From: Daniel J Walsh <dwalsh@redhat.com>
To: jwcart2@tycho.nsa.gov
Cc: qingtao.cao@windriver.com, Eric Paris <eparis@parisplace.org>,
cpebenito@tresys.com, slawrence@tresys.com,
selinux@tycho.nsa.gov
Subject: Re: v0 Separate tunables from booleans
Date: Fri, 26 Aug 2011 10:28:38 -0400 [thread overview]
Message-ID: <4E57AD96.3080004@redhat.com> (raw)
In-Reply-To: <1314279347.11929.6.camel@moss-lions.epoch.ncsc.mil>
[-- Attachment #1: Type: text/plain, Size: 2912 bytes --]
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 08/25/2011 09:35 AM, James Carter wrote:
> On Thu, 2011-08-25 at 09:04 -0400, Daniel J Walsh wrote:
>> On 08/25/2011 02:17 AM, Harry Ciao wrote:
>>> Hi Eric,
>>>
>>> Eric Paris 写道:
>>>> On Tue, Aug 23, 2011 at 6:08 AM, Harry Ciao
>>>> <qingtao.cao@windriver.com> wrote:
>>>>
>>>>
>>>>> With this patchset, the size of policy.X would drop
>>>>> significantly from 600+k down to 322+k bytes(since most of
>>>>> tunables are default to false, and there is no else branch
>>>>> of most conditionals).
>>>>>
>>>>
>>>> I should point out that I think you're off by one order of
>>>> magnitude. You went from a 6M policy to a 3.2M policy. But
>>>> still.
>>>>
>>>> I decided to do a little playing with this yesterday in
>>>> Fedora policy (where Dan already DRASTICALLY reduced the
>>>> policy size by changing from type sets with removal to using
>>>> all attributes. My numbers weren't quite as impressive as
>>>> yours (and I'm not certain I did one thing correctly)
>>>>
>>>> Pre Patch: 2148552 bytes 89383 allow rules 193 booleans
>>>> Post Patch (no policy changes) 2166328 bytes 89383 allow
>>>> rules 193 booleans Post Patch WITH policy changes 2031150
>>>> bytes 79685 allow rules 4 booleans
>>>>
>>>> So our policy grows 0.8% with only the tools change. Our
>>>> policy shrinks 5.5% with this change. So it certainly
>>>> doesn't look like bad news.
>>>>
>>>>
>>>>
>>> No problem. I am using refpolicy from tresys tree and I have
>>> applied my test patch to introduce a new keyword of "tunable"
>>> and change tunable_policy() to use this tunable keyword rather
>>> than the current "bool" keyword. Since your number of booleans
>>> has jumped from 193 down to 4, you must have applied this patch
>>> correctly :-)
>>>
>>> Since most tunables declared by tunable_policy() would default
>>> to false and most of these tunable_policy() just has one if
>>> branch, then in practice none rules would ever be expanded and
>>> written to raw policy for them, that's why I have witnessed a
>>> significant drop from 6M to 3.22M.
>>>
>>> So I could only guess in Fedora policy perhaps most tunables
>>> default to true, or many tunable conditionals have two
>>> branches, then the logically true branch would be expanded as
>>> normal. By whatever, the size of policy.X would decrease when
>>> all disabled branch of rules are discarded.
>>>
>>
>> The Fedora policy has removed all calls that do stuff like
>>
>> allow XYZ_t { file_type -shadow_t }:file read;
>>
<<snip>>
I left the interfaces but I stopped using them.
