policycoreutils/hll/pp: only print certain roles when declared in base modules

Some roles (i.e. user_r, staff_r, sysadm_r, system_r, unconfined_r) are
declared in the base module, and sometimes in non-base modules. This
could result in duplicate declarations of roles, which isn't allowed in
CIL. So for these roles, only generate their declarations if they appear
in a base module, otherwise ignore their declarations. All other roles
are printed regardless of their declaration location.

Note that this means that if a policy author does not include one of the
roles in the base module then they will not be included in the resulting
policy, likely causing a compilation error in CIL.

Signed-off-by: Steve Lawrence <slawrence@tresys.com>
Steve Lawrence 2014-10-02 11:53:01 -04:00
parent ff5bbe6dcf
commit 7f16505a31


@ -1889,8 +1889,30 @@ static int role_to_cil(int indent, struct policydb *pdb, struct avrule_block *UN
switch (role->flavor) { switch (role->flavor) {
case ROLE_ROLE: case ROLE_ROLE:
if (scope == SCOPE_DECL) { if (scope == SCOPE_DECL) {
// Only declare certain roles if we are reading a base module.
// These roles are defined in the base module and sometimes in
// other non-base modules. If we generated the roles regardless of
// the policy type, it would result in duplicate declarations,
// which isn't allowed in CIL. Patches have been made to refpolicy
// to remove these duplicate role declarations, but we need to be
// backwards compatable and support older policies. Since we know
// these roles are always declared in base, only print them when we
// see them in the base module. If the declarations appear in a
// non-base module, ignore their declarations.
//
// Note that this is a hack, and if a policy author does not define
// one of these roles in base, the declaration will not appeaer in
// the resulting policy, likely resulting in a compilation error in
// CIL.
int is_base_role = (!strcmp(key, "user_r") ||
!strcmp(key, "staff_r") ||
!strcmp(key, "sysadm_r") ||
!strcmp(key, "system_r") ||
!strcmp(key, "unconfined_r"));
if ((is_base_role && pdb->policy_type == SEPOL_POLICY_BASE) || !is_base_role) {
cil_println(indent, "(role %s)", key); cil_println(indent, "(role %s)", key);
} }
}
if (ebitmap_cardinality(&role->dominates) > 1) { if (ebitmap_cardinality(&role->dominates) > 1) {
log_err("Warning: role 'dominance' statment unsupported in CIL. Dropping from output."); log_err("Warning: role 'dominance' statment unsupported in CIL. Dropping from output.");