RepoMirrors/selinux
1
0
Fork 0
mirror of https://github.com/SELinuxProject/selinux synced 2025-01-05 04:59:42 +00:00
Code Issues Packages Projects Releases Wiki Activity
68573634b4
selinux/secilc/docs/cil_container_statements.md

329 lines
10 KiB
Markdown
Raw Normal View History

secilc/docs: Convert DocBook documentation into github markdown Converting to github markdown allows for easier integration with the SELinux project wiki and viewing of documentation directly on github without creating PDFs or reading through DocBook XML. The conversion of DocBook to github markdown would not format tables or keyword links properly. By maintaining the documentation in github markdown in the repository, the content is well formatted with a table of contents when viewing in the github wiki or in the repository. The migration from DocBook to github markdown was done using Pandoc and manual fixups. Mappings of CIL keywords to headings that were lost in the DocBook conversion were added back. An introduction and design philosphy was also pulled from the SELinux project wiki to provide more cohesion to the current documentation. Running make will now convert the github markdown into PDF and HTML. Signed-off-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
2015-12-15 20:13:27 +00:00
Container Statements
====================
block
-----
secilc/docs: Update the CIL documentation for various blocks Update the documentation for macros, booleans, booleanifs, tunables, tunableifs, blocks, blockabstracts, blockinherits, and optionals to tell where these statements can be used and, for those that have blocks, what statements are not allowed in them. Signed-off-by: James Carter <jwcart2@gmail.com>
2021-04-19 13:06:15 +00:00
Start a new namespace.
Not allowed in [`macro`](cil_call_macro_statements.md#macro) and [`optional`](cil_container_statements.md#optional) blocks.
[`sensitivity`](cil_mls_labeling_statements.md#sensitivity) and [`category`](cil_mls_labeling_statements.md#category) statements are not allowed in [`block`](cil_container_statements.md#block) blocks.
secilc/docs: Convert DocBook documentation into github markdown Converting to github markdown allows for easier integration with the SELinux project wiki and viewing of documentation directly on github without creating PDFs or reading through DocBook XML. The conversion of DocBook to github markdown would not format tables or keyword links properly. By maintaining the documentation in github markdown in the repository, the content is well formatted with a table of contents when viewing in the github wiki or in the repository. The migration from DocBook to github markdown was done using Pandoc and manual fixups. Mappings of CIL keywords to headings that were lost in the DocBook conversion were added back. An introduction and design philosphy was also pulled from the SELinux project wiki to provide more cohesion to the current documentation. Running make will now convert the github markdown into PDF and HTML. Signed-off-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
2015-12-15 20:13:27 +00:00
**Statement definition:**
secilc/docs: use fenced code blocks for cil examples Also fixes the occasional missing brackets as higlighted by my editor, however the individual examples where not reviewed much closer. secilc was chosen as language name because the compiler is named secilc and outside of SELinux the name cil is less searchable and could lead to confusion. Signed-off-by: Jonathan Hettwer <j2468h@gmail.com>
2021-02-10 15:58:52 +00:00
```secil
secilc/docs: Convert DocBook documentation into github markdown Converting to github markdown allows for easier integration with the SELinux project wiki and viewing of documentation directly on github without creating PDFs or reading through DocBook XML. The conversion of DocBook to github markdown would not format tables or keyword links properly. By maintaining the documentation in github markdown in the repository, the content is well formatted with a table of contents when viewing in the github wiki or in the repository. The migration from DocBook to github markdown was done using Pandoc and manual fixups. Mappings of CIL keywords to headings that were lost in the DocBook conversion were added back. An introduction and design philosphy was also pulled from the SELinux project wiki to provide more cohesion to the current documentation. Running make will now convert the github markdown into PDF and HTML. Signed-off-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
2015-12-15 20:13:27 +00:00
(block block_id
cil_statement
...
