On 09/12/2018 09:26 AM, Ted Toth wrote:


On Wed, Sep 12, 2018 at 8:04 AM Stephen Smalley <s...@tycho.nsa.gov> wrote:

    On 09/11/2018 04:59 PM, Ted Toth wrote:
     > That's awesome and now it's got me thinking about other
     > classes/permissions that we could implement. Can cil macros can be
     > referenced in .te/.if files?

    Not sure I understand your question.  You can't directly embed cil
    statements in .te/.if files.  However, if you define a class/permission
    in a .cil module, you can certainly specify a require on it and use it
    from a conventional .te/.if module, ala:
    $ cat > usemcstrans.te <<EOF
    policy_module(usemcstrans, 1.0)

    require {
             class mcstrans { color_use };
             attribute domain;
    }

    allow domain self:mcstrans color_use;
    EOF

    $ make -f /usr/share/selinux/devel/Makefile usemcstrans.pp
    $ sudo semodule -i usemcstrans.pp


If the cil contained:

(macro use_color (type caller) (allow caller self mcstrans (color_use)))

then in x.te can I use the macro:

type x_t;
use_color(x_t)

Sorry, no. The macros used in .te/.if files are just m4 definitions handled at the preprocessing stage, not a feature of the module language. The CIL macros are directly supported by the CIL compiler, but they won't be visible to the module compiler. Also, you are missing several parentheses above (I'm not fond of the lisp-like syntax myself). In a CIL module, I think the correct syntax would be:

(macro use_color ((type caller)) (allow caller self (mcstrans (color_use))))

(call use_color(x_t))

Or you could define an m4 macro in an .if file and use that in a .te file. Or both.
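A structural check of the two macro forms discussed above, as an added example that is not part of the thread: a small Python parser for CIL s-expressions with a lint for macro, allow and call statements. It flags the ungrouped form from the question (whose parentheses are balanced, only grouped wrongly) and accepts the corrected one, and it runs the same check over a constructed complete module (class mcstrans with color_use, the use_color macro, an assumed type x_t; the classorder line is my addition). It checks nesting only and knows nothing about the policy's declared types or classes, so semodule -i remains the real test of a module.

```python
"""Structural lint for CIL macro / allow / call statements.

Added example, not code from the mailing-list thread: a tiny s-expression
parser plus checks for the nesting that the corrected macro relies on.
It validates shape only; semodule -i (or secilc with a full policy) is what
actually validates a module against the declared types and classes.
"""
import re
from typing import List, Union

Sexp = Union[str, List["Sexp"]]

# '(' , ')' , ';' comment to end of line, quoted string, or a bare symbol.
_TOKEN = re.compile(r'\(|\)|;[^\n]*|"[^"]*"|[^\s()";]+')


def parse(text: str) -> List[Sexp]:
    """Parse CIL text into nested Python lists (one entry per statement)."""
    stack: List[List[Sexp]] = [[]]
    for tok in _TOKEN.findall(text):
        if tok.startswith(";"):          # comment
            continue
        if tok == "(":
            stack.append([])
        elif tok == ")":
            if len(stack) == 1:
                raise ValueError("unbalanced ')'")
            done = stack.pop()
            stack[-1].append(done)
        else:
            stack[-1].append(tok)
    if len(stack) != 1:
        raise ValueError("unclosed '('")
    return stack[0]


def balanced(text: str) -> bool:
    """True when every '(' has its ')'."""
    try:
        parse(text)
        return True
    except ValueError:
        return False


def _is_pair(p: Sexp) -> bool:
    return isinstance(p, list) and len(p) == 2 and all(isinstance(x, str) for x in p)


def lint_statement(stmt: Sexp) -> List[str]:
    """Shape problems in one statement; recurses into macro bodies."""
    problems: List[str] = []
    if not isinstance(stmt, list) or not stmt:
        return ["statement is not a non-empty list"]
    head = stmt[0]
    if head == "macro":
        # (macro name ((kind param) ...) statement ...)
        if len(stmt) < 4 or not isinstance(stmt[1], str):
            return ["macro needs a name, a parameter list and a body"]
        params = stmt[2]
        if not isinstance(params, list) or not all(_is_pair(p) for p in params):
            problems.append(f"macro {stmt[1]}: parameters must be a list of "
                            "(kind name) pairs, e.g. ((type caller))")
        for body in stmt[3:]:
            problems.extend(lint_statement(body))
    elif head == "allow":
        # (allow source target (class (perm ...)))  or a named classpermission
        if len(stmt) != 4:
            problems.append("allow: expected source, target and one "
                            "class-permission group, e.g. (mcstrans (color_use))")
        else:
            cp = stmt[3]
            if isinstance(cp, list) and not (
                    len(cp) == 2 and isinstance(cp[0], str)
                    and isinstance(cp[1], list) and cp[1]):
                problems.append("allow: class permissions must be (class (perm ...))")
    elif head == "call":
        # (call name (arg ...)); the argument list is optional for no-arg macros
        if len(stmt) not in (2, 3) or (len(stmt) == 3 and not isinstance(stmt[2], list)):
            problems.append("call: arguments go in one list, e.g. (call use_color (x_t))")
    return problems


def lint(text: str) -> List[str]:
    """All shape problems in a CIL module, in statement order."""
    return [p for stmt in parse(text) for p in lint_statement(stmt)]


# The form from the question (balanced, but the grouping is wrong).
UNGROUPED_MACRO = "(macro use_color (type caller) (allow caller self mcstrans (color_use)))"
# The corrected form from the reply.
CORRECTED_MACRO = "(macro use_color ((type caller)) (allow caller self (mcstrans (color_use))))"

# Constructed complete module: class and macro from the thread, x_t assumed.
# (classorder (unordered ...)) lets a module add a class without knowing
# the base policy's class order.
SAMPLE_MODULE = """
; constructed sample, not from the thread
(class mcstrans (color_use))
(classorder (unordered mcstrans))
(macro use_color ((type caller))
    (allow caller self (mcstrans (color_use))))
(type x_t)
(call use_color (x_t))
"""

if __name__ == "__main__":
    for label, text in [("ungrouped", UNGROUPED_MACRO),
                        ("corrected", CORRECTED_MACRO),
                        ("module", SAMPLE_MODULE)]:
        print(label, lint(text) or "ok")
```

Running it prints two problems for the ungrouped form (the parameter list is not a list of pairs, and the allow has a loose class name instead of a (class (perm)) group) and "ok" for the corrected macro and the sample module. The lint deliberately accepts a bare name as the third allow argument, since that is a valid reference to a named classpermission.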

_______________________________________________
Selinux mailing list
Selinux@tycho.nsa.gov