/*
* Copyright 2011 Tresys Technology, LLC. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are met:
*
* 1. Redistributions of source code must retain the above copyright notice,
* this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright notice,
* this list of conditions and the following disclaimer in the documentation
* and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY TRESYS TECHNOLOGY, LLC ``AS IS'' AND ANY EXPRESS
* OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO
* EVENT SHALL TRESYS TECHNOLOGY, LLC OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
* INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
* BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
* LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
* OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
* ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
* The views and conclusions contained in the software and documentation are those
* of the authors and should not be interpreted as representing official policies,
* either expressed or implied, of Tresys Technology, LLC.
*/
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <unistd.h>
#include <inttypes.h>
#include <sepol/policydb/conditional.h>
#include <sepol/errcodes.h>
#include "cil_internal.h"
#include "cil_flavor.h"
#include "cil_log.h"
#include "cil_mem.h"
#include "cil_tree.h"
#include "cil_list.h"
#include "cil_policy.h"
#include "cil_symtab.h"
#include "cil_strpool.h"
#define SEPOL_DONE 555
#define CLASS_DECL 0
#define ISIDS 1
#define COMMONS 2
#define CLASSES 3
#define INTERFACES 4
#define SENS 5
#define CATS 6
#define LEVELS 7
#define CONSTRAINS 8
#define TYPEATTRTYPES 9
#define ALIASES 10
#define ALLOWS 11
#define CONDS 12
#define USERROLES 13
#define SIDS 14
#define NETIFCONS 15
#define BUFFER 1024
#define NUM_POLICY_FILES 16
struct cil_args_genpolicy {
struct cil_list *users;
struct cil_list *sens;
struct cil_list *cats;
FILE **file_arr;
};
struct cil_args_booleanif {
FILE **file_arr;
uint32_t *file_index;
};
int cil_expr_to_policy(FILE **file_arr, uint32_t file_index, struct cil_list *expr);
int cil_combine_policy(FILE **file_arr, FILE *policy_file)
{
char temp[BUFFER];
int i, rc, rc_read, rc_write;
for(i=0; i<NUM_POLICY_FILES; i++) {
fseek(file_arr[i], 0, SEEK_SET);
while (!feof(file_arr[i])) {
rc_read = fread(temp, 1, BUFFER, file_arr[i]);
if (rc_read == 0 && ferror(file_arr[i])) {
cil_log(CIL_ERR, "Error reading temp policy file\n");
return SEPOL_ERR;
}
rc_write = 0;
while (rc_read > rc_write) {
rc = fwrite(temp+rc_write, 1, rc_read-rc_write, policy_file);
rc_write += rc;
if (rc == 0 && ferror(file_arr[i])) {
cil_log(CIL_ERR, "Error writing to policy.conf\n");
return SEPOL_ERR;
}
}
}
}
return SEPOL_OK;
}
int cil_portcon_to_policy(FILE **file_arr, struct cil_sort *sort)
{
uint32_t i = 0;
for (i=0; i<sort->count; i++) {
struct cil_portcon *portcon = (struct cil_portcon*)sort->array[i];
fprintf(file_arr[NETIFCONS], "portcon ");
if (portcon->proto == CIL_PROTOCOL_UDP) {
fprintf(file_arr[NETIFCONS], "udp ");
} else if (portcon->proto == CIL_PROTOCOL_TCP) {
fprintf(file_arr[NETIFCONS], "tcp ");
}
fprintf(file_arr[NETIFCONS], "%d ", portcon->port_low);
fprintf(file_arr[NETIFCONS], "%d ", portcon->port_high);
cil_context_to_policy(file_arr, NETIFCONS, portcon->context);
fprintf(file_arr[NETIFCONS], ";\n");
}
return SEPOL_OK;
}
int cil_genfscon_to_policy(FILE **file_arr, struct cil_sort *sort)
{
uint32_t i = 0;
for (i=0; i<sort->count; i++) {
struct cil_genfscon *genfscon = (struct cil_genfscon*)sort->array[i];
fprintf(file_arr[NETIFCONS], "genfscon %s ", genfscon->fs_str);
fprintf(file_arr[NETIFCONS], "%s ", genfscon->path_str);
cil_context_to_policy(file_arr, NETIFCONS, genfscon->context);
fprintf(file_arr[NETIFCONS], ";\n");
}
return SEPOL_OK;
}
int cil_netifcon_to_policy(FILE **file_arr, struct cil_sort *sort)
{
uint32_t i = 0;
for (i=0; i<sort->count; i++) {
struct cil_netifcon *netifcon = (struct cil_netifcon*)sort->array[i];
fprintf(file_arr[NETIFCONS], "netifcon %s ", netifcon->interface_str);
cil_context_to_policy(file_arr, NETIFCONS, netifcon->if_context);
fprintf(file_arr[NETIFCONS], " ");
cil_context_to_policy(file_arr, NETIFCONS, netifcon->packet_context);
fprintf(file_arr[NETIFCONS], ";\n");
}
return SEPOL_OK;
}
int cil_nodecon_to_policy(FILE **file_arr, struct cil_sort *sort)
{
uint32_t i = 0;
int rc = SEPOL_ERR;
for (i=0; i<sort->count; i++) {
struct cil_nodecon *nodecon = (struct cil_nodecon*)sort->array[i];
char *buf = NULL;
errno = 0;
if (nodecon->addr->family == AF_INET) {
buf = cil_malloc(INET_ADDRSTRLEN);
inet_ntop(nodecon->addr->family, &nodecon->addr->ip.v4, buf, INET_ADDRSTRLEN);
} else if (nodecon->addr->family == AF_INET6) {
buf = cil_malloc(INET6_ADDRSTRLEN);
