
Re: [ANN] Madison policy generation tools



Rahul Sundaram wrote:
Karl MacMillan wrote:
The first public release of the Madison SELinux policy generation tools can be found at http://et.redhat.com/madison/. Madison is a new project to create command line and GUI policy generation tools that:

  * Create more readable and secure policy by leveraging the reference
    policy development environment.
  * Provide administrators with guidance and information to help them
    make good security decisions.

This release focuses on the creation of a foundation library (in Python). It only includes a single tool - audit2policy - that is a drop-in replacement for audit2allow with better reference policy interface call generation (using the undocumented -R audit2allow flag).

Contributions are very welcome. I'm looking for help with:

  * Testing (particularly interface call generation and module
    generation)
  * Documentation
  * Unit test creation
  * Code / tool development

See the website for more details on contributing.

To the authors of other policy generation tools: I would like to avoid duplication of effort where possible. The current release focuses on areas that other tools have not explored thoroughly. Moving forward I would like to discuss how we can best work together.

Please send any feedback to the selinux development list.

I don't want to subscribe to yet another list so I will send in my comments here. I have put in an announcement on fedoraproject.org. A few questions.


Sorry for the delay in answering.

* I installed the FC6 version. audit2policy is the only tool in this package as of now. Do you plan to include it within an existing package or introduce a new one?

I am currently planning to submit this code to the upstream selinux project. If it is accepted then this will ultimately be included there.

Do you plan to replace audit2allow with this?

If it is accepted upstream, yes.

What are the specific differences between them?


The main user visible difference is more accurate reference policy interface generation with audit2policy. Otherwise, the bulk of the difference is in the code behind them - madison is designed to be capable of much more and will hopefully be the basis for other tools in the future.

* What is the plan for the GUI application? Is this connected to system-config-selinux or semanage?


I have two tools in mind:

1) Local policy modifications - allow the user to make small policy tweaks without having to build modules by hand. It will also help them review the changes and suggest other ways to solve the problems (like booleans). This will hopefully be part of system-config-selinux.

2) New policy module creation - help people create new policy modules for applications, including things like cgi-scripts run by apache. This is longer term.

* There is absolutely no documentation on the madison package and

I know - the audit2allow man page is most applicable.

running audit2policy on its own doesn't return the prompt (that probably should return some basic help and we need a man page).

This is, unfortunately, inherited from audit2policy. By default it reads from standard input.

I can help with writing documentation if someone can explain the details to me.


Thanks - right now the audit2allow man page is sufficient. As more tools are created I'll let you know so you can contribute to documentation if you are still interested.

Thanks - Karl

Rahul
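As an added illustration of the core job an audit2allow-style tool performs (example code written for this page, not Madison's or audit2allow's own code, and it does not do the reference policy interface mapping Karl describes): parse AVC denial records from audit log text and emit a minimal loadable policy module with the corresponding allow rules. The audit lines are constructed samples; like audit2allow, the script reads from standard input when input is piped to it.

```python
import re
import sys
from collections import defaultdict

# Constructed sample audit records (not from the original post). The layout
# follows the standard "type=AVC ... avc: denied { perms } ..." record format.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1162400000.123:456): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev=sda1 ino=9876 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1162400000.124:457): avc:  denied  { getattr } for  pid=1234 comm="httpd" path="/home/x/index.html" dev=sda1 ino=9876 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1162400000.200:458): avc:  denied  { name_connect } for  pid=2222 comm="myapp" dest=3306 scontext=system_u:system_r:myapp_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1162400000.200:458): arch=c000003e syscall=42 success=no
"""

# Pull permissions, source type, target type and object class out of a denial.
# Contexts are user:role:type[:level]; the third colon-separated field is the type.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+)\}.*?"
    r"scontext=(?:[^:\s]+:){2}(?P<stype>[^:\s]+)\S*\s+"
    r"tcontext=(?:[^:\s]+:){2}(?P<ttype>[^:\s]+)\S*\s+"
    r"tclass=(?P<tclass>\S+)"
)


def parse_avc_denials(text):
    """Return {(source_type, target_type, class): set(perms)}; non-AVC records are ignored."""
    rules = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            rules[(m["stype"], m["ttype"], m["tclass"])].update(m["perms"].split())
    return dict(rules)


def generate_te(rules, module="local", version="1.0"):
    """Render a minimal .te module: a require block for every type and class
    referenced, then one allow rule per (source, target, class) triple."""
    types = sorted({t for stype, ttype, _ in rules for t in (stype, ttype)})
    classes = defaultdict(set)
    for (_, _, tclass), perms in rules.items():
        classes[tclass].update(perms)
    out = [f"module {module} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        out.append(f"allow {stype} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_AUDIT
    print(generate_te(parse_avc_denials(text)))
```

The output is the raw allow-rule form; reviewing each rule (and preferring a boolean or an existing interface where one fits) before loading it is the step the tools in this thread aim to help with.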