Re: [RFC] Source Policy, CIL, and High Level Languages

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Stephen Smalley <sds@tycho.nsa.gov>
To: Dominick Grift <dominick.grift@gmail.com>,
	Steve Lawrence <slawrence@tresys.com>
Cc: SELinux List <selinux@tycho.nsa.gov>
Subject: Re: [RFC] Source Policy, CIL, and High Level Languages
Date: Thu, 10 Jul 2014 08:35:40 -0400	[thread overview]
Message-ID: <53BE889C.9050909@tycho.nsa.gov> (raw)
In-Reply-To: <1404975079.31209.11.camel@x220.localdomain>

On 07/10/2014 02:51 AM, Dominick Grift wrote:
> On Wed, 2014-07-09 at 15:21 -0400, Steve Lawrence wrote:
>> In January, we sent an RFC [1] to update userspace to integrate CIL
>> [2] and source policy. And in April, we sent an updated RFC [3] which
>> added support for high level languages and a tool to convert policy
>> package (pp) files to CIL. After getting some good feedback, we have
>> made some more changes, mostly to maintain ABI compatibility. The
>> major changes made since the last patchset are:
> 
> <snip>
> 
> I just spent a few hours playing with this and i am impressed.
> 
> Everything i tested just works.
> 
> What did i test?
> 
> 1. disabling/enabling existing modules
> 2. toggling booleans with semanage
> 3. adding and removing port and file contexts with semanage
> 4. adding/removing a policy module with semodule, checkmodule,
> semodule_package
> 5. adding/removing a (cil) policy module with semodule
> 6. associating a (new) user with staff_t identity
> 
> Comments?
> 
> if i do restorecon -R -v -F /home it resets contexts *every* time (from
> s0 to s0-s0). No noticable side effects because of this
> 
> After associating user john with staff_u, johns home directory is
> properly labeled (staff_u associated with /home/john). However, what is
> strange here is that i cannot see staff_u home dir context specs
> in /var/lib/selinux/targeted/active/modules/file_contexts.homedirs
> 
> Am i looking in the wrong place? How does SELinux know that staff_u
> needs to be associated with /home/john
> 
> When you remove a custom module (semodule -r mycustmodule) semodule is a
> little verbose. (one line gets printed)
> 
> Other than that it looks flawless. Ofcourse i only tested it for a few
> hours but on the surface everything looks ok
> 
> I recorded the whole testing session for reference and submitted the
> video to youtube under the name of cil testday

Thanks for testing it.  How did it look from a performance POV, wrt
memory use and runtime?

next prev parent reply	other threads:[~2014-07-10 12:35 UTC|newest]

