Aliases

Aliases

[dmaynor]

Is their a limit on the number of alias interfaces you can have under 2.4?

Re: Aliases

[dlang]

I haven't run into it yet, and yesterday I setup a box with >1700

David Lang



On Thu, 16 Aug 2001 dmaynor@iceland.oit.gatech.edu wrote:

> Date: Thu, 16 Aug 2001 17:11:27 -0400
> From: dmaynor@iceland.oit.gatech.edu
> To: linux-kernel@vger.kernel.org
> Subject: Aliases
>
> Is their a limit on the number of alias interfaces you can have under 2.4?
> -
> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at  http://www.tux.org/lkml/
>

Re: Aliases

[Jim Roland]

Having recently gone from 2.2 to 2.4 what's the device convention now?  I
thought it was eth0 (example) and eth0:0 .. eth0:255, but knew kernel 2.4
would take it further.

----- Original Message -----
From: "dlang" <dlang@enabledparadigm.com>
To: <dmaynor@iceland.oit.gatech.edu>
Cc: <linux-kernel@vger.kernel.org>
Sent: Thursday, August 16, 2001 9:48 PM
Subject: Re: Aliases


> I haven't run into it yet, and yesterday I setup a box with >1700
>
> David Lang
>
>
>
> On Thu, 16 Aug 2001 dmaynor@iceland.oit.gatech.edu wrote:
>
> > Date: Thu, 16 Aug 2001 17:11:27 -0400
> > From: dmaynor@iceland.oit.gatech.edu
> > To: linux-kernel@vger.kernel.org
> > Subject: Aliases
> >
> > Is their a limit on the number of alias interfaces you can have under
2.4?
> > -
> > To unsubscribe from this list: send the line "unsubscribe linux-kernel"
in
> > the body of a message to majordomo@vger.kernel.org
> > More majordomo info at  http://vger.kernel.org/majordomo-info.html
> > Please read the FAQ at  http://www.tux.org/lkml/
> >
>
> -
> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at  http://www.tux.org/lkml/
>

Re: Aliases

[Justin Guyett]

On Sat, 18 Aug 2001, Jim Roland wrote:

> Having recently gone from 2.2 to 2.4 what's the device convention now?  I
> thought it was eth0 (example) and eth0:0 .. eth0:255, but knew kernel 2.4
> would take it further.

presuming this isn't an ifconfig limit instead of a kernel limit, trying
"ifconfig eth0:x" works for x < 10000, anything > 10000 and x becomes
x%10000.

However, 2.4 also has multiple addresses of the same type per device;
unfortunately it's fairly slow.  Adding or deleting addresses seems to
take ~5 seconds per 255 addresses on my machine, and listing addresses
takes about 1 second / 300 addresses on the same machine.

Also, listing addresses for another interface isn't any faster, which is
unfortunate; ip shouldn't need to check addresses of all interfaces just
to get the ones for the requested interface.

At least listing time seems to increase linearly with the number of
addresses.  IIRC someone posted a patch a few weeks ago to speed this up
(no longer sits for a long time before listing addresses).

time ip addr show dev eth1 | wc -l
  37766
ip addr show dev eth1  113.17s user 1.82s system 99% cpu 1:55.38 total

Also, ifconfig, which has no idea about any but the first address in an
address class, also does nothing for the same amount of time before
listing interfaces.

Anyway, it seems ip and the 2.4 scheme with multiple addresses per
interface can handle many more addresses than ifconfig and the device
alias scheme.


justin

Re: Aliases

[Ralf Baechle]

On Sat, Aug 18, 2001 at 03:30:59AM -0700, Justin Guyett wrote:

> > Having recently gone from 2.2 to 2.4 what's the device convention now?  I
> > thought it was eth0 (example) and eth0:0 .. eth0:255, but knew kernel 2.4
> > would take it further.
> 
> presuming this isn't an ifconfig limit instead of a kernel limit, trying
> "ifconfig eth0:x" works for x < 10000, anything > 10000 and x becomes
> x%10000.

