Do not write class definitions for classes without any permission and any inherited common class. The classes are already declared in write_class_decl_rules_to_conf(). Skipping those empty definitions, which are equal to the corresponding class declarations, will enable to parse the generated policy conf file with checkpolicy, as checkpolicy does not accept class declarations after initial sid declarations. This will enable simple round-trip tests with checkpolicy. Signed-off-by: Christian Göttsche <cgzones@xxxxxxxxxxxxxx> --- libsepol/src/kernel_to_conf.c | 21 +++++++++++++-------- 1 file changed, 13 insertions(+), 8 deletions(-) diff --git a/libsepol/src/kernel_to_conf.c b/libsepol/src/kernel_to_conf.c index 63dffd9b..73b72b5d 100644 --- a/libsepol/src/kernel_to_conf.c +++ b/libsepol/src/kernel_to_conf.c @@ -591,16 +591,21 @@ static int write_class_and_common_rules_to_conf(FILE *out, struct policydb *pdb) class = pdb->class_val_to_struct[i]; if (!class) continue; name = pdb->p_class_val_to_name[i]; - sepol_printf(out, "class %s", name); - if (class->comkey) { - sepol_printf(out, " inherits %s", class->comkey); - } perms = class_or_common_perms_to_str(&class->permissions); - if (perms) { - sepol_printf(out, " { %s }", perms); - free(perms); + /* Do not write empty classes, their declaration was alreedy + * printed in write_class_decl_rules_to_conf() */ + if (perms || class->comkey) { + sepol_printf(out, "class %s", name); + if (class->comkey) { + sepol_printf(out, " inherits %s", class->comkey); + } + + if (perms) { + sepol_printf(out, " { %s }", perms); + free(perms); + } + sepol_printf(out, "\n"); } - sepol_printf(out, "\n"); } exit: -- 2.39.0