typebounds should support specifying an attribute for the child

[stephensmalley]

At present we can only specify an individual type as the child in a typebounds statement.
This makes it difficult to specify that many types are bounded a single parent type.
Update libsepol/checkpolicy to support specifying an attribute for the child type, and either
update the policy file and kernel to also support this (i.e. new policy version) or have libsepol expand
the rules at build time.

[rhatdan]

This is becoming more critical.

In container-selinux I would need something like

# Added to make typebounds check work.
# Hopefully can remove when we have a better solution
# When we can do the following, this would make this more secure
# typebounds container_runtime_exec_t exec_type;
# typebounds container_runtime_exec_t mountpoint;
files_entrypoint_all_mountpoint(container_runtime_t)
corecmd_entrypoint_all_executables(container_runtime_t)

[stephensmalley]

In the interim, could you add something like:
optional_policy(`
gen_require(`
type container_runtime_exec_t;
')
typebounds container_runtime_exec_t $1;
')
to the corecmd_executable_file() interface definition?

[rhatdan]

Yes except container_runtime_exec_t is defined external to the base policy. We are shipping container-selinux totally separate.

[stephensmalley]

That's why I put it in an optional?

[rhatdan]

Right. My point was that we would need an update for both packages. Not something easily done in RHEL. But it would fix it for Fedora for now.