From: James Carter <jwcart2@tycho.nsa.gov>
To: Dominick Grift <dominick.grift@gmail.com>,
	selinux <selinux@tycho.nsa.gov>
Subject: Re: secilc: in statement ordering limitations
Date: Fri, 23 May 2014 09:15:51 -0400
Message-ID: <537F4A07.70403@tycho.nsa.gov>
In-Reply-To: <1400689802.5957.5.camel@x220.localdomain>

On 05/21/2014 12:30 PM, Dominick Grift wrote:
> I got a little carried away with block and in statements (to say the
> least)
>
> I hit a limitation where ordering of modules matters (e.g. ordering of
> entries in LISTING or entries fed into secilc)
>
> I order my modules in alphabetical order so for example
> policy/modules/systemd/systemd.cil comes after
> policy/modules/system/dbus for example.
>
> If I, in the dbus.cil file now want to insert some declarations in a
> systemd block I hit issues due to that ordering issue
>

I am having problems reproducing the problem.

In one file, I have:

(block bb
	(type t1)
	(type t2)
	(boolean b1 false)
	(tunable tun1 true)
	(macro m ((boolean b))
		(tunableif tun1
			(true
				(allow t1 t2 (policy.file (write))))
			(false
				(allow t1 t2 (policy.file (execute)))))
		(booleanif b
			(true
				(allow t1 t2 (policy.file (read))))))

	(call m (b1))
)

and in another, I have:

(in bb
	(tunableif bb.tun1
		(true
			(allow t2 t1 (policy.file (read write execute)))))
	(type t3))

The order that I send the files to secilc doesn't seem to matter.

Could you give me a little bit more information on what you are doing?

Thanks,
Jim

> If I move the systemd.cil up the stack then I can work around the
> ordering issue but it is a dead-end. Ordering issues suck (/me points to
> sidorder statement)


-- 
James Carter <jwcart2@tycho.nsa.gov>
National Security Agency
