[refpolicy] Question: and the policy grows...

Stephen Smalley sds at tycho.nsa.gov
Fri Mar 18 08:37:44 CDT 2011


On Thu, 2011-03-17 at 18:56 -0400, Mark Montague wrote:
> - I've always struggled with policy file syntax.  What is allowed?  
> Where?  The M4 macros make things more mysterious for me, rather than 
> easier.  I find having to "pre-declare" everything in a require stanza 
> to be frustrating, especially as I'm constantly leaving things out.  
> I've still no understanding of the differences between .if and .te files 
> (e.g., apache.if versus apache.te in the targeted policy)

.if files are for interface/macro definitions.  Similar to a header
file.

> - Roles, in particular, could be better documented, in my opinion.  At 
> least, I have not found any great documentation that addresses everyday 
> situations with roles.  I'd like to make more use of roles in order to 
> run more secure servers, but am a bit lost.

Agreed, but have you looked at:
http://selinuxproject.org/page/RefpolicyBasicRoleCreation

It is far from everything one might want, but at least it is a starting
point.

> - I've got little to no understanding of what the SELinux code in the 
> kernel does or how it does it.  It's a black box on which I twiddle 
> knobs and hope I get the result I want.  I see AVC denial messages but 
> have no idea what the Access Vector Cache is.

The following is a nice walk through the SELinux kernel code by someone
other than its developers:
http://www.imperialviolet.org/2009/07/14/selinux.html

There are also the official docs:
http://www.nsa.gov/research/selinux/docs.shtml

> - Finding and installing the "right" Fedora / Red Hat RPMs for what 
> needs to be done (e.g., building policies).  (It's simple once you know, 
> but I had a great deal of trouble finding out): setools setools-devel 
> libsemanage-devel policycoreutils-python selinux-policy-devel 
> selinux-policy-doc.   policycoreutils-python was a big problem for me in 
> particular here, since the name of the RPM implies -- to me -- that it 
> is a set of policy core utilities for *use* with python, rather than 
> tools *written* in python (normally, when installing an RPM, I don't 
> care about what language was used to write the programs that it contains).

Maybe we need a yum group for all of this?  Dan?  PolicyDevel or
similar?

-- 
Stephen Smalley
National Security Agency
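To make the .if/.te split and the require stanza concrete, here is a small added example; it is not from this thread or from refpolicy itself. The module name mybackup, its two types, and the interface body are constructed for illustration and only mirror refpolicy conventions (the interface name apache_read_sys_content, the init_daemon_domain interface, and the list_dir_perms/read_file_perms permission sets do exist in refpolicy, but their bodies here are reconstructed, not copied):

```selinux
# ---------- apache.if (excerpt, constructed) ----------
# An .if file holds interface definitions: m4 macros that another
# module calls to get access to this module types. It is the
# "header"; the types themselves are declared in apache.te.
## <summary>Allow the specified domain to read Apache system content.</summary>
## <param name="domain"><summary>Domain allowed access.</summary></param>
interface(`apache_read_sys_content',`
	# gen_require() pulls in the symbols this interface body needs,
	# so the caller never writes a require block for them.
	gen_require(`
		type httpd_sys_content_t;
	')

	# $1 is the calling domain; list_dir_perms and read_file_perms
	# are refpolicy permission sets defined in obj_perm_sets.spt.
	allow $1 httpd_sys_content_t:dir list_dir_perms;
	allow $1 httpd_sys_content_t:file read_file_perms;
')

# ---------- mybackup.te (constructed) ----------
# A .te file declares types and the rules that apply to them. With
# policy_module() and interface calls, no require stanza is needed:
# every foreign type is pulled in by the interface that uses it.
policy_module(mybackup, 1.0.0)

type mybackup_t;
type mybackup_exec_t;
init_daemon_domain(mybackup_t, mybackup_exec_t)

# Let the (hypothetical) backup daemon read the web content tree.
apache_read_sys_content(mybackup_t)

# ---------- mylocal.te (constructed, "raw" style) ----------
# Roughly the same rule written without refpolicy interfaces, the
# form audit2allow emits. Here every type and class referenced must
# be pre-declared in a require block, which is the friction the
# thread describes; leaving one out fails at checkmodule time.
module mylocal 1.0;

require {
	type mybackup_t;
	type httpd_sys_content_t;
	class dir { getattr open read search };
	class file { getattr open read };
}

allow mybackup_t httpd_sys_content_t:dir { getattr open read search };
allow mybackup_t httpd_sys_content_t:file { getattr open read };
```

The three sections are separate files in practice. The refpolicy-style module is built with the devel Makefile that selinux-policy-devel installs (`make -f /usr/share/selinux/devel/Makefile mybackup.pp`), which runs the .te through m4 with the installed .if headers before checkmodule sees it; the raw module skips m4 entirely (`checkmodule -M -m -o mylocal.mod mylocal.te`, then `semodule_package -o mylocal.pp -m mylocal.mod`). Either package is loaded with `semodule -i`.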