rpms
/
checkpolicy
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Compare commits

base: rpms:a85176781b1d292601df2b2912d98b259d09e8e5
Branches Tags
rpms:c8
rpms:c9
rpms:c9-beta
rpms:c9s
rpms:c8-beta
rpms:c8s
rpms:imports/c9/checkpolicy-3.6-1.el9
rpms:imports/c9/checkpolicy-3.5-1.el9
rpms:imports/c9-beta/checkpolicy-3.5-1.el9
rpms:imports/c9/checkpolicy-3.4-1.el9
rpms:imports/c9-beta/checkpolicy-3.4-1.el9
rpms:imports/c9/checkpolicy-3.3-1.el9
rpms:imports/c9-beta/checkpolicy-3.3-1.el9
rpms:imports/c9-beta/checkpolicy-3.2-4.el9
rpms:imports/c8-beta/checkpolicy-2.9-1.el8
rpms:imports/c8s/checkpolicy-2.9-1.el8
rpms:imports/c8/checkpolicy-2.9-1.el8
rpms:imports/c8/checkpolicy-2.8-2.el8
...
compare: rpms:b8533e5ff3fea61bfcbdae41dc878f409661b052
Branches Tags
rpms:c9
rpms:c9-beta
rpms:c9s
rpms:c8-beta
rpms:c8s
rpms:c8
rpms:imports/c9/checkpolicy-3.6-1.el9
rpms:imports/c9/checkpolicy-3.5-1.el9
rpms:imports/c9-beta/checkpolicy-3.5-1.el9
rpms:imports/c9/checkpolicy-3.4-1.el9
rpms:imports/c9-beta/checkpolicy-3.4-1.el9
rpms:imports/c9/checkpolicy-3.3-1.el9
rpms:imports/c9-beta/checkpolicy-3.3-1.el9
rpms:imports/c9-beta/checkpolicy-3.2-4.el9
rpms:imports/c8-beta/checkpolicy-2.9-1.el8
rpms:imports/c8s/checkpolicy-2.9-1.el8
rpms:imports/c8/checkpolicy-2.9-1.el8
rpms:imports/c8/checkpolicy-2.8-2.el8

10 Commits
a85176781b ... b8533e5ff3

Author SHA1 Message Date
Petr Lautrbach b8533e5ff3 SELinux userspace 3.5 release 2023-05-18 10:32:39 +00:00
Petr Lautrbach 5a90bd37cd SELinux userspace 3.5-rc3 release 
Resolves: rhbz#2145230
 2023-02-15 05:48:26 +01:00
Petr Lautrbach 172aa6a9c7 SELinux userspace 3.5-rc2 release 
Resolves: rhbz#2145230
 2023-01-17 10:11:01 +01:00
Petr Lautrbach 2bf78f3526 checkpolicy-3.5-0.rc1.1 
- SELinux userspace 3.5-rc1 release
Resolves: rhbz#2145230
 2023-01-02 16:15:05 +01:00
Petr Lautrbach 59be98a24f run tests via TMT/FMF 
Related: rhbz#2145230
 2023-01-02 16:14:48 +01:00
Petr Lautrbach 36ad04f322 SELinux userspace 3.4 release 
Resolves: rhbz#2079287
 2022-05-20 07:12:15 +02:00
Petr Lautrbach 0948ba07a7 SELinux userspace 3.3 release 
Resolves: rhbz#2003552
 2021-10-24 18:35:20 +02:00
Petr Lautrbach 2e94ed4b6e SELinux userspace 3.3-rc3 release 
Resolves: rhbz#2003552
 2021-10-24 18:35:17 +02:00
Petr Lautrbach 04ac4f468c SELinux userspace 3.3-rc2 release 
Resolves: rhbz#2003552
 2021-09-30 15:40:30 +02:00
Mohan Boddu f83088e739 Rebuilt for IMA sigs, glibc 2.34, aarch64 flags 
Related: rhbz#1991688
Signed-off-by: Mohan Boddu <mboddu@redhat.com>
 2021-08-09 19:35:42 +00:00
42 changed files with 53 additions and 2189 deletions
Show Stats Expand all files Collapse all files

1
.checkpolicy.metadata Normal file
View File

@ -0,0 +1 @@
40e9c6939db7a94552dc971fc871286812bcea3b checkpolicy-3.5.tar.gz

1
.fmf/version Normal file
View File

@ -0,0 +1 @@
1

8
.gitignore vendored
View File

@ -108,3 +108,11 @@ checkpolicy-2.0.22.tgz
/checkpolicy-3.2-rc1.tar.gz
/checkpolicy-3.2-rc2.tar.gz
/checkpolicy-3.2.tar.gz
/checkpolicy-3.3-rc2.tar.gz
/checkpolicy-3.3-rc3.tar.gz
/checkpolicy-3.3.tar.gz
/checkpolicy-3.4.tar.gz
/checkpolicy-3.5-rc1.tar.gz
/checkpolicy-3.5-rc2.tar.gz
/checkpolicy-3.5-rc3.tar.gz
/checkpolicy-3.5.tar.gz

78
0001-libsepol-checkpolicy-Set-user-roles-using-role-value.patch
View File

@ -1,78 +0,0 @@
From dcd07fdcbf3ba9fc47aef924b9b9f81bdefcb18b Mon Sep 17 00:00:00 2001
From: James Carter <jwcart2@gmail.com>
Date: Mon, 8 Mar 2021 15:49:23 -0500
Subject: [PATCH] libsepol/checkpolicy: Set user roles using role value instead
of dominance
Roles in an optional block have two datums, one in the global block
and one in the avrule_decl where it is declared. The datum in the
global block does not have its dominace set. This is a problem because
the function set_user_role() sets the user's roles based on the global
datum's dominance ebitmap. If a user is declared with an associated role
that was declared in an optional block, then it will not have any roles
set for it because the dominance ebitmap is empty.
Example/
# handle_unknown deny
class CLASS1
sid kernel
class CLASS1 { PERM1 }
type TYPE1;
allow TYPE1 self:CLASS1 PERM1;
role ROLE1;
role ROLE1 types { TYPE1 };
optional {
require {
class CLASS1 { PERM1 };
}
role ROLE1A;
user USER1A roles ROLE1A;
}
user USER1 roles ROLE1;
sid kernel USER1:ROLE1:TYPE1
In this example, USER1A would not have ROLE1A associated with it.
Instead of using dominance, which has been deprecated anyway, just
set the bit corresponding to the role's value in the user's roles
ebitmap in set_user_role().
Signed-off-by: James Carter <jwcart2@gmail.com>
Acked-by: Nicolas Iooss <nicolas.iooss@m4x.org>
[N.I: added spaces around "-" operator]
---
checkpolicy/policy_define.c | 9 ++-------
1 file changed, 2 insertions(+), 7 deletions(-)
diff --git a/checkpolicy/policy_define.c b/checkpolicy/policy_define.c
index c9286f7733c5..16234f31bbc3 100644
--- a/checkpolicy/policy_define.c
+++ b/checkpolicy/policy_define.c
@@ -4088,8 +4088,6 @@ cond_expr_t *define_cond_expr(uint32_t expr_type, void *arg1, void *arg2)
static int set_user_roles(role_set_t * set, char *id)
{
role_datum_t *r;
- unsigned int i;
- ebitmap_node_t *node;
if (strcmp(id, "*") == 0) {
free(id);
@@ -4115,12 +4113,9 @@ static int set_user_roles(role_set_t * set, char *id)
return -1;
}
- /* set the role and every role it dominates */
- ebitmap_for_each_positive_bit(&r->dominates, node, i) {
- if (ebitmap_set_bit(&set->roles, i, TRUE))
- goto oom;
- }
free(id);
+ if (ebitmap_set_bit(&set->roles, r->s.value - 1, TRUE))
+ goto oom;
return 0;
oom:
yyerror("out of memory");
--
2.32.0

97
0002-checkpolicy-Do-not-automatically-upgrade-when-using-.patch
View File

@ -1,97 +0,0 @@
From 750cc1136d054b77e84cd55be5fbe0e8ad0174e8 Mon Sep 17 00:00:00 2001
From: James Carter <jwcart2@gmail.com>
Date: Mon, 15 Mar 2021 11:09:37 -0400
Subject: [PATCH] checkpolicy: Do not automatically upgrade when using "-b"
flag
When reading a binary policy, do not automatically change the version
to the max policy version supported by libsepol or, if specified, the
value given using the "-c" flag.
If the binary policy version is less than or equal to version 23
(POLICYDB_VERSION_PERMISSIVE) than do not automatically upgrade the
policy and if a policy version is specified by the "-c" flag, only set
the binary policy to the specified version if it is lower than the
current version.
If the binary policy version is greater than version 23 than it should
be set to the maximum version supported by libsepol or, if specified,
the value given by the "-c" flag.
The reason for this change is that policy versions 20
(POLICYDB_VERSION_AVTAB) to 23 have a more primitive support for type
attributes where the datums are not written out, but they exist in the
type_attr_map. This means that when the binary policy is read by
libsepol, there will be gaps in the type_val_to_struct and
p_type_val_to_name arrays and policy rules can refer to those gaps.
Certain libsepol functions like sepol_kernel_policydb_to_conf() and
sepol_kernel_policydb_to_cil() do not support this behavior and need
to be able to identify these policies. Policies before version 20 do not
support attributes at all and can be handled by all libsepol functions.
Signed-off-by: James Carter <jwcart2@gmail.com>
---
checkpolicy/checkpolicy.c | 19 +++++++++++++++----
1 file changed, 15 insertions(+), 4 deletions(-)
diff --git a/checkpolicy/checkpolicy.c b/checkpolicy/checkpolicy.c
index 5841c5c4c196..acf1eac41559 100644
--- a/checkpolicy/checkpolicy.c
+++ b/checkpolicy/checkpolicy.c
@@ -106,7 +106,7 @@ static int handle_unknown = SEPOL_DENY_UNKNOWN;
static const char *txtfile = "policy.conf";
static const char *binfile = "policy";
-unsigned int policyvers = POLICYDB_VERSION_MAX;
+unsigned int policyvers = 0;
static __attribute__((__noreturn__)) void usage(const char *progname)
{
@@ -515,7 +515,8 @@ int main(int argc, char **argv)
}
if (show_version) {
- printf("%d (compatibility range %d-%d)\n", policyvers,
+ printf("%d (compatibility range %d-%d)\n",
+ policyvers ? policyvers : POLICYDB_VERSION_MAX ,
POLICYDB_VERSION_MAX, POLICYDB_VERSION_MIN);
exit(0);
}
@@ -588,6 +589,16 @@ int main(int argc, char **argv)
exit(1);
}
}
+
+ if (policydbp->policyvers <= POLICYDB_VERSION_PERMISSIVE) {
+ if (policyvers > policydbp->policyvers) {
+ fprintf(stderr, "Binary policies with version <= %u cannot be upgraded\n", POLICYDB_VERSION_PERMISSIVE);
+ } else if (policyvers) {
+ policydbp->policyvers = policyvers;
+ }
+ } else {
+ policydbp->policyvers = policyvers ? policyvers : POLICYDB_VERSION_MAX;
+ }
} else {
if (conf) {
fprintf(stderr, "Can only generate policy.conf from binary policy\n");
@@ -629,6 +640,8 @@ int main(int argc, char **argv)
policydb_destroy(policydbp);
policydbp = &policydb;
}
+
+ policydbp->policyvers = policyvers ? policyvers : POLICYDB_VERSION_MAX;
}
if (policydb_load_isids(&policydb, &sidtab))
@@ -654,8 +667,6 @@ int main(int argc, char **argv)
}
}
- policydb.policyvers = policyvers;
-
if (!cil) {
if (!conf) {
policydb.policy_type = POLICY_KERN;
--
2.32.0

