Re: Compile error: ERROR 'syntax error' at token 'attribute_role'

[Miroslav Grepl <mgrepl@xxxxxxxxxx>]

On 11/01/2013 05:15 PM, Dominick Grift wrote:
> On Fri, 2013-11-01 at 12:11 -0400, JeeHyun Hwang wrote:
> > Thank you for your answer.
> >
> > Is there any way around to disable attribute_role features and RBAC using
> >   configuration setting. I need to compile only TE policies (not RBAC). For
> > example, if I remove files in role folder, does it work?
> No, RBAC is one of the three non-optional security models (among TE and
> IBAC)
>
> > I am using Fedora 18. (But the most recent version Fedora 19 cannot handle
> > this attribute role feature when I tried).
> Fedpra 19 should be able to handle role attributes AFAIK.
Yes, Fedora 19 uses it.
>   its just the
> analysis tools that lack support

> You could however example the role attributes manually in the source
> policy, or fall back on older version of refpolicy
>
> > On Fri, Nov 1, 2013 at 11:54 AM, Dominick Grift <dominick.grift@xxxxxxxxx>wrote:
> >
> > > On Fri, 2013-11-01 at 11:39 -0400, JeeHyun Hwang wrote:
> > > > Hello, all,
> > > >
> > > > I downladed source file of selinux. I made policy.conf using make conf. I
> > > > try to use apol to analyze policy.conf and found the error below. It
> > > seems
> > > > that, attribute_role cannot parsed in libqpol.
> > > >
> > > > ERROR 'syntax error' at token 'attribute_role' on line 1299:
> > > > attribute zarafa_domain;
> > > > attribute_role bootleader_roles;   <-- This is first shown attribute_role
> > > > in policy.conf
> > > i guess libqpol might not support the relatively new role attribute
> > > functionality
> > >
> > > > I also try to compile using checkpolicy using make policy. But, it hangs
> > > > all day. I think that it's the same problem.
> > > Checkpolicy is just slow becuase of the assertion checking it does
> > >
> > > A way to work around that is to use checkmodule instead to create a base
> > > module and to create loadable modules (modular instead of monolitic)
> > >
> > > Then run either semodule_link ... and semodule_expand -a ...
> > >
> > > to make it glue it all together into a single policy.db without checking
> > > assertions (faster)
> > >
> > > > Could you please let me know how to parse 'attribute_role'? Do I miss
> > > > anything.
> > > role attributes work pretty much the same as type attributes.
> > >
> > > basically you associate roles with roleattribute, then you can use that
> > > to write rules that apply to groups of roles rather than single role
> > >
> > > the policy analysis tools may not directly support role attributes yet
> > > but indirectly you should be able to verify that role attributes get
> > > expanded properly with tools like seinfo: seinfo -r, and seinfo -xr
> > >
> > > > Thank you in advance.
> > > > --
> > > > selinux mailing list
> > > > selinux@xxxxxxxxxxxxxxxxxxxxxxx
> > > > https://admin.fedoraproject.org/mailman/listinfo/selinux
> > >
> > > --
> > > selinux mailing list
> > > selinux@xxxxxxxxxxxxxxxxxxxxxxx
> > > https://admin.fedoraproject.org/mailman/listinfo/selinux
>
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux