Re: Is the CIL project still active

Richard Haines wrote:
Glad to hear it's still going as I started converting the Android
policy to CIL using the current compiler that works OK so far. However,
I'm having problems defining 'sets of classes', for example with M4:

Since it is a small policy it should be possible to do a real, semantic conversion (using blocks and ignoring legacy file types). Is that what you are doing?

However, I'm not sure if CIL will be able to be in Android anytime soon. It could still be used on the host side like checkpolicy/libsepol are now but since CIL is currently statically linked against libsepol (GPL) it would be prohibited in the AOSP userspace IIUC.


define(`dir_file_class_set (dir file lnk_file sock_file fifo_file
chr_file blk_file))

I've tried various methods using classmap/classmapping etc. but failed
to work out how to define in CIL:

mlsconstrain dir_file_class_set { create relabelfrom relabelto }
(l2 eq h2 and (l1 eq l2 or t1 == mlstrustedsubject));

I can produce CIL mlsconstrain statements when I define them with each
class separately but not as a set. Is it possible with the current
release of CIL? (If not, I'll just produce an entry for each class so
I can continue.)

Thanks
Richard


--- On Fri, 20/7/12, James Carter <jwcart2@xxxxxxxxxxxxx> wrote:

From: James Carter <jwcart2@xxxxxxxxxxxxx>
Subject: Re: Is the CIL project still active
To: "Richard Haines" <richard_c_haines@xxxxxxxxxxxxxx>
Cc: selinux@xxxxxxxxxxxxx
Date: Friday, 20 July, 2012, 20:13
On Fri, 2012-07-20 at 19:39 +0100, Richard Haines wrote:
Does anyone know the status of the CIL project as it
looked useful and would seem ideal for SEAndroid.

There are still a few more bugs that need to be fixed so that it can
correctly compile a CIL-transformed Refpolicy. Progress has been slow
recently, but it is not going to be abandoned.

--
James Carter<jwcart2@xxxxxxxxxxxxx>
National Security Agency




--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to
majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.

