Types associated to role attributes in optional blocks are not
associated with the roles that have that attribute. The problem
is that role_fix_callback is called before the avrule_decls are
walked.
Example/
class CLASS1
sid kernel
class CLASS1 { PERM1 }
type TYPE1;
type TYPE1A;
allow TYPE1 self : CLASS1 PERM1;
attribute_role ROLE_ATTR1A;
role ROLE1;
role ROLE1A;
roleattribute ROLE1A ROLE_ATTR1A;
role ROLE1 types TYPE1;
optional {
require {
class CLASS1 PERM1;
}
role ROLE_ATTR1A types TYPE1A;
}
user USER1 roles ROLE1;
sid kernel USER1:ROLE1:TYPE1
In this example ROLE1A will not have TYPE1A associated to it.
Call role_fix_callback() after the avrule_decls are walked.
Signed-off-by: James Carter <jwcart2@xxxxxxxxx>
---
libsepol/src/expand.c | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/libsepol/src/expand.c b/libsepol/src/expand.c
index eac7e450..1ee3e48f 100644
--- a/libsepol/src/expand.c
+++ b/libsepol/src/expand.c
@@ -3017,10 +3017,6 @@ int expand_module(sepol_handle_t * handle,
if (hashtab_map(state.base->p_roles.table,
role_bounds_copy_callback, &state))
goto cleanup;
- /* escalate the type_set_t in a role attribute to all regular roles
- * that belongs to it. */
- if (hashtab_map(state.base->p_roles.table, role_fix_callback, &state))
- goto cleanup;
/* copy MLS's sensitivity level and categories - this needs to be done
* before expanding users (they need to be indexed too) */
@@ -3086,6 +3082,11 @@ int expand_module(sepol_handle_t * handle,
goto cleanup;
}
+ /* escalate the type_set_t in a role attribute to all regular roles
+ * that belongs to it. */
+ if (hashtab_map(state.base->p_roles.table, role_fix_callback, &state))
+ goto cleanup;
+
if (copy_and_expand_avrule_block(&state) < 0) {
ERR(handle, "Error during expand");
goto cleanup;
--
2.26.2
