Home | History | Annotate | Download | only in src
      1 /*
      2  * Copyright 2011 Tresys Technology, LLC. All rights reserved.
      3  *
      4  * Redistribution and use in source and binary forms, with or without
      5  * modification, are permitted provided that the following conditions are met:
      6  *
      7  *    1. Redistributions of source code must retain the above copyright notice,
      8  *       this list of conditions and the following disclaimer.
      9  *
     10  *    2. Redistributions in binary form must reproduce the above copyright notice,
     11  *       this list of conditions and the following disclaimer in the documentation
     12  *       and/or other materials provided with the distribution.
     13  *
     14  * THIS SOFTWARE IS PROVIDED BY TRESYS TECHNOLOGY, LLC ``AS IS'' AND ANY EXPRESS
     15  * OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
     16  * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO
     17  * EVENT SHALL TRESYS TECHNOLOGY, LLC OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
     18  * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
     19  * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
     20  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
     21  * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
     22  * OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
     23  * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
     24  *
     25  * The views and conclusions contained in the software and documentation are those
     26  * of the authors and should not be interpreted as representing official policies,
     27  * either expressed or implied, of Tresys Technology, LLC.
     28  */
     29 
     30 #include <stdlib.h>
     31 #include <stdio.h>
     32 #include <string.h>
     33 #include <stdint.h>
     34 #include <unistd.h>
     35 #include <inttypes.h>
     36 
     37 #include <sepol/policydb/conditional.h>
     38 #include <sepol/errcodes.h>
     39 
     40 #include "cil_internal.h"
     41 #include "cil_flavor.h"
     42 #include "cil_find.h"
     43 #include "cil_mem.h"
     44 #include "cil_tree.h"
     45 #include "cil_list.h"
     46 #include "cil_symtab.h"
     47 
     48 
     49 enum cil_statement_list {
     50 	CIL_LIST_COMMON = 1,
     51 	CIL_LIST_DEFAULT_USER,
     52 	CIL_LIST_DEFAULT_ROLE,
     53 	CIL_LIST_DEFAULT_TYPE,
     54 	CIL_LIST_DEFAULT_RANGE,
     55 	CIL_LIST_SENSALIAS,
     56 	CIL_LIST_CATALIAS,
     57 	CIL_LIST_MLSCONSTRAIN,
     58 	CIL_LIST_MLSVALIDATETRANS,
     59 	CIL_LIST_POLICYCAP,
     60 	CIL_LIST_TYPEATTRIBUTE,
     61 	CIL_LIST_ROLEATTRIBUTE,
     62 	CIL_LIST_BOOL,
     63 	CIL_LIST_TYPE,
     64 	CIL_LIST_TYPEALIAS,
     65 	CIL_LIST_ROLE,
     66 	CIL_LIST_ROLEALLOW,
     67 	CIL_LIST_ROLETRANSITION,
     68 	CIL_LIST_USER,
     69 	CIL_LIST_CONSTRAINT,
     70 	CIL_LIST_VALIDATETRANS,
     71 	CIL_LIST_NUM_LISTS
     72 };
     73 
     74 static int __cil_gather_statements_helper(struct cil_tree_node *node, uint32_t *finished, void *extra_args)
     75 {
     76 	struct cil_list **lists;
     77 	int kind = 0;
     78 
     79 	lists = (struct cil_list **)extra_args;
     80 
     81 	switch (node->flavor) {
     82 	case CIL_BLOCK: {
     83 		struct cil_block *blk = node->data;
     84 		if (blk->is_abstract == CIL_TRUE) {
     85 			*finished = CIL_TREE_SKIP_HEAD;
     86 		}
     87 		break;
     88 	}
     89 	case CIL_MACRO:
     90 		*finished = CIL_TREE_SKIP_HEAD;
     91 		break;
     92 	case CIL_BOOLEANIF:
     93 		*finished = CIL_TREE_SKIP_HEAD;
     94 		break;
     95 	case CIL_COMMON:
     96 		kind = CIL_LIST_COMMON;
     97 		break;
     98 	case CIL_DEFAULTUSER:
     99 		kind = CIL_LIST_DEFAULT_USER;
    100 		break;
    101 	case CIL_DEFAULTROLE:
    102 		kind = CIL_LIST_DEFAULT_ROLE;
    103 		break;
    104 	case CIL_DEFAULTTYPE:
    105 		kind = CIL_LIST_DEFAULT_TYPE;
    106 		break;
    107 	case CIL_DEFAULTRANGE:
    108 		kind = CIL_LIST_DEFAULT_RANGE;
    109 		break;
    110 	case CIL_SENSALIAS:
    111 		kind = CIL_LIST_SENSALIAS;
    112 		break;
    113 	case CIL_CATALIAS:
    114 		kind = CIL_LIST_CATALIAS;
    115 		break;
    116 	case CIL_MLSCONSTRAIN:
    117 		kind = CIL_LIST_MLSCONSTRAIN;
    118 		break;
    119 	case CIL_MLSVALIDATETRANS:
    120 		kind = CIL_LIST_MLSVALIDATETRANS;
    121 		break;
    122 	case CIL_POLICYCAP:
    123 		kind = CIL_LIST_POLICYCAP;
    124 		break;
    125 	case CIL_TYPEATTRIBUTE: {
    126 		struct cil_typeattribute *attr = node->data;
    127 		if (strcmp(attr->datum.fqn, "cil_gen_require") != 0) {
    128 			kind = CIL_LIST_TYPEATTRIBUTE;
    129 		}
    130 		break;
    131 	}
    132 	case CIL_ROLEATTRIBUTE: {
    133 		struct cil_roleattribute *attr = node->data;
    134 		if (strcmp(attr->datum.fqn, "cil_gen_require") != 0) {
    135 			kind = CIL_LIST_ROLEATTRIBUTE;
    136 		}
    137 		break;
    138 	}
    139 	case CIL_BOOL:
    140 		kind = CIL_LIST_BOOL;
    141 		break;
    142 	case CIL_TYPE:
    143 		kind = CIL_LIST_TYPE;
    144 		break;
    145 	case CIL_TYPEALIAS:
    146 		kind = CIL_LIST_TYPEALIAS;
    147 		break;
    148 	case CIL_ROLE: {
    149 		struct cil_role *role = node->data;
    150 		if (strcmp(role->datum.fqn, "object_r") != 0) {
    151 			kind = CIL_LIST_ROLE;
    152 		}
    153 		break;
    154 	}
    155 	case CIL_ROLEALLOW:
    156 		kind = CIL_LIST_ROLEALLOW;
    157 		break;
    158 	case CIL_ROLETRANSITION:
    159 		kind = CIL_LIST_ROLETRANSITION;
    160 		break;
    161 	case CIL_USER:
    162 		kind = CIL_LIST_USER;
    163 		break;
    164 	case CIL_CONSTRAIN:
    165 		kind = CIL_LIST_CONSTRAINT;
    166 		break;
    167 	case CIL_VALIDATETRANS:
    168 		kind = CIL_LIST_VALIDATETRANS;
    169 		break;
    170 	default:
    171 		break;
    172 	}
    173 
    174 	if (kind > 0) {
    175 		cil_list_append(lists[kind], node->flavor, node->data);
    176 	}
    177 
    178 	return SEPOL_OK;
    179 }
    180 
    181 static void cil_gather_statements(struct cil_tree_node *start, struct cil_list *lists[])
    182 {
    183 	cil_tree_walk(start, __cil_gather_statements_helper, NULL, NULL, lists);
    184 }
    185 
    186 static void cil_simple_rules_to_policy(FILE *out, struct cil_list *rules, const char *kind)
    187 {
    188 	struct cil_list_item *i1;
    189 
    190 	cil_list_for_each(i1, rules) {
    191 		fprintf(out, "%s %s;\n", kind, DATUM(i1->data)->fqn);
    192 	}
    193 }
    194 
    195 static void cil_cats_to_policy(FILE *out, struct cil_cats *cats)
    196 {
    197 	const char *lead = "";
    198 	struct cil_cat *first = NULL, *last = NULL, *cat;
    199 	struct cil_list_item *i1;
    200 
    201 	cil_list_for_each(i1, cats->datum_expr) {
    202 		cat = i1->data;
    203 		if (first == NULL) {
    204 			first = cat;
    205 		} else if (last == NULL) {
    206 			if (cat->value == first->value + 1) {
    207 				last = cat;
    208 			} else {
    209 				fprintf(out, "%s%s", lead, DATUM(first)->fqn);
    210 				lead = ",";
    211 				first = cat;
    212 			}
    213 		} else if (cat->value == last->value + 1) {
    214 			last = cat;
    215 		} else {
    216 			fprintf(out, "%s%s", lead, DATUM(first)->fqn);
    217 			lead = ",";
    218 			if (last->value >= first->value + 1) {
    219 				fprintf(out, ".");
    220 			} else {
    221 				fprintf(out, ",");
    222 			}
    223 			fprintf(out, "%s", DATUM(last)->fqn);
    224 			first = cat;
    225 			last = NULL;
    226 		}
    227 	}
    228 	if (first) {
    229 		fprintf(out, "%s%s", lead, DATUM(first)->fqn);
    230 		if (last != NULL) {
    231 			if (last->value >= first->value + 1) {
    232 				fprintf(out, ".");
    233 			} else {
    234 				fprintf(out, ",");
    235 			}
    236 			fprintf(out, "%s", DATUM(last)->fqn);
    237 		}
    238 	}
    239 }
    240 
    241 static void cil_level_to_policy(FILE *out, struct cil_level *level)
    242 {
    243 	fprintf(out, "%s", DATUM(level->sens)->fqn);
    244 	if (level->cats != NULL) {
    245 		fprintf(out, ":");
    246 		cil_cats_to_policy(out, level->cats);
    247 	}
    248 }
    249 
