From: James Carter <jwcart2@gmail.com>
To: selinux@vger.kernel.org
Cc: cgzones@googlemail.com, James Carter <jwcart2@gmail.com>
Subject: [PATCH 6/6] secilc/test: Add notself and other tests
Date: Wed, 12 Apr 2023 17:04:06 -0400
Message-ID: <20230412210406.522892-7-jwcart2@gmail.com>
In-Reply-To: <20230412210406.522892-1-jwcart2@gmail.com>

Signed-off-by: James Carter <jwcart2@gmail.com>
---
 secilc/test/notself_and_other.cil | 65 +++++++++++++++++++++++++++++++
 1 file changed, 65 insertions(+)
 create mode 100644 secilc/test/notself_and_other.cil

diff --git a/secilc/test/notself_and_other.cil b/secilc/test/notself_and_other.cil
new file mode 100644
index 00000000..9b33bfcb
--- /dev/null
+++ b/secilc/test/notself_and_other.cil
@@ -0,0 +1,65 @@
+(class CLASS (PERM))
+(class C1 (p1a p1b p1c p1d p1e))
+(classorder (CLASS C1))
+(sid SID)
+(sidorder (SID))
+(user USER)
+(role ROLE)
+(type TYPE)
+(category CAT)
+(categoryorder (CAT))
+(sensitivity SENS)
+(sensitivityorder (SENS))
+(sensitivitycategory SENS (CAT))
+(allow TYPE self (CLASS (PERM)))
+(roletype ROLE TYPE)
+(userrole USER ROLE)
+(userlevel USER (SENS))
+(userrange USER ((SENS)(SENS (CAT))))
+(sidcontext SID (USER ROLE TYPE ((SENS)(SENS))))
+
+(type ta)
+(type tb)
+(type tc)
+(type td)
+
+(typeattribute aab)
+(typeattributeset aab (ta tb))
+
+(typeattribute aac)
+(typeattributeset aac (ta tc))
+
+(typeattribute abc)
+(typeattributeset abc (tb tc))
+
+(typeattribute aabc)
+(typeattributeset aabc (ta tb tc))
+
+(typeattribute a_all_not_ta)
+(typeattributeset a_all_not_ta (and (all) (not ta)))
+
+(typeattribute a_all_not_aab)
+(typeattributeset a_all_not_aab (and (all) (not aab)))
+
+; Test 01
+(allow ta notself (C1 (p1a)))
+; (neverallow ta a_all_not_ta (C1 (p1a))) ; This check should fail
+
+; Test 02
+(allow aab notself (C1 (p1b)))
+; (neverallow aab a_all_not_aab (C1 (p1b))) ; This check should fail
+
+; Test 03
+(allow aab other (C1 (p1c)))
+; (neverallow ta tb (C1 (p1c))) ; This check should fail
+; (neverallow tb ta (C1 (p1c))) ; This check should fail
+
+; Test 04
+(allow aabc other (C1 (p1d)))
+; (neverallow ta abc (C1 (p1d))) ; This check should fail
+; (neverallow tb aac (C1 (p1d))) ; This check should fail
+; (neverallow tc aab (C1 (p1d))) ; This check should fail
+
+; Test 05
+(allow ta other (C1 (p1e))) ; other used with a single type results in no rule
+(neverallow ta a_all_not_ta (C1 (p1e)))
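Review bot: In Tests 01 to 04 every neverallow is commented out, so the only assertion the compiler actually evaluates is the one in Test 05; the file shows that the `notself` and `other` rules are accepted, but not which source/target pairs they expand to. A regression that made `notself` include the source type, or made `other` reach types outside the attribute, would still compile cleanly with this file. Consider adding active neverallow rules that are expected to pass, for example `(neverallow ta self (C1 (p1a)))` for Test 01 and `(neverallow ta tc (C1 (p1c)))` for Test 03, and a comment at the top of the file stating how the commented "This check should fail" lines are meant to be exercised.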
-- 
2.39.2


Thread overview: 7+ messages
2023-04-12 21:04 [PATCH 0/6] Add support for notself and other to CIL James Carter
2023-04-12 21:04 ` [PATCH 1/6] libsepol: Changes to ebitmap.h to fix compiler warnings James Carter
2023-04-12 21:04 ` [PATCH 2/6] libsepol/cil: Do not call ebitmap_init twice for an ebitmap James Carter
2023-04-12 21:04 ` [PATCH 3/6] libsepol/cil: Add notself and other support to CIL James Carter
2023-04-12 21:04 ` [PATCH 4/6] libsepol: update CIL generation for trivial not-self rules James Carter
2023-04-12 21:04 ` [PATCH 5/6] secilc/docs: Add notself and other keywords to CIL documentation James Carter
2023-04-12 21:04 ` James Carter [this message]
