excessively verbose policy

Daniel J Walsh dwalsh at redhat.com
Fri Feb 22 16:57:26 UTC 2008



Marcelo Klein wrote:
> Is there any possibility of writing bundles of policies that can be
> "imported" into other configurations?
> Such as defining a package for a set of policies like "shared-libs", and
> then when writing the policy putting "import shared-libs" or something like
> that?
> Is this too complex to do?
> 
> Marcelo.
>
No, this is what interfaces do, although they are more like function calls.

We have two ways of grouping access to a domain, either directly through
allow rules, or by adding an attribute.

For example

type httpd_t, domain;
allow domain self:file read;

or

allow httpd_t self:file read;

Both generate the same policy.

In refpolicy we have an interface domain_type() which adds the domain
attribute.

So we could move all

libs_use_ld_so(domain)
libs_use_shared_libs(domain)

And eliminate these rules from all te files.

The question is what granularity do you do this at.

Almost every confined domain needs to read etc_t so if we added
files_read_etc_files(domain)

We could remove those, but now if someone wanted to write a confined
domain without access to etc_t, his policy is a lot harder to write.


> 2008/2/22, Daniel J Walsh <dwalsh at redhat.com>:
> 
> Bill Nottingham wrote:
>>>> I was writing policy today, and I couldn't help notice a lot of
>>>> repetitiveness in our policy:
>>>>
>>>>       libs_use_ld_so(...)
>>>>       libs_use_shared_libs(...)
>>>>
>>>> These are needed by, well, everything. Can't they be
>>>> assumed-unless-denied?
>>>> Similarly, 99% of confined apps need:
>>>>
>>>>       miscfiles_read_localization()
>>>>       files_read_etc_files(.)
>>>>         pipes & stream sockets
>>>>
>>>> Is there a way to streamline policy so there is a lot less
>>>> repetition?
>>>>
>>>> Bill
>>>>
>>>> --
>>>> fedora-selinux-list mailing list
>>>> fedora-selinux-list at redhat.com
>>>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
> We have talked about this in the past, and so far it has not gone
> anywhere.  The original goal when refpolicy policy was first written was
> to allow more fine-grained control than the example policy, which
> grouped large amounts of access rules within a single macro
> (can_network) for example.  So we wanted to avoid this, and perhaps the
> pendulum swung too far to the opposite degree.
> 
> 

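The attribute-versus-allow-rule point above, worked through in code. This is an added illustration, not code from refpolicy or from anyone in the thread: a toy expander for a small subset of the SELinux policy language (attribute, type, typeattribute, allow) that resolves attributes to the concrete types carrying them. The policy strings are constructed samples; the etc_t sample uses a made-up sandbox_t domain to show the granularity problem Dan describes, where a rule written on the domain attribute reaches every member type, and a domain that should not have that access cannot subtract it.

```python
"""Expand a tiny subset of SELinux policy (type/attribute/allow) to concrete
allow tuples, to show how attribute-based grouping behaves.

Added illustration for the attribute-vs-allow discussion; not refpolicy
code. The parser only understands the statements used in the constructed
POLICY_* samples below (attribute, type, typeattribute, allow).
"""
import re
from collections import defaultdict

# Constructed sample 1: access granted directly on the type.
POLICY_DIRECT = """
attribute domain;
type httpd_t, domain;
allow httpd_t self:file read;
"""

# Constructed sample 2: the same access granted through the domain attribute.
POLICY_VIA_ATTR = """
attribute domain;
type httpd_t, domain;
allow domain self:file read;
"""

# Constructed sample 3: etc_t access hung on the attribute. sandbox_t is a
# hypothetical confined domain whose author does NOT want etc_t access; since
# the policy language has no way to subtract from an attribute rule, it gets
# the access anyway unless it drops the domain attribute altogether.
POLICY_ETC = """
attribute domain;
type etc_t;
type httpd_t, domain;
type sandbox_t, domain;
allow domain etc_t:file { read getattr open };
"""

STMT_RE = re.compile(r"(\w+)\s+([^;]+);")
ALLOW_RE = re.compile(r"(\S+)\s+(\S+):(\S+)\s+(.+)")


def parse(policy):
    """Return (members, rules): members maps attribute -> set of types carrying
    it; rules are (source, target, class, set-of-perms) as written."""
    members = defaultdict(set)
    rules = []
    for kw, body in STMT_RE.findall(policy):
        toks = body.replace(",", " ").split()
        if kw == "attribute":
            members.setdefault(toks[0], set())
        elif kw in ("type", "typeattribute"):
            # type T, a1, a2;  /  typeattribute T a1, a2;  -> T carries a1, a2
            for attr in toks[1:]:
                members[attr].add(toks[0])
        elif kw == "allow":
            src, tgt, cls, perms = ALLOW_RE.match(body.strip()).groups()
            rules.append((src, tgt, cls, set(perms.strip("{} ").split())))
    return members, rules


def expand(policy):
    """Resolve attributes so every rule names concrete types. 'self' means the
    target is the source type itself, as in the policy language."""
    members, rules = parse(policy)
    concrete = set()
    for src, tgt, cls, perms in rules:
        for s in members.get(src, {src}):
            targets = {s} if tgt == "self" else members.get(tgt, {tgt})
            for t in targets:
                for p in perms:
                    concrete.add((s, t, cls, p))
    return concrete


def how_granted(policy, cls, perm):
    """For each source type that ends up with cls:perm, say whether a rule named
    the type directly or it only inherited the rule through an attribute."""
    members, rules = parse(policy)
    out = {}
    for src, _tgt, c, perms in rules:
        if c != cls or perm not in perms:
            continue
        if src in members:
            for t in members[src]:
                out.setdefault(t, "via attribute " + src)
        else:
            out[src] = "direct"  # a rule naming the type outranks the attribute note
    return out


if __name__ == "__main__":
    # With one domain, both spellings produce the same concrete policy.
    print("direct  :", sorted(expand(POLICY_DIRECT)))
    print("via attr:", sorted(expand(POLICY_VIA_ATTR)))
    # With a second domain, the attribute form hands it the access too.
    print("etc_t readers:", how_granted(POLICY_ETC, "file", "read"))
```

The expander makes the tradeoff concrete: for a single httpd_t the two policies in the message are identical once expanded, but every type later declared with the domain attribute silently inherits whatever was written on the attribute, which is exactly why hanging files_read_etc_files() on domain makes a no-etc_t domain harder to write.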
