Update Richard Haines patch to show constraint information
This commit is contained in:
parent
0557b38137
commit
a3698bbb34
@ -307,10 +307,24 @@ index 43a71a7..7615a9b 100644
|
||||
NULL
|
||||
};
|
||||
diff --git a/libsepol/src/services.c b/libsepol/src/services.c
|
||||
index 9c2920c..04f9978 100644
|
||||
index 9c2920c..096c28e 100644
|
||||
--- a/libsepol/src/services.c
|
||||
+++ b/libsepol/src/services.c
|
||||
@@ -54,6 +54,7 @@
|
||||
@@ -1,4 +1,3 @@
|
||||
-
|
||||
/*
|
||||
* Author : Stephen Smalley, <sds@epoch.ncsc.mil>
|
||||
*/
|
||||
@@ -43,6 +42,8 @@
|
||||
* Implementation of the security services.
|
||||
*/
|
||||
|
||||
+#define REASON_BUF_SIZE 100000
|
||||
+
|
||||
#include <stdlib.h>
|
||||
#include <sys/types.h>
|
||||
#include <sys/socket.h>
|
||||
@@ -54,6 +55,7 @@
|
||||
#include <sepol/policydb/services.h>
|
||||
#include <sepol/policydb/conditional.h>
|
||||
#include <sepol/policydb/flask.h>
|
||||
@ -318,7 +332,7 @@ index 9c2920c..04f9978 100644
|
||||
|
||||
#include "debug.h"
|
||||
#include "private.h"
|
||||
@@ -112,20 +113,208 @@ int sepol_set_policydb_from_file(FILE * fp)
|
||||
@@ -112,20 +114,223 @@ int sepol_set_policydb_from_file(FILE * fp)
|
||||
static uint32_t latest_granting = 0;
|
||||
|
||||
/*
|
||||
@ -333,7 +347,9 @@ index 9c2920c..04f9978 100644
|
||||
+ * then the attributes associated to them (also count these). When
|
||||
+ * complete take the list of attributes and find those whose count
|
||||
+ * matches the number of types. The attributes in the final list will be
|
||||
+ * one of those that needs to has the type added (but which one !!!).
|
||||
+ * the ones that need to have the type added to give access should this
|
||||
+ * part of the expression fail (but which one - currently the only way
|
||||
+ * is to check the policy source).
|
||||
+ *
|
||||
+ * The best way to solve this is for the compilers (checkpolicy and
|
||||
+ * checkmodule) to add attributes to the constraint_expr_t structure
|
||||
@ -349,31 +365,34 @@ index 9c2920c..04f9978 100644
|
||||
+int get_names_list(const ebitmap_t * e, int type, char ** expr_buf)
|
||||
+{
|
||||
+ type_datum_t *t1 = NULL;
|
||||
+ ebitmap_t *attr;
|
||||
+
|
||||
+#define MAX_ATTRS 300
|
||||
+#define MAX_ATTRS 400
|
||||
+ /* Hold the type attribute names and count of instances */
|
||||
+ struct attr_entries {
|
||||
+ unsigned int entry;
|
||||
+ int count;
|
||||
+ } attr_info[MAX_ATTRS];
|
||||
+
|
||||
+ int struct_count = 0;
|
||||
+ int x;
|
||||
+ /* Various counters */
|
||||
+ int x, rc = 0;
|
||||
+ unsigned int i, z;
|
||||
+
|
||||
+ int rc = 0;
|
||||
+ unsigned int i;
|
||||
+ int entry_count = 0;
|
||||
+ /*
|
||||
+ * If an attribute is found in ->names then set to 1. Note this
|
||||
+ * will only happen with the CIL compiler 30-Mar-2012 version) and
|
||||
+ * is an error but we process anyway.
|
||||
+ */
|
||||
+ int is_attr = 0;
|
||||
+
|
||||
+ char tmp_buf[100];
|
||||
+ /* if empty_set is 0, then <empty_set> */
|
||||
+ /* if ->names is 0, then output string <empty_set> */
|
||||
+ int empty_set = 0;
|
||||
+
|
||||
+ ebitmap_t *attr;
|
||||
+ unsigned int j;
|
||||
+
|
||||
+ /* The number of types in ->names */
|
||||
+ int type_count = 0;
|
||||
+
|
||||
+ /* If no buffer set then just return. */
|
||||
+ if (!*expr_buf)
|
||||
+ return 0;
|
||||
+
|
||||
@ -384,15 +403,19 @@ index 9c2920c..04f9978 100644
|
||||
+
|
||||
+ /* For type entries find how many entries so we can check attributes */
|
||||
+ if (type == CEXPR_TYPE) {
|
||||
+ for (j = ebitmap_startbit(e); j < ebitmap_length(e); j++) {
|
||||
+ if ((rc = ebitmap_get_bit(e, j)) == 0)
|
||||
+ for (i = ebitmap_startbit(e); i < ebitmap_length(e); i++) {
|
||||
+ if ((rc = ebitmap_get_bit(e, i)) == 0)
|
||||
+ continue;
|
||||
+ type_count++;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ /* Start the list of names where e = &e->names */
|
||||
+ strcat(*expr_buf, "{ ");
|
||||
+ /*
|
||||
+ * Start the list of names where e = &e->names, except for types as
|
||||
+ * a list of possible attributes will be given
|
||||
+ */
|
||||
+ if (type != CEXPR_TYPE)
|
||||
+ strncat(*expr_buf, "names-{ ", REASON_BUF_SIZE);
|
||||
+
|
||||
+ for (i = ebitmap_startbit(e); i < ebitmap_length(e); i++) {
|
||||
+ if ((rc = ebitmap_get_bit(e, i)) == 0)
|
||||
@ -400,13 +423,13 @@ index 9c2920c..04f9978 100644
|
||||
+
|
||||
+ switch (type) {
|
||||
+ case CEXPR_USER:
|
||||
+ sprintf(tmp_buf, "%s ", policydb->p_user_val_to_name[i]);
|
||||
+ strcat(*expr_buf, tmp_buf);
|
||||
+ snprintf(tmp_buf, sizeof(tmp_buf), "%s ", policydb->p_user_val_to_name[i]);
|
||||
+ strncat(*expr_buf, tmp_buf, REASON_BUF_SIZE);
|
||||
+ break;
|
||||
+
|
||||
+ case CEXPR_ROLE:
|
||||
+ sprintf(tmp_buf, "%s ", policydb->p_role_val_to_name[i]);
|
||||
+ strcat(*expr_buf, tmp_buf);
|
||||
+ snprintf(tmp_buf, sizeof(tmp_buf), "%s ", policydb->p_role_val_to_name[i]);
|
||||
+ strncat(*expr_buf, tmp_buf, REASON_BUF_SIZE);
|
||||
+ break;
|
||||
+
|
||||
+ case CEXPR_TYPE:
|
||||
@ -429,7 +452,7 @@ index 9c2920c..04f9978 100644
|
||||
+ * "can_change_process_role" is also in the others.
