From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Thu, 18 Aug 2011 09:21:53 -0400
Subject: [refpolicy] Calling typeattribute within a tunable_policy() is not allowed?
In-Reply-To:
References: <20110813210636.GA2679@siphos.be>
Message-ID: <4E4D11F1.1040607@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 8/18/2011 4:14 AM, HarryCiao wrote:
> > Date: Sat, 13 Aug 2011 23:06:37 +0200
> > From: sven.vermeulen at siphos.be
> > To: refpolicy at oss.tresys.com
> > Subject: [refpolicy] Calling typeattribute within a tunable_policy() is not allowed?
> >
> > Hi guys,
> >
> > I wanted to add a call to seutil_relabelto_bin_policy() (through
> > files_relabel_all_files) within puppet but only when the
> > puppet_manage_all_files boolean is set.
> >
> > However, it seems that this is not allowed as the
> > seutil_relabelto_bin_policy() interface would add an attribute to the given
> > type using "typeattribute", which doesn't seem to work:
> >
> > /usr/bin/checkmodule: loading policy configuration from tmp/puppet.tmp
> > puppet.te":142:ERROR 'syntax error' at token 'typeattribute' on line 8617:
> > #line 142
> > ; typeattribute puppet_t can_relabelto_binary_policy;
> >
> > I guess that attributes are not something that can be switched on/off
> > through a tunable.
>
> Just a side note, so far the tunable is implemented as boolean, and the
> tunable_policy macro is expanded as if-else conditionals by m4, aiming
> to define some block of rules that could be switched on/off at runtime.
> However, the tunable and tunable_policy should take effect at module
> link/expand time - if the tunable is off, then the related block of rules
> would not be linked and expanded at all.

Yes, that is the reason I created tunables. The toolchain just hasn't
implemented that support yet. CIL will have this support, but that's not
done yet.

--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
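An added example, not part of this thread or of refpolicy: a small check that scans m4-expanded policy text (the tmp/*.tmp file that checkmodule loads) for typeattribute statements inside if/else blocks, the construct that tunable_policy() expands into and that checkmodule rejects. The sample policy text below is constructed to mimic the expanded puppet module, not taken from it.

```python
import re

# Constructed sample of m4-expanded policy: the tunable_policy() block has
# become an if/else conditional, and an interface call inside it expanded
# to a typeattribute statement (the case checkmodule reports as a syntax
# error). The top-level typeattribute on line 4 is fine and must not be flagged.
SAMPLE_EXPANDED = """\
policy_module(puppet, 1.0.0)
type puppet_t;
bool puppet_manage_all_files false;
typeattribute puppet_t can_relabelto_binary_policy;
if (puppet_manage_all_files) {
  allow puppet_t file_type:file { relabelfrom relabelto };
  typeattribute puppet_t can_relabelto_binary_policy;
} else {
  allow puppet_t puppet_var_lib_t:file read_file_perms;
}
"""

COND_START = re.compile(r'(if\s*\(|else\b)')

def find_conditional_typeattributes(policy_text):
    """Return (line_no, statement) for each typeattribute inside an if/else
    construct. Assumes one statement per line, as m4-expanded refpolicy
    output is laid out. Nesting inside optional {} blocks is handled by
    remembering the brace depth at which the conditional began."""
    findings = []
    depth = 0          # current brace depth
    cond_depth = None  # depth at which the active if/else construct started
    for lineno, raw in enumerate(policy_text.splitlines(), 1):
        line = raw.split('#', 1)[0].strip()   # drop comments
        if not line:
            continue
        closers = len(line) - len(line.lstrip('}'))  # braces closing first
        depth -= closers
        stmt = line[closers:].strip()
        if cond_depth is not None and depth <= cond_depth \
                and not COND_START.match(stmt):
            cond_depth = None                 # construct ended (no else)
        if cond_depth is None and COND_START.match(stmt):
            cond_depth = depth                # entering if (...) { or else {
        if cond_depth is not None and depth > cond_depth \
                and stmt.startswith('typeattribute'):
            findings.append((lineno, stmt))
        depth += stmt.count('{') - stmt.count('}')
    return findings

if __name__ == '__main__':
    for lineno, stmt in find_conditional_typeattributes(SAMPLE_EXPANDED):
        print(f"line {lineno}: typeattribute inside conditional: {stmt}")
```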