[apparmor] DBus rule syntax for subject and peer components

[John Johansen]

On 06/23/2013 05:28 AM, Christian Boltz wrote:
> Hello,
> 
> Am Freitag, 21. Juni 2013 schrieb John Johansen:
>> On 06/21/2013 07:07 AM, Steve Beattie wrote:
>>> On Thu, Jun 20, 2013 at 11:41:21AM -0700, Tyler Hicks wrote:
> 
>>>>   # Talks to system and session buses
>>>>   dbus (send receive) bus={system,session}
>>>>   peer=(name=org.freedesktop.DBus),> 
>>> Shouldn't "(send receive)" be an alternation a la "{send, receive}"?
>>
>> no its not an alternation, its a multi-valued set. That is it grants
>> send,
>> receive,
>> send and receive at the same time
>>
>> an alternation would one of send or receive
> 
> It may be a silly question, but: what's the difference between the 
> alternation "send or receive" and "send and receive at the same time"?
> 

so it depends on how you view the values. Alternation certainly could
be interpreted as A or B or A and B. From a text match perspective it
is not, you need to specify the other possibilities.

  /eg{foo,bar,foo\,bar,bar\,foo}

also there are cases where you want to be specify allow X but only if
Y is specified.  So X and Y.

Another way of looking at it is the multi-valued set takes care of
converting a set expression into an ordered alternation like in the
eg above (not saying that is how it works necessarily but it could
be viewed as such).