1 files changed, 70 insertions, 0 deletions
diff --git a/recipes-security/selinux/policycoreutils/policycoreutils-pp-builtin-roles.patch b/recipes-security/selinux/policycoreutils/policycoreutils-pp-builtin-roles.patch
new file mode 100644
index 0000000..f01cc3a
--- /dev/null
+++ b/recipes-security/selinux/policycoreutils/policycoreutils-pp-builtin-roles.patch
@@ -0,0 +1,70 @@
+libsepol: with pp to CIL, always write auditadm_r and secadm_r roles to the base module
+In fedora and refpolicy, the auditadm_r and secadm_r roles can be in
+either the base module or a non-base module, or they could be in both.
+This means that it is possible for duplicate role declarations to exist.
+CIL does not allow duplicate declarations of anything, but there is no
+way for the pp compiler to know if the roles are declared in which
+module, or if they are in both when compiling a single module. This
+means we cannot use the same hack that we use for user_r, staff_r, etc.,
+to generate CIL role declarations (i.e. only create role declarations
+for these when defined in base).
+So only for these two roles, always declare them as part of base,
+regardless of where or if they are defined. This means that turning off
+the auditadm module will never remove the auditamd_r role (likewise for
+secadm), whereas right now, in some cases it would. This also means that
+role allow rules will still exist for these roles even with the modules
+removed. However, this is okay because the roles would not have any
+types associated with them so no access would be allowed.
+Signed-off-by: Steve Lawrence <slawrence@tresys.com>
+Reported-by: Miroslav Grepl <mgrepl@redhat.com>
+Index: policycoreutils-2.4/hll/pp/pp.c
+===================================================================
+--- policycoreutils-2.4.orig/hll/pp/pp.c
+++ policycoreutils-2.4/hll/pp/pp.c
+@@ -2000,7 +2000,10 @@ static int role_to_cil(int indent, struc
+                                            !strcmp(key, "sysadm_r") ||
+                                            !strcmp(key, "system_r") ||
+                                            !strcmp(key, "unconfined_r"));
+-                       if ((is_base_role && pdb->policy_type == SEPOL_POLICY_BASE) || !is_base_role) {
+                       int is_builtin_role = (!strcmp(key, "auditadm_r") ||
+                                               !strcmp(key, "secadm_r"));
+                       if ((is_base_role && pdb->policy_type == SEPOL_POLICY_BASE) ||
+                               (!is_base_role && !is_builtin_role)) {
+                                cil_println(indent, "(role %s)", key);
+                        }
+                }
+@@ -3594,6 +3597,17 @@ static int generate_default_object(void)
+        return 0;
+ }
+ 
+static int generate_builtin_roles(void)
+{
+       // due to inconsistentencies between policies and CIL not allowing
+       // duplicate roles, some roles are always created, regardless of if they
+       // are declared in modules or not
+       cil_println(0, "(role auditadm_r)");
+       cil_println(0, "(role secadm_r)");
+
+       return 0;
+}
+
+ static int generate_gen_require_attribute(void)
+ {
+        cil_println(0, "(typeattribute " GEN_REQUIRE_ATTR ")");
+@@ -3678,6 +3692,12 @@ static int module_package_to_cil(struct
+                if (rc != 0) {
+                        goto exit;
+                }
+
+               // roles that can exist in base, non-base module or both
+               rc = generate_builtin_roles();
+               if (rc != 0) {
+                       goto exit;
+               }
+ 
+                // default attribute to be used to mimic gen_require in CIL
+                rc = generate_gen_require_attribute();

diff --git a/recipes-security/selinux/policycoreutils/policycoreutils-pp-builtin-roles.patch b/recipes-security/selinux/policycoreutils/policycoreutils-pp-builtin-roles.patch new file mode 100644 index 0000000..f01cc3a --- /dev/null +++ b/recipes-security/selinux/policycoreutils/policycoreutils-pp-builtin-roles.patch
@@ -0,0 +1,70 @@
	1	libsepol: with pp to CIL, always write auditadm_r and secadm_r roles to the base module
	2
	3	In fedora and refpolicy, the auditadm_r and secadm_r roles can be in
	4	either the base module or a non-base module, or they could be in both.
	5	This means that it is possible for duplicate role declarations to exist.
	6	CIL does not allow duplicate declarations of anything, but there is no
	7	way for the pp compiler to know if the roles are declared in which
	8	module, or if they are in both when compiling a single module. This
	9	means we cannot use the same hack that we use for user_r, staff_r, etc.,
	10	to generate CIL role declarations (i.e. only create role declarations
	11	for these when defined in base).
	12
	13	So only for these two roles, always declare them as part of base,
	14	regardless of where or if they are defined. This means that turning off
	15	the auditadm module will never remove the auditamd_r role (likewise for
	16	secadm), whereas right now, in some cases it would. This also means that
	17	role allow rules will still exist for these roles even with the modules
	18	removed. However, this is okay because the roles would not have any
	19	types associated with them so no access would be allowed.
	20
	21	Signed-off-by: Steve Lawrence <slawrence@tresys.com>
	22	Reported-by: Miroslav Grepl <mgrepl@redhat.com>
	23
	24	Index: policycoreutils-2.4/hll/pp/pp.c
	25	===================================================================
	26	--- policycoreutils-2.4.orig/hll/pp/pp.c
	27	+++ policycoreutils-2.4/hll/pp/pp.c
	28	@@ -2000,7 +2000,10 @@ static int role_to_cil(int indent, struc
	29	!strcmp(key, "sysadm_r") \|\|
	30	!strcmp(key, "system_r") \|\|
	31	!strcmp(key, "unconfined_r"));
	32	- if ((is_base_role && pdb->policy_type == SEPOL_POLICY_BASE) \|\| !is_base_role) {
	33	+ int is_builtin_role = (!strcmp(key, "auditadm_r") \|\|
	34	+ !strcmp(key, "secadm_r"));
	35	+ if ((is_base_role && pdb->policy_type == SEPOL_POLICY_BASE) \|\|
	36	+ (!is_base_role && !is_builtin_role)) {
	37	cil_println(indent, "(role %s)", key);
	38	}
	39	}
	40	@@ -3594,6 +3597,17 @@ static int generate_default_object(void)
	41	return 0;
	42	}
	43
	44	+static int generate_builtin_roles(void)
	45	+{
	46	+ // due to inconsistentencies between policies and CIL not allowing
	47	+ // duplicate roles, some roles are always created, regardless of if they
	48	+ // are declared in modules or not
	49	+ cil_println(0, "(role auditadm_r)");
	50	+ cil_println(0, "(role secadm_r)");
	51	+
	52	+ return 0;
	53	+}
	54	+
	55	static int generate_gen_require_attribute(void)
	56	{
	57	cil_println(0, "(typeattribute " GEN_REQUIRE_ATTR ")");
	58	@@ -3678,6 +3692,12 @@ static int module_package_to_cil(struct
	59	if (rc != 0) {
	60	goto exit;
	61	}
	62	+
	63	+ // roles that can exist in base, non-base module or both
	64	+ rc = generate_builtin_roles();
	65	+ if (rc != 0) {
	66	+ goto exit;
	67	+ }
	68
	69	// default attribute to be used to mimic gen_require in CIL
	70	rc = generate_gen_require_attribute();