Update Richard Haines patch to show constraint information

2012-11-27 16:31:35 -05:00 · 2012-11-27 16:31:35 -05:00 · a3698bbb34
parent 0557b38137
commit a3698bbb34
2 changed files with 257 additions and 281 deletions
--- a/libsepol-rhat.patch
+++ b/libsepol-rhat.patch
@ -307,10 +307,24 @@ index 43a71a7..7615a9b 100644
 	NULL
 };
 diff --git a/libsepol/src/services.c b/libsepol/src/services.c
-index 9c2920c..04f9978 100644
+index 9c2920c..096c28e 100644
 --- a/libsepol/src/services.c
 +++ b/libsepol/src/services.c
-@@ -54,6 +54,7 @@
+@@ -1,4 +1,3 @@
 -
 /*
  * Author : Stephen Smalley, <sds@epoch.ncsc.mil> 
  */
@@ -43,6 +42,8 @@
  * Implementation of the security services.
  */
 +#define REASON_BUF_SIZE 100000
 +
 #include <stdlib.h>
 #include <sys/types.h>
 #include <sys/socket.h>
@@ -54,6 +55,7 @@
 #include <sepol/policydb/services.h>
 #include <sepol/policydb/conditional.h>
 #include <sepol/policydb/flask.h>
@ -318,7 +332,7 @@ index 9c2920c..04f9978 100644
 #include "debug.h"
 #include "private.h"
-@@ -112,20 +113,208 @@ int sepol_set_policydb_from_file(FILE * fp)
+@@ -112,20 +114,223 @@ int sepol_set_policydb_from_file(FILE * fp)
 static uint32_t latest_granting = 0;
 /*
@ -333,7 +347,9 @@ index 9c2920c..04f9978 100644
 + * then the attributes associated to them (also count these). When
 + * complete take the list of attributes and find those whose count
 + * matches the number of types. The attributes in the final list will be
-+ * one of those that needs to has the type added (but which one !!!).
+ * the ones that need to have the type added to give access should this
 + * part of the expression fail (but which one - currently the only way
 + * is to check the policy source).
 + *
 + * The best way to solve this is for the compilers (checkpolicy and
 + * checkmodule) to add attributes to the constraint_expr_t structure
@ -349,31 +365,34 @@ index 9c2920c..04f9978 100644
 +int get_names_list(const ebitmap_t * e, int type, char ** expr_buf)
 +{
 +	type_datum_t *t1 = NULL;
 +	ebitmap_t *attr;
 +
-+#define MAX_ATTRS 300
+#define MAX_ATTRS 400
 +	/* Hold the type attribute names and count of instances */
 +	struct attr_entries {
 +		unsigned int entry;
 +		int count;
 +	} attr_info[MAX_ATTRS];
 +
-+	int struct_count = 0;
+	/* Various counters */
-+	int x;
+	int x, rc = 0;
 +	unsigned int i, z;
 +
-+	int rc = 0;
+	/*
-+	unsigned int i;
+	 * If an attribute is found in ->names then set to 1. Note this
-+	int entry_count = 0;
+	 * will only happen with the CIL compiler 30-Mar-2012 version) and
 +	 * is an error but we process anyway.
 +	 */
 +	int is_attr = 0;
 +
 +	char tmp_buf[100];
-+	/* if empty_set is 0, then <empty_set> */
+	/* if ->names is 0, then output string <empty_set> */
 +	int empty_set = 0;
 +
-+	ebitmap_t *attr;
+	/* The number of types in ->names */
 +	unsigned int j;
 +
 +	int type_count = 0;
 +
 +	/* If no buffer set then just return. */
 +	if (!*expr_buf)
 +		return 0;
 +
@ -384,15 +403,19 @@ index 9c2920c..04f9978 100644
 +
 +	/* For type entries find how many entries so we can check attributes */
 +	if (type == CEXPR_TYPE) {
-+		for (j = ebitmap_startbit(e); j < ebitmap_length(e); j++) {
+		for (i = ebitmap_startbit(e); i < ebitmap_length(e); i++) {
-+			if ((rc = ebitmap_get_bit(e, j)) == 0)
+			if ((rc = ebitmap_get_bit(e, i)) == 0)
 +				continue;
 +			type_count++;
 +		}
 +	}
 +
-+	/* Start the list of names where e = &e->names */
+	/*
-+	strcat(*expr_buf, "{ ");
+	 * Start the list of names where e = &e->names, except for types as
 +	 * a list of possible attributes will be given
 +	 */
 +	if (type != CEXPR_TYPE) 
 +		strncat(*expr_buf, "names-{ ", REASON_BUF_SIZE);
 +
 +	for (i = ebitmap_startbit(e); i < ebitmap_length(e); i++) {
 +		if ((rc = ebitmap_get_bit(e, i)) == 0)
@ -400,13 +423,13 @@ index 9c2920c..04f9978 100644
 +
 +		switch (type) {
 +		case CEXPR_USER:
-+			sprintf(tmp_buf, "%s ", policydb->p_user_val_to_name[i]);
+			snprintf(tmp_buf, sizeof(tmp_buf), "%s ", policydb->p_user_val_to_name[i]);
-+			strcat(*expr_buf, tmp_buf);
+			strncat(*expr_buf, tmp_buf, REASON_BUF_SIZE);
 +			break;
 +
 +		case CEXPR_ROLE:
-+			sprintf(tmp_buf, "%s ", policydb->p_role_val_to_name[i]);
+			snprintf(tmp_buf, sizeof(tmp_buf), "%s ", policydb->p_role_val_to_name[i]);
-+			strcat(*expr_buf, tmp_buf);
+			strncat(*expr_buf, tmp_buf, REASON_BUF_SIZE);
 +			break;
 +
 +		case CEXPR_TYPE:
@ -429,7 +452,7 @@ index 9c2920c..04f9978 100644
 + * "can_change_process_role" is also in the others.
