apol permission map weights

apol permission map weights

[Hayawardh Vijayakumar]

Dear all,

This is a question regarding the weights for the permission mappings
from APOL (the file apol_perm_mapping_ver24 at e.g.,
http://oss.tresys.com/repos/setools/trunk/apol/perm_maps/apol_perm_mapping_ver24).
The documentation on page
http://oss.tresys.com/projects/setools/wiki/helpFiles/iflow_help says

"In addition to mapping each permission to read, write, both, or none,
it is possible to assign the permission a weight between 1 and 10 (the
default is 10).  Apol uses this weight to rate the importance of the
information flow this permission represents and allows the user to
make fine-grained distinctions between high-bandwidth, overt
information flows and low-bandwidth, or difficult to exploit, covert
information flows.  For example, the permissions "read" and "write" on
the file object could be given a weight of 10 because they are very
high-bandwidth information flows.  Additionally, the "use" permission
on the fd object (file descriptor) would probably be given a weight of
1 as it is a very low-bandwidth covert flow at best. "

However, the append permission on class file is given a weight of only
1, whereas write is given 10:

class file 21
...
            append	 w           1
...
            write	         w          10

Appending to a file causes a flow of as big a bandwidth as write. Can
someone please explain why append is given so low a weight?

Thanks,
Hayawardh

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: apol permission map weights

[Joshua Brindle]

Hayawardh Vijayakumar wrote:
> Dear all,
>
> This is a question regarding the weights for the permission mappings
> from APOL (the file apol_perm_mapping_ver24 at e.g.,
> http://oss.tresys.com/repos/setools/trunk/apol/perm_maps/apol_perm_mapping_ver24).
> The documentation on page
> http://oss.tresys.com/projects/setools/wiki/helpFiles/iflow_help says
>
> "In addition to mapping each permission to read, write, both, or none,
> it is possible to assign the permission a weight between 1 and 10 (the
> default is 10).  Apol uses this weight to rate the importance of the
> information flow this permission represents and allows the user to
> make fine-grained distinctions between high-bandwidth, overt
> information flows and low-bandwidth, or difficult to exploit, covert
> information flows.  For example, the permissions "read" and "write" on
> the file object could be given a weight of 10 because they are very
> high-bandwidth information flows.  Additionally, the "use" permission
> on the fd object (file descriptor) would probably be given a weight of
> 1 as it is a very low-bandwidth covert flow at best. "
>
> However, the append permission on class file is given a weight of only
> 1, whereas write is given 10:
>
> class file 21
> ...
>              append	 w           1
> ...
>              write	         w          10
>
> Appending to a file causes a flow of as big a bandwidth as write. Can
> someone please explain why append is given so low a weight?

Probably an over site, I'll see about getting it fixed. Thanks for 
reporting it.

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.