libsepol: do not write object_r types to policy file

Originally object_r's types bitmap was empty since we exempt
object_r from the normal user-role and role-type checks. CIL
however sets object_r's types to all types to avoid special case
logic. However, the kernel does not load object_r types from the
policy file; it predefines object_r and merely validates that the
object_r definition in the policy has the expected value. Thus,
the actual policy file and the /sys/fs/selinux/policy file were
differing in their object_r entry. Fix this by not writing object_r's
types to the policy file, since they are ignored by the kernel
anyway.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

1 file changed