Re: [PATCH 3/3] Thread/Child-Domain Assignment (rev.6)

Joshua Brindle wrote:
> KaiGai Kohei wrote:
>>>> Hmm....
>>>> It seems to me what you pointed out is a bug in my patch. It prevents delivering the
>>>> actual number of type/attribute symbols to the policy file, but it is unclear why
>>>> it makes libsepol ignore the policyvers.
>>>> (I guess it may be a separate matter.)
>>>>
>>>>> Rather than trying to calculate the length without attributes I just removed
>>>>> the attribute check. This causes attributes to be written for all versions,
>>>>> but this should not cause any problems at all.
>>>> The reason why I injected such ad-hoc code is that we cannot decide the policy
>>>> version written when type_attr_remove() is invoked.
>>>> Is it impossible to move it to policydb_write()?
>>>> It is invoked after the policyvers is fixed by the caller.
>>>>
>>> It isn't impossible. You are going to have to make it walk to type
>>> symbol table to calculate the length without attributes, then write
>>> that length instead of the total symtab length.
>> The attached patch enables fixing up the number of type/attribute entries
>> to be written. The type_attr_uncount() decrements the number of attribute
>> entries skipped at type_write().
>>
>> At first, I had a plan to invoke type_attr_remove() with
>> hashtab_map_remove_on_error(), but it means the given policydb structure
>> is modified at policydb_write() and implicit changes to the external interface.
>>
>
> This does not cause a hierarchy error, is this an expected limitation?
>
> typebounds goodbye_world_t hello_world_t;
>
> allow hello_world_t self: file ~{read };
>
> allow goodbye_world_t self: file *;

I'm going to go ahead and merge this with the expectation that the above
will get fixed.