48
0003-checkpolicy-silence-Wextra-semi-stmt-warning.patch
View File

@ -1,48 +0,0 @@
From ed7e3348d18bb00bcfcb3da6d4265307425bb882 Mon Sep 17 00:00:00 2001
From: Nicolas Iooss <nicolas.iooss@m4x.org>
Date: Sat, 3 Jul 2021 16:31:20 +0200
Subject: [PATCH] checkpolicy: silence -Wextra-semi-stmt warning
On Ubuntu 20.04, when building with clang -Werror -Wextra-semi-stmt
(which is not the default build configuration), the compiler reports:
checkpolicy.c:740:33: error: empty expression statement has no
effect; remove unnecessary ';' to silence this warning
[-Werror,-Wextra-semi-stmt]
FGETS(ans, sizeof(ans), stdin);
^
Introduce "do { } while (0)" blocks to silence such warnings.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
---
checkpolicy/checkpolicy.c | 13 ++++++++-----
1 file changed, 8 insertions(+), 5 deletions(-)
diff --git a/checkpolicy/checkpolicy.c b/checkpolicy/checkpolicy.c
index acf1eac41559..8af31db5c6b7 100644
--- a/checkpolicy/checkpolicy.c
+++ b/checkpolicy/checkpolicy.c
@@ -119,11 +119,14 @@ static __attribute__((__noreturn__)) void usage(const char *progname)
}
#define FGETS(out, size, in) \
-if (fgets(out,size,in)==NULL) { \
- fprintf(stderr, "fgets failed at line %d: %s\n", __LINE__,\
- strerror(errno)); \
- exit(1);\
-}
+do { \
+ if (fgets(out,size,in)==NULL) { \
+ fprintf(stderr, "fgets failed at line %d: %s\n", __LINE__, \
+ strerror(errno)); \
+ exit(1);\
+ } \
+} while (0)
+
static int print_sid(sepol_security_id_t sid,
context_struct_t * context
__attribute__ ((unused)), void *data
--
2.32.0

54
0004-checkpolicy-pass-CFLAGS-at-link-stage.patch
View File

@ -1,54 +0,0 @@
From 40e2f98519ba3fc6a4a0f2b4a2b8b0e1d864fd9e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
Date: Tue, 6 Jul 2021 19:54:21 +0200
Subject: [PATCH] checkpolicy: pass CFLAGS at link stage
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Pass CFLAGS when invoking CC at link time, it might contain optimization
or sanitizer flags required for linking.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
---
checkpolicy/Makefile | 4 ++--
checkpolicy/test/Makefile | 4 ++--
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/checkpolicy/Makefile b/checkpolicy/Makefile
index 0d282ef93d14..be63c0182682 100644
--- a/checkpolicy/Makefile
+++ b/checkpolicy/Makefile
@@ -30,10 +30,10 @@ all: $(TARGETS)
$(MAKE) -C test
checkpolicy: $(CHECKPOLOBJS) $(LIBSEPOLA)
- $(CC) -o $@ $^ $(LDFLAGS) $(LDLIBS_LIBSEPOLA)
+ $(CC) $(CFLAGS) -o $@ $^ $(LDFLAGS) $(LDLIBS_LIBSEPOLA)
checkmodule: $(CHECKMODOBJS) $(LIBSEPOLA)
- $(CC) -o $@ $^ $(LDFLAGS) $(LDLIBS_LIBSEPOLA)
+ $(CC) $(CFLAGS) -o $@ $^ $(LDFLAGS) $(LDLIBS_LIBSEPOLA)
%.o: %.c
$(CC) $(CFLAGS) -o $@ -c $<
diff --git a/checkpolicy/test/Makefile b/checkpolicy/test/Makefile
index 89e7557c7aa6..e2a332b5a079 100644
--- a/checkpolicy/test/Makefile
+++ b/checkpolicy/test/Makefile
@@ -13,10 +13,10 @@ endif
all: dispol dismod
dispol: dispol.o $(LIBSEPOLA)
- $(CC) $(LDFLAGS) -o $@ $^ $(LDLIBS_LIBSEPOLA)
+ $(CC) $(CFLAGS) $(LDFLAGS) -o $@ $^ $(LDLIBS_LIBSEPOLA)
dismod: dismod.o $(LIBSEPOLA)
- $(CC) $(LDFLAGS) -o $@ $^ $(LDLIBS_LIBSEPOLA)
+ $(CC) $(CFLAGS) $(LDFLAGS) -o $@ $^ $(LDLIBS_LIBSEPOLA)
clean:
-rm -f dispol dismod *.o
--
2.32.0

49
0005-checkpolicy-drop-pipe-compile-option.patch
View File

@ -1,49 +0,0 @@
From 02678b9d40f7de5cae1840f3d7ceedf1499c84a8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
Date: Tue, 6 Jul 2021 19:54:22 +0200
Subject: [PATCH] checkpolicy: drop -pipe compile option
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The compiler option -pipe does not affect the generated code; it affects
whether the compiler uses temporary files or pipes. As the benefit might
vary from system to system usually its up to the packager or build
framework to set it.
Also these are the only places where the flag is used.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
---
checkpolicy/Makefile | 2 +-
checkpolicy/test/Makefile | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/checkpolicy/Makefile b/checkpolicy/Makefile
index be63c0182682..f9e1fc7cecd4 100644
--- a/checkpolicy/Makefile
+++ b/checkpolicy/Makefile
@@ -10,7 +10,7 @@ TARGETS = checkpolicy checkmodule
LEX = flex
YACC = bison -y
-CFLAGS ?= -g -Wall -Werror -Wshadow -O2 -pipe -fno-strict-aliasing
+CFLAGS ?= -g -Wall -Werror -Wshadow -O2 -fno-strict-aliasing
# If no specific libsepol.a is specified, fall back on LDFLAGS search path
# Otherwise, as $(LIBSEPOLA) already appears in the dependencies, there
diff --git a/checkpolicy/test/Makefile b/checkpolicy/test/Makefile
index e2a332b5a079..8e5d16b3c5f0 100644
--- a/checkpolicy/test/Makefile
+++ b/checkpolicy/test/Makefile
@@ -1,7 +1,7 @@
#
# Makefile for building the dispol program
#
-CFLAGS ?= -g -Wall -W -Werror -O2 -pipe
+CFLAGS ?= -g -Wall -W -Werror -O2
# If no specific libsepol.a is specified, fall back on LDFLAGS search path
# Otherwise, as $(LIBSEPOLA) already appears in the dependencies, there
--
2.32.0

42
0006-checkpolicy-simplify-assignment.patch
View File

@ -1,42 +0,0 @@
From 7cdb2a8fd2af0a063d6e505fd1250ca10ebbea11 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
Date: Tue, 6 Jul 2021 19:54:23 +0200
Subject: [PATCH] checkpolicy: simplify assignment
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
checkpolicy.c:504:20: style: The statement 'if (policyvers!=n) policyvers=n' is logically equivalent to 'policyvers=n'. [duplicateConditionalAssign]
if (policyvers != n)
^
checkpolicy.c:505:17: note: Assignment 'policyvers=n'
policyvers = n;
^
checkpolicy.c:504:20: note: Condition 'policyvers!=n' is redundant
if (policyvers != n)
^
Found by Cppcheck
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
---
checkpolicy/checkpolicy.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/checkpolicy/checkpolicy.c b/checkpolicy/checkpolicy.c
index 8af31db5c6b7..b52595a87b29 100644
--- a/checkpolicy/checkpolicy.c
+++ b/checkpolicy/checkpolicy.c
@@ -504,8 +504,7 @@ int main(int argc, char **argv)
usage(argv[0]);
exit(1);
}
- if (policyvers != n)
- policyvers = n;
+ policyvers = n;
break;
}
case 'E':
--
2.32.0

47
0007-checkpolicy-drop-dead-condition.patch
View File

@ -1,47 +0,0 @@
From db674bf2186b34a3712e2069c769131503dcb9ff Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
Date: Tue, 6 Jul 2021 19:54:24 +0200
Subject: [PATCH] checkpolicy: drop dead condition
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The variable `id` is guaranteed to be non-NULL due to the preceding
while condition.
policy_define.c:1171:7: style: Condition '!id' is always false [knownConditionTrueFalse]
if (!id) {
^
policy_define.c:1170:13: note: Assuming that condition 'id=queue_remove(id_queue)' is not redundant
while ((id = queue_remove(id_queue))) {
^
policy_define.c:1171:7: note: Condition '!id' is always false
if (!id) {
^
Found by Cppcheck.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
---
checkpolicy/policy_define.c | 5 -----
1 file changed, 5 deletions(-)
diff --git a/checkpolicy/policy_define.c b/checkpolicy/policy_define.c
index 16234f31bbc3..7eff747adacf 100644
--- a/checkpolicy/policy_define.c
+++ b/checkpolicy/policy_define.c
@@ -1168,11 +1168,6 @@ int expand_attrib(void)
ebitmap_init(&attrs);
while ((id = queue_remove(id_queue))) {
- if (!id) {
- yyerror("No attribute name for expandattribute statement?");
- goto exit;
- }
-
if (!is_id_in_scope(SYM_TYPES, id)) {
yyerror2("attribute %s is not within scope", id);
goto exit;
--
2.32.0

52
0008-checkpolicy-use-correct-format-specifier-for-unsigne.patch
View File

@ -1,52 +0,0 @@
From babc3d53518b7f9f01b83b9c997f9233a58af92b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
Date: Tue, 6 Jul 2021 19:54:25 +0200
Subject: [PATCH] checkpolicy: use correct format specifier for unsigned
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
test/dispol.c:288:4: warning: %d in format string (no. 1) requires 'int' but the argument type is 'unsigned int'. [invalidPrintfArgType_sint]
snprintf(buf, sizeof(buf), "unknown (%d)", i);
^
test/dismod.c:830:4: warning: %d in format string (no. 1) requires 'int' but the argument type is 'unsigned int'. [invalidPrintfArgType_sint]
snprintf(buf, sizeof(buf), "unknown (%d)", i);
^
Found by Cppcheck.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
---
checkpolicy/test/dismod.c | 2 +-
checkpolicy/test/dispol.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/checkpolicy/test/dismod.c b/checkpolicy/test/dismod.c
index 3408e9b6b767..fadbc8d16695 100644
--- a/checkpolicy/test/dismod.c
+++ b/checkpolicy/test/dismod.c
@@ -827,7 +827,7 @@ static void display_policycaps(policydb_t * p, FILE * fp)
ebitmap_for_each_positive_bit(&p->policycaps, node, i) {
capname = sepol_polcap_getname(i);
if (capname == NULL) {
- snprintf(buf, sizeof(buf), "unknown (%d)", i);
+ snprintf(buf, sizeof(buf), "unknown (%u)", i);
capname = buf;
}
fprintf(fp, "\t%s\n", capname);
diff --git a/checkpolicy/test/dispol.c b/checkpolicy/test/dispol.c
index 8785b7252824..37f71842c9e6 100644
--- a/checkpolicy/test/dispol.c
+++ b/checkpolicy/test/dispol.c
@@ -285,7 +285,7 @@ static void display_policycaps(policydb_t * p, FILE * fp)
ebitmap_for_each_positive_bit(&p->policycaps, node, i) {
capname = sepol_polcap_getname(i);
if (capname == NULL) {
- snprintf(buf, sizeof(buf), "unknown (%d)", i);
+ snprintf(buf, sizeof(buf), "unknown (%u)", i);
capname = buf;
}
fprintf(fp, "\t%s\n", capname);
--
2.32.0

