Space should be allowed for file trans names
This commit is contained in:
parent
02cf4abf2d
commit
7a5e44fa80
@ -1,165 +1,13 @@
|
|||||||
diff --git a/checkpolicy/policy_define.c b/checkpolicy/policy_define.c
|
|
||||||
index 2c12447..5db1bca 100644
|
|
||||||
--- a/checkpolicy/policy_define.c
|
|
||||||
+++ b/checkpolicy/policy_define.c
|
|
||||||
@@ -415,6 +415,38 @@ int define_default_role(int which)
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
+int define_default_type(int which)
|
|
||||||
+{
|
|
||||||
+ char *id;
|
|
||||||
+ class_datum_t *cladatum;
|
|
||||||
+
|
|
||||||
+ if (pass == 1) {
|
|
||||||
+ while ((id = queue_remove(id_queue)))
|
|
||||||
+ free(id);
|
|
||||||
+ return 0;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ while ((id = queue_remove(id_queue))) {
|
|
||||||
+ if (!is_id_in_scope(SYM_CLASSES, id)) {
|
|
||||||
+ yyerror2("class %s is not within scope", id);
|
|
||||||
+ return -1;
|
|
||||||
+ }
|
|
||||||
+ cladatum = hashtab_search(policydbp->p_classes.table, id);
|
|
||||||
+ if (!cladatum) {
|
|
||||||
+ yyerror2("unknown class %s", id);
|
|
||||||
+ return -1;
|
|
||||||
+ }
|
|
||||||
+ if (cladatum->default_type && cladatum->default_type != which) {
|
|
||||||
+ yyerror2("conflicting default type information for class %s", id);
|
|
||||||
+ return -1;
|
|
||||||
+ }
|
|
||||||
+ cladatum->default_type = which;
|
|
||||||
+ free(id);
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ return 0;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
int define_default_range(int which)
|
|
||||||
{
|
|
||||||
char *id;
|
|
||||||
@@ -2777,6 +2809,7 @@ int define_constraint(constraint_expr_t * expr)
|
|
||||||
}
|
|
||||||
if (!node->expr) {
|
|
||||||
yyerror("out of memory");
|
|
||||||
+ free(node);
|
|
||||||
return -1;
|
|
||||||
}
|
|
||||||
node->permissions = 0;
|
|
||||||
@@ -3068,13 +3101,11 @@ uintptr_t define_cexpr(uint32_t expr_type, uintptr_t arg1, uintptr_t arg2)
|
|
||||||
ebitmap_destroy(&negset);
|
|
||||||
return (uintptr_t) expr;
|
|
||||||
default:
|
|
||||||
- yyerror("invalid constraint expression");
|
|
||||||
- constraint_expr_destroy(expr);
|
|
||||||
- return 0;
|
|
||||||
+ break;
|
|
||||||
}
|
|
||||||
|
|
||||||
yyerror("invalid constraint expression");
|
|
||||||
- free(expr);
|
|
||||||
+ constraint_expr_destroy(expr);
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
@@ -3281,6 +3312,7 @@ cond_expr_t *define_cond_expr(uint32_t expr_type, void *arg1, void *arg2)
|
|
||||||
return expr;
|
|
||||||
default:
|
|
||||||
yyerror("illegal conditional expression");
|
|
||||||
+ free(expr);
|
|
||||||
return NULL;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
@@ -4627,7 +4659,10 @@ int define_range_trans(int class_specified)
|
|
||||||
goto out;
|
|
||||||
}
|
|
||||||
|
|
||||||
- ebitmap_set_bit(&rule->tclasses, cladatum->s.value - 1, TRUE);
|
|
||||||
+ if (ebitmap_set_bit(&rule->tclasses, cladatum->s.value - 1, TRUE)) {
|
|
