[PATCH 7/8] Revert "checkpolicy,libsepol: move filename transitions to avtab"

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



This reverts commit e169fe26530ef2c6b3dd126788cc81676359a3b3.

Signed-off-by: James Carter <jwcart2@xxxxxxxxx>
---
 checkpolicy/checkmodule.c                  |   9 -
 checkpolicy/checkpolicy.c                  |   9 -
 checkpolicy/policy_define.c                |  21 +-
 checkpolicy/test/dispol.c                  |  83 ++--
 libsepol/cil/src/cil_binary.c              |  27 +-
 libsepol/include/sepol/policydb/avtab.h    |   9 -
 libsepol/include/sepol/policydb/hashtab.h  |   8 -
 libsepol/include/sepol/policydb/policydb.h |  22 +
 libsepol/src/avtab.c                       | 199 ---------
 libsepol/src/conditional.c                 |   6 +-
 libsepol/src/expand.c                      |  27 +-
 libsepol/src/kernel_to_cil.c               | 159 +++++--
 libsepol/src/kernel_to_common.h            |   9 -
 libsepol/src/kernel_to_conf.c              | 155 +++++--
 libsepol/src/optimize.c                    |   8 +-
 libsepol/src/policydb.c                    | 343 ++++++++++++++-
 libsepol/src/policydb_validate.c           |  69 +--
 libsepol/src/write.c                       | 463 ++++++---------------
 18 files changed, 822 insertions(+), 804 deletions(-)

diff --git a/checkpolicy/checkmodule.c b/checkpolicy/checkmodule.c
index d81d8c97..14e6c891 100644
--- a/checkpolicy/checkmodule.c
+++ b/checkpolicy/checkmodule.c
@@ -280,15 +280,6 @@ int main(int argc, char **argv)
 		modpolicydb.mls = mlspol;
 		modpolicydb.handle_unknown = handle_unknown;
 
-		/*
-		 * Init and alloc te_avtab for filename transition duplicate
-		 * checking
-		 */
-		if (avtab_init(&modpolicydb.te_avtab))
-			exit(1);
-		if (avtab_alloc(&modpolicydb.te_avtab, 1 << 11))
-			exit(1);
-
 		if (read_source_policy(&modpolicydb, file, argv[0]) == -1) {
 			exit(1);
 		}
diff --git a/checkpolicy/checkpolicy.c b/checkpolicy/checkpolicy.c
index 83000bcb..623ba8b2 100644
--- a/checkpolicy/checkpolicy.c
+++ b/checkpolicy/checkpolicy.c
@@ -615,15 +615,6 @@ int main(int argc, char **argv)
 		parse_policy.mls = mlspol;
 		parse_policy.handle_unknown = handle_unknown;
 
-		/*
-		 * Init and alloc te_avtab for filename transition duplicate
-		 * checking
-		 */
-		if (avtab_init(&parse_policy.te_avtab))
-			exit(1);
-		if (avtab_alloc(&parse_policy.te_avtab, 1 << 11))
-			exit(1);
-
 		policydbp = &parse_policy;
 
 		if (read_source_policy(policydbp, file, "checkpolicy") < 0)
diff --git a/checkpolicy/policy_define.c b/checkpolicy/policy_define.c
index dc2ee8f3..cef8f3c4 100644
--- a/checkpolicy/policy_define.c
+++ b/checkpolicy/policy_define.c
@@ -3352,7 +3352,6 @@ int define_filename_trans(void)
 	ebitmap_node_t *snode, *tnode, *cnode;
 	filename_trans_rule_t *ftr;
 	type_datum_t *typdatum;
-	avtab_key_t avt_key;
 	uint32_t otype;
 	unsigned int c, s, t;
 	int add, self, rc;
@@ -3444,13 +3443,9 @@ int define_filename_trans(void)
 	ebitmap_for_each_positive_bit(&e_tclasses, cnode, c) {
 		ebitmap_for_each_positive_bit(&e_stypes, snode, s) {
 			ebitmap_for_each_positive_bit(&e_ttypes, tnode, t) {
-				avt_key.specified = AVTAB_TRANSITION;
-				avt_key.source_type = s + 1;
-				avt_key.target_type = t + 1;
-				avt_key.target_class = c + 1;
-				rc = avtab_insert_filename_trans(
-					&policydbp->te_avtab, &avt_key, otype,
-					name, NULL
+				rc = policydb_filetrans_insert(
+					policydbp, s+1, t+1, c+1, name,
+					NULL, otype, NULL
 				);
 				if (rc != SEPOL_OK) {
 					if (rc == SEPOL_EEXIST) {
@@ -3466,13 +3461,9 @@ int define_filename_trans(void)
 				}
 			}
 			if (self) {
-				avt_key.specified = AVTAB_TRANSITION;
-				avt_key.source_type = s + 1;
-				avt_key.target_type = t + 1;
-				avt_key.target_class = c + 1;
-				rc = avtab_insert_filename_trans(
-					&policydbp->te_avtab, &avt_key, otype,
-					name, NULL
+				rc = policydb_filetrans_insert(
+					policydbp, s+1, s+1, c+1, name,
+					NULL, otype, NULL
 				);
 				if (rc != SEPOL_OK) {
 					if (rc == SEPOL_EEXIST) {
diff --git a/checkpolicy/test/dispol.c b/checkpolicy/test/dispol.c
index 861fa903..e45528b9 100644
--- a/checkpolicy/test/dispol.c
+++ b/checkpolicy/test/dispol.c
@@ -63,6 +63,7 @@ static struct command {
 	{CMD,       'a',  "display type attributes"},
 	{CMD,       'p',  "display the list of permissive types"},
 	{CMD,       'u',  "display unknown handling setting"},
+	{CMD,       'F',  "display filename_trans rules"},
 	{HEADER, 0, ""},
 	{CMD|NOOPT, 'f',  "set output file"},
 	{CMD|NOOPT, 'm',  "display menu"},
@@ -125,26 +126,6 @@ static int render_key(avtab_key_t * key, policydb_t * p, FILE * fp)
 	return 0;
 }
 
-typedef struct {
-	avtab_key_t *key;
-	policydb_t *p;
-	FILE *fp;
-} render_name_trans_args_t;
-
-static int render_name_trans_helper(hashtab_key_t k, hashtab_datum_t d, void *a)
-{
-	char *name = k;
-	uint32_t *otype = d;
-	render_name_trans_args_t *args = a;
-
-	fprintf(args->fp, "type_transition ");
-	render_key(args->key, args->p, args->fp);
-	render_type(*otype, args->p, args->fp);
-	fprintf(args->fp, " \"%s\";\n", name);
-
-	return 0;
-}
-
 /* 'what' values for this function */
 #define	RENDER_UNCONDITIONAL	0x0001	/* render all regardless of enabled state */
 #define RENDER_ENABLED		0x0002
@@ -197,19 +178,10 @@ static int render_av_rule(avtab_key_t * key, avtab_datum_t * datum, uint32_t wha
 		}
 	} else if (key->specified & AVTAB_TYPE) {
 		if (key->specified & AVTAB_TRANSITION) {
-			if (datum->trans->otype) {
-				fprintf(fp, "type_transition ");
-				render_key(key, p, fp);
-				render_type(datum->trans->otype, p, fp);
-				fprintf(fp, ";\n");
-			}
-			render_name_trans_args_t args = {
-				.key = key,
-				.p = p,
-				.fp = fp,
-			};
-			hashtab_map(datum->trans->name_trans.table,
-				    render_name_trans_helper, &args);
+			fprintf(fp, "type_transition ");
+			render_key(key, p, fp);
+			render_type(datum->trans->otype, p, fp);
+			fprintf(fp, ";\n");
 		}
 		if (key->specified & AVTAB_MEMBER) {
 			fprintf(fp, "type_member ");
@@ -476,6 +448,48 @@ static void display_role_trans(policydb_t *p, FILE *fp)
 	}
 }
 
+struct filenametr_display_args {
+	policydb_t *p;
+	FILE *fp;
+};
+
+static int filenametr_display(hashtab_key_t key,
+			      hashtab_datum_t datum,
+			      void *ptr)
+{
+	struct filename_trans_key *ft = (struct filename_trans_key *)key;
+	struct filename_trans_datum *ftdatum = datum;
+	struct filenametr_display_args *args = ptr;
+	policydb_t *p = args->p;
+	FILE *fp = args->fp;
+	ebitmap_node_t *node;
+	uint32_t bit;
+
+	do {
+		ebitmap_for_each_positive_bit(&ftdatum->stypes, node, bit) {
+			display_id(p, fp, SYM_TYPES, bit, "");
+			display_id(p, fp, SYM_TYPES, ft->ttype - 1, "");
+			display_id(p, fp, SYM_CLASSES, ft->tclass - 1, ":");
+			display_id(p, fp, SYM_TYPES, ftdatum->otype - 1, "");
+			fprintf(fp, " %s\n", ft->name);
+		}
+		ftdatum = ftdatum->next;
+	} while (ftdatum);
+
+	return 0;
+}
+
+
+static void display_filename_trans(policydb_t *p, FILE *fp)
+{
+	struct filenametr_display_args args;
+
+	fprintf(fp, "filename_trans rules:\n");
+	args.p = p;
+	args.fp = fp;
+	hashtab_map(p->filename_trans, filenametr_display, &args);
+}
+
 static int menu(void)
 {
 	unsigned int i;
@@ -678,6 +692,9 @@ int main(int argc, char **argv)
 			if (out_fp != stdout)
 				printf("\nOutput to file: %s\n", OutfileName);
 			break;
+		case 'F':
+			display_filename_trans(&policydb, out_fp);
+			break;
 		case 'q':
 			policydb_destroy(&policydb);
 			exit(0);
diff --git a/libsepol/cil/src/cil_binary.c b/libsepol/cil/src/cil_binary.c
index 7150d405..3f264594 100644
--- a/libsepol/cil/src/cil_binary.c
+++ b/libsepol/cil/src/cil_binary.c
@@ -1005,12 +1005,7 @@ static int __cil_insert_type_rule(policydb_t *pdb, uint32_t kind, uint32_t src,
 	}
 	
