From: jwcart2@tycho.nsa.gov (James Carter)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [m4-isms patch 3/6] Add role rule to make translation easier
Date: Wed, 25 Aug 2010 10:11:37 -0400
Message-ID: <1282745497.25778.18.camel@moss-lions.epoch.ncsc.mil>
In-Reply-To: <4C75127E.5000300@tresys.com>

On Wed, 2010-08-25 at 08:54 -0400, Christopher J. PeBenito wrote:
> On 08/24/10 15:50, James Carter wrote:
> > By adding this rule, I can assume that every role rule of the form "role
> > foo_r;" is a declaration and those of the form "role foo_r types bar_t;"
> > are adding types to an existing role.  This makes translating to a
> > different language easier.
> 
> This is a straightforward one.  I don't have a problem with it, though
> requiring a role declaration statement imposes a new requirement that
> didn't previously exist.
> 

But the fact that multiple role declarations are allowed is a deficiency
of the current policy language.  CIL will have a roletype statement
which will eliminate the need for allowing multiple role declarations.  

I think that having this extra rule won't harm Refpolicy while being
beneficial for translating Refpolicy to CIL.

> > ---
> >   policy/modules/services/nx.te |    1 +
> >   1 file changed, 1 insertion(+)
> >
> > diff --git a/policy/modules/services/nx.te b/policy/modules/services/nx.te
> > index ebb9582..a3559f2 100644
> > --- a/policy/modules/services/nx.te
> > +++ b/policy/modules/services/nx.te
> > @@ -12,6 +12,7 @@ domain_entry_file(nx_server_t, nx_server_exec_t)
> >   domain_user_exemption_target(nx_server_t)
> >   # we need an extra role because nxserver is called from sshd
> >   # cjp: do we really need this?
> > +role nx_server_r;
> >   role nx_server_r types nx_server_t;
> >   allow system_r nx_server_r;
> >
> >
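Review bot: the added "role nx_server_r;" lands directly under the existing comment "# cjp: do we really need this?", so that open question now reads as applying to the declaration as well as to the "types" rule below it. Resolve or reword that comment as part of this change, and consider a one-line comment marking the bare "role nx_server_r;" as the declaration, since nothing in the file itself says the two role lines serve different purposes.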
> 
> 

-- 
James Carter <jwcart2@tycho.nsa.gov>
National Security Agency
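
The convention discussed in this message, written out as a checker; this is an added example, not part of the original email or of Refpolicy. It assumes flat statements in a single .te file (no m4 macro expansion), and the duplicate-declaration check and the names scan_roles and check_convention are assumptions of this sketch.

```python
import re

# "role foo_r;" is a declaration; "role foo_r types bar_t;" adds types to a role.
ROLE_RE = re.compile(r"^\s*role\s+(\w+)\s*(?:types\s+([^;]+))?;")

def scan_roles(te_source):
    """Return (declarations, associations) keyed by role name, with line numbers."""
    declared, typed = {}, {}
    for lineno, line in enumerate(te_source.splitlines(), 1):
        stmt = line.split("#", 1)[0]          # drop policy comments
        m = ROLE_RE.match(stmt)
        if not m:
            continue
        role, types = m.groups()
        if types is None:
            declared.setdefault(role, []).append(lineno)
        else:
            # Accept both "types a_t" and "types { a_t b_t }".
            names = types.replace("{", " ").replace("}", " ").split()
            typed.setdefault(role, []).append((lineno, names))
    return declared, typed

def check_convention(te_source):
    """List violations of 'one declaration per role, placed before any types rule'."""
    declared, typed = scan_roles(te_source)
    problems = []
    for role, lines in sorted(declared.items()):
        if len(lines) > 1:
            problems.append(f"{role}: declared {len(lines)} times (lines {lines})")
    for role, uses in sorted(typed.items()):
        first_use = uses[0][0]
        if role not in declared:
            problems.append(f"{role}: line {first_use} adds types but no 'role {role};' exists")
        elif declared[role][0] > first_use:
            problems.append(f"{role}: types added on line {first_use} before the declaration")
    return problems

# Constructed input: the nx.te lines from the hunk, before and after the patch.
BEFORE = """\
# we need an extra role because nxserver is called from sshd
role nx_server_r types nx_server_t;
allow system_r nx_server_r;
"""
AFTER = BEFORE.replace("role nx_server_r types", "role nx_server_r;\nrole nx_server_r types")

if __name__ == "__main__":
    for name, text in (("before", BEFORE), ("after", AFTER)):
        print(name, check_convention(text) or "ok")
```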
