diff --git a/setools-TresysTechnology-setools3.patch b/setools-TresysTechnology-setools3.patch new file mode 100644 index 0000000..db82c60 --- /dev/null +++ b/setools-TresysTechnology-setools3.patch @@ -0,0 +1,18398 @@ +diff --git a/ChangeLog b/ChangeLog +index 1bce21d..c13a4dc 100644 +--- a/ChangeLog ++++ b/ChangeLog +@@ -1,3 +1,40 @@ ++2014-04-15 Richard Haines ++ ++ * Updates to libqpol to support policy source file expansion ++ to version 29. Source policies with the filename transition ++ rule will have their entries expanded twice, this is a bug ++ in libsepol. ++ Fixed bug in default_range to now diplay range component. ++ ++2014-04-14 Richard Haines ++ ++ * Updates to apol and the libapol/libqpol libraries to support ++ new policy statements and rules to version 29 (Note the features ++ for loading source code (policy.conf etc.) have not been updated ++ to support the new statements and rules. ++ These are the enhancements and bug fixes: ++ * Add permissive type and typebound support to Types tab. ++ * Add new Constraints tab to search all constraint statements. ++ * Add new Bounds tab to search for userbound, rolebound and ++ typebound statements. ++ * Add new policy capabilities tab. ++ * Add filename type_transition support on TE Rules tab. ++ * Add new Default Object tab to support defaultuser, defaultrole, ++ defaulttype and defaultrange rules. ++ * Add new Namespaces tab to list CIL namespaces. This will also ++ show any users, roles, types, classes, booleans, sensitivities ++ and categories declared in each namespace. ++ * Update Query/Policy Summary page to show the number of new ++ rules added plus the policy handle_unknown flag. ++ * Fixed File Contexts tab to stop hang when building the fc ++ index when broken links/files found (libsefs). ++ * Fixed Booleans tab to display CIL namespace booleans. ++ * Updated apol_help.txt to reflect the changes made plus how to ++ load the running policy. ++ ++2014-01-16 Chris PeBenito ++ * Fix bug preventing sediffx from starting. ++ + 2013-01-08 Steve Lawrence + + * SETools 3.3.8 +diff --git a/README b/README +index 04b159b..fcd6378 100644 +--- a/README ++++ b/README +@@ -1,4 +1,4 @@ +-SETools - Policy analysis tools for SELinux (C) 2001-2010 ++SETools - Policy analysis tools for SELinux (C) 2001-2014 + Tresys Technology + setools@tresys.com, http://oss.tresys.com/projects/setools + +@@ -9,7 +9,7 @@ TABLE OF CONTENTS + 1. Overview + 2. Installation + 2.1. compiling from official distribution +- 2.2. compiling from SVN checkout ++ 2.2. compiling from git clone + 2.3. configure flags + 2.4. using development version of SELinux + 2.5. Logwatch support +@@ -119,11 +119,11 @@ Assuming that /usr/local/bin is in your $PATH and /usr/local/lib in + $LD_LIBRARY_PATH everything should now work. + + +-2.2. compiling from SVN checkout ++2.2. compiling from git clone + -------------------------------- + + If you prefer the bleeding edge of SETools development, you could +-instead obtain the development version of SETools from the Subversion ++instead obtain the development version of SETools from the git + repository (see Section 4). + + $ cd setools +@@ -424,13 +424,13 @@ Open Source Software website, http://oss.tresys.com/projects/setools. + Tresys builds RPM packages of SETools. They may also be obtained from + the website listed above. + +-SETools source code is maintained within a Subversion repository. ++SETools source code is maintained within a git repository. + From the command line do: + +- $ svn co http://oss.tresys.com/repos/setools/trunk/ setools ++ $ git clone https://github.com/TresysTechnology/setools3.git + +-You may also browse the SVN repository at +-http://oss.tresys.com/projects/setools/browser. ++You may also browse the git repository at ++https://github.com/TresysTechnology/setools3 + + Other binary releases SETools are available for your favorite Linux + packaging system from third-party sources. Gentoo users have an +diff --git a/apol/Makefile.am b/apol/Makefile.am +index 646d8b1..4fc5562 100644 +--- a/apol/Makefile.am ++++ b/apol/Makefile.am +@@ -27,12 +27,15 @@ dist_setools_DATA = apol_help.txt domaintrans_help.txt file_relabel_help.txt \ + + EXTRA_DIST = \ + analysis_tab.tcl \ ++ bounds_tab.tcl \ + classes_perms_tab.tcl \ + common_widgets.tcl \ + cond_bools_tab.tcl \ + cond_rules_tab.tcl \ ++ constraints_tab.tcl \ + context_dialog.tcl \ + context_selector.tcl \ ++ default_objects_tab.tcl \ + directflow_module.tcl \ + domaintrans_module.tcl \ + file_contexts_tab.tcl \ +@@ -43,9 +46,11 @@ EXTRA_DIST = \ + initial_sids_tab.tcl \ + level_dialog.tcl \ + mls_tab.tcl \ ++ namespaces_tab.tcl \ + netcontexts_tab.tcl \ + open_policy_dialog.tcl \ + perms_map.tcl \ ++ polcap_tab.tcl \ + policyconf.tcl \ + progress_dialog.tcl \ + range_dialog.tcl \ +diff --git a/apol/apol_help.txt b/apol/apol_help.txt +index aad309b..1ed5a9e 100644 +--- a/apol/apol_help.txt ++++ b/apol/apol_help.txt +@@ -29,7 +29,7 @@ not report line numbers when searching monolithic binary polices. + + Apol provides compatibility with the current and previous policy + syntax. It supports analysis of monolithic policy versions 12 to the +-current version 21 and modular policy versions 5 and 6. ++current version 29 and modular policy versions to 17. + + See setools/ChangeLog for a list of new features in this release. See + setools/KNOWN_BUGS for a list of current bugs. +@@ -40,7 +40,12 @@ Menus + Use 'Open' from the File menu to open a valid policy. The policy may + be monolithic or be composed of a base linked with multiple modules. + Only one policy can be open at a time; opening a second policy will +-result in the first being closed. ++result in the first being closed. Note: If the kernel supports reading ++the currently loaded policy, then select "monolithic" and set the ++"Policy filename" path to either: ++ /selinux/policy ++ or ++ /sys/fs/selinux/policy + + The Query menu allows the user to save or load a query for a TE Rules + search or for an analysis module listed on the Analysis tab. Saving a +@@ -85,6 +90,8 @@ relate the core components of an SELinux policy. + to search for types and/or attributes using a POSIX-style regular + expression. + ++ Permissive and bound types may also be searched. ++ + Classes/Perms tab + ----------------- + Use the Classes/Perms tab to view and search object classes, common +@@ -149,6 +156,23 @@ relate the core components of an SELinux policy. + Select the FS Contexts tab to search filesystem-based contexts + (fs_use_ and genfscon statements) defined in the policy. + ++ Policy Capabilities tab ++ --------------- ++ Select the Policy Capabilities tab to display policy capabilities ++ defined in the policy. ++ ++ Policy Namespaces tab ++ --------------- ++ Select the Policy Namespaces tab to display the namespaces defined ++ in the policy. For policies with a single namespace there will be ++ one namespace displayed: "GLOBAL-NS". For policies that can define ++ multiple namespaces (e.g CIL), all namespaces will be displayed ++ including "GLOBAL-NS". ++ If the namespace entry is double clicked then a list of Users, Roles, ++ Types, Attributes, Classes and Booleans applicable to that namespace ++ will be displayed (also if MLS enabled the Sensitivities and ++ Categories will also be shown). ++ + + Policy Rules tabs + ----------------- +@@ -226,6 +250,10 @@ rules in a policy based on selected search criteria. + the checkbox is enabled, returned rules instead will contain + all of them. + ++ 4. FILENAME SUBTAB: provides options to refine a search ++ using the file name type_transition rule filename. Only rules ++ that contain the selected file name will be returned. ++ + In the Results Tab for a given search, all rules that meet the + search criteria are displayed. In addition, if the policy that is + opened is capable of showing line numbers, a hyperlink for each rule +@@ -260,6 +288,57 @@ rules in a policy based on selected search criteria. + [Enabled] - indicates the rule is enabled + [Disabled] - indicates the rule is disabled + ++ Constraints tab ++ --------------- ++ Select the Constraints tab to search through the constrain and ++ validatetrans constraint rules. If the current policy supports MLS ++ then these variants are also enabled. ++ ++ Four different types of search criteria exist for constraints: ++ ++ 1. CONSTRAINT SELECTION: provides options to limit the scope of the ++ search as only those constraints selected will be included in the ++ search. At least one must be selected. NOTE: If no additional ++ search criteria is specified, apol will search for all of the ++ selected constraints. ++ ++ 2. CLASSES/PERMISSIONS SUBTAB: provides options to refine a search ++ using object classes and/or permissions in the same way as the ++ TE Rules tab described above. Note that the validatetrans rules ++ do not use permissions. ++ ++ 3. LEFT SIDE OF EXPRESSION SUBTAB: provides an option to refine a ++ search based on the left keyword of a constraint. When checked ++ the left hand side of each expression is read from the policy and ++ displayed in the drop down box. A single keyword may then be ++ selected. ++ ++ 4. RIGHT SIDE OF EXPRESSION SUBTAB: provides options to refine a ++ search based on either the right keyword, user, role, type or type ++ attribute of a constraint. When one of the boxes is checked ++ the right keywords, users, roles, types or type attributes are ++ read from the policy and displayed in the drop down box. A single ++ item may then be selected. ++ ++ Note: When displaying the constraint details from a binary policy, the ++ result will depend on the policy version: ++ a) For versions <= 28 it will always display types as the ++ compiler expanded any attributes before writing the binary ++ policy. Therefore searches should always be for types. ++ b) For versions >= 29 it will display whatever was defined in ++ the source policy, therefore searches may be on types or ++ attributes. ++ ++ The Constraints Tab also supports multiple results windows. Each ++ active window remembers the search options used for it, and will set ++ all the options accordingly when selected. Use the "Update Search" ++ button to change the results displayed for the current window based ++ on the current search option. "New Search" creates a new results ++ window based on the current search options. Use the "Close Tab" bar ++ at the bottom to destroy a results window. Also, the Constraints tab ++ provides the means to save/load search criteria to a file (see Menus ++ section above). ++ + RBAC Rules tab + -------------- + Select the RBAC Rules tab to search role-based access control rules. +@@ -271,13 +350,18 @@ rules in a policy based on selected search criteria. + + Range Transition Rules tab + -------------------------- +- Select the Range Transition Rules tab to search to search ++ Select the Range Transition Rules tab to search for + range_transition rules by source and target types and by the MLS + range. There are three options when searching for ranges; find + exact matches to the entered range, find rules that have ranges + that contain the entered range, or find rules that have ranges + within the entered range. + ++ Bounds Rules tab ++ -------------------------- ++ Select the Bounds Rules tab to search for userbound, rolebound or ++ typebound rules by parent or child types. ++ + + File Contexts tab + ----------------- +diff --git a/apol/bounds_tab.tcl b/apol/bounds_tab.tcl +new file mode 100644 +index 0000000..906eade +--- /dev/null ++++ b/apol/bounds_tab.tcl +@@ -0,0 +1,433 @@ ++# Copyright (C) 2001-2007 Tresys Technology, LLC ++# This program is free software; you can redistribute it and/or modify ++# it under the terms of the GNU General Public License as published by ++# the Free Software Foundation; either version 2 of the License, or ++# (at your option) any later version. ++# ++# This program is distributed in the hope that it will be useful, ++# but WITHOUT ANY WARRANTY; without even the implied warranty of ++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++# GNU General Public License for more details. ++# ++# You should have received a copy of the GNU General Public License ++# along with this program; if not, write to the Free Software ++# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA ++ ++namespace eval Apol_Bounds { ++ variable vals ++ variable widgets ++} ++ ++proc Apol_Bounds::create {tab_name nb} { ++ variable vals ++ variable widgets ++ ++ _initializeVars ++ ++ set frame [$nb insert end $tab_name -text "Bounds Rules"] ++ set topf [frame $frame.top] ++ set bottomf [frame $frame.bottom] ++ pack $topf -expand 0 -fill both -pady 2 ++ pack $bottomf -expand 1 -fill both -pady 2 ++ ++ set rsbox [TitleFrame $topf.rs -ipad 30 -text "Rule Selection"] ++ set obox [TitleFrame $topf.opts -text "Search Options"] ++ set dbox [TitleFrame $bottomf.results -text "Bounds Rules Display"] ++ pack $rsbox -side left -expand 0 -fill both -padx 2 ++ pack $obox -side left -expand 1 -fill both -padx 2 ++ pack $dbox -expand 1 -fill both -padx 2 ++ ++ # Rule selection subframe ++ set rs [$rsbox getframe] ++ radiobutton $rs.user -text user -value user \ ++ -variable Apol_Bounds::vals(rule_selection) ++ radiobutton $rs.role -text role -value role \ ++ -variable Apol_Bounds::vals(rule_selection) ++ radiobutton $rs.type -text type -value type \ ++ -variable Apol_Bounds::vals(rule_selection) ++ trace add variable Apol_Bounds::vals(rule_selection) write \ ++ [list Apol_Bounds::_ruleChanged] ++ pack $rs.user $rs.role $rs.type -side top -anchor w ++ ++ set widgets(options_pm) [PagesManager [$obox getframe].opts] ++ ++ _userCreate [$widgets(options_pm) add user] ++ _roleCreate [$widgets(options_pm) add role] ++ _typeCreate [$widgets(options_pm) add type] ++ ++ $widgets(options_pm) compute_size ++ pack $widgets(options_pm) -expand 1 -fill both -side left ++ $widgets(options_pm) raise type ++ ++ set ok [button [$obox getframe].ok -text OK -width 6 -command Apol_Bounds::_searchBounds] ++ pack $ok -side right -padx 5 -pady 5 -anchor ne ++ ++ set widgets(results) [Apol_Widget::makeSearchResults [$dbox getframe].results] ++ pack $widgets(results) -expand yes -fill both ++ ++ return $frame ++} ++ ++proc Apol_Bounds::open {ppath} { ++ variable vals ++ variable widgets ++ $widgets(user:user_parent) configure -values $Apol_Users::users_list ++ $widgets(user:user_child) configure -values $Apol_Users::users_list ++ $widgets(role:role_parent) configure -values $Apol_Roles::role_list ++ $widgets(role:role_child) configure -values $Apol_Roles::role_list ++ $widgets(type:type_parent) configure -values $Apol_Types::typelist ++ $widgets(type:type_child) configure -values $Apol_Types::typelist ++ ++ set vals(rule_selection) type ++} ++ ++proc Apol_Bounds::close {} { ++ variable widgets ++ ++ _initializeVars ++ $widgets(user:user_parent) configure -values {} ++ $widgets(user:user_child) configure -values {} ++ $widgets(role:role_parent) configure -values {} ++ $widgets(role:role_child) configure -values {} ++ $widgets(type:type_parent) configure -values {} ++ $widgets(type:type_child) configure -values {} ++} ++ ++proc Apol_Bounds::getTextWidget {} { ++ variable widgets ++} ++ ++#### private functions below #### ++ ++proc Apol_Bounds::_initializeVars {} { ++ variable vals ++ array set vals { ++ rule_selection type ++ ++ user_parent:use 0 ++ user_parent:sym {} ++ user_child:sym {} ++ user_child:use 0 ++ ++ role_parent:use 0 ++ role_parent:sym {} ++ role_child:sym {} ++ role_child:use 0 ++ ++ type_parent:use 0 ++ type_parent:sym {} ++ type_child:sym {} ++ type_child:use 0 ++ } ++} ++ ++proc Apol_Bounds::_userCreate {a_f} { ++ variable vals ++ variable widgets ++ ++ set user_parent [frame $a_f.user_parent] ++ set user_parent_cb [checkbutton $user_parent.enable -text "Parent user" \ ++ -variable Apol_Bounds::vals(user_parent:use)] ++ set widgets(user:user_parent) [ComboBox $user_parent.cb -width 20 -state disabled \ ++ -entrybg $ApolTop::default_bg_color \ ++ -textvariable Apol_Bounds::vals(user_parent:sym) \ ++ -helptext "Select the bounding user" -autopost 1] ++ ++ trace add variable Apol_Bounds::vals(user_parent:use) write \ ++ [list Apol_Bounds::_toggleCheckbutton $widgets(user:user_parent) {}] ++ pack $user_parent_cb -side top -anchor w ++ pack $widgets(user:user_parent) -side top -expand 0 -fill x -padx 4 ++ ++ pack $user_parent -side left -padx 4 -pady 2 -expand 0 -anchor nw ++ ++ set user_child [frame $a_f.user_child] ++ set widgets(user:user_child_cb) [checkbutton $user_child.enable -text "Child user" \ ++ -variable Apol_Bounds::vals(user_child:use)] ++ set widgets(user:user_child) [ComboBox $user_child.cb -width 20 -state disabled \ ++ -entrybg $ApolTop::default_bg_color \ ++ -textvariable Apol_Bounds::vals(user_child:sym) \ ++ -helptext "Select the bounded user" -autopost 1] ++ trace add variable Apol_Bounds::vals(user_child:use) write \ ++ [list Apol_Bounds::_toggleCheckbutton $widgets(user:user_child) {}] ++ pack $widgets(user:user_child_cb) -side top -anchor w ++ pack $widgets(user:user_child) -side top -expand 0 -fill x -padx 4 ++ pack $user_child -side left -padx 4 -pady 2 -expand 0 -fill y ++} ++ ++proc Apol_Bounds::_roleCreate {t_f} { ++ variable vals ++ variable widgets ++ ++ set role_parent [frame $t_f.role_parent] ++ set role_parent_cb [checkbutton $role_parent.enable -text "Parent role" \ ++ -variable Apol_Bounds::vals(role_parent:use)] ++ set widgets(role:role_parent) [ComboBox $role_parent.cb -width 20 -state disabled \ ++ -entrybg $ApolTop::default_bg_color \ ++ -textvariable Apol_Bounds::vals(role_parent:sym) \ ++ -helptext "Select the bounding role" -autopost 1] ++ ++ trace add variable Apol_Bounds::vals(role_parent:use) write \ ++ [list Apol_Bounds::_toggleCheckbutton $widgets(role:role_parent) {}] ++ pack $role_parent_cb -side top -anchor w ++ pack $widgets(role:role_parent) -side top -expand 0 -fill x -padx 4 ++ ++ pack $role_parent -side left -padx 4 -pady 2 -expand 0 -anchor nw ++ ++ set role_child [frame $t_f.role_child] ++ set widgets(role:role_child_cb) [checkbutton $role_child.enable -text "Child role" \ ++ -variable Apol_Bounds::vals(role_child:use)] ++ set widgets(role:role_child) [ComboBox $role_child.cb -width 20 -state disabled \ ++ -entrybg $ApolTop::default_bg_color \ ++ -textvariable Apol_Bounds::vals(role_child:sym) \ ++ -helptext "Select the bounded role" -autopost 1] ++ trace add variable Apol_Bounds::vals(role_child:use) write \ ++ [list Apol_Bounds::_toggleCheckbutton $widgets(role:role_child) {}] ++ pack $widgets(role:role_child_cb) -side top -anchor w ++ pack $widgets(role:role_child) -side top -expand 0 -fill x -padx 4 ++ pack $role_child -side left -padx 4 -pady 2 -expand 0 -fill y ++} ++ ++proc Apol_Bounds::_typeCreate {b_t} { ++ variable vals ++ variable widgets ++ ++ set type_parent [frame $b_t.type_parent] ++ set type_parent_cb [checkbutton $type_parent.enable -text "Parent type" \ ++ -variable Apol_Bounds::vals(type_parent:use)] ++ set widgets(type:type_parent) [ComboBox $type_parent.cb -width 20 -state disabled \ ++ -entrybg $ApolTop::default_bg_color \ ++ -textvariable Apol_Bounds::vals(type_parent:sym) \ ++ -helptext "Select the bounding type" -autopost 1] ++ ++ trace add variable Apol_Bounds::vals(type_parent:use) write \ ++ [list Apol_Bounds::_toggleCheckbutton $widgets(type:type_parent) {}] ++ pack $type_parent_cb -side top -anchor w ++ pack $widgets(type:type_parent) -side top -expand 0 -fill x -padx 4 ++ ++ pack $type_parent -side left -padx 4 -pady 2 -expand 0 -anchor nw ++ ++ set type_child [frame $b_t.type_child] ++ set widgets(type:type_child_cb) [checkbutton $type_child.enable -text "Child type" \ ++ -variable Apol_Bounds::vals(type_child:use)] ++ set widgets(type:type_child) [ComboBox $type_child.cb -width 20 -state disabled \ ++ -entrybg $ApolTop::default_bg_color \ ++ -textvariable Apol_Bounds::vals(type_child:sym) \ ++ -helptext "Select the bounded type" -autopost 1] ++ trace add variable Apol_Bounds::vals(type_child:use) write \ ++ [list Apol_Bounds::_toggleCheckbutton $widgets(type:type_child) {}] ++ pack $widgets(type:type_child_cb) -side top -anchor w ++ pack $widgets(type:type_child) -side top -expand 0 -fill x -padx 4 ++ pack $type_child -side left -padx 4 -pady 2 -expand 0 -fill y ++} ++ ++proc Apol_Bounds::_toggleCheckbutton {cb w name1 name2 ops} { ++ variable vals ++ ++ if {$vals($name2)} { ++ $cb configure -state normal -entrybg white ++ foreach x $w { ++ $x configure -state normal ++ } ++ } else { ++ $cb configure -state disabled -entrybg $ApolTop::default_bg_color ++ foreach x $w { ++ $x configure -state disabled ++ } ++ } ++} ++ ++# callback invoked when the user changes which Bounds rule to search ++proc Apol_Bounds::_ruleChanged {name1 name2 ops} { ++ variable vals ++ variable widgets ++ Apol_Widget::clearSearchResults $widgets(results) ++ $widgets(options_pm) raise $vals(rule_selection) ++} ++ ++proc Apol_Bounds::_searchBounds {} { ++ variable vals ++ variable widgets ++ ++ Apol_Widget::clearSearchResults $widgets(results) ++ if {![ApolTop::is_policy_open]} { ++ tk_messageBox -icon error -type ok -title "Error" -message "No current policy file is opened." ++ return ++ } ++ ++ if {$vals(rule_selection) == "user"} { ++ Apol_Bounds::_searchUserBounds ++ return ++ } ++ if {$vals(rule_selection) == "role"} { ++ Apol_Bounds::_searchRoleBounds ++ return ++ } ++ ++ if {$vals(rule_selection) == "type" } { ++ Apol_Bounds::_searchTypeBounds ++ return ++ } ++} ++ ++proc Apol_Bounds::_searchUserBounds {} { ++ variable vals ++ variable widgets ++ ++ set results {} ++ set bounds {} ++ set counter 0 ++ set printit 0 ++ set parent_regexp 0 ++ set child_regexp 0 ++ ++ if {$vals(user_parent:use) && $vals(user_parent:sym) == {}} { ++ tk_messageBox -icon error -type ok -title "Error" -message "No parent user selected." ++ } elseif {$vals(user_parent:use)} { ++ set parent_regexp 1 ++ } ++ if {$vals(user_child:use) && $vals(user_child:sym) == {}} { ++ tk_messageBox -icon error -type ok -title "Error" -message "No child user selected." ++ } elseif {$vals(user_child:use)} { ++ set child_regexp 1 ++ } ++ ++ set q [new_apol_userbounds_query_t] ++ set v [$q run $::ApolTop::policy] ++ $q -acquire ++ $q -delete ++ for {set i 0} {$v != "NULL" && $i < [$v get_size]} {incr i} { ++ for {set i 0} {$v != "NULL" && $i < [$v get_size]} {incr i} { ++ set q [qpol_userbounds_from_void [$v get_element $i]] ++ set parent [$q get_parent_name $::ApolTop::qpolicy] ++ set child [$q get_child_name $::ApolTop::qpolicy] ++ if {$parent != ""} { ++ if {$parent_regexp == 1 && $parent == $vals(user_parent:sym)} { ++ set printit 1 ++ } ++ if {$child_regexp == 1 && $child == $vals(user_child:sym)} { ++ set printit 1 ++ } ++ if {$parent_regexp == 0 && $child_regexp == 0} { ++ set printit 1 ++ } ++ if {$printit == 1} { ++ append bounds "userbounds $parent " ++ append bounds "$child;\n" ++ set counter [expr $counter + 1] ++ } ++ } ++ set printit 0 ++ } ++ } ++ append results "$counter rules match search criteria.\n\n$bounds\n" ++ Apol_Widget::appendSearchResultText $widgets(results) $results ++} ++ ++proc Apol_Bounds::_searchRoleBounds {} { ++ variable vals ++ variable widgets ++ ++ set results {} ++ set bounds {} ++ set counter 0 ++ set printit 0 ++ set parent_regexp 0 ++ set child_regexp 0 ++ ++ if {$vals(role_parent:use) && $vals(role_parent:sym) == {}} { ++ tk_messageBox -icon error -type ok -title "Error" -message "No parent role selected." ++ } elseif {$vals(role_parent:use)} { ++ set parent_regexp 1 ++ } ++ if {$vals(role_child:use) && $vals(role_child:sym) == {}} { ++ tk_messageBox -icon error -type ok -title "Error" -message "No child role selected." ++ } elseif {$vals(role_child:use)} { ++ set child_regexp 1 ++ } ++ ++ set q [new_apol_rolebounds_query_t] ++ set v [$q run $::ApolTop::policy] ++ $q -acquire ++ $q -delete ++ for {set i 0} {$v != "NULL" && $i < [$v get_size]} {incr i} { ++ for {set i 0} {$v != "NULL" && $i < [$v get_size]} {incr i} { ++ set q [qpol_rolebounds_from_void [$v get_element $i]] ++ set parent [$q get_parent_name $::ApolTop::qpolicy] ++ set child [$q get_child_name $::ApolTop::qpolicy] ++ if {$parent != ""} { ++ if {$parent_regexp == 1 && $parent == $vals(role_parent:sym)} { ++ set printit 1 ++ } ++ if {$child_regexp == 1 && $child == $vals(role_child:sym)} { ++ set printit 1 ++ } ++ if {$parent_regexp == 0 && $child_regexp == 0} { ++ set printit 1 ++ } ++ if {$printit == 1} { ++ append bounds "rolebounds $parent " ++ append bounds "$child;\n" ++ set counter [expr $counter + 1] ++ } ++ } ++ set printit 0 ++ } ++ } ++ append results "$counter rules match search criteria.\n\n$bounds\n" ++ Apol_Widget::appendSearchResultText $widgets(results) $results ++} ++ ++proc Apol_Bounds::_searchTypeBounds {} { ++ variable vals ++ variable widgets ++ ++ set results {} ++ set bounds {} ++ set counter 0 ++ set printit 0 ++ set parent_regexp 0 ++ set child_regexp 0 ++ ++ if {$vals(type_parent:use) && $vals(type_parent:sym) == {}} { ++ tk_messageBox -icon error -type ok -title "Error" -message "No parent type selected." ++ } elseif {$vals(type_parent:use)} { ++ set parent_regexp 1 ++ } ++ if {$vals(type_child:use) && $vals(type_child:sym) == {}} { ++ tk_messageBox -icon error -type ok -title "Error" -message "No child type selected." ++ } elseif {$vals(type_child:use)} { ++ set child_regexp 1 ++ } ++ ++ set q [new_apol_typebounds_query_t] ++ set v [$q run $::ApolTop::policy] ++ $q -acquire ++ $q -delete ++ for {set i 0} {$v != "NULL" && $i < [$v get_size]} {incr i} { ++ for {set i 0} {$v != "NULL" && $i < [$v get_size]} {incr i} { ++ set q [qpol_typebounds_from_void [$v get_element $i]] ++ set parent [$q get_parent_name $::ApolTop::qpolicy] ++ set child [$q get_child_name $::ApolTop::qpolicy] ++ if {$parent != ""} { ++ if {$parent_regexp == 1 && $parent == $vals(type_parent:sym)} { ++ set printit 1 ++ } ++ if {$child_regexp == 1 && $child == $vals(type_child:sym)} { ++ set printit 1 ++ } ++ if {$parent_regexp == 0 && $child_regexp == 0} { ++ set printit 1 ++ } ++ if {$printit == 1} { ++ append bounds "typebounds $parent " ++ append bounds "$child;\n" ++ set counter [expr $counter + 1] ++ } ++ } ++ set printit 0 ++ } ++ } ++ append results "$counter rules match search criteria.\n\n$bounds\n" ++ Apol_Widget::appendSearchResultText $widgets(results) $results ++} ++ +diff --git a/apol/cond_bools_tab.tcl b/apol/cond_bools_tab.tcl +index 76356f1..25c8dee 100644 +--- a/apol/cond_bools_tab.tcl ++++ b/apol/cond_bools_tab.tcl +@@ -107,7 +107,9 @@ proc Apol_Cond_Bools::open {ppath} { + foreach bool $cond_bools_list { + set b [new_qpol_bool_t $::ApolTop::qpolicy $bool] + set cond_bools_defaults($bool) [$b get_state $::ApolTop::qpolicy] +- _insert_listbox_item $bool $cond_bools_defaults($bool) ++ # This is a workaround as frames do not like the "." in CIL booleans ++ set frame_bool [string map {. *} $bool] ++ _insert_listbox_item $bool $cond_bools_defaults($bool) $frame_bool + } + + variable widgets +@@ -161,21 +163,21 @@ proc Apol_Cond_Bools::_initializeVars {} { + } + } + +-proc Apol_Cond_Bools::_insert_listbox_item {bool initial_state} { ++proc Apol_Cond_Bools::_insert_listbox_item {bool initial_state frame_bool} { + variable widgets + variable cond_bools_values + + set cond_bools_values($bool) $initial_state + set subf [$widgets(listbox) getframe] +- set rb_true [radiobutton $subf.t:$bool -bg white \ ++ set rb_true [radiobutton $subf.t:$frame_bool -bg white \ + -variable Apol_Cond_Bools::cond_bools_values($bool) \ + -value 1 -highlightthickness 0 -text "True"] +- set rb_false [radiobutton $subf.f:$bool -bg white \ ++ set rb_false [radiobutton $subf.f:$frame_bool -bg white \ + -variable Apol_Cond_Bools::cond_bools_values($bool) \ + -value 0 -highlightthickness 0 -text "False"] + trace add variable Apol_Cond_Bools::cond_bools_values($bool) write \ + [list Apol_Cond_Bools::_set_bool_value] +- set rb_label [label $subf.l:$bool -bg white -text "- $bool"] ++ set rb_label [label $subf.l:$frame_bool -bg white -text "- $bool"] + grid $rb_true $rb_false $rb_label -padx 2 -pady 5 -sticky w + } + +diff --git a/apol/constraints_tab.tcl b/apol/constraints_tab.tcl +new file mode 100644 +index 0000000..965e584 +--- /dev/null ++++ b/apol/constraints_tab.tcl +@@ -0,0 +1,1589 @@ ++# This tab will allow searching of constrain and validatetrans constraint ++# rules within the policy. The mls versions are also searched if an ++# mls policy is loaded. ++# ++# This tab has been derived from the terules_tab. ++# ++# Author: Richard Haines richard_c_haines@btinternet.com ++# ++# Copyright (C) 2001-2007 Tresys Technology, LLC ++# This program is free software; you can redistribute it and/or modify ++# it under the terms of the GNU General Public License as published by ++# the Free Software Foundation; either version 2 of the License, or ++# (at your option) any later version. ++# ++# This program is distributed in the hope that it will be useful, ++# but WITHOUT ANY WARRANTY; without even the implied warranty of ++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++# GNU General Public License for more details. ++# ++# You should have received a copy of the GNU General Public License ++# along with this program; if not, write to the Free Software ++# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA ++ ++namespace eval Apol_Constraint { ++ variable vals ++ variable widgets ++ variable tabs ++ variable enabled ++ ++ variable opts ++ variable constraint_list {} ++ variable left_expr_list {} ++ variable right_expr_list {} ++ variable mls_enabled {0} ++ variable match_right_type_names 0 ++ variable statement_count 0 ++} ++ ++proc Apol_Constraint::create {tab_name nb} { ++ variable vals ++ variable widgets ++ ++ _initializeVars ++ ++ set frame [$nb insert end $tab_name -text "Constraints"] ++ set pw [PanedWindow $frame.pw -side left -weights extra] ++ set topf [$pw add -weight 0] ++ set bottomf [$pw add -weight 1] ++ pack $pw -expand 1 -fill both ++ ++ # Major SubFrames: ++ # rsbox - constrain selection ++ # rbox - holds display window widgets ++ # abox - action buttons ++ set top_leftf [frame $topf.tl] ++ set widgets(search_opts) [NoteBook $topf.nb] ++ set abox [frame $topf.abox] ++ pack $top_leftf -side left -expand 0 -fill y ++ pack $widgets(search_opts) -side left -expand 1 -fill both -padx 10 ++ pack $abox -side right -fill y -padx 5 ++ set rsbox [TitleFrame $top_leftf.rsbox -text "Constraint Selection"] ++ set rbox [TitleFrame $bottomf.rbox -text "Constraint Search Results"] ++ pack $rsbox -side top -fill both -expand 1 ++ pack $rbox -expand yes -fill both -padx 2 ++ ++ # Constraint selection subframe ++ set fm_constraints [$rsbox getframe] ++ set constrain [checkbutton $fm_constraints.constrain -text "constrain" \ ++ -onvalue 1 -offvalue 0 \ ++ -variable Apol_Constraint::vals(rs:constrain_enabled)] ++ set mlsconstrain [checkbutton $fm_constraints.mlsconstrain -text "mlsconstrain" \ ++ -onvalue 1 -offvalue 0 \ ++ -variable Apol_Constraint::vals(rs:mlsconstrain_enabled)] ++ set validatetrans [checkbutton $fm_constraints.validatetrans -text "validatetrans" \ ++ -onvalue 1 -offvalue 0 \ ++ -variable Apol_Constraint::vals(rs:validatetrans_enabled)] ++ set mlsvalidatetrans [checkbutton $fm_constraints.mlsvalidatetrans -text "mlsvalidatetrans" \ ++ -onvalue 1 -offvalue 0 \ ++ -variable Apol_Constraint::vals(rs:mlsvalidatetrans_enabled)] ++ grid $constrain -sticky w -padx 10 ++ grid $mlsconstrain -sticky w -padx 10 ++ grid $validatetrans -sticky w -padx 10 -pady {30 0} ++ grid $mlsvalidatetrans -sticky w -padx 10 ++ ++ _createClassesPermsTab ++ _createLeftExpressionTab ++ _createRightExpressionTab ++ ++ # Action buttons ++ set widgets(new) [button $abox.new -text "New Search" -width 12 \ ++ -command [list Apol_Constraint::_search_constraints new]] ++ set widgets(update) [button $abox.update -text "Update Search" -width 12 -state disabled \ ++ -command [list Apol_Constraint::_search_constraints update]] ++ set widgets(reset) [button $abox.reset -text "Reset Criteria" -width 12 \ ++ -command Apol_Constraint::_reset] ++ pack $widgets(new) $widgets(update) $widgets(reset) \ ++ -side top -pady 5 -padx 5 -anchor ne ++ ++ $widgets(search_opts) compute_size ++ ++ # Popup menu widget ++ set popupTab_Menu [menu .popup_constrain_rules -tearoff 0] ++ set tab_menu_callbacks \ ++ [list {"Close Tab" Apol_Constraint::_delete_results} \ ++ {"Rename Tab" Apol_Constraint::_display_rename_tab_dialog}] ++ ++ # Notebook creation for results ++ set widgets(results) [NoteBook [$rbox getframe].results] ++ $widgets(results) bindtabs Apol_Constraint::_switch_to_tab ++ $widgets(results) bindtabs \ ++ [list ApolTop::popup \ ++ %W %x %y $popupTab_Menu $tab_menu_callbacks] ++ set close [button [$rbox getframe].close -text "Close Tab" \ ++ -command Apol_Constraint::_delete_current_results] ++ pack $widgets(results) -expand 1 -fill both -padx 4 ++ pack $close -expand 0 -fill x -padx 4 -pady 2 ++ ++ _initializeVars ++ return $frame ++} ++ ++ ++proc Apol_Constraint::open {ppath} { ++ variable mls_enabled ++ ++ if {[ApolTop::is_capable "mls"]} { ++ set mls_enabled 1 ++ } else { ++ set mls_enabled 0 ++ } ++ ++ _initializeVars ++ _initializeWidgets ++ _initializeTabs ++ ++ variable vals ++ variable enabled ++ set vals(cp:classes) [Apol_Class_Perms::getClasses] ++ set enabled(cp:classes) 1 ++ set enabled(cp:perms) 1 ++} ++ ++ ++proc Apol_Constraint::close {} { ++ _initializeTabs ++ _initializeWidgets ++ _initializeVars ++ set enabled(cp:perms) 1 ++ ++ variable constraint_list {} ++ variable left_expr_list {} ++ variable right_expr_list {} ++} ++ ++ ++proc Apol_Constraint::getTextWidget {} { ++ variable widgets ++ variable tabs ++ ++ if {[$widgets(results) pages] != {}} { ++ set raisedPage [$widgets(results) raise] ++ if {$raisedPage != {}} { ++ return $tabs($raisedPage).tb ++ } ++ } ++ return {} ++} ++ ++ ++proc Apol_Constraint::save_query_options {file_channel query_file} { ++ variable vals ++ ++ foreach {key value} [array get vals] { ++ if {$key != "cp:classes" && $key != "cp:perms"} { ++ puts $file_channel "$key $value" ++ } ++ } ++} ++ ++ ++proc Apol_Constraint::load_query_options {file_channel} { ++ variable vals ++ variable widgets ++ variable enabled ++ _initializeVars ++ ++ # load as many values as possible ++ set classes_selected {} ++ set perms_selected {} ++ while {[gets $file_channel line] >= 0} { ++ set line [string trim $line] ++ # Skip empty lines and comments ++ if {$line == {} || [string index $line 0] == "#"} { ++ continue ++ } ++ regexp -line -- {^(\S+)( (.