On 12/15/2022 4:34 PM, James Carter wrote:
Signed-off-by: James Carter <jwcart2@xxxxxxxxx>
---
secilc/docs/cil_access_vector_rules.md | 68 ++++++++++++++++++++++++++
1 file changed, 68 insertions(+)
diff --git a/secilc/docs/cil_access_vector_rules.md b/secilc/docs/cil_access_vector_rules.md
index f0ba4a90..35825283 100644
--- a/secilc/docs/cil_access_vector_rules.md
+++ b/secilc/docs/cil_access_vector_rules.md
@@ -247,6 +247,74 @@ This example will not compile as `type_3` is not allowed to be a source type for
(allow type_3 self (property_service (set)))
)
```
+deny
+----------
+
+Remove the access rights defined from any matching allow rules. These rules are processed before [`neverallow`](cil_access_vector_rules.md#neverallow) checking.
+
+**Rule definition:**
+
+```secil
+ (deny source_id target_id|self classpermissionset_id ...)
+```
+
+**Where:**
+
+<table>
+<colgroup>
+<col width="27%" />
+<col width="72%" />
+</colgroup>
+<tbody>
+<tr class="odd">
+<td align="left"><p><code>deny</code></p></td>
+<td align="left"><p>The <code>deny</code> keyword.</p></td>
+</tr>
+<tr class="even">
+<td align="left"><p><code>source_id</code></p></td>
+<td align="left"><p>A single previously defined source <code>type</code>, <code>typealias</code> or <code>typeattribute</code> identifier.</p></td>
+</tr>
+<tr class="odd">
+<td align="left"><p><code>target_id</code></p></td>
+<td align="left"><p>A single previously defined target <code>type</code>, <code>typealias</code> or <code>typeattribute</code> identifier.</p>
+<p>The <code>self</code> keyword may be used instead to signify that source and target are the same.</p></td>
+</tr>
+<tr class="even">
+<td align="left"><p><code>classpermissionset_id</code></p></td>
+<td align="left"><p>A single named or anonymous <code>classpermissionset</code> or a single set of <code>classmap</code>/<code>classmapping</code> identifiers.</p></td>
+</tr>
+</tbody>
+</table>
+
+**Example:**
+
+```secil
+ (class class1 (perm1 perm2))
+
+ (type type_1)
+ (type type_2)
+ (allow type_1 type_2 (class1 (perm1))) ; Allow_1
+ (deny type_1 type_2 (class1 (perm1))) ; Deny_1
+ ; Allow_1 will be complete removed by Deny_1.
+
+ (type type_3)
+ (type type_4)
+ (allow type_3 type_4 (class1 (perm1 perm2))) ; Allow_2
+ (deny type_3 type_4 (class1 (perm1))) ; Deny_2
+ ; Allow_2 will be removed and replaced with the following when Deny_2 is evaluated
+ ; (allow type_3 type_4 (class1 (perm2)))
+
+ (type type_5)
+ (type type_6)
+ (typeattribute attr_1)
+ (typeattributeset attr_1 (type_5 type_6))
+ (allow attr_1 attr_1 (class1 (perm1))) ; Allow_3
+ (deny type_5 type_6 (class1 (perm1))) ; Deny_3
+ ; Allow_3 will be removed and replaced with the following when Deny_3 is evaluated
+ ; (allow type_6 attr_1 (class1 (perm1)))
+ ; (allow attr_1 type_5 (class1 (perm1)))
+ )
+```
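Review bot: the last line of the new example, ` )` just before the closing fence, has no matching opening parenthesis anywhere in the block, so the example as written would not parse; either drop that line or open an enclosing `(block ...)` at the top, as the preceding example in this file appears to. Two smaller points in the same hunk: the comment `; Allow_1 will be complete removed by Deny_1.` should read `completely`, and the description says deny rules are processed before `neverallow` checking but not where they sit relative to `allow` rules that appear later in the policy or that reach the pair through a `typeattribute` (as Allow_3/Deny_3 does); one sentence stating when the removal is applied relative to the collected allow rules would save readers from guessing.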
Looks like there's some intermixing of spaces and tabs messing up
formatting on the example.
-Daniel
allowx
------