rpms
/
checkpolicy
2
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Upgrade to upstream 

* dis* fixed signed vs unsigned errors
	* dismod: fix unused parameter errors
	* test: Makefile: include -W and -Werror
	* allow ~ in filename transition rules
Allow policy to specify the source of target for generating the default user,role
or mls label for a new target.
This commit is contained in:
Dan Walsh 2011-12-15 14:30:26 -05:00
parent e9ff6dfd95
commit 5ea3e823bf
4 changed files with 382 additions and 317 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored
View File

@ -83,3 +83,4 @@ checkpolicy-2.0.22.tgz
/checkpolicy-2.1.4.tgz
/checkpolicy-2.1.5.tgz
/checkpolicy-2.1.6.tgz
/checkpolicy-2.1.7.tgz

681
checkpolicy-rhat.patch
View File

@ -1,320 +1,375 @@
diff --git a/checkpolicy/policy_define.c b/checkpolicy/policy_define.c
index 1bf669c..a86c6b3 100644
--- a/checkpolicy/policy_define.c
+++ b/checkpolicy/policy_define.c
@@ -327,6 +327,126 @@ int define_initial_sid(void)
return -1;
}
+static int read_classes(ebitmap_t *e_classes)
+{
+ char *id;
+ class_datum_t *cladatum;
+
+ while ((id = queue_remove(id_queue))) {
+ if (!is_id_in_scope(SYM_CLASSES, id)) {
+ yyerror2("class %s is not within scope", id);
+ return -1;
+ }
+ cladatum = hashtab_search(policydbp->p_classes.table, id);
+ if (!cladatum) {
+ yyerror2("unknown class %s", id);
+ return -1;
+ }
+ if (ebitmap_set_bit(e_classes, cladatum->s.value - 1, TRUE)) {
+ yyerror("Out of memory");
+ return -1;
+ }
+ free(id);
+ }
+ return 0;
+}
+
+int define_default_user(int which)
+{
+ char *id;
+ class_datum_t *cladatum;
+
+ if (pass == 1) {
+ while ((id = queue_remove(id_queue)))
+ free(id);
+ return 0;
+ }
+
+ while ((id = queue_remove(id_queue))) {
+ if (!is_id_in_scope(SYM_CLASSES, id)) {
+ yyerror2("class %s is not within scope", id);
+ return -1;
+ }
+ cladatum = hashtab_search(policydbp->p_classes.table, id);
+ if (!cladatum) {
+ yyerror2("unknown class %s", id);
+ return -1;
+ }
+ if (cladatum->default_user && cladatum->default_user != which) {
+ yyerror2("conflicting default user information for class %s", id);
+ return -1;
+ }
+ cladatum->default_user = which;
+ free(id);
+ }
+
+ return 0;
+}
+
+int define_default_role(int which)
+{
+ char *id;
+ class_datum_t *cladatum;
+
+ if (pass == 1) {
+ while ((id = queue_remove(id_queue)))
+ free(id);
+ return 0;
+ }
+
+ while ((id = queue_remove(id_queue))) {
+ if (!is_id_in_scope(SYM_CLASSES, id)) {
+ yyerror2("class %s is not within scope", id);
+ return -1;
+ }
+ cladatum = hashtab_search(policydbp->p_classes.table, id);
+ if (!cladatum) {
+ yyerror2("unknown class %s", id);
+ return -1;
+ }
+ if (cladatum->default_role && cladatum->default_role != which) {
+ yyerror2("conflicting default role information for class %s", id);
+ return -1;
+ }
+ cladatum->default_role = which;
+ free(id);
+ }
+
+ return 0;
+}
+
+int define_default_range(int which)
+{
+ char *id;
+ class_datum_t *cladatum;
+
+ if (pass == 1) {
+ while ((id = queue_remove(id_queue)))
+ free(id);
