Commit 4b2e2a248e48b2902ab1ef3cab86322a3c6ef055 (libsepol/cil: Limit the amount of reporting for bounds failures) limited the number of bounds failures that were reported to the first two matching rules for the first two bad rules. Instead, report the first two matching rules for the first four bad rules at the default log level and report all matching rules for all bad rules for higher verbosity levels.
Signed-off-by: James Carter <jwcart2@xxxxxxxxx>
---
 libsepol/cil/src/cil_binary.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/libsepol/cil/src/cil_binary.c b/libsepol/cil/src/cil_binary.c
index 4ac8ce8d..b7da8241 100644
--- a/libsepol/cil/src/cil_binary.c
+++ b/libsepol/cil/src/cil_binary.c
@@ -4863,6 +4863,7 @@ static int cil_check_type_bounds(const struct cil_db *db, policydb_t *pdb, void
 struct cil_avrule target;
 struct cil_tree_node *n1 = NULL;
 int count_bad = 0;
+ enum cil_log_level log_level = cil_get_log_level();
 *violation = CIL_TRUE;
@@ -4909,16 +4910,16 @@ static int cil_check_type_bounds(const struct cil_db *db, policydb_t *pdb, void
 __cil_print_rule(" ", "allow", r2);
 }
 count_matching++;
- if (count_matching >= 2) {
- cil_log(CIL_ERR, " Only first 2 of %d matching rules shown\n", num_matching);
+ if (count_matching >= 2 && num_matching > 2 && log_level == CIL_ERR) {
+ cil_log(CIL_ERR, " Only first 2 of %d matching rules shown (use \"-v\" to show all)\n", num_matching);
 break;
 }
 }
 cil_list_destroy(&matching, CIL_FALSE);
 cil_list_destroy(&target.perms.classperms, CIL_TRUE);
 count_bad++;
- if (count_bad >= 2) {
- cil_log(CIL_ERR, " Only first 2 of %d bad rules shown\n", numbad);
+ if (count_bad >= 4 && numbad > 4 && log_level == CIL_ERR) {
+ cil_log(CIL_ERR, " Only first 4 of %d bad rules shown (use \"-v\" to show all)\n", numbad);
 break;
 }
 }
-- 
2.31.1
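Review bot: Both truncation guards in the second hunk test `log_level == CIL_ERR`, so any level other than exactly CIL_ERR takes the unlimited path, including one set below it if a caller can do that. An ordered test such as `log_level <= CIL_ERR` would express "default or quieter" directly, assuming the enum orders quieter levels lower, which is not visible here. The `(use \"-v\" to show all)` hint is emitted from library code, but the flag belongs to whichever front end set the log level, so it may mislead other callers; wording like `(raise the log level to show all)` would stay accurate for any of them. The limits 2 and 4 are now repeated in each condition and again in the format string, and a named constant passed through `%d` would keep them in step. cil_check_type_bounds begins and ends outside both hunks, so how num_matching and numbad are computed cannot be checked from here.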