On Mon, Oct 28, 2019 at 2:07 AM Ian Pilcher <arequipeno@xxxxxxxxx> wrote:
>
> I have a policy module that consists of a .te and an .fc file. I would
> like to add a "portcon" rule to this module, which (AFAIK) can only be
> done in CIL "format."
>
> What I've got today is:
>
> 1. Build a "traditional" .pp file
> (make -f /usr/share/selinux/devel/Makefile).
>
> 2. Use /usr/libexec/selinux/hll/pp to convert the .pp file to a .cil
> file.
>
> 3. Add the port context rule to the .cil file.
>
> Is this the best/only way to do this?

"portcon" is what is used in refpolicy's corenetwork module: corenetwork.te.in [1] contains lines such as:

network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0)

and "network_port" is a macro defined in corenetwork.te.m4 [2], that expands to lines similar to:

type http_port_t, port_type, defined_port_type;
portcon tcp 80 gen_context(system_u:object_r:http_port_t,s0)
portcon tcp 443 gen_context(system_u:object_r:http_port_t,s0)
...

I have not tested whether these statements are supported in policy modules other than in the "base" module (if I remember correctly, "base" is no longer a special module but there could be things I missed).

What led you to state that "portcon" rules can only be done in CIL? (For example did you encounter an error while building the .pp module?)

Thanks,
Nicolas

[1] https://github.com/SELinuxProject/refpolicy/blob/RELEASE_2_20190609/policy/modules/kernel/corenetwork.te.in
[2] https://github.com/SELinuxProject/refpolicy/blob/RELEASE_2_20190609/policy/modules/kernel/corenetwork.te.m4
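The expansion Nicolas describes (one network_port() call becoming a type declaration plus one portcon line per protocol/port/level triple) is small enough to work through in code. The following Python script is an added example written for this thread; it is not refpolicy's m4 macro and not part of either message. It parses a network_port(...) call as it appears in corenetwork.te.in, validates the port numbers and protocols, and emits the .te statements in the form the reply quotes. It also renders the same rules in CIL, which is the format Ian's current workflow ends up editing by hand; the CIL spelling used here (`(portcon tcp 80 (system_u object_r http_port_t ((s0) (s0))))`, with a port range written as `(low high)`) is an assumption from my own reading of secilc output, not something the thread itself states, so compare it against the .cil that /usr/libexec/selinux/hll/pp produces for your module before relying on it.

```python
"""Expand refpolicy-style network_port() calls into .te and CIL port labels.

Added example for the thread above; the .te output mirrors the lines quoted in
the reply, the CIL output is an assumed rendering (check it against hll/pp).
"""
import re

_CALL_RE = re.compile(r"network_port\s*\((.*?)\)", re.S)
_PROTOCOLS = ("tcp", "udp", "sctp", "dccp")


def _check_port(port):
    """Accept a single port or a low-high range, both within 1..65535."""
    parts = port.split("-")
    if len(parts) > 2 or not all(p.isdigit() for p in parts):
        raise ValueError("bad port spec %r" % port)
    nums = [int(p) for p in parts]
    if any(n < 1 or n > 65535 for n in nums) or nums != sorted(nums):
        raise ValueError("port out of range %r" % port)
    return nums


def parse_network_port(call):
    """Return (name, [(protocol, port, level), ...]) for one macro call."""
    m = _CALL_RE.search(call)
    if not m:
        raise ValueError("not a network_port() call: %r" % call)
    args = [a.strip() for a in m.group(1).split(",") if a.strip()]
    if not args:
        raise ValueError("network_port() needs a name argument")
    name, rest = args[0], args[1:]
    if len(rest) % 3:
        raise ValueError("expected protocol,port,level triples after %r" % name)
    triples = []
    for i in range(0, len(rest), 3):
        proto, port, level = rest[i:i + 3]
        if proto not in _PROTOCOLS:
            raise ValueError("unknown protocol %r" % proto)
        _check_port(port)
        triples.append((proto, port, level))
    return name, triples


def expand_te(name, triples):
    """Emit the .te form quoted in the reply (type + one portcon per triple)."""
    lines = ["type %s_port_t, port_type, defined_port_type;" % name]
    for proto, port, level in triples:
        lines.append("portcon %s %s gen_context(system_u:object_r:%s_port_t,%s)"
                     % (proto, port, name, level))
    return lines


def expand_cil(name, triples):
    """Emit an assumed CIL rendering of the same rules (hypothetical form)."""
    t = "%s_port_t" % name
    lines = ["(type %s)" % t,
             "(typeattributeset port_type (%s))" % t,
             "(typeattributeset defined_port_type (%s))" % t]
    for proto, port, level in triples:
        nums = _check_port(port)
        cil_port = str(nums[0]) if len(nums) == 1 else "(%d %d)" % tuple(nums)
        # Anonymous context: user role type and a level range (low high).
        lines.append("(portcon %s %s (system_u object_r %s ((%s) (%s))))"
                     % (proto, cil_port, t, level, level))
    return lines


if __name__ == "__main__":
    # The http line from corenetwork.te.in, as quoted in the reply.
    sample = ("network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, "
              "tcp,8008,s0, tcp,8009,s0, tcp,8443,s0)")
    name, triples = parse_network_port(sample)
    print("\n".join(expand_te(name, triples)))
    print()
    print("\n".join(expand_cil(name, triples)))
```

Feeding the script a single call of your own (for example one with a port range such as `tcp,5000-5999,s0`) shows both spellings side by side, which is handy when checking that a hand-added CIL portcon matches what the .te route would have generated.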