The filename_trans code had a bug where duplicate detection was being

done between the unmapped type value of a new rule and the type value of
rules already in policy.  This meant that duplicates were not being
silently dropped and were instead outputting a message that there was a
problem.  It made things hard because the message WAS using the mapped
type to convert to the string representation, so it didn't look like a
dup!

.gitignore

@@ -151,3 +151,8 @@ libsepol-2.0.41.tgz
 /libsepol-2.0.42.tgz
 /libsepol-2.0.43.tgz
 /libsepol-2.0.44.tgz
+/libsepol-2.0.45.tgz
+/libsepol-2.1.0.tgz
+/libsepol-2.1.1.tgz
+/libsepol-2.1.2.tgz
+/libsepol-2.1.3.tgz

libsepol-rhat.patch

@@ -1,48 +1,49 @@
 diff --git a/libsepol/src/expand.c b/libsepol/src/expand.c
-index b1af365..42bc931 100644
+index 2861776..493e478 100644
 --- a/libsepol/src/expand.c
 +++ b/libsepol/src/expand.c
-@@ -1181,23 +1181,26 @@ static int copy_role_trans(expand_state_t * state, role_trans_rule_t * rules)
+@@ -1329,6 +1329,8 @@ static int expand_filename_trans(expand_state_t *state, filename_trans_rule_t *r
  
- 					cur_trans = state->out->role_tr;
- 					while (cur_trans) {
-+						unsigned int mapped_role;
+ 	cur_rule = rules;
+ 	while (cur_rule) {
++		uint32_t mapped_otype;
 +
-+						mapped_role = state->rolemap[cur->new_role - 1];
-+
- 						if ((cur_trans->role ==
- 								i + 1) &&
- 						    (cur_trans->type ==
- 								j + 1) &&
- 						    (cur_trans->tclass ==
- 								k + 1)) {
--							if (cur_trans->
--							    new_role ==
--								cur->new_role) {
-+							if (cur_trans->new_role == mapped_role) {
- 								break;
- 							} else {
- 								ERR(state->handle,
--									"Conflicting role trans rule %s %s : %s %s",
-+									"Conflicting role trans rule %s %s : %s { %s vs %s }",
- 									state->out->p_role_val_to_name[i],
- 									state->out->p_type_val_to_name[j],
- 									state->out->p_class_val_to_name[k],
--									state->out->p_role_val_to_name[cur->new_role - 1]);
-+									state->out->p_role_val_to_name[mapped_role],
-+									state->out->p_role_val_to_name[cur_trans->new_role - 1]);
- 								return -1;
- 							}
- 						}
-diff --git a/libsepol/src/policydb.c b/libsepol/src/policydb.c
-index 6d8ff91..3d8dc80 100644
---- a/libsepol/src/policydb.c
-+++ b/libsepol/src/policydb.c
-@@ -2280,6 +2280,7 @@ int filename_trans_read(filename_trans_t **t, struct policy_file *fp)
- 			lft->next = ft;
- 		else
- 			*t = ft;
-+		lft = ft;
- 		rc = next_entry(buf, fp, sizeof(uint32_t));
- 		if (rc < 0)
+ 		ebitmap_init(&stypes);
+ 		ebitmap_init(&ttypes);
+ 
+@@ -1344,6 +1346,8 @@ static int expand_filename_trans(expand_state_t *state, filename_trans_rule_t *r
  			return -1;
+ 		}
+ 
++		mapped_otype = state->typemap[cur_rule->otype - 1];
++
+ 		ebitmap_for_each_bit(&stypes, snode, i) {
+ 			if (!ebitmap_node_get_bit(snode, i))
+ 				continue;
+@@ -1358,7 +1362,7 @@ static int expand_filename_trans(expand_state_t *state, filename_trans_rule_t *r
+ 					    (cur_trans->tclass == cur_rule->tclass) &&
+ 					    (!strcmp(cur_trans->name, cur_rule->name))) {
+ 						/* duplicate rule, who cares */
+-						if (cur_trans->otype == cur_rule->otype)
++						if (cur_trans->otype == mapped_otype)
+ 							break;
+ 
+ 						ERR(state->handle, "Conflicting filename trans rules %s %s %s : %s otype1:%s otype2:%s",
+@@ -1367,7 +1371,7 @@ static int expand_filename_trans(expand_state_t *state, filename_trans_rule_t *r
+ 						    state->out->p_type_val_to_name[j],
+ 						    state->out->p_class_val_to_name[cur_trans->tclass - 1],
+ 						    state->out->p_type_val_to_name[cur_trans->otype - 1],
+-						    state->out->p_type_val_to_name[state->typemap[cur_rule->otype - 1] - 1]);
++						    state->out->p_type_val_to_name[mapped_otype - 1]);
+ 						    
+ 						return -1;
+ 					}
+@@ -1397,7 +1401,7 @@ static int expand_filename_trans(expand_state_t *state, filename_trans_rule_t *r
+ 				new_trans->stype = i + 1;
+ 				new_trans->ttype = j + 1;
+ 				new_trans->tclass = cur_rule->tclass;
+-				new_trans->otype = state->typemap[cur_rule->otype - 1];
++				new_trans->otype = mapped_otype;
+ 			}
+ 		}
+ 

