* CIL/SELinux Userspace Integration
@ 2011-11-22 22:00 Steve Lawrence
From: Steve Lawrence @ 2011-11-22 22:00 UTC (permalink / raw)
  To: SELinux

[-- Attachment #1: Type: text/plain, Size: 4790 bytes --]

As many of you may know, we have been working on CIL for a while now.
This has been posted to the list many times before, so we'll just post
the link to the wiki for now [1], but we're happy to answer any questions.

In addition to adding numerous features to CIL since we've last posted
to the list, we've also been working hard at integrating CIL
into SELinux userspace. We now have that in a state that's ready for
comments and review.

Because the changes are so large, I've pushed three branches upstream:
"src-revert", "src-policy", and "integration", each one building on the
other.

src-revert:
   Reverts changes made to master that conflict with the src-policy
   branch (i.e. how paths are handled, enabled/disable modules). This
   also reverts the preserve tunables patch. CIL tunables behave
   differently than in refpolicy, and so we can't easily preserve them,
   so this patchset, unfortunately, cannot be kept.

src-policy:
   This is a rebase of the old src-policy branch onto the src-revert
   branch. This moves the policy store to /var/lib/selinux and adds
   preliminary support for CIL. This was all done about two years ago.

integration:
   This branch builds CIL into libsepol, and updates libsemanage and
   semodule to understand only CIL files. Binary .pp modules will no
   longer work. There is still a lot of binary module code in the tree
   that needs to be removed, but that should be relatively easy to start
   stripping out.

So with these changes, it is now possible to build CIL into libsepol,
and manage the SELinux policy store using semodule and only CIL files.

Below are the steps to install CIL integrated into SELinux userspace and
install a simple module. We don't yet have a conversion from reference
policy to CIL, so we don't have a real policy that can be installed.
However, I've attached a CIL version of mdp (created by Richard Haines,
with a few tweaks for syntax changes) that should give you an idea of
how it works. And because CIL files are text files, it's pretty trivial
to write new ones and install them and play around with it.

The mdp.cil file is very simple. For some more interesting examples of
what CIL can do, see the wiki [1] or the policy.cil file in the test
directory in the cil repo.

We look forward to hearing your feedback now that we've reached this
pretty big milestone.

Thanks,
- Steve

[1] http://userspace.selinuxproject.org/trac/wiki/CilDesign


== Installation Steps ==

Note: This will make a lot of changes to your system, including changing
SELinux userspace, moving your policy store to /var/lib/selinux, and
because we don't have full policies yet, potentially breaking your
system if you reboot. It's probably wise to use a VM and/or make a
backup first.

1) Checkout the CIL integration branch

   # git clone http://oss.tresys.com/git/cil.git cil
   # cd cil
   # git checkout integration
   # cd ..

2) Checkout the selinux integration branch

   # git clone http://oss.tresys.com/git/selinux.git selinux
   # cd selinux
   # git checkout integration

3) Make a symbolic link in libsepol to the CIL repo

   # cd libsepol
   # ln -s /path/to/cil/repo/cil cil

4) Install selinux userspace (now with CIL included)

   # cd ..
   # make install
   # make swigify
   # make install-pywrap

5) Migrate the current store to the new /var/lib/selinux

   # ./libsemanage/utils/semanage_migrate_etc_to_var.py --clean --norebuild

6) Delete the existing binary modules from the new store; they won't
work with CIL

   # rm -rf /var/lib/selinux/targeted/active/modules/*

7) Check to make sure all modules have been removed

   # semodule --list=full
   No modules.

8) Install the mdp module (attached to this email)

   # semodule --install /path/to/mdp.cil

9) See the new policy

   # semodule --list=full
   400 mdp          cil

   # seinfo
   Statistics for policy file: /etc/selinux/targeted/policy/policy.24
   Policy Version & Type: v.24 (binary, non-mls)

      Classes:            49    Permissions:       163
      Sensitivities:       0    Categories:          1
      Types:               1    Attributes:          0
      Users:               1    Roles:               2
      Booleans:            0    Cond. Expr.:         0
      Allow:              49    Neverallow:          0
      Auditallow:          0    Dontaudit:           0
      Type_trans:          0    Type_change:         0
      Type_member:         0    Role allow:          0
      Role_trans:          0    Range_trans:         0
      Constraints:         0    Validatetrans:       0
      Initial SIDs:       27    Fs_use:             17
      Genfscon:            1    Portcon:             0
      Netifcon:            0    Nodecon:             0
      Permissives:         0    Polcap:              0


[-- Attachment #2: mdp.cil --]
[-- Type: text/plain, Size: 19173 bytes --]

(category c0)
(categoryorder (c0))
(sensitivity s0)
(dominance (s0))
(sensitivitycategory s0 (c0))
(levelrange default ((s0 (c0)) (s0 (c0))))
(level low (s0 (c0)))

(sid kernel)
(sid security)
(sid unlabeled)
(sid fs)
(sid file)
(sid file_labels)
(sid init)
(sid any_socket)
(sid port)
(sid netif)
(sid netmsg)
(sid node)
(sid igmp_packet)
(sid icmp_socket)
(sid tcp_socket)
(sid sysctl_modprobe)
(sid sysctl)
(sid sysctl_fs)
(sid sysctl_kernel)
(sid sysctl_net)
(sid sysctl_net_unix)
(sid sysctl_vm)
(sid sysctl_dev)
(sid kmod)
(sid policy)
(sid scmp_packet)
(sid devnull)

(class security ( compute_av compute_create compute_member check_context load_policy compute_relabel compute_user setenforce setbool setsecparam setcheckreqprot read_policy))
(class process ( fork transition sigchld sigkill sigstop signull signal ptrace getsched setsched getsession getpgid setpgid getcap setcap share getattr setexec setfscreate noatsecure siginh setrlimit rlimitinh dyntransition setcurrent execmem execstack execheap setkeycreate setsockcreate))
(class system ( ipc_info syslog_read syslog_mod syslog_console module_request))
(class capability ( chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap))
(class filesystem ( mount remount unmount getattr relabelfrom relabelto transition associate quotamod quotaget))
(class file ( ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename execute swapon quotaon mounton audit_access open execmod execute_no_trans entrypoint))
(class dir ( ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename execute swapon quotaon mounton audit_access open execmod add_name remove_name reparent search rmdir))
(class fd ( use))
(class lnk_file ( ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename execute swapon quotaon mounton audit_access open execmod))
(class chr_file ( ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename execute swapon quotaon mounton audit_access open execmod))
(class blk_file ( ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename execute swapon quotaon mounton audit_access open execmod))
(class sock_file ( ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename execute swapon quotaon mounton audit_access open execmod))
(class fifo_file ( ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename execute swapon quotaon mounton audit_access open execmod))
(class socket ( ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto recv_msg send_msg name_bind))
(class tcp_socket ( ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto recv_msg send_msg name_bind connectto newconn acceptfrom node_bind name_connect))
(class udp_socket ( ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto recv_msg send_msg name_bind node_bind))
(class rawip_socket ( ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto recv_msg send_msg name_bind node_bind))
(class node ( tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send enforce_dest dccp_recv dccp_send recvfrom sendto))
(class netif ( tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send dccp_recv dccp_send ingress egress))
(class netlink_socket ( ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto recv_msg send_msg name_bind))
(class packet_socket ( ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto recv_msg send_msg name_bind))
(class key_socket ( ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto recv_msg send_msg name_bind))
(class unix_stream_socket ( ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto recv_msg send_msg name_bind connectto newconn acceptfrom))
(class unix_dgram_socket ( ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto recv_msg send_msg name_bind))
(class sem ( create destroy getattr setattr read write associate unix_read unix_write))
(class msg ( send receive))
(class msgq ( create destroy getattr setattr read write associate unix_read unix_write enqueue))
(class shm ( create destroy getattr setattr read write associate unix_read unix_write lock))
(class ipc ( create destroy getattr setattr read write associate unix_read unix_write))
(class netlink_route_socket ( ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto recv_msg send_msg name_bind nlmsg_read nlmsg_write))
(class netlink_firewall_socket ( ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto recv_msg send_msg name_bind nlmsg_read nlmsg_write))
(class netlink_tcpdiag_socket ( ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto recv_msg send_msg name_bind nlmsg_read nlmsg_write))
(class netlink_nflog_socket ( ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto recv_msg send_msg name_bind))
(class netlink_xfrm_socket ( ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto recv_msg send_msg name_bind nlmsg_read nlmsg_write))
(class netlink_selinux_socket ( ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto recv_msg send_msg name_bind))
(class netlink_audit_socket ( ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto recv_msg send_msg name_bind nlmsg_read nlmsg_write nlmsg_relay nlmsg_readpriv nlmsg_tty_audit))
(class netlink_ip6fw_socket ( ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto recv_msg send_msg name_bind nlmsg_read nlmsg_write))
(class netlink_dnrt_socket ( ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto recv_msg send_msg name_bind))
(class association ( sendto recvfrom setcontext polmatch))
(class netlink_kobject_uevent_socket ( ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto recv_msg send_msg name_bind))
(class appletalk_socket ( ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto recv_msg send_msg name_bind))
(class packet ( send recv relabelto forward_in forward_out))
(class key ( view read write search link setattr create))
(class dccp_socket ( ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto recv_msg send_msg name_bind node_bind name_connect))
(class memprotect ( mmap_zero))
(class peer ( recv))
(class capability2 ( mac_override mac_admin syslog))
(class kernel_service ( use_as_override create_files_as))
(class tun_socket ( ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto recv_msg send_msg name_bind))

(type  base_t)
(role  base_r)
(roletype base_r base_t)

(allow  base_t  base_t (security ( compute_av compute_create compute_member check_context load_policy compute_relabel compute_user setenforce setbool setsecparam setcheckreqprot read_policy)))
(allow  base_t  base_t (process ( fork transition sigchld sigkill sigstop signull signal ptrace getsched setsched getsession getpgid setpgid getcap setcap share getattr setexec setfscreate noatsecure siginh setrlimit rlimitinh dyntransition setcurrent execmem execstack execheap setkeycreate setsockcreate)))
(allow  base_t  base_t (system ( ipc_info syslog_read syslog_mod syslog_console module_request)))
(allow  base_t  base_t (capability ( chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap)))
(allow  base_t  base_t (filesystem ( mount remount unmount getattr relabelfrom relabelto transition associate quotamod quotaget)))
(allow  base_t  base_t (file ( ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename execute swapon quotaon mounton audit_access open execmod execute_no_trans entrypoint)))
(allow  base_t  base_t (dir ( ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename execute swapon quotaon mounton audit_access open execmod add_name remove_name reparent search rmdir)))
(allow  base_t  base_t (fd ( use)))
(allow  base_t  base_t (lnk_file ( ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename execute swapon quotaon mounton audit_access open execmod)))
(allow  base_t  base_t (chr_file ( ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename execute swapon quotaon mounton audit_access open execmod)))
(allow  base_t  base_t (blk_file ( ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename execute swapon quotaon mounton audit_access open execmod)))
(allow  base_t  base_t (sock_file ( ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename execute swapon quotaon mounton audit_access open execmod)))
(allow  base_t  base_t (fifo_file ( ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename execute swapon quotaon mounton audit_access open execmod)))
(allow  base_t  base_t (socket ( ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto recv_msg send_msg name_bind)))
(allow  base_t  base_t (tcp_socket ( ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto recv_msg send_msg name_bind connectto newconn acceptfrom node_bind name_connect)))
(allow  base_t  base_t (udp_socket ( ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto recv_msg send_msg name_bind node_bind)))
(allow  base_t  base_t (rawip_socket ( ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto recv_msg send_msg name_bind node_bind)))
(allow  base_t  base_t (node ( tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send enforce_dest dccp_recv dccp_send recvfrom sendto)))
(allow  base_t  base_t (netif ( tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send dccp_recv dccp_send ingress egress)))
(allow  base_t  base_t (netlink_socket ( ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto recv_msg send_msg name_bind)))
(allow  base_t  base_t (packet_socket ( ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto recv_msg send_msg name_bind)))
(allow  base_t  base_t (key_socket ( ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto recv_msg send_msg name_bind)))
(allow  base_t  base_t (unix_stream_socket ( ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto recv_msg send_msg name_bind connectto newconn acceptfrom)))
(allow  base_t  base_t (unix_dgram_socket ( ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto recv_msg send_msg name_bind)))
(allow  base_t  base_t (sem ( create destroy getattr setattr read write associate unix_read unix_write)))
(allow  base_t  base_t (msg ( send receive)))
(allow  base_t  base_t (msgq ( create destroy getattr setattr read write associate unix_read unix_write enqueue)))
(allow  base_t  base_t (shm ( create destroy getattr setattr read write associate unix_read unix_write lock)))
(allow  base_t  base_t (ipc ( create destroy getattr setattr read write associate unix_read unix_write)))
(allow  base_t  base_t (netlink_route_socket ( ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto recv_msg send_msg name_bind nlmsg_read nlmsg_write)))
(allow  base_t  base_t (netlink_firewall_socket ( ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto recv_msg send_msg name_bind nlmsg_read nlmsg_write)))
(allow  base_t  base_t (netlink_tcpdiag_socket ( ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto recv_msg send_msg name_bind nlmsg_read nlmsg_write)))
(allow  base_t  base_t (netlink_nflog_socket ( ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto recv_msg send_msg name_bind)))
(allow  base_t  base_t (netlink_xfrm_socket ( ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto recv_msg send_msg name_bind nlmsg_read nlmsg_write)))
(allow  base_t  base_t (netlink_selinux_socket ( ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto recv_msg send_msg name_bind)))
(allow  base_t  base_t (netlink_audit_socket ( ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto recv_msg send_msg name_bind nlmsg_read nlmsg_write nlmsg_relay nlmsg_readpriv nlmsg_tty_audit)))
(allow  base_t  base_t (netlink_ip6fw_socket ( ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto recv_msg send_msg name_bind nlmsg_read nlmsg_write)))
(allow  base_t  base_t (netlink_dnrt_socket ( ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto recv_msg send_msg name_bind)))
(allow  base_t  base_t (association ( sendto recvfrom setcontext polmatch)))
(allow  base_t  base_t (netlink_kobject_uevent_socket ( ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto recv_msg send_msg name_bind)))
(allow  base_t  base_t (appletalk_socket ( ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto recv_msg send_msg name_bind)))
(allow  base_t  base_t (packet ( send recv relabelto forward_in forward_out)))
(allow  base_t  base_t (key ( view read write search link setattr create)))
(allow  base_t  base_t (dccp_socket ( ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto recv_msg send_msg name_bind node_bind name_connect)))
(allow  base_t  base_t (memprotect ( mmap_zero)))
(allow  base_t  base_t (peer ( recv)))
(allow  base_t  base_t (capability2 ( mac_override mac_admin syslog)))
(allow  base_t  base_t (kernel_service ( use_as_override create_files_as)))
(allow  base_t  base_t (tun_socket ( ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto recv_msg send_msg name_bind)))

(user  user_u)
(userrole  user_u  base_r)

(userrange user_u (low low))
(userlevel user_u low)

(context default_context (user_u base_r base_t default))

(sidcontext kernel default_context)
(sidcontext security default_context)
(sidcontext unlabeled default_context)
(sidcontext fs default_context)
(sidcontext file default_context)
(sidcontext file_labels default_context)
(sidcontext init default_context)
(sidcontext any_socket default_context)
(sidcontext port default_context)
(sidcontext netif default_context)
(sidcontext netmsg default_context)
(sidcontext node default_context)
(sidcontext igmp_packet default_context)
(sidcontext icmp_socket default_context)
(sidcontext tcp_socket default_context)
(sidcontext sysctl_modprobe default_context)
(sidcontext sysctl default_context)
(sidcontext sysctl_fs default_context)
(sidcontext sysctl_kernel default_context)
(sidcontext sysctl_net default_context)
(sidcontext sysctl_net_unix default_context)
(sidcontext sysctl_vm default_context)
(sidcontext sysctl_dev default_context)
(sidcontext kmod default_context)
(sidcontext policy default_context)
(sidcontext scmp_packet default_context)
(sidcontext devnull default_context)

(fsuse xattr ext2 default_context)
(fsuse xattr ext3 default_context)
(fsuse xattr ext4 default_context)
(fsuse xattr jfs default_context)
(fsuse xattr xfs default_context)
(fsuse xattr reiserfs default_context)
(fsuse xattr jffs2 default_context)
(fsuse xattr gfs2 default_context)
(fsuse xattr lustre default_context)
(fsuse task eventpollfs default_context)
(fsuse task pipefs default_context)
(fsuse task sockfs default_context)
(fsuse trans mqueue default_context)
(fsuse trans devpts default_context)
(fsuse trans hugetlbfs default_context)
(fsuse trans tmpfs default_context)
(fsuse trans shm default_context)
(genfscon proc / default_context)

(filecon "/" "" any default_context)
(filecon "/" ".*" any default_context)
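As an added example (not code from the CIL or SELinux userspace projects), a small Python lint that parses CIL s-expressions like mdp.cil and cross-checks sids against sidcontexts, allow-rule types against their declarations, and granted permissions against the class declarations, so a hand-written module can be checked before it goes through `semodule --install`. The embedded policy text is a constructed excerpt shaped like mdp.cil with two planted defects; it is not a loadable policy.

```python
"""Cross-check a CIL policy file before handing it to `semodule --install`.

Added example, not code from the CIL or SELinux userspace projects. The checks
mirror what mdp.cil relies on: every sid gets a sidcontext, every type used in
an allow rule is declared, and every granted permission exists in its class."""
import re

# One token per match: parens, quoted strings, ';' comments, or bare atoms.
TOKEN_RE = re.compile(r'\(|\)|"[^"]*"|;[^\n]*|[^\s()";]+')


def parse_cil(text):
    """Return top-level CIL statements as nested lists; raise on unbalanced parens."""
    stack = [[]]
    for tok in TOKEN_RE.findall(text):
        if tok.startswith(';'):          # comments run to end of line
            continue
        if tok == '(':
            stack.append([])
        elif tok == ')':
            if len(stack) == 1:
                raise ValueError("unbalanced ')'")
            closed = stack.pop()
            stack[-1].append(closed)
        else:
            stack[-1].append(tok.strip('"'))
    if len(stack) != 1:
        raise ValueError("%d unclosed '('" % (len(stack) - 1))
    return stack[0]


def lint(text):
    """Parse CIL text and return counts plus a list of human-readable problems."""
    statements = [s for s in parse_cil(text) if s]
    classes, sids, sidctx, types = {}, set(), set(), set()
    # Pass 1: collect declarations (CIL does not require declare-before-use).
    for st in statements:
        kw = st[0]
        if kw == 'class':
            classes[st[1]] = set(st[2]) if len(st) > 2 else set()
        elif kw == 'sid':
            sids.add(st[1])
        elif kw == 'sidcontext':
            sidctx.add(st[1])
        elif kw == 'type':
            types.add(st[1])
    # Pass 2: check every use against the declarations.
    problems, allow_count = [], 0
    for st in statements:
        kw = st[0]
        if kw == 'allow':
            allow_count += 1
            for t in st[1:3]:
                if t not in types:
                    problems.append(f"allow: undeclared type {t}")
            cp = st[3]
            if not (isinstance(cp, list) and len(cp) == 2
                    and isinstance(cp[1], list)):
                problems.append(f"allow: unsupported classpermission form {cp!r}")
            elif cp[0] not in classes:
                problems.append(f"allow: undeclared class {cp[0]}")
            else:
                for p in cp[1]:
                    if p not in classes[cp[0]]:
                        problems.append(f"allow: class {cp[0]} has no permission {p}")
        elif kw == 'sidcontext' and st[1] not in sids:
            problems.append(f"sidcontext: undeclared sid {st[1]}")
    # An initial sid with no context is an easy way to get an unloadable policy.
    for s in sorted(sids - sidctx):
        problems.append(f"sid {s} has no sidcontext")
    return {'classes': len(classes), 'allow': allow_count, 'problems': problems}


# Constructed excerpt shaped like mdp.cil (MLS declarations omitted), with two
# planted defects: an undeclared permission and a sid without a sidcontext.
SAMPLE_CIL = """
(sid kernel)
(sid devnull)
(class fd ( use))
(class file ( ioctl read write create getattr setattr open execmod))
(class process ( fork transition signal ptrace))
(type  base_t)
(role  base_r)
(roletype base_r base_t)
(allow  base_t  base_t (fd ( use)))
(allow  base_t  base_t (file ( read write open)))
(allow  base_t  base_t (process ( fork execmem)))  ; execmem not declared above
(context default_context (user_u base_r base_t default))
(sidcontext kernel default_context)
(filecon "/" "" any default_context)
"""

if __name__ == '__main__':
    result = lint(SAMPLE_CIL)
    print(f"{result['classes']} classes, {result['allow']} allow rules")
    for p in result['problems']:
        print("PROBLEM:", p)
```

Run against the real mdp.cil, the class and allow counts should match the Classes and Allow lines that seinfo prints in step 9.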



* Re: CIL/SELinux Userspace Integration
@ 2011-12-03 16:30 Richard Haines
From: Richard Haines @ 2011-12-03 16:30 UTC (permalink / raw)
  To: Steve Lawrence; +Cc: selinux

Steve,

Thanks for this, it seems to work fine with the policy samples I've been 
using. I've had a couple of minor problems though:

1) A macro does not work with permissionset as one of the parameters (all 
   the other parameters worked okay).

2) Macro comments are not permitted. I notice they are not present in the 
   test files, so has it been dropped?

3) I could not find a way to generate the policy.conf file. I set the
   DEBUG=1 in the CIL Makefile like I used to but no file.

4) To set deny_unknown in secilc.c required a 'U' in the getopt line: 
         getopt_long(argc, argv, "hvtU:MDc:", .....

5) I could not load a new policy that had a boolean and supporting
   statements in it. The actual binary policy was fine (using apol), but
   load_policy had problems. I started with a Fedora 16 base and added 
   the new Integration code with no problems. Is it a known problem? If 
   not, I'll check further. 
   The errors I had when running semodule with a boolean were (Note: I 
   had already built a new base policy (SELINUXTYPE=rch-test1) with no
   problems):

                      ------ Start --------------
# semodule -i base.cil ext_gateway.cil int_gateway.cil move_file.cil

SELinux:  Could not load policy file /etc/selinux/rch-test1/policy/policy.26:  No such file or directory
/sbin/load_policy:  Can't load policy:  No such file or directory
libsemanage.semanage_reload_policy: load_policy returned error code 2. (No such file or directory).
SELinux:  Could not load policy file /etc/selinux/rch-test1/policy/policy.26:  No such file or directory
/sbin/load_policy:  Can't load policy:  No such file or directory
libsemanage.semanage_reload_policy: load_policy returned error code 2. (No such file or directory).
semodule:  Failed!
                    ----- End -----------------

Richard


--- On Tue, 22/11/11, Steve Lawrence <slawrence@tresys.com> wrote:

> From: Steve Lawrence <slawrence@tresys.com>
> Subject: CIL/SELinux Userspace Integration
> To: "SELinux" <selinux@tycho.nsa.gov>
> Date: Tuesday, 22 November, 2011, 22:00
> As many of you may know, we have been
> working on CIL for a while now.
> This has been posted to the list many times before, so
> we'll just post
> the link to the wiki for now [1], but we're happy to answer
> any questions.
> 
> In addition to adding numerous features to CIL since we've
> last posted
> to the list, we've also been working hard at integrating
> CIL
> into SELinux userspace. We now have that in a state that's
> ready for
> comments and review.




--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: CIL/SELinux Userspace Integration
@ 2011-12-07 13:32 ` Steve Lawrence
From: Steve Lawrence @ 2011-12-07 13:32 UTC (permalink / raw)
  To: Richard Haines; +Cc: selinux

[-- Attachment #1: Type: text/plain, Size: 3719 bytes --]

On 12/03/2011 11:30 AM, Richard Haines wrote:
> Steve,
>
> Thanks for this, it seems to work fine with the policy samples I've been
> using. I've had a couple of minor problems though:
>
> 1) A macro does not work with permissionset as one of the parameters (all
>     the other parameters worked okay).
>

Thanks for finding this. Just pushed a commit that fixes this.

> 2) Macro comments are not permitted. I notice they are not present in the
>     test files so has it been dropped.
>

Yep. Macro comments have been dropped. I've updated it on the wiki.

> 3) I could not find a way to generate the policy.conf file. I set the
>     DEBUG=1 in the CIL Makefile like I used to but no file.
>

In selinux userspace, make DEBUG=1 doesn't define the DEBUG macro that 
the CIL code uses to enable debugging. You'll have to add '-DDEBUG' to 
the CFLAGS in the userspace Makefile to enable building of the 
policy.conf file.

> 4) To set deny_unknown in secilc.c required a 'U' in the getopt line:
>           getopt_long(argc, argv, "hvtU:MDc:", .....
>

Thanks, fixed and pushed.

> 5) I could not load a new policy that had a boolean and supporting
>     statements in it. The actual binary policy was fine (using apol), but
>     load_policy had problems. I started with a Fedora 16 base and added
>     the new Integration code with no problems. Is it a known problem as
>     if not I'll check further.
>     The errors I had when running semodule with a boolean were (Note: I
>     had already built a new base policy (SELINUXTYPE=rch-test1) with no
>     problems):

Hmmm, this is interesting. Both seinfo and apol are fine with my 
CIL-generated binary, but it fails to load when I add booleans. I also 
generated a similar mdp policy.conf, ran checkpolicy, and that failed to 
load as well. sediff also shows the two binaries to be the same.

I'll look into this more, but because of that, I'm thinking this is a 
kernel bug. If anyone else wants to look at it, I've attached a simple 
file that is the standard mdp.conf with a single boolean defined, and 
single conditional statement using that boolean. This builds a binary 
fine, and apol/seinfo have no problem with it, but fails to load with 
load_policy.

>
>                        ------ Start --------------
> # semodule -i base.cil ext_gateway.cil int_gateway.cil move_file.cil
>
> SELinux:  Could not load policy file /etc/selinux/rch-test1/policy/policy.26:  No such file or directory
> /sbin/load_policy:  Can't load policy:  No such file or directory
> libsemanage.semanage_reload_policy: load_policy returned error code 2. (No such file or directory).
> SELinux:  Could not load policy file /etc/selinux/rch-test1/policy/policy.26:  No such file or directory
> /sbin/load_policy:  Can't load policy:  No such file or directory
> libsemanage.semanage_reload_policy: load_policy returned error code 2. (No such file or directory).
> semodule:  Failed!
>                      ----- End -----------------
>
> Richard
>
>
> --- On Tue, 22/11/11, Steve Lawrence<slawrence@tresys.com>  wrote:
>
>> From: Steve Lawrence<slawrence@tresys.com>
>> Subject: CIL/SELinux Userspace Integration
>> To: "SELinux"<selinux@tycho.nsa.gov>
>> Date: Tuesday, 22 November, 2011, 22:00
>> As many of you may know, we have been
>> working on CIL for a while now.
>> This has been posted to the list many times before, so
>> we'll just post
>> the link to the wiki for now [1], but we're happy to answer
>> any questions.
>>
>> In addition to adding numerous features to CIL since we've
>> last posted
>> to the list, we've also been working hard at integrating
>> CIL
>> into SELinux userspace. We now have that in a state that's
>> ready for
>> comments and review.
>
>


[-- Attachment #2: mdp-bool.conf --]
[-- Type: text/plain, Size: 13541 bytes --]

class security
class process
class system
class capability
class filesystem
class file
class dir
class fd
class lnk_file
class chr_file
class blk_file
class sock_file
class fifo_file
class socket
class tcp_socket
class udp_socket
class rawip_socket
class node
class netif
class netlink_socket
class packet_socket
class key_socket
class unix_stream_socket
class unix_dgram_socket
class sem
class msg
class msgq
class shm
class ipc
class netlink_route_socket
class netlink_firewall_socket
class netlink_tcpdiag_socket
class netlink_nflog_socket
class netlink_xfrm_socket
class netlink_selinux_socket
class netlink_audit_socket
class netlink_ip6fw_socket
class netlink_dnrt_socket
class association
class netlink_kobject_uevent_socket
class appletalk_socket
class packet
class key
class dccp_socket
class memprotect
class peer
class capability2
class kernel_service
class tun_socket

sid kernel
sid security
sid unlabeled
sid fs
sid file
sid file_labels
sid init
sid any_socket
sid port
sid netif
sid netmsg
sid node
sid igmp_packet
sid icmp_socket
sid tcp_socket
sid sysctl_modprobe
sid sysctl
sid sysctl_fs
sid sysctl_kernel
sid sysctl_net
sid sysctl_net_unix
sid sysctl_vm
sid sysctl_dev
sid kmod
sid policy
sid scmp_packet
sid devnull

class security
{
	compute_av
	compute_create
	compute_member
	check_context
	load_policy
	compute_relabel
	compute_user
	setenforce
	setbool
	setsecparam
	setcheckreqprot
	read_policy
}

class process
{
	fork
	transition
	sigchld
	sigkill
	sigstop
	signull
	signal
	ptrace
	getsched
	setsched
	getsession
	getpgid
	setpgid
	getcap
	setcap
	share
	getattr
	setexec
	setfscreate
	noatsecure
	siginh
	setrlimit
	rlimitinh
	dyntransition
	setcurrent
	execmem
	execstack
	execheap
	setkeycreate
	setsockcreate
}

class system
{
	ipc_info
	syslog_read
	syslog_mod
	syslog_console
	module_request
}

class capability
{
	chown
	dac_override
	dac_read_search
	fowner
	fsetid
	kill
	setgid
	setuid
	setpcap
	linux_immutable
	net_bind_service
	net_broadcast
	net_admin
	net_raw
	ipc_lock
	ipc_owner
	sys_module
	sys_rawio
	sys_chroot
	sys_ptrace
	sys_pacct
	sys_admin
	sys_boot
	sys_nice
	sys_resource
	sys_time
	sys_tty_config
	mknod
	lease
	audit_write
	audit_control
	setfcap
}

class filesystem
{
	mount
	remount
	unmount
	getattr
	relabelfrom
	relabelto
	transition
	associate
	quotamod
	quotaget
}

class file
{
	ioctl
	read
	write
	create
	getattr
	setattr
	lock
	relabelfrom
	relabelto
	append
	unlink
	link
	rename
	execute
	swapon
	quotaon
	mounton
	audit_access
	open
	execmod
	execute_no_trans
	entrypoint
}

class dir
{
	ioctl
	read
	write
	create
	getattr
	setattr
	lock
	relabelfrom
	relabelto
	append
	unlink
	link
	rename
	execute
	swapon
	quotaon
	mounton
	audit_access
	open
	execmod
	add_name
	remove_name
	reparent
	search
	rmdir
}

class fd
{
	use
}

class lnk_file
{
	ioctl
	read
	write
	create
	getattr
	setattr
	lock
	relabelfrom
	relabelto
	append
	unlink
	link
	rename
	execute
	swapon
	quotaon
	mounton
	audit_access
	open
	execmod
}

class chr_file
{
	ioctl
	read
	write
	create
	getattr
	setattr
	lock
	relabelfrom
	relabelto
	append
	unlink
	link
	rename
	execute
	swapon
	quotaon
	mounton
	audit_access
	open
	execmod
}

class blk_file
{
	ioctl
	read
	write
	create
	getattr
	setattr
	lock
	relabelfrom
	relabelto
	append
	unlink
	link
	rename
	execute
	swapon
	quotaon
	mounton
	audit_access
	open
	execmod
}

class sock_file
{
	ioctl
	read
	write
	create
	getattr
	setattr
	lock
	relabelfrom
	relabelto
	append
	unlink
	link
	rename
	execute
	swapon
	quotaon
	mounton
	audit_access
	open
	execmod
}

class fifo_file
{
	ioctl
	read
	write
	create
	getattr
	setattr
	lock
	relabelfrom
	relabelto
	append
	unlink
	link
	rename
	execute
	swapon
	quotaon
	mounton
	audit_access
	open
	execmod
}

class socket
{
	ioctl
	read
	write
	create
	getattr
	setattr
	lock
	relabelfrom
	relabelto
	append
	bind
	connect
	listen
	accept
	getopt
	setopt
	shutdown
	recvfrom
	sendto
	recv_msg
	send_msg
	name_bind
}

class tcp_socket
{
	ioctl
	read
	write
	create
	getattr
	setattr
	lock
	relabelfrom
	relabelto
	append
	bind
	connect
	listen
	accept
	getopt
	setopt
	shutdown
	recvfrom
	sendto
	recv_msg
	send_msg
	name_bind
	connectto
	newconn
	acceptfrom
	node_bind
	name_connect
}

class udp_socket
{
	ioctl
	read
	write
	create
	getattr
	setattr
	lock
	relabelfrom
	relabelto
	append
	bind
	connect
	listen
	accept
	getopt
	setopt
	shutdown
	recvfrom
	sendto
	recv_msg
	send_msg
	name_bind
	node_bind
}

class rawip_socket
{
	ioctl
	read
	write
	create
	getattr
	setattr
	lock
	relabelfrom
	relabelto
	append
	bind
	connect
	listen
	accept
	getopt
	setopt
	shutdown
	recvfrom
	sendto
	recv_msg
	send_msg
	name_bind
	node_bind
}

class node
{
	tcp_recv
	tcp_send
	udp_recv
	udp_send
	rawip_recv
	rawip_send
	enforce_dest
	dccp_recv
	dccp_send
	recvfrom
	sendto
}

class netif
{
	tcp_recv
	tcp_send
	udp_recv
	udp_send
	rawip_recv
	rawip_send
	dccp_recv
	dccp_send
	ingress
	egress
}

class netlink_socket
{
	ioctl
	read
	write
	create
	getattr
	setattr
	lock
	relabelfrom
	relabelto
	append
	bind
	connect
	listen
	accept
	getopt
	setopt
	shutdown
	recvfrom
	sendto
	recv_msg
	send_msg
	name_bind
}

class packet_socket
{
	ioctl
	read
	write
	create
	getattr
	setattr
	lock
	relabelfrom
	relabelto
	append
	bind
	connect
	listen
	accept
	getopt
	setopt
	shutdown
	recvfrom
	sendto
	recv_msg
	send_msg
	name_bind
}

class key_socket
{
	ioctl
	read
	write
	create
	getattr
	setattr
	lock
	relabelfrom
	relabelto
	append
	bind
	connect
	listen
	accept
	getopt
	setopt
	shutdown
	recvfrom
	sendto
	recv_msg
	send_msg
	name_bind
}

class unix_stream_socket
{
	ioctl
	read
	write
	create
	getattr
	setattr
	lock
	relabelfrom
	relabelto
	append
	bind
	connect
	listen
	accept
	getopt
	setopt
	shutdown
	recvfrom
	sendto
	recv_msg
	send_msg
	name_bind
	connectto
	newconn
	acceptfrom
}

class unix_dgram_socket
{
	ioctl
	read
	write
	create
	getattr
	setattr
	lock
	relabelfrom
	relabelto
	append
	bind
	connect
	listen
	accept
	getopt
	setopt
	shutdown
	recvfrom
	sendto
	recv_msg
	send_msg
	name_bind
}

class sem
{
	create
	destroy
	getattr
	setattr
	read
	write
	associate
	unix_read
	unix_write
}

class msg
{
	send
	receive
}

class msgq
{
	create
	destroy
	getattr
	setattr
	read
	write
	associate
	unix_read
	unix_write
	enqueue
}

class shm
{
	create
	destroy
	getattr
	setattr
	read
	write
	associate
	unix_read
	unix_write
	lock
}

class ipc
{
	create
	destroy
	getattr
	setattr
	read
	write
	associate
	unix_read
	unix_write
}

class netlink_route_socket
{
	ioctl
	read
	write
	create
	getattr
	setattr
	lock
	relabelfrom
	relabelto
	append
	bind
	connect
	listen
	accept
	getopt
	setopt
	shutdown
	recvfrom
	sendto
	recv_msg
	send_msg
	name_bind
	nlmsg_read
	nlmsg_write
}

class netlink_firewall_socket
{
	ioctl
	read
	write
	create
	getattr
	setattr
	lock
	relabelfrom
	relabelto
	append
	bind
	connect
	listen
	accept
	getopt
	setopt
	shutdown
	recvfrom
	sendto
	recv_msg
	send_msg
	name_bind
	nlmsg_read
	nlmsg_write
}

class netlink_tcpdiag_socket
{
	ioctl
	read
	write
	create
	getattr
	setattr
	lock
	relabelfrom
	relabelto
	append
	bind
	connect
	listen
	accept
	getopt
	setopt
	shutdown
	recvfrom
	sendto
	recv_msg
	send_msg
	name_bind
	nlmsg_read
	nlmsg_write
}

class netlink_nflog_socket
{
	ioctl
	read
	write
	create
	getattr
	setattr
	lock
	relabelfrom
	relabelto
	append
	bind
	connect
	listen
	accept
	getopt
	setopt
	shutdown
	recvfrom
	sendto
	recv_msg
	send_msg
	name_bind
}

class netlink_xfrm_socket
{
	ioctl
	read
	write
	create
	getattr
	setattr
	lock
	relabelfrom
	relabelto
	append
	bind
	connect
	listen
	accept
	getopt
	setopt
	shutdown
	recvfrom
	sendto
	recv_msg
	send_msg
	name_bind
	nlmsg_read
	nlmsg_write
}

class netlink_selinux_socket
{
	ioctl
	read
	write
	create
	getattr
	setattr
	lock
	relabelfrom
	relabelto
	append
	bind
	connect
	listen
	accept
	getopt
	setopt
	shutdown
	recvfrom
	sendto
	recv_msg
	send_msg
	name_bind
}

class netlink_audit_socket
{
	ioctl
	read
	write
	create
	getattr
	setattr
	lock
	relabelfrom
	relabelto
	append
	bind
	connect
	listen
	accept
	getopt
	setopt
	shutdown
	recvfrom
	sendto
	recv_msg
	send_msg
	name_bind
	nlmsg_read
	nlmsg_write
	nlmsg_relay
	nlmsg_readpriv
	nlmsg_tty_audit
}

class netlink_ip6fw_socket
{
	ioctl
	read
	write
	create
	getattr
	setattr
	lock
	relabelfrom
	relabelto
	append
	bind
	connect
	listen
	accept
	getopt
	setopt
	shutdown
	recvfrom
	sendto
	recv_msg
	send_msg
	name_bind
	nlmsg_read
	nlmsg_write
}

class netlink_dnrt_socket
{
	ioctl
	read
	write
	create
	getattr
	setattr
	lock
	relabelfrom
	relabelto
	append
	bind
	connect
	listen
	accept
	getopt
	setopt
	shutdown
	recvfrom
	sendto
	recv_msg
	send_msg
	name_bind
}

class association
{
	sendto
	recvfrom
	setcontext
	polmatch
}

class netlink_kobject_uevent_socket
{
	ioctl
	read
	write
	create
	getattr
	setattr
	lock
	relabelfrom
	relabelto
	append
	bind
	connect
	listen
	accept
	getopt
	setopt
	shutdown
	recvfrom
	sendto
	recv_msg
	send_msg
	name_bind
}

class appletalk_socket
{
	ioctl
	read
	write
	create
	getattr
	setattr
	lock
	relabelfrom
	relabelto
	append
	bind
	connect
	listen
	accept
	getopt
	setopt
	shutdown
	recvfrom
	sendto
	recv_msg
	send_msg
	name_bind
}

class packet
{
	send
	recv
	relabelto
	forward_in
	forward_out
}

class key
{
	view
	read
	write
	search
	link
	setattr
	create
}

class dccp_socket
{
	ioctl
	read
	write
	create
	getattr
	setattr
	lock
	relabelfrom
	relabelto
	append
	bind
	connect
	listen
	accept
	getopt
	setopt
	shutdown
	recvfrom
	sendto
	recv_msg
	send_msg
	name_bind
	node_bind
	name_connect
}

class memprotect
{
	mmap_zero
}

class peer
{
	recv
}

class capability2
{
	mac_override
	mac_admin
	syslog
}

class kernel_service
{
	use_as_override
	create_files_as
}

class tun_socket
{
	ioctl
	read
	write
	create
	getattr
	setattr
	lock
	relabelfrom
	relabelto
	append
	bind
	connect
	listen
	accept
	getopt
	setopt
	shutdown
	recvfrom
	sendto
	recv_msg
	send_msg
	name_bind
}

type base_t;

role base_r;
role base_r types { base_t };

bool cond true;

if (cond) {
	allow base_t base_t : file *;
}

allow base_t base_t : security *;
allow base_t base_t : process *;
allow base_t base_t : system *;
allow base_t base_t : capability *;
allow base_t base_t : filesystem *;
allow base_t base_t : dir *;
allow base_t base_t : fd *;
allow base_t base_t : lnk_file *;
allow base_t base_t : chr_file *;
allow base_t base_t : blk_file *;
allow base_t base_t : sock_file *;
allow base_t base_t : fifo_file *;
allow base_t base_t : socket *;
allow base_t base_t : tcp_socket *;
allow base_t base_t : udp_socket *;
allow base_t base_t : rawip_socket *;
allow base_t base_t : node *;
allow base_t base_t : netif *;
allow base_t base_t : netlink_socket *;
allow base_t base_t : packet_socket *;
allow base_t base_t : key_socket *;
allow base_t base_t : unix_stream_socket *;
allow base_t base_t : unix_dgram_socket *;
allow base_t base_t : sem *;
allow base_t base_t : msg *;
allow base_t base_t : msgq *;
allow base_t base_t : shm *;
allow base_t base_t : ipc *;
allow base_t base_t : netlink_route_socket *;
allow base_t base_t : netlink_firewall_socket *;
allow base_t base_t : netlink_tcpdiag_socket *;
allow base_t base_t : netlink_nflog_socket *;
allow base_t base_t : netlink_xfrm_socket *;
allow base_t base_t : netlink_selinux_socket *;
allow base_t base_t : netlink_audit_socket *;
allow base_t base_t : netlink_ip6fw_socket *;
allow base_t base_t : netlink_dnrt_socket *;
allow base_t base_t : association *;
allow base_t base_t : netlink_kobject_uevent_socket *;
allow base_t base_t : appletalk_socket *;
allow base_t base_t : packet *;
allow base_t base_t : key *;
allow base_t base_t : dccp_socket *;
allow base_t base_t : memprotect *;
allow base_t base_t : peer *;
allow base_t base_t : capability2 *;
allow base_t base_t : kernel_service *;
allow base_t base_t : tun_socket *;

user user_u roles { base_r };

sid kernel user_u:base_r:base_t
sid security user_u:base_r:base_t
sid unlabeled user_u:base_r:base_t
sid fs user_u:base_r:base_t
sid file user_u:base_r:base_t
sid file_labels user_u:base_r:base_t
sid init user_u:base_r:base_t
sid any_socket user_u:base_r:base_t
sid port user_u:base_r:base_t
sid netif user_u:base_r:base_t
sid netmsg user_u:base_r:base_t
sid node user_u:base_r:base_t
sid igmp_packet user_u:base_r:base_t
sid icmp_socket user_u:base_r:base_t
sid tcp_socket user_u:base_r:base_t
sid sysctl_modprobe user_u:base_r:base_t
sid sysctl user_u:base_r:base_t
sid sysctl_fs user_u:base_r:base_t
sid sysctl_kernel user_u:base_r:base_t
sid sysctl_net user_u:base_r:base_t
sid sysctl_net_unix user_u:base_r:base_t
sid sysctl_vm user_u:base_r:base_t
sid sysctl_dev user_u:base_r:base_t
sid kmod user_u:base_r:base_t
sid policy user_u:base_r:base_t
sid scmp_packet user_u:base_r:base_t
sid devnull user_u:base_r:base_t

fs_use_xattr ext2 user_u:base_r:base_t;
fs_use_xattr ext3 user_u:base_r:base_t;
fs_use_xattr ext4 user_u:base_r:base_t;
fs_use_xattr jfs user_u:base_r:base_t;
fs_use_xattr xfs user_u:base_r:base_t;
fs_use_xattr reiserfs user_u:base_r:base_t;
fs_use_xattr jffs2 user_u:base_r:base_t;
fs_use_xattr gfs2 user_u:base_r:base_t;
fs_use_xattr lustre user_u:base_r:base_t;

fs_use_task eventpollfs user_u:base_r:base_t;
fs_use_task pipefs user_u:base_r:base_t;
fs_use_task sockfs user_u:base_r:base_t;

fs_use_trans mqueue user_u:base_r:base_t;
fs_use_trans devpts user_u:base_r:base_t;
fs_use_trans hugetlbfs user_u:base_r:base_t;
fs_use_trans tmpfs user_u:base_r:base_t;
fs_use_trans shm user_u:base_r:base_t;

genfscon proc / user_u:base_r:base_t


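As an added example (it is not code from this thread or from the SELinux project), the following Python lint reads a monolithic policy.conf such as the mdp-bool.conf attachment above and flags the failure mode Eric Paris diagnoses later in the thread: the kernel labels the files it creates under /selinux/booleans by looking up a genfscon rule for selinuxfs, so a policy that declares booleans but carries no such rule fails in load_policy even though checkpolicy, apol and seinfo are happy with the binary. The regexes assume the one-statement-per-line layout used in the attachment and cover only the statement forms the check needs (type, bool, if, genfscon); the sample inputs are constructed, trimmed-down versions of the attachment, and the function names are my own.

```python
"""Lint a monolithic SELinux policy.conf for booleans without a selinuxfs genfscon.

Added example, not from the mailing-list thread or the SELinux project. The
requirement it checks (booleans need a genfscon rule for selinuxfs so the kernel
can label /selinux/booleans) is the diagnosis given in the thread, not a full
policy validation; checkpolicy remains the authority on everything else.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Statement forms recognised. These assume one statement per line, as in the
# mdp-bool.conf attachment, and are not a complete policy.conf grammar.
TYPE_RE = re.compile(r"^\s*type\s+(\w+)\s*[;,]", re.M)
BOOL_RE = re.compile(r"^\s*bool\s+(\w+)\s+(true|false)\s*;", re.M)
GENFSCON_RE = re.compile(r"^\s*genfscon\s+(\S+)\s+(\S+)\s+(\S+)", re.M)
IF_RE = re.compile(r"^\s*if\s*\((.*?)\)\s*\{", re.M)
IDENT_RE = re.compile(r"[A-Za-z_]\w*")


@dataclass
class PolicySummary:
    types: Set[str] = field(default_factory=set)
    booleans: Dict[str, bool] = field(default_factory=dict)  # name -> default value
    genfscon: Dict[str, List[Tuple[str, str]]] = field(default_factory=dict)  # fstype -> [(path, ctx)]
    conditions: List[str] = field(default_factory=list)  # raw if-expressions


def parse_policy_conf(text: str) -> PolicySummary:
    """Collect just the declarations the lint needs from a policy.conf."""
    s = PolicySummary()
    for m in TYPE_RE.finditer(text):
        s.types.add(m.group(1))
    for m in BOOL_RE.finditer(text):
        s.booleans[m.group(1)] = m.group(2) == "true"
    for m in GENFSCON_RE.finditer(text):
        s.genfscon.setdefault(m.group(1), []).append((m.group(2), m.group(3)))
    for m in IF_RE.finditer(text):
        s.conditions.append(m.group(1).strip())
    return s


def lint(summary: PolicySummary) -> List[str]:
    """Return human-readable findings; an empty list means every check passed."""
    findings = []
    # The thread's failure mode: booleans present, no label source for selinuxfs.
    if summary.booleans and "selinuxfs" not in summary.genfscon:
        findings.append(
            "booleans declared (%s) but no genfscon rule for selinuxfs; "
            "the kernel needs one to label the files under /selinux/booleans"
            % ", ".join(sorted(summary.booleans)))
    # A genfscon rule is only useful if its context names a declared type.
    for fstype, rules in summary.genfscon.items():
        for path, ctx in rules:
            fields = ctx.split(":")  # user:role:type[:range]
            if len(fields) < 3 or fields[2] not in summary.types:
                findings.append(f"genfscon {fstype} {path}: context {ctx} names an undeclared type")
    # Every identifier in a conditional expression must be a declared boolean.
    for cond in summary.conditions:
        for ident in IDENT_RE.findall(cond):
            if ident not in summary.booleans:
                findings.append(f"conditional ({cond}) references undeclared boolean {ident}")
    return findings


def add_selinuxfs_genfscon(text: str, context: str) -> str:
    """Append the rule the thread arrives at, unless the policy already has one."""
    if "selinuxfs" in parse_policy_conf(text).genfscon:
        return text
    if not text.endswith("\n"):
        text += "\n"
    return text + f"genfscon selinuxfs / {context}\n"


# Constructed sample: mdp-bool.conf trimmed to a few classes, keeping the boolean,
# the conditional block and the lone genfscon for proc that the attachment has.
SAMPLE_WITHOUT_GENFS = """\
class security
class file
sid kernel
class security { load_policy setbool }
class file { read write }
type base_t;
role base_r;
role base_r types { base_t };
bool cond true;
if (cond) {
    allow base_t base_t : file *;
}
allow base_t base_t : security *;
user user_u roles { base_r };
sid kernel user_u:base_r:base_t
fs_use_xattr ext4 user_u:base_r:base_t;
genfscon proc / user_u:base_r:base_t
"""

# The same policy with the selinuxfs rule added, which is what makes it loadable.
SAMPLE_WITH_GENFS = add_selinuxfs_genfscon(SAMPLE_WITHOUT_GENFS, "user_u:base_r:base_t")

if __name__ == "__main__":
    for name, text in (("without selinuxfs genfscon", SAMPLE_WITHOUT_GENFS),
                       ("with selinuxfs genfscon", SAMPLE_WITH_GENFS)):
        print(name + ":", lint(parse_policy_conf(text)) or ["ok"])
```

Run stand-alone, the script reports the missing selinuxfs rule for the first sample and "ok" for the second. Pointing `parse_policy_conf` at the full mdp-bool.conf text reproduces the first finding, since that file's only genfscon rule is for proc.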

* Re: CIL/SELinux Userspace Integration
  2011-12-07 13:32 ` Steve Lawrence
@ 2011-12-07 13:54   ` Eric Paris
  2011-12-07 14:04     ` Steve Lawrence
  0 siblings, 1 reply; 11+ messages in thread
From: Eric Paris @ 2011-12-07 13:54 UTC (permalink / raw)
  To: Steve Lawrence; +Cc: Richard Haines, selinux

On Wed, Dec 7, 2011 at 8:32 AM, Steve Lawrence <slawrence@tresys.com> wrote:
> On 12/03/2011 11:30 AM, Richard Haines wrote:

>> 5) I could not load a new policy that had a boolean and supporting
>>    statements in it. The actual binary policy was fine (using apol), but
>>    load_policy had problems. I started with a Fedora 16 base and added
>>    the new Integration code with no problems. Is it a known problem as
>>    if not I'll check further.
>>    The errors I had when running semodule with a boolean were (Note: I
>>    had already built a new base policy (SELINUXTYPE=rch-test1) with no
>>    problems):
>
>
> Hmmm, this is interesting. Both seinfo and apol are fine with my
> CIL-generated binary, but fails to load when I add booleans. I also
> generated a similar mdp policy.conf, ran checkpolicy, and that failed to
> load as well. sediff also shows the two binaries to be the same.
>
> I'll look into this more, but because of that, I'm thinking this is a kernel
> bug. If anyone else wants to look at it, I've attached a simple file that is
> the standard mdp.conf with a single boolean defined, and single conditional
> statement using that boolean. This builds a binary fine, and apol/seinfo
> have no problem with it, but fails to load with load_policy.
>
>>
>>                       ------ Start --------------
>> # semodule -i base.cil ext_gateway.cil int_gateway.cil move_file.cil
>>
>> SELinux:  Could not load policy file
>> /etc/selinux/rch-test1/policy/policy.26:  No such file or directory
>> /sbin/load_policy:  Can't load policy:  No such file or directory
>>
>> libsemanage.semanage_reload_policy: load_policy returned error code 2. (No
>> such file or directory).
>> SELinux:  Could not load policy file
>> /etc/selinux/rch-test1/policy/policy.26:  No such file or directory
>> /sbin/load_policy:  Can't load policy:  No such file or directory
>>
>> libsemanage.semanage_reload_policy: load_policy returned error code 2. (No
>> such file or directory).
>> semodule:  Failed!
>>
>>                     ----- End -----------------

If you send me the policy.X in question I'll spend a couple minutes
figuring out what the kernel is upset about...


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: CIL/SELinux Userspace Integration
  2011-12-07 13:54   ` Eric Paris
@ 2011-12-07 14:04     ` Steve Lawrence
  2011-12-07 18:45       ` Eric Paris
  0 siblings, 1 reply; 11+ messages in thread
From: Steve Lawrence @ 2011-12-07 14:04 UTC (permalink / raw)
  To: Eric Paris; +Cc: Richard Haines, selinux

[-- Attachment #1: Type: text/plain, Size: 2309 bytes --]

On 12/07/2011 08:54 AM, Eric Paris wrote:
> On Wed, Dec 7, 2011 at 8:32 AM, Steve Lawrence<slawrence@tresys.com>  wrote:
>> On 12/03/2011 11:30 AM, Richard Haines wrote:
>
>>> 5) I could not load a new policy that had a boolean and supporting
>>>     statements in it. The actual binary policy was fine (using apol), but
>>>     load_policy had problems. I started with a Fedora 16 base and added
>>>     the new Integration code with no problems. Is it a known problem as
>>>     if not I'll check further.
>>>     The errors I had when running semodule with a boolean were (Note: I
>>>     had already built a new base policy (SELINUXTYPE=rch-test1) with no
>>>     problems):
>>
>>
>> Hmmm, this is interesting. Both seinfo and apol are fine with my
>> CIL-generated binary, but fails to load when I add booleans. I also
>> generated a similar mdp policy.conf, ran checkpolicy, and that failed to
>> load as well. sediff also shows the two binaries to be the same.
>>
>> I'll look into this more, but because of that, I'm thinking this is a kernel
>> bug. If anyone else wants to look at it, I've attached a simple file that is
>> the standard mdp.conf with a single boolean defined, and single conditional
>> statement using that boolean. This builds a binary fine, and apol/seinfo
>> have no problem with it, but fails to load with load_policy.
>>
>>>
>>>                        ------ Start --------------
>>> # semodule -i base.cil ext_gateway.cil int_gateway.cil move_file.cil
>>>
>>> SELinux:  Could not load policy file
>>> /etc/selinux/rch-test1/policy/policy.26:  No such file or directory
>>> /sbin/load_policy:  Can't load policy:  No such file or directory
>>>
>>> libsemanage.semanage_reload_policy: load_policy returned error code 2. (No
>>> such file or directory).
>>> SELinux:  Could not load policy file
>>> /etc/selinux/rch-test1/policy/policy.26:  No such file or directory
>>> /sbin/load_policy:  Can't load policy:  No such file or directory
>>>
>>> libsemanage.semanage_reload_policy: load_policy returned error code 2. (No
>>> such file or directory).
>>> semodule:  Failed!
>>>
>>>                      ----- End -----------------
>
> If you send me the policy.X in question I'll spend a couple minutes
> figuring out what the kernel is upset about...

policy.24 attached. Thanks.

[-- Attachment #2: policy.24 --]
[-- Type: application/octet-stream, Size: 17312 bytes --]


* Re: CIL/SELinux Userspace Integration
@ 2011-12-07 17:01 Richard Haines
  2011-12-07 18:02 ` Steve Lawrence
  0 siblings, 1 reply; 11+ messages in thread
From: Richard Haines @ 2011-12-07 17:01 UTC (permalink / raw)
  To: Steve Lawrence; +Cc: selinux

Thanks for the updates. The deny_unknown, permissionset and generating policy.conf all worked okay.

I've had a couple of other minor problems:

1) I added a 'policycap' statement in a block. secilc processed the CIL statements but failed to gen the policy. I then moved it to the global namespace and then it worked okay. I assume that policycap must always be in the global namespace.

2) Are there any known issues regarding typetransition rules, as I'm having problems generating a policy? For example, secilc will throw 'Error: Duplicate rule defined (line: xxx)'. I then comment out the typetransition statement (that actually looks okay) and it fails with another one; however, semodule -i .. will compile it okay. In the end I can get both secilc and semodule to build the binary policy once I remove enough typetransition statements to keep both of them happy. (Both seem to be happy with about 16 typetransition statements in policy, but semodule can take a few more!!!)

The policy consists of 10 CIL modules (files) with about 1,200 lines of CIL statements - nothing complex, just the SELinux Notebook modules I'm converting to CIL as an exercise.

I've had both problems on the original integration you sent plus the updates you pushed today (7th Dec).

Richard

--- On Wed, 7/12/11, Steve Lawrence <slawrence@tresys.com> wrote:

> From: Steve Lawrence <slawrence@tresys.com>
> Subject: Re: CIL/SELinux Userspace Integration
> To: "Richard Haines" <richard_c_haines@btinternet.com>
> Cc: selinux@tycho.nsa.gov
> Date: Wednesday, 7 December, 2011, 13:32
> On 12/03/2011 11:30 AM, Richard
> Haines wrote:
> > Steve,
> >
> > Thanks for this, it seems to work fine with the policy
> samples I've been
> > using. I've had a couple of minor problems though:
> >
> > 1) A macro does not work with permissionset as one of
> the parameters (all
> >     the other parameters worked
> okay).
> >
> 
> Thanks for finding this. Just pushed a commit that fixes
> this.
> 
> > 2) Macro comments are not permitted. I notice they are
> not present in the
> >     test files so has it been
> dropped.
> >
> 
> Yep. Macro comments have been dropped. I've updated it on
> the wiki.
> 
> > 3) I could not find a way to generate the policy.conf
> file. I set the
> >     DEBUG=1 in the CIL Makefile
> like I used to but no file.
> >
> 
> In selinux userspace, make DEBUG=1 doesn't define the DEBUG
> macro that 
> the CIL code uses to enable debugging. You'll have to add
> '-DDEBUG' to 
> the CFLAGS in the userspace Makefile to enable building of
> the 
> policy.conf file.
> 
> > 4) To set deny_unknown in secilc.c required a 'U' in
> the getopt line:
> >       
>    getopt_long(argc, argv, "hvtU:MDc:",
> .....
> >
> 
> Thanks, fixed and pushed.
> 
> > 5) I could not load a new policy that had a boolean
> and supporting
> >     statements in it. The actual
> binary policy was fine (using apol), but
> >     load_policy had problems. I
> started with a Fedora 16 base and added
> >     the new Integration code with
> no problems. Is it a known problem as
> >     if not I'll check further.
> >     The errors I had when running
> semodule with a boolean were (Note: I
> >     had already built a new base
> policy (SELINUXTYPE=rch-test1) with no
> >     problems):
> 
> Hmmm, this is interesting. Both seinfo and apol are fine
> with my 
> CIL-generated binary, but fails to load when I add
> booleans. I also 
> generated a similar mdp policy.conf, ran checkpolicy, and
> that failed to 
> load as well. sediff also shows the two binaries to be the
> same.
> 
> I'll look into this more, but because of that, I'm thinking
> this is a 
> kernel bug. If anyone else wants to look at it, I've
> attached a simple 
> file that is the standard mdp.conf with a single boolean
> defined, and 
> single conditional statement using that boolean. This
> builds a binary 
> fine, and apol/seinfo have no problem with it, but fails to
> load with 
> load_policy.
> 



* Re: CIL/SELinux Userspace Integration
  2011-12-07 17:01 Richard Haines
@ 2011-12-07 18:02 ` Steve Lawrence
  0 siblings, 0 replies; 11+ messages in thread
From: Steve Lawrence @ 2011-12-07 18:02 UTC (permalink / raw)
  To: Richard Haines; +Cc: selinux

On 12/07/2011 12:01 PM, Richard Haines wrote:
> Thanks for the updates. The deny_unknown, permissionset and generating policy.conf all worked okay.
>
> I've had a couple of other minor problems:
>
> 1) I added a 'policycap' statement in a block. secilc processed the CIL statements but failed to gen the policy. I then moved it to the global namespace and then it worked okay. I assume that policycap must always be in the global namespace.
>

There isn't anything in theory that requires the policycap statement to 
be global. However, putting a policycap in a block will namespace it, so 
this:

   (block foo
       (policycap bar))

results in the policy capability "foo.bar". Right now, the only valid 
policy capabilities are "network_peer_controls" and "open_perms". So 
"foo.bar" as well as any namespaced policy cap will never work in 
practice. However, there is a bug that this error isn't checked at the 
right spot. I've fixed this, so you should at least get a better error 
message now.

> 2) Are there any known issues regarding typetransition rules, as I'm having problems generating a policy? For example, secilc will throw 'Error: Duplicate rule defined (line: xxx)'. I then comment out the typetransition statement (that actually looks okay) and it fails with another one; however, semodule -i .. will compile it okay. In the end I can get both secilc and semodule to build the binary policy once I remove enough typetransition statements to keep both of them happy. (Both seem to be happy with about 16 typetransition statements in policy, but semodule can take a few more!!!)
>

No known issues with typetransitions. Can you send the policy you're 
having trouble with and I'll take a look?

> The policy consists of 10 CIL modules (files) with about 1,200 lines of CIL statements - nothing complex, just the SELinux Notebook modules I'm converting to CIL as an exercise.
>
> I've had both problems on the original integration you sent plus the updates you pushed today (7th Dec).
>
> Richard
>
> --- On Wed, 7/12/11, Steve Lawrence<slawrence@tresys.com>  wrote:
>
>> From: Steve Lawrence<slawrence@tresys.com>
>> Subject: Re: CIL/SELinux Userspace Integration
>> To: "Richard Haines"<richard_c_haines@btinternet.com>
>> Cc: selinux@tycho.nsa.gov
>> Date: Wednesday, 7 December, 2011, 13:32
>> On 12/03/2011 11:30 AM, Richard
>> Haines wrote:
>>> Steve,
>>>
>>> Thanks for this, it seems to work fine with the policy
>> samples I've been
>>> using. I've had a couple of minor problems though:
>>>
>>> 1) A macro does not work with permissionset as one of
>> the parameters (all
>>>       the other parameters worked
>> okay).
>>>
>>
>> Thanks for finding this. Just pushed a commit that fixes
>> this.
>>
>>> 2) Macro comments are not permitted. I notice they are
>> not present in the
>>>       test files so has it been
>> dropped.
>>>
>>
>> Yep. Macro comments have been dropped. I've updated it on
>> the wiki.
>>
>>> 3) I could not find a way to generate the policy.conf
>> file. I set the
>>>       DEBUG=1 in the CIL Makefile
>> like I used to but no file.
>>>
>>
>> In selinux userspace, make DEBUG=1 doesn't define the DEBUG
>> macro that
>> the CIL code uses to enable debugging. You'll have to add
>> '-DDEBUG' to
>> the CFLAGS in the userspace Makefile to enable building of
>> the
>> policy.conf file.
>>
>>> 4) To set deny_unknown in secilc.c required a 'U' in
>> the getopt line:
>>>
>>     getopt_long(argc, argv, "hvtU:MDc:",
>> .....
>>>
>>
>> Thanks, fixed and pushed.
>>
>>> 5) I could not load a new policy that had a boolean
>> and supporting
>>>       statements in it. The actual
>> binary policy was fine (using apol), but
>>>       load_policy had problems. I
>> started with a Fedora 16 base and added
>>>       the new Integration code with
>> no problems. Is it a known problem as
>>>       if not I'll check further.
>>>       The errors I had when running
>> semodule with a boolean were (Note: I
>>>       had already built a new base
>> policy (SELINUXTYPE=rch-test1) with no
>>>       problems):
>>
>> Hmmm, this is interesting. Both seinfo and apol are fine
>> with my
>> CIL-generated binary, but fails to load when I add
>> booleans. I also
>> generated a similar mdp policy.conf, ran checkpolicy, and
>> that failed to
>> load as well. sediff also shows the two binaries to be the
>> same.
>>
>> I'll look into this more, but because of that, I'm thinking
>> this is a
>> kernel bug. If anyone else wants to look at it, I've
>> attached a simple
>> file that is the standard mdp.conf with a single boolean
>> defined, and
>> single conditional statement using that boolean. This
>> builds a binary
>> fine, and apol/seinfo have no problem with it, but fails to
>> load with
>> load_policy.
>>
>
>
>




* Re: CIL/SELinux Userspace Integration
  2011-12-07 14:04     ` Steve Lawrence
@ 2011-12-07 18:45       ` Eric Paris
  2011-12-07 20:15         ` Eric Paris
  0 siblings, 1 reply; 11+ messages in thread
From: Eric Paris @ 2011-12-07 18:45 UTC (permalink / raw)
  To: Steve Lawrence; +Cc: Richard Haines, selinux

I've found and fixed one kernel bug using this policy, but not THE
kernel bug.  Weeeee

On Wed, Dec 7, 2011 at 9:04 AM, Steve Lawrence <slawrence@tresys.com> wrote:
> On 12/07/2011 08:54 AM, Eric Paris wrote:
>>
>> On Wed, Dec 7, 2011 at 8:32 AM, Steve Lawrence<slawrence@tresys.com>
>>  wrote:
>>>
>>> On 12/03/2011 11:30 AM, Richard Haines wrote:
>>
>>
>>>> 5) I could not load a new policy that had a boolean and supporting
>>>>    statements in it. The actual binary policy was fine (using apol), but
>>>>    load_policy had problems. I started with a Fedora 16 base and added
>>>>    the new Integration code with no problems. Is it a known problem as
>>>>    if not I'll check further.
>>>>    The errors I had when running semodule with a boolean were (Note: I
>>>>    had already built a new base policy (SELINUXTYPE=rch-test1) with no
>>>>    problems):
>>>
>>>
>>>
>>> Hmmm, this is interesting. Both seinfo and apol are fine with my
>>> CIL-generated binary, but fails to load when I add booleans. I also
>>> generated a similar mdp policy.conf, ran checkpolicy, and that failed to
>>> load as well. sediff also shows the two binaries to be the same.
>>>
>>> I'll look into this more, but because of that, I'm thinking this is a
>>> kernel
>>> bug. If anyone else wants to look at it, I've attached a simple file that
>>> is
>>> the standard mdp.conf with a single boolean defined, and single
>>> conditional
>>> statement using that boolean. This builds a binary fine, and apol/seinfo
>>> have no problem with it, but fails to load with load_policy.
>>>
>>>>
>>>>                       ------ Start --------------
>>>> # semodule -i base.cil ext_gateway.cil int_gateway.cil move_file.cil
>>>>
>>>> SELinux:  Could not load policy file
>>>> /etc/selinux/rch-test1/policy/policy.26:  No such file or directory
>>>> /sbin/load_policy:  Can't load policy:  No such file or directory
>>>>
>>>> libsemanage.semanage_reload_policy: load_policy returned error code 2.
>>>> (No
>>>> such file or directory).
>>>> SELinux:  Could not load policy file
>>>> /etc/selinux/rch-test1/policy/policy.26:  No such file or directory
>>>> /sbin/load_policy:  Can't load policy:  No such file or directory
>>>>
>>>> libsemanage.semanage_reload_policy: load_policy returned error code 2.
>>>> (No
>>>> such file or directory).
>>>> semodule:  Failed!
>>>>
>>>>                     ----- End -----------------
>>
>>
>> If you send me the policy.X in question I'll spend a couple minutes
>> figuring out what the kernel is upset about...
>
>
> policy.24 attached. Thanks.




* Re: CIL/SELinux Userspace Integration
  2011-12-07 18:45       ` Eric Paris
@ 2011-12-07 20:15         ` Eric Paris
  2011-12-08 12:25           ` Richard Haines
  2011-12-08 13:28           ` Stephen Smalley
  0 siblings, 2 replies; 11+ messages in thread
From: Eric Paris @ 2011-12-07 20:15 UTC (permalink / raw)
  To: Steve Lawrence; +Cc: Richard Haines, selinux

So the problem comes from the code which creates the files in
/selinux/booleans.  It does an explicit check for a genfs rule for
selinuxfs to label the new inode.  I'm not certain why we need this
bit of code.  Maybe it is there to support labeling of individual
booleans somehow, but I don't see how or why this particular piece of
code is needed.  In any case I believe (Steve tested but I'm not
exactly sure what he did) that you can add a genfs statement for
selinuxfs and it will start working...

On Wed, Dec 7, 2011 at 1:45 PM, Eric Paris <eparis@parisplace.org> wrote:
> I've found and fixed one kernel bug using this policy, but not THE
> kernel bug.  Weeeee
>
> On Wed, Dec 7, 2011 at 9:04 AM, Steve Lawrence <slawrence@tresys.com> wrote:
>> On 12/07/2011 08:54 AM, Eric Paris wrote:
>>>
>>> On Wed, Dec 7, 2011 at 8:32 AM, Steve Lawrence<slawrence@tresys.com>
>>>  wrote:
>>>>
>>>> On 12/03/2011 11:30 AM, Richard Haines wrote:
>>>
>>>
>>>>> 5) I could not load a new policy that had a boolean and supporting
>>>>>    statements in it. The actual binary policy was fine (using apol), but
>>>>>    load_policy had problems. I started with a Fedora 16 base and added
>>>>>    the new Integration code with no problems. Is it a known problem as
>>>>>    if not I'll check further.
>>>>>    The errors I had when running semodule with a boolean were (Note: I
>>>>>    had already built a new base policy (SELINUXTYPE=rch-test1) with no
>>>>>    problems):
>>>>
>>>>
>>>>
>>>> Hmmm, this is interesting. Both seinfo and apol are fine with my
>>>> CIL-generated binary, but fails to load when I add booleans. I also
>>>> generated a similar mdp policy.conf, ran checkpolicy, and that failed to
>>>> load as well. sediff also shows the two binaries to be the same.
>>>>
>>>> I'll look into this more, but because of that, I'm thinking this is a
>>>> kernel bug. If anyone else wants to look at it, I've attached a simple
>>>> file that is the standard mdp.conf with a single boolean defined, and
>>>> single conditional statement using that boolean. This builds a binary
>>>> fine, and apol/seinfo have no problem with it, but fails to load with
>>>> load_policy.
>>>>
>>>>>
>>>>>                       ------ Start --------------
>>>>> # semodule -i base.cil ext_gateway.cil int_gateway.cil move_file.cil
>>>>>
>>>>> SELinux:  Could not load policy file
>>>>> /etc/selinux/rch-test1/policy/policy.26:  No such file or directory
>>>>> /sbin/load_policy:  Can't load policy:  No such file or directory
>>>>>
>>>>> libsemanage.semanage_reload_policy: load_policy returned error code 2.
>>>>> (No such file or directory).
>>>>> SELinux:  Could not load policy file
>>>>> /etc/selinux/rch-test1/policy/policy.26:  No such file or directory
>>>>> /sbin/load_policy:  Can't load policy:  No such file or directory
>>>>>
>>>>> libsemanage.semanage_reload_policy: load_policy returned error code 2.
>>>>> (No such file or directory).
>>>>> semodule:  Failed!
>>>>>
>>>>>                     ----- End -----------------
>>>
>>>
>>> If you send me the policy.X in question I'll spend a couple minutes
>>> figuring out what the kernel is upset about...
>>
>>
>> policy.24 attached. Thanks.




* Re: CIL/SELinux Userspace Integration
  2011-12-07 20:15         ` Eric Paris
@ 2011-12-08 12:25           ` Richard Haines
  2011-12-08 13:28           ` Stephen Smalley
  1 sibling, 0 replies; 11+ messages in thread
From: Richard Haines @ 2011-12-08 12:25 UTC (permalink / raw)
  To: Steve Lawrence, Eric Paris; +Cc: selinux

I added (genfscon selinuxfs / ...) as Eric suggested and booleans now work okay in policy.

I found getsebool and sestatus -b worked okay. 

setsebool worked setting a different value in running policy, however 'setsebool -P ..' core dumped. 

Richard

--- On Wed, 7/12/11, Eric Paris <eparis@parisplace.org> wrote:

> From: Eric Paris <eparis@parisplace.org>
> Subject: Re: CIL/SELinux Userspace Integration
> To: "Steve Lawrence" <slawrence@tresys.com>
> Cc: "Richard Haines" <richard_c_haines@btinternet.com>, selinux@tycho.nsa.gov
> Date: Wednesday, 7 December, 2011, 20:15
> So the problem comes from the code which creates the files in
> /selinux/booleans.  It does an explicit check for a genfs rule for
> selinuxfs to label the new inode.  I'm not certain why we need this
> bit of code.  Maybe it is there to support labeling of individual
> booleans somehow, but I don't see how or why this particular piece of
> code is needed.  In any case I believe (Steve tested but I'm not
> exactly sure what he did) that you can add a genfs statement for
> selinuxfs and it will start working...
> 



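The pre-flight check below is an added example, not code from the CIL project or from anyone in the thread: it parses a CIL source file and reports booleans that are declared without any genfscon rule for selinuxfs, the combination Eric traced to the kernel's creation of the boolean files and Richard fixed by adding one. The CIL fragment and the context ids proc_ctx and security_ctx are constructed for the example.

```python
import re

# Tokens: parens, "quoted strings", ;comments (dropped below), bare symbols.
TOKEN_RE = re.compile(r'\(|\)|"[^"]*"|;[^\n]*|[^\s()";]+')

def parse_cil(text):
    """Parse CIL s-expressions into nested Python lists, dropping comments."""
    stack = [[]]
    for tok in TOKEN_RE.findall(text):
        if tok.startswith(';'):
            continue
        if tok == '(':
            stack.append([])
        elif tok == ')':
            if len(stack) == 1:
                raise ValueError("unexpected ')' in CIL input")
            node = stack.pop()
            stack[-1].append(node)
        else:
            stack[-1].append(tok.strip('"'))
    if len(stack) != 1:
        raise ValueError("unbalanced '(' in CIL input")
    return stack[0]

def statements(nodes):
    """Yield every statement, descending into block/optional/in containers."""
    for node in nodes:
        if isinstance(node, list) and node:
            yield node
            if node[0] in ('block', 'optional', 'in'):
                yield from statements(node[2:])

def check_selinuxfs_genfs(text):
    """Return (declared boolean ids, whether a genfscon for selinuxfs exists)."""
    stmts = list(statements(parse_cil(text)))
    booleans = [s[1] for s in stmts if s[0] == 'boolean' and len(s) > 1]
    has_genfs = any(s[0] == 'genfscon' and len(s) > 2 and s[1] == 'selinuxfs'
                    for s in stmts)
    return booleans, has_genfs

# Constructed fragment: one boolean plus a conditional, genfscon only for proc.
SAMPLE_BROKEN = """
; hypothetical context ids proc_ctx / security_ctx stand in for real ones
(boolean allow_move false)
(booleanif allow_move
    (true (allow user_t file_t (file (read)))))
(genfscon proc "/" proc_ctx)
"""
# Same fragment with the selinuxfs rule the thread settles on added.
SAMPLE_FIXED = SAMPLE_BROKEN + '(genfscon selinuxfs "/" security_ctx)\n'
```

check_selinuxfs_genfs(SAMPLE_BROKEN) yields (['allow_move'], False), which is the case to flag before running semodule; the fixed sample yields True.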

* Re: CIL/SELinux Userspace Integration
  2011-12-07 20:15         ` Eric Paris
  2011-12-08 12:25           ` Richard Haines
@ 2011-12-08 13:28           ` Stephen Smalley
  1 sibling, 0 replies; 11+ messages in thread
From: Stephen Smalley @ 2011-12-08 13:28 UTC (permalink / raw)
  To: Eric Paris; +Cc: Steve Lawrence, Richard Haines, selinux

On Wed, 2011-12-07 at 15:15 -0500, Eric Paris wrote:
> So the problem comes from the code which creates the files in
> /selinux/booleans.  It does an explicit check for a genfs rule for
> selinuxfs to label the new inode.  I'm not certain why we need this
> bit of code.  Maybe it is there to support labeling of individual
> booleans somehow, but I don't see how or why this particular piece of
> code is needed.  In any case I believe (Steve tested but I'm not
> exactly sure what he did) that you can add a genfs statement for
> selinuxfs and it will start working...

Yes, it was to support per-boolean labeling.  However, as you note, lack
of a matching entry for selinuxfs in policy shouldn't be fatal for
policy load, so we should at least ignore ENOENT from
security_genfs_sid() there.  There is a larger issue there however; any
failure in sel_make_bools, sel_make_classes, or sel_make_policycap will
return an error to userspace, causing it to think that the policy load
failed (which triggers an unwind of the transaction by libsemanage,
reverting to the prior policy file), but we have already switched
policies in the kernel as part of security_load_policy().

-- 
Stephen Smalley
National Security Agency



