rpms/libsepol
6
0
Fork 0
Code Issues Pull Requests Releases Activity

libsepol-2.5-9

Browse Source 
- Warn instead of fail if permission is not resolved
- Ignore object_r when adding userrole mappings to policydb
This commit is contained in:
Petr Lautrbach 2016-08-01 10:46:53 +02:00
parent 5ec2ad1fb2
commit aac9abeb50
2 changed files with 63 additions and 30 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

85
libsepol-fedora.patch
View File

@ -19,10 +19,12 @@ index a43b343..6d89f17 100644
$(LOCAL_PATH)/include/ \ $(LOCAL_PATH)/include/ \
$(LOCAL_PATH)/src/ \ $(LOCAL_PATH)/src/ \
diff --git libsepol-2.5/ChangeLog libsepol-2.5/ChangeLog diff --git libsepol-2.5/ChangeLog libsepol-2.5/ChangeLog
index ace3d54..4c997c5 100644 index ace3d54..b45f3ad 100644
--- libsepol-2.5/ChangeLog --- libsepol-2.5/ChangeLog
+++ libsepol-2.5/ChangeLog +++ libsepol-2.5/ChangeLog
@@ -1,3 +1,21 @@ @@ -1,3 +1,23 @@
+ * Warn instead of fail if permission is not resolved, from James Carter.
+ * Ignore object_r when adding userrole mappings to policydb, from Steve Lawrence.
+ * Add missing return to sepol_node_query(), from Petr Lautrbach. + * Add missing return to sepol_node_query(), from Petr Lautrbach.
+ * Add missing <stdarg.h> include, from Thomas Petazzoni. + * Add missing <stdarg.h> include, from Thomas Petazzoni.
+ * Correctly detect unknown classes in sepol_string_to_security_class, from Joshua Brindle. + * Correctly detect unknown classes in sepol_string_to_security_class, from Joshua Brindle.
@ -118,7 +120,7 @@ index afdc240..929ab19 100644
+ (*info)->path = NULL; + (*info)->path = NULL;
+} +}
diff --git libsepol-2.5/cil/src/cil_binary.c libsepol-2.5/cil/src/cil_binary.c diff --git libsepol-2.5/cil/src/cil_binary.c libsepol-2.5/cil/src/cil_binary.c
index f749e53..5d03127 100644 index f749e53..46fea4b 100644
--- libsepol-2.5/cil/src/cil_binary.c --- libsepol-2.5/cil/src/cil_binary.c
+++ libsepol-2.5/cil/src/cil_binary.c +++ libsepol-2.5/cil/src/cil_binary.c
@@ -31,6 +31,9 @@ @@ -31,6 +31,9 @@
@ -146,7 +148,20 @@ index f749e53..5d03127 100644
} }
} }
@@ -1770,13 +1775,12 @@ int __cil_cond_to_policydb_helper(struct cil_tree_node *node, __attribute__((unu @@ -749,6 +754,12 @@ int cil_userrole_to_policydb(policydb_t *pdb, const struct cil_db *db, struct ci
goto exit;
}
+ if (sepol_role->s.value == 1) {
+ // role is object_r, ignore it since it is implicitly associated
+ // with all users
+ continue;
+ }
+
if (ebitmap_set_bit(&sepol_user->roles.roles, sepol_role->s.value - 1, 1)) {
cil_log(CIL_INFO, "Failed to set role bit for user\n");
rc = SEPOL_ERR;
@@ -1770,13 +1781,12 @@ int __cil_cond_to_policydb_helper(struct cil_tree_node *node, __attribute__((unu
cil_typetrans = (struct cil_nametypetransition*)node->data; cil_typetrans = (struct cil_nametypetransition*)node->data;
if (DATUM(cil_typetrans->name)->fqn != CIL_KEY_STAR) { if (DATUM(cil_typetrans->name)->fqn != CIL_KEY_STAR) {
