RepoMirrors/selinux
1
0
Fork 0
mirror of https://github.com/SELinuxProject/selinux synced 2025-01-13 17:00:51 +00:00
Code Issues Packages Projects Releases Wiki Activity

libselinux: Only audit permissions specified by the policy

Browse Source 
Only audit the permissions specified by the policy, excluding any
permissions specified via dontaudit or not specified via auditallow.
This only shows up when a single avc_has_perm() call is made with
multiple permissions where some of those permissions are dontaudit'd or
auditallow'd while others are not.  The corresponding kernel patch has
already been applied, see:
http://git.kernel.org/?p=linux/kernel/git/jmorris/security-testing-2.6.git;a=commit;h=b6cac5a30b325e14cda425670bb3568d3cad0aa8

Signed-off-by:  Stephen D. Smalley <sds@tycho.nsa.gov>
This commit is contained in:
Stephen Smalley 2010-02-05 09:24:41 -05:00
parent 9a1814832b
commit 0fc6c7762c
1 changed files with 7 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
libselinux/src/avc.c
View File

@ -694,17 +694,14 @@ void avc_audit(security_id_t ssid, security_id_t tsid,
access_vector_t denied, audited;
denied = requested & ~avd->allowed;
if (denied) {
audited = denied;
if (!(audited & avd->auditdeny))
return;
} else if (!requested || result) {
if (denied)
audited = denied & avd->auditdeny;
else if (!requested || result)
audited = denied = requested;
} else {
audited = requested;
if (!(audited & avd->auditallow))
return;
}
else
audited = requested & avd->auditallow;
if (!audited)
return;
#if 0
if (!check_avc_ratelimit())
return;