re-add Erics patch for filename transitions
Update to upstream * Add new class field in role_transition by Harry Ciao.
This commit is contained in:
Dan Walsh
parent
a3a7288b5c
commit
53af5b6865
|
|
@ -1,7 +1,8 @@
|
|||
diff -up libsepol-2.0.42/include/sepol/policydb/policydb.h.eparis libsepol-2.0.42/include/sepol/policydb/policydb.h
|
||||
--- libsepol-2.0.42/include/sepol/policydb/policydb.h.eparis 2010-12-21 16:41:58.000000000 -0500
|
||||
+++ libsepol-2.0.42/include/sepol/policydb/policydb.h 2011-03-23 14:11:28.432820275 -0400
|
||||
@@ -135,6 +135,16 @@ typedef struct role_allow {
|
||||
diff --git a/libsepol/include/sepol/policydb/policydb.h b/libsepol/include/sepol/policydb/policydb.h
|
||||
index 94b8609..7b23a16 100644
|
||||
--- a/libsepol/include/sepol/policydb/policydb.h
|
||||
+++ b/libsepol/include/sepol/policydb/policydb.h
|
||||
@@ -136,6 +136,16 @@ typedef struct role_allow {
|
||||
struct role_allow *next;
|
||||
} role_allow_t;
|
||||
|
||||
|
|
@ -18,7 +19,7 @@ diff -up libsepol-2.0.42/include/sepol/policydb/policydb.h.eparis libsepol-2.0.4
|
|||
/* Type attributes */
|
||||
typedef struct type_datum {
|
||||
symtab_datum_t s;
|
||||
@@ -245,6 +255,15 @@ typedef struct role_allow_rule {
|
||||
@@ -247,6 +257,15 @@ typedef struct role_allow_rule {
|
||||
struct role_allow_rule *next;
|
||||
} role_allow_rule_t;
|
||||
|
||||
|
|
@ -34,7 +35,7 @@ diff -up libsepol-2.0.42/include/sepol/policydb/policydb.h.eparis libsepol-2.0.4
|
|||
typedef struct range_trans_rule {
|
||||
type_set_t stypes;
|
||||
type_set_t ttypes;
|
||||
@@ -374,6 +393,9 @@ typedef struct avrule_decl {
|
||||
@@ -376,6 +395,9 @@ typedef struct avrule_decl {
|
||||
scope_index_t required; /* symbols needed to activate this block */
|
||||
scope_index_t declared; /* symbols declared within this block */
|
||||
|
||||
|
|
@ -44,7 +45,7 @@ diff -up libsepol-2.0.42/include/sepol/policydb/policydb.h.eparis libsepol-2.0.4
|
|||
/* for additive statements (type attribute, roles, and users) */
|
||||
symtab_t symtab[SYM_NUM];
|
||||
|
||||
@@ -484,6 +506,9 @@ typedef struct policydb {
|
||||
@@ -486,6 +508,9 @@ typedef struct policydb {
|
||||
/* role transitions */
|
||||
role_trans_t *role_tr;
|
||||
|
||||
|
|
@ -54,7 +55,7 @@ diff -up libsepol-2.0.42/include/sepol/policydb/policydb.h.eparis libsepol-2.0.4
|
|||
/* role allows */
|
||||
role_allow_t *role_allow;
|
||||
|
||||
@@ -562,6 +587,8 @@ extern void avrule_destroy(avrule_t * x)
|
||||
@@ -564,6 +589,8 @@ extern void avrule_destroy(avrule_t * x);
|
||||
extern void avrule_list_destroy(avrule_t * x);
|
||||
extern void role_trans_rule_init(role_trans_rule_t * x);
|
||||
extern void role_trans_rule_list_destroy(role_trans_rule_t * x);
|
||||
|
|
@ -63,35 +64,36 @@ diff -up libsepol-2.0.42/include/sepol/policydb/policydb.h.eparis libsepol-2.0.4
|
|||
|
||||
extern void role_datum_init(role_datum_t * x);
