Since CIL treats files as modules and does not have a separate
module statement it can cause confusion when a Refpolicy module
has a name that is different than its base filename because older
SELinux userspaces will refer to the module by its module name while
a CIL-based userspace will refer to it by its filename.

Because of this, have checkmodule fail when compiling a module and
the output base filename is different than the module name.

Signed-off-by: James Carter <[email protected]>
---
 checkpolicy/checkmodule.c | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/checkpolicy/checkmodule.c b/checkpolicy/checkmodule.c
index 5957d29..418f77b 100644
--- a/checkpolicy/checkmodule.c
+++ b/checkpolicy/checkmodule.c
@@ -19,6 +19,7 @@
 #include <stdio.h>
 #include <errno.h>
 #include <sys/mman.h>
+#include <libgen.h>
 
 #include <sepol/module_to_cil.h>
 #include <sepol/policydb/policydb.h>
@@ -258,6 +259,25 @@ int main(int argc, char **argv)
                }
        }
 
+       if (policy_type != POLICY_BASE && outfile) {
+               char *mod_name = modpolicydb.name;
+               char *out_path = strdup(outfile);
+               if (out_path == NULL) {
+                       fprintf(stderr, "%s:  out of memory\n", argv[0]);
+                       exit(1);
+               }
+               char *out_name = basename(out_path);
+               char *separator = strrchr(out_name, '.');
+               if (separator) {
+                       *separator = '\0';
+               }
+               if (strcmp(mod_name, out_name) != 0) {
+                       fprintf(stderr, "%s:  Module name %s is different than 
the output base filename %s\n", argv[0], mod_name, out_name);
+                       exit(1);
+               }
+               free(out_path);
+       }
+
        if (modpolicydb.policy_type == POLICY_BASE && !cil) {
                /* Verify that we can successfully expand the base module. */
                policydb_t kernpolicydb;
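Review bot: The suffix stripping in the new block cuts out_name at the last '.' only (strrchr), so an output name with more than one dot, such as a constructed "-o mymod.pp.tmp", is compared as "mymod.pp" and rejected even when the module name is "mymod". If only single-suffix output names are meant to be accepted, say so in the error message or the documentation; otherwise consider checking that out_name begins with mod_name and is followed by '.' or the end of the string. Two smaller points: out_path is freed on the success path but not before the exit(1) on mismatch, which is harmless but inconsistent, and the fprintf format string is split across two lines as posted, so it needs to be rejoined into one line before the patch will apply and compile.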
-- 
2.5.5
