2017-06-07 20:00:54 | Jamie Strandboge | description |
$ cat /tmp/foo
#include <tunables/global>
profile foo {}
profile test {
  #include <abstractions/base>
  /foo/** ix -> @{profile_name}//&foo,
}
In this, the 'ix' transition to '@{profile_name}//&foo' makes no sense. In today's implementation, ix rules only support relative transitions but '@{profile_name}//&foo' is a direct transition.
In discussing this bug it was decided that ix exec stack transitions will be obsoleted. Feel free to use this bug to track that. |
$ cat /tmp/foo
#include <tunables/global>
profile foo {}
profile test {
  #include <abstractions/base>
  /foo/** ix -> @{profile_name}//&foo,
}
In this, the 'ix' transition to '@{profile_name}//&foo' makes no sense. In today's implementation, ix rules only support relative transitions but '@{profile_name}//&foo' is a direct transition. Today, the above parses and the exec is allowed, but the profile reported by ps -Z is 'test', not 'test//&foo'.
In discussing this bug it was decided that ix exec stack transitions will be obsoleted. Feel free to use this bug to track that. |
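A lint check for the rule shape described in this report, as an added example that is not part of the original bug report or the AppArmor project's code. It flags plain 'ix' exec rules that name a '->' target, which per the report can parse and run without the expected stack showing up in ps -Z. Assumptions: a simplified one-rule-per-line grammar, flat (non-nested) profiles, and that a target starting with '&' is a relative stack while anything else is direct.

```python
import re

PROFILE = re.compile(r'^\s*profile\s+(\S+)\s*\{')
# "<path> <perms> -> <target>," (simplified: no quoted paths, no rule qualifiers)
RULE = re.compile(r'^\s*(\S+)\s+([A-Za-z]+)\s*->\s*([^,]+?)\s*,')
# Plain "ix" only: skip the pix/Pix/cix/Cix fallback modes.
PLAIN_IX = re.compile(r'(?<![pPcC])ix')

def find_ix_named_transitions(text):
    """Return one finding per 'ix -> target' rule in an AppArmor profile file."""
    findings, current = [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):   # blank, comment or #include
            continue
        opened = PROFILE.match(line)
        if opened:
            # "profile foo {}" opens and closes on the same line
            current = None if line.endswith('}') else opened.group(1)
            continue
        if line == '}':
            current = None
            continue
        rule = RULE.match(line)
        if rule and PLAIN_IX.search(rule.group(2)):
            path, _, target = rule.groups()
            findings.append({
                'line': lineno, 'profile': current, 'path': path, 'target': target,
                'stacked': '&' in target,
                # Assumption: a leading '&' marks a relative stack transition.
                'kind': 'relative' if target.startswith('&') else 'direct',
            })
    return findings

# First five lines are the profile from the report; the last three rules are
# constructed for this example.
SAMPLE = """#include <tunables/global>
profile foo {}
profile test {
  #include <abstractions/base>
  /foo/** ix -> @{profile_name}//&foo,
  /bar rix,
  /baz pix -> other,
  /qux ix -> &foo,
}
"""

if __name__ == '__main__':
    for f in find_ix_named_transitions(SAMPLE):
        print(f"line {f['line']}: profile {f['profile']}: {f['path']} ix -> {f['target']} ({f['kind']})")
```

On a host where a flagged profile is loaded, compare the label shown by ps -Z for the executed program against the target named in the rule.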