From: Steve Lawrence <slawrence@tresys.com>
To: Dominick Grift <dominick.grift@gmail.com>
Cc: selinux <selinux@tycho.nsa.gov>
Subject: Re: [secilc] typeattributeset with "and" expression does not work
Date: Tue, 22 Apr 2014 15:44:42 -0400
Message-ID: <5356C6AA.5030009@tresys.com>
In-Reply-To: <1398195193.16991.12.camel@x220.localdomain>

On 04/22/2014 03:33 PM, Dominick Grift wrote:
> On Tue, 2014-04-22 at 15:03 -0400, Steve Lawrence wrote:
>> On 04/22/2014 01:56 PM, Dominick Grift wrote:
>>> (type foo)
>>> (typeattribute bar)
>>> (typeattribute baz)
>>> (typeattributeset bar (and baz foo))
>>>
>>> It compiles but neither bar, nor baz gets associated with type foo
>>>
>>
>> This is because 'and' is similar to the set intersection of baz and foo.
>> But baz is empty, so the intersection of baz and foo is nothing,
>> resulting in nothing being added to the bar attribute.
>>
>> You probably want the union of baz and foo? Replacing 'and' with 'or'
>> would make it so bar would be associated with foo and everything
>> associated with baz.
> 
> Impressive, what I am looking for is actually very simple.
> 
> I just want to know how I can associate more than a single type
> attribute to a specified type in a single statement, that is possible.
> 
> (type foo)
> (typeattribute bar)
> (typeattribute baz)
> 
> The equivalent of:
> 
> (typeattributeset bar foo)
> (typeattributeset baz foo)
> 
> In a single statement instead of two
> 

Unfortunately, there is no way to associate a single type/attribute with
multiple attributes in a single statement. CIL is a pretty verbose language.

>>> Also, I still have that weird boolean issue where, even though sesearch
>>> shows the rules are loaded and enabled, SELinux still blocks the access
>>
>> I think we actually fixed this about an hour ago. Give it a shot, let us
>> know if it's actually fixed.
> 
> Nice, I will try with up-to-date secilc tomorrow
> 
>> Thanks for the feedback!
>> - Steve
>>
>>
> 
> 
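
The set semantics described in this message, as an added example: a simplified Python model that is not secilc's code and not part of the original thread. It assumes only `type`, `typeattribute` and `typeattributeset` statements with binary `and`/`or`, evaluated in statement order; the function names are hypothetical.

```python
import re

def parse(text):
    """Parse CIL-style s-expressions into nested Python lists."""
    stack = [[]]
    for tok in re.findall(r"[()]|[^\s()]+", text):
        if tok == "(":
            stack.append([])
        elif tok == ")":
            if len(stack) == 1:
                raise ValueError("unbalanced ')'")
            node = stack.pop()
            stack[-1].append(node)
        else:
            stack[-1].append(tok)
    if len(stack) != 1:
        raise ValueError("unbalanced '('")
    return stack[0]

def evaluate(expr, types, attrs):
    """A type denotes {itself}; an attribute denotes its current member set."""
    if isinstance(expr, str):
        if expr in types:
            return {expr}
        return set(attrs[expr])          # KeyError if the name is undeclared
    op, left, right = expr
    a = evaluate(left, types, attrs)
    b = evaluate(right, types, attrs)
    if op == "and":
        return a & b                     # intersection
    if op == "or":
        return a | b                     # union
    raise ValueError(f"operator not modelled: {op}")

def members(policy):
    """Return {attribute: set of member types} for the modelled statements."""
    types, attrs = set(), {}
    for stmt in parse(policy):
        if stmt[0] == "type":
            types.add(stmt[1])
        elif stmt[0] == "typeattribute":
            attrs.setdefault(stmt[1], set())
        elif stmt[0] == "typeattributeset":
            attrs[stmt[1]] |= evaluate(stmt[2], types, attrs)
    return attrs

# Declarations taken from the thread; the statements appended below vary.
DECLS = "(type foo) (typeattribute bar) (typeattribute baz) "
if __name__ == "__main__":
    for body in ("(typeattributeset bar (and baz foo))",
                 "(typeattributeset bar (or baz foo))",
                 "(typeattributeset bar foo) (typeattributeset baz foo)"):
        print(body, "->", members(DECLS + body))
```

In this model the `or` form puts foo in bar but leaves baz empty, so only the two-statement form gives foo both attributes.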
