On 09/11/2018 03:29 PM, Stephen Smalley wrote:
On 09/11/2018 02:49 PM, Ted Toth wrote:
Yes, I too noticed the translate permission but couldn't find any info
related to its intended purpose. Regarding CIL, unfortunately I have
zero experience with it, but I've installed the compiler and started
reading through https://github.com/SELinuxProject/cil/wiki (any other
pointers to useful info would be appreciated). I have written lots of
policy; would it be possible to add a class/permissions/mlsconstraints
in an old-fashioned policy module?
The older binary modules didn't support those kinds of statements
outside of the base module. Try this:
$ cat > mcstrans.cil <<EOF
; define a mcstrans class with one permission color_use
(class mcstrans (color_use))
; allow all domains mcstrans color_use permission to themselves
(allow domain self (mcstrans (color_use)))
; only allow mcstrans color_use permission when h1 dominates h2
(mlsconstrain (mcstrans (color_use)) (dom h1 h2))
; append the new mcstrans class to the end after all others
(classorder (unordered mcstrans))
EOF
$ sudo semodule -i mcstrans.cil
Then try performing permission checks with "mcstrans" as your class and
"color_use" as your permission, between a domain and itself, with
different levels.
BTW, an easy way to find CIL syntax for something is to look at how it
is done in the base module. You can extract a copy of that via
semodule -c -E base, then bring up base.cil in your favorite editor/viewer.
_______________________________________________
Selinux mailing list
Selinux@xxxxxxxxxxxxx
To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
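The permission check Stephen describes, modelled offline as an added example (not code from this thread, from libselinux or from mcstrans): a Python re-implementation of what the module's `allow domain self` rule and its `(dom h1 h2)` mlsconstrain decide for two contexts of the same domain at different levels. The set of domain types is constructed for the example; on a real system with the module loaded, the equivalent check is libselinux's `selinux_check_access(scon, tcon, "mcstrans", "color_use", NULL)`.

```python
"""Userspace model of the mcstrans/color_use decision from the CIL module.

This is an illustration of the policy semantics, not libselinux: on a
real system use selinux_check_access(scon, tcon, "mcstrans", "color_use", NULL).
"""

# Constructed stand-in for the 'domain' attribute used by the allow rule.
DOMAINS = {"mcstransd_t", "unconfined_t"}


def parse_categories(spec):
    """Expand a category spec such as 'c0.c3,c7' into {0, 1, 2, 3, 7}."""
    cats = set()
    if not spec:
        return cats
    for part in spec.split(","):
        if "." in part:                       # range c<lo>.c<hi>, inclusive
            lo, hi = part.split(".")
            cats.update(range(int(lo[1:]), int(hi[1:]) + 1))
        else:                                 # single category c<n>
            cats.add(int(part[1:]))
    return cats


def parse_level(level):
    """'s2:c0.c5' -> (2, {0..5}); 's0' -> (0, set())."""
    sens, _, cats = level.partition(":")
    return int(sens[1:]), parse_categories(cats)


def high_level(context):
    """Return h, the high end of the MLS range, from user:role:type:low[-high]."""
    fields = context.split(":", 3)
    if len(fields) < 4:                       # no MLS field: treat as s0
        return (0, set())
    low, _, high = fields[3].partition("-")
    return parse_level(high or low)


def dominates(h1, h2):
    """(dom h1 h2): sensitivity of h1 >= h2 and categories of h1 a superset."""
    return h1[0] >= h2[0] and h1[1] >= h2[1]


def color_use_allowed(scon, tcon):
    """Decide mcstrans:color_use for source/target contexts under the module."""
    stype, ttype = scon.split(":")[2], tcon.split(":")[2]
    # 'allow domain self': source must be a domain and target the same type.
    if stype not in DOMAINS or stype != ttype:
        return False
    # 'mlsconstrain (dom h1 h2)': source high level must dominate target high level.
    return dominates(high_level(scon), high_level(tcon))
```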