    SELinux: print denials for buggy kernel with unknown perms · 0bce9527
    Eric Paris authored
    Historically we've seen cases where permissions are requested for classes
    where they do not exist.  In particular we have seen CIFS forget to set
    i_mode to indicate it is a directory so when we later check something like
    remove_name we have problems since it wasn't defined in tclass file.  This
    used to result in an avc which included the permission 0x2000 or something.
    Currently the kernel will deny the operations (good thing) but will not
    print ANY information (bad thing).  First the auditdeny field is now
    extended to include unknown permissions.  After that is fixed the logic in
    avc_dump_query to output this information isn't right since it will remove
    the permission from the av and print the phrase "<NULL>".  This takes us
    back to the behavior before the classmap rewrite.
    Signed-off-by: Eric Paris <eparis@redhat.com>
    Signed-off-by: James Morris <jmorris@namei.org>
avc.c 20.6 KB
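The two failure modes the commit message describes (an undefined permission bit that is denied but never audited, and a dump routine that prints "<NULL>" for a bit it has no name for) can be modelled outside the kernel. The block below is an added illustration written for this page; it is not code from avc.c or from the SELinux tree. The `file_class` table is a constructed, deliberately partial permission table, `dump_av_old`/`dump_av_fixed` are hypothetical stand-ins for the pre- and post-fix avc_dump_av behaviour, and `auditdeny_old`/`auditdeny_fixed` model how the auditdeny mask treats bits the policy never defined.

```c
/* Added illustration, not kernel code: user-space model of the AVC
 * "unknown permission" dump and auditdeny behaviour described above. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define AV_BITS  32
#define DUMP_LEN 256

/* One object class: bit i of an access vector is named perm_names[i];
 * a NULL entry means the policy defines no permission for that bit. */
struct av_class {
    const char *name;
    const char *perm_names[AV_BITS];
};

/* Constructed, partial "file" class (assumption, not the real classmap):
 * only six bits are defined, so a request such as 0x2000 (bit 13) is an
 * "unknown permission" for this class. */
static const struct av_class file_class = {
    "file",
    { "ioctl", "read", "write", "create", "getattr", "setattr" }
};

/* Append s to a DUMP_LEN buffer without overrunning it. */
static void append(char *buf, const char *s)
{
    size_t used = strlen(buf);
    snprintf(buf + used, DUMP_LEN - used, "%s", s);
}

/* Mask of the permission bits this class actually defines. */
static uint32_t defined_mask(const struct av_class *cls)
{
    uint32_t m = 0;
    for (int i = 0; i < AV_BITS; i++)
        if (cls->perm_names[i])
            m |= 1u << i;
    return m;
}

/* Pre-fix behaviour: every set bit is printed by name, so an undefined bit
 * goes out as "<NULL>", and the bit is cleared, so its hex value is lost. */
const char *dump_av_old(const struct av_class *cls, uint32_t av)
{
    static char buf[DUMP_LEN];
    char item[64];
    buf[0] = '\0';
    append(buf, "{");
    for (int i = 0; i < AV_BITS; i++) {
        uint32_t bit = 1u << i;
        if (av & bit) {
            snprintf(item, sizeof item, " %s",
                     cls->perm_names[i] ? cls->perm_names[i] : "<NULL>");
            append(buf, item);
            av &= ~bit;
        }
    }
    append(buf, " }");
    return buf;
}

/* Post-fix behaviour: only named bits are printed and cleared; whatever
 * remains is undefined for this class and is printed as a hex value. */
const char *dump_av_fixed(const struct av_class *cls, uint32_t av)
{
    static char buf[DUMP_LEN];
    char item[64];
    buf[0] = '\0';
    append(buf, "{");
    for (int i = 0; i < AV_BITS; i++) {
        uint32_t bit = 1u << i;
        if ((av & bit) && cls->perm_names[i]) {
            snprintf(item, sizeof item, " %s", cls->perm_names[i]);
            append(buf, item);
            av &= ~bit;
        }
    }
    if (av) {
        snprintf(item, sizeof item, " 0x%x", (unsigned)av);
        append(buf, item);
    }
    append(buf, " }");
    return buf;
}

/* auditdeny: the set of denied bits that should produce an audit record.
 * `dontaudit` is the policy's mask of defined permissions whose denials are
 * suppressed. Old: undefined bits are never in auditdeny, so denying only an
 * undefined bit logs nothing. Fixed: undefined bits are always audited. */
uint32_t auditdeny_old(const struct av_class *cls, uint32_t dontaudit)
{
    return defined_mask(cls) & ~dontaudit;
}

uint32_t auditdeny_fixed(const struct av_class *cls, uint32_t dontaudit)
{
    return auditdeny_old(cls, dontaudit) | ~defined_mask(cls);
}

int main(void)
{
    uint32_t denied = 0x2000u; /* bit 13: no name in the constructed class */
    printf("old:   %s audited=%d\n", dump_av_old(&file_class, denied),
           (denied & auditdeny_old(&file_class, 0)) != 0);
    printf("fixed: %s audited=%d\n", dump_av_fixed(&file_class, denied),
           (denied & auditdeny_fixed(&file_class, 0)) != 0);
    return 0;
}
```

Running it shows the two halves of the fix side by side: the old path yields `{ <NULL> }` with no audit record, the fixed path yields `{ 0x2000 }` and an audited denial, while a dontaudit on a defined permission (for example getattr, bit 4 in the constructed table) is still honoured.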