From patchwork Mon Nov 4 14:24:58 2024 X-Patchwork-Submitter: James Carter X-Patchwork-Id: 13861492 X-Patchwork-Delegate: plautrba@redhat.com
From: James Carter To: selinux@vger.kernel.org Cc: cgoettsche@seltendoof.de, pebenito@ieee.org, James Carter Subject: [PATCH 1/3] libsepol/cil: Optionally allow duplicate role declarations Date: Mon, 4 Nov 2024 09:24:58 -0500 Message-ID: <20241104142500.20055-1-jwcart2@gmail.com> X-Mailer: git-send-email 2.47.0 Precedence: bulk X-Mailing-List: selinux@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Allow duplicate role declarations (along with duplicate type and type attribute declarations and context rules) if the multiple_decls field in the CIL db has been set. This field can be set by a call to cil_set_multiple_decls(). Signed-off-by: James Carter --- libsepol/cil/src/cil_build_ast.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/libsepol/cil/src/cil_build_ast.c b/libsepol/cil/src/cil_build_ast.c index 19fbb04e..80e9c679 100644 --- a/libsepol/cil/src/cil_build_ast.c +++ b/libsepol/cil/src/cil_build_ast.c @@ -137,6 +137,7 @@ static int cil_allow_multiple_decls(struct cil_db *db, enum cil_flavor f_new, en switch (f_new) { case CIL_TYPE: case CIL_TYPEATTRIBUTE: + case CIL_ROLE: if (db->multiple_decls) { return CIL_TRUE; } 
@@ -1744,7 +1745,12 @@ int cil_gen_role(struct cil_db *db, struct cil_tree_node *parse_current, struct rc = cil_gen_node(db, ast_node, (struct cil_symtab_datum*)role, (hashtab_key_t)key, CIL_SYM_ROLES, CIL_ROLE); if (rc != SEPOL_OK) { - goto exit; + if (rc == SEPOL_EEXIST) { + cil_destroy_role(role); + role = NULL; + } else { + goto exit; + } } return SEPOL_OK; From patchwork Mon Nov 4 14:24:59 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: James Carter X-Patchwork-Id: 13861493 X-Patchwork-Delegate: plautrba@redhat.com Received: from mail-qk1-f176.google.com (mail-qk1-f176.google.com [209.85.222.176]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id B1C3F189909 for ; Mon, 4 Nov 2024 14:25:05 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.222.176 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1730730307; cv=none; b=br5QQNu4Xvh8uKnBGe3luLxtoKA6s2mGh1A1QLsn1SpQCKfKuuR6tj7xGke3uOvVh9V0HiFAnh9X3JS0PS+KE4l8YT/y9y4NdLNRlq0KjoSHhf/EgEeq+E8qYf5jk/GGeYx8FTe6q+VIte/6Qde3fkLuAksfo6Pz3knHRhkYdsI= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1730730307; c=relaxed/simple; bh=rOulzeykjR2Rd51pDXp58oXyIJnyywwvjYYKdzItass=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=d5jT4umzbbTvyurABS4FtTRd5I4blxwjBR4WfXeH1hbV1slU8v6Vj2e+KotPc4+CzTTIbbnTgGSGrl3oLNUQqjGXMUbfoFLKtBvD03bDm2cC0suvvPsyDeouiXx15omwqDcrWsihQHZfZtISV8Z0G+xkKg2D290UN4fCyVqjlAw= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=eiB1BaKi; arc=none smtp.client-ip=209.85.222.176 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none 
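Review bot: in the cil_allow_multiple_decls() hunk of [PATCH 1/3], adding `case CIL_ROLE:` to `switch (f_new)` only covers the flavor of the new declaration; the function also takes a second enum cil_flavor parameter (truncated as `en` in the hunk header), and the hunk does not show whether a role that collides with an existing type or typeattribute of the same name is still rejected rather than silently accepted. Worth confirming that the comparison against that second flavor treats CIL_ROLE the same way it treats CIL_TYPE and CIL_TYPEATTRIBUTE, and a short comment on the case list saying that roles are now part of the multiple-declarations set would help.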
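Review bot: in the cil_gen_role() hunk of [PATCH 1/3], the new SEPOL_EEXIST branch destroys the freshly built role and returns SEPOL_OK, which is only correct if cil_gen_node() has already attached the previously declared role datum to ast_node on that return code; a one-line comment stating that reliance (presumably the same one the existing type and typeattribute paths have) would make the silent discard obvious to the next reader. The `role = NULL;` assignment is dead as written, since the function returns immediately afterwards and the `exit:` path is not taken on this branch; drop it, or keep it only if the exit label is expected to free `role` in a follow-up change.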
2002:a05:6214:3186:b0:6cc:3a:a7f0 with SMTP id 6a1803df08f44-6d185857230mr506483796d6.44.1730730304256; Mon, 04 Nov 2024 06:25:04 -0800 (PST) Received: from electric.. (c-69-140-100-37.hsd1.md.comcast.net. [69.140.100.37]) by smtp.gmail.com with ESMTPSA id 6a1803df08f44-6d35415a703sm48572386d6.85.2024.11.04.06.25.03 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 04 Nov 2024 06:25:03 -0800 (PST) From: James Carter To: selinux@vger.kernel.org Cc: cgoettsche@seltendoof.de, pebenito@ieee.org, James Carter Subject: [PATCH 2/3] libsemanage: Optionally allow duplicate declarations Date: Mon, 4 Nov 2024 09:24:59 -0500 Message-ID: <20241104142500.20055-2-jwcart2@gmail.com> X-Mailer: git-send-email 2.47.0 In-Reply-To: <20241104142500.20055-1-jwcart2@gmail.com> References: <20241104142500.20055-1-jwcart2@gmail.com> Precedence: bulk X-Mailing-List: selinux@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Add a configuration option that when set to "true" allows duplicate type, type attribute, and role declarations and duplicate context rules. The default is set to "true" to support the removal of the special handling of certain roles when converting a policy module to CIL without causing problems for existing policies. Signed-off-by: James Carter --- libsemanage/man/man5/semanage.conf.5 | 5 +++++ libsemanage/src/conf-parse.y | 15 ++++++++++++++- libsemanage/src/conf-scan.l | 1 + libsemanage/src/direct_api.c | 1 + libsemanage/src/semanage_conf.h | 1 + 5 files changed, 22 insertions(+), 1 deletion(-) diff --git a/libsemanage/man/man5/semanage.conf.5 b/libsemanage/man/man5/semanage.conf.5 index 380b58be..71712562 100644 --- a/libsemanage/man/man5/semanage.conf.5 +++ b/libsemanage/man/man5/semanage.conf.5 
@@ -126,6 +126,11 @@ In order to compile the original HLL file into CIL, the same HLL file will need When set to "true", the kernel policy will be optimized upon rebuilds. It can be set to either "true" or "false" and by default it is set to "false". +.TP +.B multiple-decls +When set to "true", duplicate type, type attribute, and role declarations will be allowed. +It can be set to either "true" or "false" and by default it is set to "true". + .SH "SEE ALSO" .TP semanage(8) diff --git a/libsemanage/src/conf-parse.y b/libsemanage/src/conf-parse.y index eac91344..beab85a2 100644 --- a/libsemanage/src/conf-parse.y +++ b/libsemanage/src/conf-parse.y @@ -59,7 +59,7 @@ static int parse_errors; char *s; } -%token MODULE_STORE VERSION EXPAND_CHECK FILE_MODE SAVE_PREVIOUS SAVE_LINKED TARGET_PLATFORM COMPILER_DIR IGNORE_MODULE_CACHE STORE_ROOT OPTIMIZE_POLICY +%token MODULE_STORE VERSION EXPAND_CHECK FILE_MODE SAVE_PREVIOUS SAVE_LINKED TARGET_PLATFORM COMPILER_DIR IGNORE_MODULE_CACHE STORE_ROOT OPTIMIZE_POLICY MULTIPLE_DECLS %token LOAD_POLICY_START SETFILES_START SEFCONTEXT_COMPILE_START DISABLE_GENHOMEDIRCON HANDLE_UNKNOWN USEPASSWD IGNOREDIRS %token BZIP_BLOCKSIZE BZIP_SMALL REMOVE_HLL %token VERIFY_MOD_START VERIFY_LINKED_START VERIFY_KERNEL_START BLOCK_END @@ -96,6 +96,7 @@ single_opt: module_store | bzip_small | remove_hll | optimize_policy + | multiple_decls ; module_store: MODULE_STORE '=' ARG { @@ -280,6 +281,17 @@ optimize_policy: OPTIMIZE_POLICY '=' ARG { free($3); } +multiple_decls: MULTIPLE_DECLS '=' ARG { + if (strcasecmp($3, "false") == 0) { + current_conf->multiple_decls = 0; + } else if (strcasecmp($3, "true") == 0) { + current_conf->multiple_decls = 1; + } else { + yyerror("multiple-decls can only be 'true' or 'false'"); + } + free($3); +} + command_block: command_start external_opts BLOCK_END { if (new_external->path == NULL) { 
@@ -365,6 +377,7 @@ static int semanage_conf_init(semanage_conf_t * conf) conf->ignore_module_cache = 0; conf->remove_hll = 0; conf->optimize_policy = 0; + conf->multiple_decls = 1; conf->save_previous = 0; conf->save_linked = 0; diff --git a/libsemanage/src/conf-scan.l b/libsemanage/src/conf-scan.l index b06a896c..6438516b 100644 --- a/libsemanage/src/conf-scan.l +++ b/libsemanage/src/conf-scan.l @@ -55,6 +55,7 @@ bzip-blocksize return BZIP_BLOCKSIZE; bzip-small return BZIP_SMALL; remove-hll return REMOVE_HLL; optimize-policy return OPTIMIZE_POLICY; +multiple-decls return MULTIPLE_DECLS; "[load_policy]" return LOAD_POLICY_START; "[setfiles]" return SETFILES_START; "[sefcontext_compile]" return SEFCONTEXT_COMPILE_START; diff --git a/libsemanage/src/direct_api.c b/libsemanage/src/direct_api.c index 7631c7bf..43ab2f4c 100644 --- a/libsemanage/src/direct_api.c +++ b/libsemanage/src/direct_api.c @@ -1346,6 +1346,7 @@ static int semanage_direct_commit(semanage_handle_t * sh) cil_set_preserve_tunables(cildb, preserve_tunables); cil_set_target_platform(cildb, sh->conf->target_platform); cil_set_policy_version(cildb, sh->conf->policyvers); + cil_set_multiple_decls(cildb, sh->conf->multiple_decls); if (sh->conf->handle_unknown != -1) { cil_set_handle_unknown(cildb, sh->conf->handle_unknown); diff --git a/libsemanage/src/semanage_conf.h b/libsemanage/src/semanage_conf.h index 23c4b8b4..5db08f0c 100644 --- a/libsemanage/src/semanage_conf.h +++ b/libsemanage/src/semanage_conf.h 
@@ -48,6 +48,7 @@ typedef struct semanage_conf { int remove_hll; int ignore_module_cache; int optimize_policy; + int multiple_decls; char *ignoredirs; /* ";" separated of list for genhomedircon to ignore */ struct external_prog *load_policy; struct external_prog *setfiles; From patchwork Mon Nov 4 14:25:00 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: James Carter X-Patchwork-Id: 13861494 X-Patchwork-Delegate: plautrba@redhat.com Received: from mail-qk1-f173.google.com (mail-qk1-f173.google.com [209.85.222.173]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 32F4A1B4F1A for ; Mon, 4 Nov 2024 14:25:05 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.222.173 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1730730307; cv=none; b=UFM34r/7zUta/Zi2AeLZPOm/LYOH3E4kMNrew6AZuiqh//A9ZLtRXRriOwSPf241aDBnhvCFQsn5waMbIrYe5XO2E0DvHzSwkYU8kmz8jhfbd/2dw+Ie9N079q+GGVgk6oTmBuqtd6Jij2TXcwSfMMdcq1nwmxlXH4hVDo2ETUI= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1730730307; c=relaxed/simple; bh=3e/kLn9bv4xSd3jlSjWiuDcbs9bLPtY64NnEmxx6s6k=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=gk7MOJB/kucAWdwxcjQ/xtTe1zXX7nKgY5wZc4iTW7FfXB9MndFefyELwj6zqDTAppBlDHF+Qdpz3mziHuDejMfLZQ/0JJJg2dVZlVQ0gIW5d2KQ15F3XsSLecKerRa8rXMasUqZ+eQ5pYikj1U0O6Hd135vSr6iPZcxKdqJfUk= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=RRn9A5YI; arc=none smtp.client-ip=209.85.222.173 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass 
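Review bot: in the semanage.conf.5 hunk of [PATCH 2/3], the new multiple-decls entry says duplicate type, type attribute, and role declarations will be allowed, but the commit message also lists duplicate context rules; the man page should match, e.g. `When set to "true", duplicate type, type attribute, and role declarations and duplicate context rules will be allowed.` It would also help administrators to state why the default is "true" (compatibility with how policy modules are converted to CIL) and that "false" restores CIL's duplicate-declaration errors, which is the stricter setting for catching unintended redeclarations across modules.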
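Review bot: in the conf-parse.y multiple_decls rule of [PATCH 2/3], an unrecognised value calls yyerror() but leaves current_conf->multiple_decls at whatever semanage_conf_init() set (1), so a typo such as `multiple-decls = flase` keeps the permissive behaviour unless the parser treats parse_errors (declared in the context of the %token hunk) as fatal; confirm that the configuration load fails in that case rather than continuing with duplicates permitted.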
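Review bot: in the semanage_conf_init() hunk of [PATCH 2/3], `conf->multiple_decls = 1;` is the only option in this block that defaults to enabled, while ignore_module_cache, remove_hll, optimize_policy, save_previous and save_linked all default to 0; a brief comment next to the assignment explaining that the permissive default exists for compatibility with module-to-CIL output would save future readers from assuming it is a mistake.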
6a1803df08f44-6d185672abemr533703086d6.5.1730730304860; Mon, 04 Nov 2024 06:25:04 -0800 (PST) Received: from electric.. (c-69-140-100-37.hsd1.md.comcast.net. [69.140.100.37]) by smtp.gmail.com with ESMTPSA id 6a1803df08f44-6d35415a703sm48572386d6.85.2024.11.04.06.25.04 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 04 Nov 2024 06:25:04 -0800 (PST) From: James Carter To: selinux@vger.kernel.org Cc: cgoettsche@seltendoof.de, pebenito@ieee.org, James Carter Subject: [PATCH 3/3] libsepol: Remove special handling of roles in module_to_cil.c Date: Mon, 4 Nov 2024 09:25:00 -0500 Message-ID: <20241104142500.20055-3-jwcart2@gmail.com> X-Mailer: git-send-email 2.47.0 In-Reply-To: <20241104142500.20055-1-jwcart2@gmail.com> References: <20241104142500.20055-1-jwcart2@gmail.com> Precedence: bulk X-Mailing-List: selinux@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Certain roles (user_r, staff_r, sysadm_r, system_r, unconfined_r, auditadm_r, and secadm_r) have always been handled in a special way when converting a policy module to CIL to avoid having duplicate role declarations. By optionally allowing duplicate role declarations in CIL and by creating an option in libsemanage to make use of duplicate declaration support, the special handling of these roles can be removed. Remove the special handling of certain roles in module_to_cil.c. Signed-off-by: James Carter --- libsepol/src/module_to_cil.c | 50 +----------------------------------- 1 file changed, 1 insertion(+), 49 deletions(-) diff --git a/libsepol/src/module_to_cil.c b/libsepol/src/module_to_cil.c index 79636897..0ede0c9b 100644 --- a/libsepol/src/module_to_cil.c +++ b/libsepol/src/module_to_cil.c 
@@ -2174,39 +2174,7 @@ static int role_to_cil(int indent, struct policydb *pdb, struct avrule_block *UN switch (role->flavor) { case ROLE_ROLE: if (scope == SCOPE_DECL) { - // Only declare certain roles if we are reading a base module. - // These roles are defined in the base module and sometimes in - // other non-base modules. If we generated the roles regardless of - // the policy type, it would result in duplicate declarations, - // which isn't allowed in CIL. Patches have been made to refpolicy - // to remove these duplicate role declarations, but we need to be - // backwards compatible and support older policies. Since we know - // these roles are always declared in base, only print them when we - // see them in the base module. If the declarations appear in a - // non-base module, ignore their declarations. - // - // Note that this is a hack, and if a policy author does not define - // one of these roles in base, the declaration will not appear in - // the resulting policy, likely resulting in a compilation error in - // CIL. - // - // To make things more complicated, the auditadm_r and secadm_r - // roles could actually be in either the base module or a non-base - // module, or both. So we can't rely on this same behavior. So for - // these roles, don't declare them here, even if they are in a base - // or non-base module. Instead we will just declare them in the - // base module elsewhere. - int is_base_role = (!strcmp(key, "user_r") || - !strcmp(key, "staff_r") || - !strcmp(key, "sysadm_r") || - !strcmp(key, "system_r") || - !strcmp(key, "unconfined_r")); - int is_builtin_role = (!strcmp(key, "auditadm_r") || - !strcmp(key, "secadm_r")); - if ((is_base_role && pdb->policy_type == SEPOL_POLICY_BASE) || - (!is_base_role && !is_builtin_role)) { - cil_println(indent, "(role %s)", key); - } + cil_println(indent, "(role %s)", key); } if (ebitmap_cardinality(&role->dominates) > 1) { 
@@ -3992,17 +3960,6 @@ static int generate_default_object(void) return 0; } -static int generate_builtin_roles(void) -{ - // due to inconsistentencies between policies and CIL not allowing - // duplicate roles, some roles are always created, regardless of if they - // are declared in modules or not - cil_println(0, "(role auditadm_r)"); - cil_println(0, "(role secadm_r)"); - - return 0; -} - static int generate_gen_require_attribute(void) { cil_println(0, "(typeattribute " GEN_REQUIRE_ATTR ")"); @@ -4087,11 +4044,6 @@ int sepol_module_policydb_to_cil(FILE *fp, struct policydb *pdb, int linked) goto exit; } - rc = generate_builtin_roles(); - if (rc != 0) { - goto exit; - } - // default attribute to be used to mimic gen_require in CIL rc = generate_gen_require_attribute(); if (rc != 0) {
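Review bot: in the role_to_cil() hunk of [PATCH 3/3], unconditionally printing `(role %s)` for every declared role means the generated CIL can now contain the same role declaration in the base module and in non-base modules, which is only accepted when the CIL db has multiple declarations enabled as [PATCH 1/3] and [PATCH 2/3] provide; the commit message mentions the dependency, but it is worth spelling out that the converter's output is no longer self-sufficient under CIL's default rules, so anyone compiling it outside libsemanage needs to enable that support.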
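Review bot: in the generate_builtin_roles() removal hunk of [PATCH 3/3], the deleted comment says auditadm_r and secadm_r were emitted "regardless of if they are declared in modules or not"; if any supported policy references these roles without declaring them in any module, it previously compiled and will now fail, so the commit message should state whether that case is known not to occur or is deliberately no longer supported.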