On Fri, 2013-10-18 at 22:02 +0200, Dominick Grift wrote:
> On Fri, 2013-10-18 at 14:20 -0400, James Carter wrote:
> > I pushed an update of CIL to bitbucket.
>
> I had to do this, to make it compile (not sure what I might have broken
> by doing this):
>
> --- a/src/cil.c
> +++ b/src/cil.c
> @@ -1493,7 +1493,6 @@ void cil_userbounds_init(struct cil_userbounds
> **userbounds)
> *userbounds = cil_malloc(sizeof(**userbounds));
>
> (*userbounds)->user_str = NULL;
> - (*userbounds)->user = NULL;
> (*userbounds)->bounds_str = NULL;
> }
>
> Also a thing I noticed, which is unrelated to secilc, but related to
> cilpolicy is that the object_r role is associated to identities.
>
> The object_r string is not really a role, although it looks like it.
>
> It's just a string that is used as a place holder for the role security
> attribute of objects.
>
> Anyhow, I am going to write a minimum policy with secilc tomorrow I
> think, so maybe then I will find new bugs, insights.
>
> Thanks for your work

Been playing with this today and so far so good except for a few things:

Not sure if it's due to my incompetence or due to the line I removed (see above) from cil.c, but login programs (pam) are not able to get a valid context for my users. I believe I set all the associations up properly.

I noticed that no matter if you just want to create a default policy model, you always have to take the optional security models (MLS/MCS) into account at least to some degree. For example you need to specify current and clearance with filecon even if you wish to not use MLS/MCS.

Another thing I noticed which is loosely related is that if you build an MCS policy, and install it, then run restorecon -R -v -F, it will reset contexts using current and clearance (it has s0-s0 specified in file_contexts) no matter how many times you run it. It will always reset from s0 to s0-s0.

As said above already, I now also encountered the object_r issue myself: it sucks. One needs to allow the object_r role access to all types... object_r is not even a role (or at least it should not be AFAIK).

Lastly I have to get used to the CIL syntax. The documentation is a bit inaccurate. For example it seems that typeattributetypes was renamed to typeattributeset.
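Review bot: dropping `(*userbounds)->user = NULL;` only silences the compile error if the `user` member really was removed from `struct cil_userbounds` in the pushed update; that should be checked against the struct definition rather than assumed, because if the member still exists and the resolver later reads it, nothing in `cil_userbounds_init` initializes it any more, while the sibling `user_str` and `bounds_str` pointers are still explicitly set to NULL. If the member was renamed rather than removed, the matching fix is to update this initializer to the new name; if it was removed, any remaining reader of `->user` elsewhere should have gone with it, which is worth verifying given the login failure reported further down in this message.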
I was trying to associate 3 types to a single type attribute and I first encountered typeattributeset, and the example showed how it's supposed to be used with "and or xor not", and so I tried that, but it turned out you can only associate two types to a type attribute using any of those keywords. Later on I stumbled upon typeattributetypes, and the examples looked promising. It mentioned that you can use it to associate more types to the attribute with it. But when I tried it, it turned out it no longer existed. However, I tied the strings together and managed to associate 3 types to a single type attribute using the typeattributetypes example with the typeattributeset statement.

Also I was not able to write TE AV rules with two target types, e.g. where we previously used brace expansion: allow bla_t { foo_t bar_t }:file read; I tried several things like: (allow (bla_t ( foo_t bar_t)) all_file_perms), but no go.

It is just a matter of getting used to the new way of doing things, but I feel that it's very powerful, and I like it a lot. Also secilc seems nice and fast, especially if it also takes care of the neverallow rules (doing that with semodule link/expand takes ages).

So, yea, the only pressing issue now for me is to get my users to log in. I have created a nice minimal policy today with CIL and other than this issue it works great!

> Classes: 54 Permissions: 193
> Sensitivities: 1 Categories: 1024
> Types: 4 Attributes: 1
> Users: 1 Roles: 2
> Booleans: 0 Cond. Expr.: 0
> Allow: 54 Neverallow: 0
> Auditallow: 0 Dontaudit: 0
> Type_trans: 0 Type_change: 0
> Type_member: 0 Role allow: 0
> Role_trans: 0 Range_trans: 0
> Constraints: 0 Validatetrans: 0
> Initial SIDs: 27 Fs_use: 23
> Genfscon: 84 Portcon: 2
> Netifcon: 0 Nodecon: 0
> Permissives: 0 Polcap: 2

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with the words "unsubscribe selinux" without quotes as the message.
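The two syntax problems raised in the message above (gathering three types under one attribute, and an allow rule with more than one target type) are both handled in CIL by declaring an attribute and writing the rule against the attribute, since CIL has no brace expansion. This is an added example, not code from the thread; it follows the syntax of the current secilc CIL reference, which may differ from the 2013 snapshot being discussed, the type, attribute and permission-set names are made up, and the `file` class, its permissions and the `object_r` role are assumed to be declared elsewhere in the policy.

```cil
; Constructed example: three object types that one subject type may read.
(type bla_t)
(type foo_t)
(type bar_t)
(type baz_t)

; A plain list associates any number of types with the attribute; the
; and/or/xor/not operators are only needed when combining existing sets.
(typeattribute bla_read_targets)
(typeattributeset bla_read_targets (foo_t bar_t baz_t))

; Named permission set, standing in for the refpolicy all_file_perms macro.
(classpermission file_read_perms)
(classpermissionset file_read_perms (file (read getattr open)))

; One rule covers every type in the attribute, replacing the old
;   allow bla_t { foo_t bar_t baz_t }:file read;
(allow bla_t bla_read_targets file_read_perms)

; As the message notes, this version still needs object_r associated with
; each type that labels objects, otherwise file contexts are invalid.
(roletype object_r foo_t)
(roletype object_r bar_t)
(roletype object_r baz_t)
```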