On 04/29/2016 01:47 PM, James Carter wrote:
> The attribute to type map is used to get all of the types that are
> associated with an attribute. To make neverallow and bounds checking
> easier it was convenient to map a type to itself. However, CIL was
> wrongly mapping an attribute to itself in addition to the types
> associated with it. This caused type bounds checking to fail if the
> parent was granted a permission through one attribute while the child
> was granted the permission through another attribute.
>
> Signed-off-by: James Carter <jwcart2@xxxxxxxxxxxxx>

Acked-by: Stephen Smalley <sds@xxxxxxxxxxxxx>

> ---
> libsepol/cil/src/cil_binary.c | 8 +++++---
> 1 file changed, 5 insertions(+), 3 deletions(-)
>
> diff --git a/libsepol/cil/src/cil_binary.c b/libsepol/cil/src/cil_binary.c
> index b8437c9..1cd12d2 100644
> --- a/libsepol/cil/src/cil_binary.c
> +++ b/libsepol/cil/src/cil_binary.c
> @@ -609,9 +609,11 @@ int __cil_typeattr_bitmap_init(policydb_t *pdb)
> rc = SEPOL_ERR;
> goto exit;
> }
> - if (ebitmap_set_bit(&pdb->attr_type_map[i], i, 1)) {
> - rc = SEPOL_ERR;
> - goto exit;
> + if (pdb->type_val_to_struct[i] && pdb->type_val_to_struct[i]->flavor != TYPE_ATTRIB) {
> + if (ebitmap_set_bit(&pdb->attr_type_map[i], i, 1)) {
> + rc = SEPOL_ERR;
> + goto exit;
> + }
> }
>
> }
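Review bot: the new guard in the `@@ -609,9 +609,11 @@` hunk silently skips any index where `pdb->type_val_to_struct[i]` is NULL, which masks a malformed or partially built policydb rather than reporting it; if a NULL entry is not expected once `__cil_typeattr_bitmap_init` runs, consider treating it as an error (`rc = SEPOL_ERR; goto exit;`) instead of folding it into the same condition as the `flavor != TYPE_ATTRIB` test. The reason for the exclusion also lives only in the commit message: a one-line comment above the added `if`, along the lines of "attributes must not map to themselves; only real types do, otherwise type bounds checking fails when parent and child are granted a permission via different attributes", would keep that rationale next to the code.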