Re: Support for multiple types in typeattribute
On 02/24/2017 01:00 PM, Dominick Grift wrote: On 02/24/2017 06:39 PM, Alex Klyubin wrote: Hi, typeattribute currently accepts only a single type as its first argument. It associates the provided type with the attribute provided as the second argument. Is there a reason why typeattribute doesn't support multiple types specified as the first argument? The idea being that it would associate each of those types with the attribute. For example, the first argument to typeattribute could use the same syntax as used for the first argument of allow and neverallow. typeattribute could then expand this set of types, attributes, and exclusions into the set of matching types and then associate each of the types with the provided attribute. There is no reason (that I know of) why it couldn't be changed to work the way you suggest other than someone having the time and desire to make the change. I honestly don't know if it would be difficult to make the change or not. It doesn't seem like it would, but ... The reason I'm asking is because in Android SELinux policy we're bumping against the need to associate attribute A with the set of types which are grouped using attribute G. We could add a typeattribute for each type associated with G, but that (1) duplicates the grouping which is already expressed via G, and (2) makes it very cumbersome/brittle to keep both A and G associated with exactly the same set of types. In particular, because Android SELinux policy source tree is distributed between a large number of Android devices and organizations, requiring that any time you associate a type with G you must also associate it with A is suboptimal, not to mention that making such a change in the existing policies requires to change each policy. This is why, as Dominck mentions below, that CIL allows you to use an expression that can include types and attributes to associate types to an attribute. In November I added the ability to create a policy.conf from the CIL AST with the libsepol function cil_write_policy_conf() or from CIL policy using the program secil2conf. Those might be useful to you. Jim To make life more interesting, there's also a need to associate A with a subset of G, for example, G minus some type or two. CIL is a bit more flexible. You can associate type attributes with type attributes and do things like: (typeattributeset not_dyntransition_subj_type_or_unconfined_subj_type_attribute (not ( dyntransition_subj_type_attribute unconfined_subj_type_attribute ) ) ) and: (typeattributeset except_obj_type_attribute (and ( obj_type_attribute ) (not ( auth_obj_type_attribute exception_obj_type_attribute sec_obj_type_attribute ) ) ) ) Kind Regards, Alex ___ Selinux mailing list Selinux@tycho.nsa.gov To unsubscribe, send email to selinux-le...@tycho.nsa.gov. To get help, send an email containing "help" to selinux-requ...@tycho.nsa.gov. ___ Selinux mailing list Selinux@tycho.nsa.gov To unsubscribe, send email to selinux-le...@tycho.nsa.gov. To get help, send an email containing "help" to selinux-requ...@tycho.nsa.gov. -- James CarterNational Security Agency ___ Selinux mailing list Selinux@tycho.nsa.gov To unsubscribe, send email to selinux-le...@tycho.nsa.gov. To get help, send an email containing "help" to selinux-requ...@tycho.nsa.gov.
Re: Support for multiple types in typeattribute
On 02/24/2017 06:39 PM, Alex Klyubin wrote: > Hi, > > typeattribute currently accepts only a single type as its first argument. > It associates the provided type with the attribute provided as the second > argument. Is there a reason why typeattribute doesn't support multiple > types specified as the first argument? The idea being that it would > associate each of those types with the attribute. > > For example, the first argument to typeattribute could use the same syntax > as used for the first argument of allow and neverallow. typeattribute could > then expand this set of types, attributes, and exclusions into the set of > matching types and then associate each of the types with the provided > attribute. > > The reason I'm asking is because in Android SELinux policy we're bumping > against the need to associate attribute A with the set of types which are > grouped using attribute G. We could add a typeattribute for each type > associated with G, but that (1) duplicates the grouping which is already > expressed via G, and (2) makes it very cumbersome/brittle to keep both A > and G associated with exactly the same set of types. In particular, because > Android SELinux policy source tree is distributed between a large number of > Android devices and organizations, requiring that any time you associate a > type with G you must also associate it with A is suboptimal, not to mention > that making such a change in the existing policies requires to change each > policy. > > To make life more interesting, there's also a need to associate A with a > subset of G, for example, G minus some type or two. > CIL is a bit more flexible. You can associate type attributes with type attributes and do things like: (typeattributeset not_dyntransition_subj_type_or_unconfined_subj_type_attribute (not ( dyntransition_subj_type_attribute unconfined_subj_type_attribute ) ) ) and: (typeattributeset except_obj_type_attribute (and ( obj_type_attribute ) (not ( auth_obj_type_attribute exception_obj_type_attribute sec_obj_type_attribute ) ) ) ) > Kind Regards, > Alex > > > > ___ > Selinux mailing list > Selinux@tycho.nsa.gov > To unsubscribe, send email to selinux-le...@tycho.nsa.gov. > To get help, send an email containing "help" to selinux-requ...@tycho.nsa.gov. > -- Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02 https://sks-keyservers.net/pks/lookup?op=get=0x3B6C5F1D2C7B6B02 Dominick Grift signature.asc Description: OpenPGP digital signature ___ Selinux mailing list Selinux@tycho.nsa.gov To unsubscribe, send email to selinux-le...@tycho.nsa.gov. To get help, send an email containing "help" to selinux-requ...@tycho.nsa.gov.
Support for multiple types in typeattribute
Hi, typeattribute currently accepts only a single type as its first argument. It associates the provided type with the attribute provided as the second argument. Is there a reason why typeattribute doesn't support multiple types specified as the first argument? The idea being that it would associate each of those types with the attribute. For example, the first argument to typeattribute could use the same syntax as used for the first argument of allow and neverallow. typeattribute could then expand this set of types, attributes, and exclusions into the set of matching types and then associate each of the types with the provided attribute. The reason I'm asking is because in Android SELinux policy we're bumping against the need to associate attribute A with the set of types which are grouped using attribute G. We could add a typeattribute for each type associated with G, but that (1) duplicates the grouping which is already expressed via G, and (2) makes it very cumbersome/brittle to keep both A and G associated with exactly the same set of types. In particular, because Android SELinux policy source tree is distributed between a large number of Android devices and organizations, requiring that any time you associate a type with G you must also associate it with A is suboptimal, not to mention that making such a change in the existing policies requires to change each policy. To make life more interesting, there's also a need to associate A with a subset of G, for example, G minus some type or two. Kind Regards, Alex ___ Selinux mailing list Selinux@tycho.nsa.gov To unsubscribe, send email to selinux-le...@tycho.nsa.gov. To get help, send an email containing "help" to selinux-requ...@tycho.nsa.gov.