James Carter <jwcart2@xxxxxxxxx> writes:

> On Mon, Mar 29, 2021 at 12:29 PM Dominick Grift
> <dominick.grift@xxxxxxxxxxx> wrote:
>>
>>
>> typechange rules expect three types: sourcetype loginterminaltype
>> targettype
>>
>> 1. you can use typeattributes for loginterminaltype fine
>> 2. if you try to use typeattributes for targettype then cil will refuse
>> to build it with a helpful message along the lines of: targettype cannot
>> be typeattribute
>> 3. if you try to use typeattributes for sourcetype then cil will not
>> refuse to build it but it will result in the rule not being added
>>
>> scenario 3 is obviously less than optimal. although it would have been
>> nice if you could use typeattributes for not just loginterminaltype, it
>> should probably at least fail to build with a helpful message such as in
>> scenario 2 when you try to use a type attribute for source type.
>
> I am not seeing that behavior.
>
> I took a minimal CIL policy and added the following lines:
> (type t1a)
> (type t1b)
> (type t2a)
> (type t2b)
> (type t3)
> (typeattribute a1)
> (typeattributeset a1 (t1a t1b))
> (typeattribute a2)
> (typeattributeset a2 (t2a t2b))
> (typealias ta3)
> (typealiasactual ta3 t3)
> (typechange a1 a2 CLASS ta3)
>
> After running:
> secilc -o test.bin typeclass.cil
> checkpolicy -C -b -o test.bin.cil test.bin
>
> I get the following typechange rules:
> (typechange t1a t2a CLASS t3)
> (typechange t1a t2b CLASS t3)
> (typechange t1b t2a CLASS t3)
> (typechange t1b t2b CLASS t3)
>
>
> Maybe there is something else going on?

Sorry, never mind. it does work...

>
> Thanks,
> Jim
>
>>
>> --
>> gpg --locate-keys dominick.grift@xxxxxxxxxxx
>> Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098
>> https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098
>> Dominick Grift

--
gpg --locate-keys dominick.grift@xxxxxxxxxxx
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098
https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098
Dominick Grift
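
The expansion shown in the quoted test output can be modelled in a few lines. This is an added example, not part of the thread and not secilc's code: it resolves the alias, expands the source and target attributes into their cross product, and rejects an attribute in the result position as scenario 2 describes. It assumes typeattributeset bodies are plain member lists; the function names and error text are hypothetical.

```python
import re
from itertools import product

# Constructed input: the statements quoted in the thread (CLASS is assumed
# to be declared by the surrounding minimal policy).
POLICY = """
(type t1a) (type t1b) (type t2a) (type t2b) (type t3)
(typeattribute a1) (typeattributeset a1 (t1a t1b))
(typeattribute a2) (typeattributeset a2 (t2a t2b))
(typealias ta3) (typealiasactual ta3 t3)
(typechange a1 a2 CLASS ta3)
"""

def parse(text):
    """Parse CIL S-expressions into nested Python lists."""
    stack = [[]]
    for tok in re.findall(r"[()]|[^\s()]+", text):
        if tok == "(":
            stack.append([])
        elif tok == ")":
            done = stack.pop()
            stack[-1].append(done)
        else:
            stack[-1].append(tok)
    return stack[0]

def expand_typechange(text):
    """Expand attributes and aliases in typechange rules to per-type rules."""
    stmts = parse(text)
    attrs, aliases = {}, {}
    for s in stmts:
        if s[0] == "typeattribute":
            attrs.setdefault(s[1], [])
        elif s[0] == "typeattributeset":
            attrs.setdefault(s[1], []).extend(s[2])  # plain member lists only
        elif s[0] == "typealiasactual":
            aliases[s[1]] = s[2]

    def members(name):
        name = aliases.get(name, name)
        return attrs.get(name, [name])

    rules = []
    for s in (s for s in stmts if s[0] == "typechange"):
        src, tgt, cls, result = s[1:5]
        result = aliases.get(result, result)
        if result in attrs:  # the result must be a single type
            raise ValueError(f"result type {result} cannot be a typeattribute")
        rules += [f"(typechange {a} {b} {cls} {result})"
                  for a, b in product(members(src), members(tgt))]
    return rules

if __name__ == "__main__":
    print("\n".join(expand_typechange(POLICY)))
```

Comparing this list with the `checkpolicy -C` decompile of the built policy is a quick way to confirm that an attribute-based typechange produced every rule expected.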