* I am working to further shrink the size of policy in Fedora 17.
From: Daniel J Walsh @ 2011-10-07 18:24 UTC
To: SELinux
Right now, every domain that transitions to another domain gets the
following rule written.

dontaudit SOURCE TARGET : process { noatsecure siginh rlimitinh } ;

In Fedora 17 policy right now we have 2152 rules, out of Dontaudit: 9415

sesearch --dontaudit -p noatsecure | wc -l
2152

We could rewrite this with one rule.

dontaudit domain domain:process { noatsecure siginh rlimitinh } ;

Of course this is more lenient than what we have now, although since
they are dontaudit rules, I am not sure it matters.
Comments?
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: I am working to further shrink the size of policy in Fedora 17.

From: Christopher J. PeBenito @ 2011-10-12 13:40 UTC
To: Daniel J Walsh; +Cc: SELinux

On 10/07/11 14:24, Daniel J Walsh wrote:
> Right now, every domain that transitions to another domain gets the
> following rule written.
>
> dontaudit SOURCE TARGET : process { noatsecure siginh rlimitinh } ;
>
> In Fedora 17 policy right now we have 2152 rules, out of Dontaudit: 9415
>
> sesearch --dontaudit -p noatsecure | wc -l
> 2152
>
> We could rewrite this with one rule.
>
> dontaudit domain domain:process { noatsecure siginh rlimitinh } ;
>
> Of course this is more lenient than what we have now, although since
> they are dontaudit rules, not sure it matters.
>
> Comments?

I'm on the fence. On one hand, I hate to overspecify the policy, but on
the other hand, these perms can only be hit on a domain transition. How
much does this save?

--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
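The widening Dan describes (one attribute rule instead of per-pair rules) and the caveat Chris raises (these permissions are only checked on a domain transition), worked through as an added example that is not part of the thread. The script parses a constructed toy TE fragment (the type, type_transition and dontaudit statements below are made up for illustration, not Fedora's policy) and reports how many domain pairs the single `dontaudit domain domain:process { ... };` rule would silence beyond the explicit rules, and which of those actually sit on a declared process transition.

```python
import re

# Constructed toy TE source in the shape of the rules the thread quotes;
# a real Fedora policy carries thousands of these per-pair dontaudit rules.
SAMPLE_TE = """
attribute domain;
type init_t, domain;
type sshd_t, domain;
type httpd_t, domain;
type httpd_sys_script_t, domain;
type unconfined_t, domain;
type_transition init_t sshd_exec_t : process sshd_t;
type_transition init_t httpd_exec_t : process httpd_t;
type_transition httpd_t httpd_sys_script_exec_t : process httpd_sys_script_t;
type_transition sshd_t shell_exec_t : process unconfined_t;
dontaudit init_t sshd_t : process { noatsecure siginh rlimitinh } ;
dontaudit init_t httpd_t : process { noatsecure siginh rlimitinh } ;
dontaudit httpd_t httpd_sys_script_t : process { noatsecure siginh rlimitinh } ;
"""

TYPE_DECL = re.compile(r"^type\s+(\w+)\s*,\s*(.+?)\s*;$")
TRANSITION = re.compile(r"^type_transition\s+(\w+)\s+\w+\s*:\s*process\s+(\w+)\s*;$")
PAIR_DONTAUDIT = re.compile(
    r"^dontaudit\s+(\w+)\s+(\w+)\s*:\s*process\s*\{\s*noatsecure\s+siginh\s+rlimitinh\s*\}\s*;$")

def parse_te(te_text):
    """Collect domain types, process transitions and explicit per-pair dontaudit rules."""
    domains, transitions, explicit = set(), set(), set()
    for raw in te_text.splitlines():
        line = raw.strip()
        if (m := TYPE_DECL.match(line)) and "domain" in [a.strip() for a in m.group(2).split(",")]:
            domains.add(m.group(1))
        elif m := TRANSITION.match(line):
            transitions.add((m.group(1), m.group(2)))
        elif m := PAIR_DONTAUDIT.match(line):
            explicit.add((m.group(1), m.group(2)))
    return domains, transitions, explicit

def compare_with_attribute_rule(te_text):
    """Measure what 'dontaudit domain domain:process {...};' changes versus the per-pair rules."""
    domains, transitions, explicit = parse_te(te_text)
    attr_pairs = {(s, t) for s in domains for t in domains}  # every domain -> domain pair
    newly_silenced = attr_pairs - explicit                    # the "more lenient" part
    # noatsecure/siginh/rlimitinh are only checked on a domain transition, so only
    # the silenced pairs that actually transition matter; the rest is inert.
    reachable = newly_silenced & transitions
    return {
        "explicit_rules": len(explicit),
        "rules_after": 1,
        "pairs_newly_silenced": len(newly_silenced),
        "silenced_on_real_transitions": sorted(reachable),
    }

if __name__ == "__main__":
    print(compare_with_attribute_rule(SAMPLE_TE))
```

On the toy policy the attribute rule silences 22 of the 25 possible domain pairs that had no explicit rule, but only one of them (sshd_t to unconfined_t, a transition that had been missed by the per-pair rules) can ever be hit.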
* Re: I am working to further shrink the size of policy in Fedora 17.

From: Daniel J Walsh @ 2011-10-12 14:15 UTC
To: Christopher J. PeBenito; +Cc: SELinux

On 10/12/2011 09:40 AM, Christopher J. PeBenito wrote:
> I'm on the fence. On one hand, I hate to overspecify the policy,
> but on the other hand, these perms can only be hit on a domain
> transition. How much does this save?

2000/90000

2% of the size of policy.
* Re: I am working to further shrink the size of policy in Fedora 17.

From: Christopher J. PeBenito @ 2011-10-12 17:37 UTC
To: Daniel J Walsh; +Cc: SELinux

On 10/12/11 10:15, Daniel J Walsh wrote:
> On 10/12/2011 09:40 AM, Christopher J. PeBenito wrote:
>> I'm on the fence. On one hand, I hate to overspecify the policy,
>> but on the other hand, these perms can only be hit on a domain
>> transition. How much does this save?
>
> 2000/90000
>
> 2% of the size of policy.

Based on my test of all Refpolicy modules compiled in, the size went from
4687381 to 4667101, a 20kB difference. If someone was trying to squeeze
everything out for an embedded system policy, I could see this change, but
otherwise, it doesn't seem very compelling.

--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
* Re: I am working to further shrink the size of policy in Fedora 17.

From: Daniel J Walsh @ 2011-10-12 18:10 UTC
To: Christopher J. PeBenito; +Cc: SELinux

On 10/12/2011 01:37 PM, Christopher J. PeBenito wrote:
> Based on my test of all Refpolicy modules compiled in, the size
> went from 4687381 to 4667101, a 20kB difference. If someone was
> trying to squeeze everything out for an embedded system policy, I
> could see this change, but otherwise, it doesn't seem very
> compelling.

That is because you have not already shrunk your policy to the degree
that Fedora has. F17 is down to this.

seinfo

Statistics for policy file: /etc/selinux/targeted/policy/policy.26
Policy Version & Type: v.26 (binary, mls)

   Classes:            82    Permissions:       241
   Sensitivities:       1    Categories:       1024
   Types:            3546    Attributes:        291
   Users:               9    Roles:              13
   Booleans:          203    Cond. Expr.:       240
   Allow:           83205    Neverallow:          0
   Auditallow:         10    Dontaudit:        6079
   Type_trans:       8632    Type_change:       116
   Type_member:        36    Role allow:         23
   Role_trans:        287    Range_trans:      3068
   Constraints:        81    Validatetrans:       0
   Initial SIDs:       27    Fs_use:             22
   Genfscon:           85    Portcon:           429
   Netifcon:            0    Nodecon:             0
   Permissives:        33    Polcap:              2

With, I would figure, many more domains confined.
* Re: I am working to further shrink the size of policy in Fedora 17.

From: Christopher J. PeBenito @ 2011-10-12 18:45 UTC
To: Daniel J Walsh; +Cc: SELinux

On 10/12/11 14:10, Daniel J Walsh wrote:
> That is because you have not already shrunk your policy to the degree
> that Fedora has. F17 is down to this.
[...]
>    Allow:           83205    Neverallow:          0
>    Auditallow:         10    Dontaudit:        6079

I don't understand. The change in Refpolicy was 1690 dontaudit rules. If
that's a 20kB change in Refpolicy, the 2151 rule change in the Fedora
policy would probably be ~25kB. What is the current size of the Fedora
policy (policy.26 on disk)?

--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
* Re: I am working to further shrink the size of policy in Fedora 17.

From: Daniel J Walsh @ 2011-10-12 18:50 UTC
To: Christopher J. PeBenito; +Cc: SELinux

On 10/12/2011 02:45 PM, Christopher J. PeBenito wrote:
> I don't understand. The change in Refpolicy was 1690 dontaudit
> rules. If that's a 20kB change in Refpolicy, the 2151 rule change
> in the Fedora policy would probably be ~25kB. What is the current
> size of the Fedora policy (policy.26 on disk)?

I just updated people.redhat.com and the libra.te policy.
* Re: I am working to further shrink the size of policy in Fedora 17.

From: Daniel J Walsh @ 2011-10-12 19:06 UTC
To: Christopher J. PeBenito; +Cc: SELinux

On 10/12/2011 02:45 PM, Christopher J. PeBenito wrote:
> I don't understand. The change in Refpolicy was 1690 dontaudit
> rules. If that's a 20kB change in Refpolicy, the 2151 rule change
> in the Fedora policy would probably be ~25kB. What is the current
> size of the Fedora policy (policy.26 on disk)?

ls -l /etc/selinux/targeted/policy/policy.26
-rw-r--r--. 1 root root 1993514 Oct 11 11:14 /etc/selinux/targeted/policy/policy.26