CilTypes - SELinuxProject/cil GitHub Wiki

CIL Type Enforcement and Attribute Statements

Type

The type statement declares a new type in the current namespace.

'''Syntax:'''

	(type type_name)

'''Syntax Explanation:'''

type:: The keyword for the type statement.
type_name:: The name of the new type being declared.

'''Example:'''

	(type foo)

Typeattribute

The typeattribute statement declares a new typeattribute in the current namespace.

'''Syntax:'''

	(typeattribute attribute_name)

'''Syntax Explanation:'''

typeattribute:: The keyword for the typeattribute statement.
attribute_name:: The name of the new typeattribute being declared.

'''Example:'''

	(typeattribute file_type)

Typeattributeset

The typeattributeset statement adds types to a declared typeattribute: every type in the set denoted by expr becomes a member of the attribute. Several typeattributeset statements may name the same attribute; their results accumulate.

'''Syntax:'''

	(typeattributeset attribute_name expr)

'''Syntax Explanation:'''

typeattributeset:: The keyword for the typeattributeset statement.
attribute_name:: The name of the typeattribute being modified.
expr:: One of:

  • A single type or typeattribute
  • A set expression on types or typeattributes, which may be nested. The permitted operators and their syntax are:

	(and expr expr)
	(or expr expr)
	(xor expr expr)
	(not expr)

A bare type denotes the one-element set containing itself, and a typeattribute denotes its member set. (not expr) denotes every declared type that is not in expr, so it is almost always combined with and to restrict a larger set. Because two distinct plain types are disjoint sets, (and type_a type_b) is empty; use or to collect several types into an attribute.

'''Example:'''

	; Single type
	(type foo)
	(typeattribute files)
	(typeattributeset files foo)

	; Expression
	(type shadow)
	(typeattribute file_type)
	; foo and shadow are disjoint one-element sets, so (and foo shadow) would
	; leave file_type empty; (or foo shadow) gives it both members
	(typeattributeset file_type (or foo shadow))

	(typeattribute files_no_shadow)
	; every member of file_type except shadow, i.e. foo
	(typeattributeset files_no_shadow (and file_type (not shadow)))
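To make the set semantics of these expressions concrete, here is an added Python example that is not part of the original page and not code from the CIL/secilc project. It parses a small constructed policy made of the type, typeattribute and typeattributeset statements above (plus an extra type `passwd` and an extra attribute `empty_intersection`, both assumed for illustration) and evaluates each attribute's membership with the and/or/xor/not rules described above. The evaluator walks statements in order, so it assumes an attribute is populated before it is referenced; real secilc collects all declarations first and does not impose that ordering.

```python
import re

# Constructed sample policy (not from the original page): the typeattributeset
# examples above, plus an extra type and an attribute that shows what
# (and foo shadow) actually produces.
SAMPLE_POLICY = """
(type foo)
(type shadow)
(type passwd)
(typeattribute files)
(typeattributeset files foo)            ; single type
(typeattribute file_type)
(typeattributeset file_type (or foo shadow))
(typeattributeset file_type passwd)     ; a second statement adds to the set
(typeattribute files_no_shadow)
(typeattributeset files_no_shadow (and file_type (not shadow)))
(typeattribute empty_intersection)
(typeattributeset empty_intersection (and foo shadow))
"""

TOKEN = re.compile(r"\(|\)|[^\s()]+")


def parse(text):
    """Parse CIL s-expressions into nested lists; atoms become strings."""
    text = re.sub(r";[^\n]*", "", text)      # strip ';' comments
    tokens = TOKEN.findall(text)
    pos = 0

    def read():
        nonlocal pos
        tok = tokens[pos]
        pos += 1
        if tok == "(":
            items = []
            while tokens[pos] != ")":        # IndexError on an unclosed '('
                items.append(read())
            pos += 1                         # consume ')'
            return items
        if tok == ")":
            raise SyntaxError("unexpected ')'")
        return tok

    stmts = []
    while pos < len(tokens):
        stmts.append(read())
    return stmts


def eval_expr(expr, types, attrs):
    """Return the set of types that expr denotes.

    A bare type denotes itself, a typeattribute denotes its current members,
    and/or/xor are the corresponding set operations and (not e) is every
    declared type except those in e.
    """
    if isinstance(expr, str):
        if expr in attrs:
            return set(attrs[expr])
        if expr in types:
            return {expr}
        raise NameError(f"undeclared type or typeattribute: {expr}")
    op, *args = expr
    if op == "not":
        (operand,) = args
        return types - eval_expr(operand, types, attrs)
    if op not in ("and", "or", "xor") or len(args) != 2:
        raise ValueError(f"malformed set expression: {expr}")
    left = eval_expr(args[0], types, attrs)
    right = eval_expr(args[1], types, attrs)
    if op == "and":
        return left & right
    if op == "or":
        return left | right
    return left ^ right


def resolve(policy_text):
    """Walk the policy once and return each typeattribute's sorted members.

    Simplification (not how secilc works): expressions are evaluated in
    statement order, so an attribute must be populated before it is used.
    """
    types, attrs = set(), {}
    for stmt in parse(policy_text):
        keyword = stmt[0]
        if keyword == "type":
            types.add(stmt[1])
        elif keyword == "typeattribute":
            attrs.setdefault(stmt[1], set())
        elif keyword == "typeattributeset":
            name, expr = stmt[1], stmt[2]
            if name not in attrs:
                raise NameError(f"typeattributeset on undeclared attribute {name}")
            attrs[name] |= eval_expr(expr, types, attrs)   # statements accumulate
    return {name: sorted(members) for name, members in attrs.items()}


if __name__ == "__main__":
    for name, members in resolve(SAMPLE_POLICY).items():
        print(f"{name}: {members}")
```

Running it shows `file_type` holding `foo`, `passwd` and `shadow`, `files_no_shadow` holding everything in `file_type` except `shadow`, and `empty_intersection` holding nothing, which is the trap to watch for when `and` is used where `or` was meant.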

Typealias

The typealias statement creates another name for a type in the current namespace. This can be useful for backwards compatibility or for simplifying references to a type in another namespace. Multiple aliases can refer to the same type; each alias requires a separate typealias statement to create the association. Note that the reference guide shipped with secilc now expresses this as two statements, (typealias alias_name) to declare the alias and (typealiasactual alias_name type_name) to bind it to a type; the single-statement form documented here is the older wiki syntax.

'''Syntax:'''

	(typealias type_name alias_name)

'''Syntax Explanation:'''

typealias:: The keyword for the typealias statement.
type_name:: The name of a declared type.
alias_name:: The name of the alias being created.

'''Example:'''

	(class file (read write execute))
	(type log)

	; Backwards compatibility
	; foo has been renamed and all old references to foo should point to new_foo
	(type new_foo)
	(typealias new_foo foo)

	; if this statement existed somewhere in policy, .foo will refer to new_foo
	(allow .foo log (file (read)))


	; Simplifying reference
	(block foo
		(block bar
			(block baz
				(type foobar))))
	(block z
		(type x)
		(typealias .foo.bar.baz.foobar fb)
		(allow fb x (file (read))))