75
0009-checkpolicy-follow-declaration-after-statement.patch
View File

@ -1,75 +0,0 @@
From 79e7724930d49cc8cdac4c7d4e80b1fafd22d1d7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
Date: Tue, 6 Jul 2021 19:54:26 +0200
Subject: [PATCH] checkpolicy: follow declaration-after-statement
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Follow the project style of no declaration after statement.
Found by the GCC warning -Wdeclaration-after-statement.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
---
checkpolicy/checkmodule.c | 6 ++++--
checkpolicy/policy_define.c | 3 ++-
checkpolicy/test/dismod.c | 2 +-
3 files changed, 7 insertions(+), 4 deletions(-)
diff --git a/checkpolicy/checkmodule.c b/checkpolicy/checkmodule.c
index 40d0ec9924e9..316b289865e1 100644
--- a/checkpolicy/checkmodule.c
+++ b/checkpolicy/checkmodule.c
@@ -288,14 +288,16 @@ int main(int argc, char **argv)
}
if (policy_type != POLICY_BASE && outfile) {
+ char *out_name;
+ char *separator;
char *mod_name = modpolicydb.name;
char *out_path = strdup(outfile);
if (out_path == NULL) {
fprintf(stderr, "%s: out of memory\n", argv[0]);
exit(1);
}
- char *out_name = basename(out_path);
- char *separator = strrchr(out_name, '.');
+ out_name = basename(out_path);
+ separator = strrchr(out_name, '.');
if (separator) {
*separator = '\0';
}
diff --git a/checkpolicy/policy_define.c b/checkpolicy/policy_define.c
index 7eff747adacf..049df55f8468 100644
--- a/checkpolicy/policy_define.c
+++ b/checkpolicy/policy_define.c
@@ -1904,9 +1904,10 @@ int avrule_read_ioctls(struct av_ioctl_range_list **rangehead)
{
char *id;
struct av_ioctl_range_list *rnew, *r = NULL;
- *rangehead = NULL;
uint8_t omit = 0;
+ *rangehead = NULL;
+
/* read in all the ioctl commands */
while ((id = queue_remove(id_queue))) {
if (strcmp(id,"~") == 0) {
diff --git a/checkpolicy/test/dismod.c b/checkpolicy/test/dismod.c
index fadbc8d16695..b1b96115e79e 100644
--- a/checkpolicy/test/dismod.c
+++ b/checkpolicy/test/dismod.c
@@ -697,8 +697,8 @@ int display_avblock(int field, policydb_t * policy,
{
avrule_block_t *block = policydb.global;
while (block != NULL) {
- fprintf(out_fp, "--- begin avrule block ---\n");
avrule_decl_t *decl = block->branch_list;
+ fprintf(out_fp, "--- begin avrule block ---\n");
while (decl != NULL) {
if (display_avdecl(decl, field, policy, out_fp)) {
return -1;
--
2.32.0

43
0010-checkpolicy-remove-dead-assignments.patch
View File

@ -1,43 +0,0 @@
From 7723180fa09b0c483c07a76a4678f2c2cd51bff6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
Date: Tue, 6 Jul 2021 19:54:27 +0200
Subject: [PATCH] checkpolicy: remove dead assignments
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The variable `cladatum` is otherwise always assigned before used, so
these two assignments without a follow up usages are not needed.
Found by clang-analyzer.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
---
checkpolicy/checkpolicy.c | 4 ----
1 file changed, 4 deletions(-)
diff --git a/checkpolicy/checkpolicy.c b/checkpolicy/checkpolicy.c
index b52595a87b29..58edcc34e8cc 100644
--- a/checkpolicy/checkpolicy.c
+++ b/checkpolicy/checkpolicy.c
@@ -1179,8 +1179,6 @@ int main(int argc, char **argv)
printf("\nNo such class.\n");
break;
}
- cladatum =
- policydb.class_val_to_struct[tclass - 1];
} else {
ans[strlen(ans) - 1] = 0;
cladatum =
@@ -1232,8 +1230,6 @@ int main(int argc, char **argv)
printf("\nNo such class.\n");
break;
}
- cladatum =
- policydb.class_val_to_struct[tclass - 1];
} else {
ans[strlen(ans) - 1] = 0;
cladatum =
--
2.32.0

43
0011-checkpolicy-check-before-potential-NULL-dereference.patch
View File

@ -1,43 +0,0 @@
From 5a10f05f53ef78c48ebce3d512960c71100073d0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
Date: Tue, 6 Jul 2021 19:54:28 +0200
Subject: [PATCH] checkpolicy: check before potential NULL dereference
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
policy_define.c: In function define_te_avtab_extended_perms:
policy_define.c:1946:17: error: potential null pointer dereference [-Werror=null-dereference]
1946 | r->omit = omit;
| ^
In the case of `r` being NULL, avrule_read_ioctls() would return
with its parameter `rangehead` being a pointer to NULL, which is
considered a failure in its caller `avrule_ioctl_ranges`.
So it is not necessary to alter the return value.
Found by GCC 11 with LTO enabled.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
---
checkpolicy/policy_define.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/checkpolicy/policy_define.c b/checkpolicy/policy_define.c
index 049df55f8468..887857851504 100644
--- a/checkpolicy/policy_define.c
+++ b/checkpolicy/policy_define.c
@@ -1943,7 +1943,9 @@ int avrule_read_ioctls(struct av_ioctl_range_list **rangehead)
}
}
r = *rangehead;
- r->omit = omit;
+ if (r) {
+ r->omit = omit;
+ }
return 0;
error:
yyerror("out of memory");
--
2.32.0

62
0012-checkpolicy-avoid-potential-use-of-uninitialized-var.patch
View File

@ -1,62 +0,0 @@
From 5218bf4b262ae6c3aa0ec72c5116a73bbdb7806f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
Date: Tue, 6 Jul 2021 19:54:29 +0200
Subject: [PATCH] checkpolicy: avoid potential use of uninitialized variable
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
checkpolicy.c: In function main:
checkpolicy.c:1000:25: error: tsid may be used uninitialized in this function [-Werror=maybe-uninitialized]
1000 | printf("if_sid %d default_msg_sid %d\n", ssid, tsid);
| ^
checkpolicy.c: In function main:
checkpolicy.c:971:25: error: tsid may be used uninitialized in this function [-Werror=maybe-uninitialized]
971 | printf("fs_sid %d default_file_sid %d\n", ssid, tsid);
| ^
Found by GCC 11 with LTO enabled.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
---
checkpolicy/checkpolicy.c | 16 ++++++++++++----
1 file changed, 12 insertions(+), 4 deletions(-)
diff --git a/checkpolicy/checkpolicy.c b/checkpolicy/checkpolicy.c
index 58edcc34e8cc..e6cfd3372022 100644
--- a/checkpolicy/checkpolicy.c
+++ b/checkpolicy/checkpolicy.c
@@ -970,8 +970,12 @@ int main(int argc, char **argv)
printf("fs kdevname? ");
FGETS(ans, sizeof(ans), stdin);
ans[strlen(ans) - 1] = 0;
- sepol_fs_sid(ans, &ssid, &tsid);
- printf("fs_sid %d default_file_sid %d\n", ssid, tsid);
+ ret = sepol_fs_sid(ans, &ssid, &tsid);
+ if (ret) {
+ printf("unknown fs kdevname\n");
+ } else {
+ printf("fs_sid %d default_file_sid %d\n", ssid, tsid);
+ }
break;
case '9':
printf("protocol? ");
@@ -999,8 +1003,12 @@ int main(int argc, char **argv)
printf("netif name? ");
FGETS(ans, sizeof(ans), stdin);
ans[strlen(ans) - 1] = 0;
- sepol_netif_sid(ans, &ssid, &tsid);
- printf("if_sid %d default_msg_sid %d\n", ssid, tsid);
+ ret = sepol_netif_sid(ans, &ssid, &tsid);
+ if (ret) {
+ printf("unknown name\n");
+ } else {
+ printf("if_sid %d default_msg_sid %d\n", ssid, tsid);
+ }
break;
case 'b':{
char *p;
--
2.32.0

31
0013-checkpolicy-drop-redundant-cast-to-the-same-type.patch
View File

@ -1,31 +0,0 @@
From 4e3d0990c6be73419df3c32b7de98c992797e3ef Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
Date: Tue, 6 Jul 2021 19:54:30 +0200
Subject: [PATCH] checkpolicy: drop redundant cast to the same type
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Found by clang-tidy.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
---
checkpolicy/policy_define.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/checkpolicy/policy_define.c b/checkpolicy/policy_define.c
index 887857851504..efe3a1a26315 100644
--- a/checkpolicy/policy_define.c
+++ b/checkpolicy/policy_define.c
@@ -1796,7 +1796,7 @@ int define_bool_tunable(int is_tunable)
return -1;
}
- datum->state = (int)(bool_value[0] == 'T') ? 1 : 0;
+ datum->state = (bool_value[0] == 'T') ? 1 : 0;
free(bool_value);
return 0;
cleanup:
--
2.32.0

28
0014-checkpolicy-parse_util-drop-unused-declaration.patch
View File

@ -1,28 +0,0 @@
From 47f4cbd357fa0b0dc46e2e95ce10fc2d9a586061 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
Date: Tue, 6 Jul 2021 19:54:31 +0200
Subject: [PATCH] checkpolicy: parse_util drop unused declaration
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
---
checkpolicy/parse_util.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/checkpolicy/parse_util.c b/checkpolicy/parse_util.c
index f2809b483be3..1795e93c31e4 100644
--- a/checkpolicy/parse_util.c
+++ b/checkpolicy/parse_util.c
@@ -28,7 +28,6 @@ extern int yyparse(void);
extern void yyrestart(FILE *);
extern queue_t id_queue;
extern unsigned int policydb_errors;
-extern unsigned long policydb_lineno;
extern policydb_t *policydbp;
extern int mlspol;
extern void set_source_file(const char *name);
--
2.32.0

