Commit 4b2e2a248e48b2902ab1ef3cab86322a3c6ef055 (libsepol/cil: Limit
the amount of reporting for bounds failures) limited the number of
bounds failures that were reported to the first two matching rules
for the first two bad rules.
Instead, report the first two matching rules for the first four bad
rules at the default log level and report all matching rules for all
bad rules for higher verbosity levels.
Signed-off-by: James Carter <jwcart2@xxxxxxxxx>
---
libsepol/cil/src/cil_binary.c | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/libsepol/cil/src/cil_binary.c b/libsepol/cil/src/cil_binary.c
index 4ac8ce8d..b7da8241 100644
--- a/libsepol/cil/src/cil_binary.c
+++ b/libsepol/cil/src/cil_binary.c
@@ -4863,6 +4863,7 @@ static int cil_check_type_bounds(const struct cil_db *db, policydb_t *pdb, void
struct cil_avrule target;
struct cil_tree_node *n1 = NULL;
int count_bad = 0;
+ enum cil_log_level log_level = cil_get_log_level();
*violation = CIL_TRUE;
@@ -4909,16 +4910,16 @@ static int cil_check_type_bounds(const struct cil_db *db, policydb_t *pdb, void
__cil_print_rule(" ", "allow", r2);
}
count_matching++;
- if (count_matching >= 2) {
- cil_log(CIL_ERR, " Only first 2 of %d matching rules shown\n", num_matching);
+ if (count_matching >= 2 && num_matching > 2 && log_level == CIL_ERR) {
+ cil_log(CIL_ERR, " Only first 2 of %d matching rules shown (use \"-v\" to show all)\n", num_matching);
break;
}
}
cil_list_destroy(&matching, CIL_FALSE);
cil_list_destroy(&target.perms.classperms, CIL_TRUE);
count_bad++;
- if (count_bad >= 2) {
- cil_log(CIL_ERR, " Only first 2 of %d bad rules shown\n", numbad);
+ if (count_bad >= 4 && numbad > 4 && log_level == CIL_ERR) {
+ cil_log(CIL_ERR, " Only first 4 of %d bad rules shown (use \"-v\" to show all)\n", numbad);
break;
}
}
--
2.31.1
