On Wed, Mar 17, 2021 at 5:29 AM Nicolas Iooss <nicolas.iooss@xxxxxxx> wrote:
>
> On Tue, Mar 16, 2021 at 9:40 PM James Carter <jwcart2@xxxxxxxxx> wrote:
> >
> > If a role attribute with no roles associated with it is used in a
> > constraint expression, then the role bitmap will be empty. This is
> > not a problem for the kernel, but does cause problems when
> > converting a kernel policy to policy.conf.
> >
> > When creating a policy.conf from a kernel policy, if an empty bitmap
> > is encountered, use the string "NO_IDENTIFIER". An error will occur
> > if an attempt is made to compile the resulting policy, but this is
> > better than exiting with an error without creating a policy.conf.
> >
> > Signed-off-by: James Carter <jwcart2@xxxxxxxxx>
>
> For these 2 patches:
> Acked-by: Nicolas Iooss <nicolas.iooss@xxxxxxx>
>
These 2 patches have been merged.
Thanks,
Jim
> > ---
> > libsepol/src/kernel_to_conf.c | 2 +-
> > 1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/libsepol/src/kernel_to_conf.c b/libsepol/src/kernel_to_conf.c
> > index a22f196d..263f9639 100644
> > --- a/libsepol/src/kernel_to_conf.c
> > +++ b/libsepol/src/kernel_to_conf.c
> > @@ -186,7 +186,7 @@ static char *constraint_expr_to_str(struct policydb *pdb, struct constraint_expr
> > names = ebitmap_to_str(&curr->names, pdb->p_role_val_to_name, 1);
> > }
> > if (!names) {
> > - goto exit;
> > + names = strdup("NO_IDENTIFIER");
> > }
> > new_val = create_str("%s %s %s", 3, attr1, op, names);
> > free(names);
> > --
> > 2.26.2
> >
>
