libsepol-2.5-3

- Fix bug in CIL when resetting classes
- Add support for portcon dccp protocol

libsepol-fedora.patch

@@ -0,0 +1,170 @@
+diff --git libsepol-2.5/ChangeLog libsepol-2.5/ChangeLog
+index ace3d54..41bf8c0 100644
+--- libsepol-2.5/ChangeLog
++++ libsepol-2.5/ChangeLog
+@@ -1,3 +1,6 @@
++	* Add support for portcon dccp protocol, from Richard Haines
++	* Fix bug in CIL when resetting classes, from Steve Lawrence
++
+ 2.5 2016-02-23
+ 	* Fix unused variable annotations, from Nicolas Iooss.
+ 	* Fix uninitialized variable in CIL, from Nicolas Iooss.
+diff --git libsepol-2.5/cil/src/cil.c libsepol-2.5/cil/src/cil.c
+index afdc240..de7033a 100644
+--- libsepol-2.5/cil/src/cil.c
++++ libsepol-2.5/cil/src/cil.c
+@@ -108,6 +108,7 @@ static void cil_init_keys(void)
+ 	CIL_KEY_STAR = cil_strpool_add("*");
+ 	CIL_KEY_UDP = cil_strpool_add("udp");
+ 	CIL_KEY_TCP = cil_strpool_add("tcp");
++	CIL_KEY_DCCP = cil_strpool_add("dccp");
+ 	CIL_KEY_AUDITALLOW = cil_strpool_add("auditallow");
+ 	CIL_KEY_TUNABLEIF = cil_strpool_add("tunableif");
+ 	CIL_KEY_ALLOW = cil_strpool_add("allow");
+diff --git libsepol-2.5/cil/src/cil_binary.c libsepol-2.5/cil/src/cil_binary.c
+index f749e53..5d7e52e 100644
+--- libsepol-2.5/cil/src/cil_binary.c
++++ libsepol-2.5/cil/src/cil_binary.c
+@@ -3035,6 +3035,9 @@ int cil_portcon_to_policydb(policydb_t *pdb, struct cil_sort *portcons)
+ 		case CIL_PROTOCOL_TCP:
+ 			new_ocon->u.port.protocol = IPPROTO_TCP;
+ 			break;
++		case CIL_PROTOCOL_DCCP:
++			new_ocon->u.port.protocol = IPPROTO_DCCP;
++			break;
+ 		default:
+ 			/* should not get here */
+ 			rc = SEPOL_ERR;
+diff --git libsepol-2.5/cil/src/cil_build_ast.c libsepol-2.5/cil/src/cil_build_ast.c
+index 1135e06..90fee8e 100644
+--- libsepol-2.5/cil/src/cil_build_ast.c
++++ libsepol-2.5/cil/src/cil_build_ast.c
+@@ -4261,6 +4261,8 @@ int cil_gen_portcon(struct cil_db *db, struct cil_tree_node *parse_current, stru
+ 		portcon->proto = CIL_PROTOCOL_UDP;
+ 	} else if (proto == CIL_KEY_TCP) {
+ 		portcon->proto = CIL_PROTOCOL_TCP;
++	} else if (proto == CIL_KEY_DCCP) {
++		portcon->proto = CIL_PROTOCOL_DCCP;
+ 	} else {
+ 		cil_log(CIL_ERR, "Invalid protocol\n");
+ 		rc = SEPOL_ERR;
+diff --git libsepol-2.5/cil/src/cil_internal.h libsepol-2.5/cil/src/cil_internal.h
+index a0a5480..a75ddf8 100644
+--- libsepol-2.5/cil/src/cil_internal.h
++++ libsepol-2.5/cil/src/cil_internal.h
+@@ -101,6 +101,7 @@ char *CIL_KEY_OBJECT_R;
+ char *CIL_KEY_STAR;
+ char *CIL_KEY_TCP;
+ char *CIL_KEY_UDP;
++char *CIL_KEY_DCCP;
+ char *CIL_KEY_AUDITALLOW;
+ char *CIL_KEY_TUNABLEIF;
+ char *CIL_KEY_ALLOW;
+@@ -713,7 +714,8 @@ struct cil_filecon {
+ 
+ enum cil_protocol {
+ 	CIL_PROTOCOL_UDP = 1,
+-	CIL_PROTOCOL_TCP	
++	CIL_PROTOCOL_TCP,
++	CIL_PROTOCOL_DCCP
+ };
+ 
+ struct cil_portcon {
+diff --git libsepol-2.5/cil/src/cil_policy.c libsepol-2.5/cil/src/cil_policy.c
+index 2c9b158..382129b 100644
+--- libsepol-2.5/cil/src/cil_policy.c
++++ libsepol-2.5/cil/src/cil_policy.c
+@@ -123,6 +123,8 @@ int cil_portcon_to_policy(FILE **file_arr, struct cil_sort *sort)
+ 			fprintf(file_arr[NETIFCONS], "udp ");
+ 		} else if (portcon->proto == CIL_PROTOCOL_TCP) {
+ 			fprintf(file_arr[NETIFCONS], "tcp ");
++		} else if (portcon->proto == CIL_PROTOCOL_DCCP) {
++			fprintf(file_arr[NETIFCONS], "dccp ");
+ 		}
+ 		fprintf(file_arr[NETIFCONS], "%d ", portcon->port_low);
+ 		fprintf(file_arr[NETIFCONS], "%d ", portcon->port_high);
