1 files changed, 22 insertions, 3 deletions
diff --git a/security/selinux/avc.c b/security/selinux/avc.c
index 7f1a304712a9..9da6420e2056 100644
--- a/security/selinux/avc.c
+++ b/security/selinux/avc.c
@@ -288,7 +288,6 @@ static struct avc_node *avc_alloc_node(void)
        if (!node)
                goto out;
-        INIT_RCU_HEAD(&node->rhead);
        INIT_HLIST_NODE(&node->list);
        avc_cache_stats_incr(allocations);
@@ -489,9 +488,29 @@ void avc_audit(u32 ssid, u32 tsid,
        struct common_audit_data stack_data;
        u32 denied, audited;
        denied = requested & ~avd->allowed;
-        if (denied)
+        if (denied) {
                audited = denied & avd->auditdeny;
-        else if (result)
+                /*
+                 * a->selinux_audit_data.auditdeny is TRICKY!  Setting a bit in
+                 * this field means that ANY denials should NOT be audited if
+                 * the policy contains an explicit dontaudit rule for that
+                 * permission.  Take notice that this is unrelated to the
+                 * actual permissions that were denied.  As an example lets
+                 * assume:
+                 *
+                 * denied == READ
+                 * avd.auditdeny & ACCESS == 0 (not set means explicit rule)
+                 * selinux_audit_data.auditdeny & ACCESS == 1
+                 *
+                 * We will NOT audit the denial even though the denied
+                 * permission was READ and the auditdeny checks were for
+                 * ACCESS
+                 */
+                if (a &&
+                    a->selinux_audit_data.auditdeny &&
+                    !(a->selinux_audit_data.auditdeny & avd->auditdeny))
+                        audited = 0;
+        } else if (result)
                audited = denied = requested;
        else
                audited = requested & avd->auditallow;

diff --git a/security/selinux/avc.c b/security/selinux/avc.c index 7f1a304712a9..9da6420e2056 100644 --- a/security/selinux/avc.c +++ b/security/selinux/avc.c
@@ -288,7 +288,6 @@ static struct avc_node *avc_alloc_node(void)
288	if (!node)	288	if (!node)
289	goto out;	289	goto out;
290		290
291	INIT_RCU_HEAD(&node->rhead);
292	INIT_HLIST_NODE(&node->list);	291	INIT_HLIST_NODE(&node->list);
293	avc_cache_stats_incr(allocations);	292	avc_cache_stats_incr(allocations);
294		293
@@ -489,9 +488,29 @@ void avc_audit(u32 ssid, u32 tsid,
489	struct common_audit_data stack_data;	488	struct common_audit_data stack_data;
490	u32 denied, audited;	489	u32 denied, audited;
491	denied = requested & ~avd->allowed;	490	denied = requested & ~avd->allowed;
492	if (denied)	491	if (denied) {
493	audited = denied & avd->auditdeny;	492	audited = denied & avd->auditdeny;
494	else if (result)	493	/*
		494	* a->selinux_audit_data.auditdeny is TRICKY! Setting a bit in
		495	* this field means that ANY denials should NOT be audited if
		496	* the policy contains an explicit dontaudit rule for that
		497	* permission. Take notice that this is unrelated to the
		498	* actual permissions that were denied. As an example lets
		499	* assume:
		500	*
		501	* denied == READ
		502	* avd.auditdeny & ACCESS == 0 (not set means explicit rule)
		503	* selinux_audit_data.auditdeny & ACCESS == 1
		504	*
		505	* We will NOT audit the denial even though the denied
		506	* permission was READ and the auditdeny checks were for
		507	* ACCESS
		508	*/
		509	if (a &&
		510	a->selinux_audit_data.auditdeny &&
		511	!(a->selinux_audit_data.auditdeny & avd->auditdeny))
		512	audited = 0;
		513	} else if (result)
495	audited = denied = requested;	514	audited = denied = requested;
496	else	515	else
497	audited = requested & avd->auditallow;	516	audited = requested & avd->auditallow;