For various reasons interfaces aliases are deprecated.  The recommended
way of doing things these days is just adding more addresses to an
interface with the ip(8) program from the iproute package.  It works like:

  ip addr add 192.168.2.0/24 broadcast 192.168.2.255 scope host dev eth0

> However, 2.4 also has multiple addresses of the same type per device;
> unfortunately it's fairly slow.  Adding or deleting addresses seems to
> take ~5 seconds per 255 addresses on my machine, and listing addresses
> takes about 1 second / 300 addresses on the same machine.

It seems you've tried to add individual addresses, one by one.  That's not
necessary, you can add the addresses of a whole subnet to the kernel.  If
you have a large network that's dramatically faster and easier to
administrate.

> Also, listing addresses for another interface isn't any faster, which is
> unfortunate; ip shouldn't need to check addresses of all interfaces just
> to get the ones for the requested interface.
> 
> At least listing time seems to increase linearly with the number of
> addresses.  IIRC someone posted a patch a few weeks ago to speed this up
> (no longer sits for a long time before listing addresses).
> 
> time ip addr show dev eth1 | wc -l
>   37766
> ip addr show dev eth1  113.17s user 1.82s system 99% cpu 1:55.38 total

That's crude abuse unless your IPs are actually non-contiguous in address
space - which they're almost certainly not.

> Also, ifconfig, which has no idea about any but the first address in an
> address class, also does nothing for the same amount of time before
> listing interfaces.

ifconfig is deprecated as it permits you only access to a small part of
power of the current Linux networking; ip is the recommended replacement.

> Anyway, it seems ip and the 2.4 scheme with multiple addresses per
> interface can handle many more addresses than ifconfig and the device
> alias scheme.

Try ``ip addr add 10.0.0.0/8 broadcast 10.255.255.255 scope host dev eth0''
with interface aliases :-)

  Ralf

Re: Aliases

[Michael Clark]

Justin Guyett wrote:

> presuming this isn't an ifconfig limit instead of a kernel limit, trying
> "ifconfig eth0:x" works for x < 10000, anything > 10000 and x becomes
> x%10000.

must be a limit in your version of ifconfig.

# ifconfig --version
net-tools 1.60
ifconfig 1.42 (2001-04-13)

# ifconfig lo:10001 127.0.0.2
# ifconfig lo:20001 127.0.0.3
# ifconfig lo:10001
lo:10001  Link encap:Local Loopback  
          inet addr:127.0.0.2  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1

# ifconfig lo:20001  
lo:20001  Link encap:Local Loopback  
          inet addr:127.0.0.3  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1

> However, 2.4 also has multiple addresses of the same type per device;
> unfortunately it's fairly slow.  Adding or deleting addresses seems to
> take ~5 seconds per 255 addresses on my machine, and listing addresses
> takes about 1 second / 300 addresses on the same machine.

I can raise 1000 interfaces in 1.6 seconds with 2.4.8 on a 500MHz PIII using my
custom written ifconfig program designed for raising a batch of IPS in one go.
I've actually got up to about 64000 IPs on one interface but performance
degrades rapidly after about 8000 probably due to the kernel ip hash size - i
didn't try any higher than this. Anybody wanting more than a Class B of ip
aliases on one machine has gotta have some sort of problem so I don't think its
really an issue.

# time ./vifup -q -f ip.list internal
available interfaces for internal network: eth1
raised 1020 of 1020

real	0m1.671s
user	0m0.820s
sys	0m0.850s

> Also, listing addresses for another interface isn't any faster, which is
> unfortunate; ip shouldn't need to check addresses of all interfaces just
> to get the ones for the requested interface.

It does need to. The kernel ioctl SIOCGIFCONF only lets you fetch info for all
interfaces so you have to search through the whole lot to find the ones your
interested in. This is a standard BSD interface - or is there a new interface
used by ip??.

~mc

Re: Aliases

[David Lang]

the problem with adding an entire netblock to an interface is that you
frequently have a gateway on that netblock that belongs to another
machine so you want to add 253 out of 256 addresses to your machine.

how do you do that easily?

example gateway is 192.168.1.1 and you want the rest of the 192.168.1.x
network aliased on the machine.

