From: William Roberts <william.c.robe...@intel.com>
The combining logic for dontaudit rules was wrong, causing
a dontaudit A B:C *; rule to be clobbered by a dontaudit A B:C p;
rule.
This is a reimplementation of:
commit 6201bb5e258e2b5bcc04d502d6fbc05c69d21d71 ("libsepol:
fix checkpolicy dontaudit compiler bug")
that avoids the cumbersome pointer assignments on alloced.
Reported-by: Nick Kralevich <n...@google.com>
Signed-off-by: William Roberts <william.c.robe...@intel.com>
---
libsepol/src/expand.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/libsepol/src/expand.c b/libsepol/src/expand.c
index 004a029..3e16f58 100644
--- a/libsepol/src/expand.c
+++ b/libsepol/src/expand.c
@@ -1640,6 +1640,11 @@ static avtab_ptr_t find_avtab_node(sepol_handle_t *
handle,
if (!node) {
memset(&avdatum, 0, sizeof avdatum);
+ /*
+ * AUDITDENY, aka DONTAUDIT, are &= assigned, versus |= for
+ * others. Initialize the data accordingly.
+ */
+ avdatum.data = key->specified == AVTAB_AUDITDENY ? ~0 : 0;
/* this is used to get the node - insertion is actually unique
*/
node = avtab_insert_nonunique(avtab, key, &avdatum);
if (!node) {
@@ -1850,10 +1855,7 @@ static int expand_avrule_helper(sepol_handle_t * handle,
*/
avdatump->data &= cur->data;
} else if (specified & AVRULE_DONTAUDIT) {
- if (avdatump->data)
- avdatump->data &= ~cur->data;
- else
- avdatump->data = ~cur->data;
+ avdatump->data &= ~cur->data;
} else if (specified & AVRULE_XPERMS) {
xperms = avdatump->xperms;
if (!xperms) {
--
2.7.4
_______________________________________________
Selinux mailing list
Selinux@tycho.nsa.gov
To unsubscribe, send email to selinux-le...@tycho.nsa.gov.
To get help, send an email containing "help" to selinux-requ...@tycho.nsa.gov.