 	existing = avtab_search_node(&pdb->te_avtab, &avtab_key);
-	/*
-	 * There might be empty transition node containing filename transitions
-	 * only. That is okay, we can merge them later.
-	 */
-	if (existing && !(existing->key.specified & AVTAB_TRANSITION &&
-	    !existing->datum.trans->otype)) {
+	if (existing) {
 		/* Don't add duplicate type rule and warn if they conflict.
 		 * A warning should have been previously given if there is a
 		 * non-duplicate rule using the same key.
@@ -1034,13 +1029,7 @@ static int __cil_insert_type_rule(policydb_t *pdb, uint32_t kind, uint32_t src,
 	}
 
 	if (!cond_node) {
-		/* If we have node from empty filename transition, use it */
-		if (existing && existing->key.specified & AVTAB_TRANSITION &&
-		    !existing->datum.trans->otype)
-			existing->datum.trans->otype = avtab_datum.trans->otype;
-		else
-			rc = avtab_insert(&pdb->te_avtab, &avtab_key,
-					  &avtab_datum);
+		rc = avtab_insert(&pdb->te_avtab, &avtab_key, &avtab_datum);
 	} else {
 		existing = avtab_search_node(&pdb->te_cond_avtab, &avtab_key);
 		if (existing) {
@@ -1200,18 +1189,16 @@ static int __cil_typetransition_to_avtab_helper(policydb_t *pdb,
 	class_datum_t *sepol_obj = NULL;
 	uint32_t otype;
 	struct cil_list_item *c;
-	avtab_key_t avt_key;
 
 	cil_list_for_each(c, class_list) {
 		rc = __cil_get_sepol_class_datum(pdb, DATUM(c->data), &sepol_obj);
 		if (rc != SEPOL_OK) return rc;
 
-		avt_key.specified = AVTAB_TRANSITION;
-		avt_key.source_type = sepol_src->s.value;
-		avt_key.target_type = sepol_tgt->s.value;
-		avt_key.target_class = sepol_obj->s.value;
-		rc = avtab_insert_filename_trans(&pdb->te_avtab, &avt_key,
-			sepol_result->s.value, name, &otype);
+		rc = policydb_filetrans_insert(
+			pdb, sepol_src->s.value, sepol_tgt->s.value,
+			sepol_obj->s.value, name, NULL,
+			sepol_result->s.value, &otype
+		);
 		if (rc != SEPOL_OK) {
 			if (rc == SEPOL_EEXIST) {
 				if (sepol_result->s.value!= otype) {
diff --git a/libsepol/include/sepol/policydb/avtab.h b/libsepol/include/sepol/policydb/avtab.h
index 5dc720cc..ca009c16 100644
--- a/libsepol/include/sepol/policydb/avtab.h
+++ b/libsepol/include/sepol/policydb/avtab.h
@@ -42,7 +42,6 @@
 
 #include <sys/types.h>
 #include <stdint.h>
-#include <sepol/policydb/symtab.h>
 
 #ifdef __cplusplus
 extern "C" {
@@ -73,7 +72,6 @@ typedef struct avtab_key {
 
 typedef struct avtab_trans {
 	uint32_t otype;		/* resulting type of the new object */
-	symtab_t name_trans;	/* filename transitions */
 } avtab_trans_t;
 
 typedef struct avtab_extended_perms {
@@ -117,8 +115,6 @@ extern int avtab_insert(avtab_t * h, avtab_key_t * k, avtab_datum_t * d);
 
 extern avtab_datum_t *avtab_search(avtab_t * h, avtab_key_t * k);
 
-extern void avtab_trans_destroy(avtab_trans_t *trans);
-
 extern void avtab_destroy(avtab_t * h);
 
 extern int avtab_map(const avtab_t * h,
@@ -152,11 +148,6 @@ extern avtab_ptr_t avtab_search_node_next(avtab_ptr_t node, int specified);
 /* avtab_alloc uses one bucket per 2-4 elements, so adjust to get maximum buckets */
 #define MAX_AVTAB_SIZE (MAX_AVTAB_HASH_BUCKETS << 1)
 
-extern int avtab_insert_filename_trans(avtab_t *a, avtab_key_t *key,
-				       uint32_t otype, const char *name,
-				       uint32_t *present_otype);
-extern int avtab_filename_trans_read(void *fp, uint32_t vers, avtab_t *a);
-
 #ifdef __cplusplus
 }
 #endif
diff --git a/libsepol/include/sepol/policydb/hashtab.h b/libsepol/include/sepol/policydb/hashtab.h
index 354ebb43..dca8c983 100644
--- a/libsepol/include/sepol/policydb/hashtab.h
+++ b/libsepol/include/sepol/policydb/hashtab.h
@@ -110,14 +110,6 @@ extern int hashtab_map(hashtab_t h,
 
 extern void hashtab_hash_eval(hashtab_t h, char *tag);
 
-/* Returns number of elements in the hashtab h or 0 is h is NULL */
-static inline uint32_t hashtab_nel(hashtab_t h)
-{
-	if (!h)
-		return 0;
-	return h->nel;
-}
-
 #ifdef __cplusplus
 }
 #endif
diff --git a/libsepol/include/sepol/policydb/policydb.h b/libsepol/include/sepol/policydb/policydb.h
index 8bb11d18..b014b7a8 100644
--- a/libsepol/include/sepol/policydb/policydb.h
+++ b/libsepol/include/sepol/policydb/policydb.h
@@ -161,6 +161,19 @@ typedef struct role_allow {
 	struct role_allow *next;
 } role_allow_t;
 
+/* filename_trans rules */
+typedef struct filename_trans_key {
+	uint32_t ttype;
+	uint32_t tclass;
+	char *name;
+} filename_trans_key_t;
+
+typedef struct filename_trans_datum {
+	ebitmap_t stypes;
+	uint32_t otype;
+	struct filename_trans_datum *next;
+} filename_trans_datum_t;
+
 /* Type attributes */
 typedef struct type_datum {
 	symtab_datum_t s;
@@ -579,6 +592,10 @@ typedef struct policydb {
 	/* range transitions table (range_trans_key -> mls_range) */
 	hashtab_t range_tr;
 
+	/* file transitions with the last path component */
+	hashtab_t filename_trans;
+	uint32_t filename_trans_count;
+
 	ebitmap_t *type_attr_map;
 
 	ebitmap_t *attr_type_map;	/* not saved in the binary policy */
@@ -637,6 +654,11 @@ extern int policydb_load_isids(policydb_t * p, sidtab_t * s);
 
 extern int policydb_sort_ocontexts(policydb_t *p);
 
+extern int policydb_filetrans_insert(policydb_t *p, uint32_t stype,
+				     uint32_t ttype, uint32_t tclass,
+				     const char *name, char **name_alloc,
+				     uint32_t otype, uint32_t *present_otype);
+
 /* Deprecated */
 extern int policydb_context_isvalid(const policydb_t * p,
 				    const context_struct_t * c);
diff --git a/libsepol/src/avtab.c b/libsepol/src/avtab.c
index eef259cf..4c292e8b 100644
--- a/libsepol/src/avtab.c
+++ b/libsepol/src/avtab.c
@@ -315,20 +315,6 @@ avtab_ptr_t avtab_search_node_next(avtab_ptr_t node, int specified)
 	return NULL;
 }
 