David Lang


 On
Sat, 18 Aug 2001, Ralf Baechle wrote:

> Date: Sat, 18 Aug 2001 14:32:32 +0200
> From: Ralf Baechle <ralf@uni-koblenz.de>
> To: Justin Guyett <justin@soze.net>
> Cc: Jim Roland <jroland@roland.net>, linux-kernel@vger.kernel.org
> Subject: Re: Aliases
>
> On Sat, Aug 18, 2001 at 03:30:59AM -0700, Justin Guyett wrote:
>
> > > Having recently gone from 2.2 to 2.4 what's the device convention now?  I
> > > thought it was eth0 (example) and eth0:0 .. eth0:255, but knew kernel 2.4
> > > would take it further.
> >
> > presuming this isn't an ifconfig limit instead of a kernel limit, trying
> > "ifconfig eth0:x" works for x < 10000, anything > 10000 and x becomes
> > x%10000.
>
> For various reasons interfaces aliases are deprecated.  The recommended
> way of doing things these days is just adding more addresses to an
> interface with the ip(8) program from the iproute package.  It works like:
>
>   ip addr add 192.168.2.0/24 broadcast 192.168.2.255 scope host dev eth0
>
> > However, 2.4 also has multiple addresses of the same type per device;
> > unfortunately it's fairly slow.  Adding or deleting addresses seems to
> > take ~5 seconds per 255 addresses on my machine, and listing addresses
> > takes about 1 second / 300 addresses on the same machine.
>
> It seems you've tried to add individual addresses, one by one.  That's not
> necessary, you can add the addresses of a whole subnet to the kernel.  If
> you have a large network that's dramatically faster and easier to
> administrate.
>
> > Also, listing addresses for another interface isn't any faster, which is
> > unfortunate; ip shouldn't need to check addresses of all interfaces just
> > to get the ones for the requested interface.
> >
> > At least listing time seems to increase linearly with the number of
> > addresses.  IIRC someone posted a patch a few weeks ago to speed this up
> > (no longer sits for a long time before listing addresses).
> >
> > time ip addr show dev eth1 | wc -l
> >   37766
> > ip addr show dev eth1  113.17s user 1.82s system 99% cpu 1:55.38 total
>
> That's crude abuse unless your IPs are actually non-contiguous in address
> space - which they're almost certainly not.
>
> > Also, ifconfig, which has no idea about any but the first address in an
> > address class, also does nothing for the same amount of time before
> > listing interfaces.
>
> ifconfig is deprecated as it permits you only access to a small part of
> power of the current Linux networking; ip is the recommended replacement.
>
> > Anyway, it seems ip and the 2.4 scheme with multiple addresses per
> > interface can handle many more addresses than ifconfig and the device
> > alias scheme.
>
> Try ``ip addr add 10.0.0.0/8 broadcast 10.255.255.255 scope host dev eth0''
> with interface aliases :-)
>
>   Ralf
> -
> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at  http://www.tux.org/lkml/
>

Re: Aliases

[David Ford]

>
>
>For various reasons interfaces aliases are deprecated.  The recommended
>way of doing things these days is just adding more addresses to an
>interface with the ip(8) program from the iproute package.  It works like:
>
>  ip addr add 192.168.2.0/24 broadcast 192.168.2.255 scope host dev eth0
>

You can shorten this to:

    ip a a 192.168.2.0/24 brd + dev eth0

..and leaving the scope global [by default] which makes it fully reachable.

David

Re: Aliases

[David Ford]

Try before you buy.



