On Fri, Sep 14, 2018 at 04:18:29PM -0500, Ted Toth wrote: > On Wed, Sep 12, 2018 at 9:57 AM Ted Toth <txtoth@xxxxxxxxx> wrote: > > > > > > > On Wed, Sep 12, 2018 at 9:36 AM Dominick Grift <dac.override@xxxxxxxxx> > > wrote: > > > >> On Wed, Sep 12, 2018 at 09:57:20AM -0400, Stephen Smalley wrote: > >> > On 09/12/2018 09:26 AM, Ted Toth wrote: > >> > > > >> > > > >> > > On Wed, Sep 12, 2018 at 8:04 AM Stephen Smalley <sds@xxxxxxxxxxxxx > >> > > <mailto:sds@xxxxxxxxxxxxx>> wrote: > >> > > > >> > > On 09/11/2018 04:59 PM, Ted Toth wrote: > >> > > > That's awesome and now it's got me thinking about other > >> > > > classes/permissions that we could implement. Can cil macros > >> can be > >> > > > referenced in .te/.if files? > >> > > > >> > > Not sure I understand your question. You can't directly embed cil > >> > > statements in .te/.if files. However, if you define a > >> class/permission > >> > > in a .cil module, you can certainly specify a require on it and > >> use it > >> > > from a conventional .te/.if module, ala: > >> > > $ cat > usemcstrans.te <<EOF > >> > > policy_module(usemcstrans, 1.0) > >> > > > >> > > require { > >> > > class mcstrans { color_use }; > >> > > attribute domain; > >> > > } > >> > > > >> > > allow domain self:mcstrans color_use; > >> > > EOF > >> > > > >> > > $ make -f /usr/share/selinux/devel/Makefile usemcstrans.pp > >> > > $ sudo semodule -i usemcstrans.pp > >> > > > >> > > > >> > > If the cil contained: > >> > > > >> > > (macro use_color (type caller) (allow caller self mcstrans > >> (color_use))) > >> > > > >> > > then in x.te can I use the macro: > >> > > > >> > > type x_t; > >> > > use_color(x_t) > >> > > >> > Sorry, no. The macros used in .te/.if files are just m4 definitions > >> handled > >> > at the preprocessing stage, not a feature of the module language. The > >> CIL > >> > macros are directly supported by the CIL compiler, but they won't be > >> visible > >> > to the module compiler. Also, you are missing several parentheses above > >> > (I'm not fond of the lisp-like syntax myself). In a CIL module, I > >> think the > >> > correct syntax would be: > >> > > >> > (macro use_color ((type caller)) (allow caller self (mcstrans > >> (color_use)))) > >> > > >> > (call use_color(x_t)) > >> > > >> > Or you could define a m4 macro in an .if file and use that in a .te > >> file. > >> > Or both. > >> > > >> > >> Ideally you would have all of your policy written in CIL or in a > >> high-level language that was designed to leverage CIL. > >> > > > > Unfortunately I/we don't live in an ideal world :( but thanks for the > > pointers. > > > > > >> > >> My DSSP2 policy is a CIL-only policy. In there I also leverage unordered > >> classes, Meaning that for example if you remove or disable the mcstrans > >> module then you automatically also remove or disable the access vectors > >> that mcstrans manages. > >> > >> minimal: > >> > >> https://github.com/DefenSec/dssp2-minimal > >> > >> standard (my personal policy based on top of minimal): > >> > >> https://github.com/DefenSec/dssp2-standard/commits/master > >> > >> DSSP2 does not support enforcement of confidentiality though > >> > >> > _______________________________________________ > >> > Selinux mailing list > >> > Selinux@xxxxxxxxxxxxx > >> > To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx. > >> > To get help, send an email containing "help" to > >> Selinux-request@xxxxxxxxxxxxx. > >> > >> -- > >> Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02 > >> https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02 > >> Dominick Grift > >> > > > I added a security class and permission using the following cil: > (block mcstrans > (typeattributeset cil_gen_require setrans_t) > (typeattributeset cil_gen_require user_t) > (class level_color (pick_using_dominance)) > (classorder (unordered level_color)) > > (mlsconstrain (level_color (pick_using_dominance)) (dom h1 h2)) > > (allow setrans_t self (level_color (pick_using_dominance)))) > > and this works for the mcscolor code I changed to use it. However I wrote > some python code to test the class/permission (using > security_compute_av_raw) and ran it before adding an allow rule for the > python code type and no avc was generated as I'd expected. Is there > anything different about adding a security class this way that would affect > avc generation? Did you look for type=user_avc messages? Is setrans using "selinux_access_check()" instead of "avc_has_perm()"? > _______________________________________________ > Selinux mailing list > Selinux@xxxxxxxxxxxxx > To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx. > To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx. -- Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02 https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02 Dominick Grift
Attachment:
signature.asc
Description: PGP signature
_______________________________________________ Selinux mailing list Selinux@xxxxxxxxxxxxx To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx. To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
