1 files changed, 22 insertions, 2 deletions
diff --git a/security/selinux/avc.c b/security/selinux/avc.c
index 3662b0f15ec5..9da6420e2056 100644
--- a/security/selinux/avc.c
+++ b/security/selinux/avc.c
@@ -488,9 +488,29 @@ void avc_audit(u32 ssid, u32 tsid,
        struct common_audit_data stack_data;
        u32 denied, audited;
        denied = requested & ~avd->allowed;
-        if (denied)
+        if (denied) {
                audited = denied & avd->auditdeny;
-        else if (result)
+                /*
+                 * a->selinux_audit_data.auditdeny is TRICKY!  Setting a bit in
+                 * this field means that ANY denials should NOT be audited if
+                 * the policy contains an explicit dontaudit rule for that
+                 * permission.  Take notice that this is unrelated to the
+                 * actual permissions that were denied.  As an example lets
+                 * assume:
+                 *
+                 * denied == READ
+                 * avd.auditdeny & ACCESS == 0 (not set means explicit rule)
+                 * selinux_audit_data.auditdeny & ACCESS == 1
+                 *
+                 * We will NOT audit the denial even though the denied
+                 * permission was READ and the auditdeny checks were for
+                 * ACCESS
+                 */
+                if (a &&
+                    a->selinux_audit_data.auditdeny &&
+                    !(a->selinux_audit_data.auditdeny & avd->auditdeny))
+                        audited = 0;
+        } else if (result)
                audited = denied = requested;
        else
                audited = requested & avd->auditallow;

diff --git a/security/selinux/avc.c b/security/selinux/avc.c index 3662b0f15ec5..9da6420e2056 100644 --- a/security/selinux/avc.c +++ b/security/selinux/avc.c
@@ -488,9 +488,29 @@ void avc_audit(u32 ssid, u32 tsid,
488	struct common_audit_data stack_data;	488	struct common_audit_data stack_data;
489	u32 denied, audited;	489	u32 denied, audited;
490	denied = requested & ~avd->allowed;	490	denied = requested & ~avd->allowed;
491	if (denied)	491	if (denied) {
492	audited = denied & avd->auditdeny;	492	audited = denied & avd->auditdeny;
493	else if (result)	493	/*
		494	* a->selinux_audit_data.auditdeny is TRICKY! Setting a bit in
		495	* this field means that ANY denials should NOT be audited if
		496	* the policy contains an explicit dontaudit rule for that
		497	* permission. Take notice that this is unrelated to the
		498	* actual permissions that were denied. As an example lets
		499	* assume:
		500	*
		501	* denied == READ
		502	* avd.auditdeny & ACCESS == 0 (not set means explicit rule)
		503	* selinux_audit_data.auditdeny & ACCESS == 1
		504	*
		505	* We will NOT audit the denial even though the denied
		506	* permission was READ and the auditdeny checks were for
		507	* ACCESS
		508	*/
		509	if (a &&
		510	a->selinux_audit_data.auditdeny &&
		511	!(a->selinux_audit_data.auditdeny & avd->auditdeny))
		512	audited = 0;
		513	} else if (result)
494	audited = denied = requested;	514	audited = denied = requested;
495	else	515	else
496	audited = requested & avd->auditallow;	516	audited = requested & avd->auditallow;