On Thu, May 28, 2020 at 9:28 AM Dominick Grift <dominick.grift@xxxxxxxxxxx> wrote: > > > > On 5/28/20 3:19 PM, James Carter wrote: > > On Thu, May 28, 2020 at 7:21 AM Dominick Grift > > <dominick.grift@xxxxxxxxxxx> wrote: > >> > >> > >> tl;dr typalias (and possibly typealiasactual) statement does not like periods > >> > >> systemd plans to consolidate systemd-udevd and udevadm and so I was > >> looking to consolidate the policy. For compatibility I wanted to add a > >> (typealias .udev.udevadm.exec) and (typealiasactual .udev.udevadm.exec > >> .udev.daemon.exec) > >> > >> That reminded me that it does not like the period name space > >> delimiter in at least the typealias statement. > >> > >> Example: > >> > >> [root@brutus ~]# echo "(block test (type test1) (typealias test2.test1) > >> (typealiasactual test2.test1 test.test1))" > mytest.cil > >> [root@brutus ~]# semodule -vvv -i mytest.cil > >> > >> <snip> > >> Building AST from Parse Tree > >> Invalid character "." in test2.test1 > >> Invalid name > >> Failed to create node > >> Bad typealias declaration at > >> /var/lib/selinux/mydssp3-mcs/tmp/modules/400/mytest/cil:1 > >> Problem at /var/lib/selinux/mydssp3-mcs/tmp/modules/400/mytest/cil:1 > >> Failed to build ast > >> semodule: Failed! > >> > > > > CIL doesn't like "." in any name used in a declaration. > > > > If you want an alias with a "." in it, then use blocks. > > (block udev > > (block daemon > > (type exec) > > ) > > (block udevadm > > (typealias exec) > > (typealiasactual exec .udev.daemon.exec) > > ) > > ) > > > > Or something like that. > > Right, thanks that works and sorry about that. Feels like deja vu, must > have not been the first time I encountered this. > > Feels kind of un-intuitive but makes perfect sense thinking about it. > Just need to get used to it. > I had forgotten myself until I looked at the code. It is obvious in hindsight though, because if CIL allowed ".", then it would have trouble trying to resolve the name, because it would expect a block. Thanks for the report anyway. You do a great job of finding all of the corner cases in CIL. CIL has been greatly helped by all of your reports. Jim