|
||||
+ *
|
||||
+ * The "cron_source_domain" will give the largest amount of attributes
|
||||
+ * as there is only one type (crond_t) but has 36 associations.
|
||||
+ * as there is only one type (crond_t) but has 36 attribute associations.
|
||||
+ */
|
||||
+ /*
|
||||
+ * Get node for the type ID and if an attribute just add name,
|
||||
@ -438,17 +461,16 @@ index 9c2920c..04f9978 100644
|
||||
+ t1 = policydb->type_val_to_struct[i];
|
||||
+ if (t1->flavor == TYPE_ATTRIB) {
|
||||
+ is_attr = 1;
|
||||
+ sprintf(tmp_buf, "%s ", policydb->p_type_val_to_name[i]);
|
||||
+ strcat(*expr_buf, tmp_buf);
|
||||
+ snprintf(tmp_buf, sizeof(tmp_buf), "%s ", policydb->p_type_val_to_name[i]);
|
||||
+ strncat(*expr_buf, tmp_buf, REASON_BUF_SIZE);
|
||||
+ break;
|
||||
+ } else {
|
||||
+ /* Have type so but names in buffer and sort out attrs */
|
||||
+ sprintf(tmp_buf, "%s ", policydb->p_type_val_to_name[i]);
|
||||
+ strcat(*expr_buf, tmp_buf);
|
||||
+ /* Process attributes attached to the type */
|
||||
+ /* Don't add type names to buffer, only attributes */
|
||||
+ /* snprintf(tmp_buf, sizeof(tmp_buf), "%s ", policydb->p_type_val_to_name[i]); */
|
||||
+ /* strcat(*expr_buf, tmp_buf); */
|
||||
+ /* Process attributes attached to this type */
|
||||
+ attr = &policydb->type_attr_map[t1->s.value-1];
|
||||
+ unsigned int z;
|
||||
+ struct_count = 0;
|
||||
+
|
||||
+ for (z = ebitmap_startbit(attr); z < ebitmap_length(attr); z++) {
|
||||
+ if ((rc = ebitmap_get_bit(attr, z)) == 0)
|
||||
+ continue;
|
||||
@ -468,7 +490,6 @@ index 9c2920c..04f9978 100644
|
||||
+ }
|
||||
+ x++;
|
||||
+ }
|
||||
+ struct_count++;
|
||||
+ }
|
||||
+ }
|
||||
+ break;
|
||||
@ -481,26 +502,35 @@ index 9c2920c..04f9978 100644
|
||||
+ break;
|
||||
+ }
|
||||
+ empty_set++;
|
||||
+ entry_count++;
|
||||
+ }
|
||||
+
|
||||
+ /* End the list of names but if type then check for attributes. */
|
||||
+ /* End processing entries, now check for attributes if CEXPR_TYPE. */
|
||||
+ if (empty_set == 0) {
|
||||
+ strcat(*expr_buf, "<empty_set> }");
|
||||
+ strncat(*expr_buf, "<empty_set>", REASON_BUF_SIZE);
|
||||
+ } else if (type == CEXPR_TYPE && is_attr == 0) {
|
||||
+ strcat(*expr_buf, "} ** Attributes associated to the types: ");
|
||||
+ strncat(*expr_buf, "# POSSIBLE_ATTRIBUTES:", REASON_BUF_SIZE);
|
||||
+ for (x = 0; x < MAX_ATTRS; x++) {
|
||||
+ if (attr_info[x].count == type_count) {
|
||||
+ sprintf(tmp_buf, "%s ", policydb->p_type_val_to_name[attr_info[x].entry]);
|
||||
+ strcat(*expr_buf, tmp_buf);
|
||||
+ snprintf(tmp_buf, sizeof(tmp_buf), "%s ",
|
||||
+ policydb->p_type_val_to_name[attr_info[x].entry]);
|
||||
+ strncat(*expr_buf, tmp_buf, REASON_BUF_SIZE);
|
||||
+ }
|
||||
+ }
|
||||
+ strcat(*expr_buf, "**");
|
||||
+ } else
|
||||
+ strcat(*expr_buf, "}");
|
||||
+ }
|
||||
+ strncat(*expr_buf, "\n", REASON_BUF_SIZE);
|
||||
+ return 0;
|
||||
+}
|
||||
+
|
||||
+static void msgcat(char **expr_buf, char *src, char *tgt, char *rel, int failed) {
|
||||
+ char tmp_buf[1024];
|
||||
+ if (*expr_buf) {
|
||||
+ if (failed)
|
||||
+ snprintf(tmp_buf, sizeof(tmp_buf), "(%s %s %s -Fail-)\n", src, rel, tgt);
|
||||
+ else
|
||||
+ snprintf(tmp_buf, sizeof(tmp_buf), "(%s %s %s -Pass-)\n", src, rel, tgt);
|
||||
+ strncat(*expr_buf, tmp_buf, REASON_BUF_SIZE);
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
+/*
|
||||
+ * Modified version of constraint_expr_eval
|
||||
@ -518,7 +548,7 @@ index 9c2920c..04f9978 100644
|
||||
+ *
|
||||
+ * This function will also build a buffer as the constraint is processed
|
||||
+ * for analysis. If this option is not required, then:
|
||||
+ * 'tclass' and 'allowed' should be '0' and expr_buf MUST be NULL.
|
||||
+ * 'tclass' should be '0' and expr_buf MUST be NULL.