inet_ntop(nodecon->addr->family, &nodecon->addr->ip.v6, buf, INET6_ADDRSTRLEN);
}
if (errno != 0) {
cil_log(CIL_INFO, "Failed to convert ip address to string\n");
rc = SEPOL_ERR;
goto exit;
}
fprintf(file_arr[NETIFCONS], "nodecon %s ", buf);
free(buf);
if (nodecon->mask->family == AF_INET) {
buf = cil_malloc(INET_ADDRSTRLEN);
inet_ntop(nodecon->mask->family, &nodecon->mask->ip.v4, buf, INET_ADDRSTRLEN);
} else if (nodecon->mask->family == AF_INET6) {
buf = cil_malloc(INET6_ADDRSTRLEN);
inet_ntop(nodecon->mask->family, &nodecon->mask->ip.v6, buf, INET6_ADDRSTRLEN);
}
if (errno != 0) {
cil_log(CIL_INFO, "Failed to convert mask to string\n");
rc = SEPOL_ERR;
goto exit;
}
fprintf(file_arr[NETIFCONS], "%s ", buf);
free(buf);
cil_context_to_policy(file_arr, NETIFCONS, nodecon->context);
fprintf(file_arr[NETIFCONS], ";\n");
}
return SEPOL_OK;
exit:
return rc;
}
int cil_pirqcon_to_policy(FILE **file_arr, struct cil_sort *sort)
{
uint32_t i = 0;
for (i = 0; i < sort->count; i++) {
struct cil_pirqcon *pirqcon = (struct cil_pirqcon*)sort->array[i];
fprintf(file_arr[NETIFCONS], "pirqcon %d ", pirqcon->pirq);
cil_context_to_policy(file_arr, NETIFCONS, pirqcon->context);
fprintf(file_arr[NETIFCONS], ";\n");
}
return SEPOL_OK;
}
int cil_iomemcon_to_policy(FILE **file_arr, struct cil_sort *sort)
{
uint32_t i = 0;
for (i = 0; i < sort->count; i++) {
struct cil_iomemcon *iomemcon = (struct cil_iomemcon*)sort->array[i];
fprintf(file_arr[NETIFCONS], "iomemcon %"PRId64"-%"PRId64" ", iomemcon->iomem_low, iomemcon->iomem_high);
cil_context_to_policy(file_arr, NETIFCONS, iomemcon->context);
fprintf(file_arr[NETIFCONS], ";\n");
}
return SEPOL_OK;
}
int cil_ioportcon_to_policy(FILE **file_arr, struct cil_sort *sort)
{
uint32_t i = 0;
for (i = 0; i < sort->count; i++) {
struct cil_ioportcon *ioportcon = (struct cil_ioportcon*)sort->array[i];
fprintf(file_arr[NETIFCONS], "ioportcon %d-%d ", ioportcon->ioport_low, ioportcon->ioport_high);
cil_context_to_policy(file_arr, NETIFCONS, ioportcon->context);
fprintf(file_arr[NETIFCONS], ";\n");
}
return SEPOL_OK;
}
int cil_pcidevicecon_to_policy(FILE **file_arr, struct cil_sort *sort)
{
uint32_t i = 0;
for (i = 0; i < sort->count; i++) {
struct cil_pcidevicecon *pcidevicecon = (struct cil_pcidevicecon*)sort->array[i];
fprintf(file_arr[NETIFCONS], "pcidevicecon %d ", pcidevicecon->dev);
cil_context_to_policy(file_arr, NETIFCONS, pcidevicecon->context);
fprintf(file_arr[NETIFCONS], ";\n");
}
return SEPOL_OK;
}
int cil_fsuse_to_policy(FILE **file_arr, struct cil_sort *sort)
{
uint32_t i = 0;
for (i=0; i<sort->count; i++) {
struct cil_fsuse *fsuse = (struct cil_fsuse*)sort->array[i];
if (fsuse->type == CIL_FSUSE_XATTR) {
fprintf(file_arr[NETIFCONS], "fs_use_xattr ");
} else if (fsuse->type == CIL_FSUSE_TASK) {
fprintf(file_arr[NETIFCONS], "fs_use_task ");
} else if (fsuse->type == CIL_FSUSE_TRANS) {
fprintf(file_arr[NETIFCONS], "fs_use_trans ");
} else {
return SEPOL_ERR;
}
fprintf(file_arr[NETIFCONS], "%s ", fsuse->fs_str);
cil_context_to_policy(file_arr, NETIFCONS, fsuse->context);
fprintf(file_arr[NETIFCONS], ";\n");
}
return SEPOL_OK;
}
int cil_multimap_insert(struct cil_list *list, struct cil_symtab_datum *key, struct cil_symtab_datum *value, uint32_t key_flavor, uint32_t val_flavor)
{
struct cil_list_item *curr_key;
struct cil_multimap_item *new_data;
if (list == NULL || key == NULL) {
return SEPOL_ERR;
}
cil_list_for_each(curr_key, list) {
struct cil_multimap_item *curr_multimap_item = curr_key->data;
if (curr_multimap_item != NULL) {
if (curr_multimap_item->key != NULL && curr_multimap_item->key == key) {
struct cil_list_item *curr_value;
cil_list_for_each(curr_value, curr_multimap_item->values) {
if (curr_value == (struct cil_list_item*)value) {
return SEPOL_OK;;
}
}
cil_list_append(curr_multimap_item->values, val_flavor, value);
}
} else {
cil_log(CIL_INFO, "No data in list item\n");
return SEPOL_ERR;
}
}
new_data = cil_malloc(sizeof(*new_data));
new_data->key = key;
cil_list_init(&new_data->values, CIL_LIST_ITEM);
if (value != NULL) {
cil_list_append(new_data->values, val_flavor, value);
}
cil_list_append(list, key_flavor, new_data);
return SEPOL_OK;
}
int cil_userrole_to_policy(FILE **file_arr, struct cil_list *userroles)
{
struct cil_list_item *current_user;
if (userroles == NULL) {
return SEPOL_OK;
}
cil_list_for_each(current_user, userroles) {
struct cil_multimap_item *user_multimap_item = current_user->data;
struct cil_list_item *current_role;
if (user_multimap_item->values->head == NULL) {
cil_log(CIL_INFO, "No roles associated with user %s\n",
user_multimap_item->key->name);
return SEPOL_ERR;
}
fprintf(file_arr[USERROLES], "user %s roles {", user_multimap_item->key->name);
cil_list_for_each(current_role, user_multimap_item->values) {
