On Wed, Jun 17, 2020 at 7:10 AM bauen1 <j2468h@xxxxxxxxxxxxxx> wrote:
>
> Hello,
>
> I've recently started playing with CIL and for various reasons I wanted
> to start with the smallest possible policy.
>
> After having some issues with a tiny CIL policy that compiles but does
> not actually load, I tracked it down to a hard requirement (of the
> kernel?) on the permission `transition` of the `process` class.
> Is there a reason for this or is this a bug?

Yes, the kernel security server depends on at least this class and permission being defined in policy for some of its internal logic; otherwise you will get some rather odd behavior.

I suppose we could make the kernel handle it more gracefully, or change libsepol to catch this and flag it as an error when writing a policy with the target platform set to Linux (it wouldn't be an error when writing a Xen policy, for example).