|
||||
extern void role_datum_destroy(role_datum_t * x);
|
||||
@@ -630,10 +657,11 @@ extern int policydb_set_target_platform(
|
||||
#define POLICYDB_VERSION_POLCAP 22
|
||||
@@ -633,10 +660,11 @@ extern int policydb_set_target_platform(policydb_t *p, int platform);
|
||||
#define POLICYDB_VERSION_PERMISSIVE 23
|
||||
#define POLICYDB_VERSION_BOUNDARY 24
|
||||
+#define POLICYDB_VERSION_FILENAME_TRANS 25
|
||||
#define POLICYDB_VERSION_ROLETRANS 26
|
||||
+#define POLICYDB_VERSION_FILENAME_TRANS 27
|
||||
|
||||
/* Range of policy versions we understand*/
|
||||
#define POLICYDB_VERSION_MIN POLICYDB_VERSION_BASE
|
||||
-#define POLICYDB_VERSION_MAX POLICYDB_VERSION_BOUNDARY
|
||||
-#define POLICYDB_VERSION_MAX POLICYDB_VERSION_ROLETRANS
|
||||
+#define POLICYDB_VERSION_MAX POLICYDB_VERSION_FILENAME_TRANS
|
||||
|
||||
/* Module versions and specific changes*/
|
||||
#define MOD_POLICYDB_VERSION_BASE 4
|
||||
@@ -645,9 +673,10 @@ extern int policydb_set_target_platform(
|
||||
#define MOD_POLICYDB_VERSION_PERMISSIVE 8
|
||||
@@ -649,9 +677,10 @@ extern int policydb_set_target_platform(policydb_t *p, int platform);
|
||||
#define MOD_POLICYDB_VERSION_BOUNDARY 9
|
||||
#define MOD_POLICYDB_VERSION_BOUNDARY_ALIAS 10
|
||||
+#define MOD_POLICYDB_VERSION_FILENAME_TRANS 11
|
||||
#define MOD_POLICYDB_VERSION_ROLETRANS 12
|
||||
+#define MOD_POLICYDB_VERSION_FILENAME_TRANS 13
|
||||
|
||||
#define MOD_POLICYDB_VERSION_MIN MOD_POLICYDB_VERSION_BASE
|
||||
-#define MOD_POLICYDB_VERSION_MAX MOD_POLICYDB_VERSION_BOUNDARY_ALIAS
|
||||
-#define MOD_POLICYDB_VERSION_MAX MOD_POLICYDB_VERSION_ROLETRANS
|
||||
+#define MOD_POLICYDB_VERSION_MAX MOD_POLICYDB_VERSION_FILENAME_TRANS
|
||||
|
||||
#define POLICYDB_CONFIG_MLS 1
|
||||
|
||||
diff -up libsepol-2.0.42/src/avrule_block.c.eparis libsepol-2.0.42/src/avrule_block.c
|
||||
--- libsepol-2.0.42/src/avrule_block.c.eparis 2010-12-21 16:41:58.000000000 -0500
|
||||
+++ libsepol-2.0.42/src/avrule_block.c 2011-03-23 12:15:48.241980087 -0400
|
||||
@@ -98,6 +98,7 @@ void avrule_decl_destroy(avrule_decl_t *
|
||||
diff --git a/libsepol/src/avrule_block.c b/libsepol/src/avrule_block.c
|
||||
index 8d1f8f6..16c89f3 100644
|
||||
--- a/libsepol/src/avrule_block.c
|
||||
+++ b/libsepol/src/avrule_block.c
|
||||
@@ -98,6 +98,7 @@ void avrule_decl_destroy(avrule_decl_t * x)
|
||||
cond_list_destroy(x->cond_list);
|
||||
avrule_list_destroy(x->avrules);
|
||||
role_trans_rule_list_destroy(x->role_tr_rules);
|
||||
|
|
@ -99,10 +101,11 @@ diff -up libsepol-2.0.42/src/avrule_block.c.eparis libsepol-2.0.42/src/avrule_bl
|
|||
role_allow_rule_list_destroy(x->role_allow_rules);
|
||||
range_trans_rule_list_destroy(x->range_tr_rules);
|
||||
scope_index_destroy(&x->required);
|
||||
diff -up libsepol-2.0.42/src/expand.c.eparis libsepol-2.0.42/src/expand.c
|
||||
--- libsepol-2.0.42/src/expand.c.eparis 2010-12-21 16:41:58.000000000 -0500