fprintf(file_arr[USERROLES], " %s", ((struct cil_role*)current_role->data)->datum.name);
}
fprintf(file_arr[USERROLES], " };\n");
}
return SEPOL_OK;
}
int cil_cat_to_policy(FILE **file_arr, struct cil_list *cats)
{
struct cil_list_item *curr_cat;
if (cats == NULL) {
return SEPOL_OK;
}
cil_list_for_each(curr_cat, cats) {
struct cil_multimap_item *cat_multimap_item = curr_cat->data;
fprintf(file_arr[CATS], "category %s", cat_multimap_item->key->name);
if (cat_multimap_item->values->head == NULL) {
fprintf(file_arr[CATS], ";\n");
} else {
struct cil_list_item *curr_catalias;
fprintf(file_arr[CATS], " alias");
cil_list_for_each(curr_catalias, cat_multimap_item->values) {
fprintf(file_arr[CATS], " %s", ((struct cil_cat*)curr_catalias->data)->datum.name);
}
fprintf(file_arr[CATS], ";\n");
}
}
return SEPOL_OK;
}
int cil_sens_to_policy(FILE **file_arr, struct cil_list *sens)
{
struct cil_list_item *curr_sens;
if (sens == NULL) {
return SEPOL_OK;
}
cil_list_for_each(curr_sens, sens) {
struct cil_multimap_item *sens_multimap_item = curr_sens->data;
fprintf(file_arr[SENS], "sensitivity %s", sens_multimap_item->key->name);
if (sens_multimap_item->values->head == NULL)
fprintf(file_arr[SENS], ";\n");
else {
struct cil_list_item *curr_sensalias;
fprintf(file_arr[SENS], " alias");
cil_list_for_each(curr_sensalias, sens_multimap_item->values) {
fprintf(file_arr[SENS], " %s", ((struct cil_sens*)curr_sensalias->data)->datum.name);
}
fprintf(file_arr[SENS], ";\n");
}
}
return SEPOL_OK;
}
void cil_cats_to_policy(FILE **file_arr, uint32_t file_index, struct cil_cats *cats)
{
cil_expr_to_policy(file_arr, file_index, cats->datum_expr);
}
void cil_level_to_policy(FILE **file_arr, uint32_t file_index, struct cil_level *level)
{
char *sens_str = level->sens->datum.name;
fprintf(file_arr[file_index], "%s", sens_str);
if (level->cats != NULL) {
fprintf(file_arr[file_index], ":");
cil_cats_to_policy(file_arr, file_index, level->cats);
}
}
void cil_levelrange_to_policy(FILE **file_arr, uint32_t file_index, struct cil_levelrange *lvlrange)
{
struct cil_level *low = lvlrange->low;
struct cil_level *high = lvlrange->high;
cil_level_to_policy(file_arr, file_index, low);
fprintf(file_arr[file_index], "-");
cil_level_to_policy(file_arr, file_index, high);
}
void cil_context_to_policy(FILE **file_arr, uint32_t file_index, struct cil_context *context)
{
char *user_str = ((struct cil_symtab_datum*)context->user)->name;
char *role_str = ((struct cil_symtab_datum*)context->role)->name;
char *type_str = ((struct cil_symtab_datum*)context->type)->name;
struct cil_levelrange *lvlrange = context->range;
fprintf(file_arr[file_index], "%s:%s:%s:", user_str, role_str, type_str);
cil_levelrange_to_policy(file_arr, file_index, lvlrange);
}
void cil_perms_to_policy(FILE **file_arr, uint32_t file_index, struct cil_list *list)
{
struct cil_list_item *curr;
fprintf(file_arr[file_index], " {");
cil_list_for_each(curr, list) {
switch (curr->flavor) {
case CIL_LIST:
cil_perms_to_policy(file_arr, file_index, curr->data);
break;
case CIL_STRING:
fprintf(file_arr[file_index], " %s", (char *)curr->data);
break;
case CIL_DATUM:
fprintf(file_arr[file_index], " %s", ((struct cil_symtab_datum *)curr->data)->name);
break;
case CIL_OP: {
enum cil_flavor op_flavor = *((enum cil_flavor *)curr->data);
char *op_str = NULL;
switch (op_flavor) {
case CIL_AND:
op_str = CIL_KEY_AND;
break;
case CIL_OR:
op_str = CIL_KEY_OR;
break;
case CIL_NOT:
op_str = CIL_KEY_NOT;
break;
case CIL_ALL:
op_str = CIL_KEY_ALL;
break;
case CIL_XOR:
op_str = CIL_KEY_XOR;
break;
default:
cil_log(CIL_ERR, "Unknown operator in expression\n");
break;
}
fprintf(file_arr[file_index], " %s", op_str);
break;
}
default:
cil_log(CIL_ERR, "Unknown flavor in expression\n");
break;
}
}
fprintf(file_arr[file_index], " }");
}
void cil_constrain_to_policy_helper(FILE **file_arr, char *kind, struct cil_list *classperms, struct cil_list *expr)
{
struct cil_list_item *curr;
cil_list_for_each(curr, classperms) {
if (curr->flavor == CIL_CLASSPERMS) {
struct cil_classperms *cp = curr->data;
if (FLAVOR(cp->class) == CIL_CLASS) {
fprintf(file_arr[CONSTRAINS], "%s %s", kind, cp->class->datum.name);
cil_perms_to_policy(file_arr, CONSTRAINS, cp->perms);
fprintf(file_arr[CONSTRAINS], "\n\t");
cil_expr_to_policy(file_arr, CONSTRAINS, expr);
fprintf(file_arr[CONSTRAINS], ";\n");
} else { /* MAP */
struct cil_list_item *i = NULL;
cil_list_for_each(i, cp->perms) {
struct cil_perm *cmp = i->data;
cil_constrain_to_policy_helper(file_arr, kind, cmp->classperms, expr);
}
}
} else { /* SET */
struct cil_classperms_set *cp_set = curr->data;
struct cil_classpermission *cp = cp_set->set;
cil_constrain_to_policy_helper(file_arr, kind, cp->classperms, expr);
