From 7450510d9032c0f4d936d4ecb005f0454f65a66e Mon Sep 17 00:00:00 2001 From: changhan Date: Mon, 21 Apr 2025 11:55:41 +0800 Subject: [PATCH] libsepol-Remove-special-handling-of-roles-in-module_to_cil Reference:https://github.com/SELinuxProject/selinux/commit/be11f48b7a4a0782d79a40ec623e133221c55035
---
 libsepol/src/module_to_cil.c | 50 +-----------------------------------
 1 file changed, 1 insertion(+), 49 deletions(-)
diff --git a/libsepol/src/module_to_cil.c b/libsepol/src/module_to_cil.c
index 604eada..73e5240 100644
--- a/libsepol/src/module_to_cil.c
+++ b/libsepol/src/module_to_cil.c
@@ -2132,39 +2132,7 @@ static int role_to_cil(int indent, struct policydb *pdb, struct avrule_block *UN
 switch (role->flavor) {
 case ROLE_ROLE:
 if (scope == SCOPE_DECL) {
- // Only declare certain roles if we are reading a base module.
- // These roles are defined in the base module and sometimes in
- // other non-base modules. If we generated the roles regardless of
- // the policy type, it would result in duplicate declarations,
- // which isn't allowed in CIL. Patches have been made to refpolicy
- // to remove these duplicate role declarations, but we need to be
- // backwards compatible and support older policies. Since we know
- // these roles are always declared in base, only print them when we
- // see them in the base module. If the declarations appear in a
- // non-base module, ignore their declarations.
- //
- // Note that this is a hack, and if a policy author does not define
- // one of these roles in base, the declaration will not appear in
- // the resulting policy, likely resulting in a compilation error in
- // CIL.
- //
- // To make things more complicated, the auditadm_r and secadm_r
- // roles could actually be in either the base module or a non-base
- // module, or both. So we can't rely on this same behavior. So for
- // these roles, don't declare them here, even if they are in a base
- // or non-base module. Instead we will just declare them in the
- // base module elsewhere.
- int is_base_role = (!strcmp(key, "user_r") ||
- !strcmp(key, "staff_r") ||
- !strcmp(key, "sysadm_r") ||
- !strcmp(key, "system_r") ||
- !strcmp(key, "unconfined_r"));
- int is_builtin_role = (!strcmp(key, "auditadm_r") ||
- !strcmp(key, "secadm_r"));
- if ((is_base_role && pdb->policy_type == SEPOL_POLICY_BASE) ||
- (!is_base_role && !is_builtin_role)) {
- cil_println(indent, "(role %s)", key);
- }
+ cil_println(indent, "(role %s)", key);
 }

 if (ebitmap_cardinality(&role->dominates) > 1) {
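Review bot: The now-unconditional `cil_println(indent, "(role %s)", key);` emits a role declaration wherever the role is declared, so a policy that still declares one of the former "base" roles in both a base and a non-base module will produce two `(role ...)` statements, and the removed comment states CIL rejects duplicate declarations; such older policies therefore now fail at CIL compile time where the dropped hack silently suppressed the second declaration. That is presumably the intended trade-off of the upstream change referenced in the subject, but nothing in the hunk records it, and the next maintainer hitting a duplicate-role error is likely to re-add the special-casing. A short comment on the new line would prevent that: `// Emit every role where it is declared; CIL rejects duplicate declarations, so a policy declaring the same role in base and a non-base module now fails to compile instead of being deduplicated here.` role_to_cil starts and ends outside this hunk, so I cannot tell from here whether any other part of the function or of the referenced upstream commit guards against the duplicate case.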
@@ -3950,17 +3918,6 @@ static int generate_default_object(void)
 return 0;
 }

-static int generate_builtin_roles(void)
-{
- // due to inconsistentencies between policies and CIL not allowing
- // duplicate roles, some roles are always created, regardless of if they
- // are declared in modules or not
- cil_println(0, "(role auditadm_r)");
- cil_println(0, "(role secadm_r)");
-
- return 0;
-}
-
 static int generate_gen_require_attribute(void)
 {
 cil_println(0, "(typeattribute " GEN_REQUIRE_ATTR ")");
@@ -4045,11 +4002,6 @@ int sepol_module_policydb_to_cil(FILE *fp, struct policydb *pdb, int linked)
 goto exit;
 }

- rc = generate_builtin_roles();
- if (rc != 0) {
- goto exit;
- }
-
 // default attribute to be used to mimic gen_require in CIL
 rc = generate_gen_require_attribute();
 if (rc != 0) {
-- 2.33.0