+))?} $line -> key --> value ++ if {$key == "cp:classes_selected"} { ++ set classes_selected $value ++ } elseif {$key == "cp:perms_selected"} { ++ set perms_selected $value ++ } else { ++ set vals($key) $value ++ } ++ } ++ ++ # update the display ++ _initializeWidgets ++ set vals(cp:classes) [Apol_Class_Perms::getClasses] ++ set enabled(cp:classes) 1 ++ set enabled(cp:perms) 1 ++ _toggle_perms_toshow -> -> reset ++ ++ # then verify that selected object classes and permissions exist ++ # for this policy ++ set unknowns {} ++ set vals(cp:classes_selected) {} ++ foreach class $classes_selected { ++ if {[set i [lsearch $vals(cp:classes) $class]] >= 0} { ++ $widgets(cp:classes) selection set $i ++ lappend vals(cp:classes_selected) $class ++ } else { ++ lappend unknowns $class ++ } ++ } ++ if {[llength $unknowns] > 0} { ++ tk_messageBox -icon warning -type ok -title "Open Apol Query" \ ++ -message "The following object classes do not exist in the currently loaded policy and were ignored:\n\n[join $unknowns ", "]" \ ++ -parent . ++ } ++ ++ _toggle_perms_toshow {} {} {} ++ set unknowns {} ++ set vals(cp:perms_selected) {} ++ foreach perm $perms_selected { ++ if {[set i [lsearch $vals(cp:perms) $perm]] >= 0} { ++ $widgets(cp:perms) selection set $i ++ lappend vals(cp:perms_selected) $perm ++ } else { ++ lappend unknowns $perm ++ } ++ } ++ if {[llength $unknowns] > 0} { ++ tk_messageBox -icon warning -type ok -title "Open Apol Query" \ ++ -message "The following permissions do not exist in the currently loaded policy and were ignored:\n\n[join $unknowns ", "]" \ ++ -parent $parentDlg ++ } ++} ++ ++ ++#### private functions below #### ++ ++proc Apol_Constraint::_initializeVars {} { ++ variable vals ++ variable mls_enabled ++ ++ array set vals [list \ ++ rs:constrain_enabled 1 \ ++ rs:mlsconstrain_enabled $mls_enabled \ ++ rs:validatetrans_enabled 1 \ ++ rs:mlsvalidatetrans_enabled $mls_enabled \ ++ ++ kta:left_expr,left_keyword 1 \ ++ kta:right_expr,right_keyword 0 \ ++ kta:right_expr,types 0 \ ++ kta:right_expr,users 0 \ ++ kta:right_expr,roles 0 \ ++ kta:right_expr,attribs 0 \ ++ ] ++ ++ array set vals { ++ kta:use_left_expr 0 ++ kta:left_expr {} ++ ++ kta:use_right_expr 0 ++ kta:right_expr {} ++ kta:right_expr_replace_types 0 ++ ++ cp:classes {} ++ cp:classes_selected {} ++ cp:perms {} ++ cp:perms_selected {} ++ cp:perms_toshow all ++ cp:perms_matchall 0 ++ } ++ ++ variable enabled ++ array set enabled { ++ kta:use_left_expr 1 ++ kta:use_right_expr 1 ++ ++ cp:classes 0 ++ cp:perms 0 ++ } ++} ++ ++ ++proc Apol_Constraint::_initializeTabs {} { ++ variable widgets ++ variable tabs ++ ++ array set tabs { ++ next_result_id 1 ++ } ++ foreach p [$widgets(results) pages 0 end] { ++ _delete_results $p ++ } ++} ++ ++ ++proc Apol_Constraint::_initializeWidgets {} { ++ variable widgets ++ ++ $widgets(search_opts) raise left_expr_entry ++ $widgets(search_opts) raise right_expr_entry ++ ++ $widgets(cp:classes) selection clear 0 end ++ $widgets(cp:perms) selection clear 0 end ++} ++ ++ ++proc Apol_Constraint::_createLeftExpressionTab {} { ++ variable vals ++ variable widgets ++ variable enabled ++ ++ set ta_tab [$widgets(search_opts) insert end left_expr_entry -text "Left Side of Expression"] ++ set fm_left_expr [frame $ta_tab.left_expr] ++ grid $fm_left_expr -padx 4 -sticky ewns ++ foreach i {0} { ++ grid columnconfigure $ta_tab $i -weight 1 -uniform 1 ++ } ++ grid rowconfigure $ta_tab 0 -weight 1 ++# prefix frame title left_side right_side ++ _create_expression_box left_expr $fm_left_expr "Keyword" 1 0 ++ ++ $widgets(search_opts) raise left_expr_entry ++} ++ ++ ++proc Apol_Constraint::_createRightExpressionTab {} { ++ variable vals ++ variable widgets ++ variable enabled ++ ++ set ta_tab [$widgets(search_opts) insert end right_expr_entry -text "Right Side of Expression"] ++ set fm_right_expr [frame $ta_tab.right_expr] ++ grid $fm_right_expr -padx 4 -sticky ewns ++ foreach i {0} { ++ grid columnconfigure $ta_tab $i -weight 1 -uniform 1 ++ } ++ grid rowconfigure $ta_tab 0 -weight 1 ++# prefix frame title left_side right_side ++ _create_expression_box right_expr $fm_right_expr "Select either a keyword, user, role, type or type attribute" 0 1 ++ ++ $widgets(search_opts) raise right_expr_entry ++} ++ ++ ++proc Apol_Constraint::_create_expression_box {prefix f title left_expr right_expr} { ++ variable vals ++ variable widgets ++ ++ set widgets(kta:use_${prefix}) [checkbutton $f.use -text $title \ ++ -variable Apol_Constraint::vals(kta:use_${prefix})] ++ pack $widgets(kta:use_${prefix}) -side top -anchor w ++ trace add variable Apol_Constraint::vals(kta:use_${prefix}) write \ ++ [list Apol_Constraint::_toggle_expression_box $prefix] ++ ++ set w {} ++ ++ if {$right_expr} { ++ set helptext "Select a keyword, user, role, type or type attribute for the right hand side of the constraint expression e.g.: \ ++\n (left right) \ ++\n (t1 == mlstrustedobject) \ ++\n (r1 dom r2) \ ++\n (r1 != system_r)\n \ ++\nIf a type or attribute is selected the \"Only direct matches\" box can be used to determine searching as follows:\n \ ++\n - If selected the type or type attribute identifier will be used for the match.\n \ ++\n - If unselected and a type is selected: \ ++\n The type identifier will be used for matching, also any type attributes found within the constraints expression will \ ++\n be expanded and its list of types searched for a match.\n \ ++\n - If unselected and an attribute is selected: \ ++\n The type attribute identifier will be used for matching, also any types found within the constraints expression will \ ++\n have its associated type attributes searched for a match.\n" ++ } else { ++ set helptext "Select a keyword for the left hand side of the constraint expression e.g.: \ ++\n (left right)\n (r1 == r2)" ++ } ++ ++ set widgets(kta:${prefix}) [ComboBox $f.sym \ ++ -state disabled -entrybg $ApolTop::default_bg_color \ ++ -textvariable Apol_Constraint::vals(kta:${prefix}) \ ++ -helptext $helptext -autopost 1] ++ pack $widgets(kta:${prefix}) -expand 0 -fill x -padx 8 ++ lappend w $widgets(kta:${prefix}) ++ ++ if {$left_expr} { ++ set ta_frame [frame $f.ta] ++ pack $ta_frame -expand 0 -anchor center -pady 2 ++ trace add variable Apol_Constraint::vals(kta:${prefix},left_keyword) write \ ++ [list Apol_Constraint::_toggle_left_side $prefix] ++ pack $widgets(kta:${prefix}) -expand 0 -fill x -padx 8 ++ lappend w $widgets(kta:${prefix}) ++ ++ } ++ ++ if {$right_expr} { ++ set ta_frame [frame $f.ta] ++ pack $ta_frame -expand 0 -anchor w -pady 2 ++ set right_keyword [checkbutton $ta_frame.right_keyword -text "Keyword" -state disabled \ ++ -onvalue 1 -offvalue 0 \ ++ -variable Apol_Constraint::vals(kta:${prefix},right_keyword)] ++ ++ set users [checkbutton $ta_frame.users -text "Users" -state disabled \ ++ -onvalue 1 -offvalue 0 \ ++ -variable Apol_Constraint::vals(kta:${prefix},users)] ++ ++ set roles [checkbutton $ta_frame.roles -text "Roles" -state disabled \ ++ -onvalue 1 -offvalue 0 \ ++ -variable Apol_Constraint::vals(kta:${prefix},roles)] ++ ++ set types [checkbutton $ta_frame.types -text "Types" -state disabled \ ++ -onvalue 1 -offvalue 0 \ ++ -variable Apol_Constraint::vals(kta:${prefix},types)] ++ set attribs [checkbutton $ta_frame.attribs -text "Attributes" -state disabled \ ++ -onvalue 1 -offvalue 0 \ ++ -variable Apol_Constraint::vals(kta:${prefix},attribs)] ++ ++ $right_keyword configure -command [list Apol_Constraint::_toggle_kta_pushed $prefix $right_keyword] ++ $users configure -command [list Apol_Constraint::_toggle_kta_pushed $prefix $users] ++ $roles configure -command [list Apol_Constraint::_toggle_kta_pushed $prefix $roles] ++ $types configure -command [list Apol_Constraint::_toggle_kta_pushed $prefix $types] ++ $attribs configure -command [list Apol_Constraint::_toggle_kta_pushed $prefix $attribs] ++ ++ trace add variable Apol_Constraint::vals(kta:${prefix},right_keyword) write \ ++ [list Apol_Constraint::_toggle_right_side $prefix] ++ trace add variable Apol_Constraint::vals(kta:${prefix},users) write \ ++ [list Apol_Constraint::_toggle_right_side $prefix] ++ trace add variable Apol_Constraint::vals(kta:${prefix},roles) write \ ++ [list Apol_Constraint::_toggle_right_side $prefix] ++ trace add variable Apol_Constraint::vals(kta:${prefix},types) write \ ++ [list Apol_Constraint::_toggle_right_side $prefix] ++ trace add variable Apol_Constraint::vals(kta:${prefix},attribs) write \ ++ [list Apol_Constraint::_toggle_right_side $prefix] ++ ++ pack $right_keyword $users $roles $types $attribs -side left -anchor w -padx 2 ++ lappend w $right_keyword $users $roles $types $attribs ++ } ++ ++ set widgets(kta:${prefix}_widgets) $w ++ trace add variable Apol_Constraint::enabled(kta:use_${prefix}) write \ ++ [list Apol_Constraint::_toggle_left_right_box $prefix] ++} ++ ++ ++# called when there is a change in state to the top checkbutton within ++# an expression box ++proc Apol_Constraint::_toggle_expression_box {col name1 name2 op} { ++ variable enabled ++ ++ # force a refresh of this box's state; this invokes ++ # _toggle_left_right_box callback ++ set enabled(kta:use_${col}) $enabled(kta:use_${col}) ++} ++ ++ ++# disallow keyword, types and attribs to be selected within a kta box ++proc Apol_Constraint::_toggle_kta_pushed {col cb} { ++ variable vals ++ ++ if {($vals(kta:${col},right_keyword) && $vals(kta:${col},attribs)) || \ ++ ($vals(kta:${col},right_keyword) && $vals(kta:${col},users)) || \ ++ ($vals(kta:${col},right_keyword) && $vals(kta:${col},roles)) || \ ++ ($vals(kta:${col},right_keyword) && $vals(kta:${col},types)) || \ ++ ($vals(kta:${col},attribs) && $vals(kta:${col},users)) || \ ++ ($vals(kta:${col},attribs) && $vals(kta:${col},roles)) || \ ++ ($vals(kta:${col},attribs) && $vals(kta:${col},types)) || \ ++ ($vals(kta:${col},users) && $vals(kta:${col},roles)) || \ ++ ($vals(kta:${col},users) && $vals(kta:${col},types)) || \ ++ ($vals(kta:${col},roles) && $vals(kta:${col},types)) } { ++ tk_messageBox -icon error -type ok -title "Constraint Search" -message "Select either a keyword, user, role, type or type attribute." ++ $cb deselect ++ return ++ } ++} ++ ++ ++# called whenever the left or right box is enabled or disabled ++proc Apol_Constraint::_toggle_left_right_box {col name1 name2 op} { ++ variable vals ++ variable widgets ++ variable enabled ++ ++ if {$enabled(kta:use_${col})} { ++ $widgets(kta:use_${col}) configure -state normal ++ } else { ++ $widgets(kta:use_${col}) configure -state disabled ++ } ++ if {$enabled(kta:use_${col}) && $vals(kta:use_${col})} { ++ foreach w $widgets(kta:${col}_widgets) { ++ $w configure -state normal ++ } ++ $widgets(kta:${col}) configure -entrybg white ++ } else { ++ foreach w $widgets(kta:${col}_widgets) { ++ $w configure -state disabled ++ } ++ $widgets(kta:${col}) configure -entrybg $ApolTop::default_bg_color ++ } ++ ++ # update this tab's name if one of the columns is enabled and used ++ if {($enabled(kta:use_left_expr) && $vals(kta:use_left_expr))} { ++ $widgets(search_opts) itemconfigure left_expr_entry -text "Left Side of Expression *" ++ } else { ++ $widgets(search_opts) itemconfigure left_expr_entry -text "Left Side of Expression" ++ } ++ ++ if {($enabled(kta:use_right_expr) && $vals(kta:use_right_expr))} { ++ $widgets(search_opts) itemconfigure right_expr_entry -text "Right Side of Expression *" ++ } else { ++ $widgets(search_opts) itemconfigure right_expr_entry -text "Right Side of Expression" ++ } ++} ++ ++ ++proc Apol_Constraint::_toggle_left_side {col name1 name2 op} { ++ variable vals ++ variable widgets ++ ++ set items {} ++ ++ if {$vals(kta:${col},left_keyword)} { ++ append items [Apol_Constraint::getLeftKeyword] ++ } ++ $widgets(kta:${col}) configure -values $items ++} ++ ++ ++proc Apol_Constraint::_toggle_right_side {col name1 name2 op} { ++ variable vals ++ variable widgets ++ ++ set items {} ++ ++ if {$vals(kta:${col},right_keyword)} { ++ append items [Apol_Constraint::getRightKeyword] ++ } ++ if {$vals(kta:${col},users)} { ++ append items [Apol_Users::getUsers] ++ } ++ if {$vals(kta:${col},roles)} { ++ append items [Apol_Roles::getRoles] ++ } ++ if {$vals(kta:${col},types)} { ++ append items [Apol_Types::getTypes] ++ } ++ if {$vals(kta:${col},attribs)} { ++ append items [Apol_Types::getAttributes] ++ } ++ ++ $widgets(kta:${col}) configure -values $items ++} ++ ++ ++# Returns a list of left keywords ++proc Apol_Constraint::getLeftKeyword {} { ++ variable vals ++ variable left_expr_list ++ set left_expr_list {} ++ ++ if {[ApolTop::is_policy_open]} { ++ if { $vals(rs:constrain_enabled) == 1 || $vals(rs:mlsconstrain_enabled) == 1 } { ++ append left_expr_list [Apol_Constraint::_getKeywords "l" new_apol_constraint_query_t] ++ } ++ if { $vals(rs:validatetrans_enabled) == 1 || $vals(rs:mlsvalidatetrans_enabled) == 1 } { ++ append left_expr_list [Apol_Constraint::_getKeywords "l" new_apol_validatetrans_query_t] ++ } ++ lsort -unique $left_expr_list ++ } else { ++ set left_expr_list "" ++ } ++} ++ ++ ++# Returns a list of right keywords ++proc Apol_Constraint::getRightKeyword {} { ++ variable vals ++ variable right_expr_list ++ set right_expr_list {} ++ ++ if {[ApolTop::is_policy_open]} { ++ if { $vals(rs:constrain_enabled) == 1 || $vals(rs:mlsconstrain_enabled) == 1 } { ++ append right_expr_list [Apol_Constraint::_getKeywords "r" new_apol_constraint_query_t] ++ } ++ if { $vals(rs:validatetrans_enabled) == 1 || $vals(rs:mlsvalidatetrans_enabled) == 1 } { ++ append right_expr_list [Apol_Constraint::_getKeywords "r" new_apol_validatetrans_query_t] ++ } ++ lsort -unique $right_expr_list ++ } else { ++ set right_expr_list "" ++ } ++} ++ ++ ++ ++# code to create and handle the classe/permissions subtab ++proc Apol_Constraint::_createClassesPermsTab {} { ++ variable vals ++ variable widgets ++ variable enabled ++ ++ set objects_tab [$widgets(search_opts) insert end classperms -text "Classes/Permissions"] ++ set fm_objs [TitleFrame $objects_tab.objs -text "Object Classes"] ++ set fm_perms [TitleFrame $objects_tab.perms -text "Permissions"] ++ pack $fm_objs -side left -expand 0 -fill both -padx 2 -pady 2 ++ pack $fm_perms -side left -expand 1 -fill both -padx 2 -pady 2 ++ ++ # object classes subframe ++ set sw [ScrolledWindow [$fm_objs getframe].sw -auto both] ++ set widgets(cp:classes) [listbox [$sw getframe].lb -height 5 -width 24 \ ++ -highlightthickness 0 -selectmode multiple \ ++ -exportselection 0 -state disabled \ ++ -bg $ApolTop::default_bg_color \ ++ -listvar Apol_Constraint::vals(cp:classes)] ++ $sw setwidget $widgets(cp:classes) ++ update ++ grid propagate $sw 0 ++ bind $widgets(cp:classes) <> \ ++ [list Apol_Constraint::_toggle_cp_select classes] ++ pack $sw -expand 1 -fill both ++ set clear [button [$fm_objs getframe].b -text "Clear" -width 6 -state disabled \ ++ -command [list Apol_Constraint::_clear_cp_listbox $widgets(cp:classes) classes]] ++ pack $clear -expand 0 -pady 2 ++ set widgets(cp:classes_widgets) [list $widgets(cp:classes) $clear] ++ ++ # permissions subframe ++ set f [$fm_perms getframe] ++ set sw [ScrolledWindow $f.sw -auto both] ++ set widgets(cp:perms) [listbox [$sw getframe].lb -height 5 -width 24 \ ++ -highlightthickness 0 -selectmode multiple \ ++ -exportselection 0 -bg white \ ++ -listvar Apol_Constraint::vals(cp:perms)] ++ $sw setwidget $widgets(cp:perms) ++ update ++ grid propagate $sw 0 ++ bind $widgets(cp:perms) <> \ ++ [list Apol_Constraint::_toggle_cp_select perms] ++ set clear [button $f.clear -text "Clear" \ ++ -command [list Apol_Constraint::_clear_cp_listbox $widgets(cp:perms) perms]] ++ set reverse [button $f.reverse -text "Reverse" \ ++ -command [list Apol_Constraint::_reverse_cp_listbox $widgets(cp:perms)]] ++ set perm_opts_f [frame $f.perms] ++ set perm_rb_f [frame $perm_opts_f.rb] ++ set l [label $perm_rb_f.l -text "Permissions to show:" -state disabled] ++ set all [radiobutton $perm_rb_f.all -text "All" \ ++ -variable Apol_Constraint::vals(cp:perms_toshow) -value all] ++ set union [radiobutton $perm_rb_f.union -text "All for selected classes" \ ++ -variable Apol_Constraint::vals(cp:perms_toshow) -value union] ++ set intersect [radiobutton $perm_rb_f.inter -text "Common to selected classes" \ ++ -variable Apol_Constraint::vals(cp:perms_toshow) -value intersect] ++ trace add variable Apol_Constraint::vals(cp:perms_toshow) write \ ++ Apol_Constraint::_toggle_perms_toshow ++ pack $l $all $union $intersect -anchor w ++ set all_perms [checkbutton $perm_opts_f.all -text "Constraint must have all selected permissions" \ ++ -variable Apol_Constraint::vals(cp:perms_matchall)] ++ pack $perm_rb_f $all_perms -anchor w -pady 4 -padx 4 ++ grid $sw - $perm_opts_f -sticky nsw ++ grid $clear $reverse ^ -pady 2 -sticky ew ++ grid columnconfigure $f 0 -weight 0 -uniform 1 -pad 2 ++ grid columnconfigure $f 1 -weight 0 -uniform 1 -pad 2 ++ grid columnconfigure $f 2 -weight 1 ++ grid rowconfigure $f 0 -weight 1 ++ set widgets(cp:perms_widgets) \ ++ [list $widgets(cp:perms) $clear $reverse $l $all $union $intersect $all_perms] ++ ++ trace add variable Apol_Constraint::vals(cp:classes_selected) write \ ++ [list Apol_Constraint::_update_cp_tabname] ++ trace add variable Apol_Constraint::vals(cp:perms_selected) write \ ++ [list Apol_Constraint::_update_cp_tabname] ++ trace add variable Apol_Constraint::enabled(cp:classes) write \ ++ [list Apol_Constraint::_toggle_enable_cp classes] ++ trace add variable Apol_Constraint::enabled(cp:perms) write \ ++ [list Apol_Constraint::_toggle_enable_cp perms] ++} ++ ++ ++proc Apol_Constraint::_toggle_enable_cp {prefix name1 name2 op} { ++ variable vals ++ variable widgets ++ variable enabled ++ ++ if {$enabled(cp:${prefix})} { ++ foreach w $widgets(cp:${prefix}_widgets) { ++ $w configure -state normal ++ } ++ $widgets(cp:${prefix}) configure -bg white ++ } else { ++ foreach w $widgets(cp:${prefix}_widgets) { ++ $w configure -state disabled ++ } ++ $widgets(cp:${prefix}) configure -bg $ApolTop::default_bg_color ++ } ++ # force a refresh of this tab's name ++ set vals(cp:${prefix}_selected) $vals(cp:${prefix}_selected) ++} ++ ++ ++proc Apol_Constraint::_toggle_perms_toshow {name1 name2 op} { ++ variable vals ++ variable widgets ++ ++ if {$vals(cp:perms_toshow) == "all"} { ++ # don't change the list of permissions if there was a new ++ # object class selection and the current radiobutton is all ++ if {$op != "update"} { ++ set vals(cp:perms) $Apol_Class_Perms::perms_list ++ set vals(cp:perms_selected) {} ++ } ++ } elseif {$vals(cp:perms_toshow) == "union"} { ++ set vals(cp:perms) {} ++ set vals(cp:perms_selected) {} ++ foreach class $vals(cp:classes_selected) { ++ set vals(cp:perms) [lsort -unique -dictionary [concat $vals(cp:perms) [Apol_Class_Perms::getPermsForClass $class]]] ++ } ++ } else { ;# intersection ++ set vals(cp:perms) {} ++ set vals(cp:perms_selected) {} ++ set classes {} ++ foreach i [$widgets(cp:classes) curselection] { ++ lappend classes [$widgets(cp:classes) get $i] ++ } ++ if {$classes == {}} { ++ return ++ } ++ set vals(cp:perms) [Apol_Class_Perms::getPermsForClass [lindex $classes 0]] ++ foreach class [lrange $classes 1 end] { ++ set this_perms [Apol_Class_Perms::getPermsForClass $class] ++ set new_perms {} ++ foreach p $vals(cp:perms) { ++ if {[lsearch -exact $this_perms $p] >= 0} { ++ lappend new_perms $p ++ } ++ } ++ set vals(cp:perms) $new_perms ++ } ++ } ++} ++ ++ ++# called whenever an item with a class/perm listbox is ++# selected/deselected ++proc Apol_Constraint::_toggle_cp_select {col} { ++ variable vals ++ variable widgets ++ ++ set items {} ++ foreach i [$widgets(cp:${col}) curselection] { ++ lappend items [$widgets(cp:${col}) get $i] ++ } ++ set vals(cp:${col}_selected) $items ++ if {$col == "classes"} { ++ _toggle_perms_toshow {} {} update ++ } ++} ++ ++ ++proc Apol_Constraint::_clear_cp_listbox {lb prefix} { ++ variable vals ++ ++ $lb selection clear 0 end ++ set vals(cp:${prefix}_selected) {} ++ if {$prefix == "classes"} { ++ _toggle_perms_toshow {} {} update ++ } ++} ++ ++ ++proc Apol_Constraint::_reverse_cp_listbox {lb} { ++ variable vals ++ ++ set old_selection [$lb curselection] ++ set items {} ++ for {set i 0} {$i < [$lb index end]} {incr i} { ++ if {[lsearch $old_selection $i] >= 0} { ++ $lb selection clear $i ++ } else { ++ $lb selection set $i ++ lappend items [$lb get $i] ++ } ++ } ++ set vals(cp:perms_selected) $items ++} ++ ++ ++proc Apol_Constraint::_update_cp_tabname {name1 name2 op} { ++ variable vals ++ variable widgets ++ variable enabled ++ ++ if {($enabled(cp:classes) && $vals(cp:classes_selected) > 0) || \ ++ ($enabled(cp:perms) && $vals(cp:perms_selected) > 0)} { ++ $widgets(search_opts) itemconfigure classperms -text "Classes/Permissions *" ++ } else { ++ $widgets(search_opts) itemconfigure classperms -text "Classes/Permissions" ++ } ++} ++ ++ ++proc Apol_Constraint::_delete_results {pageID} { ++ variable widgets ++ variable tabs ++ ++ # Remove tab and its widgets ++ set curpos [$widgets(results) index $pageID] ++ $widgets(results) delete $pageID ++ array unset tabs $pageID:* ++ array unset tabs $pageID ++ ++ # try to raise the next tab ++ if {[set next_id [$widgets(results) pages $curpos]] != {}} { ++ _switch_to_tab $next_id ++ } elseif {$curpos > 0} { ++ # raise the previous page instead ++ _switch_to_tab [$widgets(results) pages [expr {$curpos - 1}]] ++ } else { ++ # no tabs remaining ++ $widgets(update) configure -state disabled ++ } ++} ++ ++ ++proc Apol_Constraint::_display_rename_tab_dialog {pageID} { ++ variable widgets ++ variable tabs ++ ++ set d [Dialog .apol_te_tab_rename -homogeneous 1 -spacing 2 -cancel 1 \ ++ -default 0 -modal local -parent . -place center -separator 1 \ ++ -side bottom -title "Rename Results Tab"] ++ $d add -text "OK" -command [list $d enddialog "ok"] ++ $d add -text "Cancel" -command [list $d enddialog "cancel"] ++ set f [$d getframe] ++ set l [label $f.l -text "Tab name:"] ++ set tabs(tab:new_name) [$widgets(results) itemcget $pageID -text] ++ set e [entry $f.e -textvariable Apol_Constraint::tabs(tab:new_name) -width 16 -bg white] ++ pack $l $e -side left -padx 2 ++ set retval [$d draw] ++ destroy $d ++ if {$retval == "ok"} { ++ $widgets(results) itemconfigure $pageID -text $tabs(tab:new_name) ++ } ++} ++ ++ ++proc Apol_Constraint::_delete_current_results {} { ++ variable widgets ++ ++ if {[set curid [$widgets(results) raise]] != {}} { ++ _delete_results $curid ++ } ++} ++ ++ ++proc Apol_Constraint::_create_new_results_tab {} { ++ variable vals ++ variable widgets ++ variable tabs ++ ++ set i $tabs(next_result_id) ++ incr tabs(next_result_id) ++ set id "results$i" ++ set frame [$widgets(results) insert end "$id" -text "Results $i"] ++ $widgets(results) raise $id ++ set tabs($id) [Apol_Widget::makeSearchResults $frame.results] ++ pack $tabs($id) -expand 1 -fill both ++ ++ set tabs($id:vals) [array get vals] ++ return $tabs($id) ++} ++ ++ ++proc Apol_Constraint::_switch_to_tab {pageID} { ++ variable vals ++ variable widgets ++ variable tabs ++ ++ # check if switching to already visible tab ++ if {[$Apol_Constraint::widgets(results) raise] == $pageID} { ++ return ++ } ++ $widgets(results) raise $pageID ++ set cur_search_opts [$widgets(search_opts) raise] ++ ++ # restore the tab's search criteria ++ array set tmp_vals $tabs($pageID:vals) ++ set classes_selected $tmp_vals(cp:classes_selected) ++ set perms_selected $tmp_vals(cp:perms_selected) ++ array set vals $tabs($pageID:vals) ++ _initializeWidgets ++ set vals(cp:classes_selected) $classes_selected ++ set vals(cp:perms_selected) $perms_selected ++ foreach c $classes_selected { ++ $widgets(cp:classes) selection set [lsearch $vals(cp:classes) $c] ++ } ++ foreach p $perms_selected { ++ $widgets(cp:perms) selection set [lsearch $vals(cp:perms) $p] ++ } ++ $widgets(search_opts) raise $cur_search_opts ++} ++ ++ ++proc Apol_Constraint::_reset {} { ++ variable enabled ++ ++ set old_classes_enabled $enabled(cp:classes) ++ _initializeVars ++ _initializeWidgets ++ if {[set enabled(cp:classes) $old_classes_enabled]} { ++ variable vals ++ set vals(cp:classes) [Apol_Class_Perms::getClasses] ++ set enabled(cp:classes) 1 ++ set enabled(cp:perms) 1 ++ } ++} ++ ++# This is the main constraint search option ++proc Apol_Constraint::_search_constraints {whichButton} { ++ variable vals ++ variable widgets ++ variable enabled ++ variable tabs ++ variable statement_count ++ ++ if {![ApolTop::is_policy_open]} { ++ tk_messageBox -icon error -type ok -title "Constraint Search" \ ++ -message "No current policy file is opened." ++ return ++ } ++ ++ if { $vals(rs:constrain_enabled) == 0 && \ ++ $vals(rs:mlsconstrain_enabled) == 0 && \ ++ $vals(rs:validatetrans_enabled) == 0 && \ ++ $vals(rs:mlsvalidatetrans_enabled) == 0 } { ++ tk_messageBox -icon error -type ok -title "Constraint Search" \ ++ -message "At least one constraint must be selected." ++ return ++ } ++ ++ if {$whichButton == "new"} { ++ set sr [_create_new_results_tab] ++ } else { ++ set id [$widgets(results) raise] ++ set tabs($id:vals) [array get vals] ++ set sr $tabs($id) ++ Apol_Widget::clearSearchResults $sr ++ } ++ ++ if {$enabled(kta:use_left_expr) && $vals(kta:use_left_expr) && $vals(kta:left_expr) == {}} { ++ tk_messageBox -icon error -type ok -title "Constraint Search" -message "No left keyword has been selected." ++ return ++ } ++ if {$enabled(kta:use_right_expr) && $vals(kta:use_right_expr) && $vals(kta:right_expr) == {}} { ++ tk_messageBox -icon error -type ok -title "Constraint Search" -message "No right keyword, type or attribute has been selected." ++ return ++ } ++ ++ set results {} ++ set header {} ++ ++ # Check if the statements are enabled for mls/constrain and then get info ++ if { $vals(rs:constrain_enabled) == 1 } { ++ append results [Apol_Constraint::_searchForMatch "constrain" "constrain" new_apol_constraint_query_t] ++ append header "$statement_count constrain rules match the search criteria.\n" ++ } ++ if { $vals(rs:mlsconstrain_enabled) == 1 } { ++ append results [Apol_Constraint::_searchForMatch "mlsconstrain" "constrain" new_apol_constraint_query_t] ++ append header "$statement_count mlsconstrain rules match the search criteria.\n" ++ } ++ ++ # Check if the statements are enabled for mls/validatetrans and then get info ++ if { $vals(rs:validatetrans_enabled) == 1 } { ++ append results [Apol_Constraint::_searchForMatch "validatetrans" "validatetrans" new_apol_validatetrans_query_t] ++ append header "$statement_count validatetrans rules match the search criteria.\n" ++ } ++ if { $vals(rs:mlsvalidatetrans_enabled) == 1 } { ++ append results [Apol_Constraint::_searchForMatch "mlsvalidatetrans" "validatetrans" new_apol_validatetrans_query_t] ++ append header "$statement_count mlsvalidatetrans match the search criteria.\n" ++ } ++ ++ foreach x {new update reset} { ++ $widgets($x) configure -state disabled ++ } ++ ++ Apol_Progress_Dialog::wait "Constraint Rules" "Searching rules" { ++ Apol_Widget::appendSearchResultText $sr "$header\n" ++ Apol_Widget::appendSearchResultText $sr $results ++ } ++ ++ $widgets(new) configure -state normal ++ $widgets(reset) configure -state normal ++ if {[$widgets(results) pages] != {} || $retval == 0} { ++ $widgets(update) configure -state normal ++ } ++ return ++} ++ ++ ++# Start here to process constraints ++proc Apol_Constraint::_searchForMatch {statement family command} { ++ variable vals ++ variable widgets ++ variable enabled ++ variable match_right_type_names ++ variable statement_count ++ ++ set statement_count 0 ++ set entries {} ++ ++ set q [$command] ++ # This reads in the constraint info ++ set v [$q run $::ApolTop::policy] ++ $q -acquire ++ $q -delete ++ ++ # This loop will process each constraint in the policy ++ for {set i 0} {$v != "NULL" && $i < [$v get_size]} {incr i} { ++ set constrain_type {} ++ set perm_list {} ++ set class_list {} ++ set expr_type {} ++ set op {} ++ set sym_type {} ++ ++ # These are used to check if the search criteria has been met when ++ # the left or right expression info has been set. ++ set match_left_keyword_names 0 ++ set match_left_keyword_attr 0 ++ set match_right_keyword_attr 0 ++ set match_right_type_names 0 ++ ++ set q [qpol_constraint_from_void [$v get_element $i]] ++ ++ # Find if this is an mls rule or not ++ set x [$q get_expr_iter $::ApolTop::qpolicy] ++ while {![$x end]} { ++ foreach t [iter_to_list $x] { ++ set t [qpol_constraint_expr_node_from_void $t] ++ # Get Symbol type and save it ++ set sym_type [$t get_sym_type $::ApolTop::qpolicy] ++ if { $sym_type >= $::QPOL_CEXPR_SYM_L1L2 } { ++ set constrain_type "mls" ++ break ++ } ++ } ++ } ++ append constrain_type $family ++ $x -acquire ++ $x -delete ++ ++ # Check if the statement is the requested type ++ if { $statement != $constrain_type } { ++ continue ++ } ++ ++ # This gets the class name ++ set match_class 0 ++ append class_list "\{ " ++ set class_name [[$q get_class $::ApolTop::qpolicy] get_name $::ApolTop::qpolicy] ++ append class_list $class_name ++ append class_list " \}" ++ ++ # Check if class selected ++ if {($enabled(cp:classes) && $vals(cp:classes_selected) > 0)} { ++ foreach c $vals(cp:classes_selected) { ++ if { $c == $class_name } { ++ set match_class 1 ++ } ++ } ++ } ++ # Skip this constraint if it does not match criteria ++ if {($match_class == 0 && $vals(cp:classes_selected) > 0)} { ++ continue ++ } ++ ++ # validatetrans does not use permissions ++ if { $family == "constrain" } { ++ # This gets perm list: ++ set x [$q get_perm_iter $::ApolTop::qpolicy] ++ set match_perm 0 ++ append perm_list "\{ " ++ foreach perm [iter_to_str_list $x] { ++ append perm_list "$perm " ++ # Check if perm selected ++ if {($enabled(cp:perms) && $vals(cp:perms_selected) > 0)} { ++ foreach c $vals(cp:perms_selected) { ++ if { $c == $perm } { ++ set match_perm 1 ++ } ++ } ++ } ++ } ++ # Skip this constraint as it does not match criteria ++ if {($match_perm == 0 && $vals(cp:perms_selected) > 0)} { ++ continue ++ } ++ append perm_list "\}" ++ $x -acquire ++ $x -delete ++ } ++ ++ # This get expressions ++ set x [$q get_expr_iter $::ApolTop::qpolicy] ++ ++ # This contains the number of constraint expr's processed. ++ set constraint_expr_counter 0 ++ # This is the constraint_expr buffer that is indexed by the ++ # $constraint_expr_counter ++ set array constraint_expr_buf($constraint_expr_counter) ++ array unset constraint_expr_buf ++ ++ # This loop will process each part of the expression consisting of: ++ # Operators: !, &&, ||. The ! applies only to an operand. ++ # Operands/expressions such as: (r1 == r2), (t1 != name) ++ while {![$x end]} { ++ foreach t [iter_to_list $x] { ++ set t [qpol_constraint_expr_node_from_void $t] ++ ++ # Get Operator and save it ++ set op [$t get_op $::ApolTop::qpolicy] ++ ++ # Get Symbol type and save it ++ set sym_type [$t get_sym_type $::ApolTop::qpolicy] ++ ++ # Get expression and save it ++ set expr_type [$t get_expr_type $::ApolTop::qpolicy] ++ ++ # Now check expression for entry type !, && or ||. ++ # These are the operators between constraint expressions ++ if { $expr_type == $::QPOL_CEXPR_TYPE_NOT } { ++ set constraint_expr_counter [expr $constraint_expr_counter + 1] ++ append constraint_expr_buf($constraint_expr_counter) "not" ++ } ++ ++ if { $expr_type == $::QPOL_CEXPR_TYPE_AND } { ++ set constraint_expr_counter [expr $constraint_expr_counter + 1] ++ append constraint_expr_buf($constraint_expr_counter) "and" ++ } ++ ++ if { $expr_type == $::QPOL_CEXPR_TYPE_OR } { ++ set constraint_expr_counter [expr $constraint_expr_counter + 1] ++ append constraint_expr_buf($constraint_expr_counter) "or" ++ } ++ ++ # If the expression is TYPE_ATTR then it's form is (t1 == t2) ++ if { $expr_type == $::QPOL_CEXPR_TYPE_ATTR } { ++ set constraint_expr_counter [expr $constraint_expr_counter + 1] ++ ++ # Get the symbol name, this will be used twice, once ++ # to retrieve the string name for source entry, then ++ # the string name for the target entry. ++ set sym_name [Apol_Constraint::_getSym $sym_type] ++ append constraint_expr_buf($constraint_expr_counter) "( $sym_name " ++ ++ # Check if keyword selected ++ if {$vals(kta:use_left_expr) == 1 && $vals(kta:left_expr) == $sym_name} { ++ set match_left_keyword_attr 1 ++ } ++ ++ # Get the operator and change to "eq" if required ++ set op [$t get_op $::ApolTop::qpolicy] ++ set op_name [Apol_Constraint::_getOp $op] ++ if { $op_name == "==" && \ ++ ([string compare -length 1 $sym_name "r"] == 0 || \ ++ [string compare -length 1 $sym_name "l"] == 0 || \ ++ [string compare -length 1 $sym_name "h"] == 0) } { ++ set op_name "eq" ++ } ++ append constraint_expr_buf($constraint_expr_counter) $op_name ++ ++ # Then using the sym_name again, get the target entry. ++ set sym_type [expr $sym_type | $::QPOL_CEXPR_SYM_TARGET] ++ set sym_name [Apol_Constraint::_getSym $sym_type] ++ append constraint_expr_buf($constraint_expr_counter) " $sym_name )" ++ ++ # Check if keyword selected ++ if {$vals(kta:use_right_expr) == 1 && \ ++ $vals(kta:right_expr) == $sym_name && \ ++ $vals(kta:right_expr,right_keyword) == 1} { ++ set match_right_keyword_attr 1 ++ } ++ } ++ ++ # If the expression is TYPE_NAMES then expand the source ++ # types or attributes using 'get_names_iter' ++ # Example entries: ( t1 == mlstrustedobject ) ++ # ( t1 != { unconfined_t init_t } ) ++ # Note that if an attribute has been selected it could be ++ # an empty_set. ++ if { $expr_type == $::QPOL_CEXPR_TYPE_NAMES } { ++ set constraint_expr_counter [expr $constraint_expr_counter + 1] ++ ++ # Get the symbol name, this is only used once to ++ # to retrieve the string name for source entry. ++ set sym_name [Apol_Constraint::_getSym $sym_type] ++ append constraint_expr_buf($constraint_expr_counter) "( $sym_name " ++ ++ # Check if keyword selected ++ if {$vals(kta:use_left_expr) == 1 && \ ++ $vals(kta:left_expr) == $sym_name} { ++ set match_left_keyword_names 1 ++ } ++ ++ set op [$t get_op $::ApolTop::qpolicy] ++ set op_name [Apol_Constraint::_getOp $op] ++ append constraint_expr_buf($constraint_expr_counter) $op_name ++ ++ # Need to get the number of entries. These can be ++ # type or attribute identifiers. ++ set tmp_list {} ++ set return_list {} ++ set n [$t get_names_iter $::ApolTop::qpolicy] ++ set n_size [[$t get_names_iter $::ApolTop::qpolicy] get_size] ++ ++ # If > 0 then put entries in a tmp_list for later processing. ++ if { $n_size > 0 } { ++ foreach name [iter_to_str_list $n] { ++ append tmp_list "$name " ++ } ++ # ++ # Now check search parameters for the $name entries of ++ # the right side of the expression. The $tmp_list can ++ # contain user, role, type or type attribute names ++ # depending on the initial letter of $sym_name. ++ # ++ if { ([string compare -length 1 $sym_name "t"] == 0 && \ ++ $vals(kta:use_right_expr) == 1) && \ ++ ($vals(kta:right_expr,types) == 1 || \ ++ $vals(kta:right_expr,attribs) == 1) } { ++ # This calls type and attribute processing: ++ set tmp_list [Apol_Constraint::_process_TA $vals(kta:right_expr) $tmp_list] ++ } elseif { ($vals(kta:use_right_expr) == 1 && \ ++ $vals(kta:right_expr,roles) == 1 && \ ++ [string compare -length 1 $sym_name "r"] == 0) || \ ++ ($vals(kta:use_right_expr) == 1 && \ ++ $vals(kta:right_expr,users) == 1 && \ ++ [string compare -length 1 $sym_name "u"] == 0) } { ++ foreach c $tmp_list { ++ if { $c == $vals(kta:right_expr) } { ++ set match_right_type_names 1 ++ set tmp_list $name ++ continue ++ } ++ } ++ } ++ # else if size == 0 then just say an empty set. Also ++ # check if the requested attribute is an empty set. ++ } elseif { $n_size == 0 } { ++ set tmp_list "" ++ if { [Apol_Constraint::_checkIfEmptyAttr $vals(kta:right_expr)] && \ ++ [string compare -length 1 $sym_name "t"] == 0 } { ++ set match_right_type_names 1 ++ } ++ } ++ ++ # Copy tmp_list to the constraint buffer. ++ if { [llength $tmp_list] > 1 } { ++ append constraint_expr_buf($constraint_expr_counter) " \{ $tmp_list\} )" ++ } else { ++ append constraint_expr_buf($constraint_expr_counter) " $tmp_list )" ++ } ++ $n -acquire ++ $n -delete ++ } ++ } ++ } ++ $x -acquire ++ $x -delete ++ # Done with processing all the expressions, now check if they ++ # were enabled or not and valid search entries found. ++ if {($vals(kta:use_left_expr) == 1 && $vals(kta:use_right_expr) == 1) && \ ++ [expr (($match_left_keyword_names | $match_left_keyword_attr) & \ ++ ($match_right_keyword_attr | $match_right_type_names))] == 0} { ++ continue ++ } ++ ++ if {($vals(kta:use_left_expr) == 1 && $vals(kta:use_right_expr) == 0) && \ ++ [expr $match_left_keyword_names | $match_left_keyword_attr] == 0} { ++ continue ++ } ++ ++ if {($vals(kta:use_left_expr) == 0 && $vals(kta:use_right_expr) == 1) && \ ++ ($vals(kta:right_expr,users) == 1 || \ ++ $vals(kta:right_expr,roles) == 1 || \ ++ $vals(kta:right_expr,attribs) == 1 || \ ++ $vals(kta:right_expr,types) == 1 || \ ++ $vals(kta:right_expr,right_keyword) == 1) && \ ++ [expr $match_right_type_names | $match_right_keyword_attr ] == 0} { ++ continue ++ } ++ ++ # ++ # This takes each entry in the RPN formatted constraint_expr_buf and ++ # converts to infix format that resembles the constraint string in ++ # policy language format. It is a modified version from: ++ # http://rosettacode.org/wiki/Parsing/RPN_to_infix_conversion ++ # ++ set stack {} ++ foreach entry [lsort -integer [array names constraint_expr_buf]] { ++ set token $constraint_expr_buf($entry) ++ switch $token { ++ "not" - "and" - "or" { ++ lassign [Apol_Constraint::_pop stack] expr2rec expr2 ++ # The ! is not treated the same as && || as it only ++ # applies to a single expression i.e. !