From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Wed, 25 Aug 2010 11:51:15 -0400
Subject: [refpolicy] [m4-isms patch 3/6] Add role rule to make translation easier
In-Reply-To: <1282745497.25778.18.camel@moss-lions.epoch.ncsc.mil>
References: <1282679443.14992.33.camel@moss-lions.epoch.ncsc.mil> <4C75127E.5000300@tresys.com> <1282745497.25778.18.camel@moss-lions.epoch.ncsc.mil>
Message-ID: <4C753BF3.2030802@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 08/25/10 10:11, James Carter wrote:
> On Wed, 2010-08-25 at 08:54 -0400, Christopher J. PeBenito wrote:
>> On 08/24/10 15:50, James Carter wrote:
>>> By adding this rule, I can assume that every role rule of the form "role
>>> foo_r;" is a declaration and those of the form "role foo_r types bar_t;"
>>> are adding types to an existing role. This makes translating to a
>>> different language easier.
>>
>> This is a straightforward one. I don't have a problem with it, though
>> requiring a role declaration statement imposes a new requirement that
>> didn't previously exist.
>>
>
> But the fact that multiple role declarations are allowed is a deficiency
> of the current policy language. CIL will have a roletype statement
> which will eliminate the need for allowing multiple role declarations.
>
> I think that having this extra rule won't harm Refpolicy while being
> beneficial for translating Refpolicy to CIL.

Like I said, I don't have a problem with it. I didn't commit it since you
said in your 0 patch email that this patchset was more of an RFC.

>>> ---
>>> policy/modules/services/nx.te | 1 +
>>> 1 file changed, 1 insertion(+)
>>>
>>> diff --git a/policy/modules/services/nx.te b/policy/modules/services/nx.te
>>> index ebb9582..a3559f2 100644
>>> --- a/policy/modules/services/nx.te
>>> +++ b/policy/modules/services/nx.te
>>> @@ -12,6 +12,7 @@ domain_entry_file(nx_server_t, nx_server_exec_t) >>> domain_user_exemption_target(nx_server_t) >>> # we need an extra role because nxserver is called from sshd >>> # cjp: do we really need this? >>> +role nx_server_r; >>> role nx_server_r types nx_server_t; >>> allow system_r nx_server_r; >>> >>> >> >> > -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com
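Review bot: the new `role nx_server_r;` declaration is inserted directly under the two existing comments ("# we need an extra role because nxserver is called from sshd" and "# cjp: do we really need this?"), so the open question in the second comment now reads as applying to the bare declaration rather than to the `role nx_server_r types nx_server_t;` and `allow system_r nx_server_r;` lines it originally annotated. Suggest either placing the declaration above the comment block or rewording the comment so it is clear which statement is being questioned; since the stated purpose of the patch is that a bare `role foo_r;` is always a declaration and `role foo_r types ...` always extends an existing role, the declaration should also sit with the module's other declarations rather than look like a conditional addition.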