When writing a policy.conf from a kernel policy, if there are
multiple users, roles, or types, then the list needs to be enclosed
by "{" and "}".
When writing a constraint expression, check to see if there are
multiple identifiers in the names string and enclose the list
with "{" and "}" if there are.
Signed-off-by: James Carter <jwcart2@xxxxxxxxx>
---
libsepol/src/kernel_to_conf.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/libsepol/src/kernel_to_conf.c b/libsepol/src/kernel_to_conf.c
index 263f9639..d385819e 100644
--- a/libsepol/src/kernel_to_conf.c
+++ b/libsepol/src/kernel_to_conf.c
@@ -188,7 +188,11 @@ static char *constraint_expr_to_str(struct policydb *pdb, struct constraint_expr
if (!names) {
names = strdup("NO_IDENTIFIER");
}
- new_val = create_str("%s %s %s", 3, attr1, op, names);
+ if (strchr(names, ' ')) {
+ new_val = create_str("%s %s { %s }", 3, attr1, op, names);
+ } else {
+ new_val = create_str("%s %s %s", 3, attr1, op, names);
+ }
free(names);
}
} else {
--
2.26.2
