From eb71cf87d92a11a816f1aa92b7ef5d9eaad72aea Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Tue, 2 Aug 2005 16:58:50 +0000
Subject: [PATCH] - Update to NSA Release Merged hierarchy check fix from Joshua Brindle (Tresys).
---
 .cvsignore | 1 +
 checkpolicy-rhat.patch | 305 +++++++++++++++--------------------
 checkpolicy.spec | 8 +-
 sources | 2 +-
 4 files changed, 117 insertions(+), 199 deletions(-)

diff --git a/.cvsignore b/.cvsignore
index 007c0ea..47ca483 100644
--- a/.cvsignore
+++ b/.cvsignore
@@ -15,3 +15,4 @@ checkpolicy-1.23.2.tgz
 checkpolicy-1.23.3.tgz
 checkpolicy-1.23.4.tgz
 checkpolicy-1.25.2.tgz
+checkpolicy-1.25.3.tgz
diff --git a/checkpolicy-rhat.patch b/checkpolicy-rhat.patch
index b5ed7c6..465ae37 100644
--- a/checkpolicy-rhat.patch
+++ b/checkpolicy-rhat.patch
@@ -1,198 +1,111 @@
---- checkpolicy-1.23.3/checkpolicy.c~ 2005-05-19 13:46:55.000000000 -0400
-+++ checkpolicy-1.23.3/checkpolicy.c 2005-05-19 14:04:16.000000000 -0400
-@@ -104,6 +104,12 @@
- exit(1);
- }
+diff --exclude-from=exclude -N -u -r nsacheckpolicy/Makefile checkpolicy-1.25.3/Makefile
+--- nsacheckpolicy/Makefile 2005-07-28 15:18:33.000000000 -0400
++++ checkpolicy-1.25.3/Makefile 2005-07-29 09:18:09.000000000 -0400
+@@ -6,7 +6,7 @@
+ MANDIR ?= $(PREFIX)/share/man
+ LIBDIR ?= $(PREFIX)/lib
+ INCLUDEDIR ?= $(PREFIX)/include
+-TARGETS = checkpolicy checkmodule
++TARGETS = checkpolicy checkmodule semodule_package
-+#define FGETS(out, size, in) \
-+if (fgets(out,size,in)==NULL) { \
-+ fprintf(stderr, "fgets failed at line %d: %s\n", __LINE__,\
-+ strerror(errno)); \
-+ exit(1);\
+ CFLAGS ?= -g -Wall -O2 -pipe -fno-strict-aliasing
+
+@@ -15,8 +15,9 @@
+ CHECKOBJS = y.tab.o lex.yy.o queue.o module_compiler.o
+ CHECKPOLOBJS = $(CHECKOBJS) checkpolicy.o
+ CHECKMODOBJS = $(CHECKOBJS) checkmodule.o
++SEMODULE_PACKAGEOBJS = semodule_package.o
+
+-LDLIBS=$(LIBDIR)/libsepol.a -lfl
++LDLIBS=$(LIBDIR)/libsepol.a -lfl
+
+ all: $(TARGETS)
+
+@@ -24,6 +25,9 @@
+
+ checkmodule: $(CHECKMODOBJS)
+
++semodule_package: $(SEMODULE_PACKAGEOBJS)
++ $(CC) -o $@ $^ ${LIBDIR}/libsemanage.a $(LIBDIR)/libsepol.a
++
+ %.o: %.c
+ $(CC) $(CFLAGS) -o $@ -c $<
+
+diff --exclude-from=exclude -N -u -r nsacheckpolicy/semodule_package.c checkpolicy-1.25.3/semodule_package.c
+--- nsacheckpolicy/semodule_package.c 1969-12-31 19:00:00.000000000 -0500
++++ checkpolicy-1.25.3/semodule_package.c 2005-07-28 15:30:24.000000000 -0400
+@@ -0,0 +1,74 @@
++/* Authors: Karl MacMillan
++ *
++ * Copyright (C) 2004 Tresys Technology, LLC
++ * This program is free software; you can redistribute it and/or modify
++ * it under the terms of the GNU General Public License as published by
++ * the Free Software Foundation, version 2.
++ */
++
++#include
++
++#include
++#include
++#include
++#include
++
++extern char *optarg;
++
++static void usage(char *progname)
++{
++ printf("usage: %s PACKAGE MODULE [FILE_CONTEXTS]\n", progname);
++ printf("Build a package from a module and optional file contexts.\n");
++ printf("Options:\n");
++ printf(" PACKAGE name of file to write generated package\n");
++ printf(" MODULE base or policy module to wrap\n");
++ printf(" FILE_CONTEXTS file containing file contexts for this package\n");
++ exit(1);
++}
++
++static int file_to_policy_file(char *filename, struct policy_file *pf, char *mode)
++{
++ FILE *f;
++
++ memset(pf, 0, sizeof(struct policy_file));
++
++ f = fopen(filename, mode);
++ if (!f) {
++ fprintf(stderr, "Could not open file %s\n", filename);
++ return -1;
++ }
++ pf->type = PF_USE_STDIO;
++ pf->fp = f;
++
++ return 0;
++}
++
++int main(int argc, char **argv)
++{
++ struct policy_file out, mod, fc;
++
++ if (argc < 3 || argc > 4)
++ usage(argv[0]);
++
++ if (file_to_policy_file(argv[1], &out, "w"))
++ exit(1);
++
++ if (file_to_policy_file(argv[2], &mod, "r"))
++ exit(1);
++
++ if (argc == 3) {
++ if (semod_module_package_create(&mod, NULL, &out)) {
++ fprintf(stderr, "Could not write module package\n");
++ exit(1);
++ }
++ } else if (argc == 4) {
++ if (file_to_policy_file(argv[3], &fc, "r"))
++ exit(1);
++ if (semod_module_package_create(&mod, &fc, &out)) {
++ fprintf(stderr, "Could not write module package\n");
++ exit(1);
++ }
++ }
++
++ return 0;
+}
- static int print_sid(sepol_security_id_t sid,
- context_struct_t * context __attribute__ ((unused)), void *data __attribute__ ((unused)))
- {
-@@ -692,19 +698,19 @@
- printf("q) Exit\n");
- while (1) {
- printf("\nChoose: ");
-- fgets(ans, sizeof(ans), stdin);
-+ FGETS(ans, sizeof(ans), stdin);
- switch (ans[0]) {
- case '0':
- printf("source sid? ");
-- fgets(ans, sizeof(ans), stdin);
-+ FGETS(ans, sizeof(ans), stdin);
- ssid = atoi(ans);
-
- printf("target sid? ");
-- fgets(ans, sizeof(ans), stdin);
-+ FGETS(ans, sizeof(ans), stdin);
- tsid = atoi(ans);
-
- printf("target class? ");
-- fgets(ans, sizeof(ans), stdin);
-+ FGETS(ans, sizeof(ans), stdin);
- if (isdigit(ans[0])) {
- tclass = atoi(ans);
- if (!tclass || tclass > policydb.p_classes.nprim) {
-@@ -756,7 +762,7 @@
- break;
- case '1':
- printf("sid? ");
-- fgets(ans, sizeof(ans), stdin);
-+ FGETS(ans, sizeof(ans), stdin);
- ssid = atoi(ans);
- ret = sepol_sid_to_context(ssid,
- &scontext, &scontext_len);
-@@ -777,7 +783,7 @@
- break;
- case '2':
- printf("scontext? ");
-- fgets(ans, sizeof(ans), stdin);
-+ FGETS(ans, sizeof(ans), stdin);
- scontext_len = strlen(ans);
- ans[scontext_len - 1] = 0;
- ret = sepol_context_to_sid(ans, scontext_len,
-@@ -802,14 +808,14 @@
- ch = ans[0];
-
- printf("source sid? ");
-- fgets(ans, sizeof(ans), stdin);
-+ FGETS(ans, sizeof(ans), stdin);
- ssid = atoi(ans);
- printf("target sid? ");
-- fgets(ans, sizeof(ans), stdin);
-+ FGETS(ans, sizeof(ans), stdin);
- tsid = atoi(ans);
-
- printf("object class? ");
-- fgets(ans, sizeof(ans), stdin);
-+ FGETS(ans, sizeof(ans), stdin);
- if (isdigit(ans[0])) {
- tclass = atoi(ans);
- if (!tclass || tclass > policydb.p_classes.nprim) {
-@@ -852,7 +858,7 @@
- break;
- case '7':
- printf("pathname? ");
-- fgets(ans, sizeof(ans), stdin);
-+ FGETS(ans, sizeof(ans), stdin);
- pathlen = strlen(ans);
- ans[pathlen - 1] = 0;
- printf("%s: loading policy configuration from %s\n", argv[0], ans);
-@@ -890,7 +896,7 @@
- break;
- case '8':
- printf("fs kdevname? ");
-- fgets(ans, sizeof(ans), stdin);
-+ FGETS(ans, sizeof(ans), stdin);
- ans[strlen(ans) - 1] = 0;
- sepol_fs_sid(ans, &ssid, &tsid);
- printf("fs_sid %d default_file_sid %d\n",
-@@ -898,7 +904,7 @@
- break;
- case '9':
- printf("protocol? ");
-- fgets(ans, sizeof(ans), stdin);
-+ FGETS(ans, sizeof(ans), stdin);
- ans[strlen(ans) - 1] = 0;
- if (!strcmp(ans, "tcp") || !strcmp(ans, "TCP"))
- protocol = IPPROTO_TCP;
-@@ -909,14 +915,14 @@
- break;
- }
- printf("port? ");
-- fgets(ans, sizeof(ans), stdin);
-+ FGETS(ans, sizeof(ans), stdin);
- port = atoi(ans);
- sepol_port_sid(0, 0, protocol, port, &ssid);
- printf("sid %d\n", ssid);
- break;
- case 'a':
- printf("netif name? ");
-- fgets(ans, sizeof(ans), stdin);
-+ FGETS(ans, sizeof(ans), stdin);
- ans[strlen(ans) - 1] = 0;
- sepol_netif_sid(ans, &ssid, &tsid);
- printf("if_sid %d default_msg_sid %d\n",
-@@ -929,7 +935,7 @@
- struct in6_addr addr6;
-
- printf("protocol family? ");
-- fgets(ans, sizeof(ans), stdin);
-+ FGETS(ans, sizeof(ans), stdin);
- ans[strlen(ans) - 1] = 0;
- if (!strcasecmp(ans, "ipv4"))
- family = AF_INET;
-@@ -941,7 +947,7 @@
- }
-
- printf("node address? ");
-- fgets(ans, sizeof(ans), stdin);
-+ FGETS(ans, sizeof(ans), stdin);
- ans[strlen(ans) - 1] = 0;
-
- if (family == AF_INET) {
-@@ -963,7 +969,7 @@
- }
- case 'c':
- printf("fstype? ");
-- fgets(ans, sizeof(ans), stdin);
-+ FGETS(ans, sizeof(ans), stdin);
- ans[strlen(ans) - 1] = 0;
- sepol_fs_use(ans, &uret, &ssid);
- switch (uret) {
-@@ -987,15 +993,15 @@
- break;
- case 'd':
- printf("fstype? ");
-- fgets(ans, sizeof(ans), stdin);
-+ FGETS(ans, sizeof(ans), stdin);
- ans[strlen(ans) - 1] = 0;
- fstype = strdup(ans);
- printf("path? ");
-- fgets(ans, sizeof(ans), stdin);
-+ FGETS(ans, sizeof(ans), stdin);
- ans[strlen(ans) - 1] = 0;
- path = strdup(ans);
- printf("object class? ");
-- fgets(ans, sizeof(ans), stdin);
-+ FGETS(ans, sizeof(ans), stdin);
- if (isdigit(ans[0])) {
- tclass = atoi(ans);
- if (!tclass || tclass > policydb.p_classes.nprim) {
-@@ -1019,12 +1025,12 @@
- break;
- case 'e':
- printf("from SID? ");
-- fgets(ans, sizeof(ans), stdin);
-+ FGETS(ans, sizeof(ans), stdin);
- ans[strlen(ans) - 1] = 0;
- ssid = atoi(ans);
-
- printf("username? ");
-- fgets(ans, sizeof(ans), stdin);
-+ FGETS(ans, sizeof(ans), stdin);
- ans[strlen(ans) - 1] = 0;
-
- ret = sepol_get_user_sids(ssid, ans, &sids, &nel);
-@@ -1055,7 +1061,7 @@
- break;
- case 'h':
- printf("name? ");
-- fgets(ans, sizeof(ans), stdin);
-+ FGETS(ans, sizeof(ans), stdin);
- ans[strlen(ans) - 1] = 0;
-
- name = malloc((strlen(ans) + 1) * sizeof(char));
-@@ -1067,7 +1073,7 @@
-
-
- printf("state? ");
-- fgets(ans, sizeof(ans), stdin);
-+ FGETS(ans, sizeof(ans), stdin);
- ans[strlen(ans) - 1] = 0;
-
- if (atoi(ans))
diff --git a/checkpolicy.spec b/checkpolicy.spec
index dfba119..6d06546 100644
--- a/checkpolicy.spec
+++ b/checkpolicy.spec
@@ -1,7 +1,7 @@
-%define libsepolver 1.7-1
+%define libsepolver 1.7.6-2
 Summary: SELinux policy compiler
 Name: checkpolicy
-Version: 1.25.2
+Version: 1.25.3
 Release: 1
 License: GPL
 Group: Development/System
@@ -46,6 +46,10 @@ rm -rf ${RPM_BUILD_ROOT}
 %{_mandir}/man8/checkpolicy.8.gz
 %changelog
+* Thu Jul 28 2005 Dan Walsh 1.25.3-1
+- Update to NSA Release
+ * Merged hierarchy check fix from Joshua Brindle (Tresys).
+
+* Thu Jul 7 2005 Dan Walsh 1.25.2-1
 - Update to NSA Release
 * Merged loadable module support from Tresys Technology.
diff --git a/sources b/sources
index c728aa5..8fb6a54 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-8706f700c02a74653993eeab593e2983 checkpolicy-1.25.2.tgz
+017740afa940e476bac125466664595c checkpolicy-1.25.3.tgz
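Review bot: In main() of the new semodule_package.c (inside the checkpolicy-rhat.patch hunk), the output package argv[1] is opened with mode "w" before argv[2] or argv[3] is opened, so a missing or unreadable input aborts only after an existing package at that path has already been truncated to zero bytes; the output FILE is also never fclose()'d, so a write error that only surfaces when the stdio buffer is flushed goes unreported and the program still returns 0. Open both inputs first, then the output, and finish with a checked `fclose(out.fp)` so a truncated package cannot be left behind with a successful exit status. The `extern char *optarg;` declaration is unused, since nothing in the file calls getopt(), and can be dropped. The rewritten body of main() follows; usage() and file_to_policy_file() are unchanged.

```c
int main(int argc, char **argv)
{
	struct policy_file out, mod, fc;

	if (argc < 3 || argc > 4)
		usage(argv[0]);

	/* Open every input before creating the output, so a bad input
	 * cannot truncate a package that already exists at argv[1]. */
	if (file_to_policy_file(argv[2], &mod, "r"))
		exit(1);
	if (argc == 4 && file_to_policy_file(argv[3], &fc, "r"))
		exit(1);

	if (file_to_policy_file(argv[1], &out, "w"))
		exit(1);

	if (semod_module_package_create(&mod, argc == 4 ? &fc : NULL, &out)) {
		fprintf(stderr, "Could not write module package\n");
		exit(1);
	}

	/* Buffered write errors are only reported when the stream is closed. */
	if (fclose(out.fp) != 0) {
		fprintf(stderr, "Could not write module package %s\n", argv[1]);
		exit(1);
	}

	return 0;
}
```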