Thread overview: 85+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2014-07-09 19:21 [RFC] Source Policy, CIL, and High Level Languages Steve Lawrence
2014-07-10  6:51 ` Dominick Grift
2014-07-10 12:19   ` Steve Lawrence
2014-07-10 12:35   ` Stephen Smalley [this message]
2014-07-10 12:52     ` Dominick Grift
2014-07-10 13:09       ` Dominick Grift
2014-07-10 13:12         ` Stephen Smalley
2014-07-10 13:26           ` Dominick Grift
2014-07-10 13:38             ` Stephen Smalley
2014-07-10 13:45               ` Dominick Grift
2014-07-11 15:02                 ` Steve Lawrence
2014-07-15 20:11                   ` Steve Lawrence
2014-07-10 15:02             ` Stephen Smalley
2014-07-11 17:20   ` Steve Lawrence
2014-07-14 16:48     ` Stephen Smalley
2014-07-14 16:53       ` Stephen Smalley
2014-07-14 17:08         ` Stephen Smalley
2014-07-14 17:12           ` Steve Lawrence
2014-07-14 17:49             ` Stephen Smalley
2014-07-15 19:56               ` Steve Lawrence
2014-07-16 14:16                 ` Stephen Smalley
2014-07-16 14:21                   ` Stephen Smalley
2014-07-16 14:26                     ` Stephen Smalley
2014-07-16 14:33                       ` Stephen Smalley
2014-07-16 15:11                         ` Steve Lawrence
2014-07-16 15:53                           ` Dominick Grift
2014-07-16 15:58                             ` Dominick Grift
2014-07-16 19:00                             ` Stephen Smalley
2014-07-17 13:49                               ` Steve Lawrence
2014-07-17 14:02                                 ` Stephen Smalley
2014-07-17 18:02                                 ` Stephen Smalley
2014-07-17 18:58                                   ` Steve Lawrence
2014-07-17 19:10                                     ` Stephen Smalley
2014-07-17 19:48                                       ` Stephen Smalley
2014-07-17 20:04                                         ` Steve Lawrence
2014-07-17 20:37                                           ` Stephen Smalley
2014-07-17 20:50                                             ` Daniel J Walsh
2014-07-17 20:52                                             ` Daniel J Walsh
2014-07-23 19:24                                               ` Stephen Smalley
2014-07-24 12:48                                                 ` Daniel J Walsh
2014-07-18 12:59                                             ` Steve Lawrence
2014-07-18 14:30                                               ` Stephen Smalley
2014-07-18 15:57                                                 ` Steve Lawrence
2014-07-22 15:05                                               ` James Carter
2014-07-18 14:13                                             ` Christopher J. PeBenito
2014-07-17 19:51                                       ` Steve Lawrence
2014-07-22 14:47                                     ` James Carter
2014-07-16 15:43                 ` Steve Lawrence
2014-07-14 17:33           ` Dominick Grift
2014-07-18 16:00   ` Steve Lawrence
2014-07-18 18:10     ` Stephen Smalley
2014-07-21 14:34       ` Steve Lawrence
2014-07-21 14:51         ` Stephen Smalley
2014-07-21 17:50           ` Steve Lawrence
2014-08-01 14:51             ` Steve Lawrence
2014-08-01 17:46               ` Stephen Smalley
2014-08-04 14:07                 ` Steve Lawrence
2014-08-18 22:37                 ` Steve Lawrence
2014-07-10 13:52 ` Stephen Smalley
2014-07-10 14:06   ` Dominick Grift
2014-07-10 14:09   ` Steve Lawrence
2014-07-10 14:58     ` James Carter
2014-07-10 13:59 ` Stephen Smalley
2014-07-10 14:53   ` Steve Lawrence
2014-07-10 14:11 ` Stephen Smalley
2014-07-10 14:13   ` Stephen Smalley
2014-07-10 14:17   ` Steve Lawrence
2014-07-10 14:20     ` Stephen Smalley
2014-07-10 14:23   ` Dominick Grift
2014-07-10 14:25     ` Stephen Smalley
2014-07-10 14:34       ` Stephen Smalley
2014-07-10 14:50         ` Dominick Grift
2014-07-10 14:43       ` Dominick Grift
2014-07-10 14:30 ` Stephen Smalley
2014-07-10 14:50   ` Stephen Smalley
2014-07-10 15:05     ` Steve Lawrence
2014-07-10 15:08       ` Stephen Smalley
2014-07-10 16:04   ` Steve Lawrence
  -- strict thread matches above, loose matches on Subject: below --
2014-04-29 14:59 Steve Lawrence
2014-05-01 12:38 ` Dominick Grift
2014-05-01 12:57   ` Steve Lawrence
2014-05-01 13:24     ` Dominick Grift
2014-05-01 13:27       ` Dominick Grift
2014-05-01 13:31         ` Dominick Grift
2014-05-01 14:01           ` Steve Lawrence

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=53BE889C.9050909@tycho.nsa.gov \
    --to=sds@tycho.nsa.gov \
    --cc=dominick.grift@gmail.com \
    --cc=selinux@tycho.nsa.gov \
    --cc=slawrence@tresys.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.