policycoreutils-2.5-5

- sepolgen: Add support for TYPEBOUNDS statement in INTERFACE policy files (#1319338)
2016-04-08 20:52:33 +02:00 · 2016-04-08 20:52:33 +02:00 · 6c6496a616
commit 6c6496a616
parent e41aa2fbd5
2 changed files with 91 additions and 2 deletions
--- a/policycoreutils.spec
+++ b/policycoreutils.spec
@ -7,7 +7,7 @@
 Summary: SELinux policy core utilities
 Name:	 policycoreutils
 Version: 2.5
-Release: 4%{?dist}
+Release: 5%{?dist}
 License: GPLv2
 Group:	 System Environment/Base
 # https://github.com/SELinuxProject/selinux/wiki/Releases
@ -20,7 +20,7 @@ Source4: sepolicy-icons.tgz
 # download https://raw.githubusercontent.com/fedora-selinux/scripts/master/selinux/make-fedora-selinux-patch.sh
 # run:
 # $ VERSION=2.5 ./make-fedora-selinux-patch.sh policycoreutils
-# HEAD https://github.com/fedora-selinux/selinux/commit/c3819c97e4231166cfb2ae64e623546bd26a5627
+# HEAD https://github.com/fedora-selinux/selinux/commit/4bfb84c7ff7b33cf06b9a6b2317d24054b9db562
 Patch:	 policycoreutils-fedora.patch
 # $ VERSION=1.2.3 ./make-fedora-selinux-patch.sh sepolgen
 Patch1:  sepolgen-fedora.patch
@ -408,6 +408,9 @@ The policycoreutils-restorecond package contains the restorecond service.
 %systemd_postun_with_restart restorecond.service

 %changelog
+* Fri Apr 08 2016 Petr Lautrbach <plautrba@redhat.com> - 2.5-5
+- sepolgen: Add support for TYPEBOUNDS statement in INTERFACE policy files (#1319338)
+
 * Fri Mar 18 2016 Petr Lautrbach <plautrba@redhat.com> - 2.5-4
 - Add documentation for MCS separated domains
 - Move svirt man page out of libvirt into its own
--- a/sepolgen-fedora.patch
+++ b/sepolgen-fedora.patch
@ -1,3 +1,13 @@
+diff --git sepolgen-1.2.3/ChangeLog sepolgen-1.2.3/ChangeLog
+index 7cc0a18..c1ee815 100644
+--- sepolgen-1.2.3/ChangeLog
+++ sepolgen-1.2.3/ChangeLog
+@@ -1,3 +1,5 @@
+	* Add support for TYPEBOUNDS statement in INTERFACE policy files, from Miroslav Grepl.
+
+ 1.2.3 2016-02-23
+ 	* Support latest refpolicy interfaces, from Nicolas Iooss.
+ 	* Make sepolgen-ifgen output deterministic with Python>=3.3, from Nicolas Iooss.
 diff --git sepolgen-1.2.3/src/sepolgen/access.py sepolgen-1.2.3/src/sepolgen/access.py
 index a5d8698..7606561 100644
 --- sepolgen-1.2.3/src/sepolgen/access.py
@ -252,3 +262,79 @@ index 34c8401..f374132 100644
             if av.type == audit2why.ALLOW:
                 rule.comment += "\n#!!!! This avc is allowed in the current policy"
             if av.type == audit2why.DONTAUDIT:
+diff --git sepolgen-1.2.3/src/sepolgen/refparser.py sepolgen-1.2.3/src/sepolgen/refparser.py
+index 9b1d0c8..2cef8e8 100644
+--- sepolgen-1.2.3/src/sepolgen/refparser.py
+++ sepolgen-1.2.3/src/sepolgen/refparser.py
+@@ -113,6 +113,7 @@ tokens = (
+     'AUDITALLOW',
+     'NEVERALLOW',
+     'PERMISSIVE',
+    'TYPEBOUNDS',
+     'TYPE_TRANSITION',
+     'TYPE_CHANGE',
+     'TYPE_MEMBER',
+@@ -178,6 +179,7 @@ reserved = {
+     'auditallow' : 'AUDITALLOW',
+     'neverallow' : 'NEVERALLOW',
+     'permissive' : 'PERMISSIVE',
+    'typebounds' : 'TYPEBOUNDS',
+     'type_transition' : 'TYPE_TRANSITION',
+     'type_change' : 'TYPE_CHANGE',
+     'type_member' : 'TYPE_MEMBER',
+@@ -502,6 +504,7 @@ def p_policy_stmt(p):
+     '''policy_stmt : gen_require
+                    | avrule_def
+                    | typerule_def
+                   | typebound_def
+                    | typeattribute_def
+                    | roleattribute_def
+                    | interface_call
+@@ -823,6 +826,13 @@ def p_typerule_def(p):
+     t.file_name = p[7]
+     p[0] = t
+ 
+def p_typebound_def(p):
+    '''typebound_def : TYPEBOUNDS IDENTIFIER comma_list SEMI'''
+    t = refpolicy.TypeBound()
+    t.type = p[2]
+    t.tgt_types.update(p[3])
+    p[0] = t
+
+ def p_bool(p):
+     '''bool : BOOL IDENTIFIER TRUE SEMI
+             | BOOL IDENTIFIER FALSE SEMI'''
+diff --git sepolgen-1.2.3/src/sepolgen/refpolicy.py sepolgen-1.2.3/src/sepolgen/refpolicy.py
+index 31b40d8..2ee029c 100644
+--- sepolgen-1.2.3/src/sepolgen/refpolicy.py
+++ sepolgen-1.2.3/src/sepolgen/refpolicy.py
+@@ -112,6 +112,9 @@ class Node(PolicyBase):
+     def typerules(self):
+         return filter(lambda x: isinstance(x, TypeRule), walktree(self))
+ 
+    def typebounds(self):
+        return filter(lambda x: isinstance(x, TypeBound), walktree(self))
+
+     def typeattributes(self):
+         """Iterate over all of the TypeAttribute children of this Interface."""
+         return filter(lambda x: isinstance(x, TypeAttribute), walktree(self))
+@@ -522,6 +525,19 @@ class TypeRule(Leaf):
+                                      self.tgt_types.to_space_str(),
+                                      self.obj_classes.to_space_str(),
+                                      self.dest_type)
+class TypeBound(Leaf):
+    """SElinux typebound statement.
+
+    This class represents a typebound statement.
+    """
+    def __init__(self, parent=None):
+        Leaf.__init__(self, parent)
+        self.type = ""
+        self.tgt_types = IdSet()
+
+    def to_string(self):
+        return "typebounds %s %s;" % (self.type, self.tgt_types.to_comma_str())
+
+ 
+ class RoleAllow(Leaf):
+     def __init__(self, parent=None):