67b410e80f
In order to reduce policy size, CIL removes attributes that are not used by a policy rule in the generated binary policy. However, CIL keeps attributes used by neverallow rules (which are checked at compile time and not in the binary policy) even if the attribute is not used anywhere else in the policy. This behavior is useful to Google who pulls neverallow rules out of the original policy.conf for compatibility testing, but converts the policy.conf to CIL and uses the CIL compiler to generate policy. Without this behavior, the generated binary policy might not have an attribute referred to by one of the neverallow rules used for testing.

The one exception to this behavior is for attributes generated in module_to_cil (these have an "_typeattr_" in the middle of their name). Since these attributes are only created because CIL does not allow a type expression in an AV rule, they are removed if they only appear in a neverallow rule (which is the case for most of them) or if the option to expand generated attributes (-G or --expand-generated) is specified for secilc when compiling the policy.

Removing generated attributes causes a problem, however, if the type expression that the generated attribute is replacing uses an attribute that is removed. In this case, the original neverallow rule will refer to an attribute that does not exist in the generated binary policy.

Now any non-generated attribute used in a typeattributeset rule for a generated attribute which is used in a neverallow rule will be treated like it was used in a neverallow rule. This does not change the behavior of an expandtypeattribute rule for the attribute. That rule, if it exists, will take precedence.

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
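The following CIL fragment illustrates the case the commit describes. It is a constructed example added here, not code from the SELinux repository or from the commit; the names domain, foo_t, bar_t and base_typeattr_1 are assumed, and the fragment would sit inside a complete policy.

```cil
; Constructed illustration (not from the SELinux repository); the names
; domain, foo_t, bar_t and base_typeattr_1 are assumed.
;
; Original policy.conf rule, kept outside the CIL policy for
; compatibility testing:
;
;   neverallow { domain -foo_t } bar_t : file write;
;
; CIL does not allow a type expression in an AV rule, so module_to_cil
; stands in a generated attribute (name contains "_typeattr_") for
; "{ domain -foo_t }":

(typeattribute domain)
(typeattributeset domain (foo_t bar_t))

(typeattribute base_typeattr_1)
(typeattributeset base_typeattr_1 (and domain (not foo_t)))
(neverallow base_typeattr_1 bar_t (file (write)))

; No rule that survives into the binary policy uses "domain" directly;
; only allow rules on concrete types remain:
(allow foo_t bar_t (file (read)))

; base_typeattr_1 appears only in a neverallow rule, so the compiler
; drops it from the binary policy like other generated attributes
; (or unconditionally with secilc -G / --expand-generated).
;
; Before this commit: "domain" was then unused in the binary policy and
; was dropped as well, so the original neverallow above referred to an
; attribute missing from the generated binary policy.
;
; After this commit: "domain" is used in the typeattributeset of a
; generated attribute that appears in a neverallow rule, so it is
; treated as if it were used in a neverallow rule itself and is kept.
;
; An explicit expandtypeattribute rule for "domain" still takes
; precedence over this behavior, e.g.:
;   (expandtypeattribute (domain) true)
```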
README
Please submit all bug reports and patches to selinux@tycho.nsa.gov.
Subscribe via selinux-join@tycho.nsa.gov.

Build dependencies on Fedora:

    yum install audit-libs-devel bison bzip2-devel dbus-devel dbus-glib-devel flex flex-devel flex-static glib2-devel libcap-devel libcap-ng-devel pam-devel pcre-devel python-devel setools-devel swig xmlto redhat-rpm-config

To build and install everything under a private directory, run:

    make DESTDIR=~/obj install install-pywrap

To install as the default system libraries and binaries (overwriting any previously installed ones - dangerous!), on x86_64, run:

    make LIBDIR=/usr/lib64 SHLIBDIR=/lib64 install install-pywrap relabel

or on x86 (32-bit), run:

    make install install-pywrap relabel

This may render your system unusable if the upstream SELinux userspace lacks library functions or other dependencies relied upon by your distribution. If it breaks, you get to keep both pieces.

To install libsepol on macOS (mainly for policy analysis):

    cd libsepol; make DESTDIR=/usr/local PREFIX=/usr/local install

This requires GNU coreutils (brew install coreutils).