# ip a a 192.168.0.0/24 brd + dev eth0
# ip r a 192.168.0.1/32 via 208.179.59.1 dev eth0

# ip r g 192.168.0.1
192.168.0.1 via 208.179.59.1 dev eth0  src 208.179.59.2
    cache  mtu 1500 advmss 1460

# ip r g 192.168.0.2
192.168.0.2 dev eth0  src 192.168.0.0
    cache  mtu 1500 advmss 1460

David

David Lang wrote:

>the problem with adding an entire netblock to an interface is that you
>frequently have a gateway on that netblock that belongs to another
>machine so you want to add 253 out of 256 addresses to your machine.
>
>how do you do that easily?
>
>example gateway is 192.168.1.1 and you want the rest of the 192.168.1.x
>network aliased on the machine.
>

Re: Aliases

[Ralf Baechle]

On Sat, Aug 18, 2001 at 03:25:31PM -0400, David Ford wrote:

> >For various reasons interfaces aliases are deprecated.  The recommended
> >way of doing things these days is just adding more addresses to an
> >interface with the ip(8) program from the iproute package.  It works like:
> >
> >  ip addr add 192.168.2.0/24 broadcast 192.168.2.255 scope host dev eth0
> 
> You can shorten this to:
> 
>     ip a a 192.168.2.0/24 brd + dev eth0
> 
> ..and leaving the scope global [by default] which makes it fully reachable.

I did not mean to reproduce the whole over 50 pages of docs documentation
in my posting.

  Ralf

Re: Aliases

[Andi Kleen]

Ralf Baechle <ralf@uni-koblenz.de> writes:
> 
> For various reasons interfaces aliases are deprecated.  The recommended
> way of doing things these days is just adding more addresses to an
> interface with the ip(8) program from the iproute package.  It works like:
> 
>   ip addr add 192.168.2.0/24 broadcast 192.168.2.255 scope host dev eth0

Newer ifconfig also supports "add" for IPv4 (older supported it only for 
v6)

The problem of the original poster is also likely to have an too old ifconfig;
older ones had some O(n^2) algorithms with hurt with many interfaces.

-Andi

Re: Aliases

[David Lang]

where can I get the iproute package mentioned below. I just double checked
slackware 8.0 and it isn't included.

David Lang

On Sat, 18 Aug 2001, Ralf Baechle wrote:

> Date: Sat, 18 Aug 2001 14:32:32 +0200
> From: Ralf Baechle <ralf@uni-koblenz.de>
> To: Justin Guyett <justin@soze.net>
> Cc: Jim Roland <jroland@roland.net>, linux-kernel@vger.kernel.org
> Subject: Re: Aliases
>
> On Sat, Aug 18, 2001 at 03:30:59AM -0700, Justin Guyett wrote:
>
> > > Having recently gone from 2.2 to 2.4 what's the device convention now?  I
> > > thought it was eth0 (example) and eth0:0 .. eth0:255, but knew kernel 2.4
> > > would take it further.
> >
> > presuming this isn't an ifconfig limit instead of a kernel limit, trying
> > "ifconfig eth0:x" works for x < 10000, anything > 10000 and x becomes
> > x%10000.
>
> For various reasons interfaces aliases are deprecated.  The recommended
> way of doing things these days is just adding more addresses to an
> interface with the ip(8) program from the iproute package.  It works like:
>
>   ip addr add 192.168.2.0/24 broadcast 192.168.2.255 scope host dev eth0
>
> > However, 2.4 also has multiple addresses of the same type per device;
> > unfortunately it's fairly slow.  Adding or deleting addresses seems to
> > take ~5 seconds per 255 addresses on my machine, and listing addresses
> > takes about 1 second / 300 addresses on the same machine.
>
> It seems you've tried to add individual addresses, one by one.  That's not
> necessary, you can add the addresses of a whole subnet to the kernel.  If
> you have a large network that's dramatically faster and easier to
> administrate.
>
> > Also, listing addresses for another interface isn't any faster, which is
> > unfortunate; ip shouldn't need to check addresses of all interfaces just
> > to get the ones for the requested interface.
> >
> > At least listing time seems to increase linearly with the number of
> > addresses.  IIRC someone posted a patch a few weeks ago to speed this up
> > (no longer sits for a long time before listing addresses).
> >
> > time ip addr show dev eth1 | wc -l
> >   37766
> > ip addr show dev eth1  113.17s user 1.82s system 99% cpu 1:55.38 total
>
> That's crude abuse unless your IPs are actually non-contiguous in address
> space - which they're almost certainly not.
>
> > Also, ifconfig, which has no idea about any but the first address in an
> > address class, also does nothing for the same amount of time before
> > listing interfaces.
>
> ifconfig is deprecated as it permits you only access to a small part of
> power of the current Linux networking; ip is the recommended replacement.
>
> > Anyway, it seems ip and the 2.4 scheme with multiple addresses per
> > interface can handle many more addresses than ifconfig and the device
> > alias scheme.
>
> Try ``ip addr add 10.0.0.0/8 broadcast 10.255.255.255 scope host dev eth0''
> with interface aliases :-)
>
>   Ralf
> -
> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at  http://www.tux.org/lkml/
>

