!118 Change the author's mail

From: @chang111111 
Reviewed-by: @mailofzxf 
Signed-off-by: @mailofzxf

Optimized-the-way-libsepol-policy-are-generated.patch

@@ -0,0 +1,272 @@
+From ae864f32d4f70e789d5dc3eec74525e508df1720 Mon Sep 17 00:00:00 2001
+From: jinlun <jinlun@huawei.com>
+Date: Mon, 28 Apr 2025 10:00:40 +0800
+Subject: [PATCH] Optimized the way libsepol policy are generated
+
+There are optimization patches in the kernel community that can save
+ the memory space of the policy, which causes the results of the
+ /sys/fs/selinux/policy generated by the kernel to be inconsistent
+ with the policy generated bt the call sepol_policydb_read.
+
+---
+ libsepol-3.5/include/sepol/policydb.h         |  3 +
+ .../include/sepol/policydb/policydb.h         |  4 +
+ libsepol-3.5/src/hashtab.c                    |  9 +-
+ libsepol-3.5/src/libsepol.map.in              |  1 +
+ libsepol-3.5/src/policydb.c                   | 86 +++++++++++++++++--
+ libsepol-3.5/src/policydb_public.c            |  5 ++
+ 6 files changed, 98 insertions(+), 10 deletions(-)
+
+diff --git a/libsepol-3.5/include/sepol/policydb.h b/libsepol-3.5/include/sepol/policydb.h
+index 792913d..0f74467 100644
+--- a/libsepol-3.5/include/sepol/policydb.h
++++ b/libsepol-3.5/include/sepol/policydb.h
+@@ -111,6 +111,7 @@ extern int sepol_policydb_optimize(sepol_policydb_t * p);
+  * image contents.
+  */
+ extern int sepol_policydb_read(sepol_policydb_t * p, sepol_policy_file_t * pf);
++extern int sepol_policydb_read_canonicalize(sepol_policydb_t * p, sepol_policy_file_t * pf);
+ 
+ /*
+  * Write a policydb to a policy file.
+diff --git a/libsepol-3.5/include/sepol/policydb/policydb.h b/libsepol-3.5/include/sepol/policydb/policydb.h
+index ef1a014..5a84aba 100644
+--- a/libsepol-3.5/include/sepol/policydb/policydb.h
++++ b/libsepol-3.5/include/sepol/policydb/policydb.h
+@@ -727,6 +727,10 @@ extern void policy_file_init(policy_file_t * x);
+ 
+ extern int policydb_read(policydb_t * p, struct policy_file *fp,
+ 			 unsigned int verbose);
++extern int policydb_read_canonicalize(policydb_t * p, struct policy_file *fp,
++				  unsigned int verbose);
++
++
+ extern int avrule_read_list(policydb_t * p, avrule_t ** avrules,
+ 			    struct policy_file *fp);
+ 
+diff --git a/libsepol-3.5/src/hashtab.c b/libsepol-3.5/src/hashtab.c
+index 6f01d09..1d6825b 100644
+--- a/libsepol-3.5/src/hashtab.c
++++ b/libsepol-3.5/src/hashtab.c
+@@ -34,15 +34,22 @@
+ 
+ #include "private.h"
+ 
++static size_t hashtab_compute_size(size_t nel)
++{
++	if (nel == 0)
++		return 0;
++	return (size_t)(1 << (32 - __builtin_clz((nel) - 1)));
++}
+ hashtab_t hashtab_create(unsigned int (*hash_value) (hashtab_t h,
+ 						     const_hashtab_key_t key),
+ 			 int (*keycmp) (hashtab_t h,
+ 					const_hashtab_key_t key1,
+ 					const_hashtab_key_t key2),
+-			 unsigned int size)
++			 unsigned int nel)
+ {
+ 
+ 	hashtab_t p;
++	unsigned int size = hashtab_compute_size(nel);
+ 
+ 	p = (hashtab_t) malloc(sizeof(hashtab_val_t));
+ 	if (p == NULL)
+diff --git a/libsepol-3.5/src/libsepol.map.in b/libsepol-3.5/src/libsepol.map.in
+index 844924f..3061a66 100644
+--- a/libsepol-3.5/src/libsepol.map.in
++++ b/libsepol-3.5/src/libsepol.map.in
+@@ -288,4 +288,5 @@ LIBSEPOL_3.4 {
+ 	sepol_string_to_av_perm;
+ 	sepol_string_to_security_class;
+ 	sepol_validate_transition_reason_buffer;
++	sepol_policydb_read_canonicalize;
+ } LIBSEPOL_3.0;
+diff --git a/libsepol-3.5/src/policydb.c b/libsepol-3.5/src/policydb.c
+index 21bcad7..ecc1480 100644
+--- a/libsepol-3.5/src/policydb.c
++++ b/libsepol-3.5/src/policydb.c
+@@ -2090,7 +2090,7 @@ static int perm_read(policydb_t * p
+ 	return -1;
+ }
+ 
+-static int common_read(policydb_t * p, hashtab_t h, struct policy_file *fp)
++static int common_read_pre(policydb_t * p, hashtab_t h, struct policy_file *fp, int canonicalize)
+ {
+ 	char *key = 0;
+ 	common_datum_t *comdatum;
+@@ -2113,12 +2113,18 @@ static int common_read(policydb_t * p, hashtab_t h, struct policy_file *fp)
+ 
+ 	comdatum->s.value = le32_to_cpu(buf[1]);
+ 
+-	if (symtab_init(&comdatum->permissions, PERM_SYMTAB_SIZE))
++	nel = le32_to_cpu(buf[3]);
++
++	if (!canonicalize)
++		rc = symtab_init(&comdatum->permissions, PERM_SYMTAB_SIZE);
++	else
++		rc = symtab_init(&comdatum->permissions, nel);
++
++	if (rc)
+ 		goto bad;
+ 	comdatum->permissions.nprim = le32_to_cpu(buf[2]);
+ 	if (comdatum->permissions.nprim > PERM_SYMTAB_SIZE)
+ 		goto bad;
+-	nel = le32_to_cpu(buf[3]);
+ 
+ 	key = malloc(len + 1);
+ 	if (!key)
+@@ -2143,6 +2149,16 @@ static int common_read(policydb_t * p, hashtab_t h, struct policy_file *fp)
+ 	return -1;
+ }
+ 
++static int common_read(policydb_t * p, hashtab_t h, struct policy_file *fp)
++{