282
0015-checkpolicy-test-mark-file-local-functions-static.patch
View File

@ -1,282 +0,0 @@
From b306cd5b90979a4d6e1a85b842835deb77272873 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
Date: Tue, 6 Jul 2021 19:54:32 +0200
Subject: [PATCH] checkpolicy/test: mark file local functions static
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
---
checkpolicy/test/dismod.c | 36 ++++++++++++++++++------------------
checkpolicy/test/dispol.c | 22 +++++++++++-----------
2 files changed, 29 insertions(+), 29 deletions(-)
diff --git a/checkpolicy/test/dismod.c b/checkpolicy/test/dismod.c
index b1b96115e79e..90c293186afd 100644
--- a/checkpolicy/test/dismod.c
+++ b/checkpolicy/test/dismod.c
@@ -111,7 +111,7 @@ static void display_id(policydb_t * p, FILE * fp, uint32_t symbol_type,
}
}
-int display_type_set(type_set_t * set, uint32_t flags, policydb_t * policy,
+static int display_type_set(type_set_t * set, uint32_t flags, policydb_t * policy,
FILE * fp)
{
unsigned int i, num_types;
@@ -175,7 +175,7 @@ int display_type_set(type_set_t * set, uint32_t flags, policydb_t * policy,
return 0;
}
-int display_mod_role_set(role_set_t * roles, policydb_t * p, FILE * fp)
+static int display_mod_role_set(role_set_t * roles, policydb_t * p, FILE * fp)
{
unsigned int i, num = 0;
@@ -210,7 +210,7 @@ int display_mod_role_set(role_set_t * roles, policydb_t * p, FILE * fp)
}
-int display_avrule(avrule_t * avrule, policydb_t * policy,
+static int display_avrule(avrule_t * avrule, policydb_t * policy,
FILE * fp)
{
class_perm_node_t *cur;
@@ -313,7 +313,7 @@ int display_avrule(avrule_t * avrule, policydb_t * policy,
return 0;
}
-int display_type_callback(hashtab_key_t key, hashtab_datum_t datum, void *data)
+static int display_type_callback(hashtab_key_t key, hashtab_datum_t datum, void *data)
{
type_datum_t *type;
FILE *fp;
@@ -355,14 +355,14 @@ int display_type_callback(hashtab_key_t key, hashtab_datum_t datum, void *data)
return 0;
}
-int display_types(policydb_t * p, FILE * fp)
+static int display_types(policydb_t * p, FILE * fp)
{
if (hashtab_map(p->p_types.table, display_type_callback, fp))
return -1;
return 0;
}
-int display_users(policydb_t * p, FILE * fp)
+static int display_users(policydb_t * p, FILE * fp)
{
unsigned int i, j;
ebitmap_t *bitmap;
@@ -381,7 +381,7 @@ int display_users(policydb_t * p, FILE * fp)
return 0;
}
-int display_bools(policydb_t * p, FILE * fp)
+static int display_bools(policydb_t * p, FILE * fp)
{
unsigned int i;
@@ -392,7 +392,7 @@ int display_bools(policydb_t * p, FILE * fp)
return 0;
}
-void display_expr(policydb_t * p, cond_expr_t * exp, FILE * fp)
+static void display_expr(policydb_t * p, cond_expr_t * exp, FILE * fp)
{
cond_expr_t *cur;
@@ -427,14 +427,14 @@ void display_expr(policydb_t * p, cond_expr_t * exp, FILE * fp)
}
}
-void display_policycon(FILE * fp)
+static void display_policycon(FILE * fp)
{
/* There was an attempt to implement this at one time. Look through
* git history to find it. */
fprintf(fp, "Sorry, not implemented\n");
}
-void display_initial_sids(policydb_t * p, FILE * fp)
+static void display_initial_sids(policydb_t * p, FILE * fp)
{
ocontext_t *cur;
char *user, *role, *type;
@@ -459,7 +459,7 @@ void display_initial_sids(policydb_t * p, FILE * fp)
#endif
}
-void display_class_set(ebitmap_t *classes, policydb_t *p, FILE *fp)
+static void display_class_set(ebitmap_t *classes, policydb_t *p, FILE *fp)
{
unsigned int i, num = 0;
@@ -482,7 +482,7 @@ void display_class_set(ebitmap_t *classes, policydb_t *p, FILE *fp)
fprintf(fp, " }");
}
-void display_role_trans(role_trans_rule_t * tr, policydb_t * p, FILE * fp)
+static void display_role_trans(role_trans_rule_t * tr, policydb_t * p, FILE * fp)
{
for (; tr; tr = tr->next) {
fprintf(fp, "role transition ");
@@ -495,7 +495,7 @@ void display_role_trans(role_trans_rule_t * tr, policydb_t * p, FILE * fp)
}
}
-void display_role_allow(role_allow_rule_t * ra, policydb_t * p, FILE * fp)
+static void display_role_allow(role_allow_rule_t * ra, policydb_t * p, FILE * fp)
{
for (; ra; ra = ra->next) {
fprintf(fp, "role allow ");
@@ -517,7 +517,7 @@ static void display_filename_trans(filename_trans_rule_t * tr, policydb_t * p, F
}
}
-int role_display_callback(hashtab_key_t key __attribute__((unused)),
+static int role_display_callback(hashtab_key_t key __attribute__((unused)),
hashtab_datum_t datum, void *data)
{
role_datum_t *role;
@@ -611,7 +611,7 @@ int change_bool(char *name, int state, policydb_t * p, FILE * fp)
}
#endif
-int display_avdecl(avrule_decl_t * decl, int field,
+static int display_avdecl(avrule_decl_t * decl, int field,
policydb_t * policy, FILE * out_fp)
{
fprintf(out_fp, "decl %u:%s\n", decl->decl_id,
@@ -692,7 +692,7 @@ int display_avdecl(avrule_decl_t * decl, int field,
return 0; /* should never get here */
}
-int display_avblock(int field, policydb_t * policy,
+static int display_avblock(int field, policydb_t * policy,
FILE * out_fp)
{
avrule_block_t *block = policydb.global;
@@ -710,7 +710,7 @@ int display_avblock(int field, policydb_t * policy,
return 0;
}
-int display_handle_unknown(policydb_t * p, FILE * out_fp)
+static int display_handle_unknown(policydb_t * p, FILE * out_fp)
{
if (p->handle_unknown == ALLOW_UNKNOWN)
fprintf(out_fp, "Allow unknown classes and perms\n");
@@ -834,7 +834,7 @@ static void display_policycaps(policydb_t * p, FILE * fp)
}
}
-int menu(void)
+static int menu(void)
{
printf("\nSelect a command:\n");
printf("1) display unconditional AVTAB\n");
diff --git a/checkpolicy/test/dispol.c b/checkpolicy/test/dispol.c
index 37f71842c9e6..8ddefb04ac89 100644
--- a/checkpolicy/test/dispol.c
+++ b/checkpolicy/test/dispol.c
@@ -42,7 +42,7 @@ static __attribute__((__noreturn__)) void usage(const char *progname)
exit(1);
}
-int render_access_mask(uint32_t mask, avtab_key_t * key, policydb_t * p,
+static int render_access_mask(uint32_t mask, avtab_key_t * key, policydb_t * p,
FILE * fp)
{
char *perm;
@@ -54,13 +54,13 @@ int render_access_mask(uint32_t mask, avtab_key_t * key, policydb_t * p,
return 0;
}
-int render_type(uint32_t type, policydb_t * p, FILE * fp)
+static int render_type(uint32_t type, policydb_t * p, FILE * fp)
{
fprintf(fp, "%s", p->p_type_val_to_name[type - 1]);
return 0;
}
-int render_key(avtab_key_t * key, policydb_t * p, FILE * fp)
+static int render_key(avtab_key_t * key, policydb_t * p, FILE * fp)
{
char *stype, *ttype, *tclass;
stype = p->p_type_val_to_name[key->source_type - 1];
@@ -84,7 +84,7 @@ int render_key(avtab_key_t * key, policydb_t * p, FILE * fp)
#define RENDER_DISABLED 0x0004
#define RENDER_CONDITIONAL (RENDER_ENABLED|RENDER_DISABLED)
-int render_av_rule(avtab_key_t * key, avtab_datum_t * datum, uint32_t what,
+static int render_av_rule(avtab_key_t * key, avtab_datum_t * datum, uint32_t what,
policydb_t * p, FILE * fp)
{
if (!(what & RENDER_UNCONDITIONAL)) {
@@ -163,7 +163,7 @@ int render_av_rule(avtab_key_t * key, avtab_datum_t * datum, uint32_t what,
return 0;
}
-int display_avtab(avtab_t * a, uint32_t what, policydb_t * p, FILE * fp)
+static int display_avtab(avtab_t * a, uint32_t what, policydb_t * p, FILE * fp)
{
unsigned int i;
avtab_ptr_t cur;
@@ -178,7 +178,7 @@ int display_avtab(avtab_t * a, uint32_t what, policydb_t * p, FILE * fp)
return 0;
}
-int display_bools(policydb_t * p, FILE * fp)
+static int display_bools(policydb_t * p, FILE * fp)
{
unsigned int i;
@@ -189,7 +189,7 @@ int display_bools(policydb_t * p, FILE * fp)
return 0;
}
-void display_expr(policydb_t * p, cond_expr_t * exp, FILE * fp)
+static void display_expr(policydb_t * p, cond_expr_t * exp, FILE * fp)
{
cond_expr_t *cur;
@@ -224,7 +224,7 @@ void display_expr(policydb_t * p, cond_expr_t * exp, FILE * fp)
}
}
-int display_cond_expressions(policydb_t * p, FILE * fp)
+static int display_cond_expressions(policydb_t * p, FILE * fp)
{
cond_node_t *cur;
cond_av_list_t *av_cur;
@@ -249,7 +249,7 @@ int display_cond_expressions(policydb_t * p, FILE * fp)
return 0;
}
-int display_handle_unknown(policydb_t * p, FILE * out_fp)
+static int display_handle_unknown(policydb_t * p, FILE * out_fp)
{
if (p->handle_unknown == ALLOW_UNKNOWN)
fprintf(out_fp, "Allow unknown classes and permissions\n");
@@ -260,7 +260,7 @@ int display_handle_unknown(policydb_t * p, FILE * out_fp)
return 0;
}
-int change_bool(char *name, int state, policydb_t * p, FILE * fp)
+static int change_bool(char *name, int state, policydb_t * p, FILE * fp)
{
cond_bool_datum_t *bool;
@@ -368,7 +368,7 @@ static void display_filename_trans(policydb_t *p, FILE *fp)
hashtab_map(p->filename_trans, filenametr_display, &args);
}
-int menu(void)
+static int menu(void)
{
printf("\nSelect a command:\n");
printf("1) display unconditional AVTAB\n");
--
2.32.0

81
0016-checkpolicy-mark-read-only-parameters-in-policy-defi.patch
View File

@ -1,81 +0,0 @@
From 1711757378d1ff1e7437fd7d5ddf263272284641 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
Date: Tue, 6 Jul 2021 19:54:33 +0200
Subject: [PATCH] checkpolicy: mark read-only parameters in policy define const
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Make it more obvious which parameters are read-only and not being
modified and allow callers to pass const pointers.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
---
checkpolicy/policy_define.c | 15 ++++++++-------
1 file changed, 8 insertions(+), 7 deletions(-)
diff --git a/checkpolicy/policy_define.c b/checkpolicy/policy_define.c
index efe3a1a26315..75a67d5c8a7c 100644
--- a/checkpolicy/policy_define.c
+++ b/checkpolicy/policy_define.c
@@ -77,7 +77,7 @@ extern int yyerror(const char *msg);
#define ERRORMSG_LEN 255
static char errormsg[ERRORMSG_LEN + 1] = {0};
-static int id_has_dot(char *id);
+static int id_has_dot(const char *id);
static int parse_security_context(context_struct_t *c);
/* initialize all of the state variables for the scanner/parser */
@@ -141,7 +141,7 @@ int insert_id(const char *id, int push)
/* If the identifier has a dot within it and that its first character
is not a dot then return 1, else return 0. */
-static int id_has_dot(char *id)
+static int id_has_dot(const char *id)
{
if (strchr(id, '.') >= id + 1) {
return 1;
@@ -2172,7 +2172,7 @@ void avrule_xperm_setrangebits(uint16_t low, uint16_t high,
}
}
-int avrule_xperms_used(av_extended_perms_t *xperms)
+int avrule_xperms_used(const av_extended_perms_t *xperms)
{
unsigned int i;
@@ -2347,7 +2347,7 @@ unsigned int xperms_for_each_bit(unsigned int *bit, av_extended_perms_t *xperms)
return 0;
}
-int avrule_cpy(avrule_t *dest, avrule_t *src)
+int avrule_cpy(avrule_t *dest, const avrule_t *src)
{
class_perm_node_t *src_perms;
class_perm_node_t *dest_perms, *dest_tail;
@@ -2395,7 +2395,7 @@ int avrule_cpy(avrule_t *dest, avrule_t *src)
return 0;
}
-int define_te_avtab_ioctl(avrule_t *avrule_template)
+int define_te_avtab_ioctl(const avrule_t *avrule_template)
{
avrule_t *avrule;
struct av_ioctl_range_list *rangelist;
@@ -3444,9 +3444,10 @@ bad:
return -1;
}
-static constraint_expr_t *constraint_expr_clone(constraint_expr_t * expr)
+static constraint_expr_t *constraint_expr_clone(const constraint_expr_t * expr)
{
- constraint_expr_t *h = NULL, *l = NULL, *e, *newe;
+ constraint_expr_t *h = NULL, *l = NULL, *newe;
+ const constraint_expr_t *e;
for (e = expr; e; e = e->next) {
newe = malloc(sizeof(*newe));
if (!newe)
--
2.32.0

