From: harrytaurus2002@hotmail.com (HarryCiao)
Date: Thu, 18 Aug 2011 08:14:10 +0000
Subject: [refpolicy] Calling typeattribute within a tunable_policy() is not allowed?
In-Reply-To: <20110813210636.GA2679@siphos.be>
References: <20110813210636.GA2679@siphos.be>
Message-ID:
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

> Date: Sat, 13 Aug 2011 23:06:37 +0200
> From: sven.vermeulen at siphos.be
> To: refpolicy at oss.tresys.com
> Subject: [refpolicy] Calling typeattribute within a tunable_policy() is not allowed?
>
> Hi guys,
>
> I wanted to add a call to seutil_relabelto_bin_policy() (through
> files_relabel_all_files) within puppet but only when the
> puppet_manage_all_files boolean is set.
>
> However, it seems that this is not allowed as the
> seutil_relabelto_bin_policy() interface would add an attribute to the given
> type using "typeattribute", which doesn't seem to work:
>
> /usr/bin/checkmodule: loading policy configuration from tmp/puppet.tmp
> puppet.te":142:ERROR 'syntax error' at token 'typeattribute' on line 8617:
> #line 142
> typeattribute puppet_t can_relabelto_binary_policy;
>
> I guess that attributes are not something that can be switched on/off
> through a tunable.

Just a side note, so far the tunable is implemented as boolean, and the
tunable_policy macro is expanded as if-else conditionals by m4, aiming to
define some block of rules that could be switched on/off at runtime. However,
the tunable and tunable_policy should take effect at module link/expand time -
if the tunable is off, then the related block of rules would not be linked and
expanded at all.
As stated in policy_parse.y, only rules of AVRULE_AV and AVRULE_TYPE are
allowed to be used in conditionals and all the rest would trigger "syntax
error" as in your case:

    cond_rule_def : cond_transition_def
                    { $$ = $1; }
                  | cond_te_avtab_def
                    { $$ = $1; }
                  | require_block
                    { $$ = NULL; }
                  ;

Moreover, we could further define some function to explicitly warn that some
particular rule is not allowed in conditionals, see
define_cond_filename_trans().

Cheers,
Harry
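The distinction the thread draws, shown as an added puppet.te illustration that is not from the thread or from refpolicy itself: the typeattribute that the interface expands to must sit at module scope, while only an AV rule (and a require block) can live inside the tunable_policy block. It assumes puppet_t and the puppet_manage_all_files tunable are already declared in the module, and that the seutil interface's relabelto rule targets policy_config_t; both are assumptions, not taken from the thread.

```selinux
# puppet.te (added illustration; assumes puppet_t and the
# puppet_manage_all_files tunable are already declared in this module)

# Rejected by checkmodule with "syntax error at token 'typeattribute'":
# the interface expands to a typeattribute statement, and the parser only
# accepts AVRULE_AV / AVRULE_TYPE rules plus a require block inside a
# conditional.
#tunable_policy(`puppet_manage_all_files',`
#	files_relabel_all_files(puppet_t)
#')

# Accepted: attribute membership is fixed at module link/expand time, so
# the interface call goes at module scope and is granted regardless of
# the boolean's value.
seutil_relabelto_bin_policy(puppet_t)

# If the grant really has to follow the boolean at runtime, put the AV
# rule itself in the conditional instead of the attribute. policy_config_t
# is assumed here to be the type the seutil relabelto rule targets.
tunable_policy(`puppet_manage_all_files',`
	gen_require(`
		type policy_config_t;
	')
	allow puppet_t policy_config_t:file relabelto;
')
```

The conditional form grants relabelto on its own, so any relabelfrom or other permissions the interface chain would have supplied still need their own rules.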