Hi,
It seems that if an interface has a role statement inside it, that interface can’t be used *inside* a tunable_policy block.
For example, the shutdown_run() interface causes this policy to fail compilation:
policy_module(test, 1.0.0)

require {
	type staff_t;
	role staff_r;
}

gen_tunable(staff_shutdown, false)

tunable_policy(`staff_shutdown',`
	shutdown_run(staff_t, staff_r)
')
This is the error given:
test.te":10:ERROR 'syntax error' at token 'role' on line 3360:
role staff_r types shutdown_t;
#line 10
/usr/bin/checkmodule: error(s) encountered while parsing configuration
make: *** [tmp/test.mod] Error 1
If I manually put the rules that interface generates into the tunable_policy block but place the role statement outside, it compiles fine. The rpm_run() interface also fails to compile when inside a tunable_policy block (presumably for the same reason).
Thanks,
Doug
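Added example of the workaround described in the message, not Doug's code and not part of refpolicy itself. It assumes that shutdown_run() expands to a shutdown_domtrans() call plus the role statement quoted in the error output; only the role statement is confirmed by the message, the shutdown_domtrans() call is an assumption about the interface's remaining content.

```m4
policy_module(test, 1.0.0)

require {
	type staff_t;
	role staff_r;
	# shutdown_t has to be declared here because the role statement
	# below is now written directly in this module (assumption: the
	# interface's own gen_require() would normally supply it)
	type shutdown_t;
}

gen_tunable(staff_shutdown, false)

# checkmodule does not accept role statements inside the if block that
# tunable_policy() expands to, so the role assignment taken out of
# shutdown_run() stays at the top level and is always in effect.
role staff_r types shutdown_t;

# The type enforcement rules from the interface can stay conditional.
# Assumption: the interface's other content is the shutdown_domtrans() call.
tunable_policy(`staff_shutdown',`
	shutdown_domtrans(staff_t)
')
```

With the tunable off, staff_r is still authorised for shutdown_t by the unconditional role statement, but no domain transition rule exists, so staff_t cannot actually enter shutdown_t; the effective access is still gated by the tunable.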