Re: generating new type name using CIL macro

[Dominick Grift <dominick.grift@defensec.nl>]

Vit Mojzis <vmojzis@redhat.com> writes:

> Hi Dominick,
> thank you for the suggestion. I know about block inheritance, but it
> produces type/role names that are not consistent with refpolicy ("."
> separating the new block name and it's content). My goal is to create
> new SELinux users and corresponding roles and it would be confusing
> for users to switch between roles with different naming schemes
> (e.g. "secadm_r" vs. "customuser.r"). Given that "typeinherit"
> statements don't seem to be supported, I'm trying my luck with macros
> to replicate interfaces.

I figured. You could alternatively create an abstraction c.q.
HLL. Depending on your requirements that does not have to be
complicated. Could be some shell, python or M4 that does the templating for
you. Essentially that is what refpolicy2 does with its M4 usage.


>
> Thank you,
> Vit
>
> On 9/12/23 05:50, Dominick Grift wrote:
>> Vit Mojzis <vmojzis@redhat.com> writes:
>>
>>> Hello all,
>>> while trying to recreate some selinux-policy templates using CIL
>>> macros I got stuck on creating new type/role/attribute names.
>>> For example consider ssh_role_template [1], which uses its first
>>> parameter to create a new type $1_ssh_agent_t.
>>>
>>> Is there a way to recreate such functionality in a CIL macro (or
>>> another CIL feature)?
>> CIL uses blocks for it implementation of templating. If you want to leverage
>> native CIL then look into blocks.
>>
>> Example:
>>
>> cat > mytest.cil <<EOF
>> (typeattribute foo)
>>
>> (block t
>> (blockabstract t)
>> (type t)
>> (typeattributeset .foo t))
>>
>> (block bar
>> (blockinherit t))
>>
>> (block baz
>> (blockinherit t))
>>
>> (allow .foo .foo (process (signal)))
>> EOF
>>
>> sudo semodule -i mytest.cil
>>
>> seinfo -xafoo
>>
>> Type Attributes: 1
>>     attribute foo;
>>          bar.t
>>          baz.t
>>
>> sesearch -A -s foo -ds
>> allow foo foo:process signal;
>>
>>> Something along the lines of:
>>> (macro new_type_macro ((string type_prefix))
>>>    (type (type_prefix)_t)
>>> )
>>> which when called (call new_type_macro ("yolo")) would produce
>>> (type yolo_t)
>>>
>>> I searched through CIL reference guide [2] and SELinuxProject CIL wiki
>>> on github, but didn't find anything close (maybe there is a better
>>> resource I don't know about).
>>> I'd appreciate any hints or links to other resources related to CIL macros.
>>>
>>> Thank you,
>>> Vit
>>>
>>> [1] -
>>> https://github.com/TresysTechnology/refpolicy/blob/master/policy/modules/services/ssh.if#L301
>>> [2] -
>>> https://raw.githubusercontent.com/SELinuxProject/selinux-notebook/main/src/notebook-examples/selinux-policy/cil/CIL_Reference_Guide.pdf
>>> [3] - https://github.com/SELinuxProject/cil/wiki#macros
>>>
>

-- 
gpg --locate-keys dominick.grift@defensec.nl (wkd)
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6  E0FF DA7E 521F 10F6 4098
Dominick Grift
Mastodon: @kcinimod@defensec.nl