In the following example, "relabeltoo" is not a valid permission in the loaded policy nor in the new module. Before, CIL would not complain about the invalid permission and proceed to install the module: $ cat test.cil (mlsconstrain (db_procedure (create relabeltoo)) (eq l2 h2)) With this patch, an error is now prompted to a user: $ sudo semodule -i foo.cil Failed to resolve permission relabeltoo Failed to resolve mlsconstrain statement at /etc/selinux/mls/tmp/modules/400/test/cil:1 semodule: Failed! Signed-off-by: Yuli Khodorkovskiy <yuli@xxxxxxxxxxxxxxx> --- libsepol/cil/src/cil_resolve_ast.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libsepol/cil/src/cil_resolve_ast.c b/libsepol/cil/src/cil_resolve_ast.c index ea08087d..22d37f05 100644 --- a/libsepol/cil/src/cil_resolve_ast.c +++ b/libsepol/cil/src/cil_resolve_ast.c @@ -135,8 +135,11 @@ static int __cil_resolve_perms(symtab_t *class_symtab, symtab_t *common_symtab, if (class_flavor == CIL_MAP_CLASS) { cil_log(CIL_ERR, "Failed to resolve permission %s for map class\n", (char*)curr->data); goto exit; + } else if (class_flavor == CIL_CLASS) { + cil_log(CIL_ERR, "Failed to resolve permission %s\n", (char*)curr->data); + goto exit; } - cil_log(CIL_WARN, "Failed to resolve permission %s\n", (char*)curr->data); + /* Use an empty list to represent unknown perm */ cil_list_init(&empty_list, perm_strs->flavor); cil_list_append(*perm_datums, CIL_LIST, empty_list); -- 2.19.0
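Review bot: the fallback that follows the new `} else if (class_flavor == CIL_CLASS) {` branch loses its only diagnostic, because the removed `cil_log(CIL_WARN, "Failed to resolve permission %s\n", (char*)curr->data);` was the one message on that path, so any class_flavor other than CIL_CLASS or CIL_MAP_CLASS that still reaches `cil_list_init(&empty_list, perm_strs->flavor);` and `cil_list_append(*perm_datums, CIL_LIST, empty_list);` will now take the unknown-perm placeholder silently. Either keep the CIL_WARN on that remaining path, or, if no other flavor can reach it once CIL_CLASS errors out, remove the empty-list fallback as dead code; in both cases the commit message should say which flavors (if any) still fall through and why that is intended, since the commit message only discusses mlsconstrain while this resolver is shared. A test that feeds the commit message's one-line test.cil (the `(mlsconstrain (db_procedure (create relabeltoo)) (eq l2 h2))` case) through the build and asserts on the "Failed to resolve permission relabeltoo" error would guard against the warning-only behaviour coming back.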