On Wed, Sep 12, 2018 at 9:36 AM Dominick Grift <dac.overr...@gmail.com> wrote:
> On Wed, Sep 12, 2018 at 09:57:20AM -0400, Stephen Smalley wrote: > > On 09/12/2018 09:26 AM, Ted Toth wrote: > > > > > > > > > On Wed, Sep 12, 2018 at 8:04 AM Stephen Smalley <s...@tycho.nsa.gov > > > <mailto:s...@tycho.nsa.gov>> wrote: > > > > > > On 09/11/2018 04:59 PM, Ted Toth wrote: > > > > That's awesome and now it's got me thinking about other > > > > classes/permissions that we could implement. Can cil macros can > be > > > > referenced in .te/.if files? > > > > > > Not sure I understand your question. You can't directly embed cil > > > statements in .te/.if files. However, if you define a > class/permission > > > in a .cil module, you can certainly specify a require on it and > use it > > > from a conventional .te/.if module, ala: > > > $ cat > usemcstrans.te <<EOF > > > policy_module(usemcstrans, 1.0) > > > > > > require { > > > class mcstrans { color_use }; > > > attribute domain; > > > } > > > > > > allow domain self:mcstrans color_use; > > > EOF > > > > > > $ make -f /usr/share/selinux/devel/Makefile usemcstrans.pp > > > $ sudo semodule -i usemcstrans.pp > > > > > > > > > If the cil contained: > > > > > > (macro use_color (type caller) (allow caller self mcstrans > (color_use))) > > > > > > then in x.te can I use the macro: > > > > > > type x_t; > > > use_color(x_t) > > > > Sorry, no. The macros used in .te/.if files are just m4 definitions > handled > > at the preprocessing stage, not a feature of the module language. The > CIL > > macros are directly supported by the CIL compiler, but they won't be > visible > > to the module compiler. Also, you are missing several parentheses above > > (I'm not fond of the lisp-like syntax myself). In a CIL module, I think > the > > correct syntax would be: > > > > (macro use_color ((type caller)) (allow caller self (mcstrans > (color_use)))) > > > > (call use_color(x_t)) > > > > Or you could define a m4 macro in an .if file and use that in a .te file. > > Or both. > > > > Ideally you would have all of your policy written in CIL or in a > high-level language that was designed to leverage CIL. > Unfortunately I/we don't live in an ideal world :( but thanks for the pointers. > > My DSSP2 policy is a CIL-only policy. In there I also leverage unordered > classes, Meaning that for example if you remove or disable the mcstrans > module then you automatically also remove or disable the access vectors > that mcstrans manages. > > minimal: > > https://github.com/DefenSec/dssp2-minimal > > standard (my personal policy based on top of minimal): > > https://github.com/DefenSec/dssp2-standard/commits/master > > DSSP2 does not support enforcement of confidentiality though > > > _______________________________________________ > > Selinux mailing list > > Selinux@tycho.nsa.gov > > To unsubscribe, send email to selinux-le...@tycho.nsa.gov. > > To get help, send an email containing "help" to > selinux-requ...@tycho.nsa.gov. > > -- > Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02 > https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02 > Dominick Grift >
_______________________________________________ Selinux mailing list Selinux@tycho.nsa.gov To unsubscribe, send email to selinux-le...@tycho.nsa.gov. To get help, send an email containing "help" to selinux-requ...@tycho.nsa.gov.