||||||
+ yyerror("out of memory");
|
|
||||||
+ goto out;
|
|
||||||
+ }
|
|
||||||
}
|
|
||||||
|
|
||||||
id = (char *)queue_remove(id_queue);
|
|
||||||
diff --git a/checkpolicy/policy_define.h b/checkpolicy/policy_define.h
|
|
||||||
index ccbe56f..8bfd8f6 100644
|
|
||||||
--- a/checkpolicy/policy_define.h
|
|
||||||
+++ b/checkpolicy/policy_define.h
|
|
||||||
@@ -26,6 +26,7 @@ int define_category(void);
|
|
||||||
int define_class(void);
|
|
||||||
int define_default_user(int which);
|
|
||||||
int define_default_role(int which);
|
|
||||||
+int define_default_type(int which);
|
|
||||||
int define_default_range(int which);
|
|
||||||
int define_common_perms(void);
|
|
||||||
int define_compute_type(int which);
|
|
||||||
diff --git a/checkpolicy/policy_parse.y b/checkpolicy/policy_parse.y
|
|
||||||
index d92cc32..b40f413 100644
|
|
||||||
--- a/checkpolicy/policy_parse.y
|
|
||||||
+++ b/checkpolicy/policy_parse.y
|
|
||||||
@@ -143,7 +143,7 @@ typedef int (* require_func_t)();
|
|
||||||
%token POLICYCAP
|
|
||||||
%token PERMISSIVE
|
|
||||||
%token FILESYSTEM
|
|
||||||
-%token DEFAULT_USER DEFAULT_ROLE DEFAULT_RANGE
|
|
||||||
+%token DEFAULT_USER DEFAULT_ROLE DEFAULT_TYPE DEFAULT_RANGE
|
|
||||||
%token LOW_HIGH LOW HIGH
|
|
||||||
|
|
||||||
%left OR
|
|
||||||
@@ -202,9 +202,11 @@ opt_default_rules : default_rules
|
|
||||||
;
|
|
||||||
default_rules : default_user_def
|
|
||||||
| default_role_def
|
|
||||||
+ | default_type_def
|
|
||||||
| default_range_def
|
|
||||||
| default_rules default_user_def
|
|
||||||
| default_rules default_role_def
|
|
||||||
+ | default_rules default_type_def
|
|
||||||
| default_rules default_range_def
|
|
||||||
;
|
|
||||||
default_user_def : DEFAULT_USER names SOURCE ';'
|
|
||||||
@@ -217,6 +219,11 @@ default_role_def : DEFAULT_ROLE names SOURCE ';'
|
|
||||||
| DEFAULT_ROLE names TARGET ';'
|
|
||||||
{if (define_default_role(DEFAULT_TARGET)) return -1; }
|
|
||||||
;
|
|
||||||
+default_type_def : DEFAULT_TYPE names SOURCE ';'
|
|
||||||
+ {if (define_default_type(DEFAULT_SOURCE)) return -1; }
|
|
||||||
+ | DEFAULT_TYPE names TARGET ';'
|
|
||||||
+ {if (define_default_type(DEFAULT_TARGET)) return -1; }
|
|
||||||
+ ;
|
|
||||||
default_range_def : DEFAULT_RANGE names SOURCE LOW ';'
|
|
||||||
{if (define_default_range(DEFAULT_SOURCE_LOW)) return -1; }
|
|
||||||
| DEFAULT_RANGE names SOURCE HIGH ';'
|
|
||||||
diff --git a/checkpolicy/policy_scan.l b/checkpolicy/policy_scan.l
|
diff --git a/checkpolicy/policy_scan.l b/checkpolicy/policy_scan.l
|
||||||
index 62d03f0..bba7667 100644
|
index bba7667..f82c93b 100644
|
||||||
--- a/checkpolicy/policy_scan.l
|
--- a/checkpolicy/policy_scan.l
|
||||||
+++ b/checkpolicy/policy_scan.l
|
+++ b/checkpolicy/policy_scan.l
|
||||||
@@ -229,6 +229,8 @@ default_user |
|
@@ -240,7 +240,7 @@ HIGH { return(HIGH); }
|
||||||
DEFAULT_USER { return(DEFAULT_USER); }
|
low |
|
||||||
default_role |
|
LOW { return(LOW); }
|
