!123 [sync] PR-122: Revert libsepol-Remove-special-handling-of-roles-in-module_to_cil
From: @openeuler-sync-bot Reviewed-by: @HuaxinLuGitee Signed-off-by: @HuaxinLuGitee
This commit is contained in:
openeuler-ci-bot
Gitee
commit
ce9c8ff040
@ -1,89 +0,0 @@
|
||||
From 7450510d9032c0f4d936d4ecb005f0454f65a66e Mon Sep 17 00:00:00 2001
|
||||
From: James Carter <jwcart2@gmail.com>
|
||||
Date: Mon, 21 Apr 2025 11:55:41 +0800
|
||||
Subject: [PATCH] libsepol-Remove-special-handling-of-roles-in-module_to_cil
|
||||
|
||||
Reference:https://github.com/SELinuxProject/selinux/commit/be11f48b7a4a0782d79a40ec623e133221c55035
|
||||
|
||||
---
|
||||
libsepol/src/module_to_cil.c | 50 +-----------------------------------
|
||||
1 file changed, 1 insertion(+), 49 deletions(-)
|
||||
|
||||
diff --git a/libsepol/src/module_to_cil.c b/libsepol/src/module_to_cil.c
|
||||
index 604eada..73e5240 100644
|
||||
--- a/libsepol/src/module_to_cil.c
|
||||
+++ b/libsepol/src/module_to_cil.c
|
||||
@@ -2132,39 +2132,7 @@ static int role_to_cil(int indent, struct policydb *pdb, struct avrule_block *UN
|
||||
switch (role->flavor) {
|
||||
case ROLE_ROLE:
|
||||
if (scope == SCOPE_DECL) {
|
||||
- // Only declare certain roles if we are reading a base module.
|
||||
- // These roles are defined in the base module and sometimes in
|
||||
- // other non-base modules. If we generated the roles regardless of
|
||||
- // the policy type, it would result in duplicate declarations,
|
||||
- // which isn't allowed in CIL. Patches have been made to refpolicy
|
||||
- // to remove these duplicate role declarations, but we need to be
|
||||
- // backwards compatible and support older policies. Since we know
|
||||
- // these roles are always declared in base, only print them when we
|
||||
- // see them in the base module. If the declarations appear in a
|
||||
- // non-base module, ignore their declarations.
|
||||
- //
|
||||
- // Note that this is a hack, and if a policy author does not define
|
||||
- // one of these roles in base, the declaration will not appear in
|
||||
- // the resulting policy, likely resulting in a compilation error in
|
||||
- // CIL.
|
||||
- //
|
||||
- // To make things more complicated, the auditadm_r and secadm_r
|
||||
- // roles could actually be in either the base module or a non-base
|
||||
- // module, or both. So we can't rely on this same behavior. So for
|
||||
- // these roles, don't declare them here, even if they are in a base
|
||||
- // or non-base module. Instead we will just declare them in the
|
||||
- // base module elsewhere.
|
||||
- int is_base_role = (!strcmp(key, "user_r") ||
|
||||
- !strcmp(key, "staff_r") ||
|
||||
- !strcmp(key, "sysadm_r") ||
|
||||
- !strcmp(key, "system_r") ||
|
||||
- !strcmp(key, "unconfined_r"));
|
||||
- int is_builtin_role = (!strcmp(key, "auditadm_r") ||
|
||||
- !strcmp(key, "secadm_r"));
|
||||
- if ((is_base_role && pdb->policy_type == SEPOL_POLICY_BASE) ||
|
||||
- (!is_base_role && !is_builtin_role)) {
|
||||
- cil_println(indent, "(role %s)", key);
|
||||
- }
|
||||
+ cil_println(indent, "(role %s)", key);
|
||||
}
|
||||
|
||||
if (ebitmap_cardinality(&role->dominates) > 1) {
|
||||
@@ -3950,17 +3918,6 @@ static int generate_default_object(void)
|
||||
return 0;
|
||||
}
|
||||
|
||||
-static int generate_builtin_roles(void)
|
||||
-{
|
||||
- // due to inconsistentencies between policies and CIL not allowing
|
||||
- // duplicate roles, some roles are always created, regardless of if they
|
||||
- // are declared in modules or not
|
||||
- cil_println(0, "(role auditadm_r)");
|
||||
- cil_println(0, "(role secadm_r)");
|
||||
-
|
||||
- return 0;
|
||||
-}
|
||||
-
|
||||
static int generate_gen_require_attribute(void)
|
||||
{
|
||||
cil_println(0, "(typeattribute " GEN_REQUIRE_ATTR ")");
|
||||
@@ -4045,11 +4002,6 @@ int sepol_module_policydb_to_cil(FILE *fp, struct policydb *pdb, int linked)
|
||||
goto exit;
|
||||
}
|
||||
|
||||
- rc = generate_builtin_roles();
|
||||
- if (rc != 0) {
|
||||
- goto exit;
|
||||
- }
|
||||
-
|
||||
// default attribute to be used to mimic gen_require in CIL
|
||||
rc = generate_gen_require_attribute();
|
||||
if (rc != 0) {
|
||||
--
|
||||
2.33.0
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
Name: libsepol
|
||||
Version: 3.5
|
||||
Release: 9
|
||||
Release: 10
|
||||
Summary: SELinux binary policy manipulation library
|
||||
License: LGPLv2+
|
||||
URL: https://github.com/SELinuxProject/selinux/wiki/Releases
|
||||
@ -41,7 +41,6 @@ Patch0032: backport-libsepol-mls-Do-not-destroy-context-on-memory-error.pat
|
||||
Patch0033: backport-libsepol-cil-cil_post-Initialize-tmp-on-declaration.patch
|
||||
Patch0034: backport-libsepol-cil-Initialize-avtab_datum-on-declaration.patch
|
||||
Patch0035: backport-libsepol-cil-Optionally-allow-duplicate-role-declaration.patch
|
||||
Patch0036: backport-libsepol-Remove-special-handling-of-roles-in-module_to_cil.patch
|
||||
|
||||
Patch9000: Optimized-the-way-libsepol-policy-are-generated.patch
|
||||
|
||||
@ -104,6 +103,9 @@ make DESTDIR="%{buildroot}" LIBDIR="%{_libdir}" SHLIBDIR="%{_libdir}" install
|
||||
%{_mandir}/man3/*
|
||||
|
||||
%changelog
|
||||
* Thu May 8 2025 jinlun <jinlun@huawei.com> - 3.5-10
|
||||
- Revert "libsepol-Remove-special-handling-of-roles-in-module_to_cil"
|
||||
|
||||
* Mon Apr 28 2025 changhan <changhan@xfusion.com> - 3.5-9
|
||||
- Change the author's mail
|
||||
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user