[ANN] Madison policy generation tools

Karl MacMillan kmacmill at redhat.com
Tue Jan 9 22:49:18 UTC 2007


Rahul Sundaram wrote:
> Karl MacMillan wrote:
>> The first public release of the Madison SELinux policy generation 
>> tools can be found at http://et.redhat.com/madison/. Madison is a new 
>> project to create command line and GUI policy generation tools that:
>>
>>   * Create more readable and secure policy by leveraging the reference
>>     policy development environment.
>>   * Provide administrators with guidance and information to help them
>>     make good security decisions.
>>
>> This release focuses on the creation of a foundation library (in 
>> python). It only includes a single tool - audit2policy - that is a 
>> drop-in replacement for audit2allow with better reference policy 
>> interface call generation (using the undocumented -R audit2allow flag).
>>
>> Contributions are very welcome. I'm looking for help with:
>>
>>   * Testing (particularly interface call generation and module
>>     generation)
>>   * Documentation
>>   * Unit test creation
>>   * Code / tool development
>>
>> See the website for more details on contributing.
>>
>> To the authors of other policy generation tools: I would like to avoid 
>> duplication of effort where possible. The current release focuses on 
>> areas that other tools have not explored thoroughly. Moving forward I 
>> would like to discuss how we can best work together.
>>
>> Please send any feedback to the selinux development list.
> 
>  I don't want to subscribe to yet another list so I will send in my 
> comments here. I have put in an announcement in fedoraproject.org. A few 
> questions.
> 

Sorry for the delay in answering.

> * I installed the FC6 version. audit2policy is the only tool in this 
> package as of now. Do you plan to include it within an existing package 
> or introduce a new one? 

I am currently planning to submit this code to the upstream selinux 
project. If it is accepted then this will ultimately be included there.

> Do you plan to replace audit2allow with this? 

If it is accepted upstream, yes.

> What are the specific differences between them?
> 

The main user visible difference is more accurate reference policy 
interface generation with audit2policy. Otherwise, the bulk of the 
difference is in the code behind them - madison is designed to be 
capable of much more and will hopefully be the basis for other tools in 
the future.

> * What is the plan for the GUI application? Is this connected to 
> system-config-selinux or semanage?
> 

I have two tools in mind:

1) Local policy modifications - allow the user to make small policy 
tweaks without having to build modules by hand. It will also help them 
review the changes and suggest other ways to solve the problems (like 
booleans). This will hopefully be part of system-config-selinux.

2) New policy module creation - help people create new policy modules 
for applications, including things like cgi-scripts run by apache. This 
is longer term.

> * There is absolutely no documentation on the madison package and 

I know - the audit2allow man page is most applicable.

> running audit2policy on its own doesn't return the prompt (that probably 
> should return some basic help and we need a man page).

This is, unfortunately, inherited from audit2policy. By default it reads 
from standard input.

> I can help with
> writing documentation if someone can explain the details to me.
> 

Thanks - right now the audit2allow man page is sufficient. As more tools 
are created I'll let you know so you can contribute to documentation if 
you are still interested.

Thanks - Karl

> Rahul
> 
> 
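The thread describes audit2policy as a drop-in replacement for audit2allow that turns AVC denial records into policy, and notes that, like audit2allow, it reads audit text from standard input by default. The following is an added illustration, not code from madison, audit2allow or anyone on this thread, of the core of that job: collapsing AVC denials into (source type, target type, class) rules and rendering a loadable-module source in the audit2allow -M style. The audit records are constructed sample input, and the module name "local" is an arbitrary choice. Real audit2allow additionally maps rules onto reference-policy interfaces with -R, which this example does not attempt.

```python
import re
from collections import defaultdict

# Constructed sample audit records (not taken from the page). The SYSCALL
# record is included to show that non-AVC lines are ignored.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1168382958.123:4521): avc:  denied  { read } for  pid=2210 comm="httpd" name="app.log" dev=sda2 ino=131102 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=SYSCALL msg=audit(1168382958.123:4521): arch=c000003e syscall=2 success=no exit=-13 comm="httpd"
type=AVC msg=audit(1168382958.201:4522): avc:  denied  { write append } for  pid=2210 comm="httpd" name="app.log" dev=sda2 ino=131102 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1168382960.042:4523): avc:  denied  { name_connect } for  pid=2214 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
"""

# Matches the permission set, source/target contexts and object class of one
# AVC denial. Other fields (pid, comm, name, ...) are irrelevant to the rule.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)


def context_type(ctx):
    """user:role:type[:level] -> type, the only component an allow rule names."""
    return ctx.split(":")[2]


def parse_avc(text):
    """Collapse denials into {(source_type, target_type, class): set(perms)}.

    Several denials for the same triple (here: read, then write/append on the
    same file) merge into one rule, which is what audit2allow does as well.
    """
    rules = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        key = (context_type(m.group("scon")),
               context_type(m.group("tcon")),
               m.group("tclass"))
        rules[key].update(m.group("perms").split())
    return dict(rules)


def format_allow(key, perms):
    """Render one allow rule in policy syntax, permissions sorted for stability."""
    src, tgt, tclass = key
    perms = sorted(perms)
    body = perms[0] if len(perms) == 1 else "{ %s }" % " ".join(perms)
    return "allow %s %s:%s %s;" % (src, tgt, tclass, body)


def generate_module(name, rules):
    """Render loadable-module source in the shape audit2allow -M produces.

    The require block must declare every type and every class/permission the
    rules use; a module that omits one fails at build time.
    """
    types = sorted({t for key in rules for t in key[:2]})
    perms_by_class = defaultdict(set)
    for (_, _, tclass), perms in rules.items():
        perms_by_class[tclass].update(perms)
    out = ["module %s 1.0;" % name, "", "require {"]
    out += ["\ttype %s;" % t for t in types]
    out += ["\tclass %s { %s };" % (c, " ".join(sorted(p)))
            for c, p in sorted(perms_by_class.items())]
    out += ["}", ""]
    out += [format_allow(key, perms) for key, perms in sorted(rules.items())]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    import sys
    # Same default as audit2allow: read the audit text from standard input.
    # Falling back to the sample when stdin is a terminal avoids the "hang"
    # the thread mentions when the tool is run with no input at all.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_AUDIT
    sys.stdout.write(generate_module("local", parse_avc(text)))
```

The generated rules grant exactly what was denied, which is the point to keep in mind when reviewing such output: the second rule would let httpd_t connect to mysqld_port_t, and whether that belongs in a local module, in a boolean, or nowhere is the security decision the thread says these tools should help an administrator make rather than make for them.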




More information about the fedora-selinux-list mailing list