SELinux userspace 3.5 release

Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>

.fmf/version

@@ -0,0 +1 @@
+1

.gitignore

@@ -177,3 +177,17 @@ libsepol-2.0.41.tgz
 /libsepol-3.0-rc1.tar.gz
 /libsepol-3.0.tar.gz
 /libsepol-3.1.tar.gz
+/libsepol-3.2-rc1.tar.gz
+/libsepol-3.2-rc2.tar.gz
+/libsepol-3.2.tar.gz
+/libsepol-3.3-rc2.tar.gz
+/libsepol-3.3-rc3.tar.gz
+/libsepol-3.3.tar.gz
+/libsepol-3.4-rc1.tar.gz
+/libsepol-3.4-rc2.tar.gz
+/libsepol-3.4-rc3.tar.gz
+/libsepol-3.4.tar.gz
+/libsepol-3.5-rc1.tar.gz
+/libsepol-3.5-rc2.tar.gz
+/libsepol-3.5-rc3.tar.gz
+/libsepol-3.5.tar.gz

0001-libsepol-checkpolicy-optimize-storage-of-filename-tr.patch

@@ -1,592 +0,0 @@
-From 42ae834a7428c57f7b2a9f448adf4cf991fa3487 Mon Sep 17 00:00:00 2001
-From: Ondrej Mosnacek <omosnace@redhat.com>
-Date: Fri, 31 Jul 2020 13:10:34 +0200
-Subject: [PATCH] libsepol,checkpolicy: optimize storage of filename
- transitions
-
-In preparation to support a new policy format with a more optimal
-representation of filename transition rules, this patch applies an
-equivalent change from kernel commit c3a276111ea2 ("selinux: optimize
-storage of filename transitions").
-
-See the kernel commit's description [1] for the rationale behind this
-representation. This change doesn't bring any measurable difference of
-policy build performance (semodule -B) on Fedora.
-
-[1] https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux.git/commit/?id=c3a276111ea2572399281988b3129683e2a6b60b
-
-Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
----
- libsepol/cil/src/cil_binary.c              |  26 ++---
- libsepol/include/sepol/policydb/policydb.h |  15 ++-
- libsepol/src/expand.c                      |  56 ++-------
- libsepol/src/kernel_to_cil.c               |  24 +++-
- libsepol/src/kernel_to_conf.c              |  24 +++-
- libsepol/src/policydb.c                    | 125 +++++++++++++++------
- libsepol/src/write.c                       |  46 ++++----
- 7 files changed, 183 insertions(+), 133 deletions(-)
-
-diff --git a/libsepol/cil/src/cil_binary.c b/libsepol/cil/src/cil_binary.c
-index 62178d998468..7726685809af 100644
---- a/libsepol/cil/src/cil_binary.c
-+++ b/libsepol/cil/src/cil_binary.c
-@@ -1131,11 +1131,10 @@ int __cil_typetransition_to_avtab(policydb_t *pdb, const struct cil_db *db, stru
- 	class_datum_t *sepol_obj = NULL;
- 	struct cil_list *class_list;
- 	type_datum_t *sepol_result = NULL;
--	filename_trans_t *newkey = NULL;
--	filename_trans_datum_t *newdatum = NULL, *otype = NULL;
- 	ebitmap_t src_bitmap, tgt_bitmap;
- 	ebitmap_node_t *node1, *node2;
- 	unsigned int i, j;
-+	uint32_t otype;
- 	struct cil_list_item *c;
- 	char *name = DATUM(typetrans->name)->name;
- 
-@@ -1176,22 +1175,14 @@ int __cil_typetransition_to_avtab(policydb_t *pdb, const struct cil_db *db, stru
- 				rc = __cil_get_sepol_class_datum(pdb, DATUM(c->data), &sepol_obj);
- 				if (rc != SEPOL_OK) goto exit;
- 
--				newkey = cil_calloc(1, sizeof(*newkey));
--				newdatum = cil_calloc(1, sizeof(*newdatum));
--				newkey->stype = sepol_src->s.value;
--				newkey->ttype = sepol_tgt->s.value;
--				newkey->tclass = sepol_obj->s.value;
--				newkey->name = cil_strdup(name);
--				newdatum->otype = sepol_result->s.value;
--
--				rc = hashtab_insert(pdb->filename_trans,
--						    (hashtab_key_t)newkey,
--						    newdatum);
-+				rc = policydb_filetrans_insert(
-+					pdb, sepol_src->s.value, sepol_tgt->s.value,
-+					sepol_obj->s.value, name, NULL,
-+					sepol_result->s.value, &otype
-+				);
- 				if (rc != SEPOL_OK) {
- 					if (rc == SEPOL_EEXIST) {
--						otype = hashtab_search(pdb->filename_trans,
--								(hashtab_key_t)newkey);
--						if (newdatum->otype != otype->otype) {
-+						if (sepol_result->s.value!= otype) {
- 							cil_log(CIL_ERR, "Conflicting name type transition rules\n");
- 						} else {
- 							rc = SEPOL_OK;
-@@ -1199,9 +1190,6 @@ int __cil_typetransition_to_avtab(policydb_t *pdb, const struct cil_db *db, stru
- 					} else {
- 						cil_log(CIL_ERR, "Out of memory\n");
- 					}
--					free(newkey->name);
--					free(newkey);
--					free(newdatum);
- 					if (rc != SEPOL_OK) {
- 						goto exit;
- 					}
-diff --git a/libsepol/include/sepol/policydb/policydb.h b/libsepol/include/sepol/policydb/policydb.h
-index 81b63fefbb20..c3180c611c64 100644
---- a/libsepol/include/sepol/policydb/policydb.h
-+++ b/libsepol/include/sepol/policydb/policydb.h
-@@ -162,15 +162,16 @@ typedef struct role_allow {
- } role_allow_t;
- 
- /* filename_trans rules */
--typedef struct filename_trans {
--	uint32_t stype;
-+typedef struct filename_trans_key {
- 	uint32_t ttype;
- 	uint32_t tclass;
- 	char *name;
--} filename_trans_t;
-+} filename_trans_key_t;
- 
- typedef struct filename_trans_datum {
--	uint32_t otype;		/* expected of new object */
-+	ebitmap_t stypes;
-+	uint32_t otype;
-+	struct filename_trans_datum *next;
- } filename_trans_datum_t;
- 
- /* Type attributes */
-@@ -591,6 +592,7 @@ typedef struct policydb {
- 
- 	/* file transitions with the last path component */
- 	hashtab_t filename_trans;
-+	uint32_t filename_trans_count;
- 
- 	ebitmap_t *type_attr_map;
- 
-@@ -650,6 +652,11 @@ extern int policydb_load_isids(policydb_t * p, sidtab_t * s);
- 
- extern int policydb_sort_ocontexts(policydb_t *p);
- 
-+extern int policydb_filetrans_insert(policydb_t *p, uint32_t stype,
-+				     uint32_t ttype, uint32_t tclass,
-+				     const char *name, char **name_alloc,
-+				     uint32_t otype, uint32_t *present_otype);
-+
- /* Deprecated */
- extern int policydb_context_isvalid(const policydb_t * p,
- 				    const context_struct_t * c);
-diff --git a/libsepol/src/expand.c b/libsepol/src/expand.c
-index 529e1d356a89..19e48c507236 100644
---- a/libsepol/src/expand.c
-+++ b/libsepol/src/expand.c
-@@ -1371,8 +1371,6 @@ static int copy_role_trans(expand_state_t * state, role_trans_rule_t * rules)
- static int expand_filename_trans(expand_state_t *state, filename_trans_rule_t *rules)
- {
- 	unsigned int i, j;
--	filename_trans_t key, *new_trans;
--	filename_trans_datum_t *otype;
- 	filename_trans_rule_t *cur_rule;
- 	ebitmap_t stypes, ttypes;
- 	ebitmap_node_t *snode, *tnode;
-@@ -1380,7 +1378,7 @@ static int expand_filename_trans(expand_state_t *state, filename_trans_rule_t *r
- 
- 	cur_rule = rules;
- 	while (cur_rule) {
--		uint32_t mapped_otype;
-+		uint32_t mapped_otype, present_otype;
- 
- 		ebitmap_init(&stypes);
- 		ebitmap_init(&ttypes);
-@@ -1401,15 +1399,14 @@ static int expand_filename_trans(expand_state_t *state, filename_trans_rule_t *r
- 
- 		ebitmap_for_each_positive_bit(&stypes, snode, i) {
- 			ebitmap_for_each_positive_bit(&ttypes, tnode, j) {
--				key.stype = i + 1;
--				key.ttype = j + 1;
--				key.tclass = cur_rule->tclass;
--				key.name = cur_rule->name;
--				otype = hashtab_search(state->out->filename_trans,
--						       (hashtab_key_t) &key);
--				if (otype) {
-+				rc = policydb_filetrans_insert(
-+					state->out, i + 1, j + 1,
-+					cur_rule->tclass, cur_rule->name,
-+					NULL, mapped_otype, &present_otype
-+				);
-+				if (rc == SEPOL_EEXIST) {
- 					/* duplicate rule, ignore */
--					if (otype->otype == mapped_otype)
-+					if (present_otype == mapped_otype)
- 						continue;
- 
- 					ERR(state->handle, "Conflicting name-based type_transition %s %s:%s \"%s\":  %s vs %s",
-@@ -1417,44 +1414,11 @@ static int expand_filename_trans(expand_state_t *state, filename_trans_rule_t *r
- 					    state->out->p_type_val_to_name[j],
- 					    state->out->p_class_val_to_name[cur_rule->tclass - 1],
- 					    cur_rule->name,
--					    state->out->p_type_val_to_name[otype->otype - 1],
-+					    state->out->p_type_val_to_name[present_otype - 1],
- 					    state->out->p_type_val_to_name[mapped_otype - 1]);
- 					return -1;
--				}
--
--				new_trans = calloc(1, sizeof(*new_trans));
--				if (!new_trans) {
--					ERR(state->handle, "Out of memory!");
--					return -1;
--				}
--
--				new_trans->name = strdup(cur_rule->name);
--				if (!new_trans->name) {
--					ERR(state->handle, "Out of memory!");
--					free(new_trans);
--					return -1;
--				}
--				new_trans->stype = i + 1;
--				new_trans->ttype = j + 1;
--				new_trans->tclass = cur_rule->tclass;
--
--				otype = calloc(1, sizeof(*otype));
--				if (!otype) {
--					ERR(state->handle, "Out of memory!");
--					free(new_trans->name);
--					free(new_trans);
--					return -1;
--				}
--				otype->otype = mapped_otype;
--
--				rc = hashtab_insert(state->out->filename_trans,
--						    (hashtab_key_t)new_trans,
--						    otype);
--				if (rc) {
-+				} else if (rc < 0) {
- 					ERR(state->handle, "Out of memory!");
--					free(otype);
--					free(new_trans->name);
--					free(new_trans);
- 					return -1;
- 				}
- 			}
-diff --git a/libsepol/src/kernel_to_cil.c b/libsepol/src/kernel_to_cil.c
-index 958adc4cfc0a..c247b32f9e75 100644
---- a/libsepol/src/kernel_to_cil.c
-+++ b/libsepol/src/kernel_to_cil.c
-@@ -1841,21 +1841,35 @@ struct map_filename_trans_args {
- 
- static int map_filename_trans_to_str(hashtab_key_t key, void *data, void *arg)
- {
--	filename_trans_t *ft = (filename_trans_t *)key;
-+	filename_trans_key_t *ft = (filename_trans_key_t *)key;
- 	filename_trans_datum_t *datum = data;
- 	struct map_filename_trans_args *map_args = arg;
- 	struct policydb *pdb = map_args->pdb;
- 	struct strs *strs = map_args->strs;
- 	char *src, *tgt, *class, *filename, *new;
-+	struct ebitmap_node *node;
-+	uint32_t bit;
-+	int rc;
- 
--	src = pdb->p_type_val_to_name[ft->stype - 1];
- 	tgt = pdb->p_type_val_to_name[ft->ttype - 1];
- 	class = pdb->p_class_val_to_name[ft->tclass - 1];
- 	filename = ft->name;
--	new =  pdb->p_type_val_to_name[datum->otype - 1];
-+	do {
-+		new = pdb->p_type_val_to_name[datum->otype - 1];
-+
-+		ebitmap_for_each_positive_bit(&datum->stypes, node, bit) {
