On Mon, Aug 26, 2013 at 9:55 AM, Stephen Smalley <[email protected]> wrote:
> On 08/26/2013 12:22 PM, William Roberts wrote:
> > I started a thread with Stephen about implementing a way to adjust the
> > sensitivity portion of the MLS field in seapp_contexts. We have differing
> > ideologies on the implementation (I should have put this public from day
> > one):
> >
> > Below is the thread in detail, I'll summarize here though:
> >
> > Goal:
> > Given a policy that supports multiple sensitivities, be able to place apps
> > in different sensitivities while preserving a way to maintain the category
> > assignments as originally designed.
> >
> > Constraints:
> > Backwards compatible
> >
> > Implementation 1:
> >
> > We keep the level and levelFrom keywords mutually exclusive, as is the
> > current design.
> >
> > We allow the following expressions in the level keyword:
> > 1. level = <cats>
> > 2. level = <sens:cats>
> > 3. level = keyword
> > 4. level = <sens:cats>
> >
> > Pros:
> > 1. We could actually deprecate level from
> > 2. Reduces the amount of output selectors, or minimally keeps it the same.
> > 3. allows us to set a sens and still preserve category mappings
> >
> > Cons:
> > 1. Adds complexity to the level keyword
> >
> > Implementation 2:
> > We add a new sens category
> >
> > Sense would be a new field that can work with either level OR levelFrom but
> > not Both (XOR)
> >
> > in this case doing:
> > sens=s1
> > level=c0,c87
> >
> > would result in s1:c0,c87
>
> This isn't quite right.
> Currently if you specify level=, it uses the value as the entire level.
> It does not assume it is just a category set and inherit sensitivity
> from the zygote in that case. So what you have above would be
> incompatible. level= is to fully specify a complete level (or even a
> range, e.g. you could say level=s0:c0-s15:c0.c10 and it would work just
> fine presently).
>
> That's why I suggested just adding a sens= output selector that could be
> combined with levelFrom= but not with level=.

Yes, my summary is wrong.

> If you want to fully
> specify both sensitivity and categories, you use level=. If you want to
> explicitly specify sensitivity and automatically generate categories,
> you use sens= and levelFrom=. If you want to leave sensitivity alone
> and automatically generate categories, you use levelFrom=.
>

it should really be catsFrom then

>
> At present there is no interpretation of the level= value at all by the
> libselinux code, and it can contain anything that is valid as a MLS range
> in a SELinux security context.
>
> >
> > doing:
> > sens=s1
> > levelFrom=app
> >
> > s1:(app cat mapping)
> >
> > Pros:
> > 1. allows us to set a sens and still preserve category mappings
> > 2. Keeps level usage exactly the same
> >
> > Cons:
> > 1. adds a new output selector, which means more of specified sens over
> > unspecified sens...etc
> >
> >
> > So the point of this is, what do people prefer and why, and what other
> > things should be considered?
> >

--
Respectfully,
William C Roberts
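
The selector rules discussed in this thread (level= used verbatim, sens= combinable with levelFrom= but not with level=, levelFrom= alone leaving the sensitivity untouched), sketched as an added example that is neither libselinux code nor part of the original messages. `struct entry`, `resolve_level`, `app_cats` and the one-category-per-appid mapping are hypothetical, and rejecting sens= without levelFrom= is an assumption of this sketch.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical model of one seapp_contexts entry's MLS output selectors.
 * NULL means the selector is absent; sens= is the proposal from the thread. */
struct entry {
    const char *level;      /* level=: complete level or range, used verbatim */
    const char *level_from; /* levelFrom=: only "app" is modelled here */
    const char *sens;       /* sens=: proposed explicit sensitivity */
};

/* Stand-in for the "(app cat mapping)" the thread leaves unspecified:
 * one category per appid. This is not libselinux's real mapping. */
static int app_cats(unsigned appid, char *buf, size_t len)
{
    int n = snprintf(buf, len, "c%u", appid);
    return (n < 0 || (size_t)n >= len) ? -1 : 0;
}

/* Writes the resulting level to out. Returns 0 on success, -1 when the
 * selector combination is rejected or out is too small.
 * inherited_sens is the sensitivity the process would otherwise keep. */
int resolve_level(const struct entry *e, const char *inherited_sens,
                  unsigned appid, char *out, size_t len)
{
    char cats[32];
    int n;

    if (e->level) {
        /* level= fully specifies the level, so nothing may be merged in. */
        if (e->level_from || e->sens)
            return -1;
        n = snprintf(out, len, "%s", e->level);
    } else if (e->level_from) {
        if (strcmp(e->level_from, "app") != 0 || app_cats(appid, cats, sizeof cats))
            return -1;
        /* sens= overrides the sensitivity; without it, leave it alone. */
        n = snprintf(out, len, "%s:%s", e->sens ? e->sens : inherited_sens, cats);
    } else if (e->sens) {
        return -1; /* assumption: sens= is only accepted with levelFrom= */
    } else {
        n = snprintf(out, len, "%s", inherited_sens);
    }
    return (n < 0 || (size_t)n >= len) ? -1 : 0;
}
```

With these rules the `sens=s1` plus `level=c0,c87` entry from the summary is rejected rather than silently merged into `s1:c0,c87`.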
