| Message ID | 20210506170537.146337-2-jwcart2@gmail.com (mailing list archive) |
|---|---|
| State | Accepted |
| Headers | show |
| Series | [1/2] libsepol/cil: Fix name resolution involving inherited blocks | expand |
James Carter <jwcart2@gmail.com> writes: > In the blockinherit section of the CIL documentation clearly state > the order in which inherited rules are resolved. > > That order is: > > 1) The parent namespaces (if any) where the blockinherit rule is > located with the exception of the global namespace. > > 2) The parent namespaces of the block being inherited (but not that > block's namespace) with the exception of the global namespace. > > 3) The global namespace. > > Signed-off-by: James Carter <jwcart2@gmail.com> Both Acked-by: Petr Lautrbach <plautrba@redhat.com> and merged. Thanks! > --- > secilc/docs/cil_container_statements.md | 8 ++++++++ > 1 file changed, 8 insertions(+) > > diff --git a/secilc/docs/cil_container_statements.md b/secilc/docs/cil_container_statements.md > index 7a7f67cc..41a4612c 100644 > --- a/secilc/docs/cil_container_statements.md > +++ b/secilc/docs/cil_container_statements.md > @@ -103,6 +103,14 @@ blockinherit > > Used to add common policy rules to the current namespace via a template that has been defined with the [`blockabstract`](cil_container_statements.md#blockabstract) statement. All [`blockinherit`](cil_container_statements.md#blockinherit) statements are resolved first and then the contents of the block are copied. This is so that inherited blocks will not be inherited. For a concrete example, please see the examples section. > > +Inherited rules are resolved by searching namespaces in the following order: > + > +- The parent namespaces (if any) where the [`blockinherit`](cil_container_statements.md#blockinherit) rule is located with the exception of the global namespace. > + > +- The parent namespaces of the block being inherited (but not that block's namespace) with the exception of the global namespace. > + > +- The global namespace. > + > Not allowed in [`macro`](cil_call_macro_statements.md#macro) blocks. > > **Statement definition:** > -- > 2.26.3
diff --git a/secilc/docs/cil_container_statements.md b/secilc/docs/cil_container_statements.md index 7a7f67cc..41a4612c 100644 --- a/secilc/docs/cil_container_statements.md +++ b/secilc/docs/cil_container_statements.md @@ -103,6 +103,14 @@ blockinherit Used to add common policy rules to the current namespace via a template that has been defined with the [`blockabstract`](cil_container_statements.md#blockabstract) statement. All [`blockinherit`](cil_container_statements.md#blockinherit) statements are resolved first and then the contents of the block are copied. This is so that inherited blocks will not be inherited. For a concrete example, please see the examples section. +Inherited rules are resolved by searching namespaces in the following order: + +- The parent namespaces (if any) where the [`blockinherit`](cil_container_statements.md#blockinherit) rule is located with the exception of the global namespace. + +- The parent namespaces of the block being inherited (but not that block's namespace) with the exception of the global namespace. + +- The global namespace. + Not allowed in [`macro`](cil_call_macro_statements.md#macro) blocks. **Statement definition:**
In the blockinherit section of the CIL documentation clearly state the order in which inherited rules are resolved. That order is: 1) The parent namespaces (if any) where the blockinherit rule is located with the exception of the global namespace. 2) The parent namespaces of the block being inherited (but not that block's namespace) with the exception of the global namespace. 3) The global namespace. Signed-off-by: James Carter <jwcart2@gmail.com> --- secilc/docs/cil_container_statements.md | 8 ++++++++ 1 file changed, 8 insertions(+)