language feature: constrain attributes assigned to type #42
Comments
fishilico
pushed a commit
to fishilico/selinux
that referenced
this issue
Jun 19, 2022
Add a new compile-time constraint, similar to neverallow, which enables
to specify two or more type attributes to be mutual exclusive. This
means no type can be associated with more than one of them.
The constraints are stored as a linked-list in the policy for modular
policies, by a new modular policy version, and are discarded in kernel
policies, not needing any kernel support.
Some Reference Policy examples:
unpriv_userdomain, admindomain:
<no violations>
client_packet_type, server_packet_type:
<no violations>
auth_file_type, non_auth_file_type:
<no violations>
pseudofs, xattrfs, noxattrfs:
<no violations>
reserved_port_type, unreserved_port_type:
<no violations>
security_file_type, non_security_file_type:
libsepol.check_segregate_attributes: segregate_attributes violated by type dnssec_t associated with attributes security_file_type and non_security_file_type
ibendport_type, packet_type, sysctl_type, device_node, ibpkey_type,
sysfs_types, domain, boolean_type, netif_type, file_type, node_type,
proc_type, port_type:
libsepol.check_segregate_attributes: segregate_attributes violated by type virt_content_t associated with attributes device_node and file_type
libsepol.check_segregate_attributes: segregate_attributes violated by type sysctl_fs_t associated with attributes sysctl_type and file_type
libsepol.check_segregate_attributes: segregate_attributes violated by type initrc_devpts_t associated with attributes device_node and file_type
libsepol.check_segregate_attributes: segregate_attributes violated by type qemu_image_t associated with attributes device_node and file_type
libsepol.check_segregate_attributes: segregate_attributes violated by type user_devpts_t associated with attributes device_node and file_type
libsepol.check_segregate_attributes: segregate_attributes violated by type dockerc_t associated with attributes domain and file_type
libsepol.check_segregate_attributes: segregate_attributes violated by type cpu_online_t associated with attributes sysfs_types and file_type
libsepol.check_segregate_attributes: segregate_attributes violated by type cardmgr_dev_t associated with attributes device_node and file_type
libsepol.check_segregate_attributes: segregate_attributes violated by type sysctl_t associated with attributes sysctl_type and file_type
libsepol.check_segregate_attributes: segregate_attributes violated by type bootloader_tmp_t associated with attributes device_node and file_type
libsepol.check_segregate_attributes: segregate_attributes violated by type xen_image_t associated with attributes device_node and file_type
libsepol.check_segregate_attributes: segregate_attributes violated by type svirt_prot_exec_image_t associated with attributes device_node and file_type
libsepol.check_segregate_attributes: segregate_attributes violated by type xen_devpts_t associated with attributes device_node and file_type
libsepol.check_segregate_attributes: segregate_attributes violated by type proc_t associated with attributes file_type and proc_type
libsepol.check_segregate_attributes: segregate_attributes violated by type sysfs_t associated with attributes sysfs_types and file_type
libsepol.check_segregate_attributes: segregate_attributes violated by type proc_xen_t associated with attributes file_type and proc_type
libsepol.check_segregate_attributes: segregate_attributes violated by type svirt_image_t associated with attributes device_node and file_type
libsepol.check_segregate_attributes: segregate_attributes violated by type virt_image_t associated with attributes device_node and file_type
libsepol.check_segregate_attributes: segregate_attributes violated by type container_file_t associated with attributes device_node and file_type
libsepol.check_assertions: 20 segregate attribute failures occurred
Closes: SELinuxProject#42
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
cgzones
added a commit
to cgzones/selinux
that referenced
this issue
Jun 29, 2022
Add a new compile-time constraint, similar to neverallow, which enables
to specify two or more type attributes to be mutual exclusive. This
means no type can be associated with more than one of them.
The constraints are stored as a linked-list in the policy for modular
policies, by a new modular policy version, and are discarded in kernel
policies, not needing any kernel support.
