Compile error: ERROR 'syntax error' at token 'attribute_role'

JeeHyun Hwang jhwang4 at ncsu.edu
Fri Nov 1 16:11:34 UTC 2013


Thank you for your answer.

Is there any way to disable the attribute_role feature and RBAC using a
configuration setting? I need to compile only TE policies (not RBAC). For
example, if I remove the files in the role folder, does it work?

I am using Fedora 18. (But the most recent version Fedora 19 cannot handle
this attribute role feature when I tried).




On Fri, Nov 1, 2013 at 11:54 AM, Dominick Grift <dominick.grift at gmail.com> wrote:

> On Fri, 2013-11-01 at 11:39 -0400, JeeHyun Hwang wrote:
> > Hello, all,
> >
> > I downloaded the source of selinux. I made policy.conf using make conf. I
> > tried to use apol to analyze policy.conf and found the error below. It
> > seems that attribute_role cannot be parsed in libqpol.
> >
> > ERROR 'syntax error' at token 'attribute_role' on line 1299:
> > attribute zarafa_domain;
> > attribute_role bootleader_roles;   <-- This is first shown attribute_role
> > in policy.conf
> >
>
> I guess libqpol might not support the relatively new role attribute
> functionality
>
> > I also tried to compile with checkpolicy using make policy, but it hangs
> > all day. I think that it's the same problem.
> >
>
> Checkpolicy is just slow because of the assertion checking it does
>
> A way to work around that is to use checkmodule instead to create a base
> module and to create loadable modules (modular instead of monolithic)
>
> Then run either semodule_link ... and semodule_expand -a ...
>
> to make it glue it all together into a single policy.db without checking
> assertions (faster)
>
> > Could you please let me know how to parse 'attribute_role'? Am I missing
> > anything?
> >
>
> role attributes work pretty much the same as type attributes.
>
> Basically you associate roles with roleattribute, then you can use that
> to write rules that apply to groups of roles rather than a single role
>
> the policy analysis tools may not directly support role attributes yet
> but indirectly you should be able to verify that role attributes get
> expanded properly with tools like seinfo: seinfo -r, and seinfo -xr
>
> > Thank you in advance.
> > --
> > selinux mailing list
> > selinux at lists.fedoraproject.org
> > https://admin.fedoraproject.org/mailman/listinfo/selinux




-- 
Best wishes,
JeeHyun Hwang
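
Added example, not part of the original thread and not code from libqpol or setools: the role attribute grouping described in the quoted reply, rebuilt by hand from policy.conf text so the result can be compared with what the policy tools report. The sample policy and all names in it are constructed, and the two regular expressions assume one statement per line with plain word identifiers.

```python
import re
from collections import defaultdict

# Constructed sample in policy.conf syntax (not taken from a real policy).
SAMPLE_POLICY = """\
attribute zarafa_domain;
attribute_role example_roles;
attribute_role other_roles;
role system_r;
role staff_r;
# roleattribute fake_r example_roles;
roleattribute system_r example_roles, other_roles;
roleattribute staff_r example_roles;
roleattribute staff_r undeclared_roles;
"""

# Assumed simplification: one statement per line, identifiers match \w+.
DECL = re.compile(r"^\s*attribute_role\s+(\w+)\s*;")
ASSOC = re.compile(r"^\s*roleattribute\s+(\w+)\s+([\w\s,]+);")


def expand_role_attributes(policy_text):
    """Return ({attribute: sorted roles}, [(line_no, undeclared attribute)])."""
    members = defaultdict(set)   # declared role attribute -> member roles
    declared = set()
    pending = []                 # (line_no, role, attribute) associations
    for line_no, raw in enumerate(policy_text.splitlines(), 1):
        line = raw.split("#", 1)[0]          # drop comments
        m = DECL.match(line)
        if m:
            declared.add(m.group(1))
            continue
        m = ASSOC.match(line)
        if m:
            for attr in m.group(2).split(","):
                if attr.strip():
                    pending.append((line_no, m.group(1), attr.strip()))
    undeclared = []
    for line_no, role, attr in pending:
        if attr in declared:
            members[attr].add(role)
        else:
            undeclared.append((line_no, attr))   # no attribute_role for it
    expanded = {a: sorted(members[a]) for a in sorted(declared)}
    return expanded, undeclared


if __name__ == "__main__":
    print(expand_role_attributes(SAMPLE_POLICY))
```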