* [PATCH] libsepol/cil: restore error on context rule conflicts
@ 2022-10-12 14:27 Christian Göttsche
  2022-10-12 15:38 ` James Carter
  0 siblings, 1 reply; 4+ messages in thread
From: Christian Göttsche @ 2022-10-12 14:27 UTC (permalink / raw)
  To: selinux; +Cc: Milos Malik

Commit bc26ddc59c8d ("libsepol/cil: Limit the amount of reporting for
context rule conflicts") reworked the processing of context rule
conflicts to limit the number of written conflicting statements to
increase readability of the printed error message.  It forgot to set the
return value, signaling a context conflict, in the case the logging
level is higher than warning (e.g. in semodule(8), which defaults to
error).

Reported-by: Milos Malik <mmalik@redhat.com> [1]
Fixes: bc26ddc59c8d ("libsepol/cil: Limit the amount of reporting for context rule conflicts")

[1]: https://lore.kernel.org/selinux/87y1u1rkoo.fsf@redhat.com/

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
---
 libsepol/cil/src/cil_post.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libsepol/cil/src/cil_post.c b/libsepol/cil/src/cil_post.c
index 6e95225f..11e572e2 100644
--- a/libsepol/cil/src/cil_post.c
+++ b/libsepol/cil/src/cil_post.c
@@ -2290,6 +2290,7 @@ static int __cil_post_process_context_rules(struct cil_sort *sort, int (*compar)
 		} else {
 			removed++;
 			if (!db->multiple_decls || concompar(&sort->array[i], &sort->array[j]) != 0) {
+				rc = SEPOL_ERR;
 				conflicting++;
 				if (log_level >= CIL_WARN) {
 					struct cil_list_item li;
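Review bot: The added "rc = SEPOL_ERR;" at the top of the conflict branch carries no comment saying why it sits outside the "if (log_level >= CIL_WARN)" block, which is the exact coupling that caused the regression described in the commit message. A one-line comment stating that the return value must not depend on the log level would stop a later cleanup from moving it back next to the reporting code. The diffstat touches only cil_post.c, so a regression test that compiles conflicting context rules at the error log level and expects failure would be worth adding alongside.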
@@ -2297,7 +2298,6 @@ static int __cil_post_process_context_rules(struct cil_sort *sort, int (*compar)
 					li.flavor = flavor;
 					if (conflicting == 1) {
 						cil_log(CIL_WARN, "Found conflicting %s rules\n", flavor_str);
-						rc = SEPOL_ERR;
 						li.data = sort->array[i];
 						rc2 = cil_tree_walk(db->ast->root, __cil_post_report_conflict,
 											NULL, NULL, &li);
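Review bot: With the assignment moved out, the only explanation visible in these lines, cil_log(CIL_WARN, "Found conflicting %s rules\n", flavor_str), still sits inside "if (log_level >= CIL_WARN)", so a caller for which that condition is false now gets SEPOL_ERR with nothing from this block saying why. Please confirm that code outside the shown context reports the conflict at CIL_ERR, or log a short error-level message here so that tools defaulting to the error level, such as the semodule(8) case named in the commit message, print a reason for the failure.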
-- 
2.37.2



* Re: [PATCH] libsepol/cil: restore error on context rule conflicts
  2022-10-12 14:27 [PATCH] libsepol/cil: restore error on context rule conflicts Christian Göttsche
@ 2022-10-12 15:38 ` James Carter
  2022-10-13 13:13   ` Petr Lautrbach
  0 siblings, 1 reply; 4+ messages in thread
From: James Carter @ 2022-10-12 15:38 UTC (permalink / raw)
  To: Christian Göttsche; +Cc: selinux, Milos Malik

On Wed, Oct 12, 2022 at 10:28 AM Christian Göttsche
<cgzones@googlemail.com> wrote:
>
> Commit bc26ddc59c8d ("libsepol/cil: Limit the amount of reporting for
> context rule conflicts") reworked the processing of context rule
> conflicts to limit the number of written conflicting statements to
> increase readability of the printed error message.  It forgot to set the
> return value, signaling a context conflict, in the case the logging
> level is higher than warning (e.g. in semodule(8), which defaults to
> error).
>
> Reported-by: Milos Malik <mmalik@redhat.com> [1]
> Fixes: bc26ddc59c8d ("libsepol/cil: Limit the amount of reporting for context rule conflicts")
>
> [1]: https://lore.kernel.org/selinux/87y1u1rkoo.fsf@redhat.com/
>
> Signed-off-by: Christian Göttsche <cgzones@googlemail.com>

Acked-by: James Carter <jwcart2@gmail.com>

> ---
>  libsepol/cil/src/cil_post.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/libsepol/cil/src/cil_post.c b/libsepol/cil/src/cil_post.c
> index 6e95225f..11e572e2 100644
> --- a/libsepol/cil/src/cil_post.c
> +++ b/libsepol/cil/src/cil_post.c
> @@ -2290,6 +2290,7 @@ static int __cil_post_process_context_rules(struct cil_sort *sort, int (*compar)
>                 } else {
>                         removed++;
>                         if (!db->multiple_decls || concompar(&sort->array[i], &sort->array[j]) != 0) {
> +                               rc = SEPOL_ERR;
>                                 conflicting++;
>                                 if (log_level >= CIL_WARN) {
>                                         struct cil_list_item li;
> @@ -2297,7 +2298,6 @@ static int __cil_post_process_context_rules(struct cil_sort *sort, int (*compar)
>                                         li.flavor = flavor;
>                                         if (conflicting == 1) {
>                                                 cil_log(CIL_WARN, "Found conflicting %s rules\n", flavor_str);
> -                                               rc = SEPOL_ERR;
>                                                 li.data = sort->array[i];
>                                                 rc2 = cil_tree_walk(db->ast->root, __cil_post_report_conflict,
>                                                                                         NULL, NULL, &li);
> --
> 2.37.2
>


* Re: [PATCH] libsepol/cil: restore error on context rule conflicts
  2022-10-12 15:38 ` James Carter
@ 2022-10-13 13:13   ` Petr Lautrbach
  2022-10-13 15:26     ` James Carter
  0 siblings, 1 reply; 4+ messages in thread
From: Petr Lautrbach @ 2022-10-13 13:13 UTC (permalink / raw)
  To: selinux, James Carter, Christian Göttsche; +Cc: Milos Malik

James Carter <jwcart2@gmail.com> writes:

> On Wed, Oct 12, 2022 at 10:28 AM Christian Göttsche
> <cgzones@googlemail.com> wrote:
>>
>> Commit bc26ddc59c8d ("libsepol/cil: Limit the amount of reporting for
>> context rule conflicts") reworked the processing of context rule
>> conflicts to limit the number of written conflicting statements to
>> increase readability of the printed error message.  It forgot to set the
>> return value, signaling a context conflict, in the case the logging
>> level is higher than warning (e.g. in semodule(8), which defaults to
>> error).
>>
>> Reported-by: Milos Malik <mmalik@redhat.com> [1]
>> Fixes: bc26ddc59c8d ("libsepol/cil: Limit the amount of reporting for context rule conflicts")
>>
>> [1]: https://lore.kernel.org/selinux/87y1u1rkoo.fsf@redhat.com/
>>
>> Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
>
> Acked-by: James Carter <jwcart2@gmail.com>

Tested-by: Petr Lautrbach <plautrba@redhat.com>

Thanks!


>> ---
>>  libsepol/cil/src/cil_post.c | 2 +-
>>  1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/libsepol/cil/src/cil_post.c b/libsepol/cil/src/cil_post.c
>> index 6e95225f..11e572e2 100644
>> --- a/libsepol/cil/src/cil_post.c
>> +++ b/libsepol/cil/src/cil_post.c
>> @@ -2290,6 +2290,7 @@ static int __cil_post_process_context_rules(struct cil_sort *sort, int (*compar)
>>                 } else {
>>                         removed++;
>>                         if (!db->multiple_decls || concompar(&sort->array[i], &sort->array[j]) != 0) {
>> +                               rc = SEPOL_ERR;
>>                                 conflicting++;
>>                                 if (log_level >= CIL_WARN) {
>>                                         struct cil_list_item li;
>> @@ -2297,7 +2298,6 @@ static int __cil_post_process_context_rules(struct cil_sort *sort, int (*compar)
>>                                         li.flavor = flavor;
>>                                         if (conflicting == 1) {
>>                                                 cil_log(CIL_WARN, "Found conflicting %s rules\n", flavor_str);
>> -                                               rc = SEPOL_ERR;
>>                                                 li.data = sort->array[i];
>>                                                 rc2 = cil_tree_walk(db->ast->root, __cil_post_report_conflict,
>>                                                                                         NULL, NULL, &li);
>> --
>> 2.37.2
>>



* Re: [PATCH] libsepol/cil: restore error on context rule conflicts
  2022-10-13 13:13   ` Petr Lautrbach
@ 2022-10-13 15:26     ` James Carter
  0 siblings, 0 replies; 4+ messages in thread
From: James Carter @ 2022-10-13 15:26 UTC (permalink / raw)
  To: Petr Lautrbach; +Cc: selinux, Christian Göttsche, Milos Malik

On Thu, Oct 13, 2022 at 9:13 AM Petr Lautrbach <plautrba@redhat.com> wrote:
>
> James Carter <jwcart2@gmail.com> writes:
>
> > On Wed, Oct 12, 2022 at 10:28 AM Christian Göttsche
> > <cgzones@googlemail.com> wrote:
> >>
> >> Commit bc26ddc59c8d ("libsepol/cil: Limit the amount of reporting for
> >> context rule conflicts") reworked the processing of context rule
> >> conflicts to limit the number of written conflicting statements to
> >> increase readability of the printed error message.  It forgot to set the
> >> return value, signaling a context conflict, in the case the logging
> >> level is higher than warning (e.g. in semodule(8), which defaults to
> >> error).
> >>
> >> Reported-by: Milos Malik <mmalik@redhat.com> [1]
> >> Fixes: bc26ddc59c8d ("libsepol/cil: Limit the amount of reporting for context rule conflicts")
> >>
> >> [1]: https://lore.kernel.org/selinux/87y1u1rkoo.fsf@redhat.com/
> >>
> >> Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
> >
> > Acked-by: James Carter <jwcart2@gmail.com>
>
> Tested-by: Petr Lautrbach <plautrba@redhat.com>
>
> Thanks!
>
Merged.
Jim

>
> >> ---
> >>  libsepol/cil/src/cil_post.c | 2 +-
> >>  1 file changed, 1 insertion(+), 1 deletion(-)
> >>
> >> diff --git a/libsepol/cil/src/cil_post.c b/libsepol/cil/src/cil_post.c
> >> index 6e95225f..11e572e2 100644
> >> --- a/libsepol/cil/src/cil_post.c
> >> +++ b/libsepol/cil/src/cil_post.c
> >> @@ -2290,6 +2290,7 @@ static int __cil_post_process_context_rules(struct cil_sort *sort, int (*compar)
> >>                 } else {
> >>                         removed++;
> >>                         if (!db->multiple_decls || concompar(&sort->array[i], &sort->array[j]) != 0) {
> >> +                               rc = SEPOL_ERR;
> >>                                 conflicting++;
> >>                                 if (log_level >= CIL_WARN) {
> >>                                         struct cil_list_item li;
> >> @@ -2297,7 +2298,6 @@ static int __cil_post_process_context_rules(struct cil_sort *sort, int (*compar)
> >>                                         li.flavor = flavor;
> >>                                         if (conflicting == 1) {
> >>                                                 cil_log(CIL_WARN, "Found conflicting %s rules\n", flavor_str);
> >> -                                               rc = SEPOL_ERR;
> >>                                                 li.data = sort->array[i];
> >>                                                 rc2 = cil_tree_walk(db->ast->root, __cil_post_report_conflict,
> >>                                                                                         NULL, NULL, &li);
> >> --
> >> 2.37.2
> >>
>
