
RE: [PATCH] disallow * and ~ in rules


> -----Original Message-----
> From: owner-selinux@xxxxxxxxxxxxx [mailto:owner-selinux@xxxxxxxxxxxxx] On
> Behalf Of Stephen Smalley
> Sent: Friday, June 24, 2005 7:35 AM
> To: russell@xxxxxxxxxxxx
> Cc: Joshua Brindle; selinux
> Subject: Re: [PATCH] disallow * and ~ in rules
> 
> On Fri, 2005-06-24 at 16:29 +1000, Russell Coker wrote:
> > I agree for dontaudit, but disagree for auditallow.
> >
> > Sometimes when debugging policy issues I want to see all the accesses to an
> > object.  Writing rules that cover everything can be a drag, and running apol
> > also takes time.  It's a lot easier to just do: auditallow * foo_t:file *;
> 
> But that can just as easily be written as:
> 	auditallow domain foo_t:file *;
> with no loss in what it truly provides (and definite improvement in the
> size of the resulting policy).  Note that we aren't eliminating use of *
> in permission sets, just in type sets and role sets.  The problem with *
> in type sets is that you never truly want all types (except in
> assertions checking for policy errors); you only want "all process
> types, i.e. domain" or "all file types, i.e. file_type", etc.
> 
> > Having role attributes would be handy.
> >
> > The in_user_role() macro is a gross hack, role attributes would remove the
> > need for it.
> 
> Hmm...need a list somewhere that tracks all requests for improvements to
> the policy language...
> 

We can put this on the policy server sf site as long as everyone knows that we
can't address all of these requests as part of that project.

Karl

---
Karl MacMillan
Tresys Technology
http://www.tresys.com
(410) 290-1411 ext 134

> --
> Stephen Smalley
> National Security Agency



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
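As an added illustration (not code from this thread or from the SELinux project), a small Python checker that applies the restriction Stephen describes: it flags `*` and `~` in the source and target type sets of access-vector rules while leaving `*` in the permission set alone, and rewrites a bare `*` to the `domain` / `file_type` attributes named above. The grammar it accepts is a simplifying assumption: one rule per line with a single object class.

```python
import re

AV_RULES = {"allow", "auditallow", "dontaudit", "neverallow"}  # src/tgt are type sets

# One rule per line; a type set is a name, '*', or a brace list, optionally '~'-negated.
RULE_RE = re.compile(
    r"^\s*(?P<kind>\w+)\s+(?P<src>~?(?:\{[^}]*\}|\S+))\s+"
    r"(?P<tgt>~?(?:\{[^}]*\}|[^:\s]+))\s*:\s*(?P<cls>\w+)\s+(?P<perms>.+?)\s*;\s*$"
)

def typeset_problems(field, ts):
    """Reasons a source or target type set violates the proposed restriction."""
    problems = []
    if ts.startswith("~"):
        problems.append("'~' negation in %s type set" % field)
        ts = ts[1:]
    if "*" in ts.strip("{}").split():
        problems.append("'*' wildcard in %s type set" % field)
    return problems

def check_rule(rule):
    """Problems for one access-vector rule, or None if the line is not one."""
    m = RULE_RE.match(rule)
    if not m or m.group("kind") not in AV_RULES:
        return None
    # '*' stays legal in the permission set, so m.group("perms") is not inspected.
    return (typeset_problems("source", m.group("src"))
            + typeset_problems("target", m.group("tgt")))

def suggest(rule, src_attr="domain", tgt_attr="file_type"):
    """Replace a bare '*' source/target with the attribute the thread recommends."""
    m = RULE_RE.match(rule)
    if not m or m.group("kind") not in AV_RULES:
        return rule
    src = src_attr if m.group("src") == "*" else m.group("src")
    tgt = tgt_attr if m.group("tgt") == "*" else m.group("tgt")
    return "%s %s %s:%s %s;" % (m.group("kind"), src, tgt, m.group("cls"), m.group("perms"))

def check_policy(text):
    """Map 1-based line numbers to problems for every offending rule in a fragment."""
    return {n: p for n, line in enumerate(text.splitlines(), 1) if (p := check_rule(line))}

# Constructed policy fragment (not from the thread) exercising each case.
SAMPLE = """\
type foo_t;
auditallow * foo_t:file *;
auditallow domain foo_t:file *;
dontaudit ~{ domain kernel_t } foo_t:file { read write };
allow foo_t *:dir search;
"""
```

Running `check_policy(SAMPLE)` reports lines 2, 4 and 5; line 3 (the `domain` form) passes, and line 1 is ignored because it is not an access-vector rule.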