v0 Separate tunables from booleans

v0 Separate tunables from booleans

[Harry Ciao]

Comments
---------
Separate tunables from booleans.

The effective branch of an if-else conditional that controlled by a tunable
should be expanded and registered to te_avtab hashtab permanently; while the
whole if-else conditional that controlled by a boolean should be expaned and
registered to te_cond_avtab hashtab as normal.

Also nearly all tunables(exceptions see below) would be discarded from
policy.X.

With this patchset, the size of policy.X would drop significantly from 600+k
down to 322+k bytes(since most of tunables are default to false, and there is
no else branch of most conditionals).

Note, so far some tunable would be used along with some boolean in the
tunable_policy() macro(say pppd_can_insmod), this is not recommended and such
tunable would have to be transformed as boolean.


Tests I've done
----------------
1. Apply below patchset for refpolicy to cope with toolchain:

   0001-Add-the-definition-of-the-boolean_policy-marcro.patch
   0002-user_ping-is-a-tunable-use-tunable_policy-for-it.patch
   0003-mmap_low_allowed-is-a-tunable-use-tunable_policy-for.patch
   0004-secure_mode_insmod-is-a-boolean-use-boolean_policy-f.patch

   Mostly these patches would add a new boolean_policy() macro and make
   the tunable_policy() macro use "tunable" keyword rather than "bool".

2. The refpolicy could be built successfully.
   The following messages are triggered since the secure_mode_insmod boolean
   is used in tunable_policy() macro(along with pppd_can_insmod tunable):

   libsepol.bool_copy_callback: ppp: Mismatch between boolean/tunable definition and usage for secure_mode_insmod
   libsepol.bool_copy_callback: ppp: Mismatch between boolean/tunable definition and usage for secure_mode_insmod

3. We can see the size of policy.X dropped significantly:

   cao@cao-laptop:/etc/selinux/refpolicy/policy$ ls -l
   total 6312
   -rw-r--r--. 1 root root 3227130 2011-08-23 15:51 policy.24
   cao@cao-laptop:/etc/selinux/refpolicy/policy$ 

4. If the console_login tunable defaults to true, after booting up this
   policy.X, we can see that the type_change rule controlled by it are
   available, and the /dev/console would be re-labelled properly:
   
   [root/sysadm_r/@~]# sesearch -SCT -t console_device_t
   Found 11 semantic te rules:
      type_change unconfined_t console_device_t : chr_file user_tty_device_t; 
      type_change logadm_t console_device_t : chr_file user_tty_device_t; 
      type_change webadm_t console_device_t : chr_file user_tty_device_t; 
      type_change dbadm_t console_device_t : chr_file user_tty_device_t; 
      type_change user_t console_device_t : chr_file user_tty_device_t; 
      type_change staff_t console_device_t : chr_file user_tty_device_t; 
      type_change xguest_t console_device_t : chr_file user_tty_device_t; 
      type_change secadm_t console_device_t : chr_file user_tty_device_t; 
      type_change auditadm_t console_device_t : chr_file user_tty_device_t; 
      type_change guest_t console_device_t : chr_file user_tty_device_t; 
      type_change sysadm_t console_device_t : chr_file user_tty_device_t; 
   
   [root/sysadm_r/@~]# tty
   /dev/console
   [root/sysadm_r/@~]# ls -Z `tty`
   crw--w----  root tty root:object_r:user_tty_device_t  /dev/console
   [root/sysadm_r/@~]# 

5. Also only real booleans would be preserved for policy.X, except that
   pppd_can_insmod tunable is used along with secure_mode_insmod and it
   has been transformed as a boolean during link:
   
   [root/sysadm_r/@~]# ls /selinux/booleans/ -l
   total 0
   -rw-r--r-- 1 root root 0 Aug 23 07:57 pppd_can_insmod
   -rw-r--r-- 1 root root 0 Aug 23 07:57 secure_mode
   -rw-r--r-- 1 root root 0 Aug 23 07:57 secure_mode_insmod
   -rw-r--r-- 1 root root 0 Aug 23 07:57 secure_mode_policyload
   [root/sysadm_r/@~]# getsebool -a
   pppd_can_insmod --> off
   secure_mode --> off
   secure_mode_insmod --> off
   secure_mode_policyload --> off
   [root/sysadm_r/@~]# 
   
6. If the console_login tunable defaults to false, rebuild policy.X and
   we can see that it becomes smaller, with all type_change rule gone and
   /dev/console not re-labelled:
   
   cao@cao-laptop:/etc/selinux/refpolicy/policy$ ls -lt
   total 6312
   -rw-r--r--. 1 root root 3226998 2011-08-23 16:38 policy.24
   cao@cao-laptop:/etc/selinux/refpolicy/policy$ 
   
   [root/sysadm_r/@~]# sesearch -SCT -t console_device_t
   
   [root/sysadm_r/@~]# tty
   /dev/console
   [root/sysadm_r/@~]# ls -Z `tty`
   crw--w----  root tty root:object_r:console_device_t   /dev/console
   [root/sysadm_r/@~]# 
   
7. Build as monolithic, ok.
   
8. Trigger module downgrade, since the flags of cond_bool_datum_t won't
   be written to a downgraded module, all tunables are regarded as booleans,
   and we can see that the size of policy.X becomes what it is used to be:
   
   cao@cao-laptop:/etc/selinux/refpolicy/policy$ ls -lt
   total 12268
   -rw-r--r--. 2 root root 6086586 2011-08-23 17:06 policy.24
   cao@cao-laptop:/etc/selinux/refpolicy/policy$

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

[v0 PATCH 1/6] Indicate when boolean is indeed a tunable.

[Harry Ciao]

Add flags to cond_bool_datum_t and cond_node_t structures to indicate
that the boolean and related if-else conditionals are about a tunable.

Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
---
 libsepol/include/sepol/policydb/conditional.h |    5 +++--
 libsepol/include/sepol/policydb/policydb.h    |    5 ++++-
 libsepol/src/policydb.c                       |   14 ++++++++++++++
 3 files changed, 21 insertions(+), 3 deletions(-)

diff --git a/libsepol/include/sepol/policydb/conditional.h b/libsepol/include/sepol/policydb/conditional.h
index a8ed694..1fd1638 100644
--- a/libsepol/include/sepol/policydb/conditional.h
+++ b/libsepol/include/sepol/policydb/conditional.h
@@ -77,15 +77,16 @@ typedef struct cond_node {
 	/* these true/false lists point into te_avtab when that is used */
 	cond_av_list_t *true_list;
 	cond_av_list_t *false_list;
-	/* and these are using during parsing and for modules */
+	/* and these are used during parsing and for modules */
 	avrule_t *avtrue_list;
 	avrule_t *avfalse_list;
 	/* these fields are not written to binary policy */
 	unsigned int nbools;
 	uint32_t bool_ids[COND_MAX_BOOLS];
 	uint32_t expr_pre_comp;
-	/*                                               */
 	struct cond_node *next;
+#define	COND_NODE_FLAGS_TUNABLE	0x01	/* a tunable conditional */
+	uint32_t flags;
 } cond_node_t;
 
 extern int cond_evaluate_expr(policydb_t * p, cond_expr_t * expr);
diff --git a/libsepol/include/sepol/policydb/policydb.h b/libsepol/include/sepol/policydb/policydb.h
index 5320bc8..1848a7b 100644
--- a/libsepol/include/sepol/policydb/policydb.h
+++ b/libsepol/include/sepol/policydb/policydb.h
@@ -210,6 +210,8 @@ typedef struct range_trans {
 typedef struct cond_bool_datum {
 	symtab_datum_t s;
 	int state;
+#define COND_BOOL_FLAGS_TUNABLE	0x01	/* is this a tunable? */
+	uint32_t flags;
 } cond_bool_datum_t;
 
 struct cond_node;
@@ -683,9 +685,10 @@ extern int policydb_set_target_platform(policydb_t *p, int platform);
 #define MOD_POLICYDB_VERSION_FILENAME_TRANS	11
 #define MOD_POLICYDB_VERSION_ROLETRANS		12
 #define MOD_POLICYDB_VERSION_ROLEATTRIB		13
+#define MOD_POLICYDB_VERSION_TUNABLE_SEP	14
 
 #define MOD_POLICYDB_VERSION_MIN MOD_POLICYDB_VERSION_BASE
-#define MOD_POLICYDB_VERSION_MAX MOD_POLICYDB_VERSION_ROLEATTRIB
+#define MOD_POLICYDB_VERSION_MAX MOD_POLICYDB_VERSION_TUNABLE_SEP
 
 #define POLICYDB_CONFIG_MLS    1
 
diff --git a/libsepol/src/policydb.c b/libsepol/src/policydb.c
index 017aeca..136b450 100644
--- a/libsepol/src/policydb.c
+++ b/libsepol/src/policydb.c
@@ -221,6 +221,13 @@ static struct policydb_compat_info policydb_compat[] = {
 	 .target_platform = SEPOL_TARGET_SELINUX,
 	},
 	{
+	 .type = POLICY_BASE,
+	 .version = MOD_POLICYDB_VERSION_TUNABLE_SEP,
+	 .sym_num = SYM_NUM,
+	 .ocon_num = OCON_NODE6 + 1,
+	 .target_platform = SEPOL_TARGET_SELINUX,
+	},
+	{
 	 .type = POLICY_MOD,
 	 .version = MOD_POLICYDB_VERSION_BASE,
 	 .sym_num = SYM_NUM,
@@ -290,6 +297,13 @@ static struct policydb_compat_info policydb_compat[] = {
 	 .ocon_num = 0,
 	 .target_platform = SEPOL_TARGET_SELINUX,
 	},
+	{
+	 .type = POLICY_MOD,
+	 .version = MOD_POLICYDB_VERSION_TUNABLE_SEP,
+	 .sym_num = SYM_NUM,
+	 .ocon_num = 0,
+	 .target_platform = SEPOL_TARGET_SELINUX,
+	},
 };
 
 #if 0
-- 
1.7.0.4


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

[v0 PATCH 2/6] Separate tunable from boolean during compile.

[Harry Ciao]

Both boolean and tunable keywords are processed by define_bool_tunable(),
argument 0 and 1 would be passed for boolean and tunable respectively.
For tunable, a TUNABLE flag would be set in cond_bool_datum_t.flags.

Note, when creating an if-else conditional, we can not know if the
tunable identifier is indeed a tunable(for example, boolean may be
used in tunable_policy(), optionally along with other tunables), thus
we can not know if the current if-else conditional is of tunable at
the compile time(but at link time when all boolean/tunable copied).

Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
---
 checkpolicy/module_compiler.c |   16 +++++++++++++++-
 checkpolicy/module_compiler.h |    1 +
 checkpolicy/policy_define.c   |    4 +++-
 checkpolicy/policy_define.h   |    2 +-
 checkpolicy/policy_parse.y    |    8 +++++++-
 checkpolicy/policy_scan.l     |    2 ++
 libsepol/src/conditional.c    |    1 +
 7 files changed, 30 insertions(+), 4 deletions(-)

diff --git a/checkpolicy/module_compiler.c b/checkpolicy/module_compiler.c
index 1c1d1d5..81ccb00 100644
--- a/checkpolicy/module_compiler.c
+++ b/checkpolicy/module_compiler.c
@@ -1045,7 +1045,7 @@ int require_user(int pass)
 	}
 }
 
-int require_bool(int pass)
+static int require_bool_tunable(int pass, int is_tunable)
 {
 	char *id = queue_remove(id_queue);
 	cond_bool_datum_t *booldatum = NULL;
@@ -1063,6 +1063,8 @@ int require_bool(int pass)
 		yyerror("Out of memory!");
 		return -1;
 	}
+	if (is_tunable)
+		booldatum->flags |= COND_BOOL_FLAGS_TUNABLE;
 	retval =
 	    require_symbol(SYM_BOOLS, id, (hashtab_datum_t *) booldatum,
 			   &booldatum->s.value, &booldatum->s.value);
@@ -1094,6 +1096,16 @@ int require_bool(int pass)
 	}
 }
 
+int require_bool(int pass)
+{
+	return require_bool_tunable(pass, 0);
+}
+
+int require_tunable(int pass)
+{
+	return require_bool_tunable(pass, 1);
+}
+
 int require_sens(int pass)
 {
 	char *id = queue_remove(id_queue);
@@ -1328,6 +1340,8 @@ void append_cond_list(cond_list_t * cond)
 		     tmp = tmp->next) ;
 		tmp->next = cond->avfalse_list;
 	}
+
+	old_cond->flags |= (cond->flags & COND_NODE_FLAGS_TUNABLE);
 }
 
 void append_avrule(avrule_t * avrule)
diff --git a/checkpolicy/module_compiler.h b/checkpolicy/module_compiler.h
index 45a21cd..72c2d9b 100644
--- a/checkpolicy/module_compiler.h
+++ b/checkpolicy/module_compiler.h
@@ -58,6 +58,7 @@ int require_attribute(int pass);
 int require_attribute_role(int pass);
 int require_user(int pass);
 int require_bool(int pass);
+int require_tunable(int pass);
 int require_sens(int pass);
 int require_cat(int pass);
 
diff --git a/checkpolicy/policy_define.c b/checkpolicy/policy_define.c
index ded27f7..1bf669c 100644
--- a/checkpolicy/policy_define.c
+++ b/checkpolicy/policy_define.c
@@ -1494,7 +1494,7 @@ avrule_t *define_cond_compute_type(int which)
 	return avrule;
 }
 
