Update to upstream

* Only call role_fix_callback for base.p_roles during expansion.
	* use mapped role number instead of module role number

.gitignore

@@ -153,3 +153,5 @@ libsepol-2.0.41.tgz
 /libsepol-2.0.44.tgz
 /libsepol-2.0.45.tgz
 /libsepol-2.1.0.tgz
+/libsepol-2.1.1.tgz
+/libsepol-2.1.2.tgz

libsepol-rhat.patch

@@ -1,48 +1,74 @@
-diff --git a/libsepol/src/expand.c b/libsepol/src/expand.c
-index b1af365..42bc931 100644
---- a/libsepol/src/expand.c
-+++ b/libsepol/src/expand.c
-@@ -1181,23 +1181,26 @@ static int copy_role_trans(expand_state_t * state, role_trans_rule_t * rules)
+diff --git a/libsepol/src/write.c b/libsepol/src/write.c
+index 290e036..7257b0b 100644
+--- a/libsepol/src/write.c
++++ b/libsepol/src/write.c
+@@ -972,6 +972,19 @@ static int role_write(hashtab_key_t key, hashtab_datum_t datum, void *ptr)
  
- 					cur_trans = state->out->role_tr;
- 					while (cur_trans) {
-+						unsigned int mapped_role;
+ 	role = (role_datum_t *) datum;
+ 
++	/*
++	 * Role attributes are redundant for policy.X, skip them
++	 * when writing the roles symbol table. They are also skipped
++	 * when pp is downgraded.
++	 *
++	 * Their numbers would be deducted in policydb_write().
++	 */
++	if ((role->flavor == ROLE_ATTRIB) &&
++	    ((p->policy_type == POLICY_KERN) ||
++	     (p->policy_type != POLICY_KERN &&
++	      p->policyvers < MOD_POLICYDB_VERSION_ROLEATTRIB)))
++		return POLICYDB_SUCCESS;
 +
-+						mapped_role = state->rolemap[cur->new_role - 1];
+ 	len = strlen(key);
+ 	items = 0;
+ 	buf[items++] = cpu_to_le32(len);
+@@ -1795,6 +1808,19 @@ static int type_attr_uncount(hashtab_key_t key __attribute__ ((unused)),
+ 	return 0;
+ }
+ 
++static int role_attr_uncount(hashtab_key_t key __attribute__ ((unused)),
++			     hashtab_datum_t datum, void *args)
++{
++	role_datum_t *role = datum;
++	uint32_t *p_nel = args;
 +
- 						if ((cur_trans->role ==
- 								i + 1) &&
- 						    (cur_trans->type ==
- 								j + 1) &&
- 						    (cur_trans->tclass ==
- 								k + 1)) {
--							if (cur_trans->
--							    new_role ==
--								cur->new_role) {
-+							if (cur_trans->new_role == mapped_role) {
- 								break;
- 							} else {
- 								ERR(state->handle,
--									"Conflicting role trans rule %s %s : %s %s",
-+									"Conflicting role trans rule %s %s : %s { %s vs %s }",
- 									state->out->p_role_val_to_name[i],
- 									state->out->p_type_val_to_name[j],
- 									state->out->p_class_val_to_name[k],
--									state->out->p_role_val_to_name[cur->new_role - 1]);
-+									state->out->p_role_val_to_name[mapped_role],
-+									state->out->p_role_val_to_name[cur_trans->new_role - 1]);
- 								return -1;
- 							}
- 						}
-diff --git a/libsepol/src/policydb.c b/libsepol/src/policydb.c
-index 6d8ff91..3d8dc80 100644
---- a/libsepol/src/policydb.c
-+++ b/libsepol/src/policydb.c
-@@ -2280,6 +2280,7 @@ int filename_trans_read(filename_trans_t **t, struct policy_file *fp)
- 			lft->next = ft;
- 		else
- 			*t = ft;
-+		lft = ft;
- 		rc = next_entry(buf, fp, sizeof(uint32_t));
- 		if (rc < 0)
- 			return -1;
++	if (role->flavor == ROLE_ATTRIB) {
++		/* uncount attribute from total number of roles */
++		(*p_nel)--;
++	}
++	return 0;
++}
++
+ /*
+  * Write the configuration data in a policy database
+  * structure to a policy database binary representation
+@@ -1926,7 +1952,7 @@ int policydb_write(policydb_t * p, struct policy_file *fp)
+ 	num_syms = info->sym_num;
+ 	for (i = 0; i < num_syms; i++) {
+ 		buf[0] = cpu_to_le32(p->symtab[i].nprim);
+-		buf[1] = cpu_to_le32(p->symtab[i].table->nel);
++		buf[1] = p->symtab[i].table->nel;
+ 
+ 		/*
+ 		 * A special case when writing type/attribute symbol table.
+@@ -1939,6 +1965,20 @@ int policydb_write(policydb_t * p, struct policy_file *fp)
+ 		    p->policy_type == POLICY_KERN) {
+ 			hashtab_map(p->symtab[i].table, type_attr_uncount, &buf[1]);
+ 		}
++
++		/*
++		 * Another special case when writing role/attribute symbol
++		 * table, role attributes are redundant for policy.X, or
++		 * when the pp's version is not big enough. So deduct
++		 * their numbers from p_roles.table->nel.
++		 */
++		if ((i == SYM_ROLES) &&
++		    ((p->policy_type == POLICY_KERN) ||
++		     (p->policy_type != POLICY_KERN &&
++		      p->policyvers < MOD_POLICYDB_VERSION_ROLEATTRIB)))
++			hashtab_map(p->symtab[i].table, role_attr_uncount, &buf[1]);
++
++		buf[1] = cpu_to_le32(buf[1]);
+ 		items = put_entry(buf, sizeof(uint32_t), 2, fp);
+ 		if (items != 2)
+ 			return POLICYDB_ERROR;

libsepol.spec

@@ -1,6 +1,6 @@
 Summary: SELinux binary policy manipulation library 
 Name: libsepol
-Version: 2.1.0
+Version: 2.1.2
 Release: 1%{?dist}
 License: LGPLv2+
 Group: System Environment/Libraries
@@ -98,7 +98,16 @@ exit 0
 /%{_lib}/libsepol.so.1
 
 %changelog
-* Thu May 3 2011 Dan Walsh <dwalsh@redhat.com> 2.1.0-1
+* Thu Aug 18 2011 Dan Walsh <dwalsh@redhat.com> - 2.1.2-0
+- Update to upstream 
+	* Only call role_fix_callback for base.p_roles during expansion.
+	* use mapped role number instead of module role number
+
+* Mon Aug 1 2011 Dan Walsh <dwalsh@redhat.com> 2.1.1-1
+- Update to upstream 
+	* Minor fix to reading policy with filename transition rules
+
+* Wed Jul 27 2011 Dan Walsh <dwalsh@redhat.com> 2.1.0-1
 - Update to upstream 
 	* Release, minor version bump
 

sources

@@ -1 +1 @@
-c151def95fc51a5ebffabceb6d749e0b  libsepol-2.1.0.tgz
+b5633c3d0326cf492b88eb5e010923f0  libsepol-2.1.2.tgz