The filename_trans code had a bug where duplicate detection was being
done between the unmapped type value of a new rule and the type value of rules already in policy. This meant that duplicates were not being silently dropped and were instead outputting a message that there was a problem. It made things hard because the message WAS using the mapped type to convert to the string representation, so it didn't look like a dup!
This commit is contained in:
parent
c6364af8db
commit
5f22c47a3a
2
.gitignore
vendored
2
.gitignore
vendored
@ -154,3 +154,5 @@ libsepol-2.0.41.tgz
|
|||||||
/libsepol-2.0.45.tgz
|
/libsepol-2.0.45.tgz
|
||||||
/libsepol-2.1.0.tgz
|
/libsepol-2.1.0.tgz
|
||||||
/libsepol-2.1.1.tgz
|
/libsepol-2.1.1.tgz
|
||||||
|
/libsepol-2.1.2.tgz
|
||||||
|
/libsepol-2.1.3.tgz
|
||||||
|
@ -1,36 +1,49 @@
|
|||||||
diff --git a/libsepol/src/expand.c b/libsepol/src/expand.c
|
diff --git a/libsepol/src/expand.c b/libsepol/src/expand.c
|
||||||
index b42acbe..cc700ab 100644
|
index 2861776..493e478 100644
|
||||||
--- a/libsepol/src/expand.c
|
--- a/libsepol/src/expand.c
|
||||||
+++ b/libsepol/src/expand.c
|
+++ b/libsepol/src/expand.c
|
||||||
@@ -1249,23 +1249,26 @@ static int copy_role_trans(expand_state_t * state, role_trans_rule_t * rules)
|
@@ -1329,6 +1329,8 @@ static int expand_filename_trans(expand_state_t *state, filename_trans_rule_t *r
|
||||||
|
|
||||||
cur_trans = state->out->role_tr;
|
cur_rule = rules;
|
||||||
while (cur_trans) {
|
while (cur_rule) {
|
||||||
+ unsigned int mapped_role;
|
+ uint32_t mapped_otype;
|
||||||
+
|
+
|
||||||
+ mapped_role = state->rolemap[cur->new_role - 1];
|
ebitmap_init(&stypes);
|
||||||
|
ebitmap_init(&ttypes);
|
||||||
|
|
||||||
|
@@ -1344,6 +1346,8 @@ static int expand_filename_trans(expand_state_t *state, filename_trans_rule_t *r
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
|
||||||
|
+ mapped_otype = state->typemap[cur_rule->otype - 1];
|
||||||
+
|
+
|
||||||
if ((cur_trans->role ==
|
ebitmap_for_each_bit(&stypes, snode, i) {
|
||||||
i + 1) &&
|
if (!ebitmap_node_get_bit(snode, i))
|
||||||
(cur_trans->type ==
|
continue;
|
||||||
j + 1) &&
|
@@ -1358,7 +1362,7 @@ static int expand_filename_trans(expand_state_t *state, filename_trans_rule_t *r
|
||||||
(cur_trans->tclass ==
|
(cur_trans->tclass == cur_rule->tclass) &&
|
||||||
k + 1)) {
|
(!strcmp(cur_trans->name, cur_rule->name))) {
|
||||||
- if (cur_trans->
|
/* duplicate rule, who cares */
|
||||||
- new_role ==
|
- if (cur_trans->otype == cur_rule->otype)
|
||||||
- cur->new_role) {
|
+ if (cur_trans->otype == mapped_otype)
|
||||||
+ if (cur_trans->new_role == mapped_role) {
|
break;
|
||||||
break;
|
|
||||||
} else {
|
ERR(state->handle, "Conflicting filename trans rules %s %s %s : %s otype1:%s otype2:%s",
|
||||||
ERR(state->handle,
|
@@ -1367,7 +1371,7 @@ static int expand_filename_trans(expand_state_t *state, filename_trans_rule_t *r
|
||||||
- "Conflicting role trans rule %s %s : %s %s",
|
state->out->p_type_val_to_name[j],
|
||||||
+ "Conflicting role trans rule %s %s : %s { %s vs %s }",
|
state->out->p_class_val_to_name[cur_trans->tclass - 1],
|
||||||
state->out->p_role_val_to_name[i],
|
state->out->p_type_val_to_name[cur_trans->otype - 1],
|
||||||
state->out->p_type_val_to_name[j],
|
- state->out->p_type_val_to_name[state->typemap[cur_rule->otype - 1] - 1]);
|
||||||
state->out->p_class_val_to_name[k],
|
+ state->out->p_type_val_to_name[mapped_otype - 1]);
|
||||||
- state->out->p_role_val_to_name[cur->new_role - 1]);
|
|
||||||
+ state->out->p_role_val_to_name[mapped_role],
|
return -1;
|
||||||
+ state->out->p_role_val_to_name[cur_trans->new_role - 1]);
|
}
|
||||||
return -1;
|
@@ -1397,7 +1401,7 @@ static int expand_filename_trans(expand_state_t *state, filename_trans_rule_t *r
|
||||||
}
|
new_trans->stype = i + 1;
|
||||||
}
|
new_trans->ttype = j + 1;
|
||||||
|
new_trans->tclass = cur_rule->tclass;
|
||||||
|
- new_trans->otype = state->typemap[cur_rule->otype - 1];
|
||||||
|
+ new_trans->otype = mapped_otype;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
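Review bot: The `/* duplicate rule, who cares */` comment above the rewritten `if (cur_trans->otype == mapped_otype)` in the `@@ -1358,7 +1362,7 @@` hunk should say why the comparison is against the mapped value, since comparing the unmapped `cur_rule->otype` is exactly the bug this patch fixes and nothing in the code now prevents that regression; I would replace it with `/* same otype after typemap translation: duplicate of an existing rule, drop silently */`. The new `mapped_otype = state->typemap[cur_rule->otype - 1];` in the `@@ -1344,6 +1346,8 @@` hunk is used unchecked; if the typemap can hold 0 for a type that was not mapped (cannot be confirmed from this hunk), `mapped_otype - 1` in the ERR arguments would index `p_type_val_to_name` with a wrapped uint32_t, so a guard such as `if (!mapped_otype) { ERR(...); return -1; }` before the loop would be safer. The enclosing expand_filename_trans begins and ends outside the hunk.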
@ -1,12 +1,12 @@
|
|||||||
Summary: SELinux binary policy manipulation library
|
Summary: SELinux binary policy manipulation library
|
||||||
Name: libsepol
|
Name: libsepol
|
||||||
Version: 2.1.1
|
Version: 2.1.3
|
||||||
Release: 1%{?dist}
|
Release: 2%{?dist}
|
||||||
License: LGPLv2+
|
License: LGPLv2+
|
||||||
Group: System Environment/Libraries
|
Group: System Environment/Libraries
|
||||||
Source: http://www.nsa.gov/selinux/archives/libsepol-%{version}.tgz
|
Source: http://www.nsa.gov/selinux/archives/libsepol-%{version}.tgz
|
||||||
|
Patch: libsepol-rhat.patch
|
||||||
URL: http://www.selinuxproject.org
|
URL: http://www.selinuxproject.org
|
||||||
patch: libsepol-rhat.patch
|
|
||||||
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
|
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
|
||||||
|
|
||||||
%description
|
%description
|
||||||
@ -46,6 +46,7 @@ needed for developing applications that manipulate binary policies.
|
|||||||
%prep
|
%prep
|
||||||
%setup -q
|
%setup -q
|
||||||
%patch -p2 -b .rhat
|
%patch -p2 -b .rhat
|
||||||
|
|
||||||
# sparc64 is an -fPIC arch, so we need to fix it here
|
# sparc64 is an -fPIC arch, so we need to fix it here
|
||||||
%ifarch sparc64
|
%ifarch sparc64
|
||||||
sed -i 's/fpic/fPIC/g' src/Makefile
|
sed -i 's/fpic/fPIC/g' src/Makefile
|
||||||
@ -98,6 +99,40 @@ exit 0
|
|||||||
/%{_lib}/libsepol.so.1
|
/%{_lib}/libsepol.so.1
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Mon Oct 31 2011 Dan Walsh <dwalsh@redhat.com> - 2.1.3-2
|
||||||
|
-The filename_trans code had a bug where duplicate detection was being
|
||||||
|
done between the unmapped type value of a new rule and the type value of
|
||||||
|
rules already in policy. This meant that duplicates were not being
|
||||||
|
silently dropped and were instead outputting a message that there was a
|
||||||
|
problem. It made things hard because the message WAS using the mapped
|
||||||
|
type to convert to the string representation, so it didn't look like a
|
||||||
|
dup!
|
||||||
|
|
||||||
|
* Mon Sep 19 2011 Dan Walsh <dwalsh@redhat.com> - 2.1.3-1
|
||||||
|
-Update to upstream
|
||||||
|
* Skip writing role attributes for policy.X and
|
||||||
|
* Indicate when boolean is indeed a tunable.
|
||||||
|
* Separate tunable from boolean during compile.
|
||||||
|
* Write and read TUNABLE flags in related
|
||||||
|
* Copy and check the cond_bool_datum_t.flags during link.
|
||||||
|
* Permanently discard disabled branches of tunables in
|
||||||
|
* Skip tunable identifier and cond_node_t in expansion.
|
||||||
|
* Create a new preserve_tunables flag
|
||||||
|
* Preserve tunables when required by semodule program.
|
||||||
|
* setools expects expand_module_avrules to be an exported
|
||||||
|
* tree: default make target to all not
|
||||||
|
|
||||||
|
* Thu Sep 14 2011 Dan Walsh <dwalsh@redhat.com> - 2.1.2-3
|
||||||
|
- Add patch to handle preserving tunables
|
||||||
|
|
||||||
|
* Thu Sep 1 2011 Dan Walsh <dwalsh@redhat.com> - 2.1.2-2
|
||||||
|
- export expand_module_avrules
|
||||||
|
|
||||||
|
* Thu Aug 18 2011 Dan Walsh <dwalsh@redhat.com> - 2.1.2-0
|
||||||
|
- Update to upstream
|
||||||
|
* Only call role_fix_callback for base.p_roles during expansion.
|
||||||
|
* use mapped role number instead of module role number
|
||||||
|
|
||||||
* Mon Aug 1 2011 Dan Walsh <dwalsh@redhat.com> 2.1.1-1
|
* Mon Aug 1 2011 Dan Walsh <dwalsh@redhat.com> 2.1.1-1
|
||||||
- Update to upstream
|
- Update to upstream
|
||||||
* Minor fix to reading policy with filename transition rules
|
* Minor fix to reading policy with filename transition rules
|
||||||
|