58
checkpolicy.spec
View File

@ -1,33 +1,17 @@
%define libselinuxver 3.2-5
%define libsepolver 3.2-3
%define libselinuxver 3.5-1
%define libsepolver 3.5-1
Summary: SELinux policy compiler
Name: checkpolicy
Version: 3.2
Release: 3%{?dist}
Version: 3.5
Release: 1%{?dist}
License: GPLv2
Source0: https://github.com/SELinuxProject/selinux/releases/download/3.2/checkpolicy-3.2.tar.gz
Source0: https://github.com/SELinuxProject/selinux/releases/download/3.5/checkpolicy-3.5.tar.gz
# $ git clone https://github.com/fedora-selinux/selinux.git
# $ cd selinux
# $ git format-patch -N 3.2 -- checkpolicy
# $ git format-patch -N 3.5 -- checkpolicy
# $ i=1; for j in 00*patch; do printf "Patch%04d: %s\n" $i $j; i=$((i+1));done
# Patch list start
Patch0001: 0001-libsepol-checkpolicy-Set-user-roles-using-role-value.patch
Patch0002: 0002-checkpolicy-Do-not-automatically-upgrade-when-using-.patch
Patch0003: 0003-checkpolicy-silence-Wextra-semi-stmt-warning.patch
Patch0004: 0004-checkpolicy-pass-CFLAGS-at-link-stage.patch
Patch0005: 0005-checkpolicy-drop-pipe-compile-option.patch
Patch0006: 0006-checkpolicy-simplify-assignment.patch
Patch0007: 0007-checkpolicy-drop-dead-condition.patch
Patch0008: 0008-checkpolicy-use-correct-format-specifier-for-unsigne.patch
Patch0009: 0009-checkpolicy-follow-declaration-after-statement.patch
Patch0010: 0010-checkpolicy-remove-dead-assignments.patch
Patch0011: 0011-checkpolicy-check-before-potential-NULL-dereference.patch
Patch0012: 0012-checkpolicy-avoid-potential-use-of-uninitialized-var.patch
Patch0013: 0013-checkpolicy-drop-redundant-cast-to-the-same-type.patch
Patch0014: 0014-checkpolicy-parse_util-drop-unused-declaration.patch
Patch0015: 0015-checkpolicy-test-mark-file-local-functions-static.patch
Patch0016: 0016-checkpolicy-mark-read-only-parameters-in-policy-defi.patch
# Patch list end
BuildRequires: gcc
BuildRequires: make
@ -66,7 +50,7 @@ install test/dispol ${RPM_BUILD_ROOT}%{_bindir}/sedispol
%files
%{!?_licensedir:%global license %%doc}
%license COPYING
%license LICENSE
%{_bindir}/checkpolicy
%{_bindir}/checkmodule
%{_mandir}/man8/checkpolicy.8.gz
@ -77,6 +61,34 @@ install test/dispol ${RPM_BUILD_ROOT}%{_bindir}/sedispol
%{_bindir}/sedispol
%changelog
* Thu Feb 23 2023 Petr Lautrbach <lautrbach@redhat.com> - 3.5-1
- SELinux userspace 3.5 release
* Wed Feb 15 2023 Petr Lautrbach <lautrbach@redhat.com> - 3.5-0.rc3.1
- SELinux userspace 3.5-rc3 release
* Tue Jan 17 2023 Petr Lautrbach <lautrbach@redhat.com> - 3.5-0.rc2.1
- SELinux userspace 3.5-rc2 release
* Mon Jan 2 2023 Petr Lautrbach <lautrbach@redhat.com> - 3.5-0.rc1.1
- SELinux userspace 3.5-rc1 release
* Fri May 20 2022 Petr Lautrbach <plautrba@redhat.com> - 3.4-1
- SELinux userspace 3.4 release
* Fri Oct 22 2021 Petr Lautrbach <plautrba@redhat.com> - 3.3-1
- SELinux userspace 3.3 release
* Mon Oct 11 2021 Petr Lautrbach <plautrba@redhat.com> - 3.3-0.rc3.1
- SELinux userspace 3.3-rc3 release
* Wed Sep 29 2021 Petr Lautrbach <plautrba@redhat.com> - 3.3-0.rc2.1
- SELinux userspace 3.3-rc2 release
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 3.2-4
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688
* Wed Jul 28 2021 Petr Lautrbach <plautrba@redhat.com> - 3.2-3
- Rebase on upstream commit 32611aea6543

7
plans/selinux.fmf Normal file
View File

@ -0,0 +1,7 @@
summary: selinux tests - Tier 1 | checkpolicy
discover:
how: fmf
url: https://src.fedoraproject.org/tests/selinux
filter: "tier:1 | component:checkpolicy"
execute:
how: tmt

2
sources
View File

@ -1 +1 @@
SHA512 (checkpolicy-3.2.tar.gz) = 133639595c2acc66c02b5a637c5e0c60d80ce2bae04f4a709d9fafabd31f9497d1a6e3334904b985c2a1bd94a7a7e3df782c2af2ae41d1fd79b69156a835edeb
SHA512 (checkpolicy-3.5.tar.gz) = fcd490d865af3b4350c32c5dd9916f8406219841e1e255d8945c6dcc958535247aa27af5597a6988e19f11faea7beeabcb46e8ba2431112bb4aa5c7697bca529

67
tests/checkmodule/Makefile
View File

@ -1,67 +0,0 @@
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# Makefile of /CoreOS/checkpolicy/Sanity/checkmodule
# Description: runs checkmodule with various options to find out if it behaves correctly
# Author: Milos Malik <mmalik@redhat.com>
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# Copyright (c) 2009 Red Hat, Inc. All rights reserved.
#
# This copyrighted material is made available to anyone wishing
# to use, modify, copy, or redistribute it subject to the terms
# and conditions of the GNU General Public License version 2.
#
# This program is distributed in the hope that it will be
# useful, but WITHOUT ANY WARRANTY; without even the implied
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
# PURPOSE. See the GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public
# License along with this program; if not, write to the Free
# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
# Boston, MA 02110-1301, USA.
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
export TEST=/CoreOS/checkpolicy/Sanity/checkmodule
export TESTVERSION=1.0
BUILT_FILES=
FILES=$(METADATA) runtest.sh Makefile PURPOSE mypolicy.te
.PHONY: all install download clean
run: $(FILES) build
./runtest.sh
build: $(BUILT_FILES)
chmod a+x runtest.sh
clean:
rm -f *~ $(BUILT_FILES)
include /usr/share/rhts/lib/rhts-make.include
$(METADATA): Makefile
@echo "Owner: Milos Malik <mmalik@redhat.com>" > $(METADATA)
@echo "Name: $(TEST)" >> $(METADATA)
@echo "TestVersion: $(TESTVERSION)" >> $(METADATA)
@echo "Path: $(TEST_DIR)" >> $(METADATA)
@echo "Description: runs checkmodule with various options to find out if it behaves correctly" >> $(METADATA)
@echo "Type: Sanity" >> $(METADATA)
@echo "TestTime: 10m" >> $(METADATA)
@echo "RunFor: checkpolicy" >> $(METADATA)
@echo "Requires: checkpolicy" >> $(METADATA)
@echo "Requires: man" >> $(METADATA)
@echo "Requires: grep" >> $(METADATA)
@echo "Requires: mktemp" >> $(METADATA)
@echo "Priority: Normal" >> $(METADATA)
@echo "License: GPLv2" >> $(METADATA)
@echo "Confidential: no" >> $(METADATA)
@echo "Destructive: no" >> $(METADATA)
@echo "Releases: -RHEL4" >> $(METADATA)
rhts-lint $(METADATA)

5
tests/checkmodule/PURPOSE
View File

@ -1,5 +0,0 @@
PURPOSE of /CoreOS/checkpolicy/Sanity/checkmodule
Author: Milos Malik <mmalik@redhat.com>
This TC runs checkmodule with various options to find out if it behaves correctly.

9
tests/checkmodule/mypolicy.te
View File

@ -1,9 +0,0 @@
module mypolicy 1.0;
require {
type httpd_log_t;
type postfix_postdrop_t;
class dir getattr;
class file { read getattr };
}
allow postfix_postdrop_t httpd_log_t:file getattr;

