libsepol: Properly handle types associated to role attributes

Types associated to role attributes in optional blocks are not
associated with the roles that have that attribute. The problem
is that role_fix_callback is called before the avrule_decls are
walked.

Example:
  class CLASS1
  sid kernel
  class CLASS1 { PERM1 }
  type TYPE1;
  type TYPE1A;
  allow TYPE1 self : CLASS1 PERM1;
  attribute_role ROLE_ATTR1A;
  role ROLE1;
  role ROLE1A;
  roleattribute ROLE1A ROLE_ATTR1A;
  role ROLE1 types TYPE1;
  optional {
    require {
      class CLASS1 PERM1;
    }
    role ROLE_ATTR1A types TYPE1A;
  }
  user USER1 roles ROLE1;
  sid kernel USER1:ROLE1:TYPE1

In this example ROLE1A will not have TYPE1A associated to it.

Call role_fix_callback() after the avrule_decls are walked.

Signed-off-by: James Carter <jwcart2@gmail.com>
James Carter 2021-03-09 16:36:40 -05:00 committed by Nicolas Iooss
parent f7431d0e0e
commit 6015b05d06
GPG Key ID: C191415F340DAAA0


@ -3052,10 +3052,6 @@ int expand_module(sepol_handle_t * handle,
if (hashtab_map(state.base->p_roles.table,
role_bounds_copy_callback, &state))
goto cleanup;
/* escalate the type_set_t in a role attribute to all regular roles
* that belongs to it. */
if (hashtab_map(state.base->p_roles.table, role_fix_callback, &state))
goto cleanup;
/* copy MLS's sensitivity level and categories - this needs to be done
* before expanding users (they need to be indexed too) */
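Review bot: removing the role_fix_callback pass here means everything between this point and the new call site now runs with role attribute types not yet propagated to member roles; the trailing context shows at least the MLS copy and user expansion fall in that window. Please confirm neither of those reads a role's type_set_t (user expansion should only need the role identities, not their types), and state that in the commit message so the reordering is clearly safe.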
@ -3121,6 +3117,11 @@ int expand_module(sepol_handle_t * handle,
goto cleanup;
}
/* escalate the type_set_t in a role attribute to all regular roles
* that belongs to it. */
if (hashtab_map(state.base->p_roles.table, role_fix_callback, &state))
goto cleanup;
if (copy_and_expand_avrule_block(&state) < 0) {
ERR(handle, "Error during expand");
goto cleanup;
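Review bot: the moved comment is carried over unchanged, so it still does not explain why the call has to sit exactly here, immediately after the avrule_decl walk and before copy_and_expand_avrule_block(). Since the ordering is the whole point of the fix, suggest extending the comment, e.g. "This must run after the avrule_decls have been walked so that types assigned to role attributes inside optional blocks are included, and before avrules are expanded", and while touching it fix the grammar in "* that belongs to it. */" (roles that belong to it).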