libsepol.spec

@@ -1,12 +1,12 @@
 Summary: SELinux binary policy manipulation library 
 Name: libsepol
-Version: 2.0.44
+Version: 2.1.3
 Release: 2%{?dist}
 License: LGPLv2+
 Group: System Environment/Libraries
 Source: http://www.nsa.gov/selinux/archives/libsepol-%{version}.tgz
+Patch: libsepol-rhat.patch
 URL: http://www.selinuxproject.org
-patch: libsepol-rhat.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 
 %description
@@ -46,6 +46,7 @@ needed for developing applications that manipulate binary policies.
 %prep
 %setup -q
 %patch -p2 -b .rhat
+
 # sparc64 is an -fPIC arch, so we need to fix it here
 %ifarch sparc64
 sed -i 's/fpic/fPIC/g' src/Makefile
@@ -98,6 +99,52 @@ exit 0
 /%{_lib}/libsepol.so.1
 
 %changelog
+* Mon Oct 31 2011 Dan Walsh <dwalsh@redhat.com> - 2.1.3-2
+-The filename_trans code had a bug where duplicate detection was being
+done between the unmapped type value of a new rule and the type value of
+rules already in policy.  This meant that duplicates were not being
+silently dropped and were instead outputting a message that there was a
+problem.  It made things hard because the message WAS using the mapped
+type to convert to the string representation, so it didn't look like a
+dup!
+
+* Mon Sep 19 2011 Dan Walsh <dwalsh@redhat.com> - 2.1.3-1
+-Update to upstream
+	* Skip writing role attributes for policy.X and
+	* Indicate when boolean is indeed a tunable.
+	* Separate tunable from boolean during compile.
+	* Write and read TUNABLE flags in related
+	* Copy and check the cond_bool_datum_t.flags during link.
+	* Permanently discard disabled branches of tunables in
+	* Skip tunable identifier and cond_node_t in expansion.
+	* Create a new preserve_tunables flag
+	* Preserve tunables when required by semodule program.
+	* setools expects expand_module_avrules to be an exported
+	* tree: default make target to all not
+
+* Thu Sep 14 2011 Dan Walsh <dwalsh@redhat.com> - 2.1.2-3
+- Add patch to handle preserving tunables
+
+* Thu Sep 1 2011 Dan Walsh <dwalsh@redhat.com> - 2.1.2-2
+- export expand_module_avrules 
+
+* Thu Aug 18 2011 Dan Walsh <dwalsh@redhat.com> - 2.1.2-0
+- Update to upstream 
+	* Only call role_fix_callback for base.p_roles during expansion.
+	* use mapped role number instead of module role number
+
+* Mon Aug 1 2011 Dan Walsh <dwalsh@redhat.com> 2.1.1-1
+- Update to upstream 
+	* Minor fix to reading policy with filename transition rules
+
+* Wed Jul 27 2011 Dan Walsh <dwalsh@redhat.com> 2.1.0-1
+- Update to upstream 
+	* Release, minor version bump
+
+* Thu May 3 2011 Dan Walsh <dwalsh@redhat.com> 2.0.45-1
+- Update to upstream 
+  * Warn if filename_trans rules are dropped by Steve Lawrence.
+
 * Thu Apr 21 2011 Dan Walsh <dwalsh@redhat.com> 2.0.44-2
 - Fixes for new role_transition class field by Eric Paris.
 

sources

@@ -1,2 +1 @@
-fc7a01f0e15d9b056767c23911eab208  libsepol-2.0.43.tgz
-654cc43f8f50b0e3fea9352ea8434397  libsepol-2.0.44.tgz
+8278689ecf9d5219887b72fc24ff66ff  libsepol-2.1.3.tgz