On Wed, Jan 12, 2005 at 04:27:16PM -0500, Stephen Smalley wrote:

> single security equivalence class for analysis purposes. Think: policy
> says allow P1 F1:file read; allow P2 F2:file write;, policy analysis
> says that there is no allowed information flow from P2 to P1, but
> someone does a chcon -t F1,F2 foobar and now P2 can write to foobar and
> P1 can read from it, so information flow is now possible.

 yep - and the policy analysis tools would need to understand the  new format.

1. if someone does a "chcon -t F2 foobar" all bets would be off as far as static analysis is concerned.

 2 ) even if they did chcon -t "F1,F2" foobar, you would still expect

     them to be doing that as an "interim" measure whilst they were
     testing something _pending_ formal analysis by putting that
     into the policy files.

 ... and once they did that, i would rationally expect the  analysis tools to be able to cope, to "combine"  allow P1 F1:file read; allow P2 F2:file write; into some sort of  pseudo-thing ... mmm... mmm...

 *thinks*...

 the analysis would need the macro-munging approach _anyway_ in  order to "grok" the new syntax - an intermediate preprocessing  stage that "notices" multiple-file-applications (including  possibly expanding regexps!) and ending up with something  like this:

 filetype Files_with_F1_and_F2_applied_t;

 allow P1 F1:file read;
 allow P1 Files_with_F1_and_F2_applied_t:file read;  allow P2 F2:file write;
 allow P2 Files_with_F1_and_F2_applied_t:file write;

 it'd be yeurk - but doable, i think.

 l.  

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.