Some Reference Policy examples:
unpriv_userdomain, admindomain:
<no violations>
client_packet_type, server_packet_type:
<no violations>
auth_file_type, non_auth_file_type:
<no violations>
pseudofs, xattrfs, noxattrfs:
<no violations>
reserved_port_type, unreserved_port_type:
<no violations>
security_file_type, non_security_file_type:
libsepol.check_segregate_attributes: segregate_attributes violated by type dnssec_t associated with attributes security_file_type and non_security_file_type
ibendport_type, packet_type, sysctl_type, device_node, ibpkey_type,
sysfs_types, domain, boolean_type, netif_type, file_type, node_type,
proc_type, port_type:
libsepol.check_segregate_attributes: segregate_attributes violated by type virt_content_t associated with attributes device_node and file_type
libsepol.check_segregate_attributes: segregate_attributes violated by type sysctl_fs_t associated with attributes sysctl_type and file_type
libsepol.check_segregate_attributes: segregate_attributes violated by type initrc_devpts_t associated with attributes device_node and file_type
libsepol.check_segregate_attributes: segregate_attributes violated by type qemu_image_t associated with attributes device_node and file_type
libsepol.check_segregate_attributes: segregate_attributes violated by type user_devpts_t associated with attributes device_node and file_type
libsepol.check_segregate_attributes: segregate_attributes violated by type dockerc_t associated with attributes domain and file_type
libsepol.check_segregate_attributes: segregate_attributes violated by type cpu_online_t associated with attributes sysfs_types and file_type
libsepol.check_segregate_attributes: segregate_attributes violated by type cardmgr_dev_t associated with attributes device_node and file_type
libsepol.check_segregate_attributes: segregate_attributes violated by type sysctl_t associated with attributes sysctl_type and file_type
libsepol.check_segregate_attributes: segregate_attributes violated by type bootloader_tmp_t associated with attributes device_node and file_type
libsepol.check_segregate_attributes: segregate_attributes violated by type xen_image_t associated with attributes device_node and file_type
libsepol.check_segregate_attributes: segregate_attributes violated by type svirt_prot_exec_image_t associated with attributes device_node and file_type
libsepol.check_segregate_attributes: segregate_attributes violated by type xen_devpts_t associated with attributes device_node and file_type
libsepol.check_segregate_attributes: segregate_attributes violated by type proc_t associated with attributes file_type and proc_type
libsepol.check_segregate_attributes: segregate_attributes violated by type sysfs_t associated with attributes sysfs_types and file_type
libsepol.check_segregate_attributes: segregate_attributes violated by type proc_xen_t associated with attributes file_type and proc_type
libsepol.check_segregate_attributes: segregate_attributes violated by type svirt_image_t associated with attributes device_node and file_type
libsepol.check_segregate_attributes: segregate_attributes violated by type virt_image_t associated with attributes device_node and file_type
libsepol.check_segregate_attributes: segregate_attributes violated by type container_file_t associated with attributes device_node and file_type
libsepol.check_assertions: 20 segregate attribute failures occurred
Closes: SELinuxProject#42
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
cgzones
added a commit
to cgzones/selinux
that referenced
this issue
Jun 29, 2022
Add a new compile-time constraint, similar to neverallow, which enables
to specify two or more type attributes to be mutual exclusive. This
means no type can be associated with more than one of them.
The constraints are stored as a linked-list in the policy for modular
policies, by a new modular policy version, and are discarded in kernel
policies, not needing any kernel support.
Some Reference Policy examples:
unpriv_userdomain, admindomain:
<no violations>
client_packet_type, server_packet_type:
<no violations>
auth_file_type, non_auth_file_type:
<no violations>
pseudofs, xattrfs, noxattrfs:
<no violations>
reserved_port_type, unreserved_port_type:
<no violations>
security_file_type, non_security_file_type:
libsepol.check_segregate_attributes: segregate_attributes violated by type dnssec_t associated with attributes security_file_type and non_security_file_type
ibendport_type, packet_type, sysctl_type, device_node, ibpkey_type,
sysfs_types, domain, boolean_type, netif_type, file_type, node_type,
proc_type, port_type:
libsepol.check_segregate_attributes: segregate_attributes violated by type virt_content_t associated with attributes device_node and file_type
libsepol.check_segregate_attributes: segregate_attributes violated by type sysctl_fs_t associated with attributes sysctl_type and file_type
libsepol.check_segregate_attributes: segregate_attributes violated by type initrc_devpts_t associated with attributes device_node and file_type
libsepol.check_segregate_attributes: segregate_attributes violated by type qemu_image_t associated with attributes device_node and file_type
libsepol.check_segregate_attributes: segregate_attributes violated by type user_devpts_t associated with attributes device_node and file_type
libsepol.check_segregate_attributes: segregate_attributes violated by type dockerc_t associated with attributes domain and file_type
