* fpp cil-policy
@ 2025-08-23 14:37 Dominick Grift
2025-08-25 16:08 ` James Carter
0 siblings, 1 reply; 2+ messages in thread
From: Dominick Grift @ 2025-08-23 14:37 UTC (permalink / raw)
To: selinux; +Cc: jwcart2
Hi
Someone on IRC asked whether there is a project that can convert
refpolicy to valid CIL and leverages CIL features such as macros,
blockabstracts, class maps and permissions etc.
It reminded me of FPP. I could not find the code anywhere. Is it still
available and if so, where? Also wondering what happened to that
project. Were there any blockers?
Thanks
--
gpg --locate-keys dominick.grift@defensec.nl (wkd)
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098
Dominick Grift
Mastodon: @kcinimod@defensec.nl
* Re: fpp cil-policy
2025-08-23 14:37 fpp cil-policy Dominick Grift
@ 2025-08-25 16:08 ` James Carter
0 siblings, 0 replies; 2+ messages in thread
From: James Carter @ 2025-08-25 16:08 UTC (permalink / raw)
To: Dominick Grift; +Cc: selinux
On Sat, Aug 23, 2025 at 10:37 AM Dominick Grift
<dominick.grift@defensec.nl> wrote:
>
>
> Hi
>
> Someone on IRC asked whether there is a project that can convert
> refpolicy to valid CIL and leverages CIL features such as macros,
> blockabstracts, class maps and permissions etc.
>
> It reminded me of FPP. I could not find the code anywhere. Is it still
> available and if so, where? Also wondering what happened to that
> project. Were there any blockers?
>
I have not done anything with FPP in a long time.
You can see this email for a posting to the list back in 2011.
https://lore.kernel.org/selinux/1299608758.24687.19.camel@moss-lions.epoch.ncsc.mil/
A lot of the code lives on in selpoltools
https://github.com/jwcart2/selpoltools
but not the conversion to CIL.
There is a Refpolicy linter in selpoltools and a program to convert to
a new language that I was working on called smpl (SELinux Improved
Policy Language) which I created specifically to be automatically
generated from the Refpolicy. [I think I had to resort to just
identifying certain problems and hard-coding the output.]
There didn't seem to be a lot of interest in smpl and I never finished
the smpl to CIL part.
FPP required a number of patches to Refpolicy for it to work.
It could not handle generic m4 defines (like "basic_ubac_conditions" in
the constraints file or "can_exec" in misc_patterns.spt)
It could not handle defines in an ifdef
It could not handle labeled booleans where a boolean name is concatenated
with a path.
It could not handle set expressions in an interface ("file_type - $1")
It could not handle an else block for an optional (yes, this occurs
once or twice)
It could not handle undeclared types in an interface (usually an
interface that is not used and would be removed anyway because of the
unfulfilled require block)
While FPP did retain the interfaces, it did not create blocks or use
class maps or anything like that.
Jim
> Thanks
>
> --
> gpg --locate-keys dominick.grift@defensec.nl (wkd)
> Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098
> Dominick Grift
> Mastodon: @kcinimod@defensec.nl
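
Added example, not part of the thread and not FPP or selpoltools code: a heuristic Python scan that flags three of the constructs from the list above (a define inside an ifdef, an else block on an optional, a set expression that subtracts an interface parameter). The function names and the sample policy are constructed for illustration, and the scan assumes the constructs appear as plain ifdef(, optional_policy( and interface( m4 calls.

```python
import re

# Constructed sample in Refpolicy's m4 syntax; every name in it is made up.
SAMPLE = """\
interface(`demo_read_other_files',`
    allow $1 { file_type - $2 }:file read;
')
ifdef(`distro_demo',`
    define(`demo_pattern',`allow $1 $2:file read;')
')
optional_policy(`
    demo_a($1)
',`
    demo_b($1)
')
"""

def macro_calls(text, name):
    """Yield (line, args) for each name(...) call, honouring m4 `...' quoting."""
    for m in re.finditer(r"\b%s\(" % re.escape(name), text):
        args, cur, quote, paren, i = [], [], 0, 1, m.end()
        while i < len(text) and paren:
            c, i = text[i], i + 1
            if c == "`":
                quote += 1
            elif c == "'" and quote:
                quote -= 1
            elif quote == 0 and c in "()":
                paren += 1 if c == "(" else -1
            elif quote == 0 and c == "," and paren == 1:
                args, cur = args + ["".join(cur)], []  # top-level comma ends an argument
                continue
            if paren:
                cur.append(c)
        if paren == 0:  # ignore calls that never close
            yield text.count("\n", 0, m.start()) + 1, args + ["".join(cur)]

def fpp_blockers(text):
    """Return sorted (line, kind) pairs for three constructs from the list above."""
    hits = []
    for line, args in macro_calls(text, "ifdef"):
        if any(re.search(r"\bdefine\(", a) for a in args[1:]):
            hits.append((line, "define-in-ifdef"))
    for line, args in macro_calls(text, "optional_policy"):
        if len(args) > 1:  # a second argument is the else block
            hits.append((line, "optional-else"))
    for line, args in macro_calls(text, "interface"):
        if len(args) > 1 and re.search(r"[\w}]\s+-\s*\$\d", args[1]):
            hits.append((line, "set-expr-in-interface"))
    return sorted(hits)
```

Calling fpp_blockers(SAMPLE) reports one hit per construct with the line where the enclosing macro call starts; an apostrophe inside a policy comment would throw off the quote tracking, as it does for m4 itself.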