diff --git a/.gitignore b/.gitignore
index c64bd68..00360c9 100644
--- a/.gitignore
+++ b/.gitignore
@@ -94,3 +94,4 @@ checkpolicy-2.0.22.tgz
 /checkpolicy-2.4.tar.gz
 /checkpolicy-2.5-rc1.tar.gz
 /checkpolicy-2.5.tar.gz
+/checkpolicy-2.6.tar.gz
diff --git a/checkpolicy-fedora.patch b/checkpolicy-fedora.patch
index 1378043..e69de29 100644
--- a/checkpolicy-fedora.patch
+++ b/checkpolicy-fedora.patch
@@ -1,207 +0,0 @@ -diff --git checkpolicy-2.5/Android.mk checkpolicy-2.5/Android.mk -index 98f5168..3b7ff8a 100644 ---- checkpolicy-2.5/Android.mk -+++ checkpolicy-2.5/Android.mk -@@ -12,10 +12,6 @@ common_cflags := \ - -Wall -Wshadow -O2 \ - -pipe -fno-strict-aliasing \ - --ifeq ($(HOST_OS),darwin) --common_cflags += -DDARWIN --endif -- - common_includes := \ - $(LOCAL_PATH)/ \ - $(LOCAL_PATH)/../libsepol/include/ \ -diff --git checkpolicy-2.5/ChangeLog checkpolicy-2.5/ChangeLog -index dfe4908..0e13227 100644 ---- checkpolicy-2.5/ChangeLog -+++ checkpolicy-2.5/ChangeLog -@@ -1,3 +1,12 @@ -+ * Add types associated to a role in the current scope when parsing, from Nicolas Iooss. -+ * Extend checkpolicy pathname matching, from Stephen Smalley. -+ * Fix typos in test/dispol, from Petr Lautrbach. -+ * Set flex as default lexer, from Julien Pivotto. -+ * Fix checkmodule output message, from Petr Lautrbach. -+ * Build policy on systems not supporting DCCP protocol, from Richard Haines. -+ * Fail if module name different than output base filename, from James Carter -+ * Add support for portcon dccp protocol, from Richard Haines -+ - 2.5 2016-02-23 - * Add neverallow support for ioctl extended permissions, from Jeff Vander Stoep. - * fix double free on name-based type transitions, from Stephen Smalley. 
-diff --git checkpolicy-2.5/Makefile checkpolicy-2.5/Makefile -index e5fae3d..53a3074 100644 ---- checkpolicy-2.5/Makefile -+++ checkpolicy-2.5/Makefile -@@ -8,6 +8,7 @@ LIBDIR ?= $(PREFIX)/lib - INCLUDEDIR ?= $(PREFIX)/include - TARGETS = checkpolicy checkmodule - -+LEX = flex - YACC = bison -y - - CFLAGS ?= -g -Wall -Werror -Wshadow -O2 -pipe -fno-strict-aliasing -diff --git checkpolicy-2.5/checkmodule.c checkpolicy-2.5/checkmodule.c -index 5957d29..53cc5a0 100644 ---- checkpolicy-2.5/checkmodule.c -+++ checkpolicy-2.5/checkmodule.c -@@ -19,6 +19,7 @@ - #include - #include - #include -+#include - - #include - #include -@@ -258,6 +259,25 @@ int main(int argc, char **argv) - } - } - -+ if (policy_type != POLICY_BASE && outfile) { -+ char *mod_name = modpolicydb.name; -+ char *out_path = strdup(outfile); -+ if (out_path == NULL) { -+ fprintf(stderr, "%s: out of memory\n", argv[0]); -+ exit(1); -+ } -+ char *out_name = basename(out_path); -+ char *separator = strrchr(out_name, '.'); -+ if (separator) { -+ *separator = '\0'; -+ } -+ if (strcmp(mod_name, out_name) != 0) { -+ fprintf(stderr, "%s: Module name %s is different than the output base filename %s\n", argv[0], mod_name, out_name); -+ exit(1); -+ } -+ free(out_path); -+ } -+ - if (modpolicydb.policy_type == POLICY_BASE && !cil) { - /* Verify that we can successfully expand the base module. 
*/ - policydb_t kernpolicydb; -@@ -294,7 +314,7 @@ int main(int argc, char **argv) - - if (!cil) { - printf("%s: writing binary representation (version %d) to %s\n", -- argv[0], policyvers, file); -+ argv[0], policyvers, outfile); - - if (write_binary_policy(&modpolicydb, outfp) != 0) { - fprintf(stderr, "%s: error writing %s\n", argv[0], outfile); -diff --git checkpolicy-2.5/checkpolicy.c checkpolicy-2.5/checkpolicy.c -index 9da661e..2d68316 100644 ---- checkpolicy-2.5/checkpolicy.c -+++ checkpolicy-2.5/checkpolicy.c -@@ -64,13 +64,16 @@ - #include - #include - #include -+#ifndef IPPROTO_DCCP -+#define IPPROTO_DCCP 33 -+#endif - #include - #include - #include - #include - #include - --#ifdef DARWIN -+#ifdef __APPLE__ - #include - #endif - -@@ -919,6 +922,8 @@ int main(int argc, char **argv) - protocol = IPPROTO_TCP; - else if (!strcmp(ans, "udp") || !strcmp(ans, "UDP")) - protocol = IPPROTO_UDP; -+ else if (!strcmp(ans, "dccp") || !strcmp(ans, "DCCP")) -+ protocol = IPPROTO_DCCP; - else { - printf("unknown protocol\n"); - break; -diff --git checkpolicy-2.5/policy_define.c checkpolicy-2.5/policy_define.c -index ee20fea..128869c 100644 ---- checkpolicy-2.5/policy_define.c -+++ checkpolicy-2.5/policy_define.c -@@ -36,6 +36,9 @@ - #include - #include - #include -+#ifndef IPPROTO_DCCP -+#define IPPROTO_DCCP 33 -+#endif - #include - #include - #include -@@ -2611,6 +2614,7 @@ int define_role_types(void) - free(id); - return -1; - } -+ role = get_local_role(id, role->s.value, (role->flavor == ROLE_ATTRIB)); - - while ((id = queue_remove(id_queue))) { - if (set_types(&role->types, id, &add, 0)) -@@ -4876,6 +4880,8 @@ int define_port_context(unsigned int low, unsigned int high) - protocol = IPPROTO_TCP; - } else if ((strcmp(id, "udp") == 0) || (strcmp(id, "UDP") == 0)) { - protocol = IPPROTO_UDP; -+ } else if ((strcmp(id, "dccp") == 0) || (strcmp(id, "DCCP") == 0)) { -+ protocol = IPPROTO_DCCP; - } else { - yyerror2("unrecognized protocol %s", id); - free(newc); -@@ -5135,7 
+5141,7 @@ int define_ipv6_node_context(void) - - memset(newc, 0, sizeof(ocontext_t)); - --#ifdef DARWIN -+#ifdef __APPLE__ - memcpy(&newc->u.node6.addr[0], &addr.s6_addr[0], 16); - memcpy(&newc->u.node6.mask[0], &mask.s6_addr[0], 16); - #else -diff --git checkpolicy-2.5/policy_scan.l checkpolicy-2.5/policy_scan.l -index 22da338..2f7f221 100644 ---- checkpolicy-2.5/policy_scan.l -+++ checkpolicy-2.5/policy_scan.l -@@ -249,9 +249,9 @@ high | - HIGH { return(HIGH); } - low | - LOW { return(LOW); } --"/"({alnum}|[_\.\-/])* { return(PATH); } --\""/"[ !#-~]*\" { return(QPATH); } --\"({alnum}|[_\.\-\+\~\: ])+\" { return(FILENAME); } -+"/"[^ \n\r\t\f]* { return(PATH); } -+\""/"[^\"\n]*\" { return(QPATH); } -+\"[^"/"\"\n]+\" { return(FILENAME); } - {letter}({alnum}|[_\-])*([\.]?({alnum}|[_\-]))* { return(IDENTIFIER); } - {digit}+|0x{hexval}+ { return(NUMBER); } - {alnum}*{letter}{alnum}* { return(FILESYSTEM); } -diff --git checkpolicy-2.5/test/dispol.c checkpolicy-2.5/test/dispol.c -index 86f5688..a78ce81 100644 ---- checkpolicy-2.5/test/dispol.c -+++ checkpolicy-2.5/test/dispol.c -@@ -252,11 +252,11 @@ int display_cond_expressions(policydb_t * p, FILE * fp) - int display_handle_unknown(policydb_t * p, FILE * out_fp) - { - if (p->handle_unknown == ALLOW_UNKNOWN) -- fprintf(out_fp, "Allow unknown classes and permisions\n"); -+ fprintf(out_fp, "Allow unknown classes and permissions\n"); - else if (p->handle_unknown == DENY_UNKNOWN) -- fprintf(out_fp, "Deny unknown classes and permisions\n"); -+ fprintf(out_fp, "Deny unknown classes and permissions\n"); - else if (p->handle_unknown == REJECT_UNKNOWN) -- fprintf(out_fp, "Reject unknown classes and permisions\n"); -+ fprintf(out_fp, "Reject unknown classes and permissions\n"); - return 0; - } - -@@ -349,7 +349,7 @@ int menu(void) - printf("\nSelect a command:\n"); - printf("1) display unconditional AVTAB\n"); - printf("2) display conditional AVTAB (entirely)\n"); -- printf("3) display conditional AVTAG (only ENABLED rules)\n"); 
-+ printf("3) display conditional AVTAB (only ENABLED rules)\n"); - printf("4) display conditional AVTAB (only DISABLED rules)\n"); - printf("5) display conditional bools\n"); - printf("6) display conditional expressions\n");
diff --git a/checkpolicy.spec b/checkpolicy.spec
index 4a7cf21..d5b138f 100644
--- a/checkpolicy.spec
+++ b/checkpolicy.spec
@@ -1,17 +1,18 @@
-%define libselinuxver 2.5-12
-%define libsepolver 2.5-10
+%define libselinuxver 2.6-0
+%define libsepolver 2.6-0
+
 Summary: SELinux policy compiler
 Name: checkpolicy
-Version: 2.5
-Release: 9%{?dist}
+Version: 2.6
+Release: 1%{?dist}
 License: GPLv2
 Group: Development/System
-Source: https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20160223/checkpolicy-2.5.tar.gz
+Source: https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20161014/checkpolicy-2.6.tar.gz
 # download https://raw.githubusercontent.com/fedora-selinux/scripts/master/selinux/make-fedora-selinux-patch.sh
 # run:
-# $ VERSION=2.5 ./make-fedora-selinux-patch.sh checkpolicy
-# HEAD https://github.com/fedora-selinux/selinux/commit/caefad506ca46db441952ab64ebfc6202897516b
-Patch1: checkpolicy-fedora.patch
+# $ VERSION=2.6 ./make-fedora-selinux-patch.sh checkpolicy
+# FIXME: HEAD https://github.com/fedora-selinux/selinux/commit/caefad506ca46db441952ab64ebfc6202897516b
+# Patch1: checkpolicy-fedora.patch
 Conflicts: selinux-policy-base < 3.13.1-138
 BuildRoot: %{_tmppath}/%{name}-buildroot
 BuildRequires: byacc bison flex flex-static libsepol-static >= %{libsepolver} libselinux-devel >= %{libselinuxver}
@@ -31,7 +32,7 @@ This package contains checkpolicy, the SELinux policy compiler. Only required for building policies. %prep -%autosetup -p 1 -n checkpolicy-2.5 +%autosetup -p 1 -n checkpolicy-%{version} %build make clean
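Review bot: The `# FIXME:` comment left above the disabled `# Patch1:` line in the first checkpolicy.spec hunk does not say what has to be fixed, and the commit hash it cites is the same one the removed `# HEAD` line recorded for the 2.5 patch set, so it no longer describes what this package is built from. Because `checkpolicy-fedora.patch` is emptied in the same commit, 2.6 is built from the upstream tarball alone. The dropped patch carried, among other things, the checkmodule check that the module name matches the output base filename and the `dccp` portcon support. These are presumably already part of 2.6, but nothing here records that this was verified. I would state the intent explicitly, for example `# No downstream patch for 2.6: all former Fedora changes are upstream; regenerate checkpolicy-fedora.patch and re-enable Patch1 when fedora-selinux diverges again`, and drop the old hash.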
@@ -61,6 +62,9 @@ rm -rf ${RPM_BUILD_ROOT} %{_bindir}/sedispol %changelog +* Wed Feb 15 2017 Petr Lautrbach - 2.6-1 +- Update to upstream release 2016-10-14 + * Fri Feb 10 2017 Fedora Release Engineering - 2.5-9 - Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
diff --git a/sources b/sources
index b92eb87..2d3b393 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-a8099a2a36de32327abf681159027c58 checkpolicy-2.5.tar.gz
+SHA512 (checkpolicy-2.6.tar.gz) = 1d8361a5735410909be7fe5a54740e0e1b6339d0fbad9965f3ae2902e7eaaec7531fec1dd73bb57b28ad933773778ab50b97db3d92aacf5fac3b63d1ed364b46