cil_log(CIL_ERR, "typetransition with file name not allowed within a booleanif block.\n"); cil_log(CIL_ERR, "typetransition with file name not allowed within a booleanif block.\n");
@ -162,7 +177,7 @@ index f749e53..5d03127 100644
goto exit; goto exit;
} }
break; break;
@@ -1784,7 +1788,7 @@ int __cil_cond_to_policydb_helper(struct cil_tree_node *node, __attribute__((unu @@ -1784,7 +1794,7 @@ int __cil_cond_to_policydb_helper(struct cil_tree_node *node, __attribute__((unu
cil_type_rule = node->data; cil_type_rule = node->data;
rc = __cil_type_rule_to_avtab(pdb, db, cil_type_rule, cond_node, cond_flavor); rc = __cil_type_rule_to_avtab(pdb, db, cil_type_rule, cond_node, cond_flavor);
if (rc != SEPOL_OK) { if (rc != SEPOL_OK) {
@ -171,7 +186,7 @@ index f749e53..5d03127 100644
goto exit; goto exit;
} }
break; break;
@@ -1792,7 +1796,7 @@ int __cil_cond_to_policydb_helper(struct cil_tree_node *node, __attribute__((unu @@ -1792,7 +1802,7 @@ int __cil_cond_to_policydb_helper(struct cil_tree_node *node, __attribute__((unu
cil_avrule = node->data; cil_avrule = node->data;
rc = __cil_avrule_to_avtab(pdb, db, cil_avrule, cond_node, cond_flavor); rc = __cil_avrule_to_avtab(pdb, db, cil_avrule, cond_node, cond_flavor);
if (rc != SEPOL_OK) { if (rc != SEPOL_OK) {
@ -180,7 +195,7 @@ index f749e53..5d03127 100644
goto exit; goto exit;
} }
break; break;
@@ -1800,8 +1804,7 @@ int __cil_cond_to_policydb_helper(struct cil_tree_node *node, __attribute__((unu @@ -1800,8 +1810,7 @@ int __cil_cond_to_policydb_helper(struct cil_tree_node *node, __attribute__((unu
case CIL_TUNABLEIF: case CIL_TUNABLEIF:
break; break;
default: default:
@ -190,7 +205,7 @@ index f749e53..5d03127 100644
goto exit; goto exit;
} }
@@ -2060,14 +2063,13 @@ int cil_booleanif_to_policydb(policydb_t *pdb, const struct cil_db *db, struct c @@ -2060,14 +2069,13 @@ int cil_booleanif_to_policydb(policydb_t *pdb, const struct cil_db *db, struct c
tmp_cond = cond_node_create(pdb, NULL); tmp_cond = cond_node_create(pdb, NULL);
if (tmp_cond == NULL) { if (tmp_cond == NULL) {
rc = SEPOL_ERR; rc = SEPOL_ERR;
@ -207,7 +222,7 @@ index f749e53..5d03127 100644
goto exit; goto exit;
} }
@@ -2123,7 +2125,7 @@ int cil_booleanif_to_policydb(policydb_t *pdb, const struct cil_db *db, struct c @@ -2123,7 +2131,7 @@ int cil_booleanif_to_policydb(policydb_t *pdb, const struct cil_db *db, struct c
bool_args.cond_flavor = CIL_CONDTRUE; bool_args.cond_flavor = CIL_CONDTRUE;
rc = cil_tree_walk(true_node, __cil_cond_to_policydb_helper, NULL, NULL, &bool_args); rc = cil_tree_walk(true_node, __cil_cond_to_policydb_helper, NULL, NULL, &bool_args);
if (rc != SEPOL_OK) { if (rc != SEPOL_OK) {
@ -216,7 +231,7 @@ index f749e53..5d03127 100644
goto exit; goto exit;
} }
} }
@@ -2132,7 +2134,7 @@ int cil_booleanif_to_policydb(policydb_t *pdb, const struct cil_db *db, struct c @@ -2132,7 +2140,7 @@ int cil_booleanif_to_policydb(policydb_t *pdb, const struct cil_db *db, struct c