-+			src = pdb->p_type_val_to_name[bit];
-+			rc = strs_create_and_add(strs,
-+						 "(typetransition %s %s %s %s %s)",
-+						 5, src, tgt, class, filename, new);
-+			if (rc)
-+				return rc;
-+		}
-+
-+		datum = datum->next;
-+	} while (datum);
- 
--	return strs_create_and_add(strs, "(typetransition %s %s %s %s %s)", 5,
--				   src, tgt, class, filename, new);
-+	return 0;
- }
- 
- static int write_filename_trans_rules_to_cil(FILE *out, struct policydb *pdb)
-diff --git a/libsepol/src/kernel_to_conf.c b/libsepol/src/kernel_to_conf.c
-index 7cc91eb3d129..62bf706c1aa0 100644
---- a/libsepol/src/kernel_to_conf.c
-+++ b/libsepol/src/kernel_to_conf.c
-@@ -1822,21 +1822,35 @@ struct map_filename_trans_args {
- 
- static int map_filename_trans_to_str(hashtab_key_t key, void *data, void *arg)
- {
--	filename_trans_t *ft = (filename_trans_t *)key;
-+	filename_trans_key_t *ft = (filename_trans_key_t *)key;
- 	filename_trans_datum_t *datum = data;
- 	struct map_filename_trans_args *map_args = arg;
- 	struct policydb *pdb = map_args->pdb;
- 	struct strs *strs = map_args->strs;
- 	char *src, *tgt, *class, *filename, *new;
-+	struct ebitmap_node *node;
-+	uint32_t bit;
-+	int rc;
- 
--	src = pdb->p_type_val_to_name[ft->stype - 1];
- 	tgt = pdb->p_type_val_to_name[ft->ttype - 1];
- 	class = pdb->p_class_val_to_name[ft->tclass - 1];
- 	filename = ft->name;
--	new =  pdb->p_type_val_to_name[datum->otype - 1];
-+	do {
-+		new = pdb->p_type_val_to_name[datum->otype - 1];
-+
-+		ebitmap_for_each_positive_bit(&datum->stypes, node, bit) {
-+			src = pdb->p_type_val_to_name[bit];
-+			rc = strs_create_and_add(strs,
-+						 "type_transition %s %s:%s %s \"%s\";",
-+						 5, src, tgt, class, new, filename);
-+			if (rc)
-+				return rc;
-+		}
-+
-+		datum = datum->next;
-+	} while (datum);
- 
--	return strs_create_and_add(strs, "type_transition %s %s:%s %s \"%s\";", 5,
--				   src, tgt, class, new, filename);
-+	return 0;
- }
- 
- static int write_filename_trans_rules_to_conf(FILE *out, struct policydb *pdb)
-diff --git a/libsepol/src/policydb.c b/libsepol/src/policydb.c
-index 3992ea56f092..0b98d50b8096 100644
---- a/libsepol/src/policydb.c
-+++ b/libsepol/src/policydb.c
-@@ -789,12 +789,12 @@ partial_name_hash(unsigned long c, unsigned long prevhash)
- 
- static unsigned int filenametr_hash(hashtab_t h, const_hashtab_key_t k)
- {
--	const struct filename_trans *ft = (const struct filename_trans *)k;
-+	const filename_trans_key_t *ft = (const filename_trans_key_t *)k;
- 	unsigned long hash;
- 	unsigned int byte_num;
- 	unsigned char focus;
- 
--	hash = ft->stype ^ ft->ttype ^ ft->tclass;
-+	hash = ft->ttype ^ ft->tclass;
- 
- 	byte_num = 0;
- 	while ((focus = ft->name[byte_num++]))
-@@ -805,14 +805,10 @@ static unsigned int filenametr_hash(hashtab_t h, const_hashtab_key_t k)
- static int filenametr_cmp(hashtab_t h __attribute__ ((unused)),
- 			  const_hashtab_key_t k1, const_hashtab_key_t k2)
- {
--	const struct filename_trans *ft1 = (const struct filename_trans *)k1;
--	const struct filename_trans *ft2 = (const struct filename_trans *)k2;
-+	const filename_trans_key_t *ft1 = (const filename_trans_key_t *)k1;
-+	const filename_trans_key_t *ft2 = (const filename_trans_key_t *)k2;
- 	int v;
- 
--	v = ft1->stype - ft2->stype;
--	if (v)
--		return v;
--
- 	v = ft1->ttype - ft2->ttype;
- 	if (v)
- 		return v;
-@@ -1409,9 +1405,12 @@ common_destroy, class_destroy, role_destroy, type_destroy, user_destroy,
- static int filenametr_destroy(hashtab_key_t key, hashtab_datum_t datum,
- 			      void *p __attribute__ ((unused)))
- {
--	struct filename_trans *ft = (struct filename_trans *)key;
-+	filename_trans_key_t *ft = (filename_trans_key_t *)key;
-+	filename_trans_datum_t *fd = datum;
-+
- 	free(ft->name);
- 	free(key);
-+	ebitmap_destroy(&fd->stypes);
- 	free(datum);
- 	return 0;
- }
-@@ -2595,12 +2594,85 @@ int role_allow_read(role_allow_t ** r, struct policy_file *fp)
- 	return 0;
- }
- 
-+int policydb_filetrans_insert(policydb_t *p, uint32_t stype, uint32_t ttype,
-+			      uint32_t tclass, const char *name,
-+			      char **name_alloc, uint32_t otype,
-+			      uint32_t *present_otype)
-+{
-+	filename_trans_key_t *ft, key;
-+	filename_trans_datum_t *datum, *last;
-+
-+	key.ttype = ttype;
-+	key.tclass = tclass;
-+	key.name = (char *)name;
-+
-+	last = NULL;
-+	datum = hashtab_search(p->filename_trans, (hashtab_key_t)&key);
-+	while (datum) {
-+		if (ebitmap_get_bit(&datum->stypes, stype - 1)) {
-+			if (present_otype)
-+				*present_otype = datum->otype;
-+			return SEPOL_EEXIST;
-+		}
-+		if (datum->otype == otype)
-+			break;
-+		last = datum;
-+		datum = datum->next;
-+	}
-+	if (!datum) {
-+		datum = malloc(sizeof(*datum));
-+		if (!datum)
-+			return SEPOL_ENOMEM;
-+
-+		ebitmap_init(&datum->stypes);
-+		datum->otype = otype;
-+		datum->next = NULL;
-+
-+		if (last) {
-+			last->next = datum;
-+		} else {
-+			char *name_dup;
-+
-+			if (name_alloc) {
-+				name_dup = *name_alloc;
-+				*name_alloc = NULL;
-+			} else {
-+				name_dup = strdup(name);
-+				if (!name_dup) {
-+					free(datum);
-+					return SEPOL_ENOMEM;
-+				}
-+			}
-+
-+			ft = malloc(sizeof(*ft));
-+			if (!ft) {
-+				free(name_dup);
-+				free(datum);
-+				return SEPOL_ENOMEM;
-+			}
-+
-+			ft->ttype = ttype;
-+			ft->tclass = tclass;
-+			ft->name = name_dup;
-+
-+			if (hashtab_insert(p->filename_trans, (hashtab_key_t)ft,
-+					   (hashtab_datum_t)datum)) {
-+				free(name_dup);
-+				free(datum);
-+				free(ft);
-+				return SEPOL_ENOMEM;
-+			}
-+		}
-+	}
-+
-+	p->filename_trans_count++;
-+	return ebitmap_set_bit(&datum->stypes, stype - 1, 1);
-+}
-+
- int filename_trans_read(policydb_t *p, struct policy_file *fp)
- {
- 	unsigned int i;
--	uint32_t buf[4], nel, len;
--	filename_trans_t *ft;
--	filename_trans_datum_t *otype;
-+	uint32_t buf[4], nel, len, stype, ttype, tclass, otype;
- 	int rc;
- 	char *name;
- 
-@@ -2610,16 +2682,8 @@ int filename_trans_read(policydb_t *p, struct policy_file *fp)
- 	nel = le32_to_cpu(buf[0]);
- 
- 	for (i = 0; i < nel; i++) {
--		ft = NULL;
--		otype = NULL;
- 		name = NULL;
- 
--		ft = calloc(1, sizeof(*ft));
--		if (!ft)
--			goto err;
--		otype = calloc(1, sizeof(*otype));
--		if (!otype)
--			goto err;
- 		rc = next_entry(buf, fp, sizeof(uint32_t));
- 		if (rc < 0)
- 			goto err;
-@@ -2631,8 +2695,6 @@ int filename_trans_read(policydb_t *p, struct policy_file *fp)
- 		if (!name)
- 			goto err;
- 
--		ft->name = name;
--
- 		rc = next_entry(name, fp, len);
- 		if (rc < 0)
- 			goto err;
-@@ -2641,13 +2703,13 @@ int filename_trans_read(policydb_t *p, struct policy_file *fp)
- 		if (rc < 0)
- 			goto err;
- 
--		ft->stype = le32_to_cpu(buf[0]);
--		ft->ttype = le32_to_cpu(buf[1]);
--		ft->tclass = le32_to_cpu(buf[2]);
--		otype->otype = le32_to_cpu(buf[3]);
-+		stype  = le32_to_cpu(buf[0]);
-+		ttype  = le32_to_cpu(buf[1]);
-+		tclass = le32_to_cpu(buf[2]);
-+		otype  = le32_to_cpu(buf[3]);
- 
--		rc = hashtab_insert(p->filename_trans, (hashtab_key_t) ft,
--				    otype);
-+		rc = policydb_filetrans_insert(p, stype, ttype, tclass, name,
-+					       &name, otype, NULL);
- 		if (rc) {
- 			if (rc != SEPOL_EEXIST)
- 				goto err;
-@@ -2657,16 +2719,11 @@ int filename_trans_read(policydb_t *p, struct policy_file *fp)
- 			 * compatibility, do not reject such policies, just
- 			 * ignore the duplicate.
- 			 */
--			free(ft);
--			free(name);
--			free(otype);
--			/* continue, ignoring this one */
- 		}
-+		free(name);
- 	}
- 	return 0;
- err:
--	free(ft);
--	free(otype);
- 	free(name);
- 	return -1;
- }
-diff --git a/libsepol/src/write.c b/libsepol/src/write.c
-index 1fd6a16a248b..d3aee8d5bf22 100644
---- a/libsepol/src/write.c
-+++ b/libsepol/src/write.c
-@@ -571,44 +571,50 @@ static int role_allow_write(role_allow_t * r, struct policy_file *fp)
- 
- static int filename_write_helper(hashtab_key_t key, void *data, void *ptr)
- {
--	uint32_t buf[4];
-+	uint32_t bit, buf[4];
- 	size_t items, len;
--	struct filename_trans *ft = (struct filename_trans *)key;
--	struct filename_trans_datum *otype = data;
-+	filename_trans_key_t *ft = (filename_trans_key_t *)key;
-+	filename_trans_datum_t *datum = data;
-+	ebitmap_node_t *node;
- 	void *fp = ptr;
- 
- 	len = strlen(ft->name);
--	buf[0] = cpu_to_le32(len);
--	items = put_entry(buf, sizeof(uint32_t), 1, fp);
--	if (items != 1)
--		return POLICYDB_ERROR;
-+	do {
-+		ebitmap_for_each_positive_bit(&datum->stypes, node, bit) {
-+			buf[0] = cpu_to_le32(len);
-+			items = put_entry(buf, sizeof(uint32_t), 1, fp);
-+			if (items != 1)
-+				return POLICYDB_ERROR;
- 
--	items = put_entry(ft->name, sizeof(char), len, fp);
--	if (items != len)
--		return POLICYDB_ERROR;
-+			items = put_entry(ft->name, sizeof(char), len, fp);
-+			if (items != len)
-+				return POLICYDB_ERROR;
- 
--	buf[0] = cpu_to_le32(ft->stype);
--	buf[1] = cpu_to_le32(ft->ttype);
--	buf[2] = cpu_to_le32(ft->tclass);
--	buf[3] = cpu_to_le32(otype->otype);
--	items = put_entry(buf, sizeof(uint32_t), 4, fp);
--	if (items != 4)
--		return POLICYDB_ERROR;
-+			buf[0] = cpu_to_le32(bit + 1);
-+			buf[1] = cpu_to_le32(ft->ttype);
-+			buf[2] = cpu_to_le32(ft->tclass);
-+			buf[3] = cpu_to_le32(datum->otype);
-+			items = put_entry(buf, sizeof(uint32_t), 4, fp);
-+			if (items != 4)
-+				return POLICYDB_ERROR;
-+		}
-+
-+		datum = datum->next;
-+	} while (datum);
- 
- 	return 0;
- }
- 
- static int filename_trans_write(struct policydb *p, void *fp)
- {
--	size_t nel, items;
-+	size_t items;
- 	uint32_t buf[1];
- 	int rc;
- 
- 	if (p->policyvers < POLICYDB_VERSION_FILENAME_TRANS)
- 		return 0;
- 
--	nel =  p->filename_trans->nel;
--	buf[0] = cpu_to_le32(nel);
-+	buf[0] = cpu_to_le32(p->filename_trans_count);
- 	items = put_entry(buf, sizeof(uint32_t), 1, fp);
- 	if (items != 1)
- 		return POLICYDB_ERROR;
--- 
-2.29.0.rc2
-

