Message ID | 20221012142751.17979-1-cgzones@googlemail.com (mailing list archive) |
---|---|
State | Accepted |
Commit | 3f11c7d19c44 |
Series | libsepol/cil: restore error on context rule conflicts |
On Wed, Oct 12, 2022 at 10:28 AM Christian Göttsche <cgzones@googlemail.com> wrote: > > Commit bc26ddc59c8d ("libsepol/cil: Limit the amount of reporting for > context rule conflicts") reworked the processing of context rule > conflicts to limit the number of written conflicting statements to > increase readability of the printed error message. It forgot to set the > return value, signaling a context conflict, in the case the logging > level is higher than warning (e.g. in semodule(8), which defaults to > error). > > Reported-by: Milos Malik <mmalik@redhat.com> [1] > Fixes: bc26ddc59c8d ("libsepol/cil: Limit the amount of reporting for context rule conflicts") > > [1]: https://lore.kernel.org/selinux/87y1u1rkoo.fsf@redhat.com/ > > Signed-off-by: Christian Göttsche <cgzones@googlemail.com> Acked-by: James Carter <jwcart2@gmail.com> > --- > libsepol/cil/src/cil_post.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/libsepol/cil/src/cil_post.c b/libsepol/cil/src/cil_post.c > index 6e95225f..11e572e2 100644 > --- a/libsepol/cil/src/cil_post.c > +++ b/libsepol/cil/src/cil_post.c > @@ -2290,6 +2290,7 @@ static int __cil_post_process_context_rules(struct cil_sort *sort, int (*compar) > } else { > removed++; > if (!db->multiple_decls || concompar(&sort->array[i], &sort->array[j]) != 0) { > + rc = SEPOL_ERR; > conflicting++; > if (log_level >= CIL_WARN) { > struct cil_list_item li; > @@ -2297,7 +2298,6 @@ static int __cil_post_process_context_rules(struct cil_sort *sort, int (*compar) > li.flavor = flavor; > if (conflicting == 1) { > cil_log(CIL_WARN, "Found conflicting %s rules\n", flavor_str); > - rc = SEPOL_ERR; > li.data = sort->array[i]; > rc2 = cil_tree_walk(db->ast->root, __cil_post_report_conflict, > NULL, NULL, &li); > -- > 2.37.2 >
James Carter <jwcart2@gmail.com> writes: > On Wed, Oct 12, 2022 at 10:28 AM Christian Göttsche > <cgzones@googlemail.com> wrote: >> >> Commit bc26ddc59c8d ("libsepol/cil: Limit the amount of reporting for >> context rule conflicts") reworked the processing of context rule >> conflicts to limit the number of written conflicting statements to >> increase readability of the printed error message. It forgot to set the >> return value, signaling a context conflict, in the case the logging >> level is higher than warning (e.g. in semodule(8), which defaults to >> error). >> >> Reported-by: Milos Malik <mmalik@redhat.com> [1] >> Fixes: bc26ddc59c8d ("libsepol/cil: Limit the amount of reporting for context rule conflicts") >> >> [1]: https://lore.kernel.org/selinux/87y1u1rkoo.fsf@redhat.com/ >> >> Signed-off-by: Christian Göttsche <cgzones@googlemail.com> > > Acked-by: James Carter <jwcart2@gmail.com> Tested-by: Petr Lautrbach <plautrba@redhat.com> Thanks! >> --- >> libsepol/cil/src/cil_post.c | 2 +- >> 1 file changed, 1 insertion(+), 1 deletion(-) >> >> diff --git a/libsepol/cil/src/cil_post.c b/libsepol/cil/src/cil_post.c >> index 6e95225f..11e572e2 100644 >> --- a/libsepol/cil/src/cil_post.c >> +++ b/libsepol/cil/src/cil_post.c >> @@ -2290,6 +2290,7 @@ static int __cil_post_process_context_rules(struct cil_sort *sort, int (*compar) >> } else { >> removed++; >> if (!db->multiple_decls || concompar(&sort->array[i], &sort->array[j]) != 0) { >> + rc = SEPOL_ERR; >> conflicting++; >> if (log_level >= CIL_WARN) { >> struct cil_list_item li; >> @@ -2297,7 +2298,6 @@ static int __cil_post_process_context_rules(struct cil_sort *sort, int (*compar) >> li.flavor = flavor; >> if (conflicting == 1) { >> cil_log(CIL_WARN, "Found conflicting %s rules\n", flavor_str); >> - rc = SEPOL_ERR; >> li.data = sort->array[i]; >> rc2 = cil_tree_walk(db->ast->root, __cil_post_report_conflict, >> NULL, NULL, &li); >> -- >> 2.37.2 >>
On Thu, Oct 13, 2022 at 9:13 AM Petr Lautrbach <plautrba@redhat.com> wrote: > > James Carter <jwcart2@gmail.com> writes: > > > On Wed, Oct 12, 2022 at 10:28 AM Christian Göttsche > > <cgzones@googlemail.com> wrote: > >> > >> Commit bc26ddc59c8d ("libsepol/cil: Limit the amount of reporting for > >> context rule conflicts") reworked the processing of context rule > >> conflicts to limit the number of written conflicting statements to > >> increase readability of the printed error message. It forgot to set the > >> return value, signaling a context conflict, in the case the logging > >> level is higher than warning (e.g. in semodule(8), which defaults to > >> error). > >> > >> Reported-by: Milos Malik <mmalik@redhat.com> [1] > >> Fixes: bc26ddc59c8d ("libsepol/cil: Limit the amount of reporting for context rule conflicts") > >> > >> [1]: https://lore.kernel.org/selinux/87y1u1rkoo.fsf@redhat.com/ > >> > >> Signed-off-by: Christian Göttsche <cgzones@googlemail.com> > > > > Acked-by: James Carter <jwcart2@gmail.com> > > Tested-by: Petr Lautrbach <plautrba@redhat.com> > > Thanks! > Merged. Jim > > >> --- > >> libsepol/cil/src/cil_post.c | 2 +- > >> 1 file changed, 1 insertion(+), 1 deletion(-) > >> > >> diff --git a/libsepol/cil/src/cil_post.c b/libsepol/cil/src/cil_post.c > >> index 6e95225f..11e572e2 100644 > >> --- a/libsepol/cil/src/cil_post.c > >> +++ b/libsepol/cil/src/cil_post.c > >> @@ -2290,6 +2290,7 @@ static int __cil_post_process_context_rules(struct cil_sort *sort, int (*compar) > >> } else { > >> removed++; > >> if (!db->multiple_decls || concompar(&sort->array[i], &sort->array[j]) != 0) { > >> + rc = SEPOL_ERR; > >> conflicting++; > >> if (log_level >= CIL_WARN) { > >> struct cil_list_item li; 
> >> @@ -2297,7 +2298,6 @@ static int __cil_post_process_context_rules(struct cil_sort *sort, int (*compar) > >> li.flavor = flavor; > >> if (conflicting == 1) { > >> cil_log(CIL_WARN, "Found conflicting %s rules\n", flavor_str); > >> - rc = SEPOL_ERR; > >> li.data = sort->array[i]; > >> rc2 = cil_tree_walk(db->ast->root, __cil_post_report_conflict, > >> NULL, NULL, &li); > >> -- > >> 2.37.2 > >> >
diff --git a/libsepol/cil/src/cil_post.c b/libsepol/cil/src/cil_post.c index 6e95225f..11e572e2 100644 --- a/libsepol/cil/src/cil_post.c +++ b/libsepol/cil/src/cil_post.c @@ -2290,6 +2290,7 @@ static int __cil_post_process_context_rules(struct cil_sort *sort, int (*compar) } else { removed++; if (!db->multiple_decls || concompar(&sort->array[i], &sort->array[j]) != 0) { + rc = SEPOL_ERR; conflicting++; if (log_level >= CIL_WARN) { struct cil_list_item li; @@ -2297,7 +2298,6 @@ static int __cil_post_process_context_rules(struct cil_sort *sort, int (*compar) li.flavor = flavor; if (conflicting == 1) { cil_log(CIL_WARN, "Found conflicting %s rules\n", flavor_str); - rc = SEPOL_ERR; li.data = sort->array[i]; rc2 = cil_tree_walk(db->ast->root, __cil_post_report_conflict, NULL, NULL, &li);
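Review bot: The new `rc = SEPOL_ERR;` in the first hunk (@@ -2290,6 +2290,7 @@) sits directly above `if (log_level >= CIL_WARN)` with nothing to record that this ordering is the fix. The removed line shows the error used to be set only inside the logging branch, so a one-line comment saying that the error is set regardless of log level and that the reporting below is optional would keep a later cleanup from moving it back. A regression test that compiles conflicting context rules with the log level at error (the semodule(8) default named in the commit message) and expects a failure would pin the behaviour down.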
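Review bot: The handling of `rc2` after `rc2 = cil_tree_walk(...)` in the second hunk (@@ -2297,7 +2298,6 @@) is outside the visible context, and it matters more now that `rc = SEPOL_ERR;` is no longer assigned next to the walk. Please confirm that the code following the walk can only turn `rc` into an error and never copies a successful `rc2` back into `rc`, since that would undo the assignment added in the first hunk. If it cannot, saying so in the commit message would save the next reader the lookup.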
Commit bc26ddc59c8d ("libsepol/cil: Limit the amount of reporting for context rule conflicts") reworked the processing of context rule conflicts to limit the number of written conflicting statements to increase readability of the printed error message. It forgot to set the return value, signaling a context conflict, in the case the logging level is higher than warning (e.g. in semodule(8), which defaults to error).

Reported-by: Milos Malik <mmalik@redhat.com> [1]
Fixes: bc26ddc59c8d ("libsepol/cil: Limit the amount of reporting for context rule conflicts")

[1]: https://lore.kernel.org/selinux/87y1u1rkoo.fsf@redhat.com/

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
---
 libsepol/cil/src/cil_post.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)