From 1e7f3c93f02c559dc2ef2347194e2a5f4260c895 Mon Sep 17 00:00:00 2001
From: Dan Walsh
Date: Fri, 4 Nov 2011 09:27:03 -0400
Subject: [PATCH] Upgrade to upstream

* Revert "checkpolicy: Redo filename/filesystem syntax to support filename trans rules"
* drop libsepol dynamic link in checkpolicy
---
 .gitignore | 1 +
 checkpolicy-rhat.patch | 349 ++++++++++++++++++++++++++++++++++++-----
 checkpolicy.spec | 12 +-
 sources | 2 +-
 4 files changed, 318 insertions(+), 46 deletions(-)
diff --git a/.gitignore b/.gitignore
index 5455733..6e75576 100644
--- a/.gitignore
+++ b/.gitignore
@@ -82,3 +82,4 @@ checkpolicy-2.0.22.tgz
 /checkpolicy-2.1.3.tgz
 /checkpolicy-2.1.4.tgz
 /checkpolicy-2.1.5.tgz
+/checkpolicy-2.1.6.tgz
diff --git a/checkpolicy-rhat.patch b/checkpolicy-rhat.patch
index 971e35f..f2fee6a 100644
--- a/checkpolicy-rhat.patch
+++ b/checkpolicy-rhat.patch
@@ -1,42 +1,307 @@
-diff --git a/checkpolicy/policy_parse.y b/checkpolicy/policy_parse.y
-index 49ac15f..1e3ef6f 100644
---- a/checkpolicy/policy_parse.y
-+++ b/checkpolicy/policy_parse.y
-@@ -353,7 +353,7 @@ cond_rule_def : cond_transition_def
- | require_block
- { $$ = NULL; }
- ;
--cond_transition_def : TYPE_TRANSITION names names ':' names identifier filename ';'
-+cond_transition_def : TYPE_TRANSITION names names ':' names identifier '\"' filename '\"' ';'
- { $$ = define_cond_filename_trans() ;
- if ($$ == COND_ERR) return -1;}
- | TYPE_TRANSITION names names ':' names identifier ';'
-@@ -391,7 +391,7 @@ cond_dontaudit_def : DONTAUDIT names names ':' names names ';'
- { $$ = define_cond_te_avtab(AVRULE_DONTAUDIT);
- if ($$ == COND_ERR) return -1; }
- ;
--transition_def : TYPE_TRANSITION names names ':' names identifier filename ';'
-+transition_def : TYPE_TRANSITION names names ':' names identifier '\"' filename '\"' ';'
- {if (define_filename_trans()) return -1; }
- | TYPE_TRANSITION names names ':' names identifier ';'
- {if (define_compute_type(AVRULE_TRANSITION)) return -1;}
-diff --git a/checkpolicy/policy_scan.l b/checkpolicy/policy_scan.l
-index a61e0db..2ba5971 100644
---- a/checkpolicy/policy_scan.l
-+++ b/checkpolicy/policy_scan.l
-@@ -227,7 +227,6 @@ PERMISSIVE { return(PERMISSIVE); }
- {digit}{1,3}(\.{digit}{1,3}){3} { return(IPV4_ADDR); }
- {hexval}{0,4}":"{hexval}{0,4}":"({hexval}|[:.])* { return(IPV6_ADDR); }
- {digit}+(\.({alnum}|[_.])*)? { return(VERSION_IDENTIFIER); }
--\"({alnum}|[_\.\-])+\" { return(FILENAME); }
- {alnum}* { return(FILENAME); }
- \.({alnum}|[_\.\-])* { return(FILENAME); }
- {letter}+([-_\.]|{alnum})+ { return(FILENAME); }
-@@ -253,6 +252,7 @@ PERMISSIVE { return(PERMISSIVE); }
- "-" |
- "." |
- "]" |
-+"\"" |
- "~" |
- "*" { return(yytext[0]); }
- . 
{ yywarn("unrecognized character");}
+diff --git a/checkpolicy/test/Makefile b/checkpolicy/test/Makefile
+index 65cf901..0731e89 100644
+--- a/checkpolicy/test/Makefile
++++ b/checkpolicy/test/Makefile
+@@ -6,7 +6,7 @@ BINDIR=$(PREFIX)/bin
+ LIBDIR=$(PREFIX)/lib
+ INCLUDEDIR ?= $(PREFIX)/include
+ 
+-CFLAGS ?= -g -Wall -O2 -pipe
++CFLAGS ?= -g -Wall -W -Werror -O2 -pipe
+ override CFLAGS += -I$(INCLUDEDIR)
+ 
+ LDLIBS=-lfl -lselinux $(LIBDIR)/libsepol.a -L$(LIBDIR)
+diff --git a/checkpolicy/test/dismod.c b/checkpolicy/test/dismod.c
+index 1674a47..6a951f6 100644
+--- a/checkpolicy/test/dismod.c
++++ b/checkpolicy/test/dismod.c
+@@ -115,7 +115,7 @@ static void display_id(policydb_t * p, FILE * fp, uint32_t symbol_type,
+ int display_type_set(type_set_t * set, uint32_t flags, policydb_t * policy,
+ FILE * fp)
+ {
+- int i, num_types;
++ unsigned int i, num_types;
+ 
+ if (set->flags & TYPE_STAR) {
+ fprintf(fp, " * ");
+@@ -178,7 +178,7 @@ int display_type_set(type_set_t * set, uint32_t flags, policydb_t * policy,
+ 
+ int display_mod_role_set(role_set_t * roles, policydb_t * p, FILE * fp)
+ {
+- int i, num = 0;
++ unsigned int i, num = 0;
+ 
+ if (roles->flags & ROLE_STAR) {
+ fprintf(fp, " * ");
+@@ -211,13 +211,7 @@ int display_mod_role_set(role_set_t * roles, policydb_t * p, FILE * fp)
+ 
+ }
+ 
+-/* 'what' values for this function */
+-#define RENDER_UNCONDITIONAL 0x0001 /* render all regardless of enabled state */
+-#define RENDER_ENABLED 0x0002
+-#define RENDER_DISABLED 0x0004
+-#define RENDER_CONDITIONAL (RENDER_ENABLED|RENDER_DISABLED)
+-
+-int display_avrule(avrule_t * avrule, uint32_t what, policydb_t * policy,
++int display_avrule(avrule_t * avrule, policydb_t * policy,
+ FILE * fp)
+ {
+ class_perm_node_t *cur;
+@@ -299,7 +293,7 @@ int display_type_callback(hashtab_key_t key, hashtab_datum_t datum, void *data)
+ {
+ type_datum_t *type;
+ FILE *fp;
+- int i, first_attrib = 1;
++ unsigned int i, first_attrib = 1;
+ 
+ type = (type_datum_t *) datum;
+ fp = (FILE *) 
data;
+@@ -346,7 +340,7 @@ int display_types(policydb_t * p, FILE * fp)
+ 
+ int display_users(policydb_t * p, FILE * fp)
+ {
+- int i, j;
++ unsigned int i, j;
+ ebitmap_t *bitmap;
+ for (i = 0; i < p->p_users.nprim; i++) {
+ display_id(p, fp, SYM_USERS, i, "");
+@@ -365,7 +359,7 @@ int display_users(policydb_t * p, FILE * fp)
+ 
+ int display_bools(policydb_t * p, FILE * fp)
+ {
+- int i;
++ unsigned int i;
+ 
+ for (i = 0; i < p->p_bools.nprim; i++) {
+ display_id(p, fp, SYM_BOOLS, i, "");
+@@ -409,30 +403,11 @@ void display_expr(policydb_t * p, cond_expr_t * exp, FILE * fp)
+ }
+ }
+ 
+-void display_policycon(policydb_t * p, FILE * fp)
++void display_policycon(FILE * fp)
+ {
+-#if 0
+- int i;
+- ocontext_t *cur;
+- char *name;
+-
+- for (i = 0; i < POLICYCON_NUM; i++) {
+- fprintf(fp, "%s:", symbol_labels[i]);
+- for (cur = p->policycon[i].head; cur != NULL; cur = cur->next) {
+- if (*(cur->u.name) == '\0') {
+- name = "{default}";
+- } else {
+- name = cur->u.name;
+- }
+- fprintf(fp, "\n%16s - %s:%s:%s", name,
+- p->p_user_val_to_name[cur->context[0].user - 1],
+- p->p_role_val_to_name[cur->context[0].role - 1],
+- p->p_type_val_to_name[cur->context[0].type -
+- 1]);
+- }
+- fprintf(fp, "\n");
+- }
+-#endif
++ /* There was an attempt to implement this at one time. Look through
++ * git history to find it. 
*/
++ fprintf(fp, "Sorry, not implemented\n");
+ }
+ 
+ void display_initial_sids(policydb_t * p, FILE * fp)
+@@ -462,7 +437,7 @@ void display_initial_sids(policydb_t * p, FILE * fp)
+ 
+ void display_class_set(ebitmap_t *classes, policydb_t *p, FILE *fp)
+ {
+- int i, num = 0;
++ unsigned int i, num = 0;
+ 
+ for (i = ebitmap_startbit(classes); i < ebitmap_length(classes); i++) {
+ if (!ebitmap_get_bit(classes, i))
+@@ -518,7 +493,8 @@ static void display_filename_trans(filename_trans_rule_t * tr, policydb_t * p, F
+ }
+ }
+ 
+-int role_display_callback(hashtab_key_t key, hashtab_datum_t datum, void *data)
++int role_display_callback(hashtab_key_t key __attribute__((unused)),
++ hashtab_datum_t datum, void *data)
+ {
+ role_datum_t *role;
+ FILE *fp;
+@@ -538,9 +514,9 @@ int role_display_callback(hashtab_key_t key, hashtab_datum_t datum, void *data)
+ static int display_scope_index(scope_index_t * indices, policydb_t * p,
+ FILE * out_fp)
+ {
+- int i;
++ unsigned int i;
+ for (i = 0; i < SYM_NUM; i++) {
+- int any_found = 0, j;
++ unsigned int any_found = 0, j;
+ fprintf(out_fp, "%s:", symbol_labels[i]);
+ for (j = ebitmap_startbit(&indices->scope[i]);
+ j < ebitmap_length(&indices->scope[i]); j++) {
+@@ -611,7 +587,7 @@ int change_bool(char *name, int state, policydb_t * p, FILE * fp)
+ }
+ #endif
+ 
+-int display_avdecl(avrule_decl_t * decl, int field, uint32_t what,
++int display_avdecl(avrule_decl_t * decl, int field,
+ policydb_t * policy, FILE * out_fp)
+ {
+ fprintf(out_fp, "decl %u:%s\n", decl->decl_id,
+@@ -629,7 +605,6 @@ int display_avdecl(avrule_decl_t * decl, int field, uint32_t what,
+ avrule = cond->avtrue_list;
+ while (avrule) {
+ display_avrule(avrule,
+- RENDER_UNCONDITIONAL,
+ &policydb, out_fp);
+ avrule = avrule->next;
+ }
+@@ -637,7 +612,6 @@ int display_avdecl(avrule_decl_t * decl, int field, uint32_t what,
+ avrule = cond->avfalse_list;
+ while (avrule) {
+ display_avrule(avrule,
+- RENDER_UNCONDITIONAL,
+ &policydb, out_fp);
+ avrule = 
avrule->next;
+ }
+@@ -651,10 +625,8 @@ int display_avdecl(avrule_decl_t * decl, int field, uint32_t what,
+ fprintf(out_fp, " \n");
+ }
+ while (avrule != NULL) {
+- if (display_avrule
+- (avrule, what, policy, out_fp)) {
++ if (display_avrule(avrule, policy, out_fp))
+ return -1;
+- }
+ avrule = avrule->next;
+ }
+ break;
+@@ -696,7 +668,7 @@ int display_avdecl(avrule_decl_t * decl, int field, uint32_t what,
+ return 0; /* should never get here */
+ }
+ 
+-int display_avblock(int field, uint32_t what, policydb_t * policy,
++int display_avblock(int field, policydb_t * policy,
+ FILE * out_fp)
+ {
+ avrule_block_t *block = policydb.global;
+@@ -704,7 +676,7 @@ int display_avblock(int field, uint32_t what, policydb_t * policy,
+ fprintf(out_fp, "--- begin avrule block ---\n");
+ avrule_decl_t *decl = block->branch_list;
+ while (decl != NULL) {
+- if (display_avdecl(decl, field, what, policy, out_fp)) {
++ if (display_avdecl(decl, field, policy, out_fp)) {
+ return -1;
+ }
+ decl = decl->next;
+@@ -820,7 +792,7 @@ static void display_policycaps(policydb_t * p, FILE * fp)
+ ebitmap_node_t *node;
+ const char *capname;
+ char buf[64];
+- int i;
++ unsigned int i;
+ 
+ fprintf(fp, "policy capabilities:\n");
+ ebitmap_for_each_bit(&p->policycaps, node, i) {
+@@ -915,14 +887,12 @@ int main(int argc, char **argv)
+ case '1':
+ fprintf(out_fp, "unconditional avtab:\n");
+ display_avblock(DISPLAY_AVBLOCK_UNCOND_AVTAB,
+- RENDER_UNCONDITIONAL, &policydb,
+- out_fp);
++ &policydb, out_fp);
+ break;
+ case '2':
+ fprintf(out_fp, "conditional avtab:\n");
+ display_avblock(DISPLAY_AVBLOCK_COND_AVTAB,
+- RENDER_UNCONDITIONAL, &policydb,
+- out_fp);
++ &policydb, out_fp);
+ break;
+ case '3':
+ display_users(&policydb, out_fp);
+@@ -944,28 +914,28 @@ int main(int argc, char **argv)
+ break;
+ case '7':
+ fprintf(out_fp, "role transitions:\n");
+- display_avblock(DISPLAY_AVBLOCK_ROLE_TRANS, 0,
++ display_avblock(DISPLAY_AVBLOCK_ROLE_TRANS,
+ &policydb, out_fp);
+ break;
+ case '8':
+ 
fprintf(out_fp, "role allows:\n");
+- display_avblock(DISPLAY_AVBLOCK_ROLE_ALLOW, 0,
++ display_avblock(DISPLAY_AVBLOCK_ROLE_ALLOW,
+ &policydb, out_fp);
+ break;
+ case '9':
+- display_policycon(&policydb, out_fp);
++ display_policycon(out_fp);
+ break;
+ case '0':
+ display_initial_sids(&policydb, out_fp);
+ break;
+ case 'a':
+ fprintf(out_fp, "avrule block requirements:\n");
+- display_avblock(DISPLAY_AVBLOCK_REQUIRES, 0,
++ display_avblock(DISPLAY_AVBLOCK_REQUIRES,
+ &policydb, out_fp);
+ break;
+ case 'b':
+ fprintf(out_fp, "avrule block declarations:\n");
+- display_avblock(DISPLAY_AVBLOCK_DECLARES, 0,
++ display_avblock(DISPLAY_AVBLOCK_DECLARES,
+ &policydb, out_fp);
+ break;
+ case 'c':
+@@ -993,7 +963,7 @@ int main(int argc, char **argv)
+ case 'F':
+ fprintf(out_fp, "filename_trans rules:\n");
+ display_avblock(DISPLAY_AVBLOCK_FILENAME_TRANS,
+- 0, &policydb, out_fp);
++ &policydb, out_fp);
+ break;
+ case 'l':
+ link_module(&policydb, out_fp);
+diff --git a/checkpolicy/test/dispol.c b/checkpolicy/test/dispol.c
+index 0e08965..f41acdc 100644
+--- a/checkpolicy/test/dispol.c
++++ b/checkpolicy/test/dispol.c
+@@ -157,7 +157,7 @@ int render_av_rule(avtab_key_t * key, avtab_datum_t * datum, uint32_t what,
+ 
+ int display_avtab(avtab_t * a, uint32_t what, policydb_t * p, FILE * fp)
+ {
+- int i;
++ unsigned int i;
+ avtab_ptr_t cur;
+ avtab_t expa;
+ 
+@@ -184,7 +184,7 @@ int display_avtab(avtab_t * a, uint32_t what, policydb_t * p, FILE * fp)
+ 
+ int display_bools(policydb_t * p, FILE * fp)
+ {
+- int i;
++ unsigned int i;
+ 
+ for (i = 0; i < p->p_bools.nprim; i++) {
+ fprintf(fp, "%s : %d\n", p->p_bool_val_to_name[i],
+@@ -304,7 +304,7 @@ static void display_policycaps(policydb_t * p, FILE * fp)
+ ebitmap_node_t *node;
+ const char *capname;
+ char buf[64];
+- int i;
++ unsigned int i;
+ 
+ fprintf(fp, "policy capabilities:\n");
+ ebitmap_for_each_bit(&p->policycaps, node, i) {
+@@ -329,7 +329,7 @@ static void display_id(policydb_t *p, FILE *fp, uint32_t 
symbol_type,
+ static void display_permissive(policydb_t *p, FILE *fp)
+ {
+ ebitmap_node_t *node;
+- int i;
++ unsigned int i;
+ 
+ fprintf(fp, "permissive sids:\n");
+ ebitmap_for_each_bit(&p->permissive_map, node, i) {
diff --git a/checkpolicy.spec b/checkpolicy.spec
index 11257b3..64343fc 100644
--- a/checkpolicy.spec
+++ b/checkpolicy.spec
@@ -1,15 +1,16 @@
+%define libselinuxver 2.1.6-4
 %define libsepolver 2.1.2-3
 Summary: SELinux policy compiler
 Name: checkpolicy
-Version: 2.1.5
-Release: 2%{?dist}
+Version: 2.1.6
+Release: 1%{?dist}
 License: GPLv2
 Group: Development/System
 Source: http://www.nsa.gov/selinux/archives/%{name}-%{version}.tgz
 Patch: checkpolicy-rhat.patch
 BuildRoot: %{_tmppath}/%{name}-buildroot
-BuildRequires: byacc bison flex flex-static libsepol-static >= %{libsepolver} libselinux-devel
+BuildRequires: byacc bison flex flex-static libsepol-static >= %{libsepolver} libselinux-devel >= %{libselinuxver}
 %description
 Security-enhanced Linux is a feature of the Linux® kernel and a number
@@ -55,6 +56,11 @@ rm -rf ${RPM_BUILD_ROOT}
 %{_bindir}/sedispol
 %changelog
+* Fri Nov 4 2011 Dan Walsh - 2.1.6-1
+- Upgrade to upstream
+ * Revert "checkpolicy: Redo filename/filesystem syntax to support filename trans rules"
+ * drop libsepol dynamic link in checkpolicy
+
 * Tue Sep 20 2011 Dan Walsh - 2.1.5-2
 - Fix checkpolicy to ignore '"' in filename trans rules
diff --git a/sources b/sources
index 23dfe20..a97bde0 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-be5053328eac201b3856f160d2bd8d12 checkpolicy-2.1.5.tgz
+a1115f9c92777da7c8cafab08a81b779 checkpolicy-2.1.6.tgz
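Review bot: In the new checkpolicy-rhat.patch, the display_avdecl hunk (`@@ -651,10 +625,8 @@`) rewrites the call as `if (display_avrule(avrule, policy, out_fp))` followed by an unbraced `return -1;`, dropping the braces the replaced lines had, while the neighbouring display_avblock hunk (`@@ -704,7 +676,7 @@`) keeps its `if (display_avdecl(...)) { return -1; }` braced; keeping the braced form here avoids the style drift and the single-statement-body hazard the rest of the file guards against. The Makefile hunk makes `CFLAGS ?= -g -Wall -W -Werror -O2 -pipe` the default, so any warning introduced by a newer compiler turns into a build failure for anyone who does not override CFLAGS, and a one-line comment above it such as `# -Werror is deliberate: the test tools are kept warning-clean` would record that this is intended rather than accidental. The `display_policycon` replacement comment says to "Look through git history" for the earlier attempt; naming the commit or tag that holds it (a placeholder like `<commit-id>` until looked up) would save the next reader the search. display_avdecl, display_policycon and the Makefile's variable block all start or end outside the hunk lines shown.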