[refpolicy] [PATCH] Role type statements no longer declare the role

Christopher J. PeBenito cpebenito at tresys.com
Mon Apr 27 19:07:03 UTC 2015


On 4/27/2015 2:55 PM, Sven Vermeulen wrote:
> On Mon, Apr 27, 2015 at 08:05:35PM +0200, Dominick Grift wrote:
>> On Mon, Apr 27, 2015 at 08:03:03PM +0200, Dominick Grift wrote:
>>> Back in the older days, role type statements automatically declared the role. This was later changed.
>>>
>>> I expect that these macro date from that period and that they should be updated to declare the role.
>>
>> This is just an RFC patch. It's untested and the indentation does not conform to refpolicy style rules.
>>
>> just want to hear opinions
> 
> I think I'm okay with the suggestion. At first I was wondering if it is more of
> cosmetic nature than actually necessary, but then I found that kernel.te
> is declaring the basic roles already as well, and that I had declared the
> role specifically in some other modules that I'm using.
> 
> Do you think the default role declarations in kernel.te can be dismissed if
> your change is put through, or is the declaration of sysadm_r, staff_r, user_r
> and unconfined_r in kernel.te needed due to other dependencies?
> 
> I can confirm that a duplicate role declaration does not seem to give any
> issues on 2.3 and 2.4 userspace, so the above question doesn't need to be
> answered before going forward with the change.

The reason the role declarations are in kernel.te is because of the user
declarations in policy/users.  If you turn off unconfined, then base
fails to compile.

One option may be to eliminate all user declarations except system_u,
and then it would be up to the distros/users to create their own users
(even if it is just to restore what we currently have).  That being
said, I don't like that option much, as refpolicy can't work out of the box.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
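As an added illustration (not part of this thread or of refpolicy itself), a small checker for the problem discussed above: it reads policy source and reports roles that appear only in `role X types ...` statements or in user declarations without a bare `role X;` declaration, which is the dependency between kernel.te and policy/users that Chris describes. The sample policy below is constructed for the example and uses raw policy syntax rather than refpolicy's gen_user()/role macros.

```python
import re
from typing import Dict, List, Set

# Constructed sample policy source (not a real refpolicy file). It mimics the
# situation in the thread: roles referenced by "role X types ..." or by a user
# declaration without a matching "role X;" declaration.
SAMPLE_POLICY = """\
role system_r;
role sysadm_r;
role system_r types kernel_t;
role sysadm_r types sysadm_t;
# staff_r is used but never declared
role staff_r types staff_t;
user system_u roles { system_r };
user staff_u roles { staff_r sysadm_r };
# unconfined_r is only referenced via a user declaration
user unconfined_u roles { unconfined_r };
"""

ROLE_DECL = re.compile(r"^\s*role\s+(\w+)\s*;")            # role X;
ROLE_TYPES = re.compile(r"^\s*role\s+(\w+)\s+types\b")     # role X types ...;
USER_DECL = re.compile(r"^\s*user\s+(\w+)\s+roles\s*\{([^}]*)\}")

def undeclared_roles(policy: str) -> Dict[str, List[str]]:
    """Return {role: [where it is referenced]} for every role that is used in a
    role-types statement or a user declaration but never declared with 'role X;'.
    Declarations are collected over the whole input first, so ordering does not matter."""
    declared: Set[str] = set()
    referenced: Dict[str, List[str]] = {}
    for lineno, line in enumerate(policy.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue
        m = ROLE_DECL.match(line)
        if m:
            declared.add(m.group(1))
            continue
        m = ROLE_TYPES.match(line)
        if m:
            referenced.setdefault(m.group(1), []).append(f"line {lineno}: role-types statement")
            continue
        m = USER_DECL.match(line)
        if m:
            for role in m.group(2).split():
                referenced.setdefault(role, []).append(f"line {lineno}: user {m.group(1)}")
    return {r: why for r, why in sorted(referenced.items()) if r not in declared}

if __name__ == "__main__":
    for role, reasons in undeclared_roles(SAMPLE_POLICY).items():
        print(f"{role}: " + "; ".join(reasons))
```

Run against the sample it reports staff_r (referenced by a role-types statement and a user) and unconfined_r (referenced only by a user declaration), the two cases a build would fail on if the declaring module were dropped.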