SELinux Mailing List - NSA/CSS

Skip All Menus Skip Top Menu

Top Navigation Menus

Skip Research Menus

Research Menu

Research Security Enhanced Linux What's New Frequently Asked Questions Background Documents License Download Participating Mail List Archives Remaining Work Contributors Related Work Press Releases Information Assurance Research NIARL In-house Research Areas Mathematical Sciences Program Sabbaticals Computer & Information Sciences Research Technology Transfer Advanced Computing Advanced Mathematics Communications & Networking Information Processing Microelectronics Other Technologies Technology Fact Sheets Publications Related Links	Skip Search Box Searchbox SELinux Mailing List Re: concept of a permissive domain This message: [ Message body ] [ More options ] Related messages: [ Next message ] [ Previous message ] [ In reply to ] [ Next in thread ] [ Replies ] From: Stephen Smalley <sds_at_tycho.nsa.gov> Date: Thu, 13 Sep 2007 10:57:23 -0400 On Thu, 2007-09-13 at 10:46 -0400, Karl MacMillan wrote: > On Thu, 2007-09-13 at 10:08 -0400, Stephen Smalley wrote: > > On Tue, 2007-09-11 at 17:26 -0400, Karl MacMillan wrote: > > > On Tue, 2007-09-11 at 16:31 -0400, Daniel J Walsh wrote: > > > [...] > > > > One other feature/requirement would be to not override dontaudit rules. > > > > So if I have a domain in permissive mode and I have a dontaudit rule on > > > > reading /etc/shadow. The app should still be denied reading > > > > /etc/shadow. (This is not a show stopper, but would allow us to force > > > > apps to take the code paths they will take in enforcing mode.) > > > > > > This isn't specific to per-domain permissive, right? It would be useful > > > in general for permissive. > > > > I would be opposed to such a change, as it is a semantic change to what > > dontaudit means. > > > > Keep in mind that allow, auditallow, and dontaudit/auditdeny are all > > independent of one another today and none of them imply the other, e.g. > > allow a b:file read; > > auditallow a b:file ;* > > dontaudit a b:file ;* > > is perfectly valid and means: > > - Let a read files labeled b, > > - Audit all permission grantings from a to files labeled b, > > - Don't audit any permission denials from a to files labeled b. > > > > I agree that changing the dontaudit semantic has problems - however the > reason Dan suggested is still valid. Currently, generating policy in > permissive mode can lead to bogus or overly permissive policy. It would > be nice to have some solution to that problem. Can't you handle that in the tool, by giving matching interfaces with dontaudit rules precedence over ones with allow rules and asking the user? I'd actually rather see an improved capability for (more easily) generating policy incrementally in enforcing mode. That would make it more suitable for production use and avoid the problem above. -- Stephen Smalley National Security Agency -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. Received on Thu 13 Sep 2007 - 11:01:15 EDT This message: [ Message body ] Next message: Eric Paris: "[PATCH -v2] kernel: selinux: policy selectable handling of unknown classes and perms" Previous message: Karl MacMillan: "Re: concept of a permissive domain" In reply to: Karl MacMillan: "Re: concept of a permissive domain" Next in thread: Karl MacMillan: "Re: concept of a permissive domain" Reply: Karl MacMillan: "Re: concept of a permissive domain" Reply: Daniel J Walsh: "Re: concept of a permissive domain" Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ]
	Date Posted: Jan 15, 2009 \| Last Modified: Jan 15, 2009 \| Last Reviewed: Jan 15, 2009

bottom