I replaced them with files calls.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iEYEARECAAYFAk5XrZYACgkQrlYvE4MpobMBhQCeMu/rdbhb6c17fgZeGbQW0I1I
OkYAoNW5RAAyiCTvtwz4KO5FuK1NEnx+
=u+94
-----END PGP SIGNATURE-----
[-- Attachment #2: eliminate_except_auth.patch --]
[-- Type: text/plain, Size: 12246 bytes --]
diff --git a/policy/modules/admin/dpkg.te b/policy/modules/admin/dpkg.te
index 633d2fc..8d62407 100644
--- a/policy/modules/admin/dpkg.te
+++ b/policy/modules/admin/dpkg.te
@@ -140,8 +140,8 @@ storage_raw_write_fixed_disk(dpkg_t)
# for installing kernel packages
storage_raw_read_fixed_disk(dpkg_t)
-auth_relabel_all_files_except_auth_files(dpkg_t)
-auth_manage_all_files_except_auth_files(dpkg_t)
+files_relabel_non_security_files(dpkg_t)
+files_manage_non_security_files(dpkg_t)
auth_dontaudit_read_shadow(dpkg_t)
files_exec_etc_files(dpkg_t)
@@ -286,7 +286,7 @@ term_use_all_terms(dpkg_script_t)
auth_dontaudit_getattr_shadow(dpkg_script_t)
# ideally we would not need this
-auth_manage_all_files_except_auth_files(dpkg_script_t)
+files_manage_non_security_files(dpkg_script_t)
init_domtrans_script(dpkg_script_t)
init_use_script_fds(dpkg_script_t)
diff --git a/policy/modules/admin/rpm.te b/policy/modules/admin/rpm.te
index 7d964bf..ba6e400 100644
--- a/policy/modules/admin/rpm.te
+++ b/policy/modules/admin/rpm.te
@@ -154,8 +154,8 @@ storage_raw_read_fixed_disk(rpm_t)
term_list_ptys(rpm_t)
-auth_relabel_all_files_except_auth_files(rpm_t)
-auth_manage_all_files_except_auth_files(rpm_t)
+files_relabel_all_files(rpm_t)
+files_manage_all_files(rpm_t)
auth_dontaudit_read_shadow(rpm_t)
auth_use_nsswitch(rpm_t)
@@ -304,8 +304,8 @@ term_use_all_terms(rpm_script_t)
auth_dontaudit_getattr_shadow(rpm_script_t)
auth_use_nsswitch(rpm_script_t)
# ideally we would not need this
-auth_manage_all_files_except_auth_files(rpm_script_t)
-auth_relabel_shadow(rpm_script_t)
+files_manage_all_files(rpm_script_t)
+files_relabel_all_files(rpm_script_t)
corecmd_exec_all_executables(rpm_script_t)
diff --git a/policy/modules/admin/sosreport.te b/policy/modules/admin/sosreport.te
index ebaff2f..de6b197 100644
--- a/policy/modules/admin/sosreport.te
+++ b/policy/modules/admin/sosreport.te
@@ -80,7 +80,7 @@ fs_list_inotifyfs(sosreport_t)
# some config files do not have configfile attribute
# sosreport needs to read various files on system
-auth_read_all_files_except_auth_files(sosreport_t)
+files_read_non_security_files(sosreport_t)
auth_use_nsswitch(sosreport_t)
init_domtrans_script(sosreport_t)
diff --git a/policy/modules/admin/sxid.te b/policy/modules/admin/sxid.te
index 045fb86..a51a92d 100644
--- a/policy/modules/admin/sxid.te
+++ b/policy/modules/admin/sxid.te
@@ -66,7 +66,7 @@ fs_list_all(sxid_t)
term_dontaudit_use_console(sxid_t)
-auth_read_all_files_except_auth_files(sxid_t)
+files_read_non_security_files(sxid_t)
auth_dontaudit_getattr_shadow(sxid_t)
init_use_fds(sxid_t)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index deb24b4..225c263 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -663,12 +663,63 @@ interface(`files_read_non_security_files',`
attribute non_security_file_type;
')
+ list_dirs_pattern($1, non_security_file_type, non_security_file_type)
read_files_pattern($1, non_security_file_type, non_security_file_type)
read_lnk_files_pattern($1, non_security_file_type, non_security_file_type)
')
########################################
## <summary>
+## Manage all non-security files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`files_manage_non_security_files',`
+ gen_require(`
+ attribute non_security_file_type;
+ ')
+
+ manage_files_pattern($1, non_security_file_type, non_security_file_type)
+ manage_lnk_files_pattern($1, non_security_file_type, non_security_file_type)
+')
+
+########################################
+## <summary>
+## Relabel all non-security files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`files_relabel_non_security_files',`
+ gen_require(`
+ attribute non_security_file_type;
+ ')
+
+ relabel_files_pattern($1, non_security_file_type, non_security_file_type)
+ allow $1 { non_security_file_type }:dir list_dir_perms;
+ relabel_dirs_pattern($1, { non_security_file_type }, { non_security_file_type })
+ relabel_files_pattern($1, { non_security_file_type }, { non_security_file_type })
+ relabel_lnk_files_pattern($1, { non_security_file_type }, { non_security_file_type })
+ relabel_fifo_files_pattern($1, { non_security_file_type }, { non_security_file_type })
+ relabel_sock_files_pattern($1, { non_security_file_type }, { non_security_file_type })
+ relabel_blk_files_pattern($1, { non_security_file_type }, { non_security_file_type })
+ relabel_chr_files_pattern($1, { non_security_file_type }, { non_security_file_type })
+
+ # satisfy the assertions:
+ seutil_relabelto_bin_policy($1)
+')
