
libsepol: fix pp module to cil nodecon statement

Message ID 1485364636-21338-1-git-send-email-slawrence@tresys.com (mailing list archive)
State Not Applicable

Commit Message

Steve Lawrence Jan. 25, 2017, 5:17 p.m. UTC
Policy modules do not have the concept of named IP addresses like CIL
does. So when converting nodecon statements from pp policy modules to
CIL, we need to wrap the IP address and mask parameters in parentheses
so that the CIL compiler does not try to resolve them as named
addresses, but instead treats them as anonymous.

Signed-off-by: Steve Lawrence <slawrence@tresys.com>
---
 libsepol/src/module_to_cil.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
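
As an added illustration (not part of the patch or of the libsepol sources), the CIL fragment below shows the named form of an IP address next to the anonymous form that module_to_cil has to emit for a pp module. The ipaddr names (lo, lo_mask), the addresses, the type names and the contexts are made up for the example, and the user, role, type and sensitivity declarations a complete policy needs are omitted.

```cil
; CIL can declare IP addresses by name and refer to them in nodecon.
(ipaddr lo 127.0.0.1)
(ipaddr lo_mask 255.255.255.255)
(nodecon lo lo_mask (system_u object_r lo_node_t ((s0) (s0))))

; A pp module has no named addresses, so the converter must write
; anonymous ones: the address and the mask are each wrapped in
; parentheses. This is the shape produced after the patch, for the
; IPv4 path (ocontext_selinux_node_to_cil) and the IPv6 path
; (ocontext_selinux_node6_to_cil).
(nodecon (192.168.1.0) (255.255.255.0) (system_u object_r node_t ((s0) (s0))))
(nodecon (2001:db8::) (ffff:ffff:ffff:ffff::) (system_u object_r node_t ((s0) (s0))))

; Before the patch the converter wrote the bare tokens instead:
;   (nodecon 192.168.1.0 255.255.255.0 (system_u object_r node_t ((s0) (s0))))
; which, as the commit message explains, CIL reads as references to
; ipaddr names that were never declared, so resolution fails.
```

The rule generalizes: any place module_to_cil emits a value that CIL would otherwise treat as a symbol reference needs the anonymous (parenthesized) form, since a pp module has no way to declare the symbol.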

Comments

James Carter Jan. 25, 2017, 7:55 p.m. UTC | #1
On 01/25/2017 12:17 PM, Steve Lawrence wrote:
> Policy modules do not have the concept of named IP addresses like CIL
> does. So when converting nodecon statements from pp policy modules to
> CIL, we need to wrap the IP address and mask parameters in parentheses
> so that the CIL compiler does not try to resolve them as named
> addresses, but instead treats them as anonymous.
>
> Signed-off-by: Steve Lawrence <slawrence@tresys.com>

Applied,

Thanks,
Jim

> ---
>  libsepol/src/module_to_cil.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/libsepol/src/module_to_cil.c b/libsepol/src/module_to_cil.c
> index 51a4784..2acb600 100644
> --- a/libsepol/src/module_to_cil.c
> +++ b/libsepol/src/module_to_cil.c
> @@ -2721,7 +2721,7 @@ static int ocontext_selinux_node_to_cil(struct policydb *pdb, struct ocontext *n
>  			goto exit;
>  		}
>
> -		cil_printf("(nodecon %s %s ", addr, mask);
> +		cil_printf("(nodecon (%s) (%s) ", addr, mask);
>
>  		context_to_cil(pdb, &node->context[0]);
>
> @@ -2753,7 +2753,7 @@ static int ocontext_selinux_node6_to_cil(struct policydb *pdb, struct ocontext *
>  			goto exit;
>  		}
>
> -		cil_printf("(nodecon %s %s ", addr, mask);
> +		cil_printf("(nodecon (%s) (%s) ", addr, mask);
>
>  		context_to_cil(pdb, &node->context[0]);
>
>

Patch

diff --git a/libsepol/src/module_to_cil.c b/libsepol/src/module_to_cil.c
index 51a4784..2acb600 100644
--- a/libsepol/src/module_to_cil.c
+++ b/libsepol/src/module_to_cil.c
@@ -2721,7 +2721,7 @@  static int ocontext_selinux_node_to_cil(struct policydb *pdb, struct ocontext *n
 			goto exit;
 		}
 
-		cil_printf("(nodecon %s %s ", addr, mask);
+		cil_printf("(nodecon (%s) (%s) ", addr, mask);
 
 		context_to_cil(pdb, &node->context[0]);
 
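Review bot: the same one-line fix is applied here and again in ocontext_selinux_node6_to_cil at the 2753 hunk, and both functions already run the identical addr/mask/context_to_cil sequence; consider factoring the `(nodecon (%s) (%s) ` output (and the following context_to_cil call) into one shared helper so the IPv4 and IPv6 paths cannot diverge again, which is how both ended up emitting the bare-token form in the first place.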
@@ -2753,7 +2753,7 @@  static int ocontext_selinux_node6_to_cil(struct policydb *pdb, struct ocontext *
 			goto exit;
 		}
 
-		cil_printf("(nodecon %s %s ", addr, mask);
+		cil_printf("(nodecon (%s) (%s) ", addr, mask);
 
 		context_to_cil(pdb, &node->context[0]);
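Review bot: no regression test accompanies the change (the diffstat touches only libsepol/src/module_to_cil.c), so nothing exercises the new `(nodecon (%s) (%s) ` output end to end; suggest adding a pp-to-CIL round-trip case with one IPv4 and one IPv6 nodecon that is compiled with the CIL compiler, since the failure this fixes (the address being resolved as an ipaddr name) only shows up at CIL resolution time, not in the converter itself.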