On 10/21/2013 09:25 AM, Steve Lawrence wrote:
> On 10/19/2013 09:32 AM, Dominick Grift wrote:
>> Also I was not able to write TE AV rules with two target types, e.g.
>> where we previously used brace expansion: allow bla_t { foo_t
>> bar_t }:file read;
>
> Yes, the source/target parameters of the allow rule only allow a single type or
> typeattribute. CIL is not meant to be succinct. You'll find there's a great deal
> of repetition. The idea is that higher level languages would allow for
> succinctness.
>
>> I tried several things like: (allow (bla_t ( foo_t bar_t))
>> all_file_perms), but no go
>
> If you really don't want two allow rules, you can create a typeattribute:
>
> (typeattribute foobar)
> (typeattributeset foobar (foo_t bar_t))
> (allow bla_t foobar all_file_perms)
>
> But unless the foobar attribute has some kind of meaning, it probably makes more
> sense to just have two allow rules.

We wanted to prevent writing rules such as "allow foo_t { file_type -bar_t
}:file read;" which expand into a large number of rules. Dan and others have
converted a large number of rules like this into ones using attributes, which has
really reduced the size of the binary policy. CIL requires what we believe to be
the best practice.
--
James Carter <jwcart2@xxxxxxxxxxxxx>
National Security Agency
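The three spellings discussed in this thread side by side, as an added example that is not code from the thread or from the CIL project. The class and type declarations, the extra type baz_t, the file_type_not_bar attribute and the classpermission standing in for refpolicy's all_file_perms macro are assumptions made for the illustration; the fragment also omits the sid, classorder, user, role and context declarations a policy needs before secilc will build it.

```cil
; Added example: the forms discussed in the thread, written out as CIL.
; Class and type declarations below are assumed for illustration only.
(class file (read write))
(type bla_t)
(type foo_t)
(type bar_t)
(type baz_t)

; A named permission set standing in for the refpolicy "all_file_perms" macro,
; so that an allow rule can name it directly as its third argument.
(classpermission all_file_perms)
(classpermissionset all_file_perms (file (all)))

; 1. What "allow bla_t { foo_t bar_t }:file read;" becomes: one rule per target.
(allow bla_t foo_t (file (read)))
(allow bla_t bar_t (file (read)))

; 2. The same access granted through an attribute, as Steve suggested.
(typeattribute foobar)
(typeattributeset foobar (foo_t bar_t))
(allow bla_t foobar all_file_perms)

; 3. The negated pattern "allow foo_t { file_type -bar_t }:file read;".
;    A set expression keeps this as one rule whose target is an attribute,
;    rather than one expanded rule per member type of file_type.
(typeattribute file_type)
(typeattributeset file_type (foo_t bar_t baz_t))
(typeattribute file_type_not_bar)
(typeattributeset file_type_not_bar (and file_type (not bar_t)))
(allow foo_t file_type_not_bar (file (read)))
```

Form 2 is only worth it when foobar names something meaningful on its own, as the reply notes; form 3 is the case the CIL restriction was designed for, since the attribute expression is resolved once at compile time instead of being expanded into a rule for every type in file_type.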
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.