++	return common_read_pre(p, h, fp, 1);
++}
++
++static int common_read_canonicalize(policydb_t * p, hashtab_t h, struct policy_file *fp)
++{
++	return common_read_pre(p, h, fp, 1);
++}
++
+ static int read_cons_helper(policydb_t * p, constraint_node_t ** nodep,
+ 			    unsigned int ncons,
+ 			    int allowxtarget, struct policy_file *fp)
+@@ -2238,7 +2254,7 @@ static int read_cons_helper(policydb_t * p, constraint_node_t ** nodep,
+ 	return 0;
+ }
+ 
+-static int class_read(policydb_t * p, hashtab_t h, struct policy_file *fp)
++static int class_read_pre(policydb_t * p, hashtab_t h, struct policy_file *fp, int canonicalize)
+ {
+ 	char *key = 0;
+ 	class_datum_t *cladatum;
+@@ -2265,12 +2281,17 @@ static int class_read(policydb_t * p, hashtab_t h, struct policy_file *fp)
+ 	if (cladatum->s.value > UINT16_MAX)
+ 		goto bad;
+ 
+-	if (symtab_init(&cladatum->permissions, PERM_SYMTAB_SIZE))
++	nel = le32_to_cpu(buf[4]);
++	if (!canonicalize)
++		rc = symtab_init(&cladatum->permissions, PERM_SYMTAB_SIZE);
++	else
++		rc = symtab_init(&cladatum->permissions, nel);
++	if (rc)
+ 		goto bad;
++
+ 	cladatum->permissions.nprim = le32_to_cpu(buf[3]);
+ 	if (cladatum->permissions.nprim > PERM_SYMTAB_SIZE)
+ 		goto bad;
+-	nel = le32_to_cpu(buf[4]);
+ 
+ 	ncons = le32_to_cpu(buf[5]);
+ 
+@@ -2351,6 +2372,16 @@ static int class_read(policydb_t * p, hashtab_t h, struct policy_file *fp)
+ 	return -1;
+ }
+ 
++static int class_read(policydb_t * p, hashtab_t h, struct policy_file *fp)
++{
++	return class_read_pre(p, h, fp, 0);
++}
++
++static int class_read_canonicalize(policydb_t * p, hashtab_t h, struct policy_file *fp)
++{
++	return class_read_pre(p, h, fp, 1);
++}
++
+ static int role_read(policydb_t * p, hashtab_t h, struct policy_file *fp)
+ {
+ 	char *key = 0;
+@@ -3507,6 +3538,11 @@ static int (*read_f[SYM_NUM]) (policydb_t * p, hashtab_t h,
+ common_read, class_read, role_read, type_read, user_read,
+ 	    cond_read_bool, sens_read, cat_read,};
+ 
++static int (*read_f_canonicalize[SYM_NUM]) (policydb_t * p, hashtab_t h,
++			       struct policy_file * fp) = {
++common_read_canonicalize, class_read_canonicalize, role_read, type_read, user_read,
++	    cond_read_bool, sens_read, cat_read,};
++
+ /************** module reading functions below **************/
+ 
+ static avrule_t *avrule_read(policydb_t * p, struct policy_file *fp)
+@@ -4226,7 +4262,7 @@ static sepol_access_vector_t policydb_string_to_av_perm(
+  * Read the configuration data from a policy database binary
+  * representation file into a policy database structure.
+  */
+-int policydb_read(policydb_t * p, struct policy_file *fp, unsigned verbose)
++int policydb_read_pre(policydb_t * p, struct policy_file *fp, unsigned verbose, int canonicalize)
+ {
+ 
+ 	unsigned int i, j, r_policyvers;
+@@ -4444,9 +4480,26 @@ int policydb_read(policydb_t * p, struct policy_file *fp, unsigned verbose)
+ 			ERR(fp->handle, "unexpected items in symbol table with no symbol");
+ 			goto bad;
+ 		}
+-		for (j = 0; j < nel; j++) {
+-			if (read_f[i] (p, p->symtab[i].table, fp))
++
++		if (canonicalize) {
++			hashtab_destroy(p->symtab[i].table);
++			if (symtab_init(&p->symtab[i], nel))
+ 				goto bad;
++			if (i == SYM_ROLES) {
++				if (roles_init(p))
++					goto bad;
++			}
++		}
++
++
++		for (j = 0; j < nel; j++) {
++			if (canonicalize) {
++				if (read_f_canonicalize[i] (p, p->symtab[i].table, fp))
++					goto bad;
++			} else {
++				if (read_f[i] (p, p->symtab[i].table, fp))
++					goto bad;
++			}
+ 		}
+ 
+ 		p->symtab[i].nprim = nprim;
+@@ -4579,9 +4632,24 @@ int policydb_read(policydb_t * p, struct policy_file *fp, unsigned verbose)
+ 
+ 	return POLICYDB_SUCCESS;
+       bad:
++	if (canonicalize) {
++		for (i = 0; i < SYM_NUM; i++) {
++			hashtab_destroy(p->symtab[i].table);
++		}
++	}
+ 	return POLICYDB_ERROR;
+ }
+ 
++int policydb_read(policydb_t * p, struct policy_file *fp, unsigned verbose)
++{
++	return policydb_read_pre(p, fp, verbose, 0);
++}
++
++int policydb_read_canonicalize(policydb_t * p, struct policy_file *fp, unsigned verbose)
++{
++	return policydb_read_pre(p, fp, verbose, 1);
++}
++
+ int policydb_reindex_users(policydb_t * p)
+ {
+ 	unsigned int i = SYM_USERS;
+diff --git a/libsepol-3.5/src/policydb_public.c b/libsepol-3.5/src/policydb_public.c
+index 0218c94..bbc2583 100644
+--- a/libsepol-3.5/src/policydb_public.c
++++ b/libsepol-3.5/src/policydb_public.c
+@@ -212,3 +212,8 @@ int sepol_policydb_compat_net(const sepol_policydb_t * p)
+ 	return (hashtab_search(p->p.p_classes.table, PACKET_CLASS_NAME) ==
+ 		NULL);
+ }
++
++int sepol_policydb_read_canonicalize(sepol_policydb_t * p, sepol_policy_file_t * pf)
++{
++	return policydb_read_canonicalize(&p->p, &pf->pf, 0);
++}
+-- 
+2.33.0
+

