From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Tue, 16 Aug 2011 15:26:21 -0400
Subject: [refpolicy] Calling typeattribute within a tunable_policy() is not allowed?
In-Reply-To: <20110813210636.GA2679@siphos.be>
References: <20110813210636.GA2679@siphos.be>
Message-ID: <4E4AC45D.1070300@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 8/13/2011 5:06 PM, Sven Vermeulen wrote:
> Hi guys,
>
> I wanted to add a call to seutil_relabelto_bin_policy() (through
> files_relabel_all_files) within puppet but only when the
> puppet_manage_all_files boolean is set.
>
> However, it seems that this is not allowed as the
> seutil_relabelto_bin_policy() interface would add an attribute to the given
> type using "typeattribute", which doesn't seem to work:
>
>
> /usr/bin/checkmodule: loading policy configuration from tmp/puppet.tmp
> puppet.te":142:ERROR 'syntax error' at token 'typeattribute' on line 8617:
> #line 142
> typeattribute puppet_t can_relabelto_binary_policy;
>
>
> I guess that attributes are not something that can be switched on/off

This is a limitation of conditional policy, and tunables are currently
implemented as Booleans/conditionals.

> through a tunable. Does that mean that the best way to handle this is to
> move the "typeattribute $1 can_relabelto_binary_policy;" out of the
> seutil_relabelto_bin_policy() interface and make sure that whoever calls
> that interface first sets this attribute?
>
> Then, puppet would have the attribute set, but the effective permission
> would still be "shielded" by the boolean...

Why would puppet need this access anyway? The binary policy should be
managed by semanage.

--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
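The shape of the limitation discussed above, as an added illustration that is not part of the thread and not refpolicy's own code: a hypothetical minimal module in which the attribute, the domain type, the file type and the tunable are all made up for the example. The commented-out block is the form that checkmodule rejects; the form below it keeps attribute membership unconditional and gates only the permission granted to the attribute behind the tunable, which is the workaround Sven asks about and which leaves the access itself still controlled by the Boolean.

```selinux
policy_module(example_cond_attr, 1.0.0)

# Hypothetical tunable, declared with the refpolicy gen_tunable() macro.
gen_tunable(example_manage_policy, false)

# Hypothetical attribute, domain and file type for this example only.
attribute example_can_relabelto_policy;
type example_t;
type example_policy_t;

# Rejected at build time: tunable_policy() expands to a conditional block,
# and the policy language does not permit typeattribute inside a conditional.
# tunable_policy(`example_manage_policy',`
#	typeattribute example_t example_can_relabelto_policy;
# ')

# Attribute membership has to be stated unconditionally.
typeattribute example_t example_can_relabelto_policy;

# Only the permission granted to the attribute is conditional, so the
# domain gains relabelto on the file type solely while the tunable is on.
tunable_policy(`example_manage_policy',`
	allow example_can_relabelto_policy example_policy_t:file relabelto;
')
```

Keep apostrophes out of comments in a real .te file, since the refpolicy build runs the file through m4 and a stray `'` closes an m4 quote.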