-static int avtab_trans_destroy_helper(hashtab_key_t k, hashtab_datum_t d,
-				      void *a __attribute__ ((unused)))
-{
-	free(k);
-	free(d);
-	return 0;
-}
-
-void avtab_trans_destroy(avtab_trans_t *trans)
-{
-	hashtab_map(trans->name_trans.table, avtab_trans_destroy_helper, NULL);
-	symtab_destroy(&trans->name_trans);
-}
-
 void avtab_destroy(avtab_t * h)
 {
 	unsigned int i;
@@ -343,7 +329,6 @@ void avtab_destroy(avtab_t * h)
 			if (cur->key.specified & AVTAB_XPERMS) {
 				free(cur->datum.xperms);
 			} else if (cur->key.specified & AVTAB_TRANSITION) {
-				avtab_trans_destroy(cur->datum.trans);
 				free(cur->datum.trans);
 			}
 			temp = cur;
@@ -675,187 +660,3 @@ int avtab_read(avtab_t * a, struct policy_file *fp, uint32_t vers)
 	avtab_destroy(a);
 	return -1;
 }
-
-/* policydb filename transition compatibility */
-
-int avtab_insert_filename_trans(avtab_t *a, avtab_key_t *key,
-				uint32_t otype, const char *name,
-				uint32_t *present_otype)
-{
-	int rc = SEPOL_ENOMEM;
-	avtab_trans_t new_trans = {0};
-	avtab_datum_t new_datum = {.trans = &new_trans};
-	avtab_datum_t *datum;
-	avtab_ptr_t node;
-	char *name_key = NULL;
-	uint32_t *otype_datum = NULL;
-
-	datum = avtab_search(a, key);
-	if (!datum) {
-		/*
-		 * insert is actually unique, but with this function we can get
-		 * the inserted node and therefore the datum
-		 */
-		node = avtab_insert_nonunique(a, key, &new_datum);
-		if (!node)
-			return SEPOL_ENOMEM;
-		datum = &node->datum;
-	}
-
-	if (!datum->trans->name_trans.table) {
-		rc = symtab_init(&datum->trans->name_trans, 1 << 8);
-		if (rc < 0)
-			return rc;
-	}
-
-	rc = SEPOL_ENOMEM;
-	name_key = strdup(name);
-	if (!name_key)
-		goto bad;
-
-	rc = SEPOL_ENOMEM;
-	otype_datum = malloc(sizeof(*otype_datum));
-	if (!otype_datum)
-		goto bad;
-	*otype_datum = otype;
-
-	rc = hashtab_insert(datum->trans->name_trans.table, name_key,
-			    otype_datum);
-	if (rc < 0)
-		goto bad;
-
-	return SEPOL_OK;
-
-bad:
-	free(name_key);
-	free(otype_datum);
-	if (rc == SEPOL_EEXIST && present_otype) {
-		otype_datum = hashtab_search(datum->trans->name_trans.table,
-					     name);
-		if (otype_datum)
-			*present_otype = *otype_datum;
-	}
-	return rc;
-}
-
-static int filename_trans_read_one(avtab_t *a, void *fp)
-{
-	int rc;
-	uint32_t buf[4], len, otype;
-	char *name = NULL;
-	avtab_key_t key;
-
-	/* read length of the name and the name */
-	rc = next_entry(buf, fp, sizeof(uint32_t));
-	if (rc < 0)
-		return SEPOL_ERR;
-	len = le32_to_cpu(*buf);
-	rc = str_read(&name, fp, len);
-	if (rc < 0)
-		return SEPOL_ERR;
-
-	/* read stype, ttype, tclass and otype */
-	rc = next_entry(buf, fp, sizeof(uint32_t) * 4);
-	if (rc < 0)
-		goto err;
-
-	key.specified = AVTAB_TRANSITION;
-	key.source_type = le32_to_cpu(buf[0]);
-	key.target_type = le32_to_cpu(buf[1]);
-	key.target_class = le32_to_cpu(buf[2]);
-	otype = le32_to_cpu(buf[3]);
-
-	rc = avtab_insert_filename_trans(a, &key, otype, name, NULL);
-	if (rc)
-		goto err;
-
-	free(name);
-	return SEPOL_OK;
-err:
-	free(name);
-	return SEPOL_ERR;
-}
-
-static int filename_trans_comp_read_one(avtab_t *a, void *fp)
-{
-	int rc;
-	uint32_t buf[3], len, ndatum, i, bit, otype;
-	char *name = NULL;
-	avtab_key_t key;
-	ebitmap_t stypes;
-	ebitmap_node_t *node;
-
-	/* read length of the name and the name */
-	rc = next_entry(buf, fp, sizeof(uint32_t));
-	if (rc < 0)
-		return SEPOL_ERR;
-	len = le32_to_cpu(*buf);
-	rc = str_read(&name, fp, len);
-	if (rc < 0)
-		return SEPOL_ERR;
-
-	/* read ttype, tclass, ndatum */
-	rc = next_entry(buf, fp, sizeof(uint32_t) * 3);
-	if (rc < 0)
-		goto err;
-
-	key.specified = AVTAB_TRANSITION;
-	key.target_type = le32_to_cpu(buf[0]);
-	key.target_class = le32_to_cpu(buf[1]);
-
-	ndatum = le32_to_cpu(buf[2]);
-	for (i = 0; i < ndatum; i++) {
-		rc = ebitmap_read(&stypes, fp);
-		if (rc < 0)
-			goto err;
-
-		rc = next_entry(buf, fp, sizeof(uint32_t));
-		if (rc < 0)
-			goto err_ebitmap;
-		otype = le32_to_cpu(*buf);
-
-		ebitmap_for_each_positive_bit(&stypes, node, bit) {
-			key.source_type = bit + 1;
-
-			rc = avtab_insert_filename_trans(a, &key, otype, name,
-				NULL);
-			if (rc < 0)
-				goto err_ebitmap;
-		}
-	}
-
-	free(name);
-	return SEPOL_OK;
-
-err_ebitmap:
-	ebitmap_destroy(&stypes);
-err:
-	free(name);
-	return rc;
-}
-
-int avtab_filename_trans_read(void *fp, uint32_t vers, avtab_t *a)
-{
-	uint32_t buf[1], nel, i;
-	int rc;
-
-	rc = next_entry(buf, fp, sizeof(uint32_t));
-	if (rc < 0)
-		return rc;
-	nel = le32_to_cpu(*buf);
-
-	if (vers < POLICYDB_VERSION_COMP_FTRANS) {
-		for (i = 0; i < nel; i++) {
-			rc = filename_trans_read_one(a, fp);
-			if (rc < 0)
-				return rc;
-		}
-	} else {
-		for (i = 0; i < nel; i++) {
-			rc = filename_trans_comp_read_one(a, fp);
-			if (rc < 0)
-				return rc;
-		}
-	}
-	return SEPOL_OK;
-}
diff --git a/libsepol/src/conditional.c b/libsepol/src/conditional.c
index 7900e928..24380ea0 100644
--- a/libsepol/src/conditional.c
+++ b/libsepol/src/conditional.c
@@ -624,7 +624,6 @@ static int cond_insertf(avtab_t * a
 	struct policydb *p = data->p;
 	cond_av_list_t *other = data->other, *list, *cur;
 	avtab_ptr_t node_ptr;
-	avtab_datum_t *existing;
 	uint8_t found;
 
 	/*
@@ -633,10 +632,7 @@ static int cond_insertf(avtab_t * a
 	 * cond_te_avtab.
 	 */
 	if (k->specified & AVTAB_TYPE) {
-		existing = avtab_search(&p->te_avtab, k);
-		/* empty transition rule is not a conflict */
-		if (existing && !(k->specified & AVTAB_TRANSITION
-		    && !existing->trans->otype)) {
+		if (avtab_search(&p->te_avtab, k)) {
 			WARN(NULL, "security: type rule already exists outside of a conditional.");
 			return -1;
 		}
diff --git a/libsepol/src/expand.c b/libsepol/src/expand.c
index 878b0f21..6793a27d 100644
--- a/libsepol/src/expand.c
+++ b/libsepol/src/expand.c
@@ -1413,17 +1413,14 @@ static int expand_filename_trans_helper(expand_state_t *state,
 {
 	uint32_t mapped_otype, present_otype;
 	int rc;
-	avtab_key_t avt_key;
 
 	mapped_otype = state->typemap[rule->otype - 1];
 
-	avt_key.specified = AVTAB_TRANSITION;
-	avt_key.source_type = s + 1;
-	avt_key.target_type = t + 1;
-	avt_key.target_class = rule->tclass;
-
-	rc = avtab_insert_filename_trans(&state->out->te_avtab, &avt_key,
-		mapped_otype, rule->name, &present_otype);
+	rc = policydb_filetrans_insert(
+		state->out, s + 1, t + 1,
+		rule->tclass, rule->name,
+		NULL, mapped_otype, &present_otype
+	);
 	if (rc == SEPOL_EEXIST) {
 		/* duplicate rule, ignore */
 		if (present_otype == mapped_otype)
@@ -1737,16 +1734,6 @@ static int expand_terule_helper(sepol_handle_t * handle,
 		 * either in the global scope or in another
 		 * conditional AV tab */
 		node = avtab_search_node(&p->te_avtab, &avkey);
-
-		/*
-		 * if node does not already contain transition, it is not a
-		 * conflict and transition otype will be set to node found by
-		 * find_avtab_node()
-		 */
-		if (specified & AVRULE_TRANSITION && node &&
-		    !node->datum.trans->otype)
-			node = NULL;
-
 		if (node) {
 			conflict = 1;
 		} else {
@@ -1754,10 +1741,6 @@ static int expand_terule_helper(sepol_handle_t * handle,
 			if (node && node->parse_context != other) {
 				conflict = 2;
 			}
-			/*
-			 * conditional avtab does not contain filename
-			 * transitions, no need to check for otype == 0
-			 */
 		}
 
 		if (conflict) {
diff --git a/libsepol/src/kernel_to_cil.c b/libsepol/src/kernel_to_cil.c
index 8ed695f1..316679cc 100644
--- a/libsepol/src/kernel_to_cil.c
+++ b/libsepol/src/kernel_to_cil.c
@@ -1700,24 +1700,14 @@ static char *xperms_to_str(avtab_extended_perms_t *xperms)
 	return xpermsbuf;
 }
 
-static int name_trans_to_strs_helper(hashtab_key_t k, hashtab_datum_t d, void *a)
+static char *avtab_node_to_str(struct policydb *pdb, avtab_key_t *key, avtab_datum_t *datum)
 {
-	char *name = k;
-	uint32_t *otype = d;
-	name_trans_to_strs_args_t *args = a;
-	return strs_create_and_add(args->strs, "(%s %s %s %s \"%s\" %s)", 6,
-				   args->flavor, args->src, args->tgt,
-				   args->class, name,
-				   args->pdb->p_type_val_to_name[*otype - 1]);
-}
-
-static int avtab_node_to_strs(struct policydb *pdb, avtab_key_t *key, avtab_datum_t *datum, struct strs *strs)
-{
-	int rc = SEPOL_OK;
-	uint32_t data = datum->data;
+	uint32_t data = key->specified & AVTAB_TRANSITION
+		? datum->trans->otype : datum->data;
 	type_datum_t *type;
 	const char *flavor, *tgt;
 	char *src, *class, *perms, *new;
+	char *rule = NULL;
 
 	switch (0xFFF & key->specified) {
 	case AVTAB_ALLOWED:
@@ -1750,7 +1740,7 @@ static int avtab_node_to_strs(struct policydb *pdb, avtab_key_t *key, avtab_datu
 		break;
 	default:
 		ERR(NULL, "Unknown avtab type: %i", key->specified);
-		return SEPOL_ERR;
+		goto exit;
 	}
 
 	src = pdb->p_type_val_to_name[key->source_type - 1];
@@ -1767,44 +1757,33 @@ static int avtab_node_to_strs(struct policydb *pdb, avtab_key_t *key, avtab_datu
 		perms = sepol_av_to_string(pdb, key->target_class, data);
 		if (perms == NULL) {
 			ERR(NULL, "Failed to generate permission string");
-			return SEPOL_ERR;
+			goto exit;
 		}
-		rc = strs_create_and_add(strs, "(%s %s %s (%s (%s)))", 5,
-					 flavor, src, tgt, class, perms + 1);
+		rule = create_str("(%s %s %s (%s (%s)))", 5,
+				  flavor, src, tgt, class, perms+1);
 	} else if (key->specified & AVTAB_XPERMS) {
 		perms = xperms_to_str(datum->xperms);
 		if (perms == NULL) {
 			ERR(NULL, "Failed to generate extended permission string");
-			return SEPOL_ERR;
+			goto exit;
 		}
 
