libsepol-2.5-9

- Warn instead of fail if permission is not resolved
- Ignore object_r when adding userrole mappings to policydb
Petr Lautrbach 2016-08-01 10:46:53 +02:00
parent 5ec2ad1fb2
commit aac9abeb50
2 changed files with 63 additions and 30 deletions


@ -19,10 +19,12 @@ index a43b343..6d89f17 100644
$(LOCAL_PATH)/include/ \
$(LOCAL_PATH)/src/ \
diff --git libsepol-2.5/ChangeLog libsepol-2.5/ChangeLog
index ace3d54..4c997c5 100644
index ace3d54..b45f3ad 100644
--- libsepol-2.5/ChangeLog
+++ libsepol-2.5/ChangeLog
@@ -1,3 +1,21 @@
@@ -1,3 +1,23 @@
+ * Warn instead of fail if permission is not resolved, from James Carter.
+ * Ignore object_r when adding userrole mappings to policydb, from Steve Lawrence.
+ * Add missing return to sepol_node_query(), from Petr Lautrbach.
+ * Add missing <stdarg.h> include, from Thomas Petazzoni.
+ * Correctly detect unknown classes in sepol_string_to_security_class, from Joshua Brindle.
@ -118,7 +120,7 @@ index afdc240..929ab19 100644
+ (*info)->path = NULL;
+}
diff --git libsepol-2.5/cil/src/cil_binary.c libsepol-2.5/cil/src/cil_binary.c
index f749e53..5d03127 100644
index f749e53..46fea4b 100644
--- libsepol-2.5/cil/src/cil_binary.c
+++ libsepol-2.5/cil/src/cil_binary.c
@@ -31,6 +31,9 @@
@ -146,7 +148,20 @@ index f749e53..5d03127 100644
}
}
@@ -1770,13 +1775,12 @@ int __cil_cond_to_policydb_helper(struct cil_tree_node *node, __attribute__((unu
@@ -749,6 +754,12 @@ int cil_userrole_to_policydb(policydb_t *pdb, const struct cil_db *db, struct ci
goto exit;
}
+ if (sepol_role->s.value == 1) {
+ // role is object_r, ignore it since it is implicitly associated
+ // with all users
+ continue;
+ }
+
if (ebitmap_set_bit(&sepol_user->roles.roles, sepol_role->s.value - 1, 1)) {
cil_log(CIL_INFO, "Failed to set role bit for user\n");
rc = SEPOL_ERR;
@@ -1770,13 +1781,12 @@ int __cil_cond_to_policydb_helper(struct cil_tree_node *node, __attribute__((unu
cil_typetrans = (struct cil_nametypetransition*)node->data;
if (DATUM(cil_typetrans->name)->fqn != CIL_KEY_STAR) {
cil_log(CIL_ERR, "typetransition with file name not allowed within a booleanif block.\n");
@ -162,7 +177,7 @@ index f749e53..5d03127 100644
goto exit;
}
break;
@@ -1784,7 +1788,7 @@ int __cil_cond_to_policydb_helper(struct cil_tree_node *node, __attribute__((unu
@@ -1784,7 +1794,7 @@ int __cil_cond_to_policydb_helper(struct cil_tree_node *node, __attribute__((unu
cil_type_rule = node->data;
rc = __cil_type_rule_to_avtab(pdb, db, cil_type_rule, cond_node, cond_flavor);
if (rc != SEPOL_OK) {
@ -171,7 +186,7 @@ index f749e53..5d03127 100644
goto exit;
}
break;
@@ -1792,7 +1796,7 @@ int __cil_cond_to_policydb_helper(struct cil_tree_node *node, __attribute__((unu
@@ -1792,7 +1802,7 @@ int __cil_cond_to_policydb_helper(struct cil_tree_node *node, __attribute__((unu
cil_avrule = node->data;
rc = __cil_avrule_to_avtab(pdb, db, cil_avrule, cond_node, cond_flavor);
if (rc != SEPOL_OK) {
@ -180,7 +195,7 @@ index f749e53..5d03127 100644
goto exit;
}
break;
@@ -1800,8 +1804,7 @@ int __cil_cond_to_policydb_helper(struct cil_tree_node *node, __attribute__((unu
@@ -1800,8 +1810,7 @@ int __cil_cond_to_policydb_helper(struct cil_tree_node *node, __attribute__((unu
case CIL_TUNABLEIF:
break;
default:
@ -190,7 +205,7 @@ index f749e53..5d03127 100644
goto exit;
}
@@ -2060,14 +2063,13 @@ int cil_booleanif_to_policydb(policydb_t *pdb, const struct cil_db *db, struct c
@@ -2060,14 +2069,13 @@ int cil_booleanif_to_policydb(policydb_t *pdb, const struct cil_db *db, struct c
tmp_cond = cond_node_create(pdb, NULL);
if (tmp_cond == NULL) {
rc = SEPOL_ERR;
@ -207,7 +222,7 @@ index f749e53..5d03127 100644
goto exit;
}
@@ -2123,7 +2125,7 @@ int cil_booleanif_to_policydb(policydb_t *pdb, const struct cil_db *db, struct c
@@ -2123,7 +2131,7 @@ int cil_booleanif_to_policydb(policydb_t *pdb, const struct cil_db *db, struct c
bool_args.cond_flavor = CIL_CONDTRUE;
rc = cil_tree_walk(true_node, __cil_cond_to_policydb_helper, NULL, NULL, &bool_args);
if (rc != SEPOL_OK) {
@ -216,7 +231,7 @@ index f749e53..5d03127 100644
goto exit;
}
}
@@ -2132,7 +2134,7 @@ int cil_booleanif_to_policydb(policydb_t *pdb, const struct cil_db *db, struct c
@@ -2132,7 +2140,7 @@ int cil_booleanif_to_policydb(policydb_t *pdb, const struct cil_db *db, struct c
bool_args.cond_flavor = CIL_CONDFALSE;
rc = cil_tree_walk(false_node, __cil_cond_to_policydb_helper, NULL, NULL, &bool_args);
if (rc != SEPOL_OK) {
@ -225,7 +240,7 @@ index f749e53..5d03127 100644
goto exit;
}
}
@@ -3035,6 +3037,9 @@ int cil_portcon_to_policydb(policydb_t *pdb, struct cil_sort *portcons)
@@ -3035,6 +3043,9 @@ int cil_portcon_to_policydb(policydb_t *pdb, struct cil_sort *portcons)
case CIL_PROTOCOL_TCP:
new_ocon->u.port.protocol = IPPROTO_TCP;
break;
@ -235,7 +250,7 @@ index f749e53..5d03127 100644
default:
/* should not get here */
rc = SEPOL_ERR;
@@ -3583,7 +3588,7 @@ int __cil_node_to_policydb(struct cil_tree_node *node, void *extra_args)
@@ -3583,7 +3594,7 @@ int __cil_node_to_policydb(struct cil_tree_node *node, void *extra_args)
exit:
if (rc != SEPOL_OK) {
@ -244,7 +259,7 @@ index f749e53..5d03127 100644
}
return rc;
}
@@ -4227,6 +4232,9 @@ exit:
@@ -4227,6 +4238,9 @@ exit:
static avrule_t *__cil_init_sepol_avrule(uint32_t kind, struct cil_tree_node *node)
{
avrule_t *avrule;
@ -254,7 +269,7 @@ index f749e53..5d03127 100644
avrule = cil_malloc(sizeof(avrule_t));
avrule->specified = kind;
@@ -4235,8 +4243,17 @@ static avrule_t *__cil_init_sepol_avrule(uint32_t kind, struct cil_tree_node *no
@@ -4235,8 +4249,17 @@ static avrule_t *__cil_init_sepol_avrule(uint32_t kind, struct cil_tree_node *no
__cil_init_sepol_type_set(&avrule->ttypes);
avrule->perms = NULL;
avrule->line = node->line;
@ -273,7 +288,7 @@ index f749e53..5d03127 100644
avrule->next = NULL;
return avrule;
}
@@ -4263,10 +4280,8 @@ static void __cil_print_parents(const char *pad, struct cil_tree_node *n)
@@ -4263,10 +4286,8 @@ static void __cil_print_parents(const char *pad, struct cil_tree_node *n)
__cil_print_parents(pad, n->parent);
@ -286,7 +301,7 @@ index f749e53..5d03127 100644
}
}
@@ -4357,7 +4372,7 @@ static int __cil_print_neverallow_failure(const struct cil_db *db, struct cil_tr
@@ -4357,7 +4378,7 @@ static int __cil_print_neverallow_failure(const struct cil_db *db, struct cil_tr
allow_str = CIL_KEY_ALLOWX;
avrule_flavor = CIL_AVRULEX;
}
@ -295,7 +310,7 @@ index f749e53..5d03127 100644
__cil_print_rule(" ", neverallow_str, cil_rule);
cil_list_init(&matching, CIL_NODE);
rc = cil_find_matching_avrule_in_ast(db->ast->root, avrule_flavor, &target, matching, CIL_FALSE);
@@ -4380,10 +4395,9 @@ exit:
@@ -4380,10 +4401,9 @@ exit:
return rc;
}
@ -308,7 +323,7 @@ index f749e53..5d03127 100644
struct cil_avrule *cil_rule = node->data;
struct cil_symtab_datum *tgt = cil_rule->tgt;
uint32_t kind;
@@ -4422,11 +4436,11 @@ static int cil_check_neverallow(const struct cil_db *db, policydb_t *pdb, struct
@@ -4422,11 +4442,11 @@ static int cil_check_neverallow(const struct cil_db *db, policydb_t *pdb, struct
rc = check_assertion(pdb, rule);
if (rc == CIL_TRUE) {
@ -321,7 +336,7 @@ index f749e53..5d03127 100644
}
} else {
@@ -4444,12 +4458,11 @@ static int cil_check_neverallow(const struct cil_db *db, policydb_t *pdb, struct
@@ -4444,12 +4464,11 @@ static int cil_check_neverallow(const struct cil_db *db, policydb_t *pdb, struct
rule->xperms = item->data;
rc = check_assertion(pdb, rule);
if (rc == CIL_TRUE) {
@ -335,7 +350,7 @@ index f749e53..5d03127 100644
}
}
}
@@ -4466,34 +4479,23 @@ exit:
@@ -4466,34 +4485,23 @@ exit:
rule->xperms = NULL;
__cil_destroy_sepol_avrules(rule);
@ -375,7 +390,7 @@ index f749e53..5d03127 100644
}
static struct cil_list *cil_classperms_from_sepol(policydb_t *pdb, uint16_t class, uint32_t data, struct cil_class *class_value_to_cil[], struct cil_perm **perm_value_to_cil[])
@@ -4548,7 +4550,7 @@ exit:
@@ -4548,7 +4556,7 @@ exit:
return rc;
}
@ -384,7 +399,7 @@ index f749e53..5d03127 100644
{
int rc = SEPOL_OK;
int i;
@@ -4574,6 +4576,9 @@ static int cil_check_type_bounds(const struct cil_db *db, policydb_t *pdb, void
@@ -4574,6 +4582,9 @@ static int cil_check_type_bounds(const struct cil_db *db, policydb_t *pdb, void
if (bad) {
avtab_ptr_t cur;
struct cil_avrule target;
@ -394,7 +409,7 @@ index f749e53..5d03127 100644
target.is_extended = 0;
target.rule_kind = CIL_AVRULE_ALLOWED;
@@ -4585,7 +4590,6 @@ static int cil_check_type_bounds(const struct cil_db *db, policydb_t *pdb, void
@@ -4585,7 +4596,6 @@ static int cil_check_type_bounds(const struct cil_db *db, policydb_t *pdb, void
for (cur = bad; cur; cur = cur->next) {
struct cil_list_item *i2;
struct cil_list *matching;
@ -402,7 +417,7 @@ index f749e53..5d03127 100644
rc = cil_avrule_from_sepol(pdb, cur, &target, type_value_to_cil, class_value_to_cil, perm_value_to_cil);
if (rc != SEPOL_OK) {
@@ -4594,7 +4598,7 @@ static int cil_check_type_bounds(const struct cil_db *db, policydb_t *pdb, void
@@ -4594,7 +4604,7 @@ static int cil_check_type_bounds(const struct cil_db *db, policydb_t *pdb, void
}
__cil_print_rule(" ", "allow", &target);
cil_list_init(&matching, CIL_NODE);
@ -411,7 +426,7 @@ index f749e53..5d03127 100644
if (rc) {
cil_log(CIL_ERR, "Error occurred while checking type bounds\n");
cil_list_destroy(&matching, CIL_FALSE);
@@ -4602,14 +4606,17 @@ static int cil_check_type_bounds(const struct cil_db *db, policydb_t *pdb, void
@@ -4602,14 +4612,17 @@ static int cil_check_type_bounds(const struct cil_db *db, policydb_t *pdb, void
bounds_destroy_bad(bad);
goto exit;
}
@ -435,7 +450,7 @@ index f749e53..5d03127 100644
cil_list_destroy(&matching, CIL_FALSE);
cil_list_destroy(&target.perms.classperms, CIL_TRUE);
}
@@ -4753,20 +4760,32 @@ int cil_binary_create_allocated_pdb(const struct cil_db *db, sepol_policydb_t *p
@@ -4753,20 +4766,32 @@ int cil_binary_create_allocated_pdb(const struct cil_db *db, sepol_policydb_t *p
__cil_set_conditional_state_and_flags(pdb);
if (db->disable_neverallow != CIL_TRUE) {
@ -2014,9 +2029,23 @@ index 06146ca..de00679 100644
* statement isn't seen as a duplicate */
class->num_perms -= common->num_perms;
diff --git libsepol-2.5/cil/src/cil_resolve_ast.c libsepol-2.5/cil/src/cil_resolve_ast.c
index 1489680..70e4462 100644
index 1489680..8348d57 100644
--- libsepol-2.5/cil/src/cil_resolve_ast.c
+++ libsepol-2.5/cil/src/cil_resolve_ast.c
@@ -131,10 +131,10 @@ static int __cil_resolve_perms(symtab_t *class_symtab, symtab_t *common_symtab,
}
}
if (rc != SEPOL_OK) {
- cil_log(CIL_ERR, "Failed to resolve permission %s\n", (char*)curr->data);
- goto exit;
+ cil_log(CIL_WARN, "Failed to resolve permission %s\n", (char*)curr->data);
+ } else {
+ cil_list_append(*perm_datums, CIL_DATUM, perm_datum);
}
- cil_list_append(*perm_datums, CIL_DATUM, perm_datum);
} else {
cil_list_append(*perm_datums, curr->flavor, curr->data);
}
@@ -497,7 +497,7 @@ int cil_resolve_alias_to_actual(struct cil_tree_node *current, enum cil_flavor f
int limit = 2;
@ -2197,7 +2226,7 @@ index 1489680..70e4462 100644
- cil_log(lvl, "Failed to resolve '%s' in %s statement at line %d of %s\n",
- args->last_resolved_name, cil_node_to_string(node), node->line, node->path);
+ cil_tree_log(node, lvl, "Failed to resolve '%s' in %s statement", args->last_resolved_name, cil_node_to_string(node));
+ cil_tree_log(node, lvl, "Failed to resolve %s statement", cil_node_to_string(node));
goto exit;
}
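Review bot: The new `else` branch added to `__cil_resolve_perms` (the `@ -2014,9 +2029,23 @@` hunk carrying the cil_resolve_ast.c change) drops an unresolved permission from `*perm_datums` and carries on, so any statement that names a misspelled or not-yet-defined permission is now compiled with that permission silently missing and only a CIL_WARN line as evidence. For an `allow` that is fail-closed, but if this resolver is also shared by `neverallow` and bounds checking (likely, given it is the generic classperms resolver, though not visible here) those assertions now check fewer permissions than the policy author wrote, which is the opposite direction; the commit description does not mention that asymmetry. A comment at the new branch would make the trade-off explicit for the next reader, e.g. `/* unresolved perms are skipped, not rejected: an assertion naming one checks less than written */`, and including the class in the warning text would make the log line actionable. If every permission in a list fails to resolve the statement continues with an empty list; whether later stages tolerate that cannot be seen from this hunk. `__cil_resolve_perms` starts and ends outside the hunk.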


@ -1,14 +1,14 @@
Summary: SELinux binary policy manipulation library
Name: libsepol
Version: 2.5
Release: 8%{?dist}
Release: 9%{?dist}
License: LGPLv2+
Group: System Environment/Libraries
Source: https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20160223/libsepol-2.5.tar.gz
# download https://raw.githubusercontent.com/fedora-selinux/scripts/master/selinux/make-fedora-selinux-patch.sh
# run:
# $ VERSION=2.5 ./make-fedora-selinux-patch.sh libsepol
# HEAD https://github.com/fedora-selinux/selinux/commit/9eb71873eb6e6073228257abbeb42f61b2719336
# HEAD https://github.com/fedora-selinux/selinux/commit/dbf42c22e798a5e2cf9c1fc711c803e7da20cfb4
Patch1: libsepol-fedora.patch
URL: https://github.com/SELinuxProject/selinux/wiki
BuildRequires: flex
@ -106,6 +106,10 @@ exit 0
%{_libdir}/libsepol.so.1
%changelog
* Mon Aug 01 2016 Petr Lautrbach <plautrba@redhat.com> 2.5-9
- Warn instead of fail if permission is not resolved
- Ignore object_r when adding userrole mappings to policydb
* Thu Jul 14 2016 Petr Lautrbach <plautrba@redhat.com> - 2.5-8
- Add missing return to sepol_node_query()
- Add missing <stdarg.h> include