I've got your point: for lower-version policies, non-process class objects won't be supported in the role_transition rule, so it makes sense to discard all such rules. Thanks a lot!

Best regards,
Harry

> Date: Wed, 23 Mar 2011 15:05:06 -0400
> From: method@xxxxxxxxxxxxxxx
> To: qingtao.cao@xxxxxxxxxxxxx
> CC: sds@xxxxxxxxxxxxx; jmorris@xxxxxxxxx; eparis@xxxxxxxxxxxxxx; selinux@xxxxxxxxxxxxx
> Subject: Re: [v0 PATCH 3/5] Handle the class in role_trans structure
>
> Harry Ciao wrote:
> > From: Harry Ciao<harrytaurus2002@xxxxxxxxxxx>
> <snip>
> > --- a/libsepol/src/write.c > > +++ b/libsepol/src/write.c > > @@ -462,11 +462,14 @@ static int cat_write(hashtab_key_t key, hashtab_datum_t datum, void *ptr) > > return POLICYDB_SUCCESS; > > } > > > > -static int role_trans_write(role_trans_t * r, struct policy_file *fp)! > > +static int role_trans_write(policydb_t *p, struct policy_file *fp) > > { > > + role_trans_t *r = p->role_tr; > > role_trans_t *tr; > > uint32_t buf[3]; > > size_t nel, items; > > + int new_roletr = (p->policy_type == POLICY_KERN&& > > + p->policyvers>= POLICYDB_VERSION_ROLETRANS); > > > > nel = 0; > > for (tr = r; tr; tr = tr->next)
> > @@ -478,9 +481,18 @@ static int role_trans_write(role_trans_t * r, struct policy_file *fp) > > for (tr = r; tr; tr = tr->next) { > > buf[0] = cpu_to_le32(tr->role); > > buf[1] = cpu_to_le32(tr->type); > > - buf[2] = cpu_to_le32(tr->new_role); > > - items = put_entry(buf, sizeof(uint32_t), 3, fp); > > - if (items != 3) > > + items = put_entry(buf, sizeof(uint32_t), 2, fp); > > + if (items ! != 2) > > + return POLICYDB_ERROR; > > + if (new_ roletr) { > > + buf[0] = cpu_to_le32(tr->cclass); > > + items = put_entry(buf, sizeof(uint32_t), 1, fp); > > + if (items != 1) > > + return POLICYDB_ERROR; > > + } > > + buf[0] = cpu_to_le32(tr->new_role); > > + items = put_entry(buf, sizeof(uint32_t), 1, fp); > > + if (items != 1) > > return POLICYDB_ERROR; > > } > >
>
> You need to do something like range_write if you end up having a class set from
> the parser but you are building a lower version of the policy. The range write
> warning is:
>
>     for (rt = p->range_tr; rt; rt = rt->next) {
>         if (!new_rangetr && rt->target_class != SECCLASS_PROCESS) {
>             if (!warning_issued)
>                 WARN(fp->handle, "Discarding range_transition "
>                      "rules for security classes other than "
>                      "\"process\"");
>             warning_issued = 1;
>             continue;
>         }
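Review bot: in the first hunk (the role_trans_write prologue) the parameter changes from role_trans_t * to policydb_t *, so the caller that used to pass p->role_tr has to be updated to pass the policydb, and that change is not visible here; more importantly, the nel counting loop that follows (nel = 0; for (tr = r; tr; tr = tr->next)) still counts every rule regardless of new_roletr. If non-process-class rules are going to be discarded for older policy versions, as method asks for in the reply, the count must be computed with the same filter as the emit loop, otherwise the nel written ahead of the entries will not match the number of entries actually written and a reader walking nel records will desynchronise.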
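Review bot: in the second hunk (the emit loop) tr->cclass is written only when new_roletr is set, but nothing checks the class when it is not, so a rule carrying a non-process class is silently written into an old-format policy as if it applied to the process class. Mirror range_write here: when !new_roletr && tr->cclass != SECCLASS_PROCESS, issue a one-time WARN(fp->handle, "Discarding role_transition rules for security classes other than \"process\"") and continue, and apply the same test when computing nel. As a style point, the three put_entry calls with three separate items checks could be collapsed into a single put_entry of 3 or 4 words chosen by new_roletr (buf would need to grow to uint32_t buf[4]), keeping the error handling in one place.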
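To make the discard-and-count point concrete, here is an added example in C; it is not libsepol code and not part of the patch under review. It models the role_trans serialisation with a version flag, filters non-process-class rules out of both the count and the entries when the old format is requested, and emits a one-time warning the way range_write does. The struct layout, the SECCLASS_PROCESS value, the in-memory byte sink standing in for struct policy_file and the three sample rules are all constructed for the example.

```c
/*
 * Added example, not libsepol code. Models role_trans_write with a
 * version-gated class field and the discard logic discussed in the thread.
 * Assumptions: SECCLASS_PROCESS value, byte sink instead of struct policy_file,
 * constructed sample rules.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SECCLASS_PROCESS 2u   /* assumed value, used only for the comparison */

typedef struct role_trans {
    uint32_t role, type, cclass, new_role;
    struct role_trans *next;
} role_trans_t;

/* In-memory byte sink standing in for struct policy_file (assumption). */
typedef struct {
    uint8_t buf[256];
    size_t len;
    int warned;
} sink_t;

static void put_le32(sink_t *s, uint32_t v)
{
    for (int i = 0; i < 4; i++)
        s->buf[s->len++] = (uint8_t)(v >> (8 * i));
}

static uint32_t get_le32(const sink_t *s, size_t off)
{
    return (uint32_t)s->buf[off] | (uint32_t)s->buf[off + 1] << 8 |
           (uint32_t)s->buf[off + 2] << 16 | (uint32_t)s->buf[off + 3] << 24;
}

/* Old-format policies can only express role transitions on the process class. */
static int rule_writable(const role_trans_t *tr, int new_roletr)
{
    return new_roletr || tr->cclass == SECCLASS_PROCESS;
}

/* Writes nel, then role, type[, cclass], new_role per rule. Returns rules
 * written, or -1 if the sink would overflow. */
static int role_trans_write(const role_trans_t *r, int new_roletr, sink_t *s)
{
    uint32_t nel = 0;
    const role_trans_t *tr;

    /* Count with the same filter the emit loop uses, so nel matches the entries. */
    for (tr = r; tr; tr = tr->next)
        if (rule_writable(tr, new_roletr))
            nel++;

    size_t need = 4 + (size_t)nel * (new_roletr ? 16 : 12);
    if (s->len + need > sizeof s->buf)
        return -1;

    put_le32(s, nel);
    for (tr = r; tr; tr = tr->next) {
        if (!rule_writable(tr, new_roletr)) {
            if (!s->warned)
                fprintf(stderr, "Discarding role_transition rules for security "
                                "classes other than \"process\"\n");
            s->warned = 1;
            continue;
        }
        put_le32(s, tr->role);
        put_le32(s, tr->type);
        if (new_roletr)
            put_le32(s, tr->cclass);   /* class field exists only in the new format */
        put_le32(s, tr->new_role);
    }
    return (int)nel;
}

/* Constructed sample list: two process-class rules around one non-process rule. */
static role_trans_t sample[3] = {
    { 1, 10, SECCLASS_PROCESS, 2, &sample[1] },
    { 1, 11, 6, 3, &sample[2] },          /* class 6: assumed non-process class */
    { 2, 12, SECCLASS_PROCESS, 1, NULL },
};

static sink_t g_sink;

/* Serialises the sample into g_sink; returns bytes written, 0 on error. */
static size_t write_sample(int new_roletr)
{
    memset(&g_sink, 0, sizeof g_sink);
    if (role_trans_write(&sample[0], new_roletr, &g_sink) < 0)
        return 0;
    return g_sink.len;
}

int main(void)
{
    size_t n = write_sample(0);
    printf("old format: %zu bytes, %u rules\n", n, (unsigned)get_le32(&g_sink, 0));
    n = write_sample(1);
    printf("new format: %zu bytes, %u rules\n", n, (unsigned)get_le32(&g_sink, 0));
    return 0;
}
```

With the sample above the old format yields 28 bytes holding 2 rules (the file-class rule is dropped with one warning), while the new format yields 52 bytes holding all 3 rules with their class word; because rule_writable is applied in both loops, the leading count always agrees with the records that follow.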