(expression) ++ # So just pop the stack and add the !. Should there be ++ # another ! in the expression, then add brackets. ++ if { $token == "not" } { ++ set ans [string compare -length 1 $expr2 "not"] ++ if { $ans == 0 } { ++ lappend stack [list 1 "$token \($expr2\)"] ++ } else { ++ lappend stack [list 1 "$token$expr2"] ++ } ++ continue ++ } else { ++ lassign [Apol_Constraint::_pop stack] expr1rec expr1 ++ lappend stack [list 1 "$expr1 $token $expr2"] ++ } ++ } ++ default { ++ lappend stack [list 2 $token] ++ } ++ } ++ } ++ if { [array size constraint_expr_buf] == 1 } { ++ set expression "[lindex $stack end 1];" ++ } else { ++ set expression "([lindex $stack end 1]);" ++ } ++ set statement_count [expr $statement_count + 1] ++ append entries "$constrain_type $class_list $perm_list\n $expression\n\n" ++ } ++ return $entries ++} ++ ++######### End of search routine - Start supporting procs ################ ++ ++# The pop stack routine for RPN conversion ++proc Apol_Constraint::_pop {stk} { ++ upvar 1 $stk s ++ set val [lindex $s end] ++ set s [lreplace $s end end] ++ return $val ++} ++ ++ ++# Take an attribute name and expands it to a list of types. ++proc Apol_Constraint::_renderAttrib {attrib_name} { ++ set type_list {} ++ set qpol_type_datum [new_qpol_type_t $::ApolTop::qpolicy $attrib_name] ++ set i [$qpol_type_datum get_type_iter $::ApolTop::qpolicy] ++ foreach t [iter_to_list $i] { ++ set t [qpol_type_from_void $t] ++ lappend type_list [$t get_name $::ApolTop::qpolicy] ++ } ++ if { $type_list == "" } { ++ lappend type_list "" ++ } ++ $i -acquire ++ $i -delete ++ return $type_list ++} ++ ++ ++# This will return a list of attributes linked to the type_name ++proc Apol_Constraint::_renderType {type_name} { ++ set qpol_type_datum [new_qpol_type_t $::ApolTop::qpolicy $type_name] ++ set aliases {} ++ set attribs {} ++ ++ set i [$qpol_type_datum get_alias_iter $::ApolTop::qpolicy] ++ set aliases [iter_to_str_list $i] ++ $i -acquire ++ $i -delete ++ ++ set i [$qpol_type_datum get_attr_iter $::ApolTop::qpolicy] ++ foreach a [iter_to_list $i] { ++ set a [qpol_type_from_void $a] ++ lappend attribs [$a get_name $::ApolTop::qpolicy] ++ } ++ $i -acquire ++ $i -delete ++ return $attribs ++} ++ ++ ++# Check if the name is a type or attribute. ++proc Apol_Constraint::_checkTypeOrAttr {name} { ++ set type_list {} ++ ++ set qpol_type_datum [new_qpol_type_t $::ApolTop::qpolicy $name] ++ set x [$qpol_type_datum get_isattr $::ApolTop::qpolicy ] ++ if { $x == 1 } { ++ return "attribute" ++ } else { ++ return "type" ++ } ++ $x -acquire ++ $x -delete ++} ++ ++ ++# Return Left or Right expr keywords ++proc Apol_Constraint::_getKeywords {side command} { ++ set list {} ++ set left_list {} ++ set right_list {} ++ ++ set q [$command] ++ # This reads in the constraint info ++ set v [$q run $::ApolTop::policy] ++ $q -acquire ++ $q -delete ++ ++ # This loop will process each constraint in the policy ++ for {set i 0} {$v != "NULL" && $i < [$v get_size]} {incr i} { ++ set expr_type {} ++ set sym_type {} ++ set q [qpol_constraint_from_void [$v get_element $i]] ++ ++ # This get expressions ++ set x [$q get_expr_iter $::ApolTop::qpolicy] ++ while {![$x end]} { ++ foreach t [iter_to_list $x] { ++ set t [qpol_constraint_expr_node_from_void $t] ++ set sym_type [$t get_sym_type $::ApolTop::qpolicy] ++ set expr_type [$t get_expr_type $::ApolTop::qpolicy] ++ ++ if { $expr_type == $::QPOL_CEXPR_TYPE_ATTR } { ++ set sym_name [Apol_Constraint::_getSym $sym_type] ++ append left_list "$sym_name " ++ # Then using the sym_name again, get the target entry. ++ set sym_type [expr $sym_type | $::QPOL_CEXPR_SYM_TARGET] ++ set sym_name [Apol_Constraint::_getSym $sym_type] ++ append right_list "$sym_name " ++ } ++ ++ if { $expr_type == $::QPOL_CEXPR_TYPE_NAMES } { ++ set sym_name [Apol_Constraint::_getSym $sym_type] ++ append left_list "$sym_name " ++ } ++ } ++ } ++ $x -acquire ++ $x -delete ++ ++ if {$side == "l"} { ++ append list $left_list ++ } else { ++ append list $right_list ++ } ++ } ++ $v -acquire ++ $v -delete ++ return $list ++} ++ ++ ++# Here because a type or type_attribute search has been actioned ++proc Apol_Constraint::_process_TA {name search_list} { ++ variable match_right_type_names ++ variable vals ++ ++ foreach ta $search_list { ++ if { $ta == $name } { ++ set match_right_type_names 1 ++ return $search_list ++ } ++ } ++ return $search_list ++} ++ ++ ++# Get symbol from expression ++proc Apol_Constraint::_getSym {sym_type} { ++ set symbol {} ++ ++ # These are source for mls/constrain and old for mls/validatetrans ++ if { $sym_type == $::QPOL_CEXPR_SYM_USER } { ++ append symbol "u1" ++ } ++ if { $sym_type == $::QPOL_CEXPR_SYM_ROLE } { ++ append symbol "r1" ++ } ++ if { $sym_type == $::QPOL_CEXPR_SYM_TYPE } { ++ append symbol "t1" ++ } ++ ++ # These are target for mls/constrain and new for mls/validatetrans ++ if { $sym_type == $::QPOL_CEXPR_SYM_USER+$::QPOL_CEXPR_SYM_TARGET } { ++ append symbol "u2" ++ } ++ if { $sym_type == $::QPOL_CEXPR_SYM_ROLE+$::QPOL_CEXPR_SYM_TARGET } { ++ append symbol "r2" ++ } ++ if { $sym_type == $::QPOL_CEXPR_SYM_TYPE+$::QPOL_CEXPR_SYM_TARGET } { ++ append symbol "t2" ++ } ++ # These are source for mls/validatetrans ++ if { $sym_type == $::QPOL_CEXPR_SYM_USER+$::QPOL_CEXPR_SYM_XTARGET } { ++ append symbol "u3" ++ } ++ if { $sym_type == $::QPOL_CEXPR_SYM_ROLE+$::QPOL_CEXPR_SYM_XTARGET } { ++ append symbol "r3" ++ } ++ if { $sym_type == $::QPOL_CEXPR_SYM_TYPE+$::QPOL_CEXPR_SYM_XTARGET } { ++ append symbol "t3" ++ } ++ ++ # Source levels for mlsconstrain and mlsvalidatetrans ++ if { $sym_type == $::QPOL_CEXPR_SYM_L1L2 } { ++ append symbol "l1" ++ } ++ if { $sym_type == $::QPOL_CEXPR_SYM_L1H2 } { ++ append symbol "l1" ++ } ++ if { $sym_type == $::QPOL_CEXPR_SYM_H1L2 } { ++ append symbol "h1" ++ } ++ if { $sym_type == $::QPOL_CEXPR_SYM_H1H2 } { ++ append symbol "h1" ++ } ++ if { $sym_type == $::QPOL_CEXPR_SYM_L1H1 } { ++ append symbol "l1" ++ } ++ if { $sym_type == $::QPOL_CEXPR_SYM_L2H2 } { ++ append symbol "l2" ++ } ++ ++ # Target levels for mlsconstrain and mlsvalidatetrans ++ if { $sym_type == $::QPOL_CEXPR_SYM_L1L2+$::QPOL_CEXPR_SYM_TARGET } { ++ append symbol "l2" ++ } ++ if { $sym_type == $::QPOL_CEXPR_SYM_L1H2+$::QPOL_CEXPR_SYM_TARGET } { ++ append symbol "h2" ++ } ++ if { $sym_type == $::QPOL_CEXPR_SYM_H1L2+$::QPOL_CEXPR_SYM_TARGET } { ++ append symbol "l2" ++ } ++ if { $sym_type == $::QPOL_CEXPR_SYM_H1H2+$::QPOL_CEXPR_SYM_TARGET } { ++ append symbol "h2" ++ } ++ if { $sym_type == $::QPOL_CEXPR_SYM_L1H1+$::QPOL_CEXPR_SYM_TARGET } { ++ append symbol "h1" ++ } ++ if { $sym_type == $::QPOL_CEXPR_SYM_L2H2+$::QPOL_CEXPR_SYM_TARGET } { ++ append symbol "h2" ++ } ++ if { $symbol == "" } { ++ append symbol "err_sym_missing" ++ } ++ return $symbol ++} ++ ++ ++# Get Operator ++proc Apol_Constraint::_getOp {op} { ++ set entry {} ++ ++ if { $op == $::QPOL_CEXPR_OP_EQ } { ++ append entry "==" ++ } ++ if { $op == $::QPOL_CEXPR_OP_NEQ } { ++ append entry "!=" ++ } ++ if { $op == $::QPOL_CEXPR_OP_DOM } { ++ append entry "dom" ++ } ++ if { $op == $::QPOL_CEXPR_OP_DOMBY } { ++ append entry "domby" ++ } ++ if { $op == $::QPOL_CEXPR_OP_INCOMP } { ++ append entry "incomp" ++ } ++ if { $entry == "" } { ++ append entry "op_missing" ++ } ++ return $entry ++} ++ +diff --git a/apol/default_objects_tab.tcl b/apol/default_objects_tab.tcl +new file mode 100644 +index 0000000..6cf764b +--- /dev/null ++++ b/apol/default_objects_tab.tcl +@@ -0,0 +1,370 @@ ++# Copyright (C) 2001-2007 Tresys Technology, LLC ++# This program is free software; you can redistribute it and/or modify ++# it under the terms of the GNU General Public License as published by ++# the Free Software Foundation; either version 2 of the License, or ++# (at your option) any later version. ++# ++# This program is distributed in the hope that it will be useful, ++# but WITHOUT ANY WARRANTY; without even the implied warranty of ++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++# GNU General Public License for more details. ++# ++# You should have received a copy of the GNU General Public License ++# along with this program; if not, write to the Free Software ++# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA ++ ++namespace eval Apol_DefaultObjects { ++ variable vals ++ variable widgets ++ variable mls_enabled {0} ++ variable statement_count ++} ++ ++proc Apol_DefaultObjects::create {tab_name nb} { ++ variable vals ++ variable widgets ++ ++ _initializeVars ++ ++ set frame [$nb insert end $tab_name -text "Default Object Rules"] ++ set topf [frame $frame.top] ++ set bottomf [frame $frame.bottom] ++ pack $topf -expand 0 -fill both -pady 2 ++ pack $bottomf -expand 1 -fill both -pady 2 ++ ++ set rsbox [TitleFrame $topf.rs -ipad 30 -text "Rule Selection"] ++ set obox [TitleFrame $topf.opts -text "Search Options"] ++ set dbox [TitleFrame $bottomf.results -text "Default Object Rules Display"] ++ pack $rsbox -side left -expand 0 -fill both -padx 2 ++ pack $obox -side left -expand 1 -fill both -padx 2 ++ pack $dbox -expand 1 -fill both -padx 2 ++ ++ # Rule selection subframe ++ set rs [$rsbox getframe] ++ checkbutton $rs.default_user -text "default_user" -onvalue 1 -offvalue 0 \ ++ -variable Apol_DefaultObjects::vals(default_user_enabled) ++ trace add variable Apol_DefaultObjects::vals(default_user_enabled) write \ ++ [list Apol_DefaultObjects::_ruleChanged] ++ checkbutton $rs.default_role -text "default_role" -onvalue 1 -offvalue 0 \ ++ -variable Apol_DefaultObjects::vals(default_role_enabled) ++ trace add variable Apol_DefaultObjects::vals(default_role_enabled) write \ ++ [list Apol_DefaultObjects::_ruleChanged] ++ checkbutton $rs.default_type -text "default_type" -onvalue 1 -offvalue 0 \ ++ -variable Apol_DefaultObjects::vals(default_type_enabled) ++ trace add variable Apol_DefaultObjects::vals(default_type_enabled) write \ ++ [list Apol_DefaultObjects::_ruleChanged] ++ checkbutton $rs.default_range -text "default_range" -onvalue 1 -offvalue 0 \ ++ -variable Apol_DefaultObjects::vals(default_range_enabled) ++ trace add variable Apol_DefaultObjects::vals(default_range_enabled) write \ ++ [list Apol_DefaultObjects::_ruleChanged] ++ pack $rs.default_user $rs.default_role $rs.default_type $rs.default_range -side top -anchor w ++ ++ set widgets(options_pm) [PagesManager [$obox getframe].opts] ++ ++ _defaultObjectCreate [$widgets(options_pm) add default_object] ++ ++ $widgets(options_pm) compute_size ++ pack $widgets(options_pm) -expand 1 -fill both -side left ++ $widgets(options_pm) raise default_object ++ ++ set ok [button [$obox getframe].ok -text OK -width 6 -command Apol_DefaultObjects::_searchDefaultObjects] ++ pack $ok -side right -padx 5 -pady 5 -anchor ne ++ ++ set widgets(results) [Apol_Widget::makeSearchResults [$dbox getframe].results] ++ pack $widgets(results) -expand yes -fill both ++ ++ return $frame ++} ++ ++proc Apol_DefaultObjects::open {ppath} { ++ variable vals ++ variable widgets ++ variable mls_enabled ++ ++ if {[ApolTop::is_capable "mls"]} { ++ set mls_enabled 1 ++ } else { ++ set mls_enabled 0 ++ } ++ ++ $widgets(default_object:class) configure -values [Apol_Class_Perms::getClasses] ++ $widgets(default_object:default) configure -values {"source" "target"} ++ $widgets(default_object:range) configure -values {"low" "high" "low_high"} ++ ++ set vals(default_range_enabled) $mls_enabled ++ set vals(default_type_enabled) [ApolTop::is_capable "default_type"] ++} ++ ++proc Apol_DefaultObjects::close {} { ++ variable widgets ++ variable mls_enabled ++ ++ _initializeVars ++ $widgets(default_object:class) configure -values {} ++ $widgets(default_object:default) configure -values {} ++ $widgets(default_object:range) configure -values {} ++ set mls_enabled 0 ++} ++ ++proc Apol_DefaultObjects::getTextWidget {} { ++ variable widgets ++} ++ ++proc Apol_DefaultObjects::_initializeVars {} { ++ variable vals ++ ++ array set vals { ++ class:use 0 ++ class:sym {} ++ default:sym {} ++ default:use 0 ++ range:sym {} ++ range:use 0 ++ ++ default_user_enabled 1 ++ default_role_enabled 1 ++ default_type_enabled 1 ++ default_range_enabled 0 ++ } ++} ++ ++proc Apol_DefaultObjects::_defaultObjectCreate {r_c} { ++ variable vals ++ variable widgets ++ ++ set class [frame $r_c.class] ++ set class_cb [checkbutton $class.enable -text "Object class" \ ++ -variable Apol_DefaultObjects::vals(class:use)] ++ set widgets(default_object:class) [ComboBox $class.cb -width 20 -state disabled \ ++ -entrybg $ApolTop::default_bg_color \ ++ -textvariable Apol_DefaultObjects::vals(class:sym)] ++ ++ trace add variable Apol_DefaultObjects::vals(class:use) write \ ++ [list Apol_DefaultObjects::_toggleCheckbutton $widgets(default_object:class) {}] ++ pack $class_cb -side top -anchor w ++ pack $widgets(default_object:class) -side top -expand 0 -fill x -padx 4 ++ pack $class -side left -padx 4 -pady 2 -expand 0 -anchor nw ++ ++ set default [frame $r_c.default] ++ set widgets(default_object:default_cb) [checkbutton $default.enable -text "Default" \ ++ -variable Apol_DefaultObjects::vals(default:use)] ++ set widgets(default_object:default) [ComboBox $default.cb -width 20 -state disabled \ ++ -entrybg $ApolTop::default_bg_color \ ++ -textvariable Apol_DefaultObjects::vals(default:sym)] ++ trace add variable Apol_DefaultObjects::vals(default:use) write \ ++ [list Apol_DefaultObjects::_toggleCheckbutton $widgets(default_object:default) {}] ++ pack $widgets(default_object:default_cb) -side top -anchor w ++ pack $widgets(default_object:default) -side top -expand 0 -fill x -padx 4 ++ pack $default -side left -padx 4 -pady 2 -expand 0 -fill y ++ ++ set range [frame $r_c.range] ++ set widgets(default_object:range_cb) [checkbutton $range.enable -text "Range" \ ++ -variable Apol_DefaultObjects::vals(range:use)] ++ set widgets(default_object:range) [ComboBox $range.cb -width 20 -state disabled \ ++ -entrybg $ApolTop::default_bg_color \ ++ -textvariable Apol_DefaultObjects::vals(range:sym)] ++ trace add variable Apol_DefaultObjects::vals(range:use) write \ ++ [list Apol_DefaultObjects::_toggleCheckbutton $widgets(default_object:range) {}] ++ pack $widgets(default_object:range_cb) -side top -anchor w ++ pack $widgets(default_object:range) -side top -expand 0 -fill x -padx 4 ++ pack $range -side left -padx 4 -pady 2 -expand 0 -fill y ++} ++ ++proc Apol_DefaultObjects::_toggleCheckbutton {cb w name1 name2 ops} { ++ variable vals ++ variable mls_enabled ++ ++ if {$name2 == "range:use" && $mls_enabled == 0 || $vals(default_range_enabled) == 0} { ++ set vals(range:use) 0 ++ $cb configure -state disabled ++ } ++ ++ if {$vals($name2)} { ++ $cb configure -state normal -entrybg white ++ foreach x $w { ++ $x configure -state normal ++ } ++ } else { ++ $cb configure -state disabled -entrybg $ApolTop::default_bg_color ++ foreach x $w { ++ $x configure -state disabled ++ } ++ } ++} ++ ++proc Apol_DefaultObjects::_ruleChanged {name1 name2 ops} { ++ variable vals ++ variable widgets ++ Apol_Widget::clearSearchResults $widgets(results) ++ ++ if {$vals(default_user_enabled) == 0} { ++ set vals(user:use) 0 ++ } ++ if {$vals(default_role_enabled) == 0} { ++ set vals(role:use) 0 ++ } ++ if {$vals(default_type_enabled) == 0} { ++ set vals(type:use) 0 ++ } ++ if {$vals(default_range_enabled) == 0} { ++ set vals(range:use) 0 ++ } ++} ++ ++proc Apol_DefaultObjects::_searchDefaultObjects {} { ++ variable vals ++ variable widgets ++ variable statement_count ++ ++ Apol_Widget::clearSearchResults $widgets(results) ++ if {![ApolTop::is_policy_open]} { ++ tk_messageBox -icon error -type ok -title "Error" -message "No current policy file is opened." ++ } ++ ++ if {$vals(class:use) == 1 && $vals(class:sym) == {}} { ++ tk_messageBox -icon error -type ok -title "Default object Rule Search" -message "No class selected." ++ return ++ } ++ if {$vals(default:use) == 1 && $vals(default:sym) == {}} { ++ tk_messageBox -icon error -type ok -title "Default object Rule Search" -message "No default selected." ++ return ++ } ++ if {$vals(range:use) == 1 && $vals(range:sym) == {}} { ++ tk_messageBox -icon error -type ok -title "Default object Rule Search" -message "No range selected." ++ return ++ } ++ ++ set results {} ++ set header {} ++ set print_results {} ++ ++ if {$vals(default_user_enabled) == 1} { ++ append results [Apol_DefaultObjects::searchForDefault "user" get_user_default] ++ append header "$statement_count default_user rules match the search criteria.\n" ++ } ++ if {$vals(default_role_enabled) == 1} { ++ append results [Apol_DefaultObjects::searchForDefault "role" get_role_default] ++ append header "$statement_count default_role rules match the search criteria.\n" ++ } ++ if {$vals(default_type_enabled) == 1} { ++ append results [Apol_DefaultObjects::searchForDefault "type" get_type_default] ++ append header "$statement_count default_type rules match the search criteria.\n" ++ } ++ if {$vals(default_range_enabled) == 1} { ++ append results [Apol_DefaultObjects::searchDefaultRange "range" get_range_default] ++ append header "$statement_count default_range rules match the search criteria.\n" ++ } ++ append print_results "$header\n$results" ++ Apol_Widget::appendSearchResultText $widgets(results) $print_results ++} ++ ++proc Apol_DefaultObjects::searchForDefault {type type_cmd} { ++ variable vals ++ variable widgets ++ variable statement_count ++ set results {} ++ set printit 0 ++ set class_regexp 0 ++ set default_regexp 0 ++ set statement_count 0 ++ ++ if {$vals(class:use)} { ++ set class_regexp 1 ++ } ++ if {$vals(default:use)} { ++ set default_regexp 1 ++ } ++ ++ set q [new_apol_default_object_query_t] ++ set v [$q run $::ApolTop::policy] ++ $q -acquire ++ $q -delete ++ for {set i 0} {$v != "NULL" && $i < [$v get_size]} {incr i} { ++ for {set i 0} {$v != "NULL" && $i < [$v get_size]} {incr i} { ++ set q [qpol_default_object_from_void [$v get_element $i]] ++ set class [$q get_class $::ApolTop::qpolicy] ++ set default [$q $type_cmd $::ApolTop::qpolicy] ++ if {$default != ""} { ++ if {$class_regexp == 1 && $class == $vals(class:sym) && $default_regexp == 1 && $default == $vals(default:sym)} { ++ set printit 1 ++ } elseif {$class_regexp == 1 && $class == $vals(class:sym) && $default_regexp == 0} { ++ set printit 1 ++ } elseif {$default_regexp == 1 && $default == $vals(default:sym) && $class_regexp == 0} { ++ set printit 1 ++ } elseif {$class_regexp == 0 && $default_regexp == 0} { ++ set printit 1 ++ } ++ if {$printit == 1} { ++ append results "default_$type $class $default;\n" ++ set statement_count [expr $statement_count + 1] ++ } ++ } ++ set printit 0 ++ } ++ } ++ return "$results\n" ++} ++ ++proc Apol_DefaultObjects::searchDefaultRange {type type_cmd} { ++ variable vals ++ variable widgets ++ variable statement_count ++ set results {} ++ set printit 0 ++ set class_regexp 0 ++ set default_regexp 0 ++ set range_regexp 0 ++ set statement_count 0 ++ ++ if {$vals(class:use)} { ++ set class_regexp 1 ++ } ++ if {$vals(default:use)} { ++ set default_regexp 1 ++ } ++ if {$vals(range:use)} { ++ set range_regexp 1 ++ } ++ ++ set q [new_apol_default_object_query_t] ++ set v [$q run $::ApolTop::policy] ++ $q -acquire ++ $q -delete ++ for {set i 0} {$v != "NULL" && $i < [$v get_size]} {incr i} { ++ for {set i 0} {$v != "NULL" && $i < [$v get_size]} {incr i} { ++ set q [qpol_default_object_from_void [$v get_element $i]] ++ set class [$q get_class $::ApolTop::qpolicy] ++ set default [$q $type_cmd $::ApolTop::qpolicy] ++ if {$default != ""} { ++ # split into the two components ++ set entries [split $default " "] ++ lassign $entries src_tgt range ++ ++ if {$class_regexp == 1 && $class == $vals(class:sym) && $default_regexp == 1 && \ ++ $src_tgt== $vals(default:sym) && $range_regexp == 1 && $range == $vals(range:sym)} { ++ set printit 1 ++ } elseif {$class_regexp == 1 && $class == $vals(class:sym) && $default_regexp == 0 && $range_regexp == 0} { ++ set printit 1 ++ } elseif {$class_regexp == 0 && $default_regexp == 1 && $src_tgt == $vals(default:sym) && $range_regexp == 0} { ++ set printit 1 ++ } elseif {$class_regexp == 0 && $default_regexp == 0 && $range_regexp == 1 && $range == $vals(range:sym)} { ++ set printit 1 ++ } elseif {$class_regexp == 0 && $default_regexp == 1 && $src_tgt == $vals(default:sym) && \ ++ $range_regexp == 1 && $range == $vals(range:sym)} { ++ set printit 1 ++ } elseif {$class_regexp == 1 && $class == $vals(class:sym) && $default_regexp == 0 && \ ++ $range_regexp == 1 && $range == $vals(range:sym)} { ++ set printit 1 ++ } elseif {$class_regexp == 0 && $default_regexp == 0 && $range_regexp == 0} { ++ set printit 1 ++ } ++ if {$printit == 1} { ++ append results "default_$type $class $default;\n" ++ set statement_count [expr $statement_count + 1] ++ } ++ } ++ set printit 0 ++ } ++ } ++ return "$results\n" ++} +diff --git a/apol/initial_sids_tab.tcl b/apol/initial_sids_tab.tcl +index ff81a32..356a45a 100644 +--- a/apol/initial_sids_tab.tcl ++++ b/apol/initial_sids_tab.tcl +@@ -110,7 +110,7 @@ proc Apol_Initial_SIDS::_search {} { + $q set_context $::ApolTop::policy $context $range_match + } + +- set v [$q run $::ApolTop::policy] #line causing segfaulting ++ set v [$q run $::ApolTop::policy] + + $q -acquire + $q -delete +diff --git a/apol/namespaces_tab.tcl b/apol/namespaces_tab.tcl +new file mode 100644 +index 0000000..da8a1af +--- /dev/null ++++ b/apol/namespaces_tab.tcl +@@ -0,0 +1,206 @@ ++# Copyright (C) 2001-2007 Tresys Technology, LLC ++# This program is free software; you can redistribute it and/or modify ++# it under the terms of the GNU General Public License as published by ++# the Free Software Foundation; either version 2 of the License, or ++# (at your option) any later version. ++# ++# This program is distributed in the hope that it will be useful, ++# but WITHOUT ANY WARRANTY; without even the implied warranty of ++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++# GNU General Public License for more details. ++# ++# You should have received a copy of the GNU General Public License ++# along with this program; if not, write to the Free Software ++# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA ++ ++namespace eval Apol_Namespaces { ++ variable widgets ++ variable namespace_list {} ++} ++ ++proc Apol_Namespaces::create {tab_name nb} { ++ variable widgets ++ variable namespace_list {} ++ ++ set frame [$nb insert end $tab_name -text "Policy Namespaces"] ++ set pw [PanedWindow $frame.pw -side top] ++ set leftf [$pw add -weight 0] ++ set rightf [$pw add -weight 1] ++ pack $pw -fill both -expand yes ++ ++ set namespaces_box [TitleFrame $leftf.namespaces_box -text "Policy Namespaces"] ++ pack $namespaces_box -fill both -expand yes ++ ++ set nlistbox [Apol_Widget::makeScrolledListbox [$namespaces_box getframe].lb \ ++ -width 60 -listvar Apol_Namespaces::namespace_list] ++ Apol_Widget::setListboxCallbacks $nlistbox \ ++ {{"Show Namespace Users, Roles, Types, Attributes and Classes Info" {Apol_Namespaces::popupNsInfo nfi}}} ++ pack $nlistbox -expand 1 -fill both ++ pack $nlistbox -fill both -expand yes ++ ++ return $frame ++} ++ ++proc Apol_Namespaces::open {ppath} { ++ variable namespace_list {} ++ ++ append list1 "$Apol_Users::users_list $Apol_Roles::role_list $Apol_Types::typelist $Apol_Types::attriblist $Apol_Class_Perms::class_list" ++ set names [split $list1 " "] ++ # Split on the ns separator, chop off the end entry then add "." back ++ set list1 {} ++ foreach n $names { ++ set ns [split $n "."] ++ set ns [lreplace $ns end end] ++ set l [string length $ns] ++ if {$l > 0} { ++ regsub -all " " $ns "." ns ++ lappend list1 "$ns" ++ } ++ } ++ set list2 {} ++ set namespace_list "GLOBAL-NS\n" ++ lappend list2 [lsort -dictionary -unique $list1] ++ ++ foreach entry $list2 { ++ append namespace_list "$entry\n" ++ } ++} ++ ++proc Apol_Namespaces::close {} { ++ variable namespace_list {} ++ ++ set namespace_list {} ++} ++ ++proc Apol_Namespaces::getTextWidget {} { ++ variable widgets ++} ++ ++ ++proc Apol_Namespaces::popupNsInfo {which ns} { ++ ++ set w .ns_infobox ++ destroy $w ++ ++ set w [Dialog .ns_infobox -cancel 0 -default 0 -modal none -parent . -separator 1 -title $ns] ++ $w add -text "Close" -command [list destroy $w] ++ ++ set notebook [NoteBook [$w getframe].nb] ++ pack $notebook -expand 1 -fill both ++ ++ set user_info_tab [$notebook insert end user_info_tab -text "Users"] ++ set role_info_tab [$notebook insert end role_info_tab -text "Roles"] ++ set type_info_tab [$notebook insert end type_info_tab -text "Types"] ++ set attrib_info_tab [$notebook insert end attrib_info_tab -text "Attributes"] ++ set class_info_tab [$notebook insert end class_info_tab -text "Classes"] ++ set boolean_info_tab [$notebook insert end boolean_info_tab -text "Booleans"] ++ ++ if {[ApolTop::is_capable "mls"]} { ++ set sensitivity_info_tab [$notebook insert end sensitivity_info_tab -text "Sensitivities"] ++ set category_info_tab [$notebook insert end category_info_tab -text "Categories"] ++ } ++ ++ # Display users ++ set sw [ScrolledWindow [$notebook getframe user_info_tab].sw -scrollbar both -auto both] ++ set user_text [text [$sw getframe].text -wrap none -font {helvetica 10} -bg white] ++ $sw setwidget $user_text ++ pack $sw -expand 1 -fill both ++ Apol_Namespaces::DisplayMatches $Apol_Users::users_list $user_text $ns "users" ++ ++ # Display roles ++ set sw [ScrolledWindow [$notebook getframe role_info_tab].sw -scrollbar both -auto both] ++ set role_text [text [$sw getframe].text -wrap none -font {helvetica 10} -bg white] ++ $sw setwidget $role_text ++ pack $sw -expand 1 -fill both ++ Apol_Namespaces::DisplayMatches $Apol_Roles::role_list $role_text $ns "roles" ++ ++ # Display types ++ set sw [ScrolledWindow [$notebook getframe type_info_tab].sw -scrollbar both -auto both] ++ set type_text [text [$sw getframe].text -wrap none -font {helvetica 10} -bg white] ++ $sw setwidget $type_text ++ pack $sw -expand 1 -fill both ++ Apol_Namespaces::DisplayMatches $Apol_Types::typelist $type_text $ns "types" ++ ++ # Display attributes ++ set sw [ScrolledWindow [$notebook getframe attrib_info_tab].sw -scrollbar both -auto both] ++ set attrib_text [text [$sw getframe].text -wrap none -font {helvetica 10} -bg white] ++ $sw setwidget $attrib_text ++ pack $sw -expand 1 -fill both ++ Apol_Namespaces::DisplayMatches $Apol_Types::attriblist $attrib_text $ns "attributes" ++ ++ # Display classes ++ set sw [ScrolledWindow [$notebook getframe class_info_tab].sw -scrollbar both -auto both] ++ set class_text [text [$sw getframe].text -wrap none -font {helvetica 10} -bg white] ++ $sw setwidget $class_text ++ pack $sw -expand 1 -fill both ++ Apol_Namespaces::DisplayMatches $Apol_Class_Perms::class_list $class_text $ns "classes" ++ ++ # Display booleans ++ set sw [ScrolledWindow [$notebook getframe boolean_info_tab].sw -scrollbar both -auto both] ++ set boolean_text [text [$sw getframe].text -wrap none -font {helvetica 10} -bg white] ++ $sw setwidget $boolean_text ++ pack $sw -expand 1 -fill both ++ Apol_Namespaces::DisplayMatches $Apol_Cond_Bools::cond_bools_list $boolean_text $ns "booleans" ++ ++ if {[ApolTop::is_capable "mls"]} { ++ # Display sensitivities ++ set sw [ScrolledWindow [$notebook getframe sensitivity_info_tab].sw -scrollbar both -auto both] ++ set sensitivity_text [text [$sw getframe].text -wrap none -font {helvetica 10} -bg white] ++ $sw setwidget $sensitivity_text ++ pack $sw -expand 1 -fill both ++ Apol_Namespaces::DisplayMatches $Apol_MLS::vals(senslist) $sensitivity_text $ns "sensitivities" ++ ++ # Display categories ++ set sw [ScrolledWindow [$notebook getframe category_info_tab].sw -scrollbar both -auto both] ++ set category_text [text [$sw getframe].text -wrap none -font {helvetica 10} -bg white] ++ $sw setwidget $category_text ++ pack $sw -expand 1 -fill both ++ Apol_Namespaces::DisplayMatches $Apol_MLS::vals(catslist) $category_text $ns "categories" ++ } ++ ++ $notebook raise [$notebook page 0] ++ $w draw {} 0 600x400 ++} ++ ++proc Apol_Namespaces::DisplayMatches {item_list display_entry ns text} { ++ set counter 0 ++ set print_list {} ++ ++ if {$ns == "GLOBAL-NS"} { ++ set ns {} ++ set off_set 0 ++ } else { ++ set off_set 1 ++ } ++ # Get len of the ns selected ++ set l [string length $ns] ++ #For each entry check if in this ns ++ foreach t $item_list { ++ set i [string compare -length $l $t $ns] ++ # kludge to get round a problem. ++ # If $z is same as $ns, but no . in $t then ignore as $t just ++ # happens to begin with a match to $ns. So reset $i ++ set z [string range $t 0 $l-1] ++ if {![regexp -nocase {[.]