-int define_bool(void)
+int define_bool_tunable(int is_tunable)
 {
 	char *id, *bool_value;
 	cond_bool_datum_t *datum;
@@ -1524,6 +1524,8 @@ int define_bool(void)
 		return -1;
 	}
 	memset(datum, 0, sizeof(cond_bool_datum_t));
+	if (is_tunable)
+		datum->flags |= COND_BOOL_FLAGS_TUNABLE;
 	ret = declare_symbol(SYM_BOOLS, id, datum, &value, &value);
 	switch (ret) {
 	case -3:{
diff --git a/checkpolicy/policy_define.h b/checkpolicy/policy_define.h
index fc8cd4d..92a9be7 100644
--- a/checkpolicy/policy_define.h
+++ b/checkpolicy/policy_define.h
@@ -21,7 +21,7 @@ cond_expr_t *define_cond_expr(uint32_t expr_type, void *arg1, void* arg2);
 int define_attrib(void);
 int define_attrib_role(void);
 int define_av_perms(int inherits);
-int define_bool(void);
+int define_bool_tunable(int is_tunable);
 int define_category(void);
 int define_class(void);
 int define_common_perms(void);
diff --git a/checkpolicy/policy_parse.y b/checkpolicy/policy_parse.y
index 0a17bdc..49ac15f 100644
--- a/checkpolicy/policy_parse.y
+++ b/checkpolicy/policy_parse.y
@@ -101,6 +101,7 @@ typedef int (* require_func_t)();
 %token ALIAS
 %token ATTRIBUTE
 %token BOOL
+%token TUNABLE
 %token IF
 %token ELSE
 %token TYPE_TRANSITION
@@ -269,6 +270,7 @@ te_decl			: attribute_def
                         | typeattribute_def
                         | typebounds_def
                         | bool_def
+			| tunable_def
                         | transition_def
                         | range_trans_def
                         | te_avtab_def
@@ -295,8 +297,11 @@ opt_attr_list           : ',' id_comma_list
 			| 
 			;
 bool_def                : BOOL identifier bool_val ';'
-                        {if (define_bool()) return -1;}
+                        { if (define_bool_tunable(0)) return -1; }
                         ;
+tunable_def		: TUNABLE identifier bool_val ';'
+			{ if (define_bool_tunable(1)) return -1; }
+			;
 bool_val                : CTRUE
  			{ if (insert_id("T",0)) return -1; }
                         | CFALSE
@@ -820,6 +825,7 @@ require_decl_def        : ROLE        { $$ = require_role; }
                         | ATTRIBUTE_ROLE   { $$ = require_attribute_role; }
                         | USER        { $$ = require_user; }
                         | BOOL        { $$ = require_bool; }
+			| TUNABLE     { $$ = require_tunable; }
                         | SENSITIVITY { $$ = require_sens; }
                         | CATEGORY    { $$ = require_cat; }
                         ;
diff --git a/checkpolicy/policy_scan.l b/checkpolicy/policy_scan.l
index ed27bbe..a61e0db 100644
--- a/checkpolicy/policy_scan.l
+++ b/checkpolicy/policy_scan.l
@@ -92,6 +92,8 @@ TYPE |
 type				{ return(TYPE); }
 BOOL |
 bool                            { return(BOOL); }
+TUNABLE |
+tunable				{ return(TUNABLE); }
 IF |
 if				{ return(IF); }
 ELSE |
diff --git a/libsepol/src/conditional.c b/libsepol/src/conditional.c
index 1482387..efdedb0 100644
--- a/libsepol/src/conditional.c
+++ b/libsepol/src/conditional.c
@@ -160,6 +160,7 @@ cond_node_t *cond_node_create(policydb_t * p, cond_node_t * node)
 		for (i = 0; i < min(node->nbools, COND_MAX_BOOLS); i++)
 			new_node->bool_ids[i] = node->bool_ids[i];
 		new_node->expr_pre_comp = node->expr_pre_comp;
+		new_node->flags = node->flags;
 	}
 
 	return new_node;
-- 
1.7.0.4


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

[v0 PATCH 3/6] Write and read TUNABLE flags in related data structures.

[Harry Ciao]

All flags in cond_bool_datum_t and cond_node_t structures are
written/read for policy modules which version is no less than
MOD_POLICYDB_VERSION_TUNABLE_SEP.

Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
---
 libsepol/src/conditional.c |   21 +++++++++++++++++++--
 libsepol/src/write.c       |   18 ++++++++++++++++++
 2 files changed, 37 insertions(+), 2 deletions(-)

diff --git a/libsepol/src/conditional.c b/libsepol/src/conditional.c
index efdedb0..d9d4fee 100644
--- a/libsepol/src/conditional.c
+++ b/libsepol/src/conditional.c
@@ -564,8 +564,8 @@ static int bool_isvalid(cond_bool_datum_t * b)
 	return 1;
 }
 
-int cond_read_bool(policydb_t * p
-		   __attribute__ ((unused)), hashtab_t h,
+int cond_read_bool(policydb_t * p,
+		   hashtab_t h,
 		   struct policy_file *fp)
 {
 	char *key = 0;
@@ -597,6 +597,15 @@ int cond_read_bool(policydb_t * p
 	if (rc < 0)
 		goto err;
 	key[len] = 0;
+
+	if (p->policy_type != POLICY_KERN &&
+	    p->policyvers >= MOD_POLICYDB_VERSION_TUNABLE_SEP) {
+		rc = next_entry(buf, fp, sizeof(uint32_t));
+		if (rc < 0)
+			goto err;
+		booldatum->flags = le32_to_cpu(buf[0]);
+	}
+
 	if (hashtab_insert(h, key, booldatum))
 		goto err;
 
@@ -810,6 +819,14 @@ static int cond_read_node(policydb_t * p, cond_node_t * node, void *fp)
 		if (avrule_read_list(p, &node->avfalse_list, fp))
 			goto err;
 	}
+	
+	if (p->policy_type != POLICY_KERN &&
+	    p->policyvers >= MOD_POLICYDB_VERSION_TUNABLE_SEP) {
+		rc = next_entry(buf, fp, sizeof(uint32_t));
+		if (rc < 0)
+			goto err;
+		node->flags = le32_to_cpu(buf[0]);
+	}
 
 	return 0;
       err:
diff --git a/libsepol/src/write.c b/libsepol/src/write.c
index 290e036..4284c93 100644
--- a/libsepol/src/write.c
+++ b/libsepol/src/write.c
@@ -607,6 +607,7 @@ static int cond_write_bool(hashtab_key_t key, hashtab_datum_t datum, void *ptr)
 	unsigned int items, items2;
 	struct policy_data *pd = ptr;
 	struct policy_file *fp = pd->fp;
+	struct policydb *p = pd->p;
 
 	booldatum = (cond_bool_datum_t *) datum;
 
@@ -621,6 +622,15 @@ static int cond_write_bool(hashtab_key_t key, hashtab_datum_t datum, void *ptr)
 	items = put_entry(key, 1, len, fp);
 	if (items != len)
 		return POLICYDB_ERROR;
+
+	if (p->policy_type != POLICY_KERN &&
+	    p->policyvers >= MOD_POLICYDB_VERSION_TUNABLE_SEP) {
+		buf[0] = cpu_to_le32(booldatum->flags);
+		items = put_entry(buf, sizeof(uint32_t), 1, fp);
+		if (items != 1)
+			return POLICYDB_ERROR;
+	}
+
 	return POLICYDB_SUCCESS;
 }
 
@@ -727,6 +737,14 @@ static int cond_write_node(policydb_t * p,
 			return POLICYDB_ERROR;
 	}
 
+	if (p->policy_type != POLICY_KERN &&
+	    p->policyvers >= MOD_POLICYDB_VERSION_TUNABLE_SEP) {	
+		buf[0] = cpu_to_le32(node->flags);
+		items = put_entry(buf, sizeof(uint32_t), 1, fp);
+		if (items != 1)
+			return POLICYDB_ERROR;
+	}
+
 	return POLICYDB_SUCCESS;
 }
 
-- 
1.7.0.4


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

[v0 PATCH 4/6] Permanently enable the if or else branch of a tunable during link.

[Harry Ciao]

For a cond_node_t in one decl->cond_list queue, append its
avtrue_list or avfalse_list to the avrules list of its home decl
depending on its state value, so that these effective rules would
be permanently added to te_avtab.

If tunables and booleans co-exist in one expression, then the tunables
would be "transformed" as boolean.

Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
---
 libsepol/src/link.c |   91 +++++++++++++++++++++++++++++++++++++++++++++++++++
 1 files changed, 91 insertions(+), 0 deletions(-)

diff --git a/libsepol/src/link.c b/libsepol/src/link.c
index 421c47b..de78916 100644
--- a/libsepol/src/link.c
+++ b/libsepol/src/link.c
@@ -2451,6 +2451,92 @@ static int populate_roleattributes(link_state_t *state, policydb_t *pol)
 	return 0;
 }
 
+static void separate_tunables(link_state_t *state, policydb_t *pol)
+{
+	avrule_block_t *block;
+	avrule_decl_t *decl;
+	cond_node_t *cur_node;
+	cond_expr_t *cur_expr;
+	int cur_state;
+	avrule_t *tail, *to_be_appended;
+
+	if (state->verbose)
+		INFO(state->handle, "Separating tunables from booleans.");
+
+	/* Iterate through all cond_node of all enabled decls, if a cond_node
+	 * is about tunable, caculate its state value and concatenate one of
+	 * its avrule list to the current decl->avrules list.
+	 *
+	 * Note, such tunable cond_node would be skipped over in expansion,
+	 * so we won't have to worry about removing it from decl->cond_list
+	 * here :-)
+	 *
+	 * If tunables and booleans co-exist in the expression of a cond_node,
+	 * then tunables would be "transformed" as booleans.
+	 */
+	for (block = pol->global; block != NULL; block = block->next) {
+		decl = block->enabled;
+		if (decl == NULL || decl->enabled == 0)
+			continue;
+
+		tail = decl->avrules;
+		while (tail && tail->next)
+			tail = tail->next;
+
+		for (cur_node = decl->cond_list; cur_node != NULL;
+		     cur_node = cur_node->next) {
+			int booleans, tunables, i;
+			cond_bool_datum_t *booldatum;
+			cond_bool_datum_t *tmp[COND_EXPR_MAXDEPTH];
+
+			booleans = tunables = 0;
+			memset(tmp, 0, sizeof(cond_bool_datum_t *) * COND_EXPR_MAXDEPTH);
+
+			for (cur_expr = cur_node->expr; cur_expr != NULL;
+			     cur_expr = cur_expr->next) {
+				if (cur_expr->expr_type != COND_BOOL)
+					continue;
+				booldatum = pol->bool_val_to_struct[cur_expr->bool - 1];
+				if (booldatum->flags & COND_BOOL_FLAGS_TUNABLE)
+					tmp[tunables++] = booldatum;
+				else
+					booleans++;
+			}
+			
+			if (tunables && booleans) {
+				/* Tunable mixed with boolean */
+				for (i = 0; i < tunables; i++)
+					tmp[i]->flags &= ~COND_BOOL_FLAGS_TUNABLE;
+			} else if (tunables && !booleans) {
+				/* Pure tunable conditional */
+				cur_node->flags |= COND_NODE_FLAGS_TUNABLE;
+				cur_state = cond_evaluate_expr(pol, cur_node->expr);
+				if (cur_state == -1) {
+					printf("Expression result was "
+						"undefined, skipping all"
+						"rules\n");
+					continue;
+				}
+
+				to_be_appended = (cur_state == 1) ?
+					cur_node->avtrue_list : cur_node->avfalse_list;
+
+				if (tail)
+					tail->next = to_be_appended;
+				else
+					tail = decl->avrules = to_be_appended;
+
+				/* Update the tail of decl->avrules for
+				 * further concatenation */
+				while (tail && tail->next)
+					tail = tail->next;
+
+				cur_node->avtrue_list = cur_node->avfalse_list = NULL;
+			}
+		}
+	}
+}
+
 /* Link a set of modules into a base module. This process is somewhat
  * similar to an actual compiler: it requires a set of order dependent
  * steps.  The base and every module must have been indexed prior to
@@ -2587,6 +2673,11 @@ int link_modules(sepol_handle_t * handle,
 			&state))
 		goto cleanup;
 
+	/* Append tunable's avtrue_list or avfalse_list to the avrules list
+	 * of its home decl depending on its state value, so that the effect
+	 * rules of a tunable would be added to te_avtab permanently. */
+	separate_tunables(&state, state.base);
+
 	retval = 0;
       cleanup:
 	for (i = 0; modules != NULL && i < len; i++) {
-- 
1.7.0.4


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

[v0 PATCH 5/6] Copy and check the cond_bool_datum_t.flags during link.

[Harry Ciao]

Copy the TUNABLE flag for cond_bool_datum_t during link, and check
if there is a mismatch between boolean/tunable declaration and
usage among modules. In this case an information would be printed.

Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
---
 libsepol/src/link.c |   19 ++++++++++++++++---
 1 files changed, 16 insertions(+), 3 deletions(-)

diff --git a/libsepol/src/link.c b/libsepol/src/link.c
index de78916..35c075b 100644
--- a/libsepol/src/link.c
+++ b/libsepol/src/link.c
@@ -587,7 +587,17 @@ static int bool_copy_callback(hashtab_key_t key, hashtab_datum_t datum,
 		}
 		state->base->p_bools.nprim++;
 		base_bool = new_bool;
-
+		base_bool->flags = booldatum->flags;
+	} else if ((booldatum->flags & COND_BOOL_FLAGS_TUNABLE) !=
+		   (base_bool->flags & COND_BOOL_FLAGS_TUNABLE)) {
+			/* A mismatch between boolean/tunable declaration
+			 * and usage(for example, a boolean used in the
+			 * tunable_policy macro), then the tunables would
+			 * be filtered out and only the effective branch
+			 * of the cond_node would be preserved. */
+			INFO(state->handle,
+			     "%s: Mismatch between boolean/tunable definition "
+			     "and usage for %s", state->cur_mod_name, id);
 	}
 
 	/* Get the scope info for this boolean to see if this is the declaration, 
@@ -595,9 +605,12 @@ static int bool_copy_callback(hashtab_key_t key, hashtab_datum_t datum,
 	scope = hashtab_search(state->cur->policy->p_bools_scope.table, id);
 	if (!scope)
 		return SEPOL_ERR;
-	if (scope->scope == SCOPE_DECL)  
+	if (scope->scope == SCOPE_DECL) {
 		base_bool->state = booldatum->state;
-
+		/* Only the declaration rather than requirement
+		 * decides if it is a boolean or tunable. */
+		base_bool->state = booldatum->state;
+	}
 	state->cur->map[SYM_BOOLS][booldatum->s.value - 1] = base_bool->s.value;
 	return 0;
 
-- 
1.7.0.4


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

[v0 PATCH 6/6] Skip tunable identifier and cond_node_t in expansion.

[Harry Ciao]

The effective branch of a tunable has been appended to its home
decl->avrules list during link, in expansion we should just skip
tunable from expanding its rule into te_cond_avtab and adding to
the out->cond_list queue.

Also if tunables are ever combined with booleans in one expression,
they would be "transformed" as booleans and the cond_node_t would still
be regarded as of "boolean" style, so no tunable identifier would ever
be needed again during expansion.

Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
---
 libsepol/src/expand.c |   13 +++++++++++++
 1 files changed, 13 insertions(+), 0 deletions(-)

diff --git a/libsepol/src/expand.c b/libsepol/src/expand.c
index 06f11f4..ff8a214 100644
--- a/libsepol/src/expand.c
+++ b/libsepol/src/expand.c
@@ -1014,6 +1014,11 @@ static int bool_copy_callback(hashtab_key_t key, hashtab_datum_t datum,
 		return 0;
 	}
 
+	if (bool->flags & COND_BOOL_FLAGS_TUNABLE) {
+		/* Skip tunables */
+		return 0;
+	}
+
 	if (state->verbose)
 		INFO(state->handle, "copying boolean %s", id);
 
@@ -1046,6 +1051,7 @@ static int bool_copy_callback(hashtab_key_t key, hashtab_datum_t datum,
 	state->boolmap[bool->s.value - 1] = new_bool->s.value;
 
 	new_bool->state = bool->state;
+	new_bool->flags = bool->flags;
 
 	return 0;
 }
@@ -1940,6 +1946,13 @@ static int cond_node_copy(expand_state_t * state, cond_node_t * cn)
 	if (cond_node_copy(state, cn->next)) {
 		return -1;
 	}
+	
+	/* If current cond_node_t is of tunable, its effective branch
+	 * has been appended to its home decl->avrules list during link
+	 * and now we should just skip it. */
+	if (cn->flags & COND_NODE_FLAGS_TUNABLE)
+		return 0;
+
 	if (cond_normalize_expr(state->base, cn)) {
 		ERR(state->handle, "Error while normalizing conditional");
 		return -1;
-- 
1.7.0.4


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [v0 PATCH 6/6] Skip tunable identifier and cond_node_t in expansion.

