From: sds@tycho.nsa.gov (Stephen Smalley)
Date: Fri, 18 Mar 2011 09:37:44 -0400
Subject: [refpolicy] Question: and the policy grows...
In-Reply-To: <4D829196.2070804@catseye.org>
References: <1300369855.30425.14.camel@tesla.lan>
	<4D8219D9.7080504@redhat.com>
	<1300377867.30425.40.camel@tesla.lan>
	<4D823A60.9020107@redhat.com>
	<1300390804.31755.6.camel@tesla.lan>
	<4D829196.2070804@catseye.org>
Message-ID: <1300455464.25429.10.camel@moss-pluto>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Thu, 2011-03-17 at 18:56 -0400, Mark Montague wrote:
> - I've always struggled with policy file syntax. What is allowed?
> Where? The M4 macros make things more mysterious for me, rather than
> easier. I find having to "pre-declare" everything in a require stanza
> to be frustrating, especially as I'm constantly leaving things out.
> I've still no understanding of the differences between .if and .te files
> (e.g., apache.if versus apache.te in the targeted policy)

.if files are for interface/macro definitions. Similar to a header file.

> - Roles, in particular, could be better documented, in my opinion. At
> least, I have not found any great documentation that addresses everyday
> situations with roles. I'd like to make more use of roles in order to
> run more secure servers, but am a bit lost.

Agreed, but have you looked at:
http://selinuxproject.org/page/RefpolicyBasicRoleCreation

It is far from everything one might want, but at least it is a starting
point.

> - I've got little to no understanding of what the SELinux code in the
> kernel does or how it does it. It's a black box on which I twiddle
> knobs and hope I get the result I want. I see AVC denial messages but
> have no idea what the Access Vector Cache is.

The following is a nice walk through the SELinux kernel code by someone
other than its developers:
http://www.imperialviolet.org/2009/07/14/selinux.html

There are also the official docs:
http://www.nsa.gov/research/selinux/docs.shtml

> - Finding and installing the "right" Fedora / Red Hat RPMs for what
> needs to be done (e.g., building policies). (It's simple once you know,
> but I had a great deal of trouble finding out): setools setools-devel
> libsemanage-devel policycoreutils-python selinux-policy-devel
> selinux-policy-doc. policycoreutils-python was a big problem for me in
> particular here, since the name of the RPM implies -- to me -- that it
> is a set of policy core utilities for *use* with python, rather than
> tools *written* in python (normally, when installing an RPM, I don't
> care about what language was used to write the programs that it contains).

Maybe we need a yum group for all of this? Dan? PolicyDevel or similar?

-- 
Stephen Smalley
National Security Agency
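An added example, not part of this thread or of refpolicy itself, showing how the .te, .if and .fc pieces of one refpolicy-style module fit together and where the "pre-declare" (require) stanza actually lives. The daemon name myapp, its domain and types (myapp_t, myapp_exec_t, myapp_log_t), its paths (/usr/sbin/myapp, /var/log/myapp) and the calling domain other_t are all assumed for illustration; the interfaces it calls (policy_module, init_daemon_domain, logging_log_file, logging_log_filetrans, the *_files_pattern helpers, corenet_*, gen_require, gen_context) are real refpolicy macros.

```m4
# ---- myapp.te: type declarations and the daemon's own rules ----
# "myapp", its types and paths are assumed names for this example.
policy_module(myapp, 1.0.0)

########################################
#
# Declarations
#

# Domain the daemon runs in, and the entrypoint type of its binary.
type myapp_t;
type myapp_exec_t;
init_daemon_domain(myapp_t, myapp_exec_t)

# Private type for the daemon's log files under /var/log/myapp.
type myapp_log_t;
logging_log_file(myapp_log_t)

########################################
#
# Local policy
#

allow myapp_t self:fifo_file rw_fifo_file_perms;
allow myapp_t self:tcp_socket create_stream_socket_perms;

# Create and append log files; files the daemon creates in /var/log
# are labelled myapp_log_t by the type transition.
logging_log_filetrans(myapp_t, myapp_log_t, file)
create_files_pattern(myapp_t, myapp_log_t, myapp_log_t)
append_files_pattern(myapp_t, myapp_log_t, myapp_log_t)

# Listen on the http port.
corenet_tcp_bind_generic_node(myapp_t)
corenet_tcp_bind_http_port(myapp_t)

# ---- myapp.if: the "header file", interfaces other modules may call ----
## <summary>Hypothetical myapp daemon (example module).</summary>

########################################
## <summary>
##	Read myapp log files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`myapp_read_log',`
	# This is the require stanza: it is declared here, once, inside the
	# interface, so callers never have to pre-declare myapp_log_t themselves.
	gen_require(`
		type myapp_log_t;
	')

	logging_search_logs($1)
	read_files_pattern($1, myapp_log_t, myapp_log_t)
')

# ---- myapp.fc: file contexts for the assumed paths ----
/usr/sbin/myapp		--	gen_context(system_u:object_r:myapp_exec_t,s0)
/var/log/myapp(/.*)?		gen_context(system_u:object_r:myapp_log_t,s0)

# ---- some other module's .te: consuming the interface ----
# other_t is an assumed domain. No require block is needed here; the
# optional_policy wrapper keeps this module loadable even if myapp is absent.
optional_policy(`
	myapp_read_log(other_t)
')
```

With the three myapp.* files in one directory and selinux-policy-devel installed, the module builds and loads with `make -f /usr/share/selinux/devel/Makefile myapp.pp` followed by `semodule -i myapp.pp`, and `restorecon -Rv /usr/sbin/myapp /var/log/myapp` applies the .fc entries. The division of labour is the point of the example: types are declared in exactly one .te, every cross-module reference goes through an interface in the .if, and the only require stanza is the gen_require inside that interface, so a .te that sticks to calling interfaces rarely needs a require block of its own.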