)
secilc/docs: use fenced code blocks for cil examples Also fixes the occasional missing brackets as higlighted by my editor, however the individual examples where not reviewed much closer. secilc was chosen as language name because the compiler is named secilc and outside of SELinux the name cil is less searchable and could lead to confusion. Signed-off-by: Jonathan Hettwer <j2468h@gmail.com>
2021-02-10 15:58:52 +00:00
```
secilc/docs: Convert DocBook documentation into github markdown Converting to github markdown allows for easier integration with the SELinux project wiki and viewing of documentation directly on github without creating PDFs or reading through DocBook XML. The conversion of DocBook to github markdown would not format tables or keyword links properly. By maintaining the documentation in github markdown in the repository, the content is well formatted with a table of contents when viewing in the github wiki or in the repository. The migration from DocBook to github markdown was done using Pandoc and manual fixups. Mappings of CIL keywords to headings that were lost in the DocBook conversion were added back. An introduction and design philosphy was also pulled from the SELinux project wiki to provide more cohesion to the current documentation. Running make will now convert the github markdown into PDF and HTML. Signed-off-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
2015-12-15 20:13:27 +00:00
**Where:**
<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>block</code></p></td>
<td align="left"><p>The <code>block</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>block_id</code></p></td>
<td align="left"><p>The namespace identifier.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>cil_statement</code></p></td>
<td align="left"><p>Zero or more valid CIL statements.</p></td>
</tr>
</tbody>
</table>
**Example:**
See the [`blockinherit`](cil_container_statements.md#blockinherit) statement for an example.
blockabstract
-------------
Declares the namespace as a 'template' and does not generate code until instantiated by another namespace that has a [`blockinherit`](cil_container_statements.md#blockinherit) statement.
secilc/docs: Update the CIL documentation for various blocks Update the documentation for macros, booleans, booleanifs, tunables, tunableifs, blocks, blockabstracts, blockinherits, and optionals to tell where these statements can be used and, for those that have blocks, what statements are not allowed in them. Signed-off-by: James Carter <jwcart2@gmail.com>
2021-04-19 13:06:15 +00:00
Not allowed in [`macro`](cil_call_macro_statements.md#macro) and [`optional`](cil_container_statements.md#optional) blocks.
secilc/docs: Convert DocBook documentation into github markdown Converting to github markdown allows for easier integration with the SELinux project wiki and viewing of documentation directly on github without creating PDFs or reading through DocBook XML. The conversion of DocBook to github markdown would not format tables or keyword links properly. By maintaining the documentation in github markdown in the repository, the content is well formatted with a table of contents when viewing in the github wiki or in the repository. The migration from DocBook to github markdown was done using Pandoc and manual fixups. Mappings of CIL keywords to headings that were lost in the DocBook conversion were added back. An introduction and design philosphy was also pulled from the SELinux project wiki to provide more cohesion to the current documentation. Running make will now convert the github markdown into PDF and HTML. Signed-off-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
2015-12-15 20:13:27 +00:00
**Statement definition:**
secilc/docs: use fenced code blocks for cil examples Also fixes the occasional missing brackets as higlighted by my editor, however the individual examples where not reviewed much closer. secilc was chosen as language name because the compiler is named secilc and outside of SELinux the name cil is less searchable and could lead to confusion. Signed-off-by: Jonathan Hettwer <j2468h@gmail.com>
2021-02-10 15:58:52 +00:00
```secil
secilc/docs: Convert DocBook documentation into github markdown Converting to github markdown allows for easier integration with the SELinux project wiki and viewing of documentation directly on github without creating PDFs or reading through DocBook XML. The conversion of DocBook to github markdown would not format tables or keyword links properly. By maintaining the documentation in github markdown in the repository, the content is well formatted with a table of contents when viewing in the github wiki or in the repository. The migration from DocBook to github markdown was done using Pandoc and manual fixups. Mappings of CIL keywords to headings that were lost in the DocBook conversion were added back. An introduction and design philosphy was also pulled from the SELinux project wiki to provide more cohesion to the current documentation. Running make will now convert the github markdown into PDF and HTML. Signed-off-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
2015-12-15 20:13:27 +00:00
(block block_id
(blockabstract template_id)
cil_statement
...
