On Sun, Jul 19, 2020 at 2:17 PM Dominick Grift <dominick.grift@xxxxxxxxxxx> wrote: > > This example CIL policy takes a different approach: > > 1. Leverages CIL > 2. Installs using semodule to make it tunable at runtime (but you can obviously also use secilc to build a monolithic version and deploy that) > 3. Makes few assumptions about variables > 4. Leverages handleunknown allow and declares least required access vectors so that you can pick and choose which access vectors you want to use and ignore the remainder > 5. Leverages unlabeled and file ISID and makes no assumptions about any volatile filesystems you may or may not use > 6. As small and simple as reasonably possible, heavily documented > 7. Modern, Requires SELinux 3.1 > > Signed-off-by: Dominick Grift <dominick.grift@xxxxxxxxxxx> > --- > v2: rename XWAYLAND.md to XSERVER_XWAYLAND.md and cover both Xserver as well as Xwayland > V3: fix typo in XSERVER_XWAYLAND.md and exclude x_contexts altogether > v4: remove XSERVER_XWAYLAND and add the note to README.md, redo README.md and clean up cil-policy.cil > v5: add -F to fixfiles onboot (onboot should probably just imply -F) > > src/cil_overview.md | 11 + > src/notebook-examples/README.md | 2 + > src/notebook-examples/cil-policy/Makefile | 31 ++ > src/notebook-examples/cil-policy/README.md | 90 ++++ > .../cil-policy/cil-policy.cil | 448 ++++++++++++++++++ > 5 files changed, 582 insertions(+) > create mode 100644 src/notebook-examples/cil-policy/Makefile > create mode 100644 src/notebook-examples/cil-policy/README.md > create mode 100644 src/notebook-examples/cil-policy/cil-policy.cil James, Richard, you both had comments on previous drafts, does v3 look good to you guys? -- paul moore www.paul-moore.com
