From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Fri, 19 Aug 2011 08:04:46 -0400
Subject: [refpolicy] Calling typeattribute within a tunable_policy() is not allowed?
In-Reply-To:
References: <20110813210636.GA2679@siphos.be> , <4E4D11F1.1040607@tresys.com>
Message-ID: <4E4E515E.1050906@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 08/18/11 21:44, HarryCiao wrote:
>
>> > > I guess that attributes are not something that can be switched on/off
>> > > through a tunable.
>> >
>> > Just a side note, so far the tunable is implemented as boolean, and the
>> > tunable_policy macro is expanded as if-else conditionals by m4, aiming
>> > to define some block of rules that could be switched on/off at runtime.
>> > However, the tunable and tunable_policy should take effect at module
>> > link/expand time - if the tunable is off, then related block of rules
>> > would not be linked and expanded at all.
>>
>> Yes, that is the reason I created tunables. The toolchain just hasn't
>> implemented that support yet. CIL will have this support, but that's not
>> done yet.
>
> I just started to add such support for separating tunable from boolean
> in the toolchain, hope it would be useful for CIL as well.

I think it's already been implemented in CIL. You should talk to Steve
Lawrence about it.

--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com