SELinuxProject/selint

Parse error on almost empty policy files

Closed this issue · 0 comments

We have a number of policies that are really just .fc files with a module name.
foo.te:

policy_module(foo,1.0.3)

foo.if exists but is empty

foo.fc

/opt/ourstuff/bin/app5exe     --      gen_context(system_u:object_r:our_app_t,s0)

This could obviously be done differently, but there was a desire to keep the .fc with the rpm rather than in a system-wide policy.

This policy will fail in selint with:

selint -r .
Note: Check E-007 is not performed because no permission macro has been parsed.
foo.te:2: (F): syntax error, unexpected end of file (F-001)
    2 |
      | ^
foo.te:2: (F): Error: Invalid statement (F-001)
    2 |
      | ^

but adding a comment makes selint happy:

policy_module(foo,1.0.3)
# no op