That is very true on the policy size. I have some very large policies by increasing the number of categories for testing purposes. I would also agree with using a "category" selector of some sort instead of using "level" which IMHO has a different meaning.
-Chad On Mon, Aug 26, 2013 at 4:41 PM, Stephen Smalley <[email protected]> wrote: > On 08/26/2013 04:03 PM, William Roberts wrote: >> On Mon, Aug 26, 2013 at 10:15 AM, Stephen Smalley <[email protected]> wrote: >> >>> On 08/26/2013 01:03 PM, William Roberts wrote: >>>> On Mon, Aug 26, 2013 at 10:00 AM, Stephen Smalley <[email protected]> >>> wrote: >>>> >>>>> On 08/26/2013 12:56 PM, William Roberts wrote: >>>>>> On Mon, Aug 26, 2013 at 9:22 AM, William Roberts >>>>>>> Implementation 2: >>>>>>> We add a new sens category >>>>>>> >>>>>> Id be more ok with this approach if level was cats. And adding cats now >>>>>> would be an additional thing to remember based on history. >>>>>> sens=s0 cats=app is a bit more clear then sens=s1 level=app >>>>> >>>>> I think you mean if levelFrom= was catsFrom= (or categoriesFrom=). >>>>> If you want to effectively introduce an alias into the parser so that it >>>>> accepts either categoriesFrom= or levelFrom= and switch the sample >>>>> seapp_contexts over to using categoriesFrom=, then I am fine with that. >>>>> That's no different than what we did with the levelFromUid=true|false >>>>> to levelFrom=none|app|user|all transition. >>>>> >>>>> Yes, but my underlying problem with this, is looking back, i think level >>>> could have just been smarter. since a true level (sens + cat) is a >>>> wellformed and well standardized, the logic to handle it is simple. >>> >>> Really? All of the below are valid values for level= >>> >>> s0 >>> s0:c0 >>> s0:c0,c2 >>> s0:c0.c10 == s0:c0,c1,c2,c3,c4,c5,c6,c7,c8,c9,c10 >>> s0:c0.c10,c255 >>> s0-s15 (a range; lowlevel-highlevel) >>> s0-s15:c0,c2 >>> s0:c0-s15:c0 >>> s0:c0,c2-s15:c0.c1024 >>> >>> It gets a bit messy to parse them. >>> mcstransd in Fedora/RHEL is likely an example if you want to look at one. >>> >> >> Looks like both implementations fall short of building weird strings... >> >> >> Josh chimed in with appending a category, what if you specified level and >> levelFrom, it just did a simple concatenation? >> level + levefrom = cats? > > I think I'd rather have an explicit extraCategories= output selector. > But you'd need to expand the number of categories to provide a range > that is not ever used by the levelFrom= code to ensure no conflicts. > And some caution is advised there; due to some inefficiency in the > representation, significant increases in the number of categories can > have a non-trivial affect on policy size. > > > > -- > This message was distributed to subscribers of the seandroid-list mailing > list. > If you no longer wish to subscribe, send mail to [email protected] with > the words "unsubscribe seandroid-list" without quotes as the message. -- This message was distributed to subscribers of the seandroid-list mailing list. If you no longer wish to subscribe, send mail to [email protected] with the words "unsubscribe seandroid-list" without quotes as the message.
