The type bounds / hierarchy checker was incorrectly handling rules with attributes as the target type, causing it to trigger violations if the parent type lacked a rule directly to the same attribute even if the parent had all the permissions to the types associated with that attribute. Skip the degenerate case and only check for the individual types. Signed-off-by: Stephen Smalley <sds@xxxxxxxxxxxxx> --- libsepol/src/hierarchy.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libsepol/src/hierarchy.c b/libsepol/src/hierarchy.c index ba65978..79db3a6 100644 --- a/libsepol/src/hierarchy.c +++ b/libsepol/src/hierarchy.c @@ -318,6 +318,8 @@ static int bounds_check_rule(sepol_handle_t *handle, policydb_t *p, &avtab_key, data); if (!d) continue; td = p->type_val_to_struct[i]; + if (!td || td->flavor == TYPE_ATTRIB) + continue; if (td && td->bounds) { avtab_key.target_type = td->bounds; d = bounds_not_covered(global_avtab, cur_avtab, -- 2.5.5 _______________________________________________ Selinux mailing list Selinux@xxxxxxxxxxxxx To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx. To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
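Review bot: With the new `if (!td || td->flavor == TYPE_ATTRIB) continue;` in place, the `td &&` guard in the very next line, `if (td && td->bounds) {`, is now dead and should be reduced to `if (td->bounds) {` so the two checks do not read as if a NULL `td` could still reach that point. The skip itself also deserves a one-line comment in the code: the reason attribute targets are passed over (the member types of the attribute are already checked individually, so comparing the parent's rules against the attribute itself only produces spurious violations) lives only in the commit message, and a reader of hierarchy.c has no way to tell from these lines that the `continue` is intentional rather than a missed case. Since the correctness of the skip rests on every attribute's member types being visited by the same loop, the comment should state that assumption explicitly so a later change to the iteration does not silently turn this early-out into a hole in the bounds check.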