selinux April 2010 archive
Main Archive Page > Month Archives  > selinux archives
selinux: Re: refpolicy is missing on lots of hits with audit2all

Re: refpolicy is missing on lots of hits with audit2allow -R.

From: Karl MacMillan <kmacmillan_at_nospam>
Date: Wed Apr 28 2010 - 14:25:21 GMT
To: Daniel J Walsh <dwalsh@redhat.com>

On Fri, Apr 23, 2010 at 11:09 AM, Daniel J Walsh <dwalsh@redhat.com> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> I do not totally understand your matching, but I thought if you looked for
>
> allow TYPE etc_t:file getattr;
>
> You could get extra matches.
>

That's essentially what I do.

> I was thinking in terms of sepolgen-ifgen would take every type and
> expand the attributes for the type then if you find attribute that
> matches, not add weight.
>

I think you are missing what the core problem is - it's easy to find
interfaces that match this access. Many interfaces (including
files_read_etc_files) include a rule that directly matches getattr on
etc_t files. So I don't really need to do attribute expansion to get
enough matches.

The key problem is finding the _best_ match, which I define as the
interface that allows the requested access with the least amount of
"extra" access. That's what the distance measure is for - it is a
measure of extra access. So I add extra distance for access to
unrelated types, extra permissions, returning a write interface when a
read was requested, etc. So when you add access to a broad attribute
in files_read_etc_files the distance measure - as currently shipped -
adds more distance for 1 type (the attribute). However, when I expand
the attribute the distance goes up because it becomes clear that the
interface is in fact allowing a _lot_ of access.

This seems correct to me, hence my request to return what was intended
to be a narrow interface back to that narrow definition.

However, there are some things that I can do to make this distance
algorithm better:

1. Don't penalize as much for access that involves container object
classes, such as directory, in an attempt to not penalize for access
that is actually related.

2. Detect execute and add a big penalty for interfaces that allow
execute when it wasn't requested (similar to what I do with write).

I'm also open to other suggestions. I don't think that what I have is
perfect. However, none of this will fix the fact that the
files_read_etc_files shipped in Fedora grants broad access. If
everyone agrees that we want that interface to match regardless then I
think we are going to have to add some other mechanism to the matching
algorithm. Perhaps some "hinting" mechanism to let the policy author
to tell sepolgen to prefer certain interfaces. I might even be able to
automatically derive this from how popular the interface is in current
policies.

Karl

-- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message.