Hi Dominick,
thank you for the suggestion. I know about block inheritance, but it
produces type/role names that are not consistent with refpolicy ("."
separating the new block name and its content). My goal is to create
new SELinux users and corresponding roles, and it would be confusing for
users to switch between roles with different naming schemes (e.g.
"secadm_r" vs. "customuser.r"). Given that "typeinherit" statements
don't seem to be supported, I'm trying my luck with macros to replicate
interfaces.
Thank you,
Vit
On 9/12/23 05:50, Dominick Grift wrote:
Vit Mojzis <vmojzis@xxxxxxxxxx> writes:
Hello all,
while trying to recreate some selinux-policy templates using CIL
macros I got stuck on creating new type/role/attribute names.
For example consider ssh_role_template [1], which uses its first
parameter to create a new type $1_ssh_agent_t.
Is there a way to recreate such functionality in a CIL macro (or
another CIL feature)?
CIL uses blocks for its implementation of templating. If you want to leverage
native CIL then look into blocks.
Example:
cat > mytest.cil <<EOF
(typeattribute foo)
(block t
(blockabstract t)
(type t)
(typeattributeset .foo t))
(block bar
(blockinherit t))
(block baz
(blockinherit t))
(allow .foo .foo (process (signal)))
EOF
sudo semodule -i mytest.cil
seinfo -xafoo
Type Attributes: 1
attribute foo;
bar.t
baz.t
sesearch -A -s foo -ds
allow foo foo:process signal;
Something along the lines of:
(macro new_type_macro ((string type_prefix))
(type (type_prefix)_t)
)
which when called (call new_type_macro ("yolo")) would produce
(type yolo_t)
I searched through CIL reference guide [2] and SELinuxProject CIL wiki
on github, but didn't find anything close (maybe there is a better
resource I don't know about).
I'd appreciate any hints or links to other resources related to CIL macros.
Thank you,
Vit
[1] https://github.com/TresysTechnology/refpolicy/blob/master/policy/modules/services/ssh.if#L301
[2] https://raw.githubusercontent.com/SELinuxProject/selinux-notebook/main/src/notebook-examples/selinux-policy/cil/CIL_Reference_Guide.pdf
[3] https://github.com/SELinuxProject/cil/wiki#macros
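As an added illustration (not from either poster), one way to get refpolicy-style flat names without building an identifier inside the macro, which CIL macros cannot do from a string parameter, is to declare the derived type and role at the call site and pass them in as `type`/`role` parameters (parameter kinds documented in the CIL reference guide linked above). The `customuser` names and the attribute name below are constructed for the example; the module assumes a base policy that already defines the `process` class.

```cil
; Added example, not code from the thread. Replicates the shape of
; refpolicy's ssh_role_template: the caller, not the macro, creates
; "<prefix>_ssh_agent_t", so no "block.member" separator appears.
(typeattribute example_ssh_agent_type)

(macro example_ssh_role_template ((role ROLE) (type USERDOMAIN) (type AGENT))
    ; AGENT is the already-declared <prefix>_ssh_agent_t passed by the caller
    (typeattributeset example_ssh_agent_type AGENT)
    ; let the role run the agent domain
    (roletype ROLE AGENT)
    ; minimal access the user domain gets over its agent (signal only)
    (allow USERDOMAIN AGENT (process (signal)))
)

; Caller side: declare the refpolicy-style names, then hand them to the macro.
(role customuser_r)
(type customuser_t)
(type customuser_ssh_agent_t)
(roletype customuser_r customuser_t)
(call example_ssh_role_template (customuser_r customuser_t customuser_ssh_agent_t))
```

After `semodule -i` on a system with a base policy, `seinfo -xaexample_ssh_agent_type` should list `customuser_ssh_agent_t` with a flat name, and `sesearch -A -s customuser_t -t customuser_ssh_agent_t` the signal rule.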