-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 This patch looks good to me. acked. Currently used in Rawhide and soon will be in Fedora 16 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk6wS0gACgkQrlYvE4MpobNUkwCeJof8VGo0boBlRoaHexg3bFVh ci8AnjxdXGaMOfmm8eTCyFfUslWOaJKS =oewS -----END PGP SIGNATURE-----
>From f09f957bbe3f1da326585aad44d1819041f84931 Mon Sep 17 00:00:00 2001
From: Eric Paris <eparis@xxxxxxxxxx>
Date: Mon, 31 Oct 2011 10:55:03 -0400
Subject: [PATCH 62/63] libsepol: expand: do filename_trans type comparison on mapped representation
The filename_trans code had a bug where duplicate detection was being done between the unmapped type value of a new rule and the type value of rules already in policy. This meant that duplicates were not being silently dropped and were instead outputting a message that there was a problem. It made things hard because the message WAS using the mapped type to convert to the string representation, so it didn't look like a dup!
Signed-off-by: Eric Paris <eparis@xxxxxxxxxx>
---
 libsepol/src/expand.c | 10 +++++++---
 1 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/libsepol/src/expand.c b/libsepol/src/expand.c
index 2861776..493e478 100644
--- a/libsepol/src/expand.c
+++ b/libsepol/src/expand.c
@@ -1329,6 +1329,8 @@ static int expand_filename_trans(expand_state_t *state, filename_trans_rule_t *r
 cur_rule = rules; while (cur_rule) {
+ uint32_t mapped_otype; + ebitmap_init(&stypes); ebitmap_init(&ttypes);
@@ -1344,6 +1346,8 @@ static int expand_filename_trans(expand_state_t *state, filename_trans_rule_t *r
 return -1; }
+ mapped_otype = state->typemap[cur_rule->otype - 1]; + ebitmap_for_each_bit(&stypes, snode, i) { if (!ebitmap_node_get_bit(snode, i)) continue;
@@ -1358,7 +1362,7 @@ static int expand_filename_trans(expand_state_t *state, filename_trans_rule_t *r
 (cur_trans->tclass == cur_rule->tclass) && (!strcmp(cur_trans->name, cur_rule->name))) { /* duplicate rule, who cares */
- if (cur_trans->otype == cur_rule->otype)
+ if (cur_trans->otype == mapped_otype) break; ERR(state->handle, "Conflicting filename trans rules %s %s %s : %s otype1:%s otype2:%s", 
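Review bot: In the second hunk, `mapped_otype = state->typemap[cur_rule->otype - 1];` is stored and then used without checking that the mapped value is non-zero; if typemap can hold 0 for a type that did not survive expansion (how typemap is populated is not visible in this patch), then the fourth hunk's `p_type_val_to_name[mapped_otype - 1]` index wraps to UINT32_MAX and the fifth hunk writes a zero otype into the new rule. The previous code did the same unchecked lookup inline in both places, so this is pre-existing rather than introduced here, but hoisting the lookup into one variable makes a single guard cheap, e.g. `if (!mapped_otype) { ERR(state->handle, "filename trans rule has an unmapped otype"); return -1; }` right after the assignment, taking whichever error path the surrounding code uses for ebitmap cleanup (not visible in the hunk). expand_filename_trans starts before the first hunk and ends after the last one.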
@@ -1367,7 +1371,7 @@ static int expand_filename_trans(expand_state_t *state, filename_trans_rule_t *r
 state->out->p_type_val_to_name[j], state->out->p_class_val_to_name[cur_trans->tclass - 1], state->out->p_type_val_to_name[cur_trans->otype - 1],
- state->out->p_type_val_to_name[state->typemap[cur_rule->otype - 1] - 1]);
+ state->out->p_type_val_to_name[mapped_otype - 1]); return -1; }
@@ -1397,7 +1401,7 @@ static int expand_filename_trans(expand_state_t *state, filename_trans_rule_t *r
 new_trans->stype = i + 1; new_trans->ttype = j + 1; new_trans->tclass = cur_rule->tclass;
- new_trans->otype = state->typemap[cur_rule->otype - 1];
+ new_trans->otype = mapped_otype; } }
-- 
1.7.7