101
tests/checkmodule/runtest.sh
View File

@ -1,101 +0,0 @@
#!/bin/bash
# vim: dict=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# runtest.sh of /CoreOS/checkpolicy/Sanity/checkmodule
# Description: runs checkmodule with various options to find out if it behaves correctly
# Author: Milos Malik <mmalik@redhat.com>
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# Copyright (c) 2009 Red Hat, Inc. All rights reserved.
#
# This copyrighted material is made available to anyone wishing
# to use, modify, copy, or redistribute it subject to the terms
# and conditions of the GNU General Public License version 2.
#
# This program is distributed in the hope that it will be
# useful, but WITHOUT ANY WARRANTY; without even the implied
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
# PURPOSE. See the GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public
# License along with this program; if not, write to the Free
# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
# Boston, MA 02110-1301, USA.
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# Include rhts environment
. /usr/bin/rhts-environment.sh
. /usr/share/beakerlib/beakerlib.sh
PACKAGE="checkpolicy"
rlJournalStart
rlPhaseStartSetup
rlAssertRpm ${PACKAGE}
TEST_FILE=`mktemp`
TEST_DIR=`mktemp -d`
rlRun "rpm -ql ${PACKAGE} | grep bin/checkmodule"
rlPhaseEnd
rlPhaseStartTest
rlRun "checkmodule >& ${TEST_FILE}" 1
rlAssertGrep "loading policy configuration from policy.conf" ${TEST_FILE}
rlRun "checkmodule -b >& ${TEST_FILE}" 1
rlAssertGrep "loading policy configuration from policy" ${TEST_FILE}
rlRun "checkmodule -V"
rlRun "checkmodule -U 1>/dev/null" 1
rlRun "rm -f policy.conf"
for OPTION in "deny" "reject" "allow" ; do
rlRun "checkmodule -U ${OPTION} >& ${TEST_FILE}" 1
rlAssertGrep "unable to open policy.conf" ${TEST_FILE}
done
rlRun "rm -f ${TEST_FILE}"
rlRun "touch ${TEST_FILE}"
rlRun "rm -rf ${TEST_DIR}"
rlRun "mkdir ${TEST_DIR}"
rlRun "checkmodule ${TEST_FILE}" 1,2
rlRun "checkmodule -b ${TEST_FILE}" 1
rlRun "checkmodule ${TEST_DIR}" 1,2
rlRun "checkmodule -b ${TEST_DIR}" 1
rlRun "rm -f ${TEST_FILE}"
rlRun "rm -rf ${TEST_DIR}"
rlRun "checkmodule ${TEST_FILE}" 1
rlRun "checkmodule -b ${TEST_FILE}" 1
if rlIsRHEL 5 ; then
rlRun "checkmodule --help 2>&1 | grep -- -d"
fi
rlRun "checkmodule --help 2>&1 | grep -- -h"
rlRun "checkmodule --help 2>&1 | grep -- -U"
rlPhaseEnd
rlPhaseStartTest
for POLICY_KIND in minimum mls targeted ; do
rlRun "checkmodule -M -m -b -o testmod.mod /etc/selinux/${POLICY_KIND}/policy/policy.* >& ${TEST_FILE}" 1
rlRun "grep -i \"checkmodule.*-b and -m are incompatible with each other\" ${TEST_FILE}"
done
rlPhaseEnd
rlPhaseStartTest
INPUT_FILE="mypolicy.te"
OUTPUT_FILE="mypolicy.output"
rlRun "ls -l ${INPUT_FILE}"
rlRun "checkmodule -m -o ${OUTPUT_FILE} ${INPUT_FILE} 2>&1 | grep \"checkmodule.*loading policy configuration from ${INPUT_FILE}\""
rlRun "checkmodule -m -o ${OUTPUT_FILE} ${INPUT_FILE} 2>&1 | grep \"checkmodule.*writing binary representation.*to ${OUTPUT_FILE}\""
rlRun "ls -l ${OUTPUT_FILE}"
if checkmodule --help | grep -q " CIL " ; then
rlRun "rm -f ${OUTPUT_FILE}"
rlRun "checkmodule -m -C -o ${OUTPUT_FILE} ${INPUT_FILE} 2>&1 | grep \"checkmodule.*loading policy configuration from ${INPUT_FILE}\""
rlRun "checkmodule -m -C -o ${OUTPUT_FILE} ${INPUT_FILE} 2>&1 | grep \"checkmodule.*writing CIL to ${OUTPUT_FILE}\""
rlRun "ls -l ${OUTPUT_FILE}"
fi
rlPhaseEnd
rlPhaseStartCleanup
rlRun "rm -rf ${TEST_FILE} ${TEST_DIR} ${OUTPUT_FILE}"
rlPhaseEnd
rlJournalPrintText
rlJournalEnd

64
tests/checkpolicy-docs/Makefile
View File

@ -1,64 +0,0 @@
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# Makefile of /CoreOS/checkpolicy/Sanity/checkpolicy
# Description: covers an issue where manpage included an unsupported option.
# Author: Milos Malik <mmalik@redhat.com>
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# Copyright (c) 2009 Red Hat, Inc. All rights reserved.
#
# This copyrighted material is made available to anyone wishing
# to use, modify, copy, or redistribute it subject to the terms
# and conditions of the GNU General Public License version 2.
#
# This program is distributed in the hope that it will be
# useful, but WITHOUT ANY WARRANTY; without even the implied
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
# PURPOSE. See the GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public
# License along with this program; if not, write to the Free
# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
# Boston, MA 02110-1301, USA.
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
export TEST=/CoreOS/checkpolicy/Sanity/checkpolicy
export TESTVERSION=1.0
BUILT_FILES=
FILES=$(METADATA) runtest.sh Makefile PURPOSE
.PHONY: all install download clean
run: $(FILES) build
./runtest.sh
build: $(BUILT_FILES)
chmod a+x runtest.sh
clean:
rm -f *~ $(BUILT_FILES)
include /usr/share/rhts/lib/rhts-make.include
$(METADATA): Makefile
@echo "Owner: Milos Malik <mmalik@redhat.com>" > $(METADATA)
@echo "Name: $(TEST)" >> $(METADATA)
@echo "TestVersion: $(TESTVERSION)" >> $(METADATA)
@echo "Path: $(TEST_DIR)" >> $(METADATA)
@echo "Description: covers an issue where manpage included an unsupported option." >> $(METADATA)
@echo "Type: Sanity" >> $(METADATA)
@echo "TestTime: 1m" >> $(METADATA)
@echo "RunFor: checkpolicy" >> $(METADATA)
@echo "Requires: checkpolicy" >> $(METADATA)
@echo "Priority: Normal" >> $(METADATA)
@echo "License: GPLv2" >> $(METADATA)
@echo "Confidential: no" >> $(METADATA)
@echo "Destructive: no" >> $(METADATA)
@echo "Releases: -RHEL4" >> $(METADATA)
rhts-lint $(METADATA)

7
tests/checkpolicy-docs/PURPOSE
View File

@ -1,7 +0,0 @@
PURPOSE of /CoreOS/checkpolicy/Sanity/checkpolicy
Description: covers an issue where manpage included an unsupported option.
Author: Milos Malik <mmalik@redhat.com>

53
tests/checkpolicy-docs/runtest.sh
View File

@ -1,53 +0,0 @@
#!/bin/bash
# vim: dict=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# runtest.sh of /CoreOS/checkpolicy/Sanity/checkpolicy-docs
# Description: covers an issue where manpage included an unsupported option.
# Author: Milos Malik <mmalik@redhat.com>
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# Copyright (c) 2009 Red Hat, Inc. All rights reserved.
#
# This copyrighted material is made available to anyone wishing
# to use, modify, copy, or redistribute it subject to the terms
# and conditions of the GNU General Public License version 2.
#
# This program is distributed in the hope that it will be
# useful, but WITHOUT ANY WARRANTY; without even the implied
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
# PURPOSE. See the GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public
# License along with this program; if not, write to the Free
# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
# Boston, MA 02110-1301, USA.
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# Include rhts environment
. /usr/bin/rhts-environment.sh
. /usr/share/beakerlib/beakerlib.sh
PACKAGE="checkpolicy"
rlJournalStart
rlPhaseStartSetup
rlAssertRpm ${PACKAGE}
rlAssertExists "/usr/share/man/man8/checkpolicy.8.gz"
rlPhaseEnd
rlPhaseStartTest
rlRun "man checkpolicy | col -b | grep -- '-m]'" 1
rlRun "rpm -ql ${PACKAGE} | grep /usr/share/man/.*checkmodule"
if rlIsRHEL 5 ; then
rlRun "man checkmodule | col -b | grep -- -d"
fi
rlRun "man checkmodule | col -b | grep -- -h"
rlRun "man checkmodule | col -b | grep -- -U"
rlPhaseEnd
rlJournalPrintText
rlJournalEnd

64
tests/checkpolicy/Makefile
View File

@ -1,64 +0,0 @@
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# Makefile of /CoreOS/checkpolicy/Sanity/checkpolicy
# Description: runs checkpolicy with various options to find out if it behaves correctly
# Author: Milos Malik <mmalik@redhat.com>
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# Copyright (c) 2009 Red Hat, Inc. All rights reserved.
#
# This copyrighted material is made available to anyone wishing
# to use, modify, copy, or redistribute it subject to the terms
# and conditions of the GNU General Public License version 2.
#
# This program is distributed in the hope that it will be
# useful, but WITHOUT ANY WARRANTY; without even the implied
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
# PURPOSE. See the GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public
# License along with this program; if not, write to the Free
# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
# Boston, MA 02110-1301, USA.
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
export TEST=/CoreOS/checkpolicy/Sanity/checkpolicy
export TESTVERSION=1.0
BUILT_FILES=
FILES=$(METADATA) runtest.sh Makefile PURPOSE policy.conf.from.secilc
.PHONY: all install download clean
run: $(FILES) build
./runtest.sh
build: $(BUILT_FILES)
chmod a+x runtest.sh
clean:
rm -f *~ $(BUILT_FILES)
include /usr/share/rhts/lib/rhts-make.include
$(METADATA): Makefile
@echo "Owner: Milos Malik <mmalik@redhat.com>" > $(METADATA)
@echo "Name: $(TEST)" >> $(METADATA)
@echo "TestVersion: $(TESTVERSION)" >> $(METADATA)
@echo "Path: $(TEST_DIR)" >> $(METADATA)
@echo "Description: runs checkpolicy with various options to find out if it behaves correctly" >> $(METADATA)
@echo "Type: Sanity" >> $(METADATA)
@echo "TestTime: 10m" >> $(METADATA)
@echo "RunFor: checkpolicy setools" >> $(METADATA)
@echo "Requires: checkpolicy setools-console selinux-policy-minimum selinux-policy-mls selinux-policy-targeted" >> $(METADATA)
@echo "Priority: Normal" >> $(METADATA)
@echo "License: GPLv2" >> $(METADATA)
@echo "Confidential: no" >> $(METADATA)
@echo "Destructive: no" >> $(METADATA)
@echo "Releases: -RHEL4" >> $(METADATA)
rhts-lint $(METADATA)

7
tests/checkpolicy/PURPOSE
View File

@ -1,7 +0,0 @@
PURPOSE of /CoreOS/checkpolicy/Sanity/checkpolicy
Description: runs checkpolicy with various options to find out if it behaves correctly
Author: Milos Malik <mmalik@redhat.com>