backport-libsepol-Initialize-strs-on-declaration.patch

@@ -0,0 +1,63 @@
+From cd8302f0a6f38671cc0265b8ebc2cd4ea4a7b61f Mon Sep 17 00:00:00 2001
+From: Vit Mojzis <vmojzis@redhat.com>
+Date: Wed, 23 Oct 2024 15:43:18 +0200
+Subject: [PATCH] libsepol: Initialize "strs" on declaration
+
+The value of "strs" was not always initialized before being used by
+strs_destroy.
+
+Fixes:
+Error: UNINIT (CWE-457):
+libsepol-3.7/src/kernel_to_cil.c:1439:2: var_decl: Declaring variable "strs" without initializer.
+libsepol-3.7/src/kernel_to_cil.c:1487:2: uninit_use_in_call: Using uninitialized value "strs" when calling "strs_destroy".
+ \# 1485|
+ \# 1486|   exit:
+ \# 1487|-> 	strs_destroy(&strs);
+ \# 1488|
+ \# 1489|   	if (rc != 0) {
+
+Error: UNINIT (CWE-457):
+libsepol-3.7/src/kernel_to_conf.c:1422:2: var_decl: Declaring variable "strs" without initializer.
+libsepol-3.7/src/kernel_to_conf.c:1461:2: uninit_use_in_call: Using uninitialized value "strs" when calling "strs_destroy".
+ \# 1459|
+ \# 1460|   exit:
+ \# 1461|-> 	strs_destroy(&strs);
+ \# 1462|
+ \# 1463|   	if (rc != 0) {
+
+Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
+Acked-by: James Carter <jwcart2@gmail.com>
+---
+ libsepol/src/kernel_to_cil.c  | 2 +-
+ libsepol/src/kernel_to_conf.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/libsepol/src/kernel_to_cil.c b/libsepol/src/kernel_to_cil.c
+index 7243b3c0..2d563e7d 100644
+--- a/libsepol/src/kernel_to_cil.c
++++ b/libsepol/src/kernel_to_cil.c
+@@ -1436,7 +1436,7 @@ static int map_type_aliases_to_strs(char *key, void *data, void *args)
+ static int write_type_alias_rules_to_cil(FILE *out, struct policydb *pdb)
+ {
+ 	type_datum_t *alias;
+-	struct strs *strs;
++	struct strs *strs = NULL;
+ 	char *name;
+ 	char *type;
+ 	unsigned i, num = 0;
+diff --git a/libsepol/src/kernel_to_conf.c b/libsepol/src/kernel_to_conf.c
+index ca91ffae..661546af 100644
+--- a/libsepol/src/kernel_to_conf.c
++++ b/libsepol/src/kernel_to_conf.c
+@@ -1419,7 +1419,7 @@ static int map_type_aliases_to_strs(char *key, void *data, void *args)
+ static int write_type_alias_rules_to_conf(FILE *out, struct policydb *pdb)
+ {
+ 	type_datum_t *alias;
+-	struct strs *strs;
++	struct strs *strs = NULL;
+ 	char *name;
+ 	char *type;
+ 	unsigned i, num = 0;
+-- 
+2.33.0
+

