[PATCH 1/3] secilc/docs: selinuxuser actually takes a string not identifier

Update parameter table and add note to example.
This can very easily lead to confusion, because secilc does not reject
e.g. (selinuxuser "admin_1" admin low_low).

Signed-off-by: Jonathan Hettwer (bauen1) <j2468h@xxxxxxxxx>
---
 secilc/docs/cil_user_statements.md | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/secilc/docs/cil_user_statements.md b/secilc/docs/cil_user_statements.md
index d5674f12..45a52140 100644
--- a/secilc/docs/cil_user_statements.md
+++ b/secilc/docs/cil_user_statements.md
@@ -429,7 +429,7 @@ Associates a GNU/Linux user to a previously declared [`user`](cil_user_statement
 </tr>
 <tr class="odd">
 <td align="left"><p><code>user_id</code></p></td>
-<td align="left"><p>A previously declared SELinux <code>user</code> identifier.</p></td>
+<td align="left"><p>A <b>string</b> referencing a previously declared SELinux <code>user</code> identifier.</p></td>
 </tr>
 <tr class="even">
 <td align="left"><p><code>userrange_id</code></p></td>
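Review bot: The new `user_id` description in the table row says the value is a string, but it does not say the string has to be the fully qualified name; that requirement appears only in the example comment in the second hunk. Since the commit message notes that secilc does not reject `(selinuxuser "admin_1" admin low_low)`, the parameter table is where a reader looking up the argument needs it. Consider wording along the lines of "A string containing the fully qualified name of a previously declared SELinux `user`", so the requirement is not left to the example alone.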
@@ -445,7 +445,8 @@ This example will associate `unconfined.admin` user with a GNU / Linux user "`ad
 ```secil
     (block unconfined
         (user admin)
-        (selinuxuser admin_1 admin low_low)
+        ; XXX: Because the user_id is a string, the fully qualified identifier needs to be used here:
+        (selinuxuser "admin_1" "unconfined.admin" low_low)
     )
 ```
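Review bot: The added comment line above `(selinuxuser "admin_1" "unconfined.admin" low_low)` uses an `XXX:` marker, which reads as an unresolved to-do in published documentation; a plain `; Note:` would fit better. The comment could also state that the unqualified form is not rejected by secilc, as the commit message says, so readers know the compiler will not catch the mistake for them.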
--
2.36.1



