From: sven.vermeulen@siphos.be (Sven Vermeulen)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] Calling typeattribute within a tunable_policy() is not allowed?
Date: Sat, 13 Aug 2011 23:06:37 +0200
Message-ID: <20110813210636.GA2679@siphos.be>

Hi guys,

I wanted to add a call to seutil_relabelto_bin_policy() (through
files_relabel_all_files) within puppet but only when the
puppet_manage_all_files boolean is set.

However, it seems that this is not allowed as the
seutil_relabelto_bin_policy() interface would add an attribute to the given
type using "typeattribute", which doesn't seem to work:


/usr/bin/checkmodule:  loading policy configuration from tmp/puppet.tmp
puppet.te":142:ERROR 'syntax error' at token 'typeattribute' on line 8617:
#line 142
	typeattribute puppet_t can_relabelto_binary_policy;


I guess that attributes are not something that can be switched on/off
through a tunable. Does that mean that the best way to handle this is to
move the "typeattribute $1 can_relabelto_binary_policy;" out of the
seutil_relabelto_bin_policy() interface and make sure that whoever calls
that interface first sets this attribute?

Then, puppet would have the attribute set, but the effective permission
would still be "shielded" by the boolean...

Wkr,
	Sven Vermeulen
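
The arrangement the message proposes, as an added sketch that is not part of the original post or of refpolicy: SELinux conditional blocks accept rules such as allow, but not typeattribute statements, so the attribute is associated unconditionally and only the allow rule sits under the boolean. The interface name example_relabelto_bin_policy_rule is hypothetical, and its body (an allow on policy_config_t) is an assumption about what the rule part of seutil_relabelto_bin_policy() contains.

```m4
# Hypothetical interface (assumed name, not a refpolicy interface):
# it carries only the allow rule and no typeattribute statement,
# so it is safe to call from inside a conditional block.
interface(`example_relabelto_bin_policy_rule',`
	gen_require(`
		type policy_config_t;
	')

	# Assumed rule body; policy_config_t is the binary policy type.
	allow $1 policy_config_t:file relabelto;
')

# puppet.te (sketch)
gen_require(`
	attribute can_relabelto_binary_policy;
')

# Attribute association is always unconditional, so it is placed
# outside tunable_policy(). The attribute alone grants no permission.
typeattribute puppet_t can_relabelto_binary_policy;

tunable_policy(`puppet_manage_all_files',`
	# Only this allow rule is switched by the boolean.
	example_relabelto_bin_policy_rule(puppet_t)
')
```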