backport-libsepol-Remove-special-handling-of-roles-in-module_to_cil.patch

@@ -0,0 +1,89 @@
+From 7450510d9032c0f4d936d4ecb005f0454f65a66e Mon Sep 17 00:00:00 2001
+From: James Carter <jwcart2@gmail.com>
+Date: Mon, 21 Apr 2025 11:55:41 +0800
+Subject: [PATCH] libsepol-Remove-special-handling-of-roles-in-module_to_cil
+
+Reference:https://github.com/SELinuxProject/selinux/commit/be11f48b7a4a0782d79a40ec623e133221c55035
+
+---
+ libsepol/src/module_to_cil.c | 50 +-----------------------------------
+ 1 file changed, 1 insertion(+), 49 deletions(-)
+
+diff --git a/libsepol/src/module_to_cil.c b/libsepol/src/module_to_cil.c
+index 604eada..73e5240 100644
+--- a/libsepol/src/module_to_cil.c
++++ b/libsepol/src/module_to_cil.c
+@@ -2132,39 +2132,7 @@ static int role_to_cil(int indent, struct policydb *pdb, struct avrule_block *UN
+ 	switch (role->flavor) {
+ 	case ROLE_ROLE:
+ 		if (scope == SCOPE_DECL) {
+-			// Only declare certain roles if we are reading a base module.
+-			// These roles are defined in the base module and sometimes in
+-			// other non-base modules. If we generated the roles regardless of
+-			// the policy type, it would result in duplicate declarations,
+-			// which isn't allowed in CIL. Patches have been made to refpolicy
+-			// to remove these duplicate role declarations, but we need to be
+-			// backwards compatible and support older policies. Since we know
+-			// these roles are always declared in base, only print them when we
+-			// see them in the base module. If the declarations appear in a
+-			// non-base module, ignore their declarations.
+-			//
+-			// Note that this is a hack, and if a policy author does not define
+-			// one of these roles in base, the declaration will not appear in
+-			// the resulting policy, likely resulting in a compilation error in
+-			// CIL.
+-			//
+-			// To make things more complicated, the auditadm_r and secadm_r
+-			// roles could actually be in either the base module or a non-base
+-			// module, or both. So we can't rely on this same behavior. So for
+-			// these roles, don't declare them here, even if they are in a base
+-			// or non-base module. Instead we will just declare them in the
+-			// base module elsewhere.
+-			int is_base_role = (!strcmp(key, "user_r") ||
+-			                    !strcmp(key, "staff_r") ||
+-			                    !strcmp(key, "sysadm_r") ||
+-			                    !strcmp(key, "system_r") ||
+-			                    !strcmp(key, "unconfined_r"));
+-			int is_builtin_role = (!strcmp(key, "auditadm_r") ||
+-			                       !strcmp(key, "secadm_r"));
+-			if ((is_base_role && pdb->policy_type == SEPOL_POLICY_BASE) ||
+-			    (!is_base_role && !is_builtin_role)) {
+-				cil_println(indent, "(role %s)", key);
+-			}
++			cil_println(indent, "(role %s)", key);
+ 		}
+ 
+ 		if (ebitmap_cardinality(&role->dominates) > 1) {
+@@ -3950,17 +3918,6 @@ static int generate_default_object(void)
+ 	return 0;
+ }
+ 
+-static int generate_builtin_roles(void)
+-{
+-	// due to inconsistentencies between policies and CIL not allowing
+-	// duplicate roles, some roles are always created, regardless of if they
+-	// are declared in modules or not
+-	cil_println(0, "(role auditadm_r)");
+-	cil_println(0, "(role secadm_r)");
+-
+-	return 0;
+-}
+-
+ static int generate_gen_require_attribute(void)
+ {
+ 	cil_println(0, "(typeattribute " GEN_REQUIRE_ATTR ")");
+@@ -4045,11 +4002,6 @@ int sepol_module_policydb_to_cil(FILE *fp, struct policydb *pdb, int linked)
+ 			goto exit;
+ 		}
+ 
+-		rc = generate_builtin_roles();
+-		if (rc != 0) {
+-			goto exit;
+-		}
+-
+ 		// default attribute to be used to mimic gen_require in CIL
+ 		rc = generate_gen_require_attribute();
+ 		if (rc != 0) {
+-- 
+2.33.0
+