} $t] && $z == $ns && $ns != ""} { ++ set i 1 ++ } ++ ++ if {$i == 0} { ++ set x [string range $t $l+$off_set end] ++ if {![regexp -nocase {[.]} $x]} { ++ append print_list " $x\n" ++ set counter [expr $counter + 1] ++ } ++ } ++ } ++ if {$counter == 0} { ++ $display_entry insert end "No entries\n" ++ } else { ++ if {$ns == ""} { ++ set ns "global" ++ } ++ $display_entry insert end "$ns namespace ($counter $text)\n$print_list" ++ } ++ $display_entry configure -state disabled ++ ++} +diff --git a/apol/polcap_tab.tcl b/apol/polcap_tab.tcl +new file mode 100644 +index 0000000..dfeade4 +--- /dev/null ++++ b/apol/polcap_tab.tcl +@@ -0,0 +1,73 @@ ++# Copyright (C) 2001-2007 Tresys Technology, LLC ++# This program is free software; you can redistribute it and/or modify ++# it under the terms of the GNU General Public License as published by ++# the Free Software Foundation; either version 2 of the License, or ++# (at your option) any later version. ++# ++# This program is distributed in the hope that it will be useful, ++# but WITHOUT ANY WARRANTY; without even the implied warranty of ++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++# GNU General Public License for more details. ++# ++# You should have received a copy of the GNU General Public License ++# along with this program; if not, write to the Free Software ++# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA ++ ++namespace eval Apol_Polcaps { ++ variable widgets ++ variable polcap_list {} ++} ++ ++proc Apol_Polcaps::create {tab_name nb} { ++ variable widgets ++ ++ set frame [$nb insert end $tab_name -text "Policy Capabilities"] ++ set pw [PanedWindow $frame.pw -side top] ++ set leftf [$pw add -weight 0] ++ set rightf [$pw add -weight 1] ++ pack $pw -fill both -expand yes ++ ++ set polcap_box [TitleFrame $leftf.polcap_box -text "Policy Capabilities"] ++ pack $polcap_box -fill both -expand yes ++ ++ set rlistbox [Apol_Widget::makeScrolledListbox [$polcap_box getframe].lb \ ++ -width 60 -listvar Apol_Polcaps::polcap_list] ++ pack $rlistbox -fill both -expand yes ++ ++ return $frame ++} ++ ++proc Apol_Polcaps::open {ppath} { ++ variable polcap_list ++ ++ set polcapnames {} ++ set q [new_apol_polcap_query_t] ++ # This reads in the polcap info ++ set v [$q run $::ApolTop::policy] ++ $q -acquire ++ $q -delete ++ # This loop will process polcap name in the policy ++ for {set i 0} {$v != "NULL" && $i < [$v get_size]} {incr i} { ++ for {set i 0} {$v != "NULL" && $i < [$v get_size]} {incr i} { ++ set q [qpol_polcap_from_void [$v get_element $i]] ++ append polcapnames [$q get_name $::ApolTop::qpolicy] ++ append polcapnames "\n" ++ } ++ } ++ ++ set polcap_list $polcapnames ++} ++ ++proc Apol_Polcaps::close {} { ++ variable widgets ++ variable polcap_list {} ++} ++ ++proc Apol_Polcaps::getTextWidget {} { ++ variable widgets ++} ++ ++#### private functions below #### ++ ++ ++ +diff --git a/apol/policyconf.tcl b/apol/policyconf.tcl +index 8f7e9c1..161f959 100644 +--- a/apol/policyconf.tcl ++++ b/apol/policyconf.tcl +@@ -63,7 +63,9 @@ proc Apol_PolicyConf::open {ppath} { + $textbox fakedelete 0.0 end + if {![ApolTop::is_capable "source"]} { + $textbox fakeinsert end "The currently loaded policy is not a source policy." ++ ApolTop::_toplevel_enable_tabs tag_source disabled + } else { ++ ApolTop::_toplevel_enable_tabs tag_source normal + set primary_file [$ppath get_primary] + if {[catch {::open $primary_file r} f]} { + $textbox fakeinsert end "$primary_file does not exist or could not be read by the user." +diff --git a/apol/terules_tab.tcl b/apol/terules_tab.tcl +index c5a490f..266d670 100644 +--- a/apol/terules_tab.tcl ++++ b/apol/terules_tab.tcl +@@ -93,6 +93,7 @@ proc Apol_TE::create {tab_name nb} { + + _createTypesAttribsTab + _createClassesPermsTab ++ _createFilenameTab + + # Action buttons + set widgets(new) [button $abox.new -text "New Search" -width 12 \ +@@ -138,6 +139,7 @@ proc Apol_TE::open {ppath} { + set vals(cp:classes) [Apol_Class_Perms::getClasses] + set enabled(cp:classes) 1 + set enabled(cp:perms) 1 ++ set vals(ta:use_filename) 0 + } + + proc Apol_TE::close {} { +@@ -252,6 +254,7 @@ proc Apol_TE::_initializeVars {} { + ta:source_sym,types $::APOL_QUERY_SYMBOL_IS_TYPE \ + ta:target_sym,types $::APOL_QUERY_SYMBOL_IS_TYPE \ + ta:default_sym,types $::APOL_QUERY_SYMBOL_IS_TYPE \ ++ ta:filename,files 1 \ + ] + + array set vals { +@@ -273,6 +276,10 @@ proc Apol_TE::_initializeVars {} { + ta:default_sym,attribs 0 + ta:default_sym {} + ++ ta:use_filename 0 ++ ta:filename {} ++ ta:filename,files 0 ++ + cp:classes {} + cp:classes_selected {} + cp:perms {} +@@ -286,6 +293,7 @@ proc Apol_TE::_initializeVars {} { + ta:use_source 1 + ta:use_target 1 + ta:use_default 1 ++ ta:use_filename 1 + + cp:classes 0 + cp:perms 0 +@@ -535,6 +543,156 @@ proc Apol_TE::_toggle_ta_pushed {col cb} { + } + } + ++proc Apol_TE::_createFilenameTab {} { ++ variable vals ++ variable widgets ++ variable enabled ++ ++ set fn_tab [$widgets(search_opts) insert end filename -text "Filename"] ++ set fm_filename [frame $fn_tab.filename] ++ grid $fm_filename -padx 4 -sticky ewns ++ foreach i {0 1 2} { ++ grid columnconfigure $fn_tab $i -weight 1 -uniform 1 ++ } ++ grid rowconfigure $fn_tab 0 -weight 1 ++ ++ set widgets(ta:use_filename) [checkbutton $fm_filename.use -text "type_transition filename" \ ++ -onvalue 1 -offvalue 0 -variable Apol_TE::vals(ta:use_filename)] ++ pack $widgets(ta:use_filename) -side top -anchor w ++ ++ trace add variable Apol_TE::vals(ta:use_filename) write \ ++ [list Apol_TE::_toggle_fn_box filename] ++ ++ set w {} ++ ++ set helptext "Select a filename - Note: no search using regular expr" ++ ++ set widgets(ta:filename_sym) [ComboBox $fm_filename.sym \ ++ -state normal -entrybg $ApolTop::default_bg_color \ ++ -textvariable Apol_TE::vals(ta:filename_sym) \ ++ -helptext $helptext -autopost 1] ++ pack $widgets(ta:filename_sym) -expand 0 -fill x -padx 8 ++ lappend w $widgets(ta:filename_sym) ++ ++ set widgets(ta:filename_widgets) $w ++ trace add variable Apol_TE::enabled(ta:use_filename) write \ ++ [list Apol_TE::_maybe_enable_filename filename] ++ ++ trace add variable Apol_TE::vals(ta:filename,files) write \ ++ [list Apol_TE::_toggle_FileNames filename] ++} ++ ++ ++proc Apol_TE::_toggle_fn_box {col name1 name2 op} { ++ variable vals ++ variable enabled ++ variable widgets ++ ++ if {$enabled(ta:use_${col})} { ++ $widgets(ta:use_${col}) configure -state normal ++ } else { ++ $widgets(ta:use_${col}) configure -state disabled ++ } ++ if {$enabled(ta:use_${col}) && $vals(ta:use_${col})} { ++ foreach w $widgets(ta:${col}_widgets) { ++ $w configure -state normal ++ } ++ $widgets(ta:${col}_sym) configure -entrybg white ++ } else { ++ foreach w $widgets(ta:${col}_widgets) { ++ $w configure -state disabled ++ } ++ $widgets(ta:${col}_sym) configure -entrybg $ApolTop::default_bg_color ++ } ++ ++ # update this tab's name if one of the columns is enabled and used ++ if {($enabled(ta:use_${col}) && $vals(ta:use_${col}))} { \ ++ $widgets(search_opts) itemconfigure filename -text "Filename *" ++ } else { ++ $widgets(search_opts) itemconfigure filename -text "Filename" ++ } ++} ++ ++proc Apol_TE::_maybe_enable_filename {col name1 name2 op} { ++ variable vals ++ variable enabled ++ variable widgets ++ ++ set typerule_set 0 ++ ++ foreach x {type_transition} { ++ if {$vals(rs:$x)} { ++ set typerule_set 1 ++ break ++ } ++ } ++ ++ if {$typerule_set && [ApolTop::is_capable "filename_trans"]} { ++ set enabled(ta:use_filename) 1 ++ } else { ++ set enabled(ta:use_filename) 0 ++ } ++ ++ set enabled(ta:use_${col}) $enabled(ta:use_${col}) ++} ++ ++ ++proc Apol_TE::_toggle_FileNames {col name1 name2 op} { ++ variable vals ++ variable widgets ++ variable enabled ++ ++ if {![ApolTop::is_policy_open]} { ++ return ++ } ++ ++ set items [lsort -unique -dictionary [Apol_TE::Get_FileNames]] ++ $widgets(ta:${col}_sym) configure -values $items ++} ++ ++proc Apol_TE::Get_FileNames {} { ++ set filenames {} ++ set q [new_apol_filename_trans_query_t] ++ # This reads in the filename_trans info ++ set v [$q run $::ApolTop::policy] ++ $q -acquire ++ $q -delete ++ # This loop will process each filename_trans in the policy ++ for {set i 0} {$v != "NULL" && $i < [$v get_size]} {incr i} { ++ for {set i 0} {$v != "NULL" && $i < [$v get_size]} {incr i} { ++ set q [qpol_filename_trans_from_void [$v get_element $i]] ++ lappend filenames [$q get_filename $::ApolTop::qpolicy] ++ } ++ } ++ return $filenames ++} ++ ++ ++proc Apol_TE::appendFilenameSearchResultRules {path indent rule_list cast filename} { ++ set curstate [$path.tb cget -state] ++ $path.tb configure -state normal ++ ++ variable enabled ++ variable vals ++ set num_rules 0 ++ ++ if { $vals(ta:use_filename) == 0} { ++ set filename "" ++ } ++ ++ for {set i 0} {$i < [$rule_list get_size]} {incr i} { ++ set rule [$cast [$rule_list get_element $i]] ++ if {$filename == "" || [$rule get_filename $::ApolTop::qpolicy] == $filename} { ++ $path.tb insert end [string repeat " " $indent] ++ $path.tb insert end [apol_filename_trans_render $::ApolTop::policy $rule] ++ incr num_rules ++ $path.tb insert end "\n" ++ } ++ } ++ $path.tb configure -state $curstate ++ list $num_rules $num_rules 0 ++} ++ + # code to create and handle the classe/permissions subtab + + proc Apol_TE::_createClassesPermsTab {} { +@@ -875,10 +1033,13 @@ proc Apol_TE::_search_terules {whichButton} { + return + } + if {$enabled(ta:use_default) && $vals(ta:use_default) && $vals(ta:default_sym) == {}} { +- + tk_messageBox -icon error -type ok -title "TE Rule Search" -message "No default type selected." + return + } ++ if {$enabled(ta:use_filename) && $vals(ta:use_filename) && $vals(ta:filename_sym) == {}} { ++ tk_messageBox -icon error -type ok -title "TE Rule Search" -message "No filename selected." ++ return ++ } + + set avrule_selection 0 + foreach {key value} [array get vals rs:avrule_*] { +@@ -896,6 +1057,7 @@ proc Apol_TE::_search_terules {whichButton} { + # start building queries + set avq [new_apol_avrule_query_t] + set teq [new_apol_terule_query_t] ++ set fnteq [new_apol_filename_trans_query_t] + + if {$enabled(ta:use_source) && $vals(ta:use_source)} { + if {$vals(ta:source_which) == "either"} { +@@ -905,21 +1067,28 @@ proc Apol_TE::_search_terules {whichButton} { + $avq set_source_component $::ApolTop::policy [expr {$vals(ta:source_sym,types) | $vals(ta:source_sym,attribs)}] + $teq set_source $::ApolTop::policy $vals(ta:source_sym) $vals(ta:source_indirect) + $teq set_source_component $::ApolTop::policy [expr {$vals(ta:source_sym,types) | $vals(ta:source_sym,attribs)}] ++ $fnteq set_source $::ApolTop::policy $vals(ta:source_sym) $vals(ta:source_indirect) + } + if {$enabled(ta:use_target) && $vals(ta:use_target)} { + $avq set_target $::ApolTop::policy $vals(ta:target_sym) $vals(ta:target_indirect) + $avq set_target_component $::ApolTop::policy [expr {$vals(ta:target_sym,types) | $vals(ta:target_sym,attribs)}] + $teq set_target $::ApolTop::policy $vals(ta:target_sym) $vals(ta:target_indirect) + $teq set_target_component $::ApolTop::policy [expr {$vals(ta:target_sym,types) | $vals(ta:target_sym,attribs)}] ++ $fnteq set_target $::ApolTop::policy $vals(ta:target_sym) $vals(ta:target_indirect) + } + if {$enabled(ta:use_default) && $vals(ta:use_default)} { + $teq set_default $::ApolTop::policy $vals(ta:default_sym) ++ $fnteq set_default $::ApolTop::policy $vals(ta:default_sym) ++ } ++ if {$enabled(ta:use_filename) && $vals(ta:use_filename)} { ++ $fnteq set_filename $::ApolTop::policy $vals(ta:filename_sym) + } + + if {$enabled(cp:classes)} { + foreach c $vals(cp:classes_selected) { + $avq append_class $::ApolTop::policy $c + $teq append_class $::ApolTop::policy $c ++ $fnteq append_class $::ApolTop::policy $c + } + } + if {$enabled(cp:perms)} { +@@ -935,6 +1104,7 @@ proc Apol_TE::_search_terules {whichButton} { + $teq set_enabled $::ApolTop::policy $vals(oo:enabled) + $avq set_regex $::ApolTop::policy $vals(oo:regexp) + $teq set_regex $::ApolTop::policy $vals(oo:regexp) ++ $fnteq set_regex $::ApolTop::policy $vals(oo:regexp) + + foreach x {new update reset} { + $widgets($x) configure -state disabled +@@ -952,16 +1122,20 @@ proc Apol_TE::_search_terules {whichButton} { + { + set numTEs {0 0 0} + set numAVs {0 0 0} ++ set numFNTEs {0 0 0} + set avresults NULL + set teresults NULL ++ set fnteresults NULL + set num_avresults 0 + set num_teresults 0 ++ set num_fnteresults 0 + if {![ApolTop::is_capable "syntactic rules"]} { + if {$avrule_selection != 0} { + set avresults [$avq run $::ApolTop::policy] + } + if {$terule_selection != 0} { + set teresults [$teq run $::ApolTop::policy] ++ set fnteresults [$fnteq run $::ApolTop::policy] + } + } else { + $::ApolTop::qpolicy build_syn_rule_table +@@ -972,11 +1146,16 @@ proc Apol_TE::_search_terules {whichButton} { + set teresults [$teq run_syn $::ApolTop::policy] + } + } ++ if {$terule_selection != 0} { ++ set fnteresults [$fnteq run $::ApolTop::policy] ++ } + + $avq -acquire + $avq -delete + $teq -acquire + $teq -delete ++ $fnteq -acquire ++ $fnteq -delete + if {$avresults != "NULL"} { + set num_avresults [$avresults get_size] + } +@@ -984,6 +1163,10 @@ proc Apol_TE::_search_terules {whichButton} { + set num_teresults [$teresults get_size] + } + ++ if {$fnteresults != "NULL"} { ++ set num_fnteresults [$fnteresults get_size] ++ } ++ + if {$whichButton == "new"} { + set sr [_create_new_results_tab] + } else { +@@ -1014,7 +1197,21 @@ proc Apol_TE::_search_terules {whichButton} { + set numTEs [Apol_Widget::appendSearchResultSynRules $sr 0 $teresults qpol_syn_terule_from_void] + } + } +- set num_rules [expr {[lindex $numAVs 0] + [lindex $numTEs 0]}] ++ ++ if { $vals(ta:use_filename) == 1 && $vals(ta:use_source) == 0 && $vals(ta:use_target) == 0 && $vals(ta:use_default) == 0} { ++ Apol_Widget::clearSearchResults $sr ++ set numTEs {0 0 0} ++ set numAVs {0 0 0} ++ } ++ ++ if {$vals(rs:type_transition) != 0} { ++ apol_tcl_set_info_string $::ApolTop::policy "Rendering $num_fnteresults Filename TE rule results" ++ if {$num_fnteresults > 0} { ++ set numFNTEs [Apol_TE::appendFilenameSearchResultRules $sr 0 $fnteresults qpol_filename_trans_from_void $vals(ta:filename_sym)] ++ } ++ } ++ ++ set num_rules [expr {[lindex $numAVs 0] + [lindex $numTEs 0] + [lindex $numFNTEs 0]}] + set num_enabled [expr {[lindex $numAVs 1] + [lindex $numTEs 1]}] + set num_disabled [expr {[lindex $numAVs 2] + [lindex $numTEs 2]}] + set header "$num_rules rule" +diff --git a/apol/top.tcl b/apol/top.tcl +index f930318..a267dde 100644 +--- a/apol/top.tcl ++++ b/apol/top.tcl +@@ -18,8 +18,9 @@ set COPYRIGHT_INFO "Copyright (C) 2001-2008 Tresys Technology, LLC" + namespace eval ApolTop { + variable policy {} ;# handle to an apol_policy, or {} if none opened + variable qpolicy {} ;# handle to policy's qpol_policy_t, or {} if none opened +- # these three are shown on the status line of the toplevel window ++ # these four are shown on the status line of the toplevel window + variable policy_version_string {} ++ variable policy_handle_unknown_string {} + variable policy_source_linenum {} + variable policy_stats_summary {} + variable policy_stats ;# array of statistics for the current policy +@@ -68,10 +69,15 @@ namespace eval ApolTop { + {Apol_Initial_SIDS components {}} + {Apol_NetContexts components {}} + {Apol_FSContexts components {}} ++ {Apol_Polcaps components {tag_polcap}} ++ {Apol_Namespaces components {}} + {Apol_TE rules {tag_query_saveable}} + {Apol_Cond_Rules rules {tag_conditionals}} ++ {Apol_Constraint rules {tag_query_saveable}} + {Apol_RBAC rules {}} + {Apol_Range rules {tag_mls}} ++ {Apol_Bounds rules {tag_bounds}} ++ {Apol_DefaultObjects rules {tag_default_objects}} + {Apol_File_Contexts {} {}} + {Apol_Analysis {} {tag_query_saveable}} + {Apol_PolicyConf {} {tag_source}} +@@ -108,6 +114,12 @@ proc ApolTop::is_capable {capability} { + "neverallow" { set cap $::QPOL_CAP_NEVERALLOW } + "source" { set cap $::QPOL_CAP_SOURCE } + "syntactic rules" { set cap $::QPOL_CAP_SYN_RULES } ++ "polcap" { set cap $::QPOL_CAP_POLCAPS } ++ "bounds" { set cap $::QPOL_CAP_BOUNDS } ++ "default_objects" { set cap $::QPOL_CAP_DEFAULT_OBJECTS } ++ "default_type" { set cap $::QPOL_CAP_DEFAULT_TYPE } ++ "permissive" { set cap $::QPOL_CAP_PERMISSIVE } ++ "filename_trans" { set cap $::QPOL_CAP_FILENAME_TRANS } + default { return 0 } + } + variable qpolicy +@@ -368,6 +380,15 @@ proc ApolTop::_toplevel_policy_open {ppath} { + if {![is_capable "source"]} { + _toplevel_enable_tabs tag_source disabled + } ++ if {![is_capable "polcap"]} { ++ _toplevel_enable_tabs tag_polcap disabled ++ } ++ if {![is_capable "bounds"]} { ++ _toplevel_enable_tabs tag_bounds disabled ++ } ++ if {![is_capable "default_objects"]} { ++ _toplevel_enable_tabs tag_default_objects disabled ++ } + _toplevel_tab_switched + + variable mainframe +@@ -376,6 +397,23 @@ proc ApolTop::_toplevel_policy_open {ppath} { + + _toplevel_update_stats + variable policy_version_string [$::ApolTop::policy get_version_type_mls_str] ++# Set how to handle unknown class/perms. ++#define SEPOL_DENY_UNKNOWN 0 ++#define SEPOL_REJECT_UNKNOWN 2 ++#define SEPOL_ALLOW_UNKNOWN 4 ++ variable policy_handle_unknown_string ++ set policy_handle_unknown -1 ++ set policy_handle_unknown [$::ApolTop::policy get_policy_handle_unknown] ++ ++ if {$policy_handle_unknown == 0} { ++ set policy_handle_unknown_string "deny" ++ } elseif {$policy_handle_unknown == 2} { ++ set policy_handle_unknown_string "reject" ++ } elseif {$policy_handle_unknown == 4} { ++ set policy_handle_unknown_string "allow" ++ } else { ++ set policy_handle_unknown_string "unknown" ++ } + + set primary_file [$ppath get_primary] + wm title . "SELinux Policy Analysis - $primary_file" +@@ -457,6 +495,9 @@ proc ApolTop::_toplevel_update_stats {} { + "sens" get_level_iter + "cats" get_cat_iter + "range_trans" get_range_trans_iter ++ "constraints" get_constraint_iter ++ "validatetrans" get_validatetrans_iter ++ "filename_trans" get_filename_trans_iter + + "sids" get_isid_iter + "portcons" get_portcon_iter +@@ -464,6 +505,8 @@ proc ApolTop::_toplevel_update_stats {} { + "nodecons" get_nodecon_iter + "genfscons" get_genfscon_iter + "fs_uses" get_fs_use_iter ++ "permissive" get_permissive_iter ++ "polcap" get_polcap_iter + } + foreach {key func} $iter_funcs { + set i [$::ApolTop::qpolicy $func] +@@ -518,6 +561,109 @@ proc ApolTop::_toplevel_update_stats {} { + $i -delete + } + ++ # Determine number of mlsconstrain and mlsvalidatetrans rules and ++ # recalculate the numbers accordingly. ++ if {[ApolTop::is_capable "mls"]} { ++ set mlsconstrain_count [ApolTop::_get_mls_count new_apol_constraint_query_t] ++ set policy_stats(constraints) [expr $policy_stats(constraints) - $mlsconstrain_count] ++ set policy_stats(mlsconstraints) $mlsconstrain_count ++ ++ set mlsvalidatetrans_count [ApolTop::_get_mls_count new_apol_validatetrans_query_t] ++ set policy_stats(validatetrans) [expr $policy_stats(validatetrans) - $mlsvalidatetrans_count] ++ set policy_stats(mlsvalidatetrans) $mlsvalidatetrans_count ++ } else { ++ set policy_stats(mlsconstraints) 0 ++ set policy_stats(mlsvalidatetrans) 0 ++ } ++ ++ # Determine number of bounds statements ++ set policy_stats(userbounds) 0 ++ set policy_stats(rolebounds) 0 ++ set policy_stats(typebounds) 0 ++ ++ if {[is_capable "bounds"]} { ++ # Determine number of userbounds statements ++ set q [new_apol_userbounds_query_t] ++ set v [$q run $::ApolTop::policy] ++ $q -acquire ++ $q -delete ++ for {set i 0} {$v != "NULL" && $i < [$v get_size]} {incr i} { ++ for {set i 0} {$v != "NULL" && $i < [$v get_size]} {incr i} { ++ set q [qpol_userbounds_from_void [$v get_element $i]] ++ set parent [$q get_parent_name $::ApolTop::qpolicy] ++ if {$parent != ""} { ++ set policy_stats(userbounds) [expr $policy_stats(userbounds) + 1] ++ } ++ } ++ } ++ ++ # Determine number of rolebounds statements ++ set q [new_apol_rolebounds_query_t] ++ set v [$q run $::ApolTop::policy] ++ $q -acquire ++ $q -delete ++ for {set i 0} {$v != "NULL" && $i < [$v get_size]} {incr i} { ++ for {set i 0} {$v != "NULL" && $i < [$v get_size]} {incr i} { ++ set q [qpol_rolebounds_from_void [$v get_element $i]] ++ set parent [$q get_parent_name $::ApolTop::qpolicy] ++ if {$parent != ""} { ++ set policy_stats(rolebounds) [expr $policy_stats(rolebounds) + 1] ++ } ++ } ++ } ++ ++ # Determine number of typebounds statements ++ set q [new_apol_typebounds_query_t] ++ set v [$q run $::ApolTop::policy] ++ $q -acquire ++ $q -delete ++ for {set i 0} {$v != "NULL" && $i < [$v get_size]} {incr i} { ++ for {set i 0} {$v != "NULL" && $i < [$v get_size]} {incr i} { ++ set q [qpol_typebounds_from_void [$v get_element $i]] ++ set parent [$q get_parent_name $::ApolTop::qpolicy] ++ if {$parent != ""} { ++ set policy_stats(typebounds) [expr $policy_stats(typebounds) + 1] ++ } ++ } ++ } ++ } ++ ++ # Determine number of default_object statements ++ set policy_stats(default_user) 0 ++ set policy_stats(default_role) 0 ++ set policy_stats(default_type) 0 ++ set policy_stats(default_range) 0 ++ ++ if {[is_capable "default_objects"]} { ++ set q [new_apol_default_object_query_t] ++ set v [$q run $::ApolTop::policy] ++ $q -acquire ++ $q -delete ++ for {set i 0} {$v != "NULL" && $i < [$v get_size]} {incr i} { ++ for {set i 0} {$v != "NULL" && $i < [$v get_size]} {incr i} { ++ set q [qpol_default_object_from_void [$v get_element $i]] ++ set default [$q get_user_default $::ApolTop::qpolicy] ++ if {$default != ""} { ++ set policy_stats(default_user) [expr $policy_stats(default_user) + 1] ++ } ++ set default [$q get_role_default $::ApolTop::qpolicy] ++ if {$default != ""} { ++ set policy_stats(default_role) [expr $policy_stats(default_role) + 1] ++ } ++ if {[is_capable "default_type"]} { ++ set default [$q get_type_default $::ApolTop::qpolicy] ++ if {$default != ""} { ++ set policy_stats(default_type) [expr $policy_stats(default_type) + 1] ++ } ++ } ++ set default [$q get_range_default $::ApolTop::qpolicy] ++ if {$default != ""} { ++ set policy_stats(default_range) [expr $policy_stats(default_range) + 1] ++ } ++ } ++ } ++ } ++ + set policy_stats_summary "" + append policy_stats_summary "Classes: $policy_stats(classes) " + append policy_stats_summary "Perms: $policy_stats(perms) " +@@ -551,6 +697,7 @@ proc ApolTop::_user_close_policy {} { + + proc ApolTop::_close_policy {} { + variable policy_version_string {} ++ variable policy_handle_unknown {} + variable policy_stats_summary {} + + wm title . "SELinux Policy Analysis" +@@ -579,7 +726,9 @@ proc ApolTop::_close_policy {} { + + _toplevel_enable_tabs tag_conditionals normal + _toplevel_enable_tabs tag_mls normal +- _toplevel_enable_tabs tag_source normal ++ _toplevel_enable_tabs tag_polcap normal ++ _toplevel_enable_tabs tag_bounds normal ++ _toplevel_enable_tabs tag_default_objects normal + } + + proc ApolTop::_exit {} { +@@ -678,6 +827,7 @@ proc ApolTop::_save_query_file {} { + + proc ApolTop::_show_policy_summary {} { + variable policy_version_string ++ variable policy_handle_unknown_string + variable policy_stats + + if {![regexp -- {^([^\(]+) \(([^,]+), ([^\)]+)} $ApolTop::policy_version_string -> policy_version policy_type policy_mls_type]} { +@@ -696,8 +846,8 @@ proc ApolTop::_show_policy_summary {} { + + label $w.title -text "Policy Summary Statistics" + set f [frame $w.summary] +- label $f.l -justify left -text " Policy Version:\n Policy Type:\n MLS Status:" +- label $f.r -justify left -text "$policy_version\n$policy_type\n$policy_mls_type" ++ label $f.l -justify left -text " Policy Version:\n Policy Type:\n MLS Status:\n Handle unknown Class/Perms:" ++ label $f.r -justify left -text "$policy_version\n$policy_type\n$policy_mls_type\n$policy_handle_unknown_string" + grid $f.l $f.r -sticky w + grid configure $f.r -padx 30 + grid $w.title - -sticky w -padx 8 +@@ -714,6 +864,8 @@ proc ApolTop::_show_policy_summary {} { + } + "Number of Types and Attributes" { + "Types" types ++ " that includes permissive types" permissive ++ " that includes bounded types" typebounds + "Attributes" attribs + } + "Number of Type Enforcement Rules" { +@@ -722,16 +874,24 @@ proc ApolTop::_show_policy_summary {} { + "dontaudits" avrule_dontaudit + "neverallows" avrule_neverallow + "type_transitions" type_trans ++ "type_transitions - filename" filename_trans + "type_members" type_member + "type_changes" type_change + } + "Number of Roles" { + "Roles" roles ++ " that includes bounded roles" rolebounds + } + "Number of RBAC Rules" { + "allows" role_allow + "role_transitions" role_trans + } ++ "Number of Default Object Rules" { ++ "default_user" default_user ++ "default_role" default_role ++ "default_type" default_type ++ "default_range" default_range ++ } + } { + set ltext "$title:" + set rtext {} +@@ -754,16 +914,23 @@ proc ApolTop::_show_policy_summary {} { + foreach {title block} { + "Number of Users" { + "Users" users ++ " that includes bounded users" userbounds + } + "Number of Booleans" { + "Booleans" bools + } ++ "Number of Constraints" { ++ "constrain" constraints ++ "validatetrans" validatetrans ++ } + "Number of MLS Components" { + "Sensitivities" sens + "Categories" cats + } + "Number of MLS Rules" { + "range_transitions" range_trans ++ "mlsconstrain" mlsconstraints ++ "mlsvalidatetrans" mlsvalidatetrans + } + "Number of Initial SIDs" { + "SIDs" sids +@@ -775,6 +942,9 @@ proc ApolTop::_show_policy_summary {} { + "GenFSCons" genfscons + "fs_use statements" fs_uses + } ++ "Number of Policy Capabilities" { ++ "polcap" polcap ++ } + } { + set ltext "$title:" + set rtext {} +@@ -1067,6 +1237,41 @@ proc ApolTop::_write_configuration_file {} { + close $f + } + ++# This will work out how many mlsconstrain and mlsvalidatetrans rules ++# there are as the get_iter numbers are overall count. ++proc ApolTop::_get_mls_count {command} { ++ ++ set q [$command] ++ # This reads in the constraint info ++ set v [$q run $::ApolTop::policy] ++ $q -acquire ++ $q -delete ++ ++ set mls_count 0 ++ ++ # This loop will process each constraint in the policy ++ for {set i 0} {$v != "NULL" && $i < [$v get_size]} {incr i} { ++ set q [qpol_constraint_from_void [$v get_element $i]] ++ ++ # Find if this is an mls rule or not ++ set x [$q get_expr_iter $::ApolTop::qpolicy] ++ while {![$x end]} { ++ foreach t [iter_to_list $x] { ++ set t [qpol_constraint_expr_node_from_void $t] ++ # Get Symbol type ++ set sym_type [$t get_sym_type $::ApolTop::qpolicy] ++ if { $sym_type >= $::QPOL_CEXPR_SYM_L1L2 } { ++ set mls_count [expr $mls_count + 1] ++ break ++ } ++ } ++ } ++ $x -acquire ++ $x -delete ++ } ++ return $mls_count ++} ++ + ####################################################### + # Start script here + +diff --git a/apol/types_tab.tcl b/apol/types_tab.tcl +index 26def34..fed82fa 100644 +--- a/apol/types_tab.tcl ++++ b/apol/types_tab.tcl +@@ -60,7 +60,8 @@ proc Apol_Types::create {tab_name nb} { + set ofm [$obox getframe] + set fm_types_select [frame $ofm.to] + set fm_attribs_select [frame $ofm.ao] +- pack $fm_types_select $fm_attribs_select -side left -padx 4 -pady 2 -anchor nw ++ set fm_permissive_bounds [frame $ofm.po] ++ pack $fm_types_select $fm_attribs_select $fm_permissive_bounds -side left -padx 4 -pady 2 -anchor nw + + set types_select [checkbutton $fm_types_select.type -text "Show types" -variable Apol_Types::opts(types)] + set typeattribs [checkbutton $fm_types_select.typeattribs -text "Include attributes" \ +@@ -81,6 +82,18 @@ proc Apol_Types::create {tab_name nb} { + trace add variable Apol_Types::opts(attribs) write \ + [list Apol_Types::_toggleCheckbuttons [list $a_typeattribs $a_types]] + ++ set permissive_select [checkbutton $fm_permissive_bounds.type -text "Show permissive types" \ ++ -variable Apol_Types::opts(permissive)] ++ pack $permissive_select -anchor w ++ trace add variable Apol_Types::opts(permissive:show_names) write \ ++ [list Apol_Types::_toggleCheckbuttons $permissive_select] ++ ++ set typebounds_select [checkbutton $fm_permissive_bounds.bounds -text "Show typebounds rules" \ ++ -variable Apol_Types::opts(typebounds)] ++ pack $typebounds_select -anchor w ++ trace add variable Apol_Types::opts(typebounds:show_names) write \ ++ [list Apol_Types::_toggleCheckbuttons $typebounds_select] ++ + set widgets(regexp) [Apol_Widget::makeRegexpEntry $ofm.regexpf] + Apol_Widget::setRegexpEntryState $widgets(regexp) 1 + +@@ -96,6 +109,11 @@ proc Apol_Types::create {tab_name nb} { + } + + proc Apol_Types::open {ppath} { ++ variable opts ++ ++ set opts(permissive:show_names) [ApolTop::is_capable "permissive"] ++ set opts(typebounds:show_names) [ApolTop::is_capable "bounds"] ++ + set q [new_apol_type_query_t] + set v [$q run $::ApolTop::policy] + $q -acquire +@@ -180,12 +198,15 @@ proc Apol_Types::_initializeVars {} { + array set opts { + types 1 types:show_attribs 1 types:show_aliases 1 + attribs 0 attribs:show_types 1 attribs:show_attribs 1 ++ permissive 1 permissive:show_names 0 ++ typebounds 1 typebounds:show_names 0 + } + } + + proc Apol_Types::_toggleCheckbuttons {w name1 name2 op} { + variable opts + variable widgets ++ + if {$opts($name2)} { + foreach x $w { + $x configure -state normal +@@ -195,7 +216,7 @@ proc Apol_Types::_toggleCheckbuttons {w name1 name2 op} { + $x configure -state disabled + } + } +- if {!$opts(types) && !$opts(attribs)} { ++ if {!$opts(types) && !$opts(attribs) && !