Hello,

I've recently started playing with CIL and for various reasons I wanted to start with the smallest possible policy. After having some issues with a tiny CIL policy that compiles but does not actually load, I tracked it down to a hard requirement (of the kernel?) on the permission `transition` of the `process` class.

Is there a reason for this or is this a bug?

Kernel: Linux selinux-pr-test5 5.6.0-2-amd64 #1 SMP Debian 5.6.14-1 (2020-05-23) x86_64 GNU/Linux
policycoreutils: 3.0-1

Thanks for your help,
bauen1

; vim: syntax=lisp :

;; initial sids these can be mostly removed after selinux 3.1 and linux 5.7
(sid kernel)
(sid any_socket)
(sid devnull)
(sid file)
(sid file_labels)
(sid fs)
(sid icmp_socket)
(sid igmp_packet)
(sid init)
(sid kmod)
(sid netif)
(sid netmsg)
(sid node)
(sid policy)
(sid port)
(sid scmp_packet)
(sid security)
(sid sysctl)
(sid sysctl_dev)
(sid sysctl_fs)
(sid sysctl_kernel)
(sid sysctl_modprobe)
(sid sysctl_net)
(sid sysctl_net_unix)
(sid sysctl_vm)
(sid tcp_socket)
(sid unlabeled)
(sidorder (kernel any_socket devnull file file_labels fs icmp_socket igmp_packet init kmod netif netmsg node policy port scmp_packet security sysctl sysctl_dev sysctl_fs sysctl_kernel sysctl_modprobe sysctl_net sysctl_net_unix sysctl_vm tcp_socket unlabeled))

;; these are requirements for compiling the policy
(user kernel_u)
(role kernel_r)
(type kernel_t)
(sensitivity s0)
(sensitivityorder (s0))
(level low (s0))
(level high (s0))
(levelrange lowhigh (low high))
(userrange kernel_u lowhigh)
(userlevel kernel_u low)
(userrole kernel_u kernel_r)
(roletype kernel_r kernel_t)
(context kernel_context (kernel_u kernel_r kernel_t lowhigh))

;;
(sidcontext kernel kernel_context)
(sidcontext any_socket kernel_context)
(sidcontext devnull kernel_context)
(sidcontext file kernel_context)
(sidcontext file_labels kernel_context)
(sidcontext fs kernel_context)
(sidcontext icmp_socket kernel_context)
(sidcontext igmp_packet kernel_context)
(sidcontext init kernel_context)
(sidcontext kmod kernel_context)
(sidcontext netif kernel_context)
(sidcontext netmsg kernel_context)
(sidcontext node kernel_context)
(sidcontext policy kernel_context)
(sidcontext port kernel_context)
(sidcontext scmp_packet kernel_context)
(sidcontext security kernel_context)
(sidcontext sysctl kernel_context)
(sidcontext sysctl_dev kernel_context)
(sidcontext sysctl_fs kernel_context)
(sidcontext sysctl_kernel kernel_context)
(sidcontext sysctl_modprobe kernel_context)
(sidcontext sysctl_net kernel_context)
(sidcontext sysctl_net_unix kernel_context)
(sidcontext sysctl_vm kernel_context)
(sidcontext tcp_socket kernel_context)
(sidcontext unlabeled kernel_context)

;; this works
;(class process (transition))
;(classorder (unordered process))
;(allow kernel_t self (process (all)))

;; this should work in theory
;; systemd or load_policy will try to load the policy, but the kernel will
;; return "Invalid argument" and log "SELinux: failed to load policy" to dmesg.
(class file (read))
(classorder (unordered file))
(allow kernel_t self (file (all)))
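A pre-load check for the situation described in the post, added here as an example; it is not part of bauen1's message nor of the SELinux project's tooling. secilc accepts both variants of the policy above, so the script parses the CIL source itself and tests the two kernel-side requirements that bite a minimal policy: the `process` class with a `transition` or `dyntransition` permission, which `policydb_read()` in `security/selinux/ss/policydb.c` looks up and rejects the policy without (the kernel keeps them as `process_class` and `process_trans_perms`), and a context for each of the 27 initial SIDs, which is the pre-5.7 behaviour the post's own comment refers to. The sample policies are constructed from the post's skeleton with the sid section generated; the names `lint_policy`, `class_perms` and `pre_5_7_kernel` are chosen here and are not kernel or libsepol identifiers.

```python
"""Pre-load lint for a minimal CIL policy (added example, not from the post).

secilc compiles policies that the kernel then rejects with EINVAL. Two of the
kernel-side requirements can be checked from the CIL source:
  * policydb_read() demands a `process` class carrying `transition` or
    `dyntransition`;
  * kernels before 5.7 demand a context for each of the 27 initial SIDs.
"""
import re

# The 27 initial SIDs, in the order the post's (sidorder ...) lists them.
ISIDS = (
    "kernel", "any_socket", "devnull", "file", "file_labels", "fs",
    "icmp_socket", "igmp_packet", "init", "kmod", "netif", "netmsg", "node",
    "policy", "port", "scmp_packet", "security", "sysctl", "sysctl_dev",
    "sysctl_fs", "sysctl_kernel", "sysctl_modprobe", "sysctl_net",
    "sysctl_net_unix", "sysctl_vm", "tcp_socket", "unlabeled",
)

# Tokens: a ';' comment to end of line, a paren, or a bare atom.
TOKEN_RE = re.compile(r";[^\n]*|\(|\)|[^\s()]+")


def parse_cil(text):
    """Parse CIL s-expressions into nested lists; ';' comments are dropped."""
    stack = [[]]
    for tok in TOKEN_RE.findall(text):
        if tok.startswith(";"):
            continue
        if tok == "(":
            stack.append([])
        elif tok == ")":
            if len(stack) == 1:
                raise ValueError("unbalanced ')'")
            form = stack.pop()
            stack[-1].append(form)
        else:
            stack[-1].append(tok)
    if len(stack) != 1:
        raise ValueError("unbalanced '('")
    return stack[0]


def class_perms(forms):
    """Map class name -> permission set, folding in (classcommon) inheritance."""
    commons, classes, inherits = {}, {}, {}
    for f in forms:
        if not isinstance(f, list) or not f:
            continue
        if f[0] == "common" and len(f) >= 3:
            commons[f[1]] = set(f[2])
        elif f[0] == "class" and len(f) >= 2:
            perms = f[2] if len(f) >= 3 and isinstance(f[2], list) else []
            classes[f[1]] = set(perms)
        elif f[0] == "classcommon" and len(f) >= 3:
            inherits[f[1]] = f[2]
    for cls, common in inherits.items():
        classes.setdefault(cls, set()).update(commons.get(common, ()))
    return classes


def lint_policy(text, pre_5_7_kernel=True):
    """Return load-blocking problems; an empty list means the checks passed."""
    forms = parse_cil(text)
    problems = []
    classes = class_perms(forms)
    if "process" not in classes:
        problems.append("missing required class 'process'")
    elif not classes["process"] & {"transition", "dyntransition"}:
        problems.append("class 'process' needs 'transition' or 'dyntransition'")
    if pre_5_7_kernel:
        labelled = {f[1] for f in forms
                    if isinstance(f, list) and len(f) >= 3 and f[0] == "sidcontext"}
        for sid in ISIDS:
            if sid not in labelled:
                problems.append(f"initial sid '{sid}' has no sidcontext (required before Linux 5.7)")
    return problems


# Constructed sample policies, reduced from the post: the sid section is
# generated, the rest is the post's skeleton plus one of its two class variants.
SID_BLOCK = "\n".join(
    [f"(sid {s})" for s in ISIDS]
    + [f"(sidorder ({' '.join(ISIDS)}))"]
    + [f"(sidcontext {s} kernel_context)" for s in ISIDS]
)
SKELETON = SID_BLOCK + """
(user kernel_u) (role kernel_r) (type kernel_t)
(sensitivity s0) (sensitivityorder (s0))
(level low (s0)) (level high (s0)) (levelrange lowhigh (low high))
(userrange kernel_u lowhigh) (userlevel kernel_u low)
(userrole kernel_u kernel_r) (roletype kernel_r kernel_t)
(context kernel_context (kernel_u kernel_r kernel_t lowhigh))
"""
WORKING = SKELETON + "(class process (transition))\n(classorder (unordered process))\n(allow kernel_t self (process (all)))\n"
BROKEN = SKELETON + "(class file (read))\n(classorder (unordered file))\n(allow kernel_t self (file (all)))\n"

if __name__ == "__main__":
    for name, policy in (("process/transition", WORKING), ("file/read", BROKEN)):
        print(name, "->", lint_policy(policy) or "no load-blocking problems found")
```

Running it flags the `file`-only variant before load_policy ever hands the binary to the kernel, while the `process`/`transition` variant passes. This is a lint over the source, not a substitute for the kernel's own validation: it says nothing about classorder, the remaining ocontexts, or whether the rules themselves are sensible, only about the two declarations whose absence produces the silent "Invalid argument" described in the post.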