backport-libsepol-cil-Check-that-sym_index-is-within-bounds.patch

@@ -0,0 +1,40 @@
+From 6b5626fd30292b148fa8b732a38a03af1705b655 Mon Sep 17 00:00:00 2001
+From: Vit Mojzis <vmojzis@redhat.com>
+Date: Tue, 23 Jul 2024 16:41:57 +0200
+Subject: [PATCH] libsepol/cil: Check that sym_index is within bounds
+
+Make sure sym_index is within the bounds of symtab array before using it
+to index the array.
+
+Fixes:
+  Error: OVERRUN (CWE-119):
+  libsepol-3.6/cil/src/cil_resolve_ast.c:3157: assignment: Assigning: "sym_index" = "CIL_SYM_UNKNOWN".
+  libsepol-3.6/cil/src/cil_resolve_ast.c:3189: overrun-call: Overrunning callee's array of size 19 by passing argument "sym_index" (which evaluates to 20) in call to "cil_resolve_name".
+  \# 3187|                   switch (curr->flavor) {
+  \# 3188|                   case CIL_STRING:
+  \# 3189|->                         rc = cil_resolve_name(parent, curr->data, sym_index, db, &res_datum);
+  \# 3190|                           if (rc != SEPOL_OK) {
+  \# 3191|                                   goto exit;
+
+Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
+Acked-by: James Carter <jwcart2@gmail.com>
+---
+ libsepol/cil/src/cil_resolve_ast.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libsepol/cil/src/cil_resolve_ast.c b/libsepol/cil/src/cil_resolve_ast.c
+index 427a320c..da8863c4 100644
+--- a/libsepol/cil/src/cil_resolve_ast.c
++++ b/libsepol/cil/src/cil_resolve_ast.c
+@@ -4291,7 +4291,7 @@ int cil_resolve_name_keep_aliases(struct cil_tree_node *ast_node, char *name, en
+	struct cil_db *db = args->db;
+ 	struct cil_tree_node *node = NULL;
+ 
+-	if (name == NULL) {
++	if (name == NULL || sym_index >= CIL_SYM_NUM) {
+ 		cil_log(CIL_ERR, "Invalid call to cil_resolve_name\n");
+ 		goto exit;
+ 	}
+-- 
+2.33.0
+

backport-libsepol-cil-Initialize-avtab_datum-on-declaration.patch

@@ -0,0 +1,81 @@
+From 0dac9813e1ea44d35b8bb8b72203ddb41c4ed751 Mon Sep 17 00:00:00 2001
+From: Vit Mojzis <vmojzis@redhat.com>
+Date: Wed, 23 Oct 2024 15:43:15 +0200
+Subject: [PATCH] libsepol/cil: Initialize avtab_datum on declaration
+
+avtab_datum.xperms was not always initialized before being used.
+
+Fixes:
+Error: UNINIT (CWE-457):
+libsepol-3.7/cil/src/cil_binary.c:977:2: var_decl: Declaring variable "avtab_datum" without initializer.
+libsepol-3.7/cil/src/cil_binary.c:1059:3: uninit_use_in_call: Using uninitialized value "avtab_datum". Field "avtab_datum.xperms" is uninitialized when calling "__cil_cond_insert_rule".
+ \# 1057|   			}
+ \# 1058|   		}
+ \# 1059|-> 		rc = __cil_cond_insert_rule(&pdb->te_cond_avtab, &avtab_key, &avtab_datum, cond_node, cond_flavor);
+ \# 1060|   	}
+
+Error: UNINIT (CWE-457):
+libsepol-3.7/cil/src/cil_binary.c:1348:2: var_decl: Declaring variable "avtab_datum" without initializer.
+libsepol-3.7/cil/src/cil_binary.c:1384:3: uninit_use_in_call: Using uninitialized value "avtab_datum". Field "avtab_datum.xperms" is uninitialized when calling "__cil_cond_insert_rule".
+ \# 1382|   	} else {
+ \# 1383|   		avtab_datum.data = data;
+ \# 1384|-> 		rc = __cil_cond_insert_rule(&pdb->te_cond_avtab, &avtab_key, &avtab_datum, cond_node, cond_flavor);
+ \# 1385|   	}
+ \# 1386|
+
+Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
+Acked-by: James Carter <jwcart2@gmail.com>
+---
+ libsepol/cil/src/cil_binary.c | 8 ++------
+ 1 file changed, 2 insertions(+), 6 deletions(-)
+
+diff --git a/libsepol/cil/src/cil_binary.c b/libsepol/cil/src/cil_binary.c
+index 3dec1883..3d920182 100644
+--- a/libsepol/cil/src/cil_binary.c
++++ b/libsepol/cil/src/cil_binary.c
+@@ -975,7 +975,7 @@ static int __cil_insert_type_rule(policydb_t *pdb, uint32_t kind, uint32_t src,
+ {
+ 	int rc = SEPOL_OK;
+ 	avtab_key_t avtab_key;
+-	avtab_datum_t avtab_datum;
++	avtab_datum_t avtab_datum = { .data = res, .xperms = NULL };
+ 	avtab_ptr_t existing;	
+ 
+ 	avtab_key.source_type = src;
+@@ -997,8 +997,6 @@ static int __cil_insert_type_rule(policydb_t *pdb, uint32_t kind, uint32_t src,
+ 		goto exit;
+ 	}
+ 
+-	avtab_datum.data = res;
+-	
+ 	existing = avtab_search_node(&pdb->te_avtab, &avtab_key);
+ 	if (existing) {
+ 		/* Don't add duplicate type rule and warn if they conflict.
+@@ -1346,7 +1344,7 @@ static int __cil_insert_avrule(policydb_t *pdb, uint32_t kind, uint32_t src, uin
+ {
+ 	int rc = SEPOL_OK;
+ 	avtab_key_t avtab_key;
+-	avtab_datum_t avtab_datum;
++	avtab_datum_t avtab_datum = { .data = data, .xperms = NULL };
+ 	avtab_datum_t *avtab_dup = NULL;
+ 
+ 	avtab_key.source_type = src;
+@@ -1372,7 +1370,6 @@ static int __cil_insert_avrule(policydb_t *pdb, uint32_t kind, uint32_t src, uin
+ 	if (!cond_node) {
+ 		avtab_dup = avtab_search(&pdb->te_avtab, &avtab_key);
+ 		if (!avtab_dup) {
+-			avtab_datum.data = data;
+ 			rc = avtab_insert(&pdb->te_avtab, &avtab_key, &avtab_datum);
+ 		} else {
+ 			if (kind == CIL_AVRULE_DONTAUDIT)
+@@ -1381,7 +1378,6 @@ static int __cil_insert_avrule(policydb_t *pdb, uint32_t kind, uint32_t src, uin
+ 				avtab_dup->data |= data;
+ 		}
+ 	} else {
+-		avtab_datum.data = data;
+ 		rc = __cil_cond_insert_rule(&pdb->te_cond_avtab, &avtab_key, &avtab_datum, cond_node, cond_flavor);
+ 	}
+ 
+-- 
+2.33.0
+

