Policy modules do not have the concept of named IP addresses like CIL does. So when converting nodecon statements from pp policy modules to CIL, we need to wrap the IP address and mask parameters in parentheses so that the CIL compiler does not try to resolve them as named addresses, but instead treats them as anonymous.

Signed-off-by: Steve Lawrence <slawrence@xxxxxxxxxx>

--- libsepol/src/module_to_cil.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libsepol/src/module_to_cil.c b/libsepol/src/module_to_cil.c index 51a4784..2acb600 100644 --- a/libsepol/src/module_to_cil.c +++ b/libsepol/src/module_to_cil.c @@ -2721,7 +2721,7 @@ static int ocontext_selinux_node_to_cil(struct policydb *pdb, struct ocontext *n goto exit; } - cil_printf("(nodecon %s %s ", addr, mask); + cil_printf("(nodecon (%s) (%s) ", addr, mask); context_to_cil(pdb, &node->context[0]); @@ -2753,7 +2753,7 @@ static int ocontext_selinux_node6_to_cil(struct policydb *pdb, struct ocontext * goto exit; } - cil_printf("(nodecon %s %s ", addr, mask); + cil_printf("(nodecon (%s) (%s) ", addr, mask); context_to_cil(pdb, &node->context[0]); -- 2.7.4
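
Review bot: the parentheses added to the cil_printf format in both ocontext_selinux_node_to_cil and ocontext_selinux_node6_to_cil have no in-code explanation; the reason (CIL would otherwise try to resolve the address and mask as named addresses) is stated only in the commit message. A short comment above each call, for example /* parenthesize so CIL treats addr and mask as anonymous */, would keep a later cleanup from dropping them. The two calls now carry the identical format string "(nodecon (%s) (%s) " in two functions, so a small shared helper for that prefix would keep the IPv4 and IPv6 paths from drifting apart.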