Trouble building a .cil policy from scratch.

Trouble building a .cil policy from scratch.

[Dan]

Hey guys, I've been reading the documentation of CIL language and have 
been practicing writing policies from scratch and have come across a 
problem. Here is what I have so far(which is just a simple example):

(type myapp_t)
(role object_r)
(role staff_r)
(roletype object_r myapp_t)
(typeattribute domain)
(typeattributetypes domain (myapp_t))


(type myapp_exec_t)
(roletype object_r myapp_exec_t)
(typeattribute domain)
(typeattributetypes domain (myapp_exec_t))



Now I know I need other stuff to build this module completely like SID, 
access vectors, etc, but I'm stuck because it doesn't recognize the 
"typeattributetypes" statement. It just spits out the error as an 
unknown keyword which I don't know why I would because I'm pretty sure I 
used it right, but I'm still learning. Any info would be awesome. Thanks 
guys.

Re: Trouble building a .cil policy from scratch.

[Steve Lawrence]

On 07/22/2015 06:21 PM, Dan wrote:
> Hey guys, I've been reading the documentation of CIL language and have
> been practicing writing policies from scratch and have come across a
> problem. Here is what I have so far(which is just a simple example):
> 
> (type myapp_t)
> (role object_r)
> (role staff_r)
> (roletype object_r myapp_t)
> (typeattribute domain)
> (typeattributetypes domain (myapp_t))
> 
> 
> (type myapp_exec_t)
> (roletype object_r myapp_exec_t)
> (typeattribute domain)
> (typeattributetypes domain (myapp_exec_t))
> 
> 
> 
> Now I know I need other stuff to build this module completely like SID,
> access vectors, etc, but I'm stuck because it doesn't recognize the
> "typeattributetypes" statement. It just spits out the error as an
> unknown keyword which I don't know why I would because I'm pretty sure I
> used it right, but I'm still learning. Any info would be awesome. Thanks
> guys.
> 

typeattributetypes is an old statement that no longer exists. It was
renamed to typeattributeset. The CIL documentation on the wiki is pretty
out of date. I'd recommend just looking at the docs in the secilc
directory in the selinux userspace repo. Running make in secilc/docs
will create an html and pdf version of the documentation, which should
be pretty up to date.

Re: Trouble building a .cil policy from scratch.

[Dan]

Yeah I have checked out that pdf and was wondering which one was right 
because I was going back and forth with the wiki but thanks for 
clarifying it has the up to date info.

On 07/23/2015 07:42 AM, Steve Lawrence wrote:
> On 07/22/2015 06:21 PM, Dan wrote:
>> Hey guys, I've been reading the documentation of CIL language and have
>> been practicing writing policies from scratch and have come across a
>> problem. Here is what I have so far(which is just a simple example):
>>
>> (type myapp_t)
>> (role object_r)
>> (role staff_r)
>> (roletype object_r myapp_t)
>> (typeattribute domain)
>> (typeattributetypes domain (myapp_t))
>>
>>
>> (type myapp_exec_t)
>> (roletype object_r myapp_exec_t)
>> (typeattribute domain)
>> (typeattributetypes domain (myapp_exec_t))
>>
>>
>>
>> Now I know I need other stuff to build this module completely like SID,
>> access vectors, etc, but I'm stuck because it doesn't recognize the
>> "typeattributetypes" statement. It just spits out the error as an
>> unknown keyword which I don't know why I would because I'm pretty sure I
>> used it right, but I'm still learning. Any info would be awesome. Thanks
>> guys.
>>
> typeattributetypes is an old statement that no longer exists. It was
> renamed to typeattributeset. The CIL documentation on the wiki is pretty
> out of date. I'd recommend just looking at the docs in the secilc
> directory in the selinux userspace repo. Running make in secilc/docs
> will create an html and pdf version of the documentation, which should
> be pretty up to date.
>