0002-libsepol-implement-POLICYDB_VERSION_COMP_FTRANS.patch

@@ -1,394 +0,0 @@
-From 8206b8cb00392aab358f4eeae38f98850438085c Mon Sep 17 00:00:00 2001
-From: Ondrej Mosnacek <omosnace@redhat.com>
-Date: Fri, 31 Jul 2020 13:10:35 +0200
-Subject: [PATCH] libsepol: implement POLICYDB_VERSION_COMP_FTRANS
-
-Implement a new, more space-efficient form of storing filename
-transitions in the binary policy. The internal structures have already
-been converted to this new representation; this patch just implements
-reading/writing an equivalent representation from/to the binary policy.
-
-This new format reduces the size of Fedora policy from 7.6 MB to only
-3.3 MB (with policy optimization enabled in both cases). With the
-unconfined module disabled, the size is reduced from 3.3 MB to 2.4 MB.
-
-Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
----
- libsepol/include/sepol/policydb/policydb.h |   3 +-
- libsepol/src/policydb.c                    | 209 +++++++++++++++++----
- libsepol/src/write.c                       |  73 ++++++-
- 3 files changed, 242 insertions(+), 43 deletions(-)
-
-diff --git a/libsepol/include/sepol/policydb/policydb.h b/libsepol/include/sepol/policydb/policydb.h
-index c3180c611c64..9ef43abc2f12 100644
---- a/libsepol/include/sepol/policydb/policydb.h
-+++ b/libsepol/include/sepol/policydb/policydb.h
-@@ -755,10 +755,11 @@ extern int policydb_set_target_platform(policydb_t *p, int platform);
- #define POLICYDB_VERSION_XPERMS_IOCTL	30 /* Linux-specific */
- #define POLICYDB_VERSION_INFINIBAND		31 /* Linux-specific */
- #define POLICYDB_VERSION_GLBLUB		32
-+#define POLICYDB_VERSION_COMP_FTRANS	33 /* compressed filename transitions */
- 
- /* Range of policy versions we understand*/
- #define POLICYDB_VERSION_MIN	POLICYDB_VERSION_BASE
--#define POLICYDB_VERSION_MAX	POLICYDB_VERSION_GLBLUB
-+#define POLICYDB_VERSION_MAX	POLICYDB_VERSION_COMP_FTRANS
- 
- /* Module versions and specific changes*/
- #define MOD_POLICYDB_VERSION_BASE		4
-diff --git a/libsepol/src/policydb.c b/libsepol/src/policydb.c
-index 0b98d50b8096..ce8f3ad77005 100644
---- a/libsepol/src/policydb.c
-+++ b/libsepol/src/policydb.c
-@@ -200,6 +200,13 @@ static struct policydb_compat_info policydb_compat[] = {
- 	 .ocon_num = OCON_IBENDPORT + 1,
- 	 .target_platform = SEPOL_TARGET_SELINUX,
- 	},
-+	{
-+	 .type = POLICY_KERN,
-+	 .version = POLICYDB_VERSION_COMP_FTRANS,
-+	 .sym_num = SYM_NUM,
-+	 .ocon_num = OCON_IBENDPORT + 1,
-+	 .target_platform = SEPOL_TARGET_SELINUX,
-+	},
- 	{
- 	 .type = POLICY_BASE,
- 	 .version = MOD_POLICYDB_VERSION_BASE,
-@@ -2669,65 +2676,201 @@ int policydb_filetrans_insert(policydb_t *p, uint32_t stype, uint32_t ttype,
- 	return ebitmap_set_bit(&datum->stypes, stype - 1, 1);
- }
- 
--int filename_trans_read(policydb_t *p, struct policy_file *fp)
-+static int filename_trans_read_one_compat(policydb_t *p, struct policy_file *fp)
- {
--	unsigned int i;
--	uint32_t buf[4], nel, len, stype, ttype, tclass, otype;
-+	uint32_t buf[4], len, stype, ttype, tclass, otype;
-+	char *name = NULL;
- 	int rc;
--	char *name;
- 
- 	rc = next_entry(buf, fp, sizeof(uint32_t));
- 	if (rc < 0)
- 		return -1;
--	nel = le32_to_cpu(buf[0]);
-+	len = le32_to_cpu(buf[0]);
-+	if (zero_or_saturated(len))
-+		return -1;
- 
--	for (i = 0; i < nel; i++) {
--		name = NULL;
-+	name = calloc(len + 1, sizeof(*name));
-+	if (!name)
-+		return -1;
- 
--		rc = next_entry(buf, fp, sizeof(uint32_t));
--		if (rc < 0)
--			goto err;
--		len = le32_to_cpu(buf[0]);
--		if (zero_or_saturated(len))
-+	rc = next_entry(name, fp, len);
-+	if (rc < 0)
-+		goto err;
-+
-+	rc = next_entry(buf, fp, sizeof(uint32_t) * 4);
-+	if (rc < 0)
-+		goto err;
-+
-+	stype  = le32_to_cpu(buf[0]);
-+	ttype  = le32_to_cpu(buf[1]);
-+	tclass = le32_to_cpu(buf[2]);
-+	otype  = le32_to_cpu(buf[3]);
-+
-+	rc = policydb_filetrans_insert(p, stype, ttype, tclass, name, &name,
-+				       otype, NULL);
-+	if (rc) {
-+		if (rc != SEPOL_EEXIST)
- 			goto err;
-+		/*
-+		 * Some old policies were wrongly generated with
-+		 * duplicate filename transition rules.  For backward
-+		 * compatibility, do not reject such policies, just
-+		 * ignore the duplicate.
-+		 */
-+	}
-+	free(name);
-+	return 0;
-+err:
-+	free(name);
-+	return -1;
-+}
-+
-+static int filename_trans_check_datum(filename_trans_datum_t *datum)
-+{
-+	ebitmap_t stypes, otypes;
-+	int rc = -1;
-+
-+	ebitmap_init(&stypes);
-+	ebitmap_init(&otypes);
-+
-+	while (datum) {
-+		if (ebitmap_get_bit(&otypes, datum->otype))
-+			goto out;
-+
-+		if (ebitmap_set_bit(&otypes, datum->otype, 1))
-+			goto out;
-+
-+		if (ebitmap_match_any(&stypes, &datum->stypes))
-+			goto out;
- 
--		name = calloc(len + 1, sizeof(*name));
--		if (!name)
-+		if (ebitmap_union(&stypes, &datum->stypes))
-+			goto out;
-+
-+		datum = datum->next;
-+	}
-+	rc = 0;
-+out:
-+	ebitmap_destroy(&stypes);
-+	ebitmap_destroy(&otypes);
-+	return rc;
-+}
-+
-+static int filename_trans_read_one(policydb_t *p, struct policy_file *fp)
-+{
-+	filename_trans_key_t *ft = NULL;
-+	filename_trans_datum_t **dst, *datum, *first = NULL;
-+	unsigned int i;
-+	uint32_t buf[3], len, ttype, tclass, ndatum;
-+	char *name = NULL;
-+	int rc;
-+
-+	rc = next_entry(buf, fp, sizeof(uint32_t));
-+	if (rc < 0)
-+		return -1;
-+	len = le32_to_cpu(buf[0]);
-+	if (zero_or_saturated(len))
-+		return -1;
-+
-+	name = calloc(len + 1, sizeof(*name));
-+	if (!name)
-+		return -1;
-+
-+	rc = next_entry(name, fp, len);
-+	if (rc < 0)
-+		goto err;
-+
-+	rc = next_entry(buf, fp, sizeof(uint32_t) * 3);
-+	if (rc < 0)
-+		goto err;
-+
-+	ttype = le32_to_cpu(buf[0]);
-+	tclass = le32_to_cpu(buf[1]);
-+	ndatum = le32_to_cpu(buf[2]);
-+	if (ndatum == 0)
-+		goto err;
-+
-+	dst = &first;
-+	for (i = 0; i < ndatum; i++) {
-+		datum = malloc(sizeof(*datum));
-+		if (!datum)
- 			goto err;
- 
--		rc = next_entry(name, fp, len);
-+		*dst = datum;
-+
-+		/* ebitmap_read() will at least init the bitmap */
-+		rc = ebitmap_read(&datum->stypes, fp);
- 		if (rc < 0)
- 			goto err;
- 
--		rc = next_entry(buf, fp, sizeof(uint32_t) * 4);
-+		rc = next_entry(buf, fp, sizeof(uint32_t));
- 		if (rc < 0)
- 			goto err;
- 
--		stype  = le32_to_cpu(buf[0]);
--		ttype  = le32_to_cpu(buf[1]);
--		tclass = le32_to_cpu(buf[2]);
--		otype  = le32_to_cpu(buf[3]);
-+		datum->otype = le32_to_cpu(buf[0]);
- 
--		rc = policydb_filetrans_insert(p, stype, ttype, tclass, name,
--					       &name, otype, NULL);
--		if (rc) {
--			if (rc != SEPOL_EEXIST)
--				goto err;
--			/*
--			 * Some old policies were wrongly generated with
--			 * duplicate filename transition rules.  For backward
--			 * compatibility, do not reject such policies, just
--			 * ignore the duplicate.
--			 */
--		}
--		free(name);
-+		p->filename_trans_count += ebitmap_cardinality(&datum->stypes);
-+
-+		dst = &datum->next;
- 	}
-+	*dst = NULL;
-+
-+	if (ndatum > 1 && filename_trans_check_datum(first))
-+		goto err;
-+
-+	ft = malloc(sizeof(*ft));
-+	if (!ft)
-+		goto err;
-+
-+	ft->ttype = ttype;
-+	ft->tclass = tclass;
-+	ft->name = name;
-+
-+	rc = hashtab_insert(p->filename_trans, (hashtab_key_t)ft,
-+			    (hashtab_datum_t)first);
-+	if (rc)
-+		goto err;
-+
- 	return 0;
- err:
-+	free(ft);
- 	free(name);
-+	while (first) {
-+		datum = first;
-+		first = first->next;
-+
-+		ebitmap_destroy(&datum->stypes);
-+		free(datum);
-+	}
- 	return -1;
- }
- 
-+int filename_trans_read(policydb_t *p, struct policy_file *fp)
-+{
-+	unsigned int i;
-+	uint32_t buf[1], nel;
-+	int rc;
-+
-+	rc = next_entry(buf, fp, sizeof(uint32_t));
-+	if (rc < 0)
-+		return -1;
-+	nel = le32_to_cpu(buf[0]);
-+
-+	if (p->policyvers < POLICYDB_VERSION_COMP_FTRANS) {
-+		for (i = 0; i < nel; i++) {
-+			rc = filename_trans_read_one_compat(p, fp);
-+			if (rc < 0)
-+				return -1;
-+		}
-+	} else {
-+		for (i = 0; i < nel; i++) {
-+			rc = filename_trans_read_one(p, fp);
-+			if (rc < 0)
-+				return -1;
-+		}
-+	}
-+	return 0;
-+}
-+
- static int ocontext_read_xen(struct policydb_compat_info *info,
- 	policydb_t *p, struct policy_file *fp)
- {
-diff --git a/libsepol/src/write.c b/libsepol/src/write.c
-index d3aee8d5bf22..84bcaf3f57ca 100644
---- a/libsepol/src/write.c
-+++ b/libsepol/src/write.c
-@@ -569,7 +569,7 @@ static int role_allow_write(role_allow_t * r, struct policy_file *fp)
- 	return POLICYDB_SUCCESS;
- }
- 
--static int filename_write_helper(hashtab_key_t key, void *data, void *ptr)
-+static int filename_write_one_compat(hashtab_key_t key, void *data, void *ptr)
- {
- 	uint32_t bit, buf[4];
- 	size_t items, len;
-@@ -605,6 +605,54 @@ static int filename_write_helper(hashtab_key_t key, void *data, void *ptr)
- 	return 0;
- }
- 
-+static int filename_write_one(hashtab_key_t key, void *data, void *ptr)
-+{
-+	uint32_t buf[3];
-+	size_t items, len, ndatum;
-+	filename_trans_key_t *ft = (filename_trans_key_t *)key;
-+	filename_trans_datum_t *datum;
-+	void *fp = ptr;
-+
-+	len = strlen(ft->name);
-+	buf[0] = cpu_to_le32(len);
-+	items = put_entry(buf, sizeof(uint32_t), 1, fp);
-+	if (items != 1)
-+		return POLICYDB_ERROR;
-+
-+	items = put_entry(ft->name, sizeof(char), len, fp);
-+	if (items != len)
-+		return POLICYDB_ERROR;
-+
-+	ndatum = 0;
-+	datum = data;
-+	do {
-+		ndatum++;
-+		datum = datum->next;
-+	} while (datum);
-+
-+	buf[0] = cpu_to_le32(ft->ttype);
-+	buf[1] = cpu_to_le32(ft->tclass);
-+	buf[2] = cpu_to_le32(ndatum);
-+	items = put_entry(buf, sizeof(uint32_t), 3, fp);
-+	if (items != 3)
-+		return POLICYDB_ERROR;
-+
-+	datum = data;
-+	do {
-+		if (ebitmap_write(&datum->stypes, fp))
-+			return POLICYDB_ERROR;
-+
-+		buf[0] = cpu_to_le32(datum->otype);
-+		items = put_entry(buf, sizeof(uint32_t), 1, fp);
-+		if (items != 1)
-+			return POLICYDB_ERROR;
-+
-+		datum = datum->next;
-+	} while (datum);
-+
-+	return 0;
-+}
-+
- static int filename_trans_write(struct policydb *p, void *fp)
- {
- 	size_t items;
-@@ -614,16 +662,23 @@ static int filename_trans_write(struct policydb *p, void *fp)
- 	if (p->policyvers < POLICYDB_VERSION_FILENAME_TRANS)
- 		return 0;
- 
--	buf[0] = cpu_to_le32(p->filename_trans_count);
--	items = put_entry(buf, sizeof(uint32_t), 1, fp);
--	if (items != 1)
--		return POLICYDB_ERROR;
-+	if (p->policyvers < POLICYDB_VERSION_COMP_FTRANS) {
-+		buf[0] = cpu_to_le32(p->filename_trans_count);
-+		items = put_entry(buf, sizeof(uint32_t), 1, fp);
-+		if (items != 1)
-+			return POLICYDB_ERROR;
- 
--	rc = hashtab_map(p->filename_trans, filename_write_helper, fp);
--	if (rc)
--		return rc;
-+		rc = hashtab_map(p->filename_trans, filename_write_one_compat,
-+				 fp);
-+	} else {
-+		buf[0] = cpu_to_le32(p->filename_trans->nel);
-+		items = put_entry(buf, sizeof(uint32_t), 1, fp);
-+		if (items != 1)
-+			return POLICYDB_ERROR;
- 
--	return 0;
-+		rc = hashtab_map(p->filename_trans, filename_write_one, fp);
-+	}
-+	return rc;
- }
- 
- static int role_set_write(role_set_t * x, struct policy_file *fp)
--- 
-2.29.0.rc2
-

