also runs nm -D /usr/sbin/myapp looking for function calls that it knows require certain interfaces. If it finds syslog it will add the
>
> logging_send_syslog_msg(myapp_t) 
>
> call.
>
> I have not merged this stuff back into the GUI yet.
>   

Thanks. They sound like helpful features. They sound similar to some of 
the techniques my own tool uses.

I tested sepolgen with a few apps. Since the results still require a 
very similar amount of manual editing it is probably fairest to use the 
gui tool as much as possible as the other systems participants will use 
all use gui policy management tools.

Some information about the study:
    - Participants will be shown a prerecorded explanation and 
demonstration of SELinux
    - And have a limited amount of time to confine some programs
    - I don't want to go into too much detail here until the study is 
complete

Justification for using polgengui:
    - It ships standard with Fedora
    - It has a gui (like the other tools they will be using)
    - It has a short learning curve (as opposed to perhaps SLIDE, which 
appears to be a more comprehensive tool for policy design but maybe not 
as suited to the average user)

Some questions:
Does SLIDE automate more of the process, such as adding to the created 
policy?
Is there a tool or command to put a domain into enforcing mode rather 
than manually editing the .te file? (system-config-selinux seems to 
think it is already in enforcing mode)

Some suggestions:
It might be a good idea to make the gui tools such as setroubleshoot 
aware of permissive domains, as it simply says that SELinux enforcing 
mode is on.
It may be a good idea to create a gui tool which steps users through the 
process of adding to a .te file using audit2allow (if one doesn't exist 
already).

Christopher Pardy wrote:
> Please CC me any results you find as well as any issues with the gui tools as I'm revamping them for F12.
>   
Sure. Participants will give feedback such as suggestions for improvement.

Thanks again everyone for your advice and suggestions,

Cliffe.
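
The two heuristics described in the quoted text (imported symbols from `nm -D` mapped to policy interfaces, and packaged paths mapped to per-application types), as an added Python example that is not sepolgen's code and not part of this message. Only the `syslog` to `logging_send_syslog_msg` pairing comes from the thread; the function names, the other table rows, the type-naming scheme and the sample input are assumptions constructed for illustration.

```python
import re

# Imported symbol -> policy interface. Only the syslog row comes from the
# message; the other two rows are assumptions added for illustration.
SYMBOL_INTERFACES = {
    "syslog": "logging_send_syslog_msg",
    "getpwnam": "auth_use_nsswitch",
    "gethostbyname": "sysnet_dns_name_resolve",
}
# Parent directory -> type suffix (assumed naming convention).
DIR_TYPES = {"/var/run": "var_run_t", "/var/lib": "var_lib_t", "/var/log": "log_t"}

def imported_symbols(nm_output):
    """Names of undefined (imported) symbols in `nm -D` output."""
    names = set()
    for line in nm_output.splitlines():
        fields = line.split()
        # Defined symbols carry an address column, so they have three fields.
        if len(fields) == 2 and fields[0] == "U":
            name = fields[1].split("@")[0]  # drop the "@GLIBC_x.y" version tag
            # _FORTIFY_SOURCE builds import __syslog_chk instead of syslog.
            fortified = re.fullmatch(r"__(\w+)_chk", name)
            names.add(fortified.group(1) if fortified else name)
    return names

def suggest_interfaces(nm_output, app):
    """Interface calls to add to <app>.te for the symbols the binary imports."""
    syms = imported_symbols(nm_output)
    return sorted(f"{iface}({app}_t)"
                  for sym, iface in SYMBOL_INTERFACES.items() if sym in syms)

def suggest_types(package_paths, app):
    """Map packaged paths such as /var/lib/<app> to a per-application type."""
    found = {}
    for path in package_paths:
        for parent, suffix in DIR_TYPES.items():
            if path == f"{parent}/{app}":
                found[path] = f"{app}_{suffix}"
    return found

# Constructed sample input (not captured from a real system).
SAMPLE_NM = """\
                 U __syslog_chk@GLIBC_2.4
                 U getpwnam@GLIBC_2.2.5
                 w __gmon_start__
0000000000004010 B syslog_enabled
                 U printf@GLIBC_2.2.5
"""
SAMPLE_PATHS = ["/usr/sbin/myapp", "/var/run/myapp", "/var/lib/myapp", "/var/lib/myapp/db"]

if __name__ == "__main__":
    print("\n".join(suggest_interfaces(SAMPLE_NM, "myapp")))
    for path, setype in suggest_types(SAMPLE_PATHS, "myapp").items():
        print(f"{path}(/.*)?\tgen_context(system_u:object_r:{setype},s0)")
```

The defined symbol `syslog_enabled` in the sample does not trigger the logging interface, because only undefined (`U`) entries are treated as calls into a library. Output like this is a starting point for review, not a finished policy, which matches the observation in the message that generated policy still needs manual editing.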
