diff --git a/.gitignore b/.gitignore
index ba42a0d..604fc90 100644
--- a/.gitignore
+++ b/.gitignore
@@ -9,3 +9,4 @@ setools-3.3.8-f1e5b20.tar.bz2
 /4.2.1.tar.gz
 /4.2.2.tar.gz
 /4.3.0.tar.gz
+/05e90ee.tar.gz
diff --git a/0001-Adapt-to-new-libsepol-filename-transition-structures.patch b/0001-Adapt-to-new-libsepol-filename-transition-structures.patch
new file mode 100644
index 0000000..ba448fb
--- /dev/null
+++ b/0001-Adapt-to-new-libsepol-filename-transition-structures.patch
@@ -0,0 +1,120 @@
+From f63a3690e3e3f02ab67ad1165be54ce25bac2de7 Mon Sep 17 00:00:00 2001
+From: Ondrej Mosnacek
+Date: Fri, 17 Jul 2020 11:28:08 +0200
+Subject: [PATCH] Adapt to new libsepol filename transition structures
+
+Adapt setools to the new libsepol internal API for filename transitions
+which allows for more efficient filename trans rule representation in
+memory and binary policy.
+
+Signed-off-by: Ondrej Mosnacek
+---
+ setools/policyrep/sepol.pxd | 9 ++++----
+ setools/policyrep/terule.pxi | 41 ++++++++++++++++++++++++++++++------
+ 2 files changed, 39 insertions(+), 11 deletions(-)
+
+diff --git a/setools/policyrep/sepol.pxd b/setools/policyrep/sepol.pxd
+index 60bc58c28ebf..b07ddb78350f 100644
+--- a/setools/policyrep/sepol.pxd
++++ b/setools/policyrep/sepol.pxd
+@@ -544,21 +544,22 @@ cdef extern from "":
+ ctypedef cond_bool_datum cond_bool_datum_t
+
+ #
+- # filename_trans_t
++ # filename_trans_key_t
+ #
+- cdef struct filename_trans:
+- uint32_t stype
++ cdef struct filename_trans_key:
+ uint32_t ttype
+ uint32_t tclass
+ char *name
+
+- ctypedef filename_trans filename_trans_t
++ ctypedef filename_trans_key filename_trans_key_t
+
+ #
+ # filename_trans_datum_t
+ #
+ cdef struct filename_trans_datum:
++ ebitmap_t stypes
+ uint32_t otype
++ filename_trans_datum *next
+
+ ctypedef filename_trans_datum filename_trans_datum_t
+
+diff --git a/setools/policyrep/terule.pxi b/setools/policyrep/terule.pxi
+index 3976586b7985..760c366f6c39 100644
+--- a/setools/policyrep/terule.pxi
++++ b/setools/policyrep/terule.pxi
+@@ -470,17 +470,18 @@ cdef class FileNameTERule(BaseTERule):
+ readonly str filename
+
+ @staticmethod
+- cdef inline FileNameTERule factory(SELinuxPolicy policy, sepol.filename_trans_t *key,
+- sepol.filename_trans_datum_t *datum):
++ cdef inline FileNameTERule factory(SELinuxPolicy policy,
++ sepol.filename_trans_key_t *key,
++ Type stype, size_t otype):
+ """Factory function for creating FileNameTERule objects."""
+ cdef FileNameTERule r = FileNameTERule.__new__(FileNameTERule)
+ r.policy = policy
+ r.key = key
+ r.ruletype = TERuletype.type_transition
+- r.source = type_or_attr_factory(policy, policy.type_value_to_datum(key.stype - 1))
++ r.source = stype
+ r.target = type_or_attr_factory(policy, policy.type_value_to_datum(key.ttype - 1))
+ r.tclass = ObjClass.factory(policy, policy.class_value_to_datum(key.tclass - 1))
+- r.dft = Type.factory(policy, policy.type_value_to_datum(datum.otype - 1))
++ r.dft = Type.factory(policy, policy.type_value_to_datum(otype - 1))
+ r.filename = intern(key.name)
+ r.origin = None
+ return r
+@@ -708,6 +709,10 @@ cdef class FileNameTERuleIterator(HashtabIterator):
+
+ """Iterate over FileNameTERules in the policy."""
+
++ cdef:
++ sepol.filename_trans_datum_t *datum
++ TypeEbitmapIterator stypei
++
+ @staticmethod
+ cdef factory(SELinuxPolicy policy, sepol.hashtab_t *table):
+ """Factory function for creating FileNameTERule iterators."""
+@@ -717,7 +722,29 @@ cdef class FileNameTERuleIterator(HashtabIterator):
+ i.reset()
+ return i
+
++ def _next_stype(self):
++ while True:
++ if self.datum == NULL:
++ super().__next__()
++ self.datum = self.curr.datum
++ self.stypei = TypeEbitmapIterator.factory(self.policy, &self.datum.stypes)
++ try:
++ return next(self.stypei)
++ except StopIteration:
++ pass
++ self.datum = self.datum.next
++ if self.datum != NULL:
++ self.stypei = TypeEbitmapIterator.factory(self.policy, &self.datum.stypes)
++
+ def __next__(self):
+- super().__next__()
+- return FileNameTERule.factory(self.policy, self.curr.key,
+- self.curr.datum)
++ stype = self._next_stype()
++ return FileNameTERule.factory(self.policy,
++ self.curr.key,
++ stype, self.datum.otype)
++
++ def __len__(self):
++ return sum(1 for r in FileNameTERuleIterator.factory(self.policy, self.table))
++
++ def reset(self):
++ super().reset()
++ self.datum = NULL
+--
+2.29.0
+
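Review bot: `__len__` in the `FileNameTERuleIterator` hunk (`@@ -717,7 +722,29 @@`) counts by running a second full iterator, which builds a `FileNameTERule` object for every (source type, key) pair only to discard it, and its loop variable `r` is never used; a lighter count would walk each hashtable entry's `datum`/`next` chain and sum the cardinality of the `stypes` ebitmaps, or at minimum the comprehension should read `sum(1 for _ in FileNameTERuleIterator.factory(self.policy, self.table))`. `_next_stype` is a Python-level `def` called once per yielded rule from `__next__`, so every step pays a Python call; declaring it `cdef Type _next_stype(self)` would presumably keep the same exception propagation, since an object-returning cdef method still raises `StopIteration` from `super().__next__()`, but that should be confirmed against the rest of terule.pxi, which lies outside this hunk. This file is a backport of upstream commit f63a3690, so any such change belongs upstream first.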
diff --git a/1002-Do-not-export-use-setools.InfoFlowAnalysis-and-setoo.patch b/1002-Do-not-export-use-setools.InfoFlowAnalysis-and-setoo.patch
index a996069..5a0460b 100644
--- a/1002-Do-not-export-use-setools.InfoFlowAnalysis-and-setoo.patch
+++ b/1002-Do-not-export-use-setools.InfoFlowAnalysis-and-setoo.patch
@@ -33,7 +33,7 @@ index 60861ca630a5..41e38a237b42 100755
 +import setools.dta
 
- def print_transition(trans):
+ def print_transition(trans: setools.DomainTransition) -> None:
 @@ -114,7 +114,7 @@ else:
 try:
@@ -56,7 +56,7 @@ index f10c39de4d8e..fee749a83bb5 100755
 import argparse
 import sys
 import logging
-@@ -101,7 +101,7 @@ elif args.booleans is not None:
+@@ -102,7 +102,7 @@ elif args.booleans is not None:
 try:
 p = setools.SELinuxPolicy(args.policy)
 m = setools.PermissionMap(args.map)
@@ -66,18 +66,18 @@ index f10c39de4d8e..fee749a83bb5 100755
 if args.shortest_path or args.all_paths:
 diff --git a/setools/__init__.py b/setools/__init__.py
-index 26fa5aa34a19..b7e51c43c4bb 100644
+index d72d343e7e79..642485b9018d 100644
 --- a/setools/__init__.py
 +++ b/setools/__init__.py
-@@ -75,12 +75,8 @@ from .pcideviceconquery import PcideviceconQuery
+@@ -91,12 +91,8 @@ from .pcideviceconquery import PcideviceconQuery
 from .devicetreeconquery import DevicetreeconQuery
 
 # Information Flow Analysis
 -from .infoflow import InfoFlowAnalysis
- from .permmap import PermissionMap
+ from .permmap import PermissionMap, RuleWeight, Mapping
 -# Domain Transition Analysis
--from .dta import DomainTransitionAnalysis
+-from .dta import DomainTransitionAnalysis, DomainEntrypoint, DomainTransition
 -
 # Policy difference
 from .diff import PolicyDifference
diff --git a/setools.spec b/setools.spec
index c1cae3b..c293a84 100644
--- a/setools.spec
+++ b/setools.spec
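Review bot: The rebased `@@ -66,18 +66,18 @@` hunk now removes `DomainEntrypoint` and `DomainTransition` from `setools/__init__.py` together with `DomainTransitionAnalysis`, yet the context line carried in the `@@ -33,7 +33,7 @@` hunk shows sedta still annotating `def print_transition(trans: setools.DomainTransition) -> None:` and the 1002 patch leaves that line untouched. Unless sedta defers annotation evaluation with `from __future__ import annotations` (not visible here), the annotation is evaluated when the function is defined and the script would fail at import with an AttributeError on `setools.DomainTransition`. Since this patch already makes sedta `import setools.dta`, the annotation should be rewritten in the same patch to `def print_transition(trans: setools.dta.DomainTransition) -> None:`; any other annotation in sedta or seinfoflow that names `setools.DomainEntrypoint` or the infoflow classes, outside these hunks, needs the same treatment.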
@@ -1,20 +1,21 @@
-# % global setools_pre_ver rc
-# % global gitver f1e5b20
+%global setools_pre_ver 05e90ee
+%global gitver 05e90ee241af05665f3394e9bed0073e1bb2e17d
-%global sepol_ver 2.3-1
-%global selinux_ver 2.3-1
+%global sepol_ver 3.1-4
+%global selinux_ver 3.1-4
 Name: setools
-Version: 4.3.0
-Release: 5%{?setools_pre_ver:.%{setools_pre_ver}}%{?dist}
+Version: 4.4.0
+Release: 0.1.20201102git%{setools_pre_ver}%{?dist}
 Summary: Policy analysis tools for SELinux
 License: GPLv2
 URL: https://github.com/SELinuxProject/setools/wiki
-Source0: https://github.com/SELinuxProject/setools/archive/%{version}%{?setools_pre_ver:-%{setools_pre_ver}}.tar.gz
+Source0: https://github.com/SELinuxProject/setools/archive/%{setools_pre_ver}.tar.gz
 Source1: setools.pam
 Source2: apol.desktop
+Patch0001: 0001-Adapt-to-new-libsepol-filename-transition-structures.patch
 Patch1001: 1001-Do-not-use-Werror-during-build.patch
 Patch1002: 1002-Do-not-export-use-setools.InfoFlowAnalysis-and-setoo.patch
 Patch1003: 1003-Require-networkx-on-package-level.patch
@@ -95,7 +96,7 @@ Python modules designed to facilitate SELinux policy analysis.
 %prep
-%autosetup -p 1 -S git -n setools-%{version}%{?setools_pre_ver:-%{setools_pre_ver}}
+%autosetup -p 1 -S git -n setools-%{gitver}
 %build
@@ -114,9 +115,11 @@ Python modules designed to facilitate SELinux policy analysis.
 %files
 %files console
+%{_bindir}/sechecker
 %{_bindir}/sediff
 %{_bindir}/seinfo
 %{_bindir}/sesearch
+%{_mandir}/man1/sechecker*
 %{_mandir}/man1/sediff*
 %{_mandir}/man1/seinfo*
 %{_mandir}/man1/sesearch*
@@ -144,6 +147,12 @@ Python modules designed to facilitate SELinux policy analysis.
 %{_mandir}/ru/man1/apol*
 %changelog
+* Tue Nov 3 2020 Petr Lautrbach - 4.4.0-0.1.20201102git05e90ee
+- Update to 05e90ee
+- Add /usr/bin/sechecker
+- Adapt to new libsepol filename transition structures
+- Rebuild with libsepol.so.2
+
 * Sat Aug 01 2020 Fedora Release Engineering - 4.3.0-5
 - Second attempt - Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
diff --git a/sources b/sources
index ff7f110..e13005d 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (4.3.0.tar.gz) = 93da43c4b577ff944f1c19ef40cfc51f6d1cb1efef582e467834300540a7af440b6ae9106f29d810963c74b0fb5953003304790a9143a7318e477d17fa7d536a
+SHA512 (05e90ee.tar.gz) = 32f60e9a40ca5791a1e63986377e90ca728c7e205d8ae7ce446830ca7f96b51496d9753fd70077f5b6547050d23c41a1d10b20e0af9e4066355e29781d5e3686