On Sun, Dec 04, 2016 at 04:53:49PM +0000, Robert Sharp wrote:
> Thanks for this. I wrote a little CIL snippet based on your example for
> 27017 and semodule'd it in. I could then see the port with semanage port
> -l and I could use it in the .te file as well. I made a mistake first
> time round by naming the .cil file the same as the others, which created
> mayhem when I tried importing the module. I removed the .cil bit,
> renamed it mongodb.cil and tried again. This time it worked. I guess I
> ought to look at the mongodb in contrib to see if there should be a
> client side to the policy, and perhaps rename my CIL to something like
> mongodb_port.cil.
>
> Is there a plan to move everything to CIL? It is just that you referred
> to the .pp approach as "legacy". I just wonder because CIL looks fairly
> unfriendly and may even be an intermediate language. Also, are there any
> plans to make the whole thing more modular? Looking at corenetwork.if,
> for example, is a bit of a surprise.

I am not aware of an active project (in Gentoo or outside) to build up or
migrate the current policy towards CIL. There have been a couple of tests on
this (there once was a cilrefpolicy project, and Dominick Grift maintains a
CIL-only policy but I don't know if that one is usable in a larger context,
and I think he shares it more from a "sharing knowledge" perspective rather
than "please contribute to make it work for distributions").

The reason I quoted "legacy" is because the current policy is actually using
CIL when you run with the user space project version 2.4 or later. The
binary .pp file is translated into CIL in the background. The SELinux
project calls this HLL (High Level Language) although I wouldn't call the
binary .pp format "high level". But it is nice that this translation is
already put in place, because it shows that CIL by itself is
production-ready.

I have thought about starting a CIL-only policy with the intention of making
it reusable for multiple users, but given my current time constraints I'm
confident that that project would fail to start.

One day though... ;-)

Wkr,
Sven Vermeulen
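The kind of stand-alone CIL port definition the quoted message describes, written out here as an added example; it is not Robert's or Sven's snippet and not taken from the reference policy. It assumes the type name mongod_port_t (choose any name that the loaded policy does not already declare), TCP port 27017 as in the thread, that the corenetwork attributes port_type and defined_port_type exist in the loaded policy, and an MCS/MLS-enabled policy for the level range.

```cil
; Added example: declare a new port type and label TCP 27017 with it.
; mongod_port_t is an assumed name; a duplicate type declaration makes
; semodule reject the module, so do not redeclare a type the base
; policy already has (then only the portcon line is needed).
(type mongod_port_t)
(roletype object_r mongod_port_t)

; Join the attributes the corenetwork interfaces key on, so the new
; type is treated like every other defined port type in the policy.
(typeattributeset port_type (mongod_port_t))
(typeattributeset defined_port_type (mongod_port_t))

; Label the port; the ((s0) (s0)) level range assumes an MCS/MLS policy.
(portcon tcp 27017 (system_u object_r mongod_port_t ((s0) (s0))))
```

Save it under a file name that does not clash with an existing module (the thread settles on mongodb_port.cil), load it with `semodule -i mongodb_port.cil`, and confirm the label with `semanage port -l`, which should list the port under the new type. A .te module can then use the type through the usual corenet_* interfaces.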