
[0/9,v4] Add CIL Deny Rule

Message ID 20230809210157.112275-1-jwcart2@gmail.com (mailing list archive)

Message

James Carter Aug. 9, 2023, 9:01 p.m. UTC
This patch series depends on the "Add support for notself and other to
CIL" patch series from August 9th.

These patches add a deny rule to CIL. Deny rules will be processed after
everything except for neverallow rules. Unlike neverallow rules, they
remove the permissions in the deny rule rather than reporting an error.

See the individual patches for an explanation of what they do.

Patches 1-8 are unchanged from v3, see:
https://lore.kernel.org/selinux/20230413193445.588395-1-jwcart2@gmail.com/

Previously, patch 9, as Daniel Burgener noted, did not do what it said it
was going to do. Now it does.

James Carter (9):
  libsepol/cil: Parse and add deny rule to AST, but do not process
  libsepol/cil: Add cil_list_is_empty macro
  libsepol/cil: Add cil_tree_node_remove function
  libsepol/cil: Process deny rules
  libsepol/cil: Add cil_write_post_ast function
  libsepol: Export the cil_write_post_ast function
  secilc/secil2tree: Add option to write CIL AST after post processing
  secilc/test: Add deny rule tests
  secilc/docs: Add deny rule to CIL documentation

 libsepol/cil/include/cil/cil.h         |    1 +
 libsepol/cil/src/cil.c                 |   68 ++
 libsepol/cil/src/cil_build_ast.c       |   56 +
 libsepol/cil/src/cil_build_ast.h       |    2 +
 libsepol/cil/src/cil_copy_ast.c        |   19 +
 libsepol/cil/src/cil_copy_ast.h        |    1 +
 libsepol/cil/src/cil_deny.c            | 1413 ++++++++++++++++++++++++
 libsepol/cil/src/cil_deny.h            |   36 +
 libsepol/cil/src/cil_flavor.h          |    1 +
 libsepol/cil/src/cil_internal.h        |   10 +
 libsepol/cil/src/cil_list.h            |    3 +
 libsepol/cil/src/cil_post.c            |    7 +
 libsepol/cil/src/cil_reset_ast.c       |    8 +
 libsepol/cil/src/cil_resolve_ast.c     |   48 +
 libsepol/cil/src/cil_resolve_ast.h     |    1 +
 libsepol/cil/src/cil_tree.c            |   35 +
 libsepol/cil/src/cil_tree.h            |    1 +
 libsepol/cil/src/cil_verify.c          |    9 +
 libsepol/cil/src/cil_write_ast.c       |   10 +
 libsepol/cil/src/cil_write_ast.h       |    1 +
 libsepol/src/libsepol.map.in           |    5 +
 secilc/docs/cil_access_vector_rules.md |   41 +-
 secilc/secil2tree.c                    |    8 +-
 secilc/test/deny_rule_test1.cil        |  580 ++++++++++
 secilc/test/deny_rule_test2.cil        |  418 +++++++
 25 files changed, 2780 insertions(+), 2 deletions(-)
 create mode 100644 libsepol/cil/src/cil_deny.c
 create mode 100644 libsepol/cil/src/cil_deny.h
 create mode 100644 secilc/test/deny_rule_test1.cil
 create mode 100644 secilc/test/deny_rule_test2.cil
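As an added illustration (not code from this series or from libsepol), a small Python model of the ordering the cover letter describes: allow rules are collected, deny rules then subtract permissions instead of erroring, and neverallow is checked last against what remains. The rule set is constructed for the example and deny is assumed to take the same `(src tgt (class (perms)))` shape as allow.

```python
"""Toy model of CIL allow/deny/neverallow processing order.

Added example, not libsepol's implementation. It only understands plain
(allow|deny|neverallow src tgt (class (perms))) rules; real CIL resolves
attributes, class maps, and many other rule kinds before this stage.
"""
import re
from collections import defaultdict

RULE_RE = re.compile(
    r"\(\s*(allow|deny|neverallow)\s+(\S+)\s+(\S+)\s+"
    r"\(\s*(\S+)\s+\(([^)]*)\)\s*\)\s*\)"
)


def parse_rules(text):
    """Return a list of (kind, src, tgt, cls, frozenset(perms)) tuples."""
    return [
        (kind, src, tgt, cls, frozenset(perms.split()))
        for kind, src, tgt, cls, perms in RULE_RE.findall(text)
    ]


def apply_policy(text):
    """Compute effective permissions, then check neverallow rules.

    Returns (av, violations): av maps (src, tgt, cls) to the permissions
    that survive the deny rules; violations lists every neverallow rule
    whose permissions still overlap with the surviving set.
    """
    rules = parse_rules(text)
    av = defaultdict(set)

    # 1. Collect all allow rules first.
    for kind, src, tgt, cls, perms in rules:
        if kind == "allow":
            av[(src, tgt, cls)] |= perms

    # 2. Deny rules run after everything else and remove permissions
    #    rather than reporting an error.
    for kind, src, tgt, cls, perms in rules:
        if kind == "deny":
            av[(src, tgt, cls)] -= perms

    # 3. neverallow is evaluated last, against the post-deny result.
    violations = []
    for kind, src, tgt, cls, perms in rules:
        if kind == "neverallow":
            overlap = av.get((src, tgt, cls), set()) & perms
            if overlap:
                violations.append((src, tgt, cls, frozenset(overlap)))

    return {k: frozenset(v) for k, v in av.items()}, violations


# Constructed sample policy (not taken from the series' test files).
SAMPLE = """
(allow app_t data_t (file (read write getattr)))
(allow app_t data_t (file (execute)))
(deny app_t data_t (file (write execute)))
(neverallow app_t data_t (file (execute)))
(neverallow app_t data_t (file (unlink)))
"""

# Same policy without the deny rule: the neverallow on execute now fires.
SAMPLE_NO_DENY = SAMPLE.replace("(deny app_t data_t (file (write execute)))", "")

if __name__ == "__main__":
    for name, policy in (("with deny", SAMPLE), ("without deny", SAMPLE_NO_DENY)):
        av, bad = apply_policy(policy)
        print(name, {k: sorted(v) for k, v in av.items()}, "violations:", bad)
```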

Comments

Petr Lautrbach Aug. 15, 2023, 3:09 p.m. UTC | #1
James Carter <jwcart2@gmail.com> writes:

> This patch series depends on the "Add support for notself and other to
> CIL" patch series from August 9th
>
> These patches add a deny rule to CIL. Deny rules will be processed after
> everything except for neverallow rules. Unlike neverallow rules, they
> remove the permissions in the deny rule rather than reporting an error.
>
> See the individual patches for an explanation of what they do.
>
> Patches 1-8 are unchanged from v3, see:
> https://lore.kernel.org/selinux/20230413193445.588395-1-jwcart2@gmail.com/
>
> Previously, patch 9, as Daniel Burgener noted, did not do what it said it
> was going to do. Now it does.

I've pushed all 16 into
https://github.com/bachradsusi/SELinuxProject-selinux/commits/notself-other-deny
and I'm building it in my COPR repo -
https://copr.fedorainfracloud.org/coprs/plautrba/selinux-patchwork/builds/

I've already run some tests and it looks good.

For all 16 patches - together with notself and other series:

Acked-by: Petr Lautrbach <lautrbach@redhat.com>

Thanks!



James Carter Aug. 16, 2023, 5:44 p.m. UTC | #2
On Tue, Aug 15, 2023 at 11:09 AM Petr Lautrbach <lautrbach@redhat.com> wrote:
>
> James Carter <jwcart2@gmail.com> writes:
>
> > This patch series depends on the "Add support for notself and other to
> > CIL" patch series from August 9th
> >
> > These patches add a deny rule to CIL. Deny rules will be processed after
> > everything except for neverallow rules. Unlike neverallow rules, they
> > remove the permissions in the deny rule rather than reporting an error.
> >
> > See the individual patches for an explanation of what they do.
> >
> > Patches 1-8 are unchanged from v3, see:
> > https://lore.kernel.org/selinux/20230413193445.588395-1-jwcart2@gmail.com/
> >
> > Previously, patch 9, as Daniel Burgener noted, did not do what it said it
> > was going to do. Now it does.
>
> I've pushed all 16 into
> https://github.com/bachradsusi/SELinuxProject-selinux/commits/notself-other-deny
> and I'm building it in my COPR repo -
> https://copr.fedorainfracloud.org/coprs/plautrba/selinux-patchwork/builds/
>
> I've already run some tests and it looks good.
>
> For all 16 patches - together with notself and other series:
>
> Acked-by: Petr Lautrbach <lautrbach@redhat.com>
>

All 16 of the notself and deny patches have been merged.
I did find a problem with an uninitialized return value at the last
minute which I fixed before merging.
Thanks to everyone who looked at or tested these patches.
Jim

Christian Göttsche Aug. 16, 2023, 5:53 p.m. UTC | #3
On Wed, 16 Aug 2023 at 19:45, James Carter <jwcart2@gmail.com> wrote:
>
> On Tue, Aug 15, 2023 at 11:09 AM Petr Lautrbach <lautrbach@redhat.com> wrote:
> >
> > James Carter <jwcart2@gmail.com> writes:
> >
> > > This patch series depends on the "Add support for notself and other to
> > > CIL" patch series from August 9th
> > >
> > > These patches add a deny rule to CIL. Deny rules will be processed after
> > > everything except for neverallow rules. Unlike neverallow rules, they
> > > remove the permissions in the deny rule rather than reporting an error.
> > >
> > > See the individual patches for an explanation of what they do.
> > >
> > > Patches 1-8 are unchanged from v3, see:
> > > https://lore.kernel.org/selinux/20230413193445.588395-1-jwcart2@gmail.com/
> > >
> > > Previously, patch 9, as Daniel Burgener noted, did not do what it said it
> > > was going to do. Now it does.
> >
> > I've pushed all 16 into
> > https://github.com/bachradsusi/SELinuxProject-selinux/commits/notself-other-deny
> > and I'm building it in my COPR repo -
> > https://copr.fedorainfracloud.org/coprs/plautrba/selinux-patchwork/builds/
> >
> > I've already run some tests and it looks good.
> >
> > For all 16 patches - together with notself and other series:
> >
> > Acked-by: Petr Lautrbach <lautrbach@redhat.com>
> >
>
> All 16 of the notself and deny patches have been merged.
> I did find a problem with an uninitialized return value at the last
> minute which I fixed before merging.
> Thanks to everyone who looked at or tested these patches.
> Jim

I think the version in libsepol/src/libsepol.map.in in commit
"libsepol: Export the cil_write_post_ast function" should have been
updated to 3.6.

James Carter Aug. 16, 2023, 6:05 p.m. UTC | #4
On Wed, Aug 16, 2023 at 1:53 PM Christian Göttsche
<cgzones@googlemail.com> wrote:
>
> On Wed, 16 Aug 2023 at 19:45, James Carter <jwcart2@gmail.com> wrote:
> >
> > On Tue, Aug 15, 2023 at 11:09 AM Petr Lautrbach <lautrbach@redhat.com> wrote:
> > >
> > > James Carter <jwcart2@gmail.com> writes:
> > >
> > > > This patch series depends on the "Add support for notself and other to
> > > > CIL" patch series from August 9th
> > > >
> > > > These patches add a deny rule to CIL. Deny rules will be processed after
> > > > everything except for neverallow rules. Unlike neverallow rules, they
> > > > remove the permissions in the deny rule rather than reporting an error.
> > > >
> > > > See the individual patches for an explanation of what they do.
> > > >
> > > > Patches 1-8 are unchanged from v3, see:
> > > > https://lore.kernel.org/selinux/20230413193445.588395-1-jwcart2@gmail.com/
> > > >
> > > > Previously, patch 9, as Daniel Burgener noted, did not do what it said it
> > > > was going to do. Now it does.
> > >
> > > I've pushed all 16 into
> > > https://github.com/bachradsusi/SELinuxProject-selinux/commits/notself-other-deny
> > > and I'm building it in my COPR repo -
> > > https://copr.fedorainfracloud.org/coprs/plautrba/selinux-patchwork/builds/
> > >
> > > I've already run some tests and it looks good.
> > >
> > > For all 16 patches - together with notself and other series:
> > >
> > > Acked-by: Petr Lautrbach <lautrbach@redhat.com>
> > >
> >
> > All 16 of the notself and deny patches have been merged.
> > I did find a problem with an uninitialized return value at the last
> > minute which I fixed before merging.
> > Thanks to everyone who looked at or tested these patches.
> > Jim
>
> I think the version in libsepol/src/libsepol.map.in in commit
> "libsepol: Export the cil_write_post_ast function" should have been
> updated to 3.6.
>

You are right. I was thinking that version 3.5 was the next release,
not the previous one.
Thanks,
Jim


James Carter Aug. 16, 2023, 6:08 p.m. UTC | #5
On Wed, Aug 16, 2023 at 2:05 PM James Carter <jwcart2@gmail.com> wrote:
>
> On Wed, Aug 16, 2023 at 1:53 PM Christian Göttsche
> <cgzones@googlemail.com> wrote:
> >
> > On Wed, 16 Aug 2023 at 19:45, James Carter <jwcart2@gmail.com> wrote:
> > >
> > > On Tue, Aug 15, 2023 at 11:09 AM Petr Lautrbach <lautrbach@redhat.com> wrote:
> > > >
> > > > James Carter <jwcart2@gmail.com> writes:
> > > >
> > > > > This patch series depends on the "Add support for notself and other to
> > > > > CIL" patch series from August 9th
> > > > >
> > > > > These patches add a deny rule to CIL. Deny rules will be processed after
> > > > > everything except for neverallow rules. Unlike neverallow rules, they
> > > > > remove the permissions in the deny rule rather than reporting an error.
> > > > >
> > > > > See the individual patches for an explanation of what they do.
> > > > >
> > > > > Patches 1-8 are unchanged from v3, see:
> > > > > https://lore.kernel.org/selinux/20230413193445.588395-1-jwcart2@gmail.com/
> > > > >
> > > > > Previously, patch 9, as Daniel Burgener noted, did not do what it said it
> > > > > was going to do. Now it does.
> > > >
> > > > I've pushed all 16 into
> > > > https://github.com/bachradsusi/SELinuxProject-selinux/commits/notself-other-deny
> > > > and I'm building it in my COPR repo -
> > > > https://copr.fedorainfracloud.org/coprs/plautrba/selinux-patchwork/builds/
> > > >
> > > > I've already run some tests and it looks good.
> > > >
> > > > For all 16 patches - together with notself and other series:
> > > >
> > > > Acked-by: Petr Lautrbach <lautrbach@redhat.com>
> > > >
> > >
> > > All 16 of the notself and deny patches have been merged.
> > > I did find a problem with an uninitialized return value at the last
> > > minute which I fixed before merging.
> > > Thanks to everyone who looked at or tested these patches.
> > > Jim
> >
> > I think the version in libsepol/src/libsepol.map.in in commit
> > "libsepol: Export the cil_write_post_ast function" should have been
> > updated to 3.6.
> >
>
> You are right. I was thinking that version 3.5 was the next release,
> not the previous one.

Or is everything supposed to be version 3.5 until the next release?
This has always confused me. I don't think that we have been
consistent.
Jim


Christian Göttsche Aug. 16, 2023, 6:26 p.m. UTC | #6
On Wed, 16 Aug 2023 at 20:08, James Carter <jwcart2@gmail.com> wrote:
>
> On Wed, Aug 16, 2023 at 2:05 PM James Carter <jwcart2@gmail.com> wrote:
> >
> > On Wed, Aug 16, 2023 at 1:53 PM Christian Göttsche
> > <cgzones@googlemail.com> wrote:
> > >
> > > On Wed, 16 Aug 2023 at 19:45, James Carter <jwcart2@gmail.com> wrote:
> > > >
> > > > On Tue, Aug 15, 2023 at 11:09 AM Petr Lautrbach <lautrbach@redhat.com> wrote:
> > > > >
> > > > > James Carter <jwcart2@gmail.com> writes:
> > > > >
> > > > > > This patch series depends on the "Add support for notself and other to
> > > > > > CIL" patch series from August 9th
> > > > > >
> > > > > > These patches add a deny rule to CIL. Deny rules will be processed after
> > > > > > everything except for neverallow rules. Unlike neverallow rules, they
> > > > > > remove the permissions in the deny rule rather than reporting an error.
> > > > > >
> > > > > > See the individual patches for an explanation of what they do.
> > > > > >
> > > > > > Patches 1-8 are unchanged from v3, see:
> > > > > > https://lore.kernel.org/selinux/20230413193445.588395-1-jwcart2@gmail.com/
> > > > > >
> > > > > > Previously, patch 9, as Daniel Burgener noted, did not do what it said it
> > > > > > was going to do. Now it does.
> > > > >
> > > > > I've pushed all 16 into
> > > > > https://github.com/bachradsusi/SELinuxProject-selinux/commits/notself-other-deny
> > > > > and I'm building it in my COPR repo -
> > > > > https://copr.fedorainfracloud.org/coprs/plautrba/selinux-patchwork/builds/
> > > > >
> > > > > I've already run some tests and it looks good.
> > > > >
> > > > > For all 16 patches - together with notself and other series:
> > > > >
> > > > > Acked-by: Petr Lautrbach <lautrbach@redhat.com>
> > > > >
> > > >
> > > > All 16 of the notself and deny patches have been merged.
> > > > I did find a problem with an uninitialized return value at the last
> > > > minute which I fixed before merging.
> > > > Thanks to everyone who looked at or tested these patches.
> > > > Jim
> > >
> > > I think the version in libsepol/src/libsepol.map.in in commit
> > > "libsepol: Export the cil_write_post_ast function" should have been
> > > updated to 3.6.
> > >
> >
> > You are right. I was thinking that version 3.5 was the next release,
> > not the previous one.
>
> Or is everything supposed to be version 3.5 until the next release?
> This has always confused me. I don't think that we have been
> consistent.
> Jim

If I read the documentation[1] correctly the version number tells in
which version a symbol is available.
For example dpkg should declare any package with an application using
cil_write_post_ast() to depend on libsepol 3.6 (and not 3.5 where the
symbol is not available).

[1]: https://ftp.gnu.org/old-gnu/Manuals/ld-2.9.1/html_node/ld_25.html

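As an added example (not libsepol's build tooling), a Python parser for a GNU ld version script in the style discussed above, answering the question this thread raises: which version node exports a symbol, and hence the minimum library version a program using it depends on. The script text is constructed for the example; apart from cil_write_post_ast the symbol names are placeholders, and the node names and chain do not claim to reproduce libsepol.map.in.

```python
"""Resolve the version node that exports a symbol in an ld version script.

Added example, not part of libsepol. Handles the usual layout:
    NODE { global: a; b; local: *; } PARENT_NODE;
where the trailing parent name (if any) says which older node this one
inherits from. C-style comments are stripped before parsing.
"""
import re

NODE_RE = re.compile(
    r"(?P<name>[A-Za-z0-9_.]+)\s*\{(?P<body>.*?)\}\s*"
    r"(?P<parent>[A-Za-z0-9_.]+)?\s*;",
    re.S,
)


def parse_version_script(text):
    """Return {node_name: (parent_name_or_None, set_of_global_symbols)}."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    nodes = {}
    for m in NODE_RE.finditer(text):
        globals_, section = set(), None
        for tok in re.split(r"[\s;]+", m.group("body")):
            if not tok:
                continue
            if tok in ("global:", "local:"):
                section = tok
            elif section == "global:":
                globals_.add(tok)
        nodes[m.group("name")] = (m.group("parent"), globals_)
    return nodes


def node_of(nodes, symbol):
    """Name of the version node that first exports symbol, or None."""
    for name, (_, syms) in nodes.items():
        if symbol in syms:
            return name
    return None


def lineage(nodes, name):
    """Chain of nodes from name back to the oldest ancestor."""
    chain = []
    while name is not None:
        chain.append(name)
        name = nodes[name][0]
    return chain


def required_node(nodes, symbols):
    """Newest node among those exporting symbols: the minimum library
    version a consumer of all of them must depend on."""
    best = None
    for sym in symbols:
        node = node_of(nodes, sym)
        if node is None:
            raise KeyError(f"{sym} is not exported by any version node")
        # node is newer than best if best is one of node's ancestors.
        if best is None or best in lineage(nodes, node)[1:]:
            best = node
    return best


# Constructed sample in the style of a libsepol map file (placeholder
# symbols except cil_write_post_ast; not the real file contents).
SAMPLE_MAP = """
LIBSEPOL_1.0 {
  global:
    example_symbol_old; example_symbol_other;
  local: *;
};
LIBSEPOL_3.5 {
  global:
    example_symbol_35;
} LIBSEPOL_1.0;
LIBSEPOL_3.6 {
  global:
    cil_write_post_ast;  /* new export in this (constructed) node */
} LIBSEPOL_3.5;
"""

if __name__ == "__main__":
    nodes = parse_version_script(SAMPLE_MAP)
    print(node_of(nodes, "cil_write_post_ast"))
    print(required_node(nodes, ["example_symbol_old", "cil_write_post_ast"]))
```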