143
tests/checkpolicy/policy.conf.from.secilc
View File

@ -1,143 +0,0 @@
class file
class process
class char
sid kernel
sid security
sid unlabeled
common file {ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename execute swapon quotaon mounton }
class file inherits file { execute_no_trans entrypoint execmod open audit_access }
class char inherits file { foo transition }
class process { open }
sensitivity s0 alias sens0;
sensitivity s1;
dominance { s0 s1 }
category c0 alias cat0;
category c1;
category c2;
level s0:c0.c2;
level s1:c0.c2;
mlsconstrain file { open } (not (((l1 eq l2) and (u1 eq u2)) or (r1 eq r2)));
mlsconstrain file { open } (((l1 eq l2) and (u1 eq u2)) or (r1 != r2));
mlsconstrain file { open } (l1 dom h2);
mlsconstrain file { open } (h1 domby l2);
mlsconstrain file { open } (l1 incomp l2);
mlsvalidatetrans file (h1 domby l2);
attribute foo_type;
attribute bar_type;
attribute baz_type;
attribute exec_type;
type bin_t, bar_type, exec_type;
type kernel_t, foo_type, exec_type, baz_type;
type security_t, baz_type;
type unlabeled_t, baz_type;
type exec_t, baz_type;
type console_t, baz_type;
type auditadm_t, baz_type;
type console_device_t, baz_type;
type user_tty_device_t, baz_type;
type device_t, baz_type;
type getty_t, baz_type;
type a_t, baz_type;
type b_t, baz_type;
typealias bin_t alias sbin_t;
bool secure_mode false;
bool console_login true;
bool b1 false;
role system_r;
role user_r;
role system_r types bin_t;
role system_r types kernel_t;
role system_r types security_t;
role system_r types unlabeled_t;
policycap open_perms;
permissive device_t;
range_transition device_t console_t : file s0:c0 - s1:c0.c1;
type_transition device_t console_t : file console_device_t;
type_member device_t bin_t : file exec_t;
if console_login{
type_change auditadm_t console_device_t : file user_tty_device_t;
}
role_transition system_r bin_t user_r;
auditallow device_t auditadm_t: file { open };
dontaudit device_t auditadm_t: file { read };
allow system_r user_r;
allow console_t console_device_t: char { write setattr };
allow console_t console_device_t: file { open read getattr };
allow foo_type self: file { execute };
allow bin_t device_t: file { execute };
allow bin_t exec_t: file { execute };
allow bin_t bin_t: file { execute };
allow a_t b_t : file { write };
allow console_t console_device_t: file { read write getattr setattr lock append };
allow kernel_t kernel_t : file { execute };
if b1 {
allow a_t b_t : file { read };
}
if secure_mode{
auditallow device_t exec_t: file { read write };
}
if console_login{
allow getty_t console_device_t: file { getattr open read write append };
}
else {
dontaudit getty_t console_device_t: file { getattr open read write append };
}
if (not ((secure_mode eq console_login) xor ((secure_mode or console_login) and secure_mode))){
allow bin_t exec_t: file { execute };
}
user system_u roles system_r level s0:c0 range s0:c0 - s1:c0,c1;
user user_u roles user_r level s0:c0 range s0:c0 - s0:c0;
validatetrans file (t1 == exec_t);
constrain char transition (not (((t1 eq exec_t) and (t2 eq bin_t)) or (r1 eq r2)));
constrain file { open } (r1 dom r2);
constrain file { open } (r1 domby r2);
constrain file { open } (r1 incomp r2);
constrain file { open read getattr } (not (((t1 eq exec_t) and (t2 eq bin_t)) or (r1 eq r2)));
constrain char { write setattr } (not (((t1 eq exec_t) and (t2 eq bin_t)) or (r1 eq r2)));
sid kernel system_u:system_r:kernel_t:s0:c0 - s1:c0,c1
sid security system_u:system_r:security_t:s0:c0 - s1:c0,c1
sid unlabeled system_u:system_r:unlabeled_t:s0:c0 - s1:c0,c1
fs_use_xattr ext3 system_u:system_r:bin_t:s0:c0 - s1:c0,c1;
genfscon proc /usr/bin system_u:system_r:bin_t:s0:c0 - s1:c0,c1
portcon tcp 22 system_u:system_r:bin_t:s0:c0 - s1:c0,c1
portcon udp 25 system_u:system_r:bin_t:s0:c0 - s1:c0,c1
netifcon eth0 system_u:system_r:bin_t:s0:c0 - s1:c0,c1 system_u:system_r:bin_t:s0:c0 - s1:c0,c1
nodecon 192.25.35.200 192.168.1.1 system_u:system_r:bin_t:s0:c0 - s1:c0,c1
nodecon 2001:db8:ac10:fe01:: 2001:de0:da88:2222:: system_u:system_r:bin_t:s0:c0 - s1:c0,c1

153
tests/checkpolicy/runtest.sh
View File

@ -1,153 +0,0 @@
#!/bin/bash
# vim: dict=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# runtest.sh of /CoreOS/checkpolicy/Sanity/checkpolicy
# Description: runs checkpolicy with various options to find out if it behaves correctly
# Author: Milos Malik <mmalik@redhat.com>
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# Copyright (c) 2009 Red Hat, Inc. All rights reserved.
#
# This copyrighted material is made available to anyone wishing
# to use, modify, copy, or redistribute it subject to the terms
# and conditions of the GNU General Public License version 2.
#
# This program is distributed in the hope that it will be
# useful, but WITHOUT ANY WARRANTY; without even the implied
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
# PURPOSE. See the GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public
# License along with this program; if not, write to the Free
# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
# Boston, MA 02110-1301, USA.
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# Include rhts environment
. /usr/bin/rhts-environment.sh
. /usr/share/beakerlib/beakerlib.sh
PACKAGE="checkpolicy"
rlJournalStart
rlPhaseStartSetup
rlAssertRpm ${PACKAGE}
rlAssertRpm selinux-policy-minimum
rlAssertRpm selinux-policy-mls
rlAssertRpm selinux-policy-targeted
rlRun "uname -a"
TEST_FILE=`mktemp`
TEST_DIR=`mktemp -d`
OUTPUT_FILE=`mktemp`
rlAssertExists "/usr/bin/checkpolicy"
rlPhaseEnd
rlPhaseStartTest "compilation from policy.conf"
MIN_VERSION="15"
MAX_VERSION=`find /etc/selinux/ -name policy.?? | cut -d / -f 6 | cut -d . -f 2 | head -n 1`
if rlIsRHEL 5 6 ; then
VERSIONS=`seq ${MIN_VERSION} 1 ${MAX_VERSION}`
else
# some versions are skipped because seinfo segfaults when inspecting binary policies between v.20 and v.23"
VERSIONS=`seq ${MIN_VERSION} 1 ${MAX_VERSION} | grep -v -e 19 -e 20 -e 21 -e 22 -e 23`
fi
for CUR_VERSION in ${VERSIONS} ; do
rlRun "rm -f policy.out"
rlWatchdog "checkpolicy -M -c ${CUR_VERSION} -o policy.out policy.conf.from.secilc" 15
if [ -s policy.out ] ; then
rlRun "seinfo policy.out 2>&1 | tee ${OUTPUT_FILE}"
rlRun "grep -i -e \"policy version.*${CUR_VERSION}\" -e \"unable to open policy\" ${OUTPUT_FILE}"
else
rlRun "ls -l policy.out"
fi
done
rlPhaseEnd
rlPhaseStartTest
rlRun "checkpolicy >& ${TEST_FILE}" 1
rlAssertGrep "loading policy configuration from policy.conf" ${TEST_FILE}
rlRun "checkpolicy -b >& ${TEST_FILE}" 1
rlAssertGrep "loading policy configuration from policy" ${TEST_FILE}
rlRun "checkpolicy -V"
rlRun "checkpolicy -U 2>&1 | grep \"option requires an argument\""
rlRun "checkpolicy -U xyz" 1
rlRun "rm -f policy.conf"
if ! rlIsRHEL 4 ; then
for OPTION in "deny" "reject" "allow" ; do
rlRun "checkpolicy -U ${OPTION} >& ${TEST_FILE}" 1
rlAssertGrep "unable to open policy.conf" ${TEST_FILE}
done
fi
rlRun "rm -f ${TEST_FILE}"
rlRun "touch ${TEST_FILE}"
rlRun "rm -rf ${TEST_DIR}"
rlRun "mkdir ${TEST_DIR}"
rlRun "checkpolicy ${TEST_FILE}" 1,2
rlRun "checkpolicy -b ${TEST_FILE}" 1
rlRun "checkpolicy ${TEST_DIR}" 1,2
rlRun "checkpolicy -b ${TEST_DIR}" 1
rlRun "rm -f ${TEST_FILE}"
rlRun "rm -rf ${TEST_DIR}"
rlRun "checkpolicy ${TEST_FILE}" 1
rlRun "checkpolicy -b ${TEST_FILE}" 1
rlRun "checkpolicy -c 2>&1 | grep \"option requires an argument\""
rlRun "checkpolicy -c 0 2>&1 | grep \"value 0 not in range\""
rlRun "checkpolicy -t 2>&1 | grep \"option requires an argument\""
rlRun "checkpolicy -t xyz 2>&1 | grep -i \"unknown target platform\""
rlRun "checkpolicy --help 2>&1 | grep -- '-m]'" 1
rlPhaseEnd
rlPhaseStartTest
if rlIsRHEL 5 6 ; then
ACTIVE_POLICY="/selinux/policy"
else
ACTIVE_POLICY="/sys/fs/selinux/policy"
fi
rlRun "echo -e 'q\n' | checkpolicy -Mdb ${ACTIVE_POLICY} | tee ${OUTPUT_FILE}"
rlRun "grep -qi -e error -e ebitmap -e 'not match' ${OUTPUT_FILE}" 1
for POLICY_TYPE in minimum mls targeted ; do
if [ ! -e /etc/selinux/${POLICY_TYPE}/policy/policy.* ] ; then
continue
fi
rlRun "echo -e 'q\n' | checkpolicy -Mdb /etc/selinux/${POLICY_TYPE}/policy/policy.* | tee ${OUTPUT_FILE}"
rlRun "grep -qi -e error -e ebitmap -e 'not match' ${OUTPUT_FILE}" 1
done
rlPhaseEnd
rlPhaseStartTest
if rlIsRHEL 5 6 ; then
ACTIVE_POLICY_TREE="/selinux"
else # RHEL-7 and above
ACTIVE_POLICY_TREE="/sys/fs/selinux"
fi
MIN_VERSION="15"
MAX_VERSION=`find /etc/selinux/ -name policy.?? | cut -d / -f 6 | cut -d . -f 2 | head -n 1`
for POLICY_TYPE in minimum mls targeted ; do
if rlIsRHEL 5 6 ; then
VERSIONS=`seq ${MIN_VERSION} 1 ${MAX_VERSION}`
else
# some versions are skipped because seinfo segfaults when inspecting binary policies between v.20 and v.23"
VERSIONS=`seq ${MIN_VERSION} 1 ${MAX_VERSION} | grep -v -e 19 -e 20 -e 21 -e 22 -e 23`
fi
for CUR_VERSION in ${VERSIONS} ; do
rlRun "rm -f policy.out"
rlWatchdog "checkpolicy -b -M -c ${CUR_VERSION} -o policy.out /etc/selinux/${POLICY_TYPE}/policy/policy.${MAX_VERSION}" 15
if [ -s policy.out ] ; then
rlRun "seinfo policy.out 2>&1 | tee ${OUTPUT_FILE}"
rlRun "grep -i -e \"policy version.*${CUR_VERSION}\" -e \"unable to open policy\" ${OUTPUT_FILE}"
else
rlRun "ls -l policy.out"
fi
done
done
rlPhaseEnd
rlPhaseStartCleanup
rm -f ${OUTPUT_FILE} policy.out
rlPhaseEnd
rlJournalPrintText
rlJournalEnd

65
tests/sedismod/Makefile
View File

@ -1,65 +0,0 @@
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# Makefile of /CoreOS/checkpolicy/Sanity/sedismod
# Description: Does sedismod work correctly ?)
# Author: Milos Malik <mmalik@redhat.com>
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# Copyright (c) 2016 Red Hat, Inc.
#
# This copyrighted material is made available to anyone wishing
# to use, modify, copy, or redistribute it subject to the terms
# and conditions of the GNU General Public License version 2.
#
# This program is distributed in the hope that it will be
# useful, but WITHOUT ANY WARRANTY; without even the implied
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
# PURPOSE. See the GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public
# License along with this program; if not, write to the Free
# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
# Boston, MA 02110-1301, USA.
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
export TEST=/CoreOS/checkpolicy/Sanity/sedismod
export TESTVERSION=1.0
BUILT_FILES=
FILES=$(METADATA) runtest.sh Makefile PURPOSE sedismod.exp
.PHONY: all install download clean
run: $(FILES) build
./runtest.sh
build: $(BUILT_FILES)
test -x runtest.sh || chmod a+x runtest.sh
test -x sedismod.exp || chmod a+x sedismod.exp
clean:
rm -f *~ $(BUILT_FILES)
include /usr/share/rhts/lib/rhts-make.include
$(METADATA): Makefile
@echo "Owner: Milos Malik <mmalik@redhat.com>" > $(METADATA)
@echo "Name: $(TEST)" >> $(METADATA)
@echo "TestVersion: $(TESTVERSION)" >> $(METADATA)
@echo "Path: $(TEST_DIR)" >> $(METADATA)
@echo "Description: Does sedismod work correctly?" >> $(METADATA)
@echo "Type: Sanity" >> $(METADATA)
@echo "TestTime: 10m" >> $(METADATA)
@echo "RunFor: checkpolicy" >> $(METADATA)
@echo "Requires: checkpolicy selinux-policy-targeted expect policycoreutils psmisc" >> $(METADATA)
@echo "Priority: Normal" >> $(METADATA)
@echo "License: GPLv2" >> $(METADATA)
@echo "Confidential: no" >> $(METADATA)
@echo "Destructive: no" >> $(METADATA)
@echo "Releases: -RHEL4 -RHELClient5 -RHELServer5" >> $(METADATA)
rhts-lint $(METADATA)

5
tests/sedismod/PURPOSE
View File

@ -1,5 +0,0 @@
PURPOSE of /CoreOS/checkpolicy/Sanity/sedismod
Author: Milos Malik <mmalik@redhat.com>
Does sedismod work correctly?