|
||||
+++ libsepol-2.0.42/src/expand.c 2011-03-23 12:15:48.242980223 -0400
|
||||
@@ -1231,6 +1231,101 @@ static int copy_role_trans(expand_state_
|
||||
diff --git a/libsepol/src/expand.c b/libsepol/src/expand.c
|
||||
index 8539f88..b1af365 100644
|
||||
--- a/libsepol/src/expand.c
|
||||
+++ b/libsepol/src/expand.c
|
||||
@@ -1237,6 +1237,101 @@ static int copy_role_trans(expand_state_t * state, role_trans_rule_t * rules)
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
|
@ -204,7 +207,7 @@ diff -up libsepol-2.0.42/src/expand.c.eparis libsepol-2.0.42/src/expand.c
|
|||
static int exp_rangetr_helper(uint32_t stype, uint32_t ttype, uint32_t tclass,
|
||||
mls_semantic_range_t * trange,
|
||||
expand_state_t * state)
|
||||
@@ -2374,6 +2469,9 @@ static int copy_and_expand_avrule_block(
|
||||
@@ -2380,6 +2475,9 @@ static int copy_and_expand_avrule_block(expand_state_t * state)
|
||||
goto cleanup;
|
||||
}
|
||||
|
||||
|
|
@ -214,10 +217,11 @@ diff -up libsepol-2.0.42/src/expand.c.eparis libsepol-2.0.42/src/expand.c
|
|||
/* expand the range transition rules */
|
||||
if (expand_range_trans(state, decl->range_tr_rules))
|
||||
goto cleanup;
|
||||
diff -up libsepol-2.0.42/src/link.c.eparis libsepol-2.0.42/src/link.c
|
||||
--- libsepol-2.0.42/src/link.c.eparis 2010-12-21 16:41:58.000000000 -0500
|
||||
+++ libsepol-2.0.42/src/link.c 2011-03-23 12:15:48.243980361 -0400
|
||||
@@ -1326,6 +1326,50 @@ static int copy_role_allow_list(role_all
|
||||
diff --git a/libsepol/src/link.c b/libsepol/src/link.c
|
||||
index e33db0f..23dbb1b 100644
|
||||
--- a/libsepol/src/link.c
|
||||
+++ b/libsepol/src/link.c
|
||||
@@ -1340,6 +1340,50 @@ static int copy_role_allow_list(role_allow_rule_t * list,
|
||||
return -1;
|
||||
}
|
||||
|
||||
|
|
@ -268,7 +272,7 @@ diff -up libsepol-2.0.42/src/link.c.eparis libsepol-2.0.42/src/link.c
|
|||
static int copy_range_trans_list(range_trans_rule_t * rules,
|
||||
range_trans_rule_t ** dst,
|
||||
policy_module_t * mod, link_state_t * state)
|
||||
@@ -1568,6 +1612,11 @@ static int copy_avrule_decl(link_state_t
|
||||
@@ -1582,6 +1626,11 @@ static int copy_avrule_decl(link_state_t * state, policy_module_t * module,
|
||||
return -1;
|
||||
}
|
||||
|
||||
|
|
@ -280,10 +284,11 @@ diff -up libsepol-2.0.42/src/link.c.eparis libsepol-2.0.42/src/link.c
|
|||
if (copy_range_trans_list(src_decl->range_tr_rules,
|
||||
&dest_decl->range_tr_rules, module, state))
|
||||
return -1;
|
||||
diff -up libsepol-2.0.42/src/policydb.c.eparis libsepol-2.0.42/src/policydb.c
|
||||
--- libsepol-2.0.42/src/policydb.c.eparis 2010-12-21 16:41:58.000000000 -0500
|
||||
+++ libsepol-2.0.42/src/policydb.c 2011-03-23 12:15:48.244980498 -0400
|
||||
@@ -136,6 +136,13 @@ static struct policydb_compat_info polic
|
||||
diff --git a/libsepol/src/policydb.c b/libsepol/src/policydb.c
|
||||
index bbf3c88..d7be9fc 100644
|
||||
--- a/libsepol/src/policydb.c
|
||||
+++ b/libsepol/src/policydb.c
|
||||
@@ -143,6 +143,13 @@ static struct policydb_compat_info policydb_compat[] = {
|
||||
.ocon_num = OCON_NODE6 + 1,
|
||||
.target_platform = SEPOL_TARGET_SELINUX,
|
||||
},
|
||||
|
|
@ -297,7 +302,7 @@ diff -up libsepol-2.0.42/src/policydb.c.eparis libsepol-2.0.42/src/policydb.c
|
|||
{
|
||||
.type = POLICY_BASE,
|
||||
.version = MOD_POLICYDB_VERSION_BASE,
|
||||
@@ -186,6 +193,13 @@ static struct policydb_compat_info polic
|
||||
@@ -200,6 +207,13 @@ static struct policydb_compat_info policydb_compat[] = {
|
||||
.target_platform = SEPOL_TARGET_SELINUX,
|
||||
},
|
||||
{
|
||||
|
|
@ -311,7 +316,7 @@ diff -up libsepol-2.0.42/src/policydb.c.eparis libsepol-2.0.42/src/policydb.c
|
|||
.type = POLICY_MOD,
|
||||
.version = MOD_POLICYDB_VERSION_BASE,
|
||||
.sym_num = SYM_NUM,
|
||||
@@ -234,6 +248,13 @@ static struct policydb_compat_info polic
|
||||
@@ -255,6 +269,13 @@ static struct policydb_compat_info policydb_compat[] = {
|
||||
.ocon_num = 0,
|
||||
.target_platform = SEPOL_TARGET_SELINUX,
|
||||
},
|
||||
|
|
@ -325,7 +330,7 @@ diff -up libsepol-2.0.42/src/policydb.c.eparis libsepol-2.0.42/src/policydb.c
|
|||
};
|
||||
|
||||
#if 0
|
||||
@@ -433,6 +454,33 @@ void role_trans_rule_list_destroy(role_t
|
||||
@@ -456,6 +477,33 @@ void role_trans_rule_list_destroy(role_trans_rule_t * x)
|
||||
}
|
||||
}
|
||||
|
||||
|
|
@ -359,7 +364,7 @@ diff -up libsepol-2.0.42/src/policydb.c.eparis libsepol-2.0.42/src/policydb.c
|
|||
void role_allow_rule_init(role_allow_rule_t * x)
|
||||
{
|
||||
memset(x, 0, sizeof(role_allow_rule_t));
|
||||
@@ -1112,6 +1160,7 @@ void policydb_destroy(policydb_t * p)
|
||||
@@ -1135,6 +1183,7 @@ void policydb_destroy(policydb_t * p)
|
||||
role_allow_t *ra, *lra = NULL;
|
||||
role_trans_t *tr, *ltr = NULL;
|
||||
range_trans_t *rt, *lrt = NULL;
|
||||
|
|
@ -367,7 +372,7 @@ diff -up libsepol-2.0.42/src/policydb.c.eparis libsepol-2.0.42/src/policydb.c
|
|||
|
||||
if (!p)
|
||||
return;
|
||||
@@ -1177,6 +1226,14 @@ void policydb_destroy(policydb_t * p)
|
||||
@@ -1200,6 +1249,14 @@ void policydb_destroy(policydb_t * p)
|
||||
if (ltr)
|
||||
free(ltr);
|
||||
|
||||
|
|
@ -382,7 +387,7 @@ diff -up libsepol-2.0.42/src/policydb.c.eparis libsepol-2.0.42/src/policydb.c
|
|||
for (ra = p->role_allow; ra; ra = ra->next) {
|
||||
if (lra)
|
||||
free(lra);
|
||||
@@ -2168,6 +2225,55 @@ int role_allow_read(role_allow_t ** r, s
|
||||
@@ -2201,6 +2258,55 @@ int role_allow_read(role_allow_t ** r, struct policy_file *fp)
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
|
@ -438,7 +443,7 @@ diff -up libsepol-2.0.42/src/policydb.c.eparis libsepol-2.0.42/src/policydb.c
|
|||
static int ocontext_read_xen(struct policydb_compat_info *info,
|
||||
policydb_t *p, struct policy_file *fp)
|
||||
{
|
||||