backport-libsepol-cil-Optionally-allow-duplicate-role-declaration.patch

@@ -0,0 +1,40 @@
+From ae3c44c2d44b5e2f1c87b4b095d522a7f11add7a Mon Sep 17 00:00:00 2001
+From: James Carter <jwcart2@gmail.com>
+Date: Mon, 21 Apr 2025 11:34:35 +0800
+Subject: [PATCH] libsepol-cil-Optionally-allow-duplicate-role-declarations
+
+Reference:https://github.com/SELinuxProject/selinux/commit/7492632a6b6a1081d0c057a2ecfc193be9989515
+
+---
+ libsepol/cil/src/cil_build_ast.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/libsepol/cil/src/cil_build_ast.c b/libsepol/cil/src/cil_build_ast.c
+index 4177c9f..8264984 100644
+--- a/libsepol/cil/src/cil_build_ast.c
++++ b/libsepol/cil/src/cil_build_ast.c
+@@ -92,6 +92,7 @@ static int cil_allow_multiple_decls(struct cil_db *db, enum cil_flavor f_new, en
+ 	switch (f_new) {
+ 	case CIL_TYPE:
+ 	case CIL_TYPEATTRIBUTE:
++	case CIL_ROLE:
+ 		if (db->multiple_decls) {
+ 			return CIL_TRUE;
+ 		}
+@@ -1750,7 +1751,12 @@ int cil_gen_role(struct cil_db *db, struct cil_tree_node *parse_current, struct
+ 
+ 	rc = cil_gen_node(db, ast_node, (struct cil_symtab_datum*)role, (hashtab_key_t)key, CIL_SYM_ROLES, CIL_ROLE);
+ 	if (rc != SEPOL_OK) {
+-		goto exit;
++		if (rc == SEPOL_EEXIST) {
++ 			cil_destroy_role(role);
++ 			role = NULL;
++ 		} else {
++ 			goto exit;
++ 		}
+ 	}
+ 
+ 	return SEPOL_OK;
+-- 
+2.33.0
+

