All of lore.kernel.org
 help / color / mirror / Atom feed
From: guttman@mitre.org (Joshua D. Guttman)
To: Stephen Smalley <sds@epoch.ncsc.mil>
Cc: "John D. Ramsdell" <ramsdell@mitre.org>,
	Karl MacMillan <kmacmillan@tresys.com>,
	selinux@tycho.nsa.gov, Amy L Herzog <aherzog@mitre.org>,
	guttman@mitre.org (Joshua D. Guttman)
Subject: Re: Fedora Core 2 setools RPM
Date: 18 Jun 2004 14:18:13 -0400	[thread overview]
Message-ID: <nhafz8s3f2y.fsf@malabar.mitre.org> (raw)
In-Reply-To: <1087581080.27697.132.camel@moss-spartans.epoch.ncsc.mil>

Stephen Smalley <sds@epoch.ncsc.mil> writes:

>   
>   > I take it that "flow among types" is a bit less precise than
>   > "flow among security contexts".  Presumably there's flow from
>   > t_1 to t_2 if there exist any u_1,r_1 and u_2,r_2 such that
>   > there's flow
>   > 
>   >         u_1:r_1:t_1 --> u_2:r_2:t_2.  
>   > 
>   > Is this an accurate interpretation?
>   
>   If there is a flow from t_1 to t_2 in the TE policy, but no
>   corresponding flow among contexts that include t_1 and t_2 in the
>   policy, then that is likely a bug in the policy.

Really?  Consider the case r_1=r_2, where the role-type relation
permits r_1 to execute with type t_1 but not with type t_2.  If the
arrow is created by an execve_secure, then isn't it important for the
policy to prevent this event?  

Whereas with some powerful role r_3, permitted to execute with types
t_1 and t_2, the event should be permitted.

Are you saying that you don't think policy analysis should be
sensitive to these questions?  (Ever?)

Or are you saying that you don't usually think of these events as
"information flow" relations?  If the latter, well OK, but maybe
that's mainly a verbal point.  There's certainly some causal
interaction here, and presumably policy analysis needs to be able to
talk about it using some terminology or other.

>   constructing a complete graph among entire security contexts seems
>   costly and unnecessary.

Well, yes, if you do it the obvious way by enumerating all the
(tupled) nodes and the arrows between them.  However, lots of model
checking work has invented representations under which conceptually
you're working with that big graph, although the representation is
vastly more compact because it's sensitive to uniformities in how the
components of the nodes are related.

I'm just trying to check that all the conceptually relevant info is
available somehow, if we get our data via libapol.

        Joshua 



-- 
	Joshua D. Guttman		<guttman@mitre.org>
	MITRE, Mail Stop S119		Office:	+1 781 271 2654
	202 Burlington Rd.		Fax:	+1 781 271 8953
	Bedford, MA 01730-1420 USA	Cell:	+1 781 526 5713



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

  reply	other threads:[~2004-06-18 18:18 UTC|newest]

Thread overview: 29+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2004-06-15 21:07 Fedora Core 2 policy source Kratzer, James R.
2004-06-15 23:26 ` Fedora Core 2 setools RPM John D. Ramsdell
2004-06-16 13:37   ` Stephen Smalley
2004-06-16 16:58     ` Daniel J Walsh
2004-06-17  9:47       ` SE Linux enhanced strace for Fedora Core 2 John D. Ramsdell
2004-06-17 15:36   ` Fedora Core 2 setools RPM Karl MacMillan
2004-06-17 15:58     ` Stephen Smalley
2004-06-17 18:47       ` Karl MacMillan
2004-06-18 13:00         ` John D. Ramsdell
2004-06-18 14:13           ` Stephen Smalley
2004-06-18 17:26             ` Joshua D. Guttman
2004-06-18 17:51               ` Stephen Smalley
2004-06-18 18:18                 ` Joshua D. Guttman [this message]
2004-06-18 18:43                   ` Stephen Smalley
2004-06-18 19:31                     ` Joshua D. Guttman
2004-06-18 20:09                       ` Stephen Smalley
2004-06-21 13:16                         ` Frank Mayer
2004-06-21 13:14                       ` Frank Mayer
2004-06-21 13:43                         ` Joshua D. Guttman
2004-06-21 15:26                           ` Frank Mayer
2004-06-21 15:28                           ` Frank Mayer
2004-06-19  5:33                     ` Russell Coker
2004-06-19 13:09                       ` Serge E. Hallyn
2004-06-18 13:09       ` John D. Ramsdell
2004-06-21 13:04         ` Frank Mayer
2004-06-21 15:43           ` John D. Ramsdell
2004-06-17 18:31     ` John D. Ramsdell
2004-06-15 23:33 ` Fedora Core 2 policy source John D. Ramsdell
2004-06-16  1:25   ` John D. Ramsdell

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=nhafz8s3f2y.fsf@malabar.mitre.org \
    --to=guttman@mitre.org \
    --cc=aherzog@mitre.org \
    --cc=kmacmillan@tresys.com \
    --cc=ramsdell@mitre.org \
    --cc=sds@epoch.ncsc.mil \
    --cc=selinux@tycho.nsa.gov \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.