From: Stephen Smalley <sds@tycho.nsa.gov>
To: Ted Toth <txtoth@gmail.com>
Cc: SELinux <selinux@tycho.nsa.gov>
Subject: Re: MLS dominance check behavior on el7
Date: Tue, 11 Sep 2018 15:43:51 -0400 [thread overview]
Message-ID: <cff08fc3-bd9e-c90f-a632-6937c01e2225@tycho.nsa.gov> (raw)
In-Reply-To: <d4404bc7-9f23-7ed6-fb2f-24c31d7e4704@tycho.nsa.gov>
On 09/11/2018 03:29 PM, Stephen Smalley wrote:
> On 09/11/2018 02:49 PM, Ted Toth wrote:
>> Yes, I too noticed the translate permission but couldn't find any info
>> related to its intended purpose. Regarding CIL, unfortunately I have
>> zero experience with it, but I've installed the compiler and started
>> reading through https://github.com/SELinuxProject/cil/wiki (any other
>> pointers to useful info would be appreciated). I have written lots of
>> policy; would it be possible to add a class/permissions/mlsconstraints
>> in an old-fashion policy module?
>
> The older binary modules didn't support those kinds of statements
> outside of the base module. Try this:
> $ cat > mcstrans.cil <<EOF
> ; define a mcstrans class with one permission color_use
> (class mcstrans (color_use))
> ; allow all domains mcstrans color_use permission to themselves
> (allow domain self (mcstrans (color_use)))
> ; only allow mcstrans color_use permission when h1 dominates h2
> (mlsconstrain (mcstrans (color_use)) (dom h1 h2))
> ; append the new mcstrans class to the end after all others
> (classorder (unordered mcstrans))
> EOF
>
> $ sudo semodule -i mcstrans.cil
>
> Then try performing permission checks with "mcstrans" as your class and
> "color_use" as your permission, between a domain and itself, with
> different levels.
BTW, an easy way to find CIL syntax for something is to look at how it
is done in the base module. You can extract a copy of that via
semodule -c -E base, then bring up base.cil in your favorite editor/viewer.
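The message above suggests exercising the new mcstrans/color_use check between a domain and itself at different levels. The following script is an added example, not code from this thread or from the SELinux project: it models what the `(dom h1 h2)` constraint in the CIL module decides (h1 is the source context's high level, h2 the target's; dominance means greater-or-equal sensitivity and a superset of categories), and, when run as root on a host where the module is loaded, compares that model with the kernel's own answer through the selinuxfs access interface. The selinuxfs paths, the class/perm index files, the sample contexts and the `user_t` domain are assumptions for illustration; the model covers only the MLS constraint, not the type-enforcement `allow` rule or user/role checks.

```python
"""Model of the (mlsconstrain (mcstrans (color_use)) (dom h1 h2)) rule,
with an optional live comparison against the running kernel.
Added example; not from the thread.  Assumes the usual MLS level syntax
(e.g. "s1:c0,c2.c4") and contexts of the form user:role:type:low[-high]."""
import os
import re

# Assumed selinuxfs layout: the AVC query file and per-class index files.
ACCESS_PATH = "/sys/fs/selinux/access"
CLASS_DIR = "/sys/fs/selinux/class"


def parse_level(level):
    """'s1:c0,c2.c4' -> (1, {0, 2, 3, 4}); 's0' -> (0, set())."""
    sens_part, _, cat_part = level.partition(":")
    m = re.fullmatch(r"s(\d+)", sens_part)
    if not m:
        raise ValueError(f"bad sensitivity in level {level!r}")
    cats = set()
    if cat_part:
        for item in cat_part.split(","):
            r = re.fullmatch(r"c(\d+)(?:\.c(\d+))?", item)
            if not r:
                raise ValueError(f"bad category in level {level!r}")
            lo = int(r.group(1))
            hi = int(r.group(2)) if r.group(2) else lo
            if hi < lo:
                raise ValueError(f"inverted category range in {level!r}")
            cats.update(range(lo, hi + 1))
    return int(m.group(1)), cats


def dominates(h1, h2):
    """MLS dominance: h1 dom h2 iff sens(h1) >= sens(h2) and cats(h2) is a subset of cats(h1)."""
    s1, c1 = parse_level(h1)
    s2, c2 = parse_level(h2)
    return s1 >= s2 and c2 <= c1


def split_context(ctx):
    """user:role:type:low[-high] -> (user, role, type, low, high); high defaults to low."""
    user, role, typ, rng = ctx.split(":", 3)
    low, _, high = rng.partition("-")
    return user, role, typ, low, high or low


def color_use_allowed(scontext, tcontext):
    """Decision the (dom h1 h2) constraint yields for mcstrans color_use:
    h1 = source high level, h2 = target high level."""
    return dominates(split_context(scontext)[4], split_context(tcontext)[4])


def kernel_color_use_allowed(scontext, tcontext):
    """Ask the running kernel (root plus the loaded mcstrans module required).
    Returns True/False, or None when selinuxfs or the class is not available."""
    try:
        with open(f"{CLASS_DIR}/mcstrans/index") as f:
            tclass = int(f.read())
        with open(f"{CLASS_DIR}/mcstrans/perms/color_use") as f:
            perm_bit = int(f.read())          # 1-based permission number
        fd = os.open(ACCESS_PATH, os.O_RDWR)
    except OSError:
        return None
    try:
        os.write(fd, f"{scontext} {tcontext} {tclass}".encode())
        reply = os.read(fd, 256).decode().split()   # "allowed decided auditallow auditdeny seqno flags"
    finally:
        os.close(fd)
    allowed = int(reply[0], 16)
    return bool(allowed & (1 << (perm_bit - 1)))


# Constructed sample pairs: the same domain (user_t) at different MLS levels.
SAMPLE_CHECKS = [
    ("user_u:user_r:user_t:s0-s2:c0.c3", "user_u:user_r:user_t:s1:c2"),   # source high dominates
    ("user_u:user_r:user_t:s1:c2", "user_u:user_r:user_t:s0-s2:c0.c3"),   # target high dominates
    ("user_u:user_r:user_t:s0:c1", "user_u:user_r:user_t:s0:c2"),         # incomparable categories
    ("user_u:user_r:user_t:s0", "user_u:user_r:user_t:s0"),               # equal levels
]


def run_matrix(checks=SAMPLE_CHECKS):
    """Return (source, target, model decision, kernel decision or None) per pair."""
    return [(s, t, color_use_allowed(s, t), kernel_color_use_allowed(s, t)) for s, t in checks]


if __name__ == "__main__":
    for s, t, model, kernel in run_matrix():
        print(f"{s} -> {t}: model={model} kernel={kernel}")
```

Offline (or without the module loaded) the kernel column is None and only the model runs; on a box with the module installed, a mismatch between the two columns would point at the type-enforcement `allow` rule, the user/role fields, or a different `mlsconstrain` interfering with the check.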