Re: Aliases

[Justin Guyett]

On Sun, 19 Aug 2001, David Lang wrote:

> where can I get the iproute package mentioned below. I just double checked
> slackware 8.0 and it isn't included.

Yeah, i always get upset when I go looking for it because it's not on
freshmeat.  iproute and iputils both.

ftp://ftp.inr.ac.ru/ip-routing/


justin

aliases

[Russell Coker]

I believe that we need a minor change in the policy language to deal with 
aliases.

The current setup requires that all aliases be specified on the type 
declaration line.  One significant problem with this is that if a type is 
declared by a macro there is no way to add aliases to it.  Because of this we 
have at various times had aliases specified in macros when they weren't 
needed for 95% of the cases.

I believe that a declaration of the form is necessary:
typealias foo_t aliases { bar_t baz_t };

That would mean that I could do:

var_run_domain(foo)
typealias foo_var_run_t alias var_run_foo_t;

Instead of having the current alias in the var_run_domain() macro.  Of course 
it's no big deal for the var_run_domain() macro (and I'll remove the alias 
from my tree because it's been there too long anyway).  But there are other 
situations which are more difficult to manage (such as renaming netscape to 
mozilla).

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: aliases

[Stephen Smalley]

On Fri, 2004-01-09 at 06:18, Russell Coker wrote:
> I believe that we need a minor change in the policy language to deal with 
> aliases.
> 
> The current setup requires that all aliases be specified on the type 
> declaration line.  One significant problem with this is that if a type is 
> declared by a macro there is no way to add aliases to it.  Because of this we 
> have at various times had aliases specified in macros when they weren't 
> needed for 95% of the cases.
> 
> I believe that a declaration of the form is necessary:
> typealias foo_t aliases { bar_t baz_t };
> 
> That would mean that I could do:
> 
> var_run_domain(foo)
> typealias foo_var_run_t alias var_run_foo_t;
> 
> Instead of having the current alias in the var_run_domain() macro.  Of course 
> it's no big deal for the var_run_domain() macro (and I'll remove the alias 
> from my tree because it's been there too long anyway).  But there are other 
> situations which are more difficult to manage (such as renaming netscape to 
> mozilla).

Aside from preserving old type names for compatibility, type aliases
seem to have little use, and significant potential for confusion.  

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: aliases

[Stephen Smalley]

[-- Attachment #1: Type: text/plain, Size: 1489 bytes --]

On Fri, 2004-01-09 at 06:18, Russell Coker wrote:
> I believe that we need a minor change in the policy language to deal with 
> aliases.
> 
> The current setup requires that all aliases be specified on the type 
> declaration line.  One significant problem with this is that if a type is 
> declared by a macro there is no way to add aliases to it.  Because of this we 
> have at various times had aliases specified in macros when they weren't 
> needed for 95% of the cases.
> 
> I believe that a declaration of the form is necessary:
> typealias foo_t aliases { bar_t baz_t };
> 
> That would mean that I could do:
> 
> var_run_domain(foo)
> typealias foo_var_run_t alias var_run_foo_t;
> 
> Instead of having the current alias in the var_run_domain() macro.  Of course 
> it's no big deal for the var_run_domain() macro (and I'll remove the alias 
> from my tree because it's been there too long anyway).  But there are other 
> situations which are more difficult to manage (such as renaming netscape to 
> mozilla).

A simple patch for checkpolicy that adds such typealias declarations
is attached.  However, note that this patch only supports typealias
declarations _after_ the base type declaration has been processed;
removing this ordering dependency would require reworking checkpolicy
further, as it currently collects all of the type declarations
(including alias and attribute information) in a single pass.

