Re: Compile error: ERROR 'syntax error' at token 'attribute_role'


 



On Fri, 2013-11-01 at 12:11 -0400, JeeHyun Hwang wrote:
> Thank you for your answer.
> 
> Is there any way to disable attribute_role features and RBAC using a
> configuration setting? I need to compile only TE policies (not RBAC). For
> example, if I remove the files in the role folder, does it work?
> 

No, RBAC is one of the three non-optional security models (among TE and
IBAC).

> I am using Fedora 18. (But the most recent version, Fedora 19, could not
> handle this attribute role feature when I tried.)
> 

Fedora 19 should be able to handle role attributes AFAIK. It's just the
analysis tools that lack support.

You could however example the role attributes manually in the source
policy, or fall back on an older version of refpolicy.

> 
> 
> 
> On Fri, Nov 1, 2013 at 11:54 AM, Dominick Grift <dominick.grift@xxxxxxxxx> wrote:
> 
> > On Fri, 2013-11-01 at 11:39 -0400, JeeHyun Hwang wrote:
> > > Hello, all,
> > >
> > > I downloaded the source files of selinux. I made policy.conf using
> > > make conf. I tried to use apol to analyze policy.conf and found the
> > > error below. It seems that attribute_role cannot be parsed in libqpol.
> > >
> > > ERROR 'syntax error' at token 'attribute_role' on line 1299:
> > > attribute zarafa_domain;
> > > attribute_role bootleader_roles;   <-- This is first shown attribute_role
> > > in policy.conf
> > >
> >
> > I guess libqpol might not support the relatively new role attribute
> > functionality.
> >
> > > I also try to compile using checkpolicy using make policy. But, it hangs
> > > all day. I think that it's the same problem.
> > >
> >
> > Checkpolicy is just slow because of the assertion checking it does.
> >
> > A way to work around that is to use checkmodule instead to create a base
> > module and to create loadable modules (modular instead of monolithic).
> >
> > Then run either semodule_link ... and semodule_expand -a ...
> >
> > to make it glue it all together into a single policy.db without checking
> > assertions (faster)
> >
> > > Could you please let me know how to parse 'attribute_role'? Did I miss
> > > anything?
> > >
> >
> > role attributes work pretty much the same as type attributes.
> >
> > basically you associate roles with roleattribute, then you can use that
> > to write rules that apply to groups of roles rather than single role
> >
> > the policy analysis tools may not directly support role attributes yet
> > but indirectly you should be able to verify that role attributes get
> > expanded properly with tools like seinfo: seinfo -r, and seinfo -xr
> >
> > > Thank you in advance.
> > > --
> > > selinux mailing list
> > > selinux@xxxxxxxxxxxxxxxxxxxxxxx
> > > https://admin.fedoraproject.org/mailman/listinfo/selinux
> 

