Re: XML Based Policy Configuration for SELinux
On Wed, Jun 22, 2005 at 07:22:43AM -0400, Joshua Brindle wrote:
> Luke Kenneth Casson Leighton wrote:
> The bottom line is that the tools would be great
i agree with that.
> but the XML has nothing
> to do with that.
then we will have to agree to disagree on that point, because
there are far more XML parsing libraries in virtually every known
useable language under the sun.
here are the options, as i see them:

* a tool, written in i-don't-really-care-what-language-but-i-like-python,
  which takes `find /etc/selinux/src/*` and turns it into formally-defined,
  well-structured XML format which has a formal DTD representing users,
  *.te, *.fc, macros, etc.

  then utilities and programs written which understand the DTD
  and therefore can "manipulate" selinux policy for any purpose
  can be written in any programming language which has an XML library.

* a library, written in [probably] c and then wrapped with swig,
  which understands and provides access to the contents of
  /etc/selinux/*

  then, utilities and programs which "manipulate" selinux policy can
  conveniently be written in c and with some awkwardness [due to swig]
  written in any other programming language.

some questions for you:
which of these two options is less of a maintenance headache?
and
which of these two options provides the most flexibility?
and
which of these two options would be most acceptable to
non-expert selinux admins and developers for writing their
own home-grown tools?
most people look at the /etc/selinux/src and go "yukk".
oh - btw - the idea about "function definitions" in the m4 language?
GREAT idea - i believe it would make the "formal definition" in XML
format that much easier.
l.
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
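
The first option above, sketched as an added example that is not part of the original message: a converter turns policy source into XML, and a separate consumer answers a policy question using only an XML library. The element and attribute names (`policy`, `allow`, `perm`, `source`, `target`, `class`) are assumptions, since the message defines no DTD, and the converter handles only already-expanded `allow` rules, not m4 macros.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of policy source; not taken from any real policy.
SAMPLE_TE = """\
# constructed example rules
allow httpd_t httpd_log_t:file { append create getattr };
allow httpd_t self:process signal;
allow { sshd_t ftpd_t } etc_t:file read;
"""

SET = r"(\{[^}]*\}|[\w~*-]+)"          # a single name or a { brace set }
RULE = re.compile(rf"allow\s+{SET}\s+{SET}\s*:\s*{SET}\s+{SET}\s*;")

def members(tok):
    """Expand 'a' or '{ a b }' into a list of names."""
    return tok.strip("{} ").split()

def te_to_xml(text):
    """Producer: the only code that has to understand policy syntax."""
    root = ET.Element("policy")         # hypothetical schema, see lead-in
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = RULE.fullmatch(line)
        if m is None:                   # fail closed on anything unsupported
            raise ValueError(f"line {lineno}: unsupported statement: {line!r}")
        src, tgt, cls, perms = map(members, m.groups())
        for s in src:
            for t in tgt:
                for c in cls:
                    rule = ET.SubElement(
                        root, "allow", {"source": s, "target": t, "class": c})
                    for p in perms:
                        ET.SubElement(rule, "perm", {"name": p})
    return ET.tostring(root)

def who_can(xml_bytes, cls, perm):
    """Consumer: needs an XML library only, no policy parser."""
    root = ET.fromstring(xml_bytes)
    return sorted({r.get("source") for r in root.iter("allow")
                   if r.get("class") == cls
                   and any(p.get("name") == perm for p in r.findall("perm"))})

if __name__ == "__main__":
    doc = te_to_xml(SAMPLE_TE)
    print(doc.decode())
    print("domains that may read files:", who_can(doc, "file", "read"))
```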