+
+########################################
+## <summary>
## Read all directories on the filesystem, except
## the listed exceptions.
## </summary>
@@ -2451,7 +2502,7 @@ interface(`files_read_etc_files',`
## </summary>
## <param name="domain">
## <summary>
-## Domain allowed access.
+## Domain to not audit.
## </summary>
## </param>
#
@@ -3945,7 +3996,7 @@ interface(`files_getattr_tmp_dirs',`
## </summary>
## <param name="domain">
## <summary>
-## Domain allowed access.
+## Domain to not audit.
## </summary>
## </param>
#
@@ -4017,7 +4068,7 @@ interface(`files_list_tmp',`
## </summary>
## <param name="domain">
## <summary>
-## Domain not to audit.
+## Domain to not audit.
## </summary>
## </param>
#
@@ -4202,7 +4253,7 @@ interface(`files_relabel_all_tmp_dirs',`
## </summary>
## <param name="domain">
## <summary>
-## Domain not to audit.
+## Domain to not audit.
## </summary>
## </param>
#
@@ -4262,7 +4313,7 @@ interface(`files_relabel_all_tmp_files',`
## </summary>
## <param name="domain">
## <summary>
-## Domain not to audit.
+## Domain to not audit.
## </summary>
## </param>
#
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index eac9961..797f131 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -336,7 +336,7 @@ optional_policy(`
fs_read_noxattr_fs_symlinks(kernel_t)
auth_read_all_dirs_except_auth_files(kernel_t)
- auth_read_all_files_except_auth_files(kernel_t)
+ files_read_non_security_files(kernel_t)
auth_read_all_symlinks_except_auth_files(kernel_t)
')
@@ -346,7 +346,7 @@ optional_policy(`
fs_read_noxattr_fs_files(kernel_t)
fs_read_noxattr_fs_symlinks(kernel_t)
- auth_manage_all_files_except_auth_files(kernel_t)
+ files_manage_non_security_files(kernel_t)
')
')
diff --git a/policy/modules/roles/secadm.te b/policy/modules/roles/secadm.te
index 89ddeaa..4b5119b 100644
--- a/policy/modules/roles/secadm.te
+++ b/policy/modules/roles/secadm.te
@@ -30,7 +30,7 @@ mls_file_upgrade(secadm_t)
mls_file_downgrade(secadm_t)
auth_role(secadm_r, secadm_t)
-auth_relabel_all_files_except_auth_files(secadm_t)
+files_relabel_non_security_files(secadm_t)
auth_relabel_shadow(secadm_t)
init_exec(secadm_t)
diff --git a/policy/modules/services/ftp.te b/policy/modules/services/ftp.te
index 02ffdfb..69c2d2c 100644
--- a/policy/modules/services/ftp.te
+++ b/policy/modules/services/ftp.te
@@ -261,7 +261,7 @@ tunable_policy(`allow_ftpd_use_nfs && allow_ftpd_anon_write',`
tunable_policy(`allow_ftpd_full_access',`
allow ftpd_t self:capability { dac_override dac_read_search };
- auth_manage_all_files_except_auth_files(ftpd_t)
+ files_manage_non_security_files(ftpd_t)
')
tunable_policy(`ftp_home_dir',`
@@ -394,7 +394,7 @@ tunable_policy(`sftpd_enable_homedirs && use_samba_home_dirs',`
tunable_policy(`sftpd_full_access',`
allow sftpd_t self:capability { dac_override dac_read_search };
fs_read_noxattr_fs_files(sftpd_t)
- auth_manage_all_files_except_auth_files(sftpd_t)
+ files_manage_non_security_files(sftpd_t)
')
tunable_policy(`use_samba_home_dirs',`
diff --git a/policy/modules/services/puppet.te b/policy/modules/services/puppet.te