    250 static int cil_levels_simple_and_equal(struct cil_level *l1, struct cil_level *l2)
    251 {
    252 	/* Mostly just want to detect s0 - s0 ranges */
    253 	if (l1 == l2)
    254 		return CIL_TRUE;
    255 
    256 	if (l1->sens == l2->sens && (l1->cats == NULL && l2->cats == NULL))
    257 		return CIL_TRUE;
    258 
    259 	return CIL_FALSE;
    260 }
    261 
    262 static void cil_levelrange_to_policy(FILE *out, struct cil_levelrange *lvlrange)
    263 {
    264 	cil_level_to_policy(out, lvlrange->low);
    265 	if (cil_levels_simple_and_equal(lvlrange->low, lvlrange->high) == CIL_FALSE) {
    266 		fprintf(out, " - ");
    267 		cil_level_to_policy(out, lvlrange->high);
    268 	}
    269 }
    270 
    271 static void cil_context_to_policy(FILE *out, struct cil_context *context, int mls)
    272 {
    273 	fprintf(out, "%s:", DATUM(context->user)->fqn);
    274 	fprintf(out, "%s:", DATUM(context->role)->fqn);
    275 	fprintf(out, "%s", DATUM(context->type)->fqn);
    276 	if (mls) {
    277 		fprintf(out, ":");
    278 		cil_levelrange_to_policy(out, context->range);
    279 	}
    280 }
    281 
    282 static void cil_cond_expr_to_policy(FILE *out, struct cil_list *expr, int first)
    283 {
    284 	struct cil_list_item *i1 = expr->head;
    285 
    286 	if (i1->flavor == CIL_OP) {
    287 		enum cil_flavor op = (enum cil_flavor)i1->data;
    288 		fprintf(out, "(");
    289 		switch (op) {
    290 		case CIL_NOT:
    291 			fprintf(out, "! ");
    292 			cil_cond_expr_to_policy(out, i1->next->data, CIL_FALSE);
    293 			break;
    294 		case CIL_OR:
    295 			cil_cond_expr_to_policy(out, i1->next->data, CIL_FALSE);
    296 			fprintf(out, " || ");
    297 			cil_cond_expr_to_policy(out, i1->next->next->data, CIL_FALSE);
    298 			break;
    299 		case CIL_AND:
    300 			cil_cond_expr_to_policy(out, i1->next->data, CIL_FALSE);
    301 			fprintf(out, " && ");
    302 			cil_cond_expr_to_policy(out, i1->next->next->data, CIL_FALSE);
    303 			break;
    304 		case CIL_XOR:
    305 			cil_cond_expr_to_policy(out, i1->next->data, CIL_FALSE);
    306 			fprintf(out, " ^ ");
    307 			cil_cond_expr_to_policy(out, i1->next->next->data, CIL_FALSE);
    308 			break;
    309 		case CIL_EQ:
    310 			cil_cond_expr_to_policy(out, i1->next->data, CIL_FALSE);
    311 			fprintf(out, " == ");
    312 			cil_cond_expr_to_policy(out, i1->next->next->data, CIL_FALSE);
    313 			break;
    314 		case CIL_NEQ:
    315 			cil_cond_expr_to_policy(out, i1->next->data, CIL_FALSE);
    316 			fprintf(out, " != ");
    317 			cil_cond_expr_to_policy(out, i1->next->next->data, CIL_FALSE);
    318 			break;
    319 		default:
    320 			fprintf(out, "???");
    321 			break;
    322 		}
    323 		fprintf(out, ")");
    324 	} else if (i1->flavor == CIL_DATUM) {
    325 		if (first == CIL_TRUE) {
    326 			fprintf(out, "(");
    327 		}
    328 		fprintf(out, "%s", DATUM(i1->data)->fqn);
    329 		if (first == CIL_TRUE) {
    330 			fprintf(out, ")");
    331 		}
    332 	} else if (i1->flavor == CIL_LIST) {
    333 		cil_cond_expr_to_policy(out, i1->data, CIL_FALSE);
    334 	} else {
    335 		fprintf(out, "???");
    336 	}
    337 }
    338 
    339 static size_t __cil_userattribute_len(struct cil_db *db, struct cil_userattribute *attr)
    340 {
    341 	ebitmap_node_t *unode;
    342 	unsigned int i;
    343 	size_t len = 0;
    344 
    345 	ebitmap_for_each_bit(attr->users, unode, i) {
    346 		if (!ebitmap_get_bit(attr->users, i))
    347 			continue;
    348 		len += strlen(DATUM(db->val_to_user[i])->fqn);
    349 		len++;
    350 	}
    351 
    352 	return len;
    353 }
    354 
    355 static size_t __cil_cons_leaf_operand_len(struct cil_db *db, struct cil_list_item *operand)
    356 {
    357 	struct cil_list_item *i1;
    358 	enum cil_flavor flavor = operand->flavor;
    359 	size_t len = 0;
    360 
    361 	if (flavor == CIL_CONS_OPERAND) {
    362 		len = 2;
    363 	} else if (flavor == CIL_DATUM) {
    364 		struct cil_tree_node *node = NODE(operand->data);
    365 		if (node->flavor == CIL_USERATTRIBUTE) {
    366 			len = __cil_userattribute_len(db, operand->data);
    367 			len++; /* "{" */
    368 		} else {
    369 			len = strlen(DATUM(operand->data)->fqn);
    370 		}
    371 	} else if (flavor == CIL_LIST) {
    372 		len = 1; /* "{" */
    373 		cil_list_for_each(i1, (struct cil_list *)operand->data) {
    374 			struct cil_tree_node *node = NODE(operand->data);
    375 			if (node->flavor == CIL_USERATTRIBUTE) {
    376 				len = __cil_userattribute_len(db, operand->data);
    377 			} else {
    378 				len += strlen(DATUM(operand->data)->fqn);
    379 				len++; /* " " or "}" */
    380 			}
    381 		}
    382 	}
    383 
    384 	return len;
    385 }
    386 
    387 static size_t __cil_cons_leaf_op_len(struct cil_list_item *op)
    388 {
    389 	enum cil_flavor flavor = (enum cil_flavor)op->data;
    390 	size_t len;
    391 
    392 	switch (flavor) {
    393 	case CIL_EQ:
    394 		len = 4; /* " == " */
    395 		break;
    396 	case CIL_NEQ:
    397 		len = 4; /* " != " */
    398 		break;
    399 	case CIL_CONS_DOM:
    400 		len = 5; /* " dom " */
    401 		break;
    402 	case CIL_CONS_DOMBY:
    403 		len = 7; /* " domby " */
    404 		break;
    405 	case CIL_CONS_INCOMP:
    406 		len = 8; /* " incomp " */
    407 		break;
    408 	default:
    409 		/* Should be impossible to be here */
    410 		len = 5; /* " ??? " */
    411 	}
    412 
    413 	return len;
    414 }
    415 
    416 static size_t cil_cons_expr_len(struct cil_db *db, struct cil_list *cons_expr)
    417 {
    418 	struct cil_list_item *i1;
    419 	enum cil_flavor op;
    420 	size_t len;
    421 
    422 	i1 = cons_expr->head;
    423 
    424 	op = (enum cil_flavor)i1->data;
    425 	switch (op) {
    426 	case CIL_NOT:
    427 		len = 6; /* "(not )" */
    428 		len += cil_cons_expr_len(db, i1->next->data);
    429 		break;
    430 	case CIL_AND:
    431 		len = 7; /* "( and )" */
    432 		len += cil_cons_expr_len(db, i1->next->data);
    433 		len += cil_cons_expr_len(db, i1->next->next->data);
    434 		break;
    435 	case CIL_OR:
    436 		len = 6; /* "( or )" */
    437 		len += cil_cons_expr_len(db, i1->next->data);
    438 		len += cil_cons_expr_len(db, i1->next->next->data);
    439 		break;
    440 	default:
    441 		len = 2; /* "()" */
    442 		len += __cil_cons_leaf_operand_len(db, i1->next);
    443 		len += __cil_cons_leaf_op_len(i1);
    444 		len += __cil_cons_leaf_operand_len(db, i1->next->next);
    445 	}
    446 
    447 	return len;
    448 }
    449 
    450 static char *__cil_userattribute_to_string(struct cil_db *db, struct cil_userattribute *attr, char *new)
    451 {
    452 	ebitmap_node_t *unode;
    453 	unsigned int i;
    454 	char *str;
    455 	size_t len;
    456 
    457 	ebitmap_for_each_bit(attr->users, unode, i) {
    458 		if (!ebitmap_get_bit(attr->users, i))
    459 			continue;
    460 		str = DATUM(db->val_to_user[i])->fqn;
    461 		len = strlen(str);
    462 		memcpy(new, str, len);
    463 		new += len;
    464 		*new++ = ' ';
    465 	}
    466 
    467 	return new;
    468 }
    469 
    470 static char *__cil_cons_leaf_operand_to_string(struct cil_db *db, struct cil_list_item *operand, char *new)
    471 {
    472 	struct cil_list_item *i1;
    473 	enum cil_flavor flavor = operand->flavor;
    474 	const char *o_str;
    475 	size_t o_len;
    476 
    477 	if (flavor == CIL_CONS_OPERAND) {
    478 		enum cil_flavor o_flavor = (enum cil_flavor)operand->data;
    479 		switch (o_flavor) {
    480 		case CIL_CONS_U1:
    481 			o_str = "u1";
    482 			break;
    483 		case CIL_CONS_U2:
    484 			o_str = "u2";
    485 			break;
    486 		case CIL_CONS_U3:
    487 			o_str = "u3";
    488 			break;
    489 		case CIL_CONS_R1:
    490 			o_str = "r1";
    491 			break;
    492 		case CIL_CONS_R2:
    493 			o_str = "r2";
    494 			break;
    495 		case CIL_CONS_R3:
    496 			o_str = "r3";
    497 			break;
    498 		case CIL_CONS_T1:
    499 			o_str = "t1";
    500 			break;
    501 		case CIL_CONS_T2:
    502 			o_str = "t2";
    503 			break;
    504 		case CIL_CONS_T3:
    505 			o_str = "t3";