libsepol.check_segregate_attributes: segregate_attributes violated by type cpu_online_t associated with attributes sysfs_types and file_type
libsepol.check_segregate_attributes: segregate_attributes violated by type cardmgr_dev_t associated with attributes device_node and file_type
libsepol.check_segregate_attributes: segregate_attributes violated by type sysctl_t associated with attributes sysctl_type and file_type
libsepol.check_segregate_attributes: segregate_attributes violated by type bootloader_tmp_t associated with attributes device_node and file_type
libsepol.check_segregate_attributes: segregate_attributes violated by type xen_image_t associated with attributes device_node and file_type
libsepol.check_segregate_attributes: segregate_attributes violated by type svirt_prot_exec_image_t associated with attributes device_node and file_type
libsepol.check_segregate_attributes: segregate_attributes violated by type xen_devpts_t associated with attributes device_node and file_type
libsepol.check_segregate_attributes: segregate_attributes violated by type proc_t associated with attributes file_type and proc_type
libsepol.check_segregate_attributes: segregate_attributes violated by type sysfs_t associated with attributes sysfs_types and file_type
libsepol.check_segregate_attributes: segregate_attributes violated by type proc_xen_t associated with attributes file_type and proc_type
libsepol.check_segregate_attributes: segregate_attributes violated by type svirt_image_t associated with attributes device_node and file_type
libsepol.check_segregate_attributes: segregate_attributes violated by type virt_image_t associated with attributes device_node and file_type
libsepol.check_segregate_attributes: segregate_attributes violated by type container_file_t associated with attributes device_node and file_type
libsepol.check_assertions: 20 segregate attribute failures occurred
Closes: SELinuxProject#42
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
---
v2:
rebase onto _after suffix change
cgzones
added a commit
to cgzones/selinux
that referenced
this issue
Jul 21, 2022
Add a new compile-time constraint, similar to neverallow, which enables
to specify two or more type attributes to be mutual exclusive. This
means no type can be associated with more than one of them.
The constraints are stored as a linked-list in the policy for modular
policies, by a new modular policy version, and are discarded in kernel
policies, not needing any kernel support.
Some Reference Policy examples:
unpriv_userdomain, admindomain:
<no violations>
client_packet_type, server_packet_type:
<no violations>
auth_file_type, non_auth_file_type:
<no violations>
pseudofs, xattrfs, noxattrfs:
<no violations>
reserved_port_type, unreserved_port_type:
<no violations>
security_file_type, non_security_file_type:
libsepol.check_segregate_attributes: Segregate Attributes violation, type dnssec_t associated with attributes security_file_type and non_security_file_type
ibendport_type, packet_type, sysctl_type, device_node, ibpkey_type,
sysfs_types, domain, boolean_type, netif_type, file_type, node_type,
proc_type, port_type:
libsepol.check_segregate_attributes: Segregate Attributes violation, type sysctl_fs_t associated with attributes sysctl_type and file_type
libsepol.check_segregate_attributes: Segregate Attributes violation, type sysctl_t associated with attributes sysctl_type and file_type
libsepol.check_segregate_attributes: Segregate Attributes violation, type virt_content_t associated with attributes device_node and file_type
libsepol.check_segregate_attributes: Segregate Attributes violation, type initrc_devpts_t associated with attributes device_node and file_type
libsepol.check_segregate_attributes: Segregate Attributes violation, type qemu_image_t associated with attributes device_node and file_type
libsepol.check_segregate_attributes: Segregate Attributes violation, type user_devpts_t associated with attributes device_node and file_type
libsepol.check_segregate_attributes: Segregate Attributes violation, type cardmgr_dev_t associated with attributes device_node and file_type
libsepol.check_segregate_attributes: Segregate Attributes violation, type bootloader_tmp_t associated with attributes device_node and file_type
libsepol.check_segregate_attributes: Segregate Attributes violation, type xen_image_t associated with attributes device_node and file_type
libsepol.check_segregate_attributes: Segregate Attributes violation, type svirt_prot_exec_image_t associated with attributes device_node and file_type
libsepol.check_segregate_attributes: Segregate Attributes violation, type xen_devpts_t associated with attributes device_node and file_type
libsepol.check_segregate_attributes: Segregate Attributes violation, type svirt_image_t associated with attributes device_node and file_type
libsepol.check_segregate_attributes: Segregate Attributes violation, type virt_image_t associated with attributes device_node and file_type
libsepol.check_segregate_attributes: Segregate Attributes violation, type container_file_t associated with attributes device_node and file_type
libsepol.check_segregate_attributes: Segregate Attributes violation, type cpu_online_t associated with attributes sysfs_types and file_type
libsepol.check_segregate_attributes: Segregate Attributes violation, type sysfs_t associated with attributes sysfs_types and file_type
