I did a bit of testing. These all work: ~/local/usr/bin/secil2tree -o test_01.cil.tree test_01.cil ~/local/usr/bin/secilc -o test_01.cil.bin test_01.cil ~/local/usr/bin/checkpolicy -C -b -o test_01.cil.bin.cil test_01.cil.bin /local/usr/bin/checkpolicy -o test_01.conf.bin test_01.conf ~/local/usr/bin/checkpolicy -C -b -o test_01.conf.bin.cil test_01.conf.bin ~/local/usr/bin/secil2conf -o test_01.cil.conf test_01.cil ~/local/usr/bin/checkpolicy -o test_01.cil.conf.bin test_01.cil.conf ~/local/usr/bin/checkmodule -o base_01.mod base_01.te ~/local/usr/bin/checkmodule -m -o mod_02.mod mod_02.te ~/local/usr/bin/semodule_package -o base_01.pp -m base_01.mod ~/local/usr/bin/semodule_package -o mod_02.pp -m mod_02.mod ~/local/usr/bin/semodule_link -o test_01.pp.lnk base_01.pp mod_02.pp ~/local/usr/bin/semodule_expand test_01.pp.lnk test_01.pp.bin These do not work: ~/local/usr/bin/checkpolicy -F -b -o test_01.cil.bin.conf test_01.cil.bin ~/local/usr/bin/checkpolicy -F -b -o test_01.conf.bin.conf test_01.conf.bin ~/local/usr/bin/checkpolicy -F -b -o test_01.pp.bin.conf test_01.pp.bin It appears something is wrong with translating the binary to a policy.conf, but I haven't had a chance to look deeper. I've attached the very simple test policies I used. Thanks, Jim On Wed, May 31, 2023 at 7:51 AM Juraj Marcin <juraj@xxxxxxxxxxxxxxx> wrote: > > Currently, filename transitions are stored separately from other type > enforcement rules and only support exact name matching. However, in > practice, the names contain variable parts. This leads to many > duplicated rules in the policy that differ only in the part of the name, > or it is even impossible to cover all possible combinations. > > This series implements equivalent changes made by this kernel patch > series [1]. > > First, this series of patches moves the filename transitions to be part > of the avtab and avrule structures. This not only makes the > implementation of prefix/suffix matching and future enhancements easier, > but also reduces the technical debt regarding the filename transitions. > Next, the last three patches implement the support for prefix/suffix > name matching itself by extending the structures added in previous > patches in this series and adding the support to CIL in the last of the > triple. > > Even though, moving everything to avtab increases the memory usage and > the size of the binary policy itself and thus the loading time, the > ability to match the prefix or suffix of the name will reduce the > overall number of rules in the policy which should mitigate this issue. > > [1]: https://lore.kernel.org/selinux/20230531112927.1957093-1-juraj@xxxxxxxxxxxxxxx/ > > Juraj Marcin (8): > checkpolicy, libsepol: move transition to separate structure in avtab > checkpolicy, libsepol: move filename transitions to avtab > checkpolicy, libsepol: move filename transition rules to avrule > libsepol: implement new kernel binary format for avtab > libsepol: implement new module binary format of avrule > checkpolicy, libsepol: add prefix/suffix support to kernel policy > checkpolicy, libsepol: add prefix/suffix support to module policy > libsepol/cil: add support for prefix/suffix filename transtions to CIL > > checkpolicy/checkmodule.c | 9 + > checkpolicy/module_compiler.c | 12 - > checkpolicy/module_compiler.h | 1 - > checkpolicy/policy_define.c | 211 +----- > checkpolicy/policy_define.h | 3 +- > checkpolicy/policy_parse.y | 15 +- > checkpolicy/policy_scan.l | 6 + > checkpolicy/test/dismod.c | 39 +- > checkpolicy/test/dispol.c | 106 +-- > libsepol/cil/src/cil.c | 8 + > libsepol/cil/src/cil_binary.c | 63 +- > libsepol/cil/src/cil_build_ast.c | 25 +- > libsepol/cil/src/cil_copy_ast.c | 1 + > libsepol/cil/src/cil_internal.h | 5 + > libsepol/cil/src/cil_policy.c | 17 +- > libsepol/cil/src/cil_resolve_ast.c | 10 + > libsepol/cil/src/cil_write_ast.c | 2 + > libsepol/include/sepol/policydb/avtab.h | 19 +- > libsepol/include/sepol/policydb/hashtab.h | 14 + > libsepol/include/sepol/policydb/policydb.h | 50 +- > libsepol/src/avrule_block.c | 1 - > libsepol/src/avtab.c | 336 +++++++++- > libsepol/src/conditional.c | 6 +- > libsepol/src/expand.c | 149 ++--- > libsepol/src/kernel_to_cil.c | 182 ++---- > libsepol/src/kernel_to_common.h | 10 + > libsepol/src/kernel_to_conf.c | 178 ++---- > libsepol/src/link.c | 57 +- > libsepol/src/module_to_cil.c | 86 +-- > libsepol/src/optimize.c | 8 + > libsepol/src/policydb.c | 479 +++----------- > libsepol/src/policydb_validate.c | 100 +-- > libsepol/src/services.c | 5 +- > libsepol/src/write.c | 712 ++++++++++++++++----- > 34 files changed, 1534 insertions(+), 1391 deletions(-) > > -- > 2.40.0 >
class CLASS1
class CLASS01
class CLASS02
class CLASS03
class CLASS04
class CLASS05
class CLASS06
sid kernel
class CLASS1 { PERM1 }
class CLASS01 { PERM01 }
class CLASS02 { PERM02 }
class CLASS03 { PERM03 }
class CLASS04 { PERM04 }
class CLASS05 { PERM05 }
class CLASS06 { PERM06 }
type TYPE1;
type ta;
type tb;
type tc;
allow TYPE1 self : CLASS1 { PERM1 };
type_transition ta tb : CLASS01 tc "file01";
type_transition ta tb : CLASS02 tc "[file02]";
type_transition ta tb : CLASS03 tc "file03";
type_transition ta tb : CLASS04 tc "file04" match_prefix;
type_transition ta tb : CLASS05 tc "file05" match_suffix;
role ROLE1;
role ROLE1 types { TYPE1 };
user USER1 roles ROLE1;
sid kernel USER1:ROLE1:TYPE1
Attachment:
test_01.cil
Description: application/vnd.ms-artgalry
Attachment:
base_01.te
Description: Binary data
Attachment:
mod_02.te
Description: Binary data