index 941f6e1..68985da 100644
--- a/policy/modules/services/puppet.te
+++ b/policy/modules/services/puppet.te
@@ -134,7 +134,7 @@ sysnet_dns_name_resolve(puppet_t)
sysnet_run_ifconfig(puppet_t, system_r)
tunable_policy(`puppet_manage_all_files',`
- auth_manage_all_files_except_auth_files(puppet_t)
+ files_manage_non_security_files(puppet_t)
')
optional_policy(`
diff --git a/policy/modules/services/rgmanager.te b/policy/modules/services/rgmanager.te
index c537000..52ec13b 100644
--- a/policy/modules/services/rgmanager.te
+++ b/policy/modules/services/rgmanager.te
@@ -92,7 +92,7 @@ term_getattr_pty_fs(rgmanager_t)
#term_use_ptmx(rgmanager_t)
# needed by resources scripts
-auth_read_all_files_except_auth_files(rgmanager_t)
+files_read_non_security_files(rgmanager_t)
auth_dontaudit_getattr_shadow(rgmanager_t)
auth_use_nsswitch(rgmanager_t)
diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te
index 62fca97..6c6d18b 100644
--- a/policy/modules/services/rpc.te
+++ b/policy/modules/services/rpc.te
@@ -158,7 +158,7 @@ tunable_policy(`nfs_export_all_rw',`
dev_getattr_all_chr_files(nfsd_t)
fs_read_noxattr_fs_files(nfsd_t)
- auth_manage_all_files_except_auth_files(nfsd_t)
+ files_manage_non_security_files(nfsd_t)
')
tunable_policy(`nfs_export_all_ro',`
@@ -171,7 +171,7 @@ tunable_policy(`nfs_export_all_ro',`
fs_read_noxattr_fs_files(nfsd_t)
auth_read_all_dirs_except_auth_files(nfsd_t)
- auth_read_all_files_except_auth_files(nfsd_t)
+ files_read_non_security_files(nfsd_t)
')
########################################
diff --git a/policy/modules/services/rsync.te b/policy/modules/services/rsync.te
index 1c381e1..51cedbd 100644
--- a/policy/modules/services/rsync.te
+++ b/policy/modules/services/rsync.te
@@ -126,7 +126,7 @@ tunable_policy(`rsync_export_all_ro',`
fs_read_nfs_files(rsync_t)
fs_read_cifs_files(rsync_t)
auth_read_all_dirs_except_auth_files(rsync_t)
- auth_read_all_files_except_auth_files(rsync_t)
+ files_read_non_security_files(rsync_t)
auth_read_all_symlinks_except_auth_files(rsync_t)
auth_tunable_read_shadow(rsync_t)
')
diff --git a/policy/modules/services/samba.te b/policy/modules/services/samba.te
index df830cf..d1f1a15 100644
--- a/policy/modules/services/samba.te
+++ b/policy/modules/services/samba.te
@@ -451,17 +451,17 @@ tunable_policy(`samba_create_home_dirs',`
tunable_policy(`samba_export_all_ro',`
fs_read_noxattr_fs_files(smbd_t)
auth_read_all_dirs_except_auth_files(smbd_t)
- auth_read_all_files_except_auth_files(smbd_t)
+ files_read_non_security_files(smbd_t)
fs_read_noxattr_fs_files(nmbd_t)
auth_read_all_dirs_except_auth_files(nmbd_t)
- auth_read_all_files_except_auth_files(nmbd_t)
+ files_read_non_security_files(nmbd_t)
')
tunable_policy(`samba_export_all_rw',`
fs_read_noxattr_fs_files(smbd_t)
- auth_manage_all_files_except_auth_files(smbd_t)
+ files_manage_non_security_files(smbd_t)
fs_read_noxattr_fs_files(nmbd_t)
- auth_manage_all_files_except_auth_files(nmbd_t)
+ files_manage_non_security_files(nmbd_t)
userdom_user_home_dir_filetrans_user_home_content(nmbd_t, { file dir })
')
diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
