[0/2] libsepol: Add ability to sort ocontexts in libsepol and add option to use it in checkpolicy

Message ID 20181011123543.14822-1-jwcart2@tycho.nsa.gov (mailing list archive)

James Carter Oct. 11, 2018, 12:35 p.m. UTC
[Resending because I originally only sent these to the new list]

ocontexts (initial sids, fs_use_*, genfscon, portcon, etc) are sorted by libsemanage when using policy modules and by libsepol when using CIL, but they are not sorted by checkpolicy when creating a policy from a policy.conf.

Checkpolicy's behavior allows control over the ordering which determines the matching order for portcons and other ocontext rules, but there are times when that specific control is not desired.

This patch set exposes an internal ocontext sorting function and adds a command line option to checkpolicy to sort ocontexts.


James Carter (2):
  libsepol: Create policydb_sort_ocontexts()
  checkpolicy: Add option to sort ocontexts when creating a binary
    policy

 checkpolicy/checkpolicy.c                  | 22 +++++++++++++++++-----
 libsepol/include/sepol/policydb/policydb.h |  2 ++
 libsepol/src/policydb.c                    |  5 +++++
 3 files changed, 24 insertions(+), 5 deletions(-)