+ return 0;
+ }
+
+ while ((id = queue_remove(id_queue))) {
+ if (!is_id_in_scope(SYM_CLASSES, id)) {
+ yyerror2("class %s is not within scope", id);
+ return -1;
+ }
+ cladatum = hashtab_search(policydbp->p_classes.table, id);
+ if (!cladatum) {
+ yyerror2("unknown class %s", id);
+ return -1;
+ }
+ if (cladatum->default_range && cladatum->default_range != which) {
+ yyerror2("conflicting default range information for class %s", id);
+ return -1;
+ }
+ cladatum->default_range = which;
+ free(id);
+ }
+
+ return 0;
+}
+
int define_common_perms(void)
{
char *id = 0, *perm = 0;
@@ -1360,7 +1480,6 @@ int define_compute_type_helper(int which, avrule_t ** rule)
{
char *id;
type_datum_t *datum;
- class_datum_t *cladatum;
ebitmap_t tclasses;
ebitmap_node_t *node;
avrule_t *avrule;
@@ -1387,23 +1506,8 @@ int define_compute_type_helper(int which, avrule_t ** rule)
}
ebitmap_init(&tclasses);
- while ((id = queue_remove(id_queue))) {
- if (!is_id_in_scope(SYM_CLASSES, id)) {
- yyerror2("class %s is not within scope", id);
- free(id);
- goto bad;
- }
- cladatum = hashtab_search(policydbp->p_classes.table, id);
- if (!cladatum) {
- yyerror2("unknown class %s", id);
- goto bad;
- }
- if (ebitmap_set_bit(&tclasses, cladatum->s.value - 1, TRUE)) {
- yyerror("Out of memory");
- goto bad;
- }
- free(id);
- }
+ if (read_classes(&tclasses))
+ goto bad;
id = (char *)queue_remove(id_queue);
if (!id) {
@@ -1628,25 +1732,9 @@ int define_te_avtab_helper(int which, avrule_t ** rule)
}
ebitmap_init(&tclasses);
- while ((id = queue_remove(id_queue))) {
- if (!is_id_in_scope(SYM_CLASSES, id)) {
- yyerror2("class %s is not within scope", id);
- ret = -1;
- goto out;
- }
- cladatum = hashtab_search(policydbp->p_classes.table, id);
- if (!cladatum) {
- yyerror2("unknown class %s used in rule", id);
- ret = -1;
- goto out;
- }
- if (ebitmap_set_bit(&tclasses, cladatum->s.value - 1, TRUE)) {
- yyerror("Out of memory");
- ret = -1;
- goto out;
- }
- free(id);
- }
+ ret = read_classes(&tclasses);
+ if (ret)
+ goto out;
perms = NULL;
ebitmap_for_each_bit(&tclasses, node, i) {
@@ -2242,22 +2330,8 @@ int define_role_trans(int class_specified)
}
if (class_specified) {
- while ((id = queue_remove(id_queue))) {
- if (!is_id_in_scope(SYM_CLASSES, id)) {
- yyerror2("class %s is not within scope", id);
- free(id);
- return -1;
- }
- cladatum = hashtab_search(policydbp->p_classes.table,
- id);
- if (!cladatum) {
- yyerror2("unknow class %s", id);
- return -1;
- }
-
- ebitmap_set_bit(&e_classes, cladatum->s.value - 1, TRUE);
- free(id);
- }
+ if (read_classes(&e_classes))
+ return -1;
} else {
cladatum = hashtab_search(policydbp->p_classes.table,
"process");
@@ -2410,7 +2484,6 @@ int define_filename_trans(void)
ebitmap_node_t *snode, *tnode, *cnode;
filename_trans_t *ft;
filename_trans_rule_t *ftr;
- class_datum_t *cladatum;
type_datum_t *typdatum;
uint32_t otype;
unsigned int c, s, t;
@@ -2451,23 +2524,8 @@ int define_filename_trans(void)
}
ebitmap_init(&e_tclasses);
- while ((id = queue_remove(id_queue))) {
- if (!is_id_in_scope(SYM_CLASSES, id)) {
- yyerror2("class %s is not within scope", id);
- free(id);
- goto bad;
- }
- cladatum = hashtab_search(policydbp->p_classes.table, id);
- if (!cladatum) {
- yyerror2("unknown class %s", id);
- goto bad;
- }
- if (ebitmap_set_bit(&e_tclasses, cladatum->s.value - 1, TRUE)) {
- yyerror("Out of memory");
- goto bad;
- }
- free(id);
- }
+ if (read_classes(&e_tclasses))
+ goto bad;
id = (char *)queue_remove(id_queue);
if (!id) {
@@ -4549,23 +4607,8 @@ int define_range_trans(int class_specified)
}
if (class_specified) {
- while ((id = queue_remove(id_queue))) {
- if (!is_id_in_scope(SYM_CLASSES, id)) {
- yyerror2("class %s is not within scope", id);
- free(id);
- goto out;
- }
- cladatum = hashtab_search(policydbp->p_classes.table,
- id);
- if (!cladatum) {
- yyerror2("unknown class %s", id);
- goto out;
- }
-
- ebitmap_set_bit(&rule->tclasses, cladatum->s.value - 1,
- TRUE);
- free(id);
- }
+ if (read_classes(&rule->tclasses))
+ goto out;
} else {
cladatum = hashtab_search(policydbp->p_classes.table,
"process");
diff --git a/checkpolicy/policy_define.h b/checkpolicy/policy_define.h
index 92a9be7..ccbe56f 100644
--- a/checkpolicy/policy_define.h
+++ b/checkpolicy/policy_define.h
@@ -24,6 +24,9 @@ int define_av_perms(int inherits);
int define_bool_tunable(int is_tunable);
int define_category(void);
int define_class(void);
+int define_default_user(int which);
+int define_default_role(int which);
+int define_default_range(int which);
int define_common_perms(void);
int define_compute_type(int which);
int define_conditional(cond_expr_t *expr, avrule_t *t_list, avrule_t *f_list );
diff --git a/checkpolicy/policy_parse.y b/checkpolicy/policy_parse.y
index d808111..3b7357f 100644
--- a/checkpolicy/policy_parse.y
+++ b/checkpolicy/policy_parse.y
@@ -143,6 +143,8 @@ typedef int (* require_func_t)();
%token POLICYCAP
%token PERMISSIVE
%token FILESYSTEM
+%token DEFAULT_USER DEFAULT_ROLE DEFAULT_RANGE
+%token LOW_HIGH LOW HIGH
%left OR
%left XOR
@@ -157,7 +159,7 @@ base_policy : { if (define_policy(pass, 0) == -1) return -1; }
classes initial_sids access_vectors
{ if (pass == 1) { if (policydb_index_classes(policydbp)) return -1; }
else if (pass == 2) { if (policydb_index_others(NULL, policydbp, 0)) return -1; }}
- opt_mls te_rbac users opt_constraints
+ default_rules opt_mls te_rbac users opt_constraints
{ if (pass == 1) { if (policydb_index_bools(policydbp)) return -1;}
else if (pass == 2) { if (policydb_index_others(NULL, policydbp, 0)) return -1;}}
initial_sid_contexts opt_fs_contexts opt_fs_uses opt_genfs_contexts net_contexts opt_dev_contexts
@@ -195,6 +197,36 @@ av_perms_def : CLASS identifier '{' identifier_list '}'
| CLASS identifier INHERITS identifier '{' identifier_list '}'
{if (define_av_perms(TRUE)) return -1;}
;
+default_rules : default_user_def
+ | default_role_def
+ | default_range_def
+ | default_rules default_user_def
+ | default_rules default_role_def
+ | default_rules default_range_def
+ ;
