-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On Wed, Sep 09, 2015 at 04:17:13PM -0400, James Carter wrote: <snip> > > This doesn't appear to be ONLY because of the "in" block. It still segfaults > even with moving everything inside the block and removing the "in" block. > > It looks like one problem is with the use of a blockinherit inside a macro. > Blocks and blockinherits are not allowed to be used in macros. As we were > fixing CIL's name resolution last Fall we came to the conclusion that > allowing both of these would provide little benefit while causing a lot of > potential problems. But we are open to a discussion if you can provide a > compelling use case. > > Why not use something like this: > > (block exec_blk > (blockabstract exec_blk) > (macro exec ((type ARG1)) > (call can_exec (ARG1 cmd_file)))) > > (block auditctl > (blockinherit exec_blk)) > > (call auditctl.exec (some_type)) > > instead of: > > (block exec_blk > (blockabstract exec_blk) > (call can_exec (ARG1 cmd_file))) > > (block auditctl > (macro exec ((type ARG1)) > (blockinherit exec_blk))) > > (call auditctl.exec (some_type)) > Thanks, That looks fine to me. I will try this out tomorrow and see how it goes. I am not attached to any particular solution. Although I tried what, to me, felt natural and intuitive. Thanks for the suggestion. > > Jim > > >I first thought it was because i was using "ARG1" in the blockabstract > >(see first commit). However that seems to not be the case. > > > >I am left wondering: what am i doing wrong here (obviously secilc should > >not segfault nevertheless) > > > > > -- > James Carter <jwcart2@xxxxxxxxxxxxx> > National Security Agency > _______________________________________________ > Selinux mailing list > Selinux@xxxxxxxxxxxxx > To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx. > To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx. - -- 02DFF788 4D30 903A 1CF3 B756 FB48 1514 3148 83A2 02DF F788 https://sks-keyservers.net/pks/lookup?op=get&search=0x314883A202DFF788 Dominick Grift -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQGcBAEBCgAGBQJV8JpUAAoJENAR6kfG5xmcF7EL/3RpgagwqZHgF8HdbQBhuQBU 7uYaEBLDVgvDFTh8MZqPhNGXxmazCi/DYCL3XgFy96wCCjHG5Ea1HvHLWiy+kWcT 3TunGCAKPbyCX1gHf1MyOgsbmXjdK2aIeOv3FoRiCoY+q1cZZ1F18ORSbd9Qfkcb Bfg4XEcwZNYcw0LQGjVnuuAIQthGHOisv1DSGcXP4HtVghEBNWwKKMji4dgGbpKP 7AyBfnAux8gFyNLQZVeaCXnDz62iTxGVvKRfSEETx/JWrsqNV4XqhLpRcJcOZGEU 4PLSUO/jz1wdG/CtC6/swq01D46BZwkwri5JrihXPEb2k2CFLjbvJ7Bie1LU1J1T 0s8vPIV/gVFsCfKX3ilnTX4mFCXsoAlOntpgjfk9PkPwTTRpsYbXhJYy91llyuR0 Deg3u9P2eO/yiEoPwpvB0kn7LEZN0vBiZSzCNW+NdVHy2pu2+uqanCUs4qUOj71E DnAEeXlPBGtVwWyMqfbcU+0Fc119HRJeynJDrDKuig== =JhA8 -----END PGP SIGNATURE----- _______________________________________________ Selinux mailing list Selinux@xxxxxxxxxxxxx To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx. To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
