libsepol/cil: Ignore object_r in userrole mappings when creating policy binary

Commit 77779d2ca, which added support for userattributes in CIL,
accidentally removed code that ignored object_r when adding userrole
mappings to the policydb. This meant that running commands like
`semanage user -l` would incorrectly show object_r. This patch adds that
code back in. Note that CIL requires that these mappings exist to
properly validate file contexts, so pp2cil's behavior of creating these
mappings is not modified.

Signed-off-by: Steve Lawrence <slawrence@tresys.com>
Steve Lawrence 2016-07-26 12:53:08 -04:00 committed by James Carter
parent c17727e54f
commit 7a137eb75f


@ -754,6 +754,12 @@ int cil_userrole_to_policydb(policydb_t *pdb, const struct cil_db *db, struct ci
goto exit;
}
if (sepol_role->s.value == 1) {
// role is object_r, ignore it since it is implicitly associated
// with all users
continue;
}
if (ebitmap_set_bit(&sepol_user->roles.roles, sepol_role->s.value - 1, 1)) {
cil_log(CIL_INFO, "Failed to set role bit for user\n");
rc = SEPOL_ERR;
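Review bot: the added check `if (sepol_role->s.value == 1)` identifies object_r by a bare literal, so it depends on object_r always holding role value 1 without stating where that is guaranteed. Compare against a named constant instead (libsepol's policydb.h defines OBJECT_R_VAL), which makes the invariant explicit and easy to grep for. The commit message says this logic was already dropped once by accident in 77779d2ca, so a regression test asserting that object_r never ends up in the user's role bitmap would help keep it from disappearing again.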