+default_user_def : DEFAULT_USER names SOURCE ';'
+ {if (define_default_user(DEFAULT_SOURCE)) return -1; }
+ | DEFAULT_USER names TARGET ';'
+ {if (define_default_user(DEFAULT_TARGET)) return -1; }
+ ;
+default_role_def : DEFAULT_ROLE names SOURCE ';'
+ {if (define_default_role(DEFAULT_SOURCE)) return -1; }
+ | DEFAULT_ROLE names TARGET ';'
+ {if (define_default_role(DEFAULT_TARGET)) return -1; }
+ ;
+default_range_def : DEFAULT_RANGE names SOURCE LOW ';'
+ {if (define_default_range(DEFAULT_SOURCE_LOW)) return -1; }
+ | DEFAULT_RANGE names SOURCE HIGH ';'
+ {if (define_default_range(DEFAULT_SOURCE_HIGH)) return -1; }
+ | DEFAULT_RANGE names SOURCE LOW_HIGH ';'
+ {if (define_default_range(DEFAULT_SOURCE_LOW_HIGH)) return -1; }
+ | DEFAULT_RANGE names TARGET LOW ';'
+ {if (define_default_range(DEFAULT_TARGET_LOW)) return -1; }
+ | DEFAULT_RANGE names TARGET HIGH ';'
+ {if (define_default_range(DEFAULT_TARGET_HIGH)) return -1; }
+ | DEFAULT_RANGE names TARGET LOW_HIGH ';'
+ {if (define_default_range(DEFAULT_TARGET_LOW_HIGH)) return -1; }
+ ;
opt_mls : mls
|
;
diff --git a/checkpolicy/policy_scan.l b/checkpolicy/policy_scan.l
index 5ee27f8..b4b9066 100644
index 9b24db5..e767b5f 100644
--- a/checkpolicy/policy_scan.l
+++ b/checkpolicy/policy_scan.l
@@ -222,7 +222,7 @@ POLICYCAP { return(POLICYCAP); }
@@ -221,6 +221,18 @@ policycap |
POLICYCAP { return(POLICYCAP); }
permissive |
PERMISSIVE { return(PERMISSIVE); }
+default_user |
+DEFAULT_USER { return(DEFAULT_USER); }
+default_role |
+DEFAULT_ROLE { return(DEFAULT_ROLE); }
+default_range |
+DEFAULT_RANGE { return(DEFAULT_RANGE); }
+low-high |
+LOW-HIGH { return(LOW_HIGH); }
+high |
+HIGH { return(HIGH); }
+low |
+LOW { return(LOW); }
"/"({alnum}|[_\.\-/])* { return(PATH); }
-\"({alnum}|[_\.\-])+\" { return(FILENAME); }
+\"({alnum}|[_\.\-\~])+\" { return(FILENAME); }
\"({alnum}|[_\.\-\~])+\" { return(FILENAME); }
{letter}({alnum}|[_\-])*([\.]?({alnum}|[_\-]))* { return(IDENTIFIER); }
{alnum}*{letter}{alnum}* { return(FILESYSTEM); }
{digit}+|0x{hexval}+ { return(NUMBER); }
diff --git a/checkpolicy/test/Makefile b/checkpolicy/test/Makefile
index 65cf901..0731e89 100644
--- a/checkpolicy/test/Makefile
+++ b/checkpolicy/test/Makefile
@@ -6,7 +6,7 @@ BINDIR=$(PREFIX)/bin
LIBDIR=$(PREFIX)/lib
INCLUDEDIR ?= $(PREFIX)/include
-CFLAGS ?= -g -Wall -O2 -pipe
+CFLAGS ?= -g -Wall -W -Werror -O2 -pipe
override CFLAGS += -I$(INCLUDEDIR)
LDLIBS=-lfl -lselinux $(LIBDIR)/libsepol.a -L$(LIBDIR)
diff --git a/checkpolicy/test/dismod.c b/checkpolicy/test/dismod.c
index 1674a47..6a951f6 100644
--- a/checkpolicy/test/dismod.c
+++ b/checkpolicy/test/dismod.c
@@ -115,7 +115,7 @@ static void display_id(policydb_t * p, FILE * fp, uint32_t symbol_type,
int display_type_set(type_set_t * set, uint32_t flags, policydb_t * policy,
FILE * fp)
{
- int i, num_types;
+ unsigned int i, num_types;
if (set->flags & TYPE_STAR) {
fprintf(fp, " * ");
@@ -178,7 +178,7 @@ int display_type_set(type_set_t * set, uint32_t flags, policydb_t * policy,
int display_mod_role_set(role_set_t * roles, policydb_t * p, FILE * fp)
{
- int i, num = 0;
+ unsigned int i, num = 0;
if (roles->flags & ROLE_STAR) {
fprintf(fp, " * ");
@@ -211,13 +211,7 @@ int display_mod_role_set(role_set_t * roles, policydb_t * p, FILE * fp)
}
-/* 'what' values for this function */
-#define RENDER_UNCONDITIONAL 0x0001 /* render all regardless of enabled state */
-#define RENDER_ENABLED 0x0002
-#define RENDER_DISABLED 0x0004
-#define RENDER_CONDITIONAL (RENDER_ENABLED|RENDER_DISABLED)
-
-int display_avrule(avrule_t * avrule, uint32_t what, policydb_t * policy,
+int display_avrule(avrule_t * avrule, policydb_t * policy,
FILE * fp)
{
class_perm_node_t *cur;
@@ -299,7 +293,7 @@ int display_type_callback(hashtab_key_t key, hashtab_datum_t datum, void *data)
{
type_datum_t *type;
FILE *fp;
- int i, first_attrib = 1;
+ unsigned int i, first_attrib = 1;
type = (type_datum_t *) datum;
fp = (FILE *) data;
@@ -346,7 +340,7 @@ int display_types(policydb_t * p, FILE * fp)
int display_users(policydb_t * p, FILE * fp)
{
- int i, j;
+ unsigned int i, j;
ebitmap_t *bitmap;
for (i = 0; i < p->p_users.nprim; i++) {
display_id(p, fp, SYM_USERS, i, "");
@@ -365,7 +359,7 @@ int display_users(policydb_t * p, FILE * fp)
int display_bools(policydb_t * p, FILE * fp)
{
- int i;
+ unsigned int i;
for (i = 0; i < p->p_bools.nprim; i++) {
display_id(p, fp, SYM_BOOLS, i, "");
@@ -409,30 +403,11 @@ void display_expr(policydb_t * p, cond_expr_t * exp, FILE * fp)
}
}
-void display_policycon(policydb_t * p, FILE * fp)
+void display_policycon(FILE * fp)
{
-#if 0
- int i;
- ocontext_t *cur;
- char *name;
-
- for (i = 0; i < POLICYCON_NUM; i++) {
- fprintf(fp, "%s:", symbol_labels[i]);
- for (cur = p->policycon[i].head; cur != NULL; cur = cur->next) {
- if (*(cur->u.name) == '\0') {
- name = "{default}";
- } else {
- name = cur->u.name;
- }
- fprintf(fp, "\n%16s - %s:%s:%s", name,
- p->p_user_val_to_name[cur->context[0].user - 1],
- p->p_role_val_to_name[cur->context[0].role - 1],
- p->p_type_val_to_name[cur->context[0].type -
- 1]);
- }
- fprintf(fp, "\n");
- }
-#endif
+ /* There was an attempt to implement this at one time. Look through
+ * git history to find it. */
+ fprintf(fp, "Sorry, not implemented\n");
}
void display_initial_sids(policydb_t * p, FILE * fp)
@@ -462,7 +437,7 @@ void display_initial_sids(policydb_t * p, FILE * fp)
void display_class_set(ebitmap_t *classes, policydb_t *p, FILE *fp)
{
- int i, num = 0;
+ unsigned int i, num = 0;
for (i = ebitmap_startbit(classes); i < ebitmap_length(classes); i++) {
if (!ebitmap_get_bit(classes, i))
@@ -518,7 +493,8 @@ static void display_filename_trans(filename_trans_rule_t * tr, policydb_t * p, F
}
}
-int role_display_callback(hashtab_key_t key, hashtab_datum_t datum, void *data)
+int role_display_callback(hashtab_key_t key __attribute__((unused)),
+ hashtab_datum_t datum, void *data)
{
role_datum_t *role;
FILE *fp;
@@ -538,9 +514,9 @@ int role_display_callback(hashtab_key_t key, hashtab_datum_t datum, void *data)
static int display_scope_index(scope_index_t * indices, policydb_t * p,
