Optional policy block on some macros

Daniel J Walsh dwalsh at redhat.com
Fri Oct 24 17:37:19 UTC 2014


On 10/24/2014 10:15 AM, Lukas Zapletal wrote:
> Hello,
>
> I am working on a policy where we want to modularize certain features
> (management of DHCP, DNS and TFTP services). Since users can turn these
> features on and off, we would like to introduce SELinux booleans to do
> the same.
>
> Unfortunately when I try to put some macros in the tunable_policy
> blocks, I get errors:
>
> tunable_policy(`foreman_proxy_manage_dhcp', `
>   dhcpd_admin(foreman_proxy_t, system_r)
>   netutils_exec_ping(foreman_proxy_t)
>   netutils_domtrans_ping(foreman_proxy_t)
You would not have both of these within the same block. 
netutils_domtrans_ping implies netutils_exec_ping.
You probably want this on all the time.

What types does foreman have to manage under dhcpd?  We probably need to
add interfaces for this.
> ')
>
> foreman-proxy.te":188:ERROR 'syntax error' at token 'typeattribute' on
> line 10649:
> typeattribute foreman_proxy_t initrc_transition_domain;
> /usr/bin/checkmodule:  error(s) encountered while parsing
> configuration
>
> It works just fine without the tunable_policy block.
>
> Where's the snag and how can we work around it? Thanks!
>
You are not allowed to put attributes within a boolean block.
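
A way to catch this before checkmodule does, as an added example that is not part of the original messages: a small Python check that scans m4-expanded policy source and reports statements such as typeattribute that sit inside a conditional block. It assumes tunable_policy has already been expanded into `if (...) { ... }` blocks; the ALLOWED keyword set and the sample type `example_conf_t` are assumptions made for the example.

```python
import re

# Keywords accepted inside a conditional block (conservative assumption).
ALLOWED = {"allow", "auditallow", "dontaudit", "type_transition",
           "type_change", "type_member", "require"}
COND_START = re.compile(r"\b(?:if\s*\((.*?)\)|else)\s*\{", re.S)

def _split_block(text, pos):
    """Split a block body (pos is just past '{') into (offset, statement)."""
    stmts, depth, begin = [], 0, pos
    for i in range(pos, len(text)):
        ch = text[i]
        if ch == "{":
            depth += 1
        elif ch == "}" and depth == 0:
            return stmts, i + 1            # brace closing the conditional
        elif ch == "}":
            depth -= 1
        if depth == 0 and ch in ";}":
            chunk = text[begin:i + 1].lstrip()
            # ';' ends a rule; 'require { ... }' ends at its own brace
            if ch == ";" or chunk.startswith("require"):
                stmts.append((i + 1 - len(chunk), chunk))
                begin = i + 1
    return stmts, len(text)

def find_conditional_violations(expanded):
    """Return (line, condition, statement) for disallowed statements."""
    text = re.sub(r"#[^\n]*", "", expanded)    # drop comments, keep lines
    found, pos = [], 0
    while (m := COND_START.search(text, pos)):
        cond = m.group(1).strip() if m.group(1) else "else"
        stmts, pos = _split_block(text, m.end())
        for off, stmt in stmts:
            if re.match(r"\w*", stmt).group() not in ALLOWED:
                found.append((text.count("\n", 0, off) + 1, cond, stmt))
    return found

# Constructed sample of expanded policy; example_conf_t is hypothetical.
SAMPLE = """\
if (foreman_proxy_manage_dhcp) {
    require { type example_conf_t; class file { read write }; }
    allow foreman_proxy_t example_conf_t:file { read write };
    typeattribute foreman_proxy_t initrc_transition_domain;
}
"""
if __name__ == "__main__":
    for line, cond, stmt in find_conditional_violations(SAMPLE):
        print(f"line {line}: not allowed under boolean '{cond}': {stmt}")
```

Interfaces that expand to a flagged statement have to be called outside the tunable_policy block, leaving only plain rules under the boolean.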



