I've been attempting to convert a monolithic policy (really a modular base policy with no modules) to CIL, however it fails with:

    Failed to resolve roletype statement at XX of /var/lib/selinux/modular-test/tmp/modules/400/base/cil

when running:

    semodule -s modular-test -i base.pp

The cause of this appears to be the following in policycoreutils/hll/pp/pp.c, where the role statement is ignored for the base policy:

    case ROLE_ROLE:
        if (scope == SCOPE_DECL) {
            if (pdb->policy_type == SEPOL_POLICY_MOD) {
                // roles are defined twice, once in a module and once in base.
                // CIL doesn't allow duplicate declarations, so only take the
                // roles defined in the modules
                cil_println(indent, "(role %s)", key);

Question: Should these types of policies be supported? If so, should the CIL compiler cope with duplicate role statements, or should the conversion service be modified to remove duplicates?

Also there is a bug in that the CIL module is deleted from the tmp directory, so you cannot view the failed conversion. I built the CIL module using pp directly (cat base.pp | ./pp > base.cil), then added the (role ...) statement; this compiled okay using secilc.

Richard
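One way to confirm this failure mode on a CIL file produced by pp, as an added example that is not part of the original post or of the SELinux project's code: the script lists roles that appear in roletype statements without a matching (role ...) or (roleattribute ...) declaration. The function names and the sample policy are constructed, and the check is flat: it ignores CIL namespaces, and any role the compiler treats as built-in has to be passed through the hypothetical `implicit` parameter.

```python
import re

# Constructed sample (not real pp output): staff_r is used but never declared.
SAMPLE_CIL = """
(role system_r)
(type init_t)
(type staff_t)
(roletype system_r init_t)
(roletype staff_r staff_t)
(optional example_optional
    (roleattribute staff_roles)
    (roletype staff_roles staff_t))
"""

def parse_sexprs(text):
    """Parse CIL text into nested lists; ';' starts a comment outside quotes."""
    tokens = re.findall(r'"[^"]*"|;[^\n]*|[()]|[^\s();"]+', text)
    stack = [[]]
    for tok in tokens:
        if tok.startswith(";"):
            continue  # comment token, skip
        elif tok == "(":
            stack.append([])
        elif tok == ")":
            if len(stack) == 1:
                raise ValueError("unbalanced ')'")
            done = stack.pop()
            stack[-1].append(done)
        else:
            stack[-1].append(tok)
    if len(stack) != 1:
        raise ValueError("unbalanced '('")
    return stack[0]

def undeclared_roletype_roles(text, implicit=()):
    """Return sorted roles used in roletype with no role/roleattribute declaration."""
    declared, used = set(implicit), set()
    def walk(node):
        if not isinstance(node, list):
            return
        if len(node) >= 2 and all(isinstance(x, str) for x in node[:2]):
            if node[0] in ("role", "roleattribute"):
                declared.add(node[1])
            elif node[0] == "roletype":
                used.add(node[1])
        for child in node:
            walk(child)  # descend into optional/block bodies
    walk(parse_sexprs(text))
    return sorted(used - declared)
```

Running `undeclared_roletype_roles(open("base.cil").read())` on the file built with `cat base.pp | ./pp > base.cil` shows which role declarations would have to be added before secilc can resolve the roletype statements.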