From 8b71d70b5533b81d72f055d9e20e1f1db16c5858 Mon Sep 17 00:00:00 2001 From: Stephen Smalley Date: Fri, 25 Oct 2013 12:08:23 -0400 Subject: [PATCH] Add separate role declarations as required by modern checkpolicy. Sadly, make test still fails on some tests. Signed-off-by: Stephen Smalley --- libsepol/tests/policies/test-cond/refpolicy-base.conf | 1 + libsepol/tests/policies/test-deps/base-metreq.conf | 4 ++++ libsepol/tests/policies/test-deps/base-notmetreq.conf | 4 ++++ libsepol/tests/policies/test-expander/alias-base.conf | 3 +++ .../tests/policies/test-expander/base-base-only.conf | 1 + libsepol/tests/policies/test-expander/role-base.conf | 4 ++++ libsepol/tests/policies/test-expander/small-base.conf | 3 +++ libsepol/tests/policies/test-expander/user-base.conf | 5 +++++ libsepol/tests/policies/test-linker/module1.conf | 7 +++++++ libsepol/tests/policies/test-linker/module2.conf | 4 ++++ libsepol/tests/policies/test-linker/small-base.conf | 9 ++++++++- 11 files changed, 44 insertions(+), 1 deletion(-) diff --git a/libsepol/tests/policies/test-cond/refpolicy-base.conf b/libsepol/tests/policies/test-cond/refpolicy-base.conf index 60da11a4..1c1ef9ac 100644 --- a/libsepol/tests/policies/test-cond/refpolicy-base.conf +++ b/libsepol/tests/policies/test-cond/refpolicy-base.conf @@ -1393,6 +1393,7 @@ role system_r; role sysadm_r; role staff_r; role user_r; +role secadm_r; typeattribute kernel_t domain; allow kernel_t self:dir { read getattr lock search ioctl }; allow kernel_t self:lnk_file { read getattr lock ioctl }; diff --git a/libsepol/tests/policies/test-deps/base-metreq.conf b/libsepol/tests/policies/test-deps/base-metreq.conf index 9b7ade50..bfb4c56b 100644 --- a/libsepol/tests/policies/test-deps/base-metreq.conf +++ b/libsepol/tests/policies/test-deps/base-metreq.conf 
@@ -426,15 +426,19 @@ attribute files; type net_foo_t, foo; type sys_foo_t, foo, system; +role system_r; role system_r types sys_foo_t; type user_t, domain; +role user_r; role user_r types user_t; type sysadm_t, domain, system; +role sysadm_r; role sysadm_r types sysadm_t; type system_t, domain, system, foo; +role system_r; role system_r types { system_t sys_foo_t }; type file_t; diff --git a/libsepol/tests/policies/test-deps/base-notmetreq.conf b/libsepol/tests/policies/test-deps/base-notmetreq.conf index cf6aa0a9..f2630e7b 100644 --- a/libsepol/tests/policies/test-deps/base-notmetreq.conf +++ b/libsepol/tests/policies/test-deps/base-notmetreq.conf @@ -421,15 +421,19 @@ attribute files; type net_foo_t, foo; type sys_foo_t, foo, system; +role system_r; role system_r types sys_foo_t; type user_t, domain; +role user_r; role user_r types user_t; type sysadm_t, domain, system; +role sysadm_r; role sysadm_r types sysadm_t; type system_t, domain, system, foo; +role system_r; role system_r types { system_t sys_foo_t }; type file_t; diff --git a/libsepol/tests/policies/test-expander/alias-base.conf b/libsepol/tests/policies/test-expander/alias-base.conf index f3d0a6ca..4ed46d24 100644 --- a/libsepol/tests/policies/test-expander/alias-base.conf +++ b/libsepol/tests/policies/test-expander/alias-base.conf @@ -440,6 +440,9 @@ optional { type fs_t; type system_t; type user_t; +role system_r; +role user_r; +role sysadm_r; role system_r types system_t; role user_r types user_t; role sysadm_r types system_t; diff --git a/libsepol/tests/policies/test-expander/base-base-only.conf b/libsepol/tests/policies/test-expander/base-base-only.conf index 80b87cc9..4eae73ea 100644 --- a/libsepol/tests/policies/test-expander/base-base-only.conf +++ b/libsepol/tests/policies/test-expander/base-base-only.conf @@ -34,6 +34,7 @@ mlsconstrain file { read } attribute myattr; type mytype_t; +role myrole_r; role myrole_r types mytype_t; bool mybool true; gen_user(myuser_u,, myrole_r, s0, s0 - s0:c0) 
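Review bot: `role system_r;` is added twice in the test-deps/base-metreq.conf hunk, once before `role system_r types sys_foo_t;` and again before `role system_r types { system_t sys_foo_t };`, and the base-notmetreq.conf hunk repeats the same pair. The second declaration adds nothing, and the hunk does not show whether the compiler accepts a repeated role declaration at this point, so it should be confirmed before these fixtures rely on it. The test-expander/small-base.conf hunk, which appears to cover the same block, adds only one `role system_r;`, although its tail lies outside the hunk. I would drop the second `+role system_r;` in both test-deps files, or keep it with a comment such as `# repeated declaration is deliberate: exercises duplicate role statements`.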
diff --git a/libsepol/tests/policies/test-expander/role-base.conf b/libsepol/tests/policies/test-expander/role-base.conf index 219987c6..b43389fa 100644 --- a/libsepol/tests/policies/test-expander/role-base.conf +++ b/libsepol/tests/policies/test-expander/role-base.conf @@ -415,12 +415,16 @@ mlsconstrain file { write setattr append unlink link rename ioctl lock execute r # Role mapping test type role_check_1_1_t; +role role_check_1; role role_check_1 types role_check_1_1_t; ######## type fs_t; type system_t; type user_t; +role system_r; +role user_r; +role sysadm_r; role system_r types system_t; role user_r types user_t; role sysadm_r types system_t; diff --git a/libsepol/tests/policies/test-expander/small-base.conf b/libsepol/tests/policies/test-expander/small-base.conf index 6f45a287..7c5d77af 100644 --- a/libsepol/tests/policies/test-expander/small-base.conf +++ b/libsepol/tests/policies/test-expander/small-base.conf @@ -467,12 +467,15 @@ optional { type net_foo_t, foo; type sys_foo_t, foo, system; +role system_r; role system_r types sys_foo_t; type user_t, domain; +role user_r; role user_r types user_t; type sysadm_t, domain, system; +role sysadm_r; role sysadm_r types sysadm_t; type system_t, domain, system, foo; diff --git a/libsepol/tests/policies/test-expander/user-base.conf b/libsepol/tests/policies/test-expander/user-base.conf index 660152eb..b60672fa 100644 --- a/libsepol/tests/policies/test-expander/user-base.conf +++ b/libsepol/tests/policies/test-expander/user-base.conf @@ -416,6 +416,8 @@ mlsconstrain file { write setattr append unlink link rename ioctl lock execute r # User mapping test type user_check_1_1_t; type user_check_1_2_t; +role user_check_1_1_r; +role user_check_1_2_r; role user_check_1_1_r types user_check_1_1_t; role user_check_1_2_r types user_check_1_2_t; 
@@ -423,6 +425,9 @@ role user_check_1_2_r types user_check_1_2_t; type fs_t; type system_t; type user_t; +role system_r; +role user_r; +role sysadm_r; role system_r types system_t; role user_r types user_t; role sysadm_r types system_t; diff --git a/libsepol/tests/policies/test-linker/module1.conf b/libsepol/tests/policies/test-linker/module1.conf index 7cfb6cb0..2d5fc313 100644 --- a/libsepol/tests/policies/test-linker/module1.conf +++ b/libsepol/tests/policies/test-linker/module1.conf @@ -19,6 +19,7 @@ type g_m1_type_2; typeattribute g_m1_type_2 g_m1_attr_1; #add role in module test +role g_m1_role_1; role g_m1_role_1 types g_m1_type_1; # test for attr declared in base, added to in module @@ -38,12 +39,15 @@ attribute g_m1_attr_2; #add type to base role test role g_b_role_2 types g_m1_type_1; +role g_b_role_3; role g_b_role_3 types g_m1_type_2; #add type to base optional role test +role o1_b_role_2; role o1_b_role_2 types g_m1_type_1; #optional base role w/ adds in 2 modules +role o4_b_role_1; role o4_b_role_1 types g_m1_type_2; # attr a added to in base optional, declared/added to in module, added to in other module @@ -78,6 +82,7 @@ optional { type o1_m1_type_2, o1_m1_attr_1; type o1_m1_type_1; + role o1_m1_role_1; role o1_m1_role_1 types o1_m1_type_1; type o1_m1_type_3; @@ -101,6 +106,7 @@ optional { type tag_o2_m1; + role g_b_role_4; role g_b_role_4 types g_m1_type_2; } @@ -112,6 +118,7 @@ optional { type tag_o3_m1; type o3_m1_type_1; + role o3_b_role_1; role o3_b_role_1 types o3_m1_type_1; type o3_m1_type_2, g_b_attr_6; diff --git a/libsepol/tests/policies/test-linker/module2.conf b/libsepol/tests/policies/test-linker/module2.conf index 3820cb7f..7a31109b 100644 --- a/libsepol/tests/policies/test-linker/module2.conf +++ b/libsepol/tests/policies/test-linker/module2.conf @@ -12,6 +12,7 @@ require { type tag_g_m2; type g_m2_type_1; +role g_m2_role_1; role g_m2_role_1 types g_m2_type_1; type g_m2_type_4, g_b_attr_5; 
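Review bot: The test-linker/module1.conf hunk at `@@ -38,12 +39,15 @@` declares `role g_b_role_3;`, `role o1_b_role_2;` and `role o4_b_role_1;` inside the module, although the comments beside them (`#add type to base role test`, `#add type to base optional role test`) describe roles owned by the base, and test-linker/small-base.conf in this patch declares the same three names. With a local declaration the module may no longer depend on the base for the role, so these cases could stop exercising the linker's handling of a role that is required rather than declared. `role g_b_role_2 types g_m1_type_1;` directly above gets no declaration, which suggests it is still satisfied by the `require` block outside the hunk. If the local declarations are intended, record it with a comment such as `# declared locally because checkpolicy needs a role statement before 'role ... types'`; otherwise name the roles in `require { role g_b_role_3; }` style entries instead. The same question applies to `role g_b_role_4;` and `role o3_b_role_1;` in the later module1.conf hunks and to `role g_b_role_3;` and `role o4_b_role_1;` in module2.conf.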
@@ -19,9 +20,11 @@ type g_m2_type_5, g_b_attr_6; #add types to role declared in base test type g_m2_type_2; +role g_b_role_3; role g_b_role_3 types g_m2_type_2; #optional base role w/ adds in 2 modules +role o4_b_role_1; role o4_b_role_1 types g_m2_type_1; # attr a added to in base optional, declared/added to in module, added to in other module @@ -45,6 +48,7 @@ optional { type tag_o1_m2; type o1_m2_type_1; + role o1_m2_role_1; role o1_m2_role_1 types o1_m2_type_1; } diff --git a/libsepol/tests/policies/test-linker/small-base.conf b/libsepol/tests/policies/test-linker/small-base.conf index 2f166c9d..3a66f913 100644 --- a/libsepol/tests/policies/test-linker/small-base.conf +++ b/libsepol/tests/policies/test-linker/small-base.conf @@ -435,6 +435,10 @@ type g_b_type_1, g_b_attr_1; type g_b_type_2, g_b_attr_2; type g_b_type_3; +role g_b_role_1; +role g_b_role_2; +role g_b_role_3; +role g_b_role_4; role g_b_role_1 types g_b_type_1; role g_b_role_2 types g_b_type_2; role g_b_role_3 types g_b_type_2; @@ -464,8 +468,9 @@ optional { attribute o1_b_attr_1; type o1_b_type_1, o1_b_attr_1; bool o1_b_bool_1 true; + role o1_b_role_1; role o1_b_role_1 types o1_b_type_1; - + role o1_b_role_2; role o1_b_role_2 types o1_b_type_1; attribute o1_b_attr_2; @@ -501,6 +506,7 @@ optional { type o3_b_type_1; bool o3_b_bool_1 true; + role o3_b_role_1; role o3_b_role_1 types o3_b_type_1; allow g_b_type_1 invalid_type : sem { create destroy }; @@ -519,6 +525,7 @@ optional { attribute o4_b_attr_1; + role o4_b_role_1; role o4_b_role_1 types g_m1_type_1; # test for attr declared in module optional, added to in base optional