refpolicy interfaces (was RE: httpd can't send mails)

Shintaro Fujiwara shin216 at xf7.so-net.ne.jp
Wed Jul 4 15:39:37 UTC 2007


> > From: Shintaro Fujiwara [mailto:shin216 at xf7.so-net.ne.jp]
> [text cut]
> > 
> > As a matter of fact, I printed every interface and felt at a loss
> > because of its thickness.
> > 
> 
> Yes, not a good idea. :)

Everybody laughed at me, but I was so serious.

> > In what page or Software can I find those defined interfaces ?
> > SLIDE ?
> > 
> 
> SLIDE has multiple features that can help you find interfaces. Its
> default configuration brings up an Interfaces window on the right side.
> The interfaces are grouped by layer (e.g., kernel, services, apps, etc.)
> and then by module. If you left click on an interface name, SLIDE shows
> you the policy source for the interface in the Declaration tabbed window
> at the bottom. You do need to understand the convention used for
> interface names and have a general idea of where an interface might be
> found.
> 
> SLIDE gives you interface completion in the module editing window when
> you type <Ctrl><space>. The completion pop-up shows initial matches in
> module names up until the first underscore, '_'. For example, if I type
> "core" and hit <Ctrl><space>, SLIDE will show me the possible
> completions are "corecommands" and "corenetworks", and it will show me a
> summary comment for each one. If I pick "corecommands" SLIDE completes
> the first part of the interface, "corecmd_", and then it will show all
> of the interfaces that start with "corecmd_" and short descriptions of
> each one. I select which interface I want, let's say
> "corecmd_bin_domtrans", and SLIDE pastes the full name in with "()" and
> shows a hint about what arguments are required for the interface (in
> this case it shows, "domain, target_domain"). You can also press
> <Ctrl><Shift><space> between the parentheses to see the parameter popup
> again.
> 
> The descriptions are only as complete as the authors made them. The
> general format of interfaces and syntax conventions can be found on the
> Reference Policy pages, <http://oss.tresys.com/projects/refpolicy>, and
> I'm sure Chris PeBenito would welcome any Reference Policy patches that
> expand the interface documentation. SLIDE,
> <http://oss.tresys.com/projects/slide> has plenty of documentation and
> we would welcome any suggestions.
> 


Thanks for your lecture.
I think I can work on SLIDE and could find out what I really need.


> > I once wrote such a software named segatex...
> > 
> > Why is audit2allow just echoing raw access vectors and not
> > interfaces?
> 
> It is a simple tool designed to make it easy for people whose main
> objective is to get their application working. It is useful in providing
> a quick summary of the denials in the logs, but if you're trying to
> develop a strict policy you should not simply accept the output of
> audit2allow as your policy.
> 
> > I think if audit2allow has such an option, it would be more convenient
> > and rewarding.
> > 
> 
> I believe that is Karl's objective with Madison/sepolgen. Matching an
> appropriate interface is not an easy problem. 
> 
> Even if you have a tool that can suggest the appropriate interface you
> still need to consider if the access is really required (quite often
> applications ask for access they don't really need) and, if so, if you
> should allow the access or fix the application.

You're totally right.

We should reconsider what audit2allow echoes, even if we can build
our own modules on our machines.
Surely, interfaces would provide more privileges than what is really
needed...

I rethought it, and letting httpd_t execute bin_t would not be a good
solution...

I can co-operate any time on your work and want to make
a small bounce on computer security.

I recognized that what I want and what you guys want is the same...

Thanks!
We're waiting for you guys to come to our country and talk on your beliefs.


##################################################
member, Secure-OS Users Group, JP
Officer, System-Information, Signal School, JGSDF
##################################################


> > Maybe I should rewrite my own program ...segatex... by this
> > summer, though.
> > Or are there other projects doing the same thing?
> > Karl's project?
> > 
> > http://sourceforge.net/projects/segatex/
> > 
> > http://intrajp.no-ip.com    my homepage
> > 
> > 
> > Officer, System-Information, Signal School, JGSDF
> > 
> > 
> > 
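The following is an added example, not code from the thread, SLIDE or the Reference Policy. It is a small refpolicy-style module for a hypothetical helper program that httpd_t was denied running; the module name `myhttpd_helper`, the type `httpd_helper_exec_t` and the domain `httpd_helper_t` are assumptions. It puts side by side the raw access-vector rules that audit2allow echoes, the `corecmd_` interface from kernel/corecommands that SLIDE's completion would offer (named on the page), and a narrower alternative that confines the helper in its own domain via the `corecmd_bin_domtrans(domain, target_domain)` interface the reply describes.

```selinux
# Added example: contrasting raw audit2allow output with refpolicy interfaces.
# Module name and the httpd_helper_* types are assumptions for illustration.
policy_module(myhttpd_helper, 1.0)

########################################
#
# Declarations
#

require {
	type httpd_t;
	type bin_t;
}

# Assumed: a dedicated domain and entry-point type for the helper, so
# that httpd_t does not need blanket execute access to bin_t.
type httpd_helper_t;
type httpd_helper_exec_t;
domain_type(httpd_helper_t)
domain_entry_file(httpd_helper_t, httpd_helper_exec_t)

########################################
#
# 1. Raw form: roughly what audit2allow prints back from the AVC denials.
#    It is exactly the access that was denied, as access vectors, with no
#    indication of which interface (if any) covers it.
#
# allow httpd_t bin_t:dir search;
# allow httpd_t bin_t:file { read getattr execute execute_no_trans };

########################################
#
# 2. Interface form: the "corecmd_" family from kernel/corecommands.
#    corecmd_exec_bin lets httpd_t execute every file labelled bin_t,
#    which is the over-broad grant the thread warns against.
#
# corecmd_exec_bin(httpd_t)

########################################
#
# 3. Narrower alternative: httpd_t may only run the helper, and doing so
#    transitions into httpd_helper_t, whose own rules are written here
#    instead of widening httpd_t. corecmd_bin_domtrans is the interface
#    quoted in the reply (arguments: domain, target_domain).
#
corecmd_bin_domtrans(httpd_t, httpd_helper_t)
```

Only one of sections 1 to 3 would be left uncommented in a real module; the point is that the denial in the log, the interface SLIDE suggests, and the access the application actually needs are three different things, and the last of them is what the policy should express.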
