[PATCH 6/6 v3] libsepol: When generating CIL use HLL line mark for neverallows

When converting pp files to CIL or generating CIL using checkpolicy
or checkmodule, use CIL's HLL line mark annotations to record the
original file and line numbers for neverallow rules so that CIL can
produce more informative error messages. (Unfortunately, the original
line number information is not saved in pp files, so there is no benefit
for policy modules.)

This is only done for neverallow rules currently.

Signed-off-by: James Carter <jwcart2@xxxxxxxxxxxxx>
---
 libsepol/src/module_to_cil.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/libsepol/src/module_to_cil.c b/libsepol/src/module_to_cil.c
index 38f0dc3..b9a4af7 100644
--- a/libsepol/src/module_to_cil.c
+++ b/libsepol/src/module_to_cil.c
@@ -1073,6 +1073,10 @@ static int avrule_list_to_cil(int indent, struct policydb *pdb, struct avrule *a
 	struct type_set *ts;
 
 	for (avrule = avrule_list; avrule != NULL; avrule = avrule->next) {
+		if (avrule->specified == AVRULE_NEVERALLOW && avrule->source_filename) {
+			cil_println(0, ";;* lmx %lu %s\n",avrule->source_line, avrule->source_filename);
+		}
+
 		ts = &avrule->stypes;
 		rc = process_typeset(indent, pdb, ts, attr_list, &snames, &num_snames);
 		if (rc != 0) {
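Review bot: The format string in the added cil_println call ends in "\n"; if cil_println already terminates the line, as its name suggests, every ";;* lmx" mark will be followed by an empty line, so the "\n" should be dropped. The call also passes 0 instead of the function's indent argument and is missing a space after the comma before avrule->source_line. The filename is written unquoted with %s, so please confirm how the line-mark parser reads back a path that contains whitespace. A one-line comment noting that the mark is skipped when source_filename is NULL (the pp case described in the commit message) would help later readers.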
@@ -1103,6 +1107,10 @@ static int avrule_list_to_cil(int indent, struct policydb *pdb, struct avrule *a
 
 		names_destroy(&snames, &num_snames);
 		names_destroy(&tnames, &num_tnames);
+
+		if (avrule->specified == AVRULE_NEVERALLOW && avrule->source_filename) {
+			cil_println(0, ";;* lme\n");
+		}
 	}
 
 	return 0;
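Review bot: The condition guarding ";;* lme" is a second copy of the one guarding the opening mark at the top of the loop; evaluating it once per iteration into a local flag and testing that flag in both places would keep the open and close marks from diverging if one copy is edited later. The close is also only reached at the bottom of the loop body, so an error exit taken after the opening mark (the `if (rc != 0)` check directly after it, for example) leaves the mark unclosed in whatever output was already written; if partial output on failure matters, emit the lme on that path as well. The "\n" in the string is redundant if cil_println already ends the line.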
-- 
2.5.5
