Commit 77779d2ca, which added support for userattributes in CIL, accidentally removed code that ignored object_r when adding userrole mappings to the policydb. This meant that running commands like `semanage user -l` would incorrectly show object_r. This patch adds that code back in.

Note that CIL requires that these mappings exist to properly validate file contexts, so pp2cil's behavior of creating these mappings is not modified.

Signed-off-by: Steve Lawrence <slawrence@xxxxxxxxxx>
---
 libsepol/cil/src/cil_binary.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/libsepol/cil/src/cil_binary.c b/libsepol/cil/src/cil_binary.c
index 5d03127..46fea4b 100644
--- a/libsepol/cil/src/cil_binary.c
+++ b/libsepol/cil/src/cil_binary.c
@@ -754,6 +754,12 @@ int cil_userrole_to_policydb(policydb_t *pdb, const struct cil_db *db, struct ci
 goto exit;
 }
 
+ if (sepol_role->s.value == 1) {
+ // role is object_r, ignore it since it is implicitly associated
+ // with all users
+ continue;
+ }
+
 if (ebitmap_set_bit(&sepol_user->roles.roles, sepol_role->s.value - 1, 1)) {
 cil_log(CIL_INFO, "Failed to set role bit for user\n");
 rc = SEPOL_ERR;
--
2.5.5

_______________________________________________
Selinux mailing list
Selinux@xxxxxxxxxxxxx
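Review bot: the literal `1` in `if (sepol_role->s.value == 1)` is the policydb's reserved role value for object_r, which libsepol already names as `OBJECT_R_VAL` in policydb.h; comparing against that constant (or against the role name `OBJECT_R`) would make the intent self-documenting and would not silently break if the reserved-value assumption were ever revisited. The inline comment explains the skip, but it uses `//` while the surrounding libsepol code uses `/* ... */` block comments; suggest `/* object_r is implicitly associated with all users, so skip it */` for consistency. The `continue` relies on this block sitting inside the role iteration loop, which the hunk context does not show; a one-line note in the commit message that the skip applies per role mapping (and that the userattribute expansion path reaches the same loop) would help reviewers confirm the fix restores the pre-77779d2ca behavior for both plain users and userattributes.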