expand_role_attributes() would merge the sub role attribute's roles ebitmap into that of the parent, then clear it off from the parent's roles ebitmap. This supports the assertion in role_fix_callback() that any role attribute's roles ebitmap contains just regular roles. expand_role_attribute() works on base.p_roles table but not any block/decl's p_roles table, so the above assertion in role_fix_callback could fail when it is called for block/decl and some role attribute is added into another. Since the effect of get_local_role() would have been complemented by the populate_roleattributes() at the end of the link phase, there is no needs(and wrong) to call role_fix_callback() for block/decl in the expand phase. Signed-off-by: Harry Ciao <qingtao.cao@xxxxxxxxxxxxx> --- libsepol/src/expand.c | 3 --- 1 files changed, 0 insertions(+), 3 deletions(-) diff --git a/libsepol/src/expand.c b/libsepol/src/expand.c index b42acbe..96ed473 100644 --- a/libsepol/src/expand.c +++ b/libsepol/src/expand.c @@ -2832,9 +2832,6 @@ int expand_module(sepol_handle_t * handle, if (hashtab_map (decl->p_roles.table, role_copy_callback, &state)) goto cleanup; - if (hashtab_map - (decl->p_roles.table, role_fix_callback, &state)) - goto cleanup; /* copy users */ if (hashtab_map -- 1.7.0.4 -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with the words "unsubscribe selinux" without quotes as the message.