$opts(typebounds)} { + Apol_Widget::setRegexpEntryState $widgets(regexp) 0 + } else { + Apol_Widget::setRegexpEntryState $widgets(regexp) 1 +@@ -210,7 +231,6 @@ proc Apol_Types::_popupTypeInfo {which ta} { + set entry_vector {} + set index_file_loaded 0 + } +- + if {$which == "type"} { + set info_ta [_renderType $ta 1 1] + } else { +@@ -283,7 +303,7 @@ proc Apol_Types::_searchTypes {} { + tk_messageBox -icon error -type ok -title "Error" -message "No current policy file is opened." + return + } +- if {$opts(types) == 0 && $opts(attribs) == 0} { ++ if {$opts(types) == 0 && $opts(attribs) == 0 && $opts(permissive) == 0 && $opts(typebounds) == 0} { + tk_messageBox -icon error -type ok -title "Error" -message "No search options provided." + return + } +@@ -332,6 +352,52 @@ proc Apol_Types::_searchTypes {} { + append results "[_renderAttrib $a $opts(attribs:show_types) $opts(attribs:show_attribs)]\n" + } + } ++ if {$opts(permissive) && [ApolTop::is_capable "permissive"]} { ++ set q [new_apol_permissive_query_t] ++ $q set_name $::ApolTop::policy $regexp ++ $q set_regex $::ApolTop::policy $use_regexp ++ set v [$q run $::ApolTop::policy] ++ $q -acquire ++ $q -delete ++ set permissive_data [type_vector_to_list $v] ++ $v -acquire ++ $v -delete ++ if {$opts(types) || $opts(attribs)} { ++ append results "\n\n" ++ } ++ append results "PERMISSIVE TYPES ([llength $permissive_data]):\n\n" ++ foreach p [lsort $permissive_data] { ++ append results "[_renderType $p 0 0]\n" ++ } ++ } ++ if {$opts(typebounds) && [ApolTop::is_capable "bounds"]} { ++ set bounds {} ++ set counter 0 ++ ++ set q [new_apol_typebounds_query_t] ++ $q set_name $::ApolTop::policy $regexp ++ $q set_regex $::ApolTop::policy $use_regexp ++ ++ set v [$q run $::ApolTop::policy] ++ $q -acquire ++ $q -delete ++ for {set i 0} {$v != "NULL" && $i < [$v get_size]} {incr i} { ++ for {set i 0} {$v != "NULL" && $i < [$v get_size]} {incr i} { ++ set q [qpol_typebounds_from_void [$v get_element $i]] ++ set parent [$q get_parent_name $::ApolTop::qpolicy] ++ if {$parent != ""} { ++ append bounds "typebounds $parent " ++ append bounds "[$q get_child_name $::ApolTop::qpolicy];\n" ++ set counter [expr $counter + 1] ++ } ++ } ++ } ++ if {$opts(types) || $opts(attribs) || $opts(permissive)} { ++ append results "\n\n" ++ } ++ append results "BOUNDED TYPES ($counter):\n\n" ++ append results "$bounds\n" ++ } + Apol_Widget::appendSearchResultText $widgets(results) $results + } + +@@ -369,6 +435,9 @@ proc Apol_Types::_renderType {type_name show_attribs show_aliases} { + } + + proc Apol_Types::_renderAttrib {attrib_name show_types show_attribs} { ++ ++ set permissive {} ++ + set qpol_type_datum [new_qpol_type_t $::ApolTop::qpolicy $attrib_name] + + set text "$attrib_name" +diff --git a/configure.ac b/configure.ac +index 577ce48..ae20da7 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -25,9 +25,9 @@ libseaudit_version=4.5 + setoolsdir='${prefix}/share/setools-3.3' + javadir='${prefix}/share/java' + +-version_min_sepol_major=1 +-version_min_sepol_minor=12 +-version_min_sepol_patch=27 ++version_min_sepol_major=2 ++version_min_sepol_minor=4 ++version_min_sepol_patch=0 + + dnl *** end of tunable values *** + +@@ -548,6 +548,36 @@ int main () { + fi + fi + ++dnl check for constraint names, added in libsepol version ?? ++AC_CHECK_DECL([POLICYDB_VERSION_CONSTRAINT_NAMES], ++ sepol_new_constraint_names="yes", ++ sepol_new_constraint_names="no", ++ [#include ]) ++ ++dnl check for default object type, added in libsepol version ?? ++AC_CHECK_DECL([POLICYDB_VERSION_DEFAULT_TYPE], ++ sepol_new_default_type="yes", ++ sepol_new_default_type="no", ++ [#include ]) ++ ++dnl check for default object user/role/range added in libsepol version ?? ++AC_CHECK_DECL([POLICYDB_VERSION_NEW_OBJECT_DEFAULTS], ++ sepol_new_object_defaults="yes", ++ sepol_new_object_defaults="no", ++ [#include ]) ++ ++dnl check for filename trans rule, added in libsepol version ?? ++AC_CHECK_DECL([POLICYDB_VERSION_FILENAME_TRANS], ++ sepol_new_filename_trans="yes", ++ sepol_new_filename_trans="no", ++ [#include ]) ++ ++dnl check for user/role/type bounds, added in libsepol version ?? ++AC_CHECK_DECL([POLICYDB_VERSION_BOUNDARY], ++ sepol_new_bounds="yes", ++ sepol_new_bounds="no", ++ [#include ]) ++ + dnl check for permissive types, added in libsepol version 2.0.26 + AC_CHECK_DECL([TYPE_FLAGS_PERMISSIVE], + sepol_new_permissive_types="yes", +@@ -855,6 +885,21 @@ fi + if test ${sepol_new_permissive_types} == "yes"; then + AC_DEFINE(HAVE_SEPOL_PERMISSIVE_TYPES, 1, [if types can be marked as permissive]) + fi ++if test ${sepol_new_constraint_names} == "yes"; then ++ AC_DEFINE(HAVE_SEPOL_CONSTRAINT_NAMES, 1, [if source policy types/attributes are present]) ++fi ++if test ${sepol_new_default_type} == "yes"; then ++ AC_DEFINE(HAVE_SEPOL_DEFAULT_TYPE, 1, [if default_user rule present]) ++fi ++if test ${sepol_new_object_defaults} == "yes"; then ++ AC_DEFINE(HAVE_SEPOL_NEW_OBJECT_DEFAULTS, 1, [if default_user/role/range rules are present]) ++fi ++if test ${sepol_new_filename_trans} == "yes"; then ++ AC_DEFINE(HAVE_SEPOL_FILENAME_TRANS, 1, [if the filename transition rule present]) ++fi ++if test ${sepol_new_bounds} == "yes"; then ++ AC_DEFINE(HAVE_SEPOL_BOUNDARY, 1, [if bounds rules are present]) ++fi + if test ${sepol_new_user_role_mapping} == "yes"; then + AC_DEFINE(HAVE_SEPOL_USER_ROLE_MAPPING, 1, [if users and roles are mapped during policy expansion]) + fi +diff --git a/libapol/include/apol/Makefile.am b/libapol/include/apol/Makefile.am +index e398ff2..dd94452 100644 +--- a/libapol/include/apol/Makefile.am ++++ b/libapol/include/apol/Makefile.am +@@ -3,11 +3,13 @@ apoldir = $(includedir)/apol + apol_HEADERS = \ + avrule-query.h \ + bool-query.h \ ++ bounds-query.h \ + bst.h \ + class-perm-query.h \ + condrule-query.h \ + constraint-query.h \ + context-query.h \ ++ default-object-query.h \ + domain-trans-analysis.h \ + fscon-query.h \ + infoflow-analysis.h \ +diff --git a/libapol/include/apol/bounds-query.h b/libapol/include/apol/bounds-query.h +new file mode 100644 +index 0000000..5559ab4 +--- /dev/null ++++ b/libapol/include/apol/bounds-query.h +@@ -0,0 +1,177 @@ ++/** ++ * @file ++ * ++ * Routines to query policy capabilities in policy. ++ * ++ * @author Richard Haines richard_c_haines@btinternet.com ++ * ++ * Copyright (C) 2006-2007 Tresys Technology, LLC ++ * ++ * This library is free software; you can redistribute it and/or ++ * modify it under the terms of the GNU Lesser General Public ++ * License as published by the Free Software Foundation; either ++ * version 2.1 of the License, or (at your option) any later version. ++ * ++ * This library is distributed in the hope that it will be useful, ++ * but WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ * Lesser General Public License for more details. ++ * ++ * You should have received a copy of the GNU Lesser General Public ++ * License along with this library; if not, write to the Free Software ++ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA ++ */ ++ ++#ifndef APOL_BOUNDS_QUERY_H ++#define APOL_BOUNDS_QUERY_H ++ ++#ifdef __cplusplus ++extern "C" ++{ ++#endif ++ ++#include "policy.h" ++#include "vector.h" ++#include ++ ++ /************ TYPEBOUNDS *************/ ++ typedef struct apol_typebounds_query apol_typebounds_query_t; ++/** ++ * Execute a query against all policy capabilities within the policy. ++ * ++ * @param p Policy within which to look up policy capabilities. ++ * @param t Structure containing parameters for query. If this is ++ * NULL then return all policy capabilities. ++ * @param v Reference to a vector of qpol_typebounds_t. The vector will be ++ * allocated by this function. The caller must call ++ * apol_vector_destroy() afterwards. This will be set to NULL upon no ++ * results or upon error. ++ * ++ * @return 0 on success (including none found), negative on error. ++ */ ++ extern int apol_typebounds_get_by_query(const apol_policy_t * p, apol_typebounds_query_t * t, apol_vector_t ** v); ++ ++/** ++ * Allocate and return a new typebounds query structure. All fields are ++ * initialized, such that running this blank query results in ++ * returning all policy capabilities within the policy. The caller must call ++ * apol_typebounds_query_destroy() upon the return value afterwards. ++ * ++ * @return An initialized typebounds query structure, or NULL upon error. ++ */ ++ extern apol_typebounds_query_t *apol_typebounds_query_create(void); ++ ++/** ++ * Deallocate all memory associated with the referenced typebounds query, ++ * and then set it to NULL. This function does nothing if the query ++ * is already NULL. ++ * ++ * @param t Reference to a typebounds query structure to destroy. ++ */ ++ extern void apol_typebounds_query_destroy(apol_typebounds_query_t ** t); ++ ++/** ++ * Set a typebounds query to return only policy capabilities that match this name. This function ++ * duplicates the incoming name. ++ * ++ * @param p Policy handler, to report errors. ++ * @param t typebounds query to set. ++ * @param name Limit query to only policy capabilities with this name, or ++ * NULL to unset this field. ++ * ++ * @return 0 on success, negative on error. ++ */ ++ extern int apol_typebounds_query_set_name(const apol_policy_t * p, apol_typebounds_query_t * t, const char *name); ++ ++/** ++ * Set a typebounds query to use regular expression searching for all of its ++ * fields. Strings will be treated as regexes instead of literals. ++ * Matching will occur against the policy capability name. ++ * ++ * @param p Policy handler, to report errors. ++ * @param t typebounds query to set. ++ * @param is_regex Non-zero to enable regex searching, 0 to disable. ++ * ++ * @return Always 0. ++ */ ++ extern int apol_typebounds_query_set_regex(const apol_policy_t * p, apol_typebounds_query_t * t, int is_regex); ++ ++ ++ /************ ROLEBOUNDS *************/ ++ typedef struct apol_rolebounds_query apol_rolebounds_query_t; ++/** ++ * Execute a query against all policy capabilities within the policy. ++ * ++ * @param p Policy within which to look up policy capabilities. ++ * @param t Structure containing parameters for query. If this is ++ * NULL then return all policy capabilities. ++ * @param v Reference to a vector of qpol_rolebounds_t. The vector will be ++ * allocated by this function. The caller must call ++ * apol_vector_destroy() afterwards. This will be set to NULL upon no ++ * results or upon error. ++ * ++ * @return 0 on success (including none found), negative on error. ++ */ ++ extern int apol_rolebounds_get_by_query(const apol_policy_t * p, apol_rolebounds_query_t * t, apol_vector_t ** v); ++ ++/** ++ * Allocate and return a new rolebounds query structure. All fields are ++ * initialized, such that running this blank query results in ++ * returning all policy capabilities within the policy. The caller must call ++ * apol_rolebounds_query_destroy() upon the return value afterwards. ++ * ++ * @return An initialized rolebounds query structure, or NULL upon error. ++ */ ++ extern apol_rolebounds_query_t *apol_rolebounds_query_create(void); ++ ++/** ++ * Deallocate all memory associated with the referenced rolebounds query, ++ * and then set it to NULL. This function does nothing if the query ++ * is already NULL. ++ * ++ * @param t Reference to a rolebounds query structure to destroy. ++ */ ++ extern void apol_rolebounds_query_destroy(apol_rolebounds_query_t ** t); ++ ++ /************ USERBOUNDS *************/ ++ typedef struct apol_userbounds_query apol_userbounds_query_t; ++/** ++ * Execute a query against all policy capabilities within the policy. ++ * ++ * @param p Policy within which to look up policy capabilities. ++ * @param t Structure containing parameters for query. If this is ++ * NULL then return all policy capabilities. ++ * @param v Reference to a vector of qpol_userbounds_t. The vector will be ++ * allocated by this function. The caller must call ++ * apol_vector_destroy() afterwards. This will be set to NULL upon no ++ * results or upon error. ++ * ++ * @return 0 on success (including none found), negative on error. ++ */ ++ extern int apol_userbounds_get_by_query(const apol_policy_t * p, apol_userbounds_query_t * t, apol_vector_t ** v); ++ ++/** ++ * Allocate and return a new userbounds query structure. All fields are ++ * initialized, such that running this blank query results in ++ * returning all policy capabilities within the policy. The caller must call ++ * apol_userbounds_query_destroy() upon the return value afterwards. ++ * ++ * @return An initialized userbounds query structure, or NULL upon error. ++ */ ++ extern apol_userbounds_query_t *apol_userbounds_query_create(void); ++ ++/** ++ * Deallocate all memory associated with the referenced userbounds query, ++ * and then set it to NULL. This function does nothing if the query ++ * is already NULL. ++ * ++ * @param t Reference to a userbounds query structure to destroy. ++ */ ++ extern void apol_userbounds_query_destroy(apol_userbounds_query_t ** t); ++ ++ ++#ifdef __cplusplus ++} ++#endif ++ ++#endif +diff --git a/libapol/include/apol/default-object-query.h b/libapol/include/apol/default-object-query.h +new file mode 100644 +index 0000000..d30e002 +--- /dev/null ++++ b/libapol/include/apol/default-object-query.h +@@ -0,0 +1,78 @@ ++/** ++ * @file ++ * ++ * Routines to query default objects in policy. ++ * ++ * @author Richard Haines richard_c_haines@btinternet.com ++ * ++ * Copyright (C) 2006-2007 Tresys Technology, LLC ++ * ++ * This library is free software; you can redistribute it and/or ++ * modify it under the terms of the GNU Lesser General Public ++ * License as published by the Free Software Foundation; either ++ * version 2.1 of the License, or (at your option) any later version. ++ * ++ * This library is distributed in the hope that it will be useful, ++ * but WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ * Lesser General Public License for more details. ++ * ++ * You should have received a copy of the GNU Lesser General Public ++ * License along with this library; if not, write to the Free Software ++ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA ++ */ ++ ++#ifndef APOL_DEFAULT_OBJECT_QUERY_H ++#define APOL_DEFAULT_OBJECT_QUERY_H ++ ++#ifdef __cplusplus ++extern "C" ++{ ++#endif ++ ++#include "policy.h" ++#include "vector.h" ++#include ++ ++ typedef struct apol_default_object_query apol_default_object_query_t; ++/** ++ * Execute a query against all policy capabilities within the policy. ++ * ++ * @param p Policy within which to look up policy capabilities. ++ * @param t Structure containing parameters for query. If this is ++ * NULL then return all policy capabilities. ++ * @param v Reference to a vector of qpol_default_object_t. The vector will be ++ * allocated by this function. The caller must call ++ * apol_vector_destroy() afterwards. This will be set to NULL upon no ++ * results or upon error. ++ * ++ * @return 0 on success (including none found), negative on error. ++ */ ++ extern int apol_default_object_get_by_query(const apol_policy_t * p, apol_default_object_query_t * t, apol_vector_t ** v); ++ ++/** ++ * Allocate and return a new default_object query structure. All fields are ++ * initialized, such that running this blank query results in ++ * returning all policy capabilities within the policy. The caller must call ++ * apol_default_object_query_destroy() upon the return value afterwards. ++ * ++ * @return An initialized default_object query structure, or NULL upon error. ++ */ ++ extern apol_default_object_query_t *apol_default_object_query_create(void); ++ ++/** ++ * Deallocate all memory associated with the referenced default_object query, ++ * and then set it to NULL. This function does nothing if the query ++ * is already NULL. ++ * ++ * @param t Reference to a default_object query structure to destroy. ++ */ ++ extern void apol_default_object_query_destroy(apol_default_object_query_t ** t); ++ ++ ++ ++#ifdef __cplusplus ++} ++#endif ++ ++#endif +diff --git a/libapol/include/apol/ftrule-query.h b/libapol/include/apol/ftrule-query.h +index aee3ad0..276aab9 100644 +--- a/libapol/include/apol/ftrule-query.h ++++ b/libapol/include/apol/ftrule-query.h +@@ -130,7 +130,19 @@ extern "C" + * + * @return 0 on success, negative on error. + */ +- extern int apol_filename_trans_query_set_default(const apol_policy_t * p, apol_filename_trans_query_t * r, const char *filename); ++ extern int apol_filename_trans_query_set_default(const apol_policy_t * p, apol_filename_trans_query_t * r, const char *type); ++ ++/** ++ * Set a filename trans query to the filename. ++ * ++ * @param p Policy handler, to report errors. ++ * @param r FT rule query to set. ++ * @param is_any Non-zero to use source symbol for source or default ++ * field, 0 to keep source as only source. ++ * ++ * @return Always 0. ++ */ ++ extern int apol_filename_trans_query_set_name(const apol_policy_t * p, apol_filename_trans_query_t * t, const char *filename); + + /** + * Set at filename_trans query to return rules with this object (non-common) +diff --git a/libapol/include/apol/policy-query.h b/libapol/include/apol/policy-query.h +index 665e4cb..f1a5c29 100644 +--- a/libapol/include/apol/policy-query.h ++++ b/libapol/include/apol/policy-query.h +@@ -66,6 +66,8 @@ extern "C" + #include "context-query.h" + #include "permissive-query.h" + #include "polcap-query.h" ++#include "bounds-query.h" ++#include "default-object-query.h" + + #include "avrule-query.h" + #include "terule-query.h" +diff --git a/libapol/include/apol/policy.h b/libapol/include/apol/policy.h +index 7b26af8..143153d 100644 +--- a/libapol/include/apol/policy.h ++++ b/libapol/include/apol/policy.h +@@ -91,6 +91,15 @@ extern "C" + extern int apol_policy_get_policy_type(const apol_policy_t * policy); + + /** ++ * Given a policy, return the handle_unknown flag. ++ * ++ * @param policy Policy to check. ++ * ++ * @return The policy handle_unknown flag, or < 0 upon error. ++ */ ++ extern int apol_policy_get_policy_handle_unknown(const apol_policy_t * policy); ++ ++/** + * Given a policy, return a pointer to the underlying qpol_policy. + * This is needed, for example, to access details of particulary qpol + * components. +diff --git a/libapol/src/Makefile.am b/libapol/src/Makefile.am +index baaa4f6..22c80cf 100644 +--- a/libapol/src/Makefile.am ++++ b/libapol/src/Makefile.am +@@ -14,11 +14,13 @@ AM_LDFLAGS = @DEBUGLDFLAGS@ @WARNLDFLAGS@ @PROFILELDFLAGS@ + libapol_a_SOURCES = \ + avrule-query.c \ + bool-query.c \ ++ bounds-query.c \ + bst.c \ + class-perm-query.c \ + condrule-query.c \ + constraint-query.c \ + context-query.c \ ++ default-object-query.c \ + domain-trans-analysis.c domain-trans-analysis-internal.h \ + fscon-query.c \ + infoflow-analysis.c infoflow-analysis-internal.h \ +diff --git a/libapol/src/bounds-query.c b/libapol/src/bounds-query.c +new file mode 100644 +index 0000000..06662f4 +--- /dev/null ++++ b/libapol/src/bounds-query.c +@@ -0,0 +1,216 @@ ++/** ++ * @file ++ * ++ * Provides a way for setools to make queries about policy capabilities ++ * within a policy. The caller obtains a query object, ++ * fills in its parameters, and then runs the query; it obtains a ++ * vector of results. Searches are conjunctive -- all fields of the ++ * search query must match for a datum to be added to the results ++ * query. ++ * ++ * @author Richard Haines richard_c_haines@btinternet.com ++ * ++ * Copyright (C) 2006-2007 Tresys Technology, LLC ++ * ++ * This library is free software; you can redistribute it and/or ++ * modify it under the terms of the GNU Lesser General Public ++ * License as published by the Free Software Foundation; either ++ * version 2.1 of the License, or (at your option) any later version. ++ * ++ * This library is distributed in the hope that it will be useful, ++ * but WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ * Lesser General Public License for more details. ++ * ++ * You should have received a copy of the GNU Lesser General Public ++ * License along with this library; if not, write to the Free Software ++ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA ++ */ ++ ++#include "policy-query-internal.h" ++ ++#include ++ ++ /************ TYPEBOUNDS *************/ ++struct apol_typebounds_query ++{ ++ char *name; ++ unsigned int flags; ++ regex_t *regex; ++}; ++ ++int apol_typebounds_get_by_query(const apol_policy_t * p, apol_typebounds_query_t * q, apol_vector_t ** v) ++{ ++ qpol_iterator_t *iter; ++ int retval = -1; ++ ++ *v = NULL; ++ if (qpol_policy_get_typebounds_iter(p->p, &iter) < 0) { ++ return -1; ++ } ++ if ((*v = apol_vector_create(NULL)) == NULL) { ++ ERR(p, "%s", strerror(errno)); ++ goto cleanup; ++ } ++ for (; !qpol_iterator_end(iter); qpol_iterator_next(iter)) { ++ const qpol_typebounds_t *typebounds; ++ if (qpol_iterator_get_item(iter, (void **)&typebounds) < 0) { ++ goto cleanup; ++ } ++ if (q != NULL) { ++ if (apol_compare_typebounds(p, typebounds, q->name, ++ q->flags, &(q->regex)) == 1) { ++ if (apol_vector_append(*v, (void *)typebounds)) { ++ ERR(p, "%s", strerror(ENOMEM)); ++ goto cleanup; ++ } ++ } ++ } ++ } ++ ++ retval = 0; ++cleanup: ++ if (retval != 0) { ++ apol_vector_destroy(v); ++ } ++ qpol_iterator_destroy(&iter); ++ return retval; ++} ++ ++apol_typebounds_query_t *apol_typebounds_query_create(void) ++{ ++ return calloc(1, sizeof(apol_typebounds_query_t)); ++} ++ ++void apol_typebounds_query_destroy(apol_typebounds_query_t ** q) ++{ ++ if (*q != NULL) { ++ free((*q)->name); ++ apol_regex_destroy(&(*q)->regex); ++ free(*q); ++ *q = NULL; ++ } ++} ++ ++int apol_typebounds_query_set_name(const apol_policy_t * p, apol_typebounds_query_t * q, const char *name) ++{ ++ return apol_query_set(p, &q->name, &q->regex, name); ++} ++ ++int apol_typebounds_query_set_regex(const apol_policy_t * p, apol_typebounds_query_t * q, int is_regex) ++{ ++ return apol_query_set_regex(p, &q->flags, is_regex); ++} ++ ++ ++ /************ ROLEBOUNDS *************/ ++struct apol_rolebounds_query ++{ ++ char *name; ++}; ++ ++int apol_rolebounds_get_by_query(const apol_policy_t * p, apol_rolebounds_query_t * q, apol_vector_t ** v) ++{ ++ qpol_iterator_t *iter; ++ int retval = -1; ++ ++ *v = NULL; ++ if (qpol_policy_get_rolebounds_iter(p->p, &iter) < 0) { ++ return -1; ++ } ++ if ((*v = apol_vector_create(NULL)) == NULL) { ++ ERR(p, "%s", strerror(errno)); ++ goto cleanup; ++ } ++ for (; !qpol_iterator_end(iter); qpol_iterator_next(iter)) { ++ const qpol_rolebounds_t *rolebounds; ++ if (qpol_iterator_get_item(iter, (void **)&rolebounds) < 0) { ++ goto cleanup; ++ } ++ if (q != NULL) { ++ if (apol_vector_append(*v, (void *)rolebounds)) { ++ ERR(p, "%s", strerror(ENOMEM)); ++ goto cleanup; ++ } ++ } ++ } ++ ++ retval = 0; ++cleanup: ++ if (retval != 0) { ++ apol_vector_destroy(v); ++ } ++ qpol_iterator_destroy(&iter); ++ return retval; ++} ++ ++apol_rolebounds_query_t *apol_rolebounds_query_create(void) ++{ ++ return calloc(1, sizeof(apol_rolebounds_query_t)); ++} ++ ++void apol_rolebounds_query_destroy(apol_rolebounds_query_t ** q) ++{ ++ if (*q != NULL) { ++ free((*q)->name); ++ free(*q); ++ *q = NULL; ++ } ++} ++ ++ ++ /************ USERBOUNDS *************/ ++struct apol_userbounds_query ++{ ++ char *name; ++}; ++ ++int apol_userbounds_get_by_query(const apol_policy_t * p, apol_userbounds_query_t * q, apol_vector_t ** v) ++{ ++ qpol_iterator_t *iter; ++ int retval = -1; ++ ++ *v = NULL; ++ if (qpol_policy_get_userbounds_iter(p->p, &iter) < 0) { ++ return -1; ++ } ++ if ((*v = apol_vector_create(NULL)) == NULL) { ++ ERR(p, "%s", strerror(errno)); ++ goto cleanup; ++ } ++ for (; !qpol_iterator_end(iter); qpol_iterator_next(iter)) { ++ const qpol_userbounds_t *userbounds; ++ if (qpol_iterator_get_item(iter, (void **)&userbounds) < 0) { ++ goto cleanup; ++ } ++ if (q != NULL) { ++ if (apol_vector_append(*v, (void *)userbounds)) { ++ ERR(p, "%s", strerror(ENOMEM)); ++ goto cleanup; ++ } ++ } ++ } ++ ++ retval = 0; ++cleanup: ++ if (retval != 0) { ++ apol_vector_destroy(v); ++ } ++ qpol_iterator_destroy(&iter); ++ return retval; ++} ++ ++apol_userbounds_query_t *apol_userbounds_query_create(void) ++{ ++ return calloc(1, sizeof(apol_userbounds_query_t)); ++} ++ ++void apol_userbounds_query_destroy(apol_userbounds_query_t ** q) ++{ ++ if (*q != NULL) { ++ free((*q)->name); ++ free(*q); ++ *q = NULL; ++ } ++} ++ +diff --git a/libapol/src/default-object-query.c b/libapol/src/default-object-query.c +new file mode 100644 +index 0000000..3724e69 +--- /dev/null ++++ b/libapol/src/default-object-query.c +@@ -0,0 +1,87 @@ ++/** ++ * @file ++ * ++ * Provides a way for setools to make queries about policy capabilities ++ * within a policy. The caller obtains a query object, ++ * fills in its parameters, and then runs the query; it obtains a ++ * vector of results. Searches are conjunctive -- all fields of the ++ * search query must match for a datum to be added to the results ++ * query. ++ * ++ * @author Richard Haines richard_c_haines@btinternet.com ++ * ++ * Copyright (C) 2006-2007 Tresys Technology, LLC ++ * ++ * This library is free software; you can redistribute it and/or ++ * modify it under the terms of the GNU Lesser General Public ++ * License as published by the Free Software Foundation; either ++ * version 2.1 of the License, or (at your option) any later version. ++ * ++ * This library is distributed in the hope that it will be useful, ++ * but WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ * Lesser General Public License for more details. ++ * ++ * You should have received a copy of the GNU Lesser General Public ++ * License along with this library; if not, write to the Free Software ++ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA ++ */ ++ ++#include "policy-query-internal.h" ++ ++#include ++ ++struct apol_default_object_query ++{ ++ char *name; ++}; ++ ++int apol_default_object_get_by_query(const apol_policy_t * p, apol_default_object_query_t * q, apol_vector_t ** v) ++{ ++ qpol_iterator_t *iter; ++ int retval = -1; ++ ++ *v = NULL; ++ if (qpol_policy_get_default_object_iter(p->p, &iter) < 0) { ++ return -1; ++ } ++ if ((*v = apol_vector_create(NULL)) == NULL) { ++ ERR(p, "%s", strerror(errno)); ++ goto cleanup; ++ } ++ for (; !qpol_iterator_end(iter); qpol_iterator_next(iter)) { ++ const qpol_default_object_t *default_object; ++ if (qpol_iterator_get_item(iter, (void **)&default_object) < 0) { ++ goto cleanup; ++ } ++ if (q != NULL) { ++ if (apol_vector_append(*v, (void *)default_object)) { ++ ERR(p, "%s", strerror(ENOMEM)); ++ goto cleanup; ++ } ++ } ++ } ++ ++ retval = 0; ++cleanup: ++ if (retval != 0) { ++ apol_vector_destroy(v); ++ } ++ qpol_iterator_destroy(&iter); ++ return retval; ++} ++ ++apol_default_object_query_t *apol_default_object_query_create(void) ++{ ++ return calloc(1, sizeof(apol_default_object_query_t)); ++} ++ ++void apol_default_object_query_destroy(apol_default_object_query_t ** q) ++{ ++ if (*q != NULL) { ++ free((*q)->name); ++ free(*q); ++ *q = NULL; ++ } ++} ++ +diff --git a/libapol/src/ftrule-query.c b/libapol/src/ftrule-query.c +index 50c6c7a..aeebc25 100644 +--- a/libapol/src/ftrule-query.c ++++ b/libapol/src/ftrule-query.c +@@ -215,10 +215,10 @@ void apol_filename_trans_query_destroy(apol_filename_trans_query_t ** t) + } + } + +-int apol_filename_trans_query_set_source(const apol_policy_t * p, apol_filename_trans_query_t * t, const char *filename, int is_indirect) ++int apol_filename_trans_query_set_source(const apol_policy_t * p, apol_filename_trans_query_t * t, const char *type, int is_indirect) + { + apol_query_set_flag(p, &t->flags, is_indirect, APOL_QUERY_SOURCE_INDIRECT); +- return apol_query_set(p, &t->source, NULL, filename); ++ return apol_query_set(p, &t->source, NULL, type); + } + + //TODO is the equivilent terule_query_set_{source,target}_compoenent needed? +diff --git a/libapol/src/libapol.map b/libapol/src/libapol.map +index 7657a2d..8741bf4 100644 +--- a/libapol/src/libapol.map ++++ b/libapol/src/libapol.map +@@ -83,5 +83,9 @@ VERS_4.1{ + VERS_4.2{ + global: + apol_permissive_*; ++ apol_typebounds_*; ++ apol_rolebounds_*; ++ apol_userbounds_*; + apol_polcap_*; ++ apol_default_object_*; + } VERS_4.1; +diff --git a/libapol/src/policy-query-internal.h b/libapol/src/policy-query-internal.h +index 657c815..d7e57e0 100644 +--- a/libapol/src/policy-query-internal.h ++++ b/libapol/src/policy-query-internal.h +@@ -228,6 +228,25 @@ extern "C" + regex_t ** type_regex); + + /** ++ * Determines if a (partial) typebounds query matches a qpol_typebounds_t, ++ * by name. ++ * ++ * @param p Policy within which to look up types. ++ * @param type typebounds datum to compare against. ++ * @param name Source target from which to compare. ++ * @param flags If APOL_QUERY_REGEX bit is set, treat name as a ++ * regular expression. ++ * @param regex If using regexp comparison, the compiled regular ++ * expression to use; the pointer will be allocated space if regexp is ++ * legal. If NULL, then compile the regexp pattern given by name and ++ * cache it here. ++ * ++ * @return 1 If comparison succeeds, 0 if not; < 0 on error. ++ */ ++ int apol_compare_typebounds(const apol_policy_t * p, const qpol_typebounds_t * typebounds, const char *name, unsigned int flags, ++ regex_t ** type_regex); ++ ++/** + * Determines if a boolean is used within a particual conditional. + * + * @param p Policy within which to look up types. +diff --git a/libapol/src/policy-query.c b/libapol/src/policy-query.c +index 18152fb..5ce52a2 100644 +--- a/libapol/src/policy-query.c ++++ b/libapol/src/policy-query.c +@@ -188,6 +188,29 @@ int apol_compare_polcap(const apol_policy_t * p, const qpol_polcap_t * polcap, c + return compval; + } + ++int apol_compare_typebounds(const apol_policy_t * p, const qpol_typebounds_t * typebounds, const char *name, unsigned int flags, ++ regex_t ** typebounds_regex) ++{ ++ const char *typebounds_parent_name = NULL; ++ const char *typebounds_child_name = NULL; ++ ++ int compval = 0; ++ ++ qpol_typebounds_get_parent_name(p->p, typebounds, &typebounds_parent_name); ++ qpol_typebounds_get_child_name(p->p, typebounds, &typebounds_child_name); ++ ++ if (typebounds_parent_name != NULL) { ++ compval = apol_compare(p, typebounds_parent_name, name, flags, typebounds_regex); ++ } ++ if (typebounds_child_name != NULL && compval == 0) { ++ compval = apol_compare(p, typebounds_child_name, name, flags, typebounds_regex); ++ return compval; ++ } else { ++ return compval; ++ } ++ return 0; ++} ++ + int apol_compare_cond_expr(const apol_policy_t * p, const qpol_cond_t * cond, const char *name, unsigned int flags, + regex_t ** bool_regex) + { +diff --git a/libapol/src/policy.c b/libapol/src/policy.c +index 95ab7cd..f253db9 100644 +--- a/libapol/src/policy.c ++++ b/libapol/src/policy.c +@@ -155,6 +155,15 @@ int apol_policy_get_policy_type(const apol_policy_t * policy) + return policy->policy_type; + } + ++int apol_policy_get_policy_handle_unknown(const apol_policy_t * p) ++{ ++ unsigned int handle_unknown; ++ if (qpol_policy_get_policy_handle_unknown(p->p, &handle_unknown) < 0) { ++ return -1; ++ } ++ return handle_unknown; ++} ++ + qpol_policy_t *apol_policy_get_qpol(const apol_policy_t * policy) + { + if (policy == NULL) { +diff --git a/libapol/swig/apol.i b/libapol/swig/apol.i +index ae1262d..8a4a195 100644 +--- a/libapol/swig/apol.i ++++ b/libapol/swig/apol.i +@@ -256,7 +256,7 @@ uint8_t apol_str_to_protocol(const char *protocol_str); + } + %} + %extend apol_ip_t { +- apol_ip_t(const char *str) { ++ apol_ip(const char *str) { + apol_ip_t *ip = NULL; + BEGIN_EXCEPTION + ip = calloc(1, sizeof(*ip)); +@@ -274,7 +274,7 @@ uint8_t apol_str_to_protocol(const char *protocol_str); + fail: + return ip; + }; +- ~apol_ip_t() { ++ ~apol_ip() { + free(self); + }; + int get_protocol() { +@@ -303,31 +303,35 @@ char *apol_file_find_path(const char *file_name); + %} + typedef struct apol_vector {} apol_vector_t; + %extend apol_vector_t { +- apol_vector_t() { ++ apol_vector() { + return apol_vector_create(NULL); + }; +- apol_vector_t(qpol_iterator_t *iter) { ++ apol_vector(qpol_iterator_t *iter) { + return apol_vector_create_from_iter(iter, NULL); + }; +- apol_vector_t(apol_vector_t *v) { ++ apol_vector(apol_vector_t *v) { + return apol_vector_create_from_vector(v, NULL, NULL, NULL); + }; +- apol_vector_t(apol_vector_t *a, apol_vector_t *b) { ++ apol_vector(apol_vector_t *a, apol_vector_t *b) { + return apol_vector_create_from_intersection(a, b, NULL, NULL); + }; +- size_t get_size() { ++ %rename(get_size) wrap_get_size; ++ size_t wrap_get_size() { + return apol_vector_get_size(self); + }; +- size_t get_capacity() { ++ %rename(get_capacity) wrap_get_capacity; ++ size_t wrap_get_capacity() { + return apol_vector_get_capacity(self); + }; +- void *get_element(size_t i) { ++ %rename(get_element) wrap_get_element; ++ void *wrap_get_element(size_t i) { + return apol_vector_get_element(self, i); + }; +- ~apol_vector_t() { ++ ~apol_vector() { + apol_vector_destroy(&self); + }; +- void append(void *x) { ++ %rename(append) wrap_append; ++ void wrap_append(void *x) { + BEGIN_EXCEPTION + if (apol_vector_append(self, x)) { + SWIG_exception(SWIG_MemoryError, "Out of memory"); +@@ -336,7 +340,8 @@ typedef struct apol_vector {} apol_vector_t; + fail: + return; + }; +- void append_unique(void *x) { ++ %rename(append_unique) wrap_append_unique; ++ void wrap_append_unique(void *x) { + BEGIN_EXCEPTION + if (apol_vector_append_unique(self, x, NULL, NULL)) { + SWIG_exception(SWIG_MemoryError, "Out of memory"); +@@ -345,7 +350,8 @@ typedef struct apol_vector {} apol_vector_t; + fail: + return; + }; +- void cat(apol_vector_t *src) { ++ %rename(cat) wrap_cat; ++ void wrap_cat(apol_vector_t *src) { + BEGIN_EXCEPTION + if (apol_vector_cat(self, src)) { + SWIG_exception(SWIG_MemoryError, "Out of memory"); +@@ -354,7 +360,8 @@ typedef struct apol_vector {} apol_vector_t; + fail: + return; + }; +- void remove(size_t idx) { ++ %rename(remove) wrap_remove; ++ void wrap_remove(size_t idx) { + BEGIN_EXCEPTION + if (apol_vector_remove(self, idx)) { + SWIG_exception(SWIG_RuntimeError, "Error removing vector element"); +@@ -363,10 +370,12 @@ typedef struct apol_vector {} apol_vector_t; + fail: + return; + }; +- void sort() { ++ %rename(sort) wrap_sort; ++ void wrap_sort() { + apol_vector_sort(self, NULL, NULL); + }; +- void sort_uniquify() { ++ %rename(sort_uniquify) wrap_sort_uniquify; ++ void wrap_sort_uniquify() { + apol_vector_sort_uniquify(self, NULL, NULL); + }; + }; +@@ -379,13 +388,13 @@ typedef struct apol_vector {} apol_vector_t; + %} + typedef struct apol_string_vector {} apol_string_vector_t; + %extend apol_string_vector_t { +- apol_string_vector_t() { ++ apol_string_vector() { + return (apol_string_vector_t*)apol_vector_create(free); + }; +- apol_string_vector_t(apol_string_vector_t *v) { ++ apol_string_vector(apol_string_vector_t *v) { + return (apol_string_vector_t*)apol_vector_create_from_vector((apol_vector_t*)v, apol_str_strdup, NULL, free); + }; +- apol_string_vector_t(apol_string_vector_t *a, apol_string_vector_t *b) { ++ apol_string_vector(apol_string_vector_t *a, apol_string_vector_t *b) { + return (apol_string_vector_t*)apol_vector_create_from_intersection((apol_vector_t*)a, (apol_vector_t*)b, apol_str_strcmp, NULL); + }; + size_t get_size() { +@@ -397,7 +406,7 @@ typedef struct apol_string_vector {} apol_string_vector_t; + char *get_element(size_t i) { + return (char*)apol_vector_get_element((apol_vector_t*)self, i); + }; +- ~apol_string_vector_t() { ++ ~apol_string_vector() { + apol_vector_destroy((apol_vector_t**)&self); + }; + size_t get_index(char *str) { +@@ -462,7 +471,7 @@ typedef struct apol_string_vector {} apol_string_vector_t; + } apol_policy_path_type_e; + typedef struct apol_policy_path {} apol_policy_path_t; + %extend apol_policy_path_t { +- apol_policy_path_t(apol_policy_path_type_e type, char * primary, apol_string_vector_t *modules = NULL) { ++ apol_policy_path(apol_policy_path_type_e type, char * primary, apol_string_vector_t *modules = NULL) { + apol_policy_path_t *p; + BEGIN_EXCEPTION + if ((p = apol_policy_path_create(type, primary, (apol_vector_t*)modules)) == NULL) { +@@ -472,7 +481,7 @@ typedef struct apol_policy_path {} apol_policy_path_t; + fail: + return p; + }; +- apol_policy_path_t(char *path) { ++ apol_policy_path(char *path) { + apol_policy_path_t *p; + BEGIN_EXCEPTION + if ((p = apol_policy_path_create_from_file(path)) == NULL) { +@@ -482,7 +491,7 @@ typedef struct apol_policy_path {} apol_policy_path_t; + fail: + return p; + }; +- apol_policy_path_t(char *str, int unused) { ++ apol_policy_path(char *str, int unused) { + apol_policy_path_t *p; + BEGIN_EXCEPTION + if ((p = apol_policy_path_create_from_string(str)) == NULL) { +@@ -492,7 +501,7 @@ typedef struct apol_policy_path {} apol_policy_path_t; + fail: + return p; + }; +- apol_policy_path_t(apol_policy_path_t *in) { ++ apol_policy_path(apol_policy_path_t *in) { + apol_policy_path_t *p; + BEGIN_EXCEPTION + if ((p = apol_policy_path_create_from_policy_path(in)) == NULL) { +@@ -502,20 +511,24 @@ typedef struct apol_policy_path {} apol_policy_path_t; + fail: + return p; + }; +- ~apol_policy_path_t() { ++ ~apol_policy_path() { + apol_policy_path_destroy(&self); + }; +- apol_policy_path_type_e get_type() { ++ %rename(get_type) wrap_get_type; ++ apol_policy_path_type_e wrap_get_type() { + return apol_policy_path_get_type(self); + }; +- const char *get_primary() { ++ %rename(get_primary) wrap_get_primary; ++ const char *wrap_get_primary() { + return apol_policy_path_get_primary(self); + }; +- const apol_string_vector_t *get_modules() { ++ %rename(get_modules) wrap_get_modules; ++ const apol_string_vector_t *wrap_get_modules() { + return (apol_string_vector_t*)apol_policy_path_get_modules(self); + }; + %newobject