Hi,
recent changes in block inheritance broke our use case where we use
block inheritance for generating container policies
(https://github.com/containers/udica/tree/main/udica/templates).
Basically the policy is composed by inheriting selected "template"
blocks, all of which inherit "container" block, so that they can use
types defined there.
Reproducer:
(block template1 (type t) )
(block template2 (blockinherit template1))
(block b (blockinherit template1) (blockinherit template2))
#semodule -i test.cil
Re-declaration of type t
Previous declaration of type at
/var/lib/selinux/targeted/tmp/modules/400/test/cil:1
Failed to copy block contents into blockinherit
Failed to resolve AST
semodule: Failed!
This used to work just fine.
The following workaround seems to be working as intended, but I'm not
sure if it's the best approach. Types are only defined in template1 and
the rest contains an "optional" block, so that I can use types defined in
template1.
(block template1 (type t))
(block template2
(optional o
(allow t t ( file ( read )))
)
)
(block b (blockinherit template1) (blockinherit template2))
#semodule -i test.cil
#sesearch -A -s b.t
allow b.t b.t:file read;
Any pointers would be appreciated.
Thank you.
Vit
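Added example (not part of Vit's message, and not code from udica or the SELinux userspace): a small Python model of what a copying blockinherit does to the two CIL snippets above. It flattens each block by copying the contents of every inherited block in place, then reports any type declared more than once in the result, which is the "Re-declaration of type t" situation in the reproducer (b receives t once directly from template1 and a second time via template2). It also renders the allow rules of an expanded block in sesearch style to show why the workaround yields "allow b.t b.t:file read;". Assumptions: this is a simplified stand-in for libsepol's CIL resolver, it only understands the block, blockinherit, optional, type and allow forms used here, ignores CIL comments, and resolves type names in the expanded block's own namespace only.

```python
import re

# Constructed inputs, copied from the mailing-list post above.
REPRODUCER = """
(block template1 (type t))
(block template2 (blockinherit template1))
(block b (blockinherit template1) (blockinherit template2))
"""

WORKAROUND = """
(block template1 (type t))
(block template2
    (optional o
        (allow t t (file (read)))
    )
)
(block b (blockinherit template1) (blockinherit template2))
"""


def tokenize(text):
    """Split CIL text into '(', ')' and atom tokens (comments not handled)."""
    return re.findall(r"\(|\)|[^\s()]+", text)


def parse(text):
    """Parse CIL s-expressions into nested Python lists, one per top-level form."""
    tokens = tokenize(text)
    pos = 0

    def read():
        nonlocal pos
        tok = tokens[pos]
        pos += 1
        if tok == "(":
            items = []
            while tokens[pos] != ")":
                items.append(read())
            pos += 1  # consume the closing ')'
            return items
        if tok == ")":
            raise ValueError("unexpected ')'")
        return tok

    forms = []
    while pos < len(tokens):
        forms.append(read())
    return forms


def collect_blocks(forms):
    """Map block name -> list of statements for every top-level (block ...)."""
    return {form[1]: form[2:] for form in forms if form and form[0] == "block"}


def expand(name, blocks, seen=()):
    """Flatten block `name` the way a copying blockinherit would: every
    inherited block is expanded recursively and its statements copied in.
    Simplification: optional bodies are inlined without disable semantics."""
    if name in seen:
        raise ValueError(f"blockinherit cycle through {name}")
    out = []
    for stmt in blocks[name]:
        if stmt[0] == "blockinherit":
            out.extend(expand(stmt[1], blocks, seen + (name,)))
        elif stmt[0] == "optional":
            out.extend(stmt[2:])
        else:
            out.append(stmt)
    return out


def redeclared_types(cil_text):
    """Return {block: [types declared more than once after expansion]}.
    A non-empty result models the 'Re-declaration of type' failure."""
    blocks = collect_blocks(parse(cil_text))
    problems = {}
    for name in blocks:
        declared, dups = set(), []
        for stmt in expand(name, blocks):
            if stmt[0] == "type":
                if stmt[1] in declared and stmt[1] not in dups:
                    dups.append(stmt[1])
                declared.add(stmt[1])
        if dups:
            problems[name] = dups
    return problems


def expanded_allow_rules(cil_text, block):
    """Render the allow rules of an expanded block in sesearch style,
    qualifying type names with the block name (assumes they were declared
    inside the block, which holds for the snippets above)."""
    blocks = collect_blocks(parse(cil_text))
    rules = []
    for stmt in expand(block, blocks):
        if stmt[0] == "allow":
            src, tgt, (cls, perms) = stmt[1], stmt[2], stmt[3]
            rules.append(f"allow {block}.{src} {block}.{tgt}:{cls} {' '.join(perms)};")
    return rules


if __name__ == "__main__":
    print("reproducer:", redeclared_types(REPRODUCER))      # {'b': ['t']}
    print("workaround:", redeclared_types(WORKAROUND))      # {}
    print("\n".join(expanded_allow_rules(WORKAROUND, "b")))  # allow b.t b.t:file read;
```

The diamond in the reproducer (b inherits template1 both directly and through template2) is what produces the duplicate; the workaround keeps all declarations on a single path and lets template2 carry only rules, so the expansion of b contains t exactly once.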