From: sven.vermeulen@siphos.be (Sven Vermeulen)
Date: Sat, 13 Aug 2011 23:06:37 +0200
Subject: [refpolicy] Calling typeattribute within a tunable_policy() is not allowed?
Message-ID: <20110813210636.GA2679@siphos.be>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Hi guys,

I wanted to add a call to seutil_relabelto_bin_policy() (through files_relabel_all_files) within puppet but only when the puppet_manage_all_files boolean is set. However, it seems that this is not allowed, as the seutil_relabelto_bin_policy() interface would add an attribute to the given type using "typeattribute", which doesn't seem to work:

    /usr/bin/checkmodule: loading policy configuration from tmp/puppet.tmp
    puppet.te":142:ERROR 'syntax error' at token 'typeattribute' on line 8617:
    #line 142
    typeattribute puppet_t can_relabelto_binary_policy;

I guess that attributes are not something that can be switched on/off through a tunable.

Does that mean that the best way to handle this is to move the "typeattribute $1 can_relabelto_binary_policy;" out of the seutil_relabelto_bin_policy() interface and make sure that whoever calls that interface first sets this attribute? Then, puppet would have the attribute set, but the effective permission would still be "shielded" by the boolean...

Wkr,
  Sven Vermeulen
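As an added illustration of the split Sven proposes (this is not his module nor refpolicy's own code): the attribute membership is declared unconditionally at module scope, while the permission that actually matters stays inside the tunable_policy() block. The module name, the policy_src_t label and the relabelto rule are placeholders chosen for the example.

```selinux
policy_module(puppet_example, 1.0.0)

# Boolean that should gate the relabel permission (placeholder default).
gen_tunable(puppet_manage_all_files, false)

type puppet_t;

gen_require(`
	attribute can_relabelto_binary_policy;
	type policy_src_t;   # placeholder target label for the example
')

# Rejected form: the policy compiler does not accept attribute
# assignment inside a conditional block, as the checkmodule error shows.
#
# tunable_policy(`puppet_manage_all_files',`
# 	typeattribute puppet_t can_relabelto_binary_policy;
# ')

# Accepted form: attribute membership is static and unconditional ...
typeattribute puppet_t can_relabelto_binary_policy;

# ... and only the allow rule is switched by the boolean, so the
# effective permission is still shielded even though the attribute is set.
tunable_policy(`puppet_manage_all_files',`
	allow puppet_t policy_src_t:file relabelto;
')
```

Because the attribute is present regardless of the boolean, any rule elsewhere that grants access to the whole attribute applies to puppet_t unconditionally; only rules placed inside the tunable block follow the boolean.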