unreasonably long SE Linux context display
Would it be possible to use shorter names in the setrans.conf file than
SystemLow and SystemHigh? For example, could we have "Low-High" or
"sLow-sHigh" instead?
An 80-column display is the Unix standard: it's what xterm-type programs
default to, it's what generally works best with serial consoles, and it's the
only option for Braille displays.
Currently in Fedora and RHEL (and probably the default installs of most
distributions) the virtual consoles are 80 columns wide. So anything that
requires more than 80 columns in a display will not work well with the
majority of Linux systems.
For "ps" output we have to fit 80 columns; everything else is truncated. This
means that the increasing width of SE Linux output from "ps axZ" is reducing
the amount of other data available. Currently the sensitivity labels of
"s0-s0:c0.c255" take up a significant part of the screen space, and adding an
extra 7 characters by translating it to "SystemLow-SystemHigh" will only make
things worse (it will then take up 25% of the screen, giving a total of almost
75% of the screen for the SE Linux context).
Also I think we should consider making the various utility programs display
part of the SE Linux context. For example it's a common practice for an
administrator to search for a listing of processes in a particular domain or
role with commands such as the following:
ps axZ|grep kernel_t
ps axZ|grep system_r
It seems to me that one way of improving the situation with ps might be to
allow specifying a regex for the context to match in a similar manner to
killall (could probably take the same code). Another possibility is to allow
displaying partial contexts. For example I might want to see the domains
used by system processes (role==system_r) but not have the role or identity
displayed (because they are not relevant). Of course we may have great
trouble trying to get such changes accepted upstream.
For ls it would be good to be able to display part of the context. For the
vast majority of invocations of "ls -Z" on an SE Linux system the identity and
role are not desired in the output.
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
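As an added illustration (not code from the post or from any ps/SELinux project), the following Python script does what the message asks of ps: it matches a regex against the whole context the way killall does, prints only the chosen context fields, and works out the column cost of the setrans translation. The "ps axZ" lines are constructed sample data, not real system output.

```python
import re

# Constructed sample of "ps axZ" output: LABEL PID TTY STAT TIME COMMAND
SAMPLE_PS = """\
system_u:system_r:kernel_t:s0-s0:c0.c255       2 ?        S      0:00 [kthreadd]
system_u:system_r:init_t:s0-s0:c0.c255         1 ?        Ss     0:01 /sbin/init
system_u:system_r:syslogd_t:s0-s0:c0.c255    812 ?        Ss     0:00 /sbin/syslogd
user_u:user_r:user_t:s0-s0:c0.c255          1423 pts/0    Ss     0:00 -bash
"""

FIELDS = ("user", "role", "type", "range")


def parse_context(label):
    """Split user:role:type[:range] into a dict; the MLS range is optional."""
    parts = label.split(":", 3)  # the range itself may contain ':' (s0-s0:c0.c255)
    if len(parts) < 3:
        raise ValueError("not an SELinux context: %r" % label)
    return dict(zip(FIELDS, parts + [""] * (4 - len(parts))))


def parse_ps(text):
    """Return (context dict, rest of line) for every ps line; labels never contain whitespace."""
    rows = []
    for line in text.splitlines():
        label, rest = line.split(None, 1)
        rows.append((parse_context(label), rest))
    return rows


def select(rows, pattern=None, show=("type",)):
    """Proposed ps behaviour: regex over the full context, then print only the
    requested context fields (default: just the domain/type) in front of the rest."""
    rx = re.compile(pattern) if pattern else None
    out = []
    for ctx, rest in rows:
        full = ":".join(ctx[f] for f in FIELDS if ctx[f])
        if rx and not rx.search(full):
            continue
        out.append(":".join(ctx[f] for f in show) + " " + rest)
    return out


def mls_range_cost(raw_range, translated, columns=80):
    """Extra columns the setrans translation adds, and the translated range's
    share of an N-column line (the post's 80-column screen)."""
    return len(translated) - len(raw_range), len(translated) / columns


if __name__ == "__main__":
    for line in select(parse_ps(SAMPLE_PS), "system_r", ("type",)):
        print(line)
    print(mls_range_cost("s0-s0:c0.c255", "SystemLow-SystemHigh"))
```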