[Daniel J Walsh]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Eliminating booleans would be great and replacing them with tunables,
but the tunables must be discoverable, and it must be easy for the
administrator to discover the "tunable" and turn it on.

Currently audit2allow/audit2why turns on all booleans in a policy and
checks to see if an AVC would be allowed with any boolean.  Then it
prints out the booleans that would have allowed the access.  We use
this functionality within setroubleshoot.  This is critical to making
selinux policy usable.

User wants to allow ftp to access homedirs, he sets up ftp and SELinux
blocks the access.  Setroubleshoot comes up and says turn on the
ftp_home_dir boolean to allow this access.


If we can not duplicate this functionality then I NAK the change from
booleans to tunables.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk5TrowACgkQrlYvE4MpobPNxgCfZjsoX+jBRoIdG9IT+MfsHmn7
EjwAoItrrawS+hrhwyKc9pYNq+mSPJfF
=Y4VF
-----END PGP SIGNATURE-----

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [v0 PATCH 6/6] Skip tunable identifier and cond_node_t in expansion.

[Christopher J. PeBenito]

On 08/23/11 09:43, Daniel J Walsh wrote:
> Eliminating booleans would be great and replacing them with tunables,
> but the tunables must be discoverable, and it must be easy for the
> administrator to discover the "tunable" and turn it on.
> 
> Currently audit2allow/audit2why turns on all booleans in a policy and
> checks to see if an AVC would be allowed with any boolean.  Then it
> prints out the booleans that would have allowed the access.  We use
> this functionality within setroubleshoot.  This is critical to making
> selinux policy usable.
> 
> User wants to allow ftp to access homedirs, he sets up ftp and SELinux
> blocks the access.  Setroubleshoot comes up and says turn on the
> ftp_home_dir boolean to allow this access.
> 
> 
> If we can not duplicate this functionality then I NAK the change from
> booleans to tunables.

Seems very easy to reproduce, as long as you turn on save-linked in
semanage.conf.  The linked policy would have all the tunable
information, right Harry?

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

RE: [v0 PATCH 6/6] Skip tunable identifier and cond_node_t in expansion.

[HarryCiao]

[-- Attachment #1.1: Type: text/plain, Size: 2902 bytes --]


Hi Chris,

> Date: Tue, 23 Aug 2011 09:58:00 -0400
> From: cpebenito@tresys.com
> To: dwalsh@redhat.com
> CC: qingtao.cao@windriver.com; slawrence@tresys.com; selinux@tycho.nsa.gov
> Subject: Re: [v0 PATCH 6/6] Skip tunable identifier and cond_node_t in expansion.
> 
> On 08/23/11 09:43, Daniel J Walsh wrote:
> > Eliminating booleans would be great and replacing them with tunables,
> > but the tunables must be discoverable, and it must be easy for the
> > administrator to discover the "tunable" and turn it on.
> > 
> > Currently audit2allow/audit2why turns on all booleans in a policy and
> > checks to see if an AVC would be allowed with any boolean.  Then it
> > prints out the booleans that would have allowed the access.  We use
> > this functionality within setroubleshoot.  This is critical to making
> > selinux policy usable.
> > 
> > User wants to allow ftp to access homedirs, he sets up ftp and SELinux
> > blocks the access.  Setroubleshoot comes up and says turn on the
> > ftp_home_dir boolean to allow this access.
> > 
> > 
> > If we can not duplicate this functionality then I NAK the change from
> > booleans to tunables.
> 
> Seems very easy to reproduce, as long as you turn on save-linked in
> semanage.conf.  The linked policy would have all the tunable
> information, right Harry?
> 

The implementation of the save-linked option has no idea about the effort to separate tunables from booleans, so I am afraid  it won't help much.

However, you did enlighten me to create a new option "handle-tunable" for semanage.conf, then we can specify whether discarding tunable is desirable and its value would be saved into a new member "handle_tunable" in policydb_t. Then in the separation_tunables() in link.c, policydb_t.handle_tunable would be consulted about how to handle tunables.

By default this handle-tunable option for semanage.conf could be set to "discard", if audit2allow/audit2why are needed to debug AVC denied messages, we could set this option to "preserve" and rebuild and reload policy.X. When the related tunable is found we could toggle its default value to true and rebuild policy.X with the option back to "discard" again.

This way I think Dan's worries would be addressed. Right?

BTW, Is this the correct or best way to pass configuration options on to link process? I have created two patches for above logic(see attached), however I am pretty new to semanage and run into syntax error while parsing semanage.conf. Chris, could you please kindly take a look at what has been wrong in my 0007 patch? Many thanks!

Cheers,
Harry


> -- 
> Chris PeBenito
> Tresys Technology, LLC
> www.tresys.com | oss.tresys.com
> 
> --
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
> the words "unsubscribe selinux" without quotes as the message.
 		 	   		  

[-- Attachment #1.2: Type: text/html, Size: 3462 bytes --]

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: 0007-Add-new-option-of-handle-tunable-to-semanage.conf.patch --]
[-- Type: text/x-patch, Size: 6598 bytes --]

From 027bdc2668584f817ca2b48622edac6ebfd99a29 Mon Sep 17 00:00:00 2001
From: Harry Ciao <qingtao.cao@windriver.com>
Date: Wed, 24 Aug 2011 17:20:29 +0800
Subject: [PATCH 7/8] Add new option of "handle-tunable" to semanage.conf

Add a new option of "handle-tunable" to semanage.conf, which is used
to indicate how to handle tunables during link/expansion.

Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
---
 libsemanage/src/conf-parse.y               |   14 ++++++++++++++
 libsemanage/src/conf-scan.l                |    1 +
 libsemanage/src/semanage_conf.h            |    1 +
 libsemanage/src/semanage_store.c           |    2 ++
 libsepol/include/sepol/policydb.h          |    5 +++++
 libsepol/include/sepol/policydb/policydb.h |    9 +++++++++
 libsepol/src/expand.c                      |    1 +
 libsepol/src/policydb_public.c             |   17 +++++++++++++++++
 8 files changed, 50 insertions(+), 0 deletions(-)

diff --git a/libsemanage/src/conf-parse.y b/libsemanage/src/conf-parse.y
index 77c00b2..e1c9148 100644
--- a/libsemanage/src/conf-parse.y
+++ b/libsemanage/src/conf-parse.y
@@ -59,6 +59,7 @@ static int parse_errors;
 
 %token MODULE_STORE VERSION EXPAND_CHECK FILE_MODE SAVE_PREVIOUS SAVE_LINKED
 %token LOAD_POLICY_START SETFILES_START DISABLE_GENHOMEDIRCON HANDLE_UNKNOWN USEPASSWD
+%token HANDLE_TUNABLE
 %token BZIP_BLOCKSIZE BZIP_SMALL
 %token VERIFY_MOD_START VERIFY_LINKED_START VERIFY_KERNEL_START BLOCK_END
 %token PROG_PATH PROG_ARGS
@@ -85,6 +86,7 @@ single_opt:     module_store
         |       disable_genhomedircon
         |       usepasswd
         |       handle_unknown
+	|	handle_tunable
 	|	bzip_blocksize
 	|	bzip_small
         ;
@@ -179,6 +181,17 @@ handle_unknown: HANDLE_UNKNOWN '=' ARG {
 	free($3);
  }
 
+handle_tunable: HANDLE_TUNABLE '=' ARG {
+	if (strcasecmp($3, "discard") == 0) {
+		current_conf->handle_tunable = SEPOL_DISCARD_TUNABLE;
+	} else if (strcasecmp($3, "preserve") == 0) {
+		current_conf->handle_tunable = SEPOL_PRESERVE_TUNABLE;
+	} else {
+		yyerror("handle-tunable can only be 'discard' or 'preserve'");
+	}
+	free($3);
+ }
+
 bzip_blocksize:  BZIP_BLOCKSIZE '=' ARG {
 	int blocksize = atoi($3);
 	free($3);
@@ -265,6 +278,7 @@ static int semanage_conf_init(semanage_conf_t * conf)
 	conf->policyvers = sepol_policy_kern_vers_max();
 	conf->expand_check = 1;
 	conf->handle_unknown = -1;
+	conf->handle_tunable = -1;
 	conf->usepasswd = 1;
 	conf->file_mode = 0644;
 	conf->bzip_blocksize = 9;
diff --git a/libsemanage/src/conf-scan.l b/libsemanage/src/conf-scan.l
index e57119d..ca449dd 100644
--- a/libsemanage/src/conf-scan.l
+++ b/libsemanage/src/conf-scan.l
@@ -48,6 +48,7 @@ save-linked       return SAVE_LINKED;
 disable-genhomedircon return DISABLE_GENHOMEDIRCON;
 usepasswd return USEPASSWD;
 handle-unknown    return HANDLE_UNKNOWN;
+handle-tunable    return HANDLE_TUNABLE;
 bzip-blocksize	return BZIP_BLOCKSIZE;
 bzip-small	return BZIP_SMALL;
 "[load_policy]"   return LOAD_POLICY_START;
diff --git a/libsemanage/src/semanage_conf.h b/libsemanage/src/semanage_conf.h
index f58d9ac..da7cc58 100644
--- a/libsemanage/src/semanage_conf.h
+++ b/libsemanage/src/semanage_conf.h
@@ -40,6 +40,7 @@ typedef struct semanage_conf {
 	int disable_genhomedircon;
 	int usepasswd;
 	int handle_unknown;
+	int handle_tunable;
 	mode_t file_mode;
 	int bzip_blocksize;
 	int bzip_small;
diff --git a/libsemanage/src/semanage_store.c b/libsemanage/src/semanage_store.c
index 8d6ff1c..4098d8a 100644
--- a/libsemanage/src/semanage_store.c
+++ b/libsemanage/src/semanage_store.c
@@ -1723,6 +1723,8 @@ int semanage_expand_sandbox(semanage_handle_t * sh,
 	}
 	if (sh->conf->handle_unknown >= 0)
 		sepol_policydb_set_handle_unknown(out, sh->conf->handle_unknown);
+	if (sh->conf->handle_tunable > 0)
+		sepol_policydb_set_handle_tunable(out, sh->conf->handle_tunable);
 
 	*policydb = out;
 	return STATUS_SUCCESS;
diff --git a/libsepol/include/sepol/policydb.h b/libsepol/include/sepol/policydb.h
index 43e23b3..5975f88 100644
--- a/libsepol/include/sepol/policydb.h
+++ b/libsepol/include/sepol/policydb.h
@@ -135,4 +135,9 @@ extern int sepol_policydb_mls_enabled(const sepol_policydb_t * p);
  */
 extern int sepol_policydb_compat_net(const sepol_policydb_t * p);
 
+/* Set how to handle tunables */
+#define SEPOL_DISCARD_TUNABLE	    8
+#define SEPOL_PRESERVE_TUNABLE	    16
+extern int sepol_policydb_set_handle_tunable(sepol_policydb_t * p,
+					     unsigned int handle_tunable);
 #endif
diff --git a/libsepol/include/sepol/policydb/policydb.h b/libsepol/include/sepol/policydb/policydb.h
index 1848a7b..871a894 100644
--- a/libsepol/include/sepol/policydb/policydb.h
+++ b/libsepol/include/sepol/policydb/policydb.h
@@ -545,6 +545,9 @@ typedef struct policydb {
 	unsigned policyvers;
 
 	unsigned handle_unknown;
+
+	/* discard tunables or treat them as booleans */
+	unsigned handle_tunable;
 } policydb_t;
 
 struct sepol_policydb {
@@ -709,6 +712,12 @@ extern int policydb_set_target_platform(policydb_t *p, int platform);
 
 #define POLICYDB_CONFIG_UNKNOWN_MASK	(DENY_UNKNOWN | REJECT_UNKNOWN | ALLOW_UNKNOWN)
 
+/* the config flags related to how to handle tunables are bits 8 and 16 */
+#define DISCARD_TUNABLE		SEPOL_DISCARD_TUNABLE
+#define PRESERVE_TUNABLE	SEPOL_PRESERVE_TUNABLE
+
+#define POLICYDB_CONFIG_TUNABLE_MASK	(DISCARD_TUNABLE | PRESERVE_TUNABLE)
+
 #define OBJECT_R "object_r"
 #define OBJECT_R_VAL 1
 
diff --git a/libsepol/src/expand.c b/libsepol/src/expand.c
index ff8a214..c85e230 100644
--- a/libsepol/src/expand.c
+++ b/libsepol/src/expand.c
@@ -2710,6 +2710,7 @@ int expand_module(sepol_handle_t * handle,
 	/* Copy mls state from base to out */
 	out->mls = base->mls;
 	out->handle_unknown = base->handle_unknown;
+	out->handle_tunable = base->handle_tunable;
 
 	/* Copy target from base to out */
 	out->target_platform = base->target_platform;
diff --git a/libsepol/src/policydb_public.c b/libsepol/src/policydb_public.c
index f6ae793..af08806 100644
--- a/libsepol/src/policydb_public.c
+++ b/libsepol/src/policydb_public.c
@@ -152,6 +152,23 @@ int sepol_policydb_set_handle_unknown(sepol_policydb_t * sp,
 	return 0;
 }
 
+int sepol_policydb_set_handle_tunable(sepol_policydb_t * sp,
+				      unsigned int handle_tunable)
+{
+	struct policydb *p = &sp->p;
+
+	switch (handle_tunable) {
+	case SEPOL_DISCARD_TUNABLE:
+	case SEPOL_PRESERVE_TUNABLE:
+		break;
+	default:
+		return -1;
+	}
+
+	p->handle_tunable = handle_tunable;
+	return 0;
+}
+
 int sepol_policydb_read(sepol_policydb_t * p, sepol_policy_file_t * pf)
 {
 	return policydb_read(&p->p, &pf->pf, 0);
-- 
1.7.0.4


[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #3: 0008-handle_tunable-decides-if-tunables-are-preserved-or-.patch --]
[-- Type: text/x-patch, Size: 3766 bytes --]

From 6e45472fb6bde827bc01241ed269fc82119dce63 Mon Sep 17 00:00:00 2001
From: Harry Ciao <qingtao.cao@windriver.com>
Date: Wed, 24 Aug 2011 14:36:51 +0800
Subject: [PATCH 8/8] handle_tunable decides if tunables are preserved or discarded.

If one cond_node_t's expression just contains tunable identifiers, then
how to handle tunable would be determined by the handle_tunable flag
in policydb_t.

If all tunables should be preserved(thus treated as booleans), then the
TUNABLE flag bit would be cleared in their cond_bool_datum_t.flags, so
that these tunable identifiers won't be discarded during expansion,
neither would the cond_node_t ever be marked as TUNABLE.