    506 			break;
    507 		case CIL_CONS_L1:
    508 			o_str = "l1";
    509 			break;
    510 		case CIL_CONS_L2:
    511 			o_str = "l2";
    512 			break;
    513 		case CIL_CONS_H1:
    514 			o_str = "h1";
    515 			break;
    516 		case CIL_CONS_H2:
    517 			o_str = "h2";
    518 			break;
    519 		default:
    520 			/* Impossible */
    521 			o_str = "??";
    522 		}
    523 		strcpy(new, o_str);
    524 		new += 2;
    525 	} else if (flavor == CIL_DATUM) {
    526 		struct cil_tree_node *node = NODE(operand->data);
    527 		if (node->flavor == CIL_USERATTRIBUTE) {
    528 			*new++ = '{';
    529 			new = __cil_userattribute_to_string(db, operand->data, new);
    530 			new--;
    531 			*new++ = '}';
    532 		} else {
    533 			o_str = DATUM(operand->data)->fqn;
    534 			o_len = strlen(o_str);
    535 			memcpy(new, o_str, o_len);
    536 			new += o_len;
    537 		}
    538 	} else if (flavor == CIL_LIST) {
    539 		*new++ = '{';
    540 		cil_list_for_each(i1, (struct cil_list *)operand->data) {
    541 			struct cil_tree_node *node = NODE(operand->data);
    542 			if (node->flavor == CIL_USERATTRIBUTE) {
    543 				new = __cil_userattribute_to_string(db, operand->data, new);
    544 			} else {
    545 				o_str = DATUM(operand->data)->fqn;
    546 				o_len = strlen(o_str);
    547 				memcpy(new, o_str, o_len);
    548 				new += o_len;
    549 				*new++ = ' ';
    550 			}
    551 		}
    552 		new--;
    553 		*new++ = '}';
    554 	}
    555 
    556 	return new;
    557 }
    558 
    559 static char *__cil_cons_leaf_op_to_string(struct cil_list_item *op, char *new)
    560 {
    561 	enum cil_flavor flavor = (enum cil_flavor)op->data;
    562 	const char *op_str;
    563 	size_t len;
    564 
    565 	switch (flavor) {
    566 	case CIL_EQ:
    567 		op_str = " == ";
    568 		len = 4;
    569 		break;
    570 	case CIL_NEQ:
    571 		op_str = " != ";
    572 		len = 4;
    573 		break;
    574 	case CIL_CONS_DOM:
    575 		op_str = " dom ";
    576 		len = 5;
    577 		break;
    578 	case CIL_CONS_DOMBY:
    579 		op_str = " domby ";
    580 		len = 7;
    581 		break;
    582 	case CIL_CONS_INCOMP:
    583 		op_str = " incomp ";
    584 		len = 8;
    585 		break;
    586 	default:
    587 		/* Should be impossible to be here */
    588 		op_str = " ??? ";
    589 		len = 5;
    590 	}
    591 
    592 	strcpy(new, op_str);
    593 	new += len;
    594 
    595 	return new;
    596 }
    597 
    598 static char *__cil_cons_expr_to_string(struct cil_db *db, struct cil_list *cons_expr, char *new)
    599 {
    600 	struct cil_list_item *i1;
    601 	enum cil_flavor op;
    602 
    603 	i1 = cons_expr->head;
    604 
    605 	op = (enum cil_flavor)i1->data;
    606 	switch (op) {
    607 	case CIL_NOT:
    608 		*new++ = '(';
    609 		strcpy(new, "not ");
    610 		new += 4;
    611 		new = __cil_cons_expr_to_string(db, i1->next->data, new);
    612 		*new++ = ')';
    613 		break;
    614 	case CIL_AND:
    615 		*new++ = '(';
    616 		new = __cil_cons_expr_to_string(db, i1->next->data, new);
    617 		strcpy(new, " and ");
    618 		new += 5;
    619 		new = __cil_cons_expr_to_string(db, i1->next->next->data, new);
    620 		*new++ = ')';
    621 		break;
    622 	case CIL_OR:
    623 		*new++ = '(';
    624 		new = __cil_cons_expr_to_string(db, i1->next->data, new);
    625 		strcpy(new, " or ");
    626 		new += 4;
    627 		new = __cil_cons_expr_to_string(db, i1->next->next->data, new);
    628 		*new++ = ')';
    629 		break;
    630 	default:
    631 		*new++ = '(';
    632 		new = __cil_cons_leaf_operand_to_string(db, i1->next, new);
    633 		new = __cil_cons_leaf_op_to_string(i1, new);
    634 		new = __cil_cons_leaf_operand_to_string(db, i1->next->next, new);
    635 		*new++ = ')';
    636 	}
    637 
    638 	return new;
    639 }
    640 
    641 static char *cil_cons_expr_to_string(struct cil_db *db, struct cil_list *cons_expr)
    642 {
    643 	char *new, *tail;
    644 	size_t len = cil_cons_expr_len(db, cons_expr);
    645 
    646 	new = cil_malloc(len+1);
    647 	tail = __cil_cons_expr_to_string(db, cons_expr, new);
    648 	*tail = '\0';
    649 
    650 	return new;
    651 }
    652 
    653 static void cil_classperms_to_string(struct cil_classperms *classperms, struct cil_list *classperms_strs)
    654 {
    655 	struct cil_list_item *i1;
    656 	size_t len = 0;
    657 	char *new, *curr;
    658 
    659 	len += strlen(DATUM(classperms->class)->fqn) + 1;
    660 	cil_list_for_each(i1, classperms->perms) {
    661 		len += strlen(DATUM(i1->data)->fqn) + 1;
    662 	}
    663 	len += 4; /* for "{ " and " }" */
    664 
    665 	new = cil_malloc(len);
    666 	curr = new;
    667 
    668 	curr[len-1] = '\0';
    669 
    670 	len = strlen(DATUM(classperms->class)->fqn);
    671 	memcpy(curr, DATUM(classperms->class)->fqn, len);
    672 	curr += len;
    673 	*curr++ = ' ';
    674 
    675 	*curr++ = '{';
    676 	*curr++ = ' ';
    677 	cil_list_for_each(i1, classperms->perms) {
    678 		len = strlen(DATUM(i1->data)->fqn);
    679 		memcpy(curr, DATUM(i1->data)->fqn, len);
    680 		curr += len;
    681 		*curr++ = ' ';
    682 	}
    683 	*curr++ = '}';
    684 
    685 	cil_list_append(classperms_strs, CIL_STRING, new);
    686 }
    687 
    688 static void cil_classperms_to_strings(struct cil_list *classperms, struct cil_list *classperms_strs)
    689 {
    690 	struct cil_list_item *i1;
    691 
    692 	cil_list_for_each(i1, classperms) {
    693 		if (i1->flavor == CIL_CLASSPERMS) {
    694 			struct cil_classperms *cp = i1->data;
    695 			if (FLAVOR(cp->class) == CIL_CLASS) {
    696 				cil_classperms_to_string(cp, classperms_strs);
    697 			} else { /* MAP */
    698 				struct cil_list_item *i2 = NULL;
    699 				cil_list_for_each(i2, cp->perms) {
    700 					struct cil_perm *cmp = i2->data;
    701 					cil_classperms_to_strings(cmp->classperms, classperms_strs);
    702 				}
    703 			}
    704 		} else { /* SET */
    705 			struct cil_classperms_set *cp_set = i1->data;
    706 			struct cil_classpermission *cp = cp_set->set;
    707 			cil_classperms_to_strings(cp->classperms, classperms_strs);
    708 		}
    709 	}
    710 }
    711 
    712 static void cil_class_decls_to_policy(FILE *out, struct cil_list *classorder)
    713 {
    714 	struct cil_list_item *i1;
    715 
    716 	cil_list_for_each(i1, classorder) {
    717 		fprintf(out, "class %s\n", DATUM(i1->data)->fqn);
    718 	}
    719 }
    720 
    721 static void cil_sid_decls_to_policy(FILE *out, struct cil_list *sidorder)
    722 {
    723 	struct cil_list_item *i1;
    724 
    725 	cil_list_for_each(i1, sidorder) {
    726 		fprintf(out, "sid %s\n", DATUM(i1->data)->fqn);
    727 	}
    728 }
    729 
    730 static void cil_commons_to_policy(FILE *out, struct cil_list *commons)
    731 {
    732 	struct cil_list_item *i1;
    733 	struct cil_class* common;
    734 	struct cil_tree_node *node;
    735 	struct cil_tree_node *perm;
    736 
    737 	cil_list_for_each(i1, commons) {
    738 		common = i1->data;
    739 		node = NODE(&common->datum);
    740 		perm = node->cl_head;
    741 
    742 		fprintf(out, "common %s {", common->datum.fqn);
    743 		while (perm != NULL) {
    744 			fprintf(out, "%s ", DATUM(perm->data)->fqn);
    745 			perm = perm->next;
    746 		}
    747 		fprintf(out, "}\n");
    748 	}
    749 }
    750 
    751 static void cil_classes_to_policy(FILE *out, struct cil_list *classorder)
    752 {
    753 	struct cil_list_item *i1;
    754 	struct cil_class *class;
    755 	struct cil_tree_node *node;
    756 
    757 	cil_list_for_each(i1, classorder) {
    758 		class = i1->data;
    759 		node = NODE(&class->datum);
    760 
    761 		fprintf(out, "class %s", class->datum.fqn);
    762 		if (class->common != NULL) {
    763 			fprintf(out, " inherits %s", class->common->datum.fqn);
    764 		}
    765 		if (node->cl_head != NULL) {
    766 			struct cil_tree_node *perm = node->cl_head;
    767 			fprintf(out, " {");
    768 			while (perm != NULL) {
    769 				fprintf(out, " %s", DATUM(perm->data)->fqn);
    770 				perm = perm->next;
    771 			}
