Latest patches

Dan Walsh 2011-04-12 13:12:30 -04:00
parent 9d5bc6c8bd
commit 66140a0889
4 changed files with 250 additions and 223 deletions

1
.gitignore vendored

@ -75,3 +75,4 @@ checkpolicy-2.0.20.tgz
checkpolicy-2.0.21.tgz
checkpolicy-2.0.22.tgz
/checkpolicy-2.0.23.tgz
/checkpolicy-2.0.24.tgz


@ -1,174 +1,8 @@
diff --exclude-from=exclude -N -u -r nsacheckpolicy/policy_parse.y checkpolicy-2.0.22/policy_parse.y
--- nsacheckpolicy/policy_parse.y 2010-05-19 14:45:51.000000000 -0400
+++ checkpolicy-2.0.22/policy_parse.y 2010-06-16 08:08:37.000000000 -0400
@@ -755,6 +755,8 @@
;
version_identifier : VERSION_IDENTIFIER
{ if (insert_id(yytext,0)) return -1; }
+ | number
+ { if (insert_id(yytext,0)) return -1; }
| ipv4_addr_def /* version can look like ipv4 address */
;
avrules_block : avrule_decls avrule_user_defs
We just use random numbers to make menu selections. Use #defines and
names that make some sense instead.
Signed-off-by: Eric Paris <eparis@redhat.com>
---
diff -up checkpolicy-2.0.23/test/dismod.c.eparis1 checkpolicy-2.0.23/test/dismod.c
--- checkpolicy-2.0.23/test/dismod.c.eparis1 2010-12-21 16:35:45.000000000 -0500
+++ checkpolicy-2.0.23/test/dismod.c 2011-03-23 13:58:31.561072307 -0400
@@ -45,6 +45,14 @@
#define le32_to_cpu(x) bswap_32(x)
#endif
+#define DISPLAY_AVBLOCK_COND_AVTAB 0
+#define DISPLAY_AVBLOCK_UNCOND_AVTAB 1
+#define DISPLAY_AVBLOCK_ROLE_TYPE_NODE 2 /* unused? */
+#define DISPLAY_AVBLOCK_ROLE_TRANS 3
+#define DISPLAY_AVBLOCK_ROLE_ALLOW 4
+#define DISPLAY_AVBLOCK_REQUIRES 5
+#define DISPLAY_AVBLOCK_DECLARES 6
+
static policydb_t policydb;
extern unsigned int ss_initialized;
@@ -571,7 +579,7 @@ int display_avdecl(avrule_decl_t * decl,
fprintf(out_fp, "decl %u:%s\n", decl->decl_id,
(decl->enabled ? " [enabled]" : ""));
switch (field) {
- case 0:{
+ case DISPLAY_AVBLOCK_COND_AVTAB:{
cond_list_t *cond = decl->cond_list;
avrule_t *avrule;
while (cond) {
@@ -599,7 +607,7 @@ int display_avdecl(avrule_decl_t * decl,
}
break;
}
- case 1:{
+ case DISPLAY_AVBLOCK_UNCOND_AVTAB:{
avrule_t *avrule = decl->avrules;
if (avrule == NULL) {
fprintf(out_fp, " <empty>\n");
@@ -613,26 +621,26 @@ int display_avdecl(avrule_decl_t * decl,
}
break;
}
- case 2:{ /* role_type_node */
+ case DISPLAY_AVBLOCK_ROLE_TYPE_NODE:{ /* role_type_node */
break;
}
- case 3:{
+ case DISPLAY_AVBLOCK_ROLE_TRANS:{
display_role_trans(decl->role_tr_rules, policy, out_fp);
break;
}
- case 4:{
+ case DISPLAY_AVBLOCK_ROLE_ALLOW:{
display_role_allow(decl->role_allow_rules, policy,
out_fp);
break;
}
- case 5:{
+ case DISPLAY_AVBLOCK_REQUIRES:{
if (display_scope_index
(&decl->required, policy, out_fp)) {
return -1;
}
break;
}
- case 6:{
+ case DISPLAY_AVBLOCK_DECLARES:{
if (display_scope_index
(&decl->declared, policy, out_fp)) {
return -1;
@@ -861,15 +869,16 @@ int main(int argc, char **argv)
fgets(ans, sizeof(ans), stdin);
switch (ans[0]) {
- case '1':{
- fprintf(out_fp, "unconditional avtab:\n");
- display_avblock(1, RENDER_UNCONDITIONAL,
- &policydb, out_fp);
- break;
- }
+ case '1':
+ fprintf(out_fp, "unconditional avtab:\n");
+ display_avblock(DISPLAY_AVBLOCK_UNCOND_AVTAB,
+ RENDER_UNCONDITIONAL, &policydb,
+ out_fp);
+ break;
case '2':
fprintf(out_fp, "conditional avtab:\n");
- display_avblock(0, RENDER_UNCONDITIONAL, &policydb,
+ display_avblock(DISPLAY_AVBLOCK_COND_AVTAB,
+ RENDER_UNCONDITIONAL, &policydb,
out_fp);
break;
case '3':
@@ -892,11 +901,13 @@ int main(int argc, char **argv)
break;
case '7':
fprintf(out_fp, "role transitions:\n");
- display_avblock(3, 0, &policydb, out_fp);
+ display_avblock(DISPLAY_AVBLOCK_ROLE_TRANS, 0,
+ &policydb, out_fp);
break;
case '8':
fprintf(out_fp, "role allows:\n");
- display_avblock(4, 0, &policydb, out_fp);
+ display_avblock(DISPLAY_AVBLOCK_ROLE_ALLOW, 0,
+ &policydb, out_fp);
break;
case '9':
display_policycon(&policydb, out_fp);
@@ -906,11 +917,13 @@ int main(int argc, char **argv)
break;
case 'a':
fprintf(out_fp, "avrule block requirements:\n");
- display_avblock(5, 0, &policydb, out_fp);
+ display_avblock(DISPLAY_AVBLOCK_REQUIRES, 0,
+ &policydb, out_fp);
break;
case 'b':
fprintf(out_fp, "avrule block declarations:\n");
- display_avblock(6, 0, &policydb, out_fp);
+ display_avblock(DISPLAY_AVBLOCK_DECLARES, 0,
+ &policydb, out_fp);
break;
case 'c':
display_policycaps(&policydb, out_fp);
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
This patch adds support for using the last path component as part of the
information in making labeling decisions for new objects. A example
rule looks like so:
type_transition unconfined_t etc_t:file system_conf_t eric;
This rule says if unconfined_t creates a file in a directory labeled
etc_t and the last path component is "eric" (no globbing, no matching
magic, just exact strcmp) it should be labeled system_conf_t.
The kernel and policy representation does not have support for such
rules in conditionals, and thus policy explicitly notes that fact if
such a rule is added to a conditional.
Signed-off-by: Eric Paris <eparis@redhat.com>
---
diff -up checkpolicy-2.0.23/module_compiler.c.eparis2 checkpolicy-2.0.23/module_compiler.c
--- checkpolicy-2.0.23/module_compiler.c.eparis2 2010-12-21 16:35:45.000000000 -0500
+++ checkpolicy-2.0.23/module_compiler.c 2011-03-23 14:19:51.152530839 -0400
@@ -1313,6 +1313,18 @@ void append_role_allow(role_allow_rule_t
diff --git a/checkpolicy/module_compiler.c b/checkpolicy/module_compiler.c
index d6ebd78..0946ff6 100644
--- a/checkpolicy/module_compiler.c
+++ b/checkpolicy/module_compiler.c
@@ -1313,6 +1313,18 @@ void append_role_allow(role_allow_rule_t * role_allow_rules)
}
/* this doesn't actually append, but really prepends it */
@ -187,9 +21,10 @@ diff -up checkpolicy-2.0.23/module_compiler.c.eparis2 checkpolicy-2.0.23/module_
void append_range_trans(range_trans_rule_t * range_tr_rules)
{
avrule_decl_t *decl = stack_top->decl;
diff -up checkpolicy-2.0.23/module_compiler.h.eparis2 checkpolicy-2.0.23/module_compiler.h
--- checkpolicy-2.0.23/module_compiler.h.eparis2 2010-12-21 16:35:45.000000000 -0500
+++ checkpolicy-2.0.23/module_compiler.h 2011-03-23 14:19:51.154531123 -0400
diff --git a/checkpolicy/module_compiler.h b/checkpolicy/module_compiler.h
index fa91400..ae33753 100644
--- a/checkpolicy/module_compiler.h
+++ b/checkpolicy/module_compiler.h
@@ -80,6 +80,7 @@ void append_avrule(avrule_t * avrule);
void append_role_trans(role_trans_rule_t * role_tr_rules);
void append_role_allow(role_allow_rule_t * role_allow_rules);
@ -198,10 +33,11 @@ diff -up checkpolicy-2.0.23/module_compiler.h.eparis2 checkpolicy-2.0.23/module_
/* Create a new optional block and add it to the global policy.
* During the second pass resolve the block's requirements. Return 0
diff -up checkpolicy-2.0.23/policy_define.c.eparis2 checkpolicy-2.0.23/policy_define.c
--- checkpolicy-2.0.23/policy_define.c.eparis2 2010-12-21 16:35:45.000000000 -0500
+++ checkpolicy-2.0.23/policy_define.c 2011-03-28 13:50:57.667710915 -0400
@@ -2196,6 +2196,190 @@ int define_role_allow(void)
diff --git a/checkpolicy/policy_define.c b/checkpolicy/policy_define.c
index 5e99b30..f75a682 100644
--- a/checkpolicy/policy_define.c
+++ b/checkpolicy/policy_define.c
@@ -2241,6 +2241,190 @@ int define_role_allow(void)
return 0;
}
@ -392,9 +228,10 @@ diff -up checkpolicy-2.0.23/policy_define.c.eparis2 checkpolicy-2.0.23/policy_de
static constraint_expr_t *constraint_expr_clone(constraint_expr_t * expr)
{
constraint_expr_t *h = NULL, *l = NULL, *e, *newe;
diff -up checkpolicy-2.0.23/policy_define.h.eparis2 checkpolicy-2.0.23/policy_define.h
--- checkpolicy-2.0.23/policy_define.h.eparis2 2010-12-21 16:35:45.000000000 -0500
+++ checkpolicy-2.0.23/policy_define.h 2011-03-28 13:50:05.489297128 -0400
diff --git a/checkpolicy/policy_define.h b/checkpolicy/policy_define.h
index 2f7a78f..890a6af 100644
--- a/checkpolicy/policy_define.h
+++ b/checkpolicy/policy_define.h
@@ -16,6 +16,7 @@
avrule_t *define_cond_compute_type(int which);
avrule_t *define_cond_pol_list(avrule_t *avlist, avrule_t *stmt);
@ -403,53 +240,138 @@ diff -up checkpolicy-2.0.23/policy_define.h.eparis2 checkpolicy-2.0.23/policy_de
cond_expr_t *define_cond_expr(uint32_t expr_type, void *arg1, void* arg2);
int define_attrib(void);
int define_av_perms(int inherits);
@@ -47,6 +48,7 @@ int define_range_trans(int class_specifi
@@ -47,6 +48,7 @@ int define_range_trans(int class_specified);
int define_role_allow(void);
int define_role_trans(void);
int define_role_trans(int class_specified);
int define_role_types(void);
+int define_filename_trans(void);
int define_sens(void);
int define_te_avtab(int which);
int define_typealias(void);
diff -up checkpolicy-2.0.23/policy_parse.y.eparis2 checkpolicy-2.0.23/policy_parse.y
--- checkpolicy-2.0.23/policy_parse.y.eparis2 2011-03-23 14:19:51.133528148 -0400
+++ checkpolicy-2.0.23/policy_parse.y 2011-03-28 13:49:03.489482156 -0400
@@ -342,7 +342,10 @@ cond_rule_def : cond_transitio
diff --git a/checkpolicy/policy_parse.y b/checkpolicy/policy_parse.y
index 8c29e2b..8274d36 100644
--- a/checkpolicy/policy_parse.y
+++ b/checkpolicy/policy_parse.y
@@ -81,6 +81,7 @@ typedef int (* require_func_t)();
%type <require_func> require_decl_def
%token PATH
+%token FILENAME
%token CLONE
%token COMMON
%token CLASS
@@ -341,7 +342,10 @@ cond_rule_def : cond_transition_def
| require_block
{ $$ = NULL; }
;
-cond_transition_def : TYPE_TRANSITION names names ':' names identifier ';'
+cond_transition_def : TYPE_TRANSITION names names ':' names identifier identifier ';'
+cond_transition_def : TYPE_TRANSITION names names ':' names identifier filename ';'
+ { $$ = define_cond_filename_trans() ;
+ if ($$ == COND_ERR) return -1;}
+ | TYPE_TRANSITION names names ':' names identifier ';'
{ $$ = define_cond_compute_type(AVRULE_TRANSITION) ;
if ($$ == COND_ERR) return -1;}
| TYPE_MEMBER names names ':' names identifier ';'
@@ -377,7 +380,10 @@ cond_dontaudit_def : DONTAUDIT names nam
@@ -376,7 +380,9 @@ cond_dontaudit_def : DONTAUDIT names names ':' names names ';'
{ $$ = define_cond_te_avtab(AVRULE_DONTAUDIT);
if ($$ == COND_ERR) return -1; }
;
-transition_def : TYPE_TRANSITION names names ':' names identifier ';'
+ ;
+transition_def : TYPE_TRANSITION names names ':' names identifier identifier ';'
+ {if (define_filename_trans()) return -1; }
+ | TYPE_TRANSITION names names ':' names identifier ';'
+transition_def : TYPE_TRANSITION names names ':' names identifier filename';'
+ {if (define_filename_trans()) return -1; }
+ |TYPE_TRANSITION names names ':' names identifier ';'
{if (define_compute_type(AVRULE_TRANSITION)) return -1;}
| TYPE_MEMBER names names ':' names identifier ';'
{if (define_compute_type(AVRULE_MEMBER)) return -1;}
diff -up checkpolicy-2.0.23/test/dismod.c.eparis2 checkpolicy-2.0.23/test/dismod.c
--- checkpolicy-2.0.23/test/dismod.c.eparis2 2011-03-23 14:19:51.142529423 -0400
+++ checkpolicy-2.0.23/test/dismod.c 2011-03-23 14:19:51.160531973 -0400
@@ -52,6 +52,7 @@
#define DISPLAY_AVBLOCK_ROLE_ALLOW 4
#define DISPLAY_AVBLOCK_REQUIRES 5
#define DISPLAY_AVBLOCK_DECLARES 6
+#define DISPLAY_AVBLOCK_FILENAME_TRANS 7
@@ -639,7 +645,7 @@ opt_fs_uses : fs_uses
fs_uses : fs_use_def
| fs_uses fs_use_def
;
-fs_use_def : FSUSEXATTR identifier security_context_def ';'
+fs_use_def : FSUSEXATTR filename security_context_def ';'
{if (define_fs_use(SECURITY_FS_USE_XATTR)) return -1;}
| FSUSETASK identifier security_context_def ';'
{if (define_fs_use(SECURITY_FS_USE_TASK)) return -1;}
@@ -652,11 +658,11 @@ opt_genfs_contexts : genfs_contexts
genfs_contexts : genfs_context_def
| genfs_contexts genfs_context_def
;
-genfs_context_def : GENFSCON identifier path '-' identifier security_context_def
+genfs_context_def : GENFSCON filename path '-' identifier security_context_def
{if (define_genfs_context(1)) return -1;}
- | GENFSCON identifier path '-' '-' {insert_id("-", 0);} security_context_def
+ | GENFSCON filename path '-' '-' {insert_id("-", 0);} security_context_def
{if (define_genfs_context(1)) return -1;}
- | GENFSCON identifier path security_context_def
+ | GENFSCON filename path security_context_def
{if (define_genfs_context(0)) return -1;}
;
ipv4_addr_def : IPV4_ADDR
@@ -733,6 +739,17 @@ identifier : IDENTIFIER
path : PATH
{ if (insert_id(yytext,0)) return -1; }
;
+filename : FILENAME
+ { if (insert_id(yytext,0)) return -1; }
+ | NUMBER
+ { if (insert_id(yytext,0)) return -1; }
+ | IPV4_ADDR
+ { if (insert_id(yytext,0)) return -1; }
+ | VERSION_IDENTIFIER
+ { if (insert_id(yytext,0)) return -1; }
+ | IDENTIFIER
+ { if (insert_id(yytext,0)) return -1; }
+ ;
number : NUMBER
{ $$ = strtoul(yytext,NULL,0); }
;
@@ -757,6 +774,8 @@ module_def : MODULE identifier version_identifier ';'
;
version_identifier : VERSION_IDENTIFIER
{ if (insert_id(yytext,0)) return -1; }
+ | number
+ { if (insert_id(yytext,0)) return -1; }
| ipv4_addr_def /* version can look like ipv4 address */
;
avrules_block : avrule_decls avrule_user_defs
diff --git a/checkpolicy/policy_scan.l b/checkpolicy/policy_scan.l
index 48128a8..427c189 100644
--- a/checkpolicy/policy_scan.l
+++ b/checkpolicy/policy_scan.l
@@ -218,9 +218,12 @@ PERMISSIVE { return(PERMISSIVE); }
"/"({alnum}|[_\.\-/])* { return(PATH); }
{letter}({alnum}|[_\-])*([\.]?({alnum}|[_\-]))* { return(IDENTIFIER); }
{digit}+|0x{hexval}+ { return(NUMBER); }
+{alnum}* { return(FILENAME); }
{digit}{1,3}(\.{digit}{1,3}){3} { return(IPV4_ADDR); }
{hexval}{0,4}":"{hexval}{0,4}":"({hexval}|[:.])* { return(IPV6_ADDR); }
{digit}+(\.({alnum}|[_.])*)? { return(VERSION_IDENTIFIER); }
+{alnum}+([_\.]|{alnum})+ { return(FILENAME); }
+([_\.]){alnum}+ { return(FILENAME); }
#line[ ]1[ ]\"[^\n]*\" { set_source_file(yytext+9); }
#line[ ]{digit}+ { source_lineno = atoi(yytext+6)-1; }
#[^\n]* { /* delete comments */ }
diff --git a/checkpolicy/test/dismod.c b/checkpolicy/test/dismod.c
index 33a29e4..66f976f 100644
--- a/checkpolicy/test/dismod.c
+++ b/checkpolicy/test/dismod.c
@@ -45,6 +45,15 @@
#define le32_to_cpu(x) bswap_32(x)
#endif
+#define DISPLAY_AVBLOCK_COND_AVTAB 0
+#define DISPLAY_AVBLOCK_UNCOND_AVTAB 1
+#define DISPLAY_AVBLOCK_ROLE_TYPE_NODE 2 /* unused? */
+#define DISPLAY_AVBLOCK_ROLE_TRANS 3
+#define DISPLAY_AVBLOCK_ROLE_ALLOW 4
+#define DISPLAY_AVBLOCK_REQUIRES 5
+#define DISPLAY_AVBLOCK_DECLARES 6
+#define DISPLAY_AVBLOCK_FILENAME_TRANS 7
+
static policydb_t policydb;
extern unsigned int ss_initialized;
@@ -480,6 +481,18 @@ void display_role_allow(role_allow_rule_
@@ -497,6 +506,18 @@ void display_role_allow(role_allow_rule_t * ra, policydb_t * p, FILE * fp)
}
}
@ -468,7 +390,56 @@ diff -up checkpolicy-2.0.23/test/dismod.c.eparis2 checkpolicy-2.0.23/test/dismod
int role_display_callback(hashtab_key_t key, hashtab_datum_t datum, void *data)
{
role_datum_t *role;
@@ -647,6 +660,11 @@ int display_avdecl(avrule_decl_t * decl,
@@ -596,7 +617,7 @@ int display_avdecl(avrule_decl_t * decl, int field, uint32_t what,
fprintf(out_fp, "decl %u:%s\n", decl->decl_id,
(decl->enabled ? " [enabled]" : ""));
switch (field) {
- case 0:{
+ case DISPLAY_AVBLOCK_COND_AVTAB:{
cond_list_t *cond = decl->cond_list;
avrule_t *avrule;
while (cond) {
@@ -624,7 +645,7 @@ int display_avdecl(avrule_decl_t * decl, int field, uint32_t what,
}
break;
}
- case 1:{
+ case DISPLAY_AVBLOCK_UNCOND_AVTAB:{
avrule_t *avrule = decl->avrules;
if (avrule == NULL) {
fprintf(out_fp, " <empty>\n");
@@ -638,32 +659,37 @@ int display_avdecl(avrule_decl_t * decl, int field, uint32_t what,
}
break;
}
- case 2:{ /* role_type_node */
+ case DISPLAY_AVBLOCK_ROLE_TYPE_NODE:{ /* role_type_node */
break;
}
- case 3:{
+ case DISPLAY_AVBLOCK_ROLE_TRANS:{
display_role_trans(decl->role_tr_rules, policy, out_fp);
break;
}
- case 4:{
+ case DISPLAY_AVBLOCK_ROLE_ALLOW:{
display_role_allow(decl->role_allow_rules, policy,
out_fp);
break;
}
- case 5:{
+ case DISPLAY_AVBLOCK_REQUIRES:{
if (display_scope_index
(&decl->required, policy, out_fp)) {
return -1;
}
break;
}
- case 6:{
+ case DISPLAY_AVBLOCK_DECLARES:{
if (display_scope_index
(&decl->declared, policy, out_fp)) {
return -1;
}
break;
}
@ -480,7 +451,7 @@ diff -up checkpolicy-2.0.23/test/dismod.c.eparis2 checkpolicy-2.0.23/test/dismod
default:{
assert(0);
}
@@ -812,6 +830,7 @@ int menu()
@@ -829,6 +855,7 @@ int menu()
printf("c) Display policy capabilities\n");
printf("l) Link in a module\n");
printf("u) Display the unknown handling setting\n");
@ -488,7 +459,63 @@ diff -up checkpolicy-2.0.23/test/dismod.c.eparis2 checkpolicy-2.0.23/test/dismod
printf("\n");
printf("f) set output file\n");
printf("m) display menu\n");
@@ -947,6 +966,11 @@ int main(int argc, char **argv)
@@ -886,15 +913,16 @@ int main(int argc, char **argv)
fgets(ans, sizeof(ans), stdin);
switch (ans[0]) {
- case '1':{
- fprintf(out_fp, "unconditional avtab:\n");
- display_avblock(1, RENDER_UNCONDITIONAL,
- &policydb, out_fp);
- break;
- }
+ case '1':
+ fprintf(out_fp, "unconditional avtab:\n");
+ display_avblock(DISPLAY_AVBLOCK_UNCOND_AVTAB,
+ RENDER_UNCONDITIONAL, &policydb,
+ out_fp);
+ break;
case '2':
fprintf(out_fp, "conditional avtab:\n");
- display_avblock(0, RENDER_UNCONDITIONAL, &policydb,
+ display_avblock(DISPLAY_AVBLOCK_COND_AVTAB,
+ RENDER_UNCONDITIONAL, &policydb,
out_fp);
break;
case '3':
@@ -917,11 +945,13 @@ int main(int argc, char **argv)
break;
case '7':
fprintf(out_fp, "role transitions:\n");
- display_avblock(3, 0, &policydb, out_fp);
+ display_avblock(DISPLAY_AVBLOCK_ROLE_TRANS, 0,
+ &policydb, out_fp);
break;
case '8':
fprintf(out_fp, "role allows:\n");
- display_avblock(4, 0, &policydb, out_fp);
+ display_avblock(DISPLAY_AVBLOCK_ROLE_ALLOW, 0,
+ &policydb, out_fp);
break;
case '9':
display_policycon(&policydb, out_fp);
@@ -931,11 +961,13 @@ int main(int argc, char **argv)
break;
case 'a':
fprintf(out_fp, "avrule block requirements:\n");
- display_avblock(5, 0, &policydb, out_fp);
+ display_avblock(DISPLAY_AVBLOCK_REQUIRES, 0,
+ &policydb, out_fp);
break;
case 'b':
fprintf(out_fp, "avrule block declarations:\n");
- display_avblock(6, 0, &policydb, out_fp);
+ display_avblock(DISPLAY_AVBLOCK_DECLARES, 0,
+ &policydb, out_fp);
break;
case 'c':
display_policycaps(&policydb, out_fp);
@@ -959,6 +991,11 @@ int main(int argc, char **argv)
if (out_fp != stdout)
printf("\nOutput to file: %s\n", OutfileName);
break;
@ -500,10 +527,11 @@ diff -up checkpolicy-2.0.23/test/dismod.c.eparis2 checkpolicy-2.0.23/test/dismod
case 'l':
link_module(&policydb, out_fp);
break;
diff -up checkpolicy-2.0.23/test/dispol.c.eparis2 checkpolicy-2.0.23/test/dispol.c
--- checkpolicy-2.0.23/test/dispol.c.eparis2 2010-12-21 16:35:45.000000000 -0500
+++ checkpolicy-2.0.23/test/dispol.c 2011-03-23 14:19:51.162532256 -0400
@@ -341,6 +341,21 @@ static void display_permissive(policydb_
diff --git a/checkpolicy/test/dispol.c b/checkpolicy/test/dispol.c
index f8c05e6..ee2cf02 100644
--- a/checkpolicy/test/dispol.c
+++ b/checkpolicy/test/dispol.c
@@ -341,6 +341,21 @@ static void display_permissive(policydb_t *p, FILE *fp)
}
}
@ -544,10 +572,3 @@ diff -up checkpolicy-2.0.23/test/dispol.c.eparis2 checkpolicy-2.0.23/test/dispol
case 'q':
policydb_destroy(&policydb);
exit(0);
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
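Review bot: The FILENAME rules added in the policy_scan.l hunk do not cover every last path component, although the spec changelog describes the change as allowing all files. As far as the visible patterns show, a name such as `.bash_history` or `10-local.conf` matches no single rule and would be split into several tokens, giving a syntax error. Because the type_transition name is compared by exact string, such a rule could not be written, and the new object would presumably fall back to the label it gets without the rule. Separately, `{alnum}* { return(FILENAME); }` can match the empty string; `{alnum}+ { return(FILENAME); }` states the intent without relying on another rule always consuming a character. A short comment above the FILENAME rules listing the accepted character set (alphanumerics, `_` and `.`, with `-` only reachable through IDENTIFIER) would tell policy authors which names can be used.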


@ -1,13 +1,12 @@
%define libsepolver 2.0.42-3
%define libsepolver 2.0.43-3
Summary: SELinux policy compiler
Name: checkpolicy
Version: 2.0.23
Release: 4%{?dist}
Version: 2.0.24
Release: 1%{?dist}
License: GPLv2
Group: Development/System
Source: http://www.nsa.gov/selinux/archives/%{name}-%{version}.tgz
Patch: checkpolicy-rhat.patch
Patch2: checkpolicy-filesystem.patch
BuildRoot: %{_tmppath}/%{name}-buildroot
BuildRequires: byacc bison flex flex-static libsepol-static >= %{libsepolver} libselinux-devel
@ -28,8 +27,7 @@ Only required for building policies.
%prep
%setup -q
%patch -p1 -b .rhat
%patch2 -p2 -b .filesystem
%patch -p2 -b .rhat
%build
make clean
@ -57,6 +55,13 @@ rm -rf ${RPM_BUILD_ROOT}
%{_bindir}/sedispol
%changelog
* Tue Apr 29 2011 Dan Walsh <dwalsh@redhat.com> - 2.0.24-1
-Update to upstream
* Add new class field in role_transition by Harry Ciao.
* Mon Apr 11 2011 Dan Walsh <dwalsh@redhat.com> - 2.0.23-5
- Fix type_transition to allow all files
* Tue Mar 29 2011 Dan Walsh <dwalsh@redhat.com> - 2.0.23-4
- Patches from Eric Paris
We just use random numbers to make menu selections. Use #defines and


@ -1 +1 @@
19a9e3593b88aaddddba288070351e2e checkpolicy-2.0.23.tgz
c8353d730f159007d9ce9407db30950a checkpolicy-2.0.24.tgz