 + *
 + * The "cron_source_domain" will give the largest amount of attributes
-+ * as there is only one type (crond_t) but has 36 associations.
+ * as there is only one type (crond_t) but has 36 attribute associations.
 + */
 +			/*
 +			 * Get node for the type ID and if an attribute just add name,
@ -438,17 +461,16 @@ index 9c2920c..04f9978 100644
 +			t1 = policydb->type_val_to_struct[i];
 +			if (t1->flavor == TYPE_ATTRIB) {
 +				is_attr = 1;
-+				sprintf(tmp_buf, "%s ", policydb->p_type_val_to_name[i]);
+				snprintf(tmp_buf, sizeof(tmp_buf), "%s ", policydb->p_type_val_to_name[i]);
-+				strcat(*expr_buf, tmp_buf);
+				strncat(*expr_buf, tmp_buf, REASON_BUF_SIZE);
 +				break;
 +			} else {
-+				/* Have type so but names in buffer and sort out attrs */
+				/* Don't add type names to buffer, only attributes */
-+				sprintf(tmp_buf, "%s ", policydb->p_type_val_to_name[i]);
+				/* snprintf(tmp_buf, sizeof(tmp_buf), "%s ", policydb->p_type_val_to_name[i]); */
-+				strcat(*expr_buf, tmp_buf);
+				/* strcat(*expr_buf, tmp_buf);  */
-+				/* Process attributes attached to the type */
+				/* Process attributes attached to this type */
 +				attr = &policydb->type_attr_map[t1->s.value-1];
-+				unsigned int z;
+				
 +				struct_count = 0;
 +				for (z = ebitmap_startbit(attr); z < ebitmap_length(attr); z++) {
 +					if ((rc = ebitmap_get_bit(attr, z)) == 0)
 +						continue;
@ -468,7 +490,6 @@ index 9c2920c..04f9978 100644
 +							}
 +							x++;
 +						}
 +						struct_count++;
 +					}
 +				}
 +				break;
@ -481,26 +502,35 @@ index 9c2920c..04f9978 100644
 +			break;
 +		}
 +		empty_set++;
 +		entry_count++;
 +	}
 +
-+	/* End the list of names but if type then check for attributes. */
+	/* End processing entries, now check for attributes if CEXPR_TYPE. */
 +	if (empty_set == 0) {
-+		strcat(*expr_buf, "<empty_set> }");
+		strncat(*expr_buf, "<empty_set>", REASON_BUF_SIZE);
 +	} else if (type == CEXPR_TYPE && is_attr == 0) {
-+		strcat(*expr_buf, "} ** Attributes associated to the types: ");
+		strncat(*expr_buf, "# POSSIBLE_ATTRIBUTES:", REASON_BUF_SIZE);
 +		for (x = 0; x < MAX_ATTRS; x++) {
 +			if (attr_info[x].count == type_count) {
-+				sprintf(tmp_buf, "%s ", policydb->p_type_val_to_name[attr_info[x].entry]);
+				snprintf(tmp_buf, sizeof(tmp_buf), "%s ",
-+				strcat(*expr_buf, tmp_buf);
+				policydb->p_type_val_to_name[attr_info[x].entry]);
 +				strncat(*expr_buf, tmp_buf, REASON_BUF_SIZE);
 +			}
 +		}
-+		strcat(*expr_buf, "**");
+	}
-+	} else
+	strncat(*expr_buf, "\n", REASON_BUF_SIZE);
 +		strcat(*expr_buf, "}");
 +	return 0;
 +}
 +
 +static void msgcat(char **expr_buf, char *src, char *tgt, char *rel, int failed) {
 +	char tmp_buf[1024];
 +	if (*expr_buf) {
 +		if (failed)
 +			snprintf(tmp_buf, sizeof(tmp_buf), "(%s %s %s -Fail-)\n", src, rel, tgt);
 +		else
 +			snprintf(tmp_buf, sizeof(tmp_buf), "(%s %s %s -Pass-)\n", src, rel, tgt);
 +		strncat(*expr_buf, tmp_buf, REASON_BUF_SIZE);
 +	}
 +}
 +
 +/*
 + * Modified version of constraint_expr_eval
@ -518,7 +548,7 @@ index 9c2920c..04f9978 100644
 + * 
 + * This function will also build a buffer as the constraint is processed
 + * for analysis. If this option is not required, then:
-+ *      'tclass' and 'allowed' should be '0' and expr_buf MUST be NULL.
+ *      'tclass' should be '0' and expr_buf MUST be NULL.
