Hi All,

I'm reading the "SELINUX COMMON INTERMEDIATE LANGUAGE MOTIVATION AND DESIGN" wiki page [1] and I'm interested in CIL namespaces. I tried several examples related to blockinheritance and all works just great! However, in the following example I see the keyword "blockinheritfilter":

    ; abstract template block: only emitted when another block inherits it
    (block logger
        (blockabstract logger)
        (type process)
        (type log)
        (allow process log (file (getattr append write))))

    ; concrete block that inherits the template, then filters one permission
    (block myapp
        (blockinherit logger)
        (blockinheritfilter myapp logger
            (allow process log (file (write)))))

If I understand it correctly, it should "remove" the rule:

    allow myapp.process log:file write;

So the process type in myapp should have allowed:

    allow myapp.process log:file { getattr append };

And the process type in logger should have allowed:

    allow logger.process log:file { getattr append write };

Which could be a very cool feature, but I don't see any code in secilc related to "blockinheritfilter". Are there any plans to also implement this in CIL namespaces, or is there any other way to handle this (the DELETE statement is also not implemented)?

Thanks for any help.

Lukas.

[1] https://github.com/SELinuxProject/cil/wiki

-- 
Lukas Vrabec
Software Engineer, Security Technologies
Red Hat, Inc.
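As an added example (not part of the mail above, the CIL wiki, or secilc itself), here is one way to get the effect the mail expects from "blockinheritfilter" using only statements secilc does implement, blockabstract and blockinherit: the shared rules go in a base template, the extra write permission goes in a second template that inherits the base, and each concrete block inherits whichever template matches the permission set it should end up with. The block names logger_base, logger, syslogd and myapp are assumptions for the example; the fragment also assumes the file class and the rest of a base policy (sids, users, roles, class order) are declared elsewhere, as it would be when compiled together with a distribution policy.

```cil
; Added example, not code from the original mail or from the CIL project.
; Block names (logger_base, logger, syslogd, myapp) are assumed.
; Requires a base policy that declares the "file" class with the
; getattr, append and write permissions.

; Base template: the rules every consumer of the template should get.
(block logger_base
    (blockabstract logger_base)
    (type process)
    (type log)
    (allow process log (file (getattr append))))

; Extended template: inherits the base rules and adds write.
; blockinherit copies every statement of the named block into this one,
; so "logger" ends up with process, log and both allow rules.
(block logger
    (blockabstract logger)
    (blockinherit logger_base)
    (allow process log (file (write))))

; Consumer that needs the full set: getattr append write.
(block syslogd
    (blockinherit logger))

; Consumer that must not get write: inherits the base template only,
; so it ends up with getattr append. Nothing has to be filtered out.
(block myapp
    (blockinherit logger_base))
```

Both template blocks are abstract, so neither logger_base.process nor logger.process appears in the compiled policy; only syslogd.process and myapp.process do. After compiling the fragment with secilc together with a base policy, the expected result is that syslogd.process is allowed getattr, append and write on its log type, while myapp.process is allowed only getattr and append. The trade-off is that the split has to be planned when the template is written: the permission that some consumers must not receive has to live in its own layer of the inheritance chain rather than being subtracted afterwards.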