backport-libsepol-cil-cil_post-Initialize-tmp-on-declaration.patch

@@ -0,0 +1,40 @@
+From 00fb52ce34773c34591166fd58b2f3d035ff47c9 Mon Sep 17 00:00:00 2001
+From: Vit Mojzis <vmojzis@redhat.com>
+Date: Wed, 23 Oct 2024 15:43:17 +0200
+Subject: [PATCH] libsepol/cil/cil_post: Initialize tmp on declaration
+
+tmp.node was not always initialized before being used by
+ebitmap_destroy.
+
+Fixes:
+Error: UNINIT (CWE-457):
+libsepol-3.7/cil/src/cil_post.c:1309:2: var_decl: Declaring variable "tmp" without initializer.
+libsepol-3.7/cil/src/cil_post.c:1382:6: uninit_use_in_call: Using uninitialized value "tmp.node" when calling "ebitmap_destroy".
+ \# 1380|   				if (rc != SEPOL_OK) {
+ \# 1381|   					cil_log(CIL_INFO, "Failed to apply operator to bitmaps\n");
+ \# 1382|-> 					ebitmap_destroy(&tmp);
+ \# 1383|   					goto exit;
+ \# 1384|   				}
+
+Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
+Acked-by: James Carter <jwcart2@gmail.com>
+---
+ libsepol/cil/src/cil_post.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/libsepol/cil/src/cil_post.c b/libsepol/cil/src/cil_post.c
+index ac99997f..d63a5496 100644
+--- a/libsepol/cil/src/cil_post.c
++++ b/libsepol/cil/src/cil_post.c
+@@ -1315,6 +1315,8 @@ static int __cil_expr_to_bitmap(struct cil_list *expr, ebitmap_t *out, int max,
+ 	curr = expr->head;
+ 	flavor = expr->flavor;
+ 
++	ebitmap_init(&tmp);
++
+ 	if (curr->flavor == CIL_OP) {
+ 		enum cil_flavor op = (enum cil_flavor)(uintptr_t)curr->data;
+ 
+-- 
+2.33.0
+

backport-libsepol-mls-Do-not-destroy-context-on-memory-error.patch

@@ -0,0 +1,74 @@
+From 575d1cfaac7d58b7333580fdc6203c166b89e271 Mon Sep 17 00:00:00 2001
+From: Vit Mojzis <vmojzis@redhat.com>
+Date: Wed, 23 Oct 2024 15:43:16 +0200
+Subject: [PATCH] libsepol/mls: Do not destroy context on memory error
+
+In case of malloc error, ctx1, or ctx2 may be pointing to uninitialized
+space and context_destroy should not be used on it.
+
+Fixes:
+Error: UNINIT (CWE-457):
+libsepol-3.7/src/mls.c:673:2: alloc_fn: Calling "malloc" which returns uninitialized memory.
+libsepol-3.7/src/mls.c:673:2: assign: Assigning: "ctx1" = "malloc(64UL)", which points to uninitialized data.
+libsepol-3.7/src/mls.c:699:2: uninit_use_in_call: Using uninitialized value "ctx1->range.level[0].cat.node" when calling "context_destroy".
+ \#  697|   	ERR(handle, "could not check if mls context %s contains %s",
+ \#  698|   	    mls1, mls2);
+ \#  699|-> 	context_destroy(ctx1);
+ \#  700|   	context_destroy(ctx2);
+ \#  701|   	free(ctx1);
+
+Error: UNINIT (CWE-457):
+libsepol-3.7/src/mls.c:674:2: alloc_fn: Calling "malloc" which returns uninitialized memory.
+libsepol-3.7/src/mls.c:674:2: assign: Assigning: "ctx2" = "malloc(64UL)", which points to uninitialized data.
+libsepol-3.7/src/mls.c:700:2: uninit_use_in_call: Using uninitialized value "ctx2->range.level[0].cat.node" when calling "context_destroy".
+ \#  698|   	    mls1, mls2);
+ \#  699|   	context_destroy(ctx1);
+ \#  700|-> 	context_destroy(ctx2);
+ \#  701|   	free(ctx1);
+ \#  702|   	free(ctx2);
+
+Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
+Acked-by: James Carter <jwcart2@gmail.com>
+---
+ libsepol/src/mls.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/libsepol/src/mls.c b/libsepol/src/mls.c
+index 45db8920..a37405d1 100644
+--- a/libsepol/src/mls.c
++++ b/libsepol/src/mls.c
+@@ -672,8 +672,10 @@ int sepol_mls_contains(sepol_handle_t * handle,
+ 	context_struct_t *ctx1 = NULL, *ctx2 = NULL;
+ 	ctx1 = malloc(sizeof(context_struct_t));
+ 	ctx2 = malloc(sizeof(context_struct_t));
+-	if (ctx1 == NULL || ctx2 == NULL)
++	if (ctx1 == NULL || ctx2 == NULL){
++		ERR(handle, "out of memory");
+ 		goto omem;
++	}
+ 	context_init(ctx1);
+ 	context_init(ctx2);
+ 
+@@ -690,16 +692,14 @@ int sepol_mls_contains(sepol_handle_t * handle,
+ 	free(ctx2);
+ 	return STATUS_SUCCESS;
+ 
+-      omem:
+-	ERR(handle, "out of memory");
+-
+       err:
+-	ERR(handle, "could not check if mls context %s contains %s",
+-	    mls1, mls2);
+ 	context_destroy(ctx1);
+ 	context_destroy(ctx2);
++      omem:
+ 	free(ctx1);
+ 	free(ctx2);
++	ERR(handle, "could not check if mls context %s contains %s",
++	    mls1, mls2);
+ 	return STATUS_ERR;
+ }
+ 
+-- 
+2.33.0
+

