
[2/2] libsepol: fix type bounds checking for attributes

Message ID 1461873759-29136-2-git-send-email-sds@tycho.nsa.gov (mailing list archive)
State Not Applicable

Commit Message

Stephen Smalley April 28, 2016, 8:02 p.m. UTC
The type bounds / hierarchy checker was incorrectly handling
rules with attributes as the target type, causing it to trigger
violations if the parent type lacked a rule directly to the same
attribute even if the parent had all the permissions to the
types associated with that attribute.  Skip the degenerate
case and only check for the individual types.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
---
 libsepol/src/hierarchy.c | 2 ++
 1 file changed, 2 insertions(+)
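The failure mode the commit message describes can be reproduced in a small stand-alone model of the checker loop. The block below is an added example, not libsepol's own code: it models bounds_check_rule()'s walk over attr_type_map for one child rule whose target is an attribute, with constructed types (parent_t bounding child_t, file_t, etc_t, and the attribute file_type) and constructed allow rules. The attr_type_map entry for file_type deliberately contains the attribute itself, which is the condition the reply below identifies; with skip_attribs set to 0 the loop reports a violation for the attribute entry even though the parent holds read on every member type, and with it set to 1 (the patch's new test) it does not.

```c
#include <stdio.h>

/* Added example: a toy model of libsepol's bounds_check_rule() loop.
 * All type values, flavors, bounds and rules are constructed for illustration. */

#define NTYPES 6
enum { T_NONE = 0, T_PARENT, T_CHILD, T_FILE, T_ETC, T_FILETYPE };
enum { FLAVOR_TYPE = 0, FLAVOR_ATTRIB = 1 };

struct type_datum {
    const char *name;
    int flavor;
    int bounds;      /* bounding parent type, or T_NONE */
};

static const struct type_datum type_val_to_struct[NTYPES] = {
    [T_NONE]     = { "<none>",    FLAVOR_TYPE,   T_NONE },
    [T_PARENT]   = { "parent_t",  FLAVOR_TYPE,   T_NONE },
    [T_CHILD]    = { "child_t",   FLAVOR_TYPE,   T_PARENT },
    [T_FILE]     = { "file_t",    FLAVOR_TYPE,   T_NONE },
    [T_ETC]      = { "etc_t",     FLAVOR_TYPE,   T_NONE },
    [T_FILETYPE] = { "file_type", FLAVOR_ATTRIB, T_NONE },
};

/* attr_type_map[t][i] != 0 means type i is in the expansion of t.
 * Modelled defect: the attribute file_type also contains itself. */
static const int attr_type_map[NTYPES][NTYPES] = {
    [T_PARENT]   = { [T_PARENT] = 1 },
    [T_CHILD]    = { [T_CHILD] = 1 },
    [T_FILE]     = { [T_FILE] = 1 },
    [T_ETC]      = { [T_ETC] = 1 },
    [T_FILETYPE] = { [T_FILE] = 1, [T_ETC] = 1, [T_FILETYPE] = 1 },
};

/* allow rules for a single object class with one permission bit ("read") */
#define PERM_READ 0x1u
struct avrule { int source; int target; unsigned perms; };
static const struct avrule avtab[] = {
    { T_PARENT, T_FILE,     PERM_READ },
    { T_PARENT, T_ETC,      PERM_READ },
    { T_CHILD,  T_FILETYPE, PERM_READ },   /* child's rule targets the attribute */
};
#define NRULES (sizeof(avtab) / sizeof(avtab[0]))

static unsigned lookup_perms(int source, int target)
{
    unsigned perms = 0;
    for (size_t i = 0; i < NRULES; i++)
        if (avtab[i].source == source && avtab[i].target == target)
            perms |= avtab[i].perms;
    return perms;
}

/* Bits of 'data' that (parent, target) does not itself hold */
static unsigned bounds_not_covered(int parent, int target, unsigned data)
{
    return data & ~lookup_perms(parent, target);
}

/* Check one child rule (child -> t, perms 'data') against the bounding parent.
 * Returns the number of violations reported. */
int bounds_check_rule(int child, int parent, int t, unsigned data, int skip_attribs)
{
    int numbad = 0;
    for (int i = 1; i < NTYPES; i++) {
        if (!attr_type_map[t][i])
            continue;
        unsigned d = bounds_not_covered(parent, i, data);
        if (!d)
            continue;
        const struct type_datum *td = &type_val_to_struct[i];
        if (skip_attribs && td->flavor == FLAVOR_ATTRIB)
            continue;                       /* the patch's new test */
        if (td->bounds)                     /* parent may hold perms on the target's bound */
            d = bounds_not_covered(parent, td->bounds, d);
        if (d) {
            printf("bounds violation: %s -> %s perms 0x%x not held by %s\n",
                   type_val_to_struct[child].name, td->name, d,
                   type_val_to_struct[parent].name);
            numbad++;
        }
    }
    return numbad;
}

/* Run the check over every rule whose source type has a bound. */
int check_child_rules(int skip_attribs)
{
    int numbad = 0;
    for (size_t r = 0; r < NRULES; r++) {
        int child = avtab[r].source;
        int parent = type_val_to_struct[child].bounds;
        if (!parent)
            continue;
        numbad += bounds_check_rule(child, parent, avtab[r].target,
                                    avtab[r].perms, skip_attribs);
    }
    return numbad;
}

int main(void)
{
    printf("before fix: %d violation(s)\n", check_child_rules(0));  /* 1 */
    printf("after fix:  %d violation(s)\n", check_child_rules(1));  /* 0 */
    return 0;
}
```

The only difference between the two runs is whether the attribute entry in the expanded target set is skipped; the parent already covers file_t and etc_t, so the single "violation" before the fix is exactly the false positive the commit message describes.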

Comments

James Carter April 29, 2016, 5:18 p.m. UTC | #1
On 04/28/2016 04:02 PM, Stephen Smalley wrote:
> The type bounds / hierarchy checker was incorrectly handling
> rules with attributes as the target type, causing it to trigger
> violations if the parent type lacked a rule directly to the same
> attribute even if the parent had all the permissions to the
> types associated with that attribute.  Skip the degenerate
> case and only check for the individual types.
>
> Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
> ---
>   libsepol/src/hierarchy.c | 2 ++
>   1 file changed, 2 insertions(+)
>
> diff --git a/libsepol/src/hierarchy.c b/libsepol/src/hierarchy.c
> index ba65978..79db3a6 100644
> --- a/libsepol/src/hierarchy.c
> +++ b/libsepol/src/hierarchy.c
> @@ -318,6 +318,8 @@ static int bounds_check_rule(sepol_handle_t *handle, policydb_t *p,
>   					       &avtab_key, data);
>   			if (!d) continue;
>   			td = p->type_val_to_struct[i];
> +			if (!td || td->flavor == TYPE_ATTRIB)
> +				continue;
>   			if (td && td->bounds) {
>   				avtab_key.target_type = td->bounds;
>   				d = bounds_not_covered(global_avtab, cur_avtab,
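Review bot: with the new `if (!td || td->flavor == TYPE_ATTRIB) continue;` in place, the `td &&` in the following `if (td && td->bounds)` can never be false and should be reduced to `if (td->bounds)`. A one-line comment above the new check explaining why an attribute value can turn up in attr_type_map at all would also help, since the reply says it is not expected to be there.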
>

There shouldn't be any attributes here. CIL is wrongly including the attribute 
itself in the attr_type_map. Patch coming.

Jim

Patch

diff --git a/libsepol/src/hierarchy.c b/libsepol/src/hierarchy.c
index ba65978..79db3a6 100644
--- a/libsepol/src/hierarchy.c
+++ b/libsepol/src/hierarchy.c
@@ -318,6 +318,8 @@  static int bounds_check_rule(sepol_handle_t *handle, policydb_t *p,
 					       &avtab_key, data);
 			if (!d) continue;
 			td = p->type_val_to_struct[i];
+			if (!td || td->flavor == TYPE_ATTRIB)
+				continue;
 			if (td && td->bounds) {
 				avtab_key.target_type = td->bounds;
 				d = bounds_not_covered(global_avtab, cur_avtab,
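Review bot: the new guard sits after the bounds_not_covered() lookup at the top of the loop body, so an avtab search is still done for the attribute entry before it is discarded; fetching `td = p->type_val_to_struct[i];` and testing `td->flavor == TYPE_ATTRIB` before that lookup would skip the attribute without the wasted search and keeps the `if (!d) continue;` path unchanged for real types.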