On Fri, 2004-01-16 at 11:50, Karl MacMillan wrote:
> I'm not certain that we want these to be order dependent. I can imagine
> a policy writer doing
>
> allow { attr_a -sysadm_t attr_b} . . .
>
> and being surprised that sysadm_t was allowed because it was in attr_b.

So, you want something like the attached (untested) patch? Still wouldn't
prevent one allow rule from adding back a type excluded by another allow
rule...

-- 
Stephen Smalley
National Security Agency
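The two semantics being discussed above, as an added illustration that is not part of the thread and not the SELinux policy compiler's own code. The attribute memberships (attr_a, attr_b and the types inside them) are constructed for the example; the function names and the string-based type-set parser are my own. It shows the order-dependent expansion of `{ attr_a -sysadm_t attr_b }` letting attr_b re-add sysadm_t, the alternative of applying every negation after all positive members are collected, and the remaining caveat from the reply: because each allow rule is an independent grant, a second rule that names attr_b still permits sysadm_t no matter how a single rule's negations are resolved.

```python
from typing import Callable, Dict, FrozenSet, Iterable, List, Set

# Constructed attribute -> member types map (hypothetical, not from any real policy).
ATTRIBUTES: Dict[str, Set[str]] = {
    "attr_a": {"user_t", "staff_t"},
    "attr_b": {"sysadm_t", "secadm_t"},
}


def parse_type_set(text: str) -> List[str]:
    """Turn '{ attr_a -sysadm_t attr_b }' into its whitespace-separated tokens.
    Braces are optional; a single bare name is also accepted."""
    return text.strip().lstrip("{").rstrip("}").split()


def _members(name: str, attributes: Dict[str, Set[str]]) -> Set[str]:
    """A name is either an attribute (expands to all its types) or a single type."""
    return set(attributes.get(name, {name}))


def expand_ordered(tokens: Iterable[str],
                   attributes: Dict[str, Set[str]] = ATTRIBUTES) -> FrozenSet[str]:
    """Order-dependent semantics: each token is applied left to right, so a
    positive token appearing after '-x' silently puts x back."""
    result: Set[str] = set()
    for tok in tokens:
        if tok.startswith("-"):
            result -= _members(tok[1:], attributes)
        else:
            result |= _members(tok, attributes)
    return frozenset(result)


def expand_negations_last(tokens: Iterable[str],
                          attributes: Dict[str, Set[str]] = ATTRIBUTES) -> FrozenSet[str]:
    """Position-independent semantics: collect every positive member first,
    then subtract every negated member, so '-x' wins wherever it is written."""
    positive: Set[str] = set()
    negative: Set[str] = set()
    for tok in tokens:
        if tok.startswith("-"):
            negative |= _members(tok[1:], attributes)
        else:
            positive |= _members(tok, attributes)
    return frozenset(positive - negative)


def allowed_sources(rules: Iterable[str],
                    expand: Callable[..., FrozenSet[str]],
                    attributes: Dict[str, Set[str]] = ATTRIBUTES) -> FrozenSet[str]:
    """Union of the source type sets of several allow rules. Allow rules only
    ever grant, so a negation in one rule cannot undo a grant made by another."""
    out: Set[str] = set()
    for rule in rules:
        out |= expand(parse_type_set(rule), attributes)
    return frozenset(out)


if __name__ == "__main__":
    rule = "{ attr_a -sysadm_t attr_b }"
    print("ordered:        ", sorted(expand_ordered(parse_type_set(rule))))
    print("negations last: ", sorted(expand_negations_last(parse_type_set(rule))))
    # Second rule re-grants sysadm_t through attr_b regardless of the first rule's '-sysadm_t'.
    print("two rules:      ", sorted(allowed_sources([rule, "attr_b"], expand_negations_last)))
```

Run with `python3 typeset_demo.py`: the first line lists sysadm_t (re-added by attr_b), the second does not, and the third lists it again because the separate `attr_b` rule grants it on its own.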