On Wed, Jun 17, 2020 at 9:24 AM Stephen Smalley <stephen.smalley.work@xxxxxxxxx> wrote:
>
> On Wed, Jun 17, 2020 at 7:10 AM bauen1 <j2468h@xxxxxxxxxxxxxx> wrote:
> >
> > Hello,
> >
> > I've recently started playing with CIL and for various reasons I wanted
> > to start with the smallest possible policy.
> >
> > After having some issues with a tiny CIL policy that compiles but does
> > not actually load, I tracked it down to a hard requirement (of the
> > kernel?) on the permission `transition` of the `process` class.
> > Is there a reason for this or is this a bug?
>
> Yes, the kernel security server depends on at least this class and
> permission being defined in policy for some of its internal logic;
> otherwise you will get some rather odd behavior. I suppose we could
> make the kernel handle it more gracefully, or change libsepol to catch
> this and flag it as an error when writing a policy with the target
> platform set to Linux (it wouldn't be an error when writing a Xen
> policy, for example).

By the way, there is a program in the kernel source tree, under
scripts/selinux/mdp, that will generate a fairly minimalist policy for
that kernel with all of its classes/permissions defined, a single
user/role/type, fs_use and genfscon rules for all filesystem types
configured, and allow rules allowing everything. See
Documentation/admin-guide/LSM/SELinux.rst. That however generates
policy.conf, not CIL, currently, although adding support for generating
CIL is an open issue on GitHub:
https://github.com/SELinuxProject/selinux-kernel/issues/45
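The following is an added illustration, not code from the thread or from the SELinux project: a minimal non-MLS CIL policy that carries the class/permission pair the reply says the kernel security server depends on. Only `(class process (transition))` comes from the thread; the single user/role/type, the two initial SIDs, the non-MLS context and the one allow rule are assumptions made to keep the example self-contained, and the thread does not list which further initial SIDs or rules the kernel needs before such a policy will load.

```cil
;; Added example (not from the thread). Everything except the
;; (class process (transition)) line is an assumption about what a
;; smallest policy might contain.

;; The hard requirement discussed in the reply: class `process` must
;; define the permission `transition`. A policy that declares
;; (class process ()) instead still compiles with secilc but, per the
;; reply, leads to odd kernel behaviour rather than a clean error.
(class process (transition))
(classorder (process))

;; A single user, role and type (the same shape mdp generates).
(user u)
(role r)
(type t)
(userrole u r)
(roletype r t)

;; Non-MLS context: no level range given.
(context c (u r t))

;; Initial SIDs: an assumed subset; the kernel's full list is not
;; given in the thread.
(sid kernel)
(sid unlabeled)
(sidorder (kernel unlabeled))
(sidcontext kernel c)
(sidcontext unlabeled c)

;; Let the only type transition to itself, exercising the permission.
(allow t self (process (transition)))
```

Compile it with `secilc policy.cil`, which writes a binary `policy.<version>` next to the source; the compile step is where a missing `transition` permission would currently go unnoticed, which is the libsepol check the reply suggests adding for a Linux target.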