From: James Carter <jwcart2@tycho.nsa.gov>
To: Richard Haines <richard_c_haines@btinternet.com>
Cc: SELinux List <selinux@tycho.nsa.gov>
Subject: Re: Common Intermediate Language (CIL) Update
Date: Thu, 22 Aug 2013 15:38:50 -0400
Message-ID: <521668CA.7040305@tycho.nsa.gov>
In-Reply-To: <1377189006.38963.YahooMailNeo@web87904.mail.ir2.yahoo.com>

On 08/22/2013 12:30 PM, Richard Haines wrote:
> Thanks for the updated CIL that has many useful fixes, however I notice that you removed the "permissionset" statement. Is this to be dropped altogether or just in your version (I've got lots in my test policy so thought I would ask before I change them all).
>

Yes, it is. Permissions can no longer be referred to apart from their class. Not 
only was the permissionset statement removed, but permissions can no longer be 
passed as an argument to a call.

Either classpermissionset or classmapping statements can be used to replace 
them. I am sorry to say that this is a little bit more work up front, but I 
think it makes sense for the overall policy.


> Richard
>
>
>
> ________________________________
>   From: James Carter <jwcart2@tycho.nsa.gov>
> To: SELinux List <selinux@tycho.nsa.gov>
> Cc: Steve Lawrence <slawrence@tresys.com>
> Sent: Monday, 29 July 2013, 18:36
> Subject: Common Intermediate Language (CIL) Update
>
>
> The CIL compiler, secilc, is now able to create MLS, MCS, and non-MLS binary policies from a slightly modified version of Refpolicy that has been converted to CIL.
>
> Anyone interested in trying CIL out can do the following:
>
> 1) Clone the CIL compiler and cilpolicy
> git clone https://jwcarter@bitbucket.org/jwcarter/secilc.git
> git clone https://jwcarter@bitbucket.org/jwcarter/cilpolicy.git
>
> 2) Build secilc
> cd secilc
> make
> cd ..
>
> 3) Build cilpolicy
> ./secilc/secilc `cat cilpolicy/LISTING`
>
>
> To build an MLS policy:
>
> Edit "cilpolicy/mls_declarations" and change "(tunable enable_mls false)" to "(tunable enable_mls true)"
>
> Build the MLS policy: ./secilc/secilc -M `cat cilpolicy/LISTING`
>
> MCS is similar.
>
>
> Anyone interested in trying to create their own CIL policy from Refpolicy can clone the Flask Policy Parser (fpp) from bitbucket and follow the instructions in the README. To clone fpp:
> git clone https://jwcarter@bitbucket.org/jwcarter/fpp.git
>
> -- James Carter <jwcart2@tycho.nsa.gov>
> National Security Agency
>
> --
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
> the words "unsubscribe selinux" without quotes as the message.
>


-- 
James Carter <jwcart2@tycho.nsa.gov>
National Security Agency

