mirror of
https://github.com/SELinuxProject/selinux
synced 2024-12-18 12:14:33 +00:00
49bfee8562
checkpolicy wrongly handles "-self". At the least, it should handle it as
an error. At best, it should support it correctly (which would involve
libsepol support as well). At present, it looks like it will end up
negating (-) the next type/attribute in the list after self, or if
there are no entries after self, ignoring it entirely.
This originally was raised by the Android team, which wanted to support
something like the following:
neverallow domain { domain -self }:dir search;
to prohibit cross domain access to some resource but allow access within
the same domain.
This change just makes it a fatal error during compilation.
Implementing real support for -self is left as future work.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
|
||
|---|---|---|
| .. | ||
| test | ||
| .gitignore | ||
| checkmodule.8 | ||
| checkmodule.c | ||
| checkpolicy.8 | ||
| checkpolicy.c | ||
| checkpolicy.h | ||
| COPYING | ||
| Makefile | ||
| module_compiler.c | ||
| module_compiler.h | ||
| parse_util.c | ||
| parse_util.h | ||
| policy_define.c | ||
| policy_define.h | ||
| policy_parse.y | ||
| policy_scan.l | ||
| queue.c | ||
| queue.h | ||
| VERSION | ||