* Common Intermediate Language (CIL) Update
@ 2013-07-29 17:36 James Carter
  2013-07-29 17:52 ` James Carter
                   ` (2 more replies)
  0 siblings, 3 replies; 10+ messages in thread
From: James Carter @ 2013-07-29 17:36 UTC (permalink / raw)
  To: SELinux List; +Cc: Steve Lawrence

The CIL compiler, secilc, is now able to create MLS, MCS, and non-MLS binary 
policies from a slightly modified version of Refpolicy that has been converted 
to CIL.

Anyone interested in trying CIL out can do the following:

1) Clone the CIL compiler and cilpolicy
git clone https://jwcarter@bitbucket.org/jwcarter/secilc.git
git clone https://jwcarter@bitbucket.org/jwcarter/cilpolicy.git

2) Build secilc
cd secilc
make
cd ..

3) Build cilpolicy
./secilc/secilc `cat cilpolicy/LISTING`


To build an MLS policy:

Edit "cilpolicy/mls_declarations" and change "(tunable enable_mls false)" to 
"(tunable enable_mls true)"

Build the MLS policy: ./secilc/secilc -M `cat cilpolicy/LISTING`

MCS is similar.


Anyone interested in trying to create their own CIL policy from Refpolicy can 
clone the Flask Policy Parser (fpp) from bitbucket and follow the instructions 
in the README. To clone fpp:
git clone https://jwcarter@bitbucket.org/jwcarter/fpp.git

-- 
James Carter <jwcart2@tycho.nsa.gov>
National Security Agency

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: Common Intermediate Language (CIL) Update
  2013-07-29 17:36 Common Intermediate Language (CIL) Update James Carter
@ 2013-07-29 17:52 ` James Carter
  2013-08-22 16:30 ` Richard Haines
  2013-10-16 19:47 ` Common Intermediate Language (CIL) Update Dominick Grift
  2 siblings, 0 replies; 10+ messages in thread
From: James Carter @ 2013-07-29 17:52 UTC (permalink / raw)
  To: James Carter; +Cc: SELinux List, Steve Lawrence

On 07/29/2013 01:36 PM, James Carter wrote:
> The CIL compiler, secilc, is now able to create MLS, MCS, and non-MLS binary
> policies from a slightly modified version of Refpolicy that has been converted
> to CIL.
>

I meant to mention that the next step will be to integrate CIL into the SELinux 
userspace toolchain.

-- 
James Carter <jwcart2@tycho.nsa.gov>
National Security Agency


* Re: Common Intermediate Language (CIL) Update
  2013-07-29 17:36 Common Intermediate Language (CIL) Update James Carter
  2013-07-29 17:52 ` James Carter
@ 2013-08-22 16:30 ` Richard Haines
  2013-08-22 19:38   ` James Carter
  2013-10-16 19:47 ` Common Intermediate Language (CIL) Update Dominick Grift
  2 siblings, 1 reply; 10+ messages in thread
From: Richard Haines @ 2013-08-22 16:30 UTC (permalink / raw)
  To: James Carter; +Cc: SELinux List


Thanks for the updated CIL that has many useful fixes; however, I notice that you removed the "permissionset" statement. Is this to be dropped altogether or just in your version? (I've got lots in my test policy, so I thought I would ask before I change them all.)

Richard




* Re: Common Intermediate Language (CIL) Update
  2013-08-22 16:30 ` Richard Haines
@ 2013-08-22 19:38   ` James Carter
  2013-08-23 15:05     ` Richard Haines
  0 siblings, 1 reply; 10+ messages in thread
From: James Carter @ 2013-08-22 19:38 UTC (permalink / raw)
  To: Richard Haines; +Cc: SELinux List

On 08/22/2013 12:30 PM, Richard Haines wrote:
> Thanks for the updated CIL that has many useful fixes, however I notice that you removed the "permissionset" statement. Is this to be dropped altogether or just in your version (I've got lots in my test policy so thought I would ask before I change them all).
>

Yes, it is. Permissions can no longer be referred to apart from their class. Not 
only was the permissionset statement removed, but permissions can no longer be 
passed as an argument to a call.

Either classpermissionset or classmapping statements can be used to replace 
them. I am sorry to say that this is a little bit more work up front, but I 
think it makes sense for the overall policy.




-- 
James Carter <jwcart2@tycho.nsa.gov>
National Security Agency


* Re: Common Intermediate Language (CIL) Update
  2013-08-22 19:38   ` James Carter
@ 2013-08-23 15:05     ` Richard Haines
  2013-08-23 15:18       ` James Carter
  0 siblings, 1 reply; 10+ messages in thread
From: Richard Haines @ 2013-08-23 15:05 UTC (permalink / raw)
  To: James Carter; +Cc: SELinux List


Thanks for the bad news. Anyway, I've been trying the classmap / classmapping and am not sure if this is a bug or
another change. The sample I've been using is (I just modified the test policy):

    (classmap files_rw (read write))

    (classmapping files_rw read
        (file (open read getattr)))

    (classmapping files_rw write
        (file (execute_no_trans entrypoint execmod open audit_access))
        (file (open write setattr)))

However the results vary between your version and the Tresys version as follows:

secil from git clone http://oss.tresys.com/git/cil.git cil
allow policy.console_t policy.t_1 : policy.file { write setattr execute_no_trans entrypoint execmod open audit_access } ;
allow policy.console_t policy.t_2 : policy.file { read getattr open } ;

secil from git clone https://jwcarter@bitbucket.org/jwcarter/secilc.git
allow policy.console_t policy.t_1 : policy.file { execute_no_trans entrypoint execmod open audit_access } ;
allow policy.console_t policy.t_2 : policy.file { read getattr open } ;


I think the Tresys version is correct (well I hope so)

Richard




* Re: Common Intermediate Language (CIL) Update
  2013-08-23 15:05     ` Richard Haines
@ 2013-08-23 15:18       ` James Carter
  2013-08-25 16:15         ` CIL constraint problem Richard Haines
  0 siblings, 1 reply; 10+ messages in thread
From: James Carter @ 2013-08-23 15:18 UTC (permalink / raw)
  To: Richard Haines; +Cc: SELinux List

On 08/23/2013 11:05 AM, Richard Haines wrote:
> Thanks for the bad news, anyway I've been trying the classmap / classmapping and not sure if this is a bug or
> another change. The sample I've been using is (I just modified the test policy):
>
>      (classmap files_rw (read write))
>
>      (classmapping files_rw read
>          (file (open read getattr)))
>
>      (classmapping files_rw write
>          (file (execute_no_trans entrypoint execmod open audit_access))
>          (file (open write setattr)))
>
> However the results vary between your version and the Tresys version as follows:
>
> secil from git clone http://oss.tresys.com/git/cil.git cil
> allow policy.console_t policy.t_1 : policy.file { write setattr execute_no_trans entrypoint execmod open audit_access } ;
> allow policy.console_t policy.t_2 : policy.file { read getattr open } ;
>
> secil from git clone https://jwcarter@bitbucket.org/jwcarter/secilc.git
> allow policy.console_t policy.t_1 : policy.file { execute_no_trans entrypoint execmod open audit_access } ;
> allow policy.console_t policy.t_2 : policy.file { read getattr open } ;
>
>
> I think the Tresys version is correct (well I hope so)
>

The Tresys version is correct. This is a bug. I will take a look at it.

Thanks for the report.

Jim


-- 
James Carter <jwcart2@tycho.nsa.gov>
National Security Agency


* CIL constraint problem
  2013-08-23 15:18       ` James Carter
@ 2013-08-25 16:15         ` Richard Haines
       [not found]           ` <521CD1D7.1070505@tresys.com>
  0 siblings, 1 reply; 10+ messages in thread
From: Richard Haines @ 2013-08-25 16:15 UTC (permalink / raw)
  To: James Carter; +Cc: selinux list

I've been trying the constraints in CIL and found they were not being
generated although I managed to fix this with the patch listed at the end. 

However there is still a problem that I have not managed to track down and
that is where I use a typeattribute in the constraint. The following is an
example CIL policy segment:

; Start
(class file (execute_no_trans entrypoint execmod open audit_access))
(common file (ioctl read write create getattr setattr lock relabelfrom
    relabelto append unlink link rename execute swapon quotaon mounton))
(classcommon file file)
(type  ax_t)
(type  bx_t)
(type  cx_t)
(typeattribute attribute_1)
(typeattributeset attribute_1 ax_t)
(typeattributeset attribute_1 bx_t)
(typeattributeset attribute_1 cx_t)
(constrain (file (execute_no_trans)) (or (and (eq t2 attribute_1) (eq t1 ax_t)) (neq r1 r2)))
; End

The policy statement generated by secilc (note the Tresys version does the same):
constrain { file } { execute_no_trans }
    (( t2 == attribute_1  ) and ( t1 == ax_t  ) or ( r1 != r2 ));

However it should be:
constrain { file } { execute_no_trans }
    (( t2 == { ax_t bx_t cx_t } ) and ( t1 == ax_t  ) or ( r1 != r2 ));


Subject: [PATCH] Allow CIL to generate constraints

Before this, no constraint statements were generated.
---
 src/cil_binary.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/cil_binary.c b/src/cil_binary.c
index e31f589..bbbc534 100644
--- a/src/cil_binary.c
+++ b/src/cil_binary.c
@@ -1971,14 +1971,14 @@ int cil_constrain_to_policydb(policydb_t *pdb, struct cil_symtab_datum *datum)
 
     cil_list_for_each(curr, cil_constrain->classperms) {
         struct cil_classperms *classperms = curr->data;
-        if (classperms->flavor == CIL_CLASS) {
+        if (classperms->flavor == CIL_CLASSPERMS) {
             key = ((struct cil_symtab_datum *)classperms->r.cp.class)->name;
 
             rc = cil_constrain_to_policydb_helper(pdb, key, classperms->r.cp.perms, expr);
             if (rc != SEPOL_OK) {
                 goto exit;
             }
-        } else if (classperms->flavor == CIL_MAP_CLASS) {
+        } else if (classperms->flavor == CIL_MAP_CLASSPERMS) {
             struct cil_list_item *i = NULL;
             cil_list_for_each(i, classperms->r.mcp.perms) {
                 struct cil_map_perm *cmp = i->data;
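Review bot: Both flavor tests in the cil_list_for_each loop (the if on CIL_CLASSPERMS and the else if on CIL_MAP_CLASSPERMS) fall through silently when neither matches, in the lines shown, which is how comparing against CIL_CLASS / CIL_MAP_CLASS could drop every constraint without an error. If the chain does not already end in one, add a final else that sets rc = SEPOL_ERR and does goto exit, so an unexpected flavor fails the build instead of emitting a policy with no constraints. The commit message should also say why the old constants never matched (the loop walks cil_constrain->classperms, whose items are struct cil_classperms, not classes), and the patch carries no Signed-off-by line.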
-- 
1.7.11.7



* Re: CIL constraint problem
       [not found]           ` <521CD1D7.1070505@tresys.com>
@ 2013-08-27 16:29             ` James Carter
  0 siblings, 0 replies; 10+ messages in thread
From: James Carter @ 2013-08-27 16:29 UTC (permalink / raw)
  To: Steve Lawrence; +Cc: Richard Haines, SELinux List

On 08/27/2013 12:20 PM, Steve Lawrence wrote:
> Yep, looks like we aren't expanding typeattributes in constraints. I have a fix
> for the master branch on oss, but Jim has made a few changes to how constraints
> work, so my patch doesn't apply cleanly. I'm also seeing a segfault on the nsa
> branch with the simple test cil file (test/policy.cil), still looking into that.
> I've attached the patch to the oss master branch if you'd like to give it a shot.
>

I am still looking at the previous bug with constraints and investigating 
perhaps the same segfault. Expanding typeattributes won't be hard; I just hadn't 
realized that needed to be done for constraints. Hopefully, it won't take too 
long to resolve this.

Jim

> - Steve
>
>
> On 08/25/2013 12:15 PM, Richard Haines wrote:
>> I've been trying the constraints in CIL and found they were not being
>> generated although I managed to fix this with the patch listed at the end.
>>
>> However there is still a problem that I have not managed to track down and
>> that is where I use a typeattribute in the constraint. The following is an
>> example CIL policy segment:
>>
>> ; Start
>> (class file (execute_no_trans entrypoint execmod open audit_access))
>> (common file (ioctl read write create getattr setattr lock relabelfrom
>>      relabelto append unlink link rename execute swapon quotaon mounton))
>> (classcommon file file)
>> (type  ax_t)
>> (type  bx_t)
>> (type  cx_t)
>> (typeattribute attribute_1)
>> (typeattributeset attribute_1 ax_t)
>> (typeattributeset attribute_1 bx_t)
>> (typeattributeset attribute_1 cx_t)
>> (constrain (file (execute_no_trans)) (or (and (eq t2 attribute_1) (eq t1
>> ax_t)) (neq r1 r2)))
>> ; End
>>
>> The policy statement generated by secilc (note the Tresys version does the same):
>> constrain { file } { execute_no_trans }
>>      (( t2 == attribute_1  ) and ( t1 == ax_t  ) or ( r1 != r2 ));
>>
>> However it should be:
>> constrain { file } { execute_no_trans }
>>      (( t2 == { ax_t bx_t cx_t } ) and ( t1 == ax_t  ) or ( r1 != r2 ));
>>
>>
>> Subject: [PATCH] Allow CIL to generate constraints
>>
>> Before this, no constraint statements were generated.
>> ---
>>   src/cil_binary.c | 4 ++--
>>   1 file changed, 2 insertions(+), 2 deletions(-)
>>
>> diff --git a/src/cil_binary.c b/src/cil_binary.c
>> index e31f589..bbbc534 100644
>> --- a/src/cil_binary.c
>> +++ b/src/cil_binary.c
>> @@ -1971,14 +1971,14 @@ int cil_constrain_to_policydb(policydb_t *pdb, struct
>> cil_symtab_datum *datum)
>>
>>       cil_list_for_each(curr, cil_constrain->classperms) {
>>           struct cil_classperms *classperms = curr->data;
>> -        if (classperms->flavor == CIL_CLASS) {
>> +        if (classperms->flavor == CIL_CLASSPERMS) {
>>               key = ((struct cil_symtab_datum *)classperms->r.cp.class)->name;
>>
>>               rc = cil_constrain_to_policydb_helper(pdb, key,
>> classperms->r.cp.perms, expr);
>>               if (rc != SEPOL_OK) {
>>                   goto exit;
>>               }
>> -        } else if (classperms->flavor == CIL_MAP_CLASS) {
>> +        } else if (classperms->flavor == CIL_MAP_CLASSPERMS) {
>>               struct cil_list_item *i = NULL;
>>               cil_list_for_each(i, classperms->r.mcp.perms) {
>>                   struct cil_map_perm *cmp = i->data;
>>
>


-- 
James Carter <jwcart2@tycho.nsa.gov>
National Security Agency
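
The two expansions reported in this thread, modelled in Python as an added example (not code from secilc or from any poster; all function names are hypothetical): every classperms list given for one classmapping permission is merged, and a typeattribute inside a constrain expression is replaced by its member types. The samples are the CIL snippets quoted in the thread, with the class/common declarations left out.

```python
# Added illustration (not secilc code): toy model of the classmapping merge
# and the typeattribute expansion in constraints discussed in this thread.
import re

def parse(text):
    """Parse CIL S-expressions into nested lists; ';' starts a comment."""
    tokens = re.findall(r"[()]|[^\s()]+", re.sub(r";[^\n]*", "", text))
    stack = [[]]
    for tok in tokens:
        if tok == "(":
            stack.append([])
        elif tok == ")":
            if len(stack) == 1:
                raise ValueError("unbalanced ')'")
            closed = stack.pop()
            stack[-1].append(closed)
        else:
            stack[-1].append(tok)
    if len(stack) != 1:
        raise ValueError("unbalanced '('")
    return stack[0]

def resolve_classmappings(stmts):
    """Map (classmap, map_perm) -> {class: [perms]}, merging every classperms
    list given for the same map permission instead of keeping only the first."""
    declared = {s[1]: s[2] for s in stmts if s[0] == "classmap"}
    merged = {}
    for s in (s for s in stmts if s[0] == "classmapping"):
        _, cmap, map_perm, *classperms = s
        if map_perm not in declared.get(cmap, []):
            raise ValueError(f"{map_perm!r} not declared in classmap {cmap!r}")
        per_class = merged.setdefault((cmap, map_perm), {})
        for cls, perms in classperms:
            known = per_class.setdefault(cls, [])
            for perm in perms:
                if perm not in known:
                    known.append(perm)
    return merged

def expand_constraints(stmts):
    """Return each constrain expression with typeattribute names replaced by
    their member types (assumes one type per typeattributeset statement)."""
    members = {s[1]: [] for s in stmts if s[0] == "typeattribute"}
    for s in (s for s in stmts if s[0] == "typeattributeset"):
        members[s[1]].append(s[2])  # KeyError if the attribute is undeclared

    def walk(node):
        if isinstance(node, list):
            return [walk(n) for n in node]
        if node in members:
            if not members[node]:
                # An empty expansion would silently change the constraint.
                raise ValueError(f"attribute {node!r} has no member types")
            return list(members[node])
        return node

    return [walk(s[2]) for s in stmts if s[0] == "constrain"]

# Samples copied from the thread.
CLASSMAP_SAMPLE = """
(classmap files_rw (read write))
(classmapping files_rw read
    (file (open read getattr)))
(classmapping files_rw write
    (file (execute_no_trans entrypoint execmod open audit_access))
    (file (open write setattr)))
"""

CONSTRAIN_SAMPLE = """
(type ax_t) (type bx_t) (type cx_t)
(typeattribute attribute_1)
(typeattributeset attribute_1 ax_t)
(typeattributeset attribute_1 bx_t)
(typeattributeset attribute_1 cx_t)
(constrain (file (execute_no_trans))
    (or (and (eq t2 attribute_1) (eq t1 ax_t)) (neq r1 r2)))
"""
```
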


* Re: Common Intermediate Language (CIL) Update
  2013-07-29 17:36 Common Intermediate Language (CIL) Update James Carter
  2013-07-29 17:52 ` James Carter
  2013-08-22 16:30 ` Richard Haines
@ 2013-10-16 19:47 ` Dominick Grift
  2013-10-16 20:50   ` James Carter
  2 siblings, 1 reply; 10+ messages in thread
From: Dominick Grift @ 2013-10-16 19:47 UTC (permalink / raw)
  To: James Carter; +Cc: SELinux List, Steve Lawrence

On Mon, 2013-07-29 at 13:36 -0400, James Carter wrote:
> The CIL compiler, secilc, is now able to create MLS, MCS, and non-MLS binary 
> policies from a slightly modified version of Refpolicy that has been converted 
> to CIL.
> 
> Anyone interested in trying CIL out can do the following:

I cloned both the repositories in this mail as well as the one hosted by
Tresys, but there are no new commits in either.

A couple of things stand out when I try this:

both non-mls and mls policy have no constraints according to seinfo
both non-mls and mls policy have no neverallow rules according to seinfo
the non-mls policy has a category "c0"

I like what I am seeing a lot; unfortunately it is not really usable yet
because user land can't work with it yet, and I need it to create home
directory contexts.

Looking forward to an update to this.



* Re: Common Intermediate Language (CIL) Update
  2013-10-16 19:47 ` Common Intermediate Language (CIL) Update Dominick Grift
@ 2013-10-16 20:50   ` James Carter
  0 siblings, 0 replies; 10+ messages in thread
From: James Carter @ 2013-10-16 20:50 UTC (permalink / raw)
  To: Dominick Grift; +Cc: SELinux List, Steve Lawrence

On 10/16/2013 03:47 PM, Dominick Grift wrote:
> On Mon, 2013-07-29 at 13:36 -0400, James Carter wrote:
>> The CIL compiler, secilc, is now able to create MLS, MCS, and non-MLS binary
>> policies from a slightly modified version of Refpolicy that has been converted
>> to CIL.
>>
>> Anyone interested in trying CIL out can do the following:
>
> I cloned both the repositories in this mail as well as the one hosted by
> tresys but no new commits in either
>
> A couple of things stand out when i try this
>
> both non-mls and mls policy have no constraints according to seinfo

An update will be coming soon that will fix that bug.

> both non-mls and mls policy have no neverallow rules according to seinfo

They are evaluated by CIL.

> the non-mls policy has a category "c0"
>

That might be a recent bug. I don't see it on some earlier policy binaries 
generated by CIL.

> I like what i am seeing a lot, unfortunately it is not really usable yet
> because user land can't work with it yet, and i need it to create home
> directory contexts
>

The userspace stuff is coming along.

> looking forward to an update to this
>

Thanks for the comments.


-- 
James Carter <jwcart2@tycho.nsa.gov>
National Security Agency
