From mboxrd@z Thu Jan 1 00:00:00 1970
From: qingtao.cao@windriver.com (Harry Ciao)
Date: Wed, 29 Feb 2012 16:20:47 +0800
Subject: [refpolicy] [v0 PATCH 1/1] Copy role declarations to the top of base.conf or policy.conf
In-Reply-To: <4F4CF938.5030601@tresys.com>
References: <1330425185-10025-1-git-send-email-qingtao.cao@windriver.com> <4F4CAF51.2030501@windriver.com> <4F4CF938.5030601@tresys.com>
Message-ID: <4F4DDFDF.5080506@windriver.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Hi Chris,

On 02/28/2012 11:56 PM, Christopher J. PeBenito wrote:
> On 2/28/2012 5:41 AM, Harry Ciao wrote:
>> Hi Chirst,
>
> Call me Chris please. Christ has completely different meanings that I
> couldn't live up to :)

Gotcha :-)

Many thanks for your suggestion, turns out the role declaration and role-types rules could be separated in such an elegant way! I've also made very small changes and posted the patch again.

Thanks again!

Harry

>
>> I am a rookie about regexp, were I able to match just the role rule but
>> skip the role-types rule in one regexp, I would have combined the two
>> steps of "get_role_rules" and "remove_role_types" into one, and properly
>> comment out the original role declaration, which so far has not been
>> commented off but duplicated to the top of base.conf or policy.conf,
>> where I have taken the advantage of the fact that multiple declarations
>> for a role identifier are tolerated by the compiler.
>>
>> Such improvement is a must-have given that role-types no longer is used
>> to define roles, and a module built into base.pp which also defines a
>> role could be sorted after other modules which could reference the same
>> role in the role-types rule.
>
> How about this:
>
> diff --git a/support/comment_move_decl.sed > b/support/comment_move_decl.sed > index 601c4f7..1d851c9 100644 > --- a/support/comment_move_decl.sed > +++ b/support/comment_move_decl.sed
> @@ -10,5 +10,6 @@ > /^[[:blank:]]*fs_use_(xattr|task|trans) /s/^/# this line was moved by > the build process: &/ > /^[[:blank:]]*sid /s/^/# this line was moved by the build process: &/ > /^[[:blank:]]*bool /s/^/# this line was moved by the build process: &/ > +/^[[:blank:]]*role [a-zA-Z_]+[[:blank:]]*;/s/^/# this line was moved > by the build process: &/ > > :nextline > diff --git a/support/get_type_attr_decl.sed > b/support/get_type_attr_decl.sed > index 69c6ccd..5bf48be 100644 > --- a/support/get_type_attr_decl.sed > +++ b/support/get_type_attr_decl.sed > @@ -10,4 +10,9 @@ > p > } > > +/^[[:blank:]]*role [a-zA-Z_]+[[:blank:]]*;/{ > + s/^[[:blank:]]+// > + p > +} > + > :nextline > >
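Review bot: in the support/comment_move_decl.sed hunk, the identifier class `[a-zA-Z_]+` in the added `role` address contains no digits, so a declaration whose role name includes a digit would not be commented out by this rule (and, since the same class is used in get_type_attr_decl.sed, would not be copied to the top either). Consider `[a-zA-Z0-9_]+` in both files. Separately, the added line and the `fs_use_` context line above it are wrapped by the mailer in this message, so the hunk will not apply as quoted; it needs re-sending unwrapped or as an attachment.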
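Review bot: in the support/get_type_attr_decl.sed hunk, the address `/^[[:blank:]]*role [a-zA-Z_]+[[:blank:]]*;/` requires exactly one literal space after `role`, while leading and trailing whitespace are matched with `[[:blank:]]`. A declaration written with a tab or more than one space after the keyword is therefore neither printed here nor commented out by the matching rule in comment_move_decl.sed; `role[[:blank:]]+` would treat the separator the same way as the rest of the pattern. Because the copy and the comment-out now depend on the same regex living in two files, a short comment in each noting that the two must stay identical would help keep a declaration from being commented out without being copied.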