On Sun, Dec 04, 2016 at 04:53:49PM +0000, Robert Sharp wrote:
> Thanks for this. I wrote a little CIL snippet based on your example for 
> 27017 and semodule'd it in. I could then see the port with semanage port 
> -l and I could use it in the .te file as well. I made a mistake first 
> time round by naming the .cil file the same as the others, which created 
> mayhem when I tried importing the module. I removed the .cil bit, 
> renamed it mongodb.cil and tried again. This time it worked. I guess I 
> ought to look at the mongodb in contrib to see if there should be a 
> client side to the policy, and perhaps rename my CIL to something like 
> mongodb_port.cil.
> 
> Is there a plan to move everything to CIL? It is just that you referred 
> to the .pp approach as "legacy". I just wonder because CIL looks fairly 
> unfriendly and may even be an intermediate language. Also, are there any 
> plans to make the whole thing more modular? Looking at corenetwork.if, 
> for example, is a bit of a surprise.

I am not aware of an active project (in Gentoo or outside) to build up or
migrate the current policy towards CIL. There have been a couple of tests on
this (there once was a cilrefpolicy project, and Dominick Grift maintains a
CIL-only policy but I don't know if that one is usable in a larger context,
and I think he shares it more from a "sharing knowledge" perspective rather
than "please contribute to make it work for distributions").

The reason I quoted "legacy" is because the current policy is actually using
CIL when you run with the user space project version 2.4 or later. The
binary .pp file is translated into CIL in the background. The SELinux
project calls this HLL (High Level Language) although I wouldn't call the
binary .pp format "high level". But it is nice that this translation is
already put in place, because it shows that CIL by itself is
production-ready.

I have thought about starting a CIL-only policy with the intention of making
it reusable for multiple users, but given my current time constraints I'm
confident that that project would fail to start.

One day though... ;-)

Wkr,
        Sven Vermeulen
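For reference, a port-labelling CIL module of the kind Robert describes above (a dedicated type for TCP 27017, loaded as its own mongodb_port.cil). This is an added, constructed example rather than Robert's snippet or the one Sven originally pointed to; the type name mongodb_port_t and the port_type attribute (as refpolicy's corenetwork layer declares it) are assumptions.

```cil
; mongodb_port.cil: give TCP port 27017 its own SELinux port label.
; Constructed example; mongodb_port_t is an assumed name, chosen to match
; refpolicy's *_port_t convention so .te policy can reference it with a
; plain gen_require(`type mongodb_port_t;').

; Declare the type in the global namespace and authorise the object_r
; role for it, as every object label needs.
(type mongodb_port_t)
(roletype object_r mongodb_port_t)

; Attach the attribute refpolicy puts on all port labels (assumed to be
; declared by the base module), so generic corenet interfaces treat the
; new label like any other port.
(typeattributeset port_type (mongodb_port_t))

; Bind the label to the port. The last element is the MLS/MCS range;
; ((s0) (s0)) is s0 with no categories, which fits the Gentoo mcs policy.
(portcon tcp 27017 (system_u object_r mongodb_port_t ((s0) (s0))))
```

Load it with `semodule -i mongodb_port.cil` and confirm the mapping with `semanage port -l`; the file name is the module name, which is why naming it like an existing module clashes.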
