* type inheritance in CIL
@ 2015-06-29  7:29 Miroslav Grepl
  2015-06-29  7:56 ` Dominick Grift
  0 siblings, 1 reply; 8+ messages in thread
From: Miroslav Grepl @ 2015-06-29  7:29 UTC (permalink / raw)
  To: SELinux

Trying to make sandbox work using CIL, but I see it does not support
the typeinherit statement.

-- 
Miroslav Grepl
Senior Software Engineer, SELinux Solutions
Red Hat, Inc.


* Re: type inheritance in CIL
  2015-06-29  7:29 type inheritance in CIL Miroslav Grepl
@ 2015-06-29  7:56 ` Dominick Grift
  2015-06-29 11:19   ` Miroslav Grepl
  0 siblings, 1 reply; 8+ messages in thread
From: Dominick Grift @ 2015-06-29  7:56 UTC (permalink / raw)
  To: selinux

On Mon, Jun 29, 2015 at 09:29:34AM +0200, Miroslav Grepl wrote:
> Trying to make sandbox work using CIL, but I see it does not support
> the typeinherit statement.

One of those features that really define CIL but that is currently not available or fully working yet.

My suggestion is to study the "cilpolicy" (which is really just a snapshot of reference policy transformed to cil with hll I believe).

This will give you some pointers as to how to create an alternative implementation that achieves a similar result.

When you write CIL policy, there are some "bugs" to take into account and to work around.


-- 
02DFF788
4D30 903A 1CF3 B756 FB48  1514 3148 83A2 02DF F788
http://keys.gnupg.net/pks/lookup?op=vindex&search=0x314883A202DFF788
Dominick Grift


* Re: type inheritance in CIL
  2015-06-29  7:56 ` Dominick Grift
@ 2015-06-29 11:19   ` Miroslav Grepl
  2015-06-29 18:56     ` James Carter
  0 siblings, 1 reply; 8+ messages in thread
From: Miroslav Grepl @ 2015-06-29 11:19 UTC (permalink / raw)
  To: selinux

On 06/29/2015 09:56 AM, Dominick Grift wrote:
> On Mon, Jun 29, 2015 at 09:29:34AM +0200, Miroslav Grepl wrote:
>> Trying to make sandbox work using CIL, but I see it does not
>> support the typeinherit statement.
> 
> One of those features that really define CIL but that is currently
> not available or fully working yet.
> 
> My suggestion is to study the "cilpolicy" (which is really just a
> snapshot of reference policy transformed to cil with hll I
> believe).
> 
> This will give you some pointers as to how to create an alternative
> implementation that achieves a similar result.
> 
> When you write CIL policy, there are some "bugs" to take into
> account and to work around.
> 

Sure, there are different ways to write it. I just wanted to
combine it with the current Fedora policy as much as possible without
re-writing the current Fedora policy.

-- 
Miroslav Grepl
Senior Software Engineer, SELinux Solutions
Red Hat, Inc.


* Re: type inheritance in CIL
  2015-06-29 11:19   ` Miroslav Grepl
@ 2015-06-29 18:56     ` James Carter
  2015-06-29 19:25       ` Dominick Grift
  0 siblings, 1 reply; 8+ messages in thread
From: James Carter @ 2015-06-29 18:56 UTC (permalink / raw)
  To: Miroslav Grepl, selinux

On 06/29/2015 07:19 AM, Miroslav Grepl wrote:
> On 06/29/2015 09:56 AM, Dominick Grift wrote:
>> On Mon, Jun 29, 2015 at 09:29:34AM +0200, Miroslav Grepl wrote:
>>> Trying to make sandbox work using CIL, but I see it does not
>>> support the typeinherit statement.
>>
>> One of those features that really define CIL but that is currently
>> not available or fully working yet.
>>

Inheritance in CIL is handled with blocks.

The following policy:

(block b1
   (type t)
   (allow t self (CLASS (PERM)))
)

(block b2
   (blockinherit b1))

Would result in two types (b1.t and b2.t) and two rules.

See block_test.cil and name_resolution_test.cil in secilc/test/ for more 
examples. Everything should work, but, of course, it has seen less testing at 
this point.

Jim

>> My suggestion is to study the "cilpolicy" (which is really just a
>> snapshot of reference policy transformed to cil with hll I
>> believe).
>>
>> This will give you some pointers as to how to create an alternative
>> implementation that achieves a similar result.
>>
>> When you write CIL policy, there are some "bugs" to take into
>> account and to work around.
>>
>
> Sure, there are different ways to write it. I just wanted to
> combine it with the current Fedora policy as much as possible without
> re-writing the current Fedora policy.
>

-- 
James Carter <jwcart2@tycho.nsa.gov>
National Security Agency


* Re: type inheritance in CIL
  2015-06-29 18:56     ` James Carter
@ 2015-06-29 19:25       ` Dominick Grift
  2015-06-29 20:22         ` James Carter
  2015-06-30  8:37         ` Miroslav Grepl
  0 siblings, 2 replies; 8+ messages in thread
From: Dominick Grift @ 2015-06-29 19:25 UTC (permalink / raw)
  To: selinux

On Mon, Jun 29, 2015 at 02:56:34PM -0400, James Carter wrote:
> On 06/29/2015 07:19 AM, Miroslav Grepl wrote:
> >On 06/29/2015 09:56 AM, Dominick Grift wrote:
> >>On Mon, Jun 29, 2015 at 09:29:34AM +0200, Miroslav Grepl wrote:
> >>>Trying to make sandbox work using CIL, but I see it does not
> >>>support the typeinherit statement.
> >>
> >>One of those features that really define CIL but that is currently
> >>not available or fully working yet.
> >>
> 
> Inheritance in CIL is handled with blocks.
> 
> The following policy:
> 
> (block b1
>   (type t)
>   (allow t self (CLASS (PERM)))
> )
> 
> (block b2
>   (blockinherit b1))
> 
> Would result in two types (b1.t and b2.t) and two rules.
> 
> See block_test.cil and name_resolution_test.cil in secilc/test/ for more
> examples. Everything should work, but, of course, it has seen less testing
> at this point.

Thanks, I am aware of that feature; namespacing is also still a bit buggy in my view though.

If this is meant to be a substitute for typeinherit then how is one supposed to implement something that behaves like typeinheritfilter?

You are aware the typeinherit and typeinheritfilter are still documented on https://github.com/SELinuxProject/cil/wiki?
> 
> Jim
> 
> >>My suggestion is to study the "cilpolicy" (which is really just a
> >>snapshot of reference policy transformed to cil with hll I
> >>believe).
> >>
> >>This will give you some pointers as to how to create an alternative
> >>implementation that achieves a similar result.
> >>
> >>When you write CIL policy, there are some "bugs" to take into
> >>account and to work around.
> >>
> >
> >Sure, there are different ways to write it. I just wanted to
> >combine it with the current Fedora policy as much as possible without
> >re-writing the current Fedora policy.
> >

-- 
02DFF788
4D30 903A 1CF3 B756 FB48  1514 3148 83A2 02DF F788
http://keys.gnupg.net/pks/lookup?op=vindex&search=0x314883A202DFF788
Dominick Grift


* Re: type inheritance in CIL
  2015-06-29 19:25       ` Dominick Grift
@ 2015-06-29 20:22         ` James Carter
  2015-06-30  8:37         ` Miroslav Grepl
  1 sibling, 0 replies; 8+ messages in thread
From: James Carter @ 2015-06-29 20:22 UTC (permalink / raw)
  To: selinux

On 06/29/2015 03:25 PM, Dominick Grift wrote:
> On Mon, Jun 29, 2015 at 02:56:34PM -0400, James Carter wrote:
>> On 06/29/2015 07:19 AM, Miroslav Grepl wrote:
>>> On 06/29/2015 09:56 AM, Dominick Grift wrote:
>>>> On Mon, Jun 29, 2015 at 09:29:34AM +0200, Miroslav Grepl wrote:
>>>>> Trying to make sandbox work using CIL, but I see it does not
>>>>> support the typeinherit statement.
>>>>
>>>> One of those features that really define CIL but that is currently
>>>> not available or fully working yet.
>>>>
>>
>> Inheritance in CIL is handled with blocks.
>>
>> The following policy:
>>
>> (block b1
>>    (type t)
>>    (allow t self (CLASS (PERM)))
>> )
>>
>> (block b2
>>    (blockinherit b1))
>>
>> Would result in two types (b1.t and b2.t) and two rules.
>>
>> See block_test.cil and name_resolution_test.cil in secilc/test/ for more
>> examples. Everything should work, but, of course, it has seen less testing
>> at this point.
>
> Thanks, I am aware of that feature; namespacing is also still a bit buggy in my view though.
>
> If this is meant to be a substitute for typeinherit then how is one supposed to implement something that behaves like typeinheritfilter?
>
> You are aware the typeinherit and typeinheritfilter are still documented on https://github.com/SELinuxProject/cil/wiki?

Yes, although it has been a while since I looked at that.

The blockinherit is a substitute for typeinherit. There is no replacement for 
typeinheritfilter yet.

We would like to add a mechanism to remove rules at some point. But there are 
all sorts of potential ordering issues when you add something like that and we 
have been busy with other parts of CIL.

Jim

>>
>> Jim
>>
>>>> My suggestion is to study the "cilpolicy" (which is really just a
>>>> snapshot of reference policy transformed to cil with hll I
>>>> believe).
>>>>
>>>> This will give you some pointers as to how to create an alternative
>>>> implementation that achieves a similar result.
>>>>
>>>> When you write CIL policy, there are some "bugs" to take into
>>>> account and to work around.
>>>>
>>>
>>> Sure, there are different ways to write it. I just wanted to
>>> combine it with the current Fedora policy as much as possible without
>>> re-writing the current Fedora policy.
>>>

-- 
James Carter <jwcart2@tycho.nsa.gov>
National Security Agency


* Re: type inheritance in CIL
  2015-06-29 19:25       ` Dominick Grift
  2015-06-29 20:22         ` James Carter
@ 2015-06-30  8:37         ` Miroslav Grepl
  2015-06-30 14:48           ` James Carter
  1 sibling, 1 reply; 8+ messages in thread
From: Miroslav Grepl @ 2015-06-30  8:37 UTC (permalink / raw)
  To: selinux

On 06/29/2015 09:25 PM, Dominick Grift wrote:
> On Mon, Jun 29, 2015 at 02:56:34PM -0400, James Carter wrote:
>> On 06/29/2015 07:19 AM, Miroslav Grepl wrote:
>>> On 06/29/2015 09:56 AM, Dominick Grift wrote:
>>>> On Mon, Jun 29, 2015 at 09:29:34AM +0200, Miroslav Grepl
>>>> wrote:
>>>>> Trying to make sandbox work using CIL, but I see it does
>>>>> not support the typeinherit statement.
>>>> 
>>>> One of those features that really define CIL but that is
>>>> currently not available or fully working yet.
>>>> 
>> 
>> Inheritance in CIL is handled with blocks.
>> 
>> The following policy:
>> 
>> (block b1 (type t) (allow t self (CLASS (PERM))) )
>> 
>> (block b2 (blockinherit b1))
>> 
>> Would result in two types (b1.t and b2.t) and two rules.
>> 
>> See block_test.cil and name_resolution_test.cil in secilc/test/
>> for more examples. Everything should work, but, of course, it has
>> seen less testing at this point.
> 
> Thanks, I am aware of that feature; namespacing is also still a bit
> buggy in my view though.
> 
> If this is meant to be a substitute for typeinherit then how is one
> supposed to implement something that behaves like
> typeinheritfilter?
> 
> You are aware the typeinherit and typeinheritfilter are still
> documented on https://github.com/SELinuxProject/cil/wiki?
>> 

Yeap.

So the point is I need to re-write the current sandbox policy to CIL
using block statements to use inheritance.

>> Jim
>> 
>>>> My suggestion is to study the "cilpolicy" (which is really
>>>> just a snapshot of reference policy transformed to cil with
>>>> hll I believe).
>>>> 
>>>> This will give you some pointers as to how to create an
>>>> alternative implementation that achieves a similar result.
>>>> 
>>>> When you write CIL policy, there are some "bugs" to take
>>>> into account and to work around.
>>>> 
>>> 
>>> Sure, there are different ways to write it. I just wanted
>>> to combine it with the current Fedora policy as much as
>>> possible without re-writing the current Fedora policy.
>>> 

-- 
Miroslav Grepl
Senior Software Engineer, SELinux Solutions
Red Hat, Inc.


* Re: type inheritance in CIL
  2015-06-30  8:37         ` Miroslav Grepl
@ 2015-06-30 14:48           ` James Carter
  0 siblings, 0 replies; 8+ messages in thread
From: James Carter @ 2015-06-30 14:48 UTC (permalink / raw)
  To: Miroslav Grepl, selinux

On 06/30/2015 04:37 AM, Miroslav Grepl wrote:
> On 06/29/2015 09:25 PM, Dominick Grift wrote:
>> On Mon, Jun 29, 2015 at 02:56:34PM -0400, James Carter wrote:
>>> On 06/29/2015 07:19 AM, Miroslav Grepl wrote:
>>>> On 06/29/2015 09:56 AM, Dominick Grift wrote:
>>>>> On Mon, Jun 29, 2015 at 09:29:34AM +0200, Miroslav Grepl
>>>>> wrote:
>>>>>> Trying to make sandbox work using CIL, but I see it does
>>>>>> not support the typeinherit statement.
>>>>>
>>>>> One of those features that really define CIL but that is
>>>>> currently not available or fully working yet.
>>>>>
>>>
>>> Inheritance in CIL is handled with blocks.
>>>
>>> The following policy:
>>>
>>> (block b1 (type t) (allow t self (CLASS (PERM))) )
>>>
>>> (block b2 (blockinherit b1))
>>>
>>> Would result in two types (b1.t and b2.t) and two rules.
>>>
>>> See block_test.cil and name_resolution_test.cil in secilc/test/
>>> for more examples. Everything should work, but, of course, it has
>>> seen less testing at this point.
>>
>> Thanks, I am aware of that feature; namespacing is also still a bit
>> buggy in my view though.
>>
>> If this is meant to be a substitute for typeinherit then how is one
>> supposed to implement something that behaves like
>> typeinheritfilter?
>>
>> You are aware the typeinherit and typeinheritfilter are still
>> documented on https://github.com/SELinuxProject/cil/wiki?
>>>
>
> Yeap.
>
> So the point is I need to re-write the current sandbox policy to CIL
> using block statements to use inheritance.
>

Yes.

Please keep me informed of any difficulties and bugs. I've tested the name 
resolution and block handling as much as I could, but you're likely to discover 
corner cases which I didn't think about.

I am also curious about how you plan on using inheritance. What are you going to 
put in blocks? Which blocks are going to inherit from which blocks?

I am not sure if it will be useful in your case, but there is a blockabstract 
statement which tells CIL that the block is to be ignored except for inheritance.

Jim

>>> Jim
>>>
>>>>> My suggestion is to study the "cilpolicy" (which is really
>>>>> just a snapshot of reference policy transformed to cil with
>>>>> hll I believe).
>>>>>
>>>>> This will give you some pointers as to how to create an
>>>>> alternative implementation that achieves a similar result.
>>>>>
>>>>> When you write CIL policy, there are some "bugs" to take
>>>>> into account and to work around.
>>>>>
>>>>
>>>> Sure, there are different ways to write it. I just wanted
>>>> to combine it with the current Fedora policy as much as
>>>> possible without re-writing the current Fedora policy.
>>>>

-- 
James Carter <jwcart2@tycho.nsa.gov>
National Security Agency

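As an added illustration of the block-based inheritance discussed in this thread (block and blockinherit in Jim's first reply, blockabstract in his last one), not code from the thread, from secilc's test suite or from the Fedora sandbox policy: a sandbox-style abstract base block that two concrete sandbox blocks inherit, one of which extends it. The block names, the class and permission names (process, file, tcp_socket and their permissions) and the macro are assumptions; the fragment assumes those classes are declared elsewhere in the policy, as a complete CIL policy also needs sids, users, roles and so on.

```cil
;; Added example, not from the thread. Class/permission names are
;; placeholders assumed to be declared elsewhere in the policy.

;; Abstract base: only used as a source for blockinherit, so no
;; sandbox_base.t type and no sandbox_base rules end up in the compiled
;; policy (blockabstract names the enclosing block).
(block sandbox_base
    (blockabstract sandbox_base)
    (type t)
    (type tmp_t)
    (allow t self (process (fork sigchld)))
    (allow t tmp_t (file (read write open getattr)))
    ;; Macros are inherited too and can be called by the inheriting block.
    (macro allow_net ((type ARG1))
        (allow ARG1 self (tcp_socket (create connect)))))

;; Minimal sandbox: inherits everything and adds nothing. Result: the
;; types sandbox_min.t and sandbox_min.tmp_t plus copies of the two allow
;; rules with t and tmp_t rewritten to sandbox_min.t and sandbox_min.tmp_t.
(block sandbox_min
    (blockinherit sandbox_base))

;; Networked sandbox: inherits the base and extends it. Names resolve in
;; the current block first, so allow_net and t here are the inherited
;; copies sandbox_net.allow_net and sandbox_net.t.
(block sandbox_net
    (blockinherit sandbox_base)
    (call allow_net (t)))

;; A block can only add to what it inherits; there is no statement that
;; drops an inherited rule (the typeinheritfilter role), so a rule that
;; should not reach every sandbox belongs in the inheriting block, not in
;; the base.
```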
