From 43d653f2202e73a5ff65329e9caf504f1ef0b024 Mon Sep 17 00:00:00 2001
From: Petr Lautrbach
Date: Fri, 29 Apr 2016 19:08:43 +0200
Subject: [PATCH] checkpolicy-2.5-3
- Build policy on systems not supporting DCCP protocol
- Fail if module name different than output base filename
---
 checkpolicy-fedora.patch | 72 ++++++++++++++++++++++++++++++++++++----
 checkpolicy.spec | 10 ++++--
 2 files changed, 73 insertions(+), 9 deletions(-)
diff --git a/checkpolicy-fedora.patch b/checkpolicy-fedora.patch
index 5062087..8d835d6 100644
--- a/checkpolicy-fedora.patch
+++ b/checkpolicy-fedora.patch
@@ -1,17 +1,67 @@
diff --git checkpolicy-2.5/ChangeLog checkpolicy-2.5/ChangeLog -index dfe4908..51b99cd 100644 +index dfe4908..eae775f 100644 --- checkpolicy-2.5/ChangeLog +++ checkpolicy-2.5/ChangeLog -@@ -1,3 +1,4 @@ +@@ -1,3 +1,6 @@ ++ * Build policy on systems not supporting DCCP protocol, from Richard Haines. ++ * Fail if module name different than output base filename, from James Carter + * Add support for portcon dccp protocol, from Richard Haines 2.5 2016-02-23 * Add neverallow support for ioctl extended permissions, from Jeff Vander Stoep. * fix double free on name-based type transitions, from Stephen Smalley. +diff --git checkpolicy-2.5/checkmodule.c checkpolicy-2.5/checkmodule.c +index 5957d29..418f77b 100644 +--- checkpolicy-2.5/checkmodule.c ++++ checkpolicy-2.5/checkmodule.c +@@ -19,6 +19,7 @@ + #include + #include + #include ++#include + + #include + #include +@@ -258,6 +259,25 @@ int main(int argc, char **argv) + } + } + ++ if (policy_type != POLICY_BASE && outfile) { ++ char *mod_name = modpolicydb.name; ++ char *out_path = strdup(outfile); ++ if (out_path == NULL) { ++ fprintf(stderr, "%s: out of memory\n", argv[0]); ++ exit(1); ++ } ++ char *out_name = basename(out_path); ++ char *separator = strrchr(out_name, '.'); ++ if (separator) { ++ *separator = '\0'; ++ } ++ if (strcmp(mod_name, out_name) != 0) { ++ fprintf(stderr, "%s: Module name %s is different than the output base filename %s\n", argv[0], mod_name, out_name); ++ exit(1); ++ } ++ free(out_path); ++ } ++ + if (modpolicydb.policy_type == POLICY_BASE && !cil) { + /* Verify that we can successfully expand the base module. */ + policydb_t kernpolicydb; 
diff --git checkpolicy-2.5/checkpolicy.c checkpolicy-2.5/checkpolicy.c -index 9da661e..ea9ee00 100644 +index 9da661e..7947c20 100644 --- checkpolicy-2.5/checkpolicy.c +++ checkpolicy-2.5/checkpolicy.c -@@ -919,6 +919,8 @@ int main(int argc, char **argv) +@@ -64,6 +64,9 @@ + #include + #include + #include ++#ifndef IPPROTO_DCCP ++#define IPPROTO_DCCP 33 ++#endif + #include + #include + #include +@@ -919,6 +922,8 @@ int main(int argc, char **argv) protocol = IPPROTO_TCP; else if (!strcmp(ans, "udp") || !strcmp(ans, "UDP")) protocol = IPPROTO_UDP; @@ -21,10 +71,20 @@ index 9da661e..ea9ee00 100644 printf("unknown protocol\n"); break; diff --git checkpolicy-2.5/policy_define.c checkpolicy-2.5/policy_define.c -index ee20fea..7a4d2f1 100644 +index ee20fea..2068b71 100644 --- checkpolicy-2.5/policy_define.c +++ checkpolicy-2.5/policy_define.c -@@ -4876,6 +4876,8 @@ int define_port_context(unsigned int low, unsigned int high) +@@ -36,6 +36,9 @@ + #include + #include + #include ++#ifndef IPPROTO_DCCP ++#define IPPROTO_DCCP 33 ++#endif + #include + #include + #include +@@ -4876,6 +4879,8 @@ int define_port_context(unsigned int low, unsigned int high) protocol = IPPROTO_TCP; } else if ((strcmp(id, "udp") == 0) || (strcmp(id, "UDP") == 0)) { protocol = IPPROTO_UDP; diff --git a/checkpolicy.spec b/checkpolicy.spec index a686233..d2588cc 100644 --- a/checkpolicy.spec +++ b/checkpolicy.spec 
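Review bot: In the block added to checkmodule.c, `mod_name` comes from `modpolicydb.name` and goes straight into `strcmp()` and the `%s` of the error message without a NULL check, although `out_path` is checked. If the name can still be unset for a non-base policy at this point (the code that fills it is outside the hunk), the comparison is undefined behaviour rather than a clean failure; `if (mod_name == NULL || strcmp(mod_name, out_name) != 0)` with `mod_name ? mod_name : "(none)"` in the message would keep the failure explicit. The block also tests the command-line `policy_type`, while the `if` right after it tests `modpolicydb.policy_type`; a one-line comment saying why the two differ would help the next reader. main() starts and ends outside the hunk.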
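Review bot: The `#ifndef IPPROTO_DCCP` fallback added to policy_define.c, and the identical one added to checkpolicy.c in the previous hunk, sits in the middle of the include list with three more `#include` lines after it. The header names are not visible on this page, but if the header that normally declares `IPPROTO_DCCP` is among those later includes, the macro is already defined when that header is parsed, and on a libc that declares the name as an enumerator this can break the build. Moving the guard below the last system include avoids that. The bare `33` also deserves a comment, for example `/* DCCP protocol number; fallback for libc headers that lack IPPROTO_DCCP */`.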
@@ -3,14 +3,14 @@ Summary: SELinux policy compiler Name: checkpolicy Version: 2.5 -Release: 2%{?dist} +Release: 3%{?dist} License: GPLv2 Group: Development/System Source: https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20160223/checkpolicy-2.5.tar.gz # download https://raw.githubusercontent.com/fedora-selinux/scripts/master/selinux/make-fedora-selinux-patch.sh # run: # $ VERSION=2.5 ./make-fedora-selinux-patch.sh checkpolicy -# HEAD https://github.com/fedora-selinux/selinux/commit/4bfb84c7ff7b33cf06b9a6b2317d24054b9db562 +# HEAD https://github.com/fedora-selinux/selinux/commit/f900ff37022119de47d516f103ccfd339d52c861 Patch1: checkpolicy-fedora.patch Conflicts: selinux-policy-base < 3.13.1-138 BuildRoot: %{_tmppath}/%{name}-buildroot @@ -31,7 +31,7 @@ This package contains checkpolicy, the SELinux policy compiler. Only required for building policies. %prep -%setup -q -n checkpolicy-2.5 +%autosetup -p 1 -n checkpolicy-2.5 %build make clean @@ -61,6 +61,10 @@ rm -rf ${RPM_BUILD_ROOT} %{_bindir}/sedispol %changelog +* Fri Apr 29 2016 Petr Lautrbach - 2.5-3 +- Build policy on systems not supporting DCCP protocol +- Fail if module name different than output base filename + * Fri Apr 08 2016 Petr Lautrbach - 2.5-2 - Add support for portcon dccp protocol
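Review bot: The switch from `%setup -q` to `%autosetup -p 1` in %prep is not recorded in the new %changelog entry, although it changes what gets built. The visible context shows no `%patch` line between `%setup` and `%build`, so it appears Patch1 was not applied before this commit. If so, 2.5-2 was built without the DCCP portcon change its changelog announces, and the entry should say that the patch is now applied, e.g. `- Apply checkpolicy-fedora.patch with %%autosetup`.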