    772 			fprintf(out, " }");
    773 		}
    774 		fprintf(out, "\n");
    775 	}
    776 }
    777 
    778 static void cil_defaults_to_policy(FILE *out, struct cil_list *defaults, char *kind)
    779 {
    780 	struct cil_list_item *i1, *i2, *i3;
    781 	struct cil_default *def;
    782 	struct cil_list *class_list;
    783 
    784 	cil_list_for_each(i1, defaults) {
    785 		def = i1->data;
    786 		fprintf(out, "%s {",kind);
    787 		cil_list_for_each(i2, def->class_datums) {
    788 			class_list = cil_expand_class(i2->data);
    789 			cil_list_for_each(i3, class_list) {
    790 				fprintf(out, " %s", DATUM(i3->data)->fqn);
    791 			}
    792 			cil_list_destroy(&class_list, CIL_FALSE);
    793 		}
    794 		fprintf(out, " }");
    795 		if (def->object == CIL_DEFAULT_SOURCE) {
    796 			fprintf(out," %s",CIL_KEY_SOURCE);
    797 		} else if (def->object == CIL_DEFAULT_TARGET) {
    798 			fprintf(out," %s",CIL_KEY_TARGET);
    799 		}
    800 		fprintf(out,";\n");
    801 	}
    802 }
    803 
    804 static void cil_default_ranges_to_policy(FILE *out, struct cil_list *defaults)
    805 {
    806 	struct cil_list_item *i1, *i2, *i3;
    807 	struct cil_defaultrange *def;
    808 	struct cil_list *class_list;
    809 
    810 	cil_list_for_each(i1, defaults) {
    811 		def = i1->data;
    812 		fprintf(out, "default_range {");
    813 		cil_list_for_each(i2, def->class_datums) {
    814 			class_list = cil_expand_class(i2->data);
    815 			cil_list_for_each(i3, class_list) {
    816 				fprintf(out, " %s", DATUM(i3->data)->fqn);
    817 			}
    818 			cil_list_destroy(&class_list, CIL_FALSE);
    819 		}
    820 		fprintf(out, " }");
    821 
    822 		switch (def->object_range) {
    823 		case CIL_DEFAULT_SOURCE_LOW:
    824 			fprintf(out," %s %s", CIL_KEY_SOURCE, CIL_KEY_LOW);
    825 			break;
    826 		case CIL_DEFAULT_SOURCE_HIGH:
    827 			fprintf(out," %s %s", CIL_KEY_SOURCE, CIL_KEY_HIGH);
    828 			break;
    829 		case CIL_DEFAULT_SOURCE_LOW_HIGH:
    830 			fprintf(out," %s %s", CIL_KEY_SOURCE, CIL_KEY_LOW_HIGH);
    831 			break;
    832 		case CIL_DEFAULT_TARGET_LOW:
    833 			fprintf(out," %s %s", CIL_KEY_TARGET, CIL_KEY_LOW);
    834 			break;
    835 		case CIL_DEFAULT_TARGET_HIGH:
    836 			fprintf(out," %s %s", CIL_KEY_TARGET, CIL_KEY_HIGH);
    837 			break;
    838 		case CIL_DEFAULT_TARGET_LOW_HIGH:
    839 			fprintf(out," %s %s", CIL_KEY_TARGET, CIL_KEY_LOW_HIGH);
    840 			break;
    841 		default:
    842 			break;
    843 		}
    844 		fprintf(out,";\n");
    845 	}
    846 }
    847 
    848 static void cil_sensitivities_to_policy(FILE *out, struct cil_list *sensorder, struct cil_list *all_aliases)
    849 {
    850 	struct cil_list_item *i1, *i2;
    851 	struct cil_sens *sens;
    852 	struct cil_list *aliases = NULL;
    853 	struct cil_alias *alias;
    854 	struct cil_sens *actual;
    855 	int num_aliases;
    856 
    857 	cil_list_for_each(i1, sensorder) {
    858 		sens = i1->data;
    859 		num_aliases = 0;
    860 		cil_list_for_each(i2, all_aliases) {
    861 			alias = i2->data;
    862 			actual = alias->actual;
    863 			if (sens == actual) {
    864 				if (num_aliases == 0) {
    865 					cil_list_init(&aliases, CIL_LIST);
    866 				}
    867 				cil_list_append(aliases, CIL_SENSALIAS, alias);
    868 				num_aliases++;
    869 			}
    870 		}
    871 		fprintf(out, "sensitivity %s", sens->datum.fqn);
    872 		if (num_aliases > 0) {
    873 			fprintf(out, " alias");
    874 			if (num_aliases > 1) {
    875 				fprintf(out, " {");
    876 			}
    877 			cil_list_for_each(i2, aliases) {
    878 				alias = i2->data;
    879 				fprintf(out, " %s", alias->datum.fqn);
    880 			}
    881 			if (num_aliases > 1) {
    882 				fprintf(out, " }");
    883 			}
    884 			cil_list_destroy(&aliases, CIL_FALSE);
    885 		}
    886 		fprintf(out, ";\n");
    887 	}
    888 }
    889 
    890 static void cil_dominance_to_policy(FILE *out, struct cil_list *sensorder)
    891 {
    892 	struct cil_list_item *item;
    893 	struct cil_sens *sens;
    894 
    895 	fprintf(out, "dominance {");
    896 	cil_list_for_each(item, sensorder) {
    897 		sens = item->data;
    898 		fprintf(out, " %s", sens->datum.fqn);
    899 	}
    900 	fprintf(out, " }\n");
    901 }
    902 
    903 static void cil_categories_to_policy(FILE *out, struct cil_list *catorder, struct cil_list *all_aliases)
    904 {
    905 	struct cil_list_item *i1, *i2;
    906 	struct cil_sens *cat;
    907 	struct cil_list *aliases = NULL;
    908 	struct cil_alias *alias;
    909 	struct cil_sens *actual;
    910 	int num_aliases;
    911 
    912 	cil_list_for_each(i1, catorder) {
    913 		cat = i1->data;
    914 		num_aliases = 0;
    915 		cil_list_for_each(i2, all_aliases) {
    916 			alias = i2->data;
    917 			actual = alias->actual;
    918 			if (cat == actual) {
    919 				if (num_aliases == 0) {
    920 					cil_list_init(&aliases, CIL_LIST);
    921 				}
    922 				cil_list_append(aliases, CIL_CATALIAS, alias);
    923 				num_aliases++;
    924 			}
    925 		}
    926 		fprintf(out, "category %s",cat->datum.fqn);
    927 		if (num_aliases > 0) {
    928 			fprintf(out, " alias");
    929 			if (num_aliases > 1) {
    930 				fprintf(out, " { ");
    931 			}
    932 			cil_list_for_each(i2, aliases) {
    933 				alias = i2->data;
    934 				fprintf(out, " %s", alias->datum.fqn);
    935 			}
    936 			if (num_aliases > 1) {
    937 				fprintf(out, " }");
    938 			}
    939 			cil_list_destroy(&aliases, CIL_FALSE);
    940 		}
    941 		fprintf(out, ";\n");
    942 	}
    943 }
    944 
    945 static void cil_levels_to_policy(FILE *out, struct cil_list *sensorder)
    946 {
    947 	struct cil_list_item *i1, *i2;
    948 	struct cil_sens *sens;
    949 
    950 	cil_list_for_each(i1, sensorder) {
    951 		sens = i1->data;
    952 		if (sens->cats_list) {
    953 			cil_list_for_each(i2, sens->cats_list) {
    954 				fprintf(out, "level %s:",sens->datum.fqn);
    955 				cil_cats_to_policy(out, i2->data);
    956 				fprintf(out,";\n");
    957 			}
    958 		} else {
    959 			fprintf(out, "level %s;\n",sens->datum.fqn);
    960 		}
    961 	}
    962 }
    963 
    964 static void cil_mlsconstrains_to_policy(FILE *out, struct cil_db *db, struct cil_list *mlsconstrains)
    965 {
    966 	struct cil_list_item *i1, *i2;
    967 	struct cil_constrain *cons;
    968 	struct cil_list *classperms_strs;
    969 	char *cp_str;
    970 	char *expr_str;
    971 
    972 	cil_list_for_each(i1, mlsconstrains) {
    973 		cons = i1->data;
    974 		cil_list_init(&classperms_strs, CIL_LIST);
    975 		cil_classperms_to_strings(cons->classperms, classperms_strs);
    976 		expr_str = cil_cons_expr_to_string(db, cons->datum_expr);
    977 		cil_list_for_each(i2, classperms_strs) {
    978 			cp_str = i2->data;
    979 			fprintf(out, "mlsconstrain %s %s;\n", cp_str, expr_str);
    980 			free(cp_str);
    981 		}
    982 		free(expr_str);
    983 		cil_list_destroy(&classperms_strs, CIL_FALSE);
    984 	}
    985 }
    986 
    987 static void cil_validatetrans_to_policy(FILE *out, struct cil_db *db, struct cil_list *validatetrans, char *kind)
    988 {
    989 	struct cil_list_item *i1, *i2;
    990 	struct cil_validatetrans *trans;
    991 	struct cil_list *class_list;
    992 	struct cil_class *class;
    993 	char *expr_str;
    994 
    995 	cil_list_for_each(i1, validatetrans) {
    996 		trans = i1->data;
    997 		class_list = cil_expand_class(trans->class);
    998 		expr_str = cil_cons_expr_to_string(db, trans->datum_expr);
    999 		cil_list_for_each(i2, class_list) {
   1000 			class = i2->data;
   1001 			fprintf(out, "%s %s %s;\n", kind, class->datum.fqn, expr_str);
   1002 		}
   1003 		free(expr_str);
   1004 		cil_list_destroy(&class_list, CIL_FALSE);
   1005 	}
   1006 }
   1007 
   1008 static void cil_bools_to_policy(FILE *out, struct cil_list *bools)
   1009 {
   1010 	struct cil_list_item *i1;
   1011 	struct cil_bool *bool;
   1012 	const char *value;
   1013 
   1014 	cil_list_for_each(i1, bools) {
   1015 		bool = i1->data;
   1016 		value = bool->value ? "true" : "false";
