Re: [PATCH 1/2] libsepol/cil: Limit the amount of reporting for neverallow violations

Hi,

as a heavy user of neverallow / neverallowx, please don't limit this.

When adding a new neverallow rule there might be quite a few types violating them, and having to rebuild the policy every 2 types would make fixing them incredibly annoying.

If you want to limit this, then please make it opt-in or add it as a command line option.

On 1/14/22 20:20, James Carter wrote:
When there is a neverallow violation, a search is made for all of
the rules that violate the neverallow. The violating rules as well
as their parents are written out to make it easier to find these
rules.

If there are a lot of rules that violate a neverallow, then this
amount of reporting is too much. Instead, only print out the first
two rules (with their parents) that match the violated neverallow
rule along with the total number of rules that violate the
neverallow.

Signed-off-by: James Carter <jwcart2@xxxxxxxxx>
---
  libsepol/cil/src/cil_binary.c | 10 ++++++++++
  1 file changed, 10 insertions(+)

diff --git a/libsepol/cil/src/cil_binary.c b/libsepol/cil/src/cil_binary.c
index 4ac8ce8d..04a5d053 100644
--- a/libsepol/cil/src/cil_binary.c
+++ b/libsepol/cil/src/cil_binary.c
@@ -4640,6 +4640,8 @@ static int __cil_print_neverallow_failure(const struct cil_db *db, struct cil_tr
  	char *neverallow_str;
  	char *allow_str;
  	enum cil_flavor avrule_flavor;
+	int num_matching = 0;
+	int count_matching = 0;
target.rule_kind = CIL_AVRULE_ALLOWED;
  	target.is_extended = cil_rule->is_extended;
@@ -4666,11 +4668,19 @@ static int __cil_print_neverallow_failure(const struct cil_db *db, struct cil_tr
  		goto exit;
  	}
+ cil_list_for_each(i2, matching) {
+		num_matching++;
+	}
  	cil_list_for_each(i2, matching) {
  		n2 = i2->data;
  		r2 = n2->data;
  		__cil_print_parents("    ", n2);
  		__cil_print_rule("      ", allow_str, r2);
+		count_matching++;
+		if (count_matching >= 2) {
+			cil_log(CIL_ERR, "    Only first 2 of %d matching rules shown\n", num_matching);
+			break;
+		}
  	}
  	cil_log(CIL_ERR,"\n");
  	cil_list_destroy(&matching, CIL_FALSE);
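Review bot: the truncation notice fires even when nothing was truncated: with exactly two matching rules, `count_matching >= 2` is true after the second rule is printed and the log reads "Only first 2 of 2 matching rules shown". Guard it with the total, e.g. `if (count_matching >= 2 && num_matching > 2)`, or check `i2->next` before logging. The counting loop added ahead of the print loop is a full second pass over `matching` only to obtain the total; since the print loop already visits the list, it could keep walking after the cutoff, print only while `count_matching < 2`, and emit the notice once after the loop, which removes the extra pass and the duplicated literal `2` in the condition and the format string.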

--
bauen1
https://dn42.bauen1.xyz/
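The capped report the patch describes (print the first N matching rules, then say how many there were in total) as an added, self-contained example; this is not libsepol code and `struct match`, `report_matches`, `sample_list` and `MAX_SHOWN` are hypothetical names. It walks the list once, keeps the cutoff in a single constant, and only emits the "first N of M" line when rules were actually left out, so a list of exactly N matches is reported in full without a misleading notice. The three sample rules are constructed for the example.

```c
/* Added example, not libsepol code: a capped report over a linked list of
 * matching rules. Names below are hypothetical. */
#include <stdio.h>
#include <string.h>

#define MAX_SHOWN 2   /* single cutoff so the check and the message agree */

struct match {
    const char *rule;           /* rendered rule text */
    struct match *next;
};

struct report {
    int total;                  /* matching rules found */
    int shown;                  /* matching rules printed */
    int truncated;              /* 1 if a "first N of M" notice was emitted */
    char text[512];             /* rendered output, kept for inspection */
};

/* Append formatted text to the report buffer without overrunning it. */
static size_t append(struct report *r, size_t used, const char *fmt, const char *s, int a, int b)
{
    int n = s ? snprintf(r->text + used, sizeof(r->text) - used, fmt, s)
              : snprintf(r->text + used, sizeof(r->text) - used, fmt, a, b);
    if (n < 0 || (size_t)n >= sizeof(r->text) - used)
        return sizeof(r->text) - 1;   /* buffer full: stop appending */
    return used + (size_t)n;
}

/* One pass: print the first MAX_SHOWN entries, keep counting the rest, and
 * only add the truncation notice when something was actually left out. */
void report_matches(const struct match *head, struct report *out)
{
    size_t used = 0;
    out->total = out->shown = out->truncated = 0;
    out->text[0] = '\0';
    for (const struct match *m = head; m; m = m->next) {
        out->total++;
        if (out->shown < MAX_SHOWN) {
            used = append(out, used, "    %s\n", m->rule, 0, 0);
            out->shown++;
        }
    }
    if (out->total > MAX_SHOWN) {
        out->truncated = 1;
        append(out, used, "    Only first %d of %d matching rules shown\n",
               NULL, MAX_SHOWN, out->total);
    }
}

/* Constructed sample rules; sample_list(n) links the first n of them. */
static struct match sample[3] = {
    { "(allow init_t shadow_t (file (read)))", NULL },
    { "(allow sshd_t shadow_t (file (read)))", NULL },
    { "(allow cron_t shadow_t (file (write)))", NULL },
};

struct match *sample_list(int n)
{
    for (int i = 0; i < 3; i++)
        sample[i].next = (i + 1 < n && i + 1 < 3) ? &sample[i + 1] : NULL;
    return n > 0 ? &sample[0] : NULL;
}

int main(void)
{
    struct report r;
    report_matches(sample_list(3), &r);   /* three matches: two shown, notice emitted */
    fputs(r.text, stdout);
    report_matches(sample_list(2), &r);   /* exactly two: both shown, no notice */
    fputs(r.text, stdout);
    return 0;
}
```

The edge case worth keeping in mind is the second call: the cutoff and the total are equal, so the report prints every rule and stays silent about truncation.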
