On Sun, 2012-07-29 at 21:10 +0100, Richard Haines wrote:
> I'm only planning to run this in the same way as checkpolicy so not
> worried about AOSP etc.
>
> I'm using the most suitable CIL statements (block, macro etc.), but as
> the policy is limited, not that many. I've converted all modules to
> blocks, figured out the classmap/classmapping statements and almost
> finished, although I'll probably wait for the next CIL release as I
> have come across three minor problems:
>
> 1) Cannot call a macro within a booleanif block.
>

That has been fixed at some point since the last release.

> 2) The mlsconstrain statements seem to be generated in reverse order but
> need to check manually as APOL etc doesn't handle them.

Generated in the binary in reverse order? I don't understand what you
are referring to here.

> Are there any
> utilities that will allow me to compare mlsconstrain statements within
> a binary policy?
>

sediff doesn't handle constraints and I don't know of a tool that will
do that comparison.

> 3) Cannot generate a file context without at least one category (example
> always wants s0:c0-s0:c0 instead of the normal s0).
>

This does need to be fixed.

> Otherwise the current CIL compiler is running well.
>

Thanks for your feedback.

Jim

> Richard
>
> --- On Tue, 24/7/12, Joshua Brindle <method@xxxxxxxxxxxxxxx> wrote:
>
> > From: Joshua Brindle <method@xxxxxxxxxxxxxxx>
> > Subject: Re: Is the CIL project still active
> > To: "Richard Haines" <richard_c_haines@xxxxxxxxxxxxxx>
> > Cc: jwcart2@xxxxxxxxxxxxx, "Jeremy Solt" <jsolt@xxxxxxxxxx>, selinux@xxxxxxxxxxxxx
> > Date: Tuesday, 24 July, 2012, 13:29
> > Richard Haines wrote:
> > > Glad to hear it's still going as I started converting the Android
> > > policy to CIL using the current compiler that works ok so far. However
> > > I'm having problems defining 'sets of classes' for example with M4:
> >
> > Since it is a small policy it should be possible to do a real, semantic
> > conversion (using blocks and ignoring legacy file types). Is that what
> > you are doing?
> >
> > However, I'm not sure if CIL will be able to be in Android anytime soon.
> > It could still be used on the host side like checkpolicy/libsepol are
> > now but since CIL is currently statically linked against libsepol (GPL)
> > it would be prohibited in the AOSP userspace IIUC.
> >
> > >
> > > define(`dir_file_class_set (dir file lnk_file sock_file fifo_file
> > > chr_file blk_file))
> > >
> > > I've tried various methods using classmap/classmapping etc. but failed
> > > to work out how to define in CIL:
> > >
> > > mlsconstrain dir_file_class_set { create relabelfrom relabelto }
> > > (l2 eq h2 and (l1 eq l2 or t1 == mlstrustedsubject));
> > >
> > > I can produce CIL mlsconstrain statements when I define them with each
> > > class separately but not as a set. Is it possible with the current
> > > release of CIL? (if not I'll just produce an entry for each class so
> > > I can continue).
> > >
> > > Thanks
> > > Richard
> > >
> > >
> > > --- On Fri, 20/7/12, James Carter<jwcart2@xxxxxxxxxxxxx> wrote:
> > >
> > >> From: James Carter<jwcart2@xxxxxxxxxxxxx>
> > >> Subject: Re: Is the CIL project still active
> > >> To: "Richard Haines"<richard_c_haines@xxxxxxxxxxxxxx>
> > >> Cc: selinux@xxxxxxxxxxxxx
> > >> Date: Friday, 20 July, 2012, 20:13
> > >> On Fri, 2012-07-20 at 19:39 +0100, Richard Haines wrote:
> > >>> Does anyone know the status of the CIL project as it
> > >>> looked useful and would seem ideal for SEAndroid.
> > >>
> > >> There are still a few more bugs that need to be fixed so that it can
> > >> correctly compile a CIL-transformed Refpolicy. Progress has been slow
> > >> recently, but it is not going to be abandoned.
> > >>
> > >> --
> > >> James Carter<jwcart2@xxxxxxxxxxxxx>
> > >> National Security Agency
> > >>
> > >
> > > --
> > > This message was distributed to subscribers of the selinux mailing list.
> > > If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
> > > the words "unsubscribe selinux" without quotes as the message.

--
James Carter <jwcart2@xxxxxxxxxxxxx>
National Security Agency
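
Added example, not part of the thread and not code from the CIL project: a sketch of the per-class workaround discussed above (one mlsconstrain entry per class of dir_file_class_set) together with an order-insensitive comparison of mlsconstrain statements. It assumes the constraints are available as kernel policy language text (it does not read a binary policy), and the names CLASS_SETS, ORIGINAL, expand, render and diff are hypothetical.

```python
import re

# Constructed input: the class set and constraint quoted in the thread,
# written as kernel policy language (not CIL).
CLASS_SETS = {"dir_file_class_set": ["dir", "file", "lnk_file", "sock_file",
                                     "fifo_file", "chr_file", "blk_file"]}
ORIGINAL = """
mlsconstrain dir_file_class_set { create relabelfrom relabelto }
    (l2 eq h2 and (l1 eq l2 or t1 == mlstrustedsubject));
"""

# classes and permissions are either one identifier or a { ... } list
STMT = re.compile(
    r"mlsconstrain\s+(\{[^}]*\}|\S+)\s+(\{[^}]*\}|\S+)\s+(.*?);", re.S)

def _names(token):
    """Split '{ a b }' or a bare identifier into a list of names."""
    return token.strip("{} \t\n").split()

def expand(policy_text, class_sets=CLASS_SETS):
    """Return {(class, frozenset(perms), expr)}, one tuple per single class."""
    out = set()
    for classes, perms, expr in STMT.findall(policy_text):
        expr = " ".join(expr.split())  # whitespace-normalise; text compare only
        for name in _names(classes):
            for cls in class_sets.get(name, [name]):
                out.add((cls, frozenset(_names(perms)), expr))
    return out

def render(constraints):
    """Emit one mlsconstrain statement per class in a stable sorted order."""
    ordered = sorted(constraints, key=lambda t: (t[0], sorted(t[1]), t[2]))
    return [f"mlsconstrain {c} {{ {' '.join(sorted(p))} }} {e};"
            for c, p, e in ordered]

def diff(a_text, b_text):
    """Order-insensitive comparison: (only in a, only in b)."""
    a, b = expand(a_text), expand(b_text)
    return a - b, b - a

if __name__ == "__main__":
    print("\n".join(render(expand(ORIGINAL))))
```

The expression is compared as whitespace-normalised text, so two logically equivalent but differently written expressions are reported as different.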