BTW, if tunables ever mixed with booleans in one expression, tunables
would be transformed as booleans and preserved, in this case the value of
handle_tunable would be ignored.

Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
---
 libsepol/src/link.c |   66 +++++++++++++++++++++++++++++---------------------
 1 files changed, 38 insertions(+), 28 deletions(-)

diff --git a/libsepol/src/link.c b/libsepol/src/link.c
index 35c075b..47d38c9 100644
--- a/libsepol/src/link.c
+++ b/libsepol/src/link.c
@@ -2486,6 +2486,9 @@ static void separate_tunables(link_state_t *state, policydb_t *pol)
 	 *
 	 * If tunables and booleans co-exist in the expression of a cond_node,
 	 * then tunables would be "transformed" as booleans.
+	 *
+	 * If tunables are requested to be preserved then they would be
+	 * "transformed" as booleans.
 	 */
 	for (block = pol->global; block != NULL; block = block->next) {
 		decl = block->enabled;
@@ -2516,35 +2519,42 @@ static void separate_tunables(link_state_t *state, policydb_t *pol)
 					booleans++;
 			}
 			
-			if (tunables && booleans) {
-				/* Tunable mixed with boolean */
-				for (i = 0; i < tunables; i++)
-					tmp[i]->flags &= ~COND_BOOL_FLAGS_TUNABLE;
-			} else if (tunables && !booleans) {
-				/* Pure tunable conditional */
-				cur_node->flags |= COND_NODE_FLAGS_TUNABLE;
-				cur_state = cond_evaluate_expr(pol, cur_node->expr);
-				if (cur_state == -1) {
-					printf("Expression result was "
-						"undefined, skipping all"
-						"rules\n");
-					continue;
+			if (booleans) {
+				cur_node->flags &= ~COND_NODE_FLAGS_TUNABLE;
+				if (tunables) {
+					for (i = 0; i < tunables; i++)
+						tmp[i]->flags &= ~COND_BOOL_FLAGS_TUNABLE;
+				}
+			} else {
+				if (pol->handle_tunable == SEPOL_DISCARD_TUNABLE) {
+					cur_node->flags |= COND_NODE_FLAGS_TUNABLE;
+					cur_state = cond_evaluate_expr(pol, cur_node->expr);
+					if (cur_state == -1) {
+						printf("Expression result was "
+						       "undefined, skipping "
+						       "all rules\n");
+						continue;
+					}
+
+					to_be_appended = (cur_state == 1) ?
+						cur_node->avtrue_list :	cur_node->avfalse_list;
+
+					if (tail)
+						tail->next = to_be_appended;
+					else
+						tail = decl->avrules = to_be_appended;
+
+					/* Update the tail of decl->avrules
+					 * for further concatenation */
+					while (tail && tail->next)
+						tail = tail->next;
+
+					cur_node->avtrue_list = cur_node->avfalse_list = NULL;
+				} else if (pol->handle_tunable == SEPOL_PRESERVE_TUNABLE) {
+					cur_node->flags &= ~COND_NODE_FLAGS_TUNABLE;
+					for (i = 0; i < tunables; i++)
+						tmp[i]->flags &= ~COND_BOOL_FLAGS_TUNABLE;
 				}
-
-				to_be_appended = (cur_state == 1) ?
-					cur_node->avtrue_list : cur_node->avfalse_list;
-
-				if (tail)
-					tail->next = to_be_appended;
-				else
-					tail = decl->avrules = to_be_appended;
-
-				/* Update the tail of decl->avrules for
-				 * further concatenation */
-				while (tail && tail->next)
-					tail = tail->next;
-
-				cur_node->avtrue_list = cur_node->avfalse_list = NULL;
 			}
 		}
 	}
-- 
1.7.0.4

Re: [v0 PATCH 6/6] Skip tunable identifier and cond_node_t in expansion.

[Christopher J. PeBenito]

On 08/24/11 06:32, HarryCiao wrote:
> Hi Chris,
> 
>> Date: Tue, 23 Aug 2011 09:58:00 -0400
>> From: cpebenito@tresys.com
>> To: dwalsh@redhat.com
>> CC: qingtao.cao@windriver.com; slawrence@tresys.com; selinux@tycho.nsa.gov
>> Subject: Re: [v0 PATCH 6/6] Skip tunable identifier and cond_node_t in
> expansion.
>>
>> On 08/23/11 09:43, Daniel J Walsh wrote:
>> > Eliminating booleans would be great and replacing them with tunables,
>> > but the tunables must be discoverable, and it must be easy for the
>> > administrator to discover the "tunable" and turn it on.
>> >
>> > Currently audit2allow/audit2why turns on all booleans in a policy and
>> > checks to see if an AVC would be allowed with any boolean. Then it
>> > prints out the booleans that would have allowed the access. We use
>> > this functionality within setroubleshoot. This is critical to making
>> > selinux policy usable.
>> >
> &g t; > User wants to allow ftp to access homedirs, he sets up ftp and
> SELinux
>> > blocks the access. Setroubleshoot comes up and says turn on the
>> > ftp_home_dir boolean to allow this access.
>> >
>> >
>> > If we can not duplicate this functionality then I NAK the change from
>> > booleans to tunables.
>>
>> Seems very easy to reproduce, as long as you turn on save-linked in
>> semanage.conf. The linked policy would have all the tunable
>> information, right Harry?
>>
> 
> The implementation of the save-linked option has no idea about the
> effort to separate tunables from booleans, so I am afraid  it won't help
> much.

So you're saying that when the linked policy file is written out, the
disabled tunables are already gone or all of the tunables information is
gone?

> However, you did enlighten me to create a new option "handle-tunable"
> for semanage.conf, then we can specify whether discarding tunable is
> desirable and its value would be saved into a new member
> "handle_tunable" in policydb_t. Then in the separation_tunables() in
> link .c, policydb_t.handle_tunable would be consulted about how to
> handle tunables.
> 
> By default this handle-tunable option for semanage.conf could be set to
> "discard", if audit2allow/audit2why are needed to debug AVC denied
> messages, we could set this option to "preserve" and rebuild and reload
> policy.X. When the related tunable is found we could toggle its default
> value to true and rebuild policy.X with the option back to "discard" again.
> 
> This way I think Dan's worries would be addressed. Right?
> 
> BTW, Is this the correct or best way to pass configuration options on to
> link process? I have created two patches for above logic(see attached),
> however I am pretty new to semanage and run into syntax error while
> parsing semanage.conf. Chris, could you please kindly take a look at
> what has been wrong in my 0007 patch? Many thanks!

I'll leave this up to the userspace maintainers :)

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [v0 PATCH 6/6] Skip tunable identifier and cond_node_t in expansion.

[Joshua Brindle]

HarryCiao wrote:
<snip>
> By default this handle-tunable option for semanage.conf could be set to 
> "discard", if audit2allow/audit2why are needed to debug AVC denied messages, we 
> could set this option to "preserve" and rebuild and reload policy.X. When the 
> related tunable is found we could toggle its default value to true and rebuild 
> policy.X with the option back to "discard" again.
> 
> This way I think Dan's worries would be addressed. Right?

I would say we could use the policycaps bitmap for this but since we already
have to bump the module version to support the extra field there is no reason we
can't just add flag.

> 
> BTW, Is this the correct or best way to pass configuration options on to link 
> process? I have created two patches for above logic(see attached), however I am 
> pretty new to semanage and run into syntax error while parsing semanage.conf. 
> Chris, could you please kindly take a look at what has been wrong in my 0007 
> patch? Many thanks!
> 


Your libsemanage would need to have the option added in order to pass that in.
It could be passed in via the libsepol handle. See how set_disable_dontaudit
works for an example.

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [v0 PATCH 6/6] Skip tunable identifier and cond_node_t in expansion.

[Harry Ciao]

Joshua Brindle 写道:
> HarryCiao wrote:
> <snip>
>   
>> By default this handle-tunable option for semanage.conf could be set to 
>> "discard", if audit2allow/audit2why are needed to debug AVC denied messages, we 
>> could set this option to "preserve" and rebuild and reload policy.X. When the 
>> related tunable is found we could toggle its default value to true and rebuild 
>> policy.X with the option back to "discard" again.
>>
>> This way I think Dan's worries would be addressed. Right?
>>     
>
> I would say we could use the policycaps bitmap for this but since we already
> have to bump the module version to support the extra field there is no reason we
> can't just add flag.
>
>   
>> BTW, Is this the correct or best way to pass configuration options on to link 
>> process? I have created two patches for above logic(see attached), however I am 
>> pretty new to semanage and run into syntax error while parsing semanage.conf. 
>> Chris, could you please kindly take a look at what has been wrong in my 0007 
>> patch? Many thanks!
>>
>>     
>
>
> Your libsemanage would need to have the option added in order to pass that in.
> It could be passed in via the libsepol handle. See how set_disable_dontaudit
> works for an example.
>
>   
Hi Joshua,

Ok, I see your point, I would learn how disable_dontaudit is passed via
libsepol handle and follow the same path.

Thanks,
Harry

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [v0 PATCH 6/6] Skip tunable identifier and cond_node_t in expansion.

[Joshua Brindle]

HarryCiao wrote:
<snip>
> The implementation of the save-linked option has no idea about the effort to 
> separate tunables from booleans, so I am afraid it won't help much.
> 

I'm not sure about this. The linked policy should have everything that the
original modules had, with only the value mapping changed. The expansion is
where things get removed. This behavior should not change for a variety of
reasons, including the ability to do a full semantic analysis of the linked policy.

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [v0 PATCH 6/6] Skip tunable identifier and cond_node_t in expansion.

[Harry Ciao]

Hi Joshua,

Joshua Brindle 写道:
> HarryCiao wrote:
> <snip>
>   
>> The implementation of the save-linked option has no idea about the effort to 
>> separate tunables from booleans, so I am afraid it won't help much.
>>
>>     
>
> I'm not sure about this. The linked policy should have everything that the
> original modules had, with only the value mapping changed. The expansion is
> where things get removed. This behavior should not change for a variety of
> reasons, including the ability to do a full semantic analysis of the linked policy.
>
>   
I can't agree more that the linked module has everything but with the
identifiers' value remapped, actually the separate_tunables() is called
at the very end of link phase, which would do three operations:
1. change the flags for some cond_bool_datum_t;
2. change the flags for some cond_node_t;
3. re-link the effective branch of a tunable conditional, to the end of
its home decl->avrules list;

The 1st and 2nd operations won't stand in the way of any analysis, and
we could set the "handle-tunable = preserve" option in semanage.conf to
bypass the 3rd one.

Thanks,
Harry



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [v0 PATCH 6/6] Skip tunable identifier and cond_node_t in expansion.

[Joshua Brindle]

Harry Ciao wrote:
> Hi Joshua,
>
> Joshua Brindle 写道:
>> HarryCiao wrote:
>> <snip>
>>
>>> The implementation of the save-linked option has no idea about the effort to
>>> separate tunables from booleans, so I am afraid it won't help much.
>>>
>>>
>> I'm not sure about this. The linked policy should have everything that the
>> original modules had, with only the value mapping changed. The expansion is
>> where things get removed. This behavior should not change for a variety of
>> reasons, including the ability to do a full semantic analysis of the linked policy.
>>
>>
> I can't agree more that the linked module has everything but with the
> identifiers' value remapped, actually the separate_tunables() is called
> at the very end of link phase, which would do three operations:
> 1. change the flags for some cond_bool_datum_t;
> 2. change the flags for some cond_node_t;
> 3. re-link the effective branch of a tunable conditional, to the end of
> its home decl->avrules list;
>
> The 1st and 2nd operations won't stand in the way of any analysis, and
> we could set the "handle-tunable = preserve" option in semanage.conf to
> bypass the 3rd one.
>

We should defer the movement of effective rules to the main avrules list 
until expand, I hate adding even more side effects to link than already 
exist (it needs to just link, not move stuff around, not remove things, 
not change the effective policy, etc).

You can do it as a first step to expand, it should entail just moving it 
from link.c to expand.c and adding it to the expand_module function.

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [v0 PATCH 6/6] Skip tunable identifier and cond_node_t in expansion.

[Harry Ciao]

Joshua Brindle 写道:
> Harry Ciao wrote:
>> Hi Joshua,
>>
>> Joshua Brindle 写道:
>>> HarryCiao wrote:
>>> <snip>
>>>
>>>> The implementation of the save-linked option has no idea about the
>>>> effort to
>>>> separate tunables from booleans, so I am afraid it won't help much.
>>>>
>>>>
>>> I'm not sure about this. The linked policy should have everything
>>> that the
>>> original modules had, with only the value mapping changed. The
>>> expansion is
>>> where things get removed. This behavior should not change for a
>>> variety of
>>> reasons, including the ability to do a full semantic analysis of the
>>> linked policy.
>>>
>>>
>> I can't agree more that the linked module has everything but with the
>> identifiers' value remapped, actually the separate_tunables() is called
>> at the very end of link phase, which would do three operations:
>> 1. change the flags for some cond_bool_datum_t;
>> 2. change the flags for some cond_node_t;
>> 3. re-link the effective branch of a tunable conditional, to the end of
>> its home decl->avrules list;
>>
>> The 1st and 2nd operations won't stand in the way of any analysis, and
>> we could set the "handle-tunable = preserve" option in semanage.conf to
>> bypass the 3rd one.
>>
>
> We should defer the movement of effective rules to the main avrules
> list until expand, I hate adding even more side effects to link than
> already exist (it needs to just link, not move stuff around, not
> remove things, not change the effective policy, etc).
>
> You can do it as a first step to expand, it should entail just moving
> it from link.c to expand.c and adding it to the expand_module function.
>
Alright, I have moved it from the very end of link_modules() to the very
first of expand_module(). Would send the v1 patch along with
manipulating sepol handle.

Thanks,
Harry

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [v0 PATCH 6/6] Skip tunable identifier and cond_node_t in expansion.

[Joshua Brindle]

Daniel J Walsh wrote:
> Eliminating booleans would be great and replacing them with tunables,
> but the tunables must be discoverable, and it must be easy for the
> administrator to discover the "tunable" and turn it on.
>
> Currently audit2allow/audit2why turns on all booleans in a policy and
> checks to see if an AVC would be allowed with any boolean.  Then it
> prints out the booleans that would have allowed the access.  We use
> this functionality within setroubleshoot.  This is critical to making
> selinux policy usable.
>
> User wants to allow ftp to access homedirs, he sets up ftp and SELinux
> blocks the access.  Setroubleshoot comes up and says turn on the
> ftp_home_dir boolean to allow this access.
>
>
> If we can not duplicate this functionality then I NAK the change from
> booleans to tunables.

You could actually force a downgrade to a pre-tunable format and use that policy 
to do the setroubleshoot lookups. Since the policy is already linked/expanded 
and just needs to be written out twice it wouldn't add much time to policy 
building (granted that adding _any_ time to policy building is adding too much...)

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [v0 PATCH 6/6] Skip tunable identifier and cond_node_t in expansion.