-		rc = strs_create_and_add(strs, "(%s %s %s (%s %s (%s)))", 6,
-					 flavor, src, tgt, "ioctl", class, perms);
-	} else if (key->specified & AVTAB_TRANSITION) {
-		if (datum->trans->otype) {
-			rc = strs_create_and_add(strs, "(%s %s %s %s %s)", 5,
-						 flavor, src, tgt, class,
-						 pdb->p_type_val_to_name[datum->trans->otype - 1]);
-			if (rc < 0)
-				return rc;
-		}
-		name_trans_to_strs_args_t args = {
-			.pdb = pdb,
-			.strs = strs,
-			.flavor = flavor,
-			.src = src,
-			.tgt = tgt,
-			.class = class,
-		};
-		rc = hashtab_map(datum->trans->name_trans.table,
-				 name_trans_to_strs_helper, &args);
+		rule = create_str("(%s %s %s (%s %s (%s)))", 6,
+				  flavor, src, tgt, "ioctl", class, perms);
 	} else {
 		new = pdb->p_type_val_to_name[data - 1];
 
-		rc = strs_create_and_add(strs, "(%s %s %s %s %s)", 5, flavor, src, tgt, class, new);
+		rule = create_str("(%s %s %s %s %s)", 5, flavor, src, tgt, class, new);
 	}
 
-	return rc;
+	if (!rule) {
+		goto exit;
+	}
+
+	return rule;
+
+exit:
+	return NULL;
 }
 
 struct map_avtab_args {
@@ -1819,12 +1798,23 @@ static int map_avtab_write_helper(avtab_key_t *key, avtab_datum_t *datum, void *
 	uint32_t flavor = map_args->flavor;
 	struct policydb *pdb = map_args->pdb;
 	struct strs *strs = map_args->strs;
+	char *rule;
 	int rc = 0;
 
 	if (key->specified & flavor) {
-		rc = avtab_node_to_strs(pdb, key, datum, strs);
+		rule = avtab_node_to_str(pdb, key, datum);
+		if (!rule) {
+			rc = -1;
+			goto exit;
+		}
+		rc = strs_add(strs, rule);
+		if (rc != 0) {
+			free(rule);
+			goto exit;
+		}
 	}
 
+exit:
 	return rc;
 }
 
@@ -1878,6 +1868,77 @@ exit:
 	return rc;
 }
 
+struct map_filename_trans_args {
+	struct policydb *pdb;
+	struct strs *strs;
+};
+
+static int map_filename_trans_to_str(hashtab_key_t key, void *data, void *arg)
+{
+	filename_trans_key_t *ft = (filename_trans_key_t *)key;
+	filename_trans_datum_t *datum = data;
+	struct map_filename_trans_args *map_args = arg;
+	struct policydb *pdb = map_args->pdb;
+	struct strs *strs = map_args->strs;
+	char *src, *tgt, *class, *filename, *new;
+	struct ebitmap_node *node;
+	uint32_t bit;
+	int rc;
+
+	tgt = pdb->p_type_val_to_name[ft->ttype - 1];
+	class = pdb->p_class_val_to_name[ft->tclass - 1];
+	filename = ft->name;
+	do {
+		new = pdb->p_type_val_to_name[datum->otype - 1];
+
+		ebitmap_for_each_positive_bit(&datum->stypes, node, bit) {
+			src = pdb->p_type_val_to_name[bit];
+			rc = strs_create_and_add(strs,
+						 "(typetransition %s %s %s \"%s\" %s)",
+						 5, src, tgt, class, filename, new);
+			if (rc)
+				return rc;
+		}
+
+		datum = datum->next;
+	} while (datum);
+
+	return 0;
+}
+
+static int write_filename_trans_rules_to_cil(FILE *out, struct policydb *pdb)
+{
+	struct map_filename_trans_args args;
+	struct strs *strs;
+	int rc = 0;
+
+	rc = strs_init(&strs, 100);
+	if (rc != 0) {
+		goto exit;
+	}
+
+	args.pdb = pdb;
+	args.strs = strs;
+
+	rc = hashtab_map(pdb->filename_trans, map_filename_trans_to_str, &args);
+	if (rc != 0) {
+		goto exit;
+	}
+
+	strs_sort(strs);
+	strs_write_each(strs, out);
+
+exit:
+	strs_free_all(strs);
+	strs_destroy(&strs);
+
+	if (rc != 0) {
+		ERR(NULL, "Error writing filename typetransition rules to CIL");
+	}
+
+	return rc;
+}
+
 static char *level_to_str(struct policydb *pdb, struct mls_level *level)
 {
 	ebitmap_t *cats = &level->cat;
@@ -1997,6 +2058,7 @@ static int write_cond_av_list_to_cil(FILE *out, struct policydb *pdb, cond_av_li
 	avtab_key_t *key;
 	avtab_datum_t *datum;
 	struct strs *strs;
+	char *rule;
 	unsigned i;
 	int rc;
 
@@ -2012,8 +2074,14 @@ static int write_cond_av_list_to_cil(FILE *out, struct policydb *pdb, cond_av_li
 			key = &node->key;
 			datum = &node->datum;
 			if (key->specified & flavor) {
-				rc = avtab_node_to_strs(pdb, key, datum, strs);
+				rule = avtab_node_to_str(pdb, key, datum);
+				if (!rule) {
+					rc = -1;
+					goto exit;
+				}
+				rc = strs_add(strs, rule);
 				if (rc != 0) {
+					free(rule);
 					goto exit;
 				}
 			}
@@ -3261,6 +3329,11 @@ int sepol_kernel_policydb_to_cil(FILE *out, struct policydb *pdb)
 		goto exit;
 	}
 
+	rc = write_filename_trans_rules_to_cil(out, pdb);
+	if (rc != 0) {
+		goto exit;
+	}
+
 	if (pdb->mls) {
 		rc = write_range_trans_rules_to_cil(out, pdb);
 		if (rc != 0) {
diff --git a/libsepol/src/kernel_to_common.h b/libsepol/src/kernel_to_common.h
index b8ea237d..9e567eb8 100644
--- a/libsepol/src/kernel_to_common.h
+++ b/libsepol/src/kernel_to_common.h
@@ -83,15 +83,6 @@ struct strs {
 	size_t size;
 };
 
-typedef struct {
-	policydb_t *pdb;
-	struct strs *strs;
-	const char *flavor;
-	const char *src;
-	const char *tgt;
-	const char *class;
-} name_trans_to_strs_args_t;
-
 void sepol_indent(FILE *out, int indent);
 __attribute__ ((format(printf, 2, 3)))
 void sepol_printf(FILE *out, const char *fmt, ...);
diff --git a/libsepol/src/kernel_to_conf.c b/libsepol/src/kernel_to_conf.c
index eb14ccf1..aa161b08 100644
--- a/libsepol/src/kernel_to_conf.c
+++ b/libsepol/src/kernel_to_conf.c
@@ -1678,24 +1678,13 @@ exit:
 	return rc;
 }
 
-static int name_trans_to_strs_helper(hashtab_key_t k, hashtab_datum_t d, void *a)
+static char *avtab_node_to_str(struct policydb *pdb, avtab_key_t *key, avtab_datum_t *datum)
 {
-	char *name = k;
-	uint32_t *otype = d;
-	name_trans_to_strs_args_t *args = a;
-	return strs_create_and_add(args->strs, "%s %s %s:%s %s \"%s\";", 6,
-				   args->flavor, args->src, args->tgt,
-				   args->class,
-				   args->pdb->p_type_val_to_name[*otype - 1],
-				   name);
-}
-
-static int avtab_node_to_strs(struct policydb *pdb, avtab_key_t *key, avtab_datum_t *datum, struct strs *strs)
-{
-	int rc = SEPOL_OK;
-	uint32_t data = datum->data;
+	uint32_t data = key->specified & AVTAB_TRANSITION
+		? datum->trans->otype : datum->data;
 	type_datum_t *type;
 	const char *flavor, *src, *tgt, *class, *perms, *new;
+	char *rule = NULL;
 
 	switch (0xFFF & key->specified) {
 	case AVTAB_ALLOWED:
@@ -1728,7 +1717,7 @@ static int avtab_node_to_strs(struct policydb *pdb, avtab_key_t *key, avtab_datu
 		break;
 	default:
 		ERR(NULL, "Unknown avtab type: %i", key->specified);
-		return SEPOL_ERR;
+		goto exit;
 	}
 
 	src = pdb->p_type_val_to_name[key->source_type - 1];
@@ -1745,42 +1734,32 @@ static int avtab_node_to_strs(struct policydb *pdb, avtab_key_t *key, avtab_datu
 		perms = sepol_av_to_string(pdb, key->target_class, data);
 		if (perms == NULL) {
 			ERR(NULL, "Failed to generate permission string");
-			return SEPOL_ERR;
+			goto exit;
 		}
-		rc = strs_create_and_add(strs, "%s %s %s:%s { %s };", 5,
-					 flavor, src, tgt, class, perms + 1);
+		rule = create_str("%s %s %s:%s { %s };", 5,
+				  flavor, src, tgt, class, perms+1);
 	} else if (key->specified & AVTAB_XPERMS) {
 		perms = sepol_extended_perms_to_string(datum->xperms);
 		if (perms == NULL) {
 			ERR(NULL, "Failed to generate extended permission string");
-			return SEPOL_ERR;
-		}
-		rc = strs_create_and_add(strs, "%s %s %s:%s %s;", 5, flavor, src, tgt, class, perms);
-	} else if (key->specified & AVTAB_TRANSITION) {
-		if (datum->trans->otype) {
-			rc = strs_create_and_add(strs, "%s %s %s:%s %s;", 5,
-						 flavor, src, tgt, class,
-						 pdb->p_type_val_to_name[datum->trans->otype - 1]);
-			if (rc < 0)
-				return rc;
+			goto exit;
 		}
-		name_trans_to_strs_args_t args = {
-			.pdb = pdb,
-			.strs = strs,
-			.flavor = flavor,
-			.src = src,
-			.tgt = tgt,
-			.class = class,
-		};
-		rc = hashtab_map(datum->trans->name_trans.table,
-				 name_trans_to_strs_helper, &args);
+
+		rule = create_str("%s %s %s:%s %s;", 5, flavor, src, tgt, class, perms);
 	} else {
 		new = pdb->p_type_val_to_name[data - 1];
 
