It appears that per role template expansion is disabled in the modules
shipped with Fedora selinux-policy 3.5.10 but enabled for modules
compiled with the resulting policy (which uses a different Makefile).
Why is there a difference?

joe

from the policy Makefile:
# perrole-expansion modulename,outputfile
define perrole-expansion
echo "No longer doing perrole-expansion"
# $(verbose) echo "ifdef(\`""$1""_per_role_template',\`" > $2
# $(call parse-rolemap,$1,$2)
# $(verbose) echo "')" >> $2
# $(verbose) echo "ifdef(\`""$1""_per_userdomain_template',\`" >> $2
# $(verbose) echo "errprint(\`Warning: per_userdomain_templates have been renamed to per_role_templates (""$1""_per_userdomain_template)'__endline__)" >> $2
# $(call parse-rolemap-compat,$1,$2)
# $(verbose) echo "')" >> $2
endef

from /usr/share/selinux/devel/include/Makefile:
# peruser-expansion modulename,outputfile
define peruser-expansion
$(verbose) echo "ifdef(\`""$1""_per_role_template',\`" > $2
$(call parse-rolemap,$1,$2)
$(verbose) echo "')" >> $2
$(verbose) echo "ifdef(\`""$1""_per_userdomain_template',\`" >> $2
$(verbose) echo "errprint(\`Warning: per_userdomain_templates have been renamed to per_role_templates (""$1""_per_userdomain_template)'__endline__)" >> $2
$(call parse-rolemap-compat,$1,$2)
$(verbose) echo "')" >> $2
endef
--
fedora-selinux-list mailing list
fedora-selinux-list(a)redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

It is a bug. Automatic per role expansion is a mistake. Please open a
bugzilla. (With a patch if possible. :^)