  */
 -static int constraint_expr_eval(context_struct_t * scontext,
 +static int constraint_expr_eval_reason(context_struct_t * scontext,
@ -526,16 +556,16 @@ index 9c2920c..04f9978 100644
 				context_struct_t * xcontext,
 -				constraint_expr_t * cexpr)
 +				sepol_security_class_t tclass,
-+				sepol_access_vector_t allowed,
+				constraint_node_t *constraint,
 +				constraint_expr_t * cexpr,
 +				char ** expr_buf)
 {
 	uint32_t val1, val2;
 	context_struct_t *c;
-@@ -135,21 +324,68 @@ static int constraint_expr_eval(context_struct_t * scontext,
+@@ -135,56 +340,112 @@ static int constraint_expr_eval(context_struct_t * scontext,
 	int s[CEXPR_MAXDEPTH];
 	int sp = -1;
 -	for (e = cexpr; e; e = e->next) {
 +	char tmp_buf[1024];
 +
 +/*
@ -547,72 +577,75 @@ index 9c2920c..04f9978 100644
 +#define XTARGET 3
 +
 +	int s_t_x_num = SOURCE;
-+
+	int rc = 0;
 +	/* Set 0 = fail, u = CEXPR_USER, r = CEXPR_ROLE, t = CEXPR_TYPE */
 +	int u_r_t = 0;
 +
 +	char *name1, *name2;
 +	char *src=NULL;
 +	char *tgt=NULL;
 +
 +	if (*expr_buf) {
 +		/* Get constraint statement type */
-+		sprintf(tmp_buf, "constrain ");
+		strncpy(tmp_buf, "constrain ", sizeof(tmp_buf));
-+		for (e = cexpr; e; e = e->next) {
+		for (e = constraint->expr; e; e = e->next) {
 +			if (e->attr >= CEXPR_L1L2) {
-+				sprintf(tmp_buf, "mlsconstrain ");
+				strncpy(tmp_buf, "mlsconstrain ", sizeof(tmp_buf));
 +				break;
 +			}
 +		}
-+		strcat(*expr_buf, tmp_buf);
+		strncat(*expr_buf, tmp_buf, REASON_BUF_SIZE);
 +
 +		/* Get class entry */
-+		sprintf(tmp_buf, "%s ", policydb->p_class_val_to_name[tclass - 1]);
+		snprintf(tmp_buf, sizeof(tmp_buf), "%s ", policydb->p_class_val_to_name[tclass - 1]);
-+		strcat(*expr_buf, tmp_buf);
+		strncat(*expr_buf, tmp_buf, REASON_BUF_SIZE);
 +
-+		/*
+		/* Get permission entries from the constraint node. */
-+		 * Get permission entries sepol_av_to_string defined in util.c
+		snprintf(tmp_buf, sizeof(tmp_buf), "{%s } (", sepol_av_to_string(policydb, tclass,
-+		 * and its buffer to hold the perm list is 1024 chars.
+				constraint->permissions));
-+		 */
+		strncat(*expr_buf, tmp_buf, REASON_BUF_SIZE);
 +		sprintf(tmp_buf, "{%s } ", sepol_av_to_string(policydb, tclass, allowed));
 +		strcat(*expr_buf, tmp_buf);
 +	}
 +
 +	/* Original function but with buffer support */
- 	for (e = cexpr; e; e = e->next) {
+	for (e = constraint->expr; e; e = e->next) {
 		switch (e->expr_type) {
 		case CEXPR_NOT:
 			BUG_ON(sp < 0);
 			s[sp] = !s[sp];
 +			if (*expr_buf)
-+				strcat(*expr_buf, " not ");
+				strncat(*expr_buf, " not ", REASON_BUF_SIZE);
 			break;
 		case CEXPR_AND:
 			BUG_ON(sp < 1);
 			sp--;
 			s[sp] &= s[sp + 1];
 +			if (*expr_buf)
-+				strcat(*expr_buf, " and ");
+				strncat(*expr_buf, " and ", REASON_BUF_SIZE);
 			break;
 		case CEXPR_OR:
 			BUG_ON(sp < 1);
 			sp--;
 			s[sp] |= s[sp + 1];
 +			if (*expr_buf)
-+				strcat(*expr_buf, " or ");
+				strncat(*expr_buf, " or ", REASON_BUF_SIZE);
 			break;
 		case CEXPR_ATTR:
 			if (sp == (CEXPR_MAXDEPTH - 1))
-@@ -158,33 +394,57 @@ static int constraint_expr_eval(context_struct_t * scontext,
+-				return 0;
 +				goto out;
 +
 			switch (e->attr) {
 			case CEXPR_USER:
 				val1 = scontext->user;
 				val2 = tcontext->user;
-+				if (*expr_buf)
+				free(src); src = strdup("u1");
-+					strcat(*expr_buf, "(u1 u2 ");
+				free(tgt); tgt = strdup("u2");
 				break;
 			case CEXPR_TYPE:
 				val1 = scontext->type;
 				val2 = tcontext->type;
-+				if (*expr_buf)
+				free(src); src = strdup("t1");
-+					strcat(*expr_buf, "(t1 t2 ");
+				free(tgt); tgt = strdup("t2");
 				break;
 			case CEXPR_ROLE:
 				val1 = scontext->role;
@ -622,8 +655,10 @@ index 9c2920c..04f9978 100644
 +				if (*expr_buf) {
 +					name1 = policydb->p_role_val_to_name[r1->s.value - 1];
 +					name2 = policydb->p_role_val_to_name[r2->s.value - 1];
-+					sprintf(tmp_buf, "(r1-%s r2-%s ", name1, name2);
+					snprintf(tmp_buf,sizeof(tmp_buf), "r1-%s", name1);
