1 Commits
master ... f27

Author SHA1 Message Date
Petr Lautrbach 1d2d893dee secilc-2.7-2.fc27
- libsepol: cil: Add ability to redeclare types[attributes]
- doc: Fixed bad reference in roleattribute
2017-12-14 10:52:33 +01:00
8 changed files with 86 additions and 405 deletions

9
.gitignore vendored

@ -3,12 +3,3 @@
/secilc-2.5.tar.gz
/secilc-2.6.tar.gz
/secilc-2.7.tar.gz
/secilc-2.8-rc1.tar.gz
/secilc-2.8-rc3.tar.gz
/secilc-2.8.tar.gz
/secilc-2.9-rc1.tar.gz
/secilc-2.9-rc2.tar.gz
/secilc-2.9.tar.gz
/secilc-3.0-rc1.tar.gz
/secilc-3.0.tar.gz
/secilc-3.1.tar.gz


@ -1,89 +0,0 @@
From fbe1e526dc01f6797428c88e24881fdc3d3ec6e8 Mon Sep 17 00:00:00 2001
From: bauen1 <j2468h@googlemail.com>
Date: Thu, 9 Jul 2020 10:36:36 +0200
Subject: [PATCH] Update the cil docs to match the current behaviour.
Some features where dropped or change since the docs were last updated.
Signed-off-by: Jonathan Hettwer <j2468h@gmail.com>
Acked-by: James Carter <jwcart2@gmail.com>
---
secilc/docs/cil_call_macro_statements.md | 6 ++++--
secilc/docs/cil_container_statements.md | 2 +-
secilc/docs/cil_reference_guide.md | 2 +-
secilc/docs/cil_user_statements.md | 2 +-
4 files changed, 7 insertions(+), 5 deletions(-)
diff --git a/secilc/docs/cil_call_macro_statements.md b/secilc/docs/cil_call_macro_statements.md
index 17c46ed9c893..98b703687e44 100644
--- a/secilc/docs/cil_call_macro_statements.md
+++ b/secilc/docs/cil_call_macro_statements.md
@@ -44,7 +44,7 @@ macro
Declare a macro in the current namespace with its associated parameters. The macro identifier is used by the [`call`](cil_call_macro_statements.md#call) statement to instantiate the macro and resolve any parameters. The call statement may be within the body of a macro.
-Note that when resolving macros the callers namespace is not checked, only the following places:
+When resolving macros the following places are checked in this order:
- Items defined inside the macro
@@ -52,6 +52,8 @@ Note that when resolving macros the callers namespace is not checked, only the f
- Items defined in the same namespace of the macro
+- Items defined in the callers namespace
+
- Items defined in the global namespace
**Statement definition:**
@@ -80,7 +82,7 @@ Note that when resolving macros the callers namespace is not checked, only the f
<tr class="odd">
<td align="left"><p><code>param_type</code></p></td>
<td align="left"><p>Zero or more parameters that are passed to the macro. The <code>param_type</code> is a keyword used to determine the declaration type (e.g. <code>type</code>, <code>class</code>, <code>categoryset</code>).</p>
-<p>The list of valid <code>param_type</code> entries are: <code>type</code>, <code>typealias</code>, <code>role</code>, <code>user</code>, <code>sensitivity</code>, <code>sensitivityalias</code>, <code>category</code>, <code>categoryalias</code>, <code>categoryset</code> (named or anonymous), <code>level</code> (named or anonymous), <code>levelrange</code> (named or anonymous), <code>class</code>, <code>classpermission</code> (named or anonymous), <code>ipaddr</code> (named or anonymous), <code>block</code>, <code>name</code> (a string), <code>classmap</code></p></td>
+<p>The list of valid <code>param_type</code> entries are: <code>type</code>, <code>typealias</code>, <code>role</code>, <code>user</code>, <code>sensitivity</code>, <code>sensitivityalias</code>, <code>category</code>, <code>categoryalias</code>, <code>categoryset</code> (named or anonymous), <code>level</code> (named or anonymous), <code>levelrange</code> (named or anonymous), <code>class</code>, <code>classpermission</code> (named or anonymous), <code>ipaddr</code> (named or anonymous), <code>name</code> (a string), <code>classmap</code></p></td>
</tr>
<tr class="even">
<td align="left"><p><code>param_id</code></p></td>
diff --git a/secilc/docs/cil_container_statements.md b/secilc/docs/cil_container_statements.md
index a570cb235d7c..58b3224de211 100644
--- a/secilc/docs/cil_container_statements.md
+++ b/secilc/docs/cil_container_statements.md
@@ -254,7 +254,7 @@ This example will instantiate the optional block `ext_gateway.move_file` into po
in
--
-Allows the insertion of CIL statements into a named container ([`block`](cil_container_statements.md#block), [`optional`](cil_container_statements.md#optional) or [`macro`](cil_call_macro_statements.md#macro)). This statement is not allowed in [`booleanif`](cil_conditional_statements.md#booleanif) or [`tunableif`](cil_conditional_statements.md#tunableif) statements.
+Allows the insertion of CIL statements into a named container ([`block`](cil_container_statements.md#block), [`optional`](cil_container_statements.md#optional) or [`macro`](cil_call_macro_statements.md#macro)). This statement is not allowed in [`booleanif`](cil_conditional_statements.md#booleanif) or [`tunableif`](cil_conditional_statements.md#tunableif) statements. This only works for containers that aren't inherited using [`blockinherit`](cil_conditional_statements.md#blockinherit).
**Statement definition:**
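Review bot: the sentence added to the `in` description links `blockinherit` to `cil_conditional_statements.md#blockinherit`, but `blockinherit` is a container statement, so the target should be `cil_container_statements.md#blockinherit`, matching the `block` and `optional` links on the same line. As written the anchor will not resolve in the generated docs.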
diff --git a/secilc/docs/cil_reference_guide.md b/secilc/docs/cil_reference_guide.md
index 1b1fccca5faa..3e33c5f74283 100644
--- a/secilc/docs/cil_reference_guide.md
+++ b/secilc/docs/cil_reference_guide.md
@@ -176,7 +176,7 @@ Should the symbol not be prefixed with a dot, the current namespace would be sea
Expressions
-----------
-Expressions may occur in the following CIL statements: [`booleanif`](cil_conditional_statements.md#booleanif), [`tunableif`](cil_conditional_statements.md#tunableif), [`classpermissionset`](cil_class_and_permission_statements.md#classpermissionset), [`typeattributeset`](cil_type_statements.md#typeattributeset), [`roleattributeset`](cil_role_statements.md#roleattributeset), [`categoryset`](cil_mls_labeling_statements.md#categoryset), [`constrain`](cil_constraint_statements.md#constrain), [`mlsconstrain`](cil_constraint_statements.md#mlsconstrain), [`validatetrans`](cil_constraint_statements.md#validatetrans), [`validatetrans`](cil_constraint_statements.md#validatetrans)
+Expressions may occur in the following CIL statements: [`booleanif`](cil_conditional_statements.md#booleanif), [`tunableif`](cil_conditional_statements.md#tunableif), [`classpermissionset`](cil_class_and_permission_statements.md#classpermissionset), [`typeattributeset`](cil_type_statements.md#typeattributeset), [`roleattributeset`](cil_role_statements.md#roleattributeset), [`categoryset`](cil_mls_labeling_statements.md#categoryset), [`constrain`](cil_constraint_statements.md#constrain), [`mlsconstrain`](cil_constraint_statements.md#mlsconstrain), [`validatetrans`](cil_constraint_statements.md#validatetrans), [`mlsvalidatetrans`](cil_constraint_statements.md#mlsvalidatetrans)
CIL expressions use the [prefix](http://www.cs.man.ac.uk/~pjj/cs212/fix.html) or Polish notation and may be nested (note that the kernel policy language uses postfix or reverse Polish notation). The syntax is as follows, where the parenthesis are part of the syntax:
diff --git a/secilc/docs/cil_user_statements.md b/secilc/docs/cil_user_statements.md
index bbd76eff8645..26e45510405d 100644
--- a/secilc/docs/cil_user_statements.md
+++ b/secilc/docs/cil_user_statements.md
@@ -260,7 +260,7 @@ This example will associate `unconfined.user` with a named [`levelrange`](cil_ml
(categoryorder (c0 c1))
(sensitivity s0)
(sensitivity s1)
- (dominance (s0 s1))
+ (sensitivityorder (s0 s1))
(sensitivitycategory s0 (c0 c1))
(level systemLow (s0))
(level systemHigh (s0 (c0 c1)))
--
2.29.2


@ -1,91 +0,0 @@
From 9e9b8103400badc09ba98c66044e5ca57cc80446 Mon Sep 17 00:00:00 2001
From: Dominick Grift <dominick.grift@defensec.nl>
Date: Wed, 5 Aug 2020 21:48:23 +0200
Subject: [PATCH] secilc/docs: document expandtypeattribute
This was added for Androids Treble in 2017.
Signed-off-by: Dominick Grift <dominick.grift@defensec.nl>
Acked-by: James Carter <jwcart2@gmail.com>
---
secilc/docs/README.md | 1 +
secilc/docs/cil_type_statements.md | 51 ++++++++++++++++++++++++++++++
2 files changed, 52 insertions(+)
diff --git a/secilc/docs/README.md b/secilc/docs/README.md
index 3f1838e63be1..efab2a71bbf3 100644
--- a/secilc/docs/README.md
+++ b/secilc/docs/README.md
@@ -126,6 +126,7 @@ CIL (Common Intermediate Language)
* [typealiasactual](cil_type_statements.md#typealiasactual)
* [typeattribute](cil_type_statements.md#typeattribute)
* [typeattributeset](cil_type_statements.md#typeattributeset)
+ * [expandtypeattribute](cil_type_statements.md#expandtypeattribute)
* [typebounds](cil_type_statements.md#typebounds)
* [typechange](cil_type_statements.md#typechange)
* [typemember](cil_type_statements.md#typemember)
diff --git a/secilc/docs/cil_type_statements.md b/secilc/docs/cil_type_statements.md
index f9dd3a7697ae..432cede5df53 100644
--- a/secilc/docs/cil_type_statements.md
+++ b/secilc/docs/cil_type_statements.md
@@ -213,6 +213,57 @@ This example is equivalent to `{ domain -kernel.process -ueventd.process -init.p
)
)
+expandtypeattribute
+-------------------
+
+Overrides the compiler defaults for the expansion of one or more
+previously declared [`typeattribute`](cil_type_statements.md#typeattribute)
+identifiers.
+
+This rule gives more control over type attribute expansion and
+removal. When the value is true, all rules involving the type
+attribute will be expanded and the type attribute will be removed from
+the policy. When the value is false, the type attribute will not be
+removed from the policy, even if the default expand rules or "-X"
+option cause the rules involving the type attribute to be expanded.
+
+**Statement definition:**
+
+ (expandtypeattribute typeattribute_id expand_value)
+
+**Where:**
+
+<table>
+<colgroup>
+<col width="25%" />
+<col width="75%" />
+</colgroup>
+<tbody>
+<tr class="odd">
+<td align="left"><p><code>expandtypeattribute</code></p></td>
+<td align="left"><p>The <code>expandtypeattribute</code> keyword.</p></td>
+</tr>
+<tr class="even">
+<td align="left"><p><code>typeattribute_id</code></p></td>
+<td align="left"><p>One or more previously declared <code>typeattribute</code> identifiers. Multiple entries consist of a space separated list enclosed in parentheses '()'.</p></td>
+</tr>
+<tr class="odd">
+<td align="left"><p><code>expand_value</code></p></td>
+<td align="left"><p>Either true or false.</p></td>
+</tr>
+</tbody>
+</table>
+
+**Examples:**
+
+This example uses the expandtypeattribute statement to forcibly expand a previously declared `domain` type attribute.
+
+ (expandtypeattribute domain true)
+
+This example uses the expandtypeattribute statement to not expand previously declared `file_type` and `port_type` type attributes regardless of compiler defaults.
+
+ (expandtypeattribute (file_type port_type) false)
+
typebounds
----------
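Review bot: the two examples for `expandtypeattribute` use `domain`, `file_type` and `port_type` without declaring them, although the statement is defined as applying to previously declared `typeattribute` identifiers. Add the `(typeattribute ...)` declarations to the examples so they compile when copied. The description should also name the compiler option in full where it says "-X" (secilc's usage text lists it as `-X, --expand-size <SIZE>`), because `true` removes the attribute from the policy and readers need to know which default they are overriding.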
--
2.29.2


@ -1,88 +0,0 @@
From eefa5511ddfa674e79ce4e5f4e55e565f2a92d57 Mon Sep 17 00:00:00 2001
From: Dominick Grift <dominick.grift@defensec.nl>
Date: Sat, 12 Sep 2020 15:14:11 +0200
Subject: [PATCH] cil_access_vector_rules: allowx, auditallowx and dontauditx
fixes
allowx requires a equivalent "allow ioctl" rule to be present
auditallowx requires a equivalent "auditallow" ioctl rule to be present
dontauditx requires atleast one equivalent "allowx" rule to be present (can be a random irrelevant ioctlcmd)
Signed-off-by: Dominick Grift <dominick.grift@defensec.nl>
---
secilc/docs/cil_access_vector_rules.md | 13 +++++++++++--
1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/secilc/docs/cil_access_vector_rules.md b/secilc/docs/cil_access_vector_rules.md
index 9c03c71001d4..683cc28cd8de 100644
--- a/secilc/docs/cil_access_vector_rules.md
+++ b/secilc/docs/cil_access_vector_rules.md
@@ -238,6 +238,8 @@ allowx
Specifies the access allowed between a source and target type using extended permissions. Unlike the [`allow`](cil_access_vector_rules.md#allow) statement, the statements [`validatetrans`](cil_constraint_statements.md#validatetrans), [`mlsvalidatetrans`](cil_constraint_statements.md#mlsvalidatetrans), [`constrain`](cil_constraint_statements.md#constrain), and [`mlsconstrain`](cil_constraint_statements.md#mlsconstrain) do not limit accesses granted by [`allowx`](cil_access_vector_rules.md#allowx).
+Note that for this to work there must *also* be valid equivalent [`allow`](cil_access_vector_rules.md#allow) rules present.
+
**Rule definition:**
(allowx source_id target_id|self permissionx_id)
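Review bot: the note added under `allowx` says "valid equivalent `allow` rules" without defining what equivalent means. The examples added later in this patch pair each `allowx` with an `allow` on the same source, target and class carrying the `ioctl` permission, for instance `(allow type_1 type_2 (tcp_socket (ioctl)))`. Spell that out in the note, since a policy author who misses it ends up with an `allowx` rule that does not take effect.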
@@ -274,18 +276,21 @@ Specifies the access allowed between a source and target type using extended per
These examples show a selection of possible permutations of [`allowx`](cil_access_vector_rules.md#allowx) rules:
+ (allow type_1 type_2 (tcp_socket (ioctl))) ;; pre-requisite
(allowx type_1 type_2 (ioctl tcp_socket (range 0x2000 0x20FF)))
(permissionx ioctl_nodebug (ioctl udp_socket (not (range 0x4000 0x4010))))
+ (allow type_3 type_4 (udp_socket (ioctl))) ;; pre-requisite
(allowx type_3 type_4 ioctl_nodebug)
-
auditallowx
-----------
Audit the access rights defined if there is a valid [`allowx`](cil_access_vector_rules.md#allowx) rule. It does NOT allow access, it only audits the event.
+Note that for this to work there must *also* be valid equivalent [`auditallow`](cil_access_vector_rules.md#auditallow) rules present.
+
**Rule definition:**
(auditallowx source_id target_id|self permissionx_id)
@@ -324,6 +329,7 @@ This example will log an audit event whenever the corresponding [`allowx`](cil_a
(allowx type_1 type_2 (ioctl tcp_socket (range 0x2000 0x20FF)))
+ (auditallow type_1 type_2 (tcp_socket (ioctl))) ;; pre-requisite
(auditallowx type_1 type_2 (ioctl tcp_socket (range 0x2005 0x2010)))
@@ -332,6 +338,8 @@ dontauditx
Do not audit the access rights defined when access denied. This stops excessive log entries for known events.
+Note that for this to work there must *also* be atleast one [`allowx`](cil_access_vector_rules.md#allowx) rule associated with the target type.
+
Note that these rules can be omitted by the CIL compiler command line parameter `-D` or `--disable-dontaudit` flags.
**Rule definition:**
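Review bot: in the note added under `dontauditx`, "atleast" should be "at least", and "associated with the target type" is vaguer than the example in this patch, where the prerequisite `allowx` uses the same source, target and class as the `dontauditx` rule. State the matching key explicitly so readers do not have to infer it from the example comment.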
@@ -370,6 +378,7 @@ Note that these rules can be omitted by the CIL compiler command line parameter
This example will not audit the denied access:
+ (allowx type_1 type_2 (ioctl tcp_socket (0x1))) ;; pre-requisite, just some irrelevant random ioctl
(dontauditx type_1 type_2 (ioctl tcp_socket (range 0x3000 0x30FF)))
@@ -392,7 +401,7 @@ Note that these rules can be over-ridden by the CIL compiler command line parame
</colgroup>
<tbody>
<tr class="odd">
-<td align="left"><p><code>neverallows</code></p></td>
+<td align="left"><p><code>neverallowx</code></p></td>
<td align="left"><p>The <code>neverallowx</code> keyword.</p></td>
</tr>
<tr class="even">
--
2.29.2


@ -1,48 +0,0 @@
From e8bcdb84dc0937b65ca1e9167b436b21375b96ab Mon Sep 17 00:00:00 2001
From: Dominick Grift <dominick.grift@defensec.nl>
Date: Tue, 8 Sep 2020 10:53:29 +0200
Subject: [PATCH] cil_network_labeling_statements: fixes nodecon examples
The order of the subnet and netmask is wrong and also the value of netmask is wrong for single address subnet
Use an ipaddr reserved for documentation: https://tools.ietf.org/html/rfc5737
Add ipv6 example: https://tools.ietf.org/html/rfc3849
Signed-off-by: Dominick Grift <dominick.grift@defensec.nl>
---
.../docs/cil_network_labeling_statements.md | 19 ++++++++++++++-----
1 file changed, 14 insertions(+), 5 deletions(-)
diff --git a/secilc/docs/cil_network_labeling_statements.md b/secilc/docs/cil_network_labeling_statements.md
index 49a836c16c55..60aec80d7988 100644
--- a/secilc/docs/cil_network_labeling_statements.md
+++ b/secilc/docs/cil_network_labeling_statements.md
@@ -145,12 +145,21 @@ These examples show named and anonymous [`nodecon`](cil_network_labeling_stateme
(context context_1 (unconfined.user object_r unconfined.object low_low))
(context context_2 (unconfined.user object_r unconfined.object (systemlow level_2)))
- (ipaddr netmask_1 255.255.255.0)
- (ipaddr ipv4_1 192.168.1.64)
+ (ipaddr netmask_1 255.255.255.255)
+ (ipaddr ipv4_1 192.0.2.64)
+
+ (nodecon ipv4_1 netmask_1 context_2)
+ (nodecon (192.0.2.64) (255.255.255.255) context_1)
+ (nodecon (192.0.2.64) netmask_1 (unconfined.user object_r unconfined.object ((s0) (s0 (c0)))))
+
+ (context context_3 (sys.id sys.role my48prefix.node ((s0)(s0))))
+
+ (ipaddr netmask_2 ffff:ffff:ffff:0:0:0:0:0)
+ (ipaddr ipv6_2 2001:db8:1:0:0:0:0:0)
- (nodecon netmask_1 ipv4_1 context_2)
- (nodecon (255.255.255.0) (192.168.1.64) context_1)
- (nodecon netmask_1 (192.168.1.64) (unconfined.user object_r unconfined.object ((s0) (s0 (c0)))))
+ (nodecon ipv6_2 netmask_2 context_3)
+ (nodecon (2001:db8:1:0:0:0:0:0) (ffff:ffff:ffff:0:0:0:0:0) context_3)
+ (nodecon (2001:db8:1:0:0:0:0:0) netmask_2 (sys.id sys.role my48prefix.node ((s0)(s0))))
portcon
-------
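Review bot: `context_3` in the new IPv6 example uses `sys.id`, `sys.role` and `my48prefix.node`, none of which appear elsewhere in the lines shown, while the IPv4 contexts use `unconfined.user` and `unconfined.object`. Either reuse the `unconfined.*` identifiers or declare the new ones next to `context_3` so the example stays self-contained.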
--
2.29.2

68
secilc-fedora.patch Normal file

@ -0,0 +1,68 @@
diff --git secilc-2.7/docs/cil_role_statements.md secilc-2.7/docs/cil_role_statements.md
index 0c4cadb..d92f628 100644
--- secilc-2.7/docs/cil_role_statements.md
+++ secilc-2.7/docs/cil_role_statements.md
@@ -84,7 +84,7 @@ This example will declare [`role`](cil_role_statements.md#role) and [`type`](cil
roleattribute
-------------
-Declares a role attribute identifier in the current namespace. The identifier may have zero or more [`role`](cil_role_statements.md#role) and [`roleattribute`](cil_role_statements.md#roleattribute) identifiers associated to it via the [`typeattributeset`](cil_type_statements.md#typeattributeset) statement.
+Declares a role attribute identifier in the current namespace. The identifier may have zero or more [`role`](cil_role_statements.md#role) and [`roleattribute`](cil_role_statements.md#roleattribute) identifiers associated to it via the [`roleattributeset`](cil_role_statements.md#roleattributeset) statement.
**Statement definition:**
diff --git secilc-2.7/secilc.c secilc-2.7/secilc.c
index f2232e7..0be6975 100644
--- secilc-2.7/secilc.c
+++ secilc-2.7/secilc.c
@@ -63,6 +63,7 @@ static __attribute__((__noreturn__)) void usage(const char *prog)
printf(" statement if present in the policy\n");
printf(" -D, --disable-dontaudit do not add dontaudit rules to the binary policy\n");
printf(" -P, --preserve-tunables treat tunables as booleans\n");
+ printf(" -m, --multiple-decls allow some statements to be re-declared\n");
printf(" -N, --disable-neverallow do not check neverallow rules\n");
printf(" -G, --expand-generated Expand and remove auto-generated attributes\n");
printf(" -X, --expand-size <SIZE> Expand type attributes with fewer than <SIZE>\n");
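Review bot: the help string for `-m, --multiple-decls` says "allow some statements to be re-declared" without naming them, while the package changelog describes the feature as the ability to redeclare types and type attributes. Name those in the usage text. The patch touches only `docs/cil_role_statements.md` and `secilc.c`, so the man page is left without the new option; add it in the same change, since the flag loosens a check that policy authors rely on.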
@@ -89,6 +90,7 @@ int main(int argc, char *argv[])
int target = SEPOL_TARGET_SELINUX;
int mls = -1;
int disable_dontaudit = 0;
+ int multiple_decls = 0;
int disable_neverallow = 0;
int preserve_tunables = 0;
int handle_unknown = -1;
@@ -108,6 +110,7 @@ int main(int argc, char *argv[])
{"policyversion", required_argument, 0, 'c'},
{"handle-unknown", required_argument, 0, 'U'},
{"disable-dontaudit", no_argument, 0, 'D'},
+ {"multiple-decls", no_argument, 0, 'm'},
{"disable-neverallow", no_argument, 0, 'N'},
{"preserve-tunables", no_argument, 0, 'P'},
{"output", required_argument, 0, 'o'},
@@ -119,7 +122,7 @@ int main(int argc, char *argv[])
int i;
while (1) {
- opt_char = getopt_long(argc, argv, "o:f:U:hvt:M:PDNc:GX:", long_opts, &opt_index);
+ opt_char = getopt_long(argc, argv, "o:f:U:hvt:M:PDmNc:GX:", long_opts, &opt_index);
if (opt_char == -1) {
break;
}
@@ -175,6 +178,9 @@ int main(int argc, char *argv[])
case 'D':
disable_dontaudit = 1;
break;
+ case 'm':
+ multiple_decls = 1;
+ break;
case 'N':
disable_neverallow = 1;
break;
@@ -223,6 +229,7 @@ int main(int argc, char *argv[])
cil_db_init(&db);
cil_set_disable_dontaudit(db, disable_dontaudit);
+ cil_set_multiple_decls(db, multiple_decls);
cil_set_disable_neverallow(db, disable_neverallow);
cil_set_preserve_tunables(db, preserve_tunables);
if (handle_unknown != -1) {
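Review bot: `cil_set_multiple_decls(db, multiple_decls)` is a call into libsepol that this patch does not define, so secilc only builds against a libsepol carrying the matching change. The spec's `libsepolver 2.7-2` requirement on `libsepol-static` looks intended to cover that. A comment next to the BuildRequires saying so would stop a later edit from loosening it.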


@ -1,23 +1,20 @@
%global libsepolver 3.1-5
%global libsepolver 2.7-2
Name: secilc
Version: 3.1
Release: 3%{?dist}
Version: 2.7
Release: 2%{?dist}
Summary: The SELinux CIL Compiler
License: BSD
URL: https://github.com/SELinuxProject/selinux/wiki
Source0: https://github.com/SELinuxProject/selinux/releases/download/20200710/secilc-3.1.tar.gz
# fedora-selinux/selinux: git format-patch -N secilc-3.1 -- secilc
# i=1; for j in 00*patch; do printf "Patch%04d: %s\n" $i $j; i=$((i+1));done
# Patch list start
Patch0001: 0001-Update-the-cil-docs-to-match-the-current-behaviour.patch
Patch0002: 0002-secilc-docs-document-expandtypeattribute.patch
Patch0003: 0003-cil_access_vector_rules-allowx-auditallowx-and-donta.patch
Patch0004: 0004-cil_network_labeling_statements-fixes-nodecon-exampl.patch
# Patch list end
BuildRequires: gcc
BuildRequires: libsepol-static >= %{libsepolver}, dblatex, flex, xmlto, pandoc-pdf, texlive-mdwtools
Source0: https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20170804/secilc-2.7.tar.gz
# download https://raw.githubusercontent.com/fedora-selinux/scripts/master/selinux/make-fedora-selinux-patch.sh
# run:
# HEAD https://github.com/fedora-selinux/selinux/commit/7d95e8cfa8df699ba53651de06dd0b2b9e428903
# $ VERSION=2.7 ./make-fedora-selinux-patch.sh secilc
Patch1: secilc-fedora.patch
BuildRequires: libsepol-static >= %{libsepolver}, dblatex, flex, xmlto, pandoc
%description
The SELinux CIL Compiler is a compiler that converts the CIL language as
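Review bot: the regeneration instructions above `Patch1: secilc-fedora.patch` pin the selinux tree to commit 7d95e8cfa8df699ba53651de06dd0b2b9e428903 but fetch `make-fedora-selinux-patch.sh` from the `master` branch of fedora-selinux/scripts, so the same steps can produce a different patch later. Reference the script by commit as well, so the patch shipped in the SRPM can be reproduced and audited from the comment alone.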
@ -38,18 +35,18 @@ http://github.com/SELinuxProject/cil/wiki/
for more information about the goals and features on the CIL language.
%prep
%autosetup -p 2 -n secilc-%{version}
%setup -q -n secilc-%{version}
%build
%set_build_flags
make %{?_smp_mflags} LIBSEPOL_STATIC=%{_libdir}/libsepol.a
make %{?_smp_mflags} CFLAGS="%{optflags}" LIBSEPOL_STATIC=%{_libdir}/libsepol.a
pushd docs
make %{?_smp_mflags}
popd
%install
rm -rf %{buildroot}
make %{?_smp_mflags} DESTDIR="%{buildroot}" SBINDIR="%{buildroot}%{_sbindir}" LIBDIR="%{buildroot}%{_libdir}" install
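Review bot: `%prep` on the 2.7 side uses `%setup -q -n secilc-%{version}`, which unpacks the source but, unlike `%autosetup`, does not apply `Patch` entries, and no `%patch1` line is visible between it and `%build`. Unless one exists outside this hunk, `Patch1: secilc-fedora.patch` (and with it `--multiple-decls`) never reaches the build. Add `%patch1 -p1` after `%setup`, or use `%autosetup -p 1`. Also check that passing only `CFLAGS="%{optflags}"` to `make` does not drop the distribution linker flags that `%set_build_flags` would export.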
@ -66,68 +63,9 @@ make %{?_smp_mflags} DESTDIR="%{buildroot}" SBINDIR="%{buildroot}%{_sbindir}" LI
%license COPYING
%changelog
* Fri Nov 20 2020 Petr Lautrbach <plautrba@redhat.com> - 3.1-3
- Rebuilt with libsepol.so.2
- cil_network_labeling_statements: fixes nodecon examples
- cil_access_vector_rules: allowx, auditallowx and dontauditx fixes
- secilc/docs: document expandtypeattribute
- Update the cil docs to match the current behaviour.
* Wed Jul 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 3.1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Fri Jul 10 2020 Petr Lautrbach <plautrba@redhat.com> - 3.1-1
- SELinux userspace 3.1 release
* Thu Jan 30 2020 Fedora Release Engineering <releng@fedoraproject.org> - 3.0-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
* Fri Dec 6 2019 Petr Lautrbach <plautrba@redhat.com> - 3.0-1
- SELinux userspace 3.0 release
* Tue Nov 12 2019 Petr Lautrbach <plautrba@redhat.com> - 3.0-0.rc1.1
- SELinux userspace 3.0-rc1 release candidate
* Fri Jul 26 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.9-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Tue Mar 19 2019 Petr Lautrbach <plautrba@redhat.com> - 2.9-1
- SELinux userspace 2.9 release
* Mon Mar 11 2019 Petr Lautrbach <plautrba@redhat.com> - 2.9-0.rc2.1
- SELinux userspace 2.9-rc2 release
* Sat Feb 02 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.9-0.rc1.1.1
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
* Fri Jan 25 2019 Petr Lautrbach <plautrba@redhat.com> - 2.9-0.rc1.1
- SELinux userspace 2.9-rc1 release
* Sat Jul 14 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.8-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
* Fri May 25 2018 Petr Lautrbach <plautrba@workstation> - 2.8-1
- SELinux userspace 2.8 release
* Tue May 15 2018 Petr Lautrbach <plautrba@redhat.com> - 2.8-0.rc3.1
- SELinux userspace 2.8-rc3 release candidate
* Mon Apr 23 2018 Petr Lautrbach <plautrba@redhat.com> - 2.8-0.rc1.1
- SELinux userspace 2.8-rc1 release candidate
* Tue Mar 13 2018 Petr Lautrbach <plautrba@redhat.com> - 2.7-5
- build: follow standard semantics for DESTDIR and PREFIX
- Describe multiple-decls in secilc.8.xml
* Fri Feb 09 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.7-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
* Wed Nov 22 2017 Petr Lautrbach <plautrba@redhat.com> - 2.7-3
- Rebuild with libsepol-2.7-3
* Fri Oct 20 2017 Petr Lautrbach <plautrba@redhat.com> - 2.7-2
- Fixed bad reference in roleattribute
- cil: Add ability to redeclare types[attributes]
* Fri Nov 24 2017 Petr Lautrbach <plautrba@redhat.com> - 2.7-2
- libsepol: cil: Add ability to redeclare types[attributes]
- doc: Fixed bad reference in roleattribute
* Mon Aug 07 2017 Petr Lautrbach <plautrba@redhat.com> - 2.7-1
- Update to upstream release 2017-08-04


@ -1 +1 @@
SHA512 (secilc-3.1.tar.gz) = 79e3e4910178af49ea164d620aa997adb21dd18581c054a4023dd9116ec9dd203bd12989ef308aa1d253b47fcd251ee2b99c26e143d1db3de22a7f374ff38e0b
SHA512 (secilc-2.7.tar.gz) = cd828ad34e80151951f94414d27246b480cd4831d1d57cb35d5958ce23c30fe74f26ec1c4b29b51fe382bf03ec3144311b35ca645ffc6b914b7abfe677684c06