libsepol.check_segregate_attributes: Segregate Attributes violation, type dockerc_t associated with attributes domain and file_type
libsepol.check_segregate_attributes: Segregate Attributes violation, type proc_t associated with attributes file_type and proc_type
libsepol.check_segregate_attributes: Segregate Attributes violation, type proc_xen_t associated with attributes file_type and proc_type
libsepol.check_assertions: 20 Segregate Attributes failures occurred
Closes: SELinuxProject#42
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
---
v3:
- drop source location information:
this information was already lost for binary modular policies and
CIL policies; also typeattribute statements have none and the few
segregate_attributes statements can be easily grepped
- misc renaming
v2:
rebase onto _after suffix change
cgzones
added a commit
to cgzones/selinux
that referenced
this issue
Nov 10, 2022
Add a new compile-time constraint, similar to neverallow, which enables
to specify two or more type attributes to be mutual exclusive. This
means no type can be associated with more than one of them.
The constraints are stored as a linked-list in the policy for modular
policies, by a new modular policy version, and are discarded in kernel
policies, not needing any kernel support.
Some Reference Policy examples:
unpriv_userdomain, admindomain:
<no violations>
client_packet_type, server_packet_type:
<no violations>
auth_file_type, non_auth_file_type:
<no violations>
pseudofs, xattrfs, noxattrfs:
<no violations>
reserved_port_type, unreserved_port_type:
<no violations>
security_file_type, non_security_file_type:
libsepol.check_segregate_attributes: Segregate Attributes violation, type dnssec_t associated with attributes security_file_type and non_security_file_type
ibendport_type, packet_type, sysctl_type, device_node, ibpkey_type,
sysfs_types, domain, boolean_type, netif_type, file_type, node_type,
proc_type, port_type:
libsepol.check_segregate_attributes: Segregate Attributes violation, type sysctl_fs_t associated with attributes sysctl_type and file_type
libsepol.check_segregate_attributes: Segregate Attributes violation, type sysctl_t associated with attributes sysctl_type and file_type
libsepol.check_segregate_attributes: Segregate Attributes violation, type virt_content_t associated with attributes device_node and file_type
libsepol.check_segregate_attributes: Segregate Attributes violation, type initrc_devpts_t associated with attributes device_node and file_type
libsepol.check_segregate_attributes: Segregate Attributes violation, type qemu_image_t associated with attributes device_node and file_type
libsepol.check_segregate_attributes: Segregate Attributes violation, type user_devpts_t associated with attributes device_node and file_type
libsepol.check_segregate_attributes: Segregate Attributes violation, type cardmgr_dev_t associated with attributes device_node and file_type
libsepol.check_segregate_attributes: Segregate Attributes violation, type bootloader_tmp_t associated with attributes device_node and file_type
libsepol.check_segregate_attributes: Segregate Attributes violation, type xen_image_t associated with attributes device_node and file_type
libsepol.check_segregate_attributes: Segregate Attributes violation, type svirt_prot_exec_image_t associated with attributes device_node and file_type
libsepol.check_segregate_attributes: Segregate Attributes violation, type xen_devpts_t associated with attributes device_node and file_type
libsepol.check_segregate_attributes: Segregate Attributes violation, type svirt_image_t associated with attributes device_node and file_type
libsepol.check_segregate_attributes: Segregate Attributes violation, type virt_image_t associated with attributes device_node and file_type
libsepol.check_segregate_attributes: Segregate Attributes violation, type container_file_t associated with attributes device_node and file_type
libsepol.check_segregate_attributes: Segregate Attributes violation, type cpu_online_t associated with attributes sysfs_types and file_type
libsepol.check_segregate_attributes: Segregate Attributes violation, type sysfs_t associated with attributes sysfs_types and file_type
libsepol.check_segregate_attributes: Segregate Attributes violation, type dockerc_t associated with attributes domain and file_type
libsepol.check_segregate_attributes: Segregate Attributes violation, type proc_t associated with attributes file_type and proc_type
libsepol.check_segregate_attributes: Segregate Attributes violation, type proc_xen_t associated with attributes file_type and proc_type
libsepol.check_assertions: 20 Segregate Attributes failures occurred
Closes: SELinuxProject#42
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
---
v3:
- drop source location information:
this information was already lost for binary modular policies and
CIL policies; also typeattribute statements have none and the few
segregate_attributes statements can be easily grepped
- misc renaming
v2:
rebase onto _after suffix change
cgzones
added a commit
to cgzones/selinux
that referenced
this issue
Nov 23, 2022
Add a new compile-time constraint, similar to neverallow, which enables
to specify two or more type attributes to be mutual exclusive. This
means no type can be associated with more than one of them.
