On Thu, Jan 5, 2023 at 12:27 PM Christian Göttsche <cgzones@xxxxxxxxxxxxxx> wrote: > > Do not write class definitions for classes without any permission and > any inherited common class. The classes are already declared in > write_class_decl_rules_to_conf(). Skipping those empty definitions, > which are equal to the corresponding class declarations, will enable to > parse the generated policy conf file with checkpolicy, as checkpolicy > does not accept class declarations after initial sid declarations. > > This will enable simple round-trip tests with checkpolicy. > > Signed-off-by: Christian Göttsche <cgzones@xxxxxxxxxxxxxx> Acked-by: James Carter <jwcart2@xxxxxxxxx> > --- > libsepol/src/kernel_to_conf.c | 21 +++++++++++++-------- > 1 file changed, 13 insertions(+), 8 deletions(-) > > diff --git a/libsepol/src/kernel_to_conf.c b/libsepol/src/kernel_to_conf.c > index 63dffd9b..73b72b5d 100644 > --- a/libsepol/src/kernel_to_conf.c > +++ b/libsepol/src/kernel_to_conf.c > @@ -591,16 +591,21 @@ static int write_class_and_common_rules_to_conf(FILE *out, struct policydb *pdb) > class = pdb->class_val_to_struct[i]; > if (!class) continue; > name = pdb->p_class_val_to_name[i]; > - sepol_printf(out, "class %s", name); > - if (class->comkey) { > - sepol_printf(out, " inherits %s", class->comkey); > - } > perms = class_or_common_perms_to_str(&class->permissions); > - if (perms) { > - sepol_printf(out, " { %s }", perms); > - free(perms); > + /* Do not write empty classes, their declaration was alreedy > + * printed in write_class_decl_rules_to_conf() */ > + if (perms || class->comkey) { > + sepol_printf(out, "class %s", name); > + if (class->comkey) { > + sepol_printf(out, " inherits %s", class->comkey); > + } > + > + if (perms) { > + sepol_printf(out, " { %s }", perms); > + free(perms); > + } > + sepol_printf(out, "\n"); > } > - sepol_printf(out, "\n"); > } > > exit: > -- > 2.39.0 >
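Review bot: the new comment in the hunk has a typo, "alreedy" should read "already" ("Do not write empty classes, their declaration was already printed in write_class_decl_rules_to_conf()"). One thing to confirm before merging: the new guard `if (perms || class->comkey)` treats a NULL return from class_or_common_perms_to_str() as "no permissions"; if that helper can also return NULL on allocation failure, a class with permissions would be silently dropped from the output instead of producing an error, so either that case should be checked separately or the helper's contract should guarantee NULL only for an empty set. The stray blank line after the `inherits` block is a minor style nit.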