[Daniel J Walsh]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 08/24/2011 01:54 PM, Joshua Brindle wrote:
> Daniel J Walsh wrote:
>> Eliminating booleans would be great and replacing them with
>> tunables, but the tunables must be discoverable, and it must be
>> easy for the administrator to discover the "tunable" and turn it
>> on.
>> 
>> Currently audit2allow/audit2why turns on all booleans in a policy
>> and checks to see if an AVC would be allowed with any boolean.
>> Then it prints out the booleans that would have allowed the
>> access.  We use this functionality within setroubleshoot.  This
>> is critical to making selinux policy usable.
>> 
>> User wants to allow ftp to access homedirs, he sets up ftp and
>> SELinux blocks the access.  Setroubleshoot comes up and says turn
>> on the ftp_home_dir boolean to allow this access.
>> 
>> 
>> If we can not duplicate this functionality then I NAK the change
>> from booleans to tunables.
> 
> You could actually force a downgrade to a pre-tunable format and
> use that policy to do the setroubleshoot lookups. Since the policy
> is already linked/expanded and just needs to be written out twice
> it wouldn't add much time to policy building (granted that adding
> _any_ time to policy building is adding too much...)
I might not have explained it correctly, I really meant the policy
would have to toggle each tunable/boolean at a time and see if the AVC
was allowed.  Recompiling the policy for each tunable/boolean change
would be not be supportable for Time and CPU reasons.


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk5VXg8ACgkQrlYvE4MpobOtmACgmlsz2hzqglhb/P0CN/ubVoqp
4kwAnjykI9RWDmIQMwYcuwDDRBiMUjnv
=BTix
-----END PGP SIGNATURE-----

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [v0 PATCH 6/6] Skip tunable identifier and cond_node_t in expansion.

[Joshua Brindle]

Daniel J Walsh wrote:
>>>
>>>
>>> If we can not duplicate this functionality then I NAK the change
>>> from booleans to tunables.
>> You could actually force a downgrade to a pre-tunable format and
>> use that policy to do the setroubleshoot lookups. Since the policy
>> is already linked/expanded and just needs to be written out twice
>> it wouldn't add much time to policy building (granted that adding
>> _any_ time to policy building is adding too much...)
> I might not have explained it correctly, I really meant the policy
> would have to toggle each tunable/boolean at a time and see if the AVC
> was allowed.  Recompiling the policy for each tunable/boolean change
> would be not be supportable for Time and CPU reasons.
>

What I mean is, if you set the policy writer to not use tunables (by whatever 
method that is) it'll write them out as regular booleans and setroubleshoot 
could load that policy (which should be the same as the loaded one, except with 
extra rules and booleans), toggle the booleans like it does now and do access 
vector lookups to see if a boolean would enable one. Same method as now, there 
would just be 2 policies on disk. Call the one with everything the "debug" policy :)

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [v0 PATCH 6/6] Skip tunable identifier and cond_node_t in expansion.

[Daniel J Walsh]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 08/24/2011 04:34 PM, Joshua Brindle wrote:
> Daniel J Walsh wrote:
>>>> 
>>>> 
>>>> If we can not duplicate this functionality then I NAK the
>>>> change from booleans to tunables.
>>> You could actually force a downgrade to a pre-tunable format
>>> and use that policy to do the setroubleshoot lookups. Since the
>>> policy is already linked/expanded and just needs to be written
>>> out twice it wouldn't add much time to policy building (granted
>>> that adding _any_ time to policy building is adding too
>>> much...)
>> I might not have explained it correctly, I really meant the
>> policy would have to toggle each tunable/boolean at a time and
>> see if the AVC was allowed.  Recompiling the policy for each
>> tunable/boolean change would be not be supportable for Time and
>> CPU reasons.
>> 
> 
> What I mean is, if you set the policy writer to not use tunables
> (by whatever method that is) it'll write them out as regular
> booleans and setroubleshoot could load that policy (which should be
> the same as the loaded one, except with extra rules and booleans),
> toggle the booleans like it does now and do access vector lookups
> to see if a boolean would enable one. Same method as now, there
> would just be 2 policies on disk. Call the one with everything the
> "debug" policy :)
> 
> -- This message was distributed to subscribers of the selinux
> mailing list. If you no longer wish to subscribe, send mail to
> majordomo@tycho.nsa.gov with the words "unsubscribe selinux"
> without quotes as the message.
> 
> 
That is fine, and then the setsebool -P XYZ=1 rule would either set a
boolean or a tunable.

Meaning from the customers point of view he would not know the
difference.

The other problem would be to know we would like to be able to get a
list of all tunables.  Currently this happens through the kernel
interface, I guess we would need tools like
getsebool -a to read this policy file?


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk5VZ18ACgkQrlYvE4MpobO2rQCcDOG5D66GYgxCUrn0W92PeeTD
DlEAmgLdjd33wNNZ9zF59MiCIyIgx+hF
=heQ9
-----END PGP SIGNATURE-----

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: v0 Separate tunables from booleans

[Eric Paris]

On Tue, Aug 23, 2011 at 6:08 AM, Harry Ciao <qingtao.cao@windriver.com> wrote:

> With this patchset, the size of policy.X would drop significantly from 600+k
> down to 322+k bytes(since most of tunables are default to false, and there is
> no else branch of most conditionals).

I should point out that I think you're off by one order of magnitude.
You went from a 6M policy to a 3.2M policy.  But still.

I decided to do a little playing with this yesterday in Fedora policy
(where Dan already DRASTICALLY reduced the policy size by changing
from type sets with removal to using all attributes.  My numbers
weren't quite as impressive as yours (and I'm not certain I did one
thing correctly)

Pre Patch:
        2148552 bytes    89383 allow rules    193 booleans
Post Patch (no policy changes)
        2166328 bytes    89383 allow rules    193 booleans
Post Patch WITH policy changes
        2031150 bytes    79685 allow rules    4 booleans

So our policy grows 0.8% with only the tools change.  Our policy
shrinks 5.5% with this change.  So it certainly doesn't look like bad
news.


I did have one problem with my testing however.
0002-user_ping-is-a-tunable-use-tunable_policy-for-it.patch doesn't
apply to Fedora.  I tried to fix it up by hand.  We actually have both
of the following lines inside that if (user_ping)
        netutils_domtrans_ping($1)
        allow $1 ping_t:process { signal sigkill };

I turned that into:
        tunable_policy(`user_ping',`
                netutils_domtrans_traceroute($1)
                allow $1 traceroute_t:process { signal sigkill };
        ')

But that resulted in an error which I didn't bother to figure out.
Maybe you can tell me what it is?

/usr/share/selinux/devel/include/system/modutils.if: Syntax error on
line 181095 ` [type=TICK]
/usr/share/selinux/devel/include/system/modutils.if: Syntax error on
line 181097 ' [type=SQUOTE]

It's also very possible that it comes from sepolgen-ifgen and it is
part of the fedora-ism that is setroubleshoot.....

-Eric

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: v0 Separate tunables from booleans

[Harry Ciao]

Hi Eric,

Eric Paris 写道:
> On Tue, Aug 23, 2011 at 6:08 AM, Harry Ciao <qingtao.cao@windriver.com> wrote:
>
>   
>> With this patchset, the size of policy.X would drop significantly from 600+k
>> down to 322+k bytes(since most of tunables are default to false, and there is
>> no else branch of most conditionals).
>>     
>
> I should point out that I think you're off by one order of magnitude.
> You went from a 6M policy to a 3.2M policy.  But still.
>
> I decided to do a little playing with this yesterday in Fedora policy
> (where Dan already DRASTICALLY reduced the policy size by changing
> from type sets with removal to using all attributes.  My numbers
> weren't quite as impressive as yours (and I'm not certain I did one
> thing correctly)
>
> Pre Patch:
>         2148552 bytes    89383 allow rules    193 booleans
> Post Patch (no policy changes)
>         2166328 bytes    89383 allow rules    193 booleans
> Post Patch WITH policy changes
>         2031150 bytes    79685 allow rules    4 booleans
>
> So our policy grows 0.8% with only the tools change.  Our policy
> shrinks 5.5% with this change.  So it certainly doesn't look like bad
> news.
>
>
>   
No problem. I am using refpolicy from tresys tree and I have applied my
test patch to introduce a new keyword of "tunable" and change
tunable_policy() to use this tunable keyword rather than the current
"bool" keyword. Since your number of booleans has jumped from 193 down
to 4, you must have applied this patch correctly :-)

Since most tunables declared by tunable_policy() would default to false
and most of these tunable_policy() just has one if branch, then in
practice none rules would ever be expanded and written to raw policy for
them, that's why I have witnessed a significant drop from 6M to 3.22M.

So I could only guess in Fedora policy perhaps most tunables default to
true, or many tunable conditionals have two branches, then the logically
true branch would be expanded as normal. By whatever, the size of
policy.X would decrease when all disabled branch of rules are discarded.

> I did have one problem with my testing however.
> 0002-user_ping-is-a-tunable-use-tunable_policy-for-it.patch doesn't
> apply to Fedora.  I tried to fix it up by hand.  We actually have both
> of the following lines inside that if (user_ping)
>         netutils_domtrans_ping($1)
>         allow $1 ping_t:process { signal sigkill };
>
> I turned that into:
>         tunable_policy(`user_ping',`
>                 netutils_domtrans_traceroute($1)
>                 allow $1 traceroute_t:process { signal sigkill };
>         ')
>
> But that resulted in an error which I didn't bother to figure out.
> Maybe you can tell me what it is?
>
>   
Sorry I have no idea what this error is. There is no "allow $1
ping_t/traceroute_t:process ..." rules in these two interface in tresys
refpolicy, but after added them exactly as yours above still no error
happens on my side.

Or could you pass me your patch to netutils.if after you've adopted my
original patch manually?

Thanks,
Harry


> /usr/share/selinux/devel/include/system/modutils.if: Syntax error on
> line 181095 ` [type=TICK]
> /usr/share/selinux/devel/include/system/modutils.if: Syntax error on
> line 181097 ' [type=SQUOTE]
>
> It's also very possible that it comes from sepolgen-ifgen and it is
> part of the fedora-ism that is setroubleshoot.....
>
> -Eric
>
>   


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: v0 Separate tunables from booleans

[Daniel J Walsh]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 08/25/2011 02:17 AM, Harry Ciao wrote:
> Hi Eric,
> 
> Eric Paris 写道:
>> On Tue, Aug 23, 2011 at 6:08 AM, Harry Ciao
>> <qingtao.cao@windriver.com> wrote:
>> 
>> 
>>> With this patchset, the size of policy.X would drop
>>> significantly from 600+k down to 322+k bytes(since most of
>>> tunables are default to false, and there is no else branch of
>>> most conditionals).
>>> 
>> 
>> I should point out that I think you're off by one order of
>> magnitude. You went from a 6M policy to a 3.2M policy.  But
>> still.
>> 
>> I decided to do a little playing with this yesterday in Fedora
>> policy (where Dan already DRASTICALLY reduced the policy size by
>> changing from type sets with removal to using all attributes.  My
>> numbers weren't quite as impressive as yours (and I'm not certain
>> I did one thing correctly)
>> 
>> Pre Patch: 2148552 bytes    89383 allow rules    193 booleans 
>> Post Patch (no policy changes) 2166328 bytes    89383 allow rules
>> 193 booleans Post Patch WITH policy changes 2031150 bytes
>> 79685 allow rules    4 booleans
>> 
>> So our policy grows 0.8% with only the tools change.  Our policy 
>> shrinks 5.5% with this change.  So it certainly doesn't look like
>> bad news.
>> 
>> 
>> 
> No problem. I am using refpolicy from tresys tree and I have
> applied my test patch to introduce a new keyword of "tunable" and
> change tunable_policy() to use this tunable keyword rather than the
> current "bool" keyword. Since your number of booleans has jumped
> from 193 down to 4, you must have applied this patch correctly :-)
> 
> Since most tunables declared by tunable_policy() would default to
> false and most of these tunable_policy() just has one if branch,
> then in practice none rules would ever be expanded and written to
> raw policy for them, that's why I have witnessed a significant drop
> from 6M to 3.22M.
> 
> So I could only guess in Fedora policy perhaps most tunables
> default to true, or many tunable conditionals have two branches,
> then the logically true branch would be expanded as normal. By
> whatever, the size of policy.X would decrease when all disabled
> branch of rules are discarded.
> 

The Fedora policy has removed all calls that do stuff like

allow XYZ_t { file_type -shadow_t }:file read;

Which generates hundreds/thousands of rules when run though the M4
Macro, since it writes a rule for each file_type except the shadow_t.
 Anywhere in policy that we use this construct has to be reworked and
this shrunk the policy by 90%.  Your enhancement just adds another 5%
reduction after this change.  I sent a patch to refpolicy yesterday to
fix the coreutils interfaces that we doing something like this.


