71 lines
2.1 KiB
Diff
71 lines
2.1 KiB
Diff
From 6015b05d068515201f5d053910c6587fff8407d4 Mon Sep 17 00:00:00 2001
|
|
From: James Carter <jwcart2@gmail.com>
|
|
Date: Tue, 9 Mar 2021 16:36:40 -0500
|
|
Subject: [PATCH] libsepol: Properly handle types associated to role attributes
|
|
|
|
Types associated to role attributes in optional blocks are not
|
|
associated with the roles that have that attribute. The problem
|
|
is that role_fix_callback is called before the avrule_decls are
|
|
walked.
|
|
|
|
Example/
|
|
class CLASS1
|
|
sid kernel
|
|
class CLASS1 { PERM1 }
|
|
type TYPE1;
|
|
type TYPE1A;
|
|
allow TYPE1 self : CLASS1 PERM1;
|
|
attribute_role ROLE_ATTR1A;
|
|
role ROLE1;
|
|
role ROLE1A;
|
|
roleattribute ROLE1A ROLE_ATTR1A;
|
|
role ROLE1 types TYPE1;
|
|
optional {
|
|
require {
|
|
class CLASS1 PERM1;
|
|
}
|
|
role ROLE_ATTR1A types TYPE1A;
|
|
}
|
|
user USER1 roles ROLE1;
|
|
sid kernel USER1:ROLE1:TYPE1
|
|
|
|
In this example ROLE1A will not have TYPE1A associated to it.
|
|
|
|
Call role_fix_callback() after the avrule_decls are walked.
|
|
|
|
Signed-off-by: James Carter <jwcart2@gmail.com>
|
|
---
|
|
libsepol/src/expand.c | 9 +++++----
|
|
1 file changed, 5 insertions(+), 4 deletions(-)
|
|
|
|
diff --git a/libsepol/src/expand.c b/libsepol/src/expand.c
|
|
index 2d9cb566fe1e..a656ffad3a71 100644
|
|
--- a/libsepol/src/expand.c
|
|
+++ b/libsepol/src/expand.c
|
|
@@ -3052,10 +3052,6 @@ int expand_module(sepol_handle_t * handle,
|
|
if (hashtab_map(state.base->p_roles.table,
|
|
role_bounds_copy_callback, &state))
|
|
goto cleanup;
|
|
- /* escalate the type_set_t in a role attribute to all regular roles
|
|
- * that belongs to it. */
|
|
- if (hashtab_map(state.base->p_roles.table, role_fix_callback, &state))
|
|
- goto cleanup;
|
|
|
|
/* copy MLS's sensitivity level and categories - this needs to be done
|
|
* before expanding users (they need to be indexed too) */
|
|
@@ -3121,6 +3117,11 @@ int expand_module(sepol_handle_t * handle,
|
|
goto cleanup;
|
|
}
|
|
|
|
+ /* escalate the type_set_t in a role attribute to all regular roles
|
|
+ * that belongs to it. */
|
|
+ if (hashtab_map(state.base->p_roles.table, role_fix_callback, &state))
|
|
+ goto cleanup;
|
|
+
|
|
if (copy_and_expand_avrule_block(&state) < 0) {
|
|
ERR(handle, "Error during expand");
|
|
goto cleanup;
|
|
--
|
|
2.32.0
|
|
|