}
}
}
void cil_constrain_to_policy(FILE **file_arr, __attribute__((unused)) uint32_t file_index, struct cil_constrain *cons, enum cil_flavor flavor)
{
char *kind = NULL;
if (flavor == CIL_CONSTRAIN) {
kind = CIL_KEY_CONSTRAIN;
} else if (flavor == CIL_MLSCONSTRAIN) {
kind = CIL_KEY_MLSCONSTRAIN;
}
cil_constrain_to_policy_helper(file_arr, kind, cons->classperms, cons->datum_expr);
}
void cil_avrule_to_policy_helper(FILE **file_arr, uint32_t file_index, const char *kind, const char *src, const char *tgt, struct cil_list *classperms)
{
struct cil_list_item *i;
cil_list_for_each(i, classperms) {
if (i->flavor == CIL_CLASSPERMS) {
struct cil_classperms *cp = i->data;
if (FLAVOR(cp->class) == CIL_CLASS) {
fprintf(file_arr[file_index], "%s %s %s: %s", kind, src, tgt, cp->class->datum.name);
cil_perms_to_policy(file_arr, file_index, cp->perms);
fprintf(file_arr[file_index], ";\n");
} else { /* MAP */
struct cil_list_item *j = NULL;
cil_list_for_each(j, cp->perms) {
struct cil_perm *cmp = j->data;
cil_avrule_to_policy_helper(file_arr, file_index, kind, src, tgt, cmp->classperms);
}
}
} else { /* SET */
struct cil_list_item *j;
struct cil_classperms_set *cp_set = i->data;
struct cil_classpermission *cp = cp_set->set;
cil_list_for_each(j, cp->classperms) {
cil_avrule_to_policy_helper(file_arr, file_index, kind, src, tgt, j->data);
}
}
}
}
int cil_avrule_to_policy(FILE **file_arr, uint32_t file_index, struct cil_avrule *rule)
{
const char *kind_str = NULL;
const char *src_str = DATUM(rule->src)->name;
const char *tgt_str = DATUM(rule->tgt)->name;
switch (rule->rule_kind) {
case CIL_AVRULE_ALLOWED:
kind_str = "allow";
break;
case CIL_AVRULE_AUDITALLOW:
kind_str = "auditallow";
break;
case CIL_AVRULE_DONTAUDIT:
kind_str = "dontaudit";
break;
case CIL_AVRULE_NEVERALLOW:
kind_str = "neverallow";
break;
default :
cil_log(CIL_INFO, "Unknown avrule with kind=%d src=%s tgt=%s\n",
rule->rule_kind, src_str, tgt_str);
return SEPOL_ERR;
}
cil_avrule_to_policy_helper(file_arr, file_index, kind_str, src_str, tgt_str, rule->perms.classperms);
return SEPOL_OK;
}
int cil_typerule_to_policy(FILE **file_arr, __attribute__((unused)) uint32_t file_index, struct cil_type_rule *rule)
{
char *src_str = ((struct cil_symtab_datum*)rule->src)->name;
char *tgt_str = ((struct cil_symtab_datum*)rule->tgt)->name;
char *obj_str = ((struct cil_symtab_datum*)rule->obj)->name;
char *result_str = ((struct cil_symtab_datum*)rule->result)->name;
switch (rule->rule_kind) {
case CIL_TYPE_TRANSITION:
fprintf(file_arr[ALLOWS], "type_transition %s %s : %s %s;\n", src_str, tgt_str, obj_str, result_str);
break;
case CIL_TYPE_CHANGE:
fprintf(file_arr[ALLOWS], "type_change %s %s : %s %s\n;", src_str, tgt_str, obj_str, result_str);
break;
case CIL_TYPE_MEMBER:
fprintf(file_arr[ALLOWS], "type_member %s %s : %s %s;\n", src_str, tgt_str, obj_str, result_str);
break;
default:
cil_log(CIL_INFO, "Unknown type_rule\n");
return SEPOL_ERR;
}
return SEPOL_OK;
}
int cil_nametypetransition_to_policy(FILE **file_arr, uint32_t file_index, struct cil_nametypetransition *nametypetrans)
{
char *src_str = ((struct cil_symtab_datum*)nametypetrans->src)->name;
char *tgt_str = ((struct cil_symtab_datum*)nametypetrans->tgt)->name;
char *obj_str = ((struct cil_symtab_datum*)nametypetrans->obj)->name;
char *result_str = ((struct cil_symtab_datum*)nametypetrans->result)->name;
fprintf(file_arr[file_index], "type_transition %s %s : %s %s %s;\n", src_str, tgt_str, obj_str, result_str, nametypetrans->name_str);
return SEPOL_OK;
}
static int cil_expr_to_string(struct cil_list *expr, char **out)
{
int rc = SEPOL_ERR;
struct cil_list_item *curr;
char *stack[COND_EXPR_MAXDEPTH] = {};
int pos = 0;
int i;
cil_list_for_each(curr, expr) {
if (pos > COND_EXPR_MAXDEPTH) {
rc = SEPOL_ERR;
goto exit;
}
switch (curr->flavor) {
case CIL_LIST:
rc = cil_expr_to_string(curr->data, &stack[pos]);
if (rc != SEPOL_OK) {
goto exit;
}
pos++;
break;
case CIL_STRING:
stack[pos] = curr->data;
pos++;
break;
case CIL_DATUM:
stack[pos] = ((struct cil_symtab_datum *)curr->data)->name;
pos++;
break;
case CIL_OP: {
int len;
char *expr_str;
enum cil_flavor op_flavor = *((enum cil_flavor *)curr->data);
char *op_str = NULL;
if (pos == 0) {
rc = SEPOL_ERR;
goto exit;
}
switch (op_flavor) {
case CIL_AND:
op_str = CIL_KEY_AND;
break;
case CIL_OR:
op_str = CIL_KEY_OR;
break;
case CIL_NOT:
op_str = CIL_KEY_NOT;
break;
case CIL_ALL:
op_str = CIL_KEY_ALL;
break;
case CIL_EQ:
op_str = CIL_KEY_EQ;
break;
case CIL_NEQ:
op_str = CIL_KEY_NEQ;
break;
case CIL_XOR:
op_str = CIL_KEY_XOR;
break;
case CIL_CONS_DOM:
op_str = CIL_KEY_CONS_DOM;
break;
case CIL_CONS_DOMBY:
op_str = CIL_KEY_CONS_DOMBY;
break;
case CIL_CONS_INCOMP:
op_str = CIL_KEY_CONS_INCOMP;
break;
default:
