Upgrade to upstream

* Revert "checkpolicy: Redo filename/filesystem syntax to support filename trans rules" * drop libsepol dynamic link in checkpolicy
2011-11-04 09:27:03 -04:00 · 2011-11-04 09:27:03 -04:00 · 1e7f3c93f0
commit 1e7f3c93f0
parent 0708d417f5
4 changed files with 318 additions and 46 deletions
--- a/.gitignore
+++ b/.gitignore
@ -82,3 +82,4 @@ checkpolicy-2.0.22.tgz
 /checkpolicy-2.1.3.tgz
 /checkpolicy-2.1.4.tgz
 /checkpolicy-2.1.5.tgz
 /checkpolicy-2.1.6.tgz
--- a/checkpolicy-rhat.patch
+++ b/checkpolicy-rhat.patch
@ -1,42 +1,307 @@
-diff --git a/checkpolicy/policy_parse.y b/checkpolicy/policy_parse.y
+diff --git a/checkpolicy/test/Makefile b/checkpolicy/test/Makefile
-index 49ac15f..1e3ef6f 100644
+index 65cf901..0731e89 100644
--- a/checkpolicy/policy_parse.y
+--- a/checkpolicy/test/Makefile
-+++ b/checkpolicy/policy_parse.y
+++ b/checkpolicy/test/Makefile
-@@ -353,7 +353,7 @@ cond_rule_def           : cond_transition_def
+@@ -6,7 +6,7 @@ BINDIR=$(PREFIX)/bin
- 			| require_block
+ LIBDIR=$(PREFIX)/lib
- 			{ $$ = NULL; }
+ INCLUDEDIR ?= $(PREFIX)/include
-                         ;
+ 
-cond_transition_def	: TYPE_TRANSITION names names ':' names identifier filename ';'
+-CFLAGS ?= -g -Wall -O2 -pipe
-+cond_transition_def	: TYPE_TRANSITION names names ':' names identifier '\"' filename '\"' ';'
+CFLAGS ?= -g -Wall -W -Werror -O2 -pipe
-                         { $$ = define_cond_filename_trans() ;
+ override CFLAGS += -I$(INCLUDEDIR)
-                           if ($$ == COND_ERR) return -1;}
+ 
- 			| TYPE_TRANSITION names names ':' names identifier ';'
+ LDLIBS=-lfl -lselinux $(LIBDIR)/libsepol.a -L$(LIBDIR)
-@@ -391,7 +391,7 @@ cond_dontaudit_def	: DONTAUDIT names names ':' names names ';'
+diff --git a/checkpolicy/test/dismod.c b/checkpolicy/test/dismod.c
- 			{ $$ = define_cond_te_avtab(AVRULE_DONTAUDIT);
+index 1674a47..6a951f6 100644
-                           if ($$ == COND_ERR) return -1; }
+--- a/checkpolicy/test/dismod.c
- 		        ;
+++ b/checkpolicy/test/dismod.c
-transition_def		: TYPE_TRANSITION  names names ':' names identifier filename ';'
+@@ -115,7 +115,7 @@ static void display_id(policydb_t * p, FILE * fp, uint32_t symbol_type,
-+transition_def		: TYPE_TRANSITION  names names ':' names identifier '\"' filename '\"' ';'
+ int display_type_set(type_set_t * set, uint32_t flags, policydb_t * policy,
- 			{if (define_filename_trans()) return -1; }
+ 		     FILE * fp)
- 			| TYPE_TRANSITION names names ':' names identifier ';'
+ {
-                         {if (define_compute_type(AVRULE_TRANSITION)) return -1;}
+-	int i, num_types;
-diff --git a/checkpolicy/policy_scan.l b/checkpolicy/policy_scan.l
+	unsigned int i, num_types;
-index a61e0db..2ba5971 100644
+ 
--- a/checkpolicy/policy_scan.l
+ 	if (set->flags & TYPE_STAR) {
-+++ b/checkpolicy/policy_scan.l
+ 		fprintf(fp, " * ");
-@@ -227,7 +227,6 @@ PERMISSIVE			{ return(PERMISSIVE); }
+@@ -178,7 +178,7 @@ int display_type_set(type_set_t * set, uint32_t flags, policydb_t * policy,
- {digit}{1,3}(\.{digit}{1,3}){3}    { return(IPV4_ADDR); }
+ 
- {hexval}{0,4}":"{hexval}{0,4}":"({hexval}|[:.])*  { return(IPV6_ADDR); }
+ int display_mod_role_set(role_set_t * roles, policydb_t * p, FILE * fp)
- {digit}+(\.({alnum}|[_.])*)?    { return(VERSION_IDENTIFIER); }
+ {
-\"({alnum}|[_\.\-])+\"		{ return(FILENAME); }
+-	int i, num = 0;
- {alnum}*                        { return(FILENAME); }
+	unsigned int i, num = 0;
