libsepol: role_fix_callback skips out-of-scope roles during expansion.

If a role identifier is out of scope it would be skipped over during
expansion, accordingly, be it a role attribute, it should be skipped
over as well when role_fix_callback tries to propagate its capability
to all its sub-roles.

Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
Signed-off-by: Eric Paris <eparis@redhat.com>
This commit is contained in:
Harry Ciao 2012-02-25 09:40:08 +08:00 committed by Eric Paris
parent 46ce32a6ee
commit 2ef297d4c8
1 changed files with 5 additions and 0 deletions

View File

@ -723,6 +723,11 @@ static int role_fix_callback(hashtab_key_t key, hashtab_datum_t datum,
return 0; return 0;
} }
if (!is_id_enabled(id, state->base, SYM_ROLES)) {
/* identifier's scope is not enabled */
return 0;
}
if (role->flavor != ROLE_ATTRIB) if (role->flavor != ROLE_ATTRIB)
return 0; return 0;