Joe Nall wrote:
> It appears that per role template expansion is disabled in the modules
> shipped with fedora selinux-policy 3.5.10 but enabled for modules
> compiled with the resulting policy (which uses a different Makefile).
>
> Why is there a difference?
>
> joe
>
> from the policy Makefile:
>
> # perrole-expansion modulename,outputfile
> define perrole-expansion
> echo "No longer doing perrole-expansion"
> # $(verbose) echo "ifdef(\`""$1""_per_role_template',\`" > $2
> # $(call parse-rolemap,$1,$2)
> # $(verbose) echo "')" >> $2
>
> # $(verbose) echo "ifdef(\`""$1""_per_userdomain_template',\`" >> $2
> # $(verbose) echo "errprint(\`Warning: per_userdomain_templates
> have been renamed to per_role_templates
> (""$1""_per_userdomain_template)'__endline__)" >> $2
> # $(call parse-rolemap-compat,$1,$2)
> # $(verbose) echo "')" >> $2
> endef
>
> from /usr/share/selinux/devel/include/Makefile:
>
> # peruser-expansion modulename,outputfile
> define peruser-expansion
> $(verbose) echo "ifdef(\`""$1""_per_role_template',\`" > $2
> $(call parse-rolemap,$1,$2)
> $(verbose) echo "')" >> $2
>
> $(verbose) echo "ifdef(\`""$1""_per_userdomain_template',\`" >> $2
> $(verbose) echo "errprint(\`Warning: per_userdomain_templates
> have been renamed to per_role_templates
> (""$1""_per_userdomain_template)'__endline__)" >> $2
> $(call parse-rolemap-compat,$1,$2)
> $(verbose) echo "')" >> $2
> endef
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
It is a bug. Automatic per role expansion is a mistake. Please open a
bugzilla. (With a patch if possible. :^)
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
