From: slawrence@tresys.com (Steve Lawrence)
Date: Fri, 19 Aug 2011 08:58:57 -0400
Subject: [refpolicy] Calling typeattribute within a tunable_policy() is not allowed?
In-Reply-To: <4E4E515E.1050906@tresys.com>
References: <20110813210636.GA2679@siphos.be> , <4E4D11F1.1040607@tresys.com> <4E4E515E.1050906@tresys.com>
Message-ID: <4E4E5E11.3090906@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 08/19/2011 08:04 AM, Christopher J. PeBenito wrote:
> On 08/18/11 21:44, HarryCiao wrote:
>>
>>>>> I guess that attributes are not something that can be switched on/off
>>>>> through a tunable.
>>>>
>>>> Just a side note, so far the tunable is implemented as boolean, and the
>>>> tunable_policy macro is expanded as if-else conditionals by m4, aiming
>>>> to define some block of rules that could be switched on/off at runtime.
>>>> However, the tunable and tunable_policy should take effect at module
>>>> link/expand time - if the tunable is off, then related block of rules
>>>> would not be linked and expanded at all.
>>>
>>> Yes, that is the reason I created tunables. The toolchain just hasn't
>>> implemented that support yet. CIL will have this support, but that's not
>>> done yet.
>>
>> I just started to add such support for separating tunable from boolean
>> in the toolchain, hope it would be useful for CIL as well.
>
> I think it's already been implemented in CIL. You should talk to Steve
> Lawrence about it.
>

Chris is correct. Tunables have been implemented in CIL, allowing any
CIL statement to be used inside. If you'd like to check it out, the CIL
source is in a git repo:

git clone http://oss.tresys.com/git/cil.git

The CIL design is at the following link, but it's in the process of
being updated, so some statements (like tunables) are missing from the
design.

http://userspace.selinuxproject.org/trac/wiki/CilDesign

- Steve