From 6015b05d068515201f5d053910c6587fff8407d4 Mon Sep 17 00:00:00 2001
From: James Carter
Date: Tue, 9 Mar 2021 16:36:40 -0500
Subject: [PATCH] libsepol: Properly handle types associated to role attributes

Types associated to role attributes in optional blocks are not associated with the roles that have that attribute. The problem is that role_fix_callback is called before the avrule_decls are walked.

Example/
class CLASS1
sid kernel
class CLASS1 { PERM1 }
type TYPE1;
type TYPE1A;
allow TYPE1 self : CLASS1 PERM1;
attribute_role ROLE_ATTR1A;
role ROLE1;
role ROLE1A;
roleattribute ROLE1A ROLE_ATTR1A;
role ROLE1 types TYPE1;
optional {
require { class CLASS1 PERM1; }
role ROLE_ATTR1A types TYPE1A;
}
user USER1 roles ROLE1;
sid kernel USER1:ROLE1:TYPE1

In this example ROLE1A will not have TYPE1A associated to it.

Call role_fix_callback() after the avrule_decls are walked.

Signed-off-by: James Carter
---
 libsepol/src/expand.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/libsepol/src/expand.c b/libsepol/src/expand.c
index 2d9cb566fe1e..a656ffad3a71 100644
--- a/libsepol/src/expand.c
+++ b/libsepol/src/expand.c
@@ -3052,10 +3052,6 @@ int expand_module(sepol_handle_t * handle,
 	if (hashtab_map(state.base->p_roles.table, role_bounds_copy_callback, &state))
 		goto cleanup;
 
-	/* escalate the type_set_t in a role attribute to all regular roles
-	 * that belongs to it. */
-	if (hashtab_map(state.base->p_roles.table, role_fix_callback, &state))
-		goto cleanup;
 
 	/* copy MLS's sensitivity level and categories - this needs to be done
 	 * before expanding users (they need to be indexed too) */
@@ -3121,6 +3117,11 @@ int expand_module(sepol_handle_t * handle,
 			goto cleanup;
 	}
 
+	/* escalate the type_set_t in a role attribute to all regular roles
+	 * that belongs to it. */
+	if (hashtab_map(state.base->p_roles.table, role_fix_callback, &state))
+		goto cleanup;
+
 	if (copy_and_expand_avrule_block(&state) < 0) {
 		ERR(handle, "Error during expand");
 		goto cleanup;
-- 
2.32.0
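Review bot: The relocated role_fix_callback() call in this hunk comes with no regression test, even though the commit message already contains a minimal reproducer (the optional block that gives ROLE_ATTR1A the type TYPE1A); I would add that policy to the libsepol test suite with a check that ROLE1A's type set contains TYPE1A after expansion, so the ordering requirement is pinned rather than implied by call position. The new site also deserves a why-comment for the next reader tempted to move the call back up, e.g. `/* must run after the avrule_decls walk above, so role attributes declared in optional blocks already carry their types */`. The moved comment still says `that belongs to it`; `that belong to it` is the grammatical form. Judging by the first hunk's line counts, removing the four lines there appears to leave two consecutive blank lines at the old site, which is worth a quick check. expand_module() begins and ends outside this hunk.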