- \.({alnum}|[_\.\-])*	        { return(FILENAME); }
+ 
- {letter}+([-_\.]|{alnum})+      { return(FILENAME); }
+ 	if (roles->flags & ROLE_STAR) {
-@@ -253,6 +252,7 @@ PERMISSIVE			{ return(PERMISSIVE); }
+ 		fprintf(fp, " * ");
- "-" |
+@@ -211,13 +211,7 @@ int display_mod_role_set(role_set_t * roles, policydb_t * p, FILE * fp)
- "." |
+ 
- "]" |
+ }
-+"\"" |
+ 
- "~" |
+-/* 'what' values for this function */
- "*"				{ return(yytext[0]); } 
+-#define	RENDER_UNCONDITIONAL	0x0001	/* render all regardless of enabled state */
- .                               { yywarn("unrecognized character");}
+-#define RENDER_ENABLED		0x0002
 -#define RENDER_DISABLED		0x0004
 -#define RENDER_CONDITIONAL	(RENDER_ENABLED|RENDER_DISABLED)
 -
 -int display_avrule(avrule_t * avrule, uint32_t what, policydb_t * policy,
 +int display_avrule(avrule_t * avrule, policydb_t * policy,
 		   FILE * fp)
 {
 	class_perm_node_t *cur;
@@ -299,7 +293,7 @@ int display_type_callback(hashtab_key_t key, hashtab_datum_t datum, void *data)
 {
 	type_datum_t *type;
 	FILE *fp;
 -	int i, first_attrib = 1;
 +	unsigned int i, first_attrib = 1;
 	type = (type_datum_t *) datum;
 	fp = (FILE *) data;
@@ -346,7 +340,7 @@ int display_types(policydb_t * p, FILE * fp)
 int display_users(policydb_t * p, FILE * fp)
 {
 -	int i, j;
 +	unsigned int i, j;
 	ebitmap_t *bitmap;
 	for (i = 0; i < p->p_users.nprim; i++) {
 		display_id(p, fp, SYM_USERS, i, "");
@@ -365,7 +359,7 @@ int display_users(policydb_t * p, FILE * fp)
 int display_bools(policydb_t * p, FILE * fp)
 {
 -	int i;
 +	unsigned int i;
 	for (i = 0; i < p->p_bools.nprim; i++) {
 		display_id(p, fp, SYM_BOOLS, i, "");
@@ -409,30 +403,11 @@ void display_expr(policydb_t * p, cond_expr_t * exp, FILE * fp)
 	}
 }
 -void display_policycon(policydb_t * p, FILE * fp)
 +void display_policycon(FILE * fp)
 {
 -#if 0
 -	int i;
 -	ocontext_t *cur;
 -	char *name;
 -
 -	for (i = 0; i < POLICYCON_NUM; i++) {
 -		fprintf(fp, "%s:", symbol_labels[i]);
 -		for (cur = p->policycon[i].head; cur != NULL; cur = cur->next) {
 -			if (*(cur->u.name) == '\0') {
 -				name = "{default}";
 -			} else {
 -				name = cur->u.name;
 -			}
 -			fprintf(fp, "\n%16s - %s:%s:%s", name,
 -				p->p_user_val_to_name[cur->context[0].user - 1],
 -				p->p_role_val_to_name[cur->context[0].role - 1],
 -				p->p_type_val_to_name[cur->context[0].type -
 -						      1]);
 -		}
 -		fprintf(fp, "\n");
 -	}
 -#endif
 +	/* There was an attempt to implement this at one time.  Look through
 +	 * git history to find it. */
 +	fprintf(fp, "Sorry, not implemented\n");
 }
 void display_initial_sids(policydb_t * p, FILE * fp)
@@ -462,7 +437,7 @@ void display_initial_sids(policydb_t * p, FILE * fp)
 void display_class_set(ebitmap_t *classes, policydb_t *p, FILE *fp)
 {
 -	int i, num = 0;
 +	unsigned int i, num = 0;
 	for (i = ebitmap_startbit(classes); i < ebitmap_length(classes); i++) {
 		if (!ebitmap_get_bit(classes, i))
@@ -518,7 +493,8 @@ static void display_filename_trans(filename_trans_rule_t * tr, policydb_t * p, F
 	}
 }
 -int role_display_callback(hashtab_key_t key, hashtab_datum_t datum, void *data)
 +int role_display_callback(hashtab_key_t key __attribute__((unused)),
 +			  hashtab_datum_t datum, void *data)
 {
 	role_datum_t *role;
 	FILE *fp;
@@ -538,9 +514,9 @@ int role_display_callback(hashtab_key_t key, hashtab_datum_t datum, void *data)
 static int display_scope_index(scope_index_t * indices, policydb_t * p,
 			       FILE * out_fp)
