On 10/24/2014 10:15 AM, Lukas Zapletal wrote:
> Hello,
>
> I am working on a policy where we want to modularize certain features
> (management of DHCP, DNS and TFTP services). Since users can turn these
> features on and off, we would like to introduce SELinux booleans to do
> the same.
>
> Unfortunately when I try to put some macros in the tunable_policy
> blocks, I get errors:
>
> tunable_policy(`foreman_proxy_manage_dhcp', `
>     dhcpd_admin(foreman_proxy_t, system_r)
>     netutils_exec_ping(foreman_proxy_t)
>     netutils_domtrans_ping(foreman_proxy_t)

You would not have both of these within the same block.
netutils_domtrans_ping implies netutils_exec_ping. You probably want this
on all the time.

What types does foreman have to manage under dhcpd? We probably need to
add interfaces for this.

> ')
>
> foreman-proxy.te":188:ERROR 'syntax error' at token 'typeattribute' on
> line 10649:
> typeattribute foreman_proxy_t initrc_transition_domain;
> /usr/bin/checkmodule: error(s) encountered while parsing
> configuration
>
> It works just fine without the tunable_policy block.
>
> Where's the snag and how can we workaround it? Thanks!
>

You are not allowed to put attributes within a boolean block.

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
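
A checker for the failure discussed above, added here as an example and not part of the original thread: it scans macro-expanded policy text (the file checkmodule parses, where line 10649 lives) and reports every `typeattribute` statement that ended up inside a boolean block. It assumes `tunable_policy` expands to an `if (boolean) { ... }` block; the function name and the sample text are constructed for illustration.

```python
import re
import sys

# Constructed sample of m4-expanded policy (the text checkmodule actually parses).
# Assumption: tunable_policy(`bool', `...') has become "if (bool) { ... }".
SAMPLE = """\
if (foreman_proxy_manage_dhcp) {
    allow foreman_proxy_t self:capability { net_raw setuid };
    typeattribute foreman_proxy_t initrc_transition_domain;
} else {
    # typeattribute in a comment is ignored
    allow foreman_proxy_t self:process signal;
}
typeattribute foreman_proxy_t initrc_transition_domain;  # unconditional: accepted
"""

# Order matters: "} else {" must be tried before a bare "}".
TOKEN = re.compile(
    r"\bif\s*\(([^{};]*?)\)\s*\{"      # start of a conditional block
    r"|\}\s*else\s*\{"                 # switch to the else branch
    r"|\{|\}"                          # any other brace, e.g. a permission set
    r"|\btypeattribute\b[^;]*;"        # the statement checkmodule rejected
)

def find_conditional_typeattributes(policy_text):
    """Return (line, boolean expression, statement) for each typeattribute
    that sits inside an if/else block of expanded policy text."""
    text = re.sub(r"#[^\n]*", "", policy_text)  # drop comments, keep line breaks
    stack = []      # one entry per open brace: boolean expression, or None
    findings = []
    for m in TOKEN.finditer(text):
        tok = m.group(0)
        if tok.startswith("if"):
            stack.append(m.group(1).strip())
        elif tok.startswith("}") and tok.endswith("{"):
            cond = stack.pop() if stack else None
            stack.append(None if cond is None else f"!({cond})")
        elif tok == "{":
            stack.append(None)
        elif tok == "}":
            if stack:
                stack.pop()
        else:
            cond = next((c for c in reversed(stack) if c is not None), None)
            if cond is not None:
                line = text.count("\n", 0, m.start()) + 1
                findings.append((line, cond, " ".join(tok.split())))
    return findings

if __name__ == "__main__":
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for line, cond, stmt in find_conditional_typeattributes(source):
        print(f"line {line}: inside 'if ({cond})': {stmt}")
```

The reported line numbers refer to the expanded text, so they match the line number in the checkmodule error rather than the line in the `.te` source.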