[PATCH] libsepol: Properly handle types associated to role attributes

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Types associated to role attributes in optional blocks are not
associated with the roles that have that attribute. The problem
is that role_fix_callback is called before the avrule_decls are
walked.

Example/
  class CLASS1
  sid kernel
  class CLASS1 { PERM1 }
  type TYPE1;
  type TYPE1A;
  allow TYPE1 self : CLASS1 PERM1;
  attribute_role ROLE_ATTR1A;
  role ROLE1;
  role ROLE1A;
  roleattribute ROLE1A ROLE_ATTR1A;
  role ROLE1 types TYPE1;
  optional {
    require {
      class CLASS1 PERM1;
    }
    role ROLE_ATTR1A types TYPE1A;
  }
  user USER1 roles ROLE1;
  sid kernel USER1:ROLE1:TYPE1

In this example ROLE1A will not have TYPE1A associated to it.

Call role_fix_callback() after the avrule_decls are walked.

Signed-off-by: James Carter <jwcart2@xxxxxxxxx>
---
 libsepol/src/expand.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/libsepol/src/expand.c b/libsepol/src/expand.c
index eac7e450..1ee3e48f 100644
--- a/libsepol/src/expand.c
+++ b/libsepol/src/expand.c
@@ -3017,10 +3017,6 @@ int expand_module(sepol_handle_t * handle,
 	if (hashtab_map(state.base->p_roles.table,
 			role_bounds_copy_callback, &state))
 		goto cleanup;
-	/* escalate the type_set_t in a role attribute to all regular roles
-	 * that belongs to it. */
-	if (hashtab_map(state.base->p_roles.table, role_fix_callback, &state))
-		goto cleanup;
 
 	/* copy MLS's sensitivity level and categories - this needs to be done
 	 * before expanding users (they need to be indexed too) */
@@ -3086,6 +3082,11 @@ int expand_module(sepol_handle_t * handle,
 		goto cleanup;
 	}
 
+	/* escalate the type_set_t in a role attribute to all regular roles
+	 * that belongs to it. */
+	if (hashtab_map(state.base->p_roles.table, role_fix_callback, &state))
+		goto cleanup;
+
 	if (copy_and_expand_avrule_block(&state) < 0) {
 		ERR(handle, "Error during expand");
 		goto cleanup;
-- 
2.26.2




[Index of Archives]     [Selinux Refpolicy]     [Linux SGX]     [Fedora Users]     [Fedora Desktop]     [Yosemite Photos]     [Yosemite Camping]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux