diff --git a/libsepol-rhat.patch b/libsepol-rhat.patch index 9c28806..8b54e5b 100644 --- a/libsepol-rhat.patch +++ b/libsepol-rhat.patch @@ -1,11 +1,237 @@ -diff --exclude-from=exclude -N -u -r nsalibsepol/Makefile libsepol-1.12.8/Makefile ---- nsalibsepol/Makefile 2006-05-08 09:52:40.000000000 -0400 -+++ libsepol-1.12.8/Makefile 2006-05-08 10:12:29.000000000 -0400 -@@ -1,7 +1,6 @@ - all: - $(MAKE) -C src - $(MAKE) -C utils -- $(MAKE) -C tests +diff --exclude-from=exclude -N -u -r nsalibsepol/include/sepol/policydb/conditional.h libsepol-2.0.1/include/sepol/policydb/conditional.h +--- nsalibsepol/include/sepol/policydb/conditional.h 2006-11-16 17:14:15.000000000 -0500 ++++ libsepol-2.0.1/include/sepol/policydb/conditional.h 2007-03-28 14:13:02.000000000 -0400 +@@ -100,6 +100,8 @@ + cond_node_t * needle, cond_node_t * haystack, + int *was_created); - install: - $(MAKE) -C include install ++extern cond_node_t *cond_node_create(policydb_t * p, cond_node_t * node); ++ + extern cond_node_t *cond_node_search(policydb_t * p, cond_node_t * list, + cond_node_t * cn); + +diff --exclude-from=exclude -N -u -r nsalibsepol/src/conditional.c libsepol-2.0.1/src/conditional.c +--- nsalibsepol/src/conditional.c 2006-11-16 17:14:24.000000000 -0500 ++++ libsepol-2.0.1/src/conditional.c 2007-03-28 14:13:02.000000000 -0400 +@@ -26,9 +26,6 @@ + + #include "private.h" + +-#undef min +-#define min(a,b) (((a) < (b)) ? (a) : (b)) +- + /* move all type rules to top of t/f lists to help kernel on evaluation */ + static void cond_optimize(cond_av_list_t ** l) + { +@@ -136,6 +133,38 @@ + return 1; + } + ++/* Create a new conditional node, optionally copying ++ * the conditional expression from an existing node. ++ * If node is NULL then a new node will be created ++ * with no conditional expression. ++ */ ++cond_node_t *cond_node_create(policydb_t * p, cond_node_t * node) ++{ ++ cond_node_t *new_node; ++ unsigned int i; ++ ++ new_node = (cond_node_t *)malloc(sizeof(cond_node_t)); ++ if (!new_node) { ++ return NULL; ++ } ++ memset(new_node, 0, sizeof(cond_node_t)); ++ ++ if (node) { ++ new_node->expr = cond_copy_expr(node->expr); ++ if (!new_node->expr) { ++ free(new_node); ++ return NULL; ++ } ++ new_node->cur_state = cond_evaluate_expr(p, new_node->expr); ++ new_node->nbools = node->nbools; ++ for (i = 0; i < min(node->nbools, COND_MAX_BOOLS); i++) ++ new_node->bool_ids[i] = node->bool_ids[i]; ++ new_node->expr_pre_comp = node->expr_pre_comp; ++ } ++ ++ return new_node; ++} ++ + /* Find a conditional (the needle) within a list of existing ones (the + * haystack) that has a matching expression. If found, return a + * pointer to the existing node, setting 'was_created' to 0. +@@ -145,9 +174,6 @@ + cond_node_t * needle, cond_node_t * haystack, + int *was_created) + { +- cond_node_t *new_node; +- unsigned int i; +- + while (haystack) { + if (cond_expr_equal(needle, haystack)) { + *was_created = 0; +@@ -156,26 +182,8 @@ + haystack = haystack->next; + } + *was_created = 1; +- new_node = (cond_node_t *) malloc(sizeof(cond_node_t)); +- if (!new_node) { +- return NULL; +- } +- memset(new_node, 0, sizeof(cond_node_t)); +- new_node->expr = cond_copy_expr(needle->expr); +- if (!new_node->expr) { +- free(new_node); +- return NULL; +- } +- new_node->cur_state = cond_evaluate_expr(p, new_node->expr); +- new_node->nbools = needle->nbools; +- for (i = 0; i < min(needle->nbools, COND_MAX_BOOLS); i++) +- new_node->bool_ids[i] = needle->bool_ids[i]; +- new_node->expr_pre_comp = needle->expr_pre_comp; +- new_node->true_list = NULL; +- new_node->false_list = NULL; +- new_node->avtrue_list = NULL; +- new_node->avfalse_list = NULL; +- return new_node; ++ ++ return cond_node_create(p, needle); + } + + /* return either a pre-existing matching node or create a new node */ +diff --exclude-from=exclude -N -u -r nsalibsepol/src/expand.c libsepol-2.0.1/src/expand.c +--- nsalibsepol/src/expand.c 2007-02-07 12:11:48.000000000 -0500 ++++ libsepol-2.0.1/src/expand.c 2007-03-28 14:13:02.000000000 -0400 +@@ -35,10 +35,12 @@ + #include + + #include "debug.h" ++#include "private.h" + + typedef struct expand_state { + int verbose; + uint32_t *typemap; ++ uint32_t *boolmap; + policydb_t *base; + policydb_t *out; + sepol_handle_t *handle; +@@ -791,8 +793,8 @@ + return -1; + } + +- new_bool->s.value = bool->s.value; + state->out->p_bools.nprim++; ++ new_bool->s.value = state->out->p_bools.nprim; + + ret = hashtab_insert(state->out->p_bools.table, + (hashtab_key_t) new_id, +@@ -804,6 +806,8 @@ + return -1; + } + ++ state->boolmap[bool->s.value - 1] = new_bool->s.value; ++ + new_bool->state = bool->state; + + return 0; +@@ -1555,12 +1559,35 @@ + return 0; + } + ++static int cond_node_map_bools(expand_state_t * state, cond_node_t * cn) ++{ ++ cond_expr_t *cur; ++ unsigned int i; ++ ++ cur = cn->expr; ++ while (cur) { ++ if (cur->bool) ++ cur->bool = state->boolmap[cur->bool - 1]; ++ cur = cur->next; ++ } ++ ++ for (i = 0; i < min(cn->nbools, COND_MAX_BOOLS); i++) ++ cn->bool_ids[i] = state->boolmap[cn->bool_ids[i] - 1]; ++ ++ if (cond_normalize_expr(state->out, cn)) { ++ ERR(state->handle, "Error while normalizing conditional"); ++ return -1; ++ } ++ ++ return 0; ++} ++ + /* copy the nodes in *reverse* order -- the result is that the last + * given conditional appears first in the policy, so as to match the + * behavior of the upstream compiler */ + static int cond_node_copy(expand_state_t * state, cond_node_t * cn) + { +- cond_node_t *new_cond; ++ cond_node_t *new_cond, *tmp; + + if (cn == NULL) { + return 0; +@@ -1573,11 +1600,26 @@ + return -1; + } + +- new_cond = cond_node_search(state->out, state->out->cond_list, cn); ++ /* create a new temporary conditional node with the booleans ++ * mapped */ ++ tmp = cond_node_create(state->base, cn); ++ if (!tmp) { ++ ERR(state->handle, "Out of memory"); ++ return -1; ++ } ++ ++ if (cond_node_map_bools(state, tmp)) { ++ ERR(state->handle, "Error mapping booleans"); ++ return -1; ++ } ++ ++ new_cond = cond_node_search(state->out, state->out->cond_list, tmp); + if (!new_cond) { ++ cond_node_destroy(tmp); + ERR(state->handle, "Out of memory!"); + return -1; + } ++ cond_node_destroy(tmp); + + if (cond_avrule_list_copy + (state->out, cn->avtrue_list, &state->out->te_cond_avtab, +@@ -2210,6 +2252,12 @@ + goto cleanup; + } + ++ state.boolmap = (uint32_t *)calloc(state.base->p_bools.nprim, sizeof(uint32_t)); ++ if (!state.boolmap) { ++ ERR(handle, "Out of memory!"); ++ goto cleanup; ++ } ++ + /* order is important - types must be first */ + + /* copy types */ +@@ -2364,6 +2412,7 @@ + + cleanup: + free(state.typemap); ++ free(state.boolmap); + return retval; + } + +diff --exclude-from=exclude -N -u -r nsalibsepol/src/private.h libsepol-2.0.1/src/private.h +--- nsalibsepol/src/private.h 2007-02-07 12:11:48.000000000 -0500 ++++ libsepol-2.0.1/src/private.h 2007-03-28 14:13:02.000000000 -0400 +@@ -24,6 +24,9 @@ + #define le64_to_cpu(x) bswap_64(x) + #endif + ++#undef min ++#define min(a,b) (((a) < (b)) ? (a) : (b)) ++ + /* Policy compatibility information. */ + struct policydb_compat_info { + unsigned int type; diff --git a/libsepol.spec b/libsepol.spec index f455879..bc13f74 100644 --- a/libsepol.spec +++ b/libsepol.spec @@ -1,10 +1,11 @@ Summary: SELinux binary policy manipulation library Name: libsepol Version: 2.0.1 -Release: 1%{?dist} +Release: 2%{?dist} License: GPL Group: System Environment/Libraries Source: http://www.nsa.gov/selinux/archives/libsepol-%{version}.tgz +Patch: libsepol-rhat.patch Prefix: %{_prefix} BuildRoot: %{_tmppath}/%{name}-buildroot @@ -37,6 +38,7 @@ needed for developing applications that manipulate binary policies. %prep %setup -q +%patch -p1 -b .rhat # sparc64 is an -fPIC arch, so we need to fix it here %ifarch sparc64 sed -i 's/fpic/fPIC/g' src/Makefile @@ -85,6 +87,7 @@ exit 0 /%{_lib}/libsepol.so.1 %changelog +* Wed Mar 28 2007 Dan Walsh 2.0.1-2 * Wed Feb 7 2007 Dan Walsh 2.0.1-1 - Upgrade to latest from NSA * Merged libsepol segfault fix from Stephen Smalley for when