 {
 -	int i;
 +	unsigned int i;
 	for (i = 0; i < SYM_NUM; i++) {
 -		int any_found = 0, j;
 +		unsigned int any_found = 0, j;
 		fprintf(out_fp, "%s:", symbol_labels[i]);
 		for (j = ebitmap_startbit(&indices->scope[i]);
 		     j < ebitmap_length(&indices->scope[i]); j++) {
@@ -611,7 +587,7 @@ int change_bool(char *name, int state, policydb_t * p, FILE * fp)
 }
 #endif
 -int display_avdecl(avrule_decl_t * decl, int field, uint32_t what,
 +int display_avdecl(avrule_decl_t * decl, int field,
 		   policydb_t * policy, FILE * out_fp)
 {
 	fprintf(out_fp, "decl %u:%s\n", decl->decl_id,
@@ -629,7 +605,6 @@ int display_avdecl(avrule_decl_t * decl, int field, uint32_t what,
 				avrule = cond->avtrue_list;
 				while (avrule) {
 					display_avrule(avrule,
 -						       RENDER_UNCONDITIONAL,
 						       &policydb, out_fp);
 					avrule = avrule->next;
 				}
@@ -637,7 +612,6 @@ int display_avdecl(avrule_decl_t * decl, int field, uint32_t what,
 				avrule = cond->avfalse_list;
 				while (avrule) {
 					display_avrule(avrule,
 -						       RENDER_UNCONDITIONAL,
 						       &policydb, out_fp);
 					avrule = avrule->next;
 				}
@@ -651,10 +625,8 @@ int display_avdecl(avrule_decl_t * decl, int field, uint32_t what,
 				fprintf(out_fp, "  <empty>\n");
 			}
 			while (avrule != NULL) {
 -				if (display_avrule
 -				    (avrule, what, policy, out_fp)) {
 +				if (display_avrule(avrule, policy, out_fp))
 					return -1;
 -				}
 				avrule = avrule->next;
 			}
 			break;
@@ -696,7 +668,7 @@ int display_avdecl(avrule_decl_t * decl, int field, uint32_t what,
 	return 0;		/* should never get here */
 }
 -int display_avblock(int field, uint32_t what, policydb_t * policy,
 +int display_avblock(int field, policydb_t * policy,
 		    FILE * out_fp)
 {
 	avrule_block_t *block = policydb.global;
@@ -704,7 +676,7 @@ int display_avblock(int field, uint32_t what, policydb_t * policy,
 		fprintf(out_fp, "--- begin avrule block ---\n");
 		avrule_decl_t *decl = block->branch_list;
 		while (decl != NULL) {
 -			if (display_avdecl(decl, field, what, policy, out_fp)) {
 +			if (display_avdecl(decl, field, policy, out_fp)) {
 				return -1;
 			}
 			decl = decl->next;
@@ -820,7 +792,7 @@ static void display_policycaps(policydb_t * p, FILE * fp)
 	ebitmap_node_t *node;
 	const char *capname;
 	char buf[64];
 -	int i;
 +	unsigned int i;
 	fprintf(fp, "policy capabilities:\n");
 	ebitmap_for_each_bit(&p->policycaps, node, i) {
@@ -915,14 +887,12 @@ int main(int argc, char **argv)
 		case '1':
 			fprintf(out_fp, "unconditional avtab:\n");
 			display_avblock(DISPLAY_AVBLOCK_UNCOND_AVTAB,
 -					RENDER_UNCONDITIONAL, &policydb,
 -					out_fp);
 +					&policydb, out_fp);
 			break;
 		case '2':
 			fprintf(out_fp, "conditional avtab:\n");
 			display_avblock(DISPLAY_AVBLOCK_COND_AVTAB,
 -					RENDER_UNCONDITIONAL, &policydb,
 -					out_fp);
 +					&policydb, out_fp);
 			break;
 		case '3':
 			display_users(&policydb, out_fp);
@@ -944,28 +914,28 @@ int main(int argc, char **argv)
 			break;
 		case '7':
 			fprintf(out_fp, "role transitions:\n");
 -			display_avblock(DISPLAY_AVBLOCK_ROLE_TRANS, 0,
 +			display_avblock(DISPLAY_AVBLOCK_ROLE_TRANS,
 					&policydb, out_fp);
 			break;
 		case '8':
 			fprintf(out_fp, "role allows:\n");
 -			display_avblock(DISPLAY_AVBLOCK_ROLE_ALLOW, 0,
 +			display_avblock(DISPLAY_AVBLOCK_ROLE_ALLOW,
 					&policydb, out_fp);
 			break;
 		case '9':
 -			display_policycon(&policydb, out_fp);
