diff options
Diffstat (limited to 'sys-apps/policycoreutils/files/0001-policycoreutils-pp-add-roletype-statements-for-both-.patch')
-rw-r--r-- | sys-apps/policycoreutils/files/0001-policycoreutils-pp-add-roletype-statements-for-both-.patch | 61 |
1 files changed, 61 insertions, 0 deletions
diff --git a/sys-apps/policycoreutils/files/0001-policycoreutils-pp-add-roletype-statements-for-both-.patch b/sys-apps/policycoreutils/files/0001-policycoreutils-pp-add-roletype-statements-for-both-.patch new file mode 100644 index 000000000000..6ed451649e3e --- /dev/null +++ b/sys-apps/policycoreutils/files/0001-policycoreutils-pp-add-roletype-statements-for-both-.patch @@ -0,0 +1,61 @@ +From 7a09af2123bc0d86787ef82fc2ff43810f1712c0 Mon Sep 17 00:00:00 2001 +From: Steve Lawrence <slawrence@tresys.com> +Date: Wed, 19 Nov 2014 11:21:42 -0500 +Subject: [PATCH 1/2] policycoreutils: pp: add roletype statements for both + declared and required type/typeattributes + +Currently, roletype statements are only added for types when they are +declared (not required). This means that in policy like: + + require { + type foo_t; + } + type bar_t; + role staff_r types foo_t, bar_t; + +only bar_t is associated with staff_r. This patch moves the code that +generates roletype statements for types to outside the SCOPE_DECL check +so that roletype statements are generated for all types, regardless of +the required/declared scope. It further moves the code outside of the +type/typeattribute flavor check so that roletype statements are also +generated for typeattributes. + +Reported-by: Sven Vermeulen <sven.vermeulen@siphos.be> +Signed-off-by: Steve Lawrence <slawrence@tresys.com> +Reviewed-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com> +Tested-by: Jason Zaman <jason@perfinion.com> +--- + policycoreutils/hll/pp/pp.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/policycoreutils/hll/pp/pp.c b/policycoreutils/hll/pp/pp.c +index b1ef27f..4b9f310 100644 +--- a/policycoreutils/hll/pp/pp.c ++++ b/policycoreutils/hll/pp/pp.c +@@ -2083,6 +2083,11 @@ static int type_to_cil(int indent, struct policydb *pdb, struct avrule_block *UN + cil_println(indent, "(typeattributeset " GEN_REQUIRE_ATTR " %s)", key); + } + ++ rc = roletype_role_in_ancestor_to_cil(pdb, decl_stack, key, indent); ++ if (rc != 0) { ++ goto exit; ++ } ++ + switch(type->flavor) { + case TYPE_TYPE: + if (scope == SCOPE_DECL) { +@@ -2090,11 +2095,6 @@ static int type_to_cil(int indent, struct policydb *pdb, struct avrule_block *UN + // object_r is implicit in checkmodule, but not with CIL, + // create it as part of base + cil_println(indent, "(roletype " DEFAULT_OBJECT " %s)", key); +- +- rc = roletype_role_in_ancestor_to_cil(pdb, decl_stack, key, indent); +- if (rc != 0) { +- goto exit; +- } + } + + if (type->flags & TYPE_FLAGS_PERMISSIVE) { +-- +2.0.4 + |