RepoMirrors
/
selinux
mirror of https://github.com/SELinuxProject/selinux
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

libsepol: Do not reject all type rules in conditionals when validating 

Commit 1c91bc84 ("libsepol: reject self flag in type rules in old
policies") actually rejects all type rules in conditionals in modular
policies prior to version 21 (MOD_POLICYDB_VERSION_SELF_TYPETRANS).

The problem is because of fall-through in a switch statement when
the avrule flags are 0. Instead, break rather than fall-through when
avrule flags are 0.

Reviewed-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: Petr Lautrbach <lautrbach@redhat.com>
This commit is contained in:
James Carter 2024-06-14 15:45:00 -04:00
parent e6c99f34a1
commit 1efc121466
1 changed files with 1 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
libsepol/src/policydb_validate.c
View File

@ -1076,6 +1076,7 @@ static int validate_avrules(sepol_handle_t *handle, const avrule_t *avrule, int
switch(avrule->flags) {
case 0:
break;
case RULE_SELF:
if (p->policyvers != POLICY_KERN &&
p->policyvers < MOD_POLICYDB_VERSION_SELF_TYPETRANS &&