From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Wed, 25 Aug 2010 08:54:22 -0400
Subject: [refpolicy] [m4-isms patch 3/6] Add role rule to make
 translation easier
In-Reply-To: <1282679443.14992.33.camel@moss-lions.epoch.ncsc.mil>
References: <1282679443.14992.33.camel@moss-lions.epoch.ncsc.mil>
Message-ID: <4C75127E.5000300@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 08/24/10 15:50, James Carter wrote:
> By adding this rule, I can assume that every role rule of the form "role
> foo_r;" is a declaration and those of the form "role foo_r types bar_t;"
> are adding types to an existing role.  This makes translating to a
> different language easier.

This is a straightforward one.  I don't have a problem with it, though 
by requiring a role declaration statement imposes a new requirement that 
didn't previously exist.

> ---
>   policy/modules/services/nx.te |    1 +
>   1 file changed, 1 insertion(+)
>
> diff --git a/policy/modules/services/nx.te b/policy/modules/services/nx.te
> index ebb9582..a3559f2 100644
> --- a/policy/modules/services/nx.te
> +++ b/policy/modules/services/nx.te
> @@ -12,6 +12,7 @@ domain_entry_file(nx_server_t, nx_server_exec_t)
>   domain_user_exemption_target(nx_server_t)
>   # we need an extra role because nxserver is called from sshd
>   # cjp: do we really need this?
> +role nx_server_r;
>   role nx_server_r types nx_server_t;
>   allow system_r nx_server_r;
>
>


-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com