)
secilc/docs: use fenced code blocks for cil examples Also fixes the occasional missing brackets as higlighted by my editor, however the individual examples where not reviewed much closer. secilc was chosen as language name because the compiler is named secilc and outside of SELinux the name cil is less searchable and could lead to confusion. Signed-off-by: Jonathan Hettwer <j2468h@gmail.com>
2021-02-10 15:58:52 +00:00
```
secilc/docs: Convert DocBook documentation into github markdown Converting to github markdown allows for easier integration with the SELinux project wiki and viewing of documentation directly on github without creating PDFs or reading through DocBook XML. The conversion of DocBook to github markdown would not format tables or keyword links properly. By maintaining the documentation in github markdown in the repository, the content is well formatted with a table of contents when viewing in the github wiki or in the repository. The migration from DocBook to github markdown was done using Pandoc and manual fixups. Mappings of CIL keywords to headings that were lost in the DocBook conversion were added back. An introduction and design philosphy was also pulled from the SELinux project wiki to provide more cohesion to the current documentation. Running make will now convert the github markdown into PDF and HTML. Signed-off-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
2015-12-15 20:13:27 +00:00
**Where:**
<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>block</code></p></td>
<td align="left"><p>The <code>block</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>block_id</code></p></td>
<td align="left"><p>The namespace identifier.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>blockabstract</code></p></td>
<td align="left"><p>The <code>blockabstract</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>template_id</code></p></td>
<td align="left"><p>The abstract namespace identifier. This must match the <code>block_id</code> entry.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>cil_statement</code></p></td>
<td align="left"><p>Zero or more valid CIL statements forming the abstract block.</p></td>
</tr>
</tbody>
</table>
**Example:**
See the [`blockinherit`](cil_container_statements.md#blockinherit) statement for an example.
blockinherit
------------
Used to add common policy rules to the current namespace via a template that has been defined with the [`blockabstract`](cil_container_statements.md#blockabstract) statement. All [`blockinherit`](cil_container_statements.md#blockinherit) statements are resolved first and then the contents of the block are copied. This is so that inherited blocks will not be inherited. For a concrete example, please see the examples section.
secilc/docs: Document the order that inherited rules are resolved in In the blockinherit section of the CIL documentation clearly state the order in which inherited rules are resolved. That order is: 1) The parent namespaces (if any) where the blockinherit rule is located with the exception of the global namespace. 2) The parent namespaces of the block being inherited (but not that block's namespace) with the exception of the global namespace. 3) The global namespace. Signed-off-by: James Carter <jwcart2@gmail.com>
2021-05-06 17:05:37 +00:00
Inherited rules are resolved by searching namespaces in the following order:
- The parent namespaces (if any) where the [`blockinherit`](cil_container_statements.md#blockinherit) rule is located with the exception of the global namespace.
- The parent namespaces of the block being inherited (but not that block's namespace) with the exception of the global namespace.
- The global namespace.
secilc/docs: Update the CIL documentation for various blocks Update the documentation for macros, booleans, booleanifs, tunables, tunableifs, blocks, blockabstracts, blockinherits, and optionals to tell where these statements can be used and, for those that have blocks, what statements are not allowed in them. Signed-off-by: James Carter <jwcart2@gmail.com>
2021-04-19 13:06:15 +00:00
Not allowed in [`macro`](cil_call_macro_statements.md#macro) blocks.
secilc/docs: Convert DocBook documentation into github markdown Converting to github markdown allows for easier integration with the SELinux project wiki and viewing of documentation directly on github without creating PDFs or reading through DocBook XML. The conversion of DocBook to github markdown would not format tables or keyword links properly. By maintaining the documentation in github markdown in the repository, the content is well formatted with a table of contents when viewing in the github wiki or in the repository. The migration from DocBook to github markdown was done using Pandoc and manual fixups. Mappings of CIL keywords to headings that were lost in the DocBook conversion were added back. An introduction and design philosphy was also pulled from the SELinux project wiki to provide more cohesion to the current documentation. Running make will now convert the github markdown into PDF and HTML. Signed-off-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
2015-12-15 20:13:27 +00:00
**Statement definition:**
secilc/docs: use fenced code blocks for cil examples Also fixes the occasional missing brackets as higlighted by my editor, however the individual examples where not reviewed much closer. secilc was chosen as language name because the compiler is named secilc and outside of SELinux the name cil is less searchable and could lead to confusion. Signed-off-by: Jonathan Hettwer <j2468h@gmail.com>
2021-02-10 15:58:52 +00:00
```secil
secilc/docs: Convert DocBook documentation into github markdown Converting to github markdown allows for easier integration with the SELinux project wiki and viewing of documentation directly on github without creating PDFs or reading through DocBook XML. The conversion of DocBook to github markdown would not format tables or keyword links properly. By maintaining the documentation in github markdown in the repository, the content is well formatted with a table of contents when viewing in the github wiki or in the repository. The migration from DocBook to github markdown was done using Pandoc and manual fixups. Mappings of CIL keywords to headings that were lost in the DocBook conversion were added back. An introduction and design philosphy was also pulled from the SELinux project wiki to provide more cohesion to the current documentation. Running make will now convert the github markdown into PDF and HTML. Signed-off-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
2015-12-15 20:13:27 +00:00
(block block_id
(blockinherit template_id)
cil_statement
...