cil_log(CIL_ERR, "Unknown operator in expression\n");
goto exit;
break;
}
if (op_flavor == CIL_NOT) {
len = strlen(stack[pos-1]) + strlen(op_str) + 4;
expr_str = cil_malloc(len);
snprintf(expr_str, len, "(%s %s)", op_str, stack[pos-1]);
free(stack[pos-1]);
stack[pos-1] = NULL;
pos--;
} else {
if (pos < 2) {
rc = SEPOL_ERR;
goto exit;
}
len = strlen(stack[pos-1]) + strlen(stack[pos-2]) + strlen(op_str) + 5;
expr_str = cil_malloc(len);
snprintf(expr_str, len, "(%s %s %s)", stack[pos-1], op_str, stack[pos-2]);
free(stack[pos-2]);
free(stack[pos-1]);
stack[pos-2] = NULL;
stack[pos-1] = NULL;
pos -= 2;
}
stack[pos] = expr_str;
pos++;
break;
}
case CIL_CONS_OPERAND: {
enum cil_flavor operand_flavor = *((enum cil_flavor *)curr->data);
char *operand_str = NULL;
switch (operand_flavor) {
case CIL_CONS_U1:
operand_str = CIL_KEY_CONS_U1;
break;
case CIL_CONS_U2:
operand_str = CIL_KEY_CONS_U2;
break;
case CIL_CONS_U3:
operand_str = CIL_KEY_CONS_U3;
break;
case CIL_CONS_T1:
operand_str = CIL_KEY_CONS_T1;
break;
case CIL_CONS_T2:
operand_str = CIL_KEY_CONS_T2;
break;
case CIL_CONS_T3:
operand_str = CIL_KEY_CONS_T3;
break;
case CIL_CONS_R1:
operand_str = CIL_KEY_CONS_R1;
break;
case CIL_CONS_R2:
operand_str = CIL_KEY_CONS_R2;
break;
case CIL_CONS_R3:
operand_str = CIL_KEY_CONS_R3;
break;
case CIL_CONS_L1:
operand_str = CIL_KEY_CONS_L1;
break;
case CIL_CONS_L2:
operand_str = CIL_KEY_CONS_L2;
break;
case CIL_CONS_H1:
operand_str = CIL_KEY_CONS_H1;
break;
case CIL_CONS_H2:
operand_str = CIL_KEY_CONS_H2;
break;
default:
cil_log(CIL_ERR, "Unknown operand in expression\n");
goto exit;
break;
}
stack[pos] = operand_str;
pos++;
break;
}
default:
cil_log(CIL_ERR, "Unknown flavor in expression\n");
goto exit;
break;
}
}
*out = stack[0];
return SEPOL_OK;
exit:
for (i = 0; i < pos; i++) {
free(stack[i]);
}
return rc;
}
int cil_expr_to_policy(FILE **file_arr, uint32_t file_index, struct cil_list *expr)
{
int rc = SEPOL_ERR;
char *str_out;
rc = cil_expr_to_string(expr, &str_out);
if (rc != SEPOL_OK) {
goto out;
}
fprintf(file_arr[file_index], "%s", str_out);
free(str_out);
return SEPOL_OK;
out:
return rc;
}
int __cil_booleanif_node_helper(struct cil_tree_node *node, __attribute__((unused)) uint32_t *finished, void *extra_args)
{
int rc = SEPOL_ERR;
struct cil_args_booleanif *args;
FILE **file_arr;
uint32_t *file_index;
args = extra_args;
file_arr = args->file_arr;
file_index = args->file_index;
switch (node->flavor) {
case CIL_AVRULE:
rc = cil_avrule_to_policy(file_arr, *file_index, (struct cil_avrule*)node->data);
if (rc != SEPOL_OK) {
cil_log(CIL_INFO, "cil_avrule_to_policy failed, rc: %d\n", rc);
return rc;
}
break;
case CIL_TYPE_RULE:
rc = cil_typerule_to_policy(file_arr, *file_index, (struct cil_type_rule*)node->data);
if (rc != SEPOL_OK) {
cil_log(CIL_INFO, "cil_typerule_to_policy failed, rc: %d\n", rc);
return rc;
}
break;
case CIL_FALSE:
fprintf(file_arr[*file_index], "else {\n");
break;
case CIL_TRUE:
break;
default:
return SEPOL_ERR;
}
return SEPOL_OK;
}
int __cil_booleanif_last_child_helper(struct cil_tree_node *node, void *extra_args)
{
struct cil_args_booleanif *args;
FILE **file_arr;
uint32_t *file_index;
args = extra_args;
file_arr = args->file_arr;
file_index = args->file_index;
if (node->parent->flavor == CIL_FALSE) {
fprintf(file_arr[*file_index], "}\n");
}
return SEPOL_OK;
}
int cil_booleanif_to_policy(FILE **file_arr, uint32_t file_index, struct cil_tree_node *node)
{
int rc = SEPOL_ERR;
struct cil_booleanif *bif = node->data;
struct cil_list *expr = bif->datum_expr;
struct cil_args_booleanif extra_args;
struct cil_tree_node *true_node = NULL;
struct cil_tree_node *false_node = NULL;
struct cil_condblock *cb = NULL;
extra_args.file_arr = file_arr;
extra_args.file_index = &file_index;;
fprintf(file_arr[file_index], "if ");
rc = cil_expr_to_policy(file_arr, file_index, expr);
if (rc != SEPOL_OK) {
cil_log(CIL_ERR, "Failed to write expression\n");
return rc;
}
if (node->cl_head != NULL && node->cl_head->flavor == CIL_CONDBLOCK) {
cb = node->cl_head->data;
if (cb->flavor == CIL_CONDTRUE) {
true_node = node->cl_head;
} else if (cb->flavor == CIL_CONDFALSE) {
false_node = node->cl_head;
}
}
if (node->cl_head != NULL && node->cl_head->next != NULL && node->cl_head->next->flavor == CIL_CONDBLOCK) {
cb = node->cl_head->next->data;
if (cb->flavor == CIL_CONDTRUE) {
true_node = node->cl_head->next;
} else if (cb->flavor == CIL_CONDFALSE) {
false_node = node->cl_head->next;
}
}
fprintf(file_arr[file_index], "{\n");
if (true_node != NULL) {
rc = cil_tree_walk(true_node, __cil_booleanif_node_helper, __cil_booleanif_last_child_helper, NULL, &extra_args);
if (rc != SEPOL_OK) {
cil_log(CIL_INFO, "Failed to write booleanif content to file, rc: %d\n", rc);
return rc;
}
}