>> I did have one problem with my testing however. 
>> 0002-user_ping-is-a-tunable-use-tunable_policy-for-it.patch
>> doesn't apply to Fedora.  I tried to fix it up by hand.  We
>> actually have both of the following lines inside that if
>> (user_ping) netutils_domtrans_ping($1) allow $1 ping_t:process {
>> signal sigkill };
>> 
>> I turned that into: tunable_policy(`user_ping',` 
>> netutils_domtrans_traceroute($1) allow $1 traceroute_t:process {
>> signal sigkill }; ')
>> 
>> But that resulted in an error which I didn't bother to figure
>> out. Maybe you can tell me what it is?
>> 
>> 
This is happening because sepolgen does not understand the new syntax.
 It can be ignored until the new syntax is agreed upon, then sepolgen
will need to be updated.
> Sorry I have no idea what this error is. There is no "allow $1 
> ping_t/traceroute_t:process ..." rules in these two interface in
> tresys refpolicy, but after added them exactly as yours above still
> no error happens on my side.
> 
> Or could you pass me your patch to netutils.if after you've adopted
> my original patch manually?
> 
> Thanks, Harry
> 
> 
>> /usr/share/selinux/devel/include/system/modutils.if: Syntax error
>> on line 181095 ` [type=TICK] 
>> /usr/share/selinux/devel/include/system/modutils.if: Syntax error
>> on line 181097 ' [type=SQUOTE]
>> 
>> It's also very possible that it comes from sepolgen-ifgen and it
>> is part of the fedora-ism that is setroubleshoot.....
>> 
>> -Eric
>> 
>> 
> 
> 
> -- This message was distributed to subscribers of the selinux
> mailing list. If you no longer wish to subscribe, send mail to
> majordomo@tycho.nsa.gov with the words "unsubscribe selinux"
> without quotes as the message.
> 
> 

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk5WSGAACgkQrlYvE4MpobOdrACfQj2zNMQK7ASGz0pr7OKAfa4N
SegAn12yUMX1MhlsAW+SP53uOPXj0WRe
=2TXI
-----END PGP SIGNATURE-----

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: v0 Separate tunables from booleans

[James Carter]

On Thu, 2011-08-25 at 09:04 -0400, Daniel J Walsh wrote:
> On 08/25/2011 02:17 AM, Harry Ciao wrote:
> > Hi Eric,
> > 
> > Eric Paris 写道:
> >> On Tue, Aug 23, 2011 at 6:08 AM, Harry Ciao
> >> <qingtao.cao@windriver.com> wrote:
> >> 
> >> 
> >>> With this patchset, the size of policy.X would drop
> >>> significantly from 600+k down to 322+k bytes(since most of
> >>> tunables are default to false, and there is no else branch of
> >>> most conditionals).
> >>> 
> >> 
> >> I should point out that I think you're off by one order of
> >> magnitude. You went from a 6M policy to a 3.2M policy.  But
> >> still.
> >> 
> >> I decided to do a little playing with this yesterday in Fedora
> >> policy (where Dan already DRASTICALLY reduced the policy size by
> >> changing from type sets with removal to using all attributes.  My
> >> numbers weren't quite as impressive as yours (and I'm not certain
> >> I did one thing correctly)
> >> 
> >> Pre Patch: 2148552 bytes    89383 allow rules    193 booleans 
> >> Post Patch (no policy changes) 2166328 bytes    89383 allow rules
> >> 193 booleans Post Patch WITH policy changes 2031150 bytes
> >> 79685 allow rules    4 booleans
> >> 
> >> So our policy grows 0.8% with only the tools change.  Our policy 
> >> shrinks 5.5% with this change.  So it certainly doesn't look like
> >> bad news.
> >> 
> >> 
> >> 
> > No problem. I am using refpolicy from tresys tree and I have
> > applied my test patch to introduce a new keyword of "tunable" and
> > change tunable_policy() to use this tunable keyword rather than the
> > current "bool" keyword. Since your number of booleans has jumped
> > from 193 down to 4, you must have applied this patch correctly :-)
> > 
> > Since most tunables declared by tunable_policy() would default to
> > false and most of these tunable_policy() just has one if branch,
> > then in practice none rules would ever be expanded and written to
> > raw policy for them, that's why I have witnessed a significant drop
> > from 6M to 3.22M.
> > 
> > So I could only guess in Fedora policy perhaps most tunables
> > default to true, or many tunable conditionals have two branches,
> > then the logically true branch would be expanded as normal. By
> > whatever, the size of policy.X would decrease when all disabled
> > branch of rules are discarded.
> > 
> 
> The Fedora policy has removed all calls that do stuff like
> 
> allow XYZ_t { file_type -shadow_t }:file read;
> 
> Which generates hundreds/thousands of rules when run though the M4
> Macro, since it writes a rule for each file_type except the shadow_t.
>  Anywhere in policy that we use this construct has to be reworked and
> this shrunk the policy by 90%.  Your enhancement just adds another 5%
> reduction after this change.  I sent a patch to refpolicy yesterday to
> fix the coreutils interfaces that we doing something like this.
> 

I saw your patch removing -port_t and notice that it is in rawhide, but
I don't see anything in rawhide removing -shadow_t. Will that be
appearing soon? It will make translating Refpolicy to CIL much easier.
> 
> >> I did have one problem with my testing however. 
> >> 0002-user_ping-is-a-tunable-use-tunable_policy-for-it.patch
> >> doesn't apply to Fedora.  I tried to fix it up by hand.  We
> >> actually have both of the following lines inside that if
> >> (user_ping) netutils_domtrans_ping($1) allow $1 ping_t:process {
> >> signal sigkill };
> >> 
> >> I turned that into: tunable_policy(`user_ping',` 
> >> netutils_domtrans_traceroute($1) allow $1 traceroute_t:process {
> >> signal sigkill }; ')
> >> 
> >> But that resulted in an error which I didn't bother to figure
> >> out. Maybe you can tell me what it is?
> >> 
> >> 
> This is happening because sepolgen does not understand the new syntax.
>  It can be ignored until the new syntax is agreed upon, then sepolgen
> will need to be updated.
> > Sorry I have no idea what this error is. There is no "allow $1 
> > ping_t/traceroute_t:process ..." rules in these two interface in
> > tresys refpolicy, but after added them exactly as yours above still
> > no error happens on my side.
> > 
> > Or could you pass me your patch to netutils.if after you've adopted
> > my original patch manually?
> > 
> > Thanks, Harry
> > 
> > 
> >> /usr/share/selinux/devel/include/system/modutils.if: Syntax error
> >> on line 181095 ` [type=TICK] 
> >> /usr/share/selinux/devel/include/system/modutils.if: Syntax error
> >> on line 181097 ' [type=SQUOTE]
> >> 
> >> It's also very possible that it comes from sepolgen-ifgen and it
> >> is part of the fedora-ism that is setroubleshoot.....
> >> 
> >> -Eric
> >> 
> >> 
> > 
> > 
> > -- This message was distributed to subscribers of the selinux
> > mailing list. If you no longer wish to subscribe, send mail to
> > majordomo@tycho.nsa.gov with the words "unsubscribe selinux"
> > without quotes as the message.
> > 
> > 
> 
> --
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
> the words "unsubscribe selinux" without quotes as the message.

-- 
James Carter <jwcart2@tycho.nsa.gov>
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: v0 Separate tunables from booleans

[Daniel J Walsh]

[-- Attachment #1: Type: text/plain, Size: 2912 bytes --]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 08/25/2011 09:35 AM, James Carter wrote:
> On Thu, 2011-08-25 at 09:04 -0400, Daniel J Walsh wrote:
>> On 08/25/2011 02:17 AM, Harry Ciao wrote:
>>> Hi Eric,
>>> 
>>> Eric Paris 写道:
>>>> On Tue, Aug 23, 2011 at 6:08 AM, Harry Ciao 
>>>> <qingtao.cao@windriver.com> wrote:
>>>> 
>>>> 
>>>>> With this patchset, the size of policy.X would drop 
>>>>> significantly from 600+k down to 322+k bytes(since most of 
>>>>> tunables are default to false, and there is no else branch
>>>>> of most conditionals).
>>>>> 
>>>> 
>>>> I should point out that I think you're off by one order of 
>>>> magnitude. You went from a 6M policy to a 3.2M policy.  But 
>>>> still.
>>>> 
>>>> I decided to do a little playing with this yesterday in
>>>> Fedora policy (where Dan already DRASTICALLY reduced the
>>>> policy size by changing from type sets with removal to using
>>>> all attributes.  My numbers weren't quite as impressive as
>>>> yours (and I'm not certain I did one thing correctly)
>>>> 
>>>> Pre Patch: 2148552 bytes    89383 allow rules    193 booleans
>>>>  Post Patch (no policy changes) 2166328 bytes    89383 allow
>>>> rules 193 booleans Post Patch WITH policy changes 2031150
>>>> bytes 79685 allow rules    4 booleans
>>>> 
>>>> So our policy grows 0.8% with only the tools change.  Our
>>>> policy shrinks 5.5% with this change.  So it certainly
>>>> doesn't look like bad news.
>>>> 
>>>> 
>>>> 
>>> No problem. I am using refpolicy from tresys tree and I have 
>>> applied my test patch to introduce a new keyword of "tunable"
>>> and change tunable_policy() to use this tunable keyword rather
>>> than the current "bool" keyword. Since your number of booleans
>>> has jumped from 193 down to 4, you must have applied this patch
>>> correctly :-)
>>> 
>>> Since most tunables declared by tunable_policy() would default
>>> to false and most of these tunable_policy() just has one if
>>> branch, then in practice none rules would ever be expanded and
>>> written to raw policy for them, that's why I have witnessed a
>>> significant drop from 6M to 3.22M.
>>> 
>>> So I could only guess in Fedora policy perhaps most tunables 
>>> default to true, or many tunable conditionals have two
>>> branches, then the logically true branch would be expanded as
>>> normal. By whatever, the size of policy.X would decrease when
>>> all disabled branch of rules are discarded.
>>> 
>> 
>> The Fedora policy has removed all calls that do stuff like
>> 
>> allow XYZ_t { file_type -shadow_t }:file read;
>> 
<<snip>>
I left the interfaces but I stopped using them.

I replaced them with files calls.



-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk5XrZYACgkQrlYvE4MpobMBhQCeMu/rdbhb6c17fgZeGbQW0I1I
OkYAoNW5RAAyiCTvtwz4KO5FuK1NEnx+
=u+94
-----END PGP SIGNATURE-----

[-- Attachment #2: eliminate_except_auth.patch --]
[-- Type: text/plain, Size: 12246 bytes --]

diff --git a/policy/modules/admin/dpkg.te b/policy/modules/admin/dpkg.te
index 633d2fc..8d62407 100644
--- a/policy/modules/admin/dpkg.te
+++ b/policy/modules/admin/dpkg.te
@@ -140,8 +140,8 @@ storage_raw_write_fixed_disk(dpkg_t)
 # for installing kernel packages
 storage_raw_read_fixed_disk(dpkg_t)
 
-auth_relabel_all_files_except_auth_files(dpkg_t)
-auth_manage_all_files_except_auth_files(dpkg_t)
+files_relabel_non_security_files(dpkg_t)
+files_manage_non_security_files(dpkg_t)
 auth_dontaudit_read_shadow(dpkg_t)
 
 files_exec_etc_files(dpkg_t)
@@ -286,7 +286,7 @@ term_use_all_terms(dpkg_script_t)
 
 auth_dontaudit_getattr_shadow(dpkg_script_t)
 # ideally we would not need this
-auth_manage_all_files_except_auth_files(dpkg_script_t)
+files_manage_non_security_files(dpkg_script_t)
 
 init_domtrans_script(dpkg_script_t)
 init_use_script_fds(dpkg_script_t)
diff --git a/policy/modules/admin/rpm.te b/policy/modules/admin/rpm.te
index 7d964bf..ba6e400 100644
--- a/policy/modules/admin/rpm.te
+++ b/policy/modules/admin/rpm.te
@@ -154,8 +154,8 @@ storage_raw_read_fixed_disk(rpm_t)
 
 term_list_ptys(rpm_t)
 
-auth_relabel_all_files_except_auth_files(rpm_t)
-auth_manage_all_files_except_auth_files(rpm_t)
+files_relabel_all_files(rpm_t)
+files_manage_all_files(rpm_t)
 auth_dontaudit_read_shadow(rpm_t)
 auth_use_nsswitch(rpm_t)
 
@@ -304,8 +304,8 @@ term_use_all_terms(rpm_script_t)
 auth_dontaudit_getattr_shadow(rpm_script_t)
 auth_use_nsswitch(rpm_script_t)
 # ideally we would not need this
-auth_manage_all_files_except_auth_files(rpm_script_t)
-auth_relabel_shadow(rpm_script_t)
+files_manage_all_files(rpm_script_t)
+files_relabel_all_files(rpm_script_t)
 
 corecmd_exec_all_executables(rpm_script_t)
 
diff --git a/policy/modules/admin/sosreport.te b/policy/modules/admin/sosreport.te
index ebaff2f..de6b197 100644
--- a/policy/modules/admin/sosreport.te
+++ b/policy/modules/admin/sosreport.te
@@ -80,7 +80,7 @@ fs_list_inotifyfs(sosreport_t)
 
 # some config files do not have configfile attribute
 # sosreport needs to read various files on system
-auth_read_all_files_except_auth_files(sosreport_t)
+files_read_non_security_files(sosreport_t)
 auth_use_nsswitch(sosreport_t)
 
 init_domtrans_script(sosreport_t)
diff --git a/policy/modules/admin/sxid.te b/policy/modules/admin/sxid.te
index 045fb86..a51a92d 100644
--- a/policy/modules/admin/sxid.te
+++ b/policy/modules/admin/sxid.te
@@ -66,7 +66,7 @@ fs_list_all(sxid_t)
 
 term_dontaudit_use_console(sxid_t)
 
-auth_read_all_files_except_auth_files(sxid_t)
+files_read_non_security_files(sxid_t)
 auth_dontaudit_getattr_shadow(sxid_t)
 
 init_use_fds(sxid_t)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index deb24b4..225c263 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -663,12 +663,63 @@ interface(`files_read_non_security_files',`
 		attribute non_security_file_type;
 	')
 
+	list_dirs_pattern($1, non_security_file_type, non_security_file_type)
 	read_files_pattern($1, non_security_file_type, non_security_file_type)
 	read_lnk_files_pattern($1, non_security_file_type, non_security_file_type)
 ')
 
 ########################################
 ## <summary>
+##	Manage all non-security files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`files_manage_non_security_files',`
+	gen_require(`
+		attribute non_security_file_type;
+	')
+
+	manage_files_pattern($1, non_security_file_type, non_security_file_type)
+	manage_lnk_files_pattern($1, non_security_file_type, non_security_file_type)
+')
+
+########################################
+## <summary>
+##	Relabel all non-security files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`files_relabel_non_security_files',`
+	gen_require(`
+		attribute non_security_file_type;
+	')
+
+	relabel_files_pattern($1, non_security_file_type, non_security_file_type)
+	allow $1 { non_security_file_type }:dir list_dir_perms;
+	relabel_dirs_pattern($1, { non_security_file_type }, { non_security_file_type })
+	relabel_files_pattern($1, { non_security_file_type }, { non_security_file_type })
+	relabel_lnk_files_pattern($1, { non_security_file_type }, { non_security_file_type })
+	relabel_fifo_files_pattern($1, { non_security_file_type }, { non_security_file_type })
+	relabel_sock_files_pattern($1, { non_security_file_type }, { non_security_file_type })
+	relabel_blk_files_pattern($1, { non_security_file_type }, { non_security_file_type })
+	relabel_chr_files_pattern($1, { non_security_file_type }, { non_security_file_type })
+
+	# satisfy the assertions:
+	seutil_relabelto_bin_policy($1)
+')
+
+########################################
+## <summary>
 ##	Read all directories on the filesystem, except
 ##	the listed exceptions.
 ## </summary>
@@ -2451,7 +2502,7 @@ interface(`files_read_etc_files',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed access.
+##	Domain to not audit.
 ##	</summary>
 ## </param>
 #
@@ -3945,7 +3996,7 @@ interface(`files_getattr_tmp_dirs',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed access.
+##	Domain to not audit.
 ##	</summary>
 ## </param>
 #
@@ -4017,7 +4068,7 @@ interface(`files_list_tmp',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain not to audit.
+##	Domain to not audit.
 ##	</summary>
 ## </param>
 #
@@ -4202,7 +4253,7 @@ interface(`files_relabel_all_tmp_dirs',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain not to audit.
+##	Domain to not audit.
 ##	</summary>
 ## </param>
 #
@@ -4262,7 +4313,7 @@ interface(`files_relabel_all_tmp_files',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain not to audit.
+##	Domain to not audit.
 ##	</summary>
 ## </param>
 #
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index eac9961..797f131 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -336,7 +336,7 @@ optional_policy(`
 		fs_read_noxattr_fs_symlinks(kernel_t)
 
 		auth_read_all_dirs_except_auth_files(kernel_t)
-		auth_read_all_files_except_auth_files(kernel_t)
+		files_read_non_security_files(kernel_t)
 		auth_read_all_symlinks_except_auth_files(kernel_t)
 	')
 