)
secilc/docs: use fenced code blocks for cil examples Also fixes the occasional missing brackets as higlighted by my editor, however the individual examples where not reviewed much closer. secilc was chosen as language name because the compiler is named secilc and outside of SELinux the name cil is less searchable and could lead to confusion. Signed-off-by: Jonathan Hettwer <j2468h@gmail.com>
2021-02-10 15:58:52 +00:00
```
secilc/docs: Convert DocBook documentation into github markdown Converting to github markdown allows for easier integration with the SELinux project wiki and viewing of documentation directly on github without creating PDFs or reading through DocBook XML. The conversion of DocBook to github markdown would not format tables or keyword links properly. By maintaining the documentation in github markdown in the repository, the content is well formatted with a table of contents when viewing in the github wiki or in the repository. The migration from DocBook to github markdown was done using Pandoc and manual fixups. Mappings of CIL keywords to headings that were lost in the DocBook conversion were added back. An introduction and design philosphy was also pulled from the SELinux project wiki to provide more cohesion to the current documentation. Running make will now convert the github markdown into PDF and HTML. Signed-off-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
2015-12-15 20:13:27 +00:00
**Where:**
<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>block</code></p></td>
<td align="left"><p>The <code>block</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>block_id</code></p></td>
<td align="left"><p>The namespace identifier.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>blockinherit</code></p></td>
<td align="left"><p>The <code>blockinherit</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>template_id</code></p></td>
<td align="left"><p>The inherited namespace identifier.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>cil_statement</code></p></td>
<td align="left"><p>Zero or more valid CIL statements.</p></td>
</tr>
</tbody>
</table>
**Example:**
This example contains a template `client_server` that is instantiated in two blocks (`netserver_app` and `netclient_app`):
secilc/docs: use fenced code blocks for cil examples Also fixes the occasional missing brackets as higlighted by my editor, however the individual examples where not reviewed much closer. secilc was chosen as language name because the compiler is named secilc and outside of SELinux the name cil is less searchable and could lead to confusion. Signed-off-by: Jonathan Hettwer <j2468h@gmail.com>
2021-02-10 15:58:52 +00:00
```secil
secilc/docs: Convert DocBook documentation into github markdown Converting to github markdown allows for easier integration with the SELinux project wiki and viewing of documentation directly on github without creating PDFs or reading through DocBook XML. The conversion of DocBook to github markdown would not format tables or keyword links properly. By maintaining the documentation in github markdown in the repository, the content is well formatted with a table of contents when viewing in the github wiki or in the repository. The migration from DocBook to github markdown was done using Pandoc and manual fixups. Mappings of CIL keywords to headings that were lost in the DocBook conversion were added back. An introduction and design philosphy was also pulled from the SELinux project wiki to provide more cohesion to the current documentation. Running make will now convert the github markdown into PDF and HTML. Signed-off-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
2015-12-15 20:13:27 +00:00
; This is the template block:
(block client_server
(blockabstract client_server)
; Log file labeling
(type log_file)
(typeattributeset file_type (log_file))
(typeattributeset data_file_type (log_file))
(allow process log_file (dir (write search create setattr add_name)))
(allow process log_file (file (create open append getattr setattr)))
(roletype object_r log_file)
(context log_file_context (u object_r log_file low_low))
; Process labeling
(type process)
(typeattributeset domain (process))
(call app_domain (process))
(call net_domain (process))
)
; This is a policy block that will inherit the abstract block above:
(block netclient_app
; Add common policy rules to namespace:
(blockinherit client_server)
; Label the log files
(filecon "/data/data/com.se4android.netclient/.*" file log_file_context)
)
; This is another policy block that will inherit the abstract block above:
(block netserver_app
; Add common policy rules to namespace:
(blockinherit client_server)
; Label the log files
(filecon "/data/data/com.se4android.netserver/.*" file log_file_context)
)
; This is an example of how blockinherits resolve inherits before copying
(block a
(type one))
(block b
; Notice that block a is declared here as well
(block a
(type two)))
; This will first copy the contents of block b, which results in type b.a.two being copied.
