authorRichard Haines <richard_c_haines@btinternet.com>2015-11-21 16:26:48 +0000
committerStephen Smalley <sds@tycho.nsa.gov>2015-11-24 16:36:07 -0500
commit0ca5562e9782cd078030d486be9e8dc3190a8ccf (patch)
tree0d26c9840fc2637a23a97b9f5c867c607f1e46fa
parent4a1169a3671dcea24b1713f7b711993547a42e8a (diff)
downloadselinux-0ca5562e9782cd078030d486be9e8dc3190a8ccf.tar.gz
libsepol: Fully expand neverallowxperm rules
Currently neverallowxperm rules are resolved correctly when building policy; however, they are not detectable by tools such as an updated version of setools. This patch allows them to be viewed in the same way as neverallow rules are in a text-based kernel policy file (e.g. policy.conf). Signed-off-by: Richard Haines <richard_c_haines@btinternet.com> Acked-by: Jeff Vander Stoep <jeffv@google.com>
-rw-r--r--libsepol/src/expand.c4
1 files changed, 3 insertions, 1 deletions
diff --git a/libsepol/src/expand.c b/libsepol/src/expand.c
index 9047c6da..9cb79656 100644
--- a/libsepol/src/expand.c
+++ b/libsepol/src/expand.c
@@ -1811,6 +1811,8 @@ static int expand_avrule_helper(sepol_handle_t * handle,
if (handle && handle->disable_dontaudit)
return EXPAND_RULE_SUCCESS;
spec = AVTAB_XPERMS_DONTAUDIT;
+ } else if (specified & AVRULE_XPERMS_NEVERALLOW) {
+ spec = AVTAB_XPERMS_NEVERALLOW;
} else {
assert(0); /* unreachable */
}
@@ -1948,7 +1950,7 @@ static int convert_and_expand_rule(sepol_handle_t * handle,
if (!do_neverallow && source_rule->specified & AVRULE_NEVERALLOW)
return EXPAND_RULE_SUCCESS;
- if (source_rule->specified & AVRULE_XPERMS_NEVERALLOW)
+ if (!do_neverallow && source_rule->specified & AVRULE_XPERMS_NEVERALLOW)
return EXPAND_RULE_SUCCESS;
ebitmap_init(&stypes);
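Review bot: With the second hunk, xperms neverallow rules are now expanded into the avtab whenever do_neverallow is set, so every downstream consumer of the expanded avtab that previously only had to recognise AVTAB_NEVERALLOW (binary policy writers, assertion checkers, anything that assumes an xperms entry is one of ALLOWED/AUDITALLOW/DONTAUDIT) must also filter or handle AVTAB_XPERMS_NEVERALLOW; the commit does not show those paths, so this is worth confirming before merging, as an unfiltered neverallow entry written into a kernel policy would be a correctness problem rather than a cosmetic one. The two guards in convert_and_expand_rule now differ only in the flag they test and could be one check, `if (!do_neverallow && (source_rule->specified & (AVRULE_NEVERALLOW | AVRULE_XPERMS_NEVERALLOW))) return EXPAND_RULE_SUCCESS;`, which also makes the intended `&`-before-`&&` grouping explicit. In the first hunk, a one-line comment on the new branch, `/* expanded only when do_neverallow is set; see convert_and_expand_rule */`, would tell a reader why this case is reachable at all. Both enclosing functions, expand_avrule_helper and convert_and_expand_rule, start and end outside their hunks.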