| Message ID | 1448123208-5557-1-git-send-email-richard_c_haines@btinternet.com (mailing list archive) |
|---|---|
| State | Accepted |
| Headers | show |
Acked-by: Jeff Vander Stoep <jeffv@google.com> On Sat, Nov 21, 2015 at 8:30 AM Richard Haines < richard_c_haines@btinternet.com> wrote: > Currently neverallowxperm rules will be resolved correctly when > building policy, however they are not detectable when using tools > such as an updated version of setools. This patch will allow > these to be viewed in the same way as neverallow rules are in a > text based kernel policy file (e.g. policy.conf). > > Signed-off-by: Richard Haines <richard_c_haines@btinternet.com> > --- > libsepol/src/expand.c | 4 +++- > 1 file changed, 3 insertions(+), 1 deletion(-) > > diff --git a/libsepol/src/expand.c b/libsepol/src/expand.c > index 9047c6d..9cb7965 100644 > --- a/libsepol/src/expand.c > +++ b/libsepol/src/expand.c > @@ -1811,6 +1811,8 @@ static int expand_avrule_helper(sepol_handle_t * > handle, > if (handle && handle->disable_dontaudit) > return EXPAND_RULE_SUCCESS; > spec = AVTAB_XPERMS_DONTAUDIT; > + } else if (specified & AVRULE_XPERMS_NEVERALLOW) { > + spec = AVTAB_XPERMS_NEVERALLOW; > } else { > assert(0); /* unreachable */ > } > @@ -1948,7 +1950,7 @@ static int convert_and_expand_rule(sepol_handle_t * > handle, > > if (!do_neverallow && source_rule->specified & AVRULE_NEVERALLOW) > return EXPAND_RULE_SUCCESS; > - if (source_rule->specified & AVRULE_XPERMS_NEVERALLOW) > + if (!do_neverallow && source_rule->specified & > AVRULE_XPERMS_NEVERALLOW) > return EXPAND_RULE_SUCCESS; > > ebitmap_init(&stypes); > -- > 2.5.0 > > _______________________________________________ > Selinux mailing list > Selinux@tycho.nsa.gov > To unsubscribe, send email to Selinux-leave@tycho.nsa.gov. > To get help, send an email containing "help" to > Selinux-request@tycho.nsa.gov. >
On 11/21/2015 11:26 AM, Richard Haines wrote: > Currently neverallowxperm rules will be resolved correctly when > building policy, however they are not detectable when using tools > such as an updated version of setools. This patch will allow > these to be viewed in the same way as neverallow rules are in a > text based kernel policy file (e.g. policy.conf). > > Signed-off-by: Richard Haines <richard_c_haines@btinternet.com> Thanks, applied. > --- > libsepol/src/expand.c | 4 +++- > 1 file changed, 3 insertions(+), 1 deletion(-) > > diff --git a/libsepol/src/expand.c b/libsepol/src/expand.c > index 9047c6d..9cb7965 100644 > --- a/libsepol/src/expand.c > +++ b/libsepol/src/expand.c > @@ -1811,6 +1811,8 @@ static int expand_avrule_helper(sepol_handle_t * handle, > if (handle && handle->disable_dontaudit) > return EXPAND_RULE_SUCCESS; > spec = AVTAB_XPERMS_DONTAUDIT; > + } else if (specified & AVRULE_XPERMS_NEVERALLOW) { > + spec = AVTAB_XPERMS_NEVERALLOW; > } else { > assert(0); /* unreachable */ > } > @@ -1948,7 +1950,7 @@ static int convert_and_expand_rule(sepol_handle_t * handle, > > if (!do_neverallow && source_rule->specified & AVRULE_NEVERALLOW) > return EXPAND_RULE_SUCCESS; > - if (source_rule->specified & AVRULE_XPERMS_NEVERALLOW) > + if (!do_neverallow && source_rule->specified & AVRULE_XPERMS_NEVERALLOW) > return EXPAND_RULE_SUCCESS; > > ebitmap_init(&stypes); >
diff --git a/libsepol/src/expand.c b/libsepol/src/expand.c index 9047c6d..9cb7965 100644 --- a/libsepol/src/expand.c +++ b/libsepol/src/expand.c @@ -1811,6 +1811,8 @@ static int expand_avrule_helper(sepol_handle_t * handle, if (handle && handle->disable_dontaudit) return EXPAND_RULE_SUCCESS; spec = AVTAB_XPERMS_DONTAUDIT; + } else if (specified & AVRULE_XPERMS_NEVERALLOW) { + spec = AVTAB_XPERMS_NEVERALLOW; } else { assert(0); /* unreachable */ } @@ -1948,7 +1950,7 @@ static int convert_and_expand_rule(sepol_handle_t * handle, if (!do_neverallow && source_rule->specified & AVRULE_NEVERALLOW) return EXPAND_RULE_SUCCESS; - if (source_rule->specified & AVRULE_XPERMS_NEVERALLOW) + if (!do_neverallow && source_rule->specified & AVRULE_XPERMS_NEVERALLOW) return EXPAND_RULE_SUCCESS; ebitmap_init(&stypes);
Currently neverallowxperm rules will be resolved correctly when building policy, however they are not detectable when using tools such as an updated version of setools. This patch will allow these to be viewed in the same way as neverallow rules are in a text based kernel policy file (e.g. policy.conf). Signed-off-by: Richard Haines <richard_c_haines@btinternet.com> --- libsepol/src/expand.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-)