SELinux Mailing List

Re: Patch to cleanup audit handling in policy.

From: Karl MacMillan <kmacmillan_at_mentalrootkit.com>
Date: Tue, 01 May 2007 11:21:04 -0400


On Tue, 2007-05-01 at 13:31 +0000, Christopher J. PeBenito wrote:
> On Mon, 2007-04-30 at 20:49 -0400, Karl MacMillan wrote:
> > On Mon, 2007-04-30 at 16:53 +0000, Christopher J. PeBenito wrote:
> > > On Mon, 2007-04-30 at 07:59 -0700, Steve G wrote:
> >
> > <snip>
> >
> > >
> > > > The interfaces that Dan created allow the exact kind of permission to be applied
> > > > without having to copy and paste individual permissions, which is error prone.
> > > > (There are only 4 use cases of the audit system.) Part of what makes it error
> > > > prone is the naming convention for all the pieces. Example: "audit_write" is that
> > > > for the capability, the netlink interface, or audit logs?
> > >
> > > This is the reason policy patterns exist.
> > >
> >
> > So far the policy patterns have been very hard to automatically generate
> > using sepolgen. Note that this deficiency is not something that I can
> > address - it is a problem with the patterns themselves.
>
> I don't see how it could be any more complex than matching rules to an
> interface.
>

/research/selinux/list-archive/0701/18939.shtml

Summary - patterns that contain unrelated types cannot be reliably generated. This - to me - is a major drawback. Whether that will apply here is not clear.

> > Given that and
> > my concerns over their clarity I would prefer that no more patterns be
> > introduced.
> >
> > Can I ask why you are so against these audit interfaces and would prefer
> > patterns?
>
> I don't agree with the assertions, which means the attributes are
> dropped, so that just leaves the rules, which don't refer to any types
> in the logging module. They only refer to resources in the current
> module (all self rules), so it's not an interface, it's a pattern.
>

I think that distinction is not useful to a policy writer. As a policy writer I think it would be natural to look for audit interfaces in logging - by making these patterns they are harder to find.

So - why make this distinction?

Karl

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
Received on Tue 1 May 2007 - 11:28:45 EDT
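The interface-versus-pattern distinction Chris describes above (rules that name types owned by the providing module versus rules that touch only the caller's parameter and self) can be checked mechanically. The following is an added example, not refpolicy code or anything from the thread: it parses constructed m4-style rule blocks and classifies each one by whether any allow-style rule targets a type other than a `$n` parameter or `self`. The type names `auditd_t` and `auditd_log_t` and the permission sets are assumed for illustration.

```python
import re

# Constructed sample blocks (not from refpolicy). $1 is the caller-supplied
# domain; "self" means the subject's own type. All targets here are $1/self,
# so by the thread's definition this block is a pattern.
PATTERN_BLOCK = """
allow $1 self:capability audit_write;
allow $1 self:netlink_audit_socket { create bind write read nlmsg_relay };
"""

# Constructed block that names types owned by the logging module (assumed
# names auditd_t, auditd_log_t); referencing module-local types is what makes
# it an interface rather than a pattern.
INTERFACE_BLOCK = """
gen_require(`
    type auditd_t, auditd_log_t;
')
allow $1 auditd_log_t:file { read getattr };
allow $1 auditd_t:unix_stream_socket connectto;
"""

# Matches "<kind> <source> <target>:<class> ..." for allow-style rules.
RULE_RE = re.compile(r'^\s*(allow|auditallow|dontaudit)\s+(\S+)\s+([^:]+):')


def referenced_types(block):
    """Return the set of target identifiers named by allow-style rules in block."""
    targets = set()
    for line in block.splitlines():
        m = RULE_RE.match(line)
        if m:
            targets.add(m.group(3).strip())
    return targets


def external_types(block):
    """Targets that are neither an interface parameter ($n) nor self."""
    return {t for t in referenced_types(block)
            if t != 'self' and not t.startswith('$')}


def classify(block):
    """'pattern' if every rule targets only parameters or self, else 'interface'."""
    return 'interface' if external_types(block) else 'pattern'


if __name__ == '__main__':
    for name, block in (('PATTERN_BLOCK', PATTERN_BLOCK),
                        ('INTERFACE_BLOCK', INTERFACE_BLOCK)):
        print(name, '->', classify(block), sorted(external_types(block)))
```

Running the script reports the first block as a pattern and the second as an interface because it names `auditd_log_t` and `auditd_t`. This is the same test a policy writer applies by eye, and it also shows why Karl's search heuristic fails: a pattern carries no module-owned type that would lead someone to look for it in `logging`.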
Date Posted: Jan 15, 2009 | Last Modified: Jan 15, 2009 | Last Reviewed: Jan 15, 2009

National Security Agency / Central Security Service