; Next, the contents of block a will be copied which will result in type a.one.
(block ab
(blockinherit b)
(blockinherit a))
secilc/docs: use fenced code blocks for cil examples Also fixes the occasional missing brackets as higlighted by my editor, however the individual examples where not reviewed much closer. secilc was chosen as language name because the compiler is named secilc and outside of SELinux the name cil is less searchable and could lead to confusion. Signed-off-by: Jonathan Hettwer <j2468h@gmail.com>
2021-02-10 15:58:52 +00:00
```
secilc/docs: Convert DocBook documentation into github markdown Converting to github markdown allows for easier integration with the SELinux project wiki and viewing of documentation directly on github without creating PDFs or reading through DocBook XML. The conversion of DocBook to github markdown would not format tables or keyword links properly. By maintaining the documentation in github markdown in the repository, the content is well formatted with a table of contents when viewing in the github wiki or in the repository. The migration from DocBook to github markdown was done using Pandoc and manual fixups. Mappings of CIL keywords to headings that were lost in the DocBook conversion were added back. An introduction and design philosphy was also pulled from the SELinux project wiki to provide more cohesion to the current documentation. Running make will now convert the github markdown into PDF and HTML. Signed-off-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
2015-12-15 20:13:27 +00:00
optional
--------
secilc/docs: Update the CIL documentation for various blocks Update the documentation for macros, booleans, booleanifs, tunables, tunableifs, blocks, blockabstracts, blockinherits, and optionals to tell where these statements can be used and, for those that have blocks, what statements are not allowed in them. Signed-off-by: James Carter <jwcart2@gmail.com>
2021-04-19 13:06:15 +00:00
Declare an [`optional`](cil_container_statements.md#optional) namespace. All CIL statements in the optional block must be satisfied before instantiation in the binary policy.
secilc/docs: Convert DocBook documentation into github markdown Converting to github markdown allows for easier integration with the SELinux project wiki and viewing of documentation directly on github without creating PDFs or reading through DocBook XML. The conversion of DocBook to github markdown would not format tables or keyword links properly. By maintaining the documentation in github markdown in the repository, the content is well formatted with a table of contents when viewing in the github wiki or in the repository. The migration from DocBook to github markdown was done using Pandoc and manual fixups. Mappings of CIL keywords to headings that were lost in the DocBook conversion were added back. An introduction and design philosphy was also pulled from the SELinux project wiki to provide more cohesion to the current documentation. Running make will now convert the github markdown into PDF and HTML. Signed-off-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
2015-12-15 20:13:27 +00:00
secilc/docs: Update the CIL documentation for various blocks Update the documentation for macros, booleans, booleanifs, tunables, tunableifs, blocks, blockabstracts, blockinherits, and optionals to tell where these statements can be used and, for those that have blocks, what statements are not allowed in them. Signed-off-by: James Carter <jwcart2@gmail.com>
2021-04-19 13:06:15 +00:00
Not allowed in [`booleanif`](cil_conditional_statements.md#booleanif) blocks.