+diff --git libsepol-2.5/cil/src/cil_reset_ast.c libsepol-2.5/cil/src/cil_reset_ast.c
+index 06146ca..de00679 100644
+--- libsepol-2.5/cil/src/cil_reset_ast.c
++++ libsepol-2.5/cil/src/cil_reset_ast.c
+@@ -23,7 +23,7 @@ static void cil_reset_class(struct cil_class *class)
+ {
+ 	if (class->common != NULL) {
+ 		struct cil_class *common = class->common;
+-		cil_symtab_map(&common->perms, __class_reset_perm_values, &common->num_perms);
++		cil_symtab_map(&class->perms, __class_reset_perm_values, &common->num_perms);
+ 		/* during a re-resolve, we need to reset the common, so a classcommon
+ 		 * statement isn't seen as a duplicate */
+ 		class->num_perms -= common->num_perms;
+diff --git libsepol-2.5/cil/src/cil_tree.c libsepol-2.5/cil/src/cil_tree.c
+index 1c23efc..563b817 100644
+--- libsepol-2.5/cil/src/cil_tree.c
++++ libsepol-2.5/cil/src/cil_tree.c
+@@ -1319,6 +1319,8 @@ void cil_tree_print_node(struct cil_tree_node *node)
+ 				cil_log(CIL_INFO, " udp");
+ 			} else if (portcon->proto == CIL_PROTOCOL_TCP) {
+ 				cil_log(CIL_INFO, " tcp");
++			} else if (portcon->proto == CIL_PROTOCOL_DCCP) {
++				cil_log(CIL_INFO, " dccp");
+ 			}
+ 			cil_log(CIL_INFO, " (%d %d)", portcon->port_low, portcon->port_high);
+ 
+diff --git libsepol-2.5/include/sepol/port_record.h libsepol-2.5/include/sepol/port_record.h
+index 697cea4..c07d1fa 100644
+--- libsepol-2.5/include/sepol/port_record.h
++++ libsepol-2.5/include/sepol/port_record.h
+@@ -14,6 +14,7 @@ typedef struct sepol_port_key sepol_port_key_t;
+ 
+ #define SEPOL_PROTO_UDP 0
+ #define SEPOL_PROTO_TCP 1
++#define SEPOL_PROTO_DCCP 2
+ 
+ /* Key */
+ extern int sepol_port_compare(const sepol_port_t * port,
+diff --git libsepol-2.5/src/module_to_cil.c libsepol-2.5/src/module_to_cil.c
+index 18ec6b9..b478d9f 100644
+--- libsepol-2.5/src/module_to_cil.c
++++ libsepol-2.5/src/module_to_cil.c
+@@ -2537,6 +2537,7 @@ static int ocontext_selinux_port_to_cil(struct policydb *pdb, struct ocontext *p
+ 		switch (portcon->u.port.protocol) {
+ 		case IPPROTO_TCP: protocol = "tcp"; break;
+ 		case IPPROTO_UDP: protocol = "udp"; break;
++		case IPPROTO_DCCP: protocol = "dccp"; break;
+ 		default:
+ 			log_err("Unknown portcon protocol: %i", portcon->u.port.protocol);
+ 			rc = -1;
+diff --git libsepol-2.5/src/port_record.c libsepol-2.5/src/port_record.c
+index 6a33d93..ed9093b 100644
+--- libsepol-2.5/src/port_record.c
++++ libsepol-2.5/src/port_record.c
+@@ -184,6 +184,8 @@ const char *sepol_port_get_proto_str(int proto)
+ 		return "udp";
+ 	case SEPOL_PROTO_TCP:
+ 		return "tcp";
++	case SEPOL_PROTO_DCCP:
++		return "dccp";
+ 	default:
+ 		return "???";
+ 	}
+diff --git libsepol-2.5/src/ports.c libsepol-2.5/src/ports.c
+index 607a629..b1ee094 100644
+--- libsepol-2.5/src/ports.c
++++ libsepol-2.5/src/ports.c
+@@ -16,6 +16,8 @@ static inline int sepol2ipproto(sepol_handle_t * handle, int proto)
+ 		return IPPROTO_TCP;
+ 	case SEPOL_PROTO_UDP:
+ 		return IPPROTO_UDP;
++	case SEPOL_PROTO_DCCP:
++		return IPPROTO_DCCP;
+ 	default:
+ 		ERR(handle, "unsupported protocol %u", proto);
+ 		return STATUS_ERR;
+@@ -30,6 +32,8 @@ static inline int ipproto2sepol(sepol_handle_t * handle, int proto)
+ 		return SEPOL_PROTO_TCP;
+ 	case IPPROTO_UDP:
+ 		return SEPOL_PROTO_UDP;
++	case IPPROTO_DCCP:
++		return SEPOL_PROTO_DCCP;
+ 	default:
+ 		ERR(handle, "invalid protocol %u " "found in policy", proto);
+ 		return STATUS_ERR;

