On 09/09/2016 07:35 AM, James Carter wrote:
> On 09/09/2016 08:29 AM, James Carter wrote:
>> On 09/08/2016 04:37 PM, Daniel Cashman wrote:
>>> On 09/08/2016 01:30 PM, Daniel Cashman wrote:
>>>> From: dcashman <dcashman@xxxxxxxxxxx>
>>>>
>>>> cil_gen_policy() appears to exist to generate a policy.conf corresponding to the
>>>> original SELinux HLL from a cil_db struct. All of libsepol/cil/src/cil_policy.c
>>>> appears to exist to support this functionality. This patchset provides some
>>>> fixes for issues encountered when trying to go from android's policy.conf to a
>>>> CIL representation (via checkpolicy) and then back to the HLL representation via
>>>> cil_gen_policy().
>>>>
>>>> dcashman (5):
>>>>   libsepol: cil: Add userrole mapping to cil_gen_policy().
>>>>   libsepol: cil: Remove duplicate sid policy declaration.
>>>>   libsepol: cil: Replace sensitivityorder statement.
>>>>   libsepol: cil: Fix CIL_OP data assignment.
>>>>   libsepol: cil: Add cil_constraint_expr_to_policy()
>>>>
>>>>  libsepol/cil/src/cil_policy.c | 235 ++++++++++++++++++++++++++++++++++++++++--
>>>>  1 file changed, 224 insertions(+), 11 deletions(-)
>>>>
>>>
>>> I suspect that the "proper" fix here is to just remove all of
>>> libsepol/cil/src/cil_policy.c, so I can put that patch together too if
>>> desired.
>>>
>>
>> Yes, that code was used early on to help with debugging the CIL compiler, but
>> hasn't been maintained. I've wanted to go back and fix it, but there didn't seem
>> to be any use case needing it before now.
>>
>> If that functionality would be valuable to you, I would be glad to work on this.
>>
>> I think the right course would be to move this out of libsepol like secilc is.
>>
>
> The caffeine hadn't kicked in yet. cil_policy.c is like cil_binary.c and
> should stay where it is.
>
> Jim
>

Yes, it requires access to the cil_db internals, most-importantly the ast.
I'm trying to do similar processing to replace types and attributes to
new attributes (what I'm calling 'attributizing') for portions of
policy. Thus, I think any changes I make will also have to live in
libsepol, although we'll see eventually how acceptable they are for
upstream.

As for the usefulness of cil_gen_policy(), my actual desire was to get
some CIL -> CIL code, perhaps a cil_write_ast() used as part of a
cil_gen_cil() function, that would allow me to make some AST
modifications and then produce transformed CIL policy. I noticed
cil_gen_policy() as a potential shortcut to allow me to postpone that
further. I don't currently see a need for cil_gen_policy() outside of
testing other changes, so I submitted the fixes I'd come up with before
deciding to continue with another approach.

Dan

>> Jim
>>
>>> The patches in this patchset do not address all of the bugs I
>>> encountered trying to go from HLL -> CIL -> HLL. Since I was using this
>>> as a temporary work-around, I decided to move on and submit these, in
>>> case rescuing cil_gen_policy() is desired; the additional changes needed
>>> were becoming more invasive (similar to the 5th patch in this set) and
>>> less bug-fix-like.
>>>
>>> Thank You,
>>> Dan
>>>
>>
>>
>
>