From patchwork Thu Jul 28 14:39:14 2016
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: James Carter
X-Patchwork-Id: 9251247
From: James Carter
To: selinux@tycho.nsa.gov
Subject: [PATCH] libsepol/cil: Warn instead of fail if permission is not resolve
Date: Thu, 28 Jul 2016 10:39:14 -0400
Message-Id: <1469716754-11698-1-git-send-email-jwcart2@tycho.nsa.gov>
X-Mailer: git-send-email 2.7.4
List-Id: "Security-Enhanced Linux \(SELinux\) mailing list"

If a policy module package has been created with a policy that contains a permission and then is used on a system without that permission, CIL will fail with an error when it cannot resolve the permission. This will prevent the installation of policy and the user will not know that the policy has not been installed.

Signed-off-by: James Carter
--- libsepol/cil/src/cil_resolve_ast.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libsepol/cil/src/cil_resolve_ast.c b/libsepol/cil/src/cil_resolve_ast.c index 70e4462..8348d57 100644 --- a/libsepol/cil/src/cil_resolve_ast.c +++ b/libsepol/cil/src/cil_resolve_ast.c 
@@ -131,10 +131,10 @@ static int __cil_resolve_perms(symtab_t *class_symtab, symtab_t *common_symtab, } } if (rc != SEPOL_OK) { - cil_log(CIL_ERR, "Failed to resolve permission %s\n", (char*)curr->data); - goto exit; + cil_log(CIL_WARN, "Failed to resolve permission %s\n", (char*)curr->data); + } else { + cil_list_append(*perm_datums, CIL_DATUM, perm_datum); } - cil_list_append(*perm_datums, CIL_DATUM, perm_datum); } else { cil_list_append(*perm_datums, curr->flavor, curr->data); } @@ -3660,7 +3660,7 @@ int __cil_resolve_ast_node_helper(struct cil_tree_node *node, uint32_t *finished rc = SEPOL_OK; } - cil_tree_log(node, lvl, "Failed to resolve '%s' in %s statement", args->last_resolved_name, cil_node_to_string(node)); + cil_tree_log(node, lvl, "Failed to resolve %s statement", cil_node_to_string(node)); goto exit; }
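
Review bot: In the first hunk (__cil_resolve_perms), the `if (rc != SEPOL_OK)` branch now only logs at CIL_WARN and falls through, so rc keeps its failure value and the unresolved permission is silently left out of *perm_datums. Please confirm that rc is set back to SEPOL_OK before the function returns, otherwise the caller still sees the failure this patch is meant to tolerate, and that callers cope with a permission list that is shorter than written or empty. Because a misspelled permission in any rule now produces only a warning, the commit message should state that this is intended and whether every kind of rule should accept the downgrade.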
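
Review bot: In the second hunk (__cil_resolve_ast_node_helper), the new cil_tree_log() call drops args->last_resolved_name, so the message no longer says which name failed to resolve, and the commit message does not mention or justify this change. Please either keep the name in the message or explain why it has to go, and consider moving this into its own patch, since it is separate from the warn-instead-of-fail change the description covers.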