backport-libsepol-sepol_compute_sid-Do-not-destroy-uninitiali.patch

@@ -0,0 +1,51 @@
+From 1f080ffd7ab24b0ad2b46f79db63d62c2ae2747c Mon Sep 17 00:00:00 2001
+From: Vit Mojzis <vmojzis@redhat.com>
+Date: Fri, 19 Jul 2024 18:17:13 +0200
+Subject: [PATCH] libsepol/sepol_compute_sid: Do not destroy uninitialized
+ context
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Avoid context_destroy() on "newcontext" before context_init() is called.
+
+Fixes:
+  libsepol-3.6/src/services.c:1335: var_decl: Declaring variable "newcontext" without initializer.
+  libsepol-3.6/src/services.c:1462: uninit_use_in_call: Using uninitialized value "newcontext.range.level[0].cat.node" when calling "context_destroy".
+  \# 1460|   	rc = sepol_sidtab_context_to_sid(sidtab, &newcontext, out_sid);
+  \# 1461|         out:
+  \# 1462|-> 	context_destroy(&newcontext);
+  \# 1463|   	return rc;
+  \# 1464|   }
+
+Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
+Reviewed-by: Christian Göttsche <cgzones@googlemail.com>
+Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
+---
+ libsepol/src/services.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/libsepol/src/services.c b/libsepol/src/services.c
+index 36e2368f..f3231f17 100644
+--- a/libsepol/src/services.c
++++ b/libsepol/src/services.c
+@@ -1362,14 +1362,12 @@ static int sepol_compute_sid(sepol_security_id_t ssid,
+ 	scontext = sepol_sidtab_search(sidtab, ssid);
+ 	if (!scontext) {
+ 		ERR(NULL, "unrecognized SID %d", ssid);
+-		rc = -EINVAL;
+-		goto out;
++		return -EINVAL;
+ 	}
+ 	tcontext = sepol_sidtab_search(sidtab, tsid);
+ 	if (!tcontext) {
+ 		ERR(NULL, "unrecognized SID %d", tsid);
+-		rc = -EINVAL;
+-		goto out;
++		return -EINVAL;
+ 	}
+ 
+ 	if (tclass && tclass <= policydb->p_classes.nprim)
+-- 
+2.33.0
+

libsepol.spec

@@ -1,6 +1,6 @@
 Name:           libsepol
 Version:        3.5
-Release:        4
+Release:        9
 Summary:        SELinux binary policy manipulation library
 License:        LGPLv2+
 URL:            https://github.com/SELinuxProject/selinux/wiki/Releases
@@ -34,6 +34,16 @@ Patch0025:      backport-libsepol-ensure-transitivity-in-compare-functions.patch
 Patch0026:      backport-libsepol-cil-ensure-transitivity-in-compare-functions.patch
 Patch0027:      backport-libsepol-cil-Check-common-perms-when-verifiying-all.patch
 Patch0028:      backport-libsepol-cil-Fix-detected-RESOURCE_LEAK-CWE-772.patch
+Patch0029:      backport-libsepol-sepol_compute_sid-Do-not-destroy-uninitiali.patch
+Patch0030:      backport-libsepol-cil-Check-that-sym_index-is-within-bounds.patch
+Patch0031:      backport-libsepol-Initialize-strs-on-declaration.patch
+Patch0032:      backport-libsepol-mls-Do-not-destroy-context-on-memory-error.patch
+Patch0033:      backport-libsepol-cil-cil_post-Initialize-tmp-on-declaration.patch
+Patch0034:      backport-libsepol-cil-Initialize-avtab_datum-on-declaration.patch
+Patch0035:      backport-libsepol-cil-Optionally-allow-duplicate-role-declaration.patch
+Patch0036:      backport-libsepol-Remove-special-handling-of-roles-in-module_to_cil.patch
+
+Patch9000:      Optimized-the-way-libsepol-policy-are-generated.patch
 
 BuildRequires:  gcc flex
 
@@ -94,6 +104,21 @@ make DESTDIR="%{buildroot}" LIBDIR="%{_libdir}" SHLIBDIR="%{_libdir}" install
 %{_mandir}/man3/*
 
 %changelog
+* Mon Apr 28 2025 changhan <changhan@xfusion.com> - 3.5-9
+- Change the author's mail
+
+* Mon Apr 28 2025 jinlun <jinlun@huawei.com> - 3.5-8
+- Optimized the way libsepol policy are generated
+
+* Mon Apr 21 2025 changhan <changhan@xfusion.com>  - 3.5-7
+- backport libsepol: Remove special handling of roles in module_to_cil.c
+
+* Mon Apr 21 2025 changhan <changhan@xfusion.com>  - 3.5-6
+- backport libsepol/cil: Optionally allow duplicate role declarations
+
+* Tue Mar 18 2025 Linux_zhang <zhangruifang@h-partners.com> - 3.5-5
+- backport patches from upstream
+
 * Tue Oct 15 2024 yanglongkang <yanglongkang@h-partners.com> - 3.5-4
 - backport bugfix from upstream