Re: Common Intermediate Language (CIL) Update

Thanks for the bad news. Anyway, I've been trying the classmap / classmapping and I'm not sure if this is a bug or
another change. The sample I've been using is (I just modified the test policy):

    (classmap files_rw (read write))

    (classmapping files_rw read
        (file (open read getattr)))

    (classmapping files_rw write
        (file (execute_no_trans entrypoint execmod open audit_access))
        (file (open write setattr)))

However the results vary between your version and the Tresys version as follows:

secil from git clone http://oss.tresys.com/git/cil.git cil
allow policy.console_t policy.t_1 : policy.file { write setattr execute_no_trans entrypoint execmod open audit_access } ;
allow policy.console_t policy.t_2 : policy.file { read getattr open } ;

secil from git clone https://jwcarter@xxxxxxxxxxxxx/jwcarter/secilc.git
allow policy.console_t policy.t_1 : policy.file { execute_no_trans entrypoint execmod open audit_access } ;
allow policy.console_t policy.t_2 : policy.file { read getattr open } ;

I think the Tresys version is correct (well, I hope so).

Richard
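As an added illustration of the behaviour Richard expects (example code, not from the thread or from secilc), here is a small Python model of how classmap/classmapping statements expand a CIL allow rule into kernel-class permission sets. It assumes, as the Tresys output above shows, that repeated classmapping statements for the same mapping accumulate their permissions; the two allow rules and the type names console_t, t_1 and t_2 are constructed to match the rules in the thread.

```python
import re
from collections import defaultdict

def parse_sexp(text):
    """Parse CIL s-expressions into nested lists of strings."""
    stack = [[]]
    for tok in re.findall(r'\(|\)|[^\s()]+', text):
        if tok == '(':
            stack.append([])
        elif tok == ')':
            node = stack.pop()
            stack[-1].append(node)
        else:
            stack[-1].append(tok)
    return stack[0]

def classmappings(stmts):
    """{(classmap, mapping): {class: perms}}; repeated statements accumulate (assumption)."""
    maps = defaultdict(lambda: defaultdict(set))
    for s in stmts:
        if s[0] == 'classmapping':
            _, cmap, name, *entries = s
            for cls, perms in entries:
                maps[(cmap, name)][cls].update(perms)
    return maps

def expand_allows(stmts):
    """Expand (allow src tgt (classmap (mapping ...))) into (src, tgt, class, perms) rules."""
    maps, rules = classmappings(stmts), []
    for _, src, tgt, (cmap, names) in (s for s in stmts if s[0] == 'allow'):
        merged = defaultdict(set)
        for name in names:
            for cls, perms in maps[(cmap, name)].items():
                merged[cls] |= perms
        rules += [(src, tgt, cls, sorted(p)) for cls, p in merged.items()]
    return rules

# Constructed input: Richard's sample plus two allow rules that use the mappings.
POLICY = """
(classmap files_rw (read write))
(classmapping files_rw read (file (open read getattr)))
(classmapping files_rw write (file (execute_no_trans entrypoint execmod open audit_access))
    (file (open write setattr)))
(allow console_t t_1 (files_rw (write))) (allow console_t t_2 (files_rw (read)))
"""

if __name__ == '__main__':
    for src, tgt, cls, perms in expand_allows(parse_sexp(POLICY)):
        print(f"allow {src} {tgt} : {cls} {{ {' '.join(perms)} }} ;")
```

Under the accumulating assumption the write rule carries all seven permissions (the Tresys result); the second secilc output above corresponds to only the last classmapping statement being kept.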


From: James Carter <jwcart2@xxxxxxxxxxxxx>
To: Richard Haines <richard_c_haines@xxxxxxxxxxxxxx>
Cc: SELinux List <selinux@xxxxxxxxxxxxx>
Sent: Thursday, 22 August 2013, 20:38
Subject: Re: Common Intermediate Language (CIL) Update

On 08/22/2013 12:30 PM, Richard Haines wrote:
> Thanks for the updated CIL that has many useful fixes, however I notice that you removed the "permissionset" statement. Is this to be dropped altogether or just in your version? (I've got lots in my test policy so thought I would ask before I change them all.)
>

Yes, it is. Permissions can no longer be referred to apart from their class. Not
only was the permissionset statement removed, but permissions can no longer be
passed as an argument to a call.

Either classpermissionset or classmapping statements can be used to replace
them. I am sorry to say that this is a little bit more work up front, but I
think it makes sense for the overall policy.


> Richard
>
>
>
> ________________________________
>  From: James Carter <jwcart2@xxxxxxxxxxxxx>
> To: SELinux List <selinux@xxxxxxxxxxxxx>
> Cc: Steve Lawrence <slawrence@xxxxxxxxxx>
> Sent: Monday, 29 July 2013, 18:36
> Subject: Common Intermediate Language (CIL) Update
>
>
> The CIL compiler, secilc, is now able to create MLS, MCS, and non-MLS binary policies from a slightly modified version of Refpolicy that has been converted to CIL.
>
> Anyone interested in trying CIL out can do the following:
>
> 1) Clone the CIL compiler and cilpolicy
> git clone https://jwcarter@xxxxxxxxxxxxx/jwcarter/secilc.git
> git clone https://jwcarter@xxxxxxxxxxxxx/jwcarter/cilpolicy.git
>
> 2) Build secilc
> cd secilc
> make
> cd ..
>
> 3) Build cilpolicy
> ./secilc/secilc `cat cilpolicy/LISTING`
>
>
> To build an MLS policy:
>
> Edit "cilpolicy/mls_declarations" and change "(tunable enable_mls false)" to "(tunable enable_mls true)"
>
> Build the MLS policy: ./secilc/secilc -M `cat cilpolicy/LISTING`
>
> MCS is similar.
>
>
> Anyone interested in trying to create their own CIL policy from Refpolicy can clone the Flask Policy Parser (fpp) from bitbucket and follow the instructions in the README. To clone fpp:
> git clone https://jwcarter@xxxxxxxxxxxxx/jwcarter/fpp.git
>
> -- James Carter <jwcart2@xxxxxxxxxxxxx>
> National Security Agency
>
> --
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
> the words "unsubscribe selinux" without quotes as the message.
>


--
James Carter <jwcart2@xxxxxxxxxxxxx>
National Security Agency
