* Re: CIL compiler
@ 2011-09-15 16:21 Richard Haines
  2011-09-15 17:48 ` Steve Lawrence
  0 siblings, 1 reply; 4+ messages in thread
From: Richard Haines @ 2011-09-15 16:21 UTC (permalink / raw)
  To: Steve Lawrence; +Cc: selinux

Thanks for the Initial SID fix. It works fine.

I've been experimenting with CIL using a basic base policy (similar to mdp) and blocks to build binary policy files. I've checked these with apol and loaded them with only two issues found so far:

1) The 'booleanif' does not expand the AV or TYPE rules into the binary. apol does not list anything under 'Conditional Expressions' and the policy will not load.

2) The 'optional' sections are not expanded into the binary when the dependencies are resolved. The policy is still loadable.

I also notice that as the CIL dev team work through the changes, the policy requirements change slightly. For example the allow rule format changed because of the permission set changes and the roles for object_r need to be fully defined. These are not an issue - just noting them in case others are testing CIL as well.

Richard



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: CIL compiler
  2011-09-15 16:21 Richard Haines
@ 2011-09-15 17:48 ` Steve Lawrence
  0 siblings, 0 replies; 4+ messages in thread
From: Steve Lawrence @ 2011-09-15 17:48 UTC (permalink / raw)
  To: Richard Haines; +Cc: selinux

On 09/15/2011 12:21 PM, Richard Haines wrote:
> Thanks for the Initial SID fix. It works fine.
> 
> I've been experimenting with CIL using a basic base policy (similar to mdp) and blocks to build binary policy files. I've checked these with apol and loaded them with only two issues found so far:

Great! We love to get feedback.

> 1) The 'booleanif' does not expand the AV or TYPE rules into the binary. apol does not list anything under 'Conditional Expressions' and the policy will not load.

Yes, we discovered that issue this week, and believe we have a fix, but
are unsure if it's the 'right' fix. Hopefully, we'll have this resolved
soon.

> 2) The 'optional' sections are not expanded into the binary when the dependencies are resolved. The policy is still loadable.

This seems to work correctly for me. Can you provide the CIL code you're
using that's not working?

> I also notice that as the CIL dev team work through the changes, the policy requirements change slightly. For example the allow rule format changed because of the permission set changes and the roles for object_r need to be fully defined. These are not an issue - just noting them in case others are testing CIL as well.

Yes, the language is still somewhat in flux so some things will break.
When we do a release we'll give a full list of what changed. But if
you're playing with the latest and greatest from git, things might break
without warning. We'll try to keep the wiki up to date with the current
git repo though, so that should be a source of what's new (the
permission set changes haven't made it to the wiki yet, though). If you
notice anything missing, please let us know and we'll make sure we get
it fixed.

Thanks,
- Steve


* Re: CIL compiler
@ 2011-09-16 15:24 Richard Haines
  2011-09-16 16:42 ` Steve Lawrence
  0 siblings, 1 reply; 4+ messages in thread
From: Richard Haines @ 2011-09-16 15:24 UTC (permalink / raw)
  To: Steve Lawrence; +Cc: selinux

Steve,

Please find attached the 'optional' problem code. There is a README in the tarball + all the modules.

Thanks for your help.
Richard

[-- Attachment #2: optional-bug.tar.gz --]
[-- Type: application/x-gzip, Size: 11849 bytes --]


* Re: CIL compiler
  2011-09-16 15:24 CIL compiler Richard Haines
@ 2011-09-16 16:42 ` Steve Lawrence
  0 siblings, 0 replies; 4+ messages in thread
From: Steve Lawrence @ 2011-09-16 16:42 UTC (permalink / raw)
  To: Richard Haines; +Cc: selinux

Looks like just a typo. The second typetransition rule in the optional
move_file references out_file_t, which should be move_file.out_file_t.

out_file_t is out of scope, so the optional always fails, even if
move_file.cil is included.

- Steve


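An added CIL fragment, not the thread's attached tarball or any code from the CIL project, illustrating the scoping problem Steve describes: the unqualified reference to a block member beside the corrected block-qualified one. The names mover_t, tmp_t, the two optional names, and the base policy they rely on (users, roles, sids, the file and dir classes) are assumptions.

```cil
; Block-scoped types, as a move_file module would declare them.
; The process type mover_t, the target type tmp_t, and the file/dir
; classes with their permissions are assumed to come from the base policy.
(block move_file
    (type in_file_t)
    (type out_file_t)
)

; Broken form (mirrors the typo found in the thread): out_file_t is declared
; inside block move_file, so the bare name is out of scope here. The second
; typetransition cannot be resolved, CIL disables the whole optional, and
; even the correct first rule never reaches the binary policy. The policy
; still builds and loads, which is why the missing rules are easy to overlook.
(optional move_file_broken
    (typetransition mover_t tmp_t file move_file.in_file_t)
    (typetransition mover_t tmp_t dir out_file_t)
)

; Corrected form: every reference to a block member uses the block-qualified
; name, so the optional resolves and its rules are compiled in. In a real
; module this replaces the broken optional rather than sitting beside it.
(optional move_file_fixed
    (typetransition mover_t tmp_t dir move_file.out_file_t)
    (allow mover_t move_file.out_file_t (dir (create write add_name)))
)
```

After compiling, look for the typetransition rules in the resulting binary (with apol, as the thread does); if they are absent, the optional was dropped during resolution.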