* SELinux Common Intermediate Language Update
From: Steve Lawrence @ 2011-08-24 16:45 UTC
  To: SELinux

As many of you know, we've been working on the SELinux Common
Intermediate Language (CIL) compiler, called secilc, for many months now.

As a refresher, CIL is an intermediate language designed as a policy
representation that sits between high level policy languages and the
kernel policy representation. We're happy to answer any questions about
the language, but for more information, please take a look at the CIL
Design wiki at http://userspace.selinuxproject.org/trac/wiki/CilDesign

A few months ago, we released a version of secilc that could handle most
of the features supported by reference policy and output a policy.conf
file. We just recently reached a big milestone in that we can now
generate binary policy files from only CIL source files. Because of
this, we're dubbing this secilc v0.1.

Now that the compiler has reached this milestone, we would love for the
community to play around with it a bit and give us any feedback as we
continue on to integration with the existing SELinux tools and
implementing more advanced features, such as inheritance and transforms.

The secilc v0.1 tarball can be downloaded here:

http://userspace.selinuxproject.org/cil/secilc-0.1.tar.gz

The secilc repository can be downloaded via git here:

$ git clone http://oss.tresys.com/git/cil.git

Thanks,
Steve Lawrence

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: SELinux Common Intermediate Language Update
From: Richard Haines @ 2011-08-25 16:10 UTC
  To: Steve Lawrence; +Cc: SELinux

I've been trying to generate a context for a non-mls policy but keep getting the following error:

Building Parse Tree...
Building AST from Parse Tree...
Invalid context (line: 12)
Failed to fill context, rc: -1
cil_gen_context failed, rc: -1
Failed to process node
cil_tree_walk failed, rc: -1
Failed to build ast, exiting

I've tried various formats of 'context' but all failed. One example:
( context context1 ( unconfined_u unconfined_r unconfined_t ))

I see plenty of mls context examples in the test files but no non-mls.
Could you let me know the correct format please.

Thanks
Richard






* Re: SELinux Common Intermediate Language Update
From: James Carter @ 2011-08-25 16:46 UTC
  To: Richard Haines; +Cc: Steve Lawrence, SELinux

On Thu, 2011-08-25 at 17:10 +0100, Richard Haines wrote:
> I've been trying to generate a context for a non-mls policy but keep getting the following error:
> 
> Building Parse Tree...
> Building AST from Parse Tree...
> Invalid context (line: 12)
> Failed to fill context, rc: -1
> cil_gen_context failed, rc: -1
> Failed to process node
> cil_tree_walk failed, rc: -1
> Failed to build ast, exiting
> 
> I've tried various formats of 'context' but all failed. One example:
> ( context context1 ( unconfined_u unconfined_r unconfined_t ))
> 
> I see plenty of mls context examples in the test files but no non-mls.
> Could you let me know the correct format please.
> 

You always need to specify MLS current and clearance levels in CIL. The
idea behind CIL is that we want a good foundation for building
higher-level languages and tools, so we want to minimize the special cases
in the language syntax. Refpolicy already uses gen_context() for
contexts, so just think of CIL as having gen_context() built in.

-- 
James Carter <jwcart2@tycho.nsa.gov>
National Security Agency




* Re: SELinux Common Intermediate Language Update
From: Richard Haines @ 2011-08-29 16:14 UTC
  To: jwcart2; +Cc: Steve Lawrence, SELinux

Does this mean that I need to declare the range components as nulls, for example:

(context context1 (unconfined_u  unconfined_r  unconfined_t (() ())))

or is CIL only for generating MCS/MLS policy.

What I've been trying to do is generate a simple policy based on 'mdp' in CIL and thought I would use secilc to generate the binary. However I found that secilc only supports generating MCS/MLS policy (although I hacked it enough to generate contexts as in the example above).

Richard





* Re: SELinux Common Intermediate Language Update
From: Steve Lawrence @ 2011-08-30 18:40 UTC
  To: Richard Haines; +Cc: jwcart2, SELinux

It actually means you need a valid range component. If you build a
binary policy without the --mls flag, it just doesn't write any of the
mls information to the binary. As Jim said, this is just required so as
to minimize special cases.

If you don't want to have to specify the range every time you create a
context, you can create a named levelrange with only one category and
sensitivity and use that in contexts, for example:

(category c0)
(categoryorder (c0))
(sensitivity s0)
(dominance (s0))
(sensitivitycategory s0 (c0))
(levelrange default ((s0 (c0)) (s0 (c0))))

(context context1 (unconfined_u unconfined_r unconfined_t default))

This is similar to the way the gen_context statement in refpolicy works,
which just discards the range when not building an mls policy.

Also, if you get the simple CIL policy working, we'd love to see it.

- Steve


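Steve's point above, that a CIL context always carries a fourth (range) component and that the range only matters when the policy is built as MLS, as an added example (my own code, not part of secilc): a small Python reader that parses the S-expressions, accepts either a declared levelrange name or an inline (low high) pair in a context, reports the thread's "Invalid context (line: N)" for anything else (a three-element body, the (() ()) attempt, an undeclared name), and renders a context with or without its range the way gen_context() does. The sample policy text at the bottom is constructed for the example.

```python
import re
TOKEN = re.compile(r"\(|\)|[^\s()]+")            # "(", ")" or a bare symbol

class Node(list):
    """A parenthesised CIL form that remembers the line it opened on."""
    line = 0

def parse(src):
    stack = [Node()]                              # stack[0] collects top-level forms
    for lineno, text in enumerate(src.splitlines(), 1):
        for tok in TOKEN.findall(text):
            if tok == "(":
                stack[-1].append(Node())
                stack.append(stack[-1][-1])
                stack[-1].line = lineno
            elif tok == ")":
                if len(stack) == 1:
                    raise SyntaxError(f"unbalanced ')' at line {lineno}")
                stack.pop()
            else:
                stack[-1].append(tok)
    if len(stack) != 1:
        raise SyntaxError("unclosed '(' at end of input")
    return stack[0]

def is_level(form):
    """True for (s0) or (s0 (c0 c1)): a sensitivity, optionally with categories."""
    return (isinstance(form, Node) and len(form) in (1, 2) and isinstance(form[0], str)
            and (len(form) == 1 or isinstance(form[1], Node)))

def check_contexts(src):
    """Return ({name: (user, role, type, (low high))}, ["Invalid context (line: N)", ...])."""
    contexts, errors, ranges = {}, [], {}
    for form in parse(src):
        head = form[0] if isinstance(form, Node) and form else None
        if head == "levelrange" and len(form) == 3:
            ranges[form[1]] = form[2]             # named range, usable by later contexts
        elif head == "context":
            body = form[2] if len(form) == 3 and isinstance(form[2], Node) else Node()
            # Fourth element is mandatory: a declared levelrange name or an inline (low high).
            rng = body[3] if len(body) == 4 else None
            rng = ranges.get(rng) if isinstance(rng, str) else rng
            if (isinstance(rng, Node) and len(rng) == 2 and is_level(rng[0])
                    and is_level(rng[1]) and all(isinstance(x, str) for x in body[:3])):
                contexts[form[1]] = (body[0], body[1], body[2], rng)
            else:                                 # three elements, (() ()) or unknown name
                errors.append(f"Invalid context (line: {form.line})")
    return contexts, errors

def render(ctx, mls):
    """user:role:type[:low-high]; like gen_context(), the range is dropped when not MLS."""
    user, role, typ, rng = ctx
    if not mls:
        return f"{user}:{role}:{typ}"
    low, high = (lvl[0] + (":" + ",".join(lvl[1]) if len(lvl) == 2 else "") for lvl in rng)
    return f"{user}:{role}:{typ}:{low}-{high}"

# Constructed sample: the thread's working forms plus the two shapes it rejects.
SAMPLE = """\
(levelrange default ((s0 (c0)) (s0 (c0))))
(context context1 (unconfined_u unconfined_r unconfined_t default))
(context context2 (unconfined_u unconfined_r unconfined_t ((s0) (s0 (c0)))))
(context bad_norange (unconfined_u unconfined_r unconfined_t))
(context bad_null (unconfined_u unconfined_r unconfined_t (() ())))
"""
```

The category and sensitivity declarations from Steve's snippet are left out of the sample because this checker only inspects levelrange and context statements.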


* Re: SELinux Common Intermediate Language Update
From: Richard Haines @ 2011-09-05 14:32 UTC
  To: Steve Lawrence; +Cc: jwcart2, SELinux

Thanks for this useful information. I've now managed to modify mdp to generate the CIL code for a simple policy and tested an MLS and non-MLS version of the binary policies.

To achieve this I also had to patch the CIL compiler to output initial SIDs correctly.

What I will do now is send out emails with:

1) Patches for mdp to output CIL format policy (I also added a flag to output an MLS policy suitable for checkpolicy).

2) The patch for the CIL compiler to output SIDs correctly. This patch is very simple but it's probably not the right way to fix the problem - but it does work.

Richard





* Re: SELinux Common Intermediate Language Update
From: Justin Ethier @ 2011-06-09 17:17 UTC
  To: Steve Lawrence; +Cc: SELinux


The README says that gcc >= 4.5.1 is required, but when building on 4.5.1 I
received the following errors:

    cc1: error: unrecognized command line option "-Wunused-but-set-parameter"

According to http://gcc.gnu.org/gcc-4.6/changes.html this is a new warning
added in gcc 4.6.

Thanks,

Justin




* Re: SELinux Common Intermediate Language Update
From: Dominick Grift @ 2011-06-09 13:04 UTC
  To: Steve Lawrence; +Cc: SELinux

On Wed, 2011-06-08 at 17:14 -0400, Steve Lawrence wrote:

> As to the purpose of this email, we've recently reached a pretty
> significant milestone with the compiler, in that it now supports most of
> the features that are currently supported by reference policy (e.g.
> macros, optionals, tunables, etc) as well as the standard SELinux policy
> rules (e.g. allow, type, role, etc). Now that the compiler has reached
> this milestone, we would love for the community to play around with it a
> bit and give us any feedback as we continue on to integration and
> implementing the more advanced features, such as inheritance and
> transforms.

Could not get it to build. One dependency not mentioned in the README is
"flex".

src/cil_list.c: In function ‘cil_list_get_tail’:
src/cil_list.c:73:68: error: parameter ‘tail’ set but not used [-Werror=unused-but-set-parameter]
cc1: all warnings being treated as errors




* SELinux Common Intermediate Language Update
From: Steve Lawrence @ 2011-06-08 21:14 UTC
  To: SELinux

As many of you know, we've been working on the SELinux Common
Intermediate Language (CIL) compiler for many months now, most recently
discussed in November of last year [1].

As a refresher, CIL is an intermediate language designed as a policy
representation that sits between high level policy languages and the
kernel policy representation. We're happy to answer any questions about
the language, but for more information, please take a look at the CIL
Design wiki at http://userspace.selinuxproject.org/trac/wiki/CilDesign

As to the purpose of this email, we've recently reached a pretty
significant milestone with the compiler, in that it now supports most of
the features that are currently supported by reference policy (e.g.
macros, optionals, tunables, etc) as well as the standard SELinux policy
rules (e.g. allow, type, role, etc). Now that the compiler has reached
this milestone, we would love for the community to play around with it a
bit and give us any feedback as we continue on to integration and
implementing the more advanced features, such as inheritance and
transforms.

The CIL compiler repository can be downloaded via git:

$ git clone http://oss.tresys.com/git/cil.git

Thanks,
Steve Lawrence

[1] http://marc.info/?l=selinux&m=128881480827958&w=2


