I've noticed that in the new SELinux policy there are some (very welcome) additions to the language syntax, like if .. else statements. I also noticed that the gen_tunable has been replaced with gen_bool and so on.
Is there a definite guide (or even a changelog) where I could educate myself on these changes? Thanks!
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
05-30-2012, 01:09 AM
Mr Dash Four
3.9 -> 3.10 policy language syntax changes
Mr Dash Four wrote:
> I've noticed that in the new SELinux policy there are some (very welcome) additions to the language syntax, like if .. else statements. I also noticed that the gen_tunable has been replaced with gen_bool and so on.
>
> Is there a definite guide (or even a changelog) where I could educate myself on these changes? Thanks!
Any takers?
I am about to update my (customised) local policies and bring them up to date with the current versions, but to do that I need to know what changes have been made to the language syntax, so any help in that respect would be appreciated, thanks!
05-30-2012, 09:27 AM
Dominick Grift
3.9 -> 3.10 policy language syntax changes
On Wed, 2012-05-30 at 02:09 +0100, Mr Dash Four wrote:
>
> Mr Dash Four wrote:
> > I've noticed that in the new SELinux policy there are some (very welcome) additions to the language syntax, like if .. else statements. I also noticed that the gen_tunable has been replaced with gen_bool and so on.
> >
> > Is there a definite guide (or even a changelog) where I could educate myself on these changes? Thanks!
> Any takers?
that is no recent change. that gen_tunable vs gen_bool is an old issue.
we currently use gen_tunable()
not sure what gave you the impression that this is new
> I am about to update my (customised) local policies and bring them up to date with the current versions, but to do that I need to know what changes have been made to the language syntax, so any help in that respect would be appreciated, thanks!
05-30-2012, 12:15 PM
Mr Dash Four
3.9 -> 3.10 policy language syntax changes
> that is no recent change. that gen_tunable vs gen_bool is a old issue.
> we currently use gen_tunable()
> not sure what gave you the impression that this is new
gen_tunable used in "old" version of policies was replaced with gen_bool
instead, so I assumed this is something new. Same with the if ... else
statements - to my knowledge this wasn't possible before or have I got
this wrong as well?
05-30-2012, 12:35 PM
Dominick Grift
3.9 -> 3.10 policy language syntax changes
On Wed, 2012-05-30 at 13:15 +0100, Mr Dash Four wrote:
> > that is no recent change. that gen_tunable vs gen_bool is a old issue.
> > we currently use gen_tunable()
> >
> > not sure what gave you the impression that this is new
> >
> gen_tunable used in "old" version of policies was replaced with gen_bool
> instead, so I assumed this is something new. Same with the if ... else
> statements - to my knowledge this wasn't possible before or have I got
> this wrong as well?
>
I don't know what you mean. I did one check and it's the same as ever:
> ## <desc>
> ## <p>
> ## Allow Apache to modify public files
> ## used for public file transfer services, directories/files must
> ## be labeled public_content_rw_t.
> ## </p>
> ## </desc>
> gen_tunable(allow_httpd_anon_write, false)
>
i suspect that you are confusing raw policy with human readable policy
gen_tunable(allow_httpd_anon_write, false) versus bool httpd_anon_write false;
etc
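The raw-versus-human-readable distinction Dominick points at, shown side by side as an added example that is not from this thread or from the reference policy sources. The lines outside the comments are the kernel policy language that checkmodule/checkpolicy reads once the reference-policy m4 macros have been expanded; the comments show the gen_tunable()/tunable_policy() source form that produces them. The myweb_* type and boolean names are constructed for illustration.

```selinux
# Raw (kernel policy language) form of a tunable, as it appears after
# m4 expansion (e.g. in policy.conf of a monolithic build). The myweb_*
# names are constructed for this example.

# Reference-policy source:  gen_tunable(myweb_anon_write, false)
bool myweb_anon_write false;

# Type declarations cannot appear inside a conditional block; only AV
# rules (allow/auditallow/dontaudit) and type_transition rules can, so
# the types are declared outside it.
type myweb_t;
type myweb_content_t;

# Reference-policy source:
#   tunable_policy(`myweb_anon_write',`
#       allow myweb_t myweb_content_t:file { write append };
#   ',`
#       dontaudit myweb_t myweb_content_t:file { write append };
#   ')
# Both branches are compiled into the loaded policy; setsebool only
# selects which branch is active, so the write access never exists as
# an unconditional rule.
if (myweb_anon_write) {
    allow myweb_t myweb_content_t:file { write append };
} else {
    # Leave this branch empty instead if you want denied writes to be
    # audited while the tunable is off.
    dontaudit myweb_t myweb_content_t:file { write append };
}
```

The human-readable gen_tunable() form also carries the `## <desc>` comment block that tools such as the policy documentation generator read; the raw `bool` statement carries nothing but the name and default, which is why the two look so different when compared directly.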
05-30-2012, 01:13 PM
Mr Dash Four
3.9 -> 3.10 policy language syntax changes
> i suspect that you are confusing raw policy with human readable policy
> gen_tunable(allow_httpd_anon_write, false) versus bool httpd_anon_write false;
> etc
Nope. I'll dig up some examples when I get home tonight. As for the
language syntax changes, this is what I meant:
On 22/06/2011 Daniel J Walsh wrote:
>> Now I have the rather unpleasant task of upgrading my own customised
>> policy from the FC13 to FC15 version. Are there any changes from FC13 to
>> FC15 in terms of the language syntax or anything else I need to be aware
>> of before I start?
> Not that I recall. F16 will add new stuff.
So, in FC16 there was "new stuff" added in terms of changes to the
language syntax. As I am upgrading the policy from FC15 to the present
level (FC17) I just wanted to know what this "new stuff" is, that's all.
I've already figured out the if ... else statement additions, which I
don't remember seeing in 3.9 version of the policy, so provided I didn't
get this wrong I'd like to know what else has been added?
05-31-2012, 02:09 PM
Dominick Grift
3.9 -> 3.10 policy language syntax changes
On Wed, 2012-05-30 at 14:13 +0100, Mr Dash Four wrote:
> > i suspect that you are confusing raw policy with human readable policy
> >
> > gen_tunable(allow_httpd_anon_write, false) versus bool httpd_anon_write false;
> >
> > etc
> >
> Nope. I'll dig up some examples when I get home tonight. As for the
> language syntax changes, this is what I meant:
>
> On 22/06/2011 Daniel J Walsh wrote:
> >
> >> Now I have the rather unpleasant task of upgrading my own customised
> >> policy from the FC13 to FC15 version. Are there any changes from FC13 to
> >> FC15 in terms of the language syntax or anything else I need to be aware
> >> of before I start?
> >>
> >
> > Not that I recall. F16 will add new stuff.
> So, in FC16 there was "new stuff" added in terms of changes to the
> language syntax. As I am upgrading the policy from FC15 to the present
> level (FC17) I just wanted to know what this "new stuff" is, that's all.
> I've already figured out the if ... else statement additions, which I
> don't remember seeing in 3.9 version of the policy, so provided I didn't
> get this wrong I'd like to know what else has been added?
>
the only new stuff added to f16 is named file transitions as far as i
know. basically allows you to append the name of the to type transition
object to the type_transition statement or filetrans_pattern()
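A named file transition in reference-policy module form, with its raw expansion and the older unnamed form in the comments, as an added example that is not the thread's or the reference policy's own code. The myweb module, its types and the file name are constructed; the module assumes var_log_t and the logging_log_file() interface from the reference policy's logging module.

```selinux
policy_module(myweb, 1.0.0)

# Constructed types for an example daemon and its private log file.
type myweb_t;
type myweb_log_t;
logging_log_file(myweb_log_t)

require {
    type var_log_t;
}

# The domain needs file permissions on the new label as usual;
# filetrans_pattern() only grants the directory-side permissions.
allow myweb_t myweb_log_t:file { create open getattr write append };

# Named file transition (policy version 25, i.e. Fedora 16 and later):
# only a file literally named "myweb.log" that myweb_t creates inside a
# var_log_t directory receives myweb_log_t. Any other file the domain
# creates there keeps the default label, so the domain cannot obtain the
# myweb_log_t label for an arbitrarily named file just by creating it in
# the right directory.
filetrans_pattern(myweb_t, var_log_t, myweb_log_t, file, "myweb.log")

# After m4 expansion the rule above contains:
#   type_transition myweb_t var_log_t:file myweb_log_t "myweb.log";
#
# The pre-F16 unnamed form, for comparison, applied to every file the
# domain created in var_log_t:
#   filetrans_pattern(myweb_t, var_log_t, myweb_log_t, file)
#   type_transition myweb_t var_log_t:file myweb_log_t;
```

A named transition only narrows which new objects get the target label; it does not change what the domain may do with that label, which is why the explicit allow rule on myweb_log_t is still needed and should stay as small as the daemon's actual behaviour requires.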
05-31-2012, 11:49 PM
Mr Dash Four
3.9 -> 3.10 policy language syntax changes
> the only new stuff added to f16 is named file transitions as far as i
> know. basically allows you to append the name of the to type transition
> object to the type_transition statement or filetrans_pattern()
>
> type_transition joe_t joes_dir_t:file joes_file_t "joe";
>
> filetrans_pattern(joe_t, joes_dir_t, joes_file_t, file, "joe")
Not much then! I figured that the if ... else as well as the gen_bool statements are indeed present in 3.9 - I have no idea how I missed that, I must have been drunk or something!
I also found the create_netif_interfaces_controlled set of macros - very useful! This is what I have implemented - in a round-about way - on all my systems here, without knowing of the existence of the if ... else and the gen_bool statements. This macro is going to be very handy when I redefine my custom policy now and bring it up to speed with 3.10 - I am glad I had a more thorough look at the policy this time...