policycoreutils: pp: add roletype statements for both declared and required type/typeattributes

Currently, roletype statements are only added for types when they are
declared (not required). This means that in policy like:

  require {
    type foo_t;
  }
  type bar_t;
  role staff_r types foo_t, bar_t;

only bar_t is associated with staff_r. This patch moves the code that
generates roletype statements for types to outside the SCOPE_DECL check
so that roletype statements are generated for all types, regardless of
the required/declared scope. It further moves the code outside of the
type/typeattribute flavor check so that roletype statements are also
generated for typeattributes.

Reported-by: Sven Vermeulen <sven.vermeulen@siphos.be>
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
Reviewed-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
Tested-by: Jason Zaman <jason@perfinion.com>

policycoreutils/hll/pp/pp.c

@@ -2083,6 +2083,11 @@ static int type_to_cil(int indent, struct policydb *pdb, struct avrule_block *UN
 		cil_println(indent, "(typeattributeset " GEN_REQUIRE_ATTR " %s)", key);
 	}
 
+	rc = roletype_role_in_ancestor_to_cil(pdb, decl_stack, key, indent);
+	if (rc != 0) {
+		goto exit;
+	}
+
 	switch(type->flavor) {
 	case TYPE_TYPE:
 		if (scope == SCOPE_DECL) {
@@ -2090,11 +2095,6 @@ static int type_to_cil(int indent, struct policydb *pdb, struct avrule_block *UN
 			// object_r is implicit in checkmodule, but not with CIL,
 			// create it as part of base
 			cil_println(indent, "(roletype " DEFAULT_OBJECT " %s)", key);
-
-			rc = roletype_role_in_ancestor_to_cil(pdb, decl_stack, key, indent);
-			if (rc != 0) {
-				goto exit;
-			}
 		}
 
 		if (type->flags & TYPE_FLAGS_PERMISSIVE) {