On Wed, Sep 12, 2018 at 9:57 AM Ted Toth <txtoth@gmail.com> wrote:


On Wed, Sep 12, 2018 at 9:36 AM Dominick Grift <dac.override@gmail.com> wrote:
On Wed, Sep 12, 2018 at 09:57:20AM -0400, Stephen Smalley wrote:
> On 09/12/2018 09:26 AM, Ted Toth wrote:
> >
> >
> > On Wed, Sep 12, 2018 at 8:04 AM Stephen Smalley <sds@tycho.nsa.gov
> > <mailto:sds@tycho.nsa.gov>> wrote:
> >
> >     On 09/11/2018 04:59 PM, Ted Toth wrote:
> >      > That's awesome and now it's got me thinking about other
> >      > classes/permissions that we could implement. Can cil macros can be
> >      > referenced in .te/.if files?
> >
> >     Not sure I understand your question.  You can't directly embed cil
> >     statements in .te/.if files.  However, if you define a class/permission
> >     in a .cil module, you can certainly specify a require on it and use it
> >     from a conventional .te/.if module, ala:
> >     $ cat > usemcstrans.te <<EOF
> >     policy_module(usemcstrans, 1.0)
> >
> >     require {
> >              class mcstrans { color_use };
> >              attribute domain;
> >     }
> >
> >     allow domain self:mcstrans color_use;
> >     EOF
> >
> >     $ make -f /usr/share/selinux/devel/Makefile usemcstrans.pp
> >     $ sudo semodule -i usemcstrans.pp
> >
> >
> > If the cil contained:
> >
> > (macro use_color (type caller) (allow caller self mcstrans (color_use)))
> >
> > then in x.te can I use the macro:
> >
> > type x_t;
> > use_color(x_t)
>
> Sorry, no.  The macros used in .te/.if files are just m4 definitions handled
> at the preprocessing stage, not a feature of the module language.  The CIL
> macros are directly supported by the CIL compiler, but they won't be visible
> to the module compiler.  Also, you are missing several parentheses above
> (I'm not fond of the lisp-like syntax myself).  In a CIL module, I think the
> correct syntax would be:
>
> (macro use_color ((type caller)) (allow caller self (mcstrans (color_use))))
>
> (call use_color(x_t))
>
> Or you could define a m4 macro in an .if file and use that in a .te file.
> Or both.
>

Ideally you would have all of your policy written in CIL or in a high-level language that was designed to leverage CIL.

Unfortunately I/we don't live in an ideal world :( but thanks for the pointers.
 

My DSSP2 policy is a CIL-only policy. In there I also leverage unordered classes, Meaning that for example if you remove or disable the mcstrans module then you automatically also remove or disable  the access vectors that mcstrans manages.

minimal:

https://github.com/DefenSec/dssp2-minimal

standard (my personal policy based on top of minimal):

https://github.com/DefenSec/dssp2-standard/commits/master

DSSP2 does not support enforcement of confidentiality though

> _______________________________________________
> Selinux mailing list
> Selinux@tycho.nsa.gov
> To unsubscribe, send email to Selinux-leave@tycho.nsa.gov.
> To get help, send an email containing "help" to Selinux-request@tycho.nsa.gov.

--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8  02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift

I added a security class and permission using the following cil:
(block mcstrans
    (typeattributeset cil_gen_require  setrans_t)
    (typeattributeset cil_gen_require user_t)
    (class level_color (pick_using_dominance))
    (classorder (unordered level_color))

    (mlsconstrain (level_color (pick_using_dominance)) (dom h1 h2))

    (allow setrans_t self (level_color (pick_using_dominance))))

and this works for the mcscolor code I changed to use it. However I wrote some python code to test the class/permission (using security_compute_av_raw) and ran it before adding an allow rule for the python code type and no avc was generated as I'd expected. Is there anything different about adding a security class this way that would affect avc generation?