From: cpebenito@tresys.com (Christopher J. PeBenito) Date: Tue, 27 May 2014 08:40:52 -0400 Subject: [refpolicy] Associate attribute with another attribute? In-Reply-To: <1400930074.20666.4.camel@x220.localdomain> References: <1400927336.2689.14.camel@vaio-emefes-com> <1400930074.20666.4.camel@x220.localdomain> Message-ID: <538487D4.6000704@tresys.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 05/24/2014 07:14 AM, Dominick Grift wrote: > On Sat, 2014-05-24 at 20:28 +1000, Mladen Sekara wrote: >> Can attribute be associated with another attribute, the same way that is >> done with type(s)? >> >> eg. If we associate attributes with types using: "type mytype1_t, >> my_attribute1, my_attribute2...;", >> >> can we associate attributes with attributes using: "attribute >> my_attribute0, my_attribute1, my_attribute2...;", or something similar? >> > > Not with reference policy but it is possible with CIL policy. > > Do not ask me how they achieve that though because i do not know. > > I suppose that they expand the attributes before the resulting policy > gets translated to policy the kernel understands because i think it is a > limitation is the kernel policy language. > > Not that it matters much though, it is handy nevertheless. Eventually I'd like to make a proper refpolicy high level language on top of CIL, when CIL gets merged. Then it would allow all of the nice features in refpolicy that we all want. -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com