rpms/checkpolicy
3
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Fix checkpolicy to ignore '"' in filename trans rules

Browse Source
This commit is contained in:
Dan Walsh 2011-09-20 10:06:14 -04:00
parent 911694cf55
commit 0708d417f5
2 changed files with 49 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

42
checkpolicy-rhat.patch
View File

@ -0,0 +1,42 @@
diff --git a/checkpolicy/policy_parse.y b/checkpolicy/policy_parse.y
index 49ac15f..1e3ef6f 100644
--- a/checkpolicy/policy_parse.y
+++ b/checkpolicy/policy_parse.y
@@ -353,7 +353,7 @@ cond_rule_def : cond_transition_def
| require_block
{ $$ = NULL; }
;
-cond_transition_def : TYPE_TRANSITION names names ':' names identifier filename ';'
+cond_transition_def : TYPE_TRANSITION names names ':' names identifier '\"' filename '\"' ';'
{ $$ = define_cond_filename_trans() ;
if ($$ == COND_ERR) return -1;}
| TYPE_TRANSITION names names ':' names identifier ';'
@@ -391,7 +391,7 @@ cond_dontaudit_def : DONTAUDIT names names ':' names names ';'
{ $$ = define_cond_te_avtab(AVRULE_DONTAUDIT);
if ($$ == COND_ERR) return -1; }
;
-transition_def : TYPE_TRANSITION names names ':' names identifier filename ';'
+transition_def : TYPE_TRANSITION names names ':' names identifier '\"' filename '\"' ';'
{if (define_filename_trans()) return -1; }
| TYPE_TRANSITION names names ':' names identifier ';'
{if (define_compute_type(AVRULE_TRANSITION)) return -1;}
diff --git a/checkpolicy/policy_scan.l b/checkpolicy/policy_scan.l
index a61e0db..2ba5971 100644
--- a/checkpolicy/policy_scan.l
+++ b/checkpolicy/policy_scan.l
@@ -227,7 +227,6 @@ PERMISSIVE { return(PERMISSIVE); }
{digit}{1,3}(\.{digit}{1,3}){3} { return(IPV4_ADDR); }
{hexval}{0,4}":"{hexval}{0,4}":"({hexval}|[:.])* { return(IPV6_ADDR); }
{digit}+(\.({alnum}|[_.])*)? { return(VERSION_IDENTIFIER); }
-\"({alnum}|[_\.\-])+\" { return(FILENAME); }
{alnum}* { return(FILENAME); }
\.({alnum}|[_\.\-])* { return(FILENAME); }
{letter}+([-_\.]|{alnum})+ { return(FILENAME); }
@@ -253,6 +252,7 @@ PERMISSIVE { return(PERMISSIVE); }
"-" |
"." |
"]" |
+"\"" |
"~" |
"*" { return(yytext[0]); }
. { yywarn("unrecognized character");}

9
checkpolicy.spec
View File

@ -2,10 +2,11 @@
Summary: SELinux policy compiler Summary: SELinux policy compiler
Name: checkpolicy Name: checkpolicy
Version: 2.1.5 Version: 2.1.5
Release: 1%{?dist} Release: 2%{?dist}
License: GPLv2 License: GPLv2
Group: Development/System Group: Development/System
Source: http://www.nsa.gov/selinux/archives/%{name}-%{version}.tgz Source: http://www.nsa.gov/selinux/archives/%{name}-%{version}.tgz
Patch: checkpolicy-rhat.patch
BuildRoot: %{_tmppath}/%{name}-buildroot BuildRoot: %{_tmppath}/%{name}-buildroot
BuildRequires: byacc bison flex flex-static libsepol-static >= %{libsepolver} libselinux-devel BuildRequires: byacc bison flex flex-static libsepol-static >= %{libsepolver} libselinux-devel
@ -26,6 +27,7 @@ Only required for building policies.
%prep %prep
%setup -q %setup -q
%patch -p2 -b .rhat
%build %build
make clean make clean
@ -53,7 +55,10 @@ rm -rf ${RPM_BUILD_ROOT}
%{_bindir}/sedispol %{_bindir}/sedispol
%changelog %changelog
* Mon Sep 19 2011 Dan Walsh <dwalsh@redhat.com> - 2.1.5-0 * Tue Sep 20 2011 Dan Walsh <dwalsh@redhat.com> - 2.1.5-2
- Fix checkpolicy to ignore '"' in filename trans rules
* Mon Sep 19 2011 Dan Walsh <dwalsh@redhat.com> - 2.1.5-1
-Update to upstream -Update to upstream
* Separate tunable from boolean during compile. * Separate tunable from boolean during compile.