   1017 		fprintf(out, "bool %s %s;\n", bool->datum.fqn, value);
   1018 	}
   1019 }
   1020 
   1021 static void cil_typealiases_to_policy(FILE *out, struct cil_list *types, struct cil_list *all_aliases)
   1022 {
   1023 	struct cil_list_item *i1, *i2;
   1024 	struct cil_type *type;
   1025 	struct cil_list *aliases = NULL;
   1026 	struct cil_alias *alias;
   1027 	struct cil_type *actual;
   1028 	int num_aliases;
   1029 
   1030 	cil_list_for_each(i1, types) {
   1031 		type = i1->data;
   1032 		num_aliases = 0;
   1033 		cil_list_for_each(i2, all_aliases) {
   1034 			alias = i2->data;
   1035 			actual = alias->actual;
   1036 			if (type == actual) {
   1037 				if (num_aliases == 0) {
   1038 					cil_list_init(&aliases, CIL_LIST);
   1039 				}
   1040 				cil_list_append(aliases, CIL_TYPEALIAS, alias);
   1041 				num_aliases++;
   1042 			}
   1043 		}
   1044 		if (num_aliases > 0) {
   1045 			fprintf(out, "typealias %s alias", type->datum.fqn);
   1046 			if (num_aliases > 1) {
   1047 				fprintf(out, " {");
   1048 			}
   1049 			cil_list_for_each(i2, aliases) {
   1050 				alias = i2->data;
   1051 				fprintf(out, " %s", alias->datum.fqn);
   1052 			}
   1053 			if (num_aliases > 1) {
   1054 				fprintf(out, " }");
   1055 			}
   1056 			fprintf(out, ";\n");
   1057 			cil_list_destroy(&aliases, CIL_FALSE);
   1058 		}
   1059 	}
   1060 }
   1061 
   1062 static void cil_typebounds_to_policy(FILE *out, struct cil_list *types)
   1063 {
   1064 	struct cil_list_item *i1;
   1065 	struct cil_type *child;
   1066 	struct cil_type *parent;
   1067 
   1068 	cil_list_for_each(i1, types) {
   1069 		child = i1->data;
   1070 		if (child->bounds != NULL) {
   1071 			parent = child->bounds;
   1072 			fprintf(out, "typebounds %s %s\n", parent->datum.fqn, child->datum.fqn);
   1073 		}
   1074 	}
   1075 }
   1076 
   1077 static void cil_typeattributes_to_policy(FILE *out, struct cil_list *types, struct cil_list *attributes)
   1078 {
   1079 	struct cil_list_item *i1, *i2;
   1080 	struct cil_type *type;
   1081 	struct cil_typeattribute *attribute;
   1082 	int first = CIL_TRUE;
   1083 
   1084 	cil_list_for_each(i1, types) {
   1085 		type = i1->data;
   1086 		cil_list_for_each(i2, attributes) {
   1087 			attribute = i2->data;
   1088 			if (!attribute->used)
   1089 				continue;
   1090 			if (ebitmap_get_bit(attribute->types, type->value)) {
   1091 				if (first) {
   1092 					fprintf(out, "typeattribute %s %s", type->datum.fqn, attribute->datum.fqn);
   1093 					first = CIL_FALSE;
   1094 				} else {
   1095 					fprintf(out, ", %s", attribute->datum.fqn);
   1096 				}
   1097 			}
   1098 		}
   1099 		if (!first) {
   1100 			fprintf(out, ";\n");
   1101 			first = CIL_TRUE;
   1102 		}
   1103 	}
   1104 }
   1105 
   1106 static void cil_xperms_to_policy(FILE *out, struct cil_permissionx *permx)
   1107 {
   1108 	ebitmap_node_t *node;
   1109 	unsigned int i, first = 0, last = 0;
   1110 	int need_first = CIL_TRUE, need_last = CIL_TRUE;
   1111 	const char *kind;
   1112 
   1113 	if (permx->kind == CIL_PERMX_KIND_IOCTL) {
   1114 		kind = "ioctl";
   1115 	} else {
   1116 		kind = "???";
   1117 	}
   1118 
   1119 	fprintf(out, "%s %s {", DATUM(permx->obj)->fqn, kind);
   1120 
   1121 	ebitmap_for_each_bit(permx->perms, node, i) {
   1122 		if (!ebitmap_get_bit(permx->perms, i))
   1123 			continue;
   1124 		if (need_first == CIL_TRUE) {
   1125 			first = i;
   1126 			need_first = CIL_FALSE;
   1127 		} else if (need_last == CIL_TRUE) {
   1128 			if (i == first+1) {
   1129 				last = i;
   1130 				need_last = CIL_FALSE;
   1131 			} else {
   1132 				fprintf(out, " 0x%x", first);
   1133 				first = i;
   1134 			}
   1135 		} else if (i == last+1) {
   1136 			last = i;
   1137 		} else {
   1138 			if (last > first+1) {
   1139 				fprintf(out, " 0x%x-0x%x", first, last);
   1140 			} else {
   1141 				fprintf(out, " 0x%x 0x%x", first, last);
   1142 			}
   1143 			first = i;
   1144 			need_last = CIL_TRUE;
   1145 		}
   1146 	}
   1147 	if (need_first == CIL_FALSE) {
   1148 		if (need_last == CIL_FALSE) {
   1149 			fprintf(out, " 0x%x-0x%x", first, last);
   1150 		} else {
   1151 			fprintf(out, " 0x%x", first);
   1152 		}
   1153 	}
   1154 	fprintf(out," }");
   1155 }
   1156 
   1157 static void cil_av_rulex_to_policy(FILE *out, struct cil_avrule *rule)
   1158 {
   1159 	const char *kind;
   1160 	struct cil_symtab_datum *src, *tgt;
   1161 
   1162 	src = rule->src;
   1163 	tgt = rule->tgt;
   1164 
   1165 	switch (rule->rule_kind) {
   1166 	case CIL_AVRULE_ALLOWED:
   1167 		kind = "allowxperm";
   1168 		break;
   1169 	case CIL_AVRULE_AUDITALLOW:
   1170 		kind = "auditallowxperm";
   1171 		break;
   1172 	case CIL_AVRULE_DONTAUDIT:
   1173 		kind = "dontauditxperm";
   1174 		break;
   1175 	case CIL_AVRULE_NEVERALLOW:
   1176 		kind = "neverallowxperm";
   1177 		break;
   1178 	default:
   1179 		kind = "???";
   1180 		break;
   1181 	}
   1182 
   1183 	fprintf(out, "%s %s %s : ", kind, src->fqn, tgt->fqn);
   1184 	cil_xperms_to_policy(out, rule->perms.x.permx);
   1185 	fprintf(out, ";\n");
   1186 }
   1187 
   1188 static void cil_av_rule_to_policy(FILE *out, struct cil_avrule *rule)
   1189 {
   1190 	const char *kind;
   1191 	struct cil_symtab_datum *src, *tgt;
   1192 	struct cil_list *classperms_strs;
   1193 	struct cil_list_item *i1;
   1194 
   1195 	src = rule->src;
   1196 	tgt = rule->tgt;
   1197 
   1198 	switch (rule->rule_kind) {
   1199 	case CIL_AVRULE_ALLOWED:
   1200 		kind = "allow";
   1201 		break;
   1202 	case CIL_AVRULE_AUDITALLOW:
   1203 		kind = "auditallow";
   1204 		break;
   1205 	case CIL_AVRULE_DONTAUDIT:
   1206 		kind = "dontaudit";
   1207 		break;
   1208 	case CIL_AVRULE_NEVERALLOW:
   1209 		kind = "neverallow";
   1210 		break;
   1211 	default:
   1212 		kind = "???";
   1213 		break;
   1214 	}
   1215 
   1216 	cil_list_init(&classperms_strs, CIL_LIST);
   1217 	cil_classperms_to_strings(rule->perms.classperms, classperms_strs);
   1218 	cil_list_for_each(i1, classperms_strs) {
   1219 		char *cp_str = i1->data;
   1220 		fprintf(out, "%s %s %s : %s;\n", kind, src->fqn, tgt->fqn, cp_str);
   1221 		free(cp_str);
   1222 	}
   1223 	cil_list_destroy(&classperms_strs, CIL_FALSE);
   1224 }
   1225 
   1226 static void cil_type_rule_to_policy(FILE *out, struct cil_type_rule *rule)
   1227 {
   1228 	const char *kind;
   1229 	struct cil_symtab_datum *src, *tgt, *res;
   1230 	struct cil_list *class_list;
   1231 	struct cil_list_item *i1;
   1232 
   1233 	src = rule->src;
   1234 	tgt = rule->tgt;
   1235 	res = rule->result;
   1236 
   1237 	switch (rule->rule_kind) {
   1238 	case CIL_TYPE_TRANSITION:
   1239 		kind = "type_transition";
   1240 		break;
   1241 	case CIL_TYPE_MEMBER:
   1242 		kind = "type_member";
   1243 		break;
   1244 	case CIL_TYPE_CHANGE:
   1245 		kind = "type_change";
   1246 		break;
   1247 	default:
   1248 		kind = "???";
   1249 		break;
   1250 	}
   1251 
   1252 	class_list = cil_expand_class(rule->obj);
   1253 	cil_list_for_each(i1, class_list) {
   1254 		fprintf(out, "%s %s %s : %s %s;\n", kind, src->fqn, tgt->fqn, DATUM(i1->data)->fqn, res->fqn);
   1255 	}
   1256 	cil_list_destroy(&class_list, CIL_FALSE);
   1257 }
   1258 
   1259 static void cil_nametypetransition_to_policy(FILE *out, struct cil_nametypetransition *trans)
   1260 {
   1261 	struct cil_symtab_datum *src, *tgt, *res;
   1262 	struct cil_name *name;
   1263 	struct cil_list *class_list;
   1264 	struct cil_list_item *i1;
   1265 
   1266 	src = trans->src;
   1267 	tgt = trans->tgt;
   1268 	name = trans->name;
   1269 	res = trans->result;
   1270 
   1271 	class_list = cil_expand_class(trans->obj);
   1272 	cil_list_for_each(i1, class_list) {
   1273 		fprintf(out, "type_transition %s %s : %s %s \"%s\";\n", src->fqn, tgt->fqn, DATUM(i1->data)->fqn, res->fqn, name->datum.fqn);
   1274 	}
   1275 	cil_list_destroy(&class_list, CIL_FALSE);
   1276 }
   1277 
   1278 static void cil_rangetransition_to_policy(FILE *out, struct cil_rangetransition *trans)
   1279 {
   1280 	struct cil_symtab_datum *src, *exec;