0003-libsepol-cil-Validate-constraint-expressions-before-.patch

@@ -1,172 +0,0 @@
-From 685f577aa01ed378374cde9c0105b19c18ca7c07 Mon Sep 17 00:00:00 2001
-From: James Carter <jwcart2@gmail.com>
-Date: Wed, 9 Sep 2020 16:57:12 -0400
-Subject: [PATCH] libsepol/cil: Validate constraint expressions before adding
- to binary policy
-
-CIL was not correctly determining the depth of constraint expressions
-which prevented it from giving an error when the max depth was exceeded.
-This allowed invalid policy binaries with constraint expressions exceeding
-the max depth to be created.
-
-Validate the constraint expression using the same logic that is used
-when reading the binary policy. This includes checking the depth of the
-the expression.
-
-Reported-by: Jonathan Hettwer <j2468h@gmail.com>
-Signed-off-by: James Carter <jwcart2@gmail.com>
-Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
----
- libsepol/cil/src/cil_binary.c    | 48 ++++++++++++++++++++++++++++++++
- libsepol/cil/src/cil_build_ast.c | 20 ++++---------
- 2 files changed, 53 insertions(+), 15 deletions(-)
-
-diff --git a/libsepol/cil/src/cil_binary.c b/libsepol/cil/src/cil_binary.c
-index 7726685809af..c8e41f09e53f 100644
---- a/libsepol/cil/src/cil_binary.c
-+++ b/libsepol/cil/src/cil_binary.c
-@@ -2713,6 +2713,49 @@ int __cil_constrain_expr_to_sepol_expr(policydb_t *pdb, const struct cil_db *db,
- 	return SEPOL_OK;
- }
- 
-+int __cil_validate_constrain_expr(constraint_expr_t *sepol_expr)
-+{
-+	constraint_expr_t *e;
-+	int depth = -1;
-+
-+	for (e = sepol_expr; e != NULL; e = e->next) {
-+		switch (e->expr_type) {
-+		case CEXPR_NOT:
-+			if (depth < 0) {
-+				cil_log(CIL_ERR,"Invalid constraint expression\n");
-+				return SEPOL_ERR;
-+			}
-+			break;
-+		case CEXPR_AND:
-+		case CEXPR_OR:
-+			if (depth < 1) {
-+				cil_log(CIL_ERR,"Invalid constraint expression\n");
-+				return SEPOL_ERR;
-+			}
-+			depth--;
-+			break;
-+		case CEXPR_ATTR:
-+		case CEXPR_NAMES:
-+			if (depth == (CEXPR_MAXDEPTH - 1)) {
-+				cil_log(CIL_ERR,"Constraint expression exceeded max allowable depth\n");
-+				return SEPOL_ERR;
-+			}
-+			depth++;
-+			break;
-+		default:
-+			cil_log(CIL_ERR,"Invalid constraint expression\n");
-+			return SEPOL_ERR;
-+		}
-+	}
-+
-+	if (depth != 0) {
-+		cil_log(CIL_ERR,"Invalid constraint expression\n");
-+		return SEPOL_ERR;
-+	}
-+
-+	return SEPOL_OK;
-+}
-+
- int cil_constrain_to_policydb_helper(policydb_t *pdb, const struct cil_db *db, struct cil_symtab_datum *class, struct cil_list *perms, struct cil_list *expr)
- {
- 	int rc = SEPOL_ERR;
-@@ -2736,6 +2779,11 @@ int cil_constrain_to_policydb_helper(policydb_t *pdb, const struct cil_db *db, s
- 		goto exit;
- 	}
- 
-+	rc = __cil_validate_constrain_expr(sepol_expr);
-+	if (rc != SEPOL_OK) {
-+		goto exit;
-+	}
-+
- 	sepol_constrain->expr = sepol_expr;
- 	sepol_constrain->next = sepol_class->constraints;
- 	sepol_class->constraints = sepol_constrain;
-diff --git a/libsepol/cil/src/cil_build_ast.c b/libsepol/cil/src/cil_build_ast.c
-index 60ecaaff3060..870c6923b4de 100644
---- a/libsepol/cil/src/cil_build_ast.c
-+++ b/libsepol/cil/src/cil_build_ast.c
-@@ -2738,7 +2738,7 @@ exit:
- 	return SEPOL_ERR;
- }
- 
--static int __cil_fill_constraint_expr(struct cil_tree_node *current, enum cil_flavor flavor, struct cil_list **expr, int *depth)
-+static int __cil_fill_constraint_expr(struct cil_tree_node *current, enum cil_flavor flavor, struct cil_list **expr)
- {
- 	int rc = SEPOL_ERR;
- 	enum cil_flavor op;
-@@ -2750,12 +2750,6 @@ static int __cil_fill_constraint_expr(struct cil_tree_node *current, enum cil_fl
- 		goto exit;
- 	}
- 
--	if (*depth > CEXPR_MAXDEPTH) {
--		cil_log(CIL_ERR, "Max depth of %d exceeded for constraint expression\n", CEXPR_MAXDEPTH);
--		rc = SEPOL_ERR;
--		goto exit;
--	}
--
- 	op = __cil_get_constraint_operator_flavor(current->data);
- 
- 	rc = cil_verify_constraint_expr_syntax(current, op);
-@@ -2769,14 +2763,13 @@ static int __cil_fill_constraint_expr(struct cil_tree_node *current, enum cil_fl
- 	case CIL_CONS_DOM:
- 	case CIL_CONS_DOMBY:
- 	case CIL_CONS_INCOMP:
--		(*depth)++;
- 		rc = __cil_fill_constraint_leaf_expr(current, flavor, op, expr);
- 		if (rc != SEPOL_OK) {
- 			goto exit;
- 		}
- 		break;
- 	case CIL_NOT:
--		rc = __cil_fill_constraint_expr(current->next->cl_head, flavor, &lexpr, depth);
-+		rc = __cil_fill_constraint_expr(current->next->cl_head, flavor, &lexpr);
- 		if (rc != SEPOL_OK) {
- 			goto exit;
- 		}
-@@ -2785,11 +2778,11 @@ static int __cil_fill_constraint_expr(struct cil_tree_node *current, enum cil_fl
- 		cil_list_append(*expr, CIL_LIST, lexpr);
- 		break;
- 	default:
--		rc = __cil_fill_constraint_expr(current->next->cl_head, flavor, &lexpr, depth);
-+		rc = __cil_fill_constraint_expr(current->next->cl_head, flavor, &lexpr);
- 		if (rc != SEPOL_OK) {
- 			goto exit;
- 		}
--		rc = __cil_fill_constraint_expr(current->next->next->cl_head, flavor, &rexpr, depth);
-+		rc = __cil_fill_constraint_expr(current->next->next->cl_head, flavor, &rexpr);
- 		if (rc != SEPOL_OK) {
- 			cil_list_destroy(&lexpr, CIL_TRUE);
- 			goto exit;
-@@ -2801,8 +2794,6 @@ static int __cil_fill_constraint_expr(struct cil_tree_node *current, enum cil_fl
- 		break;
- 	}
- 
--	(*depth)--;
--
- 	return SEPOL_OK;
- exit:
- 
-@@ -2812,13 +2803,12 @@ exit:
- int cil_gen_constraint_expr(struct cil_tree_node *current, enum cil_flavor flavor, struct cil_list **expr)
- {
- 	int rc = SEPOL_ERR;
--	int depth = 0;
- 
- 	if (current->cl_head == NULL) {
- 		goto exit;
- 	}
- 
--	rc = __cil_fill_constraint_expr(current->cl_head, flavor, expr, &depth);
-+	rc = __cil_fill_constraint_expr(current->cl_head, flavor, expr);
- 	if (rc != SEPOL_OK) {
- 		goto exit;
- 	}
--- 
-2.29.0.rc2
-

0004-libsepol-cil-Validate-conditional-expressions-before.patch

@@ -1,172 +0,0 @@
-From 734e4beb55cb53d3370201838caa4850b2a6d276 Mon Sep 17 00:00:00 2001
-From: James Carter <jwcart2@gmail.com>
-Date: Wed, 9 Sep 2020 16:57:02 -0400
-Subject: [PATCH] libsepol/cil: Validate conditional expressions before adding
- to binary policy
-
-CIL was not correctly determining the depth of conditional expressions
-which prevented it from giving an error when the max depth was exceeded.
-This allowed invalid policy binaries to be created.
-
-Validate the conditional expression using the same logic that is used
-when evaluating a conditional expression. This includes checking the
-depth of the expression.
-
-Signed-off-by: James Carter <jwcart2@gmail.com>
-Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
----
- libsepol/cil/src/cil_binary.c    | 50 ++++++++++++++++++++++++++++++++
- libsepol/cil/src/cil_build_ast.c | 26 +++++------------
- 2 files changed, 57 insertions(+), 19 deletions(-)
-
-diff --git a/libsepol/cil/src/cil_binary.c b/libsepol/cil/src/cil_binary.c
-index c8e41f09e53f..50cc7f757c62 100644
---- a/libsepol/cil/src/cil_binary.c
-+++ b/libsepol/cil/src/cil_binary.c
-@@ -2176,6 +2176,51 @@ static int __cil_cond_expr_to_sepol_expr(policydb_t *pdb, struct cil_list *cil_e
- 	return SEPOL_OK;
- }
- 
-+int __cil_validate_cond_expr(cond_expr_t *cond_expr)
-+{
-+	cond_expr_t *e;
-+	int depth = -1;
-+
-+	for (e = cond_expr; e != NULL; e = e->next) {
-+		switch (e->expr_type) {
-+		case COND_BOOL:
-+			if (depth == (COND_EXPR_MAXDEPTH - 1)) {
-+				cil_log(CIL_ERR,"Conditional expression exceeded max allowable depth\n");
-+				return SEPOL_ERR;
-+			}
-+			depth++;
-+			break;
-+		case COND_NOT:
-+			if (depth < 0) {
-+				cil_log(CIL_ERR,"Invalid conditional expression\n");
-+				return SEPOL_ERR;
-+			}
-+			break;
-+		case COND_OR:
-+		case COND_AND:
-+		case COND_XOR:
-+		case COND_EQ:
-+		case COND_NEQ:
-+			if (depth < 1) {
-+				cil_log(CIL_ERR,"Invalid conditional expression\n");
-+				return SEPOL_ERR;
-+			}
-+			depth--;
-+			break;
-+		default:
-+			cil_log(CIL_ERR,"Invalid conditional expression\n");
-+			return SEPOL_ERR;
-+		}
-+	}
-+
-+	if (depth != 0) {
-+		cil_log(CIL_ERR,"Invalid conditional expression\n");
-+		return SEPOL_ERR;
-+	}
-+
-+	return SEPOL_OK;
-+}
-+
- int cil_booleanif_to_policydb(policydb_t *pdb, const struct cil_db *db, struct cil_tree_node *node)
- {
- 	int rc = SEPOL_ERR;
-@@ -2204,6 +2249,11 @@ int cil_booleanif_to_policydb(policydb_t *pdb, const struct cil_db *db, struct c
- 		goto exit;
- 	}
- 
-+	rc = __cil_validate_cond_expr(tmp_cond->expr);
-+	if (rc != SEPOL_OK) {
-+		goto exit;
-+	}
-+
- 	tmp_cond->true_list = &tmp_cl;
- 
- 	rc = cond_normalize_expr(pdb, tmp_cond);
-diff --git a/libsepol/cil/src/cil_build_ast.c b/libsepol/cil/src/cil_build_ast.c
-index 870c6923b4de..3aabb05ec534 100644
---- a/libsepol/cil/src/cil_build_ast.c
-+++ b/libsepol/cil/src/cil_build_ast.c
-@@ -2548,18 +2548,13 @@ static enum cil_flavor __cil_get_expr_operator_flavor(const char *op)
- 	else return CIL_NONE;
- }
- 
--static int __cil_fill_expr(struct cil_tree_node *current, enum cil_flavor flavor, struct cil_list *expr, int *depth);
-+static int __cil_fill_expr(struct cil_tree_node *current, enum cil_flavor flavor, struct cil_list *expr);
- 
--static int __cil_fill_expr_helper(struct cil_tree_node *current, enum cil_flavor flavor, struct cil_list *expr, int *depth)
-+static int __cil_fill_expr_helper(struct cil_tree_node *current, enum cil_flavor flavor, struct cil_list *expr)
- {
- 	int rc = SEPOL_ERR;
- 	enum cil_flavor op;
- 
--	if (flavor == CIL_BOOL && *depth > COND_EXPR_MAXDEPTH) {
--		cil_log(CIL_ERR, "Max depth of %d exceeded for boolean expression\n", COND_EXPR_MAXDEPTH);
--		goto exit;
--	}
--
- 	op = __cil_get_expr_operator_flavor(current->data);
- 
- 	rc = cil_verify_expr_syntax(current, op, flavor);
-@@ -2572,26 +2567,20 @@ static int __cil_fill_expr_helper(struct cil_tree_node *current, enum cil_flavor
- 		current = current->next;
- 	}
- 
--	if (op == CIL_NONE || op == CIL_ALL) {
--		(*depth)++;
--	}
--
- 	for (;current != NULL; current = current->next) {
--		rc = __cil_fill_expr(current, flavor, expr, depth);
-+		rc = __cil_fill_expr(current, flavor, expr);
- 		if (rc != SEPOL_OK) {
- 			goto exit;
- 		}
- 	}
- 
--	(*depth)--;
--
- 	return SEPOL_OK;
- 
- exit:
- 	return rc;
- }
- 
--static int __cil_fill_expr(struct cil_tree_node *current, enum cil_flavor flavor, struct cil_list *expr, int *depth)
-+static int __cil_fill_expr(struct cil_tree_node *current, enum cil_flavor flavor, struct cil_list *expr)
- {
- 	int rc = SEPOL_ERR;
- 
-@@ -2605,7 +2594,7 @@ static int __cil_fill_expr(struct cil_tree_node *current, enum cil_flavor flavor
- 	} else {
- 		struct cil_list *sub_expr;
- 		cil_list_init(&sub_expr, flavor);
--		rc = __cil_fill_expr_helper(current->cl_head, flavor, sub_expr, depth);
-+		rc = __cil_fill_expr_helper(current->cl_head, flavor, sub_expr);
- 		if (rc != SEPOL_OK) {
- 			cil_list_destroy(&sub_expr, CIL_TRUE);
- 			goto exit;
-@@ -2623,14 +2612,13 @@ exit:
- int cil_gen_expr(struct cil_tree_node *current, enum cil_flavor flavor, struct cil_list **expr)
- {
- 	int rc = SEPOL_ERR;
--	int depth = 0;
- 
- 	cil_list_init(expr, flavor);
- 
- 	if (current->cl_head == NULL) {
--		rc = __cil_fill_expr(current, flavor, *expr, &depth);
-+		rc = __cil_fill_expr(current, flavor, *expr);
- 	} else {
--		rc = __cil_fill_expr_helper(current->cl_head, flavor, *expr, &depth);
-+		rc = __cil_fill_expr_helper(current->cl_head, flavor, *expr);
- 	}
- 
- 	if (rc != SEPOL_OK) {
--- 
-2.29.0.rc2
-

