selinux/libsepol
James Carter e55621c032 libsepol/cil: Add notself and other support to CIL
Like "self", both of these reserved words can be used as a target
in an access vector rule. "notself" means all types other than
the source type. "other" is meant to be used with an attribute and
its use results in the rule being expanded with each type of the
attribute being used as the source type with each of the other types
being used as the target type. Using "other" with just a type will
result in no rule.

Example 1
  (allow TYPE1 notself (CLASS (PERM)))

This rule is expanded to a number of rules with TYPE1 as the source
and every type except for TYPE1 as the target.

Example 2
  (allow ATTR1 notself (CLASS (PERM)))

Like Example 1, this rule will be expanded to each type in ATTR1
being the source with every type except for the type used as the
source being the target.

Example 3
  (allow TYPE1 other (CLASS (PERM)))

This expands to no rule.

Example 4
  (allow ATTR1 other (CLASS (PERM)))

Like Example 2, but the target types will be limited to the types
in the attribute ATTR1 instead of all types. So if ATTR1 has the
types t1, t2, and t3, then this rule expands to the following rules.
  (allow t1 t2 (CLASS (PERM)))
  (allow t1 t3 (CLASS (PERM)))
  (allow t2 t1 (CLASS (PERM)))
  (allow t2 t3 (CLASS (PERM)))
  (allow t3 t1 (CLASS (PERM)))
  (allow t3 t2 (CLASS (PERM)))

Signed-off-by: James Carter <jwcart2@gmail.com>
Acked-by: Petr Lautrbach <lautrbach@redhat.com>
2023-08-16 13:33:52 -04:00
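
The expansion the commit message above describes, modelled in Python as an added example; this is not libsepol code and not part of the commit. The type `t4`, the function names, and the handling of `self` and of plain type or attribute targets are assumptions added so the model covers more than the four examples.

```python
# Added model of the "notself"/"other" expansion; not libsepol's implementation.

def expand_allow(source, target, cls, perms, types, attrs):
    """Expand one allow rule into (src, tgt, cls, perms) type-to-type rules.

    types: set of every declared type name
    attrs: dict mapping an attribute name to its set of member types
    """
    is_attr = source in attrs
    sources = sorted(attrs[source]) if is_attr else [source]
    rules = []
    for src in sources:
        if target == "self":
            targets = [src]
        elif target == "notself":
            # Every type in the policy except the source itself.
            targets = sorted(types - {src})
        elif target == "other":
            # Only the other members of the source attribute; a bare
            # type has no other members, so it yields no rule.
            targets = sorted(attrs[source] - {src}) if is_attr else []
        elif target in attrs:
            targets = sorted(attrs[target])
        else:
            targets = [target]
        rules.extend((src, tgt, cls, perms) for tgt in targets)
    return rules

def extra_grants_of_notself(attr, cls, perms, types, attrs):
    """Rules that `ATTR notself` produces but `ATTR other` does not."""
    wide = set(expand_allow(attr, "notself", cls, perms, types, attrs))
    narrow = set(expand_allow(attr, "other", cls, perms, types, attrs))
    return sorted(wide - narrow)

# Constructed sample policy: ATTR1 as in Example 4, plus t4 outside it.
TYPES = {"t1", "t2", "t3", "t4"}
ATTRS = {"ATTR1": {"t1", "t2", "t3"}}

if __name__ == "__main__":
    for s, t, c, p in expand_allow("ATTR1", "other", "CLASS", ("PERM",), TYPES, ATTRS):
        print("(allow %s %s (%s (%s)))" % (s, t, c, " ".join(p)))
    print("extra with notself:",
          extra_grants_of_notself("ATTR1", "CLASS", ("PERM",), TYPES, ATTRS))
```

When reviewing policy, the second function shows what choosing `notself` over `other` adds for an attribute: every member also gains the permission on types outside the attribute.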
..
cil libsepol/cil: Add notself and other support to CIL 2023-08-16 13:33:52 -04:00
fuzz libsepol/fuzz: more strict fuzzing of binary policies 2023-07-12 13:01:15 -04:00
include libsepol: Changes to ebitmap.h to fix compiler warnings 2023-08-16 13:33:48 -04:00
man Do not automatically install Russian translations 2023-08-16 13:33:47 -04:00
src libsepol: ebitmap: avoid branches for iteration 2023-08-16 13:33:11 -04:00
tests libsepol/tests: rename bool identifiers 2023-05-03 09:15:20 -04:00
utils libsepol/utils: improve wording 2022-07-06 15:57:24 -04:00
.gitignore libsepol: add policy utilities 2022-04-12 13:09:19 -04:00
LICENSE docs: provide a top level LICENSE file 2022-10-05 08:20:38 -04:00
Makefile
VERSION Update VERSIONs to 3.5 for release. 2023-02-23 05:16:11 -08:00