As per the issue below, libsepol segfaults on loading old kernel policies that contain duplicate filename transition rules. The segfault is due to the fact that the val_to_name arrays have not yet been populated at this point in the policydb_read() processing. Since this warning apparently never worked since it was first introduced, drop it and just silently discard the duplicate like the kernel does. I was not able to produce a policy with such duplicates using the current policy toolchain, either via CIL or via binary modules with manual semodule_link/expand. Fixes: https://github.com/SELinuxProject/selinux/issues/239 Fixes: 8fdb2255215a1f14 ("libsepol,checkpolicy: convert rangetrans and filenametrans to hashtabs") Signed-off-by: Stephen Smalley <stephen.smalley.work@xxxxxxxxx> --- libsepol/src/policydb.c | 9 +-------- 1 file changed, 1 insertion(+), 8 deletions(-) diff --git a/libsepol/src/policydb.c b/libsepol/src/policydb.c index 5b289a52..3992ea56 100644 --- a/libsepol/src/policydb.c +++ b/libsepol/src/policydb.c @@ -2655,15 +2655,8 @@ int filename_trans_read(policydb_t *p, struct policy_file *fp) * Some old policies were wrongly generated with * duplicate filename transition rules. For backward * compatibility, do not reject such policies, just - * issue a warning and ignore the duplicate. + * ignore the duplicate. */ - WARN(fp->handle, - "Duplicate name-based type_transition %s %s:%s \"%s\": %s, ignoring", - p->p_type_val_to_name[ft->stype - 1], - p->p_type_val_to_name[ft->ttype - 1], - p->p_class_val_to_name[ft->tclass - 1], - ft->name, - p->p_type_val_to_name[otype->otype - 1]); free(ft); free(name); free(otype); -- 2.23.3
