* What's a 'permission map'?
From: dE @ 2014-07-08 4:53 UTC (permalink / raw)
To: selinux
This seems to be required by apol sometimes. Loading the default policy
as the permission map works, but what is a permission map?
* Re: What's a 'permission map'?
From: Christopher J. PeBenito @ 2014-07-08 12:23 UTC (permalink / raw)
To: dE, selinux
On 7/8/2014 12:53 AM, dE wrote:
> This seems to be required by apol sometimes. Loading the default policy
> as the permission map works, but what is a permission map?
In apol, it is required by an information flow analysis. A permission
map describes each permission in the policy as an abstract "read",
"write", "both", or "none" information flow permission used in the
analysis. The apol help text has a full description of information flow
analysis and the permission map (Help->Information Flow Analysis).
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
* Re: What's a 'permission map'?
From: dE @ 2014-07-10 15:55 UTC (permalink / raw)
To: selinux
On 07/08/14 17:53, Christopher J. PeBenito wrote:
> On 7/8/2014 12:53 AM, dE wrote:
>> This seems to be required by apol sometimes. Loading the default policy
>> as the permission map works, but what is a permission map?
> In apol, it is required by an information flow analysis. A permission
> map describes each permission in the policy as an abstract "read",
> "write", "both", or "none" information flow permission used in the
> analysis. The apol help text has a full description of information flow
> analysis and the permission map (Help->Information Flow Analysis).
>
So a permission map is basically a high level abstraction for various
classes of permissions so apol can present the information flow between
types.
* Re: What's a 'permission map'?
From: Richard Haines @ 2014-07-08 12:27 UTC (permalink / raw)
To: dE; +Cc: selinux@tycho.nsa.gov
This file is only required when using the "Analysis" tab features. It is fully described
in the "Help" - "Information Flow Analysis" tab.
APOL will try to find a default in your home directory called .apol_perm_mapping
There are various versions in usr/share/setools-3.3 (apol_perm_mapping_*). Best to
select the latest one and copy to home dir as .apol_perm_mapping to stop it
complaining.
It will be loaded when you do the first analysis, and can then be modified using
"Tools" - "View Perm Map".
----- Original Message -----
> From: dE <de.techno@gmail.com>
> To: selinux@tycho.nsa.gov
> Cc:
> Sent: Tuesday, 8 July 2014, 5:53
> Subject: What's a 'permission map'?
>
> This seems to be required by apol sometimes. Loading the default policy
> as the permission map works, but what is a permission map?
* Re: What's a 'permission map'?
From: dE @ 2014-07-10 16:12 UTC (permalink / raw)
To: selinux
On 07/08/14 17:57, Richard Haines wrote:
> This file is only required when using the "Analysis" tab features. It is fully described
> in the "Help" - "Information Flow Analysis" tab.
>
>
> APOL will try to find a default in your home directory called .apol_perm_mapping
>
> There are various versions in usr/share/setools-3.3 (apol_perm_mapping_*). Best to
> select the latest one and copy to home dir as .apol_perm_mapping to stop it
> complaining.
>
> It will be loaded when you do the first analysis, and can then be modified using
> "Tools" - "View Perm Map".
>
>
>
> ----- Original Message -----
>> From: dE <de.techno@gmail.com>
>> To: selinux@tycho.nsa.gov
>> Cc:
>> Sent: Tuesday, 8 July 2014, 5:53
>> Subject: What's a 'permission map'?
>>
>> This seems to be required by apol sometimes. Loading the default policy
>> as the permission map works, but what is a permission map?
After reading these files I've realized that a permission map is
basically a map of various permissions of various classes to a high
level r/w/n/b.
Next apol has to convert allow statements in the loaded policy which
contain class specific permissions to a high level r/w/n/b set of
permission between types.
But what does apol do when I just feed it the binary policy instead of a
real permission map?
* Re: What's a 'permission map'?
From: Christopher J. PeBenito @ 2014-07-10 16:54 UTC (permalink / raw)
To: dE, selinux
On 7/10/2014 12:12 PM, dE wrote:
> On 07/08/14 17:57, Richard Haines wrote:
>> This file is only required when using the "Analysis" tab features. It
>> is fully described
>> in the "Help" - "Information Flow Analysis" tab.
>>
>>
>> APOL will try to find a default in your home directory called
>> .apol_perm_mapping
>>
>> There are various versions in usr/share/setools-3.3
>> (apol_perm_mapping_*). Best to
>> select the latest one and copy to home dir as .apol_perm_mapping to
>> stop it
>> complaining.
>>
>> It will be loaded when you do the first analysis, and can then be
>> modified using
>> "Tools" - "View Perm Map".
>>
> After reading these files I've realized that a permission map is
> basically a map of various permissions of various classes to a high
> level r/w/n/b.
>
> Next apol has to convert allow statements in the loaded policy which
> contain class specific permissions to a high level r/w/n/b set of
> permission between types.
>
> But what does apol do when I just feed it the binary policy instead of a
> real permission map?
It always uses the abstract r/w/n/b permissions for the information flow
analysis. The permission map is only used in the information flow
analysis, which is why tools like sesearch don't have permission map
options. If you run an information flow analysis without explicitly
loading a permission map, apol will try to load one, like Richard
describes above, so that the analysis can be performed.
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
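
The conversion discussed in this thread, as an added example (not part of any message above and not apol's own code): each permission in an allow rule is looked up in a permission map, "read" is taken as information moving from the target type to the source type and "write" as the reverse, and the resulting edges are followed transitively. The map entries, the type names, the rules, and the choice to treat unmapped permissions as "none" are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed excerpt of a permission map: (class, permission) -> r/w/b/n.
# Illustrative values only, not copied from a shipped apol_perm_mapping file.
PERM_MAP = {
    ("file", "read"): "r",
    ("file", "getattr"): "r",
    ("file", "write"): "w",
    ("file", "append"): "w",
    ("file", "lock"): "n",
    ("unix_stream_socket", "connectto"): "b",
}

# Constructed allow rules using hypothetical type names.
POLICY = """
allow httpd_t web_content_t:file { read getattr };
allow uploader_t web_content_t:file { write append };
allow httpd_t logd_t:unix_stream_socket connectto;
allow backup_t web_content_t:file lock;
"""

# allow <source> <target>:<class> <perm>;  or  { <perm> ... };
RULE = re.compile(r"allow\s+(\w+)\s+(\w+):(\w+)\s+(?:\{([^}]*)\}|(\w+))\s*;")

def direct_flows(policy, perm_map):
    """Return {origin_type: {destination_types}} of direct information flows."""
    flows = defaultdict(set)
    for src, tgt, cls, braced, single in RULE.findall(policy):
        for perm in (braced or single).split():
            kind = perm_map.get((cls, perm), "n")  # assumption: unmapped = none
            if kind in ("r", "b"):   # read: data moves from target to source
                flows[tgt].add(src)
            if kind in ("w", "b"):   # write: data moves from source to target
                flows[src].add(tgt)
    return flows

def reachable(flows, start):
    """Types that information originating in `start` can reach transitively."""
    seen, stack = set(), [start]
    while stack:
        for nxt in flows.get(stack.pop(), ()):
            if nxt not in seen and nxt != start:
                seen.add(nxt)
                stack.append(nxt)
    return seen

FLOWS = direct_flows(POLICY, PERM_MAP)
```

In this sample, `uploader_t` has no allow rule naming `httpd_t` or `logd_t`, yet data it writes can reach both through `web_content_t`; the `lock` rule contributes no edge because it maps to "none".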