bool_args.cond_flavor = CIL_CONDFALSE; bool_args.cond_flavor = CIL_CONDFALSE;
rc = cil_tree_walk(false_node, __cil_cond_to_policydb_helper, NULL, NULL, &bool_args); rc = cil_tree_walk(false_node, __cil_cond_to_policydb_helper, NULL, NULL, &bool_args);
if (rc != SEPOL_OK) { if (rc != SEPOL_OK) {
@ -225,7 +240,7 @@ index f749e53..5d03127 100644
goto exit; goto exit;
} }
} }
@@ -3035,6 +3037,9 @@ int cil_portcon_to_policydb(policydb_t *pdb, struct cil_sort *portcons) @@ -3035,6 +3043,9 @@ int cil_portcon_to_policydb(policydb_t *pdb, struct cil_sort *portcons)
case CIL_PROTOCOL_TCP: case CIL_PROTOCOL_TCP:
new_ocon->u.port.protocol = IPPROTO_TCP; new_ocon->u.port.protocol = IPPROTO_TCP;
break; break;
@ -235,7 +250,7 @@ index f749e53..5d03127 100644
default: default:
/* should not get here */ /* should not get here */
rc = SEPOL_ERR; rc = SEPOL_ERR;
@@ -3583,7 +3588,7 @@ int __cil_node_to_policydb(struct cil_tree_node *node, void *extra_args) @@ -3583,7 +3594,7 @@ int __cil_node_to_policydb(struct cil_tree_node *node, void *extra_args)
exit: exit:
if (rc != SEPOL_OK) { if (rc != SEPOL_OK) {
@ -244,7 +259,7 @@ index f749e53..5d03127 100644
} }
return rc; return rc;
} }
@@ -4227,6 +4232,9 @@ exit: @@ -4227,6 +4238,9 @@ exit:
static avrule_t *__cil_init_sepol_avrule(uint32_t kind, struct cil_tree_node *node) static avrule_t *__cil_init_sepol_avrule(uint32_t kind, struct cil_tree_node *node)
{ {
avrule_t *avrule; avrule_t *avrule;
@ -254,7 +269,7 @@ index f749e53..5d03127 100644
avrule = cil_malloc(sizeof(avrule_t)); avrule = cil_malloc(sizeof(avrule_t));
avrule->specified = kind; avrule->specified = kind;
@@ -4235,8 +4243,17 @@ static avrule_t *__cil_init_sepol_avrule(uint32_t kind, struct cil_tree_node *no @@ -4235,8 +4249,17 @@ static avrule_t *__cil_init_sepol_avrule(uint32_t kind, struct cil_tree_node *no
__cil_init_sepol_type_set(&avrule->ttypes); __cil_init_sepol_type_set(&avrule->ttypes);
avrule->perms = NULL; avrule->perms = NULL;
avrule->line = node->line; avrule->line = node->line;
@ -273,7 +288,7 @@ index f749e53..5d03127 100644
avrule->next = NULL; avrule->next = NULL;
return avrule; return avrule;
} }
@@ -4263,10 +4280,8 @@ static void __cil_print_parents(const char *pad, struct cil_tree_node *n) @@ -4263,10 +4286,8 @@ static void __cil_print_parents(const char *pad, struct cil_tree_node *n)
__cil_print_parents(pad, n->parent); __cil_print_parents(pad, n->parent);
@ -286,7 +301,7 @@ index f749e53..5d03127 100644
} }
} }
@@ -4357,7 +4372,7 @@ static int __cil_print_neverallow_failure(const struct cil_db *db, struct cil_tr @@ -4357,7 +4378,7 @@ static int __cil_print_neverallow_failure(const struct cil_db *db, struct cil_tr
allow_str = CIL_KEY_ALLOWX; allow_str = CIL_KEY_ALLOWX;
avrule_flavor = CIL_AVRULEX; avrule_flavor = CIL_AVRULEX;
} }
@ -295,7 +310,7 @@ index f749e53..5d03127 100644
