From: Daniel Burgener <dburgener@linux.microsoft.com>
To: James Carter <jwcart2@gmail.com>, selinux@vger.kernel.org
Subject: Re: [RFC PATCH 9/9] secilc/docs: Add deny rule to CIL documentation
Date: Fri, 3 Feb 2023 17:55:07 -0500 [thread overview]
Message-ID: <98d7a37e-dcfb-ca7d-24d1-57f2a3abbadd@linux.microsoft.com> (raw)
In-Reply-To: <20221215213429.998948-10-jwcart2@gmail.com>
On 12/15/2022 4:34 PM, James Carter wrote:
> Signed-off-by: James Carter <jwcart2@gmail.com>
> ---
> secilc/docs/cil_access_vector_rules.md | 68 ++++++++++++++++++++++++++
> 1 file changed, 68 insertions(+)
>
> diff --git a/secilc/docs/cil_access_vector_rules.md b/secilc/docs/cil_access_vector_rules.md
> index f0ba4a90..35825283 100644
> --- a/secilc/docs/cil_access_vector_rules.md
> +++ b/secilc/docs/cil_access_vector_rules.md
> @@ -247,6 +247,74 @@ This example will not compile as `type_3` is not allowed to be a source type for
> (allow type_3 self (property_service (set)))
> )
> ```
> +deny
> +----------
> +
> +Remove the access rights defined from any matching allow rules. These rules are processed before [`neverallow`](cil_access_vector_rules.md#neverallow) checking.
> +
> +**Rule definition:**
> +
> +```secil
> + (deny source_id target_id|self classpermissionset_id ...)
> +```
> +
> +**Where:**
> +
> +<table>
> +<colgroup>
> +<col width="27%" />
> +<col width="72%" />
> +</colgroup>
> +<tbody>
> +<tr class="odd">
> +<td align="left"><p><code>deny</code></p></td>
> +<td align="left"><p>The <code>deny</code> keyword.</p></td>
> +</tr>
> +<tr class="even">
> +<td align="left"><p><code>source_id</code></p></td>
> +<td align="left"><p>A single previously defined source <code>type</code>, <code>typealias</code> or <code>typeattribute</code> identifier.</p></td>
> +</tr>
> +<tr class="odd">
> +<td align="left"><p><code>target_id</code></p></td>
> +<td align="left"><p>A single previously defined target <code>type</code>, <code>typealias</code> or <code>typeattribute</code> identifier.</p>
> +<p>The <code>self</code> keyword may be used instead to signify that source and target are the same.</p></td>
> +</tr>
> +<tr class="even">
> +<td align="left"><p><code>classpermissionset_id</code></p></td>
> +<td align="left"><p>A single named or anonymous <code>classpermissionset</code> or a single set of <code>classmap</code>/<code>classmapping</code> identifiers.</p></td>
> +</tr>
> +</tbody>
> +</table>
> +
> +**Example:**
> +
> +```secil
> + (class class1 (perm1 perm2))
> +
> + (type type_1)
> + (type type_2)
> + (allow type_1 type_2 (class1 (perm1))) ; Allow_1
> + (deny type_1 type_2 (class1 (perm1))) ; Deny_1
> + ; Allow_1 will be complete removed by Deny_1.
> +
> + (type type_3)
> + (type type_4)
> + (allow type_3 type_4 (class1 (perm1 perm2))) ; Allow_2
> + (deny type_3 type_4 (class1 (perm1))) ; Deny_2
> + ; Allow_2 will be removed and replaced with the following when Deny_2 is evaluated
> + ; (allow type_3 type_4 (class1 (perm2)))
> +
> + (type type_5)
> + (type type_6)
> + (typeattribute attr_1)
> + (typeattributeset attr_1 (type_5 type_6))
> + (allow attr_1 attr_1 (class1 (perm1))) ; Allow_3
> + (deny type_5 type_6 (class1 (perm1))) ; Deny_3
> + ; Allow_3 will be removed and replaced with the following when Deny_3 is evaluated
> + ; (allow type_6 attr_1 (class1 (perm1)))
> + ; (allow attr_1 type_5 (class1 (perm1)))
> + )
> +```
Looks like theres some intermixing of spaces and tabs messing up
formatting on the example.
-Daniel
>
> allowx
> ------
next prev parent reply other threads:[~2023-02-03 22:55 UTC|newest]
Thread overview: 20+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-12-15 21:34 [RFC PATCH 0/9] Add CIL Deny Rule James Carter
2022-12-15 21:34 ` [RFC PATCH 1/9] libsepol/cil: Parse and add deny rule to AST, but do not process James Carter
2022-12-15 21:34 ` [RFC PATCH 2/9] libsepol/cil: Add cil_list_is_empty macro James Carter
2022-12-15 21:34 ` [RFC PATCH 3/9] libsepol/cil: Add cil_tree_remove_node function James Carter
2023-02-03 22:54 ` Daniel Burgener
2023-02-08 21:09 ` James Carter
2022-12-15 21:34 ` [RFC PATCH 4/9] libsepol/cil: Process deny rules James Carter
2023-02-03 22:54 ` Daniel Burgener
2023-02-08 21:57 ` James Carter
2022-12-15 21:34 ` [RFC PATCH 5/9] libsepol/cil: Add cil_write_post_ast function James Carter
2022-12-15 21:34 ` [RFC PATCH 6/9] libsepol: Export the " James Carter
2022-12-15 21:34 ` [RFC PATCH 7/9] secilc/secil2tree: Add option to write CIL AST after post processing James Carter
2022-12-15 21:34 ` [RFC PATCH 8/9] secilc/test: Add a deny rule test James Carter
2023-02-03 22:54 ` Daniel Burgener
2023-02-09 14:31 ` James Carter
2022-12-15 21:34 ` [RFC PATCH 9/9] secilc/docs: Add deny rule to CIL documentation James Carter
2023-02-03 22:55 ` Daniel Burgener [this message]
2023-02-09 14:39 ` James Carter
2022-12-16 18:51 ` [RFC PATCH 0/9] Add CIL Deny Rule Daniel Burgener
2022-12-16 20:23 ` James Carter
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=98d7a37e-dcfb-ca7d-24d1-57f2a3abbadd@linux.microsoft.com \
--to=dburgener@linux.microsoft.com \
--cc=jwcart2@gmail.com \
--cc=selinux@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.