[PATCH 0/1] Modify 'mdp' to output MLS and CIL policy source files.

I've updated the 'make dummy policy' (mdp) code that sits in the kernel tree to output a policy in CIL format. This has been tested against version 0.1 of the secilc CIL compiler as follows:

1) Patched the CIL compiler to fix initial SID problem (see [PATCH 1/1] CIL compiler - Generate initial SIDs correctly in binary policy).

2) Generated a non-MLS policy in CIL that is an exact replica of the original mdp output using:
	mdp -c policy.cil file_contexts
	secilc policy.cil

The binary policy was installed in the mdp policy path and the file_contexts file generated by mdp was installed in the mdp contexts/files path.

The SELinux config file was updated and set to permissive, the .autorelabel flag was added, and the system was rebooted. The file system was relabeled (lots of udevd errors about setfiles, but I ignored them), then rebooted. The system came up at run level 3 with no problems. I set it into enforcing mode with no issues or audit log entries. I checked process and file labels; all okay.

Notes:
1) The SELinux.txt file has been updated to show the additional options as I've also added the ability to output a simple MLS policy for checkpolicy. The only problem I had with this is that checkpolicy insisted on having at least one mlsconstrain statement added before it would build the policy. I've also tested this with no reported errors.

2) I tested an MLS policy generated by the CIL compiler:
		mdp -c policy.cil file_contexts
		secilc -M policy.cil

This tested okay; however, I had to add :s0:c0 to the file_contexts file entries to get relabeling to work. This is because CIL seems to insist on at least one sensitivity and one category.

3) All this was tested on Fedora-16 Alpha release.

Richard
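
Note 2 above says :s0:c0 had to be added to the file_contexts entries before relabeling worked. One way to script that edit, as an added example that is not part of the original message or the mdp patch; the function names, the default range argument and the sample entries are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the mdp patch): append an MLS range to every
# file_contexts entry that lacks one. Function names and the sample data
# below are assumptions made for this illustration.

# add_mls_range [RANGE]: filter stdin to stdout; RANGE defaults to s0:c0.
add_mls_range() {
    awk -v range="${1:-s0:c0}" '
        # Comments and blank lines pass through unchanged.
        /^[ \t]*(#|$)/ { print; next }
        # An entry is "pathregex [-type] context"; anything shorter is left alone.
        NF < 2 { print; next }
        {
            ctx = $NF
            # "<<none>>" tells setfiles not to label the path at all.
            if (ctx == "<<none>>") { print; next }
            # user:role:type has three fields; four or more means a range
            # is already present, so a second run changes nothing.
            if (split(ctx, part, ":") != 3) { print; next }
            line = $0
            sub(/[ \t]+$/, "", line)      # drop trailing blanks before appending
            print line ":" range
        }
    '
}

# Constructed sample input (not the real mdp output).
sample_file_contexts() {
    cat <<'EOF'
# constructed sample
/ user_u:base_r:base_t
/.* user_u:base_r:base_t
/dev/null -c user_u:base_r:base_t:s0
/proc(/.*)? <<none>>
EOF
}

# Usage: add_mls_range < file_contexts > file_contexts.mls
```

Because entries that already carry a range are skipped, the filter can be rerun on its own output without stacking a second :s0:c0 onto a context.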

