SELinux Mailing List

Using scripting languages to "macro" policy

From: Aleks Kissinger <aleks0_at_gmail.com>
Date: Fri, 1 Sep 2006 11:30:43 -0500


I've been poking around with the idea of using Ruby and some meta-programming to specify policy. The complaint I've heard voiced by a couple of people is that while many of the m4-based abstractions present in refpolicy are pretty intuitive and useful, the limitation of m4 as a language is that you cannot maintain relationships and resolve conflicts automatically. Therefore, in many cases you need to resort to naming conventions to do that work.

The idea I put forward here is to create a set of base objects in Ruby, Python, or something of that ilk that can be extended and used to define policy in an organized, error-checking, and namespaced manner. Here's a quick little example:

class LogDir < FileType
  pattern '/var/log/.*'
end

class SomeProgram < Application
  executable '/usr/bin/someprog'
  allow_role SysadminRole
  allow self, LogDir, File, File.perms(:r, :w)
end

This expands to all the relevant TE & FC statements. 'executable' generates the someprogram_exec_t type and all needed type transitions and allows, 'allow_role' looks up types associated with the role and generates relevant allows and transitions. The 'allow' statement works pretty much as expected, except that the FLASK class File is an actual Ruby class, with the ability to filter on permission categories, etc.

This system isn't meant to replace all the work that's gone into existing policies, nor does it set out to be a policy language of its own like existing high-level language work, but I think it would make an interesting little project. Ideas, comments, suggestions, criticisms, etc. would be appreciated.

Aleks Kissinger

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
Received on Fri 1 Sep 2006 - 12:30:44 EDT
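The following is an added example, not code from the post or from any SELinux project: a small Ruby DSL in the spirit of the proposal, with base objects that collect declarations and expand them into TE and FC statements. All names (Policy, FileType, Application, Role, SysadminRole, the permission category table, the generated statement shapes) are assumptions for illustration; the FLASK class is exposed as Policy::File so that it does not shadow Ruby's core File. It also shows the "error-checking" side of the idea: two file types claiming the same file-context pattern is detected at generation time instead of being left to a naming convention.

```ruby
# Added example (assumed names throughout): a toy Ruby DSL that expands
# class declarations into SELinux TE and FC statements.
module Policy
  REGISTRY = { file_types: [], applications: [] }

  # Constructed category table (assumption): File.perms(:r, :w) filters on these.
  FILE_PERM_CATEGORIES = {
    r: %w[read getattr open],
    w: %w[write append],
    x: %w[execute],
  }.freeze

  # A FLASK object class as a real Ruby object, so permissions can be filtered.
  class FlaskClass
    attr_reader :name
    def initialize(name)
      @name = name
    end

    def perms(*categories)
      categories.flat_map { |c| FILE_PERM_CATEGORIES.fetch(c) }.uniq
    end
  end
  File = FlaskClass.new('file') # Policy::File; does not touch ::File

  Role = Struct.new(:name, :types)
  SysadminRole = Role.new('sysadm_r', %w[sysadm_t]) # constructed role

  # LogDir -> logdir_t, SomeProgram -> someprogram_t / someprogram_exec_t
  def self.type_name(klass, suffix = '_t')
    klass.name.split('::').last.downcase + suffix
  end

  # Base object for file types: collects file-context patterns.
  class FileType
    def self.inherited(sub)
      super
      REGISTRY[:file_types] << sub
    end

    def self.pattern(regex)
      (@patterns ||= []) << regex
    end

    def self.patterns
      @patterns || []
    end

    def self.type_name
      Policy.type_name(self)
    end
  end

  # Base object for applications: executable, roles and allow rules.
  class Application
    Rule = Struct.new(:source, :target, :klass, :perms)

    def self.inherited(sub)
      super
      REGISTRY[:applications] << sub
    end

    def self.executable(path)
      @executable = path
    end

    def self.allow_role(role)
      (@roles ||= []) << role
    end

    # In a class body `self` is the class, so `allow self, ...` names this domain.
    def self.allow(source, target, klass, perms)
      (@rules ||= []) << Rule.new(source, target, klass, perms)
    end

    def self.domain
      Policy.type_name(self)
    end

    def self.exec_type
      Policy.type_name(self, '_exec_t')
    end

    # Map a DSL object (Application or FileType subclass) to its SELinux type.
    def self.resolve(obj)
      obj < Application ? obj.domain : obj.type_name
    end

    # 'executable' yields the exec type and entrypoint; 'allow_role' looks up the
    # role's types and emits the exec allows and domain transition for each.
    def self.te_statements
      out = ["type #{domain};", "type #{exec_type};",
             "allow #{domain} #{exec_type}:file entrypoint;"]
      (@roles || []).each do |role|
        out << "role #{role.name} types #{domain};"
        role.types.each do |src|
          out << "allow #{src} #{exec_type}:file { execute open read getattr };"
          out << "allow #{src} #{domain}:process transition;"
          out << "type_transition #{src} #{exec_type}:process #{domain};"
        end
      end
      (@rules || []).each do |r|
        out << "allow #{resolve(r.source)} #{resolve(r.target)}:#{r.klass.name} { #{r.perms.join(' ')} };"
      end
      out
    end

    def self.fc_statements
      @executable ? ["#{@executable} -- gen_context(system_u:object_r:#{exec_type},s0)"] : []
    end
  end

  # Whole-policy file_contexts; refuses a pattern claimed by two file types.
  def self.fc_statements
    seen = {}
    lines = REGISTRY[:file_types].flat_map do |ft|
      ft.patterns.map do |pat|
        if seen[pat] && seen[pat] != ft
          raise ArgumentError, "#{pat} claimed by #{seen[pat].type_name} and #{ft.type_name}"
        end
        seen[pat] = ft
        "#{pat} gen_context(system_u:object_r:#{ft.type_name},s0)"
      end
    end
    lines + REGISTRY[:applications].flat_map(&:fc_statements)
  end

  def self.te_statements
    REGISTRY[:file_types].map { |ft| "type #{ft.type_name};" } +
      REGISTRY[:applications].flat_map(&:te_statements)
  end
end

# The policy from the post, written against the DSL above.
class LogDir < Policy::FileType
  pattern '/var/log/.*'
end

class SomeProgram < Policy::Application
  executable '/usr/bin/someprog'
  allow_role Policy::SysadminRole
  allow self, LogDir, Policy::File, Policy::File.perms(:r, :w)
end

puts Policy.te_statements, Policy.fc_statements if $PROGRAM_NAME == __FILE__
```

Running the file prints the expanded TE block (types, entrypoint, the sysadm_r role statement with its exec allows and type_transition, and the logdir_t file rule) followed by the two file-context lines. The registry is what makes relationship checks possible: because every FileType registers itself, the generator can see all patterns at once and reject a clash, which m4 macros expanded one at a time cannot do.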
Date Posted: Jan 15, 2009 | Last Modified: Jan 15, 2009 | Last Reviewed: Jan 15, 2009


National Security Agency / Central Security Service