policycoreutils/hll/pp: only print certain roles when declared in base modules
Some roles (i.e. user_r, staff_r, sysadm_r, system_r, unconfined_r) are declared in the base module, and sometimes in non-base modules. This could result in duplicate declarations of roles, which isn't allowed in CIL. So for these roles, only generate their declarations if they appear in a base module, otherwise ignore their declarations. All other roles are printed regardless of their declaration location. Note that this means that if a policy author does not include one of the roles in the base module then they will not be included in the resulting policy, likely causing a compilation error in CIL. Signed-off-by: Steve Lawrence <slawrence@tresys.com>
This commit is contained in:
parent
ff5bbe6dcf
commit
7f16505a31
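--- a/policycoreutils/hll/pp/[FILE]
+++ b/policycoreutils/hll/pp/[FILE]
@@ -1889,8 +1889,30 @@ static int role_to_cil(int indent, struct policydb *pdb, struct avrule_block *UN
 switch (role->flavor) {
 case ROLE_ROLE:
 if (scope == SCOPE_DECL) {
+// Only declare certain roles if we are reading a base module.
+// These roles are defined in the base module and sometimes in
+// other non-base modules. If we generated the roles regardless of
+// the policy type, it would result in duplicate declarations,
+// which isn't allowed in CIL. Patches have been made to refpolicy
+// to remove these duplicate role declarations, but we need to be
+// backwards compatable and support older policies. Since we know
+// these roles are always declared in base, only print them when we
+// see them in the base module. If the declarations appear in a
+// non-base module, ignore their declarations.
+//
+// Note that this is a hack, and if a policy author does not define
+// one of these roles in base, the declaration will not appeaer in
+// the resulting policy, likely resulting in a compilation error in
+// CIL.
+int is_base_role = (!strcmp(key, "user_r") ||
+!strcmp(key, "staff_r") ||
+!strcmp(key, "sysadm_r") ||
+!strcmp(key, "system_r") ||
+!strcmp(key, "unconfined_r"));
+if ((is_base_role && pdb->policy_type == SEPOL_POLICY_BASE) || !is_base_role) {
 cil_println(indent, "(role %s)", key);
 }
+}
 
 if (ebitmap_cardinality(&role->dominates) > 1) {
 log_err("Warning: role 'dominance' statment unsupported in CIL. Dropping from output.");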
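Review bot: The new `if ((is_base_role && pdb->policy_type == SEPOL_POLICY_BASE) || !is_base_role)` drops a role declaration silently when one of the five listed roles appears in a non-base module, whereas the dominance case two lines below reports the statement it drops via log_err; an `else { log_err("Warning: role declaration '%s' in non-base module ignored.", key); }` (message constructed here, assuming log_err accepts printf-style arguments as its single-string use below does not show) would surface the skip at conversion time instead of leaving the policy author to diagnose a later CIL failure on a missing role. The condition is also equivalent to the shorter `if (!is_base_role || pdb->policy_type == SEPOL_POLICY_BASE)`. The added comment block has two typos, `compatable` and `appeaer`. role_to_cil begins and ends outside this hunk.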