TE Rule search permission set empty multiple oclass selections

[d3vilbox]

Apol Version 4.1.dev0

When I select multiple object classes in a TE Rule search I expect to be able to select any permission from the union of the permissions for the set of object classes. However, the permission set box is just empty.

[pebenito]

It sounds like this is working as designed. The permissions list is an intersection, not a union, of the permissions of the classes. If there is no intersection between the selected classes, then the permissions list is empty.

[d3vilbox]

Why would you ever want an empty permission set? I'm not looking for that part of Apol to tell me what perms are the same between object classes. I just know I want to select some object classes and then maybe filter down the permissions afterward. Maybe I'm thinking about it the wrong way.

[pebenito]

The main idea is for the 'match all' permissions case. If a user selects process and file, there is only one common permission between them, getattr. If they were able to select signal and write, there could never be any results, which might be confusing.

Also I wasn't aware of such a use case as you're describing.