0005-libsepol-cil-Fix-neverallow-checking-involving-class.patch

@@ -1,50 +0,0 @@
-From a152653b9a43fe2c776d239efc2d46d336555bc8 Mon Sep 17 00:00:00 2001
-From: James Carter <jwcart2@gmail.com>
-Date: Tue, 15 Sep 2020 14:48:06 -0400
-Subject: [PATCH] libsepol/cil: Fix neverallow checking involving classmaps
-
-When classmaps used in a neverallow were being expanded during CIL
-neverallow checking, an empty classmapping in the list of
-classmappings for a classmap would cause the classmap expansion to
-stop and the rest of the classmapping of the classmap to be ignored.
-This would mean that not all of the classes and permissions associated
-with the classmap would be used to check for a neverallow violation.
-
-Do not end the expansion of a classmap when one classmapping is empty.
-
-Reported-by: Jonathan Hettwer <j2468h@gmail.com>
-Signed-off-by: James Carter <jwcart2@gmail.com>
-Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
----
- libsepol/cil/src/cil_binary.c | 14 ++++++--------
- 1 file changed, 6 insertions(+), 8 deletions(-)
-
-diff --git a/libsepol/cil/src/cil_binary.c b/libsepol/cil/src/cil_binary.c
-index 50cc7f757c62..36720eda4549 100644
---- a/libsepol/cil/src/cil_binary.c
-+++ b/libsepol/cil/src/cil_binary.c
-@@ -4363,15 +4363,13 @@ static int __cil_rule_to_sepol_class_perms(policydb_t *pdb, struct cil_list *cla
- 
- 				rc = __cil_perms_to_datum(cp->perms, sepol_class, &data);
- 				if (rc != SEPOL_OK) goto exit;
--				if (data == 0) {
--					/* No permissions */
--					return SEPOL_OK;
-+				if (data != 0) { /* Only add if there are permissions */
-+					cpn = cil_malloc(sizeof(class_perm_node_t));
-+					cpn->tclass = sepol_class->s.value;
-+					cpn->data = data;
-+					cpn->next = *sepol_class_perms;
-+					*sepol_class_perms = cpn;
- 				}
--				cpn = cil_malloc(sizeof(class_perm_node_t));
--				cpn->tclass = sepol_class->s.value;
--				cpn->data = data;
--				cpn->next = *sepol_class_perms;
--				*sepol_class_perms = cpn;
- 			} else { /* MAP */
- 				struct cil_list_item *j = NULL;
- 				cil_list_for_each(j, cp->perms) {
--- 
-2.29.0.rc2
-

0006-libsepol-cil-fix-signed-overflow-caused-by-using-1-3.patch

@@ -1,90 +0,0 @@
-From 521e6a2f478a4c7a7c198c017d4d12e8667d89e7 Mon Sep 17 00:00:00 2001
-From: Nicolas Iooss <nicolas.iooss@m4x.org>
-Date: Sat, 3 Oct 2020 15:19:08 +0200
-Subject: [PATCH] libsepol/cil: fix signed overflow caused by using (1 << 31) -
- 1
-
-When compiling SELinux userspace tools with -ftrapv (this option
-generates traps for signed overflow on addition, subtraction,
-multiplication operations, instead of silently wrapping around),
-semodule crashes when running the tests from
-scripts/ci/fedora-test-runner.sh in a Fedora 32 virtual machine:
-
-    [root@localhost selinux-testsuite]# make test
-    make -C policy load
-    make[1]: Entering directory '/root/selinux-testsuite/policy'
-    # Test for "expand-check = 0" in /etc/selinux/semanage.conf
-    # General policy build
-    make[2]: Entering directory '/root/selinux-testsuite/policy/test_policy'
-    Compiling targeted test_policy module
-    Creating targeted test_policy.pp policy package
-    rm tmp/test_policy.mod.fc
-    make[2]: Leaving directory '/root/selinux-testsuite/policy/test_policy'
-    # General policy load
-    domain_fd_use --> off
-    /usr/sbin/semodule -i test_policy/test_policy.pp test_mlsconstrain.cil test_overlay_defaultrange.cil test_add_levels.cil test_glblub.cil
-    make[1]: *** [Makefile:174: load] Aborted (core dumped)
-
-Using "coredumpctl gdb" leads to the following strack trace:
-
-    (gdb) bt
-    #0  0x00007f608fe4fa25 in raise () from /lib64/libc.so.6
-    #1  0x00007f608fe38895 in abort () from /lib64/libc.so.6
-    #2  0x00007f6090028aca in __addvsi3.cold () from /lib64/libsepol.so.1
-    #3  0x00007f6090096f59 in __avrule_xperm_setrangebits (low=30, high=30, xperms=0x8b9eea0)
-        at ../cil/src/cil_binary.c:1551
-    #4  0x00007f60900970dd in __cil_permx_bitmap_to_sepol_xperms_list (xperms=0xb650a30, xperms_list=0x7ffce2653b18)
-        at ../cil/src/cil_binary.c:1596
-    #5  0x00007f6090097286 in __cil_avrulex_ioctl_to_policydb (k=0xb8ec200 "@\023\214\022\006", datum=0xb650a30,
-        args=0x239a640) at ../cil/src/cil_binary.c:1649
-    #6  0x00007f609003f1e5 in hashtab_map (h=0x41f8710, apply=0x7f60900971da <__cil_avrulex_ioctl_to_policydb>,
-        args=0x239a640) at hashtab.c:234
-    #7  0x00007f609009ea19 in cil_binary_create_allocated_pdb (db=0x2394f10, policydb=0x239a640)
-        at ../cil/src/cil_binary.c:4969
-    #8  0x00007f609009d19d in cil_binary_create (db=0x2394f10, policydb=0x7ffce2653d30) at ../cil/src/cil_binary.c:4329
-    #9  0x00007f609008ec23 in cil_build_policydb_create_pdb (db=0x2394f10, sepol_db=0x7ffce2653d30)
-        at ../cil/src/cil.c:631
-    #10 0x00007f608fff4bf3 in semanage_direct_commit () from /lib64/libsemanage.so.1
-    #11 0x00007f608fff9fae in semanage_commit () from /lib64/libsemanage.so.1
-    #12 0x0000000000403e2b in main (argc=7, argv=0x7ffce2655058) at semodule.c:753
-
-    (gdb) f 3
-    #3  0x00007f6090096f59 in __avrule_xperm_setrangebits (low=30, high=30, xperms=0x8b9eea0)
-        at ../cil/src/cil_binary.c:1551
-    1551     xperms->perms[i] |= XPERM_SETBITS(h) - XPERM_SETBITS(low);
-
-A signed integer overflow therefore occurs in XPERM_SETBITS(h):
-
-    #define XPERM_SETBITS(x) ((1 << (x & 0x1f)) - 1)
-
-This macro is expanded with h=31, so "(1 << 31) - 1" is computed:
-
-* (1 << 31) = -0x80000000 is the lowest signed 32-bit integer value
-* (1 << 31) - 1 overflows the capacity of a signed 32-bit integer and
-  results in 0x7fffffff (which is unsigned)
-
-Using unsigned integers (with "1U") fixes the crash, as
-(1U << 31) = 0x80000000U has no overflowing issues.
-
-Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
-Acked-by: Petr Lautrbach <plautrba@redhat.com>
----
- libsepol/cil/src/cil_binary.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/libsepol/cil/src/cil_binary.c b/libsepol/cil/src/cil_binary.c
-index 36720eda4549..e417c5c28b8b 100644
---- a/libsepol/cil/src/cil_binary.c
-+++ b/libsepol/cil/src/cil_binary.c
-@@ -1526,7 +1526,7 @@ int cil_avrule_to_policydb(policydb_t *pdb, const struct cil_db *db, struct cil_
- /* index of the u32 containing the permission */
- #define XPERM_IDX(x) (x >> 5)
- /* set bits 0 through x-1 within the u32 */
--#define XPERM_SETBITS(x) ((1 << (x & 0x1f)) - 1)
-+#define XPERM_SETBITS(x) ((1U << (x & 0x1f)) - 1)
- /* low value for this u32 */
- #define XPERM_LOW(x) (x << 5)
- /* high value for this u32 */
--- 
-2.29.0.rc2
-

0007-libsepol-drop-confusing-BUG_ON-macro.patch

@@ -1,77 +0,0 @@
-From 64387cb37379fc8f135eeecd2bd9fdf3c591c763 Mon Sep 17 00:00:00 2001
-From: Nicolas Iooss <nicolas.iooss@m4x.org>
-Date: Sat, 3 Oct 2020 15:34:19 +0200
-Subject: [PATCH] libsepol: drop confusing BUG_ON macro
-
-Contrary to Linux kernel, BUG_ON() does not halt the execution, in
-libsepol/src/services.c. Instead it displays an error message and
-continues the execution.
-
-This means that this code does not prevent an out-of-bound write from
-happening:
-
-    case CEXPR_AND:
-        BUG_ON(sp < 1);
-        sp--;
-        s[sp] &= s[sp + 1];
-
-Use if(...){BUG();rc=-EINVAL;goto out;} constructions instead, to make
-sure that the array access is always in-bound.
-
-This issue has been found using clang's static analyzer:
-https://558-118970575-gh.circle-artifacts.com/0/output-scan-build/2020-10-02-065849-6375-1/report-50a861.html#EndPath
-
-Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
----
- libsepol/src/services.c | 19 +++++++++++++++----
- 1 file changed, 15 insertions(+), 4 deletions(-)
-
-diff --git a/libsepol/src/services.c b/libsepol/src/services.c
-index 90da1f4efef3..beb0711f6680 100644
---- a/libsepol/src/services.c
-+++ b/libsepol/src/services.c
-@@ -67,7 +67,6 @@
- #include "flask.h"
- 
- #define BUG() do { ERR(NULL, "Badness at %s:%d", __FILE__, __LINE__); } while (0)
--#define BUG_ON(x) do { if (x) ERR(NULL, "Badness at %s:%d", __FILE__, __LINE__); } while (0)
- 
- static int selinux_enforcing = 1;
- 
-@@ -469,18 +468,30 @@ static int constraint_expr_eval_reason(context_struct_t *scontext,
- 		/* Now process each expression of the constraint */
- 		switch (e->expr_type) {
- 		case CEXPR_NOT:
--			BUG_ON(sp < 0);
-+			if (sp < 0) {
-+				BUG();
-+				rc = -EINVAL;
-+				goto out;
-+			}
- 			s[sp] = !s[sp];
- 			cat_expr_buf(expr_list[expr_counter], "not");
- 			break;
- 		case CEXPR_AND:
--			BUG_ON(sp < 1);
-+			if (sp < 1) {
-+				BUG();
-+				rc = -EINVAL;
-+				goto out;
-+			}
- 			sp--;
- 			s[sp] &= s[sp + 1];
- 			cat_expr_buf(expr_list[expr_counter], "and");
- 			break;
- 		case CEXPR_OR:
--			BUG_ON(sp < 1);
-+			if (sp < 1) {
-+				BUG();
-+				rc = -EINVAL;
-+				goto out;
-+			}
- 			sp--;
- 			s[sp] |= s[sp + 1];
- 			cat_expr_buf(expr_list[expr_counter], "or");
--- 
-2.29.0.rc2
-