fprintf(file_arr[file_index], "}\n");
if (false_node != NULL) {
fprintf(file_arr[file_index], "else {\n");
rc = cil_tree_walk(false_node, __cil_booleanif_node_helper, __cil_booleanif_last_child_helper, NULL, &extra_args);
if (rc != SEPOL_OK) {
cil_log(CIL_INFO, "Failed to write booleanif false content to file, rc: %d\n", rc);
return rc;
}
fprintf(file_arr[file_index], "}\n");
}
return SEPOL_OK;
}
int cil_name_to_policy(FILE **file_arr, struct cil_tree_node *current)
{
uint32_t flavor = current->flavor;
int rc = SEPOL_ERR;
switch(flavor) {
case CIL_TYPEATTRIBUTE:
fprintf(file_arr[TYPEATTRTYPES], "attribute %s;\n", ((struct cil_symtab_datum*)current->data)->name);
break;
case CIL_TYPE:
fprintf(file_arr[TYPEATTRTYPES], "type %s;\n", ((struct cil_symtab_datum*)current->data)->name);
break;
case CIL_TYPEALIAS: {
struct cil_alias *alias = current->data;
fprintf(file_arr[ALIASES], "typealias %s alias %s;\n", ((struct cil_symtab_datum*)alias->actual)->name, ((struct cil_symtab_datum*)current->data)->name);
break;
}
case CIL_TYPEBOUNDS: {
struct cil_bounds *bnds = current->data;
fprintf(file_arr[ALLOWS], "typebounds %s %s;\n", bnds->parent_str, bnds->child_str);
break;
}
case CIL_TYPEPERMISSIVE: {
struct cil_typepermissive *typeperm = (struct cil_typepermissive*)current->data;
fprintf(file_arr[TYPEATTRTYPES], "permissive %s;\n", ((struct cil_symtab_datum*)typeperm->type)->name);
break;
}
case CIL_ROLE:
fprintf(file_arr[TYPEATTRTYPES], "role %s;\n", ((struct cil_symtab_datum*)current->data)->name);
break;
case CIL_BOOL: {
const char *boolean = ((struct cil_bool*)current->data)->value ? "true" : "false";
fprintf(file_arr[TYPEATTRTYPES], "bool %s %s;\n", ((struct cil_symtab_datum*)current->data)->name, boolean);
break;
}
case CIL_COMMON:
fprintf(file_arr[COMMONS], "common %s", ((struct cil_symtab_datum*)current->data)->name);
if (current->cl_head != NULL) {
current = current->cl_head;
fprintf(file_arr[COMMONS], " {");
} else {
cil_log(CIL_INFO, "No permissions given\n");
return SEPOL_ERR;
}
while (current != NULL) {
if (current->flavor == CIL_PERM) {
fprintf(file_arr[COMMONS], "%s ", ((struct cil_symtab_datum*)current->data)->name);
} else {
cil_log(CIL_INFO, "Improper data type found in common permissions: %d\n", current->flavor);
return SEPOL_ERR;
}
current = current->next;
}
fprintf(file_arr[COMMONS], "}\n");
return SEPOL_DONE;
case CIL_AVRULE: {
struct cil_avrule *avrule = (struct cil_avrule*)current->data;
rc = cil_avrule_to_policy(file_arr, ALLOWS, avrule);
if (rc != SEPOL_OK) {
cil_log(CIL_INFO, "Failed to write avrule to policy\n");
return rc;
}
break;
}
case CIL_TYPE_RULE: {
struct cil_type_rule *rule = (struct cil_type_rule*)current->data;
rc = cil_typerule_to_policy(file_arr, ALLOWS, rule);
if (rc != SEPOL_OK) {
cil_log(CIL_INFO, "Failed to write type rule to policy\n");
return rc;
}
break;
}
case CIL_NAMETYPETRANSITION: {
struct cil_nametypetransition *nametypetrans = (struct cil_nametypetransition*)current->data;
rc = cil_nametypetransition_to_policy(file_arr, ALLOWS, nametypetrans);
if (rc != SEPOL_OK) {
cil_log(CIL_INFO, "Failed to write nametypetransition to policy\n");
return rc;
}
}
case CIL_ROLETRANSITION: {
struct cil_roletransition *roletrans = (struct cil_roletransition*)current->data;
char *src_str = ((struct cil_symtab_datum*)roletrans->src)->name;
char *tgt_str = ((struct cil_symtab_datum*)roletrans->tgt)->name;
char *obj_str = ((struct cil_symtab_datum*)roletrans->obj)->name;
char *result_str = ((struct cil_symtab_datum*)roletrans->result)->name;
fprintf(file_arr[ALLOWS], "role_transition %s %s:%s %s;\n", src_str, tgt_str, obj_str, result_str);
break;
}
case CIL_ROLEALLOW: {
struct cil_roleallow *roleallow = (struct cil_roleallow*)current->data;
char *src_str = ((struct cil_symtab_datum*)roleallow->src)->name;
char *tgt_str = ((struct cil_symtab_datum*)roleallow->tgt)->name;
fprintf(file_arr[ALLOWS], "roleallow %s %s;\n", src_str, tgt_str);
break;
}
case CIL_ROLETYPE: {
struct cil_roletype *roletype = (struct cil_roletype*)current->data;
char *role_str = ((struct cil_symtab_datum*)roletype->role)->name;
char *type_str = ((struct cil_symtab_datum*)roletype->type)->name;
fprintf(file_arr[ALIASES], "role %s types %s\n", role_str, type_str);
break;
}
case CIL_LEVEL:
fprintf(file_arr[LEVELS], "level ");
cil_level_to_policy(file_arr, LEVELS, (struct cil_level*)current->data);
fprintf(file_arr[LEVELS], ";\n");
break;
case CIL_CONSTRAIN:
cil_constrain_to_policy(file_arr, CONSTRAINS, (struct cil_constrain*)current->data, flavor);
break;
case CIL_MLSCONSTRAIN:
cil_constrain_to_policy(file_arr, CONSTRAINS, (struct cil_constrain*)current->data, flavor);
break;
case CIL_VALIDATETRANS: {
struct cil_validatetrans *vt = current->data;
fprintf(file_arr[CONSTRAINS], "validatetrans");