|
||||
*/
|
||||
-static int constraint_expr_eval(context_struct_t * scontext,
|
||||
+static int constraint_expr_eval_reason(context_struct_t * scontext,
|
||||
@ -526,16 +556,16 @@ index 9c2920c..04f9978 100644
|
||||
context_struct_t * xcontext,
|
||||
- constraint_expr_t * cexpr)
|
||||
+ sepol_security_class_t tclass,
|
||||
+ sepol_access_vector_t allowed,
|
||||
+ constraint_expr_t * cexpr,
|
||||
+ constraint_node_t *constraint,
|
||||
+ char ** expr_buf)
|
||||
{
|
||||
uint32_t val1, val2;
|
||||
context_struct_t *c;
|
||||
@@ -135,21 +324,68 @@ static int constraint_expr_eval(context_struct_t * scontext,
|
||||
@@ -135,56 +340,112 @@ static int constraint_expr_eval(context_struct_t * scontext,
|
||||
int s[CEXPR_MAXDEPTH];
|
||||
int sp = -1;
|
||||
|
||||
- for (e = cexpr; e; e = e->next) {
|
||||
+ char tmp_buf[1024];
|
||||
+
|
||||
+/*
|
||||
@ -547,72 +577,75 @@ index 9c2920c..04f9978 100644
|
||||
+#define XTARGET 3
|
||||
+
|
||||
+ int s_t_x_num = SOURCE;
|
||||
+
|
||||
+ int rc = 0;
|
||||
+ /* Set 0 = fail, u = CEXPR_USER, r = CEXPR_ROLE, t = CEXPR_TYPE */
|
||||
+ int u_r_t = 0;
|
||||
+
|
||||
+ char *name1, *name2;
|
||||
+ char *src=NULL;
|
||||
+ char *tgt=NULL;
|
||||
+
|
||||
+ if (*expr_buf) {
|
||||
+ /* Get constraint statement type */
|
||||
+ sprintf(tmp_buf, "constrain ");
|
||||
+ for (e = cexpr; e; e = e->next) {
|
||||
+ strncpy(tmp_buf, "constrain ", sizeof(tmp_buf));
|
||||
+ for (e = constraint->expr; e; e = e->next) {
|
||||
+ if (e->attr >= CEXPR_L1L2) {
|
||||
+ sprintf(tmp_buf, "mlsconstrain ");
|
||||
+ strncpy(tmp_buf, "mlsconstrain ", sizeof(tmp_buf));
|
||||
+ break;
|
||||
+ }
|
||||
+ }
|
||||
+ strcat(*expr_buf, tmp_buf);
|
||||
+ strncat(*expr_buf, tmp_buf, REASON_BUF_SIZE);
|
||||
+
|
||||
+ /* Get class entry */
|
||||
+ sprintf(tmp_buf, "%s ", policydb->p_class_val_to_name[tclass - 1]);
|
||||
+ strcat(*expr_buf, tmp_buf);
|
||||
+ snprintf(tmp_buf, sizeof(tmp_buf), "%s ", policydb->p_class_val_to_name[tclass - 1]);
|
||||
+ strncat(*expr_buf, tmp_buf, REASON_BUF_SIZE);
|
||||
+
|
||||
+ /*
|
||||
+ * Get permission entries sepol_av_to_string defined in util.c
|
||||
+ * and its buffer to hold the perm list is 1024 chars.
|
||||
+ */
|
||||
+ sprintf(tmp_buf, "{%s } ", sepol_av_to_string(policydb, tclass, allowed));
|
||||
+ strcat(*expr_buf, tmp_buf);
|
||||
+ /* Get permission entries from the constraint node. */
|
||||
+ snprintf(tmp_buf, sizeof(tmp_buf), "{%s } (", sepol_av_to_string(policydb, tclass,
|
||||
+ constraint->permissions));
|
||||
+ strncat(*expr_buf, tmp_buf, REASON_BUF_SIZE);
|
||||
+ }
|
||||
+
|
||||
+ /* Original function but with buffer support */
|
||||
for (e = cexpr; e; e = e->next) {
|
||||
+ for (e = constraint->expr; e; e = e->next) {
|
||||
switch (e->expr_type) {
|
||||
case CEXPR_NOT:
|
||||
BUG_ON(sp < 0);
|
||||
s[sp] = !s[sp];
|
||||
+ if (*expr_buf)
|
||||
+ strcat(*expr_buf, " not ");
|
||||
+ strncat(*expr_buf, " not ", REASON_BUF_SIZE);
|
||||
break;
|
||||
case CEXPR_AND:
|
||||
BUG_ON(sp < 1);
|
||||
sp--;
|
||||
s[sp] &= s[sp + 1];
|
||||
+ if (*expr_buf)
|
||||
+ strcat(*expr_buf, " and ");
|
||||
+ strncat(*expr_buf, " and ", REASON_BUF_SIZE);
|
||||
break;
|
||||
case CEXPR_OR:
|
||||
BUG_ON(sp < 1);
|
||||
sp--;
|
||||
s[sp] |= s[sp + 1];
|
||||
+ if (*expr_buf)
|
||||
+ strcat(*expr_buf, " or ");
|
||||
+ strncat(*expr_buf, " or ", REASON_BUF_SIZE);
|
||||
break;
|
||||
case CEXPR_ATTR:
|
||||
if (sp == (CEXPR_MAXDEPTH - 1))
|
||||
@@ -158,33 +394,57 @@ static int constraint_expr_eval(context_struct_t * scontext,
|
||||
- return 0;
|
||||
+ goto out;
|
||||
+
|
||||
switch (e->attr) {
|
||||
case CEXPR_USER:
|
||||
val1 = scontext->user;
|
||||
val2 = tcontext->user;
|
||||
+ if (*expr_buf)
|
||||
+ strcat(*expr_buf, "(u1 u2 ");
|
||||
+ free(src); src = strdup("u1");
|
||||
+ free(tgt); tgt = strdup("u2");
|
||||
break;
|
||||
case CEXPR_TYPE:
|
||||
val1 = scontext->type;
|
||||
val2 = tcontext->type;
|
||||
+ if (*expr_buf)
|
||||
+ strcat(*expr_buf, "(t1 t2 ");
|
||||
+ free(src); src = strdup("t1");
|
||||
+ free(tgt); tgt = strdup("t2");
|
||||
break;
|
||||
case CEXPR_ROLE:
|
||||
val1 = scontext->role;
|
||||
@ -622,8 +655,10 @@ index 9c2920c..04f9978 100644
|
||||
+ if (*expr_buf) {
|
||||
+ name1 = policydb->p_role_val_to_name[r1->s.value - 1];
|
||||
+ name2 = policydb->p_role_val_to_name[r2->s.value - 1];
|
||||
+ sprintf(tmp_buf, "(r1-%s r2-%s ", name1, name2);
|
||||
+ strcat(*expr_buf, tmp_buf);
|
||||
+ snprintf(tmp_buf,sizeof(tmp_buf), "r1-%s", name1);
|
||||
+ free(src); src = strdup(tmp_buf);
|
||||
+ snprintf(tmp_buf,sizeof(tmp_buf), "r2-%s ", name2);
|
||||
+ free(tgt); tgt = strdup(tmp_buf);
|
||||
+ }
|
||||
switch (e->op) {
|
||||
case CEXPR_DOM:
|
||||
@ -631,26 +666,14 @@ index 9c2920c..04f9978 100644
|
||||
- ebitmap_get_bit(&r1->dominates,
|
||||
- val2 - 1);
|
||||
+ s[++sp] = ebitmap_get_bit(&r1->dominates, val2 - 1);
|
||||
+ if (*expr_buf) {
|
||||
+ if (s[sp] == 0) {
|
||||
+ strcat(*expr_buf, "dom -Fail-) ");
|
||||
+ } else {
|
||||
+ strcat(*expr_buf, "dom -Fail-) ");
|
||||
+ }
|
||||
+ }
|
||||
+ msgcat(expr_buf, src, tgt, "dom", s[sp] == 0);
|
||||
continue;
|
||||
case CEXPR_DOMBY:
|
||||
- s[++sp] =
|
||||
- ebitmap_get_bit(&r2->dominates,
|
||||
- val1 - 1);
|
||||
+ s[++sp] = ebitmap_get_bit(&r2->dominates, val1 - 1);
|
||||
+ if (*expr_buf) {
|
||||
+ if (s[sp] == 0) {
|
||||
+ strcat(*expr_buf, "domby -Fail-) ");
|
||||
+ } else {
|
||||
+ strcat(*expr_buf, "domby +Pass+) ");
|
||||
+ }
|
||||
+ }
|
||||
+ msgcat(expr_buf, src, tgt, "domby", s[sp] == 0);
|
||||
continue;
|
||||
case CEXPR_INCOMP:
|
||||
- s[++sp] =
|
||||
@ -660,136 +683,101 @@ index 9c2920c..04f9978 100644
|
||||
- val1 - 1));
|
||||
+ s[++sp] = (!ebitmap_get_bit(&r1->dominates, val2 - 1)
|
||||
+ && !ebitmap_get_bit(&r2->dominates, val1 - 1));
|
||||
+ if (*expr_buf) {
|
||||
+ if (s[sp] == 0) {
|
||||
+ strcat(*expr_buf, "incomp -Fail-) ");
|
||||
+ } else {
|
||||
+ strcat(*expr_buf, "incomp +Pass+) ");
|
||||
+ }
|
||||
+ }
|
||||
+ msgcat(expr_buf, src, tgt, "incomp", s[sp] == 0);
|
||||
continue;
|
||||
default:
|
||||
break;
|
||||
@@ -193,43 +453,90 @@ static int constraint_expr_eval(context_struct_t * scontext,
|
||||
@@ -193,112 +454,203 @@ static int constraint_expr_eval(context_struct_t * scontext,
|
||||
case CEXPR_L1L2:
|
||||
l1 = &(scontext->range.level[0]);
|
||||
l2 = &(tcontext->range.level[0]);
|
||||
+ if (*expr_buf)
|
||||
+ strcat(*expr_buf, "(l1 l2 ");
|
||||
+ free(src); src = strdup("l1");
|
||||
+ free(tgt); tgt = strdup("l2");
|
||||
goto mls_ops;
|
||||
case CEXPR_L1H2:
|
||||
l1 = &(scontext->range.level[0]);
|
||||
l2 = &(tcontext->range.level[1]);
|
||||
+ if (*expr_buf)
|
||||
+ strcat(*expr_buf, "(l1 h2 ");
|
||||
+ free(src); src = strdup("l1");
|
||||
+ free(tgt); tgt = strdup("h2");
|
||||
goto mls_ops;
|
||||
case CEXPR_H1L2:
|
||||
l1 = &(scontext->range.level[1]);
|
||||
l2 = &(tcontext->range.level[0]);
|
||||
+ if (*expr_buf)
|
||||
+ strcat(*expr_buf,"(h1 l2 ");
|
||||
+ free(src); src = strdup("h1");
|
||||
+ free(tgt); tgt = strdup("L2");
|
||||
goto mls_ops;
|
||||
case CEXPR_H1H2:
|
||||
l1 = &(scontext->range.level[1]);
|
||||
l2 = &(tcontext->range.level[1]);
|
||||
+ if (*expr_buf)
|
||||
+ strcat(*expr_buf, "(h1 h2 ");
|
||||
+ free(src); src = strdup("h1");
|
||||
+ free(tgt); tgt = strdup("h2");
|
||||
goto mls_ops;
|
||||
case CEXPR_L1H1:
|
||||
l1 = &(scontext->range.level[0]);
|
||||
l2 = &(scontext->range.level[1]);
|
||||
+ if (*expr_buf)
|
||||
+ strcat(*expr_buf, "(l1 h1 ");
|
||||
+ free(src); src = strdup("l1");
|
||||
+ free(tgt); tgt = strdup("h1");
|
||||
goto mls_ops;
|
||||
case CEXPR_L2H2:
|
||||
l1 = &(tcontext->range.level[0]);
|
||||
l2 = &(tcontext->range.level[1]);
|
||||
+ if (*expr_buf)
|
||||
+ strcat(*expr_buf, "(l2 h2 ");
|
||||
goto mls_ops;
|
||||
- goto mls_ops;
|
||||
- mls_ops:
|
||||
+ mls_ops:
|
||||
+ free(src); src = strdup("l2");
|
||||
+ free(tgt); tgt = strdup("h2");
|
||||
+ mls_ops:
|
||||
switch (e->op) {
|
||||
case CEXPR_EQ:
|
||||
s[++sp] = mls_level_eq(l1, l2);
|
||||
+ if (*expr_buf) {
|
||||
+ if (s[sp] == 0) {
|
||||
+ strcat(*expr_buf, "eq -Fail-) ");
|
||||
+ } else {
|
||||
+ strcat(*expr_buf, "eq +Pass+) ");
|
||||
+ }
|
||||
+ }
|
||||
+ msgcat(expr_buf, src, tgt, "eq", s[sp] == 0);
|
||||
continue;
|
||||
case CEXPR_NEQ:
|
||||
s[++sp] = !mls_level_eq(l1, l2);
|
||||
+ if (*expr_buf) {
|
||||
+ if (s[sp] == 0) {
|
||||
+ strcat(*expr_buf, "neq -Fail-) ");
|
||||
+ } else {
|
||||
+ strcat(*expr_buf, "neq +Pass+) ");
|
||||
+ }
|
||||
+ }
|
||||
+ msgcat(expr_buf, src, tgt, "neq", s[sp] == 0);
|
||||
continue;
|
||||
case CEXPR_DOM:
|
||||
s[++sp] = mls_level_dom(l1, l2);
|
||||
+ if (*expr_buf) {
|
||||
+ if (s[sp] == 0) {
|
||||
+ strcat(*expr_buf, "dom -Fail-) ");
|
||||
+ } else {
|
||||
+ strcat(*expr_buf, "dom +Pass+) ");
|
||||
+ }
|
||||
+ }
|
||||
+ msgcat(expr_buf, src, tgt, "dom", s[sp] == 0);
|
||||
continue;
|
||||
case CEXPR_DOMBY:
|
||||
s[++sp] = mls_level_dom(l2, l1);
|
||||
+ if (*expr_buf) {
|
||||
+ if (s[sp] == 0) {
|
||||
+ strcat(*expr_buf, "domby -Fail-) ");
|
||||
+ } else {
|
||||
+ strcat(*expr_buf, "domby +Pass+) ");
|
||||
+ }
|
||||
+ }
|
||||
+ msgcat(expr_buf, src, tgt, "domby", s[sp] == 0);
|
||||
continue;
|
||||
case CEXPR_INCOMP:
|
||||
s[++sp] = mls_level_incomp(l2, l1);
|
||||
+ if (*expr_buf) {
|
||||
+ if (s[sp] == 0) {
|
||||
+ strcat(*expr_buf, "incomp -Fail-) ");
|
||||
+ } else {
|
||||
+ strcat(*expr_buf, "incomp +Pass+) ");
|
||||
+ }
|
||||
+ }
|
||||
+ msgcat(expr_buf, src, tgt, "incomp", s[sp] == 0);
|
||||
continue;
|
||||
default:
|
||||
BUG();
|
||||
@@ -244,9 +551,23 @@ static int constraint_expr_eval(context_struct_t * scontext,
|
||||
switch (e->op) {
|
||||
case CEXPR_EQ:
|
||||
s[++sp] = (val1 == val2);
|
||||
+ if (*expr_buf) {
|
||||
+ if (s[sp] == 0) {
|
||||
+ strcat(*expr_buf, "eq -Fail-) ");
|
||||
+ } else {
|
||||
+ strcat(*expr_buf, "eq +Pass+) ");
|
||||
+ }
|
||||
+ }
|
||||
break;
|
||||
case CEXPR_NEQ:
|
||||
s[++sp] = (val1 != val2);
|
||||
+ if (*expr_buf) {
|
||||
+ if (s[sp] == 0) {
|
||||
+ strcat(*expr_buf, "neq -Fail-) ");
|
||||
+ } else {
|
||||
+ strcat(*expr_buf, "neq +Pass+) ");
|
||||
+ }
|
||||
+ }
|
||||
- return 0;
|
||||
+ goto out;
|
||||
}
|
||||
break;
|
||||
default:
|
||||
BUG();
|
||||
@@ -256,22 +577,46 @@ static int constraint_expr_eval(context_struct_t * scontext,
|
||||
- return 0;
|
||||
+ goto out;
|
||||
}
|
||||
|
||||
switch (e->op) {
|
||||
case CEXPR_EQ:
|
||||
s[++sp] = (val1 == val2);
|
||||
+ msgcat(expr_buf, src, tgt, "eq", s[sp] == 0);
|
||||
break;
|
||||
case CEXPR_NEQ:
|
||||
s[++sp] = (val1 != val2);
|
||||
+ msgcat(expr_buf, src, tgt, "neq", s[sp] == 0);
|
||||
break;
|
||||
default:
|
||||
BUG();
|
||||
- return 0;
|
||||
+ goto out;
|
||||
}
|
||||
break;
|
||||
case CEXPR_NAMES:
|
||||
if (sp == (CEXPR_MAXDEPTH - 1))
|
||||
return 0;
|
||||
- return 0;
|
||||
+ goto out;
|
||||
+ s_t_x_num = SOURCE;
|
||||
c = scontext;
|
||||
- if (e->attr & CEXPR_TARGET)
|
||||
@ -808,7 +796,7 @@ index 9c2920c..04f9978 100644
|
||||
- if (e->attr & CEXPR_USER)
|
||||
+ if (!c) {
|
||||
+ BUG();
|
||||
+ return 0;
|
||||
+ goto out;
|
||||
+ }
|
||||
+ if (e->attr & CEXPR_USER) {
|
||||
+ u_r_t = CEXPR_USER;
|
||||
@ -816,8 +804,8 @@ index 9c2920c..04f9978 100644
|
||||
- else if (e->attr & CEXPR_ROLE)
|
||||
+ if (*expr_buf) {
|
||||
+ name1 = policydb->p_user_val_to_name[val1 - 1];
|
||||
+ sprintf(tmp_buf, "(u%d-%s ", s_t_x_num, name1);
|
||||
+ strcat(*expr_buf, tmp_buf);
|
||||
+ snprintf(tmp_buf,sizeof(tmp_buf), "u%d=%s ", s_t_x_num, name1);
|
||||
+ free(src); src = strdup(tmp_buf);
|
||||
+ }
|
||||
+ }
|
||||
+ else if (e->attr & CEXPR_ROLE) {
|
||||
@ -826,8 +814,8 @@ index 9c2920c..04f9978 100644
|
||||
- else if (e->attr & CEXPR_TYPE)
|
||||
+ if (*expr_buf) {
|
||||
+ name1 = policydb->p_role_val_to_name[val1 - 1];
|
||||
+ sprintf(tmp_buf, "(r%d-%s ", s_t_x_num, name1);
|
||||
+ strcat(*expr_buf, tmp_buf);
|
||||
+ snprintf(tmp_buf,sizeof(tmp_buf), "r%d=%s ", s_t_x_num, name1);
|
||||
+ free(src); src = strdup(tmp_buf);
|
||||
+ }
|
||||
+ }
|
||||
+ else if (e->attr & CEXPR_TYPE) {
|
||||
@ -835,14 +823,15 @@ index 9c2920c..04f9978 100644
|
||||
val1 = c->type;
|
||||
+ if (*expr_buf) {
|
||||
+ name1 = policydb->p_type_val_to_name[val1 - 1];
|
||||
+ sprintf(tmp_buf, "(t%d-%s ", s_t_x_num, name1);
|
||||
+ strcat(*expr_buf, tmp_buf);
|
||||
+ snprintf(tmp_buf,sizeof(tmp_buf), "t%d=%s ", s_t_x_num, name1);
|
||||
+ free(src); src = strdup(tmp_buf);
|
||||
+ }
|
||||
+ }
|
||||
else {
|
||||
BUG();
|
||||
return 0;
|
||||
@@ -279,10 +624,61 @@ static int constraint_expr_eval(context_struct_t * scontext,
|
||||
- return 0;
|
||||
+ goto out;
|
||||
}
|
||||
|
||||
switch (e->op) {
|
||||
case CEXPR_EQ:
|
||||
@ -861,16 +850,12 @@ index 9c2920c..04f9978 100644
|
||||
+ ERR(NULL, "unrecognized u_r_t Value: %d", u_r_t);
|
||||
+ break;
|
||||
+ }
|
||||
+
|
||||
+ get_names_list(&e->names, u_r_t, expr_buf);
|
||||
+
|
||||
s[++sp] = ebitmap_get_bit(&e->names, val1 - 1);
|
||||
+ if (*expr_buf) {
|
||||
+ if (s[sp] == 0) {
|
||||
+ strcat(*expr_buf, " eq -Fail-) ");
|
||||
+ } else {
|
||||
+ strcat(*expr_buf, " eq +Pass+) ");
|
||||
+ }
|
||||
+ free(tgt); tgt=strdup("ATTRIBUTE");
|
||||
+ msgcat(expr_buf, src, tgt, "neq", s[sp] == 0);
|
||||
+ if (s[sp] == 0) {
|
||||
+ get_names_list(&e->names, u_r_t, expr_buf);
|
||||
+ }
|
||||
break;
|
||||
+
|
||||
@ -890,151 +875,138 @@ index 9c2920c..04f9978 100644
|
||||
+ ERR(NULL, "unrecognized u_r_t Value: %d", u_r_t);
|
||||
+ break;
|
||||
+ }
|
||||
+
|
||||
+ get_names_list(&e->names, u_r_t, expr_buf);
|
||||
+
|
||||
s[++sp] = !ebitmap_get_bit(&e->names, val1 - 1);
|
||||
+ if (*expr_buf) {
|
||||
+ if (s[sp] == 0) {
|
||||
+ strcat(*expr_buf, " neq -Fail-) ");
|
||||
+ } else {
|
||||
+ strcat(*expr_buf, " neq +Pass+) ");
|
||||
+ }
|
||||
+ }
|
||||
+ free(tgt); tgt=strdup("ATTRIBUTE");
|
||||
+ msgcat(expr_buf, src, tgt, "neq", s[sp] == 0);
|
||||
+ get_names_list(&e->names, u_r_t, expr_buf);
|
||||
break;
|
||||
default:
|
||||
BUG();
|
||||
@@ -296,9 +692,21 @@ static int constraint_expr_eval(context_struct_t * scontext,
|
||||
- return 0;
|
||||
+ goto out;
|
||||
}
|
||||
break;
|
||||
default:
|
||||
BUG();
|
||||
- return 0;
|
||||
+ goto out;
|
||||
}
|
||||
}
|
||||
+ if (*expr_buf)
|
||||
+ strncat(*expr_buf, ")", REASON_BUF_SIZE);
|
||||
+ rc = s[0];
|
||||
+
|
||||
+out:
|
||||
+ free(src);
|
||||
+ free(tgt);
|
||||
|
||||
BUG_ON(sp != 0);
|
||||
+
|
||||
+ if (*expr_buf) {
|
||||
+ if (s[0] == 0) {
|
||||
+ char *denied = {"\n** Constraint DENIED access **\n\n"};
|
||||
+ strcat(*expr_buf, denied);
|
||||
+ } else {
|
||||
+ char *allow = {"\n** Constraint ALLOWED access **\n\n"};
|
||||
+ strcat(*expr_buf, allow);
|
||||
+ }
|
||||
+ }
|
||||
return s[0];
|
||||
- return s[0];
|
||||
+ return rc;
|
||||
}
|
||||
|
||||
+
|
||||
+
|
||||
/*
|
||||
* Compute access vectors based on a context structure pair for
|
||||
* the permissions in a particular class.
|
||||
@@ -308,7 +716,8 @@ static int context_struct_compute_av(context_struct_t * scontext,
|
||||
@@ -308,7 +660,8 @@ static int context_struct_compute_av(context_struct_t * scontext,
|
||||
sepol_security_class_t tclass,
|
||||
sepol_access_vector_t requested,
|
||||
struct sepol_av_decision *avd,
|
||||
- unsigned int *reason)
|
||||
+ unsigned int *reason,
|
||||
+ char *expr_buf)
|
||||
+ char *expr_buf)
|
||||
{
|
||||
constraint_node_t *constraint;
|
||||
struct role_allow *ra;
|
||||
@@ -383,8 +792,8 @@ static int context_struct_compute_av(context_struct_t * scontext,
|
||||
@@ -383,8 +736,8 @@ static int context_struct_compute_av(context_struct_t * scontext,
|
||||
constraint = tclass_datum->constraints;
|
||||
while (constraint) {
|
||||
if ((constraint->permissions & (avd->allowed)) &&
|
||||
- !constraint_expr_eval(scontext, tcontext, NULL,
|
||||
- constraint->expr)) {
|
||||
+ !constraint_expr_eval_reason(scontext, tcontext, NULL,
|
||||
+ tclass, avd->allowed, constraint->expr, &expr_buf)) {
|
||||
+ tclass, constraint, &expr_buf)) {
|
||||
avd->allowed =
|
||||
(avd->allowed) & ~(constraint->permissions);
|
||||
}
|
||||
@@ -459,8 +868,8 @@ int hidden sepol_validate_transition(sepol_security_id_t oldsid,
|
||||
@@ -459,8 +812,8 @@ int hidden sepol_validate_transition(sepol_security_id_t oldsid,
|
||||
|
||||
constraint = tclass_datum->validatetrans;
|
||||
while (constraint) {
|
||||
- if (!constraint_expr_eval(ocontext, ncontext, tcontext,
|
||||
- constraint->expr)) {
|
||||
+ if (!constraint_expr_eval_reason(ocontext, ncontext, tcontext,
|
||||
+ 0, 0, constraint->expr, NULL)) {
|
||||
+ 0, constraint, NULL)) {
|
||||
return -EPERM;
|
||||
}
|
||||
constraint = constraint->next;
|
||||
@@ -469,13 +878,21 @@ int hidden sepol_validate_transition(sepol_security_id_t oldsid,
|
||||
return 0;
|
||||
@@ -493,11 +846,57 @@ int hidden sepol_compute_av_reason(sepol_security_id_t ssid,
|
||||
}
|
||||
|
||||
rc = context_struct_compute_av(scontext, tcontext, tclass,
|
||||
- requested, avd, reason);
|
||||
+ requested, avd, reason, NULL);
|
||||
out:
|
||||
return rc;
|
||||
}
|
||||
|
||||
-int hidden sepol_compute_av_reason(sepol_security_id_t ssid,
|
||||
+/*
|
||||
+ * sepol_compute_av_reason_buffer - the reason buffer is malloc'd
|
||||
+ * to REASON_BUF_SIZE that seems okay for the Reference Policy.
|
||||
+ * TODO manage size using realloc at some stage.
|
||||
+ */
|
||||
+#define REASON_BUF_SIZE 100000
|
||||
+int hidden sepol_compute_av_reason_buffer(sepol_security_id_t ssid,
|
||||
sepol_security_id_t tsid,
|
||||
sepol_security_class_t tclass,
|
||||
sepol_access_vector_t requested,
|
||||
struct sepol_av_decision *avd,
|
||||
- unsigned int *reason)
|
||||
+ unsigned int *reason,
|
||||
+ char **reason_buf)
|
||||
{
|
||||
+ char *expr_buf = NULL;
|
||||
context_struct_t *scontext = 0, *tcontext = 0;
|
||||
int rc = 0;
|
||||
|
||||
@@ -485,6 +902,7 @@ int hidden sepol_compute_av_reason(sepol_security_id_t ssid,
|
||||
rc = -EINVAL;
|
||||
goto out;
|
||||
}
|
||||
+
|
||||
tcontext = sepol_sidtab_search(sidtab, tsid);
|
||||
if (!tcontext) {
|
||||
ERR(NULL, "unrecognized SID %d", tsid);
|
||||
@@ -493,11 +911,36 @@ int hidden sepol_compute_av_reason(sepol_security_id_t ssid,
|
||||
}
|
||||
|
||||
rc = context_struct_compute_av(scontext, tcontext, tclass,
|
||||
- requested, avd, reason);
|
||||
- out:
|
||||
+ requested, avd, reason, expr_buf);
|
||||
+ if (rc) {
|
||||
+ goto out;
|
||||
+ }
|
||||
+
|
||||
+ if (!avd->allowed && (*reason & SEPOL_COMPUTEAV_CONS) && reason_buf) {
|
||||
+ expr_buf = calloc(REASON_BUF_SIZE,1);
|
||||
+ if (!expr_buf) {
|
||||
+ ERR(NULL, "malloc failed to allocate constraint reason buffer");
|
||||
+ return -ENOMEM;
|
||||
+ }
|
||||
+ rc = context_struct_compute_av(scontext, tcontext, tclass,
|
||||
+ requested, avd, reason, expr_buf);
|
||||
+ *reason_buf = expr_buf;
|
||||
+ }
|
||||
+
|
||||
+out:
|
||||
return rc;
|
||||
}
|
||||
|
||||
+int hidden sepol_compute_av_reason(sepol_security_id_t ssid,
|
||||
+ sepol_security_id_t tsid,
|
||||
+ sepol_security_class_t tclass,
|
||||
+ sepol_access_vector_t requested,
|
||||
+ struct sepol_av_decision *avd,
|
||||
+ unsigned int *reason)
|
||||
+ unsigned int *reason,
|
||||
+ char **reason_buf)
|
||||
+{
|
||||
+ return sepol_compute_av_reason_buffer(ssid, tsid, tclass, requested, avd, reason, NULL);
|
||||
+ char *expr_buf = NULL;
|
||||
+
|
||||
+ expr_buf = malloc(REASON_BUF_SIZE);
|
||||
+ if (!expr_buf) {
|
||||
+ ERR(NULL, "malloc failed to allocate constraint reason buffer");
|
||||
+ return -ENOMEM;
|
||||
+ }
|
||||
+ bzero(expr_buf, REASON_BUF_SIZE);
|
||||
+
|
||||
+ context_struct_t *scontext = 0, *tcontext = 0;
|
||||
+ int rc = 0;
|
||||
+
|
||||
+ scontext = sepol_sidtab_search(sidtab, ssid);
|
||||
+ if (!scontext) {
|
||||
+ ERR(NULL, "unrecognized SID %d", ssid);
|
||||
+ rc = -EINVAL;
|
||||
+ goto out;
|
||||
+ }
|
||||
+ tcontext = sepol_sidtab_search(sidtab, tsid);
|
||||
+ if (!tcontext) {
|
||||
+ ERR(NULL, "unrecognized SID %d", tsid);
|
||||
+ rc = -EINVAL;
|
||||
+ goto out;
|
||||
+ }
|
||||
+
|
||||
+ rc = context_struct_compute_av(scontext, tcontext, tclass,
|
||||
+ requested, avd, reason, expr_buf);
|
||||
+ *reason_buf = expr_buf;
|
||||
+
|
||||
+ out:
|
||||
+ return rc;
|
||||
+}
|
||||
+
|
||||
int hidden sepol_compute_av(sepol_security_id_t ssid,
|
||||
sepol_security_id_t tsid,
|
||||
sepol_security_class_t tclass,
|
||||
@@ -510,6 +953,65 @@ int hidden sepol_compute_av(sepol_security_id_t ssid,
|
||||
@@ -510,6 +909,66 @@ int hidden sepol_compute_av(sepol_security_id_t ssid,
|
||||
}
|
||||
|
||||
/*
|
||||
+ * Return a class ID associated with the class string representation
|
||||
+ * specified by `class_name'.
|
||||
+ * Return a class ID associated with the class string specified by
|
||||
+ * class_name.
|
||||
+ */
|
||||
+int hidden sepol_class_name_to_id(const char *class_name,
|
||||
+ sepol_security_class_t *tclass)
|
||||
@ -1055,15 +1027,15 @@ index 9c2920c..04f9978 100644
|
||||
+}
|
||||
+
|
||||
+/*
|
||||
+ * Return access vertor bit associated with the class / permission string.
|
||||
+ * Return access vector bit associated with the class ID and permission
|
||||
+ * string.
