On 08/02/2011 06:03 AM, Harry Ciao wrote: > expand_role_attributes() would merge the sub role attribute's roles > ebitmap into that of the parent, then clear it off from the parent's > roles ebitmap. This supports the assertion in role_fix_callback() that > any role attribute's roles ebitmap contains just regular roles. > > expand_role_attribute() works on base.p_roles table but not any > block/decl's p_roles table, so the above assertion in role_fix_callback > could fail when it is called for block/decl and some role attribute is > added into another. > > Since the effect of get_local_role() would have been complemented by > the populate_roleattributes() at the end of the link phase, there is > no needs(and wrong) to call role_fix_callback() for block/decl in the > expand phase. > > Signed-off-by: Harry Ciao <qingtao.cao@xxxxxxxxxxxxx> > --- > libsepol/src/expand.c | 3 --- > 1 files changed, 0 insertions(+), 3 deletions(-) > > diff --git a/libsepol/src/expand.c b/libsepol/src/expand.c > index b42acbe..96ed473 100644 > --- a/libsepol/src/expand.c > +++ b/libsepol/src/expand.c > @@ -2832,9 +2832,6 @@ int expand_module(sepol_handle_t * handle, > if (hashtab_map > (decl->p_roles.table, role_copy_callback, &state)) > goto cleanup; > - if (hashtab_map > - (decl->p_roles.table, role_fix_callback, &state)) > - goto cleanup; > > /* copy users */ > if (hashtab_map This looks good, and I'm fine with committing this. However, I did find what appears to be an unrelated problem. It looks like the role attributes are getting written to the policy db as if they were roles. I don't think this will break anything (I think), but considering that the kernel doesn't know anything about role_attributes, it seems odd to me that they are in the binary. Note: I found this by looking at a downgraded policy.24 in apol, so this could potentially be a downgrade issue. But from looking at the code, I believe role attributes are being written as if they're roles. - Steve -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with the words "unsubscribe selinux" without quotes as the message.
