packages/libsepol
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
libsepol/backport-libsepol-Remove-special-handling-of-roles-in-module_to_cil.patch
changhan b581452fae
backport libsepol: Remove special handling of roles in module_to_cil.c 
Signed-off-by: changhan <changhan@xfusion.com>
2025-04-21 04:01:57 +00:00

90 lines
3.6 KiB
Diff
Raw Blame History

From 7450510d9032c0f4d936d4ecb005f0454f65a66e Mon Sep 17 00:00:00 2001
From: changhan <changhan@xfusion.com>
Date: Mon, 21 Apr 2025 11:55:41 +0800
Subject: [PATCH] libsepol-Remove-special-handling-of-roles-in-module_to_cil
Reference:https://github.com/SELinuxProject/selinux/commit/be11f48b7a4a0782d79a40ec623e133221c55035
---
libsepol/src/module_to_cil.c | 50 +-----------------------------------
1 file changed, 1 insertion(+), 49 deletions(-)
diff --git a/libsepol/src/module_to_cil.c b/libsepol/src/module_to_cil.c
index 604eada..73e5240 100644
--- a/libsepol/src/module_to_cil.c
+++ b/libsepol/src/module_to_cil.c
@@ -2132,39 +2132,7 @@ static int role_to_cil(int indent, struct policydb *pdb, struct avrule_block *UN
switch (role->flavor) {
case ROLE_ROLE:
if (scope == SCOPE_DECL) {
- // Only declare certain roles if we are reading a base module.
- // These roles are defined in the base module and sometimes in
- // other non-base modules. If we generated the roles regardless of
- // the policy type, it would result in duplicate declarations,
- // which isn't allowed in CIL. Patches have been made to refpolicy
- // to remove these duplicate role declarations, but we need to be
- // backwards compatible and support older policies. Since we know
- // these roles are always declared in base, only print them when we
- // see them in the base module. If the declarations appear in a
- // non-base module, ignore their declarations.
- //
- // Note that this is a hack, and if a policy author does not define
- // one of these roles in base, the declaration will not appear in
- // the resulting policy, likely resulting in a compilation error in
- // CIL.
- //
- // To make things more complicated, the auditadm_r and secadm_r
- // roles could actually be in either the base module or a non-base
- // module, or both. So we can't rely on this same behavior. So for
- // these roles, don't declare them here, even if they are in a base
- // or non-base module. Instead we will just declare them in the
- // base module elsewhere.
- int is_base_role = (!strcmp(key, "user_r") ||
- !strcmp(key, "staff_r") ||
- !strcmp(key, "sysadm_r") ||
- !strcmp(key, "system_r") ||
- !strcmp(key, "unconfined_r"));
- int is_builtin_role = (!strcmp(key, "auditadm_r") ||
- !strcmp(key, "secadm_r"));
- if ((is_base_role && pdb->policy_type == SEPOL_POLICY_BASE) ||
- (!is_base_role && !is_builtin_role)) {
- cil_println(indent, "(role %s)", key);
- }
+ cil_println(indent, "(role %s)", key);
}
if (ebitmap_cardinality(&role->dominates) > 1) {
@@ -3950,17 +3918,6 @@ static int generate_default_object(void)
return 0;
}
-static int generate_builtin_roles(void)
-{
- // due to inconsistentencies between policies and CIL not allowing
- // duplicate roles, some roles are always created, regardless of if they
- // are declared in modules or not
- cil_println(0, "(role auditadm_r)");
- cil_println(0, "(role secadm_r)");
-
- return 0;
-}
-
static int generate_gen_require_attribute(void)
{
cil_println(0, "(typeattribute " GEN_REQUIRE_ATTR ")");
@@ -4045,11 +4002,6 @@ int sepol_module_policydb_to_cil(FILE *fp, struct policydb *pdb, int linked)
goto exit;
}
- rc = generate_builtin_roles();
- if (rc != 0) {
- goto exit;
- }
-
// default attribute to be used to mimic gen_require in CIL
rc = generate_gen_require_attribute();
if (rc != 0) {
--
2.33.0
Reference in New Issue View Git Blame Copy Permalink