diff --git a/.gitignore b/.gitignore
index 9f0c7f6..c9dfd58 100644
--- a/.gitignore
+++ b/.gitignore
@@ -75,3 +75,4 @@ checkpolicy-2.0.20.tgz
 checkpolicy-2.0.21.tgz
 checkpolicy-2.0.22.tgz
 /checkpolicy-2.0.23.tgz
+/checkpolicy-2.0.24.tgz
diff --git a/checkpolicy-rhat.patch b/checkpolicy-rhat.patch
index 862db8c..db9277b 100644
--- a/checkpolicy-rhat.patch
+++ b/checkpolicy-rhat.patch
@@ -1,174 +1,8 @@ -diff --exclude-from=exclude -N -u -r nsacheckpolicy/policy_parse.y checkpolicy-2.0.22/policy_parse.y ---- nsacheckpolicy/policy_parse.y 2010-05-19 14:45:51.000000000 -0400 -+++ checkpolicy-2.0.22/policy_parse.y 2010-06-16 08:08:37.000000000 -0400 -@@ -755,6 +755,8 @@ - ; - version_identifier : VERSION_IDENTIFIER - { if (insert_id(yytext,0)) return -1; } -+ | number -+ { if (insert_id(yytext,0)) return -1; } - | ipv4_addr_def /* version can look like ipv4 address */ - ; - avrules_block : avrule_decls avrule_user_defs -We just use random numbers to make menu selections. Use #defines and -names that make some sense instead. - -Signed-off-by: Eric Paris - ---- - -diff -up checkpolicy-2.0.23/test/dismod.c.eparis1 checkpolicy-2.0.23/test/dismod.c ---- checkpolicy-2.0.23/test/dismod.c.eparis1 2010-12-21 16:35:45.000000000 -0500 -+++ checkpolicy-2.0.23/test/dismod.c 2011-03-23 13:58:31.561072307 -0400 -@@ -45,6 +45,14 @@ - #define le32_to_cpu(x) bswap_32(x) - #endif - -+#define DISPLAY_AVBLOCK_COND_AVTAB 0 -+#define DISPLAY_AVBLOCK_UNCOND_AVTAB 1 -+#define DISPLAY_AVBLOCK_ROLE_TYPE_NODE 2 /* unused? */ -+#define DISPLAY_AVBLOCK_ROLE_TRANS 3 -+#define DISPLAY_AVBLOCK_ROLE_ALLOW 4 -+#define DISPLAY_AVBLOCK_REQUIRES 5 -+#define DISPLAY_AVBLOCK_DECLARES 6 -+ - static policydb_t policydb; - extern unsigned int ss_initialized; - -@@ -571,7 +579,7 @@ int display_avdecl(avrule_decl_t * decl, - fprintf(out_fp, "decl %u:%s\n", decl->decl_id, - (decl->enabled ? 
" [enabled]" : "")); - switch (field) { -- case 0:{ -+ case DISPLAY_AVBLOCK_COND_AVTAB:{ - cond_list_t *cond = decl->cond_list; - avrule_t *avrule; - while (cond) { -@@ -599,7 +607,7 @@ int display_avdecl(avrule_decl_t * decl, - } - break; - } -- case 1:{ -+ case DISPLAY_AVBLOCK_UNCOND_AVTAB:{ - avrule_t *avrule = decl->avrules; - if (avrule == NULL) { - fprintf(out_fp, " \n"); -@@ -613,26 +621,26 @@ int display_avdecl(avrule_decl_t * decl, - } - break; - } -- case 2:{ /* role_type_node */ -+ case DISPLAY_AVBLOCK_ROLE_TYPE_NODE:{ /* role_type_node */ - break; - } -- case 3:{ -+ case DISPLAY_AVBLOCK_ROLE_TRANS:{ - display_role_trans(decl->role_tr_rules, policy, out_fp); - break; - } -- case 4:{ -+ case DISPLAY_AVBLOCK_ROLE_ALLOW:{ - display_role_allow(decl->role_allow_rules, policy, - out_fp); - break; - } -- case 5:{ -+ case DISPLAY_AVBLOCK_REQUIRES:{ - if (display_scope_index - (&decl->required, policy, out_fp)) { - return -1; - } - break; - } -- case 6:{ -+ case DISPLAY_AVBLOCK_DECLARES:{ - if (display_scope_index - (&decl->declared, policy, out_fp)) { - return -1; -@@ -861,15 +869,16 @@ int main(int argc, char **argv) - fgets(ans, sizeof(ans), stdin); - switch (ans[0]) { - -- case '1':{ -- fprintf(out_fp, "unconditional avtab:\n"); -- display_avblock(1, RENDER_UNCONDITIONAL, -- &policydb, out_fp); -- break; -- } -+ case '1': -+ fprintf(out_fp, "unconditional avtab:\n"); -+ display_avblock(DISPLAY_AVBLOCK_UNCOND_AVTAB, -+ RENDER_UNCONDITIONAL, &policydb, -+ out_fp); -+ break; - case '2': - fprintf(out_fp, "conditional avtab:\n"); -- display_avblock(0, RENDER_UNCONDITIONAL, &policydb, -+ display_avblock(DISPLAY_AVBLOCK_COND_AVTAB, -+ RENDER_UNCONDITIONAL, &policydb, - out_fp); - break; - case '3': -@@ -892,11 +901,13 @@ int main(int argc, char **argv) - break; - case '7': - fprintf(out_fp, "role transitions:\n"); -- display_avblock(3, 0, &policydb, out_fp); -+ display_avblock(DISPLAY_AVBLOCK_ROLE_TRANS, 0, -+ &policydb, out_fp); - break; - case '8': - 
fprintf(out_fp, "role allows:\n"); -- display_avblock(4, 0, &policydb, out_fp); -+ display_avblock(DISPLAY_AVBLOCK_ROLE_ALLOW, 0, -+ &policydb, out_fp); - break; - case '9': - display_policycon(&policydb, out_fp); -@@ -906,11 +917,13 @@ int main(int argc, char **argv) - break; - case 'a': - fprintf(out_fp, "avrule block requirements:\n"); -- display_avblock(5, 0, &policydb, out_fp); -+ display_avblock(DISPLAY_AVBLOCK_REQUIRES, 0, -+ &policydb, out_fp); - break; - case 'b': - fprintf(out_fp, "avrule block declarations:\n"); -- display_avblock(6, 0, &policydb, out_fp); -+ display_avblock(DISPLAY_AVBLOCK_DECLARES, 0, -+ &policydb, out_fp); - break; - case 'c': - display_policycaps(&policydb, out_fp); - - - --- -This message was distributed to subscribers of the selinux mailing list. -If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with -the words "unsubscribe selinux" without quotes as the message. -This patch adds support for using the last path component as part of the -information in making labeling decisions for new objects. A example -rule looks like so: - -type_transition unconfined_t etc_t:file system_conf_t eric; - -This rule says if unconfined_t creates a file in a directory labeled -etc_t and the last path component is "eric" (no globbing, no matching -magic, just exact strcmp) it should be labeled system_conf_t. - -The kernel and policy representation does not have support for such -rules in conditionals, and thus policy explicitly notes that fact if -such a rule is added to a conditional. 
- -Signed-off-by: Eric Paris ---- - -diff -up checkpolicy-2.0.23/module_compiler.c.eparis2 checkpolicy-2.0.23/module_compiler.c ---- checkpolicy-2.0.23/module_compiler.c.eparis2 2010-12-21 16:35:45.000000000 -0500 -+++ checkpolicy-2.0.23/module_compiler.c 2011-03-23 14:19:51.152530839 -0400 -@@ -1313,6 +1313,18 @@ void append_role_allow(role_allow_rule_t +diff --git a/checkpolicy/module_compiler.c b/checkpolicy/module_compiler.c +index d6ebd78..0946ff6 100644 +--- a/checkpolicy/module_compiler.c ++++ b/checkpolicy/module_compiler.c +@@ -1313,6 +1313,18 @@ void append_role_allow(role_allow_rule_t * role_allow_rules) } /* this doesn't actually append, but really prepends it */ @@ -187,9 +21,10 @@ diff -up checkpolicy-2.0.23/module_compiler.c.eparis2 checkpolicy-2.0.23/module_ void append_range_trans(range_trans_rule_t * range_tr_rules) { avrule_decl_t *decl = stack_top->decl; -diff -up checkpolicy-2.0.23/module_compiler.h.eparis2 checkpolicy-2.0.23/module_compiler.h ---- checkpolicy-2.0.23/module_compiler.h.eparis2 2010-12-21 16:35:45.000000000 -0500 -+++ checkpolicy-2.0.23/module_compiler.h 2011-03-23 14:19:51.154531123 -0400 +diff --git a/checkpolicy/module_compiler.h b/checkpolicy/module_compiler.h +index fa91400..ae33753 100644 +--- a/checkpolicy/module_compiler.h ++++ b/checkpolicy/module_compiler.h @@ -80,6 +80,7 @@ void append_avrule(avrule_t * avrule); void append_role_trans(role_trans_rule_t * role_tr_rules); void append_role_allow(role_allow_rule_t * role_allow_rules); 
@@ -198,10 +33,11 @@ diff -up checkpolicy-2.0.23/module_compiler.h.eparis2 checkpolicy-2.0.23/module_ /* Create a new optional block and add it to the global policy. * During the second pass resolve the block's requirements. Return 0 -diff -up checkpolicy-2.0.23/policy_define.c.eparis2 checkpolicy-2.0.23/policy_define.c ---- checkpolicy-2.0.23/policy_define.c.eparis2 2010-12-21 16:35:45.000000000 -0500 -+++ checkpolicy-2.0.23/policy_define.c 2011-03-28 13:50:57.667710915 -0400 -@@ -2196,6 +2196,190 @@ int define_role_allow(void) +diff --git a/checkpolicy/policy_define.c b/checkpolicy/policy_define.c +index 5e99b30..f75a682 100644 +--- a/checkpolicy/policy_define.c ++++ b/checkpolicy/policy_define.c +@@ -2241,6 +2241,190 @@ int define_role_allow(void) return 0; } @@ -392,9 +228,10 @@ diff -up checkpolicy-2.0.23/policy_define.c.eparis2 checkpolicy-2.0.23/policy_de static constraint_expr_t *constraint_expr_clone(constraint_expr_t * expr) { constraint_expr_t *h = NULL, *l = NULL, *e, *newe; -diff -up checkpolicy-2.0.23/policy_define.h.eparis2 checkpolicy-2.0.23/policy_define.h ---- checkpolicy-2.0.23/policy_define.h.eparis2 2010-12-21 16:35:45.000000000 -0500 -+++ checkpolicy-2.0.23/policy_define.h 2011-03-28 13:50:05.489297128 -0400 +diff --git a/checkpolicy/policy_define.h b/checkpolicy/policy_define.h +index 2f7a78f..890a6af 100644 +--- a/checkpolicy/policy_define.h ++++ b/checkpolicy/policy_define.h @@ -16,6 +16,7 @@ avrule_t *define_cond_compute_type(int which); avrule_t *define_cond_pol_list(avrule_t *avlist, avrule_t *stmt); 
@@ -403,53 +240,138 @@ diff -up checkpolicy-2.0.23/policy_define.h.eparis2 checkpolicy-2.0.23/policy_de cond_expr_t *define_cond_expr(uint32_t expr_type, void *arg1, void* arg2); int define_attrib(void); int define_av_perms(int inherits); -@@ -47,6 +48,7 @@ int define_range_trans(int class_specifi +@@ -47,6 +48,7 @@ int define_range_trans(int class_specified); int define_role_allow(void); - int define_role_trans(void); + int define_role_trans(int class_specified); int define_role_types(void); +int define_filename_trans(void); int define_sens(void); int define_te_avtab(int which); int define_typealias(void); -diff -up checkpolicy-2.0.23/policy_parse.y.eparis2 checkpolicy-2.0.23/policy_parse.y ---- checkpolicy-2.0.23/policy_parse.y.eparis2 2011-03-23 14:19:51.133528148 -0400 -+++ checkpolicy-2.0.23/policy_parse.y 2011-03-28 13:49:03.489482156 -0400 -@@ -342,7 +342,10 @@ cond_rule_def : cond_transitio +diff --git a/checkpolicy/policy_parse.y b/checkpolicy/policy_parse.y +index 8c29e2b..8274d36 100644 +--- a/checkpolicy/policy_parse.y ++++ b/checkpolicy/policy_parse.y +@@ -81,6 +81,7 @@ typedef int (* require_func_t)(); + %type require_decl_def + + %token PATH ++%token FILENAME + %token CLONE + %token COMMON + %token CLASS +@@ -341,7 +342,10 @@ cond_rule_def : cond_transition_def | require_block { $$ = NULL; } ; -cond_transition_def : TYPE_TRANSITION names names ':' names identifier ';' -+cond_transition_def : TYPE_TRANSITION names names ':' names identifier identifier ';' ++cond_transition_def : TYPE_TRANSITION names names ':' names identifier filename ';' + { $$ = define_cond_filename_trans() ; + if ($$ == COND_ERR) return -1;} + | TYPE_TRANSITION names names ':' names identifier ';' { $$ = define_cond_compute_type(AVRULE_TRANSITION) ; if ($$ == COND_ERR) return -1;} | TYPE_MEMBER names names ':' names identifier ';' -@@ -377,7 +380,10 @@ cond_dontaudit_def : DONTAUDIT names nam +@@ -376,7 +380,9 @@ cond_dontaudit_def : DONTAUDIT names names ':' names names ';' { $$ 
= define_cond_te_avtab(AVRULE_DONTAUDIT); if ($$ == COND_ERR) return -1; } ; -transition_def : TYPE_TRANSITION names names ':' names identifier ';' -+ ; -+transition_def : TYPE_TRANSITION names names ':' names identifier identifier ';' -+ {if (define_filename_trans()) return -1; } -+ | TYPE_TRANSITION names names ':' names identifier ';' ++transition_def : TYPE_TRANSITION names names ':' names identifier filename';' ++ {if (define_filename_trans()) return -1; } ++ |TYPE_TRANSITION names names ':' names identifier ';' {if (define_compute_type(AVRULE_TRANSITION)) return -1;} | TYPE_MEMBER names names ':' names identifier ';' {if (define_compute_type(AVRULE_MEMBER)) return -1;} -diff -up checkpolicy-2.0.23/test/dismod.c.eparis2 checkpolicy-2.0.23/test/dismod.c ---- checkpolicy-2.0.23/test/dismod.c.eparis2 2011-03-23 14:19:51.142529423 -0400 -+++ checkpolicy-2.0.23/test/dismod.c 2011-03-23 14:19:51.160531973 -0400 -@@ -52,6 +52,7 @@ - #define DISPLAY_AVBLOCK_ROLE_ALLOW 4 - #define DISPLAY_AVBLOCK_REQUIRES 5 - #define DISPLAY_AVBLOCK_DECLARES 6 -+#define DISPLAY_AVBLOCK_FILENAME_TRANS 7 +@@ -639,7 +645,7 @@ opt_fs_uses : fs_uses + fs_uses : fs_use_def + | fs_uses fs_use_def + ; +-fs_use_def : FSUSEXATTR identifier security_context_def ';' ++fs_use_def : FSUSEXATTR filename security_context_def ';' + {if (define_fs_use(SECURITY_FS_USE_XATTR)) return -1;} + | FSUSETASK identifier security_context_def ';' + {if (define_fs_use(SECURITY_FS_USE_TASK)) return -1;} +@@ -652,11 +658,11 @@ opt_genfs_contexts : genfs_contexts + genfs_contexts : genfs_context_def + | genfs_contexts genfs_context_def + ; +-genfs_context_def : GENFSCON identifier path '-' identifier security_context_def ++genfs_context_def : GENFSCON filename path '-' identifier security_context_def + {if (define_genfs_context(1)) return -1;} +- | GENFSCON identifier path '-' '-' {insert_id("-", 0);} security_context_def ++ | GENFSCON filename path '-' '-' {insert_id("-", 0);} security_context_def + {if 
(define_genfs_context(1)) return -1;} +- | GENFSCON identifier path security_context_def ++ | GENFSCON filename path security_context_def + {if (define_genfs_context(0)) return -1;} + ; + ipv4_addr_def : IPV4_ADDR +@@ -733,6 +739,17 @@ identifier : IDENTIFIER + path : PATH + { if (insert_id(yytext,0)) return -1; } + ; ++filename : FILENAME ++ { if (insert_id(yytext,0)) return -1; } ++ | NUMBER ++ { if (insert_id(yytext,0)) return -1; } ++ | IPV4_ADDR ++ { if (insert_id(yytext,0)) return -1; } ++ | VERSION_IDENTIFIER ++ { if (insert_id(yytext,0)) return -1; } ++ | IDENTIFIER ++ { if (insert_id(yytext,0)) return -1; } ++ ; + number : NUMBER + { $$ = strtoul(yytext,NULL,0); } + ; +@@ -757,6 +774,8 @@ module_def : MODULE identifier version_identifier ';' + ; + version_identifier : VERSION_IDENTIFIER + { if (insert_id(yytext,0)) return -1; } ++ | number ++ { if (insert_id(yytext,0)) return -1; } + | ipv4_addr_def /* version can look like ipv4 address */ + ; + avrules_block : avrule_decls avrule_user_defs +diff --git a/checkpolicy/policy_scan.l b/checkpolicy/policy_scan.l +index 48128a8..427c189 100644 +--- a/checkpolicy/policy_scan.l ++++ b/checkpolicy/policy_scan.l +@@ -218,9 +218,12 @@ PERMISSIVE { return(PERMISSIVE); } + "/"({alnum}|[_\.\-/])* { return(PATH); } + {letter}({alnum}|[_\-])*([\.]?({alnum}|[_\-]))* { return(IDENTIFIER); } + {digit}+|0x{hexval}+ { return(NUMBER); } ++{alnum}* { return(FILENAME); } + {digit}{1,3}(\.{digit}{1,3}){3} { return(IPV4_ADDR); } + {hexval}{0,4}":"{hexval}{0,4}":"({hexval}|[:.])* { return(IPV6_ADDR); } + {digit}+(\.({alnum}|[_.])*)? 
{ return(VERSION_IDENTIFIER); } ++{alnum}+([_\.]|{alnum})+ { return(FILENAME); } ++([_\.]){alnum}+ { return(FILENAME); } + #line[ ]1[ ]\"[^\n]*\" { set_source_file(yytext+9); } + #line[ ]{digit}+ { source_lineno = atoi(yytext+6)-1; } + #[^\n]* { /* delete comments */ } +diff --git a/checkpolicy/test/dismod.c b/checkpolicy/test/dismod.c +index 33a29e4..66f976f 100644 +--- a/checkpolicy/test/dismod.c ++++ b/checkpolicy/test/dismod.c +@@ -45,6 +45,15 @@ + #define le32_to_cpu(x) bswap_32(x) + #endif ++#define DISPLAY_AVBLOCK_COND_AVTAB 0 ++#define DISPLAY_AVBLOCK_UNCOND_AVTAB 1 ++#define DISPLAY_AVBLOCK_ROLE_TYPE_NODE 2 /* unused? */ ++#define DISPLAY_AVBLOCK_ROLE_TRANS 3 ++#define DISPLAY_AVBLOCK_ROLE_ALLOW 4 ++#define DISPLAY_AVBLOCK_REQUIRES 5 ++#define DISPLAY_AVBLOCK_DECLARES 6 ++#define DISPLAY_AVBLOCK_FILENAME_TRANS 7 ++ static policydb_t policydb; extern unsigned int ss_initialized; -@@ -480,6 +481,18 @@ void display_role_allow(role_allow_rule_ + +@@ -497,6 +506,18 @@ void display_role_allow(role_allow_rule_t * ra, policydb_t * p, FILE * fp) } } 
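Review bot: The scanner rule `{alnum}* { return(FILENAME); }` added to policy_scan.l can match the empty string; writing it as `{alnum}+ { return(FILENAME); }` makes every FILENAME token consume at least one character and does not depend on another rule winning the match. In policy_parse.y the new `filename` nonterminal replaces `identifier` in `fs_use_def` (FSUSEXATTR) and all three `genfs_context_def` alternatives, and it also accepts NUMBER, IPV4_ADDR and VERSION_IDENTIFIER, so the spellings accepted for a filesystem name in policy source are wider than before; a comment above `filename` saying this is intended, and why, would help anyone auditing what the policy compiler accepts. The added `version_identifier : number` alternative calls `insert_id(yytext,0)` after the `number` rule has already run its own action, so it appears to rely on yytext still holding the number at that point; matching the `NUMBER` token directly, as `filename` does, would avoid that dependence.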
@@ -468,7 +390,56 @@ diff -up checkpolicy-2.0.23/test/dismod.c.eparis2 checkpolicy-2.0.23/test/dismod int role_display_callback(hashtab_key_t key, hashtab_datum_t datum, void *data) { role_datum_t *role; -@@ -647,6 +660,11 @@ int display_avdecl(avrule_decl_t * decl, +@@ -596,7 +617,7 @@ int display_avdecl(avrule_decl_t * decl, int field, uint32_t what, + fprintf(out_fp, "decl %u:%s\n", decl->decl_id, + (decl->enabled ? " [enabled]" : "")); + switch (field) { +- case 0:{ ++ case DISPLAY_AVBLOCK_COND_AVTAB:{ + cond_list_t *cond = decl->cond_list; + avrule_t *avrule; + while (cond) { +@@ -624,7 +645,7 @@ int display_avdecl(avrule_decl_t * decl, int field, uint32_t what, + } + break; + } +- case 1:{ ++ case DISPLAY_AVBLOCK_UNCOND_AVTAB:{ + avrule_t *avrule = decl->avrules; + if (avrule == NULL) { + fprintf(out_fp, " \n"); +@@ -638,32 +659,37 @@ int display_avdecl(avrule_decl_t * decl, int field, uint32_t what, + } + break; + } +- case 2:{ /* role_type_node */ ++ case DISPLAY_AVBLOCK_ROLE_TYPE_NODE:{ /* role_type_node */ + break; + } +- case 3:{ ++ case DISPLAY_AVBLOCK_ROLE_TRANS:{ + display_role_trans(decl->role_tr_rules, policy, out_fp); + break; + } +- case 4:{ ++ case DISPLAY_AVBLOCK_ROLE_ALLOW:{ + display_role_allow(decl->role_allow_rules, policy, + out_fp); + break; + } +- case 5:{ ++ case DISPLAY_AVBLOCK_REQUIRES:{ + if (display_scope_index + (&decl->required, policy, out_fp)) { + return -1; + } + break; + } +- case 6:{ ++ case DISPLAY_AVBLOCK_DECLARES:{ + if (display_scope_index + (&decl->declared, policy, out_fp)) { + return -1; } break; } @@ -480,7 +451,7 @@ diff -up checkpolicy-2.0.23/test/dismod.c.eparis2 checkpolicy-2.0.23/test/dismod default:{ assert(0); } -@@ -812,6 +830,7 @@ int menu() +@@ -829,6 +855,7 @@ int menu() printf("c) Display policy capabilities\n"); printf("l) Link in a module\n"); printf("u) Display the unknown handling setting\n"); 
@@ -488,7 +459,63 @@ diff -up checkpolicy-2.0.23/test/dismod.c.eparis2 checkpolicy-2.0.23/test/dismod printf("\n"); printf("f) set output file\n"); printf("m) display menu\n"); -@@ -947,6 +966,11 @@ int main(int argc, char **argv) +@@ -886,15 +913,16 @@ int main(int argc, char **argv) + fgets(ans, sizeof(ans), stdin); + switch (ans[0]) { + +- case '1':{ +- fprintf(out_fp, "unconditional avtab:\n"); +- display_avblock(1, RENDER_UNCONDITIONAL, +- &policydb, out_fp); +- break; +- } ++ case '1': ++ fprintf(out_fp, "unconditional avtab:\n"); ++ display_avblock(DISPLAY_AVBLOCK_UNCOND_AVTAB, ++ RENDER_UNCONDITIONAL, &policydb, ++ out_fp); ++ break; + case '2': + fprintf(out_fp, "conditional avtab:\n"); +- display_avblock(0, RENDER_UNCONDITIONAL, &policydb, ++ display_avblock(DISPLAY_AVBLOCK_COND_AVTAB, ++ RENDER_UNCONDITIONAL, &policydb, + out_fp); + break; + case '3': +@@ -917,11 +945,13 @@ int main(int argc, char **argv) + break; + case '7': + fprintf(out_fp, "role transitions:\n"); +- display_avblock(3, 0, &policydb, out_fp); ++ display_avblock(DISPLAY_AVBLOCK_ROLE_TRANS, 0, ++ &policydb, out_fp); + break; + case '8': + fprintf(out_fp, "role allows:\n"); +- display_avblock(4, 0, &policydb, out_fp); ++ display_avblock(DISPLAY_AVBLOCK_ROLE_ALLOW, 0, ++ &policydb, out_fp); + break; + case '9': + display_policycon(&policydb, out_fp); +@@ -931,11 +961,13 @@ int main(int argc, char **argv) + break; + case 'a': + fprintf(out_fp, "avrule block requirements:\n"); +- display_avblock(5, 0, &policydb, out_fp); ++ display_avblock(DISPLAY_AVBLOCK_REQUIRES, 0, ++ &policydb, out_fp); + break; + case 'b': + fprintf(out_fp, "avrule block declarations:\n"); +- display_avblock(6, 0, &policydb, out_fp); ++ display_avblock(DISPLAY_AVBLOCK_DECLARES, 0, ++ &policydb, out_fp); + break; + case 'c': + display_policycaps(&policydb, out_fp); +@@ -959,6 +991,11 @@ int main(int argc, char **argv) if (out_fp != stdout) printf("\nOutput to file: %s\n", OutfileName); break; 
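Review bot: The result of `fgets(ans, sizeof(ans), stdin);` in dismod.c's main() is not checked before `switch (ans[0])`, so at end of input the dispatch runs on whatever `ans` held before the call. Assuming the switch sits inside the menu loop (the loop is outside this hunk), a guard such as `if (fgets(ans, sizeof(ans), stdin) == NULL) break;` would let the tool stop cleanly. The line is carried through unchanged by the #define cleanup, so this predates the patch, and main's body starts and ends outside the hunk.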
@@ -500,10 +527,11 @@ diff -up checkpolicy-2.0.23/test/dismod.c.eparis2 checkpolicy-2.0.23/test/dismod case 'l': link_module(&policydb, out_fp); break; -diff -up checkpolicy-2.0.23/test/dispol.c.eparis2 checkpolicy-2.0.23/test/dispol.c ---- checkpolicy-2.0.23/test/dispol.c.eparis2 2010-12-21 16:35:45.000000000 -0500 -+++ checkpolicy-2.0.23/test/dispol.c 2011-03-23 14:19:51.162532256 -0400 -@@ -341,6 +341,21 @@ static void display_permissive(policydb_ +diff --git a/checkpolicy/test/dispol.c b/checkpolicy/test/dispol.c +index f8c05e6..ee2cf02 100644 +--- a/checkpolicy/test/dispol.c ++++ b/checkpolicy/test/dispol.c +@@ -341,6 +341,21 @@ static void display_permissive(policydb_t *p, FILE *fp) } } @@ -544,10 +572,3 @@ diff -up checkpolicy-2.0.23/test/dispol.c.eparis2 checkpolicy-2.0.23/test/dispol case 'q': policydb_destroy(&policydb); exit(0); - - - --- -This message was distributed to subscribers of the selinux mailing list. -If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with -the words "unsubscribe selinux" without quotes as the message. diff --git a/checkpolicy.spec b/checkpolicy.spec index f69465a..8e63e6e 100644 --- a/checkpolicy.spec +++ b/checkpolicy.spec @@ -1,13 +1,12 @@ -%define libsepolver 2.0.42-3 +%define libsepolver 2.0.43-3 Summary: SELinux policy compiler Name: checkpolicy -Version: 2.0.23 -Release: 4%{?dist} +Version: 2.0.24 +Release: 1%{?dist} License: GPLv2 Group: Development/System Source: http://www.nsa.gov/selinux/archives/%{name}-%{version}.tgz Patch: checkpolicy-rhat.patch -Patch2: checkpolicy-filesystem.patch BuildRoot: %{_tmppath}/%{name}-buildroot BuildRequires: byacc bison flex flex-static libsepol-static >= %{libsepolver} libselinux-devel @@ -28,8 +27,7 @@ Only required for building policies. %prep %setup -q -%patch -p1 -b .rhat -%patch2 -p2 -b .filesystem +%patch -p2 -b .rhat %build make clean 
@@ -57,6 +55,13 @@ rm -rf ${RPM_BUILD_ROOT} %{_bindir}/sedispol %changelog +* Tue Apr 29 2011 Dan Walsh - 2.0.24-1 +-Update to upstream + * Add new class field in role_transition by Harry Ciao. + +* Mon Apr 11 2011 Dan Walsh - 2.0.23-5 +- Fix type_transition to allow all files + * Tue Mar 29 2011 Dan Walsh - 2.0.23-4 - Patches from Eric Paris We just use random numbers to make menu selections. Use #defines and diff --git a/sources b/sources index 07847ba..fb3ed24 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -19a9e3593b88aaddddba288070351e2e checkpolicy-2.0.23.tgz +c8353d730f159007d9ce9407db30950a checkpolicy-2.0.24.tgz