From 1ef68435f0dd8e0f7b133400751eabca89c652f9 Mon Sep 17 00:00:00 2001 From: Dan Walsh Date: Tue, 3 Apr 2012 18:51:45 -0400 Subject: [PATCH] Allow checkpolicy to use + in a file name --- checkpolicy-rhat.patch | 235 ++--------------------------------------- checkpolicy.spec | 7 +- 2 files changed, 14 insertions(+), 228 deletions(-) diff --git a/checkpolicy-rhat.patch b/checkpolicy-rhat.patch index 196f0cb..87748ca 100644 --- a/checkpolicy-rhat.patch +++ b/checkpolicy-rhat.patch @@ -1,232 +1,13 @@ -diff --git a/checkpolicy/checkmodule.8 b/checkpolicy/checkmodule.8 -index 473f642..40f73c5 100644 ---- a/checkpolicy/checkmodule.8 -+++ b/checkpolicy/checkmodule.8 -@@ -53,7 +53,7 @@ $ checkmodule -M -m httpd.te -o httpd.mod - - .SH "SEE ALSO" - .B semodule(8), semodule_package(8) --SELinux documentation at http://www.nsa.gov/selinux, -+SELinux documentation at http://www.nsa.gov/research/selinux, - especially "Configuring the SELinux Policy". - - -diff --git a/checkpolicy/checkpolicy.8 b/checkpolicy/checkpolicy.8 -index f79239e..6826938 100644 ---- a/checkpolicy/checkpolicy.8 -+++ b/checkpolicy/checkpolicy.8 -@@ -46,7 +46,7 @@ Show version information. - Show usage information. - - .SH "SEE ALSO" --SELinux documentation at http://www.nsa.gov/selinux, -+SELinux documentation at http://www.nsa.gov/research/selinux, - especially "Configuring the SELinux Policy". - - -diff --git a/checkpolicy/policy_define.c b/checkpolicy/policy_define.c -index d19fc61..a86c6b3 100644 ---- a/checkpolicy/policy_define.c -+++ b/checkpolicy/policy_define.c -@@ -351,6 +351,102 @@ static int read_classes(ebitmap_t *e_classes) - return 0; - } - -+int define_default_user(int which) -+{ -+ char *id; -+ class_datum_t *cladatum; -+ -+ if (pass == 1) { -+ while ((id = queue_remove(id_queue))) -+ free(id); -+ return 0; -+ } -+ -+ while ((id = queue_remove(id_queue))) { -+ if (!is_id_in_scope(SYM_CLASSES, id)) { -+ yyerror2("class %s is not within scope", id); -+ return -1; -+ } -+ cladatum = hashtab_search(policydbp->p_classes.table, id); -+ if (!cladatum) { -+ yyerror2("unknown class %s", id); -+ return -1; -+ } -+ if (cladatum->default_user && cladatum->default_user != which) { -+ yyerror2("conflicting default user information for class %s", id); -+ return -1; -+ } -+ cladatum->default_user = which; -+ free(id); -+ } -+ -+ return 0; -+} -+ -+int define_default_role(int which) -+{ -+ char *id; -+ class_datum_t *cladatum; -+ -+ if (pass == 1) { -+ while ((id = queue_remove(id_queue))) -+ free(id); -+ return 0; -+ } -+ -+ while ((id = queue_remove(id_queue))) { -+ if (!is_id_in_scope(SYM_CLASSES, id)) { -+ yyerror2("class %s is not within scope", id); -+ return -1; -+ } -+ cladatum = hashtab_search(policydbp->p_classes.table, id); -+ if (!cladatum) { -+ yyerror2("unknown class %s", id); -+ return -1; -+ } -+ if (cladatum->default_role && cladatum->default_role != which) { -+ yyerror2("conflicting default role information for class %s", id); -+ return -1; -+ } -+ cladatum->default_role = which; -+ free(id); -+ } -+ -+ return 0; -+} -+ -+int define_default_range(int which) -+{ -+ char *id; -+ class_datum_t *cladatum; -+ -+ if (pass == 1) { -+ while ((id = queue_remove(id_queue))) -+ free(id); -+ return 0; -+ } -+ -+ while ((id = queue_remove(id_queue))) { -+ if (!is_id_in_scope(SYM_CLASSES, id)) { -+ yyerror2("class %s is not within scope", id); -+ return -1; -+ } -+ cladatum = hashtab_search(policydbp->p_classes.table, id); -+ if (!cladatum) { -+ yyerror2("unknown class %s", id); -+ return -1; -+ } -+ if (cladatum->default_range && cladatum->default_range != which) { -+ yyerror2("conflicting default range information for class %s", id); -+ return -1; -+ } -+ cladatum->default_range = which; -+ free(id); -+ } -+ -+ return 0; -+} -+ - int define_common_perms(void) - { - char *id = 0, *perm = 0; -diff --git a/checkpolicy/policy_define.h b/checkpolicy/policy_define.h -index 92a9be7..ccbe56f 100644 ---- a/checkpolicy/policy_define.h -+++ b/checkpolicy/policy_define.h -@@ -24,6 +24,9 @@ int define_av_perms(int inherits); - int define_bool_tunable(int is_tunable); - int define_category(void); - int define_class(void); -+int define_default_user(int which); -+int define_default_role(int which); -+int define_default_range(int which); - int define_common_perms(void); - int define_compute_type(int which); - int define_conditional(cond_expr_t *expr, avrule_t *t_list, avrule_t *f_list ); -diff --git a/checkpolicy/policy_parse.y b/checkpolicy/policy_parse.y -index d808111..d92cc32 100644 ---- a/checkpolicy/policy_parse.y -+++ b/checkpolicy/policy_parse.y -@@ -143,6 +143,8 @@ typedef int (* require_func_t)(); - %token POLICYCAP - %token PERMISSIVE - %token FILESYSTEM -+%token DEFAULT_USER DEFAULT_ROLE DEFAULT_RANGE -+%token LOW_HIGH LOW HIGH - - %left OR - %left XOR -@@ -157,7 +159,7 @@ base_policy : { if (define_policy(pass, 0) == -1) return -1; } - classes initial_sids access_vectors - { if (pass == 1) { if (policydb_index_classes(policydbp)) return -1; } - else if (pass == 2) { if (policydb_index_others(NULL, policydbp, 0)) return -1; }} -- opt_mls te_rbac users opt_constraints -+ opt_default_rules opt_mls te_rbac users opt_constraints - { if (pass == 1) { if (policydb_index_bools(policydbp)) return -1;} - else if (pass == 2) { if (policydb_index_others(NULL, policydbp, 0)) return -1;}} - initial_sid_contexts opt_fs_contexts opt_fs_uses opt_genfs_contexts net_contexts opt_dev_contexts -@@ -195,6 +197,39 @@ av_perms_def : CLASS identifier '{' identifier_list '}' - | CLASS identifier INHERITS identifier '{' identifier_list '}' - {if (define_av_perms(TRUE)) return -1;} - ; -+opt_default_rules : default_rules -+ | -+ ; -+default_rules : default_user_def -+ | default_role_def -+ | default_range_def -+ | default_rules default_user_def -+ | default_rules default_role_def -+ | default_rules default_range_def -+ ; -+default_user_def : DEFAULT_USER names SOURCE ';' -+ {if (define_default_user(DEFAULT_SOURCE)) return -1; } -+ | DEFAULT_USER names TARGET ';' -+ {if (define_default_user(DEFAULT_TARGET)) return -1; } -+ ; -+default_role_def : DEFAULT_ROLE names SOURCE ';' -+ {if (define_default_role(DEFAULT_SOURCE)) return -1; } -+ | DEFAULT_ROLE names TARGET ';' -+ {if (define_default_role(DEFAULT_TARGET)) return -1; } -+ ; -+default_range_def : DEFAULT_RANGE names SOURCE LOW ';' -+ {if (define_default_range(DEFAULT_SOURCE_LOW)) return -1; } -+ | DEFAULT_RANGE names SOURCE HIGH ';' -+ {if (define_default_range(DEFAULT_SOURCE_HIGH)) return -1; } -+ | DEFAULT_RANGE names SOURCE LOW_HIGH ';' -+ {if (define_default_range(DEFAULT_SOURCE_LOW_HIGH)) return -1; } -+ | DEFAULT_RANGE names TARGET LOW ';' -+ {if (define_default_range(DEFAULT_TARGET_LOW)) return -1; } -+ | DEFAULT_RANGE names TARGET HIGH ';' -+ {if (define_default_range(DEFAULT_TARGET_HIGH)) return -1; } -+ | DEFAULT_RANGE names TARGET LOW_HIGH ';' -+ {if (define_default_range(DEFAULT_TARGET_LOW_HIGH)) return -1; } -+ ; - opt_mls : mls - | - ; diff --git a/checkpolicy/policy_scan.l b/checkpolicy/policy_scan.l -index 9b24db5..e767b5f 100644 +index e767b5f..143e797 100644 --- a/checkpolicy/policy_scan.l +++ b/checkpolicy/policy_scan.l -@@ -221,6 +221,18 @@ policycap | - POLICYCAP { return(POLICYCAP); } - permissive | - PERMISSIVE { return(PERMISSIVE); } -+default_user | -+DEFAULT_USER { return(DEFAULT_USER); } -+default_role | -+DEFAULT_ROLE { return(DEFAULT_ROLE); } -+default_range | -+DEFAULT_RANGE { return(DEFAULT_RANGE); } -+low-high | -+LOW-HIGH { return(LOW_HIGH); } -+high | -+HIGH { return(HIGH); } -+low | -+LOW { return(LOW); } +@@ -234,7 +234,7 @@ HIGH { return(HIGH); } + low | + LOW { return(LOW); } "/"({alnum}|[_\.\-/])* { return(PATH); } - \"({alnum}|[_\.\-\~])+\" { return(FILENAME); } +-\"({alnum}|[_\.\-\~])+\" { return(FILENAME); } ++\"({alnum}|[_\.\-\+\~])+\" { return(FILENAME); } {letter}({alnum}|[_\-])*([\.]?({alnum}|[_\-]))* { return(IDENTIFIER); } + {alnum}*{letter}{alnum}* { return(FILESYSTEM); } + {digit}+|0x{hexval}+ { return(NUMBER); } diff --git a/checkpolicy.spec b/checkpolicy.spec index d80d83b..c164791 100644 --- a/checkpolicy.spec +++ b/checkpolicy.spec @@ -3,10 +3,11 @@ Summary: SELinux policy compiler Name: checkpolicy Version: 2.1.9 -Release: 1%{?dist} +Release: 2%{?dist} License: GPLv2 Group: Development/System Source: http://www.nsa.gov/selinux/archives/%{name}-%{version}.tgz +Patch: checkpolicy-rhat.patch BuildRoot: %{_tmppath}/%{name}-buildroot BuildRequires: byacc bison flex flex-static libsepol-static >= %{libsepolver} libselinux-devel >= %{libselinuxver} @@ -27,6 +28,7 @@ Only required for building policies. %prep %setup -q +%patch -p2 -b .rhat %build make clean @@ -54,6 +56,9 @@ rm -rf ${RPM_BUILD_ROOT} %{_bindir}/sedispol %changelog +* Tue Apr 3 2012 Dan Walsh - 2.1.9-2 +- Allow checkpolicy to use + in a file name + * Thu Mar 29 2012 Dan Walsh - 2.1.9-1 - Update to upstream * implement new default labeling behaviors for usr, role, range