On Wed, Mar 17, 2021 at 5:29 AM Nicolas Iooss <nicolas.iooss@xxxxxxx> wrote: > > On Tue, Mar 16, 2021 at 9:40 PM James Carter <jwcart2@xxxxxxxxx> wrote: > > > > If a role attribute with no roles associated with it is used in a > > constraint expression, then the role bitmap will be empty. This is > > not a problem for the kernel, but does cause problems when > > converting a kernel policy to policy.conf. > > > > When creating a policy.conf from a kernel policy, if an empty bitmap > > is encountered, use the string "NO_IDENTIFIER". An error will occur > > if an attempt is made to compile the resulting policy, but this is > > better than exiting with an error without creating a policy.conf. > > > > Signed-off-by: James Carter <jwcart2@xxxxxxxxx> > > For these 2 patches: > Acked-by: Nicolas Iooss <nicolas.iooss@xxxxxxx> > These 2 patches have been merged. Thanks, Jim > > --- > > libsepol/src/kernel_to_conf.c | 2 +- > > 1 file changed, 1 insertion(+), 1 deletion(-) > > > > diff --git a/libsepol/src/kernel_to_conf.c b/libsepol/src/kernel_to_conf.c > > index a22f196d..263f9639 100644 > > --- a/libsepol/src/kernel_to_conf.c > > +++ b/libsepol/src/kernel_to_conf.c > > @@ -186,7 +186,7 @@ static char *constraint_expr_to_str(struct policydb *pdb, struct constraint_expr > > names = ebitmap_to_str(&curr->names, pdb->p_role_val_to_name, 1); > > } > > if (!names) { > > - goto exit; > > + names = strdup("NO_IDENTIFIER"); > > } > > new_val = create_str("%s %s %s", 3, attr1, op, names); > > free(names); > > -- > > 2.26.2 > > >