It appears that per role template expansion is disabled in the modules
shipped with fedora selinux-policy 3.5.10 but enabled for modules
compiled with the resulting policy (which uses a different Makefile).
Why is there a difference?
joe
from the policy Makefile:
# perrole-expansion modulename,outputfile
define perrole-expansion
echo "No longer doing perrole-expansion"
# $(verbose) echo "ifdef(\`""$1""_per_role_template',\`" > $2
# $(call parse-rolemap,$1,$2)
# $(verbose) echo "')" >> $2
# $(verbose) echo "ifdef(\`""$1""_per_userdomain_template',\`"
>> $2
# $(verbose) echo "errprint(\`Warning: per_userdomain_templates
have been renamed to per_role_templates
(""$1""_per_userdomain_template)'__endline__)" >> $2
# $(call parse-rolemap-compat,$1,$2)
# $(verbose) echo "')" >> $2
endef
from /usr/share/selinux/devel/include/Makefile:
# peruser-expansion modulename,outputfile
define peruser-expansion
$(verbose) echo "ifdef(\`""$1""_per_role_template',\`" > $2
$(call parse-rolemap,$1,$2)
$(verbose) echo "')" >> $2
$(verbose) echo "ifdef(\`""$1""_per_userdomain_template',\`"
>> $2
$(verbose) echo "errprint(\`Warning: per_userdomain_templates
have been renamed to per_role_templates
(""$1""_per_userdomain_template)'__endline__)" >> $2
$(call parse-rolemap-compat,$1,$2)
$(verbose) echo "')" >> $2
endef