rpms/checkpolicy
7
0
Fork 0
Code Issues Pull Requests Releases Activity

checkpolicy-2.6-1

Browse Source 
- Update to upstream release 2016-10-14
This commit is contained in:
Petr Lautrbach 2017-02-15 13:46:32 +01:00
parent 7671da68a5
commit 269e7db87e
4 changed files with 15 additions and 217 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored
View File

@ -94,3 +94,4 @@ checkpolicy-2.0.22.tgz
/checkpolicy-2.4.tar.gz /checkpolicy-2.4.tar.gz
/checkpolicy-2.5-rc1.tar.gz /checkpolicy-2.5-rc1.tar.gz
/checkpolicy-2.5.tar.gz /checkpolicy-2.5.tar.gz
/checkpolicy-2.6.tar.gz

207
checkpolicy-fedora.patch
View File

@ -1,207 +0,0 @@
diff --git checkpolicy-2.5/Android.mk checkpolicy-2.5/Android.mk
index 98f5168..3b7ff8a 100644
--- checkpolicy-2.5/Android.mk
+++ checkpolicy-2.5/Android.mk
@@ -12,10 +12,6 @@ common_cflags := \
-Wall -Wshadow -O2 \
-pipe -fno-strict-aliasing \
-ifeq ($(HOST_OS),darwin)
-common_cflags += -DDARWIN
-endif
-
common_includes := \
$(LOCAL_PATH)/ \
$(LOCAL_PATH)/../libsepol/include/ \
diff --git checkpolicy-2.5/ChangeLog checkpolicy-2.5/ChangeLog
index dfe4908..0e13227 100644
--- checkpolicy-2.5/ChangeLog
+++ checkpolicy-2.5/ChangeLog
@@ -1,3 +1,12 @@
+ * Add types associated to a role in the current scope when parsing, from Nicolas Iooss.
+ * Extend checkpolicy pathname matching, from Stephen Smalley.
+ * Fix typos in test/dispol, from Petr Lautrbach.
+ * Set flex as default lexer, from Julien Pivotto.
+ * Fix checkmodule output message, from Petr Lautrbach.
+ * Build policy on systems not supporting DCCP protocol, from Richard Haines.
+ * Fail if module name different than output base filename, from James Carter
+ * Add support for portcon dccp protocol, from Richard Haines
+
2.5 2016-02-23
* Add neverallow support for ioctl extended permissions, from Jeff Vander Stoep.
* fix double free on name-based type transitions, from Stephen Smalley.
diff --git checkpolicy-2.5/Makefile checkpolicy-2.5/Makefile
index e5fae3d..53a3074 100644
--- checkpolicy-2.5/Makefile
+++ checkpolicy-2.5/Makefile
@@ -8,6 +8,7 @@ LIBDIR ?= $(PREFIX)/lib
INCLUDEDIR ?= $(PREFIX)/include
TARGETS = checkpolicy checkmodule
+LEX = flex
YACC = bison -y
CFLAGS ?= -g -Wall -Werror -Wshadow -O2 -pipe -fno-strict-aliasing
diff --git checkpolicy-2.5/checkmodule.c checkpolicy-2.5/checkmodule.c
index 5957d29..53cc5a0 100644
--- checkpolicy-2.5/checkmodule.c
+++ checkpolicy-2.5/checkmodule.c
@@ -19,6 +19,7 @@
#include <stdio.h>
#include <errno.h>
#include <sys/mman.h>
+#include <libgen.h>
#include <sepol/module_to_cil.h>
#include <sepol/policydb/policydb.h>
@@ -258,6 +259,25 @@ int main(int argc, char **argv)
}
}
+ if (policy_type != POLICY_BASE && outfile) {
+ char *mod_name = modpolicydb.name;
+ char *out_path = strdup(outfile);
+ if (out_path == NULL) {
+ fprintf(stderr, "%s: out of memory\n", argv[0]);
+ exit(1);
+ }
+ char *out_name = basename(out_path);
+ char *separator = strrchr(out_name, '.');
+ if (separator) {
+ *separator = '\0';
+ }
+ if (strcmp(mod_name, out_name) != 0) {
+ fprintf(stderr, "%s: Module name %s is different than the output base filename %s\n", argv[0], mod_name, out_name);
+ exit(1);
+ }
+ free(out_path);
+ }
+
if (modpolicydb.policy_type == POLICY_BASE && !cil) {
/* Verify that we can successfully expand the base module. */
policydb_t kernpolicydb;
@@ -294,7 +314,7 @@ int main(int argc, char **argv)
if (!cil) {
printf("%s: writing binary representation (version %d) to %s\n",
- argv[0], policyvers, file);
+ argv[0], policyvers, outfile);
if (write_binary_policy(&modpolicydb, outfp) != 0) {
fprintf(stderr, "%s: error writing %s\n", argv[0], outfile);
diff --git checkpolicy-2.5/checkpolicy.c checkpolicy-2.5/checkpolicy.c
index 9da661e..2d68316 100644
--- checkpolicy-2.5/checkpolicy.c
