On 11/21/2015 11:26 AM, Richard Haines wrote:
Currently neverallowxperm rules will be resolved correctly when
building policy, however they are not detectable when using tools
such as an updated version of setools. This patch will allow
these to be viewed in the same way as neverallow rules are in a
text based kernel policy file (e.g. policy.conf).
Signed-off-by: Richard Haines <richard_c_haines@xxxxxxxxxxxxxx>
Thanks, applied.
---
libsepol/src/expand.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/libsepol/src/expand.c b/libsepol/src/expand.c
index 9047c6d..9cb7965 100644
--- a/libsepol/src/expand.c
+++ b/libsepol/src/expand.c
@@ -1811,6 +1811,8 @@ static int expand_avrule_helper(sepol_handle_t * handle,
if (handle && handle->disable_dontaudit)
return EXPAND_RULE_SUCCESS;
spec = AVTAB_XPERMS_DONTAUDIT;
+ } else if (specified & AVRULE_XPERMS_NEVERALLOW) {
+ spec = AVTAB_XPERMS_NEVERALLOW;
} else {
assert(0); /* unreachable */
}
@@ -1948,7 +1950,7 @@ static int convert_and_expand_rule(sepol_handle_t * handle,
if (!do_neverallow && source_rule->specified & AVRULE_NEVERALLOW)
return EXPAND_RULE_SUCCESS;
- if (source_rule->specified & AVRULE_XPERMS_NEVERALLOW)
+ if (!do_neverallow && source_rule->specified & AVRULE_XPERMS_NEVERALLOW)
return EXPAND_RULE_SUCCESS;
ebitmap_init(&stypes);
_______________________________________________
Selinux mailing list
Selinux@xxxxxxxxxxxxx
To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
