On 11/15/2016 07:42 PM, william.c.roberts@xxxxxxxxx wrote:
> From: William Roberts <william.c.roberts@xxxxxxxxx>
>
> The combining logic for dontaudit rules was wrong, causing
> a dontaudit A B:C *; rule to be clobbered by a dontaudit A B:C p;
> rule.
>
> This is a reimplementation of:
> commit 6201bb5e258e2b5bcc04d502d6fbc05c69d21d71 ("libsepol:
> fix checkpolicy dontaudit compiler bug")
> that avoids the cumbersome pointer assignments on alloced.
Thanks, applied both patches (revert and reimplementation).
>
> Reported-by: Nick Kralevich <nnk@xxxxxxxxxx>
> Signed-off-by: William Roberts <william.c.roberts@xxxxxxxxx>
> ---
> libsepol/src/expand.c | 10 ++++++----
> 1 file changed, 6 insertions(+), 4 deletions(-)
>
> diff --git a/libsepol/src/expand.c b/libsepol/src/expand.c
> index 004a029..3e16f58 100644
> --- a/libsepol/src/expand.c
> +++ b/libsepol/src/expand.c
> @@ -1640,6 +1640,11 @@ static avtab_ptr_t find_avtab_node(sepol_handle_t * handle,
>
> if (!node) {
> memset(&avdatum, 0, sizeof avdatum);
> + /*
> + * AUDITDENY, aka DONTAUDIT, are &= assigned, versus |= for
> + * others. Initialize the data accordingly.
> + */
> + avdatum.data = key->specified == AVTAB_AUDITDENY ? ~0 : 0;
normally I'd parenthesize this, although it isn't strictly needed.
> /* this is used to get the node - insertion is actually unique */
> node = avtab_insert_nonunique(avtab, key, &avdatum);
> if (!node) {
> @@ -1850,10 +1855,7 @@ static int expand_avrule_helper(sepol_handle_t * handle,
> */
> avdatump->data &= cur->data;
> } else if (specified & AVRULE_DONTAUDIT) {
> - if (avdatump->data)
> - avdatump->data &= ~cur->data;
> - else
> - avdatump->data = ~cur->data;
> + avdatump->data &= ~cur->data;
> } else if (specified & AVRULE_XPERMS) {
> xperms = avdatump->xperms;
> if (!xperms) {
>
_______________________________________________
Selinux mailing list
Selinux@xxxxxxxxxxxxx
To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