index 94e49e8..fd331b9 100644
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
@@ -143,7 +143,7 @@ ifdef(`distro_ubuntu',`
tunable_policy(`allow_mount_anyfile',`
auth_read_all_dirs_except_auth_files(mount_t)
- auth_read_all_files_except_auth_files(mount_t)
+ files_read_non_security_files(mount_t)
files_mounton_non_security(mount_t)
')
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
index 508b206..52a5442 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -327,8 +327,8 @@ selinux_compute_create_context(restorecond_t)
selinux_compute_relabel_context(restorecond_t)
selinux_compute_user_contexts(restorecond_t)
-auth_relabel_all_files_except_auth_files(restorecond_t )
-auth_read_all_files_except_auth_files(restorecond_t)
+files_relabel_non_security_files(restorecond_t )
+files_read_non_security_files(restorecond_t)
auth_use_nsswitch(restorecond_t)
locallogin_dontaudit_use_fds(restorecond_t)
next prev parent reply other threads:[~2011-08-26 14:28 UTC|newest]
Thread overview: 36+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-08-23 10:08 v0 Separate tunables from booleans Harry Ciao
2011-08-23 10:08 ` [v0 PATCH 1/6] Indicate when boolean is indeed a tunable Harry Ciao
2011-08-23 10:08 ` [v0 PATCH 2/6] Separate tunable from boolean during compile Harry Ciao
2011-08-23 10:08 ` [v0 PATCH 3/6] Write and read TUNABLE flags in related data structures Harry Ciao
2011-08-23 10:08 ` [v0 PATCH 4/6] Permanently enable the if or else branch of a tunable during link Harry Ciao
2011-08-23 10:08 ` [v0 PATCH 5/6] Copy and check the cond_bool_datum_t.flags " Harry Ciao
2011-08-23 10:08 ` [v0 PATCH 6/6] Skip tunable identifier and cond_node_t in expansion Harry Ciao
2011-08-23 13:43 ` Daniel J Walsh
2011-08-23 13:58 ` Christopher J. PeBenito
2011-08-24 10:32 ` HarryCiao
2011-08-24 12:11 ` Christopher J. PeBenito
2011-08-24 18:00 ` Joshua Brindle
2011-08-25 10:36 ` Harry Ciao
2011-08-24 18:02 ` Joshua Brindle
2011-08-25 3:22 ` Harry Ciao
2011-08-25 4:22 ` Joshua Brindle
2011-08-25 10:38 ` Harry Ciao
2011-08-24 17:54 ` Joshua Brindle
2011-08-24 20:24 ` Daniel J Walsh
2011-08-24 20:34 ` Joshua Brindle
2011-08-24 21:04 ` Daniel J Walsh
2011-08-24 16:02 ` v0 Separate tunables from booleans Eric Paris
2011-08-25 6:17 ` Harry Ciao
2011-08-25 13:04 ` Daniel J Walsh
2011-08-25 13:35 ` James Carter
2011-08-26 14:28 ` Daniel J Walsh [this message]
2011-08-26 1:17 ` Harry Ciao
2011-08-26 2:22 ` Eric Paris
2011-08-26 12:59 ` Daniel J Walsh
2011-08-26 13:06 ` Christopher J. PeBenito
2011-08-26 13:08 ` Christopher J. PeBenito
2011-08-26 14:11 ` Christopher J. PeBenito
2011-08-24 17:38 ` Christopher J. PeBenito
2011-08-24 17:52 ` Joshua Brindle
2011-08-25 5:31 ` Harry Ciao
2011-08-25 12:56 ` Joshua Brindle
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4E57AD96.3080004@redhat.com \
--to=dwalsh@redhat.com \
--cc=cpebenito@tresys.com \
--cc=eparis@parisplace.org \
--cc=jwcart2@tycho.nsa.gov \
--cc=qingtao.cao@windriver.com \
--cc=selinux@tycho.nsa.gov \
--cc=slawrence@tresys.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.