Types associated to role attributes in optional blocks are not associated with the roles that have that attribute. The problem is that role_fix_callback is called before the avrule_decls are walked. Example/ class CLASS1 sid kernel class CLASS1 { PERM1 } type TYPE1; type TYPE1A; allow TYPE1 self : CLASS1 PERM1; attribute_role ROLE_ATTR1A; role ROLE1; role ROLE1A; roleattribute ROLE1A ROLE_ATTR1A; role ROLE1 types TYPE1; optional { require { class CLASS1 PERM1; } role ROLE_ATTR1A types TYPE1A; } user USER1 roles ROLE1; sid kernel USER1:ROLE1:TYPE1 In this example ROLE1A will not have TYPE1A associated to it. Call role_fix_callback() after the avrule_decls are walked. Signed-off-by: James Carter <jwcart2@xxxxxxxxx> --- libsepol/src/expand.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/libsepol/src/expand.c b/libsepol/src/expand.c index eac7e450..1ee3e48f 100644 --- a/libsepol/src/expand.c +++ b/libsepol/src/expand.c @@ -3017,10 +3017,6 @@ int expand_module(sepol_handle_t * handle, if (hashtab_map(state.base->p_roles.table, role_bounds_copy_callback, &state)) goto cleanup; - /* escalate the type_set_t in a role attribute to all regular roles - * that belongs to it. */ - if (hashtab_map(state.base->p_roles.table, role_fix_callback, &state)) - goto cleanup; /* copy MLS's sensitivity level and categories - this needs to be done * before expanding users (they need to be indexed too) */ @@ -3086,6 +3082,11 @@ int expand_module(sepol_handle_t * handle, goto cleanup; } + /* escalate the type_set_t in a role attribute to all regular roles + * that belongs to it. */ + if (hashtab_map(state.base->p_roles.table, role_fix_callback, &state)) + goto cleanup; + if (copy_and_expand_avrule_block(&state) < 0) { ERR(handle, "Error during expand"); goto cleanup; -- 2.26.2
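Review bot: in the first hunk (the removal after role_bounds_copy_callback), dropping role_fix_callback() at this point means the MLS copy and the user expansion that follow it (the surviving comment says the MLS copy "needs to be done before expanding users") now run before role attribute type sets are escalated to the roles. The hunk itself does not show whether either of those steps reads the per-role type sets, so the commit message should say explicitly that nothing between the old call site and the new one depends on the escalated type_set_t, or the move could silently change what those intermediate steps see.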
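Review bot: in the second hunk (the re-added call ahead of copy_and_expand_avrule_block), the moved comment still only says "escalate the type_set_t in a role attribute to all regular roles that belongs to it" and does not record the ordering constraint that motivated the move, so a later cleanup could move the call back up and reintroduce the bug from the commit message. Suggest extending the comment, for example: "/* escalate the type_set_t in a role attribute to all regular roles that belong to it. This must run after the avrule_decls have been walked so that role attribute types declared in optional blocks are included. */", which also fixes "that belongs" to "that belong" while the lines are being touched. The CLASS1/ROLE_ATTR1A policy in the commit message is a ready-made regression test for this ordering and would be worth adding alongside the change.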