-		rc = strs_create_and_add(strs, "%s %s %s:%s %s;", 5, flavor, src, tgt, class, new);
+		rule = create_str("%s %s %s:%s %s;", 5, flavor, src, tgt, class, new);
 	}
 
-	return rc;
+	if (!rule) {
+		goto exit;
+	}
+
+	return rule;
+
+exit:
+	return NULL;
 }
 
 struct map_avtab_args {
@@ -1795,12 +1774,23 @@ static int map_avtab_write_helper(avtab_key_t *key, avtab_datum_t *datum, void *
 	uint32_t flavor = map_args->flavor;
 	struct policydb *pdb = map_args->pdb;
 	struct strs *strs = map_args->strs;
+	char *rule;
 	int rc = 0;
 
 	if (key->specified & flavor) {
-		rc = avtab_node_to_strs(pdb, key, datum, strs);
+		rule = avtab_node_to_str(pdb, key, datum);
+		if (!rule) {
+			rc = -1;
+			goto exit;
+		}
+		rc = strs_add(strs, rule);
+		if (rc != 0) {
+			free(rule);
+			goto exit;
+		}
 	}
 
+exit:
 	return rc;
 }
 
@@ -1854,6 +1844,77 @@ exit:
 	return rc;
 }
 
+struct map_filename_trans_args {
+	struct policydb *pdb;
+	struct strs *strs;
+};
+
+static int map_filename_trans_to_str(hashtab_key_t key, void *data, void *arg)
+{
+	filename_trans_key_t *ft = (filename_trans_key_t *)key;
+	filename_trans_datum_t *datum = data;
+	struct map_filename_trans_args *map_args = arg;
+	struct policydb *pdb = map_args->pdb;
+	struct strs *strs = map_args->strs;
+	char *src, *tgt, *class, *filename, *new;
+	struct ebitmap_node *node;
+	uint32_t bit;
+	int rc;
+
+	tgt = pdb->p_type_val_to_name[ft->ttype - 1];
+	class = pdb->p_class_val_to_name[ft->tclass - 1];
+	filename = ft->name;
+	do {
+		new = pdb->p_type_val_to_name[datum->otype - 1];
+
+		ebitmap_for_each_positive_bit(&datum->stypes, node, bit) {
+			src = pdb->p_type_val_to_name[bit];
+			rc = strs_create_and_add(strs,
+						 "type_transition %s %s:%s %s \"%s\";",
+						 5, src, tgt, class, new, filename);
+			if (rc)
+				return rc;
+		}
+
+		datum = datum->next;
+	} while (datum);
+
+	return 0;
+}
+
+static int write_filename_trans_rules_to_conf(FILE *out, struct policydb *pdb)
+{
+	struct map_filename_trans_args args;
+	struct strs *strs;
+	int rc = 0;
+
+	rc = strs_init(&strs, 100);
+	if (rc != 0) {
+		goto exit;
+	}
+
+	args.pdb = pdb;
+	args.strs = strs;
+
+	rc = hashtab_map(pdb->filename_trans, map_filename_trans_to_str, &args);
+	if (rc != 0) {
+		goto exit;
+	}
+
+	strs_sort(strs);
+	strs_write_each(strs, out);
+
+exit:
+	strs_free_all(strs);
+	strs_destroy(&strs);
+
+	if (rc != 0) {
+		ERR(NULL, "Error writing filename typetransition rules to policy.conf");
+	}
+
+	return rc;
+}
+
 static char *level_to_str(struct policydb *pdb, struct mls_level *level)
 {
 	ebitmap_t *cats = &level->cat;
@@ -1973,6 +2034,7 @@ static int write_cond_av_list_to_conf(FILE *out, struct policydb *pdb, cond_av_l
 	avtab_key_t *key;
 	avtab_datum_t *datum;
 	struct strs *strs;
+	char *rule;
 	unsigned i;
 	int rc;
 
@@ -1988,8 +2050,14 @@ static int write_cond_av_list_to_conf(FILE *out, struct policydb *pdb, cond_av_l
 			key = &node->key;
 			datum = &node->datum;
 			if (key->specified & flavor) {
-				rc = avtab_node_to_strs(pdb, key, datum, strs);
+				rule = avtab_node_to_str(pdb, key, datum);
+				if (!rule) {
+					rc = -1;
+					goto exit;
+				}
+				rc = strs_add(strs, rule);
 				if (rc != 0) {
+					free(rule);
 					goto exit;
 				}
 			}
@@ -3135,6 +3203,7 @@ int sepol_kernel_policydb_to_conf(FILE *out, struct policydb *pdb)
 	if (rc != 0) {
 		goto exit;
 	}
+	write_filename_trans_rules_to_conf(out, pdb);
 
 	if (pdb->mls) {
 		rc = write_range_trans_rules_to_conf(out, pdb);
diff --git a/libsepol/src/optimize.c b/libsepol/src/optimize.c
index 7948d983..2d4a2d7a 100644
--- a/libsepol/src/optimize.c
+++ b/libsepol/src/optimize.c
@@ -308,10 +308,8 @@ static void optimize_avtab(policydb_t *p, const struct type_vec *type_map)
 				*cur = tmp->next;
 				if (tmp->key.specified & AVTAB_XPERMS)
 					free(tmp->datum.xperms);
-				if (tmp->key.specified & AVTAB_TRANSITION) {
-					avtab_trans_destroy(tmp->datum.trans);
+				if (tmp->key.specified & AVTAB_TRANSITION)
 					free(tmp->datum.trans);
-				}
 				free(tmp);
 
 				tab->nel--;
@@ -431,10 +429,8 @@ static void optimize_cond_avtab(policydb_t *p, const struct type_vec *type_map)
 				*cur = tmp->next;
 				if (tmp->key.specified & AVTAB_XPERMS)
 					free(tmp->datum.xperms);
-				if (tmp->key.specified & AVTAB_TRANSITION) {
-					avtab_trans_destroy(tmp->datum.trans);
+				if (tmp->key.specified & AVTAB_TRANSITION)
 					free(tmp->datum.trans);
-				}
 				free(tmp);
 
 				tab->nel--;
diff --git a/libsepol/src/policydb.c b/libsepol/src/policydb.c
index c1ce9c34..605d290a 100644
--- a/libsepol/src/policydb.c
+++ b/libsepol/src/policydb.c
@@ -801,6 +801,47 @@ static int roles_init(policydb_t * p)
 	goto out;
 }
 
+ignore_unsigned_overflow_
+static inline unsigned long
+partial_name_hash(unsigned long c, unsigned long prevhash)
+{
+	return (prevhash + (c << 4) + (c >> 4)) * 11;
+}
+
+static unsigned int filenametr_hash(hashtab_t h, const_hashtab_key_t k)
+{
+	const filename_trans_key_t *ft = (const filename_trans_key_t *)k;
+	unsigned long hash;
+	unsigned int byte_num;
+	unsigned char focus;
+
+	hash = ft->ttype ^ ft->tclass;
+
+	byte_num = 0;
+	while ((focus = ft->name[byte_num++]))
+		hash = partial_name_hash(focus, hash);
+	return hash & (h->size - 1);
+}
+
+static int filenametr_cmp(hashtab_t h __attribute__ ((unused)),
+			  const_hashtab_key_t k1, const_hashtab_key_t k2)
+{
+	const filename_trans_key_t *ft1 = (const filename_trans_key_t *)k1;
+	const filename_trans_key_t *ft2 = (const filename_trans_key_t *)k2;
+	int v;
+
+	v = spaceship_cmp(ft1->ttype, ft2->ttype);
+	if (v)
+		return v;
+
+	v = spaceship_cmp(ft1->tclass, ft2->tclass);
+	if (v)
+		return v;
+
+	return strcmp(ft1->name, ft2->name);
+
+}
+
 static unsigned int rangetr_hash(hashtab_t h, const_hashtab_key_t k)
 {
 	const struct range_trans *key = (const struct range_trans *)k;
@@ -868,6 +909,12 @@ int policydb_init(policydb_t * p)
 	if (rc)
 		goto err;
 
+	p->filename_trans = hashtab_create(filenametr_hash, filenametr_cmp, (1 << 10));
+	if (!p->filename_trans) {
+		rc = -ENOMEM;
+		goto err;
+	}
+
 	p->range_tr = hashtab_create(rangetr_hash, rangetr_cmp, 256);
 	if (!p->range_tr) {
 		rc = -ENOMEM;
@@ -879,6 +926,7 @@ int policydb_init(policydb_t * p)
 
 	return 0;
 err:
+	hashtab_destroy(p->filename_trans);
 	hashtab_destroy(p->range_tr);
 	for (i = 0; i < SYM_NUM; i++) {
 		hashtab_destroy(p->symtab[i].table);
@@ -1364,6 +1412,23 @@ static int (*destroy_f[SYM_NUM]) (hashtab_key_t key, hashtab_datum_t datum,
 common_destroy, class_destroy, role_destroy, type_destroy, user_destroy,
 	    cond_destroy_bool, sens_destroy, cat_destroy,};
 
+static int filenametr_destroy(hashtab_key_t key, hashtab_datum_t datum,
+			      void *p __attribute__ ((unused)))
+{
+	filename_trans_key_t *ft = (filename_trans_key_t *)key;
+	filename_trans_datum_t *fd = datum, *next;
+
+	free(ft->name);
+	free(key);
+	do {
+		next = fd->next;
+		ebitmap_destroy(&fd->stypes);
+		free(fd);
+		fd = next;
+	} while (fd);
+	return 0;
+}
+
 static int range_tr_destroy(hashtab_key_t key, hashtab_datum_t datum,
 			    void *p __attribute__ ((unused)))
 {
@@ -1499,6 +1564,9 @@ void policydb_destroy(policydb_t * p)
 	if (lra)
 		free(lra);
 
+	hashtab_map(p->filename_trans, filenametr_destroy, NULL);
+	hashtab_destroy(p->filename_trans);
+
 	hashtab_map(p->range_tr, range_tr_destroy, NULL);
 	hashtab_destroy(p->range_tr);
 
