From: Joshua Brindle <method@manicmethod.com>
To: Hayawardh Vijayakumar <hvijay@cse.psu.edu>
Cc: SELinux@tycho.nsa.gov
Subject: Re: apol permission map weights
Date: Mon, 01 Oct 2012 22:21:54 -0400
Message-ID: <506A4FC2.5010802@manicmethod.com>
In-Reply-To: <CALS9afXC2gZGXyHupkGRySakK+Rmu1qBZ1FYNHSDiyynZqQSZQ@mail.gmail.com>

Hayawardh Vijayakumar wrote:
> Dear all,
>
> This is a question regarding the weights for the permission mappings
> from APOL (the file apol_perm_mapping_ver24 at e.g.,
> http://oss.tresys.com/repos/setools/trunk/apol/perm_maps/apol_perm_mapping_ver24).
> The documentation on page
> http://oss.tresys.com/projects/setools/wiki/helpFiles/iflow_help says
>
> "In addition to mapping each permission to read, write, both, or none,
> it is possible to assign the permission a weight between 1 and 10 (the
> default is 10).  Apol uses this weight to rate the importance of the
> information flow this permission represents and allows the user to
> make fine-grained distinctions between high-bandwidth, overt
> information flows and low-bandwidth, or difficult to exploit, covert
> information flows.  For example, the permissions "read" and "write" on
> the file object could be given a weight of 10 because they are very
> high-bandwidth information flows.  Additionally, the "use" permission
> on the fd object (file descriptor) would probably be given a weight of
> 1 as it is a very low-bandwidth covert flow at best. "
>
> However, the append permission on class file is given a weight of only
> 1, whereas write is given 10:
>
> class file 21
> ...
>              append	 w           1
> ...
>              write	         w          10
>
> Appending to a file causes a flow of as big a bandwidth as write. Can
> someone please explain why append is given so low a weight?

Probably an oversight, I'll see about getting it fixed. Thanks for
reporting it.

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
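
An added example, not part of the original message or of SETools: a short Python check that parses permission-map entries in the layout quoted above and lists write-direction permissions weighted below the same class's `write`, which is the inconsistency reported for `append`. The sample map is constructed from the quoted lines only; the `#` comment handling, the leading count line and treating `b` as carrying a write flow are assumptions.

```python
# Constructed sample: only the entries quoted in the message above, in the
# "class <name> <count>" / "<perm> <direction> <weight>" layout it shows.
SAMPLE_MAP = """\
class file 21
             append\t w           1
             write\t         w          10
"""


def parse_perm_map(text):
    """Return {class_name: {perm: (direction, weight)}}."""
    classes, current = {}, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split()
        if not fields or fields[0].startswith("#"):   # assumed comment syntax
            continue
        if len(fields) == 1 and fields[0].isdigit():  # assumed leading count line
            continue
        if fields[0] == "class" and len(fields) == 3:
            current = classes.setdefault(fields[1], {})
            continue
        if current is None or len(fields) != 3 or not fields[2].isdigit():
            raise ValueError(f"line {lineno}: unexpected entry {raw!r}")
        perm, direction, weight = fields[0], fields[1], int(fields[2])
        if not 1 <= weight <= 10:                     # range given in the quoted help text
            raise ValueError(f"line {lineno}: weight {weight} outside 1..10")
        current[perm] = (direction, weight)
    return classes


def underweighted_writes(classes, reference="write"):
    """List (class, perm, weight, reference_weight) for permissions that carry
    a write flow but are weighted below the class's own `write` permission."""
    findings = []
    for cls, perms in classes.items():
        if reference not in perms:
            continue                                  # nothing to compare against
        ref_weight = perms[reference][1]
        for perm, (direction, weight) in perms.items():
            # "w" = write; "b" = both directions (assumed letter for "both")
            if direction in ("w", "b") and weight < ref_weight:
                findings.append((cls, perm, weight, ref_weight))
    return findings


if __name__ == "__main__":
    for cls, perm, weight, ref in underweighted_writes(parse_perm_map(SAMPLE_MAP)):
        print(f"{cls}:{perm} weight {weight} < write weight {ref}")
```

A lower weight is not always wrong, since the help text quoted above intends low weights for low-bandwidth flows, so the output is a list of entries to review rather than a list of errors.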