-+					strcat(*expr_buf, tmp_buf);
+					free(src); src = strdup(tmp_buf);
 +					snprintf(tmp_buf,sizeof(tmp_buf), "r2-%s ", name2);
 +					free(tgt); tgt = strdup(tmp_buf);
 +				}
 				switch (e->op) {
 				case CEXPR_DOM:
@ -631,26 +666,14 @@ index 9c2920c..04f9978 100644
 -					    ebitmap_get_bit(&r1->dominates,
 -							    val2 - 1);
 +					s[++sp] = ebitmap_get_bit(&r1->dominates, val2 - 1);
-+					if (*expr_buf) {
+					msgcat(expr_buf, src, tgt, "dom", s[sp] == 0);
 +						if (s[sp] == 0) {
 +							strcat(*expr_buf, "dom -Fail-) ");
 +						} else {
 +							strcat(*expr_buf, "dom -Fail-) ");
 +						}
 +					}
 					continue;
 				case CEXPR_DOMBY:
 -					s[++sp] =
 -					    ebitmap_get_bit(&r2->dominates,
 -							    val1 - 1);
 +					s[++sp] = ebitmap_get_bit(&r2->dominates, val1 - 1);
-+					if (*expr_buf) {
+					msgcat(expr_buf, src, tgt, "domby", s[sp] == 0);
 +						if (s[sp] == 0) {
 +							strcat(*expr_buf, "domby -Fail-) ");
 +						} else {
 +							strcat(*expr_buf, "domby +Pass+) ");
 +						}
 +					}
 					continue;
 				case CEXPR_INCOMP:
 -					s[++sp] =
@ -660,136 +683,101 @@ index 9c2920c..04f9978 100644
 -								 val1 - 1));
 +					s[++sp] = (!ebitmap_get_bit(&r1->dominates, val2 - 1)
 +						 && !ebitmap_get_bit(&r2->dominates, val1 - 1));
-+					if (*expr_buf) {
+					msgcat(expr_buf, src, tgt, "incomp", s[sp] == 0);
 +						if (s[sp] == 0) {
 +							strcat(*expr_buf, "incomp -Fail-) ");
 +						} else {
 +							strcat(*expr_buf, "incomp +Pass+) ");
 +						}
 +					}
 					continue;
 				default:
 					break;
-@@ -193,43 +453,90 @@ static int constraint_expr_eval(context_struct_t * scontext,
+@@ -193,112 +454,203 @@ static int constraint_expr_eval(context_struct_t * scontext,
 			case CEXPR_L1L2:
 				l1 = &(scontext->range.level[0]);
 				l2 = &(tcontext->range.level[0]);
-+				if (*expr_buf)
+				free(src); src = strdup("l1");
-+					strcat(*expr_buf, "(l1 l2 ");
+				free(tgt); tgt = strdup("l2");
 				goto mls_ops;
 			case CEXPR_L1H2:
 				l1 = &(scontext->range.level[0]);
 				l2 = &(tcontext->range.level[1]);
-+				if (*expr_buf)
+				free(src); src = strdup("l1");
-+					strcat(*expr_buf, "(l1 h2 ");
+				free(tgt); tgt = strdup("h2");
 				goto mls_ops;
 			case CEXPR_H1L2:
 				l1 = &(scontext->range.level[1]);
 				l2 = &(tcontext->range.level[0]);
-+				if (*expr_buf)
+				free(src); src = strdup("h1");
-+					strcat(*expr_buf,"(h1 l2 ");
+				free(tgt); tgt = strdup("L2");
 				goto mls_ops;
 			case CEXPR_H1H2:
 				l1 = &(scontext->range.level[1]);
 				l2 = &(tcontext->range.level[1]);
-+				if (*expr_buf)
+				free(src); src = strdup("h1");
-+					strcat(*expr_buf, "(h1 h2 ");
+				free(tgt); tgt = strdup("h2");
 				goto mls_ops;
 			case CEXPR_L1H1:
 				l1 = &(scontext->range.level[0]);
 				l2 = &(scontext->range.level[1]);
-+				if (*expr_buf)
+				free(src); src = strdup("l1");
-+					strcat(*expr_buf, "(l1 h1 ");
+				free(tgt); tgt = strdup("h1");
 				goto mls_ops;
 			case CEXPR_L2H2:
 				l1 = &(tcontext->range.level[0]);
 				l2 = &(tcontext->range.level[1]);
-+				if (*expr_buf)
+-				goto mls_ops;
 +					strcat(*expr_buf, "(l2 h2 ");
 				goto mls_ops;
 -			      mls_ops:
-+				  mls_ops:
+				free(src); src = strdup("l2");
 +				free(tgt); tgt = strdup("h2");
 +			mls_ops:
 				switch (e->op) {
 				case CEXPR_EQ:
 					s[++sp] = mls_level_eq(l1, l2);
-+					if (*expr_buf) {
+					msgcat(expr_buf, src, tgt, "eq", s[sp] == 0);
 +						if (s[sp] == 0) {
 +							strcat(*expr_buf, "eq -Fail-) ");
 +						} else {
 +							strcat(*expr_buf, "eq +Pass+) ");
 +						}
 +					}
 					continue;
 				case CEXPR_NEQ:
 					s[++sp] = !mls_level_eq(l1, l2);
-+					if (*expr_buf) {
+					msgcat(expr_buf, src, tgt, "neq", s[sp] == 0);
 +						if (s[sp] == 0) {
 +							strcat(*expr_buf, "neq -Fail-) ");
 +						} else {
 +							strcat(*expr_buf, "neq +Pass+) ");
 +						}
 +					}
 					continue;
 				case CEXPR_DOM:
