RE: security policy and xml


From: Jorgen_Sigvardsson <jorgen@profitab.com>
Subject: RE: security policy and xml
Date: Fri, 27 Jul 2001 08:33:47 +0200

Next Article (by Subject): Several questions steve
Previous Article (by Subject): security policy and xml "T.R.Y."
Top of Thread: security policy and xml "T.R.Y."
Articles sorted by: [Date] [Author] [Subject]


It depends on how you want to define your XML language. XML puts no
restrictions on your language other than the "basic XML rules":
correct structure, etc.

A very simple and generic syntax would yield a language such as:
<?xml version="1.0"?>
<secpolicies>
	<model name = "acl">
		<object name = "/etc/shadow" type = "file">
			<subject name = "root" operation = "read"/>
			<subject name = "root" operation = "write"/>
		</object>
	</model>
	.
	.
</secpolicies>
A very small DTD is needed, and the syntax can be applied to pretty
much any model since it is very generic/abstract. The interpreter of
this configuration file must do a lot of work however. The parser
does not give you a specific ACL-syntax tree for this particular
example, thus you have to parse the syntax tree again and do
translations (and validation).

If you allow a "sub-DTD" for each model (i.e. a specific syntax for
each model), then you can skip the last translation pass.

<?xml version="1.0"?>
<secpolicies>
	<acl>
		<file name = "/etc/shadow">
			<give user = "root" right = "read"/>
			<give user = "root" right = "write"/>
		</file>
	</acl>
	.
	.
</secpolicies>

The latter example is less abstract and more clear to the policy
writer. I think this would be the way to go. The DTD may be bloated,
but I'll take a bloated DTD over bad readability/ease of configuration
any day.

my 0,2 skr
--
Jorgen Sigvardsson * SW Developer   * jorgen@profitab.com
Gelinsgatan 1      * 65229 Karlstad * +46-54-21 75 50


> -----Original Message-----
> From: owner-rsbac@compuniverse.de 
> [mailto:owner-rsbac@compuniverse.de]On
> Behalf Of T.R.Y.
> Sent: den 27 juli 2001 07:57
> To: rsbac@rsbac.org
> Subject: security policy and xml
> 
> 
> Is xml capable of expressing security policies?
> Sure, different models have different rulesets.
> Just curious.
> 
> - T.
> -
> To unsubscribe from the rsbac list, send a mail to
> majordomo@rsbac.org with
> unsubscribe rsbac
> as single line in the body.
> 

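Reading the two syntaxes from the mail above into one ACL table, as an added example that is not part of the mail or of RSBAC: the generic form needs the extra translation and validation pass the mail mentions, while the model-specific form only needs its right names checked. The allowed-operation set, the dict layout, and the sample documents are assumptions.

```python
import xml.etree.ElementTree as ET
ALLOWED_OPS = {"read", "write", "execute"}  # assumed ACL operation set, not from the mail
# Constructed input in the mail's generic syntax (model/object/subject).
GENERIC_POLICY = """<?xml version="1.0"?>
<secpolicies><model name="acl">
  <object name="/etc/shadow" type="file">
    <subject name="root" operation="read"/>
    <subject name="root" operation="write"/>
  </object>
</model></secpolicies>"""

# The same policy in the model-specific syntax (acl/file/give).
SPECIFIC_POLICY = """<?xml version="1.0"?>
<secpolicies><acl>
  <file name="/etc/shadow">
    <give user="root" right="read"/>
    <give user="root" right="write"/>
  </file>
</acl></secpolicies>"""

def _check_op(op, path):
    # Reject operations the ACL model does not know about.
    if op not in ALLOWED_OPS:
        raise ValueError(f"{path}: unknown operation {op!r}")
    return op

def load_generic(xml_text):
    # The second pass the mail describes: the parser only yields generic
    # nodes, so check they form an ACL, then build {path: [(subject, op)]}.
    acl = {}
    for model in ET.fromstring(xml_text).findall("model"):
        if model.get("name") != "acl":
            raise ValueError(f"unsupported model {model.get('name')!r}")
        for obj in model.findall("object"):
            path = obj.get("name")
            if obj.get("type") != "file":
                raise ValueError(f"{path}: ACL objects must be files")
            for subj in obj.findall("subject"):
                op = _check_op(subj.get("operation"), path)
                acl.setdefault(path, []).append((subj.get("name"), op))
    return acl

def load_specific(xml_text):
    # Model-specific syntax: the element names already mean "file" and "give".
    acl = {}
    for f in ET.fromstring(xml_text).findall("acl/file"):
        for give in f.findall("give"):
            op = _check_op(give.get("right"), f.get("name"))
            acl.setdefault(f.get("name"), []).append((give.get("user"), op))
    return acl
```

Both loaders produce the same table for the two documents, and a policy carrying an operation outside the model's set is rejected instead of silently accepted.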