Thank you for your answer.
Is there any workaround to disable the attribute_role features and RBAC using a configuration setting? I need to compile only TE policies (not RBAC). For example, if I remove the files in the role folder, does it work?
I am using Fedora 18. (But the most recent version, Fedora 19, could not handle this attribute role feature when I tried.)
On Fri, Nov 1, 2013 at 11:54 AM, Dominick Grift <dominick.grift@xxxxxxxxx> wrote:
On Fri, 2013-11-01 at 11:39 -0400, JeeHyun Hwang wrote:
> Hello, all,
>
> I downloaded source file of selinux. I made policy.conf using make conf. I
> try to use apol to analyze policy.conf and found the error below. It seems
> that, attribute_role cannot be parsed in libqpol.
>
> ERROR 'syntax error' at token 'attribute_role' on line 1299:
> attribute zarafa_domain;
> attribute_role bootleader_roles; <-- This is first shown attribute_role
> in policy.conf
>

i guess libqpol might not support the relatively new role attribute
functionality

> I also try to compile using checkpolicy using make policy. But, it hangs
> all day. I think that it's the same problem.
>

Checkpolicy is just slow because of the assertion checking it does

A way to work around that is to use checkmodule instead to create a base
module and to create loadable modules (modular instead of monolithic)
Then run either semodule_link ... and semodule_expand -a ...
to glue it all together into a single policy.db without checking
assertions (faster)

> Could you please let me know how to parse 'attribute_role'? Do I miss
> anything.
>

role attributes work pretty much the same as type attributes.
basically you associate roles with roleattribute, then you can use that
to write rules that apply to groups of roles rather than single role
the policy analysis tools may not directly support role attributes yet
but indirectly you should be able to verify that role attributes get
expanded properly with tools like seinfo: seinfo -r, and seinfo -xr

> Thank you in advance.
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux
Best wishes,
JeeHyun Hwang
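An added example, not part of the original thread: a small Python sketch of the role attribute expansion described in the reply, useful for cross-checking by hand what a tool reports for a policy.conf. It assumes only three statement forms (`attribute_role`, `roleattribute`, and `role ... types`), one statement per line; the sample policy text and every name in it are constructed.

```python
import re
from collections import defaultdict

# Constructed sample in policy.conf syntax; all names are illustrative.
SAMPLE_POLICY_CONF = """\
attribute example_domain;
attribute_role example_roles;
attribute_role other_roles;
role system_r;
role sysadm_r;
role staff_r;
roleattribute system_r example_roles, other_roles;
roleattribute sysadm_r example_roles;  # comments are ignored
role example_roles types example_t;
role staff_r types { staff_t user_t };
"""

DECL_RE = re.compile(r"^attribute_role\s+([\w.]+)\s*;")
ASSOC_RE = re.compile(r"^roleattribute\s+([\w.]+)\s+([^;]+);")
ROLE_TYPES_RE = re.compile(r"^role\s+([\w.]+)\s+types\s+([^;]+);")


def _statements(policy_text):
    """Yield each line with comments and surrounding whitespace removed."""
    for raw in policy_text.splitlines():
        yield raw.split("#", 1)[0].strip()


def expand_role_attributes(policy_text):
    """Return {role_attribute: sorted member roles}, like a type attribute."""
    members = defaultdict(set)
    for line in _statements(policy_text):
        if (m := DECL_RE.match(line)):
            members[m.group(1)]  # declared; may stay empty
        elif (m := ASSOC_RE.match(line)):
            for attr in re.split(r"[,\s]+", m.group(2).strip()):
                members[attr].add(m.group(1))
    return {attr: sorted(roles) for attr, roles in members.items()}


def expand_role_types(policy_text):
    """Resolve 'role X types ...' to concrete roles when X is a role attribute."""
    attrs = expand_role_attributes(policy_text)
    allowed = defaultdict(set)
    for line in _statements(policy_text):
        if (m := ROLE_TYPES_RE.match(line)):
            types = set(re.split(r"[,\s{}]+", m.group(2))) - {""}
            for role in attrs.get(m.group(1), [m.group(1)]):
                allowed[role] |= types
    return {role: sorted(t) for role, t in allowed.items()}
```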