Yet another role question

[Daniel J Walsh]

Joe Nall wrote:
> It appears that per role template expansion is disabled in the modules
> shipped with fedora selinux-policy 3.5.10 but enabled for modules
> compiled with the resulting policy (which uses a different Makefile).
> 
> Why is there a difference?
> 
> joe
> 
> from the policy Makefile:
> 
> # perrole-expansion modulename,outputfile
> define perrole-expansion
>         echo "No longer doing perrole-expansion"
> #       $(verbose) echo "ifdef(\`""$1""_per_role_template',\`" > $2
> #       $(call parse-rolemap,$1,$2)
> #       $(verbose) echo "')" >> $2
> 
> #       $(verbose) echo "ifdef(\`""$1""_per_userdomain_template',\`" >> $2
> #       $(verbose) echo "errprint(\`Warning: per_userdomain_templates
> have been renamed to per_role_templates
> (""$1""_per_userdomain_template)'__endline__)" >> $2
> #       $(call parse-rolemap-compat,$1,$2)
> #       $(verbose) echo "')" >> $2
> endef
> 
> from /usr/share/selinux/devel/include/Makefile:
> 
> # peruser-expansion modulename,outputfile
> define peruser-expansion
>         $(verbose) echo "ifdef(\`""$1""_per_role_template',\`" > $2
>         $(call parse-rolemap,$1,$2)
>         $(verbose) echo "')" >> $2
> 
>         $(verbose) echo "ifdef(\`""$1""_per_userdomain_template',\`" >> $2
>         $(verbose) echo "errprint(\`Warning: per_userdomain_templates
> have been renamed to per_role_templates
> (""$1""_per_userdomain_template)'__endline__)" >> $2
>         $(call parse-rolemap-compat,$1,$2)
>         $(verbose) echo "')" >> $2
> endef
> 
> -- 
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
It is a bug.  Automatic per role expansion is a mistake.   Please open a
bugzilla.  (With a patch if possible.  :^)