platform_external_selinux

History

Joshua Brindle 9ba35fe8c2 Add default_range glblub support Policy developers can set a default_range default to glblub and computed contexts will be the intersection of the ranges of the source and target contexts. This can be used by MLS userspace object managers to find the range of clearances that two contexts have in common. An example usage is computing a transition between the network context and the context of a user logging into an MLS application. For example, one can add a default with this cil: (defaultrange db_table glblub) or in te (base module only): default_range db_table glblub; and then test using the compute_create utility: $ ./compute_create system_u:system_r:kernel_t:s0:c1,c2,c5-s0:c1.c20 system_u:system_r:kernel_t:s0:c0.c20-s0:c0.c36 db_table system_u:object_r:kernel_t:s0:c1,c2,c5-s0:c1.c20 Some example range transitions are: User Permitted Range \| Network Device Label \| Computed Label ---------------------\|----------------------\|---------------- s0-s1:c0.c12 \| s0 \| s0 s0-s1:c0.c12 \| s0-s1:c0.c1023 \| s0-s1:c0.c12 s0-s4:c0.c512 \| s1-s1:c0.c1023 \| s1-s1:c0.c512 s0-s15:c0,c2 \| s4-s6:c0.c128 \| s4-s6:c0,c2 s0-s4 \| s2-s6 \| s2-s4 s0-s4 \| s5-s8 \| INVALID s5-s8 \| s0-s4 \| INVALID Signed-off-by: Joshua Brindle <joshua.brindle@crunchydata.com>		2019-09-10 12:30:29 -04:00
..
docs	Add default_range glblub support	2019-09-10 12:30:29 -04:00
test	selinux: Add support for the SCTP portcon keyword	2018-03-19 12:34:29 -04:00
.gitignore	secilc: Add secil2conf which creates a policy.conf from CIL policy	2016-11-30 10:18:19 -05:00
COPYING	libsepol: Move secilc out of libsepol	2015-03-31 12:31:38 -04:00
Makefile	secilc: Make the clean target call the clean target of docs/	2018-05-30 22:06:43 +02:00
README	secilc: update dependency information and man page creation	2016-01-08 09:38:40 -05:00
secil2conf.8.xml	secilc: Add secil2conf which creates a policy.conf from CIL policy	2016-11-30 10:18:19 -05:00
secil2conf.c	secilc: Add options to control the expansion of attributes	2017-04-12 14:33:55 -04:00
secilc.8.xml	secilc: add flag to enable policy optimization	2019-06-25 10:11:00 -04:00
secilc.c	secilc: add flag to enable policy optimization	2019-06-25 10:11:00 -04:00
VERSION	Update VERSIONs to 2.9 for release.	2019-03-15 11:32:30 +01:00

README

SELinux Common Intermediate Language (CIL) Compiler

INTRODUCTION

	The SELinux CIL Compiler is a compiler that converts the CIL language as
	described on the CIL design wiki into a kernel binary policy file.
	Please see the CIL Design Wiki at:
	http://github.com/SELinuxProject/cil/wiki/
	for more information about the goals and features on the CIL language.

DEPENDENCIES

	gcc >= 4.5.1
	libsepol >= 2.5


BUILD STEPS

	Run "make" with one of the following targets:

	make
		Build the CIL compiler (secilc).

	make test
		Pass a sample policy to test with the compiler.

	make install
		Install the secilc compiler and man page to disk.

	make clean
		Remove temporary build files.

	make man
		Build the secilc man page.

	make bare
		Remove temporary build files and compile binaries.


USAGE

	Execute 'secilc' with any number of CIL files as arguments. A binary policy and
	file_contexts file will be created.

	Use the '--help' option for more details.


DOCUMENTATION

	There is a github markdown CIL Reference Guide in the docs directory. To
	view the table of contents, see README.md in the docs directory.

	To convert the github markdown content to HTML and PDF, change to the docs
	directory and run:
		make

	The documents will be located in the docs/html and docs/pdf directories.

	To build the html and pdf, the pandoc package is required.

KNOWN ISSUES

	- Blocks inside of macros causes undefined behavior

	- Policy must be well formed. For example, invalid usage of
	  sensitivities/categories/levels may create an unloaded binary

	- Recursive limits are not handled