FILE * out_fp)
{
- int i;
+ unsigned int i;
for (i = 0; i < SYM_NUM; i++) {
- int any_found = 0, j;
+ unsigned int any_found = 0, j;
fprintf(out_fp, "%s:", symbol_labels[i]);
for (j = ebitmap_startbit(&indices->scope[i]);
j < ebitmap_length(&indices->scope[i]); j++) {
@@ -611,7 +587,7 @@ int change_bool(char *name, int state, policydb_t * p, FILE * fp)
}
#endif
-int display_avdecl(avrule_decl_t * decl, int field, uint32_t what,
+int display_avdecl(avrule_decl_t * decl, int field,
policydb_t * policy, FILE * out_fp)
{
fprintf(out_fp, "decl %u:%s\n", decl->decl_id,
@@ -629,7 +605,6 @@ int display_avdecl(avrule_decl_t * decl, int field, uint32_t what,
avrule = cond->avtrue_list;
while (avrule) {
display_avrule(avrule,
- RENDER_UNCONDITIONAL,
&policydb, out_fp);
avrule = avrule->next;
}
@@ -637,7 +612,6 @@ int display_avdecl(avrule_decl_t * decl, int field, uint32_t what,
avrule = cond->avfalse_list;
while (avrule) {
display_avrule(avrule,
- RENDER_UNCONDITIONAL,
&policydb, out_fp);
avrule = avrule->next;
}
@@ -651,10 +625,8 @@ int display_avdecl(avrule_decl_t * decl, int field, uint32_t what,
fprintf(out_fp, " <empty>\n");
}
while (avrule != NULL) {
- if (display_avrule
- (avrule, what, policy, out_fp)) {
+ if (display_avrule(avrule, policy, out_fp))
return -1;
- }
avrule = avrule->next;
}
break;
@@ -696,7 +668,7 @@ int display_avdecl(avrule_decl_t * decl, int field, uint32_t what,
return 0; /* should never get here */
}
-int display_avblock(int field, uint32_t what, policydb_t * policy,
+int display_avblock(int field, policydb_t * policy,
FILE * out_fp)
{
avrule_block_t *block = policydb.global;
@@ -704,7 +676,7 @@ int display_avblock(int field, uint32_t what, policydb_t * policy,
fprintf(out_fp, "--- begin avrule block ---\n");
avrule_decl_t *decl = block->branch_list;
while (decl != NULL) {
- if (display_avdecl(decl, field, what, policy, out_fp)) {
+ if (display_avdecl(decl, field, policy, out_fp)) {
return -1;
}
decl = decl->next;
@@ -820,7 +792,7 @@ static void display_policycaps(policydb_t * p, FILE * fp)
ebitmap_node_t *node;
const char *capname;
char buf[64];
- int i;
+ unsigned int i;
fprintf(fp, "policy capabilities:\n");
ebitmap_for_each_bit(&p->policycaps, node, i) {
@@ -915,14 +887,12 @@ int main(int argc, char **argv)
case '1':
fprintf(out_fp, "unconditional avtab:\n");
display_avblock(DISPLAY_AVBLOCK_UNCOND_AVTAB,
- RENDER_UNCONDITIONAL, &policydb,
- out_fp);
+ &policydb, out_fp);
break;
case '2':
fprintf(out_fp, "conditional avtab:\n");
display_avblock(DISPLAY_AVBLOCK_COND_AVTAB,
- RENDER_UNCONDITIONAL, &policydb,
- out_fp);
+ &policydb, out_fp);
break;
case '3':
display_users(&policydb, out_fp);
@@ -944,28 +914,28 @@ int main(int argc, char **argv)
break;
case '7':
fprintf(out_fp, "role transitions:\n");
- display_avblock(DISPLAY_AVBLOCK_ROLE_TRANS, 0,
+ display_avblock(DISPLAY_AVBLOCK_ROLE_TRANS,
&policydb, out_fp);
break;
case '8':
fprintf(out_fp, "role allows:\n");
- display_avblock(DISPLAY_AVBLOCK_ROLE_ALLOW, 0,