 					s[++sp] = mls_level_dom(l1, l2);
-+					if (*expr_buf) {
+					msgcat(expr_buf, src, tgt, "dom", s[sp] == 0);
 +						if (s[sp] == 0) {
 +							strcat(*expr_buf, "dom -Fail-) ");
 +						} else {
 +							strcat(*expr_buf, "dom +Pass+) ");
 +						}
 +					}
 					continue;
 				case CEXPR_DOMBY:
 					s[++sp] = mls_level_dom(l2, l1);
-+					if (*expr_buf) {
+					msgcat(expr_buf, src, tgt, "domby", s[sp] == 0);
 +						if (s[sp] == 0) {
 +							strcat(*expr_buf, "domby -Fail-) ");
 +						} else {
 +							strcat(*expr_buf, "domby +Pass+) ");
 +						}
 +					}
 					continue;
 				case CEXPR_INCOMP:
 					s[++sp] = mls_level_incomp(l2, l1);
-+					if (*expr_buf) {
+					msgcat(expr_buf, src, tgt, "incomp", s[sp] == 0);
 +						if (s[sp] == 0) {
 +							strcat(*expr_buf, "incomp -Fail-) ");
 +						} else {
 +							strcat(*expr_buf, "incomp +Pass+) ");
 +						}
 +					}
 					continue;
 				default:
 					BUG();
-@@ -244,9 +551,23 @@ static int constraint_expr_eval(context_struct_t * scontext,
+-					return 0;
- 			switch (e->op) {
+					goto out;
- 			case CEXPR_EQ:
+ 				}
 				s[++sp] = (val1 == val2);
 +				if (*expr_buf) {
 +					if (s[sp] == 0) {
 +						strcat(*expr_buf, "eq -Fail-) ");
 +					} else {
 +						strcat(*expr_buf, "eq +Pass+) ");
 +					}
 +				}
 				break;
 			case CEXPR_NEQ:
 				s[++sp] = (val1 != val2);
 +				if (*expr_buf) {
 +					if (s[sp] == 0) {
 +						strcat(*expr_buf, "neq -Fail-) ");
 +					} else {
 +						strcat(*expr_buf, "neq +Pass+) ");
 +					}
 +				}
 				break;
 			default:
 				BUG();
-@@ -256,22 +577,46 @@ static int constraint_expr_eval(context_struct_t * scontext,
+-				return 0;
 +				goto out;
 			}
 			switch (e->op) {
 			case CEXPR_EQ:
 				s[++sp] = (val1 == val2);
 +				msgcat(expr_buf, src, tgt, "eq", s[sp] == 0);
 				break;
 			case CEXPR_NEQ:
 				s[++sp] = (val1 != val2);
 +				msgcat(expr_buf, src, tgt, "neq", s[sp] == 0);
 				break;
 			default:
 				BUG();
 -				return 0;
 +				goto out;
 			}
 			break;
 		case CEXPR_NAMES:
 			if (sp == (CEXPR_MAXDEPTH - 1))
- 				return 0;
+-				return 0;
 +				goto out;
 +			s_t_x_num = SOURCE;
 			c = scontext;
 -			if (e->attr & CEXPR_TARGET)
@ -808,7 +796,7 @@ index 9c2920c..04f9978 100644
 -			if (e->attr & CEXPR_USER)
 +			if (!c) {
 +				BUG();
-+				return 0;
+				goto out;
 +			}
 +			if (e->attr & CEXPR_USER) {
 +				u_r_t = CEXPR_USER;
@ -816,8 +804,8 @@ index 9c2920c..04f9978 100644
 -			else if (e->attr & CEXPR_ROLE)
 +				if (*expr_buf) {
 +					name1 = policydb->p_user_val_to_name[val1 - 1];
-+					sprintf(tmp_buf, "(u%d-%s ", s_t_x_num, name1);
+					snprintf(tmp_buf,sizeof(tmp_buf), "u%d=%s ", s_t_x_num, name1);
-+					strcat(*expr_buf, tmp_buf);
+					free(src); src = strdup(tmp_buf);
 +				}
 +			}
 +			else if (e->attr & CEXPR_ROLE) {
@ -826,8 +814,8 @@ index 9c2920c..04f9978 100644
 -			else if (e->attr & CEXPR_TYPE)
 +				if (*expr_buf) {
 +					name1 = policydb->p_role_val_to_name[val1 - 1];
-+					sprintf(tmp_buf, "(r%d-%s ", s_t_x_num, name1);
+					snprintf(tmp_buf,sizeof(tmp_buf), "r%d=%s ", s_t_x_num, name1);
-+					strcat(*expr_buf, tmp_buf);
+					free(src); src = strdup(tmp_buf);
 +				}
 +			}
 +			else if (e->attr & CEXPR_TYPE) {
@ -835,14 +823,15 @@ index 9c2920c..04f9978 100644
 				val1 = c->type;
 +				if (*expr_buf) {
 +					name1 = policydb->p_type_val_to_name[val1 - 1];
-+					sprintf(tmp_buf, "(t%d-%s ", s_t_x_num, name1);
+					snprintf(tmp_buf,sizeof(tmp_buf), "t%d=%s ", s_t_x_num, name1);
-+					strcat(*expr_buf, tmp_buf);
+					free(src); src = strdup(tmp_buf);
 +				}
 +			}
 			else {
 				BUG();
- 				return 0;
+-				return 0;
-@@ -279,10 +624,61 @@ static int constraint_expr_eval(context_struct_t * scontext,
+				goto out;
 			}
 			switch (e->op) {
 			case CEXPR_EQ:
@ -861,16 +850,12 @@ index 9c2920c..04f9978 100644
 +					ERR(NULL, "unrecognized u_r_t Value: %d", u_r_t);
 +					break;
 +				}
 +
