libsepol: fix pp module to cil nodecon statement

Policy modules do not have the concept of named IP addresses like CIL
does. So when converting nodecode statements from pp policy modules to
CIL, we need to wrap the IP address and mask parameters in parentheses
so that the CIL compiler does not try to resolve them as named
addresses, but instead treats them as anonymous.

Signed-off-by: Steve Lawrence <slawrence@tresys.com>
This commit is contained in:
Steve Lawrence 2017-01-25 12:17:16 -05:00 committed by James Carter
parent 05abcb1d13
commit 1ef665cb92
1 changed files with 2 additions and 2 deletions

View File

@ -2721,7 +2721,7 @@ static int ocontext_selinux_node_to_cil(struct policydb *pdb, struct ocontext *n
goto exit;
}
cil_printf("(nodecon %s %s ", addr, mask);
cil_printf("(nodecon (%s) (%s) ", addr, mask);
context_to_cil(pdb, &node->context[0]);
@ -2753,7 +2753,7 @@ static int ocontext_selinux_node6_to_cil(struct policydb *pdb, struct ocontext *
goto exit;
}
cil_printf("(nodecon %s %s ", addr, mask);
cil_printf("(nodecon (%s) (%s) ", addr, mask);
context_to_cil(pdb, &node->context[0]);