On 04/28/2016 04:02 PM, Stephen Smalley wrote:
The type bounds / hierarchy checker was incorrectly handling rules with attributes as the target type, causing it to trigger violations if the parent type lacked a rule directly to the same attribute even if the parent had all the permissions to the types associated with that attribute. Skip the degenerate case and only check for the individual types. Signed-off-by: Stephen Smalley <sds@xxxxxxxxxxxxx> --- libsepol/src/hierarchy.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libsepol/src/hierarchy.c b/libsepol/src/hierarchy.c index ba65978..79db3a6 100644 --- a/libsepol/src/hierarchy.c +++ b/libsepol/src/hierarchy.c @@ -318,6 +318,8 @@ static int bounds_check_rule(sepol_handle_t *handle, policydb_t *p, &avtab_key, data); if (!d) continue; td = p->type_val_to_struct[i]; + if (!td || td->flavor == TYPE_ATTRIB) + continue; if (td && td->bounds) { avtab_key.target_type = td->bounds; d = bounds_not_covered(global_avtab, cur_avtab,
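Review bot: once the new `if (!td || td->flavor == TYPE_ATTRIB) continue;` is in place, the `td &&` in the very next condition `if (td && td->bounds)` can never be false and should be reduced to `if (td->bounds)`, otherwise the leftover null test suggests a path that no longer exists. A one-line comment above the new check saying why an attribute can show up in this map at all would also help, since the follow-up in this thread says the checker should never be handed one here and a reader cannot tell from the hunk whether this is a defensive guard or a workaround for the producer of the map.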
There shouldn't be any attributes here. CIL is wrongly including the attribute itself in the attr_type_map. Patch coming.
Jim
--
James Carter <jwcart2@xxxxxxxxxxxxx>
National Security Agency
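A small model of the bug Stephen's commit message describes, added here as an illustration and not code from libsepol or from either poster: the policy, the attribute map and the bounds relation are all constructed, and the two checker functions contrast a lookup keyed on the literal target name with one that expands an attribute target to its member types.

```python
# Constructed toy policy (not libsepol's data structures): permissions are
# strings, an attribute expands to a set of types, and a bounded "child"
# type may never hold a permission its parent (bounds) type lacks.
ATTRS = {"file_type": {"etc_t", "bin_t"}}
BOUNDS = {"child_t": "parent_t"}
RULES = {
    ("child_t", "file_type"): {"read"},        # child targets the attribute
    ("parent_t", "etc_t"): {"read", "write"},  # parent covers each member type
    ("parent_t", "bin_t"): {"read"},           # but has no rule to the attribute
}

def expand_target(tgt, attrs=ATTRS):
    """Concrete types that a rule's target resolves to."""
    return attrs.get(tgt, {tgt})

def effective_perms(src, tgt, rules=RULES, attrs=ATTRS):
    """Permissions src holds on concrete type tgt, including rules written
    against any attribute that contains tgt."""
    perms = set(rules.get((src, tgt), set()))
    for attr, members in attrs.items():
        if tgt in members:
            perms |= rules.get((src, attr), set())
    return perms

def violations_buggy(rules=RULES, bounds=BOUNDS):
    """Compares against the parent's rule for the same target name, so an
    attribute target only matches a parent rule written to that attribute."""
    out = []
    for (src, tgt), perms in rules.items():
        parent = bounds.get(src)
        if parent is None:
            continue
        missing = perms - rules.get((parent, tgt), set())
        if missing:
            out.append((src, tgt, missing))
    return out

def violations_fixed(rules=RULES, bounds=BOUNDS, attrs=ATTRS):
    """Skips the attribute itself and checks each member type instead."""
    out = []
    for (src, tgt), perms in rules.items():
        parent = bounds.get(src)
        if parent is None:
            continue
        for t in sorted(expand_target(tgt, attrs)):
            missing = perms - effective_perms(parent, t, rules, attrs)
            if missing:
                out.append((src, t, missing))
    return out
```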