On 02/24/2017 06:39 PM, Alex Klyubin wrote:
> Hi,
>
> typeattribute currently accepts only a single type as its first argument.
> It associates the provided type with the attribute provided as the second
> argument. Is there a reason why typeattribute doesn't support multiple
> types specified as the first argument? The idea being that it would
> associate each of those types with the attribute.
>
> For example, the first argument to typeattribute could use the same syntax
> as used for the first argument of allow and neverallow. typeattribute could
> then expand this set of types, attributes, and exclusions into the set of
> matching types and then associate each of the types with the provided
> attribute.
>
> The reason I'm asking is because in Android SELinux policy we're bumping
> against the need to associate attribute A with the set of types which are
> grouped using attribute G. We could add a typeattribute for each type
> associated with G, but that (1) duplicates the grouping which is already
> expressed via G, and (2) makes it very cumbersome/brittle to keep both A
> and G associated with exactly the same set of types. In particular, because
> the Android SELinux policy source tree is distributed between a large number of
> Android devices and organizations, requiring that any time you associate a
> type with G you must also associate it with A is suboptimal, not to mention
> that making such a change in the existing policies requires changing each
> policy.
>
> To make life more interesting, there's also a need to associate A with a
> subset of G, for example, G minus some type or two.
>

CIL is a bit more flexible.
You can associate type attributes with type attributes and do things like:

    (typeattributeset not_dyntransition_subj_type_or_unconfined_subj_type_attribute
        (not (dyntransition_subj_type_attribute unconfined_subj_type_attribute)))

and:

    (typeattributeset except_obj_type_attribute
        (and (obj_type_attribute)
             (not (auth_obj_type_attribute exception_obj_type_attribute sec_obj_type_attribute))))

> Kind Regards,
> Alex

--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
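The typeattributeset expressions above are resolved into concrete type sets when the CIL policy is compiled. The Python resolver below is an added example for this archived thread, not part of the SELinux or CIL tools; it evaluates the same and/or/not/xor set expressions against a constructed type universe and applies them to Alex's case of an attribute A that is G minus a few excepted types (the attribute names G, exception_types and A, and all type names, are assumed).

```python
import re

# Constructed universe: attribute -> member types. G plays the role of Alex's
# grouping attribute; exception_types holds the types he wants carved out.
ATTRIBUTES = {
    "G": {"app_t", "shell_t", "init_t", "vold_t"},
    "exception_types": {"init_t"},
}
ALL_TYPES = set().union(*ATTRIBUTES.values()) | {"kernel_t"}


def tokenize(text):
    # Split a CIL statement into parens and bare symbols.
    return re.findall(r"\(|\)|[^\s()]+", text)


def parse(tokens):
    """Consume one s-expression from the token list into nested lists."""
    tok = tokens.pop(0)
    if tok == "(":
        node = []
        while tokens[0] != ")":
            node.append(parse(tokens))
        tokens.pop(0)  # drop the closing ')'
        return node
    return tok


def resolve(expr):
    """Evaluate a CIL set expression to the set of types it matches."""
    if isinstance(expr, str):
        # A bare name is an attribute (expand it) or a single type.
        return set(ATTRIBUTES.get(expr, {expr}))
    op = expr[0]
    if op == "all":
        return set(ALL_TYPES)
    if op == "not":  # complement relative to every known type
        return ALL_TYPES - resolve(expr[1])
    if op in ("and", "or", "xor"):  # CIL's binary set operators
        left, right = resolve(expr[1]), resolve(expr[2])
        return {"and": left & right, "or": left | right, "xor": left ^ right}[op]
    # A plain list (a b c) is the union of its members.
    return set().union(*(resolve(e) for e in expr))


def typeattributeset(stmt):
    """Parse '(typeattributeset name expr)'; return (name, resolved types)."""
    node = parse(tokenize(stmt))
    if node[0] != "typeattributeset":
        raise ValueError("not a typeattributeset statement")
    name, types = node[1], resolve(node[2])
    ATTRIBUTES[name] = types  # later statements may reference this attribute
    return name, types


# Alex's case: A is every type grouped by G, minus the excepted types.
NAME_A, TYPES_A = typeattributeset("(typeattributeset A (and (G) (not (exception_types))))")
```

Adding a type to G later automatically changes A at the next compile, which is the property the typeattribute-per-type approach lacks.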
_______________________________________________ Selinux mailing list Selinux@xxxxxxxxxxxxx To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx. To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.