authorStephen Smalley <sds@tycho.nsa.gov>2015-02-02 22:16:44 +0000
committerAndroid Git Automerger <android-git-automerger@android.com>2015-02-02 22:16:44 +0000
commit754d9bd5399cebc08a7af5dbdf3559d3d9f5cc75 (patch)
tree420434ac8558b65e5767db4a54b3dc8dc74ec4f1
parentc71c9f1c459ce720adc6cd08e406684b82474ca3 (diff)
parent6f1b8911f53284c7c768562ab4e3164edfafeb2c (diff)
downloadlibselinux-754d9bd5399cebc08a7af5dbdf3559d3d9f5cc75.tar.gz
am 6f1b8911: Fix avc_has_perm() returns -1 even when SELinux is in permissive mode.
* commit '6f1b8911f53284c7c768562ab4e3164edfafeb2c': Fix avc_has_perm() returns -1 even when SELinux is in permissive mode.
-rw-r--r--src/avc.c19
1 files changed, 17 insertions, 2 deletions
diff --git a/src/avc.c b/src/avc.c
index 36f479f..0a6cc98 100644
--- a/src/avc.c
+++ b/src/avc.c
@@ -691,6 +691,16 @@ void avc_audit(security_id_t ssid, security_id_t tsid,
hidden_def(avc_audit)
+
+static void avd_init(struct av_decision *avd)
+{
+ avd->allowed = 0;
+ avd->auditallow = 0;
+ avd->auditdeny = 0xffffffff;
+ avd->seqno = avc_cache.latest_notif;
+ avd->flags = 0;
+}
+
int avc_has_perm_noaudit(security_id_t ssid,
security_id_t tsid,
security_class_t tclass,
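Review bot: avd_init() assigns only allowed, auditallow, auditdeny, seqno and flags, yet the last hunk drops the `memset(&avd, 0, sizeof(avd));` in avc_has_perm() that used to zero the whole structure. Any member of struct av_decision not listed here is now indeterminate on a path that returns before the decision is filled in, and avc_has_perm() passes the structure to avc_audit() in that state. The definition is outside this diff; libselinux's public header has a `decided` field, which should be confirmed against this tree. Starting the helper with `memset(avd, 0, sizeof(*avd));` keeps the deny-by-default values and restores the old guarantee. A comment such as `/* default: nothing allowed, every denial audited */` above the function would also record why auditdeny is all-ones.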
@@ -703,6 +713,9 @@ int avc_has_perm_noaudit(security_id_t ssid,
access_vector_t denied;
struct avc_entry_ref ref;
+ if (avd)
+ avd_init(avd);
+
if (!avc_using_threads && !avc_app_main_loop) {
(void)avc_netlink_check_nb();
}
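Review bot: avd_init(avd) runs before avc_netlink_check_nb(), so the default `seqno` copied from `avc_cache.latest_notif` is sampled before pending notifications are handled. It may already be stale if that call advances the counter. Moving `if (avd) avd_init(avd);` below the netlink check would avoid that; whether a lock protects `avc_cache` at this point is not visible in the hunk. The body of avc_has_perm_noaudit() starts and ends outside the hunk.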
@@ -735,6 +748,10 @@ int avc_has_perm_noaudit(security_id_t ssid,
rc = security_compute_av(ssid->ctx, tsid->ctx,
tclass, requested,
&entry.avd);
+ if (rc && errno == EINVAL && !avc_enforcing) {
+ rc = errno = 0;
+ goto out;
+ }
if (rc)
goto out;
rc = avc_insert(ssid, tsid, tclass, &entry, aeref);
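Review bot: The new permissive-mode branch turns an EINVAL from security_compute_av() (presumably an invalid or unknown context) into success and jumps to `out` before avc_insert(), with no comment and no log message. The result is apparently never cached, so later checks for the same pair would repeat the kernel query, and callers of avc_has_perm_noaudit() get no trace that the query was rejected. What `out` does with `entry.avd` is outside the hunk, so it should be confirmed whether the caller ends up with the avd_init() defaults or a partly filled decision. I would add a comment like `/* permissive: a rejected context must not fail the check; caller keeps the deny-by-default avd */` and emit a warning through the library's logging path so such contexts stay visible while the system is permissive. The test reads only the global `avc_enforcing`, so it presumably does not cover per-domain permissive decisions.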
@@ -773,8 +790,6 @@ int avc_has_perm(security_id_t ssid, security_id_t tsid,
struct av_decision avd;
int errsave, rc;
- memset(&avd, 0, sizeof(avd));
-
rc = avc_has_perm_noaudit(ssid, tsid, tclass, requested, aeref, &avd);
errsave = errno;
avc_audit(ssid, tsid, tclass, requested, &avd, rc, auditdata);