 +			display_policycon(out_fp);
 			break;
 		case '0':
 			display_initial_sids(&policydb, out_fp);
 			break;
 		case 'a':
 			fprintf(out_fp, "avrule block requirements:\n");
 -			display_avblock(DISPLAY_AVBLOCK_REQUIRES, 0,
 +			display_avblock(DISPLAY_AVBLOCK_REQUIRES,
 					&policydb, out_fp);
 			break;
 		case 'b':
 			fprintf(out_fp, "avrule block declarations:\n");
 -			display_avblock(DISPLAY_AVBLOCK_DECLARES, 0,
 +			display_avblock(DISPLAY_AVBLOCK_DECLARES,
 					&policydb, out_fp);
 			break;
 		case 'c':
@@ -993,7 +963,7 @@ int main(int argc, char **argv)
 		case 'F':
 			fprintf(out_fp, "filename_trans rules:\n");
 			display_avblock(DISPLAY_AVBLOCK_FILENAME_TRANS,
 -					0, &policydb, out_fp);
 +					&policydb, out_fp);
 			break;
 		case 'l':
 			link_module(&policydb, out_fp);
 diff --git a/checkpolicy/test/dispol.c b/checkpolicy/test/dispol.c
 index 0e08965..f41acdc 100644
 --- a/checkpolicy/test/dispol.c
 +++ b/checkpolicy/test/dispol.c
@@ -157,7 +157,7 @@ int render_av_rule(avtab_key_t * key, avtab_datum_t * datum, uint32_t what,
 int display_avtab(avtab_t * a, uint32_t what, policydb_t * p, FILE * fp)
 {
 -	int i;
 +	unsigned int i;
 	avtab_ptr_t cur;
 	avtab_t expa;
@@ -184,7 +184,7 @@ int display_avtab(avtab_t * a, uint32_t what, policydb_t * p, FILE * fp)
 int display_bools(policydb_t * p, FILE * fp)
 {
 -	int i;
 +	unsigned int i;
 	for (i = 0; i < p->p_bools.nprim; i++) {
 		fprintf(fp, "%s : %d\n", p->p_bool_val_to_name[i],
@@ -304,7 +304,7 @@ static void display_policycaps(policydb_t * p, FILE * fp)
 	ebitmap_node_t *node;
 	const char *capname;
 	char buf[64];
 -	int i;
 +	unsigned int i;
 	fprintf(fp, "policy capabilities:\n");
 	ebitmap_for_each_bit(&p->policycaps, node, i) {
@@ -329,7 +329,7 @@ static void display_id(policydb_t *p, FILE *fp, uint32_t symbol_type,
 static void display_permissive(policydb_t *p, FILE *fp)
 {
 	ebitmap_node_t *node;
 -	int i;
 +	unsigned int i;
 	fprintf(fp, "permissive sids:\n");
 	ebitmap_for_each_bit(&p->permissive_map, node, i) {
--- a/checkpolicy.spec
+++ b/checkpolicy.spec
@ -1,15 +1,16 @@
 %define libselinuxver 2.1.6-4
 %define libsepolver 2.1.2-3
 Summary: SELinux policy compiler
 Name: checkpolicy
-Version: 2.1.5
+Version: 2.1.6
-Release: 2%{?dist}
+Release: 1%{?dist}
 License: GPLv2
 Group: Development/System
 Source: http://www.nsa.gov/selinux/archives/%{name}-%{version}.tgz
 Patch: checkpolicy-rhat.patch
 BuildRoot: %{_tmppath}/%{name}-buildroot
-BuildRequires: byacc bison flex flex-static libsepol-static >= %{libsepolver} libselinux-devel
+BuildRequires: byacc bison flex flex-static libsepol-static >= %{libsepolver} libselinux-devel  >= %{libselinuxver} 
 %description
 Security-enhanced Linux is a feature of the Linux® kernel and a number
@ -55,6 +56,11 @@ rm -rf ${RPM_BUILD_ROOT}
 %{_bindir}/sedispol
 %changelog
 * Fri Nov 4 2011 Dan Walsh <dwalsh@redhat.com> - 2.1.6-1
 - Upgrade to upstream
 	* Revert "checkpolicy: Redo filename/filesystem syntax to support filename trans rules"
 	* drop libsepol dynamic link in checkpolicy
 * Tue Sep 20 2011 Dan Walsh <dwalsh@redhat.com> - 2.1.5-2
 - Fix checkpolicy to ignore '"' in filename trans rules
--- a/2
+++ b/2
@ -1 +1 @@
-be5053328eac201b3856f160d2bd8d12  checkpolicy-2.1.5.tgz
+a1115f9c92777da7c8cafab08a81b779  checkpolicy-2.1.6.tgz
`@ -1 +1 @@`
	`be5053328eac201b3856f160d2bd8d12 checkpolicy-2.1.5.tgz`	`a1115f9c92777da7c8cafab08a81b779 checkpolicy-2.1.6.tgz`