   1281 	struct cil_list *class_list;
   1282 	struct cil_list_item *i1;
   1283 
   1284 	src = trans->src;
   1285 	exec = trans->exec;
   1286 
   1287 	class_list = cil_expand_class(trans->obj);
   1288 	cil_list_for_each(i1, class_list) {
   1289 		fprintf(out, "range_transition %s %s : %s ", src->fqn, exec->fqn, DATUM(i1->data)->fqn);
   1290 		cil_levelrange_to_policy(out, trans->range);
   1291 		fprintf(out, ";\n");
   1292 	}
   1293 	cil_list_destroy(&class_list, CIL_FALSE);
   1294 }
   1295 
   1296 static void cil_typepermissive_to_policy(FILE *out, struct cil_typepermissive *rule)
   1297 {
   1298 	fprintf(out, "permissive %s;\n", DATUM(rule->type)->fqn);
   1299 }
   1300 
   1301 struct block_te_rules_extra {
   1302 	FILE *out;
   1303 	enum cil_flavor flavor;
   1304 	uint32_t rule_kind;
   1305 };
   1306 
   1307 static int __cil_block_te_rules_to_policy_helper(struct cil_tree_node *node, uint32_t *finished, void *extra_args)
   1308 {
   1309 	struct block_te_rules_extra *args = extra_args;
   1310 
   1311 	switch (node->flavor) {
   1312 	case CIL_BLOCK: {
   1313 		struct cil_block *blk = node->data;
   1314 		if (blk->is_abstract == CIL_TRUE) {
   1315 			*finished = CIL_TREE_SKIP_HEAD;
   1316 		}
   1317 		break;
   1318 	}
   1319 	case CIL_MACRO:
   1320 		*finished = CIL_TREE_SKIP_HEAD;
   1321 		break;
   1322 	case CIL_BOOLEANIF:
   1323 		*finished = CIL_TREE_SKIP_HEAD;
   1324 		break;
   1325 	case CIL_AVRULE:
   1326 	case CIL_AVRULEX:
   1327 		if (args->flavor == node->flavor) {
   1328 			struct cil_avrule *rule = node->data;
   1329 			if (args->rule_kind == rule->rule_kind) {
   1330 				if (rule->is_extended) {
   1331 					cil_av_rulex_to_policy(args->out, rule);
   1332 				} else {
   1333 					cil_av_rule_to_policy(args->out, rule);
   1334 				}
   1335 			}
   1336 		}
   1337 		break;
   1338 	case CIL_TYPE_RULE:
   1339 		if (args->flavor == node->flavor) {
   1340 			struct cil_type_rule *rule = node->data;
   1341 			if (args->rule_kind == rule->rule_kind) {
   1342 				cil_type_rule_to_policy(args->out, rule);
   1343 			}
   1344 		}
   1345 
   1346 		break;
   1347 	case CIL_NAMETYPETRANSITION:
   1348 		if (args->flavor == node->flavor) {
   1349 			cil_nametypetransition_to_policy(args->out, node->data);
   1350 		}
   1351 		break;
   1352 	case CIL_RANGETRANSITION:
   1353 		if (args->flavor == node->flavor) {
   1354 			cil_rangetransition_to_policy(args->out, node->data);
   1355 		}
   1356 
   1357 		break;
   1358 	case CIL_TYPEPERMISSIVE:
   1359 		if (args->flavor == node->flavor) {
   1360 			cil_typepermissive_to_policy(args->out, node->data);
   1361 		}
   1362 		break;
   1363 	default:
   1364 		break;
   1365 	}
   1366 
   1367 	return SEPOL_OK;
   1368 }
   1369 
   1370 static void cil_block_te_rules_to_policy(FILE *out, struct cil_tree_node *start, int mls)
   1371 {
   1372 	struct block_te_rules_extra args;
   1373 
   1374 	args.out = out;
   1375 
   1376 	args.flavor = CIL_TYPEPERMISSIVE;
   1377 	args.rule_kind = 0;
   1378 	cil_tree_walk(start, __cil_block_te_rules_to_policy_helper, NULL, NULL, &args);
   1379 
   1380 	args.flavor = CIL_AVRULE;
   1381 	args.rule_kind = CIL_AVRULE_ALLOWED;
   1382 	cil_tree_walk(start, __cil_block_te_rules_to_policy_helper, NULL, NULL, &args);
   1383 	args.rule_kind = CIL_AVRULE_AUDITALLOW;
   1384 	cil_tree_walk(start, __cil_block_te_rules_to_policy_helper, NULL, NULL, &args);
   1385 	args.rule_kind = CIL_AVRULE_DONTAUDIT;
   1386 	cil_tree_walk(start, __cil_block_te_rules_to_policy_helper, NULL, NULL, &args);
   1387 	args.rule_kind = CIL_AVRULE_NEVERALLOW;
   1388 	cil_tree_walk(start, __cil_block_te_rules_to_policy_helper, NULL, NULL, &args);
   1389 
   1390 	args.flavor = CIL_AVRULEX;
   1391 	args.rule_kind = CIL_AVRULE_ALLOWED;
   1392 	cil_tree_walk(start, __cil_block_te_rules_to_policy_helper, NULL, NULL, &args);
   1393 	args.rule_kind = CIL_AVRULE_AUDITALLOW;
   1394 	cil_tree_walk(start, __cil_block_te_rules_to_policy_helper, NULL, NULL, &args);
   1395 	args.rule_kind = CIL_AVRULE_DONTAUDIT;
   1396 	cil_tree_walk(start, __cil_block_te_rules_to_policy_helper, NULL, NULL, &args);
   1397 	args.rule_kind = CIL_AVRULE_NEVERALLOW;
   1398 	cil_tree_walk(start, __cil_block_te_rules_to_policy_helper, NULL, NULL, &args);
   1399 
   1400 	args.flavor = CIL_TYPE_RULE;
   1401 	args.rule_kind = CIL_TYPE_TRANSITION;
   1402 	cil_tree_walk(start, __cil_block_te_rules_to_policy_helper, NULL, NULL, &args);
   1403 	args.rule_kind = CIL_TYPE_MEMBER;
   1404 	cil_tree_walk(start, __cil_block_te_rules_to_policy_helper, NULL, NULL, &args);
   1405 	args.rule_kind = CIL_TYPE_CHANGE;
   1406 	cil_tree_walk(start, __cil_block_te_rules_to_policy_helper, NULL, NULL, &args);
   1407 	args.rule_kind = CIL_AVRULE_TYPE;
   1408 	cil_tree_walk(start, __cil_block_te_rules_to_policy_helper, NULL, NULL, &args);
   1409 
   1410 	args.flavor = CIL_NAMETYPETRANSITION;
   1411 	args.rule_kind = 0;
   1412 	cil_tree_walk(start, __cil_block_te_rules_to_policy_helper, NULL, NULL, &args);
   1413 
   1414 	if (mls == CIL_TRUE) {
   1415 		args.flavor = CIL_RANGETRANSITION;
   1416 		args.rule_kind = 0;
   1417 		cil_tree_walk(start, __cil_block_te_rules_to_policy_helper, NULL, NULL, &args);
   1418 	}
   1419 }
   1420 
   1421 struct te_rules_extra {
   1422 	FILE *out;
   1423 	int mls;
   1424 };
   1425 
   1426 static int __cil_te_rules_to_policy_helper(struct cil_tree_node *node, uint32_t *finished, void *extra_args)
   1427 {
   1428 	struct te_rules_extra *args = extra_args;
   1429 
   1430 	switch (node->flavor) {
   1431 	case CIL_BLOCK: {
   1432 		struct cil_block *blk = node->data;
   1433 		if (blk->is_abstract == CIL_TRUE) {
   1434 			*finished = CIL_TREE_SKIP_HEAD;
   1435 		}
   1436 		break;
   1437 	}
   1438 	case CIL_MACRO:
   1439 		*finished = CIL_TREE_SKIP_HEAD;
   1440 		break;
   1441 	case CIL_BOOLEANIF: {
   1442 		struct cil_booleanif *bool = node->data;
   1443 		struct cil_tree_node *n;
   1444 		struct cil_condblock *cb;
   1445 
   1446 		fprintf(args->out, "if ");
   1447 		cil_cond_expr_to_policy(args->out, bool->datum_expr, CIL_TRUE);
   1448 		fprintf(args->out," {\n");
   1449 		n = node->cl_head;
   1450 		cb = n != NULL ? n->data : NULL;
   1451 		if (cb && cb->flavor == CIL_CONDTRUE) {
   1452 			cil_block_te_rules_to_policy(args->out, n, args->mls);
   1453 			n = n->next;
   1454 			cb = n != NULL ? n->data : NULL;
   1455 		}
   1456 		if (cb && cb->flavor == CIL_CONDFALSE) {
   1457 			fprintf(args->out,"} else {\n");
   1458 			cil_block_te_rules_to_policy(args->out, n, args->mls);
   1459 		}
   1460 		fprintf(args->out,"}\n");
   1461 		*finished = CIL_TREE_SKIP_HEAD;
   1462 		break;
   1463 	}
   1464 	default:
   1465 		break;
   1466 	}
   1467 
   1468 	return SEPOL_OK;
   1469 }
   1470 
   1471 static void cil_te_rules_to_policy(FILE *out, struct cil_tree_node *head, int mls)
   1472 {
   1473 	struct te_rules_extra args;
   1474 
   1475 	args.out = out;
   1476 	args.mls = mls;
   1477 
   1478 	cil_block_te_rules_to_policy(out, head, mls);
   1479 	cil_tree_walk(head, __cil_te_rules_to_policy_helper, NULL, NULL, &args);
   1480 }
   1481 
   1482 static void cil_roles_to_policy(FILE *out, struct cil_list *rules)
   1483 {
   1484 	struct cil_list_item *i1;
   1485 	struct cil_role *role;
   1486 
   1487 	cil_list_for_each(i1, rules) {
   1488 		role = i1->data;
   1489 		if (strcmp(role->datum.fqn,"object_r") == 0)
   1490 			continue;
   1491 		fprintf(out, "role %s;\n", role->datum.fqn);
   1492 	}
   1493 }
   1494 
   1495 static void cil_role_types_to_policy(FILE *out, struct cil_list *roles, struct cil_list *types)
   1496 {
   1497 	struct cil_list_item *i1, *i2;
   1498 	struct cil_role *role;
   1499 	struct cil_type *type;
   1500 	int first = CIL_TRUE;
   1501 
   1502 	cil_list_for_each(i1, roles) {
   1503 		role = i1->data;
   1504 		if (strcmp(role->datum.fqn,"object_r") == 0)
   1505 			continue;
   1506 		if (role->types) {
   1507 			cil_list_for_each(i2, types) {
   1508 				type = i2->data;
   1509 				if (ebitmap_get_bit(role->types, type->value)) {
   1510 					if (first) {
