On Fri, 2013-11-01 at 11:39 -0400, JeeHyun Hwang wrote:
> Hello, all,
>
> I downloaded source file of selinux. I made policy.conf using make conf. I
> try to use apol to analyze policy.conf and found the error below. It seems
> that, attribute_role cannot be parsed in libqpol.
>
> ERROR 'syntax error' at token 'attribute_role' on line 1299:
> attribute zarafa_domain;
> attribute_role bootleader_roles; <-- This is first shown attribute_role
> in policy.conf
>

I guess libqpol might not support the relatively new role attribute functionality.

> I also try to compile using checkpolicy using make policy. But, it hangs
> all day. I think that it's the same problem.
>

Checkpolicy is just slow because of the assertion checking it does.

A way to work around that is to use checkmodule instead to create a base module and to create loadable modules (modular instead of monolithic).

Then run either semodule_link ... and semodule_expand -a ... to glue it all together into a single policy.db without checking assertions (faster).

> Could you please let me know how to parse 'attribute_role'? Do I miss
> anything.
>

Role attributes work pretty much the same as type attributes.

Basically you associate roles with roleattribute, then you can use that to write rules that apply to groups of roles rather than a single role.

The policy analysis tools may not directly support role attributes yet, but indirectly you should be able to verify that role attributes get expanded properly with tools like seinfo: seinfo -r, and seinfo -xr.

> Thank you in advance.
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux
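
Added example, not part of the original thread and not code from any SELinux tool: a Python function that expands role attributes found in policy.conf text into per-role type sets, for comparison with what `seinfo -xr` reports on the compiled policy. It assumes only the `attribute_role`, `roleattribute` and `role ... types` statements matter; the function name `expand_role_types` and every name in the sample policy are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in policy.conf syntax; all names are hypothetical.
SAMPLE_POLICY = """
attribute_role backup_roles;
role system_r;
role sysadm_r;
type backup_t;
type backup_tmp_t;
type sysadm_t;
roleattribute system_r backup_roles;
roleattribute sysadm_r backup_roles;
role backup_roles types { backup_t backup_tmp_t };
role sysadm_r types sysadm_t;
"""

def expand_role_types(policy_text):
    """Return {role: set_of_types} with role attributes expanded to their member roles."""
    text = re.sub(r"#.*", "", policy_text)      # drop comments and m4 "#line" markers
    role_attrs = set()                           # names declared with attribute_role
    members = defaultdict(set)                   # role attribute -> member roles
    grants = []                                  # (role or role attribute, [types])
    for raw in text.split(";"):                  # statements may span several lines
        stmt = re.sub(r"[{},]", " ", raw).split()
        if len(stmt) < 2:
            continue
        if stmt[0] == "attribute_role":
            role_attrs.add(stmt[1])
        elif stmt[0] == "roleattribute":         # roleattribute ROLE ATTR[, ATTR ...]
            for attr in stmt[2:]:
                members[attr].add(stmt[1])
        elif stmt[0] == "role" and "types" in stmt:
            grants.append((stmt[1], stmt[stmt.index("types") + 1:]))
    expanded = defaultdict(set)
    for name, types in grants:
        # A grant to a role attribute applies to every role associated with it.
        for role in (members[name] if name in role_attrs else {name}):
            expanded[role].update(types)
    return dict(expanded)

if __name__ == "__main__":
    for role, types in sorted(expand_role_types(SAMPLE_POLICY).items()):
        print(role, " ".join(sorted(types)))
```

If a role's type set here differs from the one in the compiled policy, the role attribute was not expanded as written in the source.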