@@ -346,7 +346,7 @@ optional_policy(`
 		fs_read_noxattr_fs_files(kernel_t)
 		fs_read_noxattr_fs_symlinks(kernel_t)
 
-		auth_manage_all_files_except_auth_files(kernel_t)
+		files_manage_non_security_files(kernel_t)
 	')
 ')
 
diff --git a/policy/modules/roles/secadm.te b/policy/modules/roles/secadm.te
index 89ddeaa..4b5119b 100644
--- a/policy/modules/roles/secadm.te
+++ b/policy/modules/roles/secadm.te
@@ -30,7 +30,7 @@ mls_file_upgrade(secadm_t)
 mls_file_downgrade(secadm_t)
 
 auth_role(secadm_r, secadm_t)
-auth_relabel_all_files_except_auth_files(secadm_t)
+files_relabel_non_security_files(secadm_t)
 auth_relabel_shadow(secadm_t)
 
 init_exec(secadm_t)
diff --git a/policy/modules/services/ftp.te b/policy/modules/services/ftp.te
index 02ffdfb..69c2d2c 100644
--- a/policy/modules/services/ftp.te
+++ b/policy/modules/services/ftp.te
@@ -261,7 +261,7 @@ tunable_policy(`allow_ftpd_use_nfs && allow_ftpd_anon_write',`
 
 tunable_policy(`allow_ftpd_full_access',`
 	allow ftpd_t self:capability { dac_override dac_read_search };
-	auth_manage_all_files_except_auth_files(ftpd_t)
+	files_manage_non_security_files(ftpd_t)
 ')
 
 tunable_policy(`ftp_home_dir',`
@@ -394,7 +394,7 @@ tunable_policy(`sftpd_enable_homedirs && use_samba_home_dirs',`
 tunable_policy(`sftpd_full_access',`
 	allow sftpd_t self:capability { dac_override dac_read_search };
 	fs_read_noxattr_fs_files(sftpd_t)
-	auth_manage_all_files_except_auth_files(sftpd_t)
+	files_manage_non_security_files(sftpd_t)
 ')
 
 tunable_policy(`use_samba_home_dirs',`
diff --git a/policy/modules/services/puppet.te b/policy/modules/services/puppet.te
index 941f6e1..68985da 100644
--- a/policy/modules/services/puppet.te
+++ b/policy/modules/services/puppet.te
@@ -134,7 +134,7 @@ sysnet_dns_name_resolve(puppet_t)
 sysnet_run_ifconfig(puppet_t, system_r)
 
 tunable_policy(`puppet_manage_all_files',`
-	auth_manage_all_files_except_auth_files(puppet_t)
+	files_manage_non_security_files(puppet_t)
 ')
 
 optional_policy(`
diff --git a/policy/modules/services/rgmanager.te b/policy/modules/services/rgmanager.te
index c537000..52ec13b 100644
--- a/policy/modules/services/rgmanager.te
+++ b/policy/modules/services/rgmanager.te
@@ -92,7 +92,7 @@ term_getattr_pty_fs(rgmanager_t)
 #term_use_ptmx(rgmanager_t)
 
 # needed by resources scripts
-auth_read_all_files_except_auth_files(rgmanager_t)
+files_read_non_security_files(rgmanager_t)
 auth_dontaudit_getattr_shadow(rgmanager_t)
 auth_use_nsswitch(rgmanager_t)
 
diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te
index 62fca97..6c6d18b 100644
--- a/policy/modules/services/rpc.te
+++ b/policy/modules/services/rpc.te
@@ -158,7 +158,7 @@ tunable_policy(`nfs_export_all_rw',`
 	dev_getattr_all_chr_files(nfsd_t)
 
 	fs_read_noxattr_fs_files(nfsd_t)
-	auth_manage_all_files_except_auth_files(nfsd_t)
+	files_manage_non_security_files(nfsd_t)
 ')
 
 tunable_policy(`nfs_export_all_ro',`
@@ -171,7 +171,7 @@ tunable_policy(`nfs_export_all_ro',`
 	fs_read_noxattr_fs_files(nfsd_t)
 
 	auth_read_all_dirs_except_auth_files(nfsd_t)
-	auth_read_all_files_except_auth_files(nfsd_t)
+	files_read_non_security_files(nfsd_t)
 ')
 
 ########################################
diff --git a/policy/modules/services/rsync.te b/policy/modules/services/rsync.te
index 1c381e1..51cedbd 100644
--- a/policy/modules/services/rsync.te
+++ b/policy/modules/services/rsync.te
@@ -126,7 +126,7 @@ tunable_policy(`rsync_export_all_ro',`
 	fs_read_nfs_files(rsync_t)
 	fs_read_cifs_files(rsync_t)
 	auth_read_all_dirs_except_auth_files(rsync_t)
-	auth_read_all_files_except_auth_files(rsync_t)
+	files_read_non_security_files(rsync_t)
 	auth_read_all_symlinks_except_auth_files(rsync_t)
 	auth_tunable_read_shadow(rsync_t)
 ')
diff --git a/policy/modules/services/samba.te b/policy/modules/services/samba.te
index df830cf..d1f1a15 100644
--- a/policy/modules/services/samba.te
+++ b/policy/modules/services/samba.te
@@ -451,17 +451,17 @@ tunable_policy(`samba_create_home_dirs',`
 tunable_policy(`samba_export_all_ro',`
 	fs_read_noxattr_fs_files(smbd_t) 
 	auth_read_all_dirs_except_auth_files(smbd_t)
-	auth_read_all_files_except_auth_files(smbd_t)
+	files_read_non_security_files(smbd_t)
 	fs_read_noxattr_fs_files(nmbd_t) 
 	auth_read_all_dirs_except_auth_files(nmbd_t)
-	auth_read_all_files_except_auth_files(nmbd_t)
+	files_read_non_security_files(nmbd_t)
 ')
 
 tunable_policy(`samba_export_all_rw',`
 	fs_read_noxattr_fs_files(smbd_t) 
-	auth_manage_all_files_except_auth_files(smbd_t)
+	files_manage_non_security_files(smbd_t)
 	fs_read_noxattr_fs_files(nmbd_t) 
-	auth_manage_all_files_except_auth_files(nmbd_t)
+	files_manage_non_security_files(nmbd_t)
 	userdom_user_home_dir_filetrans_user_home_content(nmbd_t, { file dir })
 ')
 
diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
index 94e49e8..fd331b9 100644
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
@@ -143,7 +143,7 @@ ifdef(`distro_ubuntu',`
 
 tunable_policy(`allow_mount_anyfile',`
 	auth_read_all_dirs_except_auth_files(mount_t)
-	auth_read_all_files_except_auth_files(mount_t)
+	files_read_non_security_files(mount_t)
 	files_mounton_non_security(mount_t)
 ')
 
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
index 508b206..52a5442 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -327,8 +327,8 @@ selinux_compute_create_context(restorecond_t)
 selinux_compute_relabel_context(restorecond_t)
 selinux_compute_user_contexts(restorecond_t)
 
-auth_relabel_all_files_except_auth_files(restorecond_t )
-auth_read_all_files_except_auth_files(restorecond_t)
+files_relabel_non_security_files(restorecond_t )
+files_read_non_security_files(restorecond_t)
 auth_use_nsswitch(restorecond_t)
 
 locallogin_dontaudit_use_fds(restorecond_t)

Re: v0 Separate tunables from booleans

[Harry Ciao]

Daniel J Walsh 写道:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 08/25/2011 02:17 AM, Harry Ciao wrote:
>   
>> Hi Eric,
>>
>> Eric Paris 写道:
>>     
>>> On Tue, Aug 23, 2011 at 6:08 AM, Harry Ciao
>>> <qingtao.cao@windriver.com> wrote:
>>>
>>>
>>>       
>>>> With this patchset, the size of policy.X would drop
>>>> significantly from 600+k down to 322+k bytes(since most of
>>>> tunables are default to false, and there is no else branch of
>>>> most conditionals).
>>>>
>>>>         
>>> I should point out that I think you're off by one order of
>>> magnitude. You went from a 6M policy to a 3.2M policy.  But
>>> still.
>>>
>>> I decided to do a little playing with this yesterday in Fedora
>>> policy (where Dan already DRASTICALLY reduced the policy size by
>>> changing from type sets with removal to using all attributes.  My
>>> numbers weren't quite as impressive as yours (and I'm not certain
>>> I did one thing correctly)
>>>
>>> Pre Patch: 2148552 bytes    89383 allow rules    193 booleans 
>>> Post Patch (no policy changes) 2166328 bytes    89383 allow rules
>>> 193 booleans Post Patch WITH policy changes 2031150 bytes
>>> 79685 allow rules    4 booleans
>>>
>>> So our policy grows 0.8% with only the tools change.  Our policy 
>>> shrinks 5.5% with this change.  So it certainly doesn't look like
>>> bad news.
>>>
>>>
>>>
>>>       
>> No problem. I am using refpolicy from tresys tree and I have
>> applied my test patch to introduce a new keyword of "tunable" and
>> change tunable_policy() to use this tunable keyword rather than the
>> current "bool" keyword. Since your number of booleans has jumped
>> from 193 down to 4, you must have applied this patch correctly :-)
>>
>> Since most tunables declared by tunable_policy() would default to
>> false and most of these tunable_policy() just has one if branch,
>> then in practice none rules would ever be expanded and written to
>> raw policy for them, that's why I have witnessed a significant drop
>> from 6M to 3.22M.
>>
>> So I could only guess in Fedora policy perhaps most tunables
>> default to true, or many tunable conditionals have two branches,
>> then the logically true branch would be expanded as normal. By
>> whatever, the size of policy.X would decrease when all disabled
>> branch of rules are discarded.
>>
>>     
>
> The Fedora policy has removed all calls that do stuff like
>
> allow XYZ_t { file_type -shadow_t }:file read;
>
> Which generates hundreds/thousands of rules when run though the M4
> Macro, since it writes a rule for each file_type except the shadow_t.
>  Anywhere in policy that we use this construct has to be reworked and
> this shrunk the policy by 90%.  Your enhancement just adds another 5%
> reduction after this change.  I sent a patch to refpolicy yesterday to
> fix the coreutils interfaces that we doing something like this.
>
>
>   
I don't know much about Fedora policy, but for upstream refpolicy and
toolchain my patch would contribute 45% size reduction for raw policy
and before I sent my patchset out for review I had not seen your patch.

Anyway, it would be fantastic to have your patch to further drastically
reduce the raw policy size, the whole community would benefit from each
single contributor's effort like this.

Thanks,
Harry


>>> I did have one problem with my testing however. 
>>> 0002-user_ping-is-a-tunable-use-tunable_policy-for-it.patch
>>> doesn't apply to Fedora.  I tried to fix it up by hand.  We
>>> actually have both of the following lines inside that if
>>> (user_ping) netutils_domtrans_ping($1) allow $1 ping_t:process {
>>> signal sigkill };
>>>
>>> I turned that into: tunable_policy(`user_ping',` 
>>> netutils_domtrans_traceroute($1) allow $1 traceroute_t:process {
>>> signal sigkill }; ')
>>>
>>> But that resulted in an error which I didn't bother to figure
>>> out. Maybe you can tell me what it is?
>>>
>>>
>>>       
> This is happening because sepolgen does not understand the new syntax.
>  It can be ignored until the new syntax is agreed upon, then sepolgen
> will need to be updated.
>   
>> Sorry I have no idea what this error is. There is no "allow $1 
>> ping_t/traceroute_t:process ..." rules in these two interface in
>> tresys refpolicy, but after added them exactly as yours above still
>> no error happens on my side.
>>
>> Or could you pass me your patch to netutils.if after you've adopted
>> my original patch manually?
>>
>> Thanks, Harry
>>
>>
>>     
>>> /usr/share/selinux/devel/include/system/modutils.if: Syntax error
>>> on line 181095 ` [type=TICK] 
>>> /usr/share/selinux/devel/include/system/modutils.if: Syntax error
>>> on line 181097 ' [type=SQUOTE]
>>>
>>> It's also very possible that it comes from sepolgen-ifgen and it
>>> is part of the fedora-ism that is setroubleshoot.....
>>>
>>> -Eric
>>>
>>>
>>>       
>> -- This message was distributed to subscribers of the selinux
>> mailing list. If you no longer wish to subscribe, send mail to
>> majordomo@tycho.nsa.gov with the words "unsubscribe selinux"
>> without quotes as the message.
>>
>>
>>     
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.11 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>
> iEYEARECAAYFAk5WSGAACgkQrlYvE4MpobOdrACfQj2zNMQK7ASGz0pr7OKAfa4N
> SegAn12yUMX1MhlsAW+SP53uOPXj0WRe
> =2TXI
> -----END PGP SIGNATURE-----
>
>   


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: v0 Separate tunables from booleans

[Eric Paris]

On 08/25/2011 09:17 PM, Harry Ciao wrote:
> Daniel J Walsh 写道:

>> The Fedora policy has removed all calls that do stuff like
>>
>> allow XYZ_t { file_type -shadow_t }:file read;
>>
>> Which generates hundreds/thousands of rules when run though the M4
>> Macro, since it writes a rule for each file_type except the shadow_t.
>>  Anywhere in policy that we use this construct has to be reworked and
>> this shrunk the policy by 90%.  Your enhancement just adds another 5%
>> reduction after this change.  I sent a patch to refpolicy yesterday to
>> fix the coreutils interfaces that we doing something like this.
>>
>>
>>   
> I don't know much about Fedora policy, but for upstream refpolicy and
> toolchain my patch would contribute 45% size reduction for raw policy
> and before I sent my patchset out for review I had not seen your patch.
> 
> Anyway, it would be fantastic to have your patch to further drastically
> reduce the raw policy size, the whole community would benefit from each
> single contributor's effort like this.

Agreed.  I'm excited about both approaches (reducing the policy size by
using attributes and eliminating needless unused portions of booleans).
 I'm glad to see Dan pushing his changes.  Once this patch set is
finished I'll be very happy to see a further 5-6% reduction in the
policy size of Fedora!

-Eric

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: v0 Separate tunables from booleans

[Daniel J Walsh]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 08/25/2011 10:22 PM, Eric Paris wrote:
> On 08/25/2011 09:17 PM, Harry Ciao wrote:
>> Daniel J Walsh 写道:
> 
>>> The Fedora policy has removed all calls that do stuff like
>>> 
>>> allow XYZ_t { file_type -shadow_t }:file read;
>>> 
>>> Which generates hundreds/thousands of rules when run though the
>>> M4 Macro, since it writes a rule for each file_type except the
>>> shadow_t. Anywhere in policy that we use this construct has to
>>> be reworked and this shrunk the policy by 90%.  Your
>>> enhancement just adds another 5% reduction after this change.
>>> I sent a patch to refpolicy yesterday to fix the coreutils
>>> interfaces that we doing something like this.
>>> 
>>> 
>>> 
>> I don't know much about Fedora policy, but for upstream refpolicy
>> and toolchain my patch would contribute 45% size reduction for
>> raw policy and before I sent my patchset out for review I had not
>> seen your patch.
>> 
>> Anyway, it would be fantastic to have your patch to further
>> drastically reduce the raw policy size, the whole community would
>> benefit from each single contributor's effort like this.
> 
> Agreed.  I'm excited about both approaches (reducing the policy
> size by using attributes and eliminating needless unused portions
> of booleans). I'm glad to see Dan pushing his changes.  Once this
> patch set is finished I'll be very happy to see a further 5-6%
> reduction in the policy size of Fedora!
> 
> -Eric
> 
> -- This message was distributed to subscribers of the selinux
> mailing list. If you no longer wish to subscribe, send mail to
> majordomo@tycho.nsa.gov with the words "unsubscribe selinux"
> without quotes as the message.
> 
> 


I agree, I would like to take the patch to make tunables real, but we
need to have a similar level of diagnosis capability to what we have now.

