Vit Mojzis <vmojzis@xxxxxxxxxx> writes:

> Hello all,
> while trying to recreate some selinux-policy templates using CIL
> macros I got stuck on creating new type/role/attribute names.
> For example consider ssh_role_template [1], which uses its first
> parameter to create a new type $1_ssh_agent_t.
>
> Is there a way to recreate such functionality in a CIL macro (or
> another CIL feature)?

CIL uses blocks for its implementation of templating. If you want to
leverage native CIL then look into blocks.

Example:

cat > mytest.cil <<EOF
(typeattribute foo)
(block t
(blockabstract t)
(type t)
(typeattributeset .foo t))
(block bar
(blockinherit t))
(block baz
(blockinherit t))
(allow .foo .foo (process (signal)))
EOF
sudo semodule -i mytest.cil
seinfo -xafoo

Type Attributes: 1
   attribute foo;
        bar.t
        baz.t

sesearch -A -s foo -ds
allow foo foo:process signal;

>
> Something along the lines of:
> (macro new_type_macro ((string type_prefix))
>     (type (type_prefix)_t)
> )
> which when called (call new_type_macro ("yolo")) would produce
> (type yolo_t)
>
> I searched through CIL reference guide [2] and SELinuxProject CIL wiki
> on github, but didn't find anything close (maybe there is a better
> resource I don't know about).
> I'd appreciate any hints or links to other resources related to CIL macros.
>
> Thank you,
> Vit
>
> [1] - https://github.com/TresysTechnology/refpolicy/blob/master/policy/modules/services/ssh.if#L301
> [2] - https://raw.githubusercontent.com/SELinuxProject/selinux-notebook/main/src/notebook-examples/selinux-policy/cil/CIL_Reference_Guide.pdf
> [3] - https://github.com/SELinuxProject/cil/wiki#macros
>

-- 
gpg --locate-keys dominick.grift@xxxxxxxxxxx (wkd)
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098
Dominick Grift
Mastodon: @kcinimod@xxxxxxxxxxx
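
Added example, not part of the original message or of refpolicy: the block pattern from the reply applied to the $1_ssh_agent_t case in the question. All names (demo_ssh_agent_type, ssh_agent_template, demo_staff, demo_user, subj) are hypothetical, and the template assumes each inheriting block declares its own subj type, which is resolved after the template is copied in.

```cil
; Constructed example: every name below is hypothetical.
; Global attribute that collects each per-user agent type.
(typeattribute demo_ssh_agent_type)

; Abstract template: declares nothing itself, it is only copied by blockinherit.
(block ssh_agent_template
    (blockabstract ssh_agent_template)
    ; Becomes <inheriting block>.ssh_agent, the counterpart of $1_ssh_agent_t.
    (type ssh_agent)
    (typeattributeset .demo_ssh_agent_type ssh_agent)
    ; 'subj' is not declared here; each inheriting block must declare it.
    (allow subj ssh_agent (process (signal))))

; Instance 1: yields demo_staff.subj and demo_staff.ssh_agent.
(block demo_staff
    (type subj)
    (blockinherit ssh_agent_template))

; Instance 2: yields demo_user.subj and demo_user.ssh_agent.
(block demo_user
    (type subj)
    (blockinherit ssh_agent_template))

; Rule over every instance, written once against the attribute.
(allow .demo_ssh_agent_type self (process (signal)))
```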