[`tunable`](cil_conditional_statements.md#tunable), [`in`](cil_container_statements.md#in), [`block`](cil_container_statements.md#block), [`blockabstract`](cil_container_statements.md#blockabstract), and [`macro`](cil_call_macro_statements.md#macro) statements are not allowed in [`optional`](cil_container_statements.md#optional) blocks.
secilc/docs: Convert DocBook documentation into github markdown Converting to github markdown allows for easier integration with the SELinux project wiki and viewing of documentation directly on github without creating PDFs or reading through DocBook XML. The conversion of DocBook to github markdown would not format tables or keyword links properly. By maintaining the documentation in github markdown in the repository, the content is well formatted with a table of contents when viewing in the github wiki or in the repository. The migration from DocBook to github markdown was done using Pandoc and manual fixups. Mappings of CIL keywords to headings that were lost in the DocBook conversion were added back. An introduction and design philosphy was also pulled from the SELinux project wiki to provide more cohesion to the current documentation. Running make will now convert the github markdown into PDF and HTML. Signed-off-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
2015-12-15 20:13:27 +00:00
**Statement definition:**
secilc/docs: use fenced code blocks for cil examples Also fixes the occasional missing brackets as higlighted by my editor, however the individual examples where not reviewed much closer. secilc was chosen as language name because the compiler is named secilc and outside of SELinux the name cil is less searchable and could lead to confusion. Signed-off-by: Jonathan Hettwer <j2468h@gmail.com>
2021-02-10 15:58:52 +00:00
```secil
secilc/docs: Convert DocBook documentation into github markdown Converting to github markdown allows for easier integration with the SELinux project wiki and viewing of documentation directly on github without creating PDFs or reading through DocBook XML. The conversion of DocBook to github markdown would not format tables or keyword links properly. By maintaining the documentation in github markdown in the repository, the content is well formatted with a table of contents when viewing in the github wiki or in the repository. The migration from DocBook to github markdown was done using Pandoc and manual fixups. Mappings of CIL keywords to headings that were lost in the DocBook conversion were added back. An introduction and design philosphy was also pulled from the SELinux project wiki to provide more cohesion to the current documentation. Running make will now convert the github markdown into PDF and HTML. Signed-off-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
2015-12-15 20:13:27 +00:00
(optional optional_id
cil_statement
...
)
secilc/docs: use fenced code blocks for cil examples Also fixes the occasional missing brackets as higlighted by my editor, however the individual examples where not reviewed much closer. secilc was chosen as language name because the compiler is named secilc and outside of SELinux the name cil is less searchable and could lead to confusion. Signed-off-by: Jonathan Hettwer <j2468h@gmail.com>
2021-02-10 15:58:52 +00:00
```
secilc/docs: Convert DocBook documentation into github markdown Converting to github markdown allows for easier integration with the SELinux project wiki and viewing of documentation directly on github without creating PDFs or reading through DocBook XML. The conversion of DocBook to github markdown would not format tables or keyword links properly. By maintaining the documentation in github markdown in the repository, the content is well formatted with a table of contents when viewing in the github wiki or in the repository. The migration from DocBook to github markdown was done using Pandoc and manual fixups. Mappings of CIL keywords to headings that were lost in the DocBook conversion were added back. An introduction and design philosphy was also pulled from the SELinux project wiki to provide more cohesion to the current documentation. Running make will now convert the github markdown into PDF and HTML. Signed-off-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
2015-12-15 20:13:27 +00:00
**Where:**
<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>optional</code></p></td>
<td align="left"><p>The <code>optional</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>optional_id</code></p></td>
<td align="left"><p>The <code>optional</code> namespace identifier.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>cil_statement</code></p></td>
<td align="left"><p>Zero or more valid CIL statements.</p></td>
</tr>
</tbody>
</table>
**Example:**
This example will instantiate the optional block `ext_gateway.move_file` into policy providing all optional CIL statements can be resolved:
secilc/docs: use fenced code blocks for cil examples Also fixes the occasional missing brackets as higlighted by my editor, however the individual examples where not reviewed much closer. secilc was chosen as language name because the compiler is named secilc and outside of SELinux the name cil is less searchable and could lead to confusion. Signed-off-by: Jonathan Hettwer <j2468h@gmail.com>
2021-02-10 15:58:52 +00:00
```secil
secilc/docs: Convert DocBook documentation into github markdown Converting to github markdown allows for easier integration with the SELinux project wiki and viewing of documentation directly on github without creating PDFs or reading through DocBook XML. The conversion of DocBook to github markdown would not format tables or keyword links properly. By maintaining the documentation in github markdown in the repository, the content is well formatted with a table of contents when viewing in the github wiki or in the repository. The migration from DocBook to github markdown was done using Pandoc and manual fixups. Mappings of CIL keywords to headings that were lost in the DocBook conversion were added back. An introduction and design philosphy was also pulled from the SELinux project wiki to provide more cohesion to the current documentation. Running make will now convert the github markdown into PDF and HTML. Signed-off-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
2015-12-15 20:13:27 +00:00
(block ext_gateway
......