   1511 						fprintf(out, "role %s types { %s", role->datum.fqn, type->datum.fqn);
   1512 						first = CIL_FALSE;
   1513 					} else {
   1514 						fprintf(out, " %s", type->datum.fqn);
   1515 					}
   1516 				}
   1517 			}
   1518 			if (!first) {
   1519 				fprintf(out, " }");
   1520 				first = CIL_TRUE;
   1521 			}
   1522 			fprintf(out, ";\n");
   1523 		}
   1524 	}
   1525 }
   1526 
   1527 static void cil_roleattributes_to_policy(FILE *out, struct cil_list *roles, struct cil_list *attributes)
   1528 {
   1529 	struct cil_list_item *i1, *i2;
   1530 	struct cil_role *role;
   1531 	struct cil_roleattribute *attribute;
   1532 	int first = CIL_TRUE;
   1533 
   1534 	cil_list_for_each(i1, roles) {
   1535 		role = i1->data;
   1536 		if (strcmp(role->datum.fqn,"object_r") == 0)
   1537 			continue;
   1538 		cil_list_for_each(i2, attributes) {
   1539 			attribute = i2->data;
   1540 			if (ebitmap_get_bit(attribute->roles, role->value)) {
   1541 				if (first) {
   1542 					fprintf(out, "roleattribute %s %s", role->datum.fqn, attribute->datum.fqn);
   1543 					first = CIL_FALSE;
   1544 				} else {
   1545 					fprintf(out, ", %s", attribute->datum.fqn);
   1546 				}
   1547 			}
   1548 		}
   1549 		if (!first) {
   1550 			fprintf(out, ";\n");
   1551 			first = CIL_TRUE;
   1552 		}
   1553 	}
   1554 }
   1555 
   1556 static void cil_roleallows_to_policy(FILE *out, struct cil_list *roleallows)
   1557 {
   1558 	struct cil_list_item *i1;
   1559 	struct cil_roleallow *allow;
   1560 
   1561 	cil_list_for_each(i1, roleallows) {
   1562 		allow = i1->data;
   1563 		fprintf(out, "allow %s %s;\n", DATUM(allow->src)->fqn, DATUM(allow->tgt)->fqn);
   1564 	}
   1565 }
   1566 
   1567 static void cil_roletransitions_to_policy(FILE *out, struct cil_list *roletransitions)
   1568 {
   1569 	struct cil_list_item *i1, *i2;
   1570 	struct cil_list *class_list;
   1571 	struct cil_roletransition *trans;
   1572 
   1573 
   1574 	cil_list_for_each(i1, roletransitions) {
   1575 		trans = i1->data;
   1576 		class_list = cil_expand_class(trans->obj);
   1577 		cil_list_for_each(i2, class_list) {
   1578 			fprintf(out, "role_transition %s %s : %s %s;\n", DATUM(trans->src)->fqn, DATUM(trans->tgt)->fqn, DATUM(i2->data)->fqn, DATUM(trans->result)->fqn);
   1579 		}
   1580 		cil_list_destroy(&class_list, CIL_FALSE);
   1581 	}
   1582 }
   1583 
   1584 static void cil_users_to_policy(FILE *out, int mls, struct cil_list *users, struct cil_list *all_roles)
   1585 {
   1586 	struct cil_list_item *i1, *i2;
   1587 	struct cil_user *user;
   1588 	struct cil_list *roles = NULL;
   1589 	struct cil_role *role;
   1590 	int num_roles;
   1591 
   1592 	cil_list_for_each(i1, users) {
   1593 		user = i1->data;
   1594 		num_roles = 0;
   1595 		fprintf(out, "user %s",user->datum.fqn);
   1596 		cil_list_for_each(i2, all_roles) {
   1597 			role = i2->data;
   1598 			if (ebitmap_get_bit(user->roles, role->value)) {
   1599 				if (num_roles == 0) {
   1600 					cil_list_init(&roles, CIL_LIST);
   1601 				}
   1602 				cil_list_append(roles, CIL_ROLE, role);
   1603 				num_roles++;
   1604 			}
   1605 		}
   1606 		if (num_roles > 0) {
   1607 			fprintf(out, " roles");
   1608 			if (num_roles > 1) {
   1609 				fprintf(out, " {");
   1610 			}
   1611 			cil_list_for_each(i2, roles) {
   1612 				role = i2->data;
   1613 				fprintf(out, " %s", role->datum.fqn);
   1614 			}
   1615 			if (num_roles > 1) {
   1616 				fprintf(out, " }");
   1617 			}
   1618 			cil_list_destroy(&roles, CIL_FALSE);
   1619 		}
   1620 
   1621 		if (mls == CIL_TRUE && user->dftlevel != NULL) {
   1622 			fprintf(out, " level ");
   1623 			cil_level_to_policy(out, user->dftlevel);
   1624 		}
   1625 
   1626 		if (mls == CIL_TRUE && user->range != NULL) {
   1627 			fprintf(out, " range ");
   1628 			cil_levelrange_to_policy(out, user->range);
   1629 		}
   1630 
   1631 		fprintf(out,";\n");
   1632 	}
   1633 }
   1634 
   1635 static void cil_constrains_to_policy(FILE *out, struct cil_db *db, struct cil_list *constrains)
   1636 {
   1637 	struct cil_list_item *i1, *i2;
   1638 	struct cil_constrain *cons;
   1639 	struct cil_list *classperms_strs;
   1640 	char *cp_str;
   1641 	char *expr_str;
   1642 
   1643 	cil_list_for_each(i1, constrains) {
   1644 		cons = i1->data;
   1645 		cil_list_init(&classperms_strs, CIL_LIST);
   1646 		cil_classperms_to_strings(cons->classperms, classperms_strs);
   1647 		expr_str = cil_cons_expr_to_string(db, cons->datum_expr);
   1648 		cil_list_for_each(i2, classperms_strs) {
   1649 			cp_str = i2->data;
   1650 			fprintf(out, "constrain %s %s;\n",cp_str, expr_str);
   1651 			free(cp_str);
   1652 		}
   1653 		free(expr_str);
   1654 		cil_list_destroy(&classperms_strs, CIL_FALSE);
   1655 	}
   1656 }
   1657 
   1658 static void cil_sid_contexts_to_policy(FILE *out, struct cil_list *sids, int mls)
   1659 {
   1660 	struct cil_list_item *i1;
   1661 	struct cil_sid *sid;
   1662 
   1663 	cil_list_for_each(i1, sids) {
   1664 		sid = i1->data;
   1665 		fprintf(out, "sid %s ", sid->datum.fqn);
   1666 		cil_context_to_policy(out, sid->context, mls);
   1667 		fprintf(out,"\n");
   1668 	}
   1669 }
   1670 
   1671 static void cil_fsuses_to_policy(FILE *out, struct cil_sort *fsuses, int mls)
   1672 {
   1673 	unsigned i;
   1674 	struct cil_fsuse *fsuse;
   1675 
   1676 	for (i=0; i<fsuses->count; i++) {
   1677 		fsuse = fsuses->array[i];
   1678 		if (fsuse->type == CIL_FSUSE_XATTR) {
   1679 			fprintf(out, "fs_use_xattr %s ", fsuse->fs_str);
   1680 			cil_context_to_policy(out, fsuse->context, mls);
   1681 			fprintf(out,";\n");
   1682 		}
   1683 	}
   1684 
   1685 	for (i=0; i<fsuses->count; i++) {
   1686 		fsuse = fsuses->array[i];
   1687 		if (fsuse->type == CIL_FSUSE_TASK) {
   1688 			fprintf(out, "fs_use_task %s ", fsuse->fs_str);
   1689 			cil_context_to_policy(out, fsuse->context, mls);
   1690 			fprintf(out,";\n");
   1691 		}
   1692 	}
   1693 
   1694 	for (i=0; i<fsuses->count; i++) {
   1695 		fsuse = fsuses->array[i];
   1696 		if (fsuse->type == CIL_FSUSE_TRANS) {
   1697 			fprintf(out, "fs_use_trans %s ", fsuse->fs_str);
   1698 			cil_context_to_policy(out, fsuse->context, mls);
   1699 			fprintf(out,";\n");
   1700 		}
   1701 	}
   1702 }
   1703 
   1704 static void cil_genfscons_to_policy(FILE *out, struct cil_sort *genfscons, int mls)
   1705 {
   1706 	unsigned i;
   1707 	struct cil_genfscon *genfscon;
   1708 
   1709 	for (i=0; i<genfscons->count; i++) {
   1710 		genfscon = genfscons->array[i];
   1711 		fprintf(out, "genfscon %s %s ", genfscon->fs_str, genfscon->path_str);
   1712 		cil_context_to_policy(out, genfscon->context, mls);
   1713 		fprintf(out, "\n");
   1714 	}
   1715 }
   1716 
   1717 static void cil_portcons_to_policy(FILE *out, struct cil_sort *portcons, int mls)
   1718 {
   1719 	unsigned i;
   1720 	struct cil_portcon *portcon;
   1721 
   1722 	for (i=0; i<portcons->count; i++) {
   1723 		portcon = portcons->array[i];
   1724 		fprintf(out, "portcon ");
   1725 		if (portcon->proto == CIL_PROTOCOL_UDP) {
   1726 			fprintf(out, "udp ");
   1727 		} else if (portcon->proto == CIL_PROTOCOL_TCP) {
   1728 			fprintf(out, "tcp ");
   1729 		} else if (portcon->proto == CIL_PROTOCOL_DCCP) {
   1730 			fprintf(out, "dccp ");
   1731 		}
   1732 		if (portcon->port_low == portcon->port_high) {
   1733 			fprintf(out, "%d ", portcon->port_low);
   1734 		} else {
   1735 			fprintf(out, "%d-%d ", portcon->port_low, portcon->port_high);
   1736 		}
   1737 		cil_context_to_policy(out, portcon->context, mls);
   1738 		fprintf(out, "\n");
   1739 	}
   1740 }
   1741 
   1742 static void cil_netifcons_to_policy(FILE *out, struct cil_sort *netifcons, int mls)
   1743 {
   1744 	unsigned i;
   1745 	struct cil_netifcon *netifcon;
   1746 
   1747 	for (i=0; i<netifcons->count; i++) {
   1748 		netifcon = netifcons->array[i];
   1749 		fprintf(out, "netifcon %s ", netifcon->interface_str);
   1750 		cil_context_to_policy(out, netifcon->if_context, mls);
   1751 		fprintf(out, " ");
   1752 		cil_context_to_policy(out, netifcon->packet_context, mls);