+++ checkpolicy-2.5/checkpolicy.c
@@ -64,13 +64,16 @@
#include <sys/stat.h>
#include <sys/socket.h>
#include <netinet/in.h>
+#ifndef IPPROTO_DCCP
+#define IPPROTO_DCCP 33
+#endif
#include <arpa/inet.h>
#include <fcntl.h>
#include <stdio.h>
#include <errno.h>
#include <sys/mman.h>
-#ifdef DARWIN
+#ifdef __APPLE__
#include <ctype.h>
#endif
@@ -919,6 +922,8 @@ int main(int argc, char **argv)
protocol = IPPROTO_TCP;
else if (!strcmp(ans, "udp") || !strcmp(ans, "UDP"))
protocol = IPPROTO_UDP;
+ else if (!strcmp(ans, "dccp") || !strcmp(ans, "DCCP"))
+ protocol = IPPROTO_DCCP;
else {
printf("unknown protocol\n");
break;
diff --git checkpolicy-2.5/policy_define.c checkpolicy-2.5/policy_define.c
index ee20fea..128869c 100644
--- checkpolicy-2.5/policy_define.c
+++ checkpolicy-2.5/policy_define.c
@@ -36,6 +36,9 @@
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
+#ifndef IPPROTO_DCCP
+#define IPPROTO_DCCP 33
+#endif
#include <arpa/inet.h>
#include <stdlib.h>
#include <limits.h>
@@ -2611,6 +2614,7 @@ int define_role_types(void)
free(id);
return -1;
}
+ role = get_local_role(id, role->s.value, (role->flavor == ROLE_ATTRIB));
while ((id = queue_remove(id_queue))) {
if (set_types(&role->types, id, &add, 0))
@@ -4876,6 +4880,8 @@ int define_port_context(unsigned int low, unsigned int high)
protocol = IPPROTO_TCP;
} else if ((strcmp(id, "udp") == 0) || (strcmp(id, "UDP") == 0)) {
protocol = IPPROTO_UDP;
+ } else if ((strcmp(id, "dccp") == 0) || (strcmp(id, "DCCP") == 0)) {
+ protocol = IPPROTO_DCCP;
} else {
yyerror2("unrecognized protocol %s", id);
free(newc);
@@ -5135,7 +5141,7 @@ int define_ipv6_node_context(void)
memset(newc, 0, sizeof(ocontext_t));
-#ifdef DARWIN
+#ifdef __APPLE__
memcpy(&newc->u.node6.addr[0], &addr.s6_addr[0], 16);
memcpy(&newc->u.node6.mask[0], &mask.s6_addr[0], 16);
#else
diff --git checkpolicy-2.5/policy_scan.l checkpolicy-2.5/policy_scan.l
index 22da338..2f7f221 100644
--- checkpolicy-2.5/policy_scan.l
+++ checkpolicy-2.5/policy_scan.l
@@ -249,9 +249,9 @@ high |
HIGH { return(HIGH); }
low |
LOW { return(LOW); }
-"/"({alnum}|[_\.\-/])* { return(PATH); }
-\""/"[ !#-~]*\" { return(QPATH); }
-\"({alnum}|[_\.\-\+\~\: ])+\" { return(FILENAME); }
+"/"[^ \n\r\t\f]* { return(PATH); }
+\""/"[^\"\n]*\" { return(QPATH); }
+\"[^"/"\"\n]+\" { return(FILENAME); }
{letter}({alnum}|[_\-])*([\.]?({alnum}|[_\-]))* { return(IDENTIFIER); }
{digit}+|0x{hexval}+ { return(NUMBER); }
{alnum}*{letter}{alnum}* { return(FILESYSTEM); }
diff --git checkpolicy-2.5/test/dispol.c checkpolicy-2.5/test/dispol.c
index 86f5688..a78ce81 100644
--- checkpolicy-2.5/test/dispol.c
+++ checkpolicy-2.5/test/dispol.c
@@ -252,11 +252,11 @@ int display_cond_expressions(policydb_t * p, FILE * fp)
int display_handle_unknown(policydb_t * p, FILE * out_fp)
{
if (p->handle_unknown == ALLOW_UNKNOWN)
- fprintf(out_fp, "Allow unknown classes and permisions\n");
+ fprintf(out_fp, "Allow unknown classes and permissions\n");
else if (p->handle_unknown == DENY_UNKNOWN)
- fprintf(out_fp, "Deny unknown classes and permisions\n");
+ fprintf(out_fp, "Deny unknown classes and permissions\n");
else if (p->handle_unknown == REJECT_UNKNOWN)
- fprintf(out_fp, "Reject unknown classes and permisions\n");
+ fprintf(out_fp, "Reject unknown classes and permissions\n");
return 0;
}
@@ -349,7 +349,7 @@ int menu(void)
printf("\nSelect a command:\n");
printf("1) display unconditional AVTAB\n");
printf("2) display conditional AVTAB (entirely)\n");
- printf("3) display conditional AVTAG (only ENABLED rules)\n");
+ printf("3) display conditional AVTAB (only ENABLED rules)\n");
printf("4) display conditional AVTAB (only DISABLED rules)\n");
printf("5) display conditional bools\n");
printf("6) display conditional expressions\n");

22
checkpolicy.spec
View File

@ -1,17 +1,18 @@
%define libselinuxver 2.5-12 %define libselinuxver 2.6-0
%define libsepolver 2.5-10 %define libsepolver 2.6-0
Summary: SELinux policy compiler Summary: SELinux policy compiler
Name: checkpolicy Name: checkpolicy
Version: 2.5 Version: 2.6
Release: 9%{?dist} Release: 1%{?dist}
License: GPLv2 License: GPLv2
Group: Development/System Group: Development/System
Source: https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20160223/checkpolicy-2.5.tar.gz Source: https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20161014/checkpolicy-2.6.tar.gz
# download https://raw.githubusercontent.com/fedora-selinux/scripts/master/selinux/make-fedora-selinux-patch.sh # download https://raw.githubusercontent.com/fedora-selinux/scripts/master/selinux/make-fedora-selinux-patch.sh
# run: # run:
# $ VERSION=2.5 ./make-fedora-selinux-patch.sh checkpolicy # $ VERSION=2.6 ./make-fedora-selinux-patch.sh checkpolicy
# HEAD https://github.com/fedora-selinux/selinux/commit/caefad506ca46db441952ab64ebfc6202897516b # FIXME: HEAD https://github.com/fedora-selinux/selinux/commit/caefad506ca46db441952ab64ebfc6202897516b
Patch1: checkpolicy-fedora.patch # Patch1: checkpolicy-fedora.patch
Conflicts: selinux-policy-base < 3.13.1-138 Conflicts: selinux-policy-base < 3.13.1-138
BuildRoot: %{_tmppath}/%{name}-buildroot BuildRoot: %{_tmppath}/%{name}-buildroot
BuildRequires: byacc bison flex flex-static libsepol-static >= %{libsepolver} libselinux-devel >= %{libselinuxver} BuildRequires: byacc bison flex flex-static libsepol-static >= %{libsepolver} libselinux-devel >= %{libselinuxver}
@ -31,7 +32,7 @@ This package contains checkpolicy, the SELinux policy compiler.
Only required for building policies. Only required for building policies.
%prep %prep
%autosetup -p 1 -n checkpolicy-2.5 %autosetup -p 1 -n checkpolicy-%{version}
%build %build
make clean make clean
@ -61,6 +62,9 @@ rm -rf ${RPM_BUILD_ROOT}
%{_bindir}/sedispol %{_bindir}/sedispol
%changelog %changelog
* Wed Feb 15 2017 Petr Lautrbach <plautrba@redhat.com> - 2.6-1
- Update to upstream release 2016-10-14
* Fri Feb 10 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2.5-9 * Fri Feb 10 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2.5-9
- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild - Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild

2
sources
View File

@ -1 +1 @@
a8099a2a36de32327abf681159027c58 checkpolicy-2.5.tar.gz SHA512 (checkpolicy-2.6.tar.gz) = 1d8361a5735410909be7fe5a54740e0e1b6339d0fbad9965f3ae2902e7eaaec7531fec1dd73bb57b28ad933773778ab50b97db3d92aacf5fac3b63d1ed364b46