fprintf(file_arr[CONSTRAINS], " %s ", ((struct cil_class*)vt->class)->datum.name);
cil_expr_to_policy(file_arr, CONSTRAINS, vt->datum_expr);
fprintf(file_arr[CONSTRAINS], ";\n");
break;
}
case CIL_MLSVALIDATETRANS: {
struct cil_validatetrans *vt = current->data;
fprintf(file_arr[CONSTRAINS], "mlsvalidatetrans");
fprintf(file_arr[CONSTRAINS], " %s " , ((struct cil_class*)vt->class)->datum.name);
cil_expr_to_policy(file_arr, CONSTRAINS, vt->datum_expr);
fprintf(file_arr[CONSTRAINS], ";\n");
break;
}
case CIL_SID:
fprintf(file_arr[ISIDS], "sid %s\n", ((struct cil_symtab_datum*)current->data)->name);
break;
case CIL_SIDCONTEXT: {
struct cil_sidcontext *sidcon = (struct cil_sidcontext*)current->data;
fprintf(file_arr[SIDS], "sid %s ", sidcon->sid_str);
cil_context_to_policy(file_arr, SIDS, sidcon->context);
fprintf(file_arr[SIDS], "\n");
break;
}
case CIL_POLICYCAP:
fprintf(file_arr[TYPEATTRTYPES], "policycap %s;\n", ((struct cil_symtab_datum*)current->data)->name);
break;
default:
break;
}
return SEPOL_OK;
}
int __cil_gen_policy_node_helper(struct cil_tree_node *node, uint32_t *finished, void *extra_args)
{
int rc = SEPOL_ERR;
struct cil_args_genpolicy *args = NULL;
struct cil_list *users = NULL;
struct cil_list *sens = NULL;
struct cil_list *cats = NULL;
FILE **file_arr = NULL;
if (extra_args == NULL) {
return SEPOL_ERR;
}
*finished = CIL_TREE_SKIP_NOTHING;
args = extra_args;
users = args->users;
sens = args->sens;
cats = args->cats;
file_arr = args->file_arr;
if (node->cl_head != NULL) {
if (node->flavor == CIL_MACRO) {
*finished = CIL_TREE_SKIP_HEAD;
return SEPOL_OK;
}
if (node->flavor == CIL_BOOLEANIF) {
rc = cil_booleanif_to_policy(file_arr, CONDS, node);
if (rc != SEPOL_OK) {
cil_log(CIL_INFO, "Failed to write booleanif contents to file\n");
return rc;
}
*finished = CIL_TREE_SKIP_HEAD;
return SEPOL_OK;
}
if (node->flavor == CIL_BLOCK && ((struct cil_block*)node->data)->is_abstract == CIL_TRUE) {
*finished = CIL_TREE_SKIP_HEAD;
return SEPOL_OK;
}
if (node->flavor != CIL_ROOT) {
rc = cil_name_to_policy(file_arr, node);
if (rc != SEPOL_OK && rc != SEPOL_DONE) {
cil_log(CIL_ERR, "Error converting node to policy %d\n", node->flavor);
return SEPOL_ERR;
}
}
} else {
switch (node->flavor) {
case CIL_USER:
cil_multimap_insert(users, node->data, NULL, CIL_USERROLE, CIL_NONE);
break;
case CIL_CATALIAS: {
struct cil_alias *alias = node->data;
struct cil_symtab_datum *datum = alias->actual;
cil_multimap_insert(cats, datum, node->data, CIL_CAT, CIL_CATALIAS);
}
break;
case CIL_SENSALIAS: {
struct cil_alias *alias = node->data;
struct cil_symtab_datum *datum = alias->actual;
cil_multimap_insert(sens, datum, node->data, CIL_SENS, CIL_SENSALIAS);
}
break;
default:
rc = cil_name_to_policy(file_arr, node);
if (rc != SEPOL_OK && rc != SEPOL_DONE) {
cil_log(CIL_ERR, "Error converting node to policy %d\n", rc);
return SEPOL_ERR;
}
break;
}
}
return SEPOL_OK;
}
int cil_gen_policy(struct cil_db *db)
{
struct cil_tree_node *curr = db->ast->root;
struct cil_list_item *item;
int rc = SEPOL_ERR;
FILE *policy_file;
FILE **file_arr = cil_malloc(sizeof(FILE*) * NUM_POLICY_FILES);
char *file_path_arr[NUM_POLICY_FILES];
char temp[32];
struct cil_list *users = NULL;
struct cil_list *cats = NULL;
struct cil_list *sens = NULL;
struct cil_args_genpolicy extra_args;
cil_list_init(&users, CIL_LIST_ITEM);
cil_list_init(&cats, CIL_LIST_ITEM);
cil_list_init(&sens, CIL_LIST_ITEM);
strcpy(temp, "/tmp/cil_classdecl-XXXXXX");
file_arr[CLASS_DECL] = fdopen(mkstemp(temp), "w+");
file_path_arr[CLASS_DECL] = cil_strpool_add(temp);
strcpy(temp, "/tmp/cil_isids-XXXXXX");
file_arr[ISIDS] = fdopen(mkstemp(temp), "w+");
file_path_arr[ISIDS] = cil_strpool_add(temp);
strcpy(temp,"/tmp/cil_common-XXXXXX");
file_arr[COMMONS] = fdopen(mkstemp(temp), "w+");
file_path_arr[COMMONS] = cil_strpool_add(temp);
strcpy(temp, "/tmp/cil_class-XXXXXX");
file_arr[CLASSES] = fdopen(mkstemp(temp), "w+");
file_path_arr[CLASSES] = cil_strpool_add(temp);
strcpy(temp, "/tmp/cil_interf-XXXXXX");
file_arr[INTERFACES] = fdopen(mkstemp(temp), "w+");
file_path_arr[INTERFACES] = cil_strpool_add(temp);
strcpy(temp, "/tmp/cil_sens-XXXXXX");
file_arr[SENS] = fdopen(mkstemp(temp), "w+");
file_path_arr[SENS] = cil_strpool_add(temp);
strcpy(temp, "/tmp/cil_cats-XXXXXX");
file_arr[CATS] = fdopen(mkstemp(temp), "w+");
file_path_arr[CATS] = cil_strpool_add(temp);
strcpy(temp, "/tmp/cil_levels-XXXXXX");
file_arr[LEVELS] = fdopen(mkstemp(temp), "w+");
file_path_arr[LEVELS] = cil_strpool_add(temp);
strcpy(temp, "/tmp/cil_mlscon-XXXXXX");
file_arr[CONSTRAINS] = fdopen(mkstemp(temp), "w+");
file_path_arr[CONSTRAINS] = cil_strpool_add(temp);
strcpy(temp, "/tmp/cil_attrtypes-XXXXXX");
file_arr[TYPEATTRTYPES] = fdopen(mkstemp(temp), "w+");
