Re: [PATCH] libsepol/cil: Fix bugs when writing policy.conf rules

[jwcart2 <jwcart2@xxxxxxxxxxxxx>]

On 06/14/2017 01:56 PM, Dominick Grift wrote:
> On Wed, Jun 14, 2017 at 01:39:07PM -0400, James Carter wrote:
> > The typebounds rules should end with a ";".
> >
> > The netifcon and nodecon rules should not end with a ";".
> >
> > The default rules are missing a "_". They should be "default_usr",
> > "default_role" and "default_type".
>
> I might be misunderstanding but according to https://selinuxproject.org/page/DefaultRules#default_user it should be "default_user"

You are correct. I should have caught this when I tested it, but I think that I 
converted the cil file and then compiled the cil file instead of the conf file.

Thanks,
Jim

> > Signed-off-by: James Carter <jwcart2@xxxxxxxxxxxxx>
> > ---
> >   libsepol/cil/src/cil_policy.c | 12 ++++++------
> >   1 file changed, 6 insertions(+), 6 deletions(-)
> >
> > diff --git a/libsepol/cil/src/cil_policy.c b/libsepol/cil/src/cil_policy.c
> > index 2196ae8..f7fe24e 100644
> > --- a/libsepol/cil/src/cil_policy.c
> > +++ b/libsepol/cil/src/cil_policy.c
> > @@ -1069,7 +1069,7 @@ static void cil_typebounds_to_policy(FILE *out, struct cil_list *types)
> >   		child = i1->data;
> >   		if (child->bounds != NULL) {
> >   			parent = child->bounds;
> > -			fprintf(out, "typebounds %s %s\n", parent->datum.fqn, child->datum.fqn);
> > +			fprintf(out, "typebounds %s %s;\n", parent->datum.fqn, child->datum.fqn);
> >   		}
> >   	}
> >   }
> > @@ -1779,7 +1779,7 @@ static void cil_netifcons_to_policy(FILE *out, struct cil_sort *netifcons, int m
> >   		cil_context_to_policy(out, netifcon->if_context, mls);
> >   		fprintf(out, " ");
> >   		cil_context_to_policy(out, netifcon->packet_context, mls);
> > -		fprintf(out, ";\n");
> > +		fprintf(out, "\n");
> >   	}
> >   }
> >   
> > @@ -1836,7 +1836,7 @@ static void cil_nodecons_to_policy(FILE *out, struct cil_sort *nodecons, int mls
> >   		}
> >   
> >   		cil_context_to_policy(out, nodecon->context, mls);
> > -		fprintf(out, ";\n");
> > +		fprintf(out, "\n");
> >   	}
> >   }
> >   
> > @@ -1928,9 +1928,9 @@ void cil_gen_policy(FILE *out, struct cil_db *db)
> >   	cil_commons_to_policy(out, lists[CIL_LIST_COMMON]);
> >   	cil_classes_to_policy(out, db->classorder);
> >   
> > -	cil_defaults_to_policy(out, lists[CIL_LIST_DEFAULT_USER], CIL_KEY_DEFAULTUSER);
> > -	cil_defaults_to_policy(out, lists[CIL_LIST_DEFAULT_ROLE], CIL_KEY_DEFAULTROLE);
> > -	cil_defaults_to_policy(out, lists[CIL_LIST_DEFAULT_TYPE], CIL_KEY_DEFAULTTYPE);
> > +	cil_defaults_to_policy(out, lists[CIL_LIST_DEFAULT_USER], "default_usr");
> > +	cil_defaults_to_policy(out, lists[CIL_LIST_DEFAULT_ROLE], "default_role");
> > +	cil_defaults_to_policy(out, lists[CIL_LIST_DEFAULT_TYPE], "default_type");
> >   
> >   	if (db->mls == CIL_TRUE) {
> >   		cil_default_ranges_to_policy(out, lists[CIL_LIST_DEFAULT_RANGE]);
> > --
> > 2.9.4


--
James Carter <jwcart2@xxxxxxxxxxxxx>
National Security Agency