packages/libsepol
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: packages:ce9c8ff040e424f95d0fd400319d96089c7e392a
Branches Tags
packages:main
..
compare: packages:9d061dda21da94eadbda597870ab84bdfbb4123b
Branches Tags
packages:main

No commits in common. "ce9c8ff040e424f95d0fd400319d96089c7e392a" and "9d061dda21da94eadbda597870ab84bdfbb4123b" have entirely different histories.
ce9c8ff040 ... 9d061dda21

2 changed files with 91 additions and 4 deletions
Show Stats Expand all files Collapse all files

89
backport-libsepol-Remove-special-handling-of-roles-in-module_to_cil.patch Normal file
View File

@ -0,0 +1,89 @@
From 7450510d9032c0f4d936d4ecb005f0454f65a66e Mon Sep 17 00:00:00 2001
From: James Carter <jwcart2@gmail.com>
Date: Mon, 21 Apr 2025 11:55:41 +0800
Subject: [PATCH] libsepol-Remove-special-handling-of-roles-in-module_to_cil
Reference:https://github.com/SELinuxProject/selinux/commit/be11f48b7a4a0782d79a40ec623e133221c55035
---
libsepol/src/module_to_cil.c | 50 +-----------------------------------
1 file changed, 1 insertion(+), 49 deletions(-)
diff --git a/libsepol/src/module_to_cil.c b/libsepol/src/module_to_cil.c
index 604eada..73e5240 100644
--- a/libsepol/src/module_to_cil.c
+++ b/libsepol/src/module_to_cil.c
@@ -2132,39 +2132,7 @@ static int role_to_cil(int indent, struct policydb *pdb, struct avrule_block *UN
switch (role->flavor) {
case ROLE_ROLE:
if (scope == SCOPE_DECL) {
- // Only declare certain roles if we are reading a base module.
- // These roles are defined in the base module and sometimes in
- // other non-base modules. If we generated the roles regardless of
- // the policy type, it would result in duplicate declarations,
- // which isn't allowed in CIL. Patches have been made to refpolicy
- // to remove these duplicate role declarations, but we need to be
- // backwards compatible and support older policies. Since we know
- // these roles are always declared in base, only print them when we
- // see them in the base module. If the declarations appear in a
- // non-base module, ignore their declarations.
- //
- // Note that this is a hack, and if a policy author does not define
- // one of these roles in base, the declaration will not appear in
- // the resulting policy, likely resulting in a compilation error in
- // CIL.
- //
- // To make things more complicated, the auditadm_r and secadm_r
- // roles could actually be in either the base module or a non-base
- // module, or both. So we can't rely on this same behavior. So for
- // these roles, don't declare them here, even if they are in a base
- // or non-base module. Instead we will just declare them in the
- // base module elsewhere.
- int is_base_role = (!strcmp(key, "user_r") ||
- !strcmp(key, "staff_r") ||
- !strcmp(key, "sysadm_r") ||
- !strcmp(key, "system_r") ||
- !strcmp(key, "unconfined_r"));
- int is_builtin_role = (!strcmp(key, "auditadm_r") ||
- !strcmp(key, "secadm_r"));
- if ((is_base_role && pdb->policy_type == SEPOL_POLICY_BASE) ||
- (!is_base_role && !is_builtin_role)) {
- cil_println(indent, "(role %s)", key);
- }
+ cil_println(indent, "(role %s)", key);
}
if (ebitmap_cardinality(&role->dominates) > 1) {
@@ -3950,17 +3918,6 @@ static int generate_default_object(void)
return 0;
}
-static int generate_builtin_roles(void)
-{
- // due to inconsistentencies between policies and CIL not allowing
- // duplicate roles, some roles are always created, regardless of if they
- // are declared in modules or not
- cil_println(0, "(role auditadm_r)");
- cil_println(0, "(role secadm_r)");
-
- return 0;
-}
-
static int generate_gen_require_attribute(void)
{
cil_println(0, "(typeattribute " GEN_REQUIRE_ATTR ")");
@@ -4045,11 +4002,6 @@ int sepol_module_policydb_to_cil(FILE *fp, struct policydb *pdb, int linked)
goto exit;
}
- rc = generate_builtin_roles();
- if (rc != 0) {
- goto exit;
- }
-
// default attribute to be used to mimic gen_require in CIL
rc = generate_gen_require_attribute();
if (rc != 0) {
--
2.33.0

6
libsepol.spec
View File

@ -1,6 +1,6 @@
Name: libsepol Name: libsepol
Version: 3.5 Version: 3.5
Release: 10 Release: 9
Summary: SELinux binary policy manipulation library Summary: SELinux binary policy manipulation library
License: LGPLv2+ License: LGPLv2+
URL: https://github.com/SELinuxProject/selinux/wiki/Releases URL: https://github.com/SELinuxProject/selinux/wiki/Releases
@ -41,6 +41,7 @@ Patch0032: backport-libsepol-mls-Do-not-destroy-context-on-memory-error.pat
Patch0033: backport-libsepol-cil-cil_post-Initialize-tmp-on-declaration.patch Patch0033: backport-libsepol-cil-cil_post-Initialize-tmp-on-declaration.patch
Patch0034: backport-libsepol-cil-Initialize-avtab_datum-on-declaration.patch Patch0034: backport-libsepol-cil-Initialize-avtab_datum-on-declaration.patch
Patch0035: backport-libsepol-cil-Optionally-allow-duplicate-role-declaration.patch Patch0035: backport-libsepol-cil-Optionally-allow-duplicate-role-declaration.patch
Patch0036: backport-libsepol-Remove-special-handling-of-roles-in-module_to_cil.patch
Patch9000: Optimized-the-way-libsepol-policy-are-generated.patch Patch9000: Optimized-the-way-libsepol-policy-are-generated.patch
@ -103,9 +104,6 @@ make DESTDIR="%{buildroot}" LIBDIR="%{_libdir}" SHLIBDIR="%{_libdir}" install
%{_mandir}/man3/* %{_mandir}/man3/*
%changelog %changelog
* Thu May 8 2025 jinlun <jinlun@huawei.com> - 3.5-10
- Revert "libsepol-Remove-special-handling-of-roles-in-module_to_cil"
* Mon Apr 28 2025 changhan <changhan@xfusion.com> - 3.5-9 * Mon Apr 28 2025 changhan <changhan@xfusion.com> - 3.5-9
- Change the author's mail - Change the author's mail