On Wed, Sep 12, 2018 at 9:57 AM Ted Toth <txt...@gmail.com> wrote:
>
>
> On Wed, Sep 12, 2018 at 9:36 AM Dominick Grift <dac.overr...@gmail.com>
> wrote:
>
>> On Wed, Sep 12, 2018 at 09:57:20AM -0400, Stephen Smalley wrote:
>> > On 09/12/2018 09:26 AM, Ted Toth wrote:
>> > >
>> > >
>> > > On Wed, Sep 12, 2018 at 8:04 AM Stephen Smalley <s...@tycho.nsa.gov
>> > > <mailto:s...@tycho.nsa.gov>> wrote:
>> > >
>> > > On 09/11/2018 04:59 PM, Ted Toth wrote:
>> > > > That's awesome and now it's got me thinking about other
>> > > > classes/permissions that we could implement. Can cil macros
>> can be
>> > > > referenced in .te/.if files?
>> > >
>> > > Not sure I understand your question. You can't directly embed cil
>> > > statements in .te/.if files. However, if you define a
>> class/permission
>> > > in a .cil module, you can certainly specify a require on it and
>> use it
>> > > from a conventional .te/.if module, ala:
>> > > $ cat > usemcstrans.te <<EOF
>> > > policy_module(usemcstrans, 1.0)
>> > >
>> > > require {
>> > > class mcstrans { color_use };
>> > > attribute domain;
>> > > }
>> > >
>> > > allow domain self:mcstrans color_use;
>> > > EOF
>> > >
>> > > $ make -f /usr/share/selinux/devel/Makefile usemcstrans.pp
>> > > $ sudo semodule -i usemcstrans.pp
>> > >
>> > >
>> > > If the cil contained:
>> > >
>> > > (macro use_color (type caller) (allow caller self mcstrans
>> (color_use)))
>> > >
>> > > then in x.te can I use the macro:
>> > >
>> > > type x_t;
>> > > use_color(x_t)
>> >
>> > Sorry, no. The macros used in .te/.if files are just m4 definitions
>> handled
>> > at the preprocessing stage, not a feature of the module language. The
>> CIL
>> > macros are directly supported by the CIL compiler, but they won't be
>> visible
>> > to the module compiler. Also, you are missing several parentheses above
>> > (I'm not fond of the lisp-like syntax myself). In a CIL module, I
>> think the
>> > correct syntax would be:
>> >
>> > (macro use_color ((type caller)) (allow caller self (mcstrans
>> (color_use))))
>> >
>> > (call use_color(x_t))
>> >
>> > Or you could define a m4 macro in an .if file and use that in a .te
>> file.
>> > Or both.
>> >
>>
>> Ideally you would have all of your policy written in CIL or in a
>> high-level language that was designed to leverage CIL.
>>
>
> Unfortunately I/we don't live in an ideal world :( but thanks for the
> pointers.
>
>
>>
>> My DSSP2 policy is a CIL-only policy. In there I also leverage unordered
>> classes, Meaning that for example if you remove or disable the mcstrans
>> module then you automatically also remove or disable the access vectors
>> that mcstrans manages.
>>
>> minimal:
>>
>> https://github.com/DefenSec/dssp2-minimal
>>
>> standard (my personal policy based on top of minimal):
>>
>> https://github.com/DefenSec/dssp2-standard/commits/master
>>
>> DSSP2 does not support enforcement of confidentiality though
>>
>> > _______________________________________________
>> > Selinux mailing list
>> > Selinux@tycho.nsa.gov
>> > To unsubscribe, send email to selinux-le...@tycho.nsa.gov.
>> > To get help, send an email containing "help" to
>> selinux-requ...@tycho.nsa.gov.
>>
>> --
>> Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
>> https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
>> Dominick Grift
>>
>
I added a security class and permission using the following cil:
(block mcstrans
(typeattributeset cil_gen_require setrans_t)
(typeattributeset cil_gen_require user_t)
(class level_color (pick_using_dominance))
(classorder (unordered level_color))
(mlsconstrain (level_color (pick_using_dominance)) (dom h1 h2))
(allow setrans_t self (level_color (pick_using_dominance))))
and this works for the mcscolor code I changed to use it. However I wrote
some python code to test the class/permission (using
security_compute_av_raw) and ran it before adding an allow rule for the
python code type and no avc was generated as I'd expected. Is there
anything different about adding a security class this way that would affect
avc generation?
_______________________________________________
Selinux mailing list
Selinux@tycho.nsa.gov
To unsubscribe, send email to selinux-le...@tycho.nsa.gov.
To get help, send an email containing "help" to selinux-requ...@tycho.nsa.gov.