(optional move_file
(typetransition process msg_filter.move_file.in_queue file msg_filter.move_file.in_file)
(allow process msg_filter.move_file.in_queue (dir (read getattr write search add_name)))
(allow process msg_filter.move_file.in_file (file (write create getattr)))
(allow msg_filter.move_file.in_file unconfined.object (filesystem (associate)))
(typetransition msg_filter.int_gateway.process msg_filter.move_file.out_queue file
msg_filter.move_file.out_file)
(allow msg_filter.int_gateway.process msg_filter.move_file.out_queue (dir (read write search)))
(allow msg_filter.int_gateway.process msg_filter.move_file.out_file (file (read getattr unlink)))
) ; End optional block
.....
) ; End block
secilc/docs: use fenced code blocks for cil examples Also fixes the occasional missing brackets as higlighted by my editor, however the individual examples where not reviewed much closer. secilc was chosen as language name because the compiler is named secilc and outside of SELinux the name cil is less searchable and could lead to confusion. Signed-off-by: Jonathan Hettwer <j2468h@gmail.com>
2021-02-10 15:58:52 +00:00
```
secilc/docs: Convert DocBook documentation into github markdown Converting to github markdown allows for easier integration with the SELinux project wiki and viewing of documentation directly on github without creating PDFs or reading through DocBook XML. The conversion of DocBook to github markdown would not format tables or keyword links properly. By maintaining the documentation in github markdown in the repository, the content is well formatted with a table of contents when viewing in the github wiki or in the repository. The migration from DocBook to github markdown was done using Pandoc and manual fixups. Mappings of CIL keywords to headings that were lost in the DocBook conversion were added back. An introduction and design philosphy was also pulled from the SELinux project wiki to provide more cohesion to the current documentation. Running make will now convert the github markdown into PDF and HTML. Signed-off-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
2015-12-15 20:13:27 +00:00
in
--
secilc/docs: Update the CIL documentation for various blocks Update the documentation for macros, booleans, booleanifs, tunables, tunableifs, blocks, blockabstracts, blockinherits, and optionals to tell where these statements can be used and, for those that have blocks, what statements are not allowed in them. Signed-off-by: James Carter <jwcart2@gmail.com>
2021-04-19 13:06:15 +00:00
Allows the insertion of CIL statements into a named container ([`block`](cil_container_statements.md#block), [`optional`](cil_container_statements.md#optional) or [`macro`](cil_call_macro_statements.md#macro)).
Not allowed in [`macro`](cil_call_macro_statements.md#macro), [`booleanif`](cil_conditional_statements.md#booleanif), and other [`in`](cil_container_statements.md#in) blocks.
[`tunable`](cil_conditional_statements.md#tunable) and [`in`](cil_container_statements.md#in) statements are not allowed in [`in`](cil_container_statements.md#in) blocks.
secilc/docs: Convert DocBook documentation into github markdown Converting to github markdown allows for easier integration with the SELinux project wiki and viewing of documentation directly on github without creating PDFs or reading through DocBook XML. The conversion of DocBook to github markdown would not format tables or keyword links properly. By maintaining the documentation in github markdown in the repository, the content is well formatted with a table of contents when viewing in the github wiki or in the repository. The migration from DocBook to github markdown was done using Pandoc and manual fixups. Mappings of CIL keywords to headings that were lost in the DocBook conversion were added back. An introduction and design philosphy was also pulled from the SELinux project wiki to provide more cohesion to the current documentation. Running make will now convert the github markdown into PDF and HTML. Signed-off-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
2015-12-15 20:13:27 +00:00
**Statement definition:**
secilc/docs: use fenced code blocks for cil examples Also fixes the occasional missing brackets as higlighted by my editor, however the individual examples where not reviewed much closer. secilc was chosen as language name because the compiler is named secilc and outside of SELinux the name cil is less searchable and could lead to confusion. Signed-off-by: Jonathan Hettwer <j2468h@gmail.com>
2021-02-10 15:58:52 +00:00
```secil
secilc/docs: Convert DocBook documentation into github markdown Converting to github markdown allows for easier integration with the SELinux project wiki and viewing of documentation directly on github without creating PDFs or reading through DocBook XML. The conversion of DocBook to github markdown would not format tables or keyword links properly. By maintaining the documentation in github markdown in the repository, the content is well formatted with a table of contents when viewing in the github wiki or in the repository. The migration from DocBook to github markdown was done using Pandoc and manual fixups. Mappings of CIL keywords to headings that were lost in the DocBook conversion were added back. An introduction and design philosphy was also pulled from the SELinux project wiki to provide more cohesion to the current documentation. Running make will now convert the github markdown into PDF and HTML. Signed-off-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
2015-12-15 20:13:27 +00:00
(in container_id
cil_statement
...
