
lujie/libsepol

forked from src-openEuler/libsepol 
This repository declares no open-source license file (LICENSE); check the project description and its upstream code dependencies before use.
backport-libsepol-Remove-special-handling-of-roles-in-module_to_cil.patch 3.58 KB
fly_fzc committed on 2025-04-28 17:45 +08:00: sync branch patches
From 7450510d9032c0f4d936d4ecb005f0454f65a66e Mon Sep 17 00:00:00 2001
From: James Carter <jwcart2@gmail.com>
Date: Mon, 21 Apr 2025 11:55:41 +0800
Subject: [PATCH] libsepol-Remove-special-handling-of-roles-in-module_to_cil
Reference: https://github.com/SELinuxProject/selinux/commit/be11f48b7a4a0782d79a40ec623e133221c55035
---
libsepol/src/module_to_cil.c | 50 +-----------------------------------
1 file changed, 1 insertion(+), 49 deletions(-)
diff --git a/libsepol/src/module_to_cil.c b/libsepol/src/module_to_cil.c
index 604eada..73e5240 100644
--- a/libsepol/src/module_to_cil.c
+++ b/libsepol/src/module_to_cil.c
@@ -2132,39 +2132,7 @@ static int role_to_cil(int indent, struct policydb *pdb, struct avrule_block *UN
switch (role->flavor) {
case ROLE_ROLE:
if (scope == SCOPE_DECL) {
- // Only declare certain roles if we are reading a base module.
- // These roles are defined in the base module and sometimes in
- // other non-base modules. If we generated the roles regardless of
- // the policy type, it would result in duplicate declarations,
- // which isn't allowed in CIL. Patches have been made to refpolicy
- // to remove these duplicate role declarations, but we need to be
- // backwards compatible and support older policies. Since we know
- // these roles are always declared in base, only print them when we
- // see them in the base module. If the declarations appear in a
- // non-base module, ignore their declarations.
- //
- // Note that this is a hack, and if a policy author does not define
- // one of these roles in base, the declaration will not appear in
- // the resulting policy, likely resulting in a compilation error in
- // CIL.
- //
- // To make things more complicated, the auditadm_r and secadm_r
- // roles could actually be in either the base module or a non-base
- // module, or both. So we can't rely on this same behavior. So for
- // these roles, don't declare them here, even if they are in a base
- // or non-base module. Instead we will just declare them in the
- // base module elsewhere.
- int is_base_role = (!strcmp(key, "user_r") ||
- !strcmp(key, "staff_r") ||
- !strcmp(key, "sysadm_r") ||
- !strcmp(key, "system_r") ||
- !strcmp(key, "unconfined_r"));
- int is_builtin_role = (!strcmp(key, "auditadm_r") ||
- !strcmp(key, "secadm_r"));
- if ((is_base_role && pdb->policy_type == SEPOL_POLICY_BASE) ||
- (!is_base_role && !is_builtin_role)) {
- cil_println(indent, "(role %s)", key);
- }
+ cil_println(indent, "(role %s)", key);
}
if (ebitmap_cardinality(&role->dominates) > 1) {
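Review bot: The behaviour change in this hunk is not documented anywhere the reader can find it. The removed comment explained why the guard existed: CIL does not allow duplicate declarations, and older refpolicy-based policies declare user_r, staff_r, sysadm_r, system_r and unconfined_r in the base module and sometimes again in non-base modules, so the converter only emitted them for the base module. With the guard gone, every role reached with scope == SCOPE_DECL is emitted unconditionally as `(role %s)`, so an unpatched policy of that kind will now produce duplicate `(role ...)` statements and fail CIL compilation instead of converting. The commit message carries only the subject line and an upstream reference; it should state that support for those older policies is being dropped deliberately and what the resulting CIL failure looks like, so the regression is traceable from the history.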
@@ -3950,17 +3918,6 @@ static int generate_default_object(void)
return 0;
}
-static int generate_builtin_roles(void)
-{
- // due to inconsistentencies between policies and CIL not allowing
- // duplicate roles, some roles are always created, regardless of if they
- // are declared in modules or not
- cil_println(0, "(role auditadm_r)");
- cil_println(0, "(role secadm_r)");
-
- return 0;
-}
-
static int generate_gen_require_attribute(void)
{
cil_println(0, "(typeattribute " GEN_REQUIRE_ATTR ")");
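Review bot: Removing generate_builtin_roles() changes the output for auditadm_r and secadm_r in the opposite direction from the first hunk, and that should be called out in the commit message as well. The removed comment states these two roles were "always created, regardless of if they are declared in modules or not"; a policy whose modules use those roles without declaring them in any module previously got its declaration from this function and will now get none, which CIL will reject as an undeclared role rather than a duplicate one. The deletion itself is clean: the function only issued two cil_println() calls and returned a constant 0, so there is no state to unwind.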
@@ -4045,11 +4002,6 @@ int sepol_module_policydb_to_cil(FILE *fp, struct policydb *pdb, int linked)
goto exit;
}
- rc = generate_builtin_roles();
- if (rc != 0) {
- goto exit;
- }
-
// default attribute to be used to mimic gen_require in CIL
rc = generate_gen_require_attribute();
if (rc != 0) {
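Review bot: With this call site gone, generate_builtin_roles() has no remaining callers, so its static definition has to be removed in the same change (as the previous hunk does) or the build would emit an unused-function warning. The rc / goto exit error-handling pattern of the neighbouring generate_* calls is untouched, so nothing else in sepol_module_policydb_to_cil() needs adjusting.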
--
2.33.0