Only audit the permissions specified by the policy, excluding any permissions specified via dontaudit or not specified via auditallow. This only shows up when a single avc_has_perm() call is made with multiple permissions where some of those permissions are dontaudit'd or auditallow'd while others are not. The corresponding kernel patch has already been applied, see: http://git.kernel.org/?p=linux/kernel/git/jmorris/security-testing-2.6.git;a=commit;h=b6cac5a30b325e14cda425670bb3568d3cad0aa8 Signed-off-by: Stephen D. Smalley <sds@xxxxxxxxxxxxx> --- libselinux/src/avc.c | 17 +++++++---------- 1 file changed, 7 insertions(+), 10 deletions(-) diff --git a/libselinux/src/avc.c b/libselinux/src/avc.c index 1c62fa3..881b915 100644 --- a/libselinux/src/avc.c +++ b/libselinux/src/avc.c @@ -694,17 +694,14 @@ void avc_audit(security_id_t ssid, security_id_t tsid, access_vector_t denied, audited; denied = requested & ~avd->allowed; - if (denied) { - audited = denied; - if (!(audited & avd->auditdeny)) - return; - } else if (!requested || result) { + if (denied) + audited = denied & avd->auditdeny; + else if (!requested || result) audited = denied = requested; - } else { - audited = requested; - if (!(audited & avd->auditallow)) - return; - } + else + audited = requested & avd->auditallow; + if (!audited) + return; #if 0 if (!check_avc_ratelimit()) return; -- Stephen Smalley National Security Agency -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with the words "unsubscribe selinux" without quotes as the message.
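Review bot: the single `if (!audited) return;` added after the three branches also applies to the `else if (!requested || result)` branch, where `audited = denied = requested;` is zero whenever `requested` is zero, so the `!requested` case that previously fell through to the audit path now returns silently; that is a behaviour change the commit message (which describes only masking with `avd->auditdeny` and `avd->auditallow`) does not mention. If suppressing the audit record for an empty permission request is intended, state it in the message; otherwise keep the early return local to the two masked branches, e.g. `if (denied) { audited = denied & avd->auditdeny; if (!audited) return; }` and the same shape for the `auditallow` branch, leaving the `!requested || result` branch to audit as before.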