Hi, all:
I have the following in my .te file:
optional_policy(`
    gen_require(`
        type guest_t;
        role guest_r;
    ')
    my_app_run(guest_t, guest_r)
')
But really, I'd like to make it a boolean that an admin can toggle -- I'm not really keen on allowing guest_u to use this application by default. Something like:
tunable_policy(`allow_guest_myapp_exec');
How would I combine tunable_policy with optional_policy?
Best,
On 12/01/2011 11:10 AM, Konstantin Ryabitsev wrote:
> Hi, all:
> I have the following in my .te file:
> optional_policy(`
>     gen_require(`
>         type guest_t;
>         role guest_r;
>     ')
>     my_app_run(guest_t, guest_r)
> ')
> But really, I'd like to make it a boolean that an admin can toggle -- I'm not really keen on allowing guest_u to use this application by default. Something like:
> tunable_policy(`allow_guest_myapp_exec');
> How would I combine tunable_policy with optional_policy?
> Best,
Well in a perfect world...
optional_policy(`
    gen_require(`
        type guest_t;
        role guest_r;
    ')
    tunable_policy(`allow_guest_myapp_exec',`
        my_app_run(guest_t, guest_r)
    ')
')
Except this will not work, because you cannot have role assignment within a tunable. The latest policy from upstream is working around this by using roleattributes.
But until now, I separated out my interface into two.
interface(`myapp_role',`
    gen_require(`
        type myapp_t;
    ')
    role $1 types myapp_t;
')
optional_policy(`
    gen_require(`
        type guest_t;
        role guest_r;
    ')
    myapp_role(guest_r)
    tunable_policy(`allow_guest_myapp_exec',`
        my_app_domtrans(guest_t)
    ')
')
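The constraint from the reply above (no role assignment inside a tunable), turned into a small checker; this is an added example, not part of the original thread or of any SELinux project. It flags tunable_policy blocks that contain a role statement or call an interface that assigns a role, directly or through another interface. The body of my_app_run is an assumption, since the thread never shows it, and the parser only understands m4 backtick/apostrophe quoting (no comments or dnl).

```python
import re

ROLE_STMT = re.compile(r"\brole\s+\S+\s+types\b")
CALL = re.compile(r"\b(\w+)\s*\(")

def macro_calls(text, macro):
    """Yield (first_arg, body) per macro(...) call, honouring m4 `...' quoting."""
    for m in re.finditer(r"\b%s\(" % re.escape(macro), text):
        depth, quote, i = 1, 0, m.end()
        while i < len(text) and depth:
            c = text[i]
            if c == "`":
                quote += 1
            elif c == "'" and quote:
                quote -= 1
            elif not quote:  # parentheses inside quotes do not close the call
                depth += (c == "(") - (c == ")")
            i += 1
        head = re.match(r"\s*`(\w+)'", text[m.end():i])
        if depth == 0 and head:
            yield head.group(1), text[m.end():i - 1]

def role_assigning_interfaces(if_text):
    """Names of interfaces that assign a role, directly or via another interface."""
    bodies = dict(macro_calls(if_text, "interface"))
    bad = {n for n, b in bodies.items() if ROLE_STMT.search(b)}
    while True:
        grown = {n for n, b in bodies.items() if bad & set(CALL.findall(b))} - bad
        if not grown:
            return bad
        bad |= grown

def lint(te_text, if_text):
    """Return (boolean, offender) for each role assignment reachable in a tunable."""
    bad = role_assigning_interfaces(if_text)
    out = []
    for boolean, body in macro_calls(te_text, "tunable_policy"):
        if ROLE_STMT.search(body):
            out.append((boolean, "role statement"))
        out += [(boolean, c) for c in CALL.findall(body) if c in bad]
    return out

# Constructed samples; my_app_run's body is assumed, not taken from the thread.
IF_SAMPLE = """
interface(`myapp_role',` gen_require(` type myapp_t; ') role $1 types myapp_t; ')
interface(`my_app_run',` my_app_domtrans($1) myapp_role($2) ')
"""
TE_BAD = "tunable_policy(`allow_guest_myapp_exec',` my_app_run(guest_t, guest_r) ')"
TE_OK = "myapp_role(guest_r) tunable_policy(`allow_guest_myapp_exec',` my_app_domtrans(guest_t) ')"
```

Interfaces whose definitions are not in the supplied text are not flagged, so feed it every .if file the module calls into.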
On 12/01/2011 05:10 PM, Konstantin Ryabitsev wrote:
> Hi, all:
> I have the following in my .te file:
> optional_policy(`
>     gen_require(`
>         type guest_t;
>         role guest_r;
>     ')
>     my_app_run(guest_t, guest_r)
> ')
> But really, I'd like to make it a boolean that an admin can toggle -- I'm not really keen on allowing guest_u to use this application by default. Something like:
> tunable_policy(`allow_guest_myapp_exec');
> How would I combine tunable_policy with optional_policy?
For example:
optional_policy(`
    tunable_policy(`xguest_use_bluetooth',`
        bluetooth_dbus_chat(xguest_t)
    ')
')
> Best,