From dbc9a61819ea9a6b61bb29a2765b319ac974a775 Mon Sep 17 00:00:00 2001
From: Harry Ciao <qingtao.cao@windriver.com>
Date: Tue, 2 Aug 2011 18:03:53 +0800
Subject: [PATCH] libsepol: Only call role_fix_callback for base.p_roles during
 expansion.

expand_role_attributes() would merge the sub role attribute's roles
ebitmap into that of the parent, then clear it off from the parent's
roles ebitmap. This supports the assertion in role_fix_callback() that
any role attribute's roles ebitmap contains just regular roles.

expand_role_attribute() works on base.p_roles table but not any
block/decl's p_roles table, so the above assertion in role_fix_callback
could fail when it is called for block/decl and some role attribute is
added into another.

Since the effect of get_local_role() would have been complemented by
the populate_roleattributes() at the end of the link phase, there is
no needs(and wrong) to call role_fix_callback() for block/decl in the
expand phase.

Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
---
 libsepol/src/expand.c | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/libsepol/src/expand.c b/libsepol/src/expand.c
index 58fb9886..06f11f40 100644
--- a/libsepol/src/expand.c
+++ b/libsepol/src/expand.c
@@ -2835,9 +2835,6 @@ int expand_module(sepol_handle_t * handle,
 		if (hashtab_map
 		    (decl->p_roles.table, role_copy_callback, &state))
 			goto cleanup;
-		if (hashtab_map
-		    (decl->p_roles.table, role_fix_callback, &state))
-			goto cleanup;
 
 		/* copy users */
 		if (hashtab_map