From 0a1d1e58aa42bb4eeb0202bc7db588dfa6d11b91 Mon Sep 17 00:00:00 2001 From: Petr Lautrbach Date: Fri, 6 May 2016 16:04:28 +0200 Subject: [PATCH] libsepol-2.5-6 - Change logic of bounds checking to match change in kernel - Fix multiple spelling errors --- libsepol-fedora.patch | 162 +++++++++++++++++++++++++++++++++++++----- libsepol.spec | 8 ++- 2 files changed, 151 insertions(+), 19 deletions(-) diff --git a/libsepol-fedora.patch b/libsepol-fedora.patch index f29272f..f5b52ab 100644 --- a/libsepol-fedora.patch +++ b/libsepol-fedora.patch @@ -1,8 +1,8 @@ diff --git libsepol-2.5/Android.mk libsepol-2.5/Android.mk -index a43b343..5d2c96b 100644 +index a43b343..6d89f17 100644 --- libsepol-2.5/Android.mk +++ libsepol-2.5/Android.mk -@@ -64,6 +64,7 @@ cil_src_files := \ +@@ -64,14 +64,11 @@ cil_src_files := \ cil/src/cil_verify.c common_cflags := \ @@ -10,11 +10,21 @@ index a43b343..5d2c96b 100644 -Wall -W -Wundef \ -Wshadow -Wmissing-noreturn \ -Wmissing-format-attribute + +-ifeq ($(HOST_OS), darwin) +-common_cflags += -DDARWIN +-endif +- + common_includes := \ + $(LOCAL_PATH)/include/ \ + $(LOCAL_PATH)/src/ \ diff --git libsepol-2.5/ChangeLog libsepol-2.5/ChangeLog -index ace3d54..12e2ebc 100644 +index ace3d54..2abcff4 100644 --- libsepol-2.5/ChangeLog +++ libsepol-2.5/ChangeLog -@@ -1,3 +1,12 @@ +@@ -1,3 +1,14 @@ ++ * Change logic of bounds checking to match change in kernel, from James Carter. ++ * Fix multiple spelling errors, from Laurent Bigonville. + * Only apply bounds checking to source types in rules, from Stephen Smalley. + * Fix CIL and not add an attribute as a type in the attr_type_map, from James Carter + * Build policy on systems not supporting DCCP protocol, from Richard Haines. @@ -269,7 +279,7 @@ index 1135e06..90fee8e 100644 cil_log(CIL_ERR, "Invalid protocol\n"); rc = SEPOL_ERR; 
diff --git libsepol-2.5/cil/src/cil_find.c libsepol-2.5/cil/src/cil_find.c -index 75de886..8e0688c 100644 +index 75de886..4134242 100644 --- libsepol-2.5/cil/src/cil_find.c +++ libsepol-2.5/cil/src/cil_find.c @@ -69,7 +69,11 @@ static int cil_type_match_any(struct cil_symtab_datum *d1, struct cil_symtab_dat @@ -285,6 +295,15 @@ index 75de886..8e0688c 100644 } return CIL_FALSE; } +@@ -379,7 +383,7 @@ int cil_find_matching_avrule_in_ast(struct cil_tree_node *current, enum cil_flav + + rc = cil_tree_walk(current, __cil_find_matching_avrule_in_ast, NULL, NULL, &args); + if (rc) { +- cil_log(CIL_ERR, "An error occured while searching for avrule in AST\n"); ++ cil_log(CIL_ERR, "An error occurred while searching for avrule in AST\n"); + } + + return rc; diff --git libsepol-2.5/cil/src/cil_internal.h libsepol-2.5/cil/src/cil_internal.h index a0a5480..a75ddf8 100644 --- libsepol-2.5/cil/src/cil_internal.h 
@@ -496,8 +515,52 @@ index fbf397f..f4429ad 100644 if (rc == 0) goto exit; } +diff --git libsepol-2.5/src/genbools.c libsepol-2.5/src/genbools.c +index 6a06ec9..c81e848 100644 +--- libsepol-2.5/src/genbools.c ++++ libsepol-2.5/src/genbools.c +@@ -79,7 +79,7 @@ static int load_booleans(struct policydb *policydb, const char *path, + if (boolf == NULL) + goto localbool; + +-#ifdef DARWIN ++#ifdef __APPLE__ + if ((buffer = (char *)malloc(255 * sizeof(char))) == NULL) { + ERR(NULL, "out of memory"); + return -1; +@@ -111,7 +111,7 @@ static int load_booleans(struct policydb *policydb, const char *path, + boolf = fopen(localbools, "r"); + if (boolf != NULL) { + +-#ifdef DARWIN ++#ifdef __APPLE__ + + while(fgets(buffer, 255, boolf) != NULL) { + #else +diff --git libsepol-2.5/src/genusers.c libsepol-2.5/src/genusers.c +index 7826b71..0b98a76 100644 +--- libsepol-2.5/src/genusers.c ++++ libsepol-2.5/src/genusers.c +@@ -7,7 +7,7 @@ + + #include + +-#ifndef DARWIN ++#ifndef __APPLE__ + #include + #endif + +@@ -47,7 +47,7 @@ static int load_users(struct policydb *policydb, const char *path) + if (fp == NULL) + return -1; + +-#ifdef DARWIN ++#ifdef __APPLE__ + if ((buffer = (char *)malloc(255 * sizeof(char))) == NULL) { + ERR(NULL, "out of memory"); + return -1; diff --git libsepol-2.5/src/hierarchy.c libsepol-2.5/src/hierarchy.c -index 6f73195..b24b39e 100644 +index 6f73195..778541a 100644 --- libsepol-2.5/src/hierarchy.c +++ libsepol-2.5/src/hierarchy.c @@ -121,18 +121,6 @@ static int bounds_expand_rule(sepol_handle_t *handle, policydb_t *p, 
@@ -519,10 +582,26 @@ index 6f73195..b24b39e 100644 exit: return rc; } -@@ -329,31 +317,6 @@ static int bounds_check_rule(sepol_handle_t *handle, policydb_t *p, - if (rc) goto exit; - } - } +@@ -313,45 +301,21 @@ static int bounds_check_rule(sepol_handle_t *handle, policydb_t *p, + ebitmap_for_each_bit(&p->attr_type_map[tgt - 1], tnode, i) { + if (!ebitmap_node_get_bit(tnode, i)) + continue; +- avtab_key.target_type = i + 1; +- d = bounds_not_covered(global_avtab, cur_avtab, +- &avtab_key, data); +- if (!d) continue; + td = p->type_val_to_struct[i]; + if (td && td->bounds) { + avtab_key.target_type = td->bounds; + d = bounds_not_covered(global_avtab, cur_avtab, + &avtab_key, data); +- if (!d) continue; +- } +- (*numbad)++; +- rc = bounds_add_bad(handle, child, i+1, class, d, bad); +- if (rc) goto exit; +- } +- } - if (ebitmap_get_bit(&p->attr_type_map[tgt - 1], child - 1)) { - avtab_key.target_type = parent; - ebitmap_for_each_bit(&p->attr_type_map[src - 1], tnode, i) { @@ -539,18 +618,23 @@ index 6f73195..b24b39e 100644 - td = p->type_val_to_struct[i]; - if (td && td->bounds) { - avtab_key.source_type = td->bounds; -- d = bounds_not_covered(global_avtab, cur_avtab, -- &avtab_key, data); ++ } else { ++ avtab_key.target_type = i + 1; + d = bounds_not_covered(global_avtab, cur_avtab, + &avtab_key, data); - if (!d) continue; -- } + } - (*numbad)++; - rc = bounds_add_bad(handle, i+1, child, class, d, bad); - if (rc) goto exit; -- } -- } ++ if (d) { ++ (*numbad)++; ++ rc = bounds_add_bad(handle, child, i+1, class, d, bad); ++ if (rc) goto exit; ++ } + } + } - exit: - return rc; diff --git libsepol-2.5/src/module_to_cil.c libsepol-2.5/src/module_to_cil.c index 18ec6b9..38f0dc3 100644 --- libsepol-2.5/src/module_to_cil.c 
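Review bot: The new `if (td && td->bounds) { ... } else { avtab_key.target_type = i + 1; ... }` split in bounds_check_rule changes which type the coverage query is run against — a bounded target is now checked only via its bounds parent and never directly, where the removed lines checked the target itself first — but nothing in the code records why, so the next maintainer is likely to "fix" it back. Add a why-comment on the `if (td && td->bounds)` line, e.g. `/* Mirror the kernel's bounds check: a bounded target is compared via its bounds parent, not via itself (see commit message). */`, since the only justification is the commit subject. The report still names `i+1` in `bounds_add_bad(handle, child, i+1, class, d, bad)` even when the query used `td->bounds`; that is the offending rule's actual target, which is reasonable, but worth a half-line in the same comment so the mismatch between the queried key and the reported type is not read as a bug. This applies to both hierarchy.c hunks here (`@@ -519` and `@@ -539`), which together form one change, and bounds_check_rule begins before and continues past them.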
@@ -573,6 +657,28 @@ index 18ec6b9..38f0dc3 100644 default: log_err("Unknown portcon protocol: %i", portcon->u.port.protocol); rc = -1; +diff --git libsepol-2.5/src/node_record.c libsepol-2.5/src/node_record.c +index bd48ba0..21043b6 100644 +--- libsepol-2.5/src/node_record.c ++++ libsepol-2.5/src/node_record.c +@@ -70,7 +70,7 @@ static int node_parse_addr(sepol_handle_t * handle, + return STATUS_ERR; + } + +-#ifdef DARWIN ++#ifdef __APPLE__ + memcpy(addr_bytes, in_addr.s6_addr, 16); + #else + memcpy(addr_bytes, in_addr.s6_addr32, 16); +@@ -162,7 +162,7 @@ static int node_expand_addr(sepol_handle_t * handle, + { + struct in6_addr addr; + memset(&addr, 0, sizeof(struct in6_addr)); +-#ifdef DARWIN ++#ifdef __APPLE__ + memcpy(&addr.s6_addr[0], addr_bytes, 16); + #else + memcpy(&addr.s6_addr32[0], addr_bytes, 16); diff --git libsepol-2.5/src/port_record.c libsepol-2.5/src/port_record.c index 6a33d93..ed9093b 100644 --- libsepol-2.5/src/port_record.c @@ -616,3 +722,25 @@ index 607a629..62ec602 100644 default: ERR(handle, "invalid protocol %u " "found in policy", proto); return STATUS_ERR; +diff --git libsepol-2.5/src/private.h libsepol-2.5/src/private.h +index 8a6d4bb..9c700c9 100644 +--- libsepol-2.5/src/private.h ++++ libsepol-2.5/src/private.h +@@ -5,7 +5,7 @@ + #include + + +-#ifdef DARWIN ++#ifdef __APPLE__ + #include + #include + #else +@@ -16,7 +16,7 @@ + #include + #include + +-#ifdef DARWIN ++#ifdef __APPLE__ + #define __BYTE_ORDER BYTE_ORDER + #define __LITTLE_ENDIAN LITTLE_ENDIAN + #endif diff --git a/libsepol.spec b/libsepol.spec index aa8693e..106cd09 100644 --- a/libsepol.spec +++ b/libsepol.spec 
@@ -1,14 +1,14 @@ Summary: SELinux binary policy manipulation library Name: libsepol Version: 2.5 -Release: 5%{?dist} +Release: 6%{?dist} License: LGPLv2+ Group: System Environment/Libraries Source: https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20160223/libsepol-2.5.tar.gz # download https://raw.githubusercontent.com/fedora-selinux/scripts/master/selinux/make-fedora-selinux-patch.sh # run: # $ VERSION=2.5 ./make-fedora-selinux-patch.sh libsepol -# HEAD https://github.com/fedora-selinux/selinux/commit/3d38b0a219c3697546d813b6da9fff4d0da04a1e +# HEAD https://github.com/fedora-selinux/selinux/commit/b4fd6cda6dede7a90892aac8f138b86b3ebda3e8 Patch1: libsepol-fedora.patch URL: https://github.com/SELinuxProject/selinux/wiki BuildRequires: flex @@ -106,6 +106,10 @@ exit 0 %{_libdir}/libsepol.so.1 %changelog +* Fri May 06 2016 Petr Lautrbach - 2.5-6 +- Change logic of bounds checking to match change in kernel +- Fix multiple spelling errors + * Mon May 02 2016 Petr Lautrbach - 2.5-5 - Only apply bounds checking to source types in rules - Fix CIL and not add an attribute as a type in the attr_type_map