On 10/27/19 9:07 PM, Ian Pilcher wrote:
> I have a policy module that consists of a .te and an .fc file. I would
> like to add a "portcon" rule to this module, which (AFAIK) can only be
> done in CIL "format."
>
> What I've got today is:
>
> 1. Build a "traditional" .pp file
>    (make -f /usr/share/selinux/devel/Makefile).
> 2. Use /usr/libexec/selinux/hll/pp to convert the .pp file to a .cil
>    file.
> 3. Add the port context rule to the .cil file.
>
> Is this the best/only way to do this?
Alternatives:
1) Use semanage port to add the port context instead of including it in
the policy module, or
2) Rewrite the module in CIL or start using the automatically converted
one going forward as the preferred source form of your module.
Eventually, a high level policy language is anticipated to be created on
top of CIL that will offer the full flexibility of CIL along with some
of the syntactic niceties of .te as well as newer high level features.
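The three-step workflow from the question, written out as a script (an added example, not from either poster), with a small helper that appends the portcon statement to the generated CIL idempotently so the script can be re-run after every rebuild. It assumes a module named mymodule, a port type mymodule_port_t declared in the .te, and that the pp converter accepts input and output file paths; the semanage command from the reply's first alternative is shown as a comment.

```shell
#!/bin/sh
# Assumptions (not from the thread): module name "mymodule", port type
# mymodule_port_t, and /usr/libexec/selinux/hll/pp taking IN_FILE OUT_FILE.
set -eu

MODULE=${MODULE:-mymodule}
# Use the name exactly as it appears in the generated .cil (it may carry a
# block prefix); override with PORT_TYPE=... if needed.
PORT_TYPE=${PORT_TYPE:-${MODULE}_port_t}

# Steps 1 and 2: build the .pp with the devel Makefile, convert it to CIL.
build_cil_module() {
    make -f /usr/share/selinux/devel/Makefile "$MODULE.pp"
    /usr/libexec/selinux/hll/pp "$MODULE.pp" "$MODULE.cil"
}

# Step 3: append a top-level portcon statement, e.g.
#   (portcon tcp 8080 (system_u object_r mymodule_port_t ((s0) (s0))))
# Skips the append when an identical statement is already present, so
# re-running after a rebuild never duplicates the rule.
# Usage: add_portcon FILE PROTO PORT TYPE
add_portcon() {
    file=$1; proto=$2; port=$3; type=$4
    stmt="(portcon $proto $port (system_u object_r $type ((s0) (s0))))"
    if grep -qF -- "$stmt" "$file"; then
        return 0
    fi
    printf '%s\n' "$stmt" >> "$file"
}

# Number of portcon statements for PROTO/PORT in FILE: a sanity check
# before loading the module, since more than one means a duplicate rule.
count_portcon() {
    grep -c -- "^(portcon $2 $3 " "$1" || true
}

# Only touch the SELinux toolchain when explicitly asked, so the helpers
# above can be exercised on a machine without it.
if [ "${1:-}" = "install" ]; then
    build_cil_module
    add_portcon "$MODULE.cil" tcp 8080 "$PORT_TYPE"
    semodule -i "$MODULE.cil"
    # Alternative from the reply, without editing the CIL at all:
    #   semanage port -a -t "$PORT_TYPE" -p tcp 8080
fi
```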