On 06/19/2016 11:15 AM, Sven Vermeulen wrote:
> Hi all
>
> I'm going through the information at
> https://github.com/SELinuxProject/cil/wiki to try some new things that
> CIL offers. One of the documented "features" is to delete rules from
> the final policy using the "(delete ...)" statement.
>
> However, when I try to use that, I always get the failure "Error:
> Unknown keyword delete".
>
> The test.cil file is pretty simple:
> (delete (allow sysadm_t rsync_etc_t (file (read))))
>
> ~# semodule -i test.cil
> Error: Unknown keyword delete
> semodule: Failed!
>
> I considered that it might only work when it builds everything
> together with secilc, so I tried that as well:
>
> ~$ secilc -c 29 /var/lib/selinux/mcs/active/modules/400/*/cil test.cil
> Error: Unknown keyword delete
> Failed to compile cildb: -1
>
> Perhaps this keyword is not part of the final CIL construction? That
> wiki page above is from before it got merged in the main userspace,
> but I didn't find a more up-to-date version of that information.
>

Unfortunately, some of the features described in that CIL wiki page (e.g. delete, filter, transform) were never implemented. More up to date documentation is available here:

https://github.com/SELinuxProject/selinux/tree/master/secilc/docs

- Steve

_______________________________________________
Selinux mailing list
Selinux@xxxxxxxxxxxxx
To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
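
A pre-check for the situation in the thread above, as an added example that is not part of the original messages or of the SELinux project's code: it scans CIL source for statements headed by the keywords the reply names as never implemented, so a module can be checked before it is passed to semodule or secilc. The function names, the container list and the sample policy are assumptions made for this illustration.

```python
import re

UNIMPLEMENTED = {"delete", "filter", "transform"}  # only the keywords named in the reply
CONTAINERS = {"block", "optional", "in"}  # assumption: statements that nest other statements
# ';' comment, quoted string, parenthesis, or bare symbol
TOKEN = re.compile(r';[^\n]*|"[^"]*"?|[()]|[^\s();"]+')

def tokenize(text):
    """Yield (token, line) for every token that is not a comment."""
    for m in TOKEN.finditer(text):
        if not m.group().startswith(";"):
            yield m.group(), text.count("\n", 0, m.start()) + 1

def find_unimplemented(text):
    """Return [(line, keyword)] for flagged statements at top level or inside a container."""
    hits, stack, expect_head = [], [], False
    for tok, line in tokenize(text):
        if tok == "(":
            stack.append(None)  # head keyword not seen yet
        elif tok == ")":
            if stack:
                stack.pop()
        elif expect_head:
            stack[-1] = tok
            parent = stack[-2] if len(stack) > 1 else None
            if tok in UNIMPLEMENTED and (len(stack) == 1 or parent in CONTAINERS):
                hits.append((line, tok))
        expect_head = tok == "("
    return hits

SAMPLE = """\
; constructed sample: line 2 is the rule from the thread
(delete (allow sysadm_t rsync_etc_t (file (read))))
(optional example_opt
    (filter "delete me" x))
(allow a_t b_t (db_table (delete)))
"""

if __name__ == "__main__":
    for line, kw in find_unimplemented(SAMPLE):
        print(f"line {line}: '{kw}' is listed in the thread as never implemented")
```

The last sample line is not flagged because there "delete" is a permission inside a class-permission list, not a statement keyword.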