libselinux: Mapped compute functions now obey deny_unknown flag

If selinux_set_mapping(3) is used to map classes, and an invalid class is used
to compute a decision (tclass = 0), the result did not obey the status of the
deny_unknown flag.

Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>

libselinux/src/compute_av.c

@@ -60,7 +60,9 @@ int security_compute_av_flags_raw(const security_context_t scon,
 	} else if (ret < 6)
 		avd->flags = 0;
 
-	map_decision(tclass, avd);
+	/* If tclass invalid, kernel sets avd according to deny_unknown flag */
+	if (tclass != 0)
+		map_decision(tclass, avd);
 
 	ret = 0;
       out2: