From dbe890ab9f74c9514a0f8839591eb3c4c70a6e03 Mon Sep 17 00:00:00 2001
From: James Carter <jwcart2@gmail.com>
Date: Tue, 16 Mar 2021 14:42:36 -0400
Subject: [PATCH] libsepol: Enclose identifier lists in constraint expressions

When writing a policy.conf from a kernel policy, if there are
multiple users, roles, or types, then the list needs to be enclosed
by "{" and "}".

When writing a constraint expression, check to see if there are
multiple identifiers in the names string and enclose the list
with "{" and "}" if there are.

Signed-off-by: James Carter <jwcart2@gmail.com>
---
 libsepol/src/kernel_to_conf.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/libsepol/src/kernel_to_conf.c b/libsepol/src/kernel_to_conf.c
index cd5a517abb59..5db47fe4f567 100644
--- a/libsepol/src/kernel_to_conf.c
+++ b/libsepol/src/kernel_to_conf.c
@@ -188,7 +188,11 @@ static char *constraint_expr_to_str(struct policydb *pdb, struct constraint_expr
 				if (!names) {
 					names = strdup("NO_IDENTIFIER");
 				}
-				new_val = create_str("%s %s %s", 3, attr1, op, names);
+				if (strchr(names, ' ')) {
+					new_val = create_str("%s %s { %s }", 3, attr1, op, names);
+				} else {
+					new_val = create_str("%s %s %s", 3, attr1, op, names);
+				}
 				free(names);
 			}
 		} else {
-- 
2.32.0