Optional policy block on some macros

Miroslav Grepl mgrepl at redhat.com
Sat Oct 25 11:33:09 UTC 2014


On 10/24/2014 07:37 PM, Daniel J Walsh wrote:
> On 10/24/2014 10:15 AM, Lukas Zapletal wrote:
>> Hello,
>>
>> I am working on a policy where we want to modularize certain features
>> (management of DHCP, DNS and TFTP services). Since users can turn these
>> features on and off, we would like to introduce SELinux booleans to do
>> the same.
>>
>> Unfortunately when I try to put some macros in the tunable_policy
>> blocks, I get errors:
>>
>> tunable_policy(`foreman_proxy_manage_dhcp', `
>>    dhcpd_admin(foreman_proxy_t, system_r)
>>    netutils_exec_ping(foreman_proxy_t)
>>    netutils_domtrans_ping(foreman_proxy_t)
> You would not have both of these within the same block.
> netutils_domtrans_ping implies netutils_exec_ping.
> You probably want this on all the time.
>
> What types does foreman have to manage under dhcpd?  We probably need to
> add interfaces for this.
>> ')
>>
>> foreman-proxy.te":188:ERROR 'syntax error' at token 'typeattribute' on
>> line 10649:
>> typeattribute foreman_proxy_t initrc_transition_domain;
>> /usr/bin/checkmodule:  error(s) encountered while parsing
>> configuration
>>
>> It works just fine without the tunable_policy block.
>>
>> Where's the snag and how can we work around it? Thanks!
You would need to re-write

dhcpd_admin()

interface. It's caused by

init_labeled_script_domtrans()

where we use

typeattribute $1 initrc_transition_domain;

Is this on RHEL7? You don't need to have it in RHEL7 because of systemd. We should probably re-write/fix this init_t/initrc_t/unconfined_services_t concept in Fedora 22.

If you use RHEL6, you need to write your own _admin() interface to make it work with the tunable statement.


>>
> You are not allowed to put attributes within a boolean block.
>
>
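To make the workaround concrete, here is an added policy fragment (not code from the thread or from the foreman-proxy or reference policy) that splits what dhcpd_admin(foreman_proxy_t, system_r) does: the part that ends in a typeattribute stays unconditional, and only plain allow rules sit under the boolean. The dhcpd type names (dhcpd_t, dhcpd_initrc_exec_t, dhcpd_state_t, dhcpd_var_run_t) are assumed to match the dhcpd module; foreman_proxy_manage_dhcp is the boolean from the thread.

```m4
policy_module(foreman_proxy, 1.0.0)

########################################
#
# Declarations
#

## <desc>
## <p>Allow foreman-proxy to manage the DHCP service.</p>
## </desc>
gen_tunable(foreman_proxy_manage_dhcp, false)

type foreman_proxy_t;
domain_type(foreman_proxy_t)

gen_require(`
    # assumed: types declared by the dhcpd policy module
    type dhcpd_t, dhcpd_initrc_exec_t, dhcpd_state_t, dhcpd_var_run_t;
')

########################################
#
# Local policy
#

# init_labeled_script_domtrans() expands to
#   typeattribute foreman_proxy_t initrc_transition_domain;
# which checkmodule rejects inside a conditional block. Keeping it here,
# outside tunable_policy, is what dhcpd_admin() cannot do for you. The
# cost is that the init-script transition is granted regardless of the
# boolean, so the boolean only gates the rules below.
init_labeled_script_domtrans(foreman_proxy_t, dhcpd_initrc_exec_t)

# Only allow rules (directly or via patterns that expand to allow) go under
# the boolean; these are the remaining pieces of dhcpd_admin().
tunable_policy(`foreman_proxy_manage_dhcp', `
    allow foreman_proxy_t dhcpd_t:process signal_perms;
    ps_process_pattern(foreman_proxy_t, dhcpd_t)
    admin_pattern(foreman_proxy_t, dhcpd_state_t)
    admin_pattern(foreman_proxy_t, dhcpd_var_run_t)
')
```

Build with the usual `make -f /usr/share/selinux/devel/Makefile` and confirm the boolean shows up via `getsebool foreman_proxy_manage_dhcp` after `semodule -i`.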


