Commit 44141f58 authored by bauen1, committed by Paul Moore

selinux: allow dontauditx and auditallowx rules to take effect without allowx



This allows for dontauditing very specific ioctls e.g. TCGETS without
dontauditing every ioctl or granting additional permissions.

Now either an allowx, dontauditx or auditallowx rule enables checking
for extended permissions.

Signed-off-by: Jonathan Hettwer <j2468h@gmail.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
parent 83370b31
+1 −3
@@ -596,8 +596,6 @@ void services_compute_xperms_drivers(
					node->datum.u.xperms->driver);
	}

	/* If no ioctl commands are allowed, ignore auditallow and auditdeny */
	if (node->key.specified & AVTAB_XPERMS_ALLOWED)
	xperms->len = 1;
}
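Review bot: `xperms->len = 1;` at the end of services_compute_xperms_drivers() is left without any comment once the "If no ioctl commands are allowed, ignore auditallow and auditdeny" comment and the AVTAB_XPERMS_ALLOWED test in front of it are dropped (the +1 −3 in the stat). Please add a one-line replacement comment saying that any of allowx, dontauditx or auditallowx now enables extended permission checking, so the new invariant is recorded where len is set. It is also worth confirming that every reader of xperms->len still denies a command when len was set only by a dontauditx or auditallowx node, since the commit message promises that no additional permissions are granted.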