to_string(); +- char *to_string() { ++ %rename(to_string) wrap_to_string; ++ char *wrap_to_string() { + char *str; + BEGIN_EXCEPTION + str = apol_policy_path_to_string(self); +@@ -526,7 +539,8 @@ typedef struct apol_policy_path {} apol_policy_path_t; + fail: + return str; + }; +- void to_file(char *path) { ++ %rename(to_file) wrap_to_file; ++ void wrap_to_file(char *path) { + BEGIN_EXCEPTION + if (apol_policy_path_to_file(self, path)) { + SWIG_exception(SWIG_RuntimeError, "Input/outpet error"); +@@ -549,7 +563,7 @@ typedef struct apol_policy {} apol_policy_t; + #define APOL_PERMMAP_BOTH (APOL_PERMMAP_READ | APOL_PERMMAP_WRITE) + #define APOL_PERMMAP_NONE 0x10 + %extend apol_policy_t { +- apol_policy_t(apol_policy_path_t *path, int options = 0) { ++ apol_policy(apol_policy_path_t *path, int options = 0) { + apol_policy_t *p; + BEGIN_EXCEPTION + p = apol_policy_create_from_policy_path(path, options, apol_swig_message_callback, apol_swig_message_callback_arg); +@@ -564,20 +578,30 @@ typedef struct apol_policy {} apol_policy_t; + fail: + return p; + }; +- ~apol_policy_t() { ++ ~apol_policy() { + apol_policy_destroy(&self); + }; +- int get_policy_type() { ++ %rename(get_policy_type) wrap_get_policy_type; ++ int wrap_get_policy_type() { + return apol_policy_get_policy_type(self); + }; +- qpol_policy_t *get_qpol() { ++ ++ %rename(get_policy_handle_unknown) wrap_get_policy_handle_unknown; ++ int wrap_get_policy_handle_unknown() { ++ return apol_policy_get_policy_handle_unknown(self); ++ }; ++ ++ %rename(get_qpol) wrap_get_qpol; ++ qpol_policy_t *wrap_get_qpol() { + return apol_policy_get_qpol(self); + }; +- int is_mls() { ++ %rename(is_mls) wrap_is_mls; ++ int wrap_is_mls() { + return apol_policy_is_mls(self); + }; + %newobject get_version_type_mls_str(); +- char *get_version_type_mls_str() { ++ %rename(get_version_type_mls_str) wrap_get_version_type_mls_str; ++ char *wrap_get_version_type_mls_str() { + char *str; + BEGIN_EXCEPTION + str = apol_policy_get_version_type_mls_str(self); +@@ -588,7 +612,8 @@ typedef struct apol_policy {} apol_policy_t; + fail: + return str; + }; +- void open_permmap(const char *path) { ++ %rename(open_permmap) wrap_open_permmap; ++ void wrap_open_permmap(const char *path) { + BEGIN_EXCEPTION + if (apol_policy_open_permmap(self, path) < 0) { + SWIG_exception(SWIG_RuntimeError, "Error loading permission map"); +@@ -597,7 +622,8 @@ typedef struct apol_policy {} apol_policy_t; + fail: + return; + }; +- void save_permmap(const char *path) { ++ %rename(save_permmap) wrap_save_permmap; ++ void wrap_save_permmap(const char *path) { + BEGIN_EXCEPTION + if (apol_policy_save_permmap(self, path)) { + SWIG_exception(SWIG_RuntimeError, "Could not save permission map"); +@@ -626,7 +652,8 @@ typedef struct apol_policy {} apol_policy_t; + fail: + return dir; + }; +- void set_permmap(const char *class_name, const char *perm_name, int direction, int weight) { ++ %rename(set_permmap) wrap_set_permmap; ++ void wrap_set_permmap(const char *class_name, const char *perm_name, int direction, int weight) { + BEGIN_EXCEPTION + if (apol_policy_set_permmap(self, class_name, perm_name, direction, weight)) { + SWIG_exception(SWIG_RuntimeError, "Could not set permission mapping"); +@@ -635,7 +662,8 @@ typedef struct apol_policy {} apol_policy_t; + fail: + return; + }; +- void build_domain_trans_table() { ++ %rename(build_domain_trans_table) wrap_build_domain_trans_table; ++ void wrap_build_domain_trans_table() { + BEGIN_EXCEPTION + if (apol_policy_build_domain_trans_table(self)) { + SWIG_exception(SWIG_RuntimeError, "Could not build domain transition table"); +@@ -644,7 +672,8 @@ typedef struct apol_policy {} apol_policy_t; + fail: + return; + }; +- void reset_domain_trans_table() { ++ %rename(reset_domain_trans_table) wrap_reset_domain_trans_table; ++ void wrap_reset_domain_trans_table() { + apol_policy_reset_domain_trans_table(self); + } + }; +@@ -652,7 +681,7 @@ typedef struct apol_policy {} apol_policy_t; + /* apol type query */ + typedef struct apol_type_query {} apol_type_query_t; + %extend apol_type_query_t { +- apol_type_query_t() { ++ apol_type_query() { + apol_type_query_t *tq; + BEGIN_EXCEPTION + tq = apol_type_query_create(); +@@ -663,7 +692,7 @@ typedef struct apol_type_query {} apol_type_query_t; + fail: + return tq; + }; +- ~apol_type_query_t() { ++ ~apol_type_query() { + apol_type_query_destroy(&self); + }; + %newobject run(apol_policy_t *); +@@ -677,7 +706,8 @@ typedef struct apol_type_query {} apol_type_query_t; + fail: + return v; + }; +- void set_type(apol_policy_t *p, char *name) { ++ %rename(set_type) wrap_set_type; ++ void wrap_set_type(apol_policy_t *p, char *name) { + BEGIN_EXCEPTION + if (apol_type_query_set_type(p, self, name)) { + SWIG_exception(SWIG_MemoryError, "Out of memory"); +@@ -686,7 +716,8 @@ typedef struct apol_type_query {} apol_type_query_t; + fail: + return; + }; +- void set_regex(apol_policy_t *p, int regex) { ++ %rename(set_regex) wrap_set_regex; ++ void wrap_set_regex(apol_policy_t *p, int regex) { + apol_type_query_set_regex(p, self, regex); + }; + }; +@@ -694,7 +725,7 @@ typedef struct apol_type_query {} apol_type_query_t; + /* apol attribute query */ + typedef struct apol_attr_query {} apol_attr_query_t; + %extend apol_attr_query_t { +- apol_attr_query_t() { ++ apol_attr_query() { + apol_attr_query_t *aq; + BEGIN_EXCEPTION + aq = apol_attr_query_create(); +@@ -705,7 +736,7 @@ typedef struct apol_attr_query {} apol_attr_query_t; + fail: + return aq; + }; +- ~apol_attr_query_t() { ++ ~apol_attr_query() { + apol_attr_query_destroy(&self); + }; + %newobject run(apol_policy_t *); +@@ -719,7 +750,8 @@ typedef struct apol_attr_query {} apol_attr_query_t; + fail: + return v; + }; +- void set_attr(apol_policy_t *p, char *name) { ++ %rename(set_attr) wrap_set_attr; ++ void wrap_set_attr(apol_policy_t *p, char *name) { + BEGIN_EXCEPTION + if (apol_attr_query_set_attr(p, self, name)) { + SWIG_exception(SWIG_MemoryError, "Out of memory"); +@@ -728,7 +760,8 @@ typedef struct apol_attr_query {} apol_attr_query_t; + fail: + return; + }; +- void set_regex(apol_policy_t *p, int regex) { ++ %rename(set_regex) wrap_set_regex; ++ void wrap_set_regex(apol_policy_t *p, int regex) { + apol_attr_query_set_regex(p, self, regex); + }; + }; +@@ -736,7 +769,7 @@ typedef struct apol_attr_query {} apol_attr_query_t; + /* apol role query */ + typedef struct apol_role_query {} apol_role_query_t; + %extend apol_role_query_t { +- apol_role_query_t() { ++ apol_role_query() { + apol_role_query_t *rq; + BEGIN_EXCEPTION + rq = apol_role_query_create(); +@@ -747,7 +780,7 @@ typedef struct apol_role_query {} apol_role_query_t; + fail: + return rq; + }; +- ~apol_role_query_t() { ++ ~apol_role_query() { + apol_role_query_destroy(&self); + }; + %newobject run(apol_policy_t *); +@@ -761,7 +794,8 @@ typedef struct apol_role_query {} apol_role_query_t; + fail: + return v; + }; +- void set_role(apol_policy_t *p, char *name) { ++ %rename(set_role) wrap_set_role; ++ void wrap_set_role(apol_policy_t *p, char *name) { + BEGIN_EXCEPTION + if (apol_role_query_set_role(p, self, name)) { + SWIG_exception(SWIG_MemoryError, "Out of memory"); +@@ -770,7 +804,8 @@ typedef struct apol_role_query {} apol_role_query_t; + fail: + return; + }; +- void set_type(apol_policy_t *p, char *name) { ++ %rename(set_type) wrap_set_type; ++ void wrap_set_type(apol_policy_t *p, char *name) { + BEGIN_EXCEPTION + if (apol_role_query_set_type(p, self, name)) { + SWIG_exception(SWIG_MemoryError, "Out of memory"); +@@ -779,7 +814,8 @@ typedef struct apol_role_query {} apol_role_query_t; + fail: + return; + }; +- void set_regex(apol_policy_t *p, int regex) { ++ %rename(set_regex) wrap_set_regex; ++ void wrap_set_regex(apol_policy_t *p, int regex) { + apol_role_query_set_regex(p, self, regex); + }; + }; +@@ -788,7 +824,7 @@ int apol_role_has_type(apol_policy_t * p, qpol_role_t * r, qpol_type_t * t); + /* apol class query */ + typedef struct apol_class_query {} apol_class_query_t; + %extend apol_class_query_t { +- apol_class_query_t() { ++ apol_class_query() { + apol_class_query_t *cq; + BEGIN_EXCEPTION + cq = apol_class_query_create(); +@@ -799,7 +835,7 @@ typedef struct apol_class_query {} apol_class_query_t; + fail: + return cq; + }; +- ~apol_class_query_t() { ++ ~apol_class_query() { + apol_class_query_destroy(&self); + }; + %newobject run(apol_policy_t*); +@@ -813,7 +849,8 @@ typedef struct apol_class_query {} apol_class_query_t; + fail: + return v; + }; +- void set_class(apol_policy_t *p, char *name) { ++ %rename(set_class) wrap_set_class; ++ void wrap_set_class(apol_policy_t *p, char *name) { + BEGIN_EXCEPTION + if (apol_class_query_set_class(p, self, name)) { + SWIG_exception(SWIG_MemoryError, "Out of memory"); +@@ -822,7 +859,8 @@ typedef struct apol_class_query {} apol_class_query_t; + fail: + return; + }; +- void set_common(apol_policy_t *p, char *name) { ++ %rename(set_common) wrap_set_common; ++ void wrap_set_common(apol_policy_t *p, char *name) { + BEGIN_EXCEPTION + if (apol_class_query_set_common(p, self, name)) { + SWIG_exception(SWIG_MemoryError, "Out of memory"); +@@ -831,7 +869,8 @@ typedef struct apol_class_query {} apol_class_query_t; + fail: + return; + }; +- void set_regex(apol_policy_t *p, int regex) { ++ %rename(set_regex) wrap_set_regex; ++ void wrap_set_regex(apol_policy_t *p, int regex) { + apol_class_query_set_regex(p, self, regex); + }; + }; +@@ -839,7 +878,7 @@ typedef struct apol_class_query {} apol_class_query_t; + /* apol common query */ + typedef struct apol_common_query {} apol_common_query_t; + %extend apol_common_query_t { +- apol_common_query_t() { ++ apol_common_query() { + apol_common_query_t *cq; + BEGIN_EXCEPTION + cq = apol_common_query_create(); +@@ -850,7 +889,7 @@ typedef struct apol_common_query {} apol_common_query_t; + fail: + return cq; + }; +- ~apol_common_query_t() { ++ ~apol_common_query() { + apol_common_query_destroy(&self); + }; + %newobject run(apol_policy_t*); +@@ -864,7 +903,8 @@ typedef struct apol_common_query {} apol_common_query_t; + fail: + return v; + }; +- void set_common(apol_policy_t *p, char *name) { ++ %rename(set_common) wrap_set_common; ++ void wrap_set_common(apol_policy_t *p, char *name) { + BEGIN_EXCEPTION + if (apol_common_query_set_common(p, self, name)) { + SWIG_exception(SWIG_MemoryError, "Out of memory"); +@@ -873,7 +913,8 @@ typedef struct apol_common_query {} apol_common_query_t; + fail: + return; + }; +- void set_regex(apol_policy_t *p, int regex) { ++ %rename(set_regex) wrap_set_regex; ++ void wrap_set_regex(apol_policy_t *p, int regex) { + apol_common_query_set_regex(p, self, regex); + }; + }; +@@ -881,7 +922,7 @@ typedef struct apol_common_query {} apol_common_query_t; + /* apol perm query */ + typedef struct apol_perm_query {} apol_perm_query_t; + %extend apol_perm_query_t { +- apol_perm_query_t() { ++ apol_perm_query() { + apol_perm_query_t *pq; + BEGIN_EXCEPTION + pq = apol_perm_query_create(); +@@ -892,7 +933,7 @@ typedef struct apol_perm_query {} apol_perm_query_t; + fail: + return pq; + }; +- ~apol_perm_query_t() { ++ ~apol_perm_query() { + apol_perm_query_destroy(&self); + }; + %newobject run(apol_policy_t*); +@@ -906,7 +947,8 @@ typedef struct apol_perm_query {} apol_perm_query_t; + fail: + return (apol_string_vector_t*)v; + }; +- void set_perm(apol_policy_t *p, char *name) { ++ %rename(set_perm) wrap_set_perm; ++ void wrap_set_perm(apol_policy_t *p, char *name) { + BEGIN_EXCEPTION + if (apol_perm_query_set_perm(p, self, name)) { + SWIG_exception(SWIG_MemoryError, "Out of memory"); +@@ -915,7 +957,8 @@ typedef struct apol_perm_query {} apol_perm_query_t; + fail: + return; + }; +- void set_regex(apol_policy_t *p, int regex) { ++ %rename(set_regex) wrap_set_regex; ++ void wrap_set_regex(apol_policy_t *p, int regex) { + apol_perm_query_set_regex(p, self, regex); + }; + }; +@@ -923,7 +966,7 @@ typedef struct apol_perm_query {} apol_perm_query_t; + /* apol bool query */ + typedef struct apol_bool_query {} apol_bool_query_t; + %extend apol_bool_query_t { +- apol_bool_query_t() { ++ apol_bool_query() { + apol_bool_query_t *bq; + BEGIN_EXCEPTION + bq = apol_bool_query_create(); +@@ -934,7 +977,7 @@ typedef struct apol_bool_query {} apol_bool_query_t; + fail: + return bq; + }; +- ~apol_bool_query_t() { ++ ~apol_bool_query() { + apol_bool_query_destroy(&self); + }; + %newobject run(apol_policy_t*); +@@ -948,7 +991,8 @@ typedef struct apol_bool_query {} apol_bool_query_t; + fail: + return v; + }; +- void set_bool(apol_policy_t *p, char *name) { ++ %rename(set_bool) wrap_set_bool; ++ void wrap_set_bool(apol_policy_t *p, char *name) { + BEGIN_EXCEPTION + if (apol_bool_query_set_bool(p, self, name)) { + SWIG_exception(SWIG_MemoryError, "Out of memory"); +@@ -957,7 +1001,8 @@ typedef struct apol_bool_query {} apol_bool_query_t; + fail: + return; + }; +- void set_regex(apol_policy_t *p, int regex) { ++ %rename(set_regex) wrap_set_regex; ++ void wrap_set_regex(apol_policy_t *p, int regex) { + apol_bool_query_set_regex(p, self, regex); + }; + }; +@@ -965,7 +1010,7 @@ typedef struct apol_bool_query {} apol_bool_query_t; + /* apol mls level */ + typedef struct apol_mls_level {} apol_mls_level_t; + %extend apol_mls_level_t { +- apol_mls_level_t() { ++ apol_mls_level() { + apol_mls_level_t *aml; + BEGIN_EXCEPTION + aml = apol_mls_level_create(); +@@ -976,7 +1021,7 @@ typedef struct apol_mls_level {} apol_mls_level_t; + fail: + return aml; + }; +- apol_mls_level_t(apol_mls_level_t *in) { ++ apol_mls_level(apol_mls_level_t *in) { + apol_mls_level_t *aml; + BEGIN_EXCEPTION + aml = apol_mls_level_create_from_mls_level(in); +@@ -987,7 +1032,7 @@ typedef struct apol_mls_level {} apol_mls_level_t; + fail: + return aml; + }; +- apol_mls_level_t(apol_policy_t *p, const char *str) { ++ apol_mls_level(apol_policy_t *p, const char *str) { + apol_mls_level_t *aml; + BEGIN_EXCEPTION + aml = apol_mls_level_create_from_string(p, str); +@@ -998,7 +1043,7 @@ typedef struct apol_mls_level {} apol_mls_level_t; + fail: + return aml; + }; +- apol_mls_level_t(const char *str) { ++ apol_mls_level(const char *str) { + apol_mls_level_t *aml; + BEGIN_EXCEPTION + aml = apol_mls_level_create_from_literal(str); +@@ -1009,7 +1054,7 @@ typedef struct apol_mls_level {} apol_mls_level_t; + fail: + return aml; + }; +- apol_mls_level_t(apol_policy_t *p, qpol_mls_level_t *qml) { ++ apol_mls_level(apol_policy_t *p, qpol_mls_level_t *qml) { + apol_mls_level_t *aml; + BEGIN_EXCEPTION + aml = apol_mls_level_create_from_qpol_mls_level(p, qml); +@@ -1020,7 +1065,7 @@ typedef struct apol_mls_level {} apol_mls_level_t; + fail: + return aml; + }; +- apol_mls_level_t(apol_policy_t *p, qpol_level_t *ql) { ++ apol_mls_level(apol_policy_t *p, qpol_level_t *ql) { + apol_mls_level_t *aml; + BEGIN_EXCEPTION + aml = apol_mls_level_create_from_qpol_level_datum(p, ql); +@@ -1031,10 +1076,11 @@ typedef struct apol_mls_level {} apol_mls_level_t; + fail: + return aml; + }; +- ~apol_mls_level_t() { ++ ~apol_mls_level() { + apol_mls_level_destroy(&self); + }; +- void set_sens(apol_policy_t *p, char *sens) { ++ %rename(set_sens) wrap_set_sens; ++ void wrap_set_sens(apol_policy_t *p, char *sens) { + BEGIN_EXCEPTION + if (apol_mls_level_set_sens(p, self, sens)) { + SWIG_exception(SWIG_RuntimeError, "Could not set level sensitivity"); +@@ -1043,10 +1089,12 @@ typedef struct apol_mls_level {} apol_mls_level_t; + fail: + return; + }; +- const char *get_sens() { ++ %rename(get_sens) wrap_get_sens; ++ const char *wrap_get_sens() { + return apol_mls_level_get_sens(self); + }; +- void append_cats(apol_policy_t *p, char *cats) { ++ %rename(append_cats) wrap_append_cats; ++ void wrap_append_cats(apol_policy_t *p, char *cats) { + BEGIN_EXCEPTION + if (apol_mls_level_append_cats(p, self, cats)) { + SWIG_exception(SWIG_RuntimeError, "Could not append level category"); +@@ -1055,10 +1103,12 @@ typedef struct apol_mls_level {} apol_mls_level_t; + fail: + return; + }; +- const apol_string_vector_t *get_cats() { ++ %rename(get_cats) wrap_get_cats; ++ const apol_string_vector_t *wrap_get_cats() { + return (apol_string_vector_t *) apol_mls_level_get_cats(self); + }; +- int validate(apol_policy_t *p) { ++ %rename(validate) wrap_validate; ++ int wrap_validate(apol_policy_t *p) { + int ret = -1; + BEGIN_EXCEPTION + ret = apol_mls_level_validate(p, self); +@@ -1070,7 +1120,8 @@ typedef struct apol_mls_level {} apol_mls_level_t; + return ret; + } + %newobject render(apol_policy_t*); +- char *render(apol_policy_t *p) { ++ %rename(render) wrap_render; ++ char *wrap_render(apol_policy_t *p) { + char *str; + BEGIN_EXCEPTION + str = apol_mls_level_render(p, self); +@@ -1081,7 +1132,8 @@ typedef struct apol_mls_level {} apol_mls_level_t; + fail: + return str; + }; +- int convert(apol_policy_t *p) { ++ %rename(convert) wrap_convert; ++ int wrap_convert(apol_policy_t *p) { + int ret = -1; + BEGIN_EXCEPTION + ret = apol_mls_level_convert(p, self); +@@ -1092,7 +1144,8 @@ typedef struct apol_mls_level {} apol_mls_level_t; + fail: + return ret; + } +- int is_literal() { ++ %rename(is_literal) wrap_is_literal; ++ int wrap_is_literal() { + int ret = -1; + BEGIN_EXCEPTION + ret = apol_mls_level_is_literal(self); +@@ -1128,7 +1181,7 @@ int apol_mls_cats_compare(apol_policy_t * p, const char *cat1, const char *cat2) + #endif + typedef struct apol_mls_range {} apol_mls_range_t; + %extend apol_mls_range_t { +- apol_mls_range_t() { ++ apol_mls_range() { + apol_mls_range_t *amr; + BEGIN_EXCEPTION + amr = apol_mls_range_create(); +@@ -1139,7 +1192,7 @@ typedef struct apol_mls_range {} apol_mls_range_t; + fail: + return amr; + }; +- apol_mls_range_t(apol_mls_range_t *in) { ++ apol_mls_range(apol_mls_range_t *in) { + apol_mls_range_t *amr; + BEGIN_EXCEPTION + amr = apol_mls_range_create_from_mls_range(in); +@@ -1150,7 +1203,7 @@ typedef struct apol_mls_range {} apol_mls_range_t; + fail: + return amr; + }; +- apol_mls_range_t(apol_policy_t *p, const char *s) { ++ apol_mls_range(apol_policy_t *p, const char *s) { + apol_mls_range_t *amr; + BEGIN_EXCEPTION + amr = apol_mls_range_create_from_string(p, s); +@@ -1161,7 +1214,7 @@ typedef struct apol_mls_range {} apol_mls_range_t; + fail: + return amr; + }; +- apol_mls_range_t(const char *s) { ++ apol_mls_range(const char *s) { + apol_mls_range_t *amr; + BEGIN_EXCEPTION + amr = apol_mls_range_create_from_literal(s); +@@ -1172,7 +1225,7 @@ typedef struct apol_mls_range {} apol_mls_range_t; + fail: + return amr; + }; +- apol_mls_range_t(apol_policy_t *p, qpol_mls_range_t *in) { ++ apol_mls_range(apol_policy_t *p, qpol_mls_range_t *in) { + apol_mls_range_t *amr; + BEGIN_EXCEPTION + amr = apol_mls_range_create_from_qpol_mls_range(p, in); +@@ -1183,10 +1236,11 @@ typedef struct apol_mls_range {} apol_mls_range_t; + fail: + return amr; + }; +- ~apol_mls_range_t() { ++ ~apol_mls_range() { + apol_mls_range_destroy(&self); + }; +- void set_low(apol_policy_t *p, apol_mls_level_t *lvl) { ++ %rename(set_low) wrap_set_low; ++ void wrap_set_low(apol_policy_t *p, apol_mls_level_t *lvl) { + BEGIN_EXCEPTION + if (apol_mls_range_set_low(p, self, lvl)) { + SWIG_exception(SWIG_RuntimeError, "Could not set low level"); +@@ -1195,7 +1249,8 @@ typedef struct apol_mls_range {} apol_mls_range_t; + fail: + return; + }; +- void set_high(apol_policy_t *p, apol_mls_level_t *lvl) { ++ %rename(set_high) wrap_set_high; ++ void wrap_set_high(apol_policy_t *p, apol_mls_level_t *lvl) { + BEGIN_EXCEPTION + if (apol_mls_range_set_high(p, self, lvl)) { + SWIG_exception(SWIG_RuntimeError, "Could not set high level"); +@@ -1204,14 +1259,17 @@ typedef struct apol_mls_range {} apol_mls_range_t; + fail: + return; + }; +- const apol_mls_level_t *get_low() { ++ %rename(get_low) wrap_get_low; ++ const apol_mls_level_t *wrap_get_low() { + return apol_mls_range_get_low(self); + } +- const apol_mls_level_t *get_high() { ++ %rename(get_high) wrap_get_high; ++ const apol_mls_level_t *wrap_get_high() { + return apol_mls_range_get_high(self); + } + %newobject render(apol_policy_t*); +- char *render(apol_policy_t *p) { ++ %rename(render) wrap_render; ++ char *wrap_render(apol_policy_t *p) { + char *str; + BEGIN_EXCEPTION + str = apol_mls_range_render(p, self); +@@ -1223,7 +1281,8 @@ typedef struct apol_mls_range {} apol_mls_range_t; + return str; + }; + %newobject get_levels(apol_policy_t*); +- apol_vector_t *get_levels(apol_policy_t *p) { ++ %rename(get_levels) wrap_get_levels; ++ apol_vector_t *wrap_get_levels(apol_policy_t *p) { + apol_vector_t *v; + BEGIN_EXCEPTION + v = apol_mls_range_get_levels(p, self); +@@ -1234,7 +1293,8 @@ typedef struct apol_mls_range {} apol_mls_range_t; + fail: + return v; + }; +- int validate(apol_policy_t *p) { ++ %rename(validate) wrap_validate; ++ int wrap_validate(apol_policy_t *p) { + int ret = apol_mls_range_validate(p, self); + BEGIN_EXCEPTION + if (ret < 0) { +@@ -1244,7 +1304,8 @@ typedef struct apol_mls_range {} apol_mls_range_t; + fail: + return ret; + } +- int is_literal() { ++ %rename(is_literal) wrap_is_literal; ++ int wrap_is_literal() { + int ret = -1; + BEGIN_EXCEPTION + ret = apol_mls_range_is_literal(self); +@@ -1255,7 +1316,8 @@ typedef struct apol_mls_range {} apol_mls_range_t; + fail: + return ret; + } +- int convert(apol_policy_t *p) { ++ %rename(convert) wrap_convert; ++ int wrap_convert(apol_policy_t *p) { + int ret = -1; + BEGIN_EXCEPTION + ret = apol_mls_range_convert(p, self); +@@ -1278,7 +1340,7 @@ int apol_mls_range_contain_subrange(apol_policy_t * p, const apol_mls_range_t * + /* apol level query */ + typedef struct apol_level_query {} apol_level_query_t; + %extend apol_level_query_t { +- apol_level_query_t() { ++ apol_level_query() { + apol_level_query_t * alq; + BEGIN_EXCEPTION + alq = apol_level_query_create(); +@@ -1289,7 +1351,7 @@ typedef struct apol_level_query {} apol_level_query_t; + fail: + return alq; + }; +- ~apol_level_query_t() { ++ ~apol_level_query() { + apol_level_query_destroy(&self); + }; + %newobject run(apol_policy_t*); +@@ -1303,7 +1365,8 @@ typedef struct apol_level_query {} apol_level_query_t; + fail: + return v; + }; +- void set_sens(apol_policy_t *p, char *name) { ++ %rename(set_sens) wrap_set_sens; ++ void wrap_set_sens(apol_policy_t *p, char *name) { + BEGIN_EXCEPTION + if (apol_level_query_set_sens(p, self, name)) { + SWIG_exception(SWIG_MemoryError, "Out of memory"); +@@ -1312,7 +1375,8 @@ typedef struct apol_level_query {} apol_level_query_t; + fail: + return; + }; +- void set_cat(apol_policy_t *p, char *name) { ++ %rename(set_cat) wrap_set_cat; ++ void wrap_set_cat(apol_policy_t *p, char *name) { + BEGIN_EXCEPTION + if (apol_level_query_set_cat(p, self, name)) { + SWIG_exception(SWIG_MemoryError, "Out of memory"); +@@ -1321,7 +1385,8 @@ typedef struct apol_level_query {} apol_level_query_t; + fail: + return; + }; +- void set_regex(apol_policy_t *p, int regex) { ++ %rename(set_regex) wrap_set_regex; ++ void wrap_set_regex(apol_policy_t *p, int regex) { + apol_level_query_set_regex(p, self, regex); + }; + }; +@@ -1329,7 +1394,7 @@ typedef struct apol_level_query {} apol_level_query_t; + /* apol cat query */ + typedef struct apol_cat_query {} apol_cat_query_t; + %extend apol_cat_query_t { +- apol_cat_query_t() { ++ apol_cat_query() { + apol_cat_query_t * acq; + BEGIN_EXCEPTION + acq = apol_cat_query_create(); +@@ -1340,7 +1405,7 @@ typedef struct apol_cat_query {} apol_cat_query_t; + fail: + return acq; + }; +- ~apol_cat_query_t() { ++ ~apol_cat_query() { + apol_cat_query_destroy(&self); + }; + %newobject run(apol_policy_t *); +@@ -1354,7 +1419,8 @@ typedef struct apol_cat_query {} apol_cat_query_t; + fail: + return v; + }; +- void set_cat(apol_policy_t *p, char *name) { ++ %rename(set_cat) wrap_set_cat; ++ void wrap_set_cat(apol_policy_t *p, char *name) { + BEGIN_EXCEPTION + if (apol_cat_query_set_cat(p, self, name)) { + SWIG_exception(SWIG_MemoryError, "Out of memory"); +@@ -1363,7 +1429,8 @@ typedef struct apol_cat_query {} apol_cat_query_t; + fail: + return; + }; +- void set_regex(apol_policy_t *p, int regex) { ++ %rename(set_regex) wrap_set_regex; ++ void wrap_set_regex(apol_policy_t *p, int regex) { + apol_cat_query_set_regex(p, self, regex); + }; + }; +@@ -1379,7 +1446,7 @@ typedef struct apol_cat_query {} apol_cat_query_t; + #endif + typedef struct apol_user_query {} apol_user_query_t; + %extend apol_user_query_t { +- apol_user_query_t() { ++ apol_user_query() { + apol_user_query_t *auq; + BEGIN_EXCEPTION + auq = apol_user_query_create(); +@@ -1390,7 +1457,7 @@ typedef struct apol_user_query {} apol_user_query_t; + fail: + return auq; + }; +- ~apol_user_query_t() { ++ ~apol_user_query() { + apol_user_query_destroy(&self); + }; + %newobject run(apol_policy_t*); +@@ -1404,7 +1471,8 @@ typedef struct apol_user_query {} apol_user_query_t; + fail: + return v; + }; +- void set_user(apol_policy_t *p, char *name) { ++ %rename(set_user) wrap_set_user; ++ void wrap_set_user(apol_policy_t *p, char *name) { + BEGIN_EXCEPTION + if (apol_user_query_set_user(p, self, name)) { + SWIG_exception(SWIG_MemoryError, "Out of memory"); +@@ -1413,7 +1481,8 @@ typedef struct apol_user_query {} apol_user_query_t; + fail: + return; + }; +- void set_role(apol_policy_t *p, char *name) { ++ %rename(set_role) wrap_set_role; ++ void wrap_set_role(apol_policy_t *p, char *name) { + BEGIN_EXCEPTION + if (apol_user_query_set_role(p, self, name)) { + SWIG_exception(SWIG_MemoryError, "Out of memory"); +@@ -1422,7 +1491,8 @@ typedef struct apol_user_query {} apol_user_query_t; + fail: + return; + }; +- void set_default_level(apol_policy_t *p, apol_mls_level_t *lvl) { ++ %rename(set_default_level) wrap_set_default_level; ++ void wrap_set_default_level(apol_policy_t *p, apol_mls_level_t *lvl) { + BEGIN_EXCEPTION + if (apol_user_query_set_default_level(p, self, lvl)) { + SWIG_exception(SWIG_MemoryError, "Out of memory"); +@@ -1431,7 +1501,8 @@ typedef struct apol_user_query {} apol_user_query_t; + fail: + return; + }; +- void set_range(apol_policy_t *p, apol_mls_range_t *rng, int range_match) { ++ %rename(set_range) wrap_set_range; ++ void wrap_set_range(apol_policy_t *p, apol_mls_range_t *rng, int range_match) { + BEGIN_EXCEPTION + if (apol_user_query_set_range(p, self, rng, range_match)) { + SWIG_exception(SWIG_MemoryError, "Out of memory"); +@@ -1440,7 +1511,8 @@ typedef struct apol_user_query {} apol_user_query_t; + fail: + return; + }; +- void set_regex(apol_policy_t *p, int regex) { ++ %rename(set_regex) wrap_set_regex; ++ void wrap_set_regex(apol_policy_t *p, int regex) { + apol_user_query_set_regex(p, self, regex); + }; + }; +@@ -1448,7 +1520,7 @@ typedef struct apol_user_query {} apol_user_query_t; + /* apol context */ + typedef struct apol_context {} apol_context_t; + %extend apol_context_t { +- apol_context_t() { ++ apol_context() { + apol_context_t *ctx; + BEGIN_EXCEPTION + ctx = apol_context_create(); +@@ -1459,7 +1531,7 @@ typedef struct apol_context {} apol_context_t; + fail: + return ctx; + }; +- apol_context_t(apol_policy_t *p, qpol_context_t *in) { ++ apol_context(apol_policy_t *p, qpol_context_t *in) { + apol_context_t *ctx; + BEGIN_EXCEPTION + ctx = apol_context_create_from_qpol_context(p, in); +@@ -1470,7 +1542,7 @@ typedef struct apol_context {} apol_context_t; + fail: + return ctx; + }; +- apol_context_t(const char *str) { ++ apol_context(const char *str) { + apol_context_t *ctx; + BEGIN_EXCEPTION + ctx = apol_context_create_from_literal(str); +@@ -1481,10 +1553,11 @@ typedef struct apol_context {} apol_context_t; + fail: + return ctx; + }; +- ~apol_context_t() { ++ ~apol_context() { + apol_context_destroy(&self); + }; +- void set_user(apol_policy_t *p, char *name) { ++ %rename(set_user) wrap_set_user; ++ void wrap_set_user(apol_policy_t *p, char *name) { + BEGIN_EXCEPTION + if (apol_context_set_user(p, self, name)) { + SWIG_exception(SWIG_MemoryError, "Out of memory"); +@@ -1493,10 +1566,12 @@ typedef struct apol_context {} apol_context_t; + fail: + return; + }; +- const char *get_user() { ++ %rename(get_user) wrap_get_user; ++ const char *wrap_get_user() { + return apol_context_get_user(self); + }; +- void set_role(apol_policy_t *p, char *name) { ++ %rename(set_role) wrap_set_role; ++ void wrap_set_role(apol_policy_t *p, char *name) { + BEGIN_EXCEPTION + if (apol_context_set_role(p, self, name)) { + SWIG_exception(SWIG_MemoryError, "Out of memory"); +@@ -1505,10 +1580,12 @@ typedef struct apol_context {} apol_context_t; + fail: + return; + }; +- const char *get_role() { ++ %rename(get_role) wrap_get_role; ++ const char *wrap_get_role() { + return apol_context_get_role(self); + }; +- void set_type(apol_policy_t *p, char *name) { ++ %rename(set_type) wrap_set_type; ++ void wrap_set_type(apol_policy_t *p, char *name) { + BEGIN_EXCEPTION + if (apol_context_set_type(p, self, name)) { + SWIG_exception(SWIG_MemoryError, "Out of memory"); +@@ -1517,10 +1594,12 @@ typedef struct apol_context {} apol_context_t; + fail: + return; + }; +- const char *get_type() { ++ %rename(get_type) wrap_get_type; ++ const char *wrap_get_type() { + return apol_context_get_type(self); + }; +- void set_range(apol_policy_t *p, apol_mls_range_t *rng) { ++ %rename(set_range) wrap_set_range; ++ void wrap_set_range(apol_policy_t *p, apol_mls_range_t *rng) { + BEGIN_EXCEPTION + if (apol_context_set_range(p, self, rng)) { + SWIG_exception(SWIG_MemoryError, "Out of memory"); +@@ -1529,10 +1608,12 @@ typedef struct apol_context {} apol_context_t; + fail: + return; + }; +- const apol_mls_range_t *get_range() { ++ %rename(get_range) wrap_get_range; ++ const apol_mls_range_t *wrap_get_range() { + return apol_context_get_range(self); + }; +- int validate(apol_policy_t *p) { ++ %rename(validate) wrap_validate; ++ int wrap_validate(apol_policy_t *p) { + int ret = -1; + BEGIN_EXCEPTION + ret = apol_context_validate(p, self); +@@ -1543,7 +1624,8 @@ typedef struct apol_context {} apol_context_t; + fail: + return ret; + } +- int validate_partial(apol_policy_t *p) { ++ %rename(validate_partial) wrap_validate_partial; ++ int wrap_validate_partial(apol_policy_t *p) { + int ret = -1; + BEGIN_EXCEPTION + ret = apol_context_validate_partial(p, self); +@@ -1555,7 +1637,8 @@ typedef struct apol_context {} apol_context_t; + return ret; + } + %newobject render(apol_policy_t*); +- char *render(apol_policy_t *p) { ++ %rename(render) wrap_render; ++ char *wrap_render(apol_policy_t *p) { + char *str; + BEGIN_EXCEPTION + str = apol_context_render(p, self); +@@ -1566,7 +1649,8 @@ typedef struct apol_context {} apol_context_t; + fail: + return str; + }; +- int convert(apol_policy_t *p) { ++ %rename(convert) wrap_convert; ++ int wrap_convert(apol_policy_t *p) { + int ret = -1; + BEGIN_EXCEPTION + ret = apol_context_convert(p, self); +@@ -1583,7 +1667,7 @@ int apol_context_compare(apol_policy_t * p, apol_context_t * target, apol_contex + /* apol constraint query */ + typedef struct apol_constraint_query {} apol_constraint_query_t; + %extend apol_constraint_query_t { +- apol_constraint_query_t() { ++ apol_constraint_query() { + apol_constraint_query_t *acq; + BEGIN_EXCEPTION + acq = apol_constraint_query_create(); +@@ -1594,7 +1678,7 @@ typedef struct apol_constraint_query {} apol_constraint_query_t; + fail: + return acq; + }; +- ~apol_constraint_query_t() { ++ ~apol_constraint_query() { + apol_constraint_query_destroy(&self); + }; + %newobject run(apol_policy_t*); +@@ -1608,7 +1692,8 @@ typedef struct apol_constraint_query {} apol_constraint_query_t; + fail: + return v; + }; +- void set_class(apol_policy_t *p, char *name) { ++ %rename(set_class) wrap_set_class; ++ void wrap_set_class(apol_policy_t *p, char *name) { + BEGIN_EXCEPTION + if (apol_constraint_query_set_class(p, self, name)) { + SWIG_exception(SWIG_MemoryError, "Out of memory"); +@@ -1617,7 +1702,8 @@ typedef struct apol_constraint_query {} apol_constraint_query_t; + fail: + return; + } +- void set_perm(apol_policy_t *p, char *name) { ++ %rename(set_perm) wrap_set_perm; ++ void wrap_set_perm(apol_policy_t *p, char *name) { + BEGIN_EXCEPTION + if (apol_constraint_query_set_perm(p, self, name)) { + SWIG_exception(SWIG_MemoryError, "Out of memory"); +@@ -1626,7 +1712,8 @@ typedef struct apol_constraint_query {} apol_constraint_query_t; + fail: + return; + } +- void set_regex(apol_policy_t *p, int regex) { ++ %rename(set_regex) wrap_set_regex; ++ void wrap_set_regex(apol_policy_t *p, int regex) { + apol_constraint_query_set_regex(p, self, regex); + }; + }; +@@ -1634,7 +1721,7 @@ typedef struct apol_constraint_query {} apol_constraint_query_t; + /* apol validatetrans query */ + typedef struct apol_validatetrans_query {} apol_validatetrans_query_t; + %extend apol_validatetrans_query_t { +- apol_validatetrans_query_t() { ++ apol_validatetrans_query() { + apol_validatetrans_query_t *avq; + BEGIN_EXCEPTION + avq = apol_validatetrans_query_create(); +@@ -1645,7 +1732,7 @@ typedef struct apol_validatetrans_query {} apol_validatetrans_query_t; + fail: + return avq; + }; +- ~apol_validatetrans_query_t() { ++ ~apol_validatetrans_query() { + apol_validatetrans_query_destroy(&self); + }; + %newobject run(apol_policy_t*); +@@ -1659,7 +1746,8 @@ typedef struct apol_validatetrans_query {} apol_validatetrans_query_t; + fail: + return v; + }; +- void set_class(apol_policy_t *p, char *name) { ++ %rename(set_class) wrap_set_class; ++ void wrap_set_class(apol_policy_t *p, char *name) { + BEGIN_EXCEPTION + if (apol_validatetrans_query_set_class(p, self, name)) { + SWIG_exception(SWIG_MemoryError, "Out of memory"); +@@ -1668,7 +1756,8 @@ typedef struct apol_validatetrans_query {} apol_validatetrans_query_t; + fail: + return; + } +- void