0008-libsepol-silence-potential-NULL-pointer-dereference-.patch

@@ -1,66 +0,0 @@
-From c97d63c6b40c71c693d3b5bb25628869a95dff24 Mon Sep 17 00:00:00 2001
-From: Nicolas Iooss <nicolas.iooss@m4x.org>
-Date: Sat, 3 Oct 2020 15:56:58 +0200
-Subject: [PATCH] libsepol: silence potential NULL pointer dereference warning
-
-When find_avtab_node() is called with key->specified & AVTAB_XPERMS and
-xperms=NULL, xperms is being dereferenced. This is detected as a
-"NULL pointer dereference issue" by static analyzers.
-
-Even though it does not make much sense to call find_avtab_node() in a
-way which triggers the NULL pointer dereference issue, static analyzers
-have a hard time with calls such as:
-
-    node = find_avtab_node(handle, avtab, &avkey, cond, NULL);
-
-... where xperms=NULL.
-
-So, make the function report an error instead of crashing.
-
-Here is an example of report from clang's static analyzer:
-https://558-118970575-gh.circle-artifacts.com/0/output-scan-build/2020-10-02-065849-6375-1/report-d86a57.html#EndPath
-
-Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
----
- libsepol/src/expand.c | 23 ++++++++++++++---------
- 1 file changed, 14 insertions(+), 9 deletions(-)
-
-diff --git a/libsepol/src/expand.c b/libsepol/src/expand.c
-index 19e48c507236..eac7e4507d02 100644
---- a/libsepol/src/expand.c
-+++ b/libsepol/src/expand.c
-@@ -1570,17 +1570,22 @@ static avtab_ptr_t find_avtab_node(sepol_handle_t * handle,
- 
- 	/* AVTAB_XPERMS entries are not necessarily unique */
- 	if (key->specified & AVTAB_XPERMS) {
--		node = avtab_search_node(avtab, key);
--		while (node) {
--			if ((node->datum.xperms->specified == xperms->specified) &&
--				(node->datum.xperms->driver == xperms->driver)) {
--				match = 1;
--				break;
-+		if (xperms == NULL) {
-+			ERR(handle, "searching xperms NULL");
-+			node = NULL;
-+		} else {
-+			node = avtab_search_node(avtab, key);
-+			while (node) {
-+				if ((node->datum.xperms->specified == xperms->specified) &&
-+					(node->datum.xperms->driver == xperms->driver)) {
-+					match = 1;
-+					break;
-+				}
-+				node = avtab_search_node_next(node, key->specified);
- 			}
--			node = avtab_search_node_next(node, key->specified);
-+			if (!match)
-+				node = NULL;
- 		}
--		if (!match)
--			node = NULL;
- 	} else {
- 		node = avtab_search_node(avtab, key);
- 	}
--- 
-2.29.0.rc2
-

0009-libsepol-Get-rid-of-the-old-and-duplicated-symbols.patch

@@ -1,193 +0,0 @@
-From ae58e84b4fd825b6cd2c67f3856ac35557c45e9c Mon Sep 17 00:00:00 2001
-From: Petr Lautrbach <plautrba@redhat.com>
-Date: Fri, 9 Oct 2020 15:00:47 +0200
-Subject: [PATCH] libsepol: Get rid of the old and duplicated symbols
-
-Versioned duplicate symbols cause problems for LTO. These symbols were
-introduced during the CIL integration several releases ago and were only
-consumed by other SELinux userspace components.
-
-Fixes: https://github.com/SELinuxProject/selinux/issues/245
-
-Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
----
- libsepol/cil/src/cil.c       | 84 ------------------------------------
- libsepol/src/libsepol.map.in |  5 ---
- 2 files changed, 89 deletions(-)
-
-diff --git a/libsepol/cil/src/cil.c b/libsepol/cil/src/cil.c
-index a3c6a2934c72..95bdb5e5854c 100644
---- a/libsepol/cil/src/cil.c
-+++ b/libsepol/cil/src/cil.c
-@@ -51,27 +51,6 @@
- #include "cil_policy.h"
- #include "cil_strpool.h"
- 
--#if !defined(SHARED) || defined(ANDROID) || defined(__APPLE__)
--    #define DISABLE_SYMVER 1
--#endif
--
--#ifndef DISABLE_SYMVER
--asm(".symver cil_build_policydb_pdb,        cil_build_policydb@LIBSEPOL_1.0");
--asm(".symver cil_build_policydb_create_pdb, cil_build_policydb@@LIBSEPOL_1.1");
--
--asm(".symver cil_compile_pdb,   cil_compile@LIBSEPOL_1.0");
--asm(".symver cil_compile_nopdb, cil_compile@@LIBSEPOL_1.1");
--
--asm(".symver cil_userprefixes_to_string_pdb,   cil_userprefixes_to_string@LIBSEPOL_1.0");
--asm(".symver cil_userprefixes_to_string_nopdb, cil_userprefixes_to_string@@LIBSEPOL_1.1");
--
--asm(".symver cil_selinuxusers_to_string_pdb,   cil_selinuxusers_to_string@LIBSEPOL_1.0");
--asm(".symver cil_selinuxusers_to_string_nopdb, cil_selinuxusers_to_string@@LIBSEPOL_1.1");
--
--asm(".symver cil_filecons_to_string_pdb,   cil_filecons_to_string@LIBSEPOL_1.0");
--asm(".symver cil_filecons_to_string_nopdb, cil_filecons_to_string@@LIBSEPOL_1.1");
--#endif
--
- int cil_sym_sizes[CIL_SYM_ARRAY_NUM][CIL_SYM_NUM] = {
- 	{64, 64, 64, 1 << 13, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64},
- 	{64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64},
-@@ -549,11 +528,7 @@ exit:
- 	return rc;
- }
- 
--#ifdef DISABLE_SYMVER
- int cil_compile(struct cil_db *db)
--#else
--int cil_compile_nopdb(struct cil_db *db)
--#endif
- {
- 	int rc = SEPOL_ERR;
- 
-@@ -597,33 +572,7 @@ exit:
- 	return rc;
- }
- 
--#ifndef DISABLE_SYMVER
--int cil_compile_pdb(struct cil_db *db, __attribute__((unused)) sepol_policydb_t *sepol_db)
--{
--	return cil_compile_nopdb(db);
--}
--
--int cil_build_policydb_pdb(cil_db_t *db, sepol_policydb_t *sepol_db)
--{
--	int rc;
--
--	cil_log(CIL_INFO, "Building policy binary\n");
--	rc = cil_binary_create_allocated_pdb(db, sepol_db);
--	if (rc != SEPOL_OK) {
--		cil_log(CIL_ERR, "Failed to generate binary\n");
--		goto exit;
--	}
--
--exit:
--	return rc;
--}
--#endif
--
--#ifdef DISABLE_SYMVER
- int cil_build_policydb(cil_db_t *db, sepol_policydb_t **sepol_db)
--#else
--int cil_build_policydb_create_pdb(cil_db_t *db, sepol_policydb_t **sepol_db)
--#endif
- {
- 	int rc;
- 
-@@ -1371,11 +1320,7 @@ const char * cil_node_to_string(struct cil_tree_node *node)
- 	return "<unknown>";
- }
- 
--#ifdef DISABLE_SYMVER
- int cil_userprefixes_to_string(struct cil_db *db, char **out, size_t *size)
--#else
--int cil_userprefixes_to_string_nopdb(struct cil_db *db, char **out, size_t *size)
--#endif
- {
- 	int rc = SEPOL_ERR;
- 	size_t str_len = 0;
-@@ -1420,13 +1365,6 @@ exit:
- 
- }
- 
--#ifndef DISABLE_SYMVER
--int cil_userprefixes_to_string_pdb(struct cil_db *db, __attribute__((unused)) sepol_policydb_t *sepol_db, char **out, size_t *size)
--{
--	return cil_userprefixes_to_string_nopdb(db, out, size);
--}
--#endif
--
- static int cil_cats_to_ebitmap(struct cil_cats *cats, struct ebitmap* cats_ebitmap)
- {
- 	int rc = SEPOL_ERR;
-@@ -1614,11 +1552,7 @@ static int __cil_level_to_string(struct cil_level *lvl, char *out)
- 	return str_tmp - out;
- }
- 
--#ifdef DISABLE_SYMVER
- int cil_selinuxusers_to_string(struct cil_db *db, char **out, size_t *size)
--#else
--int cil_selinuxusers_to_string_nopdb(struct cil_db *db, char **out, size_t *size)
--#endif
- {
- 	size_t str_len = 0;
- 	int buf_pos = 0;
-@@ -1675,18 +1609,7 @@ int cil_selinuxusers_to_string_nopdb(struct cil_db *db, char **out, size_t *size
- 	return SEPOL_OK;
- }
- 
--#ifndef DISABLE_SYMVER
--int cil_selinuxusers_to_string_pdb(struct cil_db *db, __attribute__((unused)) sepol_policydb_t *sepol_db, char **out, size_t *size)
--{
--	return cil_selinuxusers_to_string_nopdb(db, out, size);
--}
--#endif
--
--#ifdef DISABLE_SYMVER
- int cil_filecons_to_string(struct cil_db *db, char **out, size_t *size)
--#else
--int cil_filecons_to_string_nopdb(struct cil_db *db, char **out, size_t *size)
--#endif
- {
- 	uint32_t i = 0;
- 	int buf_pos = 0;
-@@ -1804,13 +1727,6 @@ int cil_filecons_to_string_nopdb(struct cil_db *db, char **out, size_t *size)
- 	return SEPOL_OK;
- }
- 
--#ifndef DISABLE_SYMVER
--int cil_filecons_to_string_pdb(struct cil_db *db, __attribute__((unused)) sepol_policydb_t *sepol_db, char **out, size_t *size)
--{
--	return cil_filecons_to_string_nopdb(db, out, size);
--}
--#endif
--
- void cil_set_disable_dontaudit(struct cil_db *db, int disable_dontaudit)
- {
- 	db->disable_dontaudit = disable_dontaudit;
-diff --git a/libsepol/src/libsepol.map.in b/libsepol/src/libsepol.map.in
-index f08c2a861693..98da9789b71b 100644
---- a/libsepol/src/libsepol.map.in
-+++ b/libsepol/src/libsepol.map.in
-@@ -1,19 +1,14 @@
- LIBSEPOL_1.0 {
-   global:
- 	cil_add_file;
--	cil_build_policydb;
--	cil_compile;
- 	cil_db_destroy;
- 	cil_db_init;
--	cil_filecons_to_string;
--	cil_selinuxusers_to_string;
- 	cil_set_disable_dontaudit;
- 	cil_set_disable_neverallow;
- 	cil_set_handle_unknown;
- 	cil_set_log_handler;
- 	cil_set_log_level;
- 	cil_set_preserve_tunables;
--	cil_userprefixes_to_string;
- 	expand_module_avrules;
- 	sepol_bool_clone;
- 	sepol_bool_compare;
--- 
-2.29.0.rc2
-

