libsepol: use mapped role number instead of module role number

When expanding a module which includes role transitions we were comparing the numeric value of the base policy role with the numberic value of the unmapped role in the module. Comparisions between role values need to both be in terms of the mapped role in the base module. Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Harry Ciao <qingtao.cao@windriver.com>
2025-04-18 13:25:26 +00:00 · 2011-04-20 15:18:02 -04:00 · 2011-04-20 15:18:02 -04:00 · 1867652e54
commit 1867652e54
parent 78b4b56857
1 changed files with 8 additions and 5 deletions
--- a/libsepol/src/expand.c
+++ b/libsepol/src/expand.c
@ -1249,23 +1249,26 @@ static int copy_role_trans(expand_state_t * state, role_trans_rule_t * rules)

 					cur_trans = state->out->role_tr;
 					while (cur_trans) {
+						unsigned int mapped_role;
+
+						mapped_role = state->rolemap[cur->new_role - 1];
+
 						if ((cur_trans->role ==
 								i + 1) &&
 						    (cur_trans->type ==
 								j + 1) &&
 						    (cur_trans->tclass ==
 								k + 1)) {
-							if (cur_trans->
-							    new_role ==
-								cur->new_role) {
+							if (cur_trans->new_role == mapped_role) {
 								break;
 							} else {
 								ERR(state->handle,
-									"Conflicting role trans rule %s %s : %s %s",
+									"Conflicting role trans rule %s %s : %s { %s vs %s }",
 									state->out->p_role_val_to_name[i],
 									state->out->p_type_val_to_name[j],
 									state->out->p_class_val_to_name[k],
-									state->out->p_role_val_to_name[cur->new_role - 1]);
+									state->out->p_role_val_to_name[mapped_role - 1],
+									state->out->p_role_val_to_name[cur_trans->new_role - 1]);
 								return -1;
 							}
 						}