From: txtoth@gmail.com (Ted Toth)
Date: Mon, 8 Jun 2015 09:42:45 -0500
Subject: [refpolicy] refpolicywarn usage
In-Reply-To: <5575947A.3070005@tresys.com>
References: <CAFPpqQEKBu2SsRN=GJj2SMvNLDW+Hj91MUTkU_L_-3DbKaW1Xg@mail.gmail.com>
	<5575947A.3070005@tresys.com>
Message-ID: <CAFPpqQEqzE2777RpH_aGWGHEFs4AOd76t-wxBJAyNn8AUHCe8A@mail.gmail.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

So many lists so little time ... I'll post to the refpolicy list next time.
Simply adding:
gen_require(` type null_device_t; ')


did the trick.

On Mon, Jun 8, 2015 at 8:11 AM, Christopher J. PeBenito
<cpebenito@tresys.com> wrote:
> On 6/5/2015 4:28 PM, Ted Toth wrote:
>> I tried to use "refpolicywarn(`$0($*) has been deprecated.')" in a
>> deprecated interface removing all of the previously defined policy.
>> However the interface is used in an 'optional' which then causes the
>> policy compilation to fail. What is the right way to handle this
>> situation?
>
> This should go to the refpolicy list.
>
> Refpolicywarn is an m4 macro, so it doesn't result in any policy.  If
> you have an optional block with only one call to an interface that only
> has a refpolicywarn in its implementation, it will result in an optional
> with no rules inside.
>
> We handle this in refpolicy by calling the new interface, e.g. if
> interface X is being replaced by interface Y, in the implementation of X
> we put a refpolicywarn message and call Y.  If there is no new
> interface, you could put safe placeholder rules, such as a call to
> dev_rw_null().
>
>
> --
> Chris PeBenito
> Tresys Technology, LLC
> www.tresys.com | oss.tresys.com