SELinux Archive on lore.kernel.org
* [PATCH] Update the cil docs to match the current behaviour.
@ 2020-06-29 16:05 bauen1
  2020-07-02 18:43 ` James Carter
  0 siblings, 1 reply; 9+ messages in thread
From: bauen1 @ 2020-06-29 16:05 UTC
  To: selinux

Some features were dropped or changed since the docs were last updated.

Signed-off-by: bauen1 <j2468h@gmail.com>
---
secilc/docs/cil_call_macro_statements.md | 6 ++++--
secilc/docs/cil_container_statements.md | 2 +-
2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/secilc/docs/cil_call_macro_statements.md b/secilc/docs/cil_call_macro_statements.md
index 17c46ed9..98b70368 100644
--- a/secilc/docs/cil_call_macro_statements.md
+++ b/secilc/docs/cil_call_macro_statements.md
@@ -44,7 +44,7 @@ macro
Declare a macro in the current namespace with its associated parameters. The macro identifier is used by the [`call`](cil_call_macro_statements.md#call) statement to instantiate the macro and resolve any parameters. The call statement may be within the body of a macro.
-Note that when resolving macros the callers namespace is not checked, only the following places:
+When resolving macros the following places are checked in this order:
- Items defined inside the macro
@@ -52,6 +52,8 @@ Note that when resolving macros the callers namespace is not checked, only the f
- Items defined in the same namespace of the macro
+- Items defined in the callers namespace
+
- Items defined in the global namespace
**Statement definition:**
@@ -80,7 +82,7 @@ Note that when resolving macros the callers namespace is not checked, only the f
<tr class="odd">
<td align="left"><p><code>param_type</code></p></td>
<td align="left"><p>Zero or more parameters that are passed to the macro. The <code>param_type</code> is a keyword used to determine the declaration type (e.g. <code>type</code>, <code>class</code>, <code>categoryset</code>).</p>
-<p>The list of valid <code>param_type</code> entries are: <code>type</code>, <code>typealias</code>, <code>role</code>, <code>user</code>, <code>sensitivity</code>, <code>sensitivityalias</code>, <code>category</code>, <code>categoryalias</code>, <code>categoryset</code> (named or anonymous), <code>level</code> (named or anonymous), <code>levelrange</code> (named or anonymous), <code>class</code>, <code>classpermission</code> (named or anonymous), <code>ipaddr</code> (named or anonymous), <code>block</code>, <code>name</code> (a string), <code>classmap</code></p></td>
+<p>The list of valid <code>param_type</code> entries are: <code>type</code>, <code>typealias</code>, <code>role</code>, <code>user</code>, <code>sensitivity</code>, <code>sensitivityalias</code>, <code>category</code>, <code>categoryalias</code>, <code>categoryset</code> (named or anonymous), <code>level</code> (named or anonymous), <code>levelrange</code> (named or anonymous), <code>class</code>, <code>classpermission</code> (named or anonymous), <code>ipaddr</code> (named or anonymous), <code>name</code> (a string), <code>classmap</code></p></td>
</tr>
<tr class="even">
<td align="left"><p><code>param_id</code></p></td>
diff --git a/secilc/docs/cil_container_statements.md b/secilc/docs/cil_container_statements.md
index a570cb23..58b3224d 100644
--- a/secilc/docs/cil_container_statements.md
+++ b/secilc/docs/cil_container_statements.md
@@ -254,7 +254,7 @@ This example will instantiate the optional block `ext_gateway.move_file` into po
in
--
-Allows the insertion of CIL statements into a named container ([`block`](cil_container_statements.md#block), [`optional`](cil_container_statements.md#optional) or [`macro`](cil_call_macro_statements.md#macro)). This statement is not allowed in [`booleanif`](cil_conditional_statements.md#booleanif) or [`tunableif`](cil_conditional_statements.md#tunableif) statements.
+Allows the insertion of CIL statements into a named container ([`block`](cil_container_statements.md#block), [`optional`](cil_container_statements.md#optional) or [`macro`](cil_call_macro_statements.md#macro)). This statement is not allowed in [`booleanif`](cil_conditional_statements.md#booleanif) or [`tunableif`](cil_conditional_statements.md#tunableif) statements. This only works for containers that aren't inherited using [`blockinherit`](cil_conditional_statements.md#blockinherit).
**Statement definition:**

-- 
2.27.0



* Re: [PATCH] Update the cil docs to match the current behaviour.
  2020-06-29 16:05 [PATCH] Update the cil docs to match the current behaviour bauen1
@ 2020-07-02 18:43 ` James Carter
  2020-07-03 13:49   ` bauen1
                     ` (2 more replies)
  0 siblings, 3 replies; 9+ messages in thread
From: James Carter @ 2020-07-02 18:43 UTC
  To: bauen1; +Cc: selinux

This patch is malformed. It looks like leading spaces and blank lines
(at the very least) have been stripped.
Thanks,
Jim


On Mon, Jun 29, 2020 at 3:44 PM bauen1 <j2468h@googlemail.com> wrote:
>
> Some features were dropped or changed since the docs were last updated.
>
> Signed-off-by: bauen1 <j2468h@gmail.com>
> ---
> secilc/docs/cil_call_macro_statements.md | 6 ++++--
> secilc/docs/cil_container_statements.md | 2 +-
> 2 files changed, 5 insertions(+), 3 deletions(-)
>
> diff --git a/secilc/docs/cil_call_macro_statements.md b/secilc/docs/cil_call_macro_statements.md
> index 17c46ed9..98b70368 100644
> --- a/secilc/docs/cil_call_macro_statements.md
> +++ b/secilc/docs/cil_call_macro_statements.md
> @@ -44,7 +44,7 @@ macro
> Declare a macro in the current namespace with its associated parameters. The macro identifier is used by the [`call`](cil_call_macro_statements.md#call) statement to instantiate the macro and resolve any parameters. The call statement may be within the body of a macro.
> -Note that when resolving macros the callers namespace is not checked, only the following places:
> +When resolving macros the following places are checked in this order:
> - Items defined inside the macro
> @@ -52,6 +52,8 @@ Note that when resolving macros the callers namespace is not checked, only the f
> - Items defined in the same namespace of the macro
> +- Items defined in the callers namespace
> +
> - Items defined in the global namespace
> **Statement definition:**
> @@ -80,7 +82,7 @@ Note that when resolving macros the callers namespace is not checked, only the f
> <tr class="odd">
> <td align="left"><p><code>param_type</code></p></td>
> <td align="left"><p>Zero or more parameters that are passed to the macro. The <code>param_type</code> is a keyword used to determine the declaration type (e.g. <code>type</code>, <code>class</code>, <code>categoryset</code>).</p>
> -<p>The list of valid <code>param_type</code> entries are: <code>type</code>, <code>typealias</code>, <code>role</code>, <code>user</code>, <code>sensitivity</code>, <code>sensitivityalias</code>, <code>category</code>, <code>categoryalias</code>, <code>categoryset</code> (named or anonymous), <code>level</code> (named or anonymous), <code>levelrange</code> (named or anonymous), <code>class</code>, <code>classpermission</code> (named or anonymous), <code>ipaddr</code> (named or anonymous), <code>block</code>, <code>name</code> (a string), <code>classmap</code></p></td>
> +<p>The list of valid <code>param_type</code> entries are: <code>type</code>, <code>typealias</code>, <code>role</code>, <code>user</code>, <code>sensitivity</code>, <code>sensitivityalias</code>, <code>category</code>, <code>categoryalias</code>, <code>categoryset</code> (named or anonymous), <code>level</code> (named or anonymous), <code>levelrange</code> (named or anonymous), <code>class</code>, <code>classpermission</code> (named or anonymous), <code>ipaddr</code> (named or anonymous), <code>name</code> (a string), <code>classmap</code></p></td>
> </tr>
> <tr class="even">
> <td align="left"><p><code>param_id</code></p></td>
> diff --git a/secilc/docs/cil_container_statements.md b/secilc/docs/cil_container_statements.md
> index a570cb23..58b3224d 100644
> --- a/secilc/docs/cil_container_statements.md
> +++ b/secilc/docs/cil_container_statements.md
> @@ -254,7 +254,7 @@ This example will instantiate the optional block `ext_gateway.move_file` into po
> in
> --
> -Allows the insertion of CIL statements into a named container ([`block`](cil_container_statements.md#block), [`optional`](cil_container_statements.md#optional) or [`macro`](cil_call_macro_statements.md#macro)). This statement is not allowed in [`booleanif`](cil_conditional_statements.md#booleanif) or [`tunableif`](cil_conditional_statements.md#tunableif) statements.
> +Allows the insertion of CIL statements into a named container ([`block`](cil_container_statements.md#block), [`optional`](cil_container_statements.md#optional) or [`macro`](cil_call_macro_statements.md#macro)). This statement is not allowed in [`booleanif`](cil_conditional_statements.md#booleanif) or [`tunableif`](cil_conditional_statements.md#tunableif) statements. This only works for containers that aren't inherited using [`blockinherit`](cil_conditional_statements.md#blockinherit).
> **Statement definition:**
>
> --
> 2.27.0
>


* Re: [PATCH] Update the cil docs to match the current behaviour.
  2020-07-02 18:43 ` James Carter
@ 2020-07-03 13:49   ` bauen1
  2020-07-03 13:52   ` bauen1
  2020-07-09  8:36   ` [PATCH v2] " bauen1
  2 siblings, 0 replies; 9+ messages in thread
From: bauen1 @ 2020-07-03 13:49 UTC
  To: James Carter, bauen1; +Cc: selinux



On 7/2/20 8:43 PM, James Carter wrote:
> This patch is malformed. It looks like leading spaces and blank lines
> (at the very least) have been stripped.
> Thanks,
> Jim
> 

I'm sorry.
I will resend the patch properly.
bauen1

-- 
bauen1
https://dn42.bauen1.xyz/


* [PATCH] Update the cil docs to match the current behaviour.
  2020-07-02 18:43 ` James Carter
  2020-07-03 13:49   ` bauen1
@ 2020-07-03 13:52   ` bauen1
  2020-07-09  8:36   ` [PATCH v2] " bauen1
  2 siblings, 0 replies; 9+ messages in thread
From: bauen1 @ 2020-07-03 13:52 UTC
  To: selinux

Some features were dropped or changed since the docs were last updated.

Signed-off-by: bauen1 <j2468h@gmail.com>
---
 secilc/docs/cil_call_macro_statements.md | 6 ++++--
 secilc/docs/cil_container_statements.md  | 2 +-
 2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/secilc/docs/cil_call_macro_statements.md b/secilc/docs/cil_call_macro_statements.md
index 17c46ed9..98b70368 100644
--- a/secilc/docs/cil_call_macro_statements.md
+++ b/secilc/docs/cil_call_macro_statements.md
@@ -44,7 +44,7 @@ macro
 
 Declare a macro in the current namespace with its associated parameters. The macro identifier is used by the [`call`](cil_call_macro_statements.md#call) statement to instantiate the macro and resolve any parameters. The call statement may be within the body of a macro.
 
-Note that when resolving macros the callers namespace is not checked, only the following places:
+When resolving macros the following places are checked in this order:
 
 -   Items defined inside the macro
 
@@ -52,6 +52,8 @@ Note that when resolving macros the callers namespace is not checked, only the f
 
 -   Items defined in the same namespace of the macro
 
+-   Items defined in the callers namespace
+
 -   Items defined in the global namespace
 
 **Statement definition:**
@@ -80,7 +82,7 @@ Note that when resolving macros the callers namespace is not checked, only the f
 <tr class="odd">
 <td align="left"><p><code>param_type</code></p></td>
 <td align="left"><p>Zero or more parameters that are passed to the macro. The <code>param_type</code> is a keyword used to determine the declaration type (e.g. <code>type</code>, <code>class</code>, <code>categoryset</code>).</p>
-<p>The list of valid <code>param_type</code> entries are: <code>type</code>, <code>typealias</code>, <code>role</code>, <code>user</code>, <code>sensitivity</code>, <code>sensitivityalias</code>, <code>category</code>, <code>categoryalias</code>, <code>categoryset</code> (named or anonymous), <code>level</code> (named or anonymous), <code>levelrange</code> (named or anonymous), <code>class</code>, <code>classpermission</code> (named or anonymous), <code>ipaddr</code> (named or anonymous), <code>block</code>, <code>name</code> (a string), <code>classmap</code></p></td>
+<p>The list of valid <code>param_type</code> entries are: <code>type</code>, <code>typealias</code>, <code>role</code>, <code>user</code>, <code>sensitivity</code>, <code>sensitivityalias</code>, <code>category</code>, <code>categoryalias</code>, <code>categoryset</code> (named or anonymous), <code>level</code> (named or anonymous), <code>levelrange</code> (named or anonymous), <code>class</code>, <code>classpermission</code> (named or anonymous), <code>ipaddr</code> (named or anonymous), <code>name</code> (a string), <code>classmap</code></p></td>
 </tr>
 <tr class="even">
 <td align="left"><p><code>param_id</code></p></td>
diff --git a/secilc/docs/cil_container_statements.md b/secilc/docs/cil_container_statements.md
index a570cb23..58b3224d 100644
--- a/secilc/docs/cil_container_statements.md
+++ b/secilc/docs/cil_container_statements.md
@@ -254,7 +254,7 @@ This example will instantiate the optional block `ext_gateway.move_file` into po
 in
 --
 
-Allows the insertion of CIL statements into a named container ([`block`](cil_container_statements.md#block), [`optional`](cil_container_statements.md#optional) or [`macro`](cil_call_macro_statements.md#macro)). This statement is not allowed in [`booleanif`](cil_conditional_statements.md#booleanif) or [`tunableif`](cil_conditional_statements.md#tunableif) statements.
+Allows the insertion of CIL statements into a named container ([`block`](cil_container_statements.md#block), [`optional`](cil_container_statements.md#optional) or [`macro`](cil_call_macro_statements.md#macro)). This statement is not allowed in [`booleanif`](cil_conditional_statements.md#booleanif) or [`tunableif`](cil_conditional_statements.md#tunableif) statements. This only works for containers that aren't inherited using [`blockinherit`](cil_conditional_statements.md#blockinherit).
 
 **Statement definition:**
 
-- 
2.27.0



* [PATCH v2] Update the cil docs to match the current behaviour.
  2020-07-02 18:43 ` James Carter
  2020-07-03 13:49   ` bauen1
  2020-07-03 13:52   ` bauen1
@ 2020-07-09  8:36   ` bauen1
  2020-07-10 13:46     ` Petr Lautrbach
  2020-07-10 16:17     ` James Carter
  2 siblings, 2 replies; 9+ messages in thread
From: bauen1 @ 2020-07-09  8:36 UTC
  To: selinux

Some features were dropped or changed since the docs were last updated.

Signed-off-by: Jonathan Hettwer <j2468h@gmail.com>
---

Notes:
    Updated to include additional fixes and a correct Signed-off-by line.

 secilc/docs/cil_call_macro_statements.md | 6 ++++--
 secilc/docs/cil_container_statements.md  | 2 +-
 secilc/docs/cil_reference_guide.md       | 2 +-
 secilc/docs/cil_user_statements.md       | 2 +-
 4 files changed, 7 insertions(+), 5 deletions(-)

diff --git a/secilc/docs/cil_call_macro_statements.md b/secilc/docs/cil_call_macro_statements.md
index 17c46ed9..98b70368 100644
--- a/secilc/docs/cil_call_macro_statements.md
+++ b/secilc/docs/cil_call_macro_statements.md
@@ -44,7 +44,7 @@ macro
 
 Declare a macro in the current namespace with its associated parameters. The macro identifier is used by the [`call`](cil_call_macro_statements.md#call) statement to instantiate the macro and resolve any parameters. The call statement may be within the body of a macro.
 
-Note that when resolving macros the callers namespace is not checked, only the following places:
+When resolving macros the following places are checked in this order:
 
 -   Items defined inside the macro
 
@@ -52,6 +52,8 @@ Note that when resolving macros the callers namespace is not checked, only the f
 
 -   Items defined in the same namespace of the macro
 
+-   Items defined in the callers namespace
+
 -   Items defined in the global namespace
 
 **Statement definition:**
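Review bot: the added list item "Items defined in the callers namespace" should read "caller's namespace" (possessive). Because the rewritten intro sentence now says the places are checked "in this order", the item's position between the macro's own namespace and the global namespace is a statement about precedence, and precedence decides which declaration a name inside a macro binds to. The commit message only says that features were dropped or changed; it should state that caller-namespace lookup is now documented and where it ranks, so a reviewer can check the claim against the resolver.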
@@ -80,7 +82,7 @@ Note that when resolving macros the callers namespace is not checked, only the f
 <tr class="odd">
 <td align="left"><p><code>param_type</code></p></td>
 <td align="left"><p>Zero or more parameters that are passed to the macro. The <code>param_type</code> is a keyword used to determine the declaration type (e.g. <code>type</code>, <code>class</code>, <code>categoryset</code>).</p>
-<p>The list of valid <code>param_type</code> entries are: <code>type</code>, <code>typealias</code>, <code>role</code>, <code>user</code>, <code>sensitivity</code>, <code>sensitivityalias</code>, <code>category</code>, <code>categoryalias</code>, <code>categoryset</code> (named or anonymous), <code>level</code> (named or anonymous), <code>levelrange</code> (named or anonymous), <code>class</code>, <code>classpermission</code> (named or anonymous), <code>ipaddr</code> (named or anonymous), <code>block</code>, <code>name</code> (a string), <code>classmap</code></p></td>
+<p>The list of valid <code>param_type</code> entries are: <code>type</code>, <code>typealias</code>, <code>role</code>, <code>user</code>, <code>sensitivity</code>, <code>sensitivityalias</code>, <code>category</code>, <code>categoryalias</code>, <code>categoryset</code> (named or anonymous), <code>level</code> (named or anonymous), <code>levelrange</code> (named or anonymous), <code>class</code>, <code>classpermission</code> (named or anonymous), <code>ipaddr</code> (named or anonymous), <code>name</code> (a string), <code>classmap</code></p></td>
 </tr>
 <tr class="even">
 <td align="left"><p><code>param_id</code></p></td>
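Review bot: in the rewritten list of valid param_type entries, "block" is removed without any mention in the commit message; name the removal there so readers can tell it was dropped on purpose rather than lost in the edit. While the line is being rewritten anyway, "The list of valid param_type entries are" should be "is".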
diff --git a/secilc/docs/cil_container_statements.md b/secilc/docs/cil_container_statements.md
index a570cb23..58b3224d 100644
--- a/secilc/docs/cil_container_statements.md
+++ b/secilc/docs/cil_container_statements.md
@@ -254,7 +254,7 @@ This example will instantiate the optional block `ext_gateway.move_file` into po
 in
 --
 
-Allows the insertion of CIL statements into a named container ([`block`](cil_container_statements.md#block), [`optional`](cil_container_statements.md#optional) or [`macro`](cil_call_macro_statements.md#macro)). This statement is not allowed in [`booleanif`](cil_conditional_statements.md#booleanif) or [`tunableif`](cil_conditional_statements.md#tunableif) statements.
+Allows the insertion of CIL statements into a named container ([`block`](cil_container_statements.md#block), [`optional`](cil_container_statements.md#optional) or [`macro`](cil_call_macro_statements.md#macro)). This statement is not allowed in [`booleanif`](cil_conditional_statements.md#booleanif) or [`tunableif`](cil_conditional_statements.md#tunableif) statements. This only works for containers that aren't inherited using [`blockinherit`](cil_conditional_statements.md#blockinherit).
 
 **Statement definition:**
 
diff --git a/secilc/docs/cil_reference_guide.md b/secilc/docs/cil_reference_guide.md
index 1b1fccca..3e33c5f7 100644
--- a/secilc/docs/cil_reference_guide.md
+++ b/secilc/docs/cil_reference_guide.md
@@ -176,7 +176,7 @@ Should the symbol not be prefixed with a dot, the current namespace would be sea
 Expressions
 -----------
 
-Expressions may occur in the following CIL statements: [`booleanif`](cil_conditional_statements.md#booleanif), [`tunableif`](cil_conditional_statements.md#tunableif), [`classpermissionset`](cil_class_and_permission_statements.md#classpermissionset), [`typeattributeset`](cil_type_statements.md#typeattributeset), [`roleattributeset`](cil_role_statements.md#roleattributeset), [`categoryset`](cil_mls_labeling_statements.md#categoryset), [`constrain`](cil_constraint_statements.md#constrain), [`mlsconstrain`](cil_constraint_statements.md#mlsconstrain), [`validatetrans`](cil_constraint_statements.md#validatetrans), [`validatetrans`](cil_constraint_statements.md#validatetrans)
+Expressions may occur in the following CIL statements: [`booleanif`](cil_conditional_statements.md#booleanif), [`tunableif`](cil_conditional_statements.md#tunableif), [`classpermissionset`](cil_class_and_permission_statements.md#classpermissionset), [`typeattributeset`](cil_type_statements.md#typeattributeset), [`roleattributeset`](cil_role_statements.md#roleattributeset), [`categoryset`](cil_mls_labeling_statements.md#categoryset), [`constrain`](cil_constraint_statements.md#constrain), [`mlsconstrain`](cil_constraint_statements.md#mlsconstrain), [`validatetrans`](cil_constraint_statements.md#validatetrans), [`mlsvalidatetrans`](cil_constraint_statements.md#mlsvalidatetrans)
 
 CIL expressions use the [prefix](http://www.cs.man.ac.uk/~pjj/cs212/fix.html) or Polish notation and may be nested (note that the kernel policy language uses postfix or reverse Polish notation). The syntax is as follows, where the parenthesis are part of the syntax:
 
diff --git a/secilc/docs/cil_user_statements.md b/secilc/docs/cil_user_statements.md
index bbd76eff..26e45510 100644
--- a/secilc/docs/cil_user_statements.md
+++ b/secilc/docs/cil_user_statements.md
@@ -260,7 +260,7 @@ This example will associate `unconfined.user` with a named [`levelrange`](cil_ml
     (categoryorder (c0 c1))
     (sensitivity s0)
     (sensitivity s1)
-    (dominance (s0 s1))
+    (sensitivityorder (s0 s1))
     (sensitivitycategory s0 (c0 c1))
     (level systemLow (s0))
     (level systemHigh (s0 (c0 c1)))
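Review bot: the change from "(dominance (s0 s1))" to "(sensitivityorder (s0 s1))" in this example is not described by the commit message, which only says that features were dropped or changed; say there that "dominance" is replaced by "sensitivityorder". It is also worth checking the other examples under secilc/docs for remaining uses of "dominance", so that the MLS examples are not left half-updated.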
-- 
2.27.0



* Re: [PATCH v2] Update the cil docs to match the current behaviour.
  2020-07-09  8:36   ` [PATCH v2] " bauen1
@ 2020-07-10 13:46     ` Petr Lautrbach
  2020-07-10 14:44       ` bauen1
  2020-07-10 16:17     ` James Carter
  1 sibling, 1 reply; 9+ messages in thread
From: Petr Lautrbach @ 2020-07-10 13:46 UTC
  To: selinux; +Cc: bauen1



On Thu, Jul 09, 2020 at 10:36:36AM +0200, bauen1 wrote:
> Some features were dropped or changed since the docs were last updated.
> 
> Signed-off-by: Jonathan Hettwer <j2468h@gmail.com>

I think it should go to 3.1 release. But I have to confess myself not being
able to confirm whether the change is correct.

If it's acked by somebody else I could apply it and push to 3.1 release



> ---
> 
> Notes:
>     Updated to include additional fixes and a correct Signed-off-by line.
> 
>  secilc/docs/cil_call_macro_statements.md | 6 ++++--
>  secilc/docs/cil_container_statements.md  | 2 +-
>  secilc/docs/cil_reference_guide.md       | 2 +-
>  secilc/docs/cil_user_statements.md       | 2 +-
>  4 files changed, 7 insertions(+), 5 deletions(-)
> 
> diff --git a/secilc/docs/cil_call_macro_statements.md b/secilc/docs/cil_call_macro_statements.md
> index 17c46ed9..98b70368 100644
> --- a/secilc/docs/cil_call_macro_statements.md
> +++ b/secilc/docs/cil_call_macro_statements.md
> @@ -44,7 +44,7 @@ macro
>  
>  Declare a macro in the current namespace with its associated parameters. The macro identifier is used by the [`call`](cil_call_macro_statements.md#call) statement to instantiate the macro and resolve any parameters. The call statement may be within the body of a macro.
>  
> -Note that when resolving macros the callers namespace is not checked, only the following places:
> +When resolving macros the following places are checked in this order:
>  
>  -   Items defined inside the macro
>  
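Review bot: the new sentence "the following places are checked in this order" makes the sequence normative, but the list it introduces is still an unordered bullet list ("-   Items defined inside the macro" and so on). Use a numbered list so the precedence stays explicit in the rendered docs, and add a comma after "When resolving macros".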
> @@ -52,6 +52,8 @@ Note that when resolving macros the callers namespace is not checked, only the f
>  
>  -   Items defined in the same namespace of the macro
>  
> +-   Items defined in the callers namespace
> +
>  -   Items defined in the global namespace
>  
>  **Statement definition:**
> @@ -80,7 +82,7 @@ Note that when resolving macros the callers namespace is not checked, only the f
>  <tr class="odd">
>  <td align="left"><p><code>param_type</code></p></td>
>  <td align="left"><p>Zero or more parameters that are passed to the macro. The <code>param_type</code> is a keyword used to determine the declaration type (e.g. <code>type</code>, <code>class</code>, <code>categoryset</code>).</p>
> -<p>The list of valid <code>param_type</code> entries are: <code>type</code>, <code>typealias</code>, <code>role</code>, <code>user</code>, <code>sensitivity</code>, <code>sensitivityalias</code>, <code>category</code>, <code>categoryalias</code>, <code>categoryset</code> (named or anonymous), <code>level</code> (named or anonymous), <code>levelrange</code> (named or anonymous), <code>class</code>, <code>classpermission</code> (named or anonymous), <code>ipaddr</code> (named or anonymous), <code>block</code>, <code>name</code> (a string), <code>classmap</code></p></td>
> +<p>The list of valid <code>param_type</code> entries are: <code>type</code>, <code>typealias</code>, <code>role</code>, <code>user</code>, <code>sensitivity</code>, <code>sensitivityalias</code>, <code>category</code>, <code>categoryalias</code>, <code>categoryset</code> (named or anonymous), <code>level</code> (named or anonymous), <code>levelrange</code> (named or anonymous), <code>class</code>, <code>classpermission</code> (named or anonymous), <code>ipaddr</code> (named or anonymous), <code>name</code> (a string), <code>classmap</code></p></td>
>  </tr>
>  <tr class="even">
>  <td align="left"><p><code>param_id</code></p></td>
> diff --git a/secilc/docs/cil_container_statements.md b/secilc/docs/cil_container_statements.md
> index a570cb23..58b3224d 100644
> --- a/secilc/docs/cil_container_statements.md
> +++ b/secilc/docs/cil_container_statements.md
> @@ -254,7 +254,7 @@ This example will instantiate the optional block `ext_gateway.move_file` into po
>  in
>  --
>  
> -Allows the insertion of CIL statements into a named container ([`block`](cil_container_statements.md#block), [`optional`](cil_container_statements.md#optional) or [`macro`](cil_call_macro_statements.md#macro)). This statement is not allowed in [`booleanif`](cil_conditional_statements.md#booleanif) or [`tunableif`](cil_conditional_statements.md#tunableif) statements.
> +Allows the insertion of CIL statements into a named container ([`block`](cil_container_statements.md#block), [`optional`](cil_container_statements.md#optional) or [`macro`](cil_call_macro_statements.md#macro)). This statement is not allowed in [`booleanif`](cil_conditional_statements.md#booleanif) or [`tunableif`](cil_conditional_statements.md#tunableif) statements. This only works for containers that aren't inherited using [`blockinherit`](cil_conditional_statements.md#blockinherit).
>  
>  **Statement definition:**
>  
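Review bot: the new blockinherit link targets cil_conditional_statements.md#blockinherit, while block and optional in the same sentence link to cil_container_statements.md; blockinherit is a container statement, so the target should presumably be cil_container_statements.md#blockinherit (please confirm the anchor). The added sentence "This only works for containers that aren't inherited" also has an ambiguous subject coming right after the booleanif/tunableif restriction; "The in statement only works for ..." would be clearer.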
> diff --git a/secilc/docs/cil_reference_guide.md b/secilc/docs/cil_reference_guide.md
> index 1b1fccca..3e33c5f7 100644
> --- a/secilc/docs/cil_reference_guide.md
> +++ b/secilc/docs/cil_reference_guide.md
> @@ -176,7 +176,7 @@ Should the symbol not be prefixed with a dot, the current namespace would be sea
>  Expressions
>  -----------
>  
> -Expressions may occur in the following CIL statements: [`booleanif`](cil_conditional_statements.md#booleanif), [`tunableif`](cil_conditional_statements.md#tunableif), [`classpermissionset`](cil_class_and_permission_statements.md#classpermissionset), [`typeattributeset`](cil_type_statements.md#typeattributeset), [`roleattributeset`](cil_role_statements.md#roleattributeset), [`categoryset`](cil_mls_labeling_statements.md#categoryset), [`constrain`](cil_constraint_statements.md#constrain), [`mlsconstrain`](cil_constraint_statements.md#mlsconstrain), [`validatetrans`](cil_constraint_statements.md#validatetrans), [`validatetrans`](cil_constraint_statements.md#validatetrans)
> +Expressions may occur in the following CIL statements: [`booleanif`](cil_conditional_statements.md#booleanif), [`tunableif`](cil_conditional_statements.md#tunableif), [`classpermissionset`](cil_class_and_permission_statements.md#classpermissionset), [`typeattributeset`](cil_type_statements.md#typeattributeset), [`roleattributeset`](cil_role_statements.md#roleattributeset), [`categoryset`](cil_mls_labeling_statements.md#categoryset), [`constrain`](cil_constraint_statements.md#constrain), [`mlsconstrain`](cil_constraint_statements.md#mlsconstrain), [`validatetrans`](cil_constraint_statements.md#validatetrans), [`mlsvalidatetrans`](cil_constraint_statements.md#mlsvalidatetrans)
>  
>  CIL expressions use the [prefix](http://www.cs.man.ac.uk/~pjj/cs212/fix.html) or Polish notation and may be nested (note that the kernel policy language uses postfix or reverse Polish notation). The syntax is as follows, where the parenthesis are part of the syntax:
>  
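Review bot: replacing the duplicated validatetrans entry with mlsvalidatetrans at the end of the "Expressions may occur in" list is a typo fix rather than a behaviour change, so the commit message, which only says that features were dropped or changed, does not describe it; mention it there or split it into its own patch. Please also confirm that cil_constraint_statements.md has an #mlsvalidatetrans anchor, since that link target is new in this line.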
> diff --git a/secilc/docs/cil_user_statements.md b/secilc/docs/cil_user_statements.md
> index bbd76eff..26e45510 100644
> --- a/secilc/docs/cil_user_statements.md
> +++ b/secilc/docs/cil_user_statements.md
> @@ -260,7 +260,7 @@ This example will associate `unconfined.user` with a named [`levelrange`](cil_ml
>      (categoryorder (c0 c1))
>      (sensitivity s0)
>      (sensitivity s1)
> -    (dominance (s0 s1))
> +    (sensitivityorder (s0 s1))
>      (sensitivitycategory s0 (c0 c1))
>      (level systemLow (s0))
>      (level systemHigh (s0 (c0 c1)))
> -- 
> 2.27.0
> 



* Re: [PATCH v2] Update the cil docs to match the current behaviour.
  2020-07-10 13:46     ` Petr Lautrbach
@ 2020-07-10 14:44       ` bauen1
  0 siblings, 0 replies; 9+ messages in thread
From: bauen1 @ 2020-07-10 14:44 UTC
  To: Petr Lautrbach, selinux; +Cc: bauen1

On 7/10/20 3:46 PM, Petr Lautrbach wrote:
> On Thu, Jul 09, 2020 at 10:36:36AM +0200, bauen1 wrote:
>> Some features were dropped or changed since the docs were last updated.
>>
>> Signed-off-by: Jonathan Hettwer <j2468h@gmail.com>
> 
> I think it should go to 3.1 release. But I have to confess myself not being
> able to confirm whether the change is correct.
> 
> If it's acked by somebody else I could apply it and push to 3.1 release
> 

Thanks, but please don't let this alone block the release.

-- 
bauen1
https://dn42.bauen1.xyz/


* Re: [PATCH v2] Update the cil docs to match the current behaviour.
  2020-07-09  8:36   ` [PATCH v2] " bauen1
  2020-07-10 13:46     ` Petr Lautrbach
@ 2020-07-10 16:17     ` James Carter
  2020-07-14 14:29       ` Petr Lautrbach
  1 sibling, 1 reply; 9+ messages in thread
From: James Carter @ 2020-07-10 16:17 UTC
  To: bauen1; +Cc: SElinux list

On Thu, Jul 9, 2020 at 4:37 AM bauen1 <j2468h@googlemail.com> wrote:
>
> Some features were dropped or changed since the docs were last updated.
>
> Signed-off-by: Jonathan Hettwer <j2468h@gmail.com>

Acked-by: James Carter <jwcart2@gmail.com>

> ---
>
> Notes:
>     Updated to include additional fixes and a correct Signed-off-by line.
>
>  secilc/docs/cil_call_macro_statements.md | 6 ++++--
>  secilc/docs/cil_container_statements.md  | 2 +-
>  secilc/docs/cil_reference_guide.md       | 2 +-
>  secilc/docs/cil_user_statements.md       | 2 +-
>  4 files changed, 7 insertions(+), 5 deletions(-)
>
> diff --git a/secilc/docs/cil_call_macro_statements.md b/secilc/docs/cil_call_macro_statements.md
> index 17c46ed9..98b70368 100644
> --- a/secilc/docs/cil_call_macro_statements.md
> +++ b/secilc/docs/cil_call_macro_statements.md
> @@ -44,7 +44,7 @@ macro
>
>  Declare a macro in the current namespace with its associated parameters. The macro identifier is used by the [`call`](cil_call_macro_statements.md#call) statement to instantiate the macro and resolve any parameters. The call statement may be within the body of a macro.
>
> -Note that when resolving macros the callers namespace is not checked, only the following places:
> +When resolving macros the following places are checked in this order:
>
>  -   Items defined inside the macro
>
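
Review bot: the new lead-in, "When resolving macros the following places are checked in this order:", reads as if the macro identifier itself is being looked up, while every entry in the list below it is about items. Consider "When resolving names used inside a macro, the following places are checked in this order:" so the ordering claim is unambiguous.
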
> @@ -52,6 +52,8 @@ Note that when resolving macros the callers namespace is not checked, only the f
>
>  -   Items defined in the same namespace of the macro
>
> +-   Items defined in the callers namespace
> +
>  -   Items defined in the global namespace
>
>  **Statement definition:**
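
Review bot: the added entry "Items defined in the callers namespace" needs the possessive ("caller's"), and its position ahead of the global namespace deserves a sentence of explanation. With this order an item in the caller's namespace shadows a global item of the same name, so one macro can resolve to different items at different call sites; anyone auditing a macro should be told that explicitly, ideally with a short example in the doc.
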
> @@ -80,7 +82,7 @@ Note that when resolving macros the callers namespace is not checked, only the f
>  <tr class="odd">
>  <td align="left"><p><code>param_type</code></p></td>
>  <td align="left"><p>Zero or more parameters that are passed to the macro. The <code>param_type</code> is a keyword used to determine the declaration type (e.g. <code>type</code>, <code>class</code>, <code>categoryset</code>).</p>
> -<p>The list of valid <code>param_type</code> entries are: <code>type</code>, <code>typealias</code>, <code>role</code>, <code>user</code>, <code>sensitivity</code>, <code>sensitivityalias</code>, <code>category</code>, <code>categoryalias</code>, <code>categoryset</code> (named or anonymous), <code>level</code> (named or anonymous), <code>levelrange</code> (named or anonymous), <code>class</code>, <code>classpermission</code> (named or anonymous), <code>ipaddr</code> (named or anonymous), <code>block</code>, <code>name</code> (a string), <code>classmap</code></p></td>
> +<p>The list of valid <code>param_type</code> entries are: <code>type</code>, <code>typealias</code>, <code>role</code>, <code>user</code>, <code>sensitivity</code>, <code>sensitivityalias</code>, <code>category</code>, <code>categoryalias</code>, <code>categoryset</code> (named or anonymous), <code>level</code> (named or anonymous), <code>levelrange</code> (named or anonymous), <code>class</code>, <code>classpermission</code> (named or anonymous), <code>ipaddr</code> (named or anonymous), <code>name</code> (a string), <code>classmap</code></p></td>
>  </tr>
>  <tr class="even">
>  <td align="left"><p><code>param_id</code></p></td>
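
Review bot: the replacement line drops `block` from the valid `param_type` entries, but neither the commit message nor the surrounding text says so. Please name the removal in the commit message, since policy authors who still declare a `block` parameter need to know it is no longer documented as valid. While touching the sentence, fix the agreement in "The list ... are" (either "The valid `param_type` entries are" or "The list ... is").
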
> diff --git a/secilc/docs/cil_container_statements.md b/secilc/docs/cil_container_statements.md
> index a570cb23..58b3224d 100644
> --- a/secilc/docs/cil_container_statements.md
> +++ b/secilc/docs/cil_container_statements.md
> @@ -254,7 +254,7 @@ This example will instantiate the optional block `ext_gateway.move_file` into po
>  in
>  --
>
> -Allows the insertion of CIL statements into a named container ([`block`](cil_container_statements.md#block), [`optional`](cil_container_statements.md#optional) or [`macro`](cil_call_macro_statements.md#macro)). This statement is not allowed in [`booleanif`](cil_conditional_statements.md#booleanif) or [`tunableif`](cil_conditional_statements.md#tunableif) statements.
> +Allows the insertion of CIL statements into a named container ([`block`](cil_container_statements.md#block), [`optional`](cil_container_statements.md#optional) or [`macro`](cil_call_macro_statements.md#macro)). This statement is not allowed in [`booleanif`](cil_conditional_statements.md#booleanif) or [`tunableif`](cil_conditional_statements.md#tunableif) statements. This only works for containers that aren't inherited using [`blockinherit`](cil_conditional_statements.md#blockinherit).
>
>  **Statement definition:**
>
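
Review bot: the added `blockinherit` link points at `cil_conditional_statements.md#blockinherit`, while the other container statements in the same sentence (`block`, `optional`) link into `cil_container_statements.md`. `blockinherit` is a container statement, so the target should be `cil_container_statements.md#blockinherit`. The sentence "This only works for containers that aren't inherited" would also read more clearly if it said directly which case is not supported.
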
> diff --git a/secilc/docs/cil_reference_guide.md b/secilc/docs/cil_reference_guide.md
> index 1b1fccca..3e33c5f7 100644
> --- a/secilc/docs/cil_reference_guide.md
> +++ b/secilc/docs/cil_reference_guide.md
> @@ -176,7 +176,7 @@ Should the symbol not be prefixed with a dot, the current namespace would be sea
>  Expressions
>  -----------
>
> -Expressions may occur in the following CIL statements: [`booleanif`](cil_conditional_statements.md#booleanif), [`tunableif`](cil_conditional_statements.md#tunableif), [`classpermissionset`](cil_class_and_permission_statements.md#classpermissionset), [`typeattributeset`](cil_type_statements.md#typeattributeset), [`roleattributeset`](cil_role_statements.md#roleattributeset), [`categoryset`](cil_mls_labeling_statements.md#categoryset), [`constrain`](cil_constraint_statements.md#constrain), [`mlsconstrain`](cil_constraint_statements.md#mlsconstrain), [`validatetrans`](cil_constraint_statements.md#validatetrans), [`validatetrans`](cil_constraint_statements.md#validatetrans)
> +Expressions may occur in the following CIL statements: [`booleanif`](cil_conditional_statements.md#booleanif), [`tunableif`](cil_conditional_statements.md#tunableif), [`classpermissionset`](cil_class_and_permission_statements.md#classpermissionset), [`typeattributeset`](cil_type_statements.md#typeattributeset), [`roleattributeset`](cil_role_statements.md#roleattributeset), [`categoryset`](cil_mls_labeling_statements.md#categoryset), [`constrain`](cil_constraint_statements.md#constrain), [`mlsconstrain`](cil_constraint_statements.md#mlsconstrain), [`validatetrans`](cil_constraint_statements.md#validatetrans), [`mlsvalidatetrans`](cil_constraint_statements.md#mlsvalidatetrans)
>
>  CIL expressions use the [prefix](http://www.cs.man.ac.uk/~pjj/cs212/fix.html) or Polish notation and may be nested (note that the kernel policy language uses postfix or reverse Polish notation). The syntax is as follows, where the parenthesis are part of the syntax:
>
> diff --git a/secilc/docs/cil_user_statements.md b/secilc/docs/cil_user_statements.md
> index bbd76eff..26e45510 100644
> --- a/secilc/docs/cil_user_statements.md
> +++ b/secilc/docs/cil_user_statements.md
> @@ -260,7 +260,7 @@ This example will associate `unconfined.user` with a named [`levelrange`](cil_ml
>      (categoryorder (c0 c1))
>      (sensitivity s0)
>      (sensitivity s1)
> -    (dominance (s0 s1))
> +    (sensitivityorder (s0 s1))
>      (sensitivitycategory s0 (c0 c1))
>      (level systemLow (s0))
>      (level systemHigh (s0 (c0 c1)))
> --
> 2.27.0
>


* Re: [PATCH v2] Update the cil docs to match the current behaviour.
  2020-07-10 16:17     ` James Carter
@ 2020-07-14 14:29       ` Petr Lautrbach
  0 siblings, 0 replies; 9+ messages in thread
From: Petr Lautrbach @ 2020-07-14 14:29 UTC (permalink / raw)
  To: SElinux list; +Cc: bauen1, James Carter



On Fri, Jul 10, 2020 at 12:17:49PM -0400, James Carter wrote:
> On Thu, Jul 9, 2020 at 4:37 AM bauen1 <j2468h@googlemail.com> wrote:
> >
> > > Some features were dropped or changed since the docs were last updated.
> >
> > Signed-off-by: Jonathan Hettwer <j2468h@gmail.com>
> 
> Acked-by: James Carter <jwcart2@gmail.com>

I'd asked for that and then missed it, I'm sorry.

It's applied now. Thanks!

> > ---
> >
> > Notes:
> >     Updated to include additional fixes and a correct Signed-off-by line.
> >
> >  secilc/docs/cil_call_macro_statements.md | 6 ++++--
> >  secilc/docs/cil_container_statements.md  | 2 +-
> >  secilc/docs/cil_reference_guide.md       | 2 +-
> >  secilc/docs/cil_user_statements.md       | 2 +-
> >  4 files changed, 7 insertions(+), 5 deletions(-)
> >
> > diff --git a/secilc/docs/cil_call_macro_statements.md b/secilc/docs/cil_call_macro_statements.md
> > index 17c46ed9..98b70368 100644
> > --- a/secilc/docs/cil_call_macro_statements.md
> > +++ b/secilc/docs/cil_call_macro_statements.md
> > @@ -44,7 +44,7 @@ macro
> >
> >  Declare a macro in the current namespace with its associated parameters. The macro identifier is used by the [`call`](cil_call_macro_statements.md#call) statement to instantiate the macro and resolve any parameters. The call statement may be within the body of a macro.
> >
> > -Note that when resolving macros the callers namespace is not checked, only the following places:
> > +When resolving macros the following places are checked in this order:
> >
> >  -   Items defined inside the macro
> >
> > @@ -52,6 +52,8 @@ Note that when resolving macros the callers namespace is not checked, only the f
> >
> >  -   Items defined in the same namespace of the macro
> >
> > +-   Items defined in the callers namespace
> > +
> >  -   Items defined in the global namespace
> >
> >  **Statement definition:**
> > @@ -80,7 +82,7 @@ Note that when resolving macros the callers namespace is not checked, only the f
> >  <tr class="odd">
> >  <td align="left"><p><code>param_type</code></p></td>
> >  <td align="left"><p>Zero or more parameters that are passed to the macro. The <code>param_type</code> is a keyword used to determine the declaration type (e.g. <code>type</code>, <code>class</code>, <code>categoryset</code>).</p>
> > -<p>The list of valid <code>param_type</code> entries are: <code>type</code>, <code>typealias</code>, <code>role</code>, <code>user</code>, <code>sensitivity</code>, <code>sensitivityalias</code>, <code>category</code>, <code>categoryalias</code>, <code>categoryset</code> (named or anonymous), <code>level</code> (named or anonymous), <code>levelrange</code> (named or anonymous), <code>class</code>, <code>classpermission</code> (named or anonymous), <code>ipaddr</code> (named or anonymous), <code>block</code>, <code>name</code> (a string), <code>classmap</code></p></td>
> > +<p>The list of valid <code>param_type</code> entries are: <code>type</code>, <code>typealias</code>, <code>role</code>, <code>user</code>, <code>sensitivity</code>, <code>sensitivityalias</code>, <code>category</code>, <code>categoryalias</code>, <code>categoryset</code> (named or anonymous), <code>level</code> (named or anonymous), <code>levelrange</code> (named or anonymous), <code>class</code>, <code>classpermission</code> (named or anonymous), <code>ipaddr</code> (named or anonymous), <code>name</code> (a string), <code>classmap</code></p></td>
> >  </tr>
> >  <tr class="even">
> >  <td align="left"><p><code>param_id</code></p></td>
> > diff --git a/secilc/docs/cil_container_statements.md b/secilc/docs/cil_container_statements.md
> > index a570cb23..58b3224d 100644
> > --- a/secilc/docs/cil_container_statements.md
> > +++ b/secilc/docs/cil_container_statements.md
> > @@ -254,7 +254,7 @@ This example will instantiate the optional block `ext_gateway.move_file` into po
> >  in
> >  --
> >
> > -Allows the insertion of CIL statements into a named container ([`block`](cil_container_statements.md#block), [`optional`](cil_container_statements.md#optional) or [`macro`](cil_call_macro_statements.md#macro)). This statement is not allowed in [`booleanif`](cil_conditional_statements.md#booleanif) or [`tunableif`](cil_conditional_statements.md#tunableif) statements.
> > +Allows the insertion of CIL statements into a named container ([`block`](cil_container_statements.md#block), [`optional`](cil_container_statements.md#optional) or [`macro`](cil_call_macro_statements.md#macro)). This statement is not allowed in [`booleanif`](cil_conditional_statements.md#booleanif) or [`tunableif`](cil_conditional_statements.md#tunableif) statements. This only works for containers that aren't inherited using [`blockinherit`](cil_conditional_statements.md#blockinherit).
> >
> >  **Statement definition:**
> >
> > diff --git a/secilc/docs/cil_reference_guide.md b/secilc/docs/cil_reference_guide.md
> > index 1b1fccca..3e33c5f7 100644
> > --- a/secilc/docs/cil_reference_guide.md
> > +++ b/secilc/docs/cil_reference_guide.md
> > @@ -176,7 +176,7 @@ Should the symbol not be prefixed with a dot, the current namespace would be sea
> >  Expressions
> >  -----------
> >
> > -Expressions may occur in the following CIL statements: [`booleanif`](cil_conditional_statements.md#booleanif), [`tunableif`](cil_conditional_statements.md#tunableif), [`classpermissionset`](cil_class_and_permission_statements.md#classpermissionset), [`typeattributeset`](cil_type_statements.md#typeattributeset), [`roleattributeset`](cil_role_statements.md#roleattributeset), [`categoryset`](cil_mls_labeling_statements.md#categoryset), [`constrain`](cil_constraint_statements.md#constrain), [`mlsconstrain`](cil_constraint_statements.md#mlsconstrain), [`validatetrans`](cil_constraint_statements.md#validatetrans), [`validatetrans`](cil_constraint_statements.md#validatetrans)
> > +Expressions may occur in the following CIL statements: [`booleanif`](cil_conditional_statements.md#booleanif), [`tunableif`](cil_conditional_statements.md#tunableif), [`classpermissionset`](cil_class_and_permission_statements.md#classpermissionset), [`typeattributeset`](cil_type_statements.md#typeattributeset), [`roleattributeset`](cil_role_statements.md#roleattributeset), [`categoryset`](cil_mls_labeling_statements.md#categoryset), [`constrain`](cil_constraint_statements.md#constrain), [`mlsconstrain`](cil_constraint_statements.md#mlsconstrain), [`validatetrans`](cil_constraint_statements.md#validatetrans), [`mlsvalidatetrans`](cil_constraint_statements.md#mlsvalidatetrans)
> >
> >  CIL expressions use the [prefix](http://www.cs.man.ac.uk/~pjj/cs212/fix.html) or Polish notation and may be nested (note that the kernel policy language uses postfix or reverse Polish notation). The syntax is as follows, where the parenthesis are part of the syntax:
> >
> > diff --git a/secilc/docs/cil_user_statements.md b/secilc/docs/cil_user_statements.md
> > index bbd76eff..26e45510 100644
> > --- a/secilc/docs/cil_user_statements.md
> > +++ b/secilc/docs/cil_user_statements.md
> > @@ -260,7 +260,7 @@ This example will associate `unconfined.user` with a named [`levelrange`](cil_ml
> >      (categoryorder (c0 c1))
> >      (sensitivity s0)
> >      (sensitivity s1)
> > -    (dominance (s0 s1))
> > +    (sensitivityorder (s0 s1))
> >      (sensitivitycategory s0 (c0 c1))
> >      (level systemLow (s0))
> >      (level systemHigh (s0 (c0 c1)))
> > --
> > 2.27.0
> >
> 