file_path_arr[TYPEATTRTYPES] = cil_strpool_add(temp);
strcpy(temp, "/tmp/cil_aliases-XXXXXX");
file_arr[ALIASES] = fdopen(mkstemp(temp), "w+");
file_path_arr[ALIASES] = cil_strpool_add(temp);
strcpy(temp, "/tmp/cil_allows-XXXXXX");
file_arr[ALLOWS] = fdopen(mkstemp(temp), "w+");
file_path_arr[ALLOWS] = cil_strpool_add(temp);
strcpy(temp, "/tmp/cil_conds-XXXXXX");
file_arr[CONDS] = fdopen(mkstemp(temp), "w+");
file_path_arr[CONDS] = cil_strpool_add(temp);
strcpy(temp, "/tmp/cil_userroles-XXXXXX");
file_arr[USERROLES] = fdopen(mkstemp(temp), "w+");
file_path_arr[USERROLES] = cil_strpool_add(temp);
strcpy(temp, "/tmp/cil_sids-XXXXXX");
file_arr[SIDS] = fdopen(mkstemp(temp), "w+");
file_path_arr[SIDS] = cil_strpool_add(temp);
strcpy(temp, "/tmp/cil_netifcons-XXXXXX");
file_arr[NETIFCONS] = fdopen(mkstemp(temp), "w+");
file_path_arr[NETIFCONS] = cil_strpool_add(temp);
policy_file = fopen("policy.conf", "w+");
cil_list_for_each(item, db->sidorder) {
fprintf(file_arr[ISIDS], "sid %s ", ((struct cil_sid*)item->data)->datum.name);
}
cil_list_for_each(item, db->classorder) {
struct cil_class *class = item->data;
struct cil_tree_node *node = class->datum.nodes->head->data;
fprintf(file_arr[CLASS_DECL], "class %s\n", class->datum.name);
fprintf(file_arr[CLASSES], "class %s ", class->datum.name);
if (class->common != NULL) {
fprintf(file_arr[CLASSES], "inherits %s ", class->common->datum.name);
}
if (node->cl_head != NULL) {
struct cil_tree_node *curr_perm = node->cl_head;
fprintf(file_arr[CLASSES], "{ ");
while (curr_perm != NULL) {
fprintf(file_arr[CLASSES], "%s ", ((struct cil_symtab_datum*)curr_perm->data)->name);
curr_perm = curr_perm->next;
}
fprintf(file_arr[CLASSES], "}");
}
fprintf(file_arr[CLASSES], "\n");
}
if (db->catorder->head != NULL) {
cil_list_for_each(item, db->catorder) {
cil_multimap_insert(cats, item->data, NULL, CIL_CAT, 0);
}
}
if (db->sensitivityorder->head != NULL) {
fprintf(file_arr[SENS], "sensitivityorder { ");
cil_list_for_each(item, db->sensitivityorder) {
fprintf(file_arr[SENS], "%s ", ((struct cil_sens*)item->data)->datum.name);
}
fprintf(file_arr[SENS], "};\n");
}
extra_args.users = users;
extra_args.sens = sens;
extra_args.cats = cats;
extra_args.file_arr= file_arr;
rc = cil_tree_walk(curr, __cil_gen_policy_node_helper, NULL, NULL, &extra_args);
if (rc != SEPOL_OK) {
cil_log(CIL_ERR, "Error walking tree\n");
return rc;
}
rc = cil_netifcon_to_policy(file_arr, db->netifcon);
if (rc != SEPOL_OK) {
cil_log(CIL_ERR, "Error creating policy.conf\n");
return rc;
}
rc = cil_genfscon_to_policy(file_arr, db->genfscon);
if (rc != SEPOL_OK) {
cil_log(CIL_ERR, "Error creating policy.conf\n");
return rc;
}
rc = cil_portcon_to_policy(file_arr, db->portcon);
if (rc != SEPOL_OK) {
cil_log(CIL_ERR, "Error creating policy.conf\n");
return rc;
}
rc = cil_nodecon_to_policy(file_arr, db->nodecon);
if (rc != SEPOL_OK) {
cil_log(CIL_ERR, "Error creating policy.conf\n");
return rc;
}
rc = cil_fsuse_to_policy(file_arr, db->fsuse);
if (rc != SEPOL_OK) {
cil_log(CIL_ERR, "Error creating policy.conf\n");
return rc;
}
rc = cil_pirqcon_to_policy(file_arr, db->pirqcon);
if (rc != SEPOL_OK) {
cil_log(CIL_ERR, "Error creating policy.conf\n");
return rc;
}
rc = cil_iomemcon_to_policy(file_arr, db->iomemcon);
if (rc != SEPOL_OK) {
cil_log(CIL_ERR, "Error creating policy.conf\n");
return rc;
}
rc = cil_ioportcon_to_policy(file_arr, db->ioportcon);
if (rc != SEPOL_OK) {
cil_log(CIL_ERR, "Error creating policy.conf\n");
return rc;
}
rc = cil_pcidevicecon_to_policy(file_arr, db->pcidevicecon);
if (rc != SEPOL_OK) {
cil_log(CIL_ERR, "Error creating policy.conf\n");
return rc;
}
rc = cil_userrole_to_policy(file_arr, users);
if (rc != SEPOL_OK) {
cil_log(CIL_ERR, "Error creating policy.conf\n");
return SEPOL_ERR;
}
rc = cil_sens_to_policy(file_arr, sens);
if (rc != SEPOL_OK) {
cil_log(CIL_ERR, "Error creating policy.conf\n");
return SEPOL_ERR;
}
rc = cil_cat_to_policy(file_arr, cats);
if (rc != SEPOL_OK) {
cil_log(CIL_ERR, "Error creating policy.conf\n");
return SEPOL_ERR;
}
rc = cil_combine_policy(file_arr, policy_file);
if (rc != SEPOL_OK) {
cil_log(CIL_ERR, "Error creating policy.conf\n");
return SEPOL_ERR;
}
// Remove temp files
int i;
for (i=0; i<NUM_POLICY_FILES; i++) {
rc = fclose(file_arr[i]);
if (rc != 0) {
cil_log(CIL_ERR, "Error closing temporary file\n");
return SEPOL_ERR;
}
rc = unlink(file_path_arr[i]);
if (rc != 0) {
cil_log(CIL_ERR, "Error unlinking temporary files\n");
return SEPOL_ERR;
}
}
rc = fclose(policy_file);
if (rc != 0) {
cil_log(CIL_ERR, "Error closing policy.conf\n");
return SEPOL_ERR;
}
free(file_arr);
cil_list_destroy(&users, CIL_FALSE);
cil_list_destroy(&cats, CIL_FALSE);
cil_list_destroy(&sens, CIL_FALSE);
return SEPOL_OK;
}