 +				get_names_list(&e->names, u_r_t, expr_buf);
 +
 				s[++sp] = ebitmap_get_bit(&e->names, val1 - 1);
-+				if (*expr_buf) {
+				free(tgt); tgt=strdup("ATTRIBUTE");
-+					if (s[sp] == 0) {
+				msgcat(expr_buf, src, tgt, "neq", s[sp] == 0);
-+						strcat(*expr_buf, " eq -Fail-) ");
+				if (s[sp] == 0) {
-+					} else {
+					get_names_list(&e->names, u_r_t, expr_buf);
 +						strcat(*expr_buf, " eq +Pass+) ");
 +					}
 +				}
 				break;
 +
@ -890,151 +875,138 @@ index 9c2920c..04f9978 100644
 +					ERR(NULL, "unrecognized u_r_t Value: %d", u_r_t);
 +					break;
 +				}
 +
 +				get_names_list(&e->names, u_r_t, expr_buf);
 +
 				s[++sp] = !ebitmap_get_bit(&e->names, val1 - 1);
-+				if (*expr_buf) {
+				free(tgt); tgt=strdup("ATTRIBUTE");
-+					if (s[sp] == 0) {
+				msgcat(expr_buf, src, tgt, "neq", s[sp] == 0);
-+						strcat(*expr_buf, " neq -Fail-) ");
+				get_names_list(&e->names, u_r_t, expr_buf);
 +					} else {
 +						strcat(*expr_buf, " neq +Pass+) ");
 +					}
 +				}
 				break;
 			default:
 				BUG();
-@@ -296,9 +692,21 @@ static int constraint_expr_eval(context_struct_t * scontext,
+-				return 0;
 +				goto out;
 			}
 			break;
 		default:
 			BUG();
 -			return 0;
 +			goto out;
 		}
 	}
 +	if (*expr_buf)
 +		strncat(*expr_buf, ")", REASON_BUF_SIZE);
 +	rc = s[0];
 +
 +out:
 +	free(src); 
 +	free(tgt);
 	BUG_ON(sp != 0);
-+
+-	return s[0];
-+	if (*expr_buf) {
+	return rc;
 +		if (s[0] == 0) {
 +			char *denied = {"\n** Constraint DENIED access **\n\n"};
 +			strcat(*expr_buf, denied);
 +		} else {
 +			char *allow = {"\n** Constraint ALLOWED access **\n\n"};
 +			strcat(*expr_buf, allow);
 +		}
 +	}
 	return s[0];
 }
 +
 +
 /*
  * Compute access vectors based on a context structure pair for
  * the permissions in a particular class.
-@@ -308,7 +716,8 @@ static int context_struct_compute_av(context_struct_t * scontext,
+@@ -308,7 +660,8 @@ static int context_struct_compute_av(context_struct_t * scontext,
 				     sepol_security_class_t tclass,
 				     sepol_access_vector_t requested,
 				     struct sepol_av_decision *avd,
 -				     unsigned int *reason)
 +				     unsigned int *reason,
-+					 char *expr_buf)
+				     char *expr_buf)
 {
 	constraint_node_t *constraint;
 	struct role_allow *ra;
-@@ -383,8 +792,8 @@ static int context_struct_compute_av(context_struct_t * scontext,
+@@ -383,8 +736,8 @@ static int context_struct_compute_av(context_struct_t * scontext,
 	constraint = tclass_datum->constraints;
 	while (constraint) {
 		if ((constraint->permissions & (avd->allowed)) &&
 -		    !constraint_expr_eval(scontext, tcontext, NULL,
 -					  constraint->expr)) {
 +		    !constraint_expr_eval_reason(scontext, tcontext, NULL,
-+					  tclass, avd->allowed, constraint->expr, &expr_buf)) {
+					  tclass, constraint, &expr_buf)) {
 			avd->allowed =
 			    (avd->allowed) & ~(constraint->permissions);
 		}
-@@ -459,8 +868,8 @@ int hidden sepol_validate_transition(sepol_security_id_t oldsid,
+@@ -459,8 +812,8 @@ int hidden sepol_validate_transition(sepol_security_id_t oldsid,
 	constraint = tclass_datum->validatetrans;
 	while (constraint) {
 -		if (!constraint_expr_eval(ocontext, ncontext, tcontext,
 -					  constraint->expr)) {
 +		if (!constraint_expr_eval_reason(ocontext, ncontext, tcontext,
-+					  0, 0, constraint->expr, NULL)) {
+					  0, constraint, NULL)) {
 			return -EPERM;
 		}
 		constraint = constraint->next;
-@@ -469,13 +878,21 @@ int hidden sepol_validate_transition(sepol_security_id_t oldsid,
+@@ -493,11 +846,57 @@ int hidden sepol_compute_av_reason(sepol_security_id_t ssid,
- 	return 0;
+ 	}
 	rc = context_struct_compute_av(scontext, tcontext, tclass,
 -				       requested, avd, reason);
 +					requested, avd, reason, NULL);
       out:
 	return rc;
 }
 -int hidden sepol_compute_av_reason(sepol_security_id_t ssid,
 +/* 
 + * sepol_compute_av_reason_buffer - the reason buffer is malloc'd
 + * to REASON_BUF_SIZE that seems okay for the Reference Policy.
 + * TODO manage size using realloc at some stage.
 + */
 +#define REASON_BUF_SIZE 100000
 +int hidden sepol_compute_av_reason_buffer(sepol_security_id_t ssid,
 				   sepol_security_id_t tsid,
 				   sepol_security_class_t tclass,
 				   sepol_access_vector_t requested,
 				   struct sepol_av_decision *avd,
 -				   unsigned int *reason)
 +				   unsigned int *reason,
 +				   char **reason_buf)
 {
 +	char *expr_buf = NULL;
 	context_struct_t *scontext = 0, *tcontext = 0;
 	int rc = 0;
@@ -485,6 +902,7 @@ int hidden sepol_compute_av_reason(sepol_security_id_t ssid,
 		rc = -EINVAL;
 		goto out;
 	}
 +
 	tcontext = sepol_sidtab_search(sidtab, tsid);
 	if (!tcontext) {
 		ERR(NULL, "unrecognized SID %d", tsid);
@@ -493,11 +911,36 @@ int hidden sepol_compute_av_reason(sepol_security_id_t ssid,
 	}
 	rc = context_struct_compute_av(scontext, tcontext, tclass,
 -				       requested, avd, reason);
 -      out:
 +				       requested, avd, reason, expr_buf);
 +	if (rc) {
 +		goto out;
 +	}
 +
 +	if (!avd->allowed && (*reason & SEPOL_COMPUTEAV_CONS) && reason_buf) {
 +		expr_buf = calloc(REASON_BUF_SIZE,1);
 +		if (!expr_buf) {
 +			ERR(NULL, "malloc failed to allocate constraint reason buffer");
 +			return -ENOMEM;
 +		}
 +		rc = context_struct_compute_av(scontext, tcontext, tclass,
 +					       requested, avd, reason, expr_buf);
 +		*reason_buf = expr_buf;
 +	}
 +
 +out:
 	return rc;
 }
 +int hidden sepol_compute_av_reason(sepol_security_id_t ssid,
 +				   sepol_security_id_t tsid,
 +				   sepol_security_class_t tclass,
 +				   sepol_access_vector_t requested,
 +				   struct sepol_av_decision *avd,
-+				   unsigned int *reason)
+				   unsigned int *reason,
 +				   char **reason_buf)
 +{
-+	return sepol_compute_av_reason_buffer(ssid, tsid, tclass, requested, avd, reason, NULL);
+	char *expr_buf = NULL;
 +
 +	expr_buf = malloc(REASON_BUF_SIZE);
 +	if (!expr_buf) {
 +		ERR(NULL, "malloc failed to allocate constraint reason buffer");
 +		return -ENOMEM;
 +	}
 +	bzero(expr_buf, REASON_BUF_SIZE);
 +
 +	context_struct_t *scontext = 0, *tcontext = 0;
 +	int rc = 0;
 +
 +	scontext = sepol_sidtab_search(sidtab, ssid);
 +	if (!scontext) {
 +		ERR(NULL, "unrecognized SID %d", ssid);
 +		rc = -EINVAL;
 +		goto out;
 +	}
 +	tcontext = sepol_sidtab_search(sidtab, tsid);
 +	if (!tcontext) {
 +		ERR(NULL, "unrecognized SID %d", tsid);
 +		rc = -EINVAL;
 +		goto out;
 +	}
 +
 +	rc = context_struct_compute_av(scontext, tcontext, tclass,
 +					   requested, avd, reason, expr_buf);
 +	*reason_buf = expr_buf;
 +
 +	  out:
 +	return rc;
 +}
 +
 int hidden sepol_compute_av(sepol_security_id_t ssid,
 			    sepol_security_id_t tsid,
 			    sepol_security_class_t tclass,
-@@ -510,6 +953,65 @@ int hidden sepol_compute_av(sepol_security_id_t ssid,
+@@ -510,6 +909,66 @@ int hidden sepol_compute_av(sepol_security_id_t ssid,
 }
 /*
-+ * Return a class ID associated with the class string representation
+ * Return a class ID associated with the class string specified by
-+ * specified by `class_name'.
+ * class_name.
 + */
 +int hidden sepol_class_name_to_id(const char *class_name,
 +			sepol_security_class_t *tclass)
@ -1055,15 +1027,15 @@ index 9c2920c..04f9978 100644
 +}
 +
 +/*
-+ * Return access vertor bit associated with the class / permission string.
+ * Return access vector bit associated with the class ID and permission
 + * string.