__cil_print_rule(" ", neverallow_str, cil_rule); __cil_print_rule(" ", neverallow_str, cil_rule);
cil_list_init(&matching, CIL_NODE); cil_list_init(&matching, CIL_NODE);
rc = cil_find_matching_avrule_in_ast(db->ast->root, avrule_flavor, &target, matching, CIL_FALSE); rc = cil_find_matching_avrule_in_ast(db->ast->root, avrule_flavor, &target, matching, CIL_FALSE);
@@ -4380,10 +4395,9 @@ exit: @@ -4380,10 +4401,9 @@ exit:
return rc; return rc;
} }
@ -308,7 +323,7 @@ index f749e53..5d03127 100644
struct cil_avrule *cil_rule = node->data; struct cil_avrule *cil_rule = node->data;
struct cil_symtab_datum *tgt = cil_rule->tgt; struct cil_symtab_datum *tgt = cil_rule->tgt;
uint32_t kind; uint32_t kind;
@@ -4422,11 +4436,11 @@ static int cil_check_neverallow(const struct cil_db *db, policydb_t *pdb, struct @@ -4422,11 +4442,11 @@ static int cil_check_neverallow(const struct cil_db *db, policydb_t *pdb, struct
rc = check_assertion(pdb, rule); rc = check_assertion(pdb, rule);
if (rc == CIL_TRUE) { if (rc == CIL_TRUE) {
@ -321,7 +336,7 @@ index f749e53..5d03127 100644
} }
} else { } else {
@@ -4444,12 +4458,11 @@ static int cil_check_neverallow(const struct cil_db *db, policydb_t *pdb, struct @@ -4444,12 +4464,11 @@ static int cil_check_neverallow(const struct cil_db *db, policydb_t *pdb, struct
rule->xperms = item->data; rule->xperms = item->data;
rc = check_assertion(pdb, rule); rc = check_assertion(pdb, rule);
if (rc == CIL_TRUE) { if (rc == CIL_TRUE) {
@ -335,7 +350,7 @@ index f749e53..5d03127 100644
} }
} }
} }
@@ -4466,34 +4479,23 @@ exit: @@ -4466,34 +4485,23 @@ exit:
rule->xperms = NULL; rule->xperms = NULL;
__cil_destroy_sepol_avrules(rule); __cil_destroy_sepol_avrules(rule);
@ -375,7 +390,7 @@ index f749e53..5d03127 100644
} }
static struct cil_list *cil_classperms_from_sepol(policydb_t *pdb, uint16_t class, uint32_t data, struct cil_class *class_value_to_cil[], struct cil_perm **perm_value_to_cil[]) static struct cil_list *cil_classperms_from_sepol(policydb_t *pdb, uint16_t class, uint32_t data, struct cil_class *class_value_to_cil[], struct cil_perm **perm_value_to_cil[])
@@ -4548,7 +4550,7 @@ exit: @@ -4548,7 +4556,7 @@ exit:
return rc; return rc;
} }
@ -384,7 +399,7 @@ index f749e53..5d03127 100644
{ {
int rc = SEPOL_OK; int rc = SEPOL_OK;
int i; int i;
@@ -4574,6 +4576,9 @@ static int cil_check_type_bounds(const struct cil_db *db, policydb_t *pdb, void @@ -4574,6 +4582,9 @@ static int cil_check_type_bounds(const struct cil_db *db, policydb_t *pdb, void
if (bad) { if (bad) {
avtab_ptr_t cur; avtab_ptr_t cur;
struct cil_avrule target; struct cil_avrule target;
@ -394,7 +409,7 @@ index f749e53..5d03127 100644
target.is_extended = 0; target.is_extended = 0;
target.rule_kind = CIL_AVRULE_ALLOWED; target.rule_kind = CIL_AVRULE_ALLOWED;
@@ -4585,7 +4590,6 @@ static int cil_check_type_bounds(const struct cil_db *db, policydb_t *pdb, void @@ -4585,7 +4596,6 @@ static int cil_check_type_bounds(const struct cil_db *db, policydb_t *pdb, void