@@ -2971,6 +3077,62 @@ static int role_allow_rule_read(role_all
|
||||
@@ -3007,6 +3113,62 @@ static int role_allow_rule_read(role_allow_rule_t ** r, struct policy_file *fp)
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
|
@ -501,7 +506,7 @@ diff -up libsepol-2.0.42/src/policydb.c.eparis libsepol-2.0.42/src/policydb.c
|
|||
static int range_trans_rule_read(range_trans_rule_t ** r,
|
||||
struct policy_file *fp)
|
||||
{
|
||||
@@ -3064,6 +3226,11 @@ static int avrule_decl_read(policydb_t *
|
||||
@@ -3100,6 +3262,11 @@ static int avrule_decl_read(policydb_t * p, avrule_decl_t * decl,
|
||||
role_allow_rule_read(&decl->role_allow_rules, fp) == -1) {
|
||||
return -1;
|
||||
}
|
||||
|
|
@ -513,7 +518,7 @@ diff -up libsepol-2.0.42/src/policydb.c.eparis libsepol-2.0.42/src/policydb.c
|
|||
if (p->policyvers >= MOD_POLICYDB_VERSION_RANGETRANS &&
|
||||
range_trans_rule_read(&decl->range_tr_rules, fp) == -1) {
|
||||
return -1;
|
||||
@@ -3455,6 +3622,9 @@ int policydb_read(policydb_t * p, struct
|
||||
@@ -3491,6 +3658,9 @@ int policydb_read(policydb_t * p, struct policy_file *fp, unsigned verbose)
|
||||
goto bad;
|
||||
if (role_allow_read(&p->role_allow, fp))
|
||||
goto bad;
|
||||
|
|
@ -523,10 +528,11 @@ diff -up libsepol-2.0.42/src/policydb.c.eparis libsepol-2.0.42/src/policydb.c
|
|||
} else {
|
||||
/* first read the AV rule blocks, then the scope tables */
|
||||
avrule_block_destroy(p->global);
|
||||
diff -up libsepol-2.0.42/src/write.c.eparis libsepol-2.0.42/src/write.c
|
||||
--- libsepol-2.0.42/src/write.c.eparis 2010-12-21 16:41:58.000000000 -0500
|
||||
+++ libsepol-2.0.42/src/write.c 2011-03-23 12:15:48.245980639 -0400
|
||||
@@ -510,6 +510,42 @@ static int role_allow_write(role_allow_t
|
||||
diff --git a/libsepol/src/write.c b/libsepol/src/write.c
|
||||
index f9d59b6..c4f5035 100644
|
||||
--- a/libsepol/src/write.c
|
||||
+++ b/libsepol/src/write.c
|
||||
@@ -528,6 +528,42 @@ static int role_allow_write(role_allow_t * r, struct policy_file *fp)
|
||||
return POLICYDB_SUCCESS;
|
||||
}
|
||||
|
||||
|
|
@ -569,7 +575,7 @@ diff -up libsepol-2.0.42/src/write.c.eparis libsepol-2.0.42/src/write.c
|
|||
static int role_set_write(role_set_t * x, struct policy_file *fp)
|
||||
{
|
||||
size_t items;
|
||||
@@ -1476,6 +1512,47 @@ static int role_allow_rule_write(role_al
|
||||
@@ -1496,6 +1532,47 @@ static int role_allow_rule_write(role_allow_rule_t * r, struct policy_file *fp)
|
||||
return POLICYDB_SUCCESS;
|
||||
}
|
||||
|
||||
|
|
@ -617,7 +623,7 @@ diff -up libsepol-2.0.42/src/write.c.eparis libsepol-2.0.42/src/write.c
|
|||
static int range_trans_rule_write(range_trans_rule_t * t,
|
||||
struct policy_file *fp)
|
||||
{
|
||||
@@ -1543,6 +1620,11 @@ static int avrule_decl_write(avrule_decl
|
||||
@@ -1563,6 +1640,11 @@ static int avrule_decl_write(avrule_decl_t * decl, int num_scope_syms,
|
||||
role_allow_rule_write(decl->role_allow_rules, fp) == -1) {
