This patch looks good to me. acked.
>From 901af31f3ed1a1e069559bec8047e7cfc8bd8d49 Mon Sep 17 00:00:00 2001 From: Richard Haines <richard_c_haines@xxxxxxxxxxxxxx> Date: Sun, 27 Nov 2011 16:06:57 +0000 Subject: [PATCH 39/48] libselinux: Mapped compute functions now obey deny_unknown flag If selinux_set_mapping(3) is used to map classes, and an invalid class is used to compute a decision (tclass = 0), the result did not obey the status of the deny_unknown flag. Signed-off-by: Richard Haines <richard_c_haines@xxxxxxxxxxxxxx> Signed-off-by: Eric Paris <eparis@xxxxxxxxxx> --- libselinux/src/compute_av.c | 4 +++- 1 files changed, 3 insertions(+), 1 deletions(-) diff --git a/libselinux/src/compute_av.c b/libselinux/src/compute_av.c index 86ff274..5962c0b 100644 --- a/libselinux/src/compute_av.c +++ b/libselinux/src/compute_av.c @@ -60,7 +60,9 @@ int security_compute_av_flags_raw(const security_context_t scon, } else if (ret < 6) avd->flags = 0; - map_decision(tclass, avd); + /* If tclass invalid, kernel sets avd according to deny_unknown flag */ + if (tclass != 0) + map_decision(tclass, avd); ret = 0; out2: -- 1.7.7.4
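Review bot: The new "if (tclass != 0)" guard in security_compute_av_flags_raw() handles only the zero class, and it sits at the call site rather than inside map_decision(). The subject line speaks of mapped compute functions in the plural, yet the diffstat shows a single changed call in compute_av.c; if map_decision() has other callers, they would still remap a decision computed for tclass 0. Moving the check into map_decision() would cover every caller in one place. The added comment would also be clearer if it said that tclass 0 is the invalid-class case that arises when selinux_set_mapping(3) is in use, as the commit message explains, so the reason for testing against 0 is visible in the code itself.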