 + */
 +int hidden sepol_perm_name_to_av(sepol_security_class_t tclass,
 +					const char *perm_name,
 +					sepol_access_vector_t *av)
 +{
 +	class_datum_t *tclass_datum;
-+	perm_datum_t *base_perm;
+	perm_datum_t *perm_datum;
 +	perm_datum_t *common_perm;
 +
 +	if (!tclass || tclass > policydb->p_classes.nprim) {
 +		ERR(NULL, "unrecognized class %d", tclass);
@ -1071,19 +1043,20 @@ index 9c2920c..04f9978 100644
 +	}
 +	tclass_datum = policydb->class_val_to_struct[tclass - 1];
 +
-+	base_perm = (perm_datum_t *)
+	/* Check for unique perms then the common ones */
 +	perm_datum = (perm_datum_t *)
 +			hashtab_search(tclass_datum->permissions.table,
 +			(hashtab_key_t)perm_name);
-+	if (base_perm != NULL) {
+	if (perm_datum != NULL) {
-+		*av = 0x1 << (base_perm->s.value - 1);
+		*av = 0x1 << (perm_datum->s.value - 1);
 +		return STATUS_SUCCESS;
 +	}
 +
-+	common_perm = (perm_datum_t *)
+	perm_datum = (perm_datum_t *)
 +			hashtab_search(tclass_datum->comdatum->permissions.table,
 +			(hashtab_key_t)perm_name);
-+	if (common_perm != NULL) {
+	if (perm_datum != NULL) {
-+		*av = 0x1 << (common_perm->s.value - 1);
+		*av = 0x1 << (perm_datum->s.value - 1);
 +		return STATUS_SUCCESS;
 +	}	
 +
@ -1095,7 +1068,7 @@ index 9c2920c..04f9978 100644
  * Write the security context string representation of 
  * the context associated with `sid' into a dynamically
  * allocated string of the correct size.  Set `*scontext'
-@@ -1337,7 +1839,7 @@ int hidden sepol_get_user_sids(sepol_security_id_t fromsid,
+@@ -1337,7 +1796,7 @@ int hidden sepol_get_user_sids(sepol_security_id_t fromsid,
 			rc = context_struct_compute_av(fromcon, &usercon,
 						       SECCLASS_PROCESS,
 						       PROCESS__TRANSITION,
--- a/libsepol.spec
+++ b/libsepol.spec
@ -1,7 +1,7 @@
 Summary: SELinux binary policy manipulation library 
 Name: libsepol
 Version: 2.1.8
-Release: 3%{?dist}
+Release: 4%{?dist}
 License: LGPLv2+
 Group: System Environment/Libraries
 Source: http://www.nsa.gov/selinux/archives/libsepol-%{version}.tgz
@ -99,6 +99,9 @@ exit 0
 /%{_lib}/libsepol.so.1
 %changelog
 * Tue Nov 27 2012 Dan Walsh <dwalsh@redhat.com> - 2.1.8-4
 - Update Richard Haines patch to show constraint information
 * Mon Nov 19 2012 Dan Walsh <dwalsh@redhat.com> - 2.1.8-3
 - Add sepol_compute_av_reason_buffer patch from Richard Haines
@ -185,7 +188,7 @@ dup!
 	* setools expects expand_module_avrules to be an exported
 	* tree: default make target to all not
-* Thu Sep 14 2011 Dan Walsh <dwalsh@redhat.com> - 2.1.2-3
+* Thu Sep 15 2011 Dan Walsh <dwalsh@redhat.com> - 2.1.2-3
 - Add patch to handle preserving tunables
 * Thu Sep 1 2011 Dan Walsh <dwalsh@redhat.com> - 2.1.2-2
@ -204,7 +207,7 @@ dup!
 - Update to upstream 
 	* Release, minor version bump
-* Thu May 3 2011 Dan Walsh <dwalsh@redhat.com> 2.0.45-1
+* Tue May 3 2011 Dan Walsh <dwalsh@redhat.com> 2.0.45-1
 - Update to upstream 
  * Warn if filename_trans rules are dropped by Steve Lawrence.
@ -254,7 +257,7 @@ Resolves: #555835
 - Upgrade to latest from NSA
  * Add pkgconfig file from Eamon Walsh.
-* Tue Oct 14 2009 Dan Walsh <dwalsh@redhat.com> 2.0.39-1
+* Wed Oct 14 2009 Dan Walsh <dwalsh@redhat.com> 2.0.39-1
 - Upgrade to latest from NSA
  * Add support for building Xen policies from Paul Nuzzi.
@ -512,7 +515,7 @@ Resolves: #555835
    a policy requires the compatibility support for network checks
    to be enabled in the kernel.
-* Thu May 15 2006 Dan Walsh <dwalsh@redhat.com> 1.12.11-1
+* Thu May 18 2006 Dan Walsh <dwalsh@redhat.com> 1.12.11-1
 - Upgrade to latest from NSA
  * Merged patch to initialize sym_val_to_name arrays from Kevin Carr.
    Reworked to use calloc in the first place, and converted some other
@ -619,7 +622,7 @@ Resolves: #555835
 - Upgrade to latest from NSA
  * Merged 2nd const in APIs patch from Ivan Gyurdiev.
-* Fri Jan 7 2006 Dan Walsh <dwalsh@redhat.com> 1.11.7-1
+* Fri Jan 6 2006 Dan Walsh <dwalsh@redhat.com> 1.11.7-1
 - Upgrade to latest from NSA
  * Merged const in APIs patch from Ivan Gyurdiev.
  * Merged compare2 function patch from Ivan Gyurdiev.
@ -855,7 +858,7 @@ Resolves: #555835
  * Merged fix for sepol_enable/disable_debug from Ivan
  Gyurdiev.
-* Mon Sep 14 2005 Dan Walsh <dwalsh@redhat.com> 1.9.1-2
+* Wed Sep 14 2005 Dan Walsh <dwalsh@redhat.com> 1.9.1-2
 - Upgrade to latest from NSA
  * Merged stddef.h patch and debug conversion patch from 
  Ivan Gyurdiev.