On 11/01/2013 05:15 PM, Dominick Grift wrote:
On Fri, 2013-11-01 at 12:11 -0400, JeeHyun Hwang wrote:
Thank you for your answer.
Is there any way to disable attribute_role features and RBAC using a
configuration setting? I need to compile only TE policies (not RBAC). For
example, if I remove files in the role folder, does it work?
No, RBAC is one of the three non-optional security models (among TE and
IBAC)
I am using Fedora 18. (But the most recent version Fedora 19 cannot handle
this attribute role feature when I tried).
Fedora 19 should be able to handle role attributes AFAIK.
Yes, Fedora 19 uses it.
It's just the
analysis tools that lack support
You could however example the role attributes manually in the source
policy, or fall back on an older version of refpolicy
On Fri, Nov 1, 2013 at 11:54 AM, Dominick Grift <dominick.grift@xxxxxxxxx> wrote:
On Fri, 2013-11-01 at 11:39 -0400, JeeHyun Hwang wrote:
Hello, all,
I downloaded the source files of selinux. I made policy.conf using make conf. I
tried to use apol to analyze policy.conf and found the error below. It
seems that attribute_role cannot be parsed in libqpol.
ERROR 'syntax error' at token 'attribute_role' on line 1299:
attribute zarafa_domain;
attribute_role bootleader_roles; <-- This is first shown attribute_role
in policy.conf
I guess libqpol might not support the relatively new role attribute
functionality
I also tried to compile with checkpolicy using make policy. But it hangs
all day. I think that it's the same problem.
Checkpolicy is just slow because of the assertion checking it does
A way to work around that is to use checkmodule instead to create a base
module and to create loadable modules (modular instead of monolithic)
Then run either semodule_link ... and semodule_expand -a ...
to glue it all together into a single policy.db without checking
assertions (faster)
Could you please let me know how to parse 'attribute_role'? Am I missing
anything?
role attributes work pretty much the same as type attributes.
basically you associate roles with roleattribute, then you can use that
to write rules that apply to groups of roles rather than single role
the policy analysis tools may not directly support role attributes yet
but indirectly you should be able to verify that role attributes get
expanded properly with tools like seinfo: seinfo -r, and seinfo -xr
Thank you in advance.
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
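
The thread describes role attributes as groups of roles that get expanded into per-role rules. The sketch below is an added example, not code from the thread or from any SELinux tool: it performs that expansion on policy.conf text so the result contains no `attribute_role` or `roleattribute` statements. It assumes one statement per line and single role names (no `{ ... }` role sets); the sample policy and the function name `expand_role_attributes` are constructed for illustration.

```python
import re

# Constructed policy.conf fragment for illustration (not from a real policy build).
SAMPLE = """\
attribute zarafa_domain;
attribute_role bootloader_roles;
role system_r;
role sysadm_r;
roleattribute system_r bootloader_roles;
roleattribute sysadm_r bootloader_roles;
role bootloader_roles types bootloader_t;
allow staff_r bootloader_roles;
allow bootloader_t self:process signal;
"""

DECL = re.compile(r"^\s*attribute_role\s+(\w+)\s*;")
ASSOC = re.compile(r"^\s*roleattribute\s+(\w+)\s+([\w\s,]+);")
ROLE_TYPES = re.compile(r"^(\s*role\s+)(\w+)(\s+types\s+.*)$")
# A role allow rule has no ':' class part, which separates it from a TE allow rule.
ROLE_ALLOW = re.compile(r"^(\s*allow\s+)(\w+)(\s+)(\w+)(\s*;.*)$")


def expand_role_attributes(text):
    """Rewrite single-line role rules so no role attribute remains."""
    lines = text.splitlines()
    members = {}  # role attribute -> roles associated with it
    for line in lines:
        if m := DECL.match(line):
            members.setdefault(m.group(1), [])
        elif m := ASSOC.match(line):
            for attr in re.split(r"[\s,]+", m.group(2).strip()):
                members.setdefault(attr, []).append(m.group(1))

    def roles(name):
        # A plain role expands to itself; an empty attribute expands to nothing.
        return members.get(name, [name])

    out = []
    for line in lines:
        if DECL.match(line) or ASSOC.match(line):
            continue  # nothing left to declare once every use is expanded
        if m := ROLE_TYPES.match(line):
            out += [m.group(1) + r + m.group(3) for r in roles(m.group(2))]
        elif m := ROLE_ALLOW.match(line):
            out += [f"{m.group(1)}{s}{m.group(3)}{t}{m.group(5)}"
                    for s in roles(m.group(2)) for t in roles(m.group(4))]
        else:
            out.append(line)
    return "\n".join(out) + "\n"
```

Calling `expand_role_attributes(SAMPLE)` returns the fragment with each attribute use replaced by one rule per member role; type attributes and TE rules pass through unchanged.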