On Tue, Nov 6, 2018 at 8:19 PM jwcart2 <jwcart2@xxxxxxxxxxxxx> wrote:
>
> On 11/6/18 11:22 AM, Stephen Smalley wrote:
> > On 11/5/18 4:00 PM, Nicolas Iooss wrote:
> >> When using checkpolicy to read a binary policy, permissive types are not
> >> written in the output file. In order to reproduce this issue, a test
> >> policy can be written from minimal.cil with the following commands:
> >>
> >>     $ cd secilc/test/
> >>     $ cp minimum.cil my_policy.cil
> >>     $ echo '(typepermissive TYPE)' >> my_policy.cil
> >>     $ secilc my_policy.cil
> >>     $ checkpolicy -bC -o /dev/stdout policy.31
> >>
> >>     # There is no "(typepermissive TYPE)" in checkpolicy output.
> >>
> >> This is because TYPE_FLAGS_PERMISSIVE is added to typdatum->flags only
> >> when loading a module, which uses the permissive flag in the type
> >> properties. A kernel policy defines permissive types in a dedicated
> >> bitmap, which gets loaded as p->permissive_map before the types are
> >> loaded. Use this bitmap to mark permissive types in the loaded policy.
> >>
> >> Signed-off-by: Nicolas Iooss <nicolas.iooss@xxxxxxx>
> >
> > Or we could directly use the permissive_map in kernel_to_cil/kernel_to_conf?
>
> I think that this is the more natural way to do it.
> Jim

I agree. Please drop my patch and keep yours.

Acked-by: Nicolas Iooss <nicolas.iooss@xxxxxxx>

Thanks,
Nicolas
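
The round-trip check from the quoted reproduction steps, as an added example that is not part of the original thread: it compares the `typepermissive` statements in a source CIL file with those in the CIL that `checkpolicy -bC` writes back, and reports any type that was dropped. The function names, file names and sample CIL are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Function names and sample files are
# hypothetical; the sample CIL below is constructed for illustration.

# Print the sorted, unique type names found in (typepermissive NAME)
# statements of the CIL file $1. Text after ';' is treated as a comment
# (simplification: a ';' inside a quoted string is not handled).
permissive_types() {
    sed 's/;.*$//' "$1" |
        grep -oE '\(typepermissive[[:space:]]+[^[:space:]()]+[[:space:]]*\)' |
        sed -E 's/^\(typepermissive[[:space:]]+//; s/[[:space:]]*\)$//' |
        LC_ALL=C sort -u
}

# Print every type that is permissive in the source CIL $1 but not in the
# decompiled CIL $2 (for instance the output of "checkpolicy -bC").
missing_permissive() {
    decompiled=$(permissive_types "$2")
    permissive_types "$1" | while IFS= read -r t; do
        printf '%s\n' "$decompiled" | grep -qxF -- "$t" || printf '%s\n' "$t"
    done
}

# Demo on constructed input: the "decompiled" file has lost TYPE.
demo_dir=$(mktemp -d)
cat > "$demo_dir/my_policy.cil" <<'EOF'
(type TYPE)
(typepermissive TYPE)
; (typepermissive commented_t)
(type other_t)
(typepermissive   other_t )
EOF
cat > "$demo_dir/decompiled.cil" <<'EOF'
(type TYPE)
(type other_t)
(typepermissive other_t)
EOF
lost=$(missing_permissive "$demo_dir/my_policy.cil" "$demo_dir/decompiled.cil")
if [ -n "$lost" ]; then
    echo "permissive types dropped in round trip: $lost"
fi
rm -rf "$demo_dir"
```

An empty result from `missing_permissive` means every permissive type in the source survived the binary-to-CIL conversion.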