Re: typechange silently dropped in some cases

On Mon, Mar 29, 2021 at 12:29 PM Dominick Grift
<dominick.grift@xxxxxxxxxxx> wrote:
>
>
> typechange rules expect three types: sourcetype loginterminaltype
> targettype
>
> 1. you can use typeattributes for loginterminaltype fine
> 2. if you try to use typeattributes for targettype then cil will refuse
> to build it with a helpful message along the lines of: targettype cannot
> be typeattribute
> 3. if you try to use typeattributes for sourcetype then cil will not
> refuse to build it but it will result in the rule not being added
>
> scenario 3 is obviously less than optimal. although it would have been
> nice if you could use typeattributes for not just loginterminaltype, it
> should probably at least fail to build with a helpful message such as in
> scenario 2 when you try to use a type attribute for source type.

I am not seeing that behavior.

I took a minimal CIL policy and added the following lines:
  (type t1a)
  (type t1b)
  (type t2a)
  (type t2b)
  (type t3)
  (typeattribute a1)
  (typeattributeset a1 (t1a t1b))
  (typeattribute a2)
  (typeattributeset a2 (t2a t2b))
  (typealias ta3)
  (typealiasactual ta3 t3)
  (typechange a1 a2 CLASS ta3)

After running:
  secilc -o test.bin typeclass.cil
  checkpolicy -C -b -o test.bin.cil test.bin

I get the following typechange rules:
  (typechange t1a t2a CLASS t3)
  (typechange t1a t2b CLASS t3)
  (typechange t1b t2a CLASS t3)
  (typechange t1b t2b CLASS t3)


Maybe there is something else going on?

Thanks,
Jim

>
> --
> gpg --locate-keys dominick.grift@xxxxxxxxxxx
> Key fingerprint = FCD2 3660 5D6B 9D27 7FC6  E0FF DA7E 521F 10F6 4098
> https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098
> Dominick Grift
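
Added example, not part of the original message or of the SELinux userspace tools: a Python check for the comparison described in the reply above, which expands each typechange in the source CIL over its attribute members and aliases and reports any expected rule missing from the `checkpolicy -C` output. It assumes top-level statements only and typeattributeset bodies that are plain member lists (no and/or/not expressions); the function names are hypothetical.

```python
import itertools
import re

# Policy lines and decompiled rules copied from the message above
# (the plain type declarations are omitted; they do not affect expansion).
SOURCE = """
(typeattribute a1) (typeattributeset a1 (t1a t1b))
(typeattribute a2) (typeattributeset a2 (t2a t2b))
(typealias ta3) (typealiasactual ta3 t3)
(typechange a1 a2 CLASS ta3)
"""
DECOMPILED = """
(typechange t1a t2a CLASS t3)
(typechange t1a t2b CLASS t3)
(typechange t1b t2a CLASS t3)
(typechange t1b t2b CLASS t3)
"""

def statements(text):
    """Parse CIL text and return its top-level statements as nested lists."""
    stack = [[]]
    for tok in re.findall(r"[()]|[^\s()]+", re.sub(r";[^\n]*", "", text)):
        if tok == "(":
            stack.append([])
        elif tok == ")":
            if len(stack) == 1:
                raise ValueError("unbalanced ')'")
            done = stack.pop()
            stack[-1].append(done)
        else:
            stack[-1].append(tok)
    if len(stack) != 1:
        raise ValueError("unbalanced '('")
    return [s for s in stack[0] if isinstance(s, list) and s]

def expected_typechanges(source_cil):
    """Expand typechange rules over attribute members; resolve aliases."""
    stmts = statements(source_cil)
    members = {s[1]: s[2] for s in stmts if s[0] == "typeattributeset"}
    actual = {s[1]: s[2] for s in stmts if s[0] == "typealiasactual"}
    rules = set()
    for _, src, tgt, cls, res in (s for s in stmts if s[0] == "typechange"):
        pairs = itertools.product(members.get(src, [src]), members.get(tgt, [tgt]))
        rules.update((a, b, cls, actual.get(res, res)) for a, b in pairs)
    return rules

def dropped_typechanges(source_cil, decompiled_cil):
    """Return expected rules that are absent from the decompiled policy."""
    built = {tuple(s[1:5]) for s in statements(decompiled_cil) if s[0] == "typechange"}
    return sorted(expected_typechanges(source_cil) - built)
```

An empty list from `dropped_typechanges` means every expanded rule made it into the binary policy; any tuple it returns is a rule that was dropped without a build error.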