for (cur = bad; cur; cur = cur->next) { for (cur = bad; cur; cur = cur->next) {
struct cil_list_item *i2; struct cil_list_item *i2;
struct cil_list *matching; struct cil_list *matching;
@ -402,7 +417,7 @@ index f749e53..5d03127 100644
rc = cil_avrule_from_sepol(pdb, cur, &target, type_value_to_cil, class_value_to_cil, perm_value_to_cil); rc = cil_avrule_from_sepol(pdb, cur, &target, type_value_to_cil, class_value_to_cil, perm_value_to_cil);
if (rc != SEPOL_OK) { if (rc != SEPOL_OK) {
@@ -4594,7 +4598,7 @@ static int cil_check_type_bounds(const struct cil_db *db, policydb_t *pdb, void @@ -4594,7 +4604,7 @@ static int cil_check_type_bounds(const struct cil_db *db, policydb_t *pdb, void
} }
__cil_print_rule(" ", "allow", &target); __cil_print_rule(" ", "allow", &target);
cil_list_init(&matching, CIL_NODE); cil_list_init(&matching, CIL_NODE);
@ -411,7 +426,7 @@ index f749e53..5d03127 100644
if (rc) { if (rc) {
cil_log(CIL_ERR, "Error occurred while checking type bounds\n"); cil_log(CIL_ERR, "Error occurred while checking type bounds\n");
cil_list_destroy(&matching, CIL_FALSE); cil_list_destroy(&matching, CIL_FALSE);
@@ -4602,14 +4606,17 @@ static int cil_check_type_bounds(const struct cil_db *db, policydb_t *pdb, void @@ -4602,14 +4612,17 @@ static int cil_check_type_bounds(const struct cil_db *db, policydb_t *pdb, void
bounds_destroy_bad(bad); bounds_destroy_bad(bad);
goto exit; goto exit;
} }
@ -435,7 +450,7 @@ index f749e53..5d03127 100644
cil_list_destroy(&matching, CIL_FALSE); cil_list_destroy(&matching, CIL_FALSE);
cil_list_destroy(&target.perms.classperms, CIL_TRUE); cil_list_destroy(&target.perms.classperms, CIL_TRUE);
} }
@@ -4753,20 +4760,32 @@ int cil_binary_create_allocated_pdb(const struct cil_db *db, sepol_policydb_t *p @@ -4753,20 +4766,32 @@ int cil_binary_create_allocated_pdb(const struct cil_db *db, sepol_policydb_t *p
__cil_set_conditional_state_and_flags(pdb); __cil_set_conditional_state_and_flags(pdb);
if (db->disable_neverallow != CIL_TRUE) { if (db->disable_neverallow != CIL_TRUE) {
@ -2014,9 +2029,23 @@ index 06146ca..de00679 100644
* statement isn't seen as a duplicate */ * statement isn't seen as a duplicate */
class->num_perms -= common->num_perms; class->num_perms -= common->num_perms;
diff --git libsepol-2.5/cil/src/cil_resolve_ast.c libsepol-2.5/cil/src/cil_resolve_ast.c diff --git libsepol-2.5/cil/src/cil_resolve_ast.c libsepol-2.5/cil/src/cil_resolve_ast.c
index 1489680..70e4462 100644 index 1489680..8348d57 100644
--- libsepol-2.5/cil/src/cil_resolve_ast.c --- libsepol-2.5/cil/src/cil_resolve_ast.c
+++ libsepol-2.5/cil/src/cil_resolve_ast.c +++ libsepol-2.5/cil/src/cil_resolve_ast.c
@@ -131,10 +131,10 @@ static int __cil_resolve_perms(symtab_t *class_symtab, symtab_t *common_symtab,
}
}
if (rc != SEPOL_OK) {
- cil_log(CIL_ERR, "Failed to resolve permission %s\n", (char*)curr->data);
- goto exit;
