47 lines
2.0 KiB
Diff
From 7fec5e93d97b39ffcf66e7f26c2d9cc0e8533db2 Mon Sep 17 00:00:00 2001
From: James Carter <jwcart2@gmail.com>
Date: Thu, 6 May 2021 13:05:37 -0400
Subject: [PATCH] secilc/docs: Document the order that inherited rules are
resolved in

In the blockinherit section of the CIL documentation clearly state
the order in which inherited rules are resolved.

That order is:

1) The parent namespaces (if any) where the blockinherit rule is
located with the exception of the global namespace.

2) The parent namespaces of the block being inherited (but not that
block's namespace) with the exception of the global namespace.

3) The global namespace.

Signed-off-by: James Carter <jwcart2@gmail.com>
---
secilc/docs/cil_container_statements.md | 8 ++++++++
1 file changed, 8 insertions(+)

diff --git a/secilc/docs/cil_container_statements.md b/secilc/docs/cil_container_statements.md
index 7a7f67cc27c4..41a4612cd835 100644
--- a/secilc/docs/cil_container_statements.md
+++ b/secilc/docs/cil_container_statements.md
@@ -103,6 +103,14 @@ blockinherit
Used to add common policy rules to the current namespace via a template that has been defined with the [`blockabstract`](cil_container_statements.md#blockabstract) statement. All [`blockinherit`](cil_container_statements.md#blockinherit) statements are resolved first and then the contents of the block are copied. This is so that inherited blocks will not be inherited. For a concrete example, please see the examples section.
+Inherited rules are resolved by searching namespaces in the following order:
+
+- The parent namespaces (if any) where the [`blockinherit`](cil_container_statements.md#blockinherit) rule is located with the exception of the global namespace.
+
+- The parent namespaces of the block being inherited (but not that block's namespace) with the exception of the global namespace.
+
+- The global namespace.
+
Not allowed in [`macro`](cil_call_macro_statements.md#macro) blocks.
**Statement definition:**
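
Review bot: The three added items under "Inherited rules are resolved by searching namespaces in the following order:" are written as an unordered `-` list, although the sentence says the order matters and the commit message numbers them 1) to 3). Making it a numbered list (`1.`, `2.`, `3.`) would keep the sequence explicit in the rendered documentation. The second item also excludes the inherited block's own namespace ("but not that block's namespace") without saying whether or when that namespace is searched, so a sentence covering that case would remove the ambiguity for policy authors who reuse a name at several levels.
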
--
2.32.0