mirror of
https://github.com/topjohnwu/selinux.git
synced 2025-02-04 02:06:41 +00:00
44c359aa05
The following test incorrectly asserts a neverallowxperm failure.

    attribute test1_attr1;
    attribute test1_attr2;
    type test1_type1, test1_attr1, test1_attr2;
    allow test1_type1 test1_attr1:socket ioctl;
    allowxperm test1_type1 test1_attr2:socket ioctl { 1 };
    neverallowxperm test1_attr1 test1_attr1:socket ioctl { 0 }

To handle attributes correctly, the neverallowxperm checking has been modified. Now when the ioctl permission is granted on an avtab entry that matches an avrule neverallowxperm entry, the assertion checking first determines the matching source/target/class sets between the avtab entry and the neverallowxperm entry. Only the matching sets are enumerated over to determine if the neverallowed extended permissions exist and if they are granted. This is similar to how report_assertion_avtab_matches() reports neverallow failures.

Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
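The check described in the commit message, as an added Python model that is not libsepol code: attributes are expanded to their member types, the xperms actually granted to each (source, target, class) triple are computed, and a neverallowxperm rule is only enumerated over its own expanded sets. The attribute membership, the 16-bit ioctl space and the rule tuples are constructed to mirror the test above.

```python
# Added example: a simplified model of SELinux extended-permission (xperm)
# checking after attribute expansion. Not libsepol code; names are constructed.
from itertools import product

# Constructed policy: attribute membership, as in the test in the commit message.
ATTRS = {"test1_attr1": {"test1_type1"}, "test1_attr2": {"test1_type1"}}
ALL_XPERMS = frozenset(range(0x10000))  # 16-bit ioctl command space (simplified)

def expand(name):
    """Resolve an attribute to its member types; a plain type maps to itself."""
    return ATTRS.get(name, {name})

def granted_xperms(allows, allowxperms):
    """Compute the ioctl xperms granted per (source type, target type, class).

    allows: list of (src, tgt, cls) rules granting the 'ioctl' permission.
    allowxperms: list of (src, tgt, cls, xperm_set) rules.
    Simplified kernel semantics: if any allowxperm rule matches the pair,
    only the listed xperms are allowed; otherwise every ioctl is allowed.
    """
    ioctl_ok = set()
    for src, tgt, cls in allows:
        ioctl_ok.update(product(expand(src), expand(tgt), [cls]))
    restricted = {}
    for src, tgt, cls, xps in allowxperms:
        for key in product(expand(src), expand(tgt), [cls]):
            restricted.setdefault(key, set()).update(xps)
    return {key: frozenset(restricted.get(key, ALL_XPERMS)) for key in ioctl_ok}

def neverallowxperm_failures(granted, rule):
    """Return the (src, tgt, cls, xperm) tuples violating one neverallowxperm rule.

    Only the expanded source/target/class sets of the rule are enumerated, and
    each pair is judged against the xperms actually granted to that exact pair.
    """
    src, tgt, cls, banned = rule
    failures = []
    for key in product(expand(src), expand(tgt), [cls]):
        for xp in sorted(granted.get(key, frozenset()) & set(banned)):
            failures.append(key + (xp,))
    return failures

# The commit's test case: ioctl 1 is the only xperm granted to
# (test1_type1, test1_type1, socket), so neverallowxperm { 0 } must not fire.
ALLOWS = [("test1_type1", "test1_attr1", "socket")]
ALLOWXPERMS = [("test1_type1", "test1_attr2", "socket", {1})]
NEVERALLOW = ("test1_attr1", "test1_attr1", "socket", {0})

if __name__ == "__main__":
    print(neverallowxperm_failures(granted_xperms(ALLOWS, ALLOWXPERMS), NEVERALLOW))
```

Dropping the allowxperm rule, or changing its set to { 0 }, makes the same neverallowxperm rule report a failure for (test1_type1, test1_type1, socket, 0), which is the case the assertion is meant to catch.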