From: jwcart2@tycho.nsa.gov (James Carter)
Date: Wed, 25 Aug 2010 10:11:37 -0400
Subject: [refpolicy] [m4-isms patch 3/6] Add role rule to make translation easier
In-Reply-To: <4C75127E.5000300@tresys.com>
References: <1282679443.14992.33.camel@moss-lions.epoch.ncsc.mil> <4C75127E.5000300@tresys.com>
Message-ID: <1282745497.25778.18.camel@moss-lions.epoch.ncsc.mil>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Wed, 2010-08-25 at 08:54 -0400, Christopher J. PeBenito wrote:
> On 08/24/10 15:50, James Carter wrote:
> > By adding this rule, I can assume that every role rule of the form "role
> > foo_r;" is a declaration and those of the form "role foo_r types bar_t;"
> > are adding types to an existing role. This makes translating to a
> > different language easier.
>
> This is a straightforward one. I don't have a problem with it, though
> by requiring a role declaration statement imposes a new requirement that
> didn't previously exist.
>

But the fact that multiple role declarations are allowed is a deficiency
of the current policy language. CIL will have a roletype statement
which will eliminate the need for allowing multiple role declarations.
I think that having this extra rule won't harm Refpolicy while being
beneficial for translating Refpolicy to CIL.

> > ---
> > policy/modules/services/nx.te | 1 +
> > 1 file changed, 1 insertion(+)
> >
> > diff --git a/policy/modules/services/nx.te b/policy/modules/services/nx.te
> > index ebb9582..a3559f2 100644
> > --- a/policy/modules/services/nx.te
> > +++ b/policy/modules/services/nx.te
> > @@ -12,6 +12,7 @@ domain_entry_file(nx_server_t, nx_server_exec_t)
> > domain_user_exemption_target(nx_server_t)
> > # we need an extra role because nxserver is called from sshd
> > # cjp: do we really need this?
> > +role nx_server_r;
> > role nx_server_r types nx_server_t;
> > allow system_r nx_server_r;
> >
> >
> >

-- 
James Carter
National Security Agency
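
Review bot: the added `role nx_server_r;` in nx.te carries no comment saying it is a deliberate explicit declaration, and the following line `role nx_server_r types nx_server_t;` already brings the role into existence under the current language, so a later cleanup could drop the new line as redundant. The two existing comments directly above it, including "cjp: do we really need this?", are about the role itself and now read as if they question the declaration. Suggest a one-line comment on the new statement, or a style-guide note that every role gets a bare `role foo_r;` before any `role foo_r types ...;`. Nothing in this hunk enforces that convention, so a build-time check would keep other modules from drifting away from it.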
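
A check for the convention discussed in this thread, as an added example that is not part of the original message or of Refpolicy: it flags every `role X types ...;` that has no earlier bare `role X;` in the same file. The function name is hypothetical, the input is the nx.te fragment from the quoted hunk, and the check assumes a single .te file with no m4 macro expansion.

```python
import re

# "role foo_r;" is treated as a declaration,
# "role foo_r types bar_t;" as adding types to an existing role.
DECL_RE = re.compile(r'^\s*role\s+(\w+)\s*;')
TYPES_RE = re.compile(r'^\s*role\s+(\w+)\s+types\s+[^;]+;')


def undeclared_role_uses(te_text):
    """Return (line_no, role) for each 'role X types ...' seen before 'role X;'."""
    declared = set()
    findings = []
    for line_no, line in enumerate(te_text.splitlines(), 1):
        code = line.split('#', 1)[0]          # ignore policy comments
        decl = DECL_RE.match(code)
        if decl:
            declared.add(decl.group(1))
            continue
        use = TYPES_RE.match(code)
        if use and use.group(1) not in declared:
            findings.append((line_no, use.group(1)))
    return findings


# nx.te fragment before the patch, taken from the hunk's context lines.
BEFORE = "\n".join([
    "domain_user_exemption_target(nx_server_t)",
    "# we need an extra role because nxserver is called from sshd",
    "# cjp: do we really need this?",
    "role nx_server_r types nx_server_t;",
    "allow system_r nx_server_r;",
])

# Same fragment with the patch's added declaration in place.
AFTER = BEFORE.replace(
    "role nx_server_r types",
    "role nx_server_r;\nrole nx_server_r types",
)

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, undeclared_role_uses(text))
```

Roles declared through interfaces or in other modules are invisible to a per-file scan like this, so a real check would have to run on the expanded policy.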