[redhat-lspp] LSPP Development Telecon 11/28/2005 Minutes

[Steve Grubb]

On Tuesday 29 November 2005 09:31, Stephen Smalley wrote:
> Not sure where this idea originated, but changing SIDs is neither
> necessary nor desirable for audit by role.

I've been thinking about this problem since its not being solved. I was hoping 
to discuss this idea. My concern is that strcmp will not be accepted as its 
too slow. I was thinking that if we could get it down to an "and" operation 
and a compare, it will be high performance.

> 1) pass the filter rule to SELinux to compile to an internal form (this
> _may_ include conversion to an integer id value for the role, but that
> isn't the same as the SID), and later call SELinux when the filter rule
> needs to be evaluated, or

How easy is this? Is this a performance hit? It will affect every single 
syscall.

> 2) retain the rule with the role still in string form, and only use
> SELinux to split security contexts into components as needed to compare
> the strings.

I'm thinking this is not going to be acceptable due to performance. This 
affects every single syscall.

The basic idea that I was thinking about was to loosely add meaning to the SID 
- a bit map perhaps. Not a strict definition of say bits 4-8 will always be 
the role...but a loose definition where the compiler looks to see how many 
roles are actually called for and how many bits it takes to express that. 
Then an interface would be needed to get that bit map. auditctl code would 
query selinux to see what the role definition is. The kernel would then "and" 
with bit mask, shift bits, and compare to see if its a role we want.

Whatever we do needs to be high performance.

-Steve