Commit Graph

17 Commits

Author SHA1 Message Date
James Carter
59ed638c6d Updated secilc ChangeLog.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2015-12-16 09:51:38 -05:00
Yuli Khodorkovskiy
12c7dfc553 secilc/docs: Convert DocBook documentation into github markdown
Converting to github markdown allows for easier integration with the
SELinux project wiki and viewing of documentation directly on github without
creating PDFs or reading through DocBook XML.

The conversion of DocBook to github markdown would not format tables or
keyword links properly. By maintaining the documentation in github
markdown in the repository, the content is well formatted with a table of
contents when viewing in the github wiki or in the repository.

The migration from DocBook to github markdown was done using Pandoc and
manual fixups. Mappings of CIL keywords to headings that were lost in the DocBook
conversion were added back. An introduction and design philosphy was
also pulled from the SELinux project wiki to provide more cohesion
to the current documentation.

Running make will now convert the github markdown into PDF and HTML.

Signed-off-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
2015-12-15 16:18:34 -05:00
James Carter
a2a3c6d03f Updated libsepol and secilc ChangeLogs
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2015-12-02 15:18:25 -05:00
Steve Lawrence
0013416550 secilc/docs: Add documentation for neverallowx rules
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
2015-12-02 15:15:22 -05:00
Yuli Khodorkovskiy
71dd7b7133 secilc: Add support for unordered classes
Resolves https://github.com/SELinuxProject/cil/issues/3

An 'unordered' keyword provides the ability to append classes to the current
list of ordered classes. This allows users to not need knowledge of existing
classes when creating a class and fixes dependencies on classes when removing a
module. This enables userspace object managers with custom objects to be
modularized.

If a class is declared in both an unordered and ordered statement, then the
ordered statement will supercede the unordered declaration.

Example usage:

    ; Appends new_class to the existing list of classes
    (class new_class ())
    (classorder (unordered new_class))

Signed-off-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2015-11-10 13:26:52 -05:00
Yuli Khodorkovskiy
77779d2ca5 libsepol/cil: Add userattribute{set} functionality
This adds a userattribute statement that may be used in userroles and
constraints. The syntax is the same as typeattributset.

Also, disallow roleattributes where roles are accepted in contexts.

Specify a userattribute

    (userattribute foo)

Add users to the set foo

    (userattributeset foo (u1 u2))

Signed-off-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2015-09-11 09:07:46 -04:00
Steve Lawrence
fbcc08ab2a Updated libselinux and secilc ChangeLog.
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
2015-09-02 16:05:56 -04:00
Steve Lawrence
46f32deae2 secilc: Add documentation/examples for allowx, auditallowx, dontauditx, and permissionx
Also removes *bounds statements in policy.cil, which had bounds
violations and are better tested in other test files.

Signed-off-by: Steve Lawrence <slawrence@tresys.com>
Acked-by: James Carter <jwcart2@tycho.nsa.gov>
2015-09-02 16:03:26 -04:00
James Carter
b11ffdd290 Updated libsepol and secilc ChangeLogs.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2015-06-22 10:04:26 -04:00
James Carter
ce5472845b secilc: Add a CIL policy file to test bounds checking.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2015-06-22 10:03:16 -04:00
James Carter
0e05890e3d secilc: Add a CIL policy file to test neverallow checking.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2015-06-22 10:03:16 -04:00
Stephen Smalley
1af0ed6f13 Update checkpolicy and secilc ChangeLogs.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2015-06-15 09:17:16 -04:00
Dan Albert
1f75792ea0 Remove uses of -Wno-return-type.
These warnings were fixed in 93b2e5f.
2015-06-15 09:14:10 -04:00
Stephen Smalley
b35f8536dd Add an empty relabel target to secilc Makfile.
So that building from top-level as per the README does not
fail when it reaches the secilc directory.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2015-04-10 09:50:57 -04:00
Stephen Smalley
cacf51cef0 libsepol, secilc: Fix build for Android
The Android build does not like the symbol versioning introduced
by commit 8147bc7; the build fails with:
host SharedLib: libsepol (out/host/linux-x86/obj/lib/libsepol.so)
prebuilts/gcc/linux-x86/host/x86_64-linux-glibc2.15-4.8//x86_64-linux/bin/ld: error: symbol cil_build_policydb has undefined version
prebuilts/gcc/linux-x86/host/x86_64-linux-glibc2.15-4.8//x86_64-linux/bin/ld: error: symbol cil_build_policydb has undefined version LIBSEPOL_1.1
clang: error: linker command failed with exit code 1 (use -v to see invocation)

Omit the versioned symbols and simply use the current interfaces
when building on Android.

Commit 36f62b7 also broke the Android build by moving secilc out of
libsepol, because the libsepol headers were not installed by the Android.mk
file.

Export the required libsepol headers for use by secilc and adjust secilc
to pick them up from the right location on Android.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2015-04-02 12:01:10 -04:00
Stephen Smalley
bfe17c0630 Add VERSION and (empty) ChangeLog files to secilc.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2015-03-31 12:40:24 -04:00
Yuli Khodorkovskiy
36f62b78f1 libsepol: Move secilc out of libsepol
Since the secilc compiler is independent of libsepol, move secilc out of
libsepol. Linke secilc dynamically rather than statically with libsepol.

- Move secilc source, test policies, docs, and secilc manpage to secilc
  directory.
- Remove unneeded Makefile from libsepol/cil. To build secilc, run make
  in the secilc directory.
- Add target to install the secilc binary to /usr/bin/.
- Create an Android makefile for secilc and move secilc out of libsepol
  Android makefile.
- Add cil_set_mls to libsepol public API as it is needed by secilc.
- Remove policy.conf from testing since it is no longer used.

Signed-off-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
2015-03-31 12:31:38 -04:00