)
secilc/docs: use fenced code blocks for cil examples Also fixes the occasional missing brackets as higlighted by my editor, however the individual examples where not reviewed much closer. secilc was chosen as language name because the compiler is named secilc and outside of SELinux the name cil is less searchable and could lead to confusion. Signed-off-by: Jonathan Hettwer <j2468h@gmail.com>
2021-02-10 15:58:52 +00:00
```
secilc/docs: Convert DocBook documentation into github markdown Converting to github markdown allows for easier integration with the SELinux project wiki and viewing of documentation directly on github without creating PDFs or reading through DocBook XML. The conversion of DocBook to github markdown would not format tables or keyword links properly. By maintaining the documentation in github markdown in the repository, the content is well formatted with a table of contents when viewing in the github wiki or in the repository. The migration from DocBook to github markdown was done using Pandoc and manual fixups. Mappings of CIL keywords to headings that were lost in the DocBook conversion were added back. An introduction and design philosphy was also pulled from the SELinux project wiki to provide more cohesion to the current documentation. Running make will now convert the github markdown into PDF and HTML. Signed-off-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
2015-12-15 20:13:27 +00:00
**Where:**
<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>in</code></p></td>
<td align="left"><p>The <code>in</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>container_id</code></p></td>
<td align="left"><p>A valid <code>block</code>, <code>optional</code> or <code>macro</code> namespace identifier.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>cil_statement</code></p></td>
<td align="left"><p>Zero or more valid CIL statements.</p></td>
</tr>
</tbody>
</table>
**Example:**
This will add rules to the container named `system_server`:
secilc/docs: use fenced code blocks for cil examples Also fixes the occasional missing brackets as higlighted by my editor, however the individual examples where not reviewed much closer. secilc was chosen as language name because the compiler is named secilc and outside of SELinux the name cil is less searchable and could lead to confusion. Signed-off-by: Jonathan Hettwer <j2468h@gmail.com>
2021-02-10 15:58:52 +00:00
```secil
secilc/docs: Convert DocBook documentation into github markdown Converting to github markdown allows for easier integration with the SELinux project wiki and viewing of documentation directly on github without creating PDFs or reading through DocBook XML. The conversion of DocBook to github markdown would not format tables or keyword links properly. By maintaining the documentation in github markdown in the repository, the content is well formatted with a table of contents when viewing in the github wiki or in the repository. The migration from DocBook to github markdown was done using Pandoc and manual fixups. Mappings of CIL keywords to headings that were lost in the DocBook conversion were added back. An introduction and design philosphy was also pulled from the SELinux project wiki to provide more cohesion to the current documentation. Running make will now convert the github markdown into PDF and HTML. Signed-off-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
2015-12-15 20:13:27 +00:00
(in system_server
(dontaudit process secmark_demo.dns_packet (packet (send recv)))
(allow process secmark_demo.dns_packet (packet (send recv)))
)
secilc/docs: use fenced code blocks for cil examples Also fixes the occasional missing brackets as higlighted by my editor, however the individual examples where not reviewed much closer. secilc was chosen as language name because the compiler is named secilc and outside of SELinux the name cil is less searchable and could lead to confusion. Signed-off-by: Jonathan Hettwer <j2468h@gmail.com>
2021-02-10 15:58:52 +00:00
```
Reference in New Issue Copy Permalink