From: James Carter <jwcart2@tycho.nsa.gov>
To: Dominick Grift <dominick.grift@gmail.com>,
	selinux <selinux@tycho.nsa.gov>
Subject: Re: secilc: classmappings do not work
Date: Fri, 16 May 2014 10:20:39 -0400
Message-ID: <53761EB7.5060906@tycho.nsa.gov>
In-Reply-To: <1400242442.444.9.camel@x220.localdomain>

On 05/16/2014 08:14 AM, Dominick Grift wrote:
> I wanted to try out some of the less common features of cil after
> studying the cil reference guide but it's been a bumpy ride.
>
> Anyhow classmappings do not work
>
> I have for example this one
>
> (classmap dirs (list))
>
> (classmapping dirs list
>      read_lnk_file_perms
>      list_dir_perms
> )
>
> The read_lnk_file_perms and list_dir_perms are classpermissionsets
> (which work nicely)
>
> Only the first entry works (in this example read_lnk_file_perms)
> The other entries (like in this example list_dir_perms) do not make it
> to the resulting policy
>
> I have also tried this with straight rules instead of
> classpermissionsets (same result)
>

It will work if it is written as:

(classmapping dirs list
       ((read_lnk_file_perms)
       (list_dir_perms))
)

There is a bit of awkwardness to lists of class-permissions. All of the 
following are acceptable:

1. SETNAME
2. (CLASS (PERM1 PERM2 ...))
3. ((CLASS (PERM1 PERM2 ...)) (SETNAME) ...)

We allow case 2 because it is the common case for allow rules, but because of 
case 2, if you have more than a single class-permission, everything must be 
enclosed in parentheses.

We are planning to change the syntax, but I haven't gotten around to doing it yet.

The new syntax would only allow cases 1 and 2. If you want to assign more than 
one class-permission to a classmap, classpermissionset, or rule you would just 
use multiple rules.

So your classmapping would be:

(classmapping dirs list
       read_lnk_file_perms
)

(classmapping dirs list
       list_dir_perms
)

Would this new syntax make more sense to you?

Currently, if you tried this, the first classmapping would be dropped.

Of course, secilc is not helping in your case because it is not giving any 
indication of an error and is just silently dropping the second classpermissionset.

Also note that currently classmaps cannot be used in nametypetransition, 
rangetransition, type_rule, roletransition, validatetrans, default_user, 
default_role, default_type, or default_range rules.

Jim

-- 
James Carter <jwcart2@tycho.nsa.gov>
National Security Agency
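An added check, written here for this thread and not code from secilc or from either participant, that spots the two silent-drop situations Jim describes: extra class-permission entries after a form 1 or form 2 argument, and a repeated classmapping for the same map name. It assumes plain CIL s-expressions without comments; the BROKEN and FIXED inputs are constructed from the report and the reply.

```python
import re

def parse(src):
    """Parse CIL s-expressions (no comment handling) into nested lists of strings."""
    stack = [[]]
    for tok in re.findall(r"\(|\)|[^\s()]+", src):
        if tok == "(":
            stack.append([])
        elif tok == ")":
            node = stack.pop()
            stack[-1].append(node)
        else:
            stack[-1].append(tok)
    return stack[0]                       # list of top-level statements

def classperms_form(arg):
    """Classify ARG as one of the three accepted forms; (form, entries) or (None, 0)."""
    if isinstance(arg, str):
        return 1, 1                       # 1. SETNAME
    if len(arg) == 2 and isinstance(arg[0], str) and isinstance(arg[1], list):
        return 2, 1                       # 2. (CLASS (PERM1 PERM2 ...))
    if arg and all(isinstance(e, list) for e in arg):
        return 3, len(arg)                # 3. ((CLASS (PERM1 PERM2 ...)) (SETNAME) ...)
    return None, 0

def lint(src):
    """Warn about classmapping statements secilc accepts but does not translate as written."""
    warnings, seen = [], set()
    for stmt in parse(src):
        if not stmt or stmt[0] != "classmapping" or len(stmt) < 4:
            continue
        classmap, mapname, classperms, *extra = stmt[1:]
        form, _ = classperms_form(classperms)
        if form is None:
            warnings.append(f"{classmap}/{mapname}: unrecognised class-permission form")
        if extra:
            # The reported case: form 1 or 2 consumes one entry, the rest vanish silently.
            warnings.append(f"{classmap}/{mapname}: {len(extra)} extra entries silently dropped; wrap all entries in one outer list (form 3)")
        key = (classmap, mapname)
        if key in seen:
            # Two statements for the same map name: the earlier one is dropped.
            warnings.append(f"{classmap}/{mapname}: redefined, earlier classmapping dropped")
        seen.add(key)
    return warnings

# Constructed inputs: the failing form from the report and the working form from the reply.
BROKEN = "(classmap dirs (list))\n(classmapping dirs list read_lnk_file_perms list_dir_perms)"
FIXED = "(classmap dirs (list))\n(classmapping dirs list ((read_lnk_file_perms) (list_dir_perms)))"
```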
