Re: [PATCH] libsepol/cil: restore error on context rule conflicts

James Carter <jwcart2@xxxxxxxxx> · Thu, 13 Oct 2022 11:26:27 -0400



On Thu, Oct 13, 2022 at 9:13 AM Petr Lautrbach <plautrba@xxxxxxxxxx> wrote:
>
> James Carter <jwcart2@xxxxxxxxx> writes:
>
> > On Wed, Oct 12, 2022 at 10:28 AM Christian Göttsche
> > <cgzones@xxxxxxxxxxxxxx> wrote:
> >>
> >> Commit bc26ddc59c8d ("libsepol/cil: Limit the amount of reporting for
> >> context rule conflicts") reworked the processing of context rule
> >> conflicts to limit the number of written conflicting statements to
> >> increase readability of the printed error message.  It forgot to set the
> >> return value, signaling a context conflict, in the case the logging
> >> level is higher than warning (e.g. in semodule(8), which defaults to
> >> error).
> >>
> >> Reported-by: Milos Malik <mmalik@xxxxxxxxxx> [1]
> >> Fixes: bc26ddc59c8d ("libsepol/cil: Limit the amount of reporting for context rule conflicts")
> >>
> >> [1]: https://lore.kernel.org/selinux/87y1u1rkoo.fsf@xxxxxxxxxx/
> >>
> >> Signed-off-by: Christian Göttsche <cgzones@xxxxxxxxxxxxxx>
> >
> > Acked-by: James Carter <jwcart2@xxxxxxxxx>
>
> Tested-by: Petr Lautrbach <plautrba@xxxxxxxxxx>
>
> Thanks!
>
Merged.
Jim

>
> >> ---
> >>  libsepol/cil/src/cil_post.c | 2 +-
> >>  1 file changed, 1 insertion(+), 1 deletion(-)
> >>
> >> diff --git a/libsepol/cil/src/cil_post.c b/libsepol/cil/src/cil_post.c
> >> index 6e95225f..11e572e2 100644
> >> --- a/libsepol/cil/src/cil_post.c
> >> +++ b/libsepol/cil/src/cil_post.c
> >> @@ -2290,6 +2290,7 @@ static int __cil_post_process_context_rules(struct cil_sort *sort, int (*compar)
> >>                 } else {
> >>                         removed++;
> >>                         if (!db->multiple_decls || concompar(&sort->array[i], &sort->array[j]) != 0) {
> >> +                               rc = SEPOL_ERR;
> >>                                 conflicting++;
> >>                                 if (log_level >= CIL_WARN) {
> >>                                         struct cil_list_item li;
> >> @@ -2297,7 +2298,6 @@ static int __cil_post_process_context_rules(struct cil_sort *sort, int (*compar)
> >>                                         li.flavor = flavor;
> >>                                         if (conflicting == 1) {
> >>                                                 cil_log(CIL_WARN, "Found conflicting %s rules\n", flavor_str);
> >> -                                               rc = SEPOL_ERR;
> >>                                                 li.data = sort->array[i];
> >>                                                 rc2 = cil_tree_walk(db->ast->root, __cil_post_report_conflict,
> >>                                                                                         NULL, NULL, &li);
> >> --
> >> 2.37.2
> >>
>