The changes are the same as in a patch sent by Christian Göttsche <cgzones@xxxxxxxxxxxxxx> to support adding not-self to neverallowxperm checking, but it is needed for normal neverallowxperm checking as well and the following explanation reflects that. When reporting neverallowxperm violations, the avtab is searched to find the rule that violates the assertion. If the avtab pointer of the args is not set, then it will report the error as if no extended permissions existed for the source and target (so allowing the ioctl permission at all violates the neverallowxperm). Example (where t1 has attribute attr): allow attr attr:CLASS ioctl; allowxperm attr attr:CLASS ioctl 0x9411; neverallowxperm t1 self:CLASS ioctl 0x9411; Would be reported as: neverallowxperm on line 3 of policy.conf (or line 3 of policy.conf) violated by allow t1 t1:CLASS { ioctl }; Instead of: neverallowxperm on line 3 of policy.conf (or line 3 of policy.conf) violated by allowxperm attr attr:CLASS ioctl { 0x9411 }; Reported-by: Christian Göttsche <cgzones@xxxxxxxxxxxxxx> Signed-off-by: James Carter <jwcart2@xxxxxxxxx> --- libsepol/src/assertion.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libsepol/src/assertion.c b/libsepol/src/assertion.c index ae3c18be..ecd3f567 100644 --- a/libsepol/src/assertion.c +++ b/libsepol/src/assertion.c @@ -292,10 +292,12 @@ static int report_assertion_failures(sepol_handle_t *handle, policydb_t *p, avru args.avrule = avrule; args.errors = 0; + args.avtab = &p->te_avtab; rc = avtab_map(&p->te_avtab, report_assertion_avtab_matches, &args); if (rc < 0) goto oom; + args.avtab = &p->te_cond_avtab; rc = avtab_map(&p->te_cond_avtab, report_assertion_avtab_matches, &args); if (rc < 0) goto oom; -- 2.31.1