From 6eec04097ed4abdc9d4a61106a5f8e84f46f705b Mon Sep 17 00:00:00 2001
From: Dan Walsh
Date: Thu, 18 Aug 2011 06:58:25 -0400
Subject: [PATCH] Update to upstream
* Only call role_fix_callback for base.p_roles during expansion.
* use mapped role number instead of module role number
---
 .gitignore | 2 +
 libsepol-rhat.patch | 116 +++++++++++++++++++++++++++-----------------
 libsepol.spec | 13 ++++-
 sources | 2 +-
 4 files changed, 85 insertions(+), 48 deletions(-)
diff --git a/.gitignore b/.gitignore
index bc15aad..ce8c213 100644
--- a/.gitignore
+++ b/.gitignore
@@ -153,3 +153,5 @@ libsepol-2.0.41.tgz
 /libsepol-2.0.44.tgz
 /libsepol-2.0.45.tgz
 /libsepol-2.1.0.tgz
+/libsepol-2.1.1.tgz
+/libsepol-2.1.2.tgz
diff --git a/libsepol-rhat.patch b/libsepol-rhat.patch
index f87418d..5066c22 100644
--- a/libsepol-rhat.patch
+++ b/libsepol-rhat.patch
@@ -1,48 +1,74 @@ -diff --git a/libsepol/src/expand.c b/libsepol/src/expand.c -index b1af365..42bc931 100644 ---- a/libsepol/src/expand.c -+++ b/libsepol/src/expand.c -@@ -1181,23 +1181,26 @@ static int copy_role_trans(expand_state_t * state, role_trans_rule_t * rules) +diff --git a/libsepol/src/write.c b/libsepol/src/write.c +index 290e036..7257b0b 100644 +--- a/libsepol/src/write.c ++++ b/libsepol/src/write.c +@@ -972,6 +972,19 @@ static int role_write(hashtab_key_t key, hashtab_datum_t datum, void *ptr) - cur_trans = state->out->role_tr; - while (cur_trans) { -+ unsigned int mapped_role; + role = (role_datum_t *) datum; + ++ /* ++ * Role attributes are redundant for policy.X, skip them ++ * when writing the roles symbol table. They are also skipped ++ * when pp is downgraded. ++ * ++ * Their numbers would be deducted in policydb_write(). ++ */ ++ if ((role->flavor == ROLE_ATTRIB) && ++ ((p->policy_type == POLICY_KERN) || ++ (p->policy_type != POLICY_KERN && ++ p->policyvers < MOD_POLICYDB_VERSION_ROLEATTRIB))) ++ return POLICYDB_SUCCESS; + -+ mapped_role = state->rolemap[cur->new_role - 1]; + len = strlen(key); + items = 0; + buf[items++] = cpu_to_le32(len); +@@ -1795,6 +1808,19 @@ static int type_attr_uncount(hashtab_key_t key __attribute__ ((unused)), + return 0; + } + ++static int role_attr_uncount(hashtab_key_t key __attribute__ ((unused)), ++ hashtab_datum_t datum, void *args) ++{ ++ role_datum_t *role = datum; ++ uint32_t *p_nel = args; + - if ((cur_trans->role == - i + 1) && - (cur_trans->type == - j + 1) && - (cur_trans->tclass == - k + 1)) { -- if (cur_trans-> -- new_role == -- cur->new_role) { -+ if (cur_trans->new_role == mapped_role) { - break; - } else { - ERR(state->handle, -- "Conflicting role trans rule %s %s : %s %s", -+ "Conflicting role trans rule %s %s : %s { %s vs %s }", - state->out->p_role_val_to_name[i], - state->out->p_type_val_to_name[j], - state->out->p_class_val_to_name[k], -- state->out->p_role_val_to_name[cur->new_role - 1]); -+ 
state->out->p_role_val_to_name[mapped_role], -+ state->out->p_role_val_to_name[cur_trans->new_role - 1]); - return -1; - } - } -diff --git a/libsepol/src/policydb.c b/libsepol/src/policydb.c -index 6d8ff91..3d8dc80 100644 ---- a/libsepol/src/policydb.c -+++ b/libsepol/src/policydb.c -@@ -2280,6 +2280,7 @@ int filename_trans_read(filename_trans_t **t, struct policy_file *fp) - lft->next = ft; - else - *t = ft; -+ lft = ft; - rc = next_entry(buf, fp, sizeof(uint32_t)); - if (rc < 0) - return -1; ++ if (role->flavor == ROLE_ATTRIB) { ++ /* uncount attribute from total number of roles */ ++ (*p_nel)--; ++ } ++ return 0; ++} ++ + /* + * Write the configuration data in a policy database + * structure to a policy database binary representation +@@ -1926,7 +1952,7 @@ int policydb_write(policydb_t * p, struct policy_file *fp) + num_syms = info->sym_num; + for (i = 0; i < num_syms; i++) { + buf[0] = cpu_to_le32(p->symtab[i].nprim); +- buf[1] = cpu_to_le32(p->symtab[i].table->nel); ++ buf[1] = p->symtab[i].table->nel; + + /* + * A special case when writing type/attribute symbol table. +@@ -1939,6 +1965,20 @@ int policydb_write(policydb_t * p, struct policy_file *fp) + p->policy_type == POLICY_KERN) { + hashtab_map(p->symtab[i].table, type_attr_uncount, &buf[1]); + } ++ ++ /* ++ * Another special case when writing role/attribute symbol ++ * table, role attributes are redundant for policy.X, or ++ * when the pp's version is not big enough. So deduct ++ * their numbers from p_roles.table->nel. ++ */ ++ if ((i == SYM_ROLES) && ++ ((p->policy_type == POLICY_KERN) || ++ (p->policy_type != POLICY_KERN && ++ p->policyvers < MOD_POLICYDB_VERSION_ROLEATTRIB))) ++ hashtab_map(p->symtab[i].table, role_attr_uncount, &buf[1]); ++ ++ buf[1] = cpu_to_le32(buf[1]); + items = put_entry(buf, sizeof(uint32_t), 2, fp); + if (items != 2) + return POLICYDB_ERROR; diff --git a/libsepol.spec b/libsepol.spec index cd36af8..af99025 100644 --- a/libsepol.spec +++ b/libsepol.spec 
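Review bot: The test for dropping role attributes is spelled out twice in the carried write.c change, once at the top of `role_write()` and once in the `SYM_ROLES` case of `policydb_write()`, and the symbol count written to the policy header only matches the entries actually emitted while those two copies stay identical. A consumer of the binary policy presumably trusts that count, so I would move the test into one static helper that both sites call, e.g. `static int role_attribs_skipped(const policydb_t *p) { return p->policy_type == POLICY_KERN || p->policyvers < MOD_POLICYDB_VERSION_ROLEATTRIB; }`; the `p->policy_type != POLICY_KERN &&` term in the current form is redundant once the `== POLICY_KERN ||` branch has failed. `buf[0]` (nprim) is still written unadjusted, so it is worth confirming that the skipped attributes do not occupy values a loader expects to resolve below nprim. Both functions start and end outside the inner hunks, so how `p` is obtained inside `role_write()` is not visible here.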
@@ -1,6 +1,6 @@ Summary: SELinux binary policy manipulation library Name: libsepol -Version: 2.1.0 +Version: 2.1.2 Release: 1%{?dist} License: LGPLv2+ Group: System Environment/Libraries @@ -98,7 +98,16 @@ exit 0 /%{_lib}/libsepol.so.1 %changelog -* Thu May 3 2011 Dan Walsh 2.1.0-1 +* Thu Aug 18 2011 Dan Walsh - 2.1.2-0 +- Update to upstream + * Only call role_fix_callback for base.p_roles during expansion. + * use mapped role number instead of module role number + +* Mon Aug 1 2011 Dan Walsh 2.1.1-1 +- Update to upstream + * Minor fix to reading policy with filename transition rules + +* Wed Jul 27 2011 Dan Walsh 2.1.0-1 - Update to upstream * Release, minor version bump diff --git a/sources b/sources index 96cd270..b75b42f 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -c151def95fc51a5ebffabceb6d749e0b libsepol-2.1.0.tgz +b5633c3d0326cf492b88eb5e010923f0 libsepol-2.1.2.tgz