+ display_avblock(DISPLAY_AVBLOCK_ROLE_ALLOW,
&policydb, out_fp);
break;
case '9':
- display_policycon(&policydb, out_fp);
+ display_policycon(out_fp);
break;
case '0':
display_initial_sids(&policydb, out_fp);
break;
case 'a':
fprintf(out_fp, "avrule block requirements:\n");
- display_avblock(DISPLAY_AVBLOCK_REQUIRES, 0,
+ display_avblock(DISPLAY_AVBLOCK_REQUIRES,
&policydb, out_fp);
break;
case 'b':
fprintf(out_fp, "avrule block declarations:\n");
- display_avblock(DISPLAY_AVBLOCK_DECLARES, 0,
+ display_avblock(DISPLAY_AVBLOCK_DECLARES,
&policydb, out_fp);
break;
case 'c':
@@ -993,7 +963,7 @@ int main(int argc, char **argv)
case 'F':
fprintf(out_fp, "filename_trans rules:\n");
display_avblock(DISPLAY_AVBLOCK_FILENAME_TRANS,
- 0, &policydb, out_fp);
+ &policydb, out_fp);
break;
case 'l':
link_module(&policydb, out_fp);
diff --git a/checkpolicy/test/dispol.c b/checkpolicy/test/dispol.c
index 0e08965..f41acdc 100644
--- a/checkpolicy/test/dispol.c
+++ b/checkpolicy/test/dispol.c
@@ -157,7 +157,7 @@ int render_av_rule(avtab_key_t * key, avtab_datum_t * datum, uint32_t what,
int display_avtab(avtab_t * a, uint32_t what, policydb_t * p, FILE * fp)
{
- int i;
+ unsigned int i;
avtab_ptr_t cur;
avtab_t expa;
@@ -184,7 +184,7 @@ int display_avtab(avtab_t * a, uint32_t what, policydb_t * p, FILE * fp)
int display_bools(policydb_t * p, FILE * fp)
{
- int i;
+ unsigned int i;
for (i = 0; i < p->p_bools.nprim; i++) {
fprintf(fp, "%s : %d\n", p->p_bool_val_to_name[i],
@@ -304,7 +304,7 @@ static void display_policycaps(policydb_t * p, FILE * fp)
ebitmap_node_t *node;
const char *capname;
char buf[64];
- int i;
+ unsigned int i;
fprintf(fp, "policy capabilities:\n");
ebitmap_for_each_bit(&p->policycaps, node, i) {
@@ -329,7 +329,7 @@ static void display_id(policydb_t *p, FILE *fp, uint32_t symbol_type,
static void display_permissive(policydb_t *p, FILE *fp)
{
ebitmap_node_t *node;
- int i;
+ unsigned int i;
fprintf(fp, "permissive sids:\n");
ebitmap_for_each_bit(&p->permissive_map, node, i) {

15
checkpolicy.spec
View File

@ -1,9 +1,9 @@
%define libselinuxver 2.1.6-4
%define libsepolver 2.1.2-3
%define libsepolver 2.1.4-1
Summary: SELinux policy compiler
Name: checkpolicy
Version: 2.1.6
Release: 2%{?dist}
Version: 2.1.7
Release: 1%{?dist}
License: GPLv2
Group: Development/System
Source: http://www.nsa.gov/selinux/archives/%{name}-%{version}.tgz
@ -56,6 +56,15 @@ rm -rf ${RPM_BUILD_ROOT}
%{_bindir}/sedispol
%changelog
* Tue Dec 6 2011 Dan Walsh <dwalsh@redhat.com> - 2.1.7-1
- Upgrade to upstream
* dis* fixed signed vs unsigned errors
* dismod: fix unused parameter errors
* test: Makefile: include -W and -Werror
* allow ~ in filename transition rules
- Allow policy to specify the source of target for generating the default user,role
- or mls label for a new target.
* Mon Nov 14 2011 Dan Walsh <dwalsh@redhat.com> - 2.1.6-2
- Allow ~ in a filename

2
sources
View File

@ -1 +1 @@
a1115f9c92777da7c8cafab08a81b779 checkpolicy-2.1.6.tgz
19c722fd1e180250a22d25b1fb41a4fd checkpolicy-2.1.7.tgz