Re: Use of optional_policy in templates (compiler bug or feature?)

[Joe Nall <joe@xxxxxxxx>]

On Oct 16, 2008, at 9:50 AM, Joshua Brindle wrote:

> Joe Nall wrote:
> > On Oct 16, 2008, at 7:49 AM, Christopher J. PeBenito wrote:
> >
> > > On Wed, 2008-10-15 at 14:59 -0500, Joe Nall wrote:
> > > > On Oct 15, 2008, at 1:46 PM, Christopher J. PeBenito wrote:
> > > >
> > > > > On Wed, 2008-10-15 at 11:02 -0500, Joe Nall wrote:
> > > > > > Is it legitimate to define a type within an optional_policy  
> > > > > > within a
> > > > > > template?
> > > > >
> > > > > Yes.
> > > > >
> > > > > > I ask because there are a number of compile issues with policy  
> > > > > > that
> > > > > > look like:
> > > > > >
> > > > > > template(`wm_domain_template',`
> > > > > > ...
> > > > > >       optional_policy(`
> > > > > >               dbus_system_bus_client_template($1_wm,$1_wm_t)
> > > > > > # does not compile
> > > > > > #               dbus_user_bus_client_template($1,$1_wm,$1_wm_t)
> > > > > >       ')
> > > > > > ...
> > > > > > ')
> > > > >
> > > > > I can't reproduce this by just adding it to a random module;  
> > > > > there are
> > > > > likely more factors that just the above template calls.
> > > >
> > > > Using stock Fedora targeted policy:
> > > >
> > > > policy_module(swo,1.0.0)
> > > >
> > > > userdom_unpriv_user_template(swo)
> > > > dbus_chat_user_bus(swo,swo_t)
> > >
> > > Well this is a weird case, because you have this situation:
> > >
> > > optional {
> > >    # optionally declare the type
> > >    # from userdom_unpriv_user_template(swo)
> > >    type swo_dbusd_t;
> > > }
> > >
> > > # unconditionally require the type for this module
> > > # from dbus_chat_user_bus(swo,swo_t)
> > > require {
> > >    type swo_dbusd_t;
> > > }
> > >
> > >
> > > but even if you make the second interface call optional too, you'll
> > > still get the compile error.
> >
> > Weird wrong or weird corner case that ought to work?
>
> Weird unsupported. It was thought non-trivial to deterministically  
> enable optionals in cases like this.

So all optional policy in templates using a given derived type have to  
be in the same optional block?

Dan took the per role expansion out of the core policy in fedora and  
put the per role templates in an optional blocks in role based .te  
files. This tickles this 'Weird unsupported' corner of the compiler  
repeatedly. The weird thing to me is that it mostly works. The big  
exceptions are in the X and dbus policies which have all sorts of  
nested optional interactions (just like the code).

joe



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.