From: Daniel Burgener <dburgener@linux.microsoft.com>
To: James Carter <jwcart2@gmail.com>, selinux@vger.kernel.org
Subject: Re: [PATCH 9/9 v3] secilc/docs: Add deny rule to CIL documentation
Date: Wed, 26 Jul 2023 11:55:35 -0400 [thread overview]
Message-ID: <6c74b08b-4319-b21a-6570-330f570c3660@linux.microsoft.com> (raw)
In-Reply-To: <20230413193445.588395-10-jwcart2@gmail.com>
On 4/13/2023 3:34 PM, James Carter wrote:
> Signed-off-by: James Carter <jwcart2@gmail.com>
> ---
> v3: Remove the "*Where" section, since the notself patch series moves all of
> that to beginning of the access vector section before talking about specific
> rules.
It doesn't look to me like the patch matches this description. I still
see a "where" section added.
(Presumably the updated patch should also add deny to the "av_flavor"
portion of the new common "Where" section)
-Daniel
>
> secilc/docs/cil_access_vector_rules.md | 67 ++++++++++++++++++++++++++
> 1 file changed, 67 insertions(+)
>
> diff --git a/secilc/docs/cil_access_vector_rules.md b/secilc/docs/cil_access_vector_rules.md
> index 034185da..385c4f4a 100644
> --- a/secilc/docs/cil_access_vector_rules.md
> +++ b/secilc/docs/cil_access_vector_rules.md
> @@ -175,6 +175,73 @@ This example will not compile as `type_3` is not allowed to be a source type for
> (allow type_3 self (property_service (set)))
> )
> ```
> +deny
> +----------
> +
> +Remove the access rights defined from any matching allow rules. These rules are processed before [`neverallow`](cil_access_vector_rules.md#neverallow) checking.
> +
> +**Rule definition:**
> +
> +```secil
> + (deny source_id target_id|self classpermissionset_id ...)
> +```
> +
> +**Where:**
> +
> +<table>
> +<colgroup>
> +<col width="27%" />
> +<col width="72%" />
> +</colgroup>
> +<tbody>
> +<tr class="odd">
> +<td align="left"><p><code>deny</code></p></td>
> +<td align="left"><p>The <code>deny</code> keyword.</p></td>
> +</tr>
> +<tr class="even">
> +<td align="left"><p><code>source_id</code></p></td>
> +<td align="left"><p>A single previously defined source <code>type</code>, <code>typealias</code> or <code>typeattribute</code> identifier.</p></td>
> +</tr>
> +<tr class="odd">
> +<td align="left"><p><code>target_id</code></p></td>
> +<td align="left"><p>A single previously defined target <code>type</code>, <code>typealias</code> or <code>typeattribute</code> identifier.</p>
> +<p>The <code>self</code> keyword may be used instead to signify that source and target are the same.</p></td>
> +</tr>
> +<tr class="even">
> +<td align="left"><p><code>classpermissionset_id</code></p></td>
> +<td align="left"><p>A single named or anonymous <code>classpermissionset</code> or a single set of <code>classmap</code>/<code>classmapping</code> identifiers.</p></td>
> +</tr>
> +</tbody>
> +</table>
> +
> +**Example:**
> +
> +```secil
> + (class class1 (perm1 perm2))
> +
> + (type type1)
> + (type type2)
> + (allow type1 type2 (class1 (perm1))) ; Allow-1
> + (deny type1 type2 (class1 (perm1))) ; Deny-1
> + ; Allow-1 will be complete removed by Deny-1.
> +
> + (type type3)
> + (type type4)
> + (allow type3 type4 (class1 (perm1 perm2))) ; Allow-2
> + (deny type3 type4 (class1 (perm1))) ; Deny-2
> + ; Allow-2 will be removed and replaced with the following when Deny-2 is evaluated
> + ; (allow type3 type4 (class1 (perm2)))
> +
> + (type type5)
> + (type type6)
> + (typeattribute attr1)
> + (typeattributeset attr1 (type5 type6))
> + (allow attr1 attr1 (class1 (perm1))) ; Allow-3
> + (deny type5 type6 (class1 (perm1))) ; Deny-3
> + ; Allow-3 will be removed and replaced with the following when Deny-3 is evaluated
> + ; (allow type6 attr1 (class1 (perm1)))
> + ; (allow type5 type5 (class1 (perm1)))
> +```
>
> allowx
> ------
next prev parent reply other threads:[~2023-07-26 15:55 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-04-13 19:34 [PATCH 0/9 v3] Add CIL Deny Rule James Carter
2023-04-13 19:34 ` [PATCH 1/9 v3] libsepol/cil: Parse and add deny rule to AST, but do not process James Carter
2023-04-13 19:34 ` [PATCH 2/9 v3] libsepol/cil: Add cil_list_is_empty macro James Carter
2023-04-13 19:34 ` [PATCH 3/9 v3] libsepol/cil: Add cil_tree_node_remove function James Carter
2023-04-13 19:34 ` [PATCH 4/9 v3] libsepol/cil: Process deny rules James Carter
2023-04-13 19:34 ` [PATCH 5/9 v3] libsepol/cil: Add cil_write_post_ast function James Carter
2023-04-13 19:34 ` [PATCH 6/9 v3] libsepol: Export the " James Carter
2023-04-13 19:34 ` [PATCH 7/9 v3] secilc/secil2tree: Add option to write CIL AST after post processing James Carter
2023-04-13 19:34 ` [PATCH 8/9 v3] secilc/test: Add deny rule tests James Carter
2023-04-13 19:34 ` [PATCH 9/9 v3] secilc/docs: Add deny rule to CIL documentation James Carter
2023-07-26 15:55 ` Daniel Burgener [this message]
2023-07-26 15:56 ` [PATCH 0/9 v3] Add CIL Deny Rule Daniel Burgener
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=6c74b08b-4319-b21a-6570-330f570c3660@linux.microsoft.com \
--to=dburgener@linux.microsoft.com \
--cc=jwcart2@gmail.com \
--cc=selinux@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.