The constraints are stored as a linked-list in the policy for modular
policies, by a new modular policy version, and are discarded in kernel
policies, not needing any kernel support.
Some Reference Policy examples:
unpriv_userdomain, admindomain:
<no violations>
client_packet_type, server_packet_type:
<no violations>
auth_file_type, non_auth_file_type:
<no violations>
pseudofs, xattrfs, noxattrfs:
<no violations>
reserved_port_type, unreserved_port_type:
<no violations>
security_file_type, non_security_file_type:
libsepol.check_segregate_attributes: Segregate Attributes violation, type dnssec_t associated with attributes security_file_type and non_security_file_type
ibendport_type, packet_type, sysctl_type, device_node, ibpkey_type,
sysfs_types, domain, boolean_type, netif_type, file_type, node_type,
proc_type, port_type:
libsepol.check_segregate_attributes: Segregate Attributes violation, type sysctl_fs_t associated with attributes sysctl_type and file_type
libsepol.check_segregate_attributes: Segregate Attributes violation, type sysctl_t associated with attributes sysctl_type and file_type
libsepol.check_segregate_attributes: Segregate Attributes violation, type virt_content_t associated with attributes device_node and file_type
libsepol.check_segregate_attributes: Segregate Attributes violation, type initrc_devpts_t associated with attributes device_node and file_type
libsepol.check_segregate_attributes: Segregate Attributes violation, type qemu_image_t associated with attributes device_node and file_type
libsepol.check_segregate_attributes: Segregate Attributes violation, type user_devpts_t associated with attributes device_node and file_type
libsepol.check_segregate_attributes: Segregate Attributes violation, type cardmgr_dev_t associated with attributes device_node and file_type
libsepol.check_segregate_attributes: Segregate Attributes violation, type bootloader_tmp_t associated with attributes device_node and file_type
libsepol.check_segregate_attributes: Segregate Attributes violation, type xen_image_t associated with attributes device_node and file_type
libsepol.check_segregate_attributes: Segregate Attributes violation, type svirt_prot_exec_image_t associated with attributes device_node and file_type
libsepol.check_segregate_attributes: Segregate Attributes violation, type xen_devpts_t associated with attributes device_node and file_type
libsepol.check_segregate_attributes: Segregate Attributes violation, type svirt_image_t associated with attributes device_node and file_type
libsepol.check_segregate_attributes: Segregate Attributes violation, type virt_image_t associated with attributes device_node and file_type
libsepol.check_segregate_attributes: Segregate Attributes violation, type container_file_t associated with attributes device_node and file_type
libsepol.check_segregate_attributes: Segregate Attributes violation, type cpu_online_t associated with attributes sysfs_types and file_type
libsepol.check_segregate_attributes: Segregate Attributes violation, type sysfs_t associated with attributes sysfs_types and file_type
libsepol.check_segregate_attributes: Segregate Attributes violation, type dockerc_t associated with attributes domain and file_type
libsepol.check_segregate_attributes: Segregate Attributes violation, type proc_t associated with attributes file_type and proc_type
libsepol.check_segregate_attributes: Segregate Attributes violation, type proc_xen_t associated with attributes file_type and proc_type
libsepol.check_assertions: 20 Segregate Attributes failures occurred
Closes: SELinuxProject#42
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
---
v3:
- drop source location information:
this information was already lost for binary modular policies and
CIL policies; also typeattribute statements have none and the few
segregate_attributes statements can be easily grepped
- misc renaming
v2:
rebase onto _after suffix change
cgzones
added a commit
to cgzones/selinux
that referenced
this issue
Apr 29, 2024
Add a new compile-time constraint, similar to neverallow, which enables
to specify two or more type attributes to be mutual exclusive. This
means no type can be associated with more than one of them.
