James Carter <jwcart2@xxxxxxxxx> writes: > In the blockinherit section of the CIL documentation clearly state > the order in which inherited rules are resolved. > > That order is: > > 1) The parent namespaces (if any) where the blockinherit rule is > located with the exception of the global namespace. > > 2) The parent namespaces of the block being inherited (but not that > block's namespace) with the exception of the global namespace. > > 3) The global namespace. > > Signed-off-by: James Carter <jwcart2@xxxxxxxxx> Both Acked-by: Petr Lautrbach <plautrba@xxxxxxxxxx> and merged. Thanks! > --- > secilc/docs/cil_container_statements.md | 8 ++++++++ > 1 file changed, 8 insertions(+) > > diff --git a/secilc/docs/cil_container_statements.md b/secilc/docs/cil_container_statements.md > index 7a7f67cc..41a4612c 100644 > --- a/secilc/docs/cil_container_statements.md > +++ b/secilc/docs/cil_container_statements.md > @@ -103,6 +103,14 @@ blockinherit > > Used to add common policy rules to the current namespace via a template that has been defined with the [`blockabstract`](cil_container_statements.md#blockabstract) statement. All [`blockinherit`](cil_container_statements.md#blockinherit) statements are resolved first and then the contents of the block are copied. This is so that inherited blocks will not be inherited. For a concrete example, please see the examples section. > > +Inherited rules are resolved by searching namespaces in the following order: > + > +- The parent namespaces (if any) where the [`blockinherit`](cil_container_statements.md#blockinherit) rule is located with the exception of the global namespace. > + > +- The parent namespaces of the block being inherited (but not that block's namespace) with the exception of the global namespace. > + > +- The global namespace. > + > Not allowed in [`macro`](cil_call_macro_statements.md#macro) blocks. > > **Statement definition:** > -- > 2.26.3
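Review bot: The three items added after "Inherited rules are resolved by searching namespaces in the following order:" are unordered "-" bullets, although that sentence and the commit message (which numbers them 1) to 3)) present them as a sequence. A numbered list would keep the precedence explicit in the rendered document. The first two items also do not say in which direction the parent namespaces are searched (innermost first or outermost first), nor whether the namespace that directly contains the blockinherit statement counts as one of "the parent namespaces ... where the blockinherit rule is located". One clause in each item would settle that. The unchanged context paragraph refers readers to the examples section for a concrete example, but this hunk adds no example that exercises the search order, so a short case where the same name exists in more than one of the three locations would be worth adding there.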