SELinux Mailing List

TE Policy Modules for SELinux policies

From: Serge Hallyn <serge.hallyn_at_gmail.com>
Date: Mon, 10 Jan 2005 22:35:42 -0600


Hi,

Three or four years ago I started using "policy modules" to write DTE policies. A year or two ago I considered porting/extending the policy modules to support selinux. I've played on and off, and finally decided this weekend to get it to a state where I could send it out.

The attached tarball contains sel_pc.py (and supporting code), which converts policy modules to an selinux policy. A sample module is in selinux_policy_modules/modules/basic, which compiled to bootable policies - under enforcing mode. I have not added sufficient permissions (ie to class lnkfile, process, etc) to bother trying to use enforcing.

One way in which this differs from writing selinux policy by hand, is that access rules are actually grants and requests (and denials) by specific domains and types. As such, priorities can be used to resolve conflicts in intuitive ways. For instance, if we have

type etc_t

        access boot_d f:r
        access user_d none

end

domain user_d

        type etc_t f:r
end

Then domain user_d will not receive the f:r to etc_t, because the "incoming" permission grant (into etc_t) trumps the "outgoing" permission request (from user_d). Of course this example isn't very useful, but it becomes useful with grouping, ie domain user_d can simply ask for "f:r" to "bin.*" or "all", even if etc_t is defined as "bin.etc_t".

The DTE module compiler code had support for automatic policy analysis. I have not yet tested this under sel_pc, but plan to do so. One class which I had written, for instance, checked for maintenance of Bell-LaPadula dominates relations among pre-existing types when a new module was applied to a policy. (an idea I took from TIS' live policy extension paper)

Usage:

tar jxf selinux_policy_modules.03.tar.bz2
cd selinux_policy_modules/modules
../src/sel_pc.py -f list -o policy -c file_contexts
checkpolicy policy -o policy.bin
install policy.bin and set file_contexts
(I installed under /etc/selinux/serge/, for instance)

TODO:

        general debugging
        write better policies
        test under enforcing
        test policy consistency classes (blp, mod_blp, etc)
        incorporate booleans into module language

thanks,
-serge

PS - For more information, usenix members can read http://www.usenix.org/events/usenix04/tech/freenix/hallyn.html. Sorry it's not publicly available...

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Received on Mon 10 Jan 2005 - 23:35:48 EST
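The grant/request semantics described in the message (incoming grants into a type trump outgoing requests from a domain, "none" as an explicit denial, and glob grouping such as "bin.*" or "all") modelled as a small Python resolver that emits SELinux allow rules. This is an added illustration, not code from sel_pc.py or from the attached tarball; the letter-to-class/permission mapping (f:r = file:read), the rule that a more specific pattern beats a less specific one on the same side, the Python stand-in for the module syntax, and the rendered allow-rule text are all assumptions of this example.

```python
"""Toy model of policy-module conflict resolution (added example, not sel_pc.py)."""
import fnmatch
import re
from dataclasses import dataclass, field

# Assumed shorthand tables for the post's "f:r" notation.
CLASSES = {"f": "file", "d": "dir", "l": "lnk_file", "p": "process"}
PERMS = {"r": "read", "w": "write", "x": "execute"}


def parse_access(spec):
    """'f:rx' -> {('file','read'), ('file','execute')}; 'none' -> empty set (denial)."""
    if spec == "none":
        return frozenset()
    cls, perms = spec.split(":")
    return frozenset((CLASSES[cls], PERMS[p]) for p in perms)


@dataclass
class Rule:
    target: str        # exact name, a glob such as "bin.*", or "all"
    access: frozenset  # set of (class, perm) pairs; empty means "none"


def matches(pattern, name):
    return pattern == "all" or fnmatch.fnmatchcase(name, pattern)


def specificity(pattern):
    """Assumed priority: exact name > glob with longer literal prefix > 'all'."""
    if pattern == "all":
        return (0, 0)
    if not any(c in pattern for c in "*?["):
        return (2, len(pattern))
    return (1, len(re.split(r"[*?\[]", pattern)[0]))


def best(rules, name):
    hits = [r for r in rules if matches(r.target, name)]
    return max(hits, key=lambda r: specificity(r.target)) if hits else None


@dataclass
class Policy:
    types: dict = field(default_factory=dict)    # type -> [Rule(domain pattern, access)]
    domains: dict = field(default_factory=dict)  # domain -> [Rule(type pattern, access)]

    def type(self, name, grants):
        self.types[name] = [Rule(d, parse_access(a)) for d, a in grants]

    def domain(self, name, requests):
        self.domains[name] = [Rule(t, parse_access(a)) for t, a in requests]


def resolve(policy):
    """Return {(domain, type): frozenset of (class, perm)} for every domain/type pair."""
    exact = lambda rules: {r.target for r in rules if specificity(r.target)[0] == 2}
    doms = set(policy.domains) | {d for rs in policy.types.values() for d in exact(rs)}
    typs = set(policy.types) | {t for rs in policy.domains.values() for t in exact(rs)}
    result = {}
    for dom in doms:
        for typ in typs:
            grant = best(policy.types.get(typ, []), dom)
            if grant is not None:  # an incoming grant (even "none") trumps any request
                access = grant.access
            else:
                req = best(policy.domains.get(dom, []), typ)
                access = req.access if req is not None else frozenset()
            result[(dom, typ)] = access
    return result


def to_te(allows):
    """Render resolved decisions as allow rules; denied pairs produce no rule."""
    lines = []
    for (dom, typ), access in sorted(allows.items()):
        by_class = {}
        for cls, perm in access:
            by_class.setdefault(cls, set()).add(perm)
        for cls, perms in sorted(by_class.items()):
            lines.append(f"allow {dom} {typ}:{cls} {{ {' '.join(sorted(perms))} }};")
    return lines


def example_policy():
    """Constructed sample: the post's etc_t/user_d case plus a bin.* grouping case."""
    p = Policy()
    p.type("etc_t", [("boot_d", "f:r"), ("user_d", "none")])
    p.domain("user_d", [("etc_t", "f:r"), ("bin.*", "f:rx")])
    p.type("bin.etc_t", [("user_d", "none")])  # explicit denial still wins over bin.*
    p.type("bin.ls_t", [])                     # no grants: user_d's bin.* request stands
    return p


if __name__ == "__main__":
    print("\n".join(to_te(resolve(example_policy()))))
```

Running the block prints two rules: boot_d keeps its read access to etc_t, user_d gets read and execute on bin.ls_t through the bin.* request, and both etc_t and bin.etc_t stay closed to user_d because their own "none" entries outrank the request.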
Date Posted: Jan 15, 2009 | Last Modified: Jan 15, 2009 | Last Reviewed: Jan 15, 2009