The constraints are stored as a linked-list in the policy for modular
policies, by a new modular policy version, and are discarded in kernel
policies, not needing any kernel support.
Some Reference Policy examples:
unpriv_userdomain, admindomain:
<no violations>
client_packet_type, server_packet_type:
<no violations>
auth_file_type, non_auth_file_type:
<no violations>
pseudofs, xattrfs, noxattrfs:
<no violations>
reserved_port_type, unreserved_port_type:
<no violations>
security_file_type, non_security_file_type:
libsepol.check_disjoint_attributes: Disjoint Attributes Rule violation, type dnssec_t associated with attributes security_file_type and non_security_file_type
ibendport_type, packet_type, sysctl_type, device_node, ibpkey_type,
sysfs_types, domain, boolean_type, netif_type, file_type, node_type,
proc_type, port_type:
libsepol.check_disjoint_attributes: Disjoint Attributes Rule violation, type sysctl_fs_t associated with attributes sysctl_type and file_type
libsepol.check_disjoint_attributes: Disjoint Attributes Rule violation, type sysctl_t associated with attributes sysctl_type and file_type
libsepol.check_disjoint_attributes: Disjoint Attributes Rule violation, type virt_content_t associated with attributes device_node and file_type
libsepol.check_disjoint_attributes: Disjoint Attributes Rule violation, type initrc_devpts_t associated with attributes device_node and file_type
libsepol.check_disjoint_attributes: Disjoint Attributes Rule violation, type qemu_image_t associated with attributes device_node and file_type
libsepol.check_disjoint_attributes: Disjoint Attributes Rule violation, type user_devpts_t associated with attributes device_node and file_type
libsepol.check_disjoint_attributes: Disjoint Attributes Rule violation, type cardmgr_dev_t associated with attributes device_node and file_type
libsepol.check_disjoint_attributes: Disjoint Attributes Rule violation, type bootloader_tmp_t associated with attributes device_node and file_type
libsepol.check_disjoint_attributes: Disjoint Attributes Rule violation, type xen_image_t associated with attributes device_node and file_type
libsepol.check_disjoint_attributes: Disjoint Attributes Rule violation, type svirt_prot_exec_image_t associated with attributes device_node and file_type
libsepol.check_disjoint_attributes: Disjoint Attributes Rule violation, type xen_devpts_t associated with attributes device_node and file_type
libsepol.check_disjoint_attributes: Disjoint Attributes Rule violation, type svirt_image_t associated with attributes device_node and file_type
libsepol.check_disjoint_attributes: Disjoint Attributes Rule violation, type virt_image_t associated with attributes device_node and file_type
libsepol.check_disjoint_attributes: Disjoint Attributes Rule violation, type container_file_t associated with attributes device_node and file_type
libsepol.check_disjoint_attributes: Disjoint Attributes Rule violation, type cpu_online_t associated with attributes sysfs_types and file_type
libsepol.check_disjoint_attributes: Disjoint Attributes Rule violation, type sysfs_t associated with attributes sysfs_types and file_type
libsepol.check_disjoint_attributes: Disjoint Attributes Rule violation, type dockerc_t associated with attributes domain and file_type
libsepol.check_disjoint_attributes: Disjoint Attributes Rule violation, type proc_t associated with attributes file_type and proc_type
libsepol.check_disjoint_attributes: Disjoint Attributes Rule violation, type proc_xen_t associated with attributes file_type and proc_type
libsepol.check_assertions: 20 Disjoint Attributes Rule failures occurred
Closes: SELinuxProject#42
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
---
v4:
rename to disjoint attributes
v3:
- drop source location information:
this information was already lost for binary modular policies and
CIL policies; also typeattribute statements have none and the few
segregate_attributes statements can be easily grepped
- misc renaming
v2:
rebase onto _after suffix change
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
I'd like suggest a new SELinux policy language feature to constrain attribute assignment.
In the reference policy for example, there are the attributes auth_file_type and non_auth_file_type, which should be contradictory, but can be easily messed up by
While on it, a type may also be constrained to hold one attribute of a set:
The text was updated successfully, but these errors were encountered: