checkpolicy-2.5-3

- Build policy on systems not supporting DCCP protocol
- Fail if module name different than output base filename
This commit is contained in:
Petr Lautrbach 2016-04-29 19:08:43 +02:00
parent 65b44362fe
commit 43d653f220
2 changed files with 73 additions and 9 deletions

View File

@ -1,17 +1,67 @@
diff --git checkpolicy-2.5/ChangeLog checkpolicy-2.5/ChangeLog diff --git checkpolicy-2.5/ChangeLog checkpolicy-2.5/ChangeLog
index dfe4908..51b99cd 100644 index dfe4908..eae775f 100644
--- checkpolicy-2.5/ChangeLog --- checkpolicy-2.5/ChangeLog
+++ checkpolicy-2.5/ChangeLog +++ checkpolicy-2.5/ChangeLog
@@ -1,3 +1,4 @@ @@ -1,3 +1,6 @@
+ * Build policy on systems not supporting DCCP protocol, from Richard Haines.
+ * Fail if module name different than output base filename, from James Carter
+ * Add support for portcon dccp protocol, from Richard Haines + * Add support for portcon dccp protocol, from Richard Haines
2.5 2016-02-23 2.5 2016-02-23
* Add neverallow support for ioctl extended permissions, from Jeff Vander Stoep. * Add neverallow support for ioctl extended permissions, from Jeff Vander Stoep.
* fix double free on name-based type transitions, from Stephen Smalley. * fix double free on name-based type transitions, from Stephen Smalley.
diff --git checkpolicy-2.5/checkmodule.c checkpolicy-2.5/checkmodule.c
index 5957d29..418f77b 100644
--- checkpolicy-2.5/checkmodule.c
+++ checkpolicy-2.5/checkmodule.c
@@ -19,6 +19,7 @@
#include <stdio.h>
#include <errno.h>
#include <sys/mman.h>
+#include <libgen.h>
#include <sepol/module_to_cil.h>
#include <sepol/policydb/policydb.h>
@@ -258,6 +259,25 @@ int main(int argc, char **argv)
}
}
+ if (policy_type != POLICY_BASE && outfile) {
+ char *mod_name = modpolicydb.name;
+ char *out_path = strdup(outfile);
+ if (out_path == NULL) {
+ fprintf(stderr, "%s: out of memory\n", argv[0]);
+ exit(1);
+ }
+ char *out_name = basename(out_path);
+ char *separator = strrchr(out_name, '.');
+ if (separator) {
+ *separator = '\0';
+ }
+ if (strcmp(mod_name, out_name) != 0) {
+ fprintf(stderr, "%s: Module name %s is different than the output base filename %s\n", argv[0], mod_name, out_name);
+ exit(1);
+ }
+ free(out_path);
+ }
+
if (modpolicydb.policy_type == POLICY_BASE && !cil) {
/* Verify that we can successfully expand the base module. */
policydb_t kernpolicydb;
diff --git checkpolicy-2.5/checkpolicy.c checkpolicy-2.5/checkpolicy.c diff --git checkpolicy-2.5/checkpolicy.c checkpolicy-2.5/checkpolicy.c
index 9da661e..ea9ee00 100644 index 9da661e..7947c20 100644
--- checkpolicy-2.5/checkpolicy.c --- checkpolicy-2.5/checkpolicy.c
+++ checkpolicy-2.5/checkpolicy.c +++ checkpolicy-2.5/checkpolicy.c
@@ -919,6 +919,8 @@ int main(int argc, char **argv) @@ -64,6 +64,9 @@
#include <sys/stat.h>
#include <sys/socket.h>
#include <netinet/in.h>
+#ifndef IPPROTO_DCCP
+#define IPPROTO_DCCP 33
+#endif
#include <arpa/inet.h>
#include <fcntl.h>
#include <stdio.h>
@@ -919,6 +922,8 @@ int main(int argc, char **argv)
protocol = IPPROTO_TCP; protocol = IPPROTO_TCP;
else if (!strcmp(ans, "udp") || !strcmp(ans, "UDP")) else if (!strcmp(ans, "udp") || !strcmp(ans, "UDP"))
protocol = IPPROTO_UDP; protocol = IPPROTO_UDP;
@ -21,10 +71,20 @@ index 9da661e..ea9ee00 100644
printf("unknown protocol\n"); printf("unknown protocol\n");
break; break;
diff --git checkpolicy-2.5/policy_define.c checkpolicy-2.5/policy_define.c diff --git checkpolicy-2.5/policy_define.c checkpolicy-2.5/policy_define.c
index ee20fea..7a4d2f1 100644 index ee20fea..2068b71 100644
--- checkpolicy-2.5/policy_define.c --- checkpolicy-2.5/policy_define.c
+++ checkpolicy-2.5/policy_define.c +++ checkpolicy-2.5/policy_define.c
@@ -4876,6 +4876,8 @@ int define_port_context(unsigned int low, unsigned int high) @@ -36,6 +36,9 @@
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
+#ifndef IPPROTO_DCCP
+#define IPPROTO_DCCP 33
+#endif
#include <arpa/inet.h>
#include <stdlib.h>
#include <limits.h>
@@ -4876,6 +4879,8 @@ int define_port_context(unsigned int low, unsigned int high)
protocol = IPPROTO_TCP; protocol = IPPROTO_TCP;
} else if ((strcmp(id, "udp") == 0) || (strcmp(id, "UDP") == 0)) { } else if ((strcmp(id, "udp") == 0) || (strcmp(id, "UDP") == 0)) {
protocol = IPPROTO_UDP; protocol = IPPROTO_UDP;

View File

@ -3,14 +3,14 @@
Summary: SELinux policy compiler Summary: SELinux policy compiler
Name: checkpolicy Name: checkpolicy
Version: 2.5 Version: 2.5
Release: 2%{?dist} Release: 3%{?dist}
License: GPLv2 License: GPLv2
Group: Development/System Group: Development/System
Source: https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20160223/checkpolicy-2.5.tar.gz Source: https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20160223/checkpolicy-2.5.tar.gz
# download https://raw.githubusercontent.com/fedora-selinux/scripts/master/selinux/make-fedora-selinux-patch.sh # download https://raw.githubusercontent.com/fedora-selinux/scripts/master/selinux/make-fedora-selinux-patch.sh
# run: # run:
# $ VERSION=2.5 ./make-fedora-selinux-patch.sh checkpolicy # $ VERSION=2.5 ./make-fedora-selinux-patch.sh checkpolicy
# HEAD https://github.com/fedora-selinux/selinux/commit/4bfb84c7ff7b33cf06b9a6b2317d24054b9db562 # HEAD https://github.com/fedora-selinux/selinux/commit/f900ff37022119de47d516f103ccfd339d52c861
Patch1: checkpolicy-fedora.patch Patch1: checkpolicy-fedora.patch
Conflicts: selinux-policy-base < 3.13.1-138 Conflicts: selinux-policy-base < 3.13.1-138
BuildRoot: %{_tmppath}/%{name}-buildroot BuildRoot: %{_tmppath}/%{name}-buildroot
@ -31,7 +31,7 @@ This package contains checkpolicy, the SELinux policy compiler.
Only required for building policies. Only required for building policies.
%prep %prep
%setup -q -n checkpolicy-2.5 %autosetup -p 1 -n checkpolicy-2.5
%build %build
make clean make clean
@ -61,6 +61,10 @@ rm -rf ${RPM_BUILD_ROOT}
%{_bindir}/sedispol %{_bindir}/sedispol
%changelog %changelog
* Fri Apr 29 2016 Petr Lautrbach <plautrba@redhat.com> - 2.5-3
- Build policy on systems not supporting DCCP protocol
- Fail if module name different than output base filename
* Fri Apr 08 2016 Petr Lautrbach <plautrba@redhat.com> - 2.5-2 * Fri Apr 08 2016 Petr Lautrbach <plautrba@redhat.com> - 2.5-2
- Add support for portcon dccp protocol - Add support for portcon dccp protocol