libsepol: Do not reject all type rules in conditionals when validating

Commit 1c91bc8 ("libsepol: reject self flag in type rules in old policies") actually rejects all type rules in conditionals in modular policies prior to version 21 (MOD_POLICYDB_VERSION_SELF_TYPETRANS). The problem is because of fall-through in a switch statement when the avrule flags are 0. Instead, break rather than fall-through when avrule flags are 0. Reviewed-by: Christian Göttsche <[email protected]> Acked-by: Petr Lautrbach <[email protected]>
stephensmalley · Jun 21, 2024 · 1efc121 · 1efc121
1 parent e6c99f3
commit 1efc121
Showing 1 changed file with 1 addition and 0 deletions.
diff --git a/libsepol/src/policydb_validate.c b/libsepol/src/policydb_validate.c
@@ -1076,6 +1076,7 @@ static int validate_avrules(sepol_handle_t *handle, const avrule_t *avrule, int
 
 		switch(avrule->flags) {
 		case 0:
+			break;
 		case RULE_SELF:
 			if (p->policyvers != POLICY_KERN &&
 			    p->policyvers < MOD_POLICYDB_VERSION_SELF_TYPETRANS &&