@@ -2528,6 +2596,279 @@ static int role_allow_read(role_allow_t ** r, struct policy_file *fp)
 	return 0;
 }
 
+int policydb_filetrans_insert(policydb_t *p, uint32_t stype, uint32_t ttype,
+			      uint32_t tclass, const char *name,
+			      char **name_alloc, uint32_t otype,
+			      uint32_t *present_otype)
+{
+	filename_trans_key_t *ft, key;
+	filename_trans_datum_t *datum, *last;
+
+	key.ttype = ttype;
+	key.tclass = tclass;
+	key.name = (char *)name;
+
+	last = NULL;
+	datum = hashtab_search(p->filename_trans, (hashtab_key_t)&key);
+	while (datum) {
+		if (ebitmap_get_bit(&datum->stypes, stype - 1)) {
+			if (present_otype)
+				*present_otype = datum->otype;
+			return SEPOL_EEXIST;
+		}
+		if (datum->otype == otype)
+			break;
+		last = datum;
+		datum = datum->next;
+	}
+	if (!datum) {
+		datum = malloc(sizeof(*datum));
+		if (!datum)
+			return SEPOL_ENOMEM;
+
+		ebitmap_init(&datum->stypes);
+		datum->otype = otype;
+		datum->next = NULL;
+
+		if (last) {
+			last->next = datum;
+		} else {
+			char *name_dup;
+
+			if (name_alloc) {
+				name_dup = *name_alloc;
+				*name_alloc = NULL;
+			} else {
+				name_dup = strdup(name);
+				if (!name_dup) {
+					free(datum);
+					return SEPOL_ENOMEM;
+				}
+			}
+
+			ft = malloc(sizeof(*ft));
+			if (!ft) {
+				free(name_dup);
+				free(datum);
+				return SEPOL_ENOMEM;
+			}
+
+			ft->ttype = ttype;
+			ft->tclass = tclass;
+			ft->name = name_dup;
+
+			if (hashtab_insert(p->filename_trans, (hashtab_key_t)ft,
+					   (hashtab_datum_t)datum)) {
+				free(name_dup);
+				free(datum);
+				free(ft);
+				return SEPOL_ENOMEM;
+			}
+		}
+	}
+
+	p->filename_trans_count++;
+	return ebitmap_set_bit(&datum->stypes, stype - 1, 1);
+}
+
+static int filename_trans_read_one_compat(policydb_t *p, struct policy_file *fp)
+{
+	uint32_t buf[4], len, stype, ttype, tclass, otype;
+	char *name = NULL;
+	int rc;
+
+	rc = next_entry(buf, fp, sizeof(uint32_t));
+	if (rc < 0)
+		return -1;
+	len = le32_to_cpu(buf[0]);
+	if (zero_or_saturated(len))
+		return -1;
+
+	name = calloc(len + 1, sizeof(*name));
+	if (!name)
+		return -1;
+
+	rc = next_entry(name, fp, len);
+	if (rc < 0)
+		goto err;
+
+	rc = next_entry(buf, fp, sizeof(uint32_t) * 4);
+	if (rc < 0)
+		goto err;
+
+	stype = le32_to_cpu(buf[0]);
+	if (stype == 0)
+		goto err;
+
+	ttype  = le32_to_cpu(buf[1]);
+	tclass = le32_to_cpu(buf[2]);
+	otype  = le32_to_cpu(buf[3]);
+
+	rc = policydb_filetrans_insert(p, stype, ttype, tclass, name, &name,
+				       otype, NULL);
+	if (rc) {
+		if (rc != SEPOL_EEXIST)
+			goto err;
+		/*
+		 * Some old policies were wrongly generated with
+		 * duplicate filename transition rules.  For backward
+		 * compatibility, do not reject such policies, just
+		 * ignore the duplicate.
+		 */
+	}
+	free(name);
+	return 0;
+err:
+	free(name);
+	return -1;
+}
+
+static int filename_trans_check_datum(filename_trans_datum_t *datum)
+{
+	ebitmap_t stypes, otypes;
+	int rc = -1;
+
+	ebitmap_init(&stypes);
+	ebitmap_init(&otypes);
+
+	while (datum) {
+		if (ebitmap_get_bit(&otypes, datum->otype))
+			goto out;
+
+		if (ebitmap_set_bit(&otypes, datum->otype, 1))
+			goto out;
+
+		if (ebitmap_match_any(&stypes, &datum->stypes))
+			goto out;
+
+		if (ebitmap_union(&stypes, &datum->stypes))
+			goto out;
+
+		datum = datum->next;
+	}
+	rc = 0;
+out:
+	ebitmap_destroy(&stypes);
+	ebitmap_destroy(&otypes);
+	return rc;
+}
+
+static int filename_trans_read_one(policydb_t *p, struct policy_file *fp)
+{
+	filename_trans_key_t *ft = NULL;
+	filename_trans_datum_t **dst, *datum, *first = NULL;
+	unsigned int i;
+	uint32_t buf[3], len, ttype, tclass, ndatum;
+	char *name = NULL;
+	int rc;
+
+	rc = next_entry(buf, fp, sizeof(uint32_t));
+	if (rc < 0)
+		return -1;
+	len = le32_to_cpu(buf[0]);
+	if (zero_or_saturated(len))
+		return -1;
+
+	name = calloc(len + 1, sizeof(*name));
+	if (!name)
+		return -1;
+
+	rc = next_entry(name, fp, len);
+	if (rc < 0)
+		goto err;
+
+	rc = next_entry(buf, fp, sizeof(uint32_t) * 3);
+	if (rc < 0)
+		goto err;
+
+	ttype = le32_to_cpu(buf[0]);
+	tclass = le32_to_cpu(buf[1]);
+	ndatum = le32_to_cpu(buf[2]);
+	if (ndatum == 0)
+		goto err;
+
+	dst = &first;
+	for (i = 0; i < ndatum; i++) {
+		datum = malloc(sizeof(*datum));
+		if (!datum)
+			goto err;
+
+		datum->next = NULL;
+		*dst = datum;
+
+		/* ebitmap_read() will at least init the bitmap */
+		rc = ebitmap_read(&datum->stypes, fp);
+		if (rc < 0)
+			goto err;
+
+		rc = next_entry(buf, fp, sizeof(uint32_t));
+		if (rc < 0)
+			goto err;
+
+		datum->otype = le32_to_cpu(buf[0]);
+
+		p->filename_trans_count += ebitmap_cardinality(&datum->stypes);
+
+		dst = &datum->next;
+	}
+
+	if (ndatum > 1 && filename_trans_check_datum(first))
+		goto err;
+
+	ft = malloc(sizeof(*ft));
+	if (!ft)
+		goto err;
+
+	ft->ttype = ttype;
+	ft->tclass = tclass;
+	ft->name = name;
+
+	rc = hashtab_insert(p->filename_trans, (hashtab_key_t)ft,
+			    (hashtab_datum_t)first);
+	if (rc)
+		goto err;
+
+	return 0;
+err:
+	free(ft);
+	free(name);
+	while (first) {
+		datum = first;
+		first = first->next;
+
+		ebitmap_destroy(&datum->stypes);
+		free(datum);
+	}
+	return -1;
+}
+
+static int filename_trans_read(policydb_t *p, struct policy_file *fp)
+{
+	unsigned int i;
+	uint32_t buf[1], nel;
+	int rc;
+
+	rc = next_entry(buf, fp, sizeof(uint32_t));
+	if (rc < 0)
+		return -1;
+	nel = le32_to_cpu(buf[0]);
+
+	if (p->policyvers < POLICYDB_VERSION_COMP_FTRANS) {
+		for (i = 0; i < nel; i++) {
+			rc = filename_trans_read_one_compat(p, fp);
+			if (rc < 0)
+				return -1;
+		}
+	} else {
+		for (i = 0; i < nel; i++) {
+			rc = filename_trans_read_one(p, fp);
+			if (rc < 0)
+				return -1;
+		}
+	}
+	return 0;
+}
+
 static int ocontext_read_xen(const struct policydb_compat_info *info,
 	policydb_t *p, struct policy_file *fp)
 {
@@ -4129,7 +4470,7 @@ int policydb_read(policydb_t * p, struct policy_file *fp, unsigned verbose)
 		if (role_allow_read(&p->role_allow, fp))
 			goto bad;
 		if (r_policyvers >= POLICYDB_VERSION_FILENAME_TRANS &&
-		    avtab_filename_trans_read(fp, r_policyvers, &p->te_avtab))
+		    filename_trans_read(p, fp))
 			goto bad;
 	} else {
 		/* first read the AV rule blocks, then the scope tables */
diff --git a/libsepol/src/policydb_validate.c b/libsepol/src/policydb_validate.c
index 89306185..f402b506 100644
--- a/libsepol/src/policydb_validate.c
+++ b/libsepol/src/policydb_validate.c
@@ -829,18 +829,6 @@ static int validate_xperms(const avtab_extended_perms_t *xperms)
 bad:
 	return -1;
 }
-
-static int validate_name_trans_helper(hashtab_key_t k __attribute__ ((unused)),
-				      hashtab_datum_t d, void *a)
-{
-	uint32_t *otype = d;
-	map_arg_t *margs = a;
-
-	if (validate_simpletype(*otype, margs->policy, margs->flavors))
-		return -1;
-	return 0;
-}
-
 static int validate_avtab_key_and_datum(avtab_key_t *k, avtab_datum_t *d, void *args)
 {
 	map_arg_t *margs = args;
@@ -848,23 +836,10 @@ static int validate_avtab_key_and_datum(avtab_key_t *k, avtab_datum_t *d, void *
 	if (validate_avtab_key(k, 0, margs->policy, margs->flavors))
 		return -1;
 