83
tests/sedismod/runtest.sh
View File

@ -1,83 +0,0 @@
#!/bin/bash
# vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# runtest.sh of /CoreOS/checkpolicy/Sanity/sedismod
# Description: Does sedismod work correctly
# Author: Milos Malik <mmalik@redhat.com>
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# Copyright (c) 2016 Red Hat, Inc.
#
# This copyrighted material is made available to anyone wishing
# to use, modify, copy, or redistribute it subject to the terms
# and conditions of the GNU General Public License version 2.
#
# This program is distributed in the hope that it will be
# useful, but WITHOUT ANY WARRANTY; without even the implied
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
# PURPOSE. See the GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public
# License along with this program; if not, write to the Free
# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
# Boston, MA 02110-1301, USA.
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# Include Beaker environment
. /usr/bin/rhts-environment.sh || exit 1
. /usr/share/beakerlib/beakerlib.sh || exit 1
PACKAGE="checkpolicy"
# TODO: repeat for all policy modules that are installed under /etc/selinux
if rlIsFedora ; then
POLICY_FILE="`find /var/lib/selinux/targeted -type d -name base`/hll"
elif rlIsRHEL '<7.3' ; then
POLICY_FILE=`find /etc/selinux/targeted -type f -name base.pp`
else # RHEL-7.3 and above
POLICY_FILE="`find /etc/selinux/targeted -type d -name base`/hll"
fi
rlJournalStart
rlPhaseStartSetup
rlAssertRpm ${PACKAGE}
OUTPUT_FILE=`mktemp`
if rlIsRHEL '>=7.3' || rlIsFedora ; then
rlRun "semodule -H -E base"
else
rlRun "cp ${POLICY_FILE} ./base.pp.bz2"
rlRun "rm -f base.pp"
rlRun "bzip2 -d ./base.pp.bz2"
fi
POLICY_FILE="base.pp"
rlRun "ls -l ${POLICY_FILE}"
rlPhaseEnd
rlPhaseStartTest "check all available options"
if rlIsRHEL 6 ; then
AVAILABLE_OPTIONS="1 2 3 4 5 6 7 8 0 a b c u"
else # RHEL-7 and above
AVAILABLE_OPTIONS="1 2 3 4 5 6 7 8 9 0 a b c u F"
fi
for OPTION in ${AVAILABLE_OPTIONS} ; do
rlRun "rm -f ${OUTPUT_FILE}"
rlWatchdog "./sedismod.exp ${OPTION} ${POLICY_FILE} ${OUTPUT_FILE}" 65
# rlWatchdog kills the expect script, but we need to kill the sedismod process too
rlRun "killall sedismod" 0,1
rlRun "ls -l ${OUTPUT_FILE}"
if [ -s ${OUTPUT_FILE} ] ; then
rlPass "sedismod produced some output"
else
rlFail "sedismod did not produce any output"
fi
done
rlPhaseEnd
rlPhaseStartCleanup
rlRun "rm -f ${OUTPUT_FILE} ${POLICY_FILE}"
rlPhaseEnd
rlJournalPrintText
rlJournalEnd

21
tests/sedismod/sedismod.exp
View File

@ -1,21 +0,0 @@
#!/usr/bin/expect -f
# ./sedismod.exp option policyfile outputfile
set option [lrange $argv 0 0]
set policyfile [lrange $argv 1 1]
set outputfile [lrange $argv 2 2]
set timeout 60
spawn sedismod $policyfile
expect "Command*:" {
send -- "f\r"
}
expect "Filename*:" {
send -- "$outputfile\r"
}
expect "Command*:" {
send -- "$option\r"
}
expect "Command*:" {
send -- "q\r"
}
expect eof

65
tests/sedispol/Makefile
View File

@ -1,65 +0,0 @@
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# Makefile of /CoreOS/checkpolicy/Sanity/sedispol
# Description: Does sedispol work correctly?
# Author: Milos Malik <mmalik@redhat.com>
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# Copyright (c) 2016 Red Hat, Inc.
#
# This copyrighted material is made available to anyone wishing
# to use, modify, copy, or redistribute it subject to the terms
# and conditions of the GNU General Public License version 2.
#
# This program is distributed in the hope that it will be
# useful, but WITHOUT ANY WARRANTY; without even the implied
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
# PURPOSE. See the GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public
# License along with this program; if not, write to the Free
# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
# Boston, MA 02110-1301, USA.
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
export TEST=/CoreOS/checkpolicy/Sanity/sedispol
export TESTVERSION=1.0
BUILT_FILES=
FILES=$(METADATA) runtest.sh Makefile PURPOSE sedispol.exp
.PHONY: all install download clean
run: $(FILES) build
./runtest.sh
build: $(BUILT_FILES)
test -x runtest.sh || chmod a+x runtest.sh
test -x sedispol.exp || chmod a+x sedispol.exp
clean:
rm -f *~ $(BUILT_FILES)
include /usr/share/rhts/lib/rhts-make.include
$(METADATA): Makefile
@echo "Owner: Milos Malik <mmalik@redhat.com>" > $(METADATA)
@echo "Name: $(TEST)" >> $(METADATA)
@echo "TestVersion: $(TESTVERSION)" >> $(METADATA)
@echo "Path: $(TEST_DIR)" >> $(METADATA)
@echo "Description: Does sedispol work correctly?" >> $(METADATA)
@echo "Type: Sanity" >> $(METADATA)
@echo "TestTime: 10m" >> $(METADATA)
@echo "RunFor: checkpolicy" >> $(METADATA)
@echo "Requires: checkpolicy selinux-policy expect" >> $(METADATA)
@echo "Priority: Normal" >> $(METADATA)
@echo "License: GPLv2" >> $(METADATA)
@echo "Confidential: no" >> $(METADATA)
@echo "Destructive: no" >> $(METADATA)
@echo "Releases: -RHEL4 -RHELClient5 -RHELServer5" >> $(METADATA)
rhts-lint $(METADATA)

5
tests/sedispol/PURPOSE
View File

@ -1,5 +0,0 @@
PURPOSE of /CoreOS/checkpolicy/Sanity/sedispol
Author: Milos Malik <mmalik@redhat.com>
Does sedispol work correctly?

77
tests/sedispol/runtest.sh
View File

@ -1,77 +0,0 @@
#!/bin/bash
# vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# runtest.sh of /CoreOS/checkpolicy/Sanity/sedispol
# Description: Does sedispol work correctly?
# Author: Milos Malik <mmalik@redhat.com>
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# Copyright (c) 2016 Red Hat, Inc.
#
# This copyrighted material is made available to anyone wishing
# to use, modify, copy, or redistribute it subject to the terms
# and conditions of the GNU General Public License version 2.
#
# This program is distributed in the hope that it will be
# useful, but WITHOUT ANY WARRANTY; without even the implied
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
# PURPOSE. See the GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public
# License along with this program; if not, write to the Free
# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
# Boston, MA 02110-1301, USA.
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# Include Beaker environment
. /usr/bin/rhts-environment.sh || exit 1
. /usr/share/beakerlib/beakerlib.sh || exit 1
PACKAGE="checkpolicy"
# TODO: repeat for all policy files that are installed under /etc/selinux
POLICY_FILE=`find /etc/selinux/targeted/policy/ -type f`
rlJournalStart
rlPhaseStartSetup
rlAssertRpm ${PACKAGE}
OUTPUT_FILE=`mktemp`
rlPhaseEnd
rlPhaseStartTest
if rlIsRHEL 6 ; then
AVAILABLE_OPTIONS="1 2 3 4 5 6 c p u"
else # RHEL-7 and above
AVAILABLE_OPTIONS="1 2 3 4 5 6 8 c p u F"
fi
for OPTION in ${AVAILABLE_OPTIONS} ; do
rlRun "rm -f ${OUTPUT_FILE}"
rlWatchdog "./sedispol.exp ${OPTION} ${POLICY_FILE} ${OUTPUT_FILE}" 65
# rlWatchdog kills the expect script, but we need to kill the sedispol process too
rlRun "killall sedispol" 0,1
rlRun "ls -l ${OUTPUT_FILE}"
if [ -s ${OUTPUT_FILE} ] ; then
rlPass "sedispol produced some output"
else
rlFail "sedispol did not produce any output"
fi
done
rlPhaseEnd
rlPhaseStartTest
rlRun "echo q | sedispol ${POLICY_FILE} >& ${OUTPUT_FILE}"
rlRun "grep AVTAB ${OUTPUT_FILE}"
rlRun "grep AVTAG ${OUTPUT_FILE}" 1
rlRun "echo -en 'u\nq\n' | sedispol ${POLICY_FILE} >& ${OUTPUT_FILE}"
rlRun "grep permissions ${OUTPUT_FILE}"
rlRun "grep permisions ${OUTPUT_FILE}" 1
rlPhaseEnd
rlPhaseStartCleanup
rlRun "rm -f ${OUTPUT_FILE}"
rlPhaseEnd
rlJournalPrintText
rlJournalEnd

21
tests/sedispol/sedispol.exp
View File

@ -1,21 +0,0 @@
#!/usr/bin/expect -f
# ./sedispol.exp option policyfile outputfile
set option [lrange $argv 0 0]
set policyfile [lrange $argv 1 1]
set outputfile [lrange $argv 2 2]
set timeout 60
spawn sedispol $policyfile
expect "Command*:" {
send -- "f\r"
}
expect "Filename*:" {
send -- "$outputfile\r"
}
expect "Command*:" {
send -- "$option\r"
}
expect "Command*:" {
send -- "q\r"
}
expect eof

38
tests/tests.yml
View File

@ -1,38 +0,0 @@
---
# Tests for Classic
- hosts: localhost
roles:
- role: standard-test-beakerlib
tags:
- classic
repositories:
- repo: "https://src.fedoraproject.org/tests/selinux.git"
dest: "selinux"
fmf_filter: "tier:1 | component:checkpolicy"
# Tests for Container
- hosts: localhost
roles:
- role: standard-test-beakerlib
tags:
- container
repositories:
- repo: "https://src.fedoraproject.org/tests/selinux.git"
dest: "selinux"
tests:
- selinux/checkpolicy/checkmodule
- selinux/checkpolicy/checkpolicy
- selinux/checkpolicy/sedismod
- selinux/checkpolicy/sedispol
required_packages:
- checkpolicy # Required by all tests
- grep # Required by checkmodule
- coreutils # Required by checkmodule
- setools-console # Required by checkpolicy
- selinux-policy-minimum # Required by checkpolicy
- selinux-policy-mls # Required by checkpolicy
- selinux-policy-targeted # Required by checkpolicy and sedismod
- expect # Required by sedismod and sedispol
- policycoreutils # Required by sedismod
- psmisc # Required by sedismod
- selinux-policy # Required by sedispol