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency

[-- Attachment #2: checkpolicy-typealias.patch --]
[-- Type: text/x-patch, Size: 3048 bytes --]

Index: checkpolicy/policy_parse.y
===================================================================
RCS file: /nfshome/pal/CVS/selinux-usr/checkpolicy/policy_parse.y,v
retrieving revision 1.11
diff -u -r1.11 policy_parse.y
--- checkpolicy/policy_parse.y	15 Jan 2004 14:23:02 -0000	1.11
+++ checkpolicy/policy_parse.y	15 Jan 2004 17:48:45 -0000
@@ -42,6 +42,7 @@
 static int define_common_base(void);
 static int define_av_base(void);
 static int define_attrib(void);
+static int define_typealias(void);
 static int define_type(int alias);
 static int define_compute_type(int which);
 static int define_te_avtab(int which);
@@ -82,6 +83,7 @@
 %token SID
 %token ROLE
 %token ROLES
+%token TYPEALIAS
 %token TYPE
 %token TYPES
 %token ALIAS
@@ -240,6 +242,7 @@
 			;
 te_decl			: attribute_def
                         | type_def
+                        | typealias_def
                         | transition_def
                         | te_avtab_def
 			;
@@ -251,6 +254,9 @@
 	                | TYPE identifier opt_attr_list ';'
                         {if (define_type(0)) return -1;}
     			;
+typealias_def           : TYPEALIAS identifier alias_def
+			{if (define_typealias()) return -1;}
+			;
 opt_attr_list           : ',' id_comma_list
 			| 
 			;
@@ -1479,6 +1485,61 @@
 	return 0;
 }
 
+static int define_typealias(void)
+{
+	char *id;
+	type_datum_t *t, *aliasdatum;;
+	int ret;
+
+
+	if (pass == 2) {
+		while ((id = queue_remove(id_queue))) 
+			free(id);
+		return 0;
+	}
+
+	id = (char *) queue_remove(id_queue);
+	if (!id) {
+		yyerror("no type name for typealias definition?");
+		return -1;
+	}
+
+	t = hashtab_search(policydbp->p_types.table, id);
+	if (!t || t->isattr) {
+		sprintf(errormsg, "unknown type %s", id);
+		yyerror(errormsg);
+		free(id);
+		return -1;
+	}
+
+	while ((id = queue_remove(id_queue))) {
+		aliasdatum = (type_datum_t *) malloc(sizeof(type_datum_t));
+		if (!aliasdatum) {
+			yyerror("out of memory");
+			return -1;
+		}
+		memset(aliasdatum, 0, sizeof(type_datum_t));
+		aliasdatum->value = t->value;
+
+		ret = hashtab_insert(policydbp->p_types.table,
+				     (hashtab_key_t) id, (hashtab_datum_t) aliasdatum);
+
+		if (ret == HASHTAB_PRESENT) {
+			sprintf(errormsg, "name conflict for type alias %s", id);
+			yyerror(errormsg);
+			free(aliasdatum);
+			free(id);
+			return -1;
+		}
+		if (ret == HASHTAB_OVERFLOW) {
+			yyerror("hash table overflow");
+			free(aliasdatum);
+			free(id);
+			return -1;
+		}
+	}
+	return 0;
+}
 
 static int define_type(int alias)
 {
Index: checkpolicy/policy_scan.l
===================================================================
RCS file: /nfshome/pal/CVS/selinux-usr/checkpolicy/policy_scan.l,v
retrieving revision 1.3
diff -u -r1.3 policy_scan.l
--- checkpolicy/policy_scan.l	17 Dec 2003 16:52:20 -0000	1.3
+++ checkpolicy/policy_scan.l	15 Jan 2004 17:33:23 -0000
@@ -46,6 +46,8 @@
 roles				{ return(ROLES); }
 TYPES |
 types				{ return(TYPES); }
+TYPEALIAS |
+typealias			{ return(TYPEALIAS); }
 TYPE |
 type				{ return(TYPE); }
 ALIAS |