||||||
DEFAULT_ROLE { return(DEFAULT_ROLE); }
|
"/"({alnum}|[_\.\-/])* { return(PATH); }
|
||||||
+default_type |
|
-\"({alnum}|[_\.\-\+\~])+\" { return(FILENAME); }
|
||||||
+DEFAULT_TYPE { return(DEFAULT_TYPE); }
|
+\"({alnum}|[_\.\-\+\~ ])+\" { return(FILENAME); }
|
||||||
default_range |
|
{letter}({alnum}|[_\-])*([\.]?({alnum}|[_\-]))* { return(IDENTIFIER); }
|
||||||
DEFAULT_RANGE { return(DEFAULT_RANGE); }
|
{alnum}*{letter}{alnum}* { return(FILESYSTEM); }
|
||||||
low-high |
|
{digit}+|0x{hexval}+ { return(NUMBER); }
|
||||||
diff --git a/checkpolicy/test/dismod.c b/checkpolicy/test/dismod.c
|
|
||||||
index 6a951f6..96ef047 100644
|
|
||||||
--- a/checkpolicy/test/dismod.c
|
|
||||||
+++ b/checkpolicy/test/dismod.c
|
|
||||||
@@ -844,7 +844,10 @@ int main(int argc, char **argv)
|
|
||||||
|
|
||||||
/* read the binary policy */
|
|
||||||
fprintf(out_fp, "Reading policy...\n");
|
|
||||||
- policydb_init(&policydb);
|
|
||||||
+ if (policydb_init(&policydb)) {
|
|
||||||
+ fprintf(stderr, "%s: Out of memory!\n", __FUNCTION__);
|
|
||||||
+ exit(1);
|
|
||||||
+ }
|
|
||||||
if (read_policy(argv[1], &policydb)) {
|
|
||||||
fprintf(stderr,
|
|
||||||
"%s: error(s) encountered while loading policy\n",
|
|
||||||
|
@ -3,10 +3,11 @@
|
|||||||
Summary: SELinux policy compiler
|
Summary: SELinux policy compiler
|
||||||
Name: checkpolicy
|
Name: checkpolicy
|
||||||
Version: 2.1.12
|
Version: 2.1.12
|
||||||
Release: 1%{?dist}
|
Release: 2%{?dist}
|
||||||
License: GPLv2
|
License: GPLv2
|
||||||
Group: Development/System
|
Group: Development/System
|
||||||
Source: http://www.nsa.gov/selinux/archives/%{name}-%{version}.tgz
|
Source: http://www.nsa.gov/selinux/archives/%{name}-%{version}.tgz
|
||||||
|
Patch: checkpolicy-rhat.patch
|
||||||
|
|
||||||
BuildRoot: %{_tmppath}/%{name}-buildroot
|
BuildRoot: %{_tmppath}/%{name}-buildroot
|
||||||
BuildRequires: byacc bison flex flex-static libsepol-static >= %{libsepolver} libselinux-devel >= %{libselinuxver}
|
BuildRequires: byacc bison flex flex-static libsepol-static >= %{libsepolver} libselinux-devel >= %{libselinuxver}
|
||||||
@ -27,6 +28,7 @@ Only required for building policies.
|
|||||||
|
|
||||||
%prep
|
%prep
|
||||||
%setup -q
|
%setup -q
|
||||||
|
%patch -p2 -b .rhat
|
||||||
|
|
||||||
%build
|
%build
|
||||||
make clean
|
make clean
|
||||||
@ -54,6 +56,9 @@ rm -rf ${RPM_BUILD_ROOT}
|
|||||||
%{_bindir}/sedispol
|
%{_bindir}/sedispol
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Tue Mar 12 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.12-2
|
||||||
|
- Space should be allowed for file trans names
|
||||||
|
|
||||||
* Thu Feb 7 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.12-1
|
* Thu Feb 7 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.12-1
|
||||||
- Update to upstream
|
- Update to upstream
|
||||||
* Fix errors found by coverity
|
* Fix errors found by coverity
|
||||||
|
Loading…
Reference in New Issue
Block a user