| From 3264000bb0c156ca30e1adddfcab148015d7a6f5 Mon Sep 17 00:00:00 2001 |
| From: Sasha Levin <sashal@kernel.org> |
| Date: Wed, 17 Jun 2020 15:22:16 -0400 |
| Subject: scripts/selinux/mdp: fix initial SID handling |
| |
| From: Stephen Smalley <stephen.smalley.work@gmail.com> |
| |
| [ Upstream commit 382c2b5d23b4245f1818f69286db334355488dc4 ] |
| |
| commit e3e0b582c321 ("selinux: remove unused initial SIDs and improve |
| handling") broke scripts/selinux/mdp since the unused initial SID names |
| were removed and the corresponding generation of policy initial SID |
| definitions by mdp was not updated accordingly. Fix it. With latest |
| upstream checkpolicy it is no longer necessary to include the SID context |
| definitions for the unused initial SIDs but retain them for compatibility |
| with older checkpolicy. |
| |
| Fixes: e3e0b582c321 ("selinux: remove unused initial SIDs and improve handling") |
| Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com> |
| Signed-off-by: Paul Moore <paul@paul-moore.com> |
| Signed-off-by: Sasha Levin <sashal@kernel.org> |
| --- |
| scripts/selinux/mdp/mdp.c | 23 ++++++++++++++++++----- |
| 1 file changed, 18 insertions(+), 5 deletions(-) |
| |
| diff --git a/scripts/selinux/mdp/mdp.c b/scripts/selinux/mdp/mdp.c |
| index 576d11a60417b..6ceb88eb9b590 100644 |
| --- a/scripts/selinux/mdp/mdp.c |
| +++ b/scripts/selinux/mdp/mdp.c |
| @@ -67,8 +67,14 @@ int main(int argc, char *argv[]) |
| |
| initial_sid_to_string_len = sizeof(initial_sid_to_string) / sizeof (char *); |
| /* print out the sids */ |
| - for (i = 1; i < initial_sid_to_string_len; i++) |
| - fprintf(fout, "sid %s\n", initial_sid_to_string[i]); |
| + for (i = 1; i < initial_sid_to_string_len; i++) { |
| + const char *name = initial_sid_to_string[i]; |
| + |
| + if (name) |
| + fprintf(fout, "sid %s\n", name); |
| + else |
| + fprintf(fout, "sid unused%d\n", i); |
| + } |
| fprintf(fout, "\n"); |
| |
| /* print out the class permissions */ |
| @@ -126,9 +132,16 @@ int main(int argc, char *argv[]) |
| #define OBJUSERROLETYPE "user_u:object_r:base_t" |
| |
| /* default sids */ |
| - for (i = 1; i < initial_sid_to_string_len; i++) |
| - fprintf(fout, "sid %s " SUBJUSERROLETYPE "%s\n", |
| - initial_sid_to_string[i], mls ? ":" SYSTEMLOW : ""); |
| + for (i = 1; i < initial_sid_to_string_len; i++) { |
| + const char *name = initial_sid_to_string[i]; |
| + |
| + if (name) |
| + fprintf(fout, "sid %s ", name); |
| + else |
| + fprintf(fout, "sid unused%d\n", i); |
| + fprintf(fout, SUBJUSERROLETYPE "%s\n", |
| + mls ? ":" SYSTEMLOW : ""); |
| + } |
| fprintf(fout, "\n"); |
| |
| #define FS_USE(behavior, fstype) \ |
| -- |
| 2.25.1 |
| |