From: <ssm...@us...> - 2007-04-05 20:00:56
Revision: 2322
http://svn.sourceforge.net/selinux/?rev=2322&view=rev
Author: ssmalley
Date: 2007-04-05 13:00:54 -0700 (Thu, 05 Apr 2007)
Log Message:
-----------
Author: Eamon Walsh
Email: ew...@ty...
Subject: libselinux: grant permissions on deny in permissive mode
Date: Thu, 05 Apr 2007 14:37:22 -0400
This patch duplicates the kernel behavior of granting permissions
after a denial to avoid repeated AVC's, including flushing the cache
on a switch to enforcing mode.
Signed-off-by: Eamon Walsh <ew...@ty...>
Modified Paths:
--------------
trunk/libselinux/src/avc.c
trunk/libselinux/src/avc_internal.c
Modified: trunk/libselinux/src/avc.c
===================================================================
--- trunk/libselinux/src/avc.c 2007-04-05 18:18:47 UTC (rev 2321)
+++ trunk/libselinux/src/avc.c 2007-04-05 20:00:54 UTC (rev 2322)
@@ -984,9 +984,12 @@
denied = requested & ~(ae->avd.allowed);
- if ((!requested || denied) && avc_enforcing) {
- errno = EACCES;
- rc = -1;
+ if (!requested || denied) {
+ if (avc_enforcing) {
+ errno = EACCES;
+ rc = -1;
+ } else
+ ae->avd.allowed |= requested;
}
out:
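Review bot: The permissive branch ORs `requested` into the shared cache entry (`ae->avd.allowed |= requested`), so from then on the entry cannot tell policy-allowed bits from bits granted only because enforcement was off. That is safe only while every switch to enforcing empties the cache, which this commit arranges in avc_internal.c; a comment would make the dependency explicit, e.g. `/* permissive: cache the grant to suppress repeat denials; relies on the cache flush at setenforce 1 */`. The `else` arm would also read better braced like the `if` arm. The enclosing function starts and ends outside the hunk, so whether the entry is modified under the AVC lock cannot be confirmed from here.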
Modified: trunk/libselinux/src/avc_internal.c
===================================================================
--- trunk/libselinux/src/avc_internal.c 2007-04-05 18:18:47 UTC (rev 2321)
+++ trunk/libselinux/src/avc_internal.c 2007-04-05 20:00:54 UTC (rev 2322)
@@ -163,6 +163,12 @@
("%s: received setenforce notice (enforcing=%d)\n",
avc_prefix, msg->val);
avc_enforcing = msg->val;
+ if (avc_enforcing && (rc = avc_ss_reset(0)) < 0) {
+ avc_log
+ ("%s: cache reset returned %d (errno %d)\n",
+ avc_prefix, rc, errno);
+ goto out;
+ }
break;
}
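Review bot: `avc_enforcing = msg->val;` is assigned before `avc_ss_reset(0)` runs, and on failure the code only logs and jumps to `out`, so enforcing mode can be in effect while entries that picked up permissive grants are still cached. If avc_ss_reset can return an error before the cache has been emptied (its body is not visible here), those entries would keep allowing previously denied permissions; the failure path should state what the cache holds at that point, and ideally the flush should complete before lookups see the new mode. The same sequence is repeated in the hunk at -263 with `ret`. A comment such as `/* drop grants cached while permissive before they can be honoured in enforcing mode */` above the added `if` would document why the reset is here. The surrounding switch and the `out` label are outside the hunk.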
@@ -263,6 +269,12 @@
("%s: received setenforce notice (enforcing=%d)\n",
avc_prefix, msg->val);
avc_enforcing = msg->val;
+ if (avc_enforcing && (ret = avc_ss_reset(0)) < 0) {
+ avc_log
+ ("%s: cache reset returned %d (errno %d)\n",
+ avc_prefix, ret, errno);
+ goto out;
+ }
break;
}