Hi,
typeattribute currently accepts only a single type as its first argument. It associates the provided type with the attribute provided as the second argument. Is there a reason why typeattribute doesn't support multiple types specified as the first argument? The idea being that it would associate each of those types with the attribute.
For example, the first argument to typeattribute could use the same syntax as used for the first argument of allow and neverallow. typeattribute could then expand this set of types, attributes, and exclusions into the set of matching types and then associate each of the types with the provided attribute.
The reason I'm asking is because in Android SELinux policy we're bumping against the need to associate attribute A with the set of types which are grouped using attribute G. We could add a typeattribute for each type associated with G, but that (1) duplicates the grouping which is already expressed via G, and (2) makes it very cumbersome/brittle to keep both A and G associated with exactly the same set of types. In particular, because Android SELinux policy source tree is distributed between a large number of Android devices and organizations, requiring that any time you associate a type with G you must also associate it with A is suboptimal, not to mention that making such a change in the existing policies requires to change each policy.
To make life more interesting, there's also a need to associate A with a subset of G, for example, G minus some type or two.
Kind Regards,
Alex
_______________________________________________ Selinux mailing list Selinux@xxxxxxxxxxxxx To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx. To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
