From 6c6496a6160f9a1ca266321282ee3174c5b35ea2 Mon Sep 17 00:00:00 2001
From: Petr Lautrbach
Date: Fri, 8 Apr 2016 20:52:33 +0200
Subject: [PATCH] policycoreutils-2.5-5 - sepolgen: Add support for TYPEBOUNDS statement in INTERFACE policy files (#1319338)
---
 policycoreutils.spec | 7 +++-
 sepolgen-fedora.patch | 86 +++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 91 insertions(+), 2 deletions(-)
diff --git a/policycoreutils.spec b/policycoreutils.spec
index af10dec..57df362 100644
--- a/policycoreutils.spec
+++ b/policycoreutils.spec
@@ -7,7 +7,7 @@
 Summary: SELinux policy core utilities
 Name: policycoreutils
 Version: 2.5
-Release: 4%{?dist}
+Release: 5%{?dist}
 License: GPLv2
 Group: System Environment/Base
 # https://github.com/SELinuxProject/selinux/wiki/Releases
@@ -20,7 +20,7 @@ Source4: sepolicy-icons.tgz
 # download https://raw.githubusercontent.com/fedora-selinux/scripts/master/selinux/make-fedora-selinux-patch.sh
 # run:
 # $ VERSION=2.5 ./make-fedora-selinux-patch.sh policycoreutils
-# HEAD https://github.com/fedora-selinux/selinux/commit/c3819c97e4231166cfb2ae64e623546bd26a5627
+# HEAD https://github.com/fedora-selinux/selinux/commit/4bfb84c7ff7b33cf06b9a6b2317d24054b9db562
 Patch: policycoreutils-fedora.patch
 # $ VERSION=1.2.3 ./make-fedora-selinux-patch.sh sepolgen
 Patch1: sepolgen-fedora.patch
@@ -408,6 +408,9 @@ The policycoreutils-restorecond package contains the restorecond service.
 %systemd_postun_with_restart restorecond.service
 
 %changelog
+* Fri Apr 08 2016 Petr Lautrbach - 2.5-5
+- sepolgen: Add support for TYPEBOUNDS statement in INTERFACE policy files (#1319338)
+
 * Fri Mar 18 2016 Petr Lautrbach - 2.5-4
 - Add documentation for MCS separated domains
 - Move svirt man page out of libvirt into its own
diff --git a/sepolgen-fedora.patch b/sepolgen-fedora.patch
index 897fe4e..aec6b32 100644
--- a/sepolgen-fedora.patch
+++ b/sepolgen-fedora.patch
@@ -1,3 +1,13 @@
+diff --git sepolgen-1.2.3/ChangeLog sepolgen-1.2.3/ChangeLog
+index 7cc0a18..c1ee815 100644
+--- sepolgen-1.2.3/ChangeLog
++++ sepolgen-1.2.3/ChangeLog
+@@ -1,3 +1,5 @@
++ * Add support for TYPEBOUNDS statement in INTERFACE policy files, from Miroslav Grepl.
++
+ 1.2.3 2016-02-23
+ * Support latest refpolicy interfaces, from Nicolas Iooss.
+ * Make sepolgen-ifgen output deterministic with Python>=3.3, from Nicolas Iooss.
 diff --git sepolgen-1.2.3/src/sepolgen/access.py sepolgen-1.2.3/src/sepolgen/access.py
 index a5d8698..7606561 100644
 --- sepolgen-1.2.3/src/sepolgen/access.py
@@ -252,3 +262,79 @@ index 34c8401..f374132 100644
 if av.type == audit2why.ALLOW:
 rule.comment += "\n#!!!! This avc is allowed in the current policy"
 if av.type == audit2why.DONTAUDIT:
+diff --git sepolgen-1.2.3/src/sepolgen/refparser.py sepolgen-1.2.3/src/sepolgen/refparser.py
+index 9b1d0c8..2cef8e8 100644
+--- sepolgen-1.2.3/src/sepolgen/refparser.py
++++ sepolgen-1.2.3/src/sepolgen/refparser.py
+@@ -113,6 +113,7 @@ tokens = (
+ 'AUDITALLOW',
+ 'NEVERALLOW',
+ 'PERMISSIVE',
++ 'TYPEBOUNDS',
+ 'TYPE_TRANSITION',
+ 'TYPE_CHANGE',
+ 'TYPE_MEMBER',
+@@ -178,6 +179,7 @@ reserved = {
+ 'auditallow' : 'AUDITALLOW',
+ 'neverallow' : 'NEVERALLOW',
+ 'permissive' : 'PERMISSIVE',
++ 'typebounds' : 'TYPEBOUNDS',
+ 'type_transition' : 'TYPE_TRANSITION',
+ 'type_change' : 'TYPE_CHANGE',
+ 'type_member' : 'TYPE_MEMBER',
+@@ -502,6 +504,7 @@ def p_policy_stmt(p):
+ '''policy_stmt : gen_require
+ | avrule_def
+ | typerule_def
++ | typebound_def
+ | typeattribute_def
+ | roleattribute_def
+ | interface_call
+@@ -823,6 +826,13 @@ def p_typerule_def(p):
+ t.file_name = p[7]
+ p[0] = t
+
++def p_typebound_def(p):
++ '''typebound_def : TYPEBOUNDS IDENTIFIER comma_list SEMI'''
++ t = refpolicy.TypeBound()
++ t.type = p[2]
++ t.tgt_types.update(p[3])
++ p[0] = t
++
+ def p_bool(p):
+ '''bool : BOOL IDENTIFIER TRUE SEMI
+ | BOOL IDENTIFIER FALSE SEMI'''
+diff --git sepolgen-1.2.3/src/sepolgen/refpolicy.py sepolgen-1.2.3/src/sepolgen/refpolicy.py
+index 31b40d8..2ee029c 100644
+--- sepolgen-1.2.3/src/sepolgen/refpolicy.py
++++ sepolgen-1.2.3/src/sepolgen/refpolicy.py
+@@ -112,6 +112,9 @@ class Node(PolicyBase):
+ def typerules(self):
+ return filter(lambda x: isinstance(x, TypeRule), walktree(self))
+
++ def typebounds(self):
++ return filter(lambda x: isinstance(x, TypeBound), walktree(self))
++
+ def typeattributes(self):
+ """Iterate over all of the TypeAttribute children of this Interface."""
+ return filter(lambda x: isinstance(x, TypeAttribute), walktree(self))
+@@ -522,6 +525,19 @@ class TypeRule(Leaf):
+ self.tgt_types.to_space_str(),
+ self.obj_classes.to_space_str(),
+ self.dest_type)
++class TypeBound(Leaf):
++ """SElinux typebound statement.
++
++ This class represents a typebound statement.
++ """
++ def __init__(self, parent=None):
++ Leaf.__init__(self, parent)
++ self.type = ""
++ self.tgt_types = IdSet()
++
++ def to_string(self):
++ return "typebounds %s %s;" % (self.type, self.tgt_types.to_comma_str())
++
+ 
+ class RoleAllow(Leaf):
+ def __init__(self, parent=None):
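Review bot: In the refpolicy.py part of this hunk, `class TypeBound(Leaf):` is inserted directly after the closing `self.dest_type)` of TypeRule.to_string with no separating blank line, whereas the neighbouring classes (e.g. `RoleAllow` a few lines below) are preceded by one; add the blank line(s) before the class so the file stays consistent and PEP 8-clean. The class docstring also under-describes the node: the policy keyword is `typebounds` (see the reserved-word table and `to_string`), and nothing says which side `type` and `tgt_types` hold; per the kernel policy syntax I would replace it with `"""SELinux typebounds statement: `type` is the bounding (parent) type, `tgt_types` the bounded types."""`. `Node.typebounds()` is added without a docstring, unlike the adjacent `typeattributes`; `"""Iterate over all of the TypeBound children of this Interface."""` keeps it in step. The refparser rule `p_typebound_def` looks consistent with the sibling `p_typerule_def` and needs no change.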