+ cil_log(CIL_WARN, "Failed to resolve permission %s\n", (char*)curr->data);
+ } else {
+ cil_list_append(*perm_datums, CIL_DATUM, perm_datum);
}
- cil_list_append(*perm_datums, CIL_DATUM, perm_datum);
} else {
cil_list_append(*perm_datums, curr->flavor, curr->data);
}
@@ -497,7 +497,7 @@ int cil_resolve_alias_to_actual(struct cil_tree_node *current, enum cil_flavor f @@ -497,7 +497,7 @@ int cil_resolve_alias_to_actual(struct cil_tree_node *current, enum cil_flavor f
int limit = 2; int limit = 2;
@ -2197,7 +2226,7 @@ index 1489680..70e4462 100644
- cil_log(lvl, "Failed to resolve '%s' in %s statement at line %d of %s\n", - cil_log(lvl, "Failed to resolve '%s' in %s statement at line %d of %s\n",
- args->last_resolved_name, cil_node_to_string(node), node->line, node->path); - args->last_resolved_name, cil_node_to_string(node), node->line, node->path);
+ cil_tree_log(node, lvl, "Failed to resolve '%s' in %s statement", args->last_resolved_name, cil_node_to_string(node)); + cil_tree_log(node, lvl, "Failed to resolve %s statement", cil_node_to_string(node));
goto exit; goto exit;
} }

8
libsepol.spec
View File

@ -1,14 +1,14 @@
Summary: SELinux binary policy manipulation library Summary: SELinux binary policy manipulation library
Name: libsepol Name: libsepol
Version: 2.5 Version: 2.5
Release: 8%{?dist} Release: 9%{?dist}
License: LGPLv2+ License: LGPLv2+
Group: System Environment/Libraries Group: System Environment/Libraries
Source: https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20160223/libsepol-2.5.tar.gz Source: https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20160223/libsepol-2.5.tar.gz
# download https://raw.githubusercontent.com/fedora-selinux/scripts/master/selinux/make-fedora-selinux-patch.sh # download https://raw.githubusercontent.com/fedora-selinux/scripts/master/selinux/make-fedora-selinux-patch.sh
# run: # run:
# $ VERSION=2.5 ./make-fedora-selinux-patch.sh libsepol # $ VERSION=2.5 ./make-fedora-selinux-patch.sh libsepol
# HEAD https://github.com/fedora-selinux/selinux/commit/9eb71873eb6e6073228257abbeb42f61b2719336 # HEAD https://github.com/fedora-selinux/selinux/commit/dbf42c22e798a5e2cf9c1fc711c803e7da20cfb4
Patch1: libsepol-fedora.patch Patch1: libsepol-fedora.patch
URL: https://github.com/SELinuxProject/selinux/wiki URL: https://github.com/SELinuxProject/selinux/wiki
BuildRequires: flex BuildRequires: flex
@ -106,6 +106,10 @@ exit 0
%{_libdir}/libsepol.so.1 %{_libdir}/libsepol.so.1
%changelog %changelog
* Mon Aug 01 2016 Petr Lautrbach <plautrba@redhat.com> 2.5-9
- Warn instead of fail if permission is not resolved
- Ignore object_r when adding userrole mappings to policydb
* Thu Jul 14 2016 Petr Lautrbach <plautrba@redhat.com> - 2.5-8 * Thu Jul 14 2016 Petr Lautrbach <plautrba@redhat.com> - 2.5-8
- Add missing return to sepol_node_query() - Add missing return to sepol_node_query()
- Add missing <stdarg.h> include - Add missing <stdarg.h> include