@@ -44,10 +44,14 @@ int main(int argc, char **argv)
print_access_vector(tclass, avd.allowed);
printf("\n");
- if (avd.decided != ~0U) {
+ if (~avd.decided) {
printf("decided=");
print_access_vector(tclass, avd.decided);
printf("\n");
+
+ printf("undecided=");
+ print_access_vector(tclass, ~avd.decided);
+ printf("\n");
}
if (avd.auditallow) {
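Review bot: The new guard `if (~avd.decided)` depends on a bitwise complement being implicitly tested for non-zero, which at a glance reads like a mistyped `!`; the removed `if (avd.decided != ~0U) {` expressed the same condition explicitly and I would keep that form, and the same applies to `if (~avd.auditdeny)` in the second hunk. Since the commit message itself says every permission has been decided since v2.6.30, a short comment above the block, e.g. `/* decided is all-ones on kernels since v2.6.30; the undecided line only appears with older kernels */`, would tell the next reader why this branch is not expected to fire on current kernels. The enclosing main() starts before and continues after this hunk.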
@@ -56,10 +60,14 @@ int main(int argc, char **argv)
printf("\n");
}
- if (avd.auditdeny != ~0U) {
- printf("auditdeny");
+ if (~avd.auditdeny) {
+ printf("auditdeny=");
print_access_vector(tclass, avd.auditdeny);
printf("\n");
+
+ printf("dontaudit=");
+ print_access_vector(tclass, ~avd.auditdeny);
+ printf("\n");
}
exit(EXIT_SUCCESS);
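Review bot: The dontaudit line prints `~avd.auditdeny`, i.e. every bit the kernel left clear in auditdeny, which includes bits not defined for tclass; the sample output in the commit message shows print_access_vector rendering such an undefined bit as `0x80000000` inside auditdeny, so the dontaudit line would presumably show hex values as well if a kernel ever reported auditdeny with undefined bits clear. A one-line comment above `printf("dontaudit=");`, e.g. `/* complement of auditdeny over the whole vector; may include bits tclass does not define */`, would make that derivation and its caveat explicit. main() begins outside this hunk.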
Show the more interesting inverse of the auditdeny vector as dontaudit. Show the inverse of the decided vector, although since Linux v2.6.30 f1c6381a6e33 ("SELinux: remove unused av.decided field") all permissions are always decided. $ compute_av staff_u:staff_r:staff_t:s0 sysadm_u:sysadm_r:sysadm_t:s0 process allowed= null auditdeny= { fork transition sigchld sigkill sigstop signull ptrace getsched setsched getsession getpgid setpgid getcap setcap share getattr setexec setfscreate noatsecure siginh setrlimit rlimitinh dyntransition setcurrent execmem execstack execheap setkeycreate setsockcreate getrlimit 0x80000000 } dontaudit= { signal } Signed-off-by: Christian Göttsche <cgzones@googlemail.com> --- libselinux/utils/compute_av.c | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-)