Compare commits
4 Commits
Author | SHA1 | Date |
---|---|---|
Dan Walsh | ce269b9102 | |
Dan Walsh | 14bff28574 | |
Dan Walsh | 3151f4b9a8 | |
rhatdan | 3d05d41678 |
|
@ -87,3 +87,5 @@ checkpolicy-2.0.22.tgz
|
|||
/checkpolicy-2.1.8.tgz
|
||||
/checkpolicy-2.1.9.tgz
|
||||
/checkpolicy-2.1.10.tgz
|
||||
/checkpolicy-2.1.11.tgz
|
||||
/checkpolicy-2.1.12.tgz
|
||||
|
|
|
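--- /dev/null
+++ b/checkpolicy-defaulttype.patch
@@ -0,0 +1,101 @@
+diff -ur checkpolicy-2.1.12/policy_define.c checkpolicy-2.1.11/policy_define.c
+--- checkpolicy-2.1.12/policy_define.c 2013-02-07 12:21:10.000000000 -0500
++++ checkpolicy-2.1.11/policy_define.c 2012-09-13 12:29:01.000000000 -0400
+@@ -415,38 +415,6 @@
+return 0;
+}
+
+-int define_default_type(int which)
+-{
+- char *id;
+- class_datum_t *cladatum;
+-
+- if (pass == 1) {
+- while ((id = queue_remove(id_queue)))
+- free(id);
+- return 0;
+- }
+-
+- while ((id = queue_remove(id_queue))) {
+- if (!is_id_in_scope(SYM_CLASSES, id)) {
+- yyerror2("class %s is not within scope", id);
+- return -1;
+- }
+- cladatum = hashtab_search(policydbp->p_classes.table, id);
+- if (!cladatum) {
+- yyerror2("unknown class %s", id);
+- return -1;
+- }
+- if (cladatum->default_type && cladatum->default_type != which) {
+- yyerror2("conflicting default type information for class %s", id);
+- return -1;
+- }
+- cladatum->default_type = which;
+- free(id);
+- }
+-
+- return 0;
+-}
+-
+int define_default_range(int which)
+{
+char *id;
+diff -ur checkpolicy-2.1.12/policy_define.h checkpolicy-2.1.11/policy_define.h
+--- checkpolicy-2.1.12/policy_define.h 2013-02-07 12:21:10.000000000 -0500
++++ checkpolicy-2.1.11/policy_define.h 2012-09-13 12:29:01.000000000 -0400
+@@ -26,7 +26,6 @@
+int define_class(void);
+int define_default_user(int which);
+int define_default_role(int which);
+-int define_default_type(int which);
+int define_default_range(int which);
+int define_common_perms(void);
+int define_compute_type(int which);
+diff -ur checkpolicy-2.1.12/policy_parse.y checkpolicy-2.1.11/policy_parse.y
+--- checkpolicy-2.1.12/policy_parse.y 2013-02-07 12:21:10.000000000 -0500
++++ checkpolicy-2.1.11/policy_parse.y 2012-09-13 12:29:01.000000000 -0400
+@@ -143,7 +143,7 @@
+%token POLICYCAP
+%token PERMISSIVE
+%token FILESYSTEM
+-%token DEFAULT_USER DEFAULT_ROLE DEFAULT_TYPE DEFAULT_RANGE
++%token DEFAULT_USER DEFAULT_ROLE DEFAULT_RANGE
+%token LOW_HIGH LOW HIGH
+
+%left OR
+@@ -202,11 +202,9 @@
+;
+default_rules : default_user_def
+| default_role_def
+- | default_type_def
+| default_range_def
+| default_rules default_user_def
+| default_rules default_role_def
+- | default_rules default_type_def
+| default_rules default_range_def
+;
+default_user_def : DEFAULT_USER names SOURCE ';'
+@@ -219,11 +217,6 @@
+| DEFAULT_ROLE names TARGET ';'
+{if (define_default_role(DEFAULT_TARGET)) return -1; }
+;
+-default_type_def : DEFAULT_TYPE names SOURCE ';'
+- {if (define_default_type(DEFAULT_SOURCE)) return -1; }
+- | DEFAULT_TYPE names TARGET ';'
+- {if (define_default_type(DEFAULT_TARGET)) return -1; }
+- ;
+default_range_def : DEFAULT_RANGE names SOURCE LOW ';'
+{if (define_default_range(DEFAULT_SOURCE_LOW)) return -1; }
+| DEFAULT_RANGE names SOURCE HIGH ';'
+diff -ur checkpolicy-2.1.12/policy_scan.l checkpolicy-2.1.11/policy_scan.l
+--- checkpolicy-2.1.12/policy_scan.l 2013-03-12 13:35:28.740044379 -0400
++++ checkpolicy-2.1.11/policy_scan.l 2012-09-13 12:29:01.000000000 -0400
+@@ -229,8 +229,6 @@
+DEFAULT_USER { return(DEFAULT_USER); }
+default_role |
+DEFAULT_ROLE { return(DEFAULT_ROLE); }
+-default_type |
+-DEFAULT_TYPE { return(DEFAULT_TYPE); }
+default_range |
+DEFAULT_RANGE { return(DEFAULT_RANGE); }
+low-high |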
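Review bot: The new patch file carries no description above its first `diff` line, so nothing in the file itself says that it removes the `default_type` statement (define_default_type, the DEFAULT_TYPE token, the default_type_def grammar rule and the scanner keywords) that upstream 2.1.12 introduced, or why; `patch` ignores text before the first header, so a preamble such as `Revert upstream's default_type policy syntax from checkpolicy 2.1.12; see checkpolicy.spec %changelog for the reason` costs nothing and should name the actual reason, which this page does not show. The headers are also written with the 2.1.12 tree as the `---` side and the 2.1.11 tree as the `+++` side, i.e. a reverse diff; that applies fine with `-p1` but is easy to misread as a forward port, and the preamble is the place to say so. Note that after this patch a policy source using `default_type` has no matching token, so the word would lex as an IDENTIFIER and the build fails at parse time — presumably intended, but worth stating for anyone debugging a failed policy build against this package.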
|
@ -1,33 +1,13 @@
|
|||
diff --git a/checkpolicy/checkmodule.c b/checkpolicy/checkmodule.c
|
||||
index 47603e0..cb58cf0 100644
|
||||
--- a/checkpolicy/checkmodule.c
|
||||
+++ b/checkpolicy/checkmodule.c
|
||||
@@ -63,10 +63,12 @@ static int read_binary_policy(policydb_t * p, char *file, char *progname)
|
||||
if (fstat(fd, &sb) < 0) {
|
||||
fprintf(stderr, "Can't stat '%s': %s\n",
|
||||
file, strerror(errno));
|
||||
+ close(fd);
|
||||
return -1;
|
||||
}
|
||||
map =
|
||||
mmap(NULL, sb.st_size, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0);
|
||||
+ close(fd);
|
||||
if (map == MAP_FAILED) {
|
||||
fprintf(stderr, "Can't map '%s': %s\n", file, strerror(errno));
|
||||
return -1;
|
||||
diff --git a/checkpolicy/policy_define.c b/checkpolicy/policy_define.c
|
||||
index 8fa3214..2c12447 100644
|
||||
--- a/checkpolicy/policy_define.c
|
||||
+++ b/checkpolicy/policy_define.c
|
||||
@@ -2341,7 +2341,10 @@ int define_role_trans(int class_specified)
|
||||
return -1;
|
||||
}
|
||||
|
||||
- ebitmap_set_bit(&e_classes, cladatum->s.value - 1, TRUE);
|
||||
+ if (ebitmap_set_bit(&e_classes, cladatum->s.value - 1, TRUE)) {
|
||||
+ yyerror("out of memory");
|
||||
+ return -1;
|
||||
+ }
|
||||
}
|
||||
|
||||
id = (char *)queue_remove(id_queue);
|
||||
diff --git a/checkpolicy/policy_scan.l b/checkpolicy/policy_scan.l
|
||||
index bba7667..ab046cc 100644
|
||||
--- a/checkpolicy/policy_scan.l
|
||||
+++ b/checkpolicy/policy_scan.l
|
||||
@@ -240,7 +240,7 @@ HIGH { return(HIGH); }
|
||||
low |
|
||||
LOW { return(LOW); }
|
||||
"/"({alnum}|[_\.\-/])* { return(PATH); }
|
||||
-\"({alnum}|[_\.\-\+\~])+\" { return(FILENAME); }
|
||||
+\"({alnum}|[_\.\-\+\~\: ])+\" { return(FILENAME); }
|
||||
{letter}({alnum}|[_\-])*([\.]?({alnum}|[_\-]))* { return(IDENTIFIER); }
|
||||
{alnum}*{letter}{alnum}* { return(FILESYSTEM); }
|
||||
{digit}+|0x{hexval}+ { return(NUMBER); }
|
||||
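Review bot: The widened FILENAME pattern `\"({alnum}|[_\.\-\+\~\: ])+\"` accepts a quoted name that consists only of spaces and colons (`" "`, `":"`), because nothing in the class requires at least one alphanumeric; if such names are not meaningful for name-based type transitions, require one non-separator character, otherwise add a comment on the rule stating that it is intentionally permissive and that '/' stays excluded (the separate PATH rule above it is the one that admits '/'). This rendering does not show which hunks of checkpolicy-rhat.patch are the removed side versus the new side, so the checkmodule.c `close(fd)` and policy_define.c `ebitmap_set_bit` return-check hunks are not reviewed here as new code; if they are the dropped side, that is consistent with the 2.1.11-1 changelog entries "fd leak reading policy" and "check return code on ebitmap_set_bit" further down the page, but please confirm from the raw diff.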
|
|
|
@ -1,13 +1,14 @@
|
|||
%define libselinuxver 2.1.10-1
|
||||
%define libsepolver 2.1.7-4
|
||||
%define libselinuxver 2.1.11-1
|
||||
%define libsepolver 2.1.8-2
|
||||
Summary: SELinux policy compiler
|
||||
Name: checkpolicy
|
||||
Version: 2.1.10
|
||||
Release: 4%{?dist}
|
||||
Version: 2.1.12
|
||||
Release: 3%{?dist}
|
||||
License: GPLv2
|
||||
Group: Development/System
|
||||
Source: http://www.nsa.gov/selinux/archives/%{name}-%{version}.tgz
|
||||
Patch: checkpolicy-rhat.patch
|
||||
Patch1: checkpolicy-defaulttype.patch
|
||||
|
||||
BuildRoot: %{_tmppath}/%{name}-buildroot
|
||||
BuildRequires: byacc bison flex flex-static libsepol-static >= %{libsepolver} libselinux-devel >= %{libselinuxver}
|
||||
|
@ -29,6 +30,7 @@ Only required for building policies.
|
|||
%prep
|
||||
%setup -q
|
||||
%patch -p2 -b .rhat
|
||||
%patch1 -p1 -b .defaulttype
|
||||
|
||||
%build
|
||||
make clean
|
||||
|
@ -56,6 +58,37 @@ rm -rf ${RPM_BUILD_ROOT}
|
|||
%{_bindir}/sedispol
|
||||
|
||||
%changelog
|
||||
* Tue Mar 19 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.12-3
|
||||
- ":" should be allowed for file trans names
|
||||
|
||||
* Tue Mar 12 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.12-2
|
||||
- Space should be allowed for file trans names
|
||||
|
||||
* Thu Feb 7 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.12-1
|
||||
- Update to upstream
|
||||
* Fix errors found by coverity
|
||||
* implement default type policy syntax
|
||||
* Free allocated memory when clean up / exit.
|
||||
|
||||
* Sat Jan 5 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.11-3
|
||||
- Update to latest patches from eparis/Upstream
|
||||
- checkpolicy: libsepol: implement default type policy syntax
|
||||
-
|
||||
- We currently have a mechanism in which the default user, role, and range
|
||||
- can be picked up from the source or the target object. This implements
|
||||
- the same thing for types. The kernel will override this with type
|
||||
- transition rules and similar. This is just the default if nothing
|
||||
- specific is given.
|
||||
|
||||
|
||||
* Wed Sep 19 2012 Dan Walsh <dwalsh@redhat.com> - 2.1.11-2
|
||||
- Rebuild with fixed libsepol
|
||||
|
||||
* Thu Sep 13 2012 Dan Walsh <dwalsh@redhat.com> - 2.1.11-1
|
||||
- Update to upstream
|
||||
* fd leak reading policy
|
||||
* check return code on ebitmap_set_bit
|
||||
|
||||
* Mon Jul 30 2012 Dan Walsh <dwalsh@redhat.com> - 2.1.10-4
|
||||
- Rebuild to grab latest libsepol
|
||||
|
||||
|
@ -200,7 +233,7 @@ such a rule is added to a conditional.
|
|||
* Wed Dec 8 2010 Dan Walsh <dwalsh@redhat.com> - 2.0.22-2
|
||||
- Rebuild to make sure it will build in Fedora
|
||||
|
||||
* Mon Jun 16 2010 Dan Walsh <dwalsh@redhat.com> - 2.0.22-1
|
||||
* Wed Jun 16 2010 Dan Walsh <dwalsh@redhat.com> - 2.0.22-1
|
||||
- Latest update from NSA
|
||||
* Update checkmodule man page and usage by Daniel Walsh and Steve Lawrence
|
||||
- Allow policy version to be one number
|
||||
|
@ -208,7 +241,7 @@ such a rule is added to a conditional.
|
|||
* Mon May 3 2010 Dan Walsh <dwalsh@redhat.com> - 2.0.21-2
|
||||
- Fix checkmodule man page and usage statements
|
||||
|
||||
* Tue Nov 1 2009 Dan Walsh <dwalsh@redhat.com> - 2.0.21-1
|
||||
* Sun Nov 1 2009 Dan Walsh <dwalsh@redhat.com> - 2.0.21-1
|
||||
- Latest update from NSA
|
||||
* Add support for building Xen policies from Paul Nuzzi.
|
||||
* Add long options to checkpolicy and checkmodule by Guido
|
||||
|
@ -242,12 +275,12 @@ such a rule is added to a conditional.
|
|||
- Latest update from NSA
|
||||
* Update checkpolicy for user and role mapping support from Joshua Brindle.
|
||||
|
||||
* Tue May 2 2008 Dan Walsh <dwalsh@redhat.com> - 2.0.15-1
|
||||
* Fri May 2 2008 Dan Walsh <dwalsh@redhat.com> - 2.0.15-1
|
||||
- Latest update from NSA
|
||||
* Fix for policy module versions that look like IPv4 addresses from Jim Carter.
|
||||
Resolves bug 444451.
|
||||
|
||||
* Tue May 2 2008 Dan Walsh <dwalsh@redhat.com> - 2.0.14-2
|
||||
* Fri May 2 2008 Dan Walsh <dwalsh@redhat.com> - 2.0.14-2
|
||||
- Allow modules with 4 sections or more
|
||||
|
||||
* Thu Mar 27 2008 Dan Walsh <dwalsh@redhat.com> - 2.0.14-1
|
||||
|
@ -297,10 +330,10 @@ such a rule is added to a conditional.
|
|||
* Tue Aug 28 2007 Fedora Release Engineering <rel-eng at fedoraproject dot org> - 2.0.3-3
|
||||
- Rebuild for selinux ppc32 issue.
|
||||
|
||||
* Thu Jun 18 2007 Dan Walsh <dwalsh@redhat.com> - 2.0.3-2
|
||||
* Mon Jun 18 2007 Dan Walsh <dwalsh@redhat.com> - 2.0.3-2
|
||||
- Rebuild with the latest libsepol
|
||||
|
||||
* Thu Jun 17 2007 Dan Walsh <dwalsh@redhat.com> - 2.0.3-1
|
||||
* Sun Jun 17 2007 Dan Walsh <dwalsh@redhat.com> - 2.0.3-1
|
||||
- Latest update from NSA
|
||||
* Merged fix for segfault on duplicate require of sensitivity from Caleb Case.
|
||||
* Merged fix for dead URLs in checkpolicy man pages from Dan Walsh.
|
||||
|
@ -315,7 +348,7 @@ such a rule is added to a conditional.
|
|||
* Wed Mar 28 2007 Dan Walsh <dwalsh@redhat.com> - 2.0.1-2
|
||||
- Rebuild with new libsepol
|
||||
|
||||
* Tue Nov 20 2006 Dan Walsh <dwalsh@redhat.com> - 2.0.1-1
|
||||
* Mon Nov 20 2006 Dan Walsh <dwalsh@redhat.com> - 2.0.1-1
|
||||
- Latest update from NSA
|
||||
* Merged patch to allow dots in class identifiers from Caleb Case.
|
||||
|
||||
|
@ -360,7 +393,7 @@ such a rule is added to a conditional.
|
|||
from Joshua Brindle.
|
||||
* Merged optionals in base take 2 patch set from Joshua Brindle.
|
||||
|
||||
* Wed May 23 2006 Dan Walsh <dwalsh@redhat.com> - 1.30.5-1
|
||||
* Tue May 23 2006 Dan Walsh <dwalsh@redhat.com> - 1.30.5-1
|
||||
- Latest upgrade from NSA
|
||||
* Merged compiler cleanup patch from Karl MacMillan.
|
||||
* Merged fix warnings patch from Karl MacMillan.
|
||||
|
@ -610,7 +643,7 @@ such a rule is added to a conditional.
|
|||
* Added sepol_ prefix to Flask types to avoid namespace
|
||||
collision with libselinux.
|
||||
|
||||
* Fri May 7 2005 Dan Walsh <dwalsh@redhat.com> 1.23-2-1
|
||||
* Sat May 7 2005 Dan Walsh <dwalsh@redhat.com> 1.23-2-1
|
||||
- Update to NSA Release
|
||||
* Merged identifier fix from Joshua Brindle (Tresys).
|
||||
|
||||
|
@ -688,7 +721,7 @@ such a rule is added to a conditional.
|
|||
* Wed Aug 11 2004 Dan Walsh <dwalsh@redhat.com> 1.15.4-1
|
||||
- Latest from NSA
|
||||
|
||||
* Sat Aug 8 2004 Dan Walsh <dwalsh@redhat.com> 1.15.3-1
|
||||
* Sat Aug 7 2004 Dan Walsh <dwalsh@redhat.com> 1.15.3-1
|
||||
- Latest from NSA
|
||||
|
||||
* Wed Aug 4 2004 Dan Walsh <dwalsh@redhat.com> 1.15.2-1
|
||||
|
@ -730,7 +763,7 @@ such a rule is added to a conditional.
|
|||
* Mon Mar 15 2004 Dan Walsh <dwalsh@redhat.com> 1.8-1
|
||||
- Upgrade to the latest from NSA
|
||||
|
||||
* Mon Feb 24 2004 Dan Walsh <dwalsh@redhat.com> 1.6-1
|
||||
* Tue Feb 24 2004 Dan Walsh <dwalsh@redhat.com> 1.6-1
|
||||
- Upgrade to the latest from NSA
|
||||
|
||||
* Fri Feb 13 2004 Elliot Lee <sopwith@redhat.com>
|
||||
|
@ -762,4 +795,3 @@ such a rule is added to a conditional.
|
|||
|
||||
* Mon Jun 2 2003 Dan Walsh <dwalsh@redhat.com> 1.0-1
|
||||
- Initial version
|
||||
|
||||
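Review bot: Patch1 (`checkpolicy-defaulttype.patch`, applied at `%patch1 -p1 -b .defaulttype`) strips the default_type statement from the 2.1.12 sources, yet the 2.1.12-1 changelog entry still advertises `* implement default type policy syntax` and neither the -2 nor the -3 entry mentions the revert, so a reader of the changelog will believe this build accepts default_type when it does not. Add a line under the release that introduced the patch, e.g. `- Add checkpolicy-defaulttype.patch: drop default_type syntax from 2.1.12 (reason: …)`, and fill in the reason — the bump to `%define libsepolver 2.1.8-2` hints at a libsepol dependency, but that is a guess to confirm. Separately, the unchanged `Source:` line fetches the tarball over plain http and the spec lists no signature or checksum companion, so the build's supply-chain integrity rests entirely on the lookaside copy; verifying the tarball against upstream's published hash, or noting where that is done, would close that gap. The two local patches are also applied at different strip depths (`-p2` for the git-style a/checkpolicy/ paths, `-p1` for the checkpolicy-2.1.12/ paths), which is correct as written but will break silently if either patch is regenerated with a different prefix, so a short comment next to the `%patch` lines is worthwhile.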
|
|