The admin needs to know what the tunables are and needs to be able to
take an AVC and see if any tunable/boolean would allow the AVC.

If we had this, I would be racing towards the tunable.

I see this as two steps.

1.  Implement what we have now in booleans in tunables to shrink the
size of policy.
2.  Allow policy writers to define rules within tunables that is
currently not available in booleans.
    - Type Definitions
    - Assigning attributes

The major problems with #2 is I am not sure we have good tools to
analyze this type of policy from the audit2allow -> tunable that I
talk about above, to the security analysis that DOD needs.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk5XmKkACgkQrlYvE4MpobM0VACeNKcVtb597WkpThQ+hnLbC6M+
cTcAniR5MBqUGm0AUndTSrwNfbkATN1q
=DroM
-----END PGP SIGNATURE-----

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: v0 Separate tunables from booleans

[Christopher J. PeBenito]

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #1: Type: text/plain; charset="windows-1252", Size: 2954 bytes --]

On 08/26/11 08:59, Daniel J Walsh wrote:
> On 08/25/2011 10:22 PM, Eric Paris wrote:
>> On 08/25/2011 09:17 PM, Harry Ciao wrote:
>>> Daniel J Walsh 写道:
> 
>>>> The Fedora policy has removed all calls that do stuff like
>>>>
>>>> allow XYZ_t { file_type -shadow_t }:file read;
>>>>
>>>> Which generates hundreds/thousands of rules when run though the
>>>> M4 Macro, since it writes a rule for each file_type except the
>>>> shadow_t. Anywhere in policy that we use this construct has to
>>>> be reworked and this shrunk the policy by 90%.  Your
>>>> enhancement just adds another 5% reduction after this change.
>>>> I sent a patch to refpolicy yesterday to fix the coreutils
>>>> interfaces that we doing something like this.
>>>>
>>>>
>>>>
>>> I don't know much about Fedora policy, but for upstream refpolicy
>>> and toolchain my patch would contribute 45% size reduction for
>>> raw policy and before I sent my patchset out for review I had not
>>> seen your patch.
>>>
>>> Anyway, it would be fantastic to have your patch to further
>>> drastically reduce the raw policy size, the whole community would
>>> benefit from each single contributor's effort like this.
> 
>> Agreed.  I'm excited about both approaches (reducing the policy
>> size by using attributes and eliminating needless unused portions
>> of booleans). I'm glad to see Dan pushing his changes.  Once this
>> patch set is finished I'll be very happy to see a further 5-6%
>> reduction in the policy size of Fedora!
> 
>> -Eric
> 
>> -- This message was distributed to subscribers of the selinux
>> mailing list. If you no longer wish to subscribe, send mail to
>> majordomo@tycho.nsa.gov with the words "unsubscribe selinux"
>> without quotes as the message.
> 
> 
> 
> 
> I agree, I would like to take the patch to make tunables real, but we
> need to have a similar level of diagnosis capability to what we have now.
> 
> The admin needs to know what the tunables are and needs to be able to
> take an AVC and see if any tunable/boolean would allow the AVC.
> 
> If we had this, I would be racing towards the tunable.
> 
> I see this as two steps.
> 
> 1.  Implement what we have now in booleans in tunables to shrink the
> size of policy.
> 2.  Allow policy writers to define rules within tunables that is
> currently not available in booleans.
>     - Type Definitions
>     - Assigning attributes

I would go farther than that.  I think it should be any statement that
is allowed in an optional block.  If I can get the RBAC stuff in there,
then I can get rid of the DIRECT_INITRC build option, which exists due
to the role_transition statement in the init_run_daemon() interface.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: v0 Separate tunables from booleans

[Christopher J. PeBenito]

On 08/26/11 09:06, Christopher J. PeBenito wrote:
> On 08/26/11 08:59, Daniel J Walsh wrote:
>> I agree, I would like to take the patch to make tunables real, but we
>> need to have a similar level of diagnosis capability to what we have now.
>>
>> The admin needs to know what the tunables are and needs to be able to
>> take an AVC and see if any tunable/boolean would allow the AVC.
>>
>> If we had this, I would be racing towards the tunable.
>>
>> I see this as two steps.
>>
>> 1.  Implement what we have now in booleans in tunables to shrink the
>> size of policy.
>> 2.  Allow policy writers to define rules within tunables that is
>> currently not available in booleans.
>>     - Type Definitions
>>     - Assigning attributes
> 
> I would go farther than that.  I think it should be any statement that
> is allowed in an optional block.  If I can get the RBAC stuff in there,
> then I can get rid of the DIRECT_INITRC build option, which exists due
> to the role_transition statement in the init_run_daemon() interface.

By "get rid of" I mean "convert to tunable".

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: v0 Separate tunables from booleans

[Christopher J. PeBenito]

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #1: Type: text/plain; charset="windows-1252", Size: 1974 bytes --]

On 08/25/11 22:22, Eric Paris wrote:
> On 08/25/2011 09:17 PM, Harry Ciao wrote:
>> Daniel J Walsh 写道:
>>> The Fedora policy has removed all calls that do stuff like
>>>
>>> allow XYZ_t { file_type -shadow_t }:file read;
>>>
>>> Which generates hundreds/thousands of rules when run though the M4
>>> Macro, since it writes a rule for each file_type except the shadow_t.
>>>  Anywhere in policy that we use this construct has to be reworked and
>>> this shrunk the policy by 90%.  Your enhancement just adds another 5%
>>> reduction after this change.  I sent a patch to refpolicy yesterday to
>>> fix the coreutils interfaces that we doing something like this.
>>>
>>>
>>>   
>> I don't know much about Fedora policy, but for upstream refpolicy and
>> toolchain my patch would contribute 45% size reduction for raw policy
>> and before I sent my patchset out for review I had not seen your patch.
>>
>> Anyway, it would be fantastic to have your patch to further drastically
>> reduce the raw policy size, the whole community would benefit from each
>> single contributor's effort like this.
> 
> Agreed.  I'm excited about both approaches (reducing the policy size by
> using attributes and eliminating needless unused portions of booleans).
>  I'm glad to see Dan pushing his changes.  Once this patch set is
> finished I'll be very happy to see a further 5-6% reduction in the
> policy size of Fedora!

I merged Dan's patch into Refpolicy.  With all modules on, and using a
monolithic build for easy comparison, it reduced the policy.26 from
5.9MB to 4.5MB, a 23.7% reduction.  Its too bad we don't have an
optimizing compiler that can do these optimizations automatically.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: v0 Separate tunables from booleans

[Christopher J. PeBenito]

On 08/23/11 06:08, Harry Ciao wrote:
> Comments
> ---------
> Separate tunables from booleans.
> 
> The effective branch of an if-else conditional that controlled by a tunable
> should be expanded and registered to te_avtab hashtab permanently; while the
> whole if-else conditional that controlled by a boolean should be expaned and
> registered to te_cond_avtab hashtab as normal.
> 
> Also nearly all tunables(exceptions see below) would be discarded from
> policy.X.
> 
> With this patchset, the size of policy.X would drop significantly from 600+k
> down to 322+k bytes(since most of tunables are default to false, and there is
> no else branch of most conditionals).
> 
> Note, so far some tunable would be used along with some boolean in the
> tunable_policy() macro(say pppd_can_insmod), this is not recommended and such
> tunable would have to be transformed as boolean.

I'd say that this is a good first step, but I think it has a problem.
It has the same limitations as conditional policy, since you're reusing
those data structures.  I'd like to be able to put more in tunables than
can be put in conditional policy blocks, such as rbac (role, role allow,
role_transition) statements and typeattributes statements.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: v0 Separate tunables from booleans

[Joshua Brindle]

Christopher J. PeBenito wrote:
> On 08/23/11 06:08, Harry Ciao wrote:
>> Comments
>> ---------
>> Separate tunables from booleans.
>>
>> The effective branch of an if-else conditional that controlled by a tunable
>> should be expanded and registered to te_avtab hashtab permanently; while the
>> whole if-else conditional that controlled by a boolean should be expaned and
>> registered to te_cond_avtab hashtab as normal.
>>
>> Also nearly all tunables(exceptions see below) would be discarded from
>> policy.X.
>>
>> With this patchset, the size of policy.X would drop significantly from 600+k
>> down to 322+k bytes(since most of tunables are default to false, and there is
>> no else branch of most conditionals).
>>
>> Note, so far some tunable would be used along with some boolean in the
>> tunable_policy() macro(say pppd_can_insmod), this is not recommended and such
>> tunable would have to be transformed as boolean.
>
> I'd say that this is a good first step, but I think it has a problem.
> It has the same limitations as conditional policy, since you're reusing
> those data structures.  I'd like to be able to put more in tunables than
> can be put in conditional policy blocks, such as rbac (role, role allow,
> role_transition) statements and typeattributes statements.
>

I'm with Chris on this one. CIL implements tunables as switchable blocks where 
you can have anything in them you could have in a regular block (declarations, 
modifiers, rules, etc). This isn't a big deal because CIL tunables will never 
make it into the policy.XX either.

However, it does mean that tunables will be different things within not very 
much time (hopefully anyway) and it doesn't address the major thing we wanted 
tunables to do, which was allow declarations.

IMHO if the above numbers are correct and there is really a 50% reduction in 
size this is certainly worth doing now, just for that, with the understanding 
that CIL tunables are going to be the desired solution. How confusing this will 
be to uses remains to be seen.

It would be much more work to do this with the current toolchain but it isn't 
hard to conceptualize. Basically add a tunable table to the required index in 
avrule_block_t and start a new block when you encounter an if(). I don't think 
the amount of work it would require is justified given that we are actively 
trying to deprecate the module format.

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: v0 Separate tunables from booleans

[Harry Ciao]

Joshua Brindle 写道:
> Christopher J. PeBenito wrote:
>> On 08/23/11 06:08, Harry Ciao wrote:
>>> Comments
>>> ---------
>>> Separate tunables from booleans.
>>>
>>> The effective branch of an if-else conditional that controlled by a
>>> tunable
>>> should be expanded and registered to te_avtab hashtab permanently;
>>> while the
>>> whole if-else conditional that controlled by a boolean should be
>>> expaned and
>>> registered to te_cond_avtab hashtab as normal.
>>>
>>> Also nearly all tunables(exceptions see below) would be discarded from
>>> policy.X.
>>>
>>> With this patchset, the size of policy.X would drop significantly
>>> from 600+k
>>> down to 322+k bytes(since most of tunables are default to false, and
>>> there is
>>> no else branch of most conditionals).
>>>
>>> Note, so far some tunable would be used along with some boolean in the
>>> tunable_policy() macro(say pppd_can_insmod), this is not recommended
>>> and such
>>> tunable would have to be transformed as boolean.
>>
>> I'd say that this is a good first step, but I think it has a problem.
>> It has the same limitations as conditional policy, since you're reusing
>> those data structures. I'd like to be able to put more in tunables than
>> can be put in conditional policy blocks, such as rbac (role, role allow,
>> role_transition) statements and typeattributes statements.
>>
>
> I'm with Chris on this one. CIL implements tunables as switchable
> blocks where you can have anything in them you could have in a regular
> block (declarations, modifiers, rules, etc). This isn't a big deal
> because CIL tunables will never make it into the policy.XX either.
>
> However, it does mean that tunables will be different things within
> not very much time (hopefully anyway) and it doesn't address the major
> thing we wanted tunables to do, which was allow declarations.
>
> IMHO if the above numbers are correct and there is really a 50%
> reduction in size this is certainly worth doing now, just for that,
> with the understanding that CIL tunables are going to be the desired
> solution. How confusing this will be to uses remains to be seen.
>
> It would be much more work to do this with the current toolchain but
> it isn't hard to conceptualize. Basically add a tunable table to the
> required index in avrule_block_t and start a new block when you
> encounter an if(). I don't think the amount of work it would require
> is justified given that we are actively trying to deprecate the module
> format.
>
Hi Joshua,

Honestly speaking I have become kinda confused. If tunable_policy()
remains as if-else conditionals then what Chris has wanted is to expand
all RBAC rules into cond_rule_def aside from just AVRULE_AV and
AVRULE_TYPE rules.

However, if tunable_policy() is to be implemented as a block, then
what's the major difference between such "tunable block " and the blocks
already created by optional_block()? The optional_block() already
supports the else-branch, and only one of the two branches would take
effect, also if its external requirement won't be satisfied, the whole
block would not be enabled and skipped over during expansion, which
sounds to me like a tunable which just has the if-branch and defaults to
false.

Anyway, it's good to know how tunable is handled in CIL, I would have
better understanding once I get to know more about it.

Thanks,
Harry

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: v0 Separate tunables from booleans

[Joshua Brindle]

Harry Ciao wrote:
> Joshua Brindle 写道:
>> Christopher J. PeBenito wrote:
<snip>>
> Hi Joshua,
>
> Honestly speaking I have become kinda confused. If tunable_policy()
> remains as if-else conditionals then what Chris has wanted is to expand
> all RBAC rules into cond_rule_def aside from just AVRULE_AV and
> AVRULE_TYPE rules.
>
> However, if tunable_policy() is to be implemented as a block, then
> what's the major difference between such "tunable block " and the blocks
> already created by optional_block()? The optional_block() already
> supports the else-branch, and only one of the two branches would take
> effect, also if its external requirement won't be satisfied, the whole
> block would not be enabled and skipped over during expansion, which
> sounds to me like a tunable which just has the if-branch and defaults to
> false.
>

Yes, it is close. We thought about making a tunable symbol and putting 
it in the require section of a block. Unfortunately it doesn't give us 
the expressions that conditionals do ( foo || bar ) so it still isn't 
ideal. Additionally you can't declare things in the else branch. We 
didn't know how to deal with this case:

optional {
	requires { type a; }
	type b;
	...
} else {
	requires { type c; }
	type d;
}

optional {
	requires { type b; }
	type c;
} else {
	requires { type d; }
	type b;
}

So we just punted on allowing declarations in the else block so Chris 
uses them very rarely.
	

> Anyway, it's good to know how tunable is handled in CIL, I would have
> better understanding once I get to know more about it.
>


There was just a release of the compiler, take a look :)

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.