The kernel removed [1] some unused initial SIDs. Also libsepol got support for omitting unused ones [2]. Currently in traditional policy all initial SIDs have to be defined and also the order of declarations has to follow the order of the libsepol internal representation. Support omitting unused initial SIDs in the traditional policy and do not require a specific order of declarations. [1]: https://github.com/SELinuxProject/selinux-kernel/commit/e3e0b582c321aefd72db0e7083a0adfe285e96b5 [2]: https://github.com/SELinuxProject/selinux/commit/8677ce5e8f592950ae6f14cea1b68a20ddc1ac25 Signed-off-by: Christian Göttsche <cgzones@xxxxxxxxxxxxxx> --- checkpolicy/policy_define.c | 39 ++++++++++++++++++++++++------------- 1 file changed, 26 insertions(+), 13 deletions(-) diff --git a/checkpolicy/policy_define.c b/checkpolicy/policy_define.c index 8bf36859..8f55650d 100644 --- a/checkpolicy/policy_define.c +++ b/checkpolicy/policy_define.c @@ -54,6 +54,7 @@ #include <sepol/policydb/services.h> #include <sepol/policydb/conditional.h> #include <sepol/policydb/hierarchy.h> +#include <sepol/policydb/initialsids.h> #include <sepol/policydb/polcaps.h> #include "queue.h" #include "checkpolicy.h" @@ -287,6 +288,7 @@ int define_polcap(void) int define_initial_sid(void) { char *id = 0; + sepol_security_id_t sid; ocontext_t *newc = 0, *c, *head; if (pass == 2) { @@ -300,28 +302,30 @@ int define_initial_sid(void) yyerror("no sid name for SID definition?"); return -1; } - newc = (ocontext_t *) malloc(sizeof(ocontext_t)); - if (!newc) { - yyerror("out of memory"); + + sid = selinux_str_to_sid(id); + if (sid == 0) { + yyerror2("invalid initial SID %s", id); goto bad; } - memset(newc, 0, sizeof(ocontext_t)); - newc->u.name = id; - context_init(&newc->context[0]); - head = policydbp->ocontexts[OCON_ISID]; + head = policydbp->ocontexts[OCON_ISID]; for (c = head; c; c = c->next) { - if (!strcmp(newc->u.name, c->u.name)) { + if (sid == c->sid[0]) { yyerror2("duplicate initial SID %s", id); goto bad; } } - if (head) { - newc->sid[0] = head->sid[0] + 1; - } else { - newc->sid[0] = 1; + newc = (ocontext_t *) malloc(sizeof(ocontext_t)); + if (!newc) { + yyerror("out of memory"); + goto bad; } + memset(newc, 0, sizeof(ocontext_t)); + newc->u.name = id; + context_init(&newc->context[0]); + newc->sid[0] = sid; newc->next = head; policydbp->ocontexts[OCON_ISID] = newc; @@ -4567,6 +4571,7 @@ static int parse_security_context(context_struct_t * c) int define_initial_sid_context(void) { char *id; + sepol_security_id_t sid; ocontext_t *c, *head; if (pass == 1) { @@ -4581,9 +4586,17 @@ int define_initial_sid_context(void) yyerror("no sid name for SID context definition?"); return -1; } + + sid = selinux_str_to_sid(id); + if (sid == 0) { + yyerror2("invalid initial SID %s", id); + free(id); + return -1; + } + head = policydbp->ocontexts[OCON_ISID]; for (c = head; c; c = c->next) { - if (!strcmp(id, c->u.name)) + if (sid == c->sid[0]) break; } -- 2.36.1
