In Gentoo, we have been supporting custom policy packages for a while now. Unlike most other distributions, which focus on binary packages, Gentoo has always supported source-based packages as default (although binary packages are supported as well).
A recent commit now also allows CIL files to be used.
CIL is SELinux' Common Intermediate Language, which brings on a whole new set of possibilities with policy development. I hardly know CIL but am (slowly) learning. Of course, the best way to learn is to try and do lots of things with it, but real-life work and time-to-market for now forces me to stick with the M4-based refpolicy one.
Still, I do try out some things here and there, and one of the things I wanted to look into was how CIL policies would deal with interfaces.
With the increased attention that SELinux is getting thanks to its inclusion in recent Android releases, more and more people are understanding that SELinux is not a singular security solution. Many administrators are still disabling SELinux on their servers because it does not play well with their day-to-day operations. But the Android inclusion shows that SELinux itself is not the culprit for this: it is the policy.
In a previous I used the secilc binary to load an additional test policy. Little did I know (and that's actually embarrassing because it was one of the things I complained about) that you can just use the CIL policy as With this I mean that a …
SELinux policy developers already have a number of file formats to work with. Currently, policy code is written in a set of three files:
.te file contains the SELinux policy code (type enforcement rules)
.if file contains functions which turn a set of arguments into blocks of SELinux policy code (interfaces). These functions are called by other interface files or type enforcement files
.fc file contains mappings of file path expressions towards labels (file contexts)
These files are compiled into loadable modules (or a base module) which are then transformed to an active policy. But this is not a single-step approach.
In between courses, I pushed out live ebuilds for the SELinux userspace applications: libselinux, policycoreutils, libsemanage, libsepol, sepolgen, checkpolicy and secilc. These live ebuilds (with Gentoo version 9999) pull in the current development code of the SELinux userspace so that developers and contributors can already work with in-progress code developments as well as see how they work on a Gentoo platform.
I keep on struggling to remember this, so let's make a blog post out of it ;-)
When the SELinux policy is being built, recent userspace (2.4 and higher) will convert the policy into CIL language, and then build the binary policy. When the policy supports type attributes, these are …
In a few moments, SELinux users which have the ~arch KEYWORDS set (either globally or for the SELinux utilities in particular) will notice that the SELinux userspace will upgrade to version 2.4 (release candidate 5 for now). This upgrade comes with a manual step that needs to be performed …