Security Enhanced Linux
What's New
Frequently Asked Questions
Background
Documents
License
Download
Participating
Mail List
Archives
Remaining Work
Contributors
Related Work
Press Releases
Information Assurance Research
NIARL In-house Research Areas
Mathematical Sciences Program
Sabbaticals
Computer & Information Sciences Research
Technology Transfer
Advanced Computing
Advanced Mathematics
Communications & Networking
Information Processing
Microelectronics
Other Technologies
Technology Fact Sheets
Publications
Related Links
|
SELinux Mailing ListRE: [RFC & PATCH] inherited type definition.
From: Karl MacMillan <kmacmillan_at_tresys.com>
Date: Thu, 17 Mar 2005 16:41:48 -0500
I know - I was hoping no one would notice. Seriously, I think that some things are better done as part of the development environment. Additionally, I think that the policy needs some better abstractions at the source level and that will address some of these issues - see below.
> > One of the stated uses for this patch is to allow naïve users to That's correct, but I argue that a complete union is seldom what is wanted. More often we want a partial union, which is what the @ syntax is supposed to express. I think, however, that macros can express this more directly and readably.
> > With the extends syntax the entire policy must be examined to Sure, and I think that attributes are somewhat evil as well. Again, my experience trying to understand policies leads me to say that more of the policy that can be expressed directly through allow rules on types the better. Automated analysis can unwind these indirections, but there is still significant advantages to being able to understand source policies.
> In effect, every type becomes an If this change does happen I hope that the @ prefix will be required to cause expansion. At this point, though, the amount of work required to change the policy to use the @ where needed is on the same order as abstracting these types into macros, and I think there would be additional benefits from the macro abstraction that the @ markup does not have.
> Other important point is Certainly, but it is potentially an impact on source policy readability.
> > Macros are not perfect, but there is some hope that a single macro Yes - and I have already complained about those in another email. I'll be happy to send a patch disallowing complement in allow rules if you would accept it :)
> > I think that it is better to only add policy syntax when it I disagree - macros allow this. Also, what we want, I think, is not a union of types but an abstract notion of access. Your earlier example of samba_http_content_t is better expressed through:
allow_samba_read(foo_t)
This is a direct statement of what we intend - allowing both samba and httpd to read files of type foo_t. This is also easier conceptually for those new to policy development. I think that we are fixing a symptom with the extends approach. The real problem is that the current policy is not structured to provide macros with well-defined access semantics. If policy was written with the abstractions, like above, the type union problem would not exist. Additionally, the macros provide more control (there can be multiple version with slightly different access - not possible with the extends even with the @) and provide a single point for documentation. I would like to see how some real world problems would be solved with the extends syntax. I feel confident that every example could be expressed more clearly through a set of well-thought out macros. Thanks, Karl --- Karl MacMillan Tresys Technology http://www.tresys.com (410) 290-1411 ext 134Received on Thu 17 Mar 2005 - 16:48:38 EST |
|
Date Posted: Jan 15, 2009 | Last Modified: Jan 15, 2009 | Last Reviewed: Jan 15, 2009 |