Hi,
It seems that if an interface has a role statement inside it, that interface can’t be used *inside* a tunable_policy block.
For example, the shutdown_run() interface causes this policy to fail compilation:
policy_module(test, 1.0.0)
require { type staff_t; role staff_r; }
gen_tunable(staff_shutdown, false)
tunable_policy(`staff_shutdown', ` shutdown_run(staff_t,staff_r) ')
This is the error given:
test.te":10:ERROR 'syntax error' at token 'role' on line 3360:
role staff_r types shutdown_t;
#line 10
/usr/bin/checkmodule: error(s) encountered while parsing configuration
make: *** [tmp/test.mod] Error 1
If I manually put the rules that interface generates into the tunable_policy block but place the role statement outside, it compiles fine. The rpm_run() interface also fails to compile when inside a tunable_policy block (presumably for the same reason).
Thanks, Doug
Yes, it is intended. If we need to have such a rule (conditional), we use ifdef for these cases.
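Added example, not code from the thread or from the reference policy itself: the same module written both ways that compile, with the role statement hoisted out of the tunable_policy block (the workaround Doug describes) and, as the reply suggests, a build-time ifdef in place of the runtime boolean. It assumes the refpolicy shutdown module's shutdown_t and shutdown_exec_t types, the domtrans_pattern support macro, and a hypothetical m4 symbol enable_staff_shutdown passed at build time.

```selinux
policy_module(test, 1.0.0)

require {
	type staff_t;
	role staff_r;
	type shutdown_t, shutdown_exec_t;
}

gen_tunable(staff_shutdown, false)

# Option 1: runtime boolean. A conditional block in the kernel policy can
# only toggle access-vector and type-transition rules, so the role
# authorization stays unconditional and only the rules that shutdown_run()
# would otherwise generate go under the boolean.
role staff_r types shutdown_t;

tunable_policy(`staff_shutdown',`
	domtrans_pattern(staff_t, shutdown_exec_t, shutdown_t)
')

# Option 2: build-time ifdef. m4 expands this before checkmodule parses the
# policy, so the role statement inside shutdown_run() is never conditional
# from the compiler's point of view. enable_staff_shutdown is an assumed
# symbol, e.g. defined with `-D enable_staff_shutdown` when running m4.
ifdef(`enable_staff_shutdown',`
	shutdown_run(staff_t, staff_r)
')
```

Option 1 can be switched on a running system with setsebool; option 2 requires rebuilding and reloading the module.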
selinux@lists.fedoraproject.org