libsepol.spec

@@ -1,14 +1,14 @@
 Summary: SELinux binary policy manipulation library 
 Name: libsepol
 Version: 2.5
-Release: 2%{?dist}
+Release: 3%{?dist}
 License: LGPLv2+
 Group: System Environment/Libraries
 Source: https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20160223/libsepol-2.5.tar.gz
 # download https://raw.githubusercontent.com/fedora-selinux/scripts/master/selinux/make-fedora-selinux-patch.sh
 # run:
 # $ VERSION=2.5 ./make-fedora-selinux-patch.sh libsepol
-# HEAD fedora-20160223
+# HEAD https://github.com/fedora-selinux/selinux/commit/4bfb84c7ff7b33cf06b9a6b2317d24054b9db562
 # Patch1: libsepol-fedora.patch
 URL: https://github.com/SELinuxProject/selinux/wiki
 BuildRequires: flex
@@ -107,6 +107,10 @@ exit 0
 %{_libdir}/libsepol.so.1
 
 %changelog
+* Fri Apr 08 2016 Petr Lautrbach <plautrba@redhat.com> - 2.5-3
+- Fix bug in CIL when resetting classes
+- Add support for portcon dccp protocol
+
 * Sun Feb 28 2016 Petr Lautrbach <plautrba@redhat.com> 2.5-2
 - Use fully versioned arch-specific requires