mirror of
https://github.com/SELinuxProject/selinux
synced 2025-04-11 04:01:46 +00:00
sepolgen: sort extended rules like normal ones
Currently:
#============= sshd_t ==============
#!!!! This avc is allowed in the current policy
#!!!! This av rule may have been overridden by an extended permission av rule
allow sshd_t ptmx_t:chr_file ioctl;
#!!!! This avc is allowed in the current policy
#!!!! This av rule may have been overridden by an extended permission av rule
allow sshd_t sshd_devpts_t:chr_file ioctl;
#!!!! This avc is allowed in the current policy
#!!!! This av rule may have been overridden by an extended permission av rule
allow sshd_t user_devpts_t:chr_file ioctl;
#============= user_t ==============
#!!!! This avc is allowed in the current policy
#!!!! This av rule may have been overridden by an extended permission av rule
allow user_t devtty_t:chr_file ioctl;
#!!!! This avc is allowed in the current policy
#!!!! This av rule may have been overridden by an extended permission av rule
allow user_t user_devpts_t:chr_file ioctl;
allowxperm sshd_t ptmx_t:chr_file ioctl { 0x5430-0x5431 0x5441 };
allowxperm sshd_t sshd_devpts_t:chr_file ioctl 0x5401;
allowxperm sshd_t user_devpts_t:chr_file ioctl { 0x5401-0x5402 0x540e };
allowxperm user_t user_devpts_t:chr_file ioctl { 0x4b33 0x5401 0x5403 0x540a 0x540f-0x5410 0x5413-0x5414 };
allowxperm user_t devtty_t:chr_file ioctl 0x4b33;
Changed:
#============= sshd_t ==============
#!!!! This avc is allowed in the current policy
#!!!! This av rule may have been overridden by an extended permission av rule
allow sshd_t ptmx_t:chr_file ioctl;
allowxperm sshd_t ptmx_t:chr_file ioctl { 0x5430-0x5431 0x5441 };
#!!!! This avc is allowed in the current policy
#!!!! This av rule may have been overridden by an extended permission av rule
allow sshd_t sshd_devpts_t:chr_file ioctl;
allowxperm sshd_t sshd_devpts_t:chr_file ioctl 0x5401;
#!!!! This avc is allowed in the current policy
#!!!! This av rule may have been overridden by an extended permission av rule
allow sshd_t user_devpts_t:chr_file ioctl;
allowxperm sshd_t user_devpts_t:chr_file ioctl { 0x5401-0x5402 0x540e };
#============= user_t ==============
#!!!! This avc is allowed in the current policy
#!!!! This av rule may have been overridden by an extended permission av rule
allow user_t devtty_t:chr_file ioctl;
allowxperm user_t devtty_t:chr_file ioctl 0x4b33;
#!!!! This avc is allowed in the current policy
#!!!! This av rule may have been overridden by an extended permission av rule
allow user_t user_devpts_t:chr_file ioctl;
allowxperm user_t user_devpts_t:chr_file ioctl { 0x4b33 0x5401 0x5403 0x540a 0x540f-0x5410 0x5413-0x5414 };
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
This commit is contained in:
Christian Göttsche
Stephen Smalley
parent
9e239e5569
commit
2a60de8eca
@ -84,7 +84,7 @@ def avrule_cmp(a, b):
|
||||
return ret
|
||||
|
||||
# At this point, who cares - just return something
|
||||
return cmp(len(a.perms), len(b.perms))
|
||||
return 0
|
||||
|
||||
# Compare two interface calls
|
||||
def ifcall_cmp(a, b):
|
||||
@ -100,7 +100,7 @@ def rule_cmp(a, b):
|
||||
else:
|
||||
return id_set_cmp([a.args[0]], b.src_types)
|
||||
else:
|
||||
if isinstance(b, refpolicy.AVRule):
|
||||
if isinstance(b, refpolicy.AVRule) or isinstance(b, refpolicy.AVExtRule):
|
||||
return avrule_cmp(a,b)
|
||||
else:
|
||||
return id_set_cmp(a.src_types, [b.args[0]])
|
||||
@ -130,6 +130,7 @@ def sort_filter(module):
|
||||
# we assume is the first argument for interfaces).
|
||||
rules = []
|
||||
rules.extend(node.avrules())
|
||||
rules.extend(node.avextrules())
|
||||
rules.extend(node.interface_calls())
|
||||
rules.sort(key=util.cmp_to_key(rule_cmp))
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user