From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Tue, 27 May 2014 08:40:52 -0400
Subject: [refpolicy] Associate attribute with another attribute?
In-Reply-To: <1400930074.20666.4.camel@x220.localdomain>
References: <1400927336.2689.14.camel@vaio-emefes-com>
	<1400930074.20666.4.camel@x220.localdomain>
Message-ID: <538487D4.6000704@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 05/24/2014 07:14 AM, Dominick Grift wrote:
> On Sat, 2014-05-24 at 20:28 +1000, Mladen Sekara wrote:
>> Can attribute be associated with another attribute, the same way that is
>> done with type(s)?
>>
>> eg. If we associate attributes with types using: "type mytype1_t,
>> my_attribute1, my_attribute2...;", 
>>
>> can we associate attributes with attributes using: "attribute
>> my_attribute0, my_attribute1, my_attribute2...;", or something similar?
>>
> 
> Not with reference policy but it is possible with CIL policy.
> 
> Do not ask me how they achieve that though because i do not know.
> 
> I suppose that they expand the attributes before the resulting policy
> gets translated to policy the kernel understands because i think it is a
> limitation is the kernel policy language.
> 
> Not that it matters much though, it is handy nevertheless.

Eventually I'd like to make a proper refpolicy high level language on top of CIL, when CIL gets merged.  Then it would allow all of the nice features in refpolicy that we all want.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com