Security Enhanced Linux
What's New
Frequently Asked Questions
Background
Documents
License
Download
Participating
Mail List
Archives
Remaining Work
Contributors
Related Work
Press Releases
Information Assurance Research
NIARL In-house Research Areas
Mathematical Sciences Program
Sabbaticals
Computer & Information Sciences Research
Technology Transfer
Advanced Computing
Advanced Mathematics
Communications & Networking
Information Processing
Microelectronics
Other Technologies
Technology Fact Sheets
Publications
Related Links
|
SELinux Mailing ListRe: Security policy analysis
From: Jon Crowley <jonathan_at_mitre.org>
Date: Wed, 10 Oct 2001 13:02:20 -0400
Yes, MITRE is developing tools for policy analysis. We intend on developing functions to do the following first:
For testing purposes, we implemented some of these functions (1-6, 7 under construction) as small, individual programs borrowing code from checkpolicy sources. Eventually we would like to combine these programs into one tool that provides policy analysis capabilities. Because we see the above list as growing and want it to be as flexible as possible to be able to handle tailored requests from the policy administrator, we plan on implementing an interactive query language front-end to this tool, as Steve suggested. Steve also suggested incorporating these functions into checkpolicy. With the interactive query front-end, this would become the policy analysis tool. However, our take on checkpolicy is that it is intended to compile policies and to assist in debugging specific to security identifiers. We are thinking it might be cleaner to keep policy analysis tools separate from a policy compiling/debugging tool. Though perhaps we have the wrong take on checkpolicy. More thoughts on this? The problem with building a separate tool is that both tools will share some of the same code. Does it makes sense to pull out commonly-used code in checkpolicy, specifically the code that reads in the binary and text versions of the policy into data structures, and put this code into some sort of library? It seems this code may be useful to future applications, and it would be easier to maintain and more accessible if it was in a library.
Jon Crowley
-- You have received this message because you are subscribed to the selinux list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message.Received on Wed 10 Oct 2001 - 13:10:56 EDT |
|
Date Posted: Jan 15, 2009 | Last Modified: Jan 15, 2009 | Last Reviewed: Jan 15, 2009 |