[PATCH 04/11] libselinux/utils: improve compute_av output

Show the more interesting inverse of the auditdeny vector as dontaudit.

Show the inverse of the decided vector, although since Linux v2.6.30
f1c6381a6e33 ("SELinux: remove unused av.decided field") all permissions
are always decided.

    $ compute_av staff_u:staff_r:staff_t:s0 sysadm_u:sysadm_r:sysadm_t:s0 process
    allowed= null
    auditdeny= { fork transition sigchld sigkill sigstop signull ptrace getsched setsched getsession getpgid setpgid getcap setcap share getattr setexec setfscreate noatsecure siginh setrlimit rlimitinh dyntransition setcurrent execmem execstack execheap setkeycreate setsockcreate getrlimit 0x80000000 }
    dontaudit= { signal }

Signed-off-by: Christian Göttsche <cgzones@xxxxxxxxxxxxxx>
---
 libselinux/utils/compute_av.c | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/libselinux/utils/compute_av.c b/libselinux/utils/compute_av.c
index cca407d6..09f574a0 100644
--- a/libselinux/utils/compute_av.c
+++ b/libselinux/utils/compute_av.c
@@ -44,10 +44,14 @@ int main(int argc, char **argv)
 	print_access_vector(tclass, avd.allowed);
 	printf("\n");
 
-	if (avd.decided != ~0U) {
+	if (~avd.decided) {
 		printf("decided=");
 		print_access_vector(tclass, avd.decided);
 		printf("\n");
+
+		printf("undecided=");
+		print_access_vector(tclass, ~avd.decided);
+		printf("\n");
 	}
 
 	if (avd.auditallow) {
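Review bot: the `if (~avd.decided)` branch lacks a comment saying when it can fire. The commit message says all permissions are always decided since Linux v2.6.30, so on current kernels neither `decided=` nor the new `undecided=` line is ever printed. A one-line comment above the condition noting that it only applies to older kernels would stop a later reader from treating it as live logic. The bare `~avd.decided` truth test is also less explicit than the `avd.decided != ~0U` it replaces; keeping the comparison form would read more clearly next to the other checks.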
@@ -56,10 +60,14 @@ int main(int argc, char **argv)
 		printf("\n");
 	}
 
-	if (avd.auditdeny != ~0U) {
-		printf("auditdeny");
+	if (~avd.auditdeny) {
+		printf("auditdeny=");
 		print_access_vector(tclass, avd.auditdeny);
 		printf("\n");
+
+		printf("dontaudit=");
+		print_access_vector(tclass, ~avd.auditdeny);
+		printf("\n");
 	}
 
 	exit(EXIT_SUCCESS);
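Review bot: `print_access_vector(tclass, ~avd.auditdeny)` inverts every bit of the vector, including bits that have no permission name in tclass. The sample output in the commit message already shows one such bit (`0x80000000`) in the auditdeny line, so for another class the `dontaudit=` line could list unnamed bits as if they were suppressed permissions. Consider masking the inverse to the permissions defined for the class before printing it. Separately, the change from `printf("auditdeny")` to `printf("auditdeny=")` fixes a missing separator in the existing output and is worth a sentence in the commit message, since it changes the output format independently of the new line.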
-- 
2.43.0