   1753 		fprintf(out, ";\n");
   1754 	}
   1755 }
   1756 
   1757 static void cil_nodecons_to_policy(FILE *out, struct cil_sort *nodecons, int mls)
   1758 {
   1759 	unsigned i;
   1760 	struct cil_nodecon *nodecon;
   1761 	char *addr, *mask;
   1762 
   1763 	for (i=0; i<nodecons->count; i++) {
   1764 		nodecon = nodecons->array[i];
   1765 		fprintf(out, "nodecon ");
   1766 
   1767 		if (nodecon->addr->family == AF_INET) {
   1768 			errno = 0;
   1769 			addr = cil_malloc(INET_ADDRSTRLEN);
   1770 			inet_ntop(nodecon->addr->family, &nodecon->addr->ip.v4, addr, INET_ADDRSTRLEN);
   1771 			if (errno == 0) {
   1772 				fprintf(out, "%s ",addr);
   1773 			} else {
   1774 				fprintf(out, "[INVALID] ");
   1775 			}
   1776 			free(addr);
   1777 
   1778 			errno = 0;
   1779 			mask = cil_malloc(INET_ADDRSTRLEN);
   1780 			inet_ntop(nodecon->mask->family, &nodecon->mask->ip.v4, mask, INET_ADDRSTRLEN);
   1781 			if (errno == 0) {
   1782 				fprintf(out, "%s ",mask);
   1783 			} else {
   1784 				fprintf(out, "[INVALID] ");
   1785 			}
   1786 			free(mask);
   1787 		} else {
   1788 			errno = 0;
   1789 			addr = cil_malloc(INET6_ADDRSTRLEN);
   1790 			inet_ntop(nodecon->addr->family, &nodecon->addr->ip.v6, addr, INET6_ADDRSTRLEN);
   1791 			if (errno == 0) {
   1792 				fprintf(out, "%s ",addr);
   1793 			} else {
   1794 				fprintf(out, "[INVALID] ");
   1795 			}
   1796 			free(addr);
   1797 
   1798 			errno = 0;
   1799 			mask = cil_malloc(INET6_ADDRSTRLEN);
   1800 			inet_ntop(nodecon->mask->family, &nodecon->mask->ip.v6, mask, INET6_ADDRSTRLEN);
   1801 			if (errno == 0) {
   1802 				fprintf(out, "%s ",mask);
   1803 			} else {
   1804 				fprintf(out, "[INVALID] ");
   1805 			}
   1806 			free(mask);
   1807 		}
   1808 
   1809 		cil_context_to_policy(out, nodecon->context, mls);
   1810 		fprintf(out, ";\n");
   1811 	}
   1812 }
   1813 
   1814 static void cil_pirqcons_to_policy(FILE *out, struct cil_sort *pirqcons, int mls)
   1815 {
   1816 	unsigned i;
   1817 	struct cil_pirqcon *pirqcon;
   1818 
   1819 	for (i = 0; i<pirqcons->count; i++) {
   1820 		pirqcon = pirqcons->array[i];
   1821 		fprintf(out, "pirqcon %d ", pirqcon->pirq);
   1822 		cil_context_to_policy(out, pirqcon->context, mls);
   1823 		fprintf(out, ";\n");
   1824 	}
   1825 }
   1826 
   1827 static void cil_iomemcons_to_policy(FILE *out, struct cil_sort *iomemcons, int mls)
   1828 {
   1829 	unsigned i;
   1830 	struct cil_iomemcon *iomemcon;
   1831 
   1832 	for (i = 0; i<iomemcons->count; i++) {
   1833 		iomemcon = iomemcons->array[i];
   1834 		if (iomemcon->iomem_low == iomemcon->iomem_high) {
   1835 			fprintf(out, "iomemcon %"PRIx64" ", iomemcon->iomem_low);
   1836 		} else {
   1837 			fprintf(out, "iomemcon %"PRIx64"-%"PRIx64" ", iomemcon->iomem_low, iomemcon->iomem_high);
   1838 		}
   1839 		cil_context_to_policy(out, iomemcon->context, mls);
   1840 		fprintf(out, ";\n");
   1841 	}
   1842 }
   1843 
   1844 static void cil_ioportcons_to_policy(FILE *out, struct cil_sort *ioportcons, int mls)
   1845 {
   1846 	unsigned i;
   1847 	struct cil_ioportcon *ioportcon;
   1848 
   1849 	for (i = 0; i < ioportcons->count; i++) {
   1850 		ioportcon = ioportcons->array[i];
   1851 		fprintf(out, "ioportcon 0x%x-0x%x ", ioportcon->ioport_low, ioportcon->ioport_high);
   1852 		cil_context_to_policy(out, ioportcon->context, mls);
   1853 		fprintf(out, ";\n");
   1854 	}
   1855 }
   1856 
   1857 static void cil_pcidevicecons_to_policy(FILE *out, struct cil_sort *pcidevicecons, int mls)
   1858 {
   1859 	unsigned i;
   1860 	struct cil_pcidevicecon *pcidevicecon;
   1861 
   1862 	for (i = 0; i < pcidevicecons->count; i++) {
   1863 		pcidevicecon = pcidevicecons->array[i];
   1864 		fprintf(out, "pcidevicecon 0x%x ", pcidevicecon->dev);
   1865 		cil_context_to_policy(out, pcidevicecon->context, mls);
   1866 		fprintf(out, ";\n");
   1867 	}
   1868 }
   1869 
   1870 static void cil_devicetreecons_to_policy(FILE *out, struct cil_sort *devicetreecons, int mls)
   1871 {
   1872 	unsigned i;
   1873 	struct cil_devicetreecon *devicetreecon;
   1874 
   1875 	for (i = 0; i < devicetreecons->count; i++) {
   1876 		devicetreecon = devicetreecons->array[i];
   1877 		fprintf(out, "devicetreecon %s ", devicetreecon->path);
   1878 		cil_context_to_policy(out, devicetreecon->context, mls);
   1879 		fprintf(out, ";\n");
   1880 	}
   1881 }
   1882 
   1883 void cil_gen_policy(FILE *out, struct cil_db *db)
   1884 {
   1885 	unsigned i;
   1886 	struct cil_tree_node *head = db->ast->root;
   1887 	struct cil_list *lists[CIL_LIST_NUM_LISTS];
   1888 
   1889 	for (i=0; i<CIL_LIST_NUM_LISTS; i++) {
   1890 		cil_list_init(&lists[i], CIL_LIST);
   1891 	}
   1892 
   1893 	cil_gather_statements(head, lists);
   1894 
   1895 	cil_class_decls_to_policy(out, db->classorder);
   1896 
   1897 	cil_sid_decls_to_policy(out, db->sidorder);
   1898 
   1899 	cil_commons_to_policy(out, lists[CIL_LIST_COMMON]);
   1900 	cil_classes_to_policy(out, db->classorder);
   1901 
   1902 	cil_defaults_to_policy(out, lists[CIL_LIST_DEFAULT_USER], CIL_KEY_DEFAULTUSER);
   1903 	cil_defaults_to_policy(out, lists[CIL_LIST_DEFAULT_ROLE], CIL_KEY_DEFAULTROLE);
   1904 	cil_defaults_to_policy(out, lists[CIL_LIST_DEFAULT_TYPE], CIL_KEY_DEFAULTTYPE);
   1905 
   1906 	if (db->mls == CIL_TRUE) {
   1907 		cil_default_ranges_to_policy(out, lists[CIL_LIST_DEFAULT_RANGE]);
   1908 		cil_sensitivities_to_policy(out, db->sensitivityorder, lists[CIL_LIST_SENSALIAS]);
   1909 		cil_dominance_to_policy(out, db->sensitivityorder);
   1910 		cil_categories_to_policy(out, db->catorder, lists[CIL_LIST_CATALIAS]);
   1911 		cil_levels_to_policy(out, db->sensitivityorder);
   1912 		cil_mlsconstrains_to_policy(out, db, lists[CIL_LIST_MLSCONSTRAIN]);
   1913 		cil_validatetrans_to_policy(out, db, lists[CIL_LIST_MLSVALIDATETRANS], CIL_KEY_MLSVALIDATETRANS);
   1914 	}
   1915 
   1916 	cil_simple_rules_to_policy(out, lists[CIL_LIST_POLICYCAP], CIL_KEY_POLICYCAP);
   1917 
   1918 	cil_simple_rules_to_policy(out, lists[CIL_LIST_TYPEATTRIBUTE], "attribute");
   1919 	cil_simple_rules_to_policy(out, lists[CIL_LIST_ROLEATTRIBUTE], "attribute_role");
   1920 
   1921 	cil_bools_to_policy(out, lists[CIL_LIST_BOOL]);
   1922 
   1923 	cil_simple_rules_to_policy(out, lists[CIL_LIST_TYPE], "type");
   1924 	cil_typealiases_to_policy(out, lists[CIL_LIST_TYPE], lists[CIL_LIST_TYPEALIAS]);
   1925 	cil_typebounds_to_policy(out, lists[CIL_LIST_TYPE]);
   1926 	cil_typeattributes_to_policy(out, lists[CIL_LIST_TYPE], lists[CIL_LIST_TYPEATTRIBUTE]);
   1927 	cil_te_rules_to_policy(out, head, db->mls);
   1928 
   1929 	cil_roles_to_policy(out, lists[CIL_LIST_ROLE]);
   1930 	cil_role_types_to_policy(out, lists[CIL_LIST_ROLE], lists[CIL_LIST_TYPE]);
   1931 	cil_roleattributes_to_policy(out, lists[CIL_LIST_ROLE], lists[CIL_LIST_ROLEATTRIBUTE]);
   1932 	cil_roleallows_to_policy(out, lists[CIL_LIST_ROLEALLOW]);
   1933 	cil_roletransitions_to_policy(out, lists[CIL_LIST_ROLETRANSITION]);
   1934 
   1935 	cil_users_to_policy(out, db->mls, lists[CIL_LIST_USER], lists[CIL_LIST_ROLE]);
   1936 
   1937 	cil_constrains_to_policy(out, db, lists[CIL_LIST_CONSTRAINT]);
   1938 	cil_validatetrans_to_policy(out, db, lists[CIL_LIST_VALIDATETRANS], CIL_KEY_VALIDATETRANS);
   1939 
   1940 	cil_sid_contexts_to_policy(out, db->sidorder, db->mls);
   1941 	cil_fsuses_to_policy(out, db->fsuse, db->mls);
   1942 	cil_genfscons_to_policy(out, db->genfscon, db->mls);
   1943 	cil_portcons_to_policy(out, db->portcon, db->mls);
   1944 	cil_netifcons_to_policy(out, db->netifcon, db->mls);
   1945 	cil_nodecons_to_policy(out, db->nodecon, db->mls);
   1946 	cil_pirqcons_to_policy(out, db->pirqcon, db->mls);
   1947 	cil_iomemcons_to_policy(out, db->iomemcon, db->mls);
   1948 	cil_ioportcons_to_policy(out, db->ioportcon, db->mls);
   1949 	cil_pcidevicecons_to_policy(out, db->pcidevicecon, db->mls);
   1950 	cil_devicetreecons_to_policy(out, db->devicetreecon, db->mls);
   1951 
   1952 	for (i=0; i<CIL_LIST_NUM_LISTS; i++) {
   1953 		cil_list_destroy(&lists[i], CIL_FALSE);
   1954 	}
   1955 
   1956 }
   1957