From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Fri, 12 Aug 2011 08:31:21 -0400
Subject: [refpolicy] RFC: macro expansion in monolithic policy: seusers
In-Reply-To: <4E442861.5000801@twobit.us>
References: <4E442861.5000801@twobit.us>
Message-ID: <4E451D19.8050507@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 08/11/11 15:07, Philip Tricca wrote:
> While playing with a monolithic policy this morning I noticed that calls
> to getseuserbyname were returning a strange level string
> ("s0-mcs_systemhigh") and breaking subsequent calls to
> get_default_context_with_level. The culprit turned out to be unexpanded
> macros in /etc/selinux/$(NAME)/seusers.
>
> For a modular policy the source file ./config/appconfig-$(TYPE)/seusers
> gets run through m4, output to ./tmp, then included in the base module.
> For a monolithic policy, the Rules.monolithic file just copies seusers
> from ./config/appconfig-$(TYPE) to the destination without passing it
> through the m4 processor.
>
> I was working with the 20100524 release and, if this is a bug and not my
> misunderstanding, it's present up to the current head of the development
> tree. In the attached patch I've moved the m4 processing step from the
> Rules.modular file to the main Makefile and fixed up the install target
> for seusers in Rules.monolithic.
>
> Has it really been this long since someone's built a monolithic policy
> or am I missing something?

You are correct. I have fixed this in the master branch. From my experience, most people that still use a monolithic policy don't use MLS/MCS; thus, they wouldn't see this issue.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
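
A check for the symptom reported in this thread, as an added example that is not part of the original messages or of refpolicy: it flags seusers entries whose level field is not a literal MLS/MCS range, which is how an unexpanded m4 macro such as "s0-mcs_systemhigh" shows up after install. The function names and the sample file are constructed, and the level grammar assumed is `sN[:cats][-sN[:cats]]`.

```shell
#!/bin/sh
# Added example (not refpolicy code): detect seusers entries whose level
# still contains an unexpanded macro instead of a literal MLS/MCS range.

# Succeeds if $1 is a literal level or range, e.g. s0 or s0-s0:c0.c1023.
# Assumed grammar: sN[:cats][-sN[:cats]], cats like c0.c1023,c5
valid_level() {
    printf '%s\n' "$1" | grep -Eq \
        '^s[0-9]+(:c[0-9]+([.,]c[0-9]+)*)?(-s[0-9]+(:c[0-9]+([.,]c[0-9]+)*)?)?$'
}

# check_seusers FILE
# Prints one line per bad entry; returns 1 if any entry is bad, else 0.
# seusers format: login:seuser[:level]. The level may itself contain
# colons, so it is read as the remainder of the line.
check_seusers() {
    bad=0
    n=0
    while IFS=: read -r login seuser level || [ -n "$login" ]; do
        n=$((n + 1))
        case $login in
            ''|'#'*) continue ;;          # blank line or comment
        esac
        [ -z "$level" ] && continue       # non-MLS/MCS policy: no level field
        if ! valid_level "$level"; then
            printf 'line %d: %s: unexpanded or invalid level "%s"\n' \
                "$n" "$login" "$level"
            bad=1
        fi
    done < "$1"
    return "$bad"
}

# Constructed sample: one literal entry and one entry copied without m4.
tmp=$(mktemp)
cat > "$tmp" <<'EOF'
# constructed sample, not a real policy file
__default__:user_u:s0
root:root:s0-mcs_systemhigh
EOF
check_seusers "$tmp" || echo "seusers was installed without m4 expansion"
rm -f "$tmp"
```

To check a real system, pass the installed file under /etc/selinux/ for the policy in use.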