Re: I am working to further shrink the size of policy in Fedora 17.

[Daniel J Walsh <dwalsh@redhat.com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 10/12/2011 01:37 PM, Christopher J. PeBenito wrote:
> On 10/12/11 10:15, Daniel J Walsh wrote:
>> On 10/12/2011 09:40 AM, Christopher J. PeBenito wrote:
>>> On 10/07/11 14:24, Daniel J Walsh wrote:
>>>> Right now, every domain that transitions to another domain
>>>> gets the following rule written.
>>>> 
>>>> dontaudit SOURCE TARGET : process { noatsecure siginh
>>>> rlimitinh } ;
>>>> 
>>>> In Fedora 17 policy right now we have 2152 rules, out of 
>>>> Dontaudit: 9415
>>>> 
>>>> 
>>>> sesearch --dontaudit -p noatsecure | wc -l 2152
>>>> 
>>>> We could rewrite this with one rule.
>>>> 
>>>> dontaudit domain domain:process { noatsecure siginh rlimitinh
>>>> } ;
>>>> 
>>>> Of course this is more lenient then what we have now,
>>>> although since it is dontaudit rules, not sure it matters.
>>>> 
>>>> Comments?
>> 
>>> I'm on the fence.  On one hand, I hate to overspecify the
>>> policy, but on the other hand, these perms can only be hit on a
>>> domain transition.  How much does this save?
>> 
>> 
>> 2000/90000
>> 
>> 2% of the size of policy.
> 
> Based on my test of all Refpolicy modules compiled in, the size
> went from 4687381 to 4667101, a 20kB difference.  If someone was
> trying to squeeze everything out for an embedded system policy, I
> could see this change, but otherwise, it doesn't seem very
> compelling.
> 
That is because you have not already shrunk your policy to the degree
that Fedora has.  F17 is down to this.
seinfo

Statistics for policy file: /etc/selinux/targeted/policy/policy.26
Policy Version & Type: v.26 (binary, mls)

   Classes:            82    Permissions:       241
   Sensitivities:       1    Categories:       1024
   Types:            3546    Attributes:        291
   Users:               9    Roles:              13
   Booleans:          203    Cond. Expr.:       240
   Allow:           83205    Neverallow:          0
   Auditallow:         10    Dontaudit:        6079
   Type_trans:       8632    Type_change:       116
   Type_member:        36    Role allow:         23
   Role_trans:        287    Range_trans:      3068
   Constraints:        81    Validatetrans:       0
   Initial SIDs:       27    Fs_use:             22
   Genfscon:           85    Portcon:           429
   Netifcon:            0    Nodecon:             0
   Permissives:        33    Polcap:              2


With I would figure many more domains confined.


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk6V2AUACgkQrlYvE4MpobOj+ACffF2NDUP/RDI1ccuWGi1/NxYn
oVIAn1G3o2LkWpKpihU+kBt9GAH1idev
=K573
-----END PGP SIGNATURE-----

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.