| 1 |
On Sun, Dec 04, 2016 at 04:53:49PM +0000, Robert Sharp wrote: |
| 2 |
> Thanks for this. I wrote a little CIL snippet based on your example for |
| 3 |
> 27017 and semodule'd it in. I could then see the port with semanage port |
| 4 |
> -l and I could use it in the .te file as well. I made a mistake first |
| 5 |
> time round by naming the .cil file the same as the others, which create |
| 6 |
> mayhem when I tried importing the module. I removed the .cil bit, |
| 7 |
> renamed it mongodb.cil and tried again. This time it worked. I guess I |
| 8 |
> ought to look at the mongodb in contrib to see if there should be a |
| 9 |
> client side to the policy, and perhaps rename my CIL to something like |
| 10 |
> mongodb_port.cil. |
| 11 |
> |
| 12 |
> Is there a plan to move everything to CIL? It is just that you referred |
| 13 |
> to the .pp approach as "legacy". I just wonder because CIL looks fairly |
| 14 |
> unfriendly and may even be an intermediate language. Also, are there any |
| 15 |
> plans to make the whole thing more modular? Looking at corenetwork.if, |
| 16 |
> for example, is a bit of a surprise. |
| 17 |
|
| 18 |
I am not aware of an active project (in Gentoo or outside) to build up or |
| 19 |
migrate the current policy towards CIL. There have been a couple of tests on |
| 20 |
this (there once was a cilrefpolicy project, and Dominick Grift maintains a |
| 21 |
CIL-only policy but I don't know if that one is usable in a larger context, |
| 22 |
and I think he shares it more from a "sharing knowledge" perspective rather |
| 23 |
than "please contribute to make it work for distributions"). |
| 24 |
|
| 25 |
The reason I quoted "legacy" is because the current policy is actually using |
| 26 |
CIL when you run with the user space project version 2.4 or later. The |
| 27 |
binary .pp file is translated into CIL in the background. The SELinux |
| 28 |
project calls this HLL (High Level Language) although I wouldn't call the |
| 29 |
binary .pp format as "high level". But it is nice that this translation is |
| 30 |
already put in place, because it shows that CIL by itself is |
| 31 |
production-ready. |
| 32 |
|
| 33 |
I have thought about starting a CIL-only policy with the intention of making |
| 34 |
it reusable for multiple users, but given my current time constraints I'm |
| 35 |
confident that that project would fail to start. |
| 36 |
|
| 37 |
One day though... ;-) |
| 38 |
|
| 39 |
Wkr, |
| 40 |
Sven Vermeulen |
Archives