From d0a8d81882c9b3eb7ad5601b45254a5c19479085 Mon Sep 17 00:00:00 2001
From: Richard Haines <richard_c_haines@btinternet.com>
Date: Sun, 27 Nov 2011 16:06:57 +0000
Subject: [PATCH] libselinux: Mapped compute functions now obey deny_unknown
 flag

If selinux_set_mapping(3) is used to map classes, and an invalid class is used
to compute a decision (tclass = 0), the result did not obey the status of the
deny_unknown flag.

Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
---
 libselinux/src/compute_av.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/libselinux/src/compute_av.c b/libselinux/src/compute_av.c
index 86ff2740..5962c0b5 100644
--- a/libselinux/src/compute_av.c
+++ b/libselinux/src/compute_av.c
@@ -60,7 +60,9 @@ int security_compute_av_flags_raw(const security_context_t scon,
 	} else if (ret < 6)
 		avd->flags = 0;
 
-	map_decision(tclass, avd);
+	/* If tclass invalid, kernel sets avd according to deny_unknown flag */
+	if (tclass != 0)
+		map_decision(tclass, avd);
 
 	ret = 0;
       out2: