From a7ec325b4409690bbc4bc9f6fae7b23a2ba009cf Mon Sep 17 00:00:00 2001
From: Petr Lautrbach
Date: Fri, 8 Apr 2016 20:27:32 +0200
Subject: [PATCH] libsepol-2.5-3 - Fix bug in CIL when resetting classes - Add support for portcon dccp protocol
---
 libsepol-fedora.patch | 170 ++++++++++++++++++++++++++++++++++++++++++
 libsepol.spec | 8 +-
 2 files changed, 176 insertions(+), 2 deletions(-)

diff --git a/libsepol-fedora.patch b/libsepol-fedora.patch
index e69de29..0a5c4d8 100644
--- a/libsepol-fedora.patch
+++ b/libsepol-fedora.patch
@@ -0,0 +1,170 @@
+diff --git libsepol-2.5/ChangeLog libsepol-2.5/ChangeLog
+index ace3d54..41bf8c0 100644
+--- libsepol-2.5/ChangeLog
++++ libsepol-2.5/ChangeLog
+@@ -1,3 +1,6 @@
++ * Add support for portcon dccp protocol, from Richard Haines
++ * Fix bug in CIL when resetting classes, from Steve Lawrence
++
+ 2.5 2016-02-23
+ * Fix unused variable annotations, from Nicolas Iooss.
+ * Fix uninitialized variable in CIL, from Nicolas Iooss.
+diff --git libsepol-2.5/cil/src/cil.c libsepol-2.5/cil/src/cil.c
+index afdc240..de7033a 100644
+--- libsepol-2.5/cil/src/cil.c
++++ libsepol-2.5/cil/src/cil.c
+@@ -108,6 +108,7 @@ static void cil_init_keys(void)
+ CIL_KEY_STAR = cil_strpool_add("*");
+ CIL_KEY_UDP = cil_strpool_add("udp");
+ CIL_KEY_TCP = cil_strpool_add("tcp");
++ CIL_KEY_DCCP = cil_strpool_add("dccp");
+ CIL_KEY_AUDITALLOW = cil_strpool_add("auditallow");
+ CIL_KEY_TUNABLEIF = cil_strpool_add("tunableif");
+ CIL_KEY_ALLOW = cil_strpool_add("allow");
+diff --git libsepol-2.5/cil/src/cil_binary.c libsepol-2.5/cil/src/cil_binary.c
+index f749e53..5d7e52e 100644
+--- libsepol-2.5/cil/src/cil_binary.c
++++ libsepol-2.5/cil/src/cil_binary.c
+@@ -3035,6 +3035,9 @@ int cil_portcon_to_policydb(policydb_t *pdb, struct cil_sort *portcons)
+ case CIL_PROTOCOL_TCP:
+ new_ocon->u.port.protocol = IPPROTO_TCP;
+ break;
++ case CIL_PROTOCOL_DCCP:
++ new_ocon->u.port.protocol = IPPROTO_DCCP;
++ break;
+ default:
+ /* should not get here */
+ rc = SEPOL_ERR;
+diff --git libsepol-2.5/cil/src/cil_build_ast.c libsepol-2.5/cil/src/cil_build_ast.c
+index 1135e06..90fee8e 100644
+--- libsepol-2.5/cil/src/cil_build_ast.c
++++ libsepol-2.5/cil/src/cil_build_ast.c
+@@ -4261,6 +4261,8 @@ int cil_gen_portcon(struct cil_db *db, struct cil_tree_node *parse_current, stru
+ portcon->proto = CIL_PROTOCOL_UDP;
+ } else if (proto == CIL_KEY_TCP) {
+ portcon->proto = CIL_PROTOCOL_TCP;
++ } else if (proto == CIL_KEY_DCCP) {
++ portcon->proto = CIL_PROTOCOL_DCCP;
+ } else {
+ cil_log(CIL_ERR, "Invalid protocol\n");
+ rc = SEPOL_ERR;
+diff --git libsepol-2.5/cil/src/cil_internal.h libsepol-2.5/cil/src/cil_internal.h
+index a0a5480..a75ddf8 100644
+--- libsepol-2.5/cil/src/cil_internal.h
++++ libsepol-2.5/cil/src/cil_internal.h
+@@ -101,6 +101,7 @@ char *CIL_KEY_OBJECT_R;
+ char *CIL_KEY_STAR;
+ char *CIL_KEY_TCP;
+ char *CIL_KEY_UDP;
++char *CIL_KEY_DCCP;
+ char *CIL_KEY_AUDITALLOW;
+ char *CIL_KEY_TUNABLEIF;
+ char *CIL_KEY_ALLOW;
+@@ -713,7 +714,8 @@ struct cil_filecon {
+ 
+ enum cil_protocol {
+ CIL_PROTOCOL_UDP = 1,
+- CIL_PROTOCOL_TCP
++ CIL_PROTOCOL_TCP,
++ CIL_PROTOCOL_DCCP
+ };
+ 
+ struct cil_portcon {
+diff --git libsepol-2.5/cil/src/cil_policy.c libsepol-2.5/cil/src/cil_policy.c
+index 2c9b158..382129b 100644
+--- libsepol-2.5/cil/src/cil_policy.c
++++ libsepol-2.5/cil/src/cil_policy.c
+@@ -123,6 +123,8 @@ int cil_portcon_to_policy(FILE **file_arr, struct cil_sort *sort)
+ fprintf(file_arr[NETIFCONS], "udp ");
+ } else if (portcon->proto == CIL_PROTOCOL_TCP) {
+ fprintf(file_arr[NETIFCONS], "tcp ");
++ } else if (portcon->proto == CIL_PROTOCOL_DCCP) {
++ fprintf(file_arr[NETIFCONS], "dccp ");
+ }
+ fprintf(file_arr[NETIFCONS], "%d ", portcon->port_low);
+ fprintf(file_arr[NETIFCONS], "%d ", portcon->port_high);
+diff --git libsepol-2.5/cil/src/cil_reset_ast.c libsepol-2.5/cil/src/cil_reset_ast.c
+index 06146ca..de00679 100644
+--- libsepol-2.5/cil/src/cil_reset_ast.c
++++ libsepol-2.5/cil/src/cil_reset_ast.c
+@@ -23,7 +23,7 @@ static void cil_reset_class(struct cil_class *class)
+ {
+ if (class->common != NULL) {
+ struct cil_class *common = class->common;
+- cil_symtab_map(&common->perms, __class_reset_perm_values, &common->num_perms);
++ cil_symtab_map(&class->perms, __class_reset_perm_values, &common->num_perms);
+ /* during a re-resolve, we need to reset the common, so a classcommon
+ * statement isn't seen as a duplicate */
+ class->num_perms -= common->num_perms;
+diff --git libsepol-2.5/cil/src/cil_tree.c libsepol-2.5/cil/src/cil_tree.c
+index 1c23efc..563b817 100644
+--- libsepol-2.5/cil/src/cil_tree.c
++++ libsepol-2.5/cil/src/cil_tree.c
+@@ -1319,6 +1319,8 @@ void cil_tree_print_node(struct cil_tree_node *node)
+ cil_log(CIL_INFO, " udp");
+ } else if (portcon->proto == CIL_PROTOCOL_TCP) {
+ cil_log(CIL_INFO, " tcp");
++ } else if (portcon->proto == CIL_PROTOCOL_DCCP) {
++ cil_log(CIL_INFO, " dccp");
+ }
+ cil_log(CIL_INFO, " (%d %d)", portcon->port_low, portcon->port_high);
+ 
+diff --git libsepol-2.5/include/sepol/port_record.h libsepol-2.5/include/sepol/port_record.h
+index 697cea4..c07d1fa 100644
+--- libsepol-2.5/include/sepol/port_record.h
++++ libsepol-2.5/include/sepol/port_record.h
+@@ -14,6 +14,7 @@ typedef struct sepol_port_key sepol_port_key_t;
+ 
+ #define SEPOL_PROTO_UDP 0
+ #define SEPOL_PROTO_TCP 1
++#define SEPOL_PROTO_DCCP 2
+ 
+ /* Key */
+ extern int sepol_port_compare(const sepol_port_t * port,
+diff --git libsepol-2.5/src/module_to_cil.c libsepol-2.5/src/module_to_cil.c
+index 18ec6b9..b478d9f 100644
+--- libsepol-2.5/src/module_to_cil.c
++++ libsepol-2.5/src/module_to_cil.c
+@@ -2537,6 +2537,7 @@ static int ocontext_selinux_port_to_cil(struct policydb *pdb, struct ocontext *p
+ switch (portcon->u.port.protocol) {
+ case IPPROTO_TCP: protocol = "tcp"; break;
+ case IPPROTO_UDP: protocol = "udp"; break;
++ case IPPROTO_DCCP: protocol = "dccp"; break;
+ default:
+ log_err("Unknown portcon protocol: %i", portcon->u.port.protocol);
+ rc = -1;
+diff --git libsepol-2.5/src/port_record.c libsepol-2.5/src/port_record.c
+index 6a33d93..ed9093b 100644
+--- libsepol-2.5/src/port_record.c
++++ libsepol-2.5/src/port_record.c
+@@ -184,6 +184,8 @@ const char *sepol_port_get_proto_str(int proto)
+ return "udp";
+ case SEPOL_PROTO_TCP:
+ return "tcp";
++ case SEPOL_PROTO_DCCP:
++ return "dccp";
+ default:
+ return "???";
+ }
+diff --git libsepol-2.5/src/ports.c libsepol-2.5/src/ports.c
+index 607a629..b1ee094 100644
+--- libsepol-2.5/src/ports.c
++++ libsepol-2.5/src/ports.c
+@@ -16,6 +16,8 @@ static inline int sepol2ipproto(sepol_handle_t * handle, int proto)
+ return IPPROTO_TCP;
+ case SEPOL_PROTO_UDP:
+ return IPPROTO_UDP;
++ case SEPOL_PROTO_DCCP:
++ return IPPROTO_DCCP;
+ default:
+ ERR(handle, "unsupported protocol %u", proto);
+ return STATUS_ERR;
+@@ -30,6 +32,8 @@ static inline int ipproto2sepol(sepol_handle_t * handle, int proto)
+ return SEPOL_PROTO_TCP;
+ case IPPROTO_UDP:
+ return SEPOL_PROTO_UDP;
++ case IPPROTO_DCCP:
++ return SEPOL_PROTO_DCCP;
+ default:
+ ERR(handle, "invalid protocol %u " "found in policy", proto);
+ return STATUS_ERR;
diff --git a/libsepol.spec b/libsepol.spec
index f7a55bf..ac4fbbb 100644
--- a/libsepol.spec
+++ b/libsepol.spec
@@ -1,14 +1,14 @@
Summary: SELinux binary policy manipulation library
Name: libsepol
Version: 2.5
-Release: 2%{?dist}
+Release: 3%{?dist}
License: LGPLv2+
Group: System Environment/Libraries
Source: https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20160223/libsepol-2.5.tar.gz
# download https://raw.githubusercontent.com/fedora-selinux/scripts/master/selinux/make-fedora-selinux-patch.sh
# run:
# $ VERSION=2.5 ./make-fedora-selinux-patch.sh libsepol
-# HEAD fedora-20160223
+# HEAD https://github.com/fedora-selinux/selinux/commit/4bfb84c7ff7b33cf06b9a6b2317d24054b9db562
#
Patch1: libsepol-fedora.patch
URL: https://github.com/SELinuxProject/selinux/wiki
BuildRequires: flex
@@ -107,6 +107,10 @@ exit 0
%{_libdir}/libsepol.so.1
%changelog
+* Fri Apr 08 2016 Petr Lautrbach - 2.5-3
+- Fix bug in CIL when resetting classes
+- Add support for portcon dccp protocol
+ * Sun Feb 28 2016 Petr Lautrbach 2.5-2 - Use fully versioned arch-specific requires
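Review bot: The new `IPPROTO_DCCP` arms in cil_binary.c (cil_portcon_to_policydb), module_to_cil.c (ocontext_selinux_port_to_cil) and ports.c (sepol2ipproto, ipproto2sepol) use the macro unconditionally and nothing in the patch guards it; `IPPROTO_DCCP` comes from the platform's `<netinet/in.h>` and may not be defined by every libc the library is built against, so such a build would fail outright rather than fall back to tcp/udp only. If older or non-Linux toolchains are a target, wrapping each of those arms in `#ifdef IPPROTO_DCCP` … `#endif` keeps the existing behaviour there unchanged. Separately, `SEPOL_PROTO_DCCP 2` is added to the public port_record.h and `ipproto2sepol` now returns that value to any caller reading a policy that contains dccp portcons, so consumers that switch only on `SEPOL_PROTO_TCP`/`SEPOL_PROTO_UDP` will land in their default branch; that is worth a sentence in the ChangeLog entry. All of the functions touched by the nested hunks begin and end outside the quoted context.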