|
||||
+ */
|
||||
+int hidden sepol_perm_name_to_av(sepol_security_class_t tclass,
|
||||
+ const char *perm_name,
|
||||
+ sepol_access_vector_t *av)
|
||||
+{
|
||||
+ class_datum_t *tclass_datum;
|
||||
+ perm_datum_t *base_perm;
|
||||
+ perm_datum_t *common_perm;
|
||||
+ perm_datum_t *perm_datum;
|
||||
+
|
||||
+ if (!tclass || tclass > policydb->p_classes.nprim) {
|
||||
+ ERR(NULL, "unrecognized class %d", tclass);
|
||||
@ -1071,19 +1043,20 @@ index 9c2920c..04f9978 100644
|
||||
+ }
|
||||
+ tclass_datum = policydb->class_val_to_struct[tclass - 1];
|
||||
+
|
||||
+ base_perm = (perm_datum_t *)
|
||||
+ /* Check for unique perms then the common ones */
|
||||
+ perm_datum = (perm_datum_t *)
|
||||
+ hashtab_search(tclass_datum->permissions.table,
|
||||
+ (hashtab_key_t)perm_name);
|
||||
+ if (base_perm != NULL) {
|
||||
+ *av = 0x1 << (base_perm->s.value - 1);
|
||||
+ if (perm_datum != NULL) {
|
||||
+ *av = 0x1 << (perm_datum->s.value - 1);
|
||||
+ return STATUS_SUCCESS;
|
||||
+ }
|
||||
+
|
||||
+ common_perm = (perm_datum_t *)
|
||||
+ perm_datum = (perm_datum_t *)
|
||||
+ hashtab_search(tclass_datum->comdatum->permissions.table,
|
||||
+ (hashtab_key_t)perm_name);
|
||||
+ if (common_perm != NULL) {
|
||||
+ *av = 0x1 << (common_perm->s.value - 1);
|
||||
+ if (perm_datum != NULL) {
|
||||
+ *av = 0x1 << (perm_datum->s.value - 1);
|
||||
+ return STATUS_SUCCESS;
|
||||
+ }
|
||||
+
|
||||
@ -1095,7 +1068,7 @@ index 9c2920c..04f9978 100644
|
||||
* Write the security context string representation of
|
||||
* the context associated with `sid' into a dynamically
|
||||
* allocated string of the correct size. Set `*scontext'
|
||||
@@ -1337,7 +1839,7 @@ int hidden sepol_get_user_sids(sepol_security_id_t fromsid,
|
||||
@@ -1337,7 +1796,7 @@ int hidden sepol_get_user_sids(sepol_security_id_t fromsid,
|
||||
rc = context_struct_compute_av(fromcon, &usercon,
|
||||
SECCLASS_PROCESS,
|
||||
PROCESS__TRANSITION,
|
||||
|
@ -1,7 +1,7 @@
|
||||
Summary: SELinux binary policy manipulation library
|
||||
Name: libsepol
|
||||
Version: 2.1.8
|
||||
Release: 3%{?dist}
|
||||
Release: 4%{?dist}
|
||||
License: LGPLv2+
|
||||
Group: System Environment/Libraries
|
||||
Source: http://www.nsa.gov/selinux/archives/libsepol-%{version}.tgz
|
||||
@ -99,6 +99,9 @@ exit 0
|
||||
/%{_lib}/libsepol.so.1
|
||||
|
||||
%changelog
|
||||
* Tue Nov 27 2012 Dan Walsh <dwalsh@redhat.com> - 2.1.8-4
|
||||
- Update Richard Haines patch to show constraint information
|
||||
|
||||
* Mon Nov 19 2012 Dan Walsh <dwalsh@redhat.com> - 2.1.8-3
|
||||
- Add sepol_compute_av_reason_buffer patch from Richard Haines
|
||||
|
||||
@ -185,7 +188,7 @@ dup!
|
||||
* setools expects expand_module_avrules to be an exported
|
||||
* tree: default make target to all not
|
||||
|
||||
* Thu Sep 14 2011 Dan Walsh <dwalsh@redhat.com> - 2.1.2-3
|
||||
* Thu Sep 15 2011 Dan Walsh <dwalsh@redhat.com> - 2.1.2-3
|
||||
- Add patch to handle preserving tunables
|
||||
|
||||
* Thu Sep 1 2011 Dan Walsh <dwalsh@redhat.com> - 2.1.2-2
|
||||
@ -204,7 +207,7 @@ dup!
|
||||
- Update to upstream
|
||||
* Release, minor version bump
|
||||
|
||||
* Thu May 3 2011 Dan Walsh <dwalsh@redhat.com> 2.0.45-1
|
||||
* Tue May 3 2011 Dan Walsh <dwalsh@redhat.com> 2.0.45-1
|
||||
- Update to upstream
|
||||
* Warn if filename_trans rules are dropped by Steve Lawrence.
|
||||
|
||||
@ -254,7 +257,7 @@ Resolves: #555835
|
||||
- Upgrade to latest from NSA
|
||||
* Add pkgconfig file from Eamon Walsh.
|
||||
|
||||
* Tue Oct 14 2009 Dan Walsh <dwalsh@redhat.com> 2.0.39-1
|
||||
* Wed Oct 14 2009 Dan Walsh <dwalsh@redhat.com> 2.0.39-1
|
||||
- Upgrade to latest from NSA
|
||||
* Add support for building Xen policies from Paul Nuzzi.
|
||||
|
||||
@ -512,7 +515,7 @@ Resolves: #555835
|
||||
a policy requires the compatibility support for network checks
|
||||
to be enabled in the kernel.
|
||||
|
||||
* Thu May 15 2006 Dan Walsh <dwalsh@redhat.com> 1.12.11-1
|
||||
* Thu May 18 2006 Dan Walsh <dwalsh@redhat.com> 1.12.11-1
|
||||
- Upgrade to latest from NSA
|
||||
* Merged patch to initialize sym_val_to_name arrays from Kevin Carr.
|
||||
Reworked to use calloc in the first place, and converted some other
|
||||
@ -619,7 +622,7 @@ Resolves: #555835
|
||||
- Upgrade to latest from NSA
|
||||
* Merged 2nd const in APIs patch from Ivan Gyurdiev.
|
||||
|
||||
* Fri Jan 7 2006 Dan Walsh <dwalsh@redhat.com> 1.11.7-1
|
||||
* Fri Jan 6 2006 Dan Walsh <dwalsh@redhat.com> 1.11.7-1
|
||||
- Upgrade to latest from NSA
|
||||
* Merged const in APIs patch from Ivan Gyurdiev.
|
||||
* Merged compare2 function patch from Ivan Gyurdiev.
|
||||
@ -855,7 +858,7 @@ Resolves: #555835
|
||||
* Merged fix for sepol_enable/disable_debug from Ivan
|
||||
Gyurdiev.
|
||||
|
||||
* Mon Sep 14 2005 Dan Walsh <dwalsh@redhat.com> 1.9.1-2
|
||||
* Wed Sep 14 2005 Dan Walsh <dwalsh@redhat.com> 1.9.1-2
|
||||
- Upgrade to latest from NSA
|
||||
* Merged stddef.h patch and debug conversion patch from
|
||||
Ivan Gyurdiev.
|
||||
|
Loading…
Reference in New Issue
Block a user