0010-libsepol-Drop-deprecated-functions.patch

@@ -1,134 +0,0 @@
-From 506c7b95b802ab157fe9ae1dae22fab12c515306 Mon Sep 17 00:00:00 2001
-From: Petr Lautrbach <plautrba@redhat.com>
-Date: Fri, 9 Oct 2020 15:00:48 +0200
-Subject: [PATCH] libsepol: Drop deprecated functions
-
-These functions were converted to no-op by commit
-c3f9492d7ff0 ("selinux: Remove legacy local boolean and user code") and
-left in libsepol/src/deprecated_functions.c to preserve API/ABI. As we
-change libsepol ABI dropping duplicate symbols it's time to drop these
-functions too.
-
-Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
----
- libsepol/include/sepol/booleans.h |  5 ----
- libsepol/include/sepol/users.h    |  6 ----
- libsepol/src/deprecated_funcs.c   | 50 -------------------------------
- libsepol/src/libsepol.map.in      |  4 ---
- 4 files changed, 65 deletions(-)
- delete mode 100644 libsepol/src/deprecated_funcs.c
-
-diff --git a/libsepol/include/sepol/booleans.h b/libsepol/include/sepol/booleans.h
-index 06d2230c395d..25229057dbd7 100644
---- a/libsepol/include/sepol/booleans.h
-+++ b/libsepol/include/sepol/booleans.h
-@@ -10,11 +10,6 @@
- extern "C" {
- #endif
- 
--/* These two functions are deprecated. See src/deprecated_funcs.c */
--extern int sepol_genbools(void *data, size_t len, const char *boolpath);
--extern int sepol_genbools_array(void *data, size_t len,
--				char **names, int *values, int nel);
--
- /* Set the specified boolean */
- extern int sepol_bool_set(sepol_handle_t * handle,
- 			  sepol_policydb_t * policydb,
-diff --git a/libsepol/include/sepol/users.h b/libsepol/include/sepol/users.h
-index 70158ac41e40..156d1adb2d60 100644
---- a/libsepol/include/sepol/users.h
-+++ b/libsepol/include/sepol/users.h
-@@ -10,12 +10,6 @@
- extern "C" {
- #endif
- 
--/* These two functions are deprecated. See src/deprecated_funcs.c */
--extern int sepol_genusers(void *data, size_t len,
--			  const char *usersdir,
--			  void **newdata, size_t * newlen);
--extern void sepol_set_delusers(int on);
--
- /* Modify the user, or add it, if the key is not found */
- extern int sepol_user_modify(sepol_handle_t * handle,
- 			     sepol_policydb_t * policydb,
-diff --git a/libsepol/src/deprecated_funcs.c b/libsepol/src/deprecated_funcs.c
-deleted file mode 100644
-index d0dab7dfcb4a..000000000000
---- a/libsepol/src/deprecated_funcs.c
-+++ /dev/null
-@@ -1,50 +0,0 @@
--#include <stdio.h>
--#include "debug.h"
--
--/*
-- * Need to keep these stubs for the libsepol interfaces exported in
-- * libsepol.map.in, as they are part of the shared library ABI.
-- */
--
--static const char *msg = "Deprecated interface";
--
--/*
-- * These two functions are deprecated and referenced in:
-- *	include/libsepol/users.h
-- */
--int sepol_genusers(void *data __attribute((unused)),
--		   size_t len __attribute((unused)),
--		   const char *usersdir __attribute((unused)),
--		   void **newdata __attribute((unused)),
--		   size_t *newlen __attribute((unused)))
--{
--	WARN(NULL, "%s", msg);
--	return -1;
--}
--
--void sepol_set_delusers(int on __attribute((unused)))
--{
--	WARN(NULL, "%s", msg);
--}
--
--/*
-- * These two functions are deprecated and referenced in:
-- *	include/libsepol/booleans.h
-- */
--int sepol_genbools(void *data __attribute((unused)),
--		   size_t len __attribute((unused)),
--		   const char *booleans __attribute((unused)))
--{
--	WARN(NULL, "%s", msg);
--	return -1;
--}
--
--int sepol_genbools_array(void *data __attribute((unused)),
--			 size_t len __attribute((unused)),
--			 char **names __attribute((unused)),
--			 int *values __attribute((unused)),
--			 int nel __attribute((unused)))
--{
--	WARN(NULL, "%s", msg);
--	return -1;
--}
-diff --git a/libsepol/src/libsepol.map.in b/libsepol/src/libsepol.map.in
-index 98da9789b71b..eb5721257638 100644
---- a/libsepol/src/libsepol.map.in
-+++ b/libsepol/src/libsepol.map.in
-@@ -45,9 +45,6 @@ LIBSEPOL_1.0 {
- 	sepol_context_to_string;
- 	sepol_debug;
- 	sepol_expand_module;
--	sepol_genbools;
--	sepol_genbools_array;
--	sepol_genusers;
- 	sepol_get_disable_dontaudit;
- 	sepol_get_preserve_tunables;
- 	sepol_handle_create;
-@@ -213,7 +210,6 @@ LIBSEPOL_1.0 {
- 	sepol_port_set_port;
- 	sepol_port_set_proto;
- 	sepol_port_set_range;
--	sepol_set_delusers;
- 	sepol_set_disable_dontaudit;
- 	sepol_set_expand_consume_base;
- 	sepol_set_policydb_from_file;
--- 
-2.29.0.rc2
-

0011-libsepol-Bump-libsepol.so-version.patch

@@ -1,45 +0,0 @@
-From 4a142ac46a116feb9f978eaec68a30efef979c73 Mon Sep 17 00:00:00 2001
-From: Petr Lautrbach <plautrba@redhat.com>
-Date: Fri, 9 Oct 2020 15:00:49 +0200
-Subject: [PATCH] libsepol: Bump libsepol.so version
-
-Previous commits removed some symbols and broke ABI, therefore we need to change
-SONAME.
-
-See the following quotes from distribution guidelines:
-
-https://www.debian.org/doc/debian-policy/ch-sharedlibs.html#run-time-shared-libraries
-
-Every time the shared library ABI changes in a way that may break
-binaries linked against older versions of the shared library, the SONAME
-of the library and the corresponding name for the binary package
-containing the runtime shared library should change.
-
-https://docs.fedoraproject.org/en-US/packaging-guidelines/#_downstream_so_name_versioning
-
-When new versions of the library are released, you should use an ABI
-comparison tool to check for ABI differences in the built shared
-libraries. If it detects any incompatibilities, bump the n number by
-one.
-
-Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
----
- libsepol/src/Makefile | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/libsepol/src/Makefile b/libsepol/src/Makefile
-index 8d466f56ed0e..dc8b1773d974 100644
---- a/libsepol/src/Makefile
-+++ b/libsepol/src/Makefile
-@@ -7,7 +7,7 @@ RANLIB ?= ranlib
- CILDIR ?= ../cil
- 
- VERSION = $(shell cat ../VERSION)
--LIBVERSION = 1
-+LIBVERSION = 2
- 
- LEX = flex
- CIL_GENERATED = $(CILDIR)/src/cil_lexer.c
--- 
-2.29.0.rc2
-

0012-libsepol-cil-Give-error-for-more-than-one-true-or-fa.patch

@@ -1,170 +0,0 @@
-From 3b26f0566698926ba38cbf3fa702f3ff78862c5e Mon Sep 17 00:00:00 2001
-From: James Carter <jwcart2@gmail.com>
-Date: Tue, 20 Oct 2020 09:28:56 -0400
-Subject: [PATCH] libsepol/cil: Give error for more than one true or false
- block
-
-Both tunableif and booleanif use conditional blocks (either true or
-false). No ordering is imposed, so a false block can be first (or even
-the only) block. Checks are made to ensure that the first and second
-(if it exists) blocks are either true or false, but no checks are made
-to ensure that there is only one true and/or one false block. If there
-are more than one true or false block, only the first will be used and
-the other will be ignored.
-
-Create a function, cil_verify_conditional_blocks(), that gives an error
-along with a message if more than one true or false block is specified
-and call that function when building tunableif and booleanif blocks in
-the AST.
-
-Signed-off-by: James Carter <jwcart2@gmail.com>
-Acked-by: Ondrej Mosnacek <omosnace@redhat.com>
----
- libsepol/cil/src/cil_build_ast.c | 44 +++++---------------------------
- libsepol/cil/src/cil_verify.c    | 35 +++++++++++++++++++++++++
- libsepol/cil/src/cil_verify.h    |  1 +
- 3 files changed, 42 insertions(+), 38 deletions(-)
-
-diff --git a/libsepol/cil/src/cil_build_ast.c b/libsepol/cil/src/cil_build_ast.c
-index 3aabb05ec534..a895583404a7 100644
---- a/libsepol/cil/src/cil_build_ast.c
-+++ b/libsepol/cil/src/cil_build_ast.c
-@@ -2821,7 +2821,6 @@ int cil_gen_boolif(struct cil_db *db, struct cil_tree_node *parse_current, struc
- 	int syntax_len = sizeof(syntax)/sizeof(*syntax);
- 	struct cil_booleanif *bif = NULL;
- 	struct cil_tree_node *next = NULL;
--	struct cil_tree_node *cond = NULL;
- 	int rc = SEPOL_ERR;
- 
- 	if (db == NULL || parse_current == NULL || ast_node == NULL) {
-@@ -2841,27 +2840,12 @@ int cil_gen_boolif(struct cil_db *db, struct cil_tree_node *parse_current, struc
- 		goto exit;
- 	}
- 
--	cond = parse_current->next->next;
--
--	/* Destroying expr tree after stack is created*/
--	if (cond->cl_head->data != CIL_KEY_CONDTRUE &&
--		cond->cl_head->data != CIL_KEY_CONDFALSE) {
--		rc = SEPOL_ERR;
--		cil_log(CIL_ERR, "Conditional neither true nor false\n");
-+	rc = cil_verify_conditional_blocks(parse_current->next->next);
-+	if (rc != SEPOL_OK) {
- 		goto exit;
- 	}
- 
--	if (cond->next != NULL) {
--		cond = cond->next;
--		if (cond->cl_head->data != CIL_KEY_CONDTRUE &&
--			cond->cl_head->data != CIL_KEY_CONDFALSE) {
--			rc = SEPOL_ERR;
--			cil_log(CIL_ERR, "Conditional neither true nor false\n");
--			goto exit;
--		}
--	}
--
--
-+	/* Destroying expr tree */
- 	next = parse_current->next->next;
- 	cil_tree_subtree_destroy(parse_current->next);
- 	parse_current->next = next;
-@@ -2905,7 +2889,6 @@ int cil_gen_tunif(struct cil_db *db, struct cil_tree_node *parse_current, struct
- 	int syntax_len = sizeof(syntax)/sizeof(*syntax);
- 	struct cil_tunableif *tif = NULL;
- 	struct cil_tree_node *next = NULL;
--	struct cil_tree_node *cond = NULL;
- 	int rc = SEPOL_ERR;
- 
- 	if (db == NULL || parse_current == NULL || ast_node == NULL) {
-@@ -2924,27 +2907,12 @@ int cil_gen_tunif(struct cil_db *db, struct cil_tree_node *parse_current, struct
- 		goto exit;
- 	}
- 
--	cond = parse_current->next->next;
--
--	if (cond->cl_head->data != CIL_KEY_CONDTRUE &&
--		cond->cl_head->data != CIL_KEY_CONDFALSE) {
--		rc = SEPOL_ERR;
--		cil_log(CIL_ERR, "Conditional neither true nor false\n");
-+	rc = cil_verify_conditional_blocks(parse_current->next->next);
-+	if (rc != SEPOL_OK) {
- 		goto exit;
- 	}
- 
--	if (cond->next != NULL) {
--		cond = cond->next;
--
--		if (cond->cl_head->data != CIL_KEY_CONDTRUE &&
--			cond->cl_head->data != CIL_KEY_CONDFALSE) {
--			rc = SEPOL_ERR;
--			cil_log(CIL_ERR, "Conditional neither true nor false\n");
--			goto exit;
--		}
--	}
--
--	/* Destroying expr tree after stack is created*/
-+	/* Destroying expr tree */
- 	next = parse_current->next->next;
- 	cil_tree_subtree_destroy(parse_current->next);
- 	parse_current->next = next;
-diff --git a/libsepol/cil/src/cil_verify.c b/libsepol/cil/src/cil_verify.c
-index c73bbeee371b..6706e21921fe 100644
---- a/libsepol/cil/src/cil_verify.c
-+++ b/libsepol/cil/src/cil_verify.c
-@@ -324,6 +324,41 @@ exit:
- 	return SEPOL_ERR;
- }
- 
-+int cil_verify_conditional_blocks(struct cil_tree_node *current)
-+{
-+	int found_true = CIL_FALSE;
-+	int found_false = CIL_FALSE;
-+
-+	if (current->cl_head->data == CIL_KEY_CONDTRUE) {
-+		found_true = CIL_TRUE;
-+	} else if (current->cl_head->data == CIL_KEY_CONDFALSE) {
-+		found_false = CIL_TRUE;
-+	} else {
-+		cil_tree_log(current, CIL_ERR, "Expected true or false block in conditional");
-+		return SEPOL_ERR;
-+	}
-+
-+	current = current->next;
-+	if (current != NULL) {
-+		if (current->cl_head->data == CIL_KEY_CONDTRUE) {
-+			if (found_true) {
-+				cil_tree_log(current, CIL_ERR, "More than one true block in conditional");
-+				return SEPOL_ERR;
-+			}
-+		} else if (current->cl_head->data == CIL_KEY_CONDFALSE) {
-+			if (found_false) {
-+				cil_tree_log(current, CIL_ERR, "More than one false block in conditional");
-+				return SEPOL_ERR;
-+			}
-+		} else {
-+			cil_tree_log(current, CIL_ERR, "Expected true or false block in conditional");
-+			return SEPOL_ERR;
-+		}
-+	}
-+
-+	return SEPOL_OK;
-+}
-+
- int cil_verify_no_self_reference(struct cil_symtab_datum *datum, struct cil_list *datum_list)
- {
- 	struct cil_list_item *i;
-diff --git a/libsepol/cil/src/cil_verify.h b/libsepol/cil/src/cil_verify.h
-index bda1565fced5..905761b0a19c 100644
---- a/libsepol/cil/src/cil_verify.h
-+++ b/libsepol/cil/src/cil_verify.h
-@@ -61,6 +61,7 @@ int __cil_verify_syntax(struct cil_tree_node *parse_current, enum cil_syntax s[]
- int cil_verify_expr_syntax(struct cil_tree_node *current, enum cil_flavor op, enum cil_flavor expr_flavor);
- int cil_verify_constraint_leaf_expr_syntax(enum cil_flavor l_flavor, enum cil_flavor r_flavor, enum cil_flavor op, enum cil_flavor expr_flavor);
- int cil_verify_constraint_expr_syntax(struct cil_tree_node *current, enum cil_flavor op);
-+int cil_verify_conditional_blocks(struct cil_tree_node *current);
- int cil_verify_no_self_reference(struct cil_symtab_datum *datum, struct cil_list *datum_list);
- int __cil_verify_ranges(struct cil_list *list);
- int __cil_verify_ordered_node_helper(struct cil_tree_node *node, uint32_t *finished, void *extra_args);
--- 
-2.29.2
-

