On 04/13/2013 07:43 PM, Kevin Kofler wrote:
> Richard W.M. Jones wrote:
>> This would be excellent, and projects in this area could make a
>> significant contribution. I suspect that any general code-to-policy
>> translator will hit the Halting Problem, since it seems trivial to
>> write a program which would not be possible to translate, but that
>> doesn't mean it can't be solved for many useful real world cases.
>
> That's exactly why SELinux policy is the wrong representation. It duplicates
> information of the code without being automatically transformable either
> way, requiring every change to be made twice.
From the security point of view this is a good thing, because it
requires both the programmer's code and the security policy to
independently agree to perform every action.
Otherwise, the programmer might write 'if (uid=0) then ...' and the
automatic policy generator would obediently generate a rule for that.
I agree that it's tedious, but practical evidence seems to suggest that
it's a converging process and we're almost there---'enforcing' SELinux
is a viable setting for a majority of deployments.