libselinux: Mapped compute functions now obey deny_unknown flag
If selinux_set_mapping(3) is used to map classes, and an invalid class is used to compute a decision (tclass = 0), the result did not obey the status of the deny_unknown flag.

Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
parent
98234cf543
commit
d0a8d81882
|
@ -60,6 +60,8 @@ int security_compute_av_flags_raw(const security_context_t scon,
|
||||||
} else if (ret < 6)
|
} else if (ret < 6)
|
||||||
avd->flags = 0;
|
avd->flags = 0;
|
||||||
|
|
||||||
|
/* If tclass invalid, kernel sets avd according to deny_unknown flag */
|
||||||
|
if (tclass != 0)
|
||||||
map_decision(tclass, avd);
|
map_decision(tclass, avd);
|
||||||
|
|
||||||
ret = 0;
|
ret = 0;
|
||||||
|
|
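Review bot: the new guard `if (tclass != 0)` in security_compute_av_flags_raw treats 0 as the only invalid class, while the comment above it says "If tclass invalid" without naming that value. Please make the comment say that tclass == 0 is the case being skipped and that map_decision() is bypassed so the avd the kernel filled in according to deny_unknown reaches the caller unchanged. It is also worth documenting for callers that in this path avd has not been through map_decision(), so its bits are not translated through the mapping installed with selinux_set_mapping(3). A regression test that computes a decision with tclass = 0 after setting a mapping, once for each deny_unknown setting, would keep this from regressing.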