-	if (k->specified & AVTAB_TRANSITION) {
-		/* if otype is set (non-zero), it must by a valid simple type */
-		if (d->trans->otype && validate_simpletype(d->trans->otype, margs->policy, margs->flavors))
-			return -1;
-
-		/* also each transition must be non empty */
-		if (!d->trans->otype &&
-		    !hashtab_nel(d->trans->name_trans.table))
-			return -1;
-
-		/* and each filename transition must be also valid */
-		if (hashtab_map(d->trans->name_trans.table,
-				validate_name_trans_helper, margs))
-			return -1;
-	} else if ((k->specified & AVTAB_TYPE) && validate_simpletype(d->data, margs->policy, margs->flavors)) {
+	uint32_t otype = k->specified & AVTAB_TRANSITION
+		? d->trans->otype : d->data;
+	if ((k->specified & AVTAB_TYPE) && validate_simpletype(otype, margs->policy, margs->flavors))
 		return -1;
-	}
 
 	if ((k->specified & AVTAB_XPERMS) && validate_xperms(d->xperms))
 		return -1;
@@ -1117,6 +1092,41 @@ bad:
 	return -1;
 }
 
+static int validate_filename_trans(hashtab_key_t k, hashtab_datum_t d, void *args)
+{
+	const filename_trans_key_t *ftk = (filename_trans_key_t *)k;
+	const filename_trans_datum_t *ftd = d;
+	validate_t *flavors = (validate_t *)args;
+
+	if (validate_value(ftk->ttype, &flavors[SYM_TYPES]))
+		goto bad;
+	if (validate_value(ftk->tclass, &flavors[SYM_CLASSES]))
+		goto bad;
+	if (!ftd)
+		goto bad;
+	for (; ftd; ftd = ftd->next) {
+		if (validate_ebitmap(&ftd->stypes, &flavors[SYM_TYPES]))
+			goto bad;
+		if (validate_value(ftd->otype, &flavors[SYM_TYPES]))
+			goto bad;
+	}
+
+	return 0;
+
+bad:
+	return -1;
+}
+
+static int validate_filename_trans_hashtab(sepol_handle_t *handle, hashtab_t filename_trans, validate_t flavors[])
+{
+	if (hashtab_map(filename_trans, validate_filename_trans, flavors)) {
+		ERR(handle, "Invalid filename trans");
+		return -1;
+	}
+
+	return 0;
+}
+
 static int validate_context(const context_struct_t *con, validate_t flavors[], int mls)
 {
 	if (validate_value(con->user, &flavors[SYM_USERS]))
@@ -1546,6 +1556,9 @@ int policydb_validate(sepol_handle_t *handle, const policydb_t *p)
 			goto bad;
 		if (validate_role_allows(handle, p->role_allow, flavors))
 			goto bad;
+		if (p->policyvers >= POLICYDB_VERSION_FILENAME_TRANS)
+			if (validate_filename_trans_hashtab(handle, p->filename_trans, flavors))
+				goto bad;
 	} else {
 		if (validate_avrule_blocks(handle, p->global, p, flavors))
 			goto bad;
diff --git a/libsepol/src/write.c b/libsepol/src/write.c
index c4d593ab..0d3d5f14 100644
--- a/libsepol/src/write.c
+++ b/libsepol/src/write.c
@@ -116,14 +116,6 @@ static int avtab_write_item(policydb_t * p,
 				&& p->policyvers < POLICYDB_VERSION_AVTAB);
 	unsigned int i;
 
-	/* skip entries which only contain filename transitions */
-	if (cur->key.specified & AVTAB_TRANSITION && !cur->datum.trans->otype) {
-		/* if oldvers, reduce nel, because this node will be skipped */
-		if (oldvers && nel)
-			(*nel)--;
-		return 0;
-	}
-
 	if (oldvers) {
 		/* Generate the old avtab format.
 		   Requires merging similar entries if uncond avtab. */
@@ -321,23 +313,8 @@ static int avtab_write(struct policydb *p, avtab_t * a, struct policy_file *fp)
 		avtab_reset_merged(a);
 		nel = a->nel;
 	} else {
-		/*
-		 * New avtab format.  nel is good to go unless we need to skip
-		 * filename transitions.
-		 */
-		nel = a->nel;
-		/*
-		 * entries containing only filename transitions are skipped and
-		 * written out later
-		 */
-		for (i = 0; i < a->nslot; i++) {
-			for (cur = a->htable[i]; cur; cur = cur->next) {
-				if (cur->key.specified & AVTAB_TRANSITION &&
-				    !cur->datum.trans->otype)
-					nel--;
-			}
-		}
-		nel = cpu_to_le32(nel);
+		/* New avtab format.  nel is good to go. */
+		nel = cpu_to_le32(a->nel);
 		items = put_entry(&nel, sizeof(uint32_t), 1, fp);
 		if (items != 1)
 			return POLICYDB_ERROR;
@@ -381,307 +358,6 @@ static int avtab_write(struct policydb *p, avtab_t * a, struct policy_file *fp)
 	return rc;
 }
 
-/* policydb filename transition compatibility */
-
-typedef struct filenametr_key {
-	uint32_t ttype;
-	uint32_t tclass;
-	char *name;
-} filenametr_key_t;
-
-typedef struct filenametr_datum {
-	ebitmap_t stypes;
-	uint32_t otype;
-	struct filenametr_datum *next;
-} filenametr_datum_t;
-
-ignore_unsigned_overflow_
-static inline unsigned long
-partial_name_hash(unsigned long c, unsigned long prevhash)
-{
-	return (prevhash + (c << 4) + (c >> 4)) * 11;
-}
-
-static unsigned int filenametr_hash(hashtab_t h, const_hashtab_key_t k)
-{
-	const filenametr_key_t *ft = (const filenametr_key_t *)k;
-	unsigned long hash;
-	unsigned int byte_num;
-	unsigned char focus;
-
-	hash = ft->ttype ^ ft->tclass;
-
-	byte_num = 0;
-	while ((focus = ft->name[byte_num++]))
-		hash = partial_name_hash(focus, hash);
-	return hash & (h->size - 1);
-}
-
-static int filenametr_cmp(hashtab_t h __attribute__ ((unused)),
-			  const_hashtab_key_t k1, const_hashtab_key_t k2)
-{
-	const filenametr_key_t *ft1 = (const filenametr_key_t *)k1;
-	const filenametr_key_t *ft2 = (const filenametr_key_t *)k2;
-	int v;
-
-	v = spaceship_cmp(ft1->ttype, ft2->ttype);
-	if (v)
-		return v;
-
-	v = spaceship_cmp(ft1->tclass, ft2->tclass);
-	if (v)
-		return v;
-
-	return strcmp(ft1->name, ft2->name);
-}
-
-static int filenametr_destroy(hashtab_key_t key, hashtab_datum_t datum,
-			      void *p __attribute__ ((unused)))
-{
-	filenametr_key_t *ft = (filenametr_key_t *)key;
-	filenametr_datum_t *fd = datum, *next;
-
-	free(ft->name);
-	free(key);
-	do {
-		next = fd->next;
-		ebitmap_destroy(&fd->stypes);
-		free(fd);
-		fd = next;
-	} while (fd);
-	return 0;
-}
-
-typedef struct {
-	void *fp;
-	avtab_key_t *key;
-} name_trans_write_args_t;
-
-static int name_trans_write_helper(hashtab_key_t k, hashtab_datum_t d, void *a)
-{
-	char *name = k;
-	uint32_t *otype = d;
-	name_trans_write_args_t *args = a;
-	size_t items;
-	uint32_t len, buf[4];
-
-	len = strlen(name);
-	buf[0] = cpu_to_le32(len);
-	items = put_entry(buf, sizeof(uint32_t), 1, args->fp);
-	if (items != 1)
-		return -1;
-
-	items = put_entry(name, sizeof(char), len,args-> fp);
-	if (items != len)
-		return -1;
-
-	buf[0] = cpu_to_le32(args->key->source_type);
-	buf[1] = cpu_to_le32(args->key->target_type);
-	buf[2] = cpu_to_le32(args->key->target_class);
-	buf[3] = cpu_to_le32(*otype);
-
-	items = put_entry(buf, sizeof(uint32_t), 4, args->fp);
-	if (items != 4)
-		return -1;
-	return 0;
-}
-
-typedef struct {
-	hashtab_t fnts_tab;
-	avtab_key_t *av_key;
-} name_trans_insert_args_t;
-
-static int name_trans_insert_helper(hashtab_key_t k, hashtab_datum_t d, void *a)
-{
-	char *name = k;
-	uint32_t *otype = d;
-	name_trans_insert_args_t *args = a;
-	filenametr_key_t key, *ft = NULL;
-	filenametr_datum_t *last, *datum = NULL;
-	int rc;
-
-	key.ttype = args->av_key->target_type;
-	key.tclass = args->av_key->target_class;
-	key.name = name;
-
-	last = NULL;
-	datum = hashtab_search(args->fnts_tab, (hashtab_key_t)&key);
-	while (datum) {
-		if (ebitmap_get_bit(&datum->stypes, args->av_key->source_type - 1)) {
-			datum = NULL;
-			goto bad;
-		}
-		if (datum->otype == *otype)
-			break;
-		last = datum;
-		datum = datum->next;
-	}
-	if (!datum) {
-		datum = malloc(sizeof(filenametr_datum_t));
-		if (!datum)
-			goto bad;
-
-		ebitmap_init(&datum->stypes);
-		datum->otype = *otype;
-		datum->next = NULL;
-
-		if (last) {
-			last->next = datum;
-		} else {
-			ft = malloc(sizeof(filenametr_key_t));
-			if (!ft)
-				goto bad;
-
-			ft->ttype = args->av_key->target_type;
-			ft->tclass = args->av_key->target_class;
-			ft->name = strdup(name);
-			if (!ft->name)
-				goto bad;
-
-			rc = hashtab_insert(args->fnts_tab, (hashtab_key_t)ft, datum);
-			if (rc)
-				goto bad;
-		}
-	}
-
-	return ebitmap_set_bit(&datum->stypes, args->av_key->source_type - 1, 1);
-
-bad:
-	if (ft != NULL)
-		free(ft->name);
-	free(ft);
-	free(datum);
-	return -1;
-}
-
-static int filenametr_comp_write_one(hashtab_key_t key, void *data, void *ptr)
-{
-	uint32_t buf[3];
-	size_t items, len, ndatum;
-	filenametr_key_t *ft = (filenametr_key_t *)key;
-	filenametr_datum_t *datum;
-	void *fp = ptr;
-
-	len = strlen(ft->name);
-	buf[0] = cpu_to_le32(len);
-	items = put_entry(buf, sizeof(uint32_t), 1, fp);
-	if (items != 1)
-		return POLICYDB_ERROR;
-
-	items = put_entry(ft->name, sizeof(char), len, fp);
-	if (items != len)
-		return POLICYDB_ERROR;
-
-	ndatum = 0;
-	datum = data;
-	do {
-		ndatum++;
-		datum = datum->next;
-	} while (datum);
-
-	buf[0] = cpu_to_le32(ft->ttype);
-	buf[1] = cpu_to_le32(ft->tclass);
-	buf[2] = cpu_to_le32(ndatum);
-	items = put_entry(buf, sizeof(uint32_t), 3, fp);
-	if (items != 3)
-		return POLICYDB_ERROR;
-
-	datum = data;
-	do {
-		if (ebitmap_write(&datum->stypes, fp))
-			return POLICYDB_ERROR;
-
-		buf[0] = cpu_to_le32(datum->otype);
-		items = put_entry(buf, sizeof(uint32_t), 1, fp);
-		if (items != 1)
-			return POLICYDB_ERROR;
-
-		datum = datum->next;
-	} while (datum);
-
-	return 0;
-}
-
-static int avtab_filename_trans_write(policydb_t *pol, avtab_t *a,
-				      policy_file_t *fp)
-{
-	policydb_t *p = pol;
-	uint32_t buf[1];
-	int rc;
-	size_t items;
-	uint32_t i, nel = 0;
-	struct avtab_node *cur;
-	hashtab_t fnts_tab;
-	name_trans_write_args_t write_args = { .fp = fp };
-	name_trans_insert_args_t insert_args;
-
-	/* count number of filename transitions */
-	for (i = 0; i < a->nslot; i++) {
-		for (cur = a->htable[i]; cur; cur = cur->next) {
-			if (cur->key.specified & AVTAB_TRANSITION) {
-				nel += hashtab_nel(cur->datum.trans->name_trans.table);
-			}
-		}
-	}
-
-	if (p->policyvers < POLICYDB_VERSION_COMP_FTRANS) {
-		buf[0] = cpu_to_le32(nel);
-		items = put_entry(buf, sizeof(uint32_t), 1, fp);
-		if (items != 1)
-			return -1;
-
-		/* write filename transitions */
-		for (i = 0; i < a->nslot; i++) {
-			for (cur = a->htable[i]; cur; cur = cur->next) {
-				if (cur->key.specified & AVTAB_TRANSITION) {
-					write_args.key = &cur->key;
-					rc = hashtab_map(cur->datum.trans->name_trans.table,
-							 name_trans_write_helper,
-							 &write_args);
-					if (rc)
-						return -1;
-				}
-			}
-		}
-		return 0;
-	}
-
-	/* init filename transitions */
-	fnts_tab = hashtab_create(filenametr_hash, filenametr_cmp, nel);
-	if (!fnts_tab)
-		return -1;
-	insert_args.fnts_tab = fnts_tab;
-
-	for (i = 0; i < a->nslot; i++) {
-		for (cur = a->htable[i]; cur; cur = cur->next) {
-			if (cur->key.specified & AVTAB_TRANSITION) {
-				insert_args.av_key = &cur->key;
-				rc = hashtab_map(cur->datum.trans->name_trans.table,
-						 name_trans_insert_helper,
-						 &insert_args);
-			}
-		}
-	}
-
-	rc = -1;
-	/* write compressed filename transitions */
-	buf[0] = cpu_to_le32(fnts_tab->nel);
-	items = put_entry(buf, sizeof(uint32_t), 1, fp);
-	if (items != 1)
-		goto out;
-
-	rc = hashtab_map(fnts_tab, filenametr_comp_write_one, fp);
-
-out:
-	/* destroy temp filename transitions table */
-	hashtab_map(fnts_tab, filenametr_destroy, NULL);
-	hashtab_destroy(fnts_tab);
-
-	return rc ? -1 : 0;
-}
-
-/* end policydb filename transition compatibility */
-
 /*
  * Write a semantic MLS level structure to a policydb binary 
  * representation file.
@@ -904,6 +580,118 @@ static int role_allow_write(role_allow_t * r, struct policy_file *fp)
 	return POLICYDB_SUCCESS;
 }
 
+static int filename_write_one_compat(hashtab_key_t key, void *data, void *ptr)
+{
+	uint32_t bit, buf[4];
+	size_t items, len;
+	filename_trans_key_t *ft = (filename_trans_key_t *)key;
+	filename_trans_datum_t *datum = data;
+	ebitmap_node_t *node;
+	void *fp = ptr;
+
+	len = strlen(ft->name);
+	do {
+		ebitmap_for_each_positive_bit(&datum->stypes, node, bit) {
+			buf[0] = cpu_to_le32(len);
+			items = put_entry(buf, sizeof(uint32_t), 1, fp);
+			if (items != 1)
+				return POLICYDB_ERROR;
+
+			items = put_entry(ft->name, sizeof(char), len, fp);
+			if (items != len)
+				return POLICYDB_ERROR;
+
+			buf[0] = cpu_to_le32(bit + 1);
+			buf[1] = cpu_to_le32(ft->ttype);
+			buf[2] = cpu_to_le32(ft->tclass);
+			buf[3] = cpu_to_le32(datum->otype);
+			items = put_entry(buf, sizeof(uint32_t), 4, fp);
+			if (items != 4)
+				return POLICYDB_ERROR;
+		}
+
+		datum = datum->next;
+	} while (datum);
+
+	return 0;
+}
+
+static int filename_write_one(hashtab_key_t key, void *data, void *ptr)
+{
+	uint32_t buf[3];
+	size_t items, len, ndatum;
+	filename_trans_key_t *ft = (filename_trans_key_t *)key;
+	filename_trans_datum_t *datum;
+	void *fp = ptr;
+
+	len = strlen(ft->name);
+	buf[0] = cpu_to_le32(len);
+	items = put_entry(buf, sizeof(uint32_t), 1, fp);
+	if (items != 1)
+		return POLICYDB_ERROR;
+
+	items = put_entry(ft->name, sizeof(char), len, fp);
+	if (items != len)
+		return POLICYDB_ERROR;
+
+	ndatum = 0;
+	datum = data;
+	do {
+		ndatum++;
+		datum = datum->next;
+	} while (datum);
+
+	buf[0] = cpu_to_le32(ft->ttype);
+	buf[1] = cpu_to_le32(ft->tclass);
+	buf[2] = cpu_to_le32(ndatum);
+	items = put_entry(buf, sizeof(uint32_t), 3, fp);
+	if (items != 3)
+		return POLICYDB_ERROR;
+
+	datum = data;
+	do {
+		if (ebitmap_write(&datum->stypes, fp))
+			return POLICYDB_ERROR;
+
+		buf[0] = cpu_to_le32(datum->otype);
+		items = put_entry(buf, sizeof(uint32_t), 1, fp);
+		if (items != 1)
+			return POLICYDB_ERROR;
+
+		datum = datum->next;
+	} while (datum);
+
+	return 0;
+}
+
+static int filename_trans_write(struct policydb *p, void *fp)
+{
+	size_t items;
+	uint32_t buf[1];
+	int rc;
+
+	if (p->policyvers < POLICYDB_VERSION_FILENAME_TRANS)
+		return 0;
+
+	if (p->policyvers < POLICYDB_VERSION_COMP_FTRANS) {
+		buf[0] = cpu_to_le32(p->filename_trans_count);
+		items = put_entry(buf, sizeof(uint32_t), 1, fp);
+		if (items != 1)
+			return POLICYDB_ERROR;
+
+		rc = hashtab_map(p->filename_trans, filename_write_one_compat,
+				 fp);
+	} else {
+		buf[0] = cpu_to_le32(p->filename_trans->nel);
+		items = put_entry(buf, sizeof(uint32_t), 1, fp);
+		if (items != 1)
+			return POLICYDB_ERROR;
+
+		rc = hashtab_map(p->filename_trans, filename_write_one, fp);
+	}
+	return rc;
+}
+
 static int role_set_write(role_set_t * x, struct policy_file *fp)
 {
 	size_t items;
@@ -2414,21 +2202,6 @@ static int role_attr_uncount(hashtab_key_t key __attribute__ ((unused)),
 	return 0;
 }
 
-static int avtab_has_filename_transitions(avtab_t *a)
-{
-	uint32_t i;
-	struct avtab_node *cur;
-	for (i = 0; i < a->nslot; i++) {
-		for (cur = a->htable[i]; cur; cur = cur->next) {
-			if (cur->key.specified & AVTAB_TRANSITION) {
-				if (hashtab_nel(cur->datum.trans->name_trans.table))
-					return 1;
-			}
-		}
-	}
-	return 0;
-}
-
 /*
  * Write the configuration data in a policy database
  * structure to a policy database binary representation
@@ -2608,11 +2381,11 @@ int policydb_write(policydb_t * p, struct policy_file *fp)
 		if (role_allow_write(p->role_allow, fp))
 			return POLICYDB_ERROR;
 		if (p->policyvers >= POLICYDB_VERSION_FILENAME_TRANS) {
-			if (avtab_filename_trans_write(p, &p->te_avtab, fp))
+			if (filename_trans_write(p, fp))
 				return POLICYDB_ERROR;
-		} else if (avtab_has_filename_transitions(&p->te_avtab)) {
-			WARN(fp->handle,
-			     "Discarding filename type transition rules");
+		} else {
+			if (p->filename_trans)
+				WARN(fp->handle, "Discarding filename type transition rules");
 		}
 	} else {
 		if (avrule_block_write(p->global, num_syms, p, fp) == -1) {
-- 
2.41.0




[Index of Archives]     [Selinux Refpolicy]     [Linux SGX]     [Fedora Users]     [Fedora Desktop]     [Yosemite Photos]     [Yosemite Camping]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux