libsepol: Do not reject all type rules in conditionals when validating

jwcart2 · jwcart2 · commit 1efc12146624 · 2024-06-21T09:29:02.000-04:00
Commit 1c91bc8 ("libsepol: reject self flag in type rules in old policies") actually rejects all type rules in conditionals in modular policies prior to version 21 (MOD_POLICYDB_VERSION_SELF_TYPETRANS). The problem is because of fall-through in a switch statement when the avrule flags are 0. Instead, break rather than fall-through when avrule flags are 0. Reviewed-by: Christian Göttsche <cgzones@googlemail.com> Acked-by: Petr Lautrbach <lautrbach@redhat.com>
diff --git a/libsepol/src/policydb_validate.c b/libsepol/src/policydb_validate.c
@@ -1076,6 +1076,7 @@ static int validate_avrules(sepol_handle_t *handle, const avrule_t *avrule, int
 
 		switch(avrule->flags) {
 		case 0:
+			break;
 		case RULE_SELF:
 			if (p->policyvers != POLICY_KERN &&
 			    p->policyvers < MOD_POLICYDB_VERSION_SELF_TYPETRANS &&