0013-libsepol-free-memory-when-realloc-fails.patch

@@ -1,81 +0,0 @@
-From a2bd2a8ea5ef687e8b4dc2694f7d5e99a1ec2a06 Mon Sep 17 00:00:00 2001
-From: Nicolas Iooss <nicolas.iooss@m4x.org>
-Date: Thu, 12 Nov 2020 21:24:06 +0100
-Subject: [PATCH] libsepol: free memory when realloc() fails
-
-In get_class_info(), if realloc(class_buf, new_class_buf_len) fails to
-grow the memory, the function returns NULL without freeing class_buf.
-This leads to a memory leak which is reported by clang's static
-analyzer:
-https://580-118970575-gh.circle-artifacts.com/0/output-scan-build/2020-11-11-194150-6152-1/report-42a899.html#EndPath
-
-Fix the memory leak by calling free(class_buf).
-
-While at it, use size_t insted of int to store the size of the buffer
-which is growing.
-
-Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
----
- libsepol/src/services.c | 19 +++++++++++--------
- 1 file changed, 11 insertions(+), 8 deletions(-)
-
-diff --git a/libsepol/src/services.c b/libsepol/src/services.c
-index beb0711f6680..72b39657cd2e 100644
---- a/libsepol/src/services.c
-+++ b/libsepol/src/services.c
-@@ -312,17 +312,20 @@ static char *get_class_info(sepol_security_class_t tclass,
- 	else
- 		state_num = mls + 2;
- 
--	int class_buf_len = 0;
--	int new_class_buf_len;
--	int len, buf_used;
-+	size_t class_buf_len = 0;
-+	size_t new_class_buf_len;
-+	size_t buf_used;
-+	int len;
- 	char *class_buf = NULL, *p;
- 	char *new_class_buf = NULL;
- 
- 	while (1) {
- 		new_class_buf_len = class_buf_len + EXPR_BUF_SIZE;
- 		new_class_buf = realloc(class_buf, new_class_buf_len);
--			if (!new_class_buf)
--				return NULL;
-+		if (!new_class_buf) {
-+			free(class_buf);
-+			return NULL;
-+		}
- 		class_buf_len = new_class_buf_len;
- 		class_buf = new_class_buf;
- 		buf_used = 0;
-@@ -330,7 +333,7 @@ static char *get_class_info(sepol_security_class_t tclass,
- 
- 		/* Add statement type */
- 		len = snprintf(p, class_buf_len - buf_used, "%s", statements[state_num]);
--		if (len < 0 || len >= class_buf_len - buf_used)
-+		if (len < 0 || (size_t)len >= class_buf_len - buf_used)
- 			continue;
- 
- 		/* Add class entry */
-@@ -338,7 +341,7 @@ static char *get_class_info(sepol_security_class_t tclass,
- 		buf_used += len;
- 		len = snprintf(p, class_buf_len - buf_used, "%s ",
- 				policydb->p_class_val_to_name[tclass - 1]);
--		if (len < 0 || len >= class_buf_len - buf_used)
-+		if (len < 0 || (size_t)len >= class_buf_len - buf_used)
- 			continue;
- 
- 		/* Add permission entries (validatetrans does not have perms) */
-@@ -351,7 +354,7 @@ static char *get_class_info(sepol_security_class_t tclass,
- 		} else {
- 			len = snprintf(p, class_buf_len - buf_used, "(");
- 		}
--		if (len < 0 || len >= class_buf_len - buf_used)
-+		if (len < 0 || (size_t)len >= class_buf_len - buf_used)
- 			continue;
- 		break;
- 	}
--- 
-2.29.2
-

libsepol.spec

@@ -1,28 +1,15 @@
 Summary: SELinux binary policy manipulation library
 Name: libsepol
-Version: 3.1
-Release: 5%{?dist}
-License: LGPLv2+
-Source0: https://github.com/SELinuxProject/selinux/releases/download/20200710/libsepol-3.1.tar.gz
+Version: 3.5
+Release: 1%{?dist}
+License: LGPL-2.1-or-later
+Source0: https://github.com/SELinuxProject/selinux/releases/download/3.5/libsepol-3.5.tar.gz
 URL: https://github.com/SELinuxProject/selinux/wiki
 # $ git clone https://github.com/fedora-selinux/selinux.git
 # $ cd selinux
-# $ git format-patch -N libsepol-3.1 -- libsepol
-# $ i=1; for j in 00*patch; do printf "Patch%04d: %s\n" $i $j; i=$((i+1));done
+# $ git format-patch -N libsepol-3.5 -- libsepol
+# $ i=1; for j in 0*patch; do printf "Patch%04d: %s\n" $i $j; i=$((i+1));done
 # Patch list start
-Patch0001: 0001-libsepol-checkpolicy-optimize-storage-of-filename-tr.patch
-Patch0002: 0002-libsepol-implement-POLICYDB_VERSION_COMP_FTRANS.patch
-Patch0003: 0003-libsepol-cil-Validate-constraint-expressions-before-.patch
-Patch0004: 0004-libsepol-cil-Validate-conditional-expressions-before.patch
-Patch0005: 0005-libsepol-cil-Fix-neverallow-checking-involving-class.patch
-Patch0006: 0006-libsepol-cil-fix-signed-overflow-caused-by-using-1-3.patch
-Patch0007: 0007-libsepol-drop-confusing-BUG_ON-macro.patch
-Patch0008: 0008-libsepol-silence-potential-NULL-pointer-dereference-.patch
-Patch0009: 0009-libsepol-Get-rid-of-the-old-and-duplicated-symbols.patch
-Patch0010: 0010-libsepol-Drop-deprecated-functions.patch
-Patch0011: 0011-libsepol-Bump-libsepol.so-version.patch
-Patch0012: 0012-libsepol-cil-Give-error-for-more-than-one-true-or-fa.patch
-Patch0013: 0013-libsepol-free-memory-when-realloc-fails.patch
 # Patch list end
 BuildRequires: make
 BuildRequires: gcc
@@ -61,6 +48,13 @@ Requires: %{name}-devel%{?_isa} = %{version}-%{release}
 The libsepol-static package contains the static libraries and header files
 needed for developing applications that manipulate binary policies. 
 
+%package utils
+Summary: SELinux libsepol utilities
+Requires: %{name}%{?_isa} = %{version}-%{release}
+
+%description utils
+The libsepol-utils package contains the utilities
+
 %prep
 %autosetup -p 2 -n libsepol-%{version}
 
@@ -72,20 +66,16 @@ sed -i 's/fpic/fPIC/g' src/Makefile
 %build
 %set_build_flags
 CFLAGS="$CFLAGS -fno-semantic-interposition"
-%make_build
+%make_build LIBDIR="%{_libdir}"
 
 %install
-mkdir -p ${RPM_BUILD_ROOT}/%{_lib} 
-mkdir -p ${RPM_BUILD_ROOT}/%{_libdir} 
+mkdir -p ${RPM_BUILD_ROOT}%{_libdir} 
 mkdir -p ${RPM_BUILD_ROOT}%{_includedir} 
 mkdir -p ${RPM_BUILD_ROOT}%{_bindir} 
 mkdir -p ${RPM_BUILD_ROOT}%{_mandir}/man3
 mkdir -p ${RPM_BUILD_ROOT}%{_mandir}/man8
 %make_install LIBDIR="%{_libdir}" SHLIBDIR="%{_libdir}"
-rm -f ${RPM_BUILD_ROOT}%{_bindir}/genpolbools
-rm -f ${RPM_BUILD_ROOT}%{_bindir}/genpolusers
-rm -f ${RPM_BUILD_ROOT}%{_bindir}/chkcon
-rm -rf ${RPM_BUILD_ROOT}%{_mandir}/man8
+rm -rf ${RPM_BUILD_ROOT}%{_mandir}/man8/gen*
 rm -rf ${RPM_BUILD_ROOT}%{_mandir}/ru/man8
 
 %files static
@@ -103,11 +93,88 @@ rm -rf ${RPM_BUILD_ROOT}%{_mandir}/ru/man8
 %{_includedir}/sepol/cil/*.h
 
 %files
-%{!?_licensedir:%global license %%doc}
-%license COPYING
+%license LICENSE
 %{_libdir}/libsepol.so.2
 
+%files utils
+%{_bindir}/chkcon
+%{_bindir}/sepol_check_access
+%{_bindir}/sepol_compute_av
+%{_bindir}/sepol_compute_member
+%{_bindir}/sepol_compute_relabel
+%{_bindir}/sepol_validate_transition
+%{_mandir}/man8/chkcon.8.gz
+
 %changelog
+* Fri Feb 24 2023 Petr Lautrbach <lautrbach@redhat.com> - 3.5-1
+- SELinux userspace 3.5 release
+
+* Mon Feb 13 2023 Petr Lautrbach <lautrbach@redhat.com> - 3.5-0.rc3.1
+- SELinux userspace 3.5-rc3 release
+
+* Thu Jan 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 3.5-0.rc2.1.1
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
+
+* Mon Jan 16 2023 Petr Lautrbach <lautrbach@redhat.com> - 3.5-0.rc2.1
+- SELinux userspace 3.5-rc2 release
+
+* Fri Dec 23 2022 Petr Lautrbach <lautrbach@redhat.com> - 3.5-0.rc1.1
+- SELinux userspace 3.5-rc1 release
+
+* Mon Nov 21 2022 Petr Lautrbach <lautrbach@redhat.com> - 3.4-4
+- Rebase on upstream f56a72ac9e86
+
+* Thu Jul 21 2022 Fedora Release Engineering <releng@fedoraproject.org> - 3.4-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
+
+* Wed May 25 2022 Petr Lautrbach <plautrba@redhat.com> - 3.4-2
+- rebuilt
+
+* Thu May 19 2022 Petr Lautrbach <plautrba@redhat.com> - 3.4-1
+- SELinux userspace 3.4 release
+
+* Tue May 10 2022 Petr Lautrbach <plautrba@redhat.com> - 3.4-0.rc3.1
+- SELinux userspace 3.4-rc3 release
+
+* Thu Apr 21 2022 Petr Lautrbach <plautrba@redhat.com> - 3.4-0.rc2.1
+- SELinux userspace 3.4-rc2 release
+
+* Tue Apr 12 2022 Petr Lautrbach <plautrba@redhat.com> - 3.4-0.rc1.1
+- SELinux userspace 3.4-rc1 release
+
+* Thu Jan 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 3.3-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
+
+* Thu Nov 11 2021 Petr Lautrbach <plautrba@redhat.com> - 3.3-2
+- Use correct libdir in libsepol.pc (#2018492)
+
+* Fri Oct 22 2021 Petr Lautrbach <plautrba@redhat.com> - 3.3-1
+- SELinux userspace 3.3 release
+
+* Thu Oct  7 2021 Petr Lautrbach <plautrba@redhat.com> - 3.3-0.rc3.1
+- SELinux userspace 3.3-rc3 release
+
+* Wed Sep 29 2021 Petr Lautrbach <plautrba@redhat.com> - 3.3-0.rc2.1
+- SELinux userspace 3.3-rc2 release
+
+* Wed Jul 28 2021 Petr Lautrbach <plautrba@redhat.com> - 3.2-3
+- Rebase on upstream commit 32611aea6543
+
+* Thu Jul 22 2021 Fedora Release Engineering <releng@fedoraproject.org> - 3.2-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
+
+* Mon Mar  8 2021 Petr Lautrbach <plautrba@redhat.com> - 3.2-1
+- SELinux userspace 3.2 release
+
+* Fri Feb  5 2021 Petr Lautrbach <plautrba@redhat.com> - 3.2-0.rc2.1
+- SELinux userspace 3.2-rc2 release
+
+* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 3.2-0.rc1.1.1
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
+* Wed Jan 20 2021 Petr Lautrbach <plautrba@redhat.com> - 3.2-0.rc1.1
+- SELinux userspace 3.2-rc1 release
+
 * Fri Nov 20 2020 Petr Lautrbach <plautrba@redhat.com> - 3.1-5
 - Drop and obsolete libsepol-compat subpackage
 - cil: Give error for more than one true or false block

plans/selinux.fmf

@@ -0,0 +1,7 @@
+summary: selinux tests - Tier 1 | libsepol
+discover:
+    how: fmf
+    url: https://src.fedoraproject.org/tests/selinux
+    filter: "tier: 1 | component: libsepol"
+execute:
+    how: tmt

sources

@@ -1 +1 @@
-SHA512 (libsepol-3.1.tar.gz) = 4b5f4e82853ff3e9b4fac2dbdea5c2fc3bb7b508af912217ac4b75da6540fbcd77aa314ab95cd9dfa94fbc4a885000656a663c1a152f65b4cf6970ea0b6034ab
+SHA512 (libsepol-3.5.tar.gz) = 66f45a9f4951589855961955db686b006b4c0cddead6ac49ad238a0e4a34775905bd10fb8cf0c0ff2ab64f9b7d8366b97fcd5b19c382dec39971a2835cc765c8

tests/tests.yml

@@ -1,12 +0,0 @@
----
-# Tests that run in all contexts
-- hosts: localhost
-  roles:
-  - role: standard-test-beakerlib
-    tags:
-    - classic
-    - container
-    repositories:
-    - repo: "https://src.fedoraproject.org/tests/selinux.git"
-      dest: "selinux"
-      fmf_filter: "tier: 1 | component: libsepol"