@@ -1218,6 +1218,7 @@ int cil_userprefixes_to_string_nopdb(struct cil_db *db, char **out, size_t *size
struct cil_list_item *curr;
struct cil_userprefix *userprefix = NULL;
struct cil_user *user = NULL;
+ struct cil_role *role = NULL;
*out = NULL;
@@ -1230,7 +1231,8 @@ int cil_userprefixes_to_string_nopdb(struct cil_db *db, char **out, size_t *size
cil_list_for_each(curr, db->userprefixes) {
userprefix = curr->data;
user = userprefix->user;
- str_len += strlen("user ") + strlen(user->datum.fqn) + strlen(" prefix ") + strlen(userprefix->prefix_str) + 2;
+ role = userprefix->role;
+ str_len += strlen("user ") + strlen(user->datum.fqn) + strlen(" prefix ") + strlen(role->datum.fqn) + 2;
}
*size = str_len * sizeof(char);
@@ -1241,9 +1243,10 @@ int cil_userprefixes_to_string_nopdb(struct cil_db *db, char **out, size_t *size
cil_list_for_each(curr, db->userprefixes) {
userprefix = curr->data;
user = userprefix->user;
+ role = userprefix->role;
buf_pos = snprintf(str_tmp, str_len, "user %s prefix %s;\n", user->datum.fqn,
- userprefix->prefix_str);
+ role->datum.fqn);
str_len -= buf_pos;
str_tmp += buf_pos;
}
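Review bot: The `snprintf` return value at the `buf_pos = snprintf(...)` line is still used unchecked to shrink `str_len` and advance `str_tmp`, so the new output is only safe because the sizing loop in the previous hunk adds exactly the same `strlen(role->datum.fqn)` that is formatted here; any future divergence between the two loops would underflow the `size_t` and write past the buffer. Since this hunk touches the formatting call, it is a good place to pin that invariant: `if (buf_pos < 0 || (size_t)buf_pos >= str_len) { rc = SEPOL_ERR; goto exit; }` before the subtraction, assuming the function has the usual `rc`/`exit:` cleanup path (its beginning and end are outside the hunk). The allocation that sizes `str_tmp` is also not visible here, so I cannot confirm it leaves room for the terminating NUL that `snprintf` writes on the last iteration.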
@@ -481,6 +481,7 @@ struct cil_userprefix {
char *user_str;
struct cil_user *user;
char *prefix_str;
+ struct cil_role *role;
};
struct cil_selinuxuser {
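Review bot: The added `role` member has no initializer anywhere in this patch; if `cil_userprefix_init` (not shown) assigns the existing fields individually rather than zeroing the struct, `role` holds whatever the allocator left there until `cil_resolve_userprefix` runs. Any path that reaches `cil_userprefixes_to_string_nopdb` on a db whose resolution failed or was skipped would then read `role->datum.fqn` through a wild pointer. Add `(*userprefix)->role = NULL;` to the init routine, and make sure the destroy routine does not free it, since the role is resolved from the symtab and not owned by the userprefix. I am inferring the init routine's shape from the existing fields, so please confirm against the actual function.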
@@ -952,7 +952,7 @@ int cil_resolve_userprefix(struct cil_tree_node *current, void *extra_args)
{
struct cil_userprefix *userprefix = current->data;
struct cil_symtab_datum *user_datum = NULL;
- struct cil_tree_node *user_node = NULL;
+ struct cil_symtab_datum *role_datum = NULL;
int rc = SEPOL_ERR;
rc = cil_resolve_name(current, userprefix->user_str, CIL_SYM_USERS, extra_args, &user_datum);
@@ -960,15 +960,13 @@ int cil_resolve_userprefix(struct cil_tree_node *current, void *extra_args)
goto exit;
}
- user_node = user_datum->nodes->head->data;
-
- if (user_node->flavor != CIL_USER) {
- cil_log(CIL_ERR, "Userprefix must be a user: %s\n", user_datum->fqn);
- rc = SEPOL_ERR;
+ rc = cil_resolve_name(current, userprefix->prefix_str, CIL_SYM_ROLES, extra_args, &role_datum);
+ if (rc != SEPOL_OK) {
goto exit;
}
userprefix->user = (struct cil_user*)user_datum;
+ userprefix->role = (struct cil_role*)role_datum;
exit:
return rc;
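Review bot: The removed `user_node->flavor != CIL_USER` check is dropped rather than moved, so a name that resolves in `CIL_SYM_USERS` to a datum of another flavor is now cast to `struct cil_user *` at `userprefix->user = (struct cil_user*)user_datum;` with no diagnostic, and the new role resolution has no equivalent flavor check before `userprefix->role = (struct cil_role*)role_datum;`. The old check existed precisely because the users namespace can hold non-user datums, and the roles namespace is commonly shared the same way, so both casts should be guarded; the `role_node` declaration belongs in the earlier hunk of this function, whose start is outside this hunk. Below are the lines I would add or restore.

```c
	struct cil_tree_node *role_node = NULL;
	/* … unchanged: resolve user_str in CIL_SYM_USERS … */
	user_node = user_datum->nodes->head->data;
	if (user_node->flavor != CIL_USER) {
		cil_log(CIL_ERR, "Userprefix must be a user: %s\n", user_datum->fqn);
		rc = SEPOL_ERR;
		goto exit;
	}

	rc = cil_resolve_name(current, userprefix->prefix_str, CIL_SYM_ROLES, extra_args, &role_datum);
	if (rc != SEPOL_OK) {
		goto exit;
	}

	role_node = role_datum->nodes->head->data;
	if (role_node->flavor != CIL_ROLE) {
		cil_log(CIL_ERR, "Userprefix prefix must be a role: %s\n", role_datum->fqn);
		rc = SEPOL_ERR;
		goto exit;
	}
	/* … unchanged: assign userprefix->user and userprefix->role … */
```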
This ensures that the role in the userprefix statement is valid. Idea and implementation by Gary Tierney. Signed-off-by: Dominick Grift <dac.override@gmail.com> --- libsepol/cil/src/cil.c | 7 +++++-- libsepol/cil/src/cil_internal.h | 1 + libsepol/cil/src/cil_resolve_ast.c | 10 ++++------ 3 files changed, 10 insertions(+), 8 deletions(-)