rpms/checkpolicy
6
0
Fork 0
Code Issues Pull Requests Releases Activity

- Latest upgrade from NSA

Browse Source 
Added error checking of all ebitmap_set_bit calls for out of memory
    conditions.
Merged removal of compatibility handling of netlink classes (requirement
    that policies with newer versions include the netlink class
    definitions, remapping of fine-grained netlink classes in newer source
    policies to single netlink class when generating older policies) from
    George Coker.
This commit is contained in:
Daniel J Walsh 2005-12-01 20:02:47 +00:00
parent 671fd361f0
commit e8c9487983
4 changed files with 78 additions and 32 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.cvsignore
View File

@ -34,3 +34,4 @@ checkpolicy-1.27.10.tgz
checkpolicy-1.27.11.tgz checkpolicy-1.27.11.tgz
checkpolicy-1.27.16.tgz checkpolicy-1.27.16.tgz
checkpolicy-1.27.17.tgz checkpolicy-1.27.17.tgz
checkpolicy-1.27.19.tgz

87
checkpolicy-rhat.patch
View File

@ -1,29 +1,60 @@
Index: checkpolicy/policy_parse.y diff --exclude-from=exclude -N -u -r nsacheckpolicy/checkmodule.8 checkpolicy-1.27.19/checkmodule.8
=================================================================== --- nsacheckpolicy/checkmodule.8 1969-12-31 19:00:00.000000000 -0500
RCS file: /nfshome/pal/CVS/selinux-usr/checkpolicy/policy_parse.y,v +++ checkpolicy-1.27.19/checkmodule.8 2005-12-01 15:00:22.000000000 -0500
retrieving revision 1.41 @@ -0,0 +1,45 @@
diff -u -p -r1.41 policy_parse.y +.TH CHECKMODULE 8
--- checkpolicy/policy_parse.y 15 Aug 2005 16:10:56 -0000 1.41 +.SH NAME
+++ checkpolicy/policy_parse.y 22 Aug 2005 17:49:36 -0000 +checkmodule \- SELinux policy module compiler
@@ -2965,6 +2965,7 @@ static int define_validatetrans(constrai +.SH SYNOPSIS
ebitmap_t classmap; +.B checkmodule
constraint_expr_t *e; +.I "[-b] [-d] [-M] [-c policyvers] [-o output_file] [input_file]"
int depth; + .br
+ unsigned char useexpr = 1; +.SH "DESCRIPTION"
+This manual page describes the
+.BR checkmodule
+command.
+.PP
+.B checkmodule
+is a program that checks and compiles a SELinux security policy module
+into a binary representation. Use semodule_package to combine this module with
+its optional file context to create a policy package that can be loaded into the kernel.
+
+.SH OPTIONS
+.TP
+.B \-b
+Read an existing binary policy file rather than a source policy.conf file.
+.TP
+.B \-d
+Enter debug mode after loading the policy.
+.TP
+.B \-M
+Enable the MLS policy when checking and compiling the policy.
+.TP
+.B \-o filename
+Write a binary policy file to the specified filename.
+.TP
+.B \-c policyvers
+Specify the policy version, defaults to the latest.
+
+.SH "SEE ALSO"
+.B load_policy(8), semodule(8), semodule_package(8), semodule_expand(8), semodule_link(8)
+SELinux documentation at http://www.nsa.gov/selinux/docs.html,
+especially "Configuring the SELinux Policy".
+
+
+.SH AUTHOR
+This manual page was copied from the checkpolicy man page
+written by Arpad Magosanyi <mag@bunuel.tii.matav.hu>,
+and edited by Dan Walsh <dwalsh@redhat.com>.
+The program was written by Stephen Smalley <sds@epoch.ncsc.mil>.
diff --exclude-from=exclude -N -u -r nsacheckpolicy/Makefile checkpolicy-1.27.19/Makefile
--- nsacheckpolicy/Makefile 2005-09-12 16:30:34.000000000 -0400
+++ checkpolicy-1.27.19/Makefile 2005-12-01 15:00:34.000000000 -0500
@@ -45,6 +45,7 @@
-mkdir -p $(MANDIR)/man8
install -m 755 $(TARGETS) $(BINDIR)
install -m 644 checkpolicy.8 $(MANDIR)/man8
+ install -m 644 checkmodule.8 $(MANDIR)/man8
if (pass == 1) { relabel: install
while ((id = queue_remove(id_queue))) /sbin/restorecon $(BINDIR)/checkpolicy
@@ -3035,7 +3036,12 @@ static int define_validatetrans(constrai
return -1;
}
memset(node, 0, sizeof(constraint_node_t));
- node->expr = expr;
+ if (useexpr) {
+ node->expr = expr;
+ useexpr = 0;
+ } else {
+ node->expr = constraint_expr_clone(expr);
+ }
node->permissions = 0;
node->next = cladatum->validatetrans;

20
checkpolicy.spec
View File

@ -1,11 +1,13 @@
%define libsepolver 1.9.39-1 %define libsepolver 1.9.41-1
Summary: SELinux policy compiler Summary: SELinux policy compiler
Name: checkpolicy Name: checkpolicy
Version: 1.27.17 Version: 1.27.19
Release: 7 Release: 1
License: GPL License: GPL
Group: Development/System Group: Development/System
Source: http://www.nsa.gov/selinux/archives/%{name}-%{version}.tgz Source: http://www.nsa.gov/selinux/archives/%{name}-%{version}.tgz
Patch: checkpolicy-rhat.patch
BuildRoot: %{_tmppath}/%{name}-buildroot BuildRoot: %{_tmppath}/%{name}-buildroot
BuildRequires: byacc flex libsepol-devel >= %{libsepolver} libselinux-devel BuildRequires: byacc flex libsepol-devel >= %{libsepolver} libselinux-devel
@ -25,6 +27,7 @@ Only required for building policies.
%prep %prep
%setup -q %setup -q
%patch -p1 -b .rhat
%build %build
make LIBDIR="%{_libdir}" CFLAGS="%{optflags}" make LIBDIR="%{_libdir}" CFLAGS="%{optflags}"
@ -42,8 +45,19 @@ rm -rf ${RPM_BUILD_ROOT}
%{_bindir}/checkpolicy %{_bindir}/checkpolicy
%{_bindir}/checkmodule %{_bindir}/checkmodule
%{_mandir}/man8/checkpolicy.8.gz %{_mandir}/man8/checkpolicy.8.gz
%{_mandir}/man8/checkmodule.8.gz
%changelog %changelog
* Thu Dec 1 2005 Dan Walsh <dwalsh@redhat.com> 1.27.19-1
- Latest upgrade from NSA
* Added error checking of all ebitmap_set_bit calls for out of
memory conditions.
* Merged removal of compatibility handling of netlink classes
(requirement that policies with newer versions include the
netlink class definitions, remapping of fine-grained netlink
classes in newer source policies to single netlink class when
generating older policies) from George Coker.
* Tue Nov 8 2005 Dan Walsh <dwalsh@redhat.com> 1.27.17-7 * Tue Nov 8 2005 Dan Walsh <dwalsh@redhat.com> 1.27.17-7
- Rebuild to get latest libsepol - Rebuild to get latest libsepol

2
sources
View File

@ -1 +1 @@
c1233892de26b1935142aacbca84b042 checkpolicy-1.27.17.tgz 37c62ce4447586c8e5311133e9ffa489 checkpolicy-1.27.19.tgz