|
||||
return POLICYDB_ERROR;
|
||||
}
|
||||
|
|
@ -629,7 +635,7 @@ diff -up libsepol-2.0.42/src/write.c.eparis libsepol-2.0.42/src/write.c
|
|||
if (p->policyvers >= MOD_POLICYDB_VERSION_RANGETRANS &&
|
||||
range_trans_rule_write(decl->range_tr_rules, fp) == -1) {
|
||||
return POLICYDB_ERROR;
|
||||
@@ -1819,6 +1901,9 @@ int policydb_write(policydb_t * p, struc
|
||||
@@ -1839,6 +1921,9 @@ int policydb_write(policydb_t * p, struct policy_file *fp)
|
||||
return POLICYDB_ERROR;
|
||||
if (role_allow_write(p->role_allow, fp))
|
||||
return POLICYDB_ERROR;
|
||||
|
|
@ -639,6 +645,3 @@ diff -up libsepol-2.0.42/src/write.c.eparis libsepol-2.0.42/src/write.c
|
|||
} else {
|
||||
if (avrule_block_write(p->global, num_syms, p, fp) == -1) {
|
||||
return POLICYDB_ERROR;
|
||||
|
||||
|
||||
|
||||
|
|
|
|||
|
|
@ -1,10 +1,11 @@
|
|||
Summary: SELinux binary policy manipulation library
|
||||
Name: libsepol
|
||||
Version: 2.0.43
|
||||
Release: 1%{?dist}
|
||||
Release: 2%{?dist}
|
||||
License: LGPLv2+
|
||||
Group: System Environment/Libraries
|
||||
Source: http://www.nsa.gov/selinux/archives/libsepol-%{version}.tgz
|
||||
Patch: libsepol-rhat.patch
|
||||
URL: http://www.selinuxproject.org
|
||||
|
||||
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
|
||||
|
|
@ -45,6 +46,7 @@ needed for developing applications that manipulate binary policies.
|
|||
|
||||
%prep
|
||||
%setup -q
|
||||
%patch -p2 -b .rhat
|
||||
# sparc64 is an -fPIC arch, so we need to fix it here
|
||||
%ifarch sparc64
|
||||
sed -i 's/fpic/fPIC/g' src/Makefile
|
||||
|
|
@ -97,14 +99,12 @@ exit 0
|
|||
/%{_lib}/libsepol.so.1
|
||||
|
||||
%changelog
|
||||
* Tue Apr 29 2011 Dan Walsh <dwalsh@redhat.com> 2.0.43-2
|
||||
- re-add Erics patch for filename transitions
|
||||
|
||||
* Tue Apr 29 2011 Dan Walsh <dwalsh@redhat.com> 2.0.43-1
|
||||
* Give correct names to mount points in load_policy by Dan Walsh.
|
||||
* Make sure selinux state is reported correctly if selinux is disabled or
|
||||
fails to load by Dan Walsh.
|
||||
* Fix crash if selinux_key_create was never called by Dan Walsh.
|
||||
* Add new file_context.subs_dist for distro specific filecon substitutions
|
||||
by Dan Walsh.
|
||||
* Update man pages for selinux_color_* functions by Richard Haines.
|
||||
-Update to upstream
|
||||
* Add new class field in role_transition by Harry Ciao.
|
||||
|
||||
* Tue Mar 29 2011 Dan Walsh <dwalsh@redhat.com> 2.0.42-3
|
||||
- Apply Eparis Patch
|
||||
|
|
@ -115,7 +115,6 @@ the number of rules grows to an significant size I will likely choose to
|
|||
store these in a hash, both in libsepol and in the kernel. But as long
|
||||
as the number of such rules stays small, this should be good.
|
||||
|
||||
|
||||
* Tue Feb 08 2011 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.0.42-2
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue