
[3/3] libsepol: Remove special handling of roles in module_to_cil.c

Message ID 20241104142500.20055-3-jwcart2@gmail.com (mailing list archive)
State Accepted
Commit be11f48b7a4a
Delegated to: Petr Lautrbach
Series [1/3] libsepol/cil: Optionally allow duplicate role declarations | expand

Commit Message

James Carter Nov. 4, 2024, 2:25 p.m. UTC
Certain roles (user_r, staff_r, sysadm_r, system_r, unconfined_r,
auditadm_r, and secadm_r) have always been handled in a special
way when converting a policy module to CIL to avoid having
duplicate role declarations. By optionally allowing duplicate role
declarations in CIL and by creating an option in libsemanage to
make use of duplicate declaration support, the special handling of
these roles can be removed.

Remove the special handling of certain roles in module_to_cil.c.

Signed-off-by: James Carter <jwcart2@gmail.com>
---
 libsepol/src/module_to_cil.c | 50 +-----------------------------------
 1 file changed, 1 insertion(+), 49 deletions(-)

Patch

diff --git a/libsepol/src/module_to_cil.c b/libsepol/src/module_to_cil.c
index 79636897..0ede0c9b 100644
--- a/libsepol/src/module_to_cil.c
+++ b/libsepol/src/module_to_cil.c
@@ -2174,39 +2174,7 @@  static int role_to_cil(int indent, struct policydb *pdb, struct avrule_block *UN
 	switch (role->flavor) {
 	case ROLE_ROLE:
 		if (scope == SCOPE_DECL) {
-			// Only declare certain roles if we are reading a base module.
-			// These roles are defined in the base module and sometimes in
-			// other non-base modules. If we generated the roles regardless of
-			// the policy type, it would result in duplicate declarations,
-			// which isn't allowed in CIL. Patches have been made to refpolicy
-			// to remove these duplicate role declarations, but we need to be
-			// backwards compatible and support older policies. Since we know
-			// these roles are always declared in base, only print them when we
-			// see them in the base module. If the declarations appear in a
-			// non-base module, ignore their declarations.
-			//
-			// Note that this is a hack, and if a policy author does not define
-			// one of these roles in base, the declaration will not appear in
-			// the resulting policy, likely resulting in a compilation error in
-			// CIL.
-			//
-			// To make things more complicated, the auditadm_r and secadm_r
-			// roles could actually be in either the base module or a non-base
-			// module, or both. So we can't rely on this same behavior. So for
-			// these roles, don't declare them here, even if they are in a base
-			// or non-base module. Instead we will just declare them in the
-			// base module elsewhere.
-			int is_base_role = (!strcmp(key, "user_r") ||
-			                    !strcmp(key, "staff_r") ||
-			                    !strcmp(key, "sysadm_r") ||
-			                    !strcmp(key, "system_r") ||
-			                    !strcmp(key, "unconfined_r"));
-			int is_builtin_role = (!strcmp(key, "auditadm_r") ||
-			                       !strcmp(key, "secadm_r"));
-			if ((is_base_role && pdb->policy_type == SEPOL_POLICY_BASE) ||
-			    (!is_base_role && !is_builtin_role)) {
-				cil_println(indent, "(role %s)", key);
-			}
+			cil_println(indent, "(role %s)", key);
 		}
 
 		if (ebitmap_cardinality(&role->dominates) > 1) {
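Review bot: The replacement `cil_println(indent, "(role %s)", key);` now emits a declaration for every role in every module but records nothing about why that is safe, so the invariant the deleted comment block carried is lost together with the hack it justified. A short comment above the call would keep it: `// Declare every role unconditionally; a role declared in more than one module produces duplicate (role ...) statements, which CIL accepts only when duplicate role declarations are enabled (see the CIL/libsemanage changes in this series).` It is also worth stating that converting an older policy, where system_r and similar roles are declared in non-base modules, now depends on the consumer enabling that option rather than on this file suppressing the declarations, since a consumer without it will fail at CIL compile time instead of silently losing a role. role_to_cil begins and ends outside this hunk.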
@@ -3992,17 +3960,6 @@  static int generate_default_object(void)
 	return 0;
 }
 
-static int generate_builtin_roles(void)
-{
-	// due to inconsistentencies between policies and CIL not allowing
-	// duplicate roles, some roles are always created, regardless of if they
-	// are declared in modules or not
-	cil_println(0, "(role auditadm_r)");
-	cil_println(0, "(role secadm_r)");
-
-	return 0;
-}
-
 static int generate_gen_require_attribute(void)
 {
 	cil_println(0, "(typeattribute " GEN_REQUIRE_ATTR ")");
@@ -4087,11 +4044,6 @@  int sepol_module_policydb_to_cil(FILE *fp, struct policydb *pdb, int linked)
 			goto exit;
 		}
 
-		rc = generate_builtin_roles();
-		if (rc != 0) {
-			goto exit;
-		}
-
 		// default attribute to be used to mimic gen_require in CIL
 		rc = generate_gen_require_attribute();
 		if (rc != 0) {