From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from goalie.tycho.ncsc.mil (goalie [144.51.242.250]) by tarius.tycho.ncsc.mil (8.14.4/8.14.4) with ESMTP id t1QDaUvU027636 for ; Thu, 26 Feb 2015 08:36:30 -0500 Message-ID: <54EF2149.9000000@tresys.com> Date: Thu, 26 Feb 2015 08:36:09 -0500 From: Steve Lawrence MIME-Version: 1.0 To: Richard Haines , Subject: Re: [PATCH] libsepol: Update CIL documentation References: <1424872804-4311-1-git-send-email-richard_c_haines@btinternet.com> In-Reply-To: <1424872804-4311-1-git-send-email-richard_c_haines@btinternet.com> Content-Type: text/plain; charset="windows-1252" List-Id: "Security-Enhanced Linux \(SELinux\) mailing list" List-Post: List-Help: On 02/25/2015 09:00 AM, Richard Haines wrote: > Reformat secilc(8) man page for readability and correct url > > Remove unused/obsolete info and correct portcon statement in the > Reference Guide. > > Signed-off-by: Richard Haines Acked-by: Steve Lawrence Thanks! > --- > libsepol/cil/docs/CIL_Reference_Guide.xml | 10 +-- > .../cil/docs/cil_network_labeling_statements.xml | 14 +++- > libsepol/cil/docs/secilc.8.xml | 92 ++++++++++++++-------- > 3 files changed, 71 insertions(+), 45 deletions(-) > > diff --git a/libsepol/cil/docs/CIL_Reference_Guide.xml b/libsepol/cil/docs/CIL_Reference_Guide.xml > index e905152..e089079 100644 > --- a/libsepol/cil/docs/CIL_Reference_Guide.xml > +++ b/libsepol/cil/docs/CIL_Reference_Guide.xml > @@ -27,26 +27,18 @@ >
> > Common Interface Language (CIL) Reference Guide > - > - > - 0.2 > - 22nd May '14 > - Updated classmap/classmapping, added classmap to statements that utilise class_id's (defaultuser, typetransition etc.), update various examples to show anonymous classpermissionset's using expressions. > - > - > > > > CIL Information > > - The statement definitions are those found in the source from: git clone dated 21st May '14. > Not all possible alternate statement permutations are shown, however there should be enough variation to work out any other valid formats. There is also an example policy.cil file shown in the Appendix. > The MLS components on contexts and user statements must be declared even if the policy does not support MCS/MLS. > The CIL compiler will not build a policy unless it also has as a minimum: one allow rule, one sid, sidorder and sidcontext statement. > The role object_r must be explicitly associated to contexts used for labeling objects. The original checkpolicy(8) and checkmodule(8) compilers did this by default - CIL does not. > Be aware that CIL allows class statements to be declared in a namespace, however the policy author needs to note that applications (and the kernel) generally reference a class by its well known class identifier (e.g. zygote) however if declared in a namespace (e.g. (block zygote (class zygote (...))) or (block zygote (class class (...)))) it would be prefixed with that namespace (e.g. zygote.zygote or zygote.class). Unless the application / kernel code was updated the class would never be resolved, therefore it is recommended that classes are declared in the global namespace. > Where possible use typeattribute's when defining source/target allow rules instead of multiple allow rules with individual type's. This will lead to the generation of much smaller kernel policy files. > - The site explains the language however some of the statement definitions are dated. 
> + The site explains the language however some of the statement definitions are dated. > > > Declarations > diff --git a/libsepol/cil/docs/cil_network_labeling_statements.xml b/libsepol/cil/docs/cil_network_labeling_statements.xml > index 785b583..1047108 100644 > --- a/libsepol/cil/docs/cil_network_labeling_statements.xml > +++ b/libsepol/cil/docs/cil_network_labeling_statements.xml > @@ -186,7 +186,7 @@ > portcon > Label a udp or tcp port. > Statement definition: > - > + > Where: > > > @@ -211,6 +211,16 @@ > > > > + port | > + (port_low port_high) > + > + > + A single port to apply the context, or a range of ports. > + The entries must consist of numerics [0-9]. > + > + > + > + > context_id > > > @@ -227,7 +237,7 @@ > (portcon tcp 2222 (unconfined.user object_r unconfined.object levelrange_2)) > (portcon tcp 3333 (unconfined.user object_r unconfined.object levelrange_1)) > (portcon udp 4444 (unconfined.user object_r unconfined.object ((s0) level_2))) > -(portcon tcp 55555 (unconfined.user object_r unconfined.object (systemlow level_3)))]]> > +(portcon tcp (2000 20000) (unconfined.user object_r unconfined.object (systemlow level_3)))]]> > > > > diff --git a/libsepol/cil/docs/secilc.8.xml b/libsepol/cil/docs/secilc.8.xml > index 12d72b7..9e2670b 100644 > --- a/libsepol/cil/docs/secilc.8.xml > +++ b/libsepol/cil/docs/secilc.8.xml > @@ -12,7 +12,7 @@ > > SECILC > 8 > - 12 May 2014 > + 18 February 2015 > secilc > SELinux CIL Compiler 
> > @@ -34,38 +34,62 @@ > > > OPTIONS > - > - Write binary policy to file (default: policy.version) > - > - > - Write file contexts to file (default: file_contexts) > - > - > - Specify target architecture. May be selinux or xen (default: selinux) > - > - > - Build an mls policy. Must be true or false. This will override the (mls boolean) statement if present in the policy. > - > - > - Build a binary policy with a given version (default: depends on the systems SELinux policy version, see sestatus8) > - > - > - How to handle unknown classes or permissions. May be deny, allow, or reject (default: deny). This will override the (handleunknown action) statement if present in the policy. > - > - > - Do not add dontaudit rules to the binary policy. > - > - > - Treat tunables as booleans. > - > - > - Do not check neverallow rules. > - > - > - Increment verbosity level. > - > - > - Display usage information. > + > + > + > + Write binary policy to file (default: policy.version) > + > + > + > + > + Write file contexts to file (default: file_contexts) > + > + > + > + > + Specify target architecture. May be selinux or xen (default: selinux) > + > + > + > + > + Build an mls policy. Must be true or false. This will override the (mls boolean) statement if present in the policy. > + > + > + > + > + Build a binary policy with a given version (default: depends on the systems SELinux policy version, see sestatus8) > + > + > + > + > + How to handle unknown classes or permissions. May be deny, allow, or reject (default: deny). This will override the (handleunknown action) statement if present in the policy. > + > + > + > + > + Do not add dontaudit rules to the binary policy. > + > + > + > + > + Treat tunables as booleans. > + > + > + > + > + Do not check neverallow rules. > + > + > + > + > + Increment verbosity level. > + > + > + > + > + Display usage information. > + > + > > > SEE ALSO 
> @@ -83,7 +107,7 @@ > > HTML documentation describing the CIL language statements is available starting with docs/html/index.html. > PDF documentation describing the CIL language statements is available at: docs/pdf/CIL_Reference_Guide.pdf. > - There is a CIL Design Wiki at: that describes the goals and features of the CIL language. > + There is a CIL Design Wiki at: that describes the goals and features of the CIL language. > > > >
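Review bot: with the revision-history block and the "git clone dated 21st May '14" sentence gone from the CIL Information section of CIL_Reference_Guide.xml, the guide no longer states which libsepol/CIL revision its statement definitions track; the same section still warns that the external site's definitions are "dated", so a reader has no way to judge whether the guide itself has drifted. Consider keeping a single line such as "Statement definitions current as of <release or commit>" (value to be filled in by the author) in place of the removed table, so the freshness claim is checkable from the document.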
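Review bot: the new "port | (port_low port_high)" entry in cil_network_labeling_statements.xml constrains the values only to "numerics [0-9]"; it should also say what numeric range is accepted, whether the range form is inclusive of both ends, and what the compiler does when port_low is greater than port_high, since none of that is visible from the entry or from the replaced example "(portcon tcp (2000 20000) (unconfined.user object_r unconfined.object (systemlow level_3)))". A one-line note like "port_low must be less than or equal to port_high; both ends are included in the range" would settle it if that matches the compiler's behaviour.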
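Review bot: the OPTIONS descriptions in secilc.8.xml are carried into the new list structure verbatim, so the pre-existing wording problems survive the reformat: "depends on the systems SELinux policy version" should read "system's", "see sestatus8" lacks the section-number form used elsewhere in these docs (checkpolicy(8), checkmodule(8)), and "Build an mls policy" should use "MLS" as the Reference Guide does. The entry "Do not check neverallow rules." would also benefit from one sentence stating the consequence, namely that the resulting binary policy may contain allow rules that the policy's neverallow statements were written to forbid, so the reader understands that a safety check is being disabled rather than a cosmetic one.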