secilc CIL Reference Guide patches

Please find attached three patches:

1) This updates the CIL Reference Guide to reflect all your recent changes.

These patches are from Dominick:

2) Fix the defaulttype title - This needs to be applied after the first patch.

3) Update .gitignore to ignore the build docs directories.

Richard
From 33be49a7ecb7b67d0c249276608e922ec86be4f3 Mon Sep 17 00:00:00 2001
From: Richard Haines <richard_c_haines@xxxxxxxxxxxxxx>
Date: Thu, 22 May 2014 15:55:21 +0100
Subject: [PATCH] secilc: Update CIL Reference Guide

Updated classmap/classmapping, added classmap to statements that utilise
class_id's (defaultuser, typetransition etc.), update various examples to
show anonymous classpermissionset's using expressions.

Signed-off-by: Richard Haines <richard_c_haines@xxxxxxxxxxxxxx>
---
 docs/CIL_Reference_Guide.xml                 |  8 ++--
 docs/cil_access_vector_rules.xml             | 50 +++++++++-------------
 docs/cil_class_and_permission_statements.xml | 61 +++++++++++++++------------
 docs/cil_constraint_statements.xml           |  8 ++--
 docs/cil_container_statements.xml            |  1 -
 docs/cil_default_object_statements.xml       | 62 ++++++++++++++++++++--------
 docs/cil_mls_labeling_statements.xml         |  2 +-
 docs/cil_role_statements.xml                 |  2 +-
 docs/cil_type_statements.xml                 |  6 +--
 9 files changed, 113 insertions(+), 87 deletions(-)

diff --git a/docs/CIL_Reference_Guide.xml b/docs/CIL_Reference_Guide.xml
index 93c6185..5178dca 100644
--- a/docs/CIL_Reference_Guide.xml
+++ b/docs/CIL_Reference_Guide.xml
@@ -29,9 +29,9 @@
       <title>Common Interface Language (CIL) Reference Guide</title>
       <revhistory>
          <revision>
-            <revnumber>0.1</revnumber>
-            <date>13th May '14</date>
-            <revremark>First Draft</revremark>
+            <revnumber>0.2</revnumber>
+            <date>22nd May '14</date>
+            <revremark>Updated classmap/classmapping, added classmap to statements that utilise class_id's (defaultuser, typetransition etc.), update various examples to show anonymous classpermissionset's using expressions.</revremark>
          </revision>
       </revhistory>
    </articleinfo>
@@ -39,7 +39,7 @@
    <sect1>
       <title>CIL Information</title>
       <orderedlist>
-         <listitem><para>The statement definitions are those found in the source from: <literal>git clone <ulink url="https://bitbucket.org/jwcarter/secilc.git";></ulink></literal> dated 6th May '14.</para></listitem>
+         <listitem><para>The statement definitions are those found in the source from: <literal>git clone <ulink url="https://bitbucket.org/jwcarter/secilc.git";></ulink></literal> dated 21st May '14.</para></listitem>
          <listitem><para>Not all possible alternate statement permutations are shown, however there should be enough variation to work out any other valid formats. There is also an example <filename>policy.cil</filename> file shown in the <link linkend="example_policy">Appendix</link>.</para></listitem>
          <listitem><para>The MLS components on contexts and user statements must be declared even if the policy does not support MCS/MLS. </para></listitem>
          <listitem><para>The CIL compiler will not build a policy unless it also has as a minimum: one <literal><link linkend="allow">allow</link></literal> rule, one <literal><link linkend="sid">sid</link></literal>, <literal><link linkend="sidorder">sidorder</link></literal> and <literal><link linkend="sidcontext">sidcontext</link></literal> statement. </para></listitem>
diff --git a/docs/cil_access_vector_rules.xml b/docs/cil_access_vector_rules.xml
index 5bd5d32..56269b2 100644
--- a/docs/cil_access_vector_rules.xml
+++ b/docs/cil_access_vector_rules.xml
@@ -1,7 +1,7 @@
 <!-- Common Interface Language (CIL) Reference Guide -->
               <!-- access_vector_rules.xml -->
 
-   <sect1>
+   <sect1 id="av_rules">
       <title>Access Vector Rules</title>
       <sect2 id="allow">
          <title>allow</title>
@@ -44,7 +44,7 @@
                      <para><literal>classpermissionset_id</literal></para>
                   </entry>
                   <entry>
-                     <para>One or more named or anonymous <literal><link linkend="classpermissionset">classpermissionset</link></literal>'s  or pairs of <literal><link linkend="classmap">classmap</link></literal>/<literal><link linkend="classmapping">classmapping</link></literal> identifiers.</para>
+                     <para>A single named or anonymous <literal><link linkend="classpermissionset">classpermissionset</link></literal> or a single set of <literal><link linkend="classmap">classmap</link></literal>/<literal><link linkend="classmapping">classmapping</link></literal> identifiers.</para>
                   </entry>
                </row>
             </tbody></tgroup>
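Review bot: "a single set of classmap/classmapping identifiers" in the new classpermissionset_id description is ambiguous, since it can be read as one classmap identifier with one classmapping identifier or as a list of them. The updated allow example in this file uses the form (android_classes (set_3)), so please state explicitly which form is accepted, and carry the same wording into the identical rows changed elsewhere in this patch.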
@@ -62,22 +62,15 @@
 
 (classmap android_classes (set_1 set_2 set_3))
 
-(classmapping android_classes set_1
-      (binder (impersonate call set_context_mgr transfer receive))
-      (property_service (set))
-      (zygote (specifyids specifyrlimits specifycapabilities specifyinvokewith specifyseinfo))
-)
+(classmapping android_classes set_1 (binder (all)))
+(classmapping android_classes set_1 (property_service (set)))
+(classmapping android_classes set_1 (zygote (not (specifycapabilities))))
 
-(classmapping android_classes set_2
-      (binder (all))
-      (property_service (all))
-      (zygote (all))
-)
+(classmapping android_classes set_2 (binder (impersonate call set_context_mgr transfer)))
+(classmapping android_classes set_2 (zygote (specifyids specifyrlimits specifycapabilities specifyinvokewith)))
 
-(classmapping android_classes set_3
-      (binder (impersonate call set_context_mgr))
-      cps_zygote
-)
+(classmapping android_classes set_3 cps_zygote)
+(classmapping android_classes set_3 (binder (impersonate call set_context_mgr)))
 
 (block av_rules
     (type type_1)
@@ -85,25 +78,22 @@
     (type type_3)
     (type type_4)
     (type type_5)
-    (type type_6)
+
     (typeattribute all_types)
     (typeattributeset all_types (all))
 
-    (allow type_1 self (property_service (set)))
-    (allow type_2 self (zygote (specifyids)))
-    (allow type_3 self cps_zygote)
-    (allow type_4 self (android_classes (set_3)))
-    (allow all_types all_types (android_classes (set_2)))
+; These examples have named and anonymous classpermissionset's and
+; classmap/classmapping statements
+    (allow type_1 self (property_service (set)))          ; anonymous
+    (allow type_2 self (zygote (specifyids)))             ; anonymous
+    (allow type_3 self cps_zygote)                        ; named
+    (allow type_4 self (android_classes (set_3)))         ; classmap/classmapping     
+    (allow all_types all_types (android_classes (set_2))) ; classmap/classmapping
 
 ;; This rule will cause the build to fail unless --disable-neverallow
 ;    (neverallow type_5 all_types (property_service (set)))
     (allow type_5 type_5 (property_service (set)))
     (allow type_1 all_types (property_service (set)))
-
-; This example has named and anonymous classpermissionset's and
-; classmap/classmapping statements:
-;                           named           anonymous          classmap/classmapping
-    (allow type_6 self ((cps_zygote) (binder (call transfer)) (android_classes (set_3))))
 )]]>
          </programlisting>
       </sect2>
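Review bot: The added allow line for type_4 ends in trailing spaces after "; classmap/classmapping", and the two added comment lines ("; These examples have named and anonymous ...") start in column 0 inside the indented (block av_rules ...) body. Strip the trailing whitespace and indent the comment to match the rules it describes. The line that replaces (type type_6) is an empty added line; dropping it would keep the type declarations contiguous.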
@@ -149,7 +139,7 @@
                      <para><literal>classpermissionset_id</literal></para>
                   </entry>
                   <entry>
-                     <para>One or more named or anonymous <literal><link linkend="classpermissionset">classpermissionset</link></literal>'s  or pairs of <literal><link linkend="classmap">classmap</link></literal>/<literal><link linkend="classmapping">classmapping</link></literal> identifiers.</para>
+                     <para>A single named or anonymous <literal><link linkend="classpermissionset">classpermissionset</link></literal> or a single set of <literal><link linkend="classmap">classmap</link></literal>/<literal><link linkend="classmapping">classmapping</link></literal> identifiers.</para>
                   </entry>
                </row>
             </tbody></tgroup>
@@ -207,7 +197,7 @@
                      <para><literal>classpermissionset_id</literal></para>
                   </entry>
                   <entry>
-                     <para>One or more named or anonymous <literal><link linkend="classpermissionset">classpermissionset</link></literal>'s  or pairs of <literal><link linkend="classmap">classmap</link></literal>/<literal><link linkend="classmapping">classmapping</link></literal> identifiers.</para>
+                     <para>A single named or anonymous <literal><link linkend="classpermissionset">classpermissionset</link></literal> or a single set of <literal><link linkend="classmap">classmap</link></literal>/<literal><link linkend="classmapping">classmapping</link></literal> identifiers.</para>
                   </entry>
                </row>
             </tbody></tgroup>
@@ -261,7 +251,7 @@
                      <para><literal>classpermissionset_id</literal></para>
                   </entry>
                   <entry>
-                     <para>One or more named or anonymous <literal><link linkend="classpermissionset">classpermissionset</link></literal>'s  or pairs of <literal><link linkend="classmap">classmap</link></literal>/<literal><link linkend="classmapping">classmapping</link></literal> identifiers.</para>
+                     <para>A single named or anonymous <literal><link linkend="classpermissionset">classpermissionset</link></literal> or a single set of <literal><link linkend="classmap">classmap</link></literal>/<literal><link linkend="classmapping">classmapping</link></literal> identifiers.</para>
                   </entry>
                </row>
             </tbody></tgroup>
diff --git a/docs/cil_class_and_permission_statements.xml b/docs/cil_class_and_permission_statements.xml
index 6d58cf8..fcc36b5 100644
--- a/docs/cil_class_and_permission_statements.xml
+++ b/docs/cil_class_and_permission_statements.xml
@@ -305,7 +305,24 @@
 
       <sect2 id="classmap">
          <title>classmap</title>
-         <para>Declares a class map identifier in the current namespace and one or more class mapping identifiers. This will allow multiple <literal><link linkend="classpermissionset">classpermissionset</link></literal>s to be linked to a pair of <literal><link linkend="classmap">classmap</link></literal> / <literal><link linkend="classmapping">classmapping</link></literal> identifiers.</para>
+         <para>Declares a class map identifier in the current namespace and one or more class mapping identifiers. This will allow:</para>
+         <orderedlist>
+            <listitem><para>Multiple <literal><link linkend="classpermissionset">classpermissionset</link></literal>s to be linked to a pair of <literal><link linkend="classmap">classmap</link></literal> / <literal><link linkend="classmapping">classmapping</link></literal> identifiers.</para></listitem>
+            <listitem><para>Multiple <literal><link linkend="class">class</link></literal>s to be associated to statements and rules that support a list of classes:</para>
+            <simplelist type="inline">
+               <member><literal><link linkend="typetransition">typetransition</link></literal></member>
+               <member><literal><link linkend="typechange">typechange</link></literal></member>
+               <member><literal><link linkend="typemember">typemember</link></literal></member>
+               <member><literal><link linkend="rangetransition">rangetransition</link></literal></member>
+               <member><literal><link linkend="roletransition">roletransition</link></literal></member>
+               <member><literal><link linkend="defaultuser">defaultuser</link></literal></member>
+               <member><literal><link linkend="defaultrole">defaultrole</link></literal></member>
+               <member><literal><link linkend="defaulttype">defaulttype</link></literal></member>
+               <member><literal><link linkend="defaultrange">defaultrange</link></literal></member>
+               <member><literal><link linkend="validatetrans">validatetrans</link></literal></member>
+               <member><literal><link linkend="mlsvalidatetrans">mlsvalidatetrans</link></literal></member>
+            </simplelist></listitem>
+         </orderedlist>
          <para><emphasis role="bold">Statement definition:</emphasis></para>
          <programlisting><![CDATA[(classmap classmap_id (classmapping_id ...))]]></programlisting>
          <para><emphasis role="bold">Where:</emphasis></para>
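Review bot: In the second list item the linked literal "class" followed by a bare "s" will render as "classs"; write the plural as "classes" or rephrase to "Multiple class identifiers". In the same sentence, "associated to statements and rules" would read better as "associated with statements and rules".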
@@ -396,26 +413,20 @@
 (class property_service (set))
 (class zygote (specifyids specifyrlimits specifycapabilities specifyinvokewith specifyseinfo))
 
-(classpermission cps_zygote_1)
-(classpermissionset cps_zygote_1 (zygote ((not (specifyids)))))
+(classpermission cps_zygote)
+(classpermissionset cps_zygote (zygote (not (specifyids))))
 
 (classmap android_classes (set_1 set_2 set_3))
 
-(classmapping android_classes set_1
-    (binder (impersonate call set_context_mgr transfer receive))
-    (property_service (set))
-    (zygote (specifyids specifyrlimits specifycapabilities specifyinvokewith specifyseinfo))
-)
+(classmapping android_classes set_1 (binder (all)))
+(classmapping android_classes set_1 (property_service (set)))
+(classmapping android_classes set_1 (zygote (not (specifycapabilities))))
 
-(classmapping android_classes set_2
-    (binder (impersonate call set_context_mgr transfer))
-    (zygote (specifyids specifyrlimits specifycapabilities specifyinvokewith))
-)
+(classmapping android_classes set_2 (binder (impersonate call set_context_mgr transfer)))
+(classmapping android_classes set_2 (zygote (specifyids specifyrlimits specifycapabilities specifyinvokewith)))
 
-(classmapping android_classes set_3
-    (binder (impersonate call set_context_mgr))
-    cps_zygote_1
-)
+(classmapping android_classes set_3 cps_zygote)
+(classmapping android_classes set_3 (binder (impersonate call set_context_mgr)))
 
 (block map_example
     (type type_1)
@@ -427,18 +438,16 @@
     (allow type_3 self (android_classes (set_3)))
 )
 
-; The above should resolve to the following AV rules:
-; allow map_example.type_1 map_example.type_1 : property_service set ;
-; allow map_example.type_1 map_example.type_1 : binder { impersonate call set_context_mgr transfer receive } ;
-; allow map_example.type_1 map_example.type_1 : zygote { specifyids specifyrlimits specifycapabilities specifyinvokewith specifyseinfo } ;
+; The above will resolve to the following AV rules:
+;; allow map_example.type_1 map_example.type_1 : binder { impersonate call set_context_mgr transfer receive } ;
+;; allow map_example.type_1 map_example.type_1 : property_service set ;
+;; allow map_example.type_1 map_example.type_1 : zygote { specifyids specifyrlimits specifyinvokewith specifyseinfo } ;
 
-; allow map_example.type_2 map_example.type_2 : property_service set ;
-; allow map_example.type_2 map_example.type_2 : binder { impersonate call set_context_mgr transfer receive } ;
-; allow map_example.type_2 map_example.type_2 : zygote { specifyids specifyrlimits specifycapabilities specifyinvokewith specifyseinfo } ;
+;; allow map_example.type_2 map_example.type_2 : binder { impersonate call set_context_mgr transfer } ;
+;; allow map_example.type_2 map_example.type_2 : zygote { specifyids specifyrlimits specifycapabilities specifyinvokewith } ;
 
-; allow map_example.type_3 map_example.type_3 : binder { impersonate call set_context_mgr } ;
-; allow map_example.type_3 map_example.type_3 : zygote { specifyrlimits specifycapabilities specifyinvokewith specifyseinfo } ;
-]]>
+;; allow map_example.type_3 map_example.type_3 : binder { impersonate call set_context_mgr } ;
+;; allow map_example.type_3 map_example.type_3 : zygote { specifyrlimits specifycapabilities specifyinvokewith specifyseinfo } ;]]>
          </programlisting>
       </sect2>
 
diff --git a/docs/cil_constraint_statements.xml b/docs/cil_constraint_statements.xml
index 8d99089..6f5d9c6 100644
--- a/docs/cil_constraint_statements.xml
+++ b/docs/cil_constraint_statements.xml
@@ -27,7 +27,7 @@
                      <para><literal>classpermissionset_id</literal></para>
                   </entry>
                   <entry>
-                     <para>One or more named or anonymous <literal><link linkend="classpermissionset">classpermissionset</link></literal>'s  or pairs of <literal><link linkend="classmap">classmap</link></literal>/<literal><link linkend="classmapping">classmapping</link></literal> identifiers.</para>
+                     <para>A single named or anonymous <literal><link linkend="classpermissionset">classpermissionset</link></literal> or a single set of <literal><link linkend="classmap">classmap</link></literal>/<literal><link linkend="classmapping">classmapping</link></literal> identifiers.</para>
                   </entry>
                </row>
                <row>
@@ -126,7 +126,7 @@
                      <para><literal>class_id</literal></para>
                   </entry>
                   <entry>
-                     <para>A single <literal><link linkend="class">class</link></literal> identifier.</para>
+                     <para>A single previously declared <literal><link linkend="class">class</link></literal> or <literal><link linkend="classmap">classmap</link></literal> identifier.</para>
                   </entry>
                </row>
                <row>
@@ -206,7 +206,7 @@
                      <para><literal>classpermissionset_id</literal></para>
                   </entry>
                   <entry>
-                     <para>One or more named or anonymous <literal><link linkend="classpermissionset">classpermissionset</link></literal>'s  or pairs of <literal><link linkend="classmap">classmap</link></literal>/<literal><link linkend="classmapping">classmapping</link></literal> identifiers.</para>
+                     <para>A single named or anonymous <literal><link linkend="classpermissionset">classpermissionset</link></literal> or a single set of <literal><link linkend="classmap">classmap</link></literal>/<literal><link linkend="classmapping">classmapping</link></literal> identifiers.</para>
                   </entry>
                </row>
                <row>
@@ -298,7 +298,7 @@
                      <para><literal>class_id</literal></para>
                   </entry>
                   <entry>
-                     <para>A single <literal><link linkend="class">class</link></literal> identifier.</para>
+                     <para>A single previously declared <literal><link linkend="class">class</link></literal> or <literal><link linkend="classmap">classmap</link></literal> identifier.</para>
                   </entry>
                </row>
                <row>
diff --git a/docs/cil_container_statements.xml b/docs/cil_container_statements.xml
index 626a091..ef6b891 100644
--- a/docs/cil_container_statements.xml
+++ b/docs/cil_container_statements.xml
@@ -275,7 +275,6 @@
                   </entry>
                   <entry>
                      <para><literal><link linkend="typetransition">typetransition</link></literal></para>
-                     <simpara>(excluding 'file name transition' rule)</simpara>
                   </entry>
                </row>
                </tbody>
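Review bot: Dropping the "(excluding 'file name transition' rule)" qualifier from the typetransition entry is not covered by the commit message, which only lists the classmap/classmapping and classpermissionset example updates. Please add a line to the commit message saying why the exclusion no longer applies, so the removal is not mistaken for an accidental deletion.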
diff --git a/docs/cil_default_object_statements.xml b/docs/cil_default_object_statements.xml
index 4354dc5..2f994bf 100644
--- a/docs/cil_default_object_statements.xml
+++ b/docs/cil_default_object_statements.xml
@@ -8,7 +8,7 @@
          <title>defaultuser</title>
          <para>Allows the default user to be taken from the source or target context when computing a new context for the object <literal><link linkend="class">class</link></literal> identifier. Requires policy version 27.</para>
          <para><emphasis role="bold">Statement definition:</emphasis></para>
-         <programlisting><![CDATA[(defaultuser class_list default)]]></programlisting>
+         <programlisting><![CDATA[(defaultuser class_id default)]]></programlisting>
          <para><emphasis role="bold">Where:</emphasis></para>
          <informaltable frame="all">
             <tgroup cols="2">
@@ -25,10 +25,10 @@
                </row>
                <row>
                   <entry>
-                     <para><literal>class_list</literal></para>
+                     <para><literal>class_id</literal></para>
                   </entry>
                   <entry>
-                     <para>One or more previously declared <literal><link linkend="class">class</link></literal> identifiers.</para>
+                     <para>A single previously declared <literal><link linkend="class">class</link></literal> or <literal><link linkend="classmap">classmap</link></literal> identifier, or a list of previously declared <literal><link linkend="class">class</link></literal> or <literal><link linkend="classmap">classmap</link></literal> identifiers enclosed within parentheses.</para>
                   </entry>
                </row>
                <row>
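Review bot: The parameter is renamed from class_list to class_id, yet the new description still allows "a list of previously declared class or classmap identifiers enclosed within parentheses". A name ending in _id for something that may be a list is easy to misread next to the other tables in this patch where class_id is strictly a single identifier. Either keep a list-style name here or show both the single and the parenthesised form in the statement definition.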
@@ -43,15 +43,32 @@
          </informaltable>
 
          <para><emphasis role="bold">Example:</emphasis></para>
-         <para>When creating a new <literal>file</literal> object, the <literal><link linkend="user">user</link></literal> component of the new security context will be taken from the <literal>target</literal> context:</para>
-         <para><emphasis role="bold">Statement definition:</emphasis></para>
-         <programlisting><![CDATA[(defaultuser file target)]]></programlisting>
+         <para>When creating new <literal>binder</literal>, <literal>property_service</literal>, <literal>zygote</literal> or <literal>memprotect</literal> objects the <literal><link linkend="user">user</link></literal> component of the new security context will be taken from the <literal>source</literal> context:</para>
+         <programlisting><![CDATA[
+(class binder (impersonate call set_context_mgr transfer receive))
+(class property_service (set))
+(class zygote (specifyids specifyrlimits specifycapabilities specifyinvokewith specifyseinfo))
+(class memprotect (mmap_zero))
+
+(classmap android_classes (android))
+(classmapping android_classes android (binder (all)))
+(classmapping android_classes android (property_service (set)))
+(classmapping android_classes android (zygote (not (specifycapabilities))))
+
+(defaultuser (android_classes memprotect) source)
+
+; Will produce the following in the binary policy file:
+;; default_user binder source;
+;; default_user zygote source;
+;; default_user property_service source;
+;; default_user memprotect source;]]>
+         </programlisting>
       </sect2>
 
       <sect2 id="defaultrole">
          <title>defaultrole</title>
          <para>Allows the default role to be taken from the source or target context when computing a new context for the object <literal><link linkend="class">class</link></literal> identifier. Requires policy version 27.</para>
-         <programlisting><![CDATA[(defaultrole class_list default)]]></programlisting>
+         <programlisting><![CDATA[(defaultrole class_id default)]]></programlisting>
          <para><emphasis role="bold">Where:</emphasis></para>
          <informaltable frame="all">
             <tgroup cols="2">
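Review bot: The defaultuser example maps android_classes with permission expressions such as (zygote (not (specifycapabilities))), but the listed output ("default_user zygote source;" and the other three lines) carries no permissions, so it would help to state in the example text that only the classes of a classmap are used by this statement. In the trailing context, the defaultrole section goes straight from its description to the programlisting without the "Statement definition:" paragraph that defaultuser has; since this hunk already removes the stray one from the defaultuser example, adding it to defaultrole here would make the sections consistent.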
@@ -68,10 +85,10 @@
                </row>
                <row>
                   <entry>
-                     <para><literal>class_list</literal></para>
+                     <para><literal>class_id</literal></para>
                   </entry>
                   <entry>
-                     <para>One or more previously declared <literal><link linkend="class">class</link></literal> identifiers.</para>
+                     <para>A single previously declared <literal><link linkend="class">class</link></literal> or <literal><link linkend="classmap">classmap</link></literal> identifier, or a list of previously declared <literal><link linkend="class">class</link></literal> or <literal><link linkend="classmap">classmap</link></literal> identifiers enclosed within parentheses.</para>
                   </entry>
                </row>
                <row>
@@ -86,15 +103,26 @@
          </informaltable>
 
          <para><emphasis role="bold">Example:</emphasis></para>
-         <para>When creating a new <literal>file</literal> object, the <literal><link linkend="role">role</link></literal> component of the new security context will be taken from the <literal>source</literal> context:</para>
-         <programlisting><![CDATA[(defaultrole file source)]]></programlisting>
+         <para>When creating new <literal>binder</literal>, <literal>property_service</literal> or <literal>zygote</literal> objects the <literal><link linkend="role">role</link></literal> component of the new security context will be taken from the <literal>target</literal> context:</para>
+         <programlisting><![CDATA[
+(class binder (impersonate call set_context_mgr transfer receive))
+(class property_service (set))
+(class zygote (specifyids specifyrlimits specifycapabilities specifyinvokewith specifyseinfo))
+
+(defaultrole (binder property_service zygote) target)
+
+; Will produce the following in the binary policy file:
+;; default_role binder target;
+;; default_role zygote target;
+;; default_role property_service target;]]>
+         </programlisting>
       </sect2>
 
       <sect2 id="defaulttype">
          <title>defaultuser</title>
          <para>Allows the default type to be taken from the source or target context when computing a new context for the object <literal><link linkend="class">class</link></literal> identifier. Requires policy version 28.</para>
          <para><emphasis role="bold">Statement definition:</emphasis></para>
-         <programlisting><![CDATA[(defaulttype class_list default)]]></programlisting>
+         <programlisting><![CDATA[(defaulttype class_id default)]]></programlisting>
          <para><emphasis role="bold">Where:</emphasis></para>
          <informaltable frame="all">
             <tgroup cols="2">
@@ -111,10 +139,10 @@
                </row>
                <row>
                   <entry>
-                     <para><literal>class_list</literal></para>
+                     <para><literal>class_id</literal></para>
                   </entry>
                   <entry>
-                     <para>One or more previously declared <literal><link linkend="class">class</link></literal> identifiers.</para>
+                     <para>A single previously declared <literal><link linkend="class">class</link></literal> or <literal><link linkend="classmap">classmap</link></literal> identifier, or a list of previously declared <literal><link linkend="class">class</link></literal> or <literal><link linkend="classmap">classmap</link></literal> identifiers enclosed within parentheses.</para>
                   </entry>
                </row>
                <row>
@@ -137,7 +165,7 @@
          <title>defaultrange</title>
          <para>Allows the default level or range to be taken from the source or target context when computing a new context for the object <literal><link linkend="class">class</link></literal> identifier. Requires policy version 27.</para>
          <para><emphasis role="bold">Statement definition:</emphasis></para>
-         <programlisting><![CDATA[(defaultrange class_list default range)]]></programlisting>
+         <programlisting><![CDATA[(defaultrange class_id default range)]]></programlisting>
          <para><emphasis role="bold">Where:</emphasis></para>
          <informaltable frame="all">
             <tgroup cols="2">
@@ -154,10 +182,10 @@
                </row>
                <row>
                   <entry>
-                     <para><literal>class_list</literal></para>
+                     <para><literal>class_id</literal></para>
                   </entry>
                   <entry>
-                     <para>One or more previously declared <literal><link linkend="class">class</link></literal> identifiers.</para>
+                     <para>A single previously declared <literal><link linkend="class">class</link></literal> or <literal><link linkend="classmap">classmap</link></literal> identifier, or a list of previously declared <literal><link linkend="class">class</link></literal> or <literal><link linkend="classmap">classmap</link></literal> identifiers enclosed within parentheses.</para>
                   </entry>
                </row>
                <row>
diff --git a/docs/cil_mls_labeling_statements.xml b/docs/cil_mls_labeling_statements.xml
index 130c7e5..3738789 100644
--- a/docs/cil_mls_labeling_statements.xml
+++ b/docs/cil_mls_labeling_statements.xml
@@ -690,7 +690,7 @@
                      <para><literal>class_id</literal></para>
                   </entry>
                   <entry>
-                     <para>A single previously declared <literal><link linkend="class">class</link></literal> identifier.</para>
+                     <para>A single previously declared <literal><link linkend="class">class</link></literal> or <literal><link linkend="classmap">classmap</link></literal> identifier.</para>
                   </entry>
                </row>
                <row>
diff --git a/docs/cil_role_statements.xml b/docs/cil_role_statements.xml
index ff87faa..47ca8c7 100644
--- a/docs/cil_role_statements.xml
+++ b/docs/cil_role_statements.xml
@@ -289,7 +289,7 @@
                      <para><literal>class_id</literal></para>
                   </entry>
                   <entry>
-                     <para>A single previously declared <literal><link linkend="class">class</link></literal> identifier.</para>
+                     <para>A single previously declared <literal><link linkend="class">class</link></literal> or <literal><link linkend="classmap">classmap</link></literal> identifier.</para>
                   </entry>
                </row>
                <row>
diff --git a/docs/cil_type_statements.xml b/docs/cil_type_statements.xml
index cb16dfb..b140f86 100644
--- a/docs/cil_type_statements.xml
+++ b/docs/cil_type_statements.xml
@@ -341,7 +341,7 @@
                      <para><literal>class_id</literal></para>
                   </entry>
                   <entry>
-                     <para>A single previously declared <literal><link linkend="class">class</link></literal> identifier.</para>
+                     <para>A single previously declared <literal><link linkend="class">class</link></literal> or <literal><link linkend="classmap">classmap</link></literal> identifier.</para>
                   </entry>
                </row>
                <row>
@@ -412,7 +412,7 @@
                      <para><literal>class_id</literal></para>
                   </entry>
                   <entry>
-                     <para>A single previously declared <literal><link linkend="class">class</link></literal> identifier.</para>
+                     <para>A single previously declared <literal><link linkend="class">class</link></literal> or <literal><link linkend="classmap">classmap</link></literal> identifier.</para>
                   </entry>
                </row>
                <row>
@@ -483,7 +483,7 @@
                      <para><literal>class_id</literal></para>
                   </entry>
                   <entry>
-                     <para>A single previously declared <literal><link linkend="class">class</link></literal> identifier.</para>
+                     <para>A single previously declared <literal><link linkend="class">class</link></literal> or <literal><link linkend="classmap">classmap</link></literal> identifier.</para>
                   </entry>
                </row>
                <row>
-- 
1.9.0

From 90e554950412268923900bc0b4c42c58537066ca Thu, 15 May 2014 17:32:07 +0200
From: Dominick Grift <dac.override@xxxxxxxxx>
Date: Thu, 15 May 2014 17:29:34 +0200
Subject: [PATCH] Fix copy and paste error


diff --git a/docs/cil_default_object_statements.xml b/docs/cil_default_object_statements.xml
index 4354dc5..eb13bc2 100644
--- a/docs/cil_default_object_statements.xml
+++ b/docs/cil_default_object_statements.xml
@@ -91,7 +91,7 @@
       </sect2>
 
       <sect2 id="defaulttype">
-         <title>defaultuser</title>
+         <title>defaulttype</title>
          <para>Allows the default type to be taken from the source or target context when computing a new context for the object <literal><link linkend="class">class</link></literal> identifier. Requires policy version 28.</para>
          <para><emphasis role="bold">Statement definition:</emphasis></para>
          <programlisting><![CDATA[(defaulttype class_list default)]]></programlisting>
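Review bot: This patch will not apply cleanly on top of the CIL Reference Guide update as posted: its last context line is (defaulttype class_list default) and its index line starts from blob 4354dc5, while the first patch changes that line to (defaulttype class_id default) and moves the section further down the file. Since the cover note says it must go in after the first patch, please rebase it onto that patch or fold the one-line title fix into it. The commit also has no message body and no Signed-off-by line.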
From 41ebb72a9c012ac660fa469019b8e8a35bc4e92b Thu, 15 May 2014 17:31:59 +0200
From: Dominick Grift <dac.override@xxxxxxxxx>
Date: Thu, 15 May 2014 17:28:39 +0200
Subject: [PATCH] Ignore docs/{html,pdf,man8}/


diff --git a/.gitignore b/.gitignore
index 263ba72..3f59987 100644
--- a/.gitignore
+++ b/.gitignore
@@ -5,3 +5,6 @@
 src/cil_lexer.c
 unit_tests
 cov
+ docs/pdf/
+ docs/html/
+ docs/man8/
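Review bot: Each of the three added patterns has a space between the "+" and "docs/", so the entries as posted begin with a leading space. Git keeps leading whitespace in .gitignore patterns, so " docs/pdf/" would not match docs/pdf/; remove the space so the lines read docs/pdf/, docs/html/ and docs/man8/. The commit has no Signed-off-by line either.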
--