48ca44c8bc
The expectation in CIL was to use user, role, or type attributes in constraint expressions. The problem is that neither user nor role attributes are part of the kernel binary policy, so when converting from a kernel policy to CIL, that would require the creation of a role or user attribute.

The better solution is to just allow a list to be used. In fact, the only thing preventing a list to be used is a check in cil_verify_constraint_leaf_expr_syntax().

Remove the check and allow lists in constraint expressions.

The following is now allowed:

    (constrain (CLASS1 (PERM1)) (eq r1 (ROLE1 ROLE2 ROLE_ATTR3)))

Signed-off-by: James Carter <jwcart2@gmail.com>

- cil
- include
- man
- src
- tests
- utils
- .gitignore
- COPYING
- Makefile
- VERSION