Greetings everyone!

I'm trying to set up a demonstration of SELinux functionality for a few people, and have been hitting my head against a brick wall on it for 2 days, was hoping that maybe you guys could give me some advice...

Background:

System: Fedora Core 3, updated to latest packages via "yum update"
Strict policy, version 1.19.10-2, and the strict policy sources installed.

The Goal: To demonstrate locking down access to a file to only a certain role, privileged_r. User account should have to access that role via the newrole command.

The current problem:

According to the policy writing docs, a role should be created via the full_user_role() macro. So, in domains/misc/custom_policy.te, I placed the following line (along with other custom rules that have already been compiled successfully and work):

    full_user_role(privileged)

The docs also say that new user roles should be added to the in_user_role macro within macros/user_macros.te, so I did that as well, making that macro look like this:

    undefine(`in_user_role')
    define(`in_user_role', `
            role user_r types $1;
            role staff_r types $1;
            role privileged_r type $1;
    ')

Now, when trying to compile the policy after that, I get the following error:

    /usr/bin/checkpolicy: loading policy configuration from policy.conf
    domains/misc/custom_policy.te:13:ERROR 'unknown type privileged_userhelper_t' at token ';' on line 115000:
    #line 13
    allow privileged_mozilla_t privileged_userhelper_t:process transition;
    /usr/bin/checkpolicy: error(s) encountered while parsing configuration
    make: *** [/etc/selinux/strict/policy/policy.18] Error 1

I've been banging my head against the wall on this one for a day and a half - have searched the web, read numerous docs on creating policy, looked at how the full_user_role macro is used elsewhere in the policy, and I simply can't figure out what I'm doing wrong.

Anyone have any ideas?

Jeremy

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
http://www.redhat.com/mailman/listinfo/fedora-selinux-list