set_regex(apol_policy_t *p, int regex) { ++ %rename(set_regex) wrap_set_regex; ++ void wrap_set_regex(apol_policy_t *p, int regex) { + apol_validatetrans_query_set_regex(p, self, regex); + }; + }; +@@ -1684,7 +1773,7 @@ typedef struct apol_validatetrans_query {} apol_validatetrans_query_t; + #endif + typedef struct apol_genfscon_query {} apol_genfscon_query_t; + %extend apol_genfscon_query_t { +- apol_genfscon_query_t() { ++ apol_genfscon_query() { + apol_genfscon_query_t *agq; + BEGIN_EXCEPTION + agq = apol_genfscon_query_create(); +@@ -1695,7 +1784,7 @@ typedef struct apol_genfscon_query {} apol_genfscon_query_t; + fail: + return agq; + }; +- ~apol_genfscon_query_t() { ++ ~apol_genfscon_query() { + apol_genfscon_query_destroy(&self); + }; + %newobject run(apol_policy_t*); +@@ -1709,7 +1798,8 @@ typedef struct apol_genfscon_query {} apol_genfscon_query_t; + fail: + return v; + }; +- void set_filesystem(apol_policy_t *p, char *fs) { ++ %rename(set_filesystem) wrap_set_filesystem; ++ void wrap_set_filesystem(apol_policy_t *p, char *fs) { + BEGIN_EXCEPTION + if (apol_genfscon_query_set_filesystem(p, self, fs)) { + SWIG_exception(SWIG_MemoryError, "Out of memory"); +@@ -1718,7 +1808,8 @@ typedef struct apol_genfscon_query {} apol_genfscon_query_t; + fail: + return; + }; +- void set_path(apol_policy_t *p, char *path) { ++ %rename(set_path) wrap_set_path; ++ void wrap_set_path(apol_policy_t *p, char *path) { + BEGIN_EXCEPTION + if (apol_genfscon_query_set_path(p, self, path)) { + SWIG_exception(SWIG_MemoryError, "Out of memory"); +@@ -1727,7 +1818,8 @@ typedef struct apol_genfscon_query {} apol_genfscon_query_t; + fail: + return; + }; +- void set_objclass(apol_policy_t *p, int objclass) { ++ %rename(set_objclass) wrap_set_objclass; ++ void wrap_set_objclass(apol_policy_t *p, int objclass) { + BEGIN_EXCEPTION + if (apol_genfscon_query_set_objclass(p, self, objclass)) { + SWIG_exception(SWIG_RuntimeError, "Could not set object class for genfscon query"); +@@ -1736,7 +1828,8 @@ typedef struct apol_genfscon_query {} apol_genfscon_query_t; + fail: + return; + }; +- void set_context(apol_policy_t *p, apol_context_t *ctx, int range_match) { ++ %rename(set_context) wrap_set_context; ++ void wrap_set_context(apol_policy_t *p, apol_context_t *ctx, int range_match) { + apol_genfscon_query_set_context(p, self, ctx, range_match); + }; + }; +@@ -1746,7 +1839,7 @@ char *apol_genfscon_render(apol_policy_t * p, qpol_genfscon_t * genfscon); + /* apol fs_use query */ + typedef struct apol_fs_use_query {} apol_fs_use_query_t; + %extend apol_fs_use_query_t { +- apol_fs_use_query_t() { ++ apol_fs_use_query() { + apol_fs_use_query_t *afq; + BEGIN_EXCEPTION + afq = apol_fs_use_query_create(); +@@ -1757,7 +1850,7 @@ typedef struct apol_fs_use_query {} apol_fs_use_query_t; + fail: + return afq; + }; +- ~apol_fs_use_query_t() { ++ ~apol_fs_use_query() { + apol_fs_use_query_destroy(&self); + }; + %newobject run(apol_policy_t*); +@@ -1771,7 +1864,8 @@ typedef struct apol_fs_use_query {} apol_fs_use_query_t; + fail: + return v; + }; +- void set_filesystem(apol_policy_t *p, char *fs) { ++ %rename(set_filesystem) wrap_set_filesystem; ++ void wrap_set_filesystem(apol_policy_t *p, char *fs) { + BEGIN_EXCEPTION + if (apol_fs_use_query_set_filesystem(p, self, fs)) { + SWIG_exception(SWIG_MemoryError, "Out of memory"); +@@ -1780,7 +1874,8 @@ typedef struct apol_fs_use_query {} apol_fs_use_query_t; + fail: + return; + }; +- void set_behavior(apol_policy_t *p, int behavior) { ++ %rename(set_behavior) wrap_set_behavior; ++ void wrap_set_behavior(apol_policy_t *p, int behavior) { + BEGIN_EXCEPTION + if (apol_fs_use_query_set_behavior(p, self, behavior)) { + SWIG_exception(SWIG_RuntimeError, "Could not set behavior for fs_use query"); +@@ -1789,7 +1884,8 @@ typedef struct apol_fs_use_query {} apol_fs_use_query_t; + fail: + return; + }; +- void set_context(apol_policy_t *p, apol_context_t *ctx, int range_match) { ++ %rename(set_context) wrap_set_context; ++ void wrap_set_context(apol_policy_t *p, apol_context_t *ctx, int range_match) { + apol_fs_use_query_set_context(p, self, ctx, range_match); + }; + }; +@@ -1799,7 +1895,7 @@ char *apol_fs_use_render(apol_policy_t * p, qpol_fs_use_t * fsuse); + /* apol initial sid query */ + typedef struct apol_isid_query {} apol_isid_query_t; + %extend apol_isid_query_t { +- apol_isid_query_t() { ++ apol_isid_query() { + apol_isid_query_t *aiq; + BEGIN_EXCEPTION + aiq = apol_isid_query_create(); +@@ -1810,7 +1906,7 @@ typedef struct apol_isid_query {} apol_isid_query_t; + fail: + return aiq; + }; +- ~apol_isid_query_t() { ++ ~apol_isid_query() { + apol_isid_query_destroy(&self); + }; + %newobject run(apol_policy_t*); +@@ -1824,7 +1920,8 @@ typedef struct apol_isid_query {} apol_isid_query_t; + fail: + return v; + }; +- void set_name(apol_policy_t *p, char *name) { ++ %rename(set_name) wrap_set_name; ++ void wrap_set_name(apol_policy_t *p, char *name) { + BEGIN_EXCEPTION + if (apol_isid_query_set_name(p, self, name)) { + SWIG_exception(SWIG_MemoryError, "Out of memory"); +@@ -1833,7 +1930,8 @@ typedef struct apol_isid_query {} apol_isid_query_t; + fail: + return; + }; +- void set_context(apol_policy_t *p, apol_context_t *ctx, int range_match) { ++ %rename(set_context) wrap_set_context; ++ void wrap_set_context(apol_policy_t *p, apol_context_t *ctx, int range_match) { + apol_isid_query_set_context(p, self, ctx, range_match); + }; + }; +@@ -1841,7 +1939,7 @@ typedef struct apol_isid_query {} apol_isid_query_t; + /* apol portcon query */ + typedef struct apol_portcon_query {} apol_portcon_query_t; + %extend apol_portcon_query_t { +- apol_portcon_query_t() { ++ apol_portcon_query() { + apol_portcon_query_t *apq; + BEGIN_EXCEPTION + apq = apol_portcon_query_create(); +@@ -1852,7 +1950,7 @@ typedef struct apol_portcon_query {} apol_portcon_query_t; + fail: + return apq; + }; +- ~apol_portcon_query_t() { ++ ~apol_portcon_query() { + apol_portcon_query_destroy(&self); + }; + %newobject run(apol_policy_t*); +@@ -1866,16 +1964,20 @@ typedef struct apol_portcon_query {} apol_portcon_query_t; + fail: + return v; + }; +- void set_protocol(apol_policy_t *p, int protocol) { ++ %rename(set_protocol) wrap_set_protocol; ++ void wrap_set_protocol(apol_policy_t *p, int protocol) { + apol_portcon_query_set_protocol(p, self, protocol); + }; +- void set_low(apol_policy_t *p, int port) { ++ %rename(set_low) wrap_set_low; ++ void wrap_set_low(apol_policy_t *p, int port) { + apol_portcon_query_set_low(p, self, port); + }; +- void set_high(apol_policy_t *p, int port) { ++ %rename(set_high) wrap_set_high; ++ void wrap_set_high(apol_policy_t *p, int port) { + apol_portcon_query_set_high(p, self, port); + }; +- void set_context(apol_policy_t *p, apol_context_t *ctx, int range_match) { ++ %rename(set_context) wrap_set_context; ++ void wrap_set_context(apol_policy_t *p, apol_context_t *ctx, int range_match) { + apol_portcon_query_set_context(p, self, ctx, range_match); + }; + }; +@@ -1884,8 +1986,9 @@ char *apol_portcon_render(apol_policy_t * p, qpol_portcon_t * portcon); + + /* apol netifcon query */ + typedef struct apol_netifcon_query {} apol_netifcon_query_t; ++%rename(apol_netifcon_query_set_msg_context) apol_netifcon_query_set_msg_context; + %extend apol_netifcon_query_t { +- apol_netifcon_query_t() { ++ apol_netifcon_query() { + apol_netifcon_query_t *anq; + BEGIN_EXCEPTION + anq = apol_netifcon_query_create(); +@@ -1896,7 +1999,7 @@ typedef struct apol_netifcon_query {} apol_netifcon_query_t; + fail: + return anq; + }; +- ~apol_netifcon_query_t() { ++ ~apol_netifcon_query() { + apol_netifcon_query_destroy(&self); + }; + %newobject run(apol_policy_t*); +@@ -1910,7 +2013,8 @@ typedef struct apol_netifcon_query {} apol_netifcon_query_t; + fail: + return v; + }; +- void set_device(apol_policy_t *p, char *name) { ++ %rename(set_device) wrap_set_device; ++ void wrap_set_device(apol_policy_t *p, char *name) { + BEGIN_EXCEPTION + if (apol_netifcon_query_set_device(p, self, name)) { + SWIG_exception(SWIG_MemoryError, "Out of memory"); +@@ -1919,10 +2023,12 @@ typedef struct apol_netifcon_query {} apol_netifcon_query_t; + fail: + return; + }; +- void set_if_context(apol_policy_t *p, apol_context_t *ctx, int range_match) { ++ %rename(set_if_context) wrap_set_if_context; ++ void wrap_set_if_context(apol_policy_t *p, apol_context_t *ctx, int range_match) { + apol_netifcon_query_set_if_context(p, self, ctx, range_match); + }; +- void set_msg_context(apol_policy_t *p, apol_context_t *ctx, int range_match) { ++ %rename(set_msg_context) wrap_set_msg_context; ++ void wrap_set_msg_context(apol_policy_t *p, apol_context_t *ctx, int range_match) { + apol_netifcon_query_set_msg_context(p, self, ctx, range_match); + }; + }; +@@ -1932,7 +2038,7 @@ char *apol_netifcon_render(apol_policy_t * p, qpol_netifcon_t * netifcon); + /* apol nodecon query */ + typedef struct apol_nodecon_query {} apol_nodecon_query_t; + %extend apol_nodecon_query_t { +- apol_nodecon_query_t() { ++ apol_nodecon_query() { + apol_nodecon_query_t *anq; + BEGIN_EXCEPTION + anq = apol_nodecon_query_create(); +@@ -1943,7 +2049,7 @@ typedef struct apol_nodecon_query {} apol_nodecon_query_t; + fail: + return anq; + }; +- ~apol_nodecon_query_t() { ++ ~apol_nodecon_query() { + apol_nodecon_query_destroy(&self); + }; + %newobject run(apol_policy_t*); +@@ -1957,7 +2063,8 @@ typedef struct apol_nodecon_query {} apol_nodecon_query_t; + fail: + return v; + }; +- void set_protocol(apol_policy_t *p, int protocol) { ++ %rename(set_protocol) wrap_set_protocol; ++ void wrap_set_protocol(apol_policy_t *p, int protocol) { + BEGIN_EXCEPTION + if (apol_nodecon_query_set_protocol(p, self, protocol)) { + SWIG_exception(SWIG_RuntimeError, "Could not set protocol for nodecon query"); +@@ -2002,7 +2109,8 @@ typedef struct apol_nodecon_query {} apol_nodecon_query_t; + fail: + return; + }; +- void set_context(apol_policy_t *p, apol_context_t *ctx, int range_match) { ++ %rename(set_context) wrap_set_context; ++ void wrap_set_context(apol_policy_t *p, apol_context_t *ctx, int range_match) { + apol_nodecon_query_set_context(p, self, ctx, range_match); + }; + }; +@@ -2012,7 +2120,7 @@ char *apol_nodecon_render(apol_policy_t * p, qpol_nodecon_t * nodecon); + /* apol avrule query */ + typedef struct apol_avrule_query {} apol_avrule_query_t; + %extend apol_avrule_query_t { +- apol_avrule_query_t() { ++ apol_avrule_query() { + apol_avrule_query_t *avq; + BEGIN_EXCEPTION + avq = apol_avrule_query_create(); +@@ -2023,7 +2131,7 @@ typedef struct apol_avrule_query {} apol_avrule_query_t; + fail: + return avq; + }; +- ~apol_avrule_query_t() { ++ ~apol_avrule_query() { + apol_avrule_query_destroy(&self); + }; + %newobject run(apol_policy_t*); +@@ -2048,10 +2156,12 @@ typedef struct apol_avrule_query {} apol_avrule_query_t; + fail: + return v; + }; +- void set_rules(apol_policy_t *p, int rules) { ++ %rename(set_rules) wrap_set_rules; ++ void wrap_set_rules(apol_policy_t *p, int rules) { + apol_avrule_query_set_rules(p, self, rules); + }; +- void set_source(apol_policy_t *p, char *name, int indirect) { ++ %rename(set_source) wrap_set_source; ++ void wrap_set_source(apol_policy_t *p, char *name, int indirect) { + BEGIN_EXCEPTION + if (apol_avrule_query_set_source(p, self, name, indirect)) { + SWIG_exception(SWIG_RuntimeError, "Could not set source for avrule query"); +@@ -2060,7 +2170,8 @@ typedef struct apol_avrule_query {} apol_avrule_query_t; + fail: + return; + }; +- void set_source_component(apol_policy_t *p, int component) { ++ %rename(set_source_component) wrap_set_source_component; ++ void wrap_set_source_component(apol_policy_t *p, int component) { + BEGIN_EXCEPTION + if (apol_avrule_query_set_source_component(p, self, component)) { + SWIG_exception(SWIG_RuntimeError, "Could not set source component for avrule query"); +@@ -2069,7 +2180,8 @@ typedef struct apol_avrule_query {} apol_avrule_query_t; + fail: + return; + }; +- void set_target(apol_policy_t *p, char *name, int indirect) { ++ %rename(set_target) wrap_set_target; ++ void wrap_set_target(apol_policy_t *p, char *name, int indirect) { + BEGIN_EXCEPTION + if (apol_avrule_query_set_target(p, self, name, indirect)) { + SWIG_exception(SWIG_RuntimeError, "Could not set target for avrule query"); +@@ -2078,7 +2190,8 @@ typedef struct apol_avrule_query {} apol_avrule_query_t; + fail: + return; + }; +- void set_target_component(apol_policy_t *p, int component) { ++ %rename(set_target_component) wrap_set_target_component; ++ void wrap_set_target_component(apol_policy_t *p, int component) { + BEGIN_EXCEPTION + if (apol_avrule_query_set_target_component(p, self, component)) { + SWIG_exception(SWIG_RuntimeError, "Could not set target component for avrule query"); +@@ -2087,7 +2200,8 @@ typedef struct apol_avrule_query {} apol_avrule_query_t; + fail: + return; + }; +- void append_class(apol_policy_t *p, char *name) { ++ %rename(append_class) wrap_append_class; ++ void wrap_append_class(apol_policy_t *p, char *name) { + BEGIN_EXCEPTION + if (apol_avrule_query_append_class(p, self, name)) { + SWIG_exception(SWIG_RuntimeError, "Could not append class to avrule query"); +@@ -2096,7 +2210,8 @@ typedef struct apol_avrule_query {} apol_avrule_query_t; + fail: + return; + }; +- void append_perm(apol_policy_t *p, char *name) { ++ %rename(append_perm) wrap_append_perm; ++ void wrap_append_perm(apol_policy_t *p, char *name) { + BEGIN_EXCEPTION + if (apol_avrule_query_append_perm(p, self, name)) { + SWIG_exception(SWIG_RuntimeError, "Could not append permission to avrule query"); +@@ -2105,7 +2220,8 @@ typedef struct apol_avrule_query {} apol_avrule_query_t; + fail: + return; + }; +- void set_bool(apol_policy_t *p, char *name) { ++ %rename(set_bool) wrap_set_bool; ++ void wrap_set_bool(apol_policy_t *p, char *name) { + BEGIN_EXCEPTION + if (apol_avrule_query_set_bool(p, self, name)) { + SWIG_exception(SWIG_RuntimeError, "Could not set boolean for avrule query"); +@@ -2114,16 +2230,20 @@ typedef struct apol_avrule_query {} apol_avrule_query_t; + fail: + return; + }; +- void set_enabled(apol_policy_t *p, int enabled) { ++ %rename(set_enabled) wrap_set_enabled; ++ void wrap_set_enabled(apol_policy_t *p, int enabled) { + apol_avrule_query_set_enabled(p, self, enabled); + }; +- void set_all_perms(apol_policy_t *p, int all_perms) { ++ %rename(set_all_perms) wrap_set_all_perms; ++ void wrap_set_all_perms(apol_policy_t *p, int all_perms) { + apol_avrule_query_set_all_perms(p, self, all_perms); + }; +- void set_source_any(apol_policy_t *p, int is_any) { ++ %rename(set_source_any) wrap_set_source_any; ++ void wrap_set_source_any(apol_policy_t *p, int is_any) { + apol_avrule_query_set_source_any(p, self, is_any); + }; +- void set_regex(apol_policy_t *p, int regex) { ++ %rename(set_regex) wrap_set_regex; ++ void wrap_set_regex(apol_policy_t *p, int regex) { + apol_avrule_query_set_regex(p, self, regex); + }; + }; +@@ -2163,7 +2283,7 @@ char *apol_syn_avrule_render(apol_policy_t * policy, qpol_syn_avrule_t * rule); + /* apol terule query */ + typedef struct apol_terule_query {} apol_terule_query_t; + %extend apol_terule_query_t { +- apol_terule_query_t() { ++ apol_terule_query() { + apol_terule_query_t *atq; + BEGIN_EXCEPTION + atq = apol_terule_query_create(); +@@ -2174,7 +2294,7 @@ typedef struct apol_terule_query {} apol_terule_query_t; + fail: + return atq; + }; +- ~apol_terule_query_t() { ++ ~apol_terule_query() { + apol_terule_query_destroy(&self); + }; + %newobject run(apol_policy_t*); +@@ -2199,10 +2319,12 @@ typedef struct apol_terule_query {} apol_terule_query_t; + fail: + return v; + }; +- void set_rules(apol_policy_t *p, int rules) { ++ %rename(set_rules) wrap_set_rules; ++ void wrap_set_rules(apol_policy_t *p, int rules) { + apol_terule_query_set_rules(p, self, rules); + }; +- void set_source(apol_policy_t *p, char *name, int indirect) { ++ %rename(set_source) wrap_set_source; ++ void wrap_set_source(apol_policy_t *p, char *name, int indirect) { + BEGIN_EXCEPTION + if (apol_terule_query_set_source(p, self, name, indirect)) { + SWIG_exception(SWIG_RuntimeError, "Could not set source for terule query"); +@@ -2211,7 +2333,8 @@ typedef struct apol_terule_query {} apol_terule_query_t; + fail: + return; + }; +- void set_source_component(apol_policy_t *p, int component) { ++ %rename(set_source_component) wrap_set_source_component; ++ void wrap_set_source_component(apol_policy_t *p, int component) { + BEGIN_EXCEPTION + if (apol_terule_query_set_source_component(p, self, component)) { + SWIG_exception(SWIG_RuntimeError, "Could not set source component for terule query"); +@@ -2220,7 +2343,8 @@ typedef struct apol_terule_query {} apol_terule_query_t; + fail: + return; + }; +- void set_target(apol_policy_t *p, char *name, int indirect) { ++ %rename(set_target) wrap_set_target; ++ void wrap_set_target(apol_policy_t *p, char *name, int indirect) { + BEGIN_EXCEPTION + if (apol_terule_query_set_target(p, self, name, indirect)) { + SWIG_exception(SWIG_RuntimeError, "Could not set target for terule query"); +@@ -2229,7 +2353,8 @@ typedef struct apol_terule_query {} apol_terule_query_t; + fail: + return; + }; +- void set_target_component(apol_policy_t *p, int component) { ++ %rename(set_target_component) wrap_set_target_component; ++ void wrap_set_target_component(apol_policy_t *p, int component) { + BEGIN_EXCEPTION + if (apol_terule_query_set_target_component(p, self, component)) { + SWIG_exception(SWIG_RuntimeError, "Could not set target component for terule query"); +@@ -2238,7 +2363,8 @@ typedef struct apol_terule_query {} apol_terule_query_t; + fail: + return; + }; +- void append_class(apol_policy_t *p, char *name) { ++ %rename(append_class) wrap_append_class; ++ void wrap_append_class(apol_policy_t *p, char *name) { + BEGIN_EXCEPTION + if (apol_terule_query_append_class(p, self, name)) { + SWIG_exception(SWIG_RuntimeError, "Could not append class to terule query"); +@@ -2247,7 +2373,8 @@ typedef struct apol_terule_query {} apol_terule_query_t; + fail: + return; + }; +- void set_default(apol_policy_t *p, char *name) { ++ %rename(set_default) wrap_set_default; ++ void wrap_set_default(apol_policy_t *p, char *name) { + BEGIN_EXCEPTION + if (apol_terule_query_set_default(p, self, name)) { + SWIG_exception(SWIG_RuntimeError, "Could not set default for terule query"); +@@ -2256,7 +2383,8 @@ typedef struct apol_terule_query {} apol_terule_query_t; + fail: + return; + }; +- void set_bool(apol_policy_t *p, char *name) { ++ %rename(set_bool) wrap_set_bool; ++ void wrap_set_bool(apol_policy_t *p, char *name) { + BEGIN_EXCEPTION + if (apol_terule_query_set_bool(p, self, name)) { + SWIG_exception(SWIG_RuntimeError, "Could not set boolean for terule query"); +@@ -2265,13 +2393,16 @@ typedef struct apol_terule_query {} apol_terule_query_t; + fail: + return; + }; +- void set_enabled(apol_policy_t *p, int enabled) { ++ %rename(set_enabled) wrap_set_enabled; ++ void wrap_set_enabled(apol_policy_t *p, int enabled) { + apol_terule_query_set_enabled(p, self, enabled); + }; +- void set_source_any(apol_policy_t *p, int is_any) { ++ %rename(set_source_any) wrap_set_source_any; ++ void wrap_set_source_any(apol_policy_t *p, int is_any) { + apol_terule_query_set_source_any(p, self, is_any); + }; +- void set_regex(apol_policy_t *p, int regex) { ++ %rename(set_regex) wrap_set_regex; ++ void wrap_set_regex(apol_policy_t *p, int regex) { + apol_terule_query_set_regex(p, self, regex); + }; + }; +@@ -2287,7 +2418,7 @@ apol_vector_t *apol_terule_list_to_syn_terules(apol_policy_t * p, apol_vector_t + /* apol cond rule query */ + typedef struct apol_cond_query {} apol_cond_query_t; + %extend apol_cond_query_t { +- apol_cond_query_t() { ++ apol_cond_query() { + apol_cond_query_t *acq; + BEGIN_EXCEPTION + acq = apol_cond_query_create(); +@@ -2298,7 +2429,7 @@ typedef struct apol_cond_query {} apol_cond_query_t; + fail: + return acq; + }; +- ~apol_cond_query_t() { ++ ~apol_cond_query() { + apol_cond_query_destroy(&self); + }; + %newobject run(apol_policy_t*); +@@ -2312,7 +2443,8 @@ typedef struct apol_cond_query {} apol_cond_query_t; + fail: + return v; + }; +- void set_bool(apol_policy_t *p, char *name) { ++ %rename(set_bool) wrap_set_bool; ++ void wrap_set_bool(apol_policy_t *p, char *name) { + BEGIN_EXCEPTION + if (apol_cond_query_set_bool(p, self, name)) { + SWIG_exception(SWIG_RuntimeError, "Could not set boolean for condiional query"); +@@ -2321,7 +2453,8 @@ typedef struct apol_cond_query {} apol_cond_query_t; + fail: + return; + }; +- void set_regex(apol_policy_t *p, int regex) { ++ %rename(set_regex) wrap_set_regex; ++ void wrap_set_regex(apol_policy_t *p, int regex) { + apol_cond_query_set_regex(p, self, regex); + }; + }; +@@ -2331,7 +2464,7 @@ char *apol_cond_expr_render(apol_policy_t * p, qpol_cond_t * cond); + /* apol role allow query */ + typedef struct apol_role_allow_query {} apol_role_allow_query_t; + %extend apol_role_allow_query_t { +- apol_role_allow_query_t() { ++ apol_role_allow_query() { + apol_role_allow_query_t *arq; + BEGIN_EXCEPTION + arq = apol_role_allow_query_create(); +@@ -2342,7 +2475,7 @@ typedef struct apol_role_allow_query {} apol_role_allow_query_t; + fail: + return arq; + }; +- ~apol_role_allow_query_t() { ++ ~apol_role_allow_query() { + apol_role_allow_query_destroy(&self); + }; + %newobject run(apol_policy_t*); +@@ -2356,7 +2489,8 @@ typedef struct apol_role_allow_query {} apol_role_allow_query_t; + fail: + return v; + }; +- void set_source(apol_policy_t *p, char *name) { ++ %rename(set_source) wrap_set_source; ++ void wrap_set_source(apol_policy_t *p, char *name) { + BEGIN_EXCEPTION + if (apol_role_allow_query_set_source(p, self, name)) { + SWIG_exception(SWIG_MemoryError, "Out of memory"); +@@ -2365,7 +2499,8 @@ typedef struct apol_role_allow_query {} apol_role_allow_query_t; + fail: + return; + }; +- void set_target(apol_policy_t *p, char *name) { ++ %rename(set_target) wrap_set_target; ++ void wrap_set_target(apol_policy_t *p, char *name) { + BEGIN_EXCEPTION + if (apol_role_allow_query_set_target(p, self, name)) { + SWIG_exception(SWIG_MemoryError, "Out of memory"); +@@ -2374,10 +2509,12 @@ typedef struct apol_role_allow_query {} apol_role_allow_query_t; + fail: + return; + }; +- void set_source_any(apol_policy_t *p, int is_any) { ++ %rename(set_source_any) wrap_set_source_any; ++ void wrap_set_source_any(apol_policy_t *p, int is_any) { + apol_role_allow_query_set_source_any(p, self, is_any); + }; +- void set_regex(apol_policy_t *p, int regex) { ++ %rename(set_regex) wrap_set_regex; ++ void wrap_set_regex(apol_policy_t *p, int regex) { + apol_role_allow_query_set_regex(p, self, regex); + }; + }; +@@ -2387,7 +2524,7 @@ char *apol_role_allow_render(apol_policy_t * policy, qpol_role_allow_t * rule); + /* apol role transition rule query */ + typedef struct apol_role_trans_query {} apol_role_trans_query_t; + %extend apol_role_trans_query_t { +- apol_role_trans_query_t() { ++ apol_role_trans_query() { + apol_role_trans_query_t *arq; + BEGIN_EXCEPTION + arq = apol_role_trans_query_create(); +@@ -2398,7 +2535,7 @@ typedef struct apol_role_trans_query {} apol_role_trans_query_t; + fail: + return arq; + }; +- ~apol_role_trans_query_t() { ++ ~apol_role_trans_query() { + apol_role_trans_query_destroy(&self); + }; + %newobject run(apol_policy_t*); +@@ -2412,7 +2549,8 @@ typedef struct apol_role_trans_query {} apol_role_trans_query_t; + fail: + return v; + }; +- void set_source(apol_policy_t *p, char *name) { ++ %rename(set_source) wrap_set_source; ++ void wrap_set_source(apol_policy_t *p, char *name) { + BEGIN_EXCEPTION + if (apol_role_trans_query_set_source(p, self, name)) { + SWIG_exception(SWIG_MemoryError, "Out of memory"); +@@ -2421,7 +2559,8 @@ typedef struct apol_role_trans_query {} apol_role_trans_query_t; + fail: + return; + }; +- void set_target(apol_policy_t *p, char *name, int indirect) { ++ %rename(set_target) wrap_set_target; ++ void wrap_set_target(apol_policy_t *p, char *name, int indirect) { + BEGIN_EXCEPTION + if (apol_role_trans_query_set_target(p, self, name, indirect)) { + SWIG_exception(SWIG_MemoryError, "Out of memory"); +@@ -2430,7 +2569,8 @@ typedef struct apol_role_trans_query {} apol_role_trans_query_t; + fail: + return; + }; +- void set_default(apol_policy_t *p, char *name) { ++ %rename(set_default) wrap_set_default; ++ void wrap_set_default(apol_policy_t *p, char *name) { + BEGIN_EXCEPTION + if (apol_role_trans_query_set_default(p, self, name)) { + SWIG_exception(SWIG_MemoryError, "Out of memory"); +@@ -2439,10 +2579,12 @@ typedef struct apol_role_trans_query {} apol_role_trans_query_t; + fail: + return; + }; +- void set_source_any(apol_policy_t *p, int is_any) { ++ %rename(set_source_any) wrap_set_source_any; ++ void wrap_set_source_any(apol_policy_t *p, int is_any) { + apol_role_trans_query_set_source_any(p, self, is_any); + }; +- void set_regex(apol_policy_t *p, int regex) { ++ %rename(set_regex) wrap_set_regex; ++ void wrap_set_regex(apol_policy_t *p, int regex) { + apol_role_trans_query_set_regex(p, self, regex); + }; + }; +@@ -2452,7 +2594,7 @@ char *apol_role_trans_render(apol_policy_t * policy, qpol_role_trans_t * rule); + /* apol range transition rule query */ + typedef struct apol_range_trans_query {} apol_range_trans_query_t; + %extend apol_range_trans_query_t { +- apol_range_trans_query_t() { ++ apol_range_trans_query() { + apol_range_trans_query_t *arq; + BEGIN_EXCEPTION + arq = apol_range_trans_query_create(); +@@ -2463,7 +2605,7 @@ typedef struct apol_range_trans_query {} apol_range_trans_query_t; + fail: + return arq; + }; +- ~apol_range_trans_query_t() { ++ ~apol_range_trans_query() { + apol_range_trans_query_destroy(&self); + }; + %newobject run(apol_policy_t*); +@@ -2477,7 +2619,8 @@ typedef struct apol_range_trans_query {} apol_range_trans_query_t; + fail: + return v; + }; +- void set_source(apol_policy_t *p, char *name, int indirect) { ++ %rename(set_source) wrap_set_source; ++ void wrap_set_source(apol_policy_t *p, char *name, int indirect) { + BEGIN_EXCEPTION + if (apol_range_trans_query_set_source(p, self, name, indirect)) { + SWIG_exception(SWIG_MemoryError, "Out of memory"); +@@ -2486,7 +2629,8 @@ typedef struct apol_range_trans_query {} apol_range_trans_query_t; + fail: + return; + }; +- void set_target(apol_policy_t *p, char *name, int indirect) { ++ %rename(set_target) wrap_set_target; ++ void wrap_set_target(apol_policy_t *p, char *name, int indirect) { + BEGIN_EXCEPTION + if (apol_range_trans_query_set_target(p, self, name, indirect)) { + SWIG_exception(SWIG_MemoryError, "Out of memory"); +@@ -2495,7 +2639,8 @@ typedef struct apol_range_trans_query {} apol_range_trans_query_t; + fail: + return; + }; +- void append_class(apol_policy_t *p, char *name) { ++ %rename(append_class) wrap_append_class; ++ void wrap_append_class(apol_policy_t *p, char *name) { + BEGIN_EXCEPTION + if (apol_range_trans_query_append_class(p, self, name)) { + SWIG_exception(SWIG_RuntimeError, "Could not append class to range transition query"); +@@ -2504,7 +2649,8 @@ typedef struct apol_range_trans_query {} apol_range_trans_query_t; + fail: + return; + }; +- void set_range(apol_policy_t *p, apol_mls_range_t *rng, int range_match) { ++ %rename(set_range) wrap_set_range; ++ void wrap_set_range(apol_policy_t *p, apol_mls_range_t *rng, int range_match) { + BEGIN_EXCEPTION + if (apol_range_trans_query_set_range(p, self, rng, range_match)) { + SWIG_exception(SWIG_MemoryError, "Out of memory"); +@@ -2513,16 +2659,336 @@ typedef struct apol_range_trans_query {} apol_range_trans_query_t; + fail: + return; + }; +- void set_source_any(apol_policy_t *p, int is_any) { ++ %rename(set_source_any) wrap_set_source_any; ++ void wrap_set_source_any(apol_policy_t *p, int is_any) { + apol_range_trans_query_set_source_any(p, self, is_any); + }; +- void set_regex(apol_policy_t *p, int regex) { ++ %rename(set_regex) wrap_set_regex; ++ void wrap_set_regex(apol_policy_t *p, int regex) { + apol_range_trans_query_set_regex(p, self, regex); + }; + }; + %newobject apol_range_trans_render(apol_policy_t*, qpol_range_trans_t*); + char *apol_range_trans_render(apol_policy_t * policy, qpol_range_trans_t * rule); + ++/* apol filename transition rule query */ ++typedef struct apol_filename_trans_query {} apol_filename_trans_query_t; ++%extend apol_filename_trans_query_t { ++ apol_filename_trans_query() { ++ apol_filename_trans_query_t *arq; ++ BEGIN_EXCEPTION ++ arq = apol_filename_trans_query_create(); ++ if (!arq) { ++ SWIG_exception(SWIG_MemoryError, "Out of memory"); ++ } ++ END_EXCEPTION ++ fail: ++ return arq; ++ }; ++ ~apol_filename_trans_query() { ++ apol_filename_trans_query_destroy(&self); ++ }; ++ %newobject run(apol_policy_t*); ++ apol_vector_t *run(apol_policy_t *p) { ++ apol_vector_t *v; ++ BEGIN_EXCEPTION ++ if (apol_filename_trans_get_by_query(p, self, &v)) { ++ SWIG_exception(SWIG_RuntimeError, "Could not run filename transition query"); ++ } ++ END_EXCEPTION ++ fail: ++ return v; ++ }; ++ %rename(set_source) wrap_set_source; ++ void wrap_set_source(apol_policy_t *p, char *name, int indirect) { ++ BEGIN_EXCEPTION ++ if (apol_filename_trans_query_set_source(p, self, name, indirect)) { ++ SWIG_exception(SWIG_MemoryError, "Out of memory"); ++ } ++ END_EXCEPTION ++ fail: ++ return; ++ }; ++ %rename(set_target) wrap_set_target; ++ void wrap_set_target(apol_policy_t *p, char *name, int indirect) { ++ BEGIN_EXCEPTION ++ if (apol_filename_trans_query_set_target(p, self, name, indirect)) { ++ SWIG_exception(SWIG_MemoryError, "Out of memory"); ++ } ++ END_EXCEPTION ++ fail: ++ return; ++ }; ++ %rename(append_class) wrap_append_class; ++ void wrap_append_class(apol_policy_t *p, char *name) { ++ BEGIN_EXCEPTION ++ if (apol_filename_trans_query_append_class(p, self, name)) { ++ SWIG_exception(SWIG_RuntimeError, "Could not append class to filename transition query"); ++ } ++ END_EXCEPTION ++ fail: ++ return; ++ }; ++ ++ %rename(set_default) wrap_set_default; ++ void wrap_set_default(apol_policy_t *p, char *name) { ++ BEGIN_EXCEPTION ++ if (apol_filename_trans_query_set_default(p, self, name)) { ++ SWIG_exception(SWIG_RuntimeError, "Could not set default for filename transition query"); ++ } ++ END_EXCEPTION ++ fail: ++ return; ++ }; ++ ++ void set_filename(apol_policy_t *p, char *filename) { ++ BEGIN_EXCEPTION ++ if (apol_filename_trans_query_set_name(p, self, filename)) { ++ SWIG_exception(SWIG_MemoryError, "Out of memory"); ++ } ++ END_EXCEPTION ++ fail: ++ return; ++ }; ++ ++ %rename(set_source_any) wrap_set_source_any; ++ void wrap_set_source_any(apol_policy_t *p, int is_any) { ++ apol_filename_trans_query_set_source_any(p, self, is_any); ++ }; ++ %rename(set_regex) wrap_set_regex; ++ void wrap_set_regex(apol_policy_t *p, int regex) { ++ apol_filename_trans_query_set_regex(p, self, regex); ++ }; ++}; ++%newobject apol_filename_trans_render(apol_policy_t*, qpol_filename_trans_t*); ++char *apol_filename_trans_render(apol_policy_t * policy, qpol_filename_trans_t * rule); ++ ++/* apol permissive query */ ++typedef struct apol_permissive_query {} apol_permissive_query_t; ++%extend apol_permissive_query_t { ++ apol_permissive_query() { ++ apol_permissive_query_t *arq; ++ BEGIN_EXCEPTION ++ arq = apol_permissive_query_create(); ++ if (!arq) { ++ SWIG_exception(SWIG_MemoryError, "Out of memory"); ++ } ++ END_EXCEPTION ++ fail: ++ return arq; ++ }; ++ ~apol_permissive_query() { ++ apol_permissive_query_destroy(&self); ++ }; ++ %newobject run(apol_policy_t*); ++ apol_vector_t *run(apol_policy_t *p) { ++ apol_vector_t *v; ++ BEGIN_EXCEPTION ++ if (apol_permissive_get_by_query(p, self, &v)) { ++ SWIG_exception(SWIG_RuntimeError, "Could not run permissive query"); ++ } ++ END_EXCEPTION ++ fail: ++ return v; ++ }; ++ ++ %rename(set_name) wrap_set_name; ++ void wrap_set_name(apol_policy_t *p, char *name) { ++ BEGIN_EXCEPTION ++ if (apol_permissive_query_set_name(p, self, name)) { ++ SWIG_exception(SWIG_MemoryError, "Out of memory"); ++ } ++ END_EXCEPTION ++ fail: ++ return; ++ }; ++ ++ %rename(set_regex) wrap_set_regex; ++ void wrap_set_regex(apol_policy_t *p, int regex) { ++ apol_permissive_query_set_regex(p, self, regex); ++ }; ++}; ++ ++/* apol polcap query */ ++typedef struct apol_polcap_query {} apol_polcap_query_t; ++%extend apol_polcap_query_t { ++ apol_polcap_query() { ++ apol_polcap_query_t *arq; ++ BEGIN_EXCEPTION ++ arq = apol_polcap_query_create(); ++ if (!arq) { ++ SWIG_exception(SWIG_MemoryError, "Out of memory"); ++ } ++ END_EXCEPTION ++ fail: ++ return arq; ++ }; ++ ~apol_polcap_query() { ++ apol_polcap_query_destroy(&self); ++ }; ++ %newobject run(apol_policy_t*); ++ apol_vector_t *run(apol_policy_t *p) { ++ apol_vector_t *v; ++ BEGIN_EXCEPTION ++ if (apol_polcap_get_by_query(p, self, &v)) { ++ SWIG_exception(SWIG_RuntimeError, "Could not run polcap query"); ++ } ++ END_EXCEPTION ++ fail: ++ return v; ++ }; ++ ++ %rename(set_name) wrap_set_name; ++ void wrap_set_name(apol_policy_t *p, char *name) { ++ BEGIN_EXCEPTION ++ if (apol_polcap_query_set_name(p, self, name)) { ++ SWIG_exception(SWIG_MemoryError, "Out of memory"); ++ } ++ END_EXCEPTION ++ fail: ++ return; ++ }; ++ ++ %rename(set_regex) wrap_set_regex; ++ void wrap_set_regex(apol_policy_t *p, int regex) { ++ apol_polcap_query_set_regex(p, self, regex); ++ }; ++}; ++ ++/* apol typebounds query */ ++typedef struct apol_typebounds_query {} apol_typebounds_query_t; ++%extend apol_typebounds_query_t { ++ apol_typebounds_query() { ++ apol_typebounds_query_t *arq; ++ BEGIN_EXCEPTION ++ arq = apol_typebounds_query_create(); ++ if (!arq) { ++ SWIG_exception(SWIG_MemoryError, "Out of memory"); ++ } ++ END_EXCEPTION ++ fail: ++ return arq; ++ }; ++ ~apol_typebounds_query() { ++ apol_typebounds_query_destroy(&self); ++ }; ++ %newobject run(apol_policy_t*); ++ apol_vector_t *run(apol_policy_t *p) { ++ apol_vector_t *v; ++ BEGIN_EXCEPTION ++ if (apol_typebounds_get_by_query(p, self, &v)) { ++ SWIG_exception(SWIG_RuntimeError, "Could not run typebounds query"); ++ } ++ END_EXCEPTION ++ fail: ++ return v; ++ }; ++ %rename(set_name) wrap_set_name; ++ void wrap_set_name(apol_policy_t *p, char *name) { ++ BEGIN_EXCEPTION ++ if (apol_typebounds_query_set_name(p, self, name)) { ++ SWIG_exception(SWIG_MemoryError, "Out of memory"); ++ } ++ END_EXCEPTION ++ fail: ++ return; ++ }; ++ %rename(set_regex) wrap_set_regex; ++ void wrap_set_regex(apol_policy_t *p, int regex) { ++ apol_typebounds_query_set_regex(p, self, regex); ++ }; ++}; ++ ++/* apol rolebounds query */ ++typedef struct apol_rolebounds_query {} apol_rolebounds_query_t; ++%extend apol_rolebounds_query_t { ++ apol_rolebounds_query() { ++ apol_rolebounds_query_t *arq; ++ BEGIN_EXCEPTION ++ arq = apol_rolebounds_query_create(); ++ if (!arq) { ++ SWIG_exception(SWIG_MemoryError, "Out of memory"); ++ } ++ END_EXCEPTION ++ fail: ++ return arq; ++ }; ++ ~apol_rolebounds_query() { ++ apol_rolebounds_query_destroy(&self); ++ }; ++ %newobject run(apol_policy_t*); ++ apol_vector_t *run(apol_policy_t *p) { ++ apol_vector_t *v; ++ BEGIN_EXCEPTION ++ if (apol_rolebounds_get_by_query(p, self, &v)) { ++ SWIG_exception(SWIG_RuntimeError, "Could not run rolebounds query"); ++ } ++ END_EXCEPTION ++ fail: ++ return v; ++ }; ++}; ++ ++/* apol userbounds query */ ++typedef struct apol_userbounds_query {} apol_userbounds_query_t; ++%extend apol_userbounds_query_t { ++ apol_userbounds_query() { ++ apol_userbounds_query_t *arq; ++ BEGIN_EXCEPTION ++ arq = apol_userbounds_query_create(); ++ if (!arq) { ++ SWIG_exception(SWIG_MemoryError, "Out of memory"); ++ } ++ END_EXCEPTION ++ fail: ++ return arq; ++ }; ++ ~apol_userbounds_query() { ++ apol_userbounds_query_destroy(&self); ++ }; ++ %newobject run(apol_policy_t*); ++ apol_vector_t *run(apol_policy_t *p) { ++ apol_vector_t *v; ++ BEGIN_EXCEPTION ++ if (apol_userbounds_get_by_query(p, self, &v)) { ++ SWIG_exception(SWIG_RuntimeError, "Could not run userbounds query"); ++ } ++ END_EXCEPTION ++ fail: ++ return v; ++ }; ++}; ++ ++/* apol default_object query */ ++typedef struct apol_default_object_query {} apol_default_object_query_t; ++%extend apol_default_object_query_t { ++ apol_default_object_query() { ++ apol_default_object_query_t *arq; ++ BEGIN_EXCEPTION ++ arq = apol_default_object_query_create(); ++ if (!arq) { ++ SWIG_exception(SWIG_MemoryError, "Out of memory"); ++ } ++ END_EXCEPTION ++ fail: ++ return arq; ++ }; ++ ~apol_default_object_query() { ++ apol_default_object_query_destroy(&self); ++ }; ++ %newobject run(apol_policy_t*); ++ apol_vector_t *run(apol_policy_t *p) { ++ apol_vector_t *v; ++ BEGIN_EXCEPTION ++ if (apol_default_object_get_by_query(p, self, &v)) { ++ SWIG_exception(SWIG_RuntimeError, "Could not run default object query"); ++ } ++ END_EXCEPTION ++ fail: ++ return v; ++ }; ++}; ++ + /* domain transition analysis */ + #define APOL_DOMAIN_TRANS_DIRECTION_FORWARD 0x01 + #define APOL_DOMAIN_TRANS_DIRECTION_REVERSE 0x02 +@@ -2531,7 +2997,7 @@ char *apol_range_trans_render(apol_policy_t * policy, qpol_range_trans_t * rule) + #define APOL_DOMAIN_TRANS_SEARCH_BOTH (APOL_DOMAIN_TRANS_SEARCH_VALID|APOL_DOMAIN_TRANS_SEARCH_INVALID) + typedef struct apol_domain_trans_analysis {} apol_domain_trans_analysis_t; + %extend apol_domain_trans_analysis_t { +- apol_domain_trans_analysis_t() { ++ apol_domain_trans_analysis() { + apol_domain_trans_analysis_t *dta; + BEGIN_EXCEPTION + dta = apol_domain_trans_analysis_create(); +@@ -2542,10 +3008,11 @@ typedef struct apol_domain_trans_analysis {} apol_domain_trans_analysis_t; + fail: + return dta; + }; +- ~apol_domain_trans_analysis_t() { ++ ~apol_domain_trans_analysis() { + apol_domain_trans_analysis_destroy(&self); + }; +- void set_direction(apol_policy_t *p, int direction) { ++ %rename(set_direction) wrap_set_direction; ++ void wrap_set_direction(apol_policy_t *p, int direction) { + BEGIN_EXCEPTION + if (apol_domain_trans_analysis_set_direction(p, self, (unsigned char)direction)) { + SWIG_exception(SWIG_RuntimeError, "Could not set direction for domain transition analysis"); +@@ -2554,7 +3021,8 @@ typedef struct apol_domain_trans_analysis {} apol_domain_trans_analysis_t; + fail: + return; + }; +- void set_valid(apol_policy_t *p, int valid) { ++ %rename(set_valid) wrap_set_valid; ++ void wrap_set_valid(apol_policy_t *p, int valid) { + BEGIN_EXCEPTION + if (apol_domain_trans_analysis_set_valid(p, self, (unsigned char)valid)) { + SWIG_exception(SWIG_RuntimeError, "Could not set valid flag for domain transition analysis"); +@@ -2563,7 +3031,8 @@ typedef struct apol_domain_trans_analysis {} apol_domain_trans_analysis_t; + fail: + return; + }; +- void set_start_type(apol_policy_t *p, char *name) { ++ %rename(set_start_type) wrap_set_start_type; ++ void wrap_set_start_type(apol_policy_t *p, char *name) { + BEGIN_EXCEPTION + if (apol_domain_trans_analysis_set_start_type(p, self, name)) { + SWIG_exception(SWIG_MemoryError, "Out of memory"); +@@ -2572,7 +3041,8 @@ typedef struct apol_domain_trans_analysis {} apol_domain_trans_analysis_t; + fail: + return; + }; +- void set_result_regex(apol_policy_t *p, char *regex) { ++ %rename(set_result_regex) wrap_set_result_regex; ++ void wrap_set_result_regex(apol_policy_t *p, char *regex) { + BEGIN_EXCEPTION + if (apol_domain_trans_analysis_set_result_regex(p, self, regex)) { + SWIG_exception(SWIG_MemoryError, "Out of memory"); +@@ -2581,7 +3051,8 @@ typedef struct apol_domain_trans_analysis {} apol_domain_trans_analysis_t; + fail: + return; + }; +- void append_access_type(apol_policy_t *p, char *name) { ++ %rename(append_access_type) wrap_append_access_type; ++ void wrap_append_access_type(apol_policy_t *p, char *name) { + BEGIN_EXCEPTION + if (apol_domain_trans_analysis_append_access_type(p, self, name)) { + SWIG_exception(SWIG_RuntimeError, "Could not append access type for domain transition analysis"); +@@ -2590,7 +3061,8 @@ typedef struct apol_domain_trans_analysis {} apol_domain_trans_analysis_t; + fail: + return; + }; +- void append_class(apol_policy_t *p, char *class_name) { ++ %rename(append_class) wrap_append_class; ++ void wrap_append_class(apol_policy_t *p, char *class_name) { + BEGIN_EXCEPTION + if (apol_domain_trans_analysis_append_class(p, self, class_name)) { + SWIG_exception(SWIG_RuntimeError, "Could not append access class for domain transition analysis"); +@@ -2599,7 +3071,8 @@ typedef struct apol_domain_trans_analysis {} apol_domain_trans_analysis_t; + fail: + return; + }; +- void append_perm(apol_policy_t *p, char *perm_name) { ++ %rename(append_perm) wrap_append_perm; ++ void wrap_append_perm(apol_policy_t *p, char *perm_name) { + BEGIN_EXCEPTION + if (apol_domain_trans_analysis_append_perm(p, self, perm_name)) { + SWIG_exception(SWIG_RuntimeError, "Could not append access permission for domain transition analysis"); +@@ -2622,7 +3095,7 @@ typedef struct apol_domain_trans_analysis {} apol_domain_trans_analysis_t; + }; + typedef struct apol_domain_trans_result {} apol_domain_trans_result_t; + %extend apol_domain_trans_result_t { +- apol_domain_trans_result_t(apol_domain_trans_result_t *in) { ++ apol_domain_trans_result(apol_domain_trans_result_t *in) { + apol_domain_trans_result_t *dtr; + BEGIN_EXCEPTION + dtr = apol_domain_trans_result_create_from_domain_trans_result(in); +@@ -2633,37 +3106,46 @@ typedef struct apol_domain_trans_result {} apol_domain_trans_result_t; + fail: + return dtr; + }; +- ~apol_domain_trans_result_t() { ++ ~apol_domain_trans_result() { + apol_domain_trans_result_destroy(&self); + }; +- const qpol_type_t *get_start_type() { ++ %rename(get_start_type) wrap_get_start_type; ++ const qpol_type_t *wrap_get_start_type() { + return apol_domain_trans_result_get_start_type(self); + }; +- const qpol_type_t *get_entrypoint_type() { ++ %rename(get_entrypoint_type) wrap_get_entrypoint_type; ++ const qpol_type_t *wrap_get_entrypoint_type() { + return apol_domain_trans_result_get_entrypoint_type(self); + }; +- const qpol_type_t *get_end_type() { ++ %rename(get_end_type) wrap_get_end_type; ++ const qpol_type_t *wrap_get_end_type() { + return apol_domain_trans_result_get_end_type(self); + }; + int get_is_valid() { + return apol_domain_trans_result_is_trans_valid(self); + }; +- const apol_vector_t *get_proc_trans_rules() { ++ %rename(get_proc_trans_rules) wrap_get_proc_trans_rules; ++ const apol_vector_t *wrap_get_proc_trans_rules() { + return apol_domain_trans_result_get_proc_trans_rules(self); + }; +- const apol_vector_t *get_entrypoint_rules() { ++ %rename(get_entrypoint_rules) wrap_get_entrypoint_rules; ++ const apol_vector_t *wrap_get_entrypoint_rules() { + return apol_domain_trans_result_get_entrypoint_rules(self); + }; +- const apol_vector_t *get_exec_rules() { ++ %rename(get_exec_rules) wrap_get_exec_rules; ++ const apol_vector_t *wrap_get_exec_rules() { + return apol_domain_trans_result_get_exec_rules(self); + }; +- const apol_vector_t *get_setexec_rules() { ++ %rename(get_setexec_rules) wrap_get_setexec_rules; ++ const apol_vector_t *wrap_get_setexec_rules() { + return apol_domain_trans_result_get_setexec_rules(self); + }; +- const apol_vector_t *get_type_trans_rules() { ++ %rename(get_type_trans_rules) wrap_get_type_trans_rules; ++ const apol_vector_t *wrap_get_type_trans_rules() { + return apol_domain_trans_result_get_type_trans_rules(self); + }; +- const apol_vector_t *get_access_rules() { ++ %rename(get_access_rules) wrap_get_access_rules; ++ const apol_vector_t *wrap_get_access_rules() { + return apol_domain_trans_result_get_access_rules(self); + }; + }; +@@ -2705,14 +3187,14 @@ int apol_domain_trans_table_verify_trans(apol_policy_t * policy, qpol_type_t * s + %} + typedef struct apol_infoflow {} apol_infoflow_t; + %extend apol_infoflow_t { +- apol_infoflow_t() { ++ apol_infoflow() { + BEGIN_EXCEPTION + SWIG_exception(SWIG_RuntimeError, "Cannot directly create apol_infoflow_t objects"); + END_EXCEPTION + fail: + return NULL; + }; +- ~apol_infoflow_t() { ++ ~apol_infoflow() { + apol_infoflow_destroy(&self); + }; + %newobject extract_graph(); +@@ -2730,7 +3212,7 @@ typedef struct apol_infoflow {} apol_infoflow_t; + }; + typedef struct apol_infoflow_analysis {} apol_infoflow_analysis_t; + %extend apol_infoflow_analysis_t { +- apol_infoflow_analysis_t() { ++ apol_infoflow_analysis() { + apol_infoflow_analysis_t *aia; + BEGIN_EXCEPTION + aia = apol_infoflow_analysis_create(); +@@ -2741,7 +3223,7 @@ typedef struct apol_infoflow_analysis {} apol_infoflow_analysis_t; + fail: + return aia; + }; +- ~apol_infoflow_analysis_t() { ++ ~apol_infoflow_analysis() { + apol_infoflow_analysis_destroy(&self); + }; + %newobject run(apol_policy_t*); +@@ -2763,7 +3245,8 @@ typedef struct apol_infoflow_analysis {} apol_infoflow_analysis_t; + apol_infoflow_destroy(&ai); + return NULL; + }; +- void set_mode(apol_policy_t *p, int mode) { ++ %rename(set_mode) wrap_set_mode; ++ void wrap_set_mode(apol_policy_t *p, int mode) { + BEGIN_EXCEPTION + if (apol_infoflow_analysis_set_mode(p, self, (unsigned int)mode)) { + SWIG_exception(SWIG_RuntimeError, "Could not set mode for information flow analysis"); +@@ -2772,7 +3255,8 @@ typedef struct apol_infoflow_analysis {} apol_infoflow_analysis_t; + fail: + return; + }; +- void set_dir(apol_policy_t *p, int direction) { ++ %rename(set_dir) wrap_set_dir; ++ void wrap_set_dir(apol_policy_t *p, int direction) { + BEGIN_EXCEPTION + if (apol_infoflow_analysis_set_dir(p, self, (unsigned int)direction)) { + SWIG_exception(SWIG_RuntimeError, "Could not set direction for information flow analysis"); +@@ -2781,7 +3265,8 @@ typedef struct apol_infoflow_analysis {} apol_infoflow_analysis_t; + fail: + return; + }; +- void set_type(apol_policy_t *p, char *name) { ++ %rename(set_type) wrap_set_type; ++ void wrap_set_type(apol_policy_t *p, char *name) { + BEGIN_EXCEPTION + if (apol_infoflow_analysis_set_type(p, self, name)) { + SWIG_exception(SWIG_RuntimeError, "Could not set type for information flow analysis"); +@@ -2790,7 +3275,8 @@ typedef struct apol_infoflow_analysis {} apol_infoflow_analysis_t; + fail: + return; + }; +- void append_intermediate(apol_policy_t *p, char *name) { ++ %rename(append_intermediate) wrap_append_intermediate; ++ void wrap_append_intermediate(apol_policy_t *p, char *name) { + BEGIN_EXCEPTION + if (apol_infoflow_analysis_append_intermediate(p, self, name)) { + SWIG_exception(SWIG_RuntimeError, "Could not append intermediate type for information flow analysis"); +@@ -2799,7 +3285,8 @@ typedef struct apol_infoflow_analysis {} apol_infoflow_analysis_t; + fail: + return; + }; +- void append_class_perm(apol_policy_t *p, char *class_name, char *perm_name) { ++ %rename(append_class_perm) wrap_append_class_perm; ++ void wrap_append_class_perm(apol_policy_t *p, char *class_name, char *perm_name) { + BEGIN_EXCEPTION + if (apol_infoflow_analysis_append_class_perm(p, self, class_name, perm_name)) { + SWIG_exception(SWIG_RuntimeError, "Could not append class and permission for information flow analysis"); +@@ -2808,10 +3295,12 @@ typedef struct apol_infoflow_analysis {} apol_infoflow_analysis_t; + fail: + return; + }; +- void set_min_weight(apol_policy_t *p, int weight) { ++ %rename(set_min_weight) wrap_set_min_weight; ++ void wrap_set_min_weight(apol_policy_t *p, int weight) { + apol_infoflow_analysis_set_min_weight(p, self, weight); + }; +- void set_result_regex(apol_policy_t *p, char *regex) { ++ %rename(set_result_regex) wrap_set_result_regex; ++ void wrap_set_result_regex(apol_policy_t *p, char *regex) { + BEGIN_EXCEPTION + if (apol_infoflow_analysis_set_result_regex(p, self, regex)) { + SWIG_exception(SWIG_RuntimeError, "Could not set result regular expression for information flow analysis"); +@@ -2823,14 +3312,14 @@ typedef struct apol_infoflow_analysis {} apol_infoflow_analysis_t; + }; + typedef struct apol_infoflow_graph {} apol_infoflow_graph_t; + %extend apol_infoflow_graph_t { +- apol_infoflow_graph_t() { ++ apol_infoflow_graph() { + BEGIN_EXCEPTION + SWIG_exception(SWIG_RuntimeError, "Cannot directly create apol_infoflow_graph_t objects"); + END_EXCEPTION + fail: + return NULL; + }; +- ~apol_infoflow_graph_t() { ++ ~apol_infoflow_graph() { + apol_infoflow_graph_destroy(&self); + }; + %newobject do_more(apol_policy_t*, char*); +@@ -2867,30 +3356,35 @@ typedef struct apol_infoflow_graph {} apol_infoflow_graph_t; + }; + typedef struct apol_infoflow_result {} apol_infoflow_result_t; + %extend apol_infoflow_result_t { +- apol_infoflow_result_t() { ++ apol_infoflow_result() { + BEGIN_EXCEPTION + SWIG_exception(SWIG_RuntimeError, "Cannot directly create apol_infoflow_result_t objects"); + END_EXCEPTION + fail: + return NULL; + }; +- ~apol_infoflow_result_t() { ++ ~apol_infoflow_result() { + /* no op - vector will destroy */ + return; + }; +- int get_dir() { ++ %rename(get_dir) wrap_get_dir; ++ int wrap_get_dir() { + return (int)apol_infoflow_result_get_dir(self); + }; +- const qpol_type_t *get_start_type() { ++ %rename(get_start_type) wrap_get_start_type; ++ const qpol_type_t *wrap_get_start_type() { + return apol_infoflow_result_get_start_type(self); + }; +- const qpol_type_t *get_end_type() { ++ %rename(get_end_type) wrap_get_end_type; ++ const qpol_type_t *wrap_get_end_type() { + return apol_infoflow_result_get_end_type(self); + }; +- int get_length() { ++ %rename(get_length) wrap_get_length; ++ int wrap_get_length() { + return (int) apol_infoflow_result_get_length(self); + } +- const apol_vector_t *get_steps() { ++ %rename(get_steps) wrap_get_steps; ++ const apol_vector_t *wrap_get_steps() { + return apol_infoflow_result_get_steps(self); + }; + }; +@@ -2901,27 +3395,31 @@ typedef struct apol_infoflow_result {} apol_infoflow_result_t; + %} + typedef struct apol_infoflow_step {} apol_infoflow_step_t; + %extend apol_infoflow_step_t { +- apol_infoflow_step_t() { ++ apol_infoflow_step() { + BEGIN_EXCEPTION + SWIG_exception(SWIG_RuntimeError, "Cannot directly create apol_infoflow_step_t objects"); + END_EXCEPTION + fail: + return NULL; + }; +- ~apol_infoflow_step_t() { ++ ~apol_infoflow_step() { + /* no op */ + return; + }; +- const qpol_type_t *get_start_type() { ++ %rename(get_start_type) wrap_get_start_type; ++ const qpol_type_t *wrap_get_start_type() { + return apol_infoflow_step_get_start_type(self); + }; +- const qpol_type_t *get_end_type() { ++ %rename(get_end_type) wrap_get_end_type; ++ const qpol_type_t *wrap_get_end_type() { + return apol_infoflow_step_get_end_type(self); + }; +- int get_weight() { ++ %rename(get_weight) wrap_get_weight; ++ int wrap_get_weight() { + return apol_infoflow_step_get_weight(self); + }; +- const apol_vector_t *get_rules() { ++ %rename(get_rules) wrap_get_rules; ++ const apol_vector_t *wrap_get_rules() { + return apol_infoflow_step_get_rules(self); + }; + }; +@@ -2938,7 +3436,7 @@ typedef struct apol_infoflow_step {} apol_infoflow_step_t; + #define APOL_RELABEL_DIR_SUBJECT 0x04 + typedef struct apol_relabel_analysis {} apol_relabel_analysis_t; + %extend apol_relabel_analysis_t { +- apol_relabel_analysis_t() { ++ apol_relabel_analysis() { + apol_relabel_analysis_t *ara; + BEGIN_EXCEPTION + ara = apol_relabel_analysis_create(); +@@ -2949,7 +3447,7 @@ typedef struct apol_relabel_analysis {} apol_relabel_analysis_t; + fail: + return ara; + }; +- ~apol_relabel_analysis_t() { ++ ~apol_relabel_analysis() { + apol_relabel_analysis_destroy(&self); + }; + %newobject run(apol_policy_t*); +@@ -2963,7 +3461,8 @@ typedef struct apol_relabel_analysis {} apol_relabel_analysis_t; + fail: + return v; + }; +- void set_dir(apol_policy_t *p, int direction) { ++ %rename(set_dir) wrap_set_dir; ++ void wrap_set_dir(apol_policy_t *p, int direction) { + BEGIN_EXCEPTION + if (apol_relabel_analysis_set_dir(p, self, (unsigned int)direction)) { + SWIG_exception(SWIG_RuntimeError, "Could not set direction for relabel analysis"); +@@ -2972,7 +3471,8 @@ typedef struct apol_relabel_analysis {} apol_relabel_analysis_t; + fail: + return; + }; +- void set_type(apol_policy_t *p, char *name) { ++ %rename(set_type) wrap_set_type; ++ void wrap_set_type(apol_policy_t *p, char *name) { + BEGIN_EXCEPTION + if (apol_relabel_analysis_set_type(p, self, name)) { + SWIG_exception(SWIG_RuntimeError, "Could not set type for relabel analysis"); +@@ -2981,7 +3481,8 @@ typedef struct apol_relabel_analysis {} apol_relabel_analysis_t; + fail: + return; + }; +- void append_class(apol_policy_t *p, char *name) { ++ %rename(append_class) wrap_append_class; ++ void wrap_append_class(apol_policy_t *p, char *name) { + BEGIN_EXCEPTION + if (apol_relabel_analysis_append_class(p, self, name)) { + SWIG_exception(SWIG_RuntimeError, "Could not append class to relabel analysis"); +@@ -2990,7 +3491,8 @@ typedef struct apol_relabel_analysis {} apol_relabel_analysis_t; + fail: + return; + }; +- void append_subject(apol_policy_t *p, char *name) { ++ %rename(append_subject) wrap_append_subject; ++ void wrap_append_subject(apol_policy_t *p, char *name) { + BEGIN_EXCEPTION + if (apol_relabel_analysis_append_subject(p, self, name)) { + SWIG_exception(SWIG_RuntimeError, "Could not append subject to relabel analysis"); +@@ -2999,7 +3501,8 @@ typedef struct apol_relabel_analysis {} apol_relabel_analysis_t; + fail: + return; + }; +- void set_result_regex(apol_policy_t *p, char *regex) { ++ %rename(set_result_regex) wrap_set_result_regex; ++ void wrap_set_result_regex(apol_policy_t *p, char *regex) { + BEGIN_EXCEPTION + if (apol_relabel_analysis_set_result_regex(p, self, regex)) { + SWIG_exception(SWIG_RuntimeError, "Could not set result regular expression for relabel analysis"); +@@ -3011,27 +3514,31 @@ typedef struct apol_relabel_analysis {} apol_relabel_analysis_t; + }; + typedef struct apol_relabel_result {} apol_relabel_result_t; + %extend apol_relabel_result_t { +- apol_relabel_result_t() { ++ apol_relabel_result() { + BEGIN_EXCEPTION + SWIG_exception(SWIG_RuntimeError, "Cannot directly create apol_relabel_result_t objects"); + END_EXCEPTION + fail: + return NULL; + }; +- ~apol_relabel_result_t() { ++ ~apol_relabel_result() { + /* no op - vector will destroy */ + return; + }; +- const apol_vector_t *get_to() { ++ %rename(get_to) wrap_get_to; ++ const apol_vector_t *wrap_get_to() { + return apol_relabel_result_get_to(self); + }; +- const apol_vector_t *get_from() { ++ %rename(get_from) wrap_get_from; ++ const apol_vector_t *wrap_get_from() { + return apol_relabel_result_get_from(self); + }; +- const apol_vector_t *get_both() { ++ %rename(get_both) wrap_get_both; ++ const apol_vector_t *wrap_get_both() { + return apol_relabel_result_get_both(self); + }; +- const qpol_type_t *get_result_type() { ++ %rename(get_result_type) wrap_get_result_type; ++ const qpol_type_t *wrap_get_result_type() { + return apol_relabel_result_get_result_type(self); + }; + }; +@@ -3042,24 +3549,27 @@ typedef struct apol_relabel_result {} apol_relabel_result_t; + %} + typedef struct apol_relabel_result_pair {} apol_relabel_result_pair_t; + %extend apol_relabel_result_pair_t { +- apol_relabel_result_pair_t() { ++ apol_relabel_result_pair() { + BEGIN_EXCEPTION + SWIG_exception(SWIG_RuntimeError, "Cannot directly create apol_relabel_result_pair_t objects"); + END_EXCEPTION + fail: + return NULL; + }; +- ~apol_relabel_result_pair_t() { ++ ~apol_relabel_result_pair() { + /* no op - owned and free()'d by apol_relabel_result_t */ + return; + }; +- const qpol_avrule_t *get_ruleA() { ++ %rename(get_ruleA) wrap_get_ruleA; ++ const qpol_avrule_t *wrap_get_ruleA() { + return apol_relabel_result_pair_get_ruleA(self); + }; +- const qpol_avrule_t *get_ruleB() { ++ %rename(get_ruleB) wrap_get_ruleB; ++ const qpol_avrule_t *wrap_get_ruleB() { + return apol_relabel_result_pair_get_ruleB(self); + }; +- const qpol_type_t *get_intermediate_type() { ++ %rename(get_intermediate_type) wrap_get_intermediate_type; ++ const qpol_type_t *wrap_get_intermediate_type() { + return apol_relabel_result_pair_get_intermediate_type(self); + }; + }; +@@ -3084,7 +3594,7 @@ typedef struct apol_relabel_result_pair {} apol_relabel_result_pair_t; + #define APOL_TYPES_RELATION_TRANS_FLOW_BA 0x8000 + typedef struct apol_types_relation_analysis {} apol_types_relation_analysis_t; + %extend apol_types_relation_analysis_t { +- apol_types_relation_analysis_t() { ++ apol_types_relation_analysis() { + apol_types_relation_analysis_t *atr; + BEGIN_EXCEPTION + atr = apol_types_relation_analysis_create(); +@@ -3095,7 +3605,7 @@ typedef struct apol_types_relation_analysis {} apol_types_relation_analysis_t; + fail: + return atr; + }; +- ~apol_types_relation_analysis_t() { ++ ~apol_types_relation_analysis() { + apol_types_relation_analysis_destroy(&self); + } + %newobject run(apol_policy_t*); +@@ -3109,7 +3619,8 @@ typedef struct apol_types_relation_analysis {} apol_types_relation_analysis_t; + fail: + return res; + }; +- void set_first_type(apol_policy_t *p, char *name) { ++ %rename(set_first_type) wrap_set_first_type; ++ void wrap_set_first_type(apol_policy_t *p, char *name) { + BEGIN_EXCEPTION + if (apol_types_relation_analysis_set_first_type(p, self, name)) { + SWIG_exception(SWIG_RuntimeError, "Could not set first type for types relation analysis"); +@@ -3118,7 +3629,8 @@ typedef struct apol_types_relation_analysis {} apol_types_relation_analysis_t; + fail: + return; + }; +- void set_other_type(apol_policy_t *p, char *name) { ++ %rename(set_other_type) wrap_set_other_type; ++ void wrap_set_other_type(apol_policy_t *p, char *name) { + BEGIN_EXCEPTION + if (apol_types_relation_analysis_set_other_type(p, self, name)) { + SWIG_exception(SWIG_RuntimeError, "Could not set other type for types relation analysis"); +@@ -3127,7 +3639,8 @@ typedef struct apol_types_relation_analysis {} apol_types_relation_analysis_t; + fail: + return; + }; +- void set_analyses(apol_policy_t *p, int analyses) { ++ %rename(set_analyses) wrap_set_analyses; ++ void wrap_set_analyses(apol_policy_t *p, int analyses) { + BEGIN_EXCEPTION + if (apol_types_relation_analysis_set_analyses(p, self, (unsigned int)analyses)) { + SWIG_exception(SWIG_RuntimeError, "Could not set analyses to run for types relation analysis"); +@@ -3139,76 +3652,92 @@ typedef struct apol_types_relation_analysis {} apol_types_relation_analysis_t; + }; + typedef struct apol_types_relation_result {} apol_types_relation_result_t; + %extend apol_types_relation_result_t { +- apol_types_relation_result_t() { ++ apol_types_relation_result() { + BEGIN_EXCEPTION + SWIG_exception(SWIG_RuntimeError, "Cannot directly create apol_types_relation_result_t objects"); + END_EXCEPTION + fail: + return NULL; + }; +- ~apol_types_relation_result_t() { ++ ~apol_types_relation_result() { + apol_types_relation_result_destroy(&self); + }; +- const apol_vector_t *get_attributes() { ++ %rename(get_attributes) wrap_get_attributes; ++ const apol_vector_t *wrap_get_attributes() { + return apol_types_relation_result_get_attributes(self); + }; +- const apol_vector_t *get_roles() { ++ %rename(get_roles) wrap_get_roles; ++ const apol_vector_t *wrap_get_roles() { + return apol_types_relation_result_get_roles(self); + }; +- const apol_vector_t *get_users() { ++ %rename(get_users) wrap_get_users; ++ const apol_vector_t *wrap_get_users() { + return apol_types_relation_result_get_users(self); + }; +- const apol_vector_t *get_similar_first() { ++ %rename(get_similar_first) wrap_get_similar_first; ++ const apol_vector_t *wrap_get_similar_first() { + return apol_types_relation_result_get_similar_first(self); + }; +- const apol_vector_t *get_similar_other() { ++ %rename(get_similar_other) wrap_get_similar_other; ++ const apol_vector_t *wrap_get_similar_other() { + return apol_types_relation_result_get_similar_other(self); + }; +- const apol_vector_t *get_dissimilar_first() { ++ %rename(get_dissimilar_first) wrap_get_dissimilar_first; ++ const apol_vector_t *wrap_get_dissimilar_first() { + return apol_types_relation_result_get_dissimilar_first(self); + }; +- const apol_vector_t *get_dissimilar_other() { ++ %rename(get_dissimilar_other) wrap_get_dissimilar_other; ++ const apol_vector_t *wrap_get_dissimilar_other() { + return apol_types_relation_result_get_dissimilar_other(self); + }; +- const apol_vector_t *get_allowrules() { ++ %rename(get_allowrules) wrap_get_allowrules; ++ const apol_vector_t *wrap_get_allowrules() { + return apol_types_relation_result_get_allowrules(self); + }; +- const apol_vector_t *get_typerules() { ++ %rename(get_typerules) wrap_get_typerules; ++ const apol_vector_t *wrap_get_typerules() { + return apol_types_relation_result_get_typerules(self); + }; +- const apol_vector_t *get_directflows() { ++ %rename(get_directflows) wrap_get_directflows; ++ const apol_vector_t *wrap_get_directflows() { + return apol_types_relation_result_get_directflows(self); + }; +- const apol_vector_t *get_transflowsAB() { ++ %rename(get_transflowsAB) wrap_get_transflowsAB; ++ const apol_vector_t *wrap_get_transflowsAB() { + return apol_types_relation_result_get_transflowsAB(self); + }; +- const apol_vector_t *get_transflowsBA() { ++ %rename(get_transflowsBA) wrap_get_transflowsBA; ++ const apol_vector_t *wrap_get_transflowsBA() { + return apol_types_relation_result_get_transflowsBA(self); + }; +- const apol_vector_t*get_domainsAB() { ++ %rename(get_domainsAB) wrap_get_domainsAB; ++ const apol_vector_t*wrap_get_domainsAB() { + return apol_types_relation_result_get_domainsAB(self); + }; +- const apol_vector_t*get_domainsBA() { ++ %rename(get_domainsBA) wrap_get_domainsBA; ++ const apol_vector_t*wrap_get_domainsBA() { + return apol_types_relation_result_get_domainsBA(self); + }; + }; + typedef struct apol_types_relation_access {} apol_types_relation_access_t; + %extend apol_types_relation_access_t { +- apol_types_relation_access_t() { ++ apol_types_relation_access() { + BEGIN_EXCEPTION + SWIG_exception(SWIG_RuntimeError, "Cannot directly create apol_types_relation_access_t objects"); + END_EXCEPTION + fail: + return NULL; + }; +- ~apol_types_relation_access_t() { ++ ~apol_types_relation_access() { + /* no op - vector will destroy */ + return; + }; +- const qpol_type_t *get_type() { ++ %rename(get_type) wrap_get_type; ++ const qpol_type_t *wrap_get_type() { + return apol_types_relation_access_get_type(self); + }; +- const apol_vector_t *get_rules() { ++ %rename(get_rules) wrap_get_rules; ++ const apol_vector_t *wrap_get_rules() { + return apol_types_relation_access_get_rules(self); + }; + }; +diff --git a/libpoldiff/swig/poldiff.i b/libpoldiff/swig/poldiff.i +index 29767a8..addbb21 100644 +--- a/libpoldiff/swig/poldiff.i ++++ b/libpoldiff/swig/poldiff.i +@@ -273,7 +273,7 @@ typedef enum poldiff_form + %} + typedef struct poldiff_stats {} poldiff_stats_t; + %extend poldiff_stats_t { +- poldiff_stats_t() { ++ poldiff_stats() { + poldiff_stats_t *s; + BEGIN_EXCEPTION + s = poldiff_stats_create(); +@@ -284,7 +284,7 @@ typedef struct poldiff_stats {} poldiff_stats_t; + fail: + return s; + }; +- ~poldiff_stats_t() { ++ ~poldiff_stats() { + poldiff_stats_destroy(&self); + }; + size_t get_stat(poldiff_form_e form) { +@@ -348,7 +348,7 @@ unsigned long to_ulong(void *x); + #endif + typedef struct poldiff {} poldiff_t; + %extend poldiff_t { +- poldiff_t(apol_policy_t *op, apol_policy_t *mp) { ++ poldiff(apol_policy_t *op, apol_policy_t *mp) { + poldiff_t *p; + BEGIN_EXCEPTION + p = poldiff_create(op, mp, poldiff_swig_message_callback, poldiff_swig_message_callback_arg); +@@ -360,10 +360,11 @@ typedef struct poldiff {} poldiff_t; + fail: + return NULL; + }; +- ~poldiff_t() { ++ ~poldiff() { + poldiff_destroy(&self); + }; +- void run(uint32_t flags) { ++ %rename(run) wrap_run; ++ void wrap_run(uint32_t flags) { + BEGIN_EXCEPTION + if (poldiff_run(self, flags)) { + SWIG_exception(SWIG_RuntimeError, "Could not run diff"); +@@ -372,11 +373,13 @@ typedef struct poldiff {} poldiff_t; + fail: + return; + }; +- int is_run(uint32_t flags) { ++ %rename(is_run) wrap_is_run; ++ int wrap_is_run(uint32_t flags) { + return poldiff_is_run(self, flags); + }; + %newobject get_stats(uint32_t); +- poldiff_stats_t *get_stats(uint32_t flags) { ++ %rename(get_stats) wrap_get_stats; ++ poldiff_stats_t *wrap_get_stats(uint32_t flags) { + poldiff_stats_t *s = NULL; + BEGIN_EXCEPTION + s = poldiff_stats_create(); +@@ -392,7 +395,8 @@ typedef struct poldiff {} poldiff_t; + poldiff_stats_destroy(&s); + return NULL; + }; +- void enable_line_numbers() { ++ %rename(enable_line_numbers) wrap_enable_line_numbers; ++ void wrap_enable_line_numbers() { + BEGIN_EXCEPTION + if (poldiff_enable_line_numbers(self)) { + SWIG_exception(SWIG_RuntimeError, "Could not enable line numbers"); +@@ -401,67 +405,88 @@ typedef struct poldiff {} poldiff_t; + fail: + return; + }; +- const apol_vector_t *get_attrib_vector() { ++ %rename(get_attrib_vector) wrap_get_attrib_vector; ++ const apol_vector_t *wrap_get_attrib_vector() { + return poldiff_get_attrib_vector(self); + }; +- const apol_vector_t *get_avrule_vector_allow() { ++ %rename(get_avrule_vector_allow) wrap_get_avrule_vector_allow; ++ const apol_vector_t *wrap_get_avrule_vector_allow() { + return poldiff_get_avrule_vector_allow(self); + }; +- const apol_vector_t *get_avrule_vector_auditallow() { ++ %rename(get_avrule_vector_auditallow) wrap_get_avrule_vector_auditallow; ++ const apol_vector_t *wrap_get_avrule_vector_auditallow() { + return poldiff_get_avrule_vector_auditallow(self); + }; +- const apol_vector_t *get_avrule_vector_dontaudit() { ++ %rename(get_avrule_vector_dontaudit) wrap_get_avrule_vector_dontaudit; ++ const apol_vector_t *wrap_get_avrule_vector_dontaudit() { + return poldiff_get_avrule_vector_dontaudit(self); + }; +- const apol_vector_t *get_avrule_vector_neverallow() { ++ %rename(get_avrule_vector_neverallow) wrap_get_avrule_vector_neverallow; ++ const apol_vector_t *wrap_get_avrule_vector_neverallow() { + return poldiff_get_avrule_vector_neverallow(self); + }; +- const apol_vector_t *get_bool_vector() { ++ %rename(get_bool_vector) wrap_get_bool_vector; ++ const apol_vector_t *wrap_get_bool_vector() { + return poldiff_get_bool_vector(self); + }; +- const apol_vector_t *get_cat_vector() { ++ %rename(get_cat_vector) wrap_get_cat_vector; ++ const apol_vector_t *wrap_get_cat_vector() { + return poldiff_get_cat_vector(self); + }; +- const apol_vector_t *get_class_vector() { ++ %rename(get_class_vector) wrap_get_class_vector; ++ const apol_vector_t *wrap_get_class_vector() { + return poldiff_get_class_vector(self); + }; +- const apol_vector_t *get_common_vector() { ++ %rename(get_common_vector) wrap_get_common_vector; ++ const apol_vector_t *wrap_get_common_vector() { + return poldiff_get_common_vector(self); + }; +- const apol_vector_t *get_level_vector() { ++ %rename(get_level_vector) wrap_get_level_vector; ++ const apol_vector_t *wrap_get_level_vector() { + return poldiff_get_level_vector(self); + }; +- const apol_vector_t *get_range_trans_vector() { ++ %rename(get_range_trans_vector) wrap_get_range_trans_vector; ++ const apol_vector_t *wrap_get_range_trans_vector() { + return poldiff_get_range_trans_vector(self); + }; +- const apol_vector_t *get_role_allow_vector() { ++ %rename(get_role_allow_vector) wrap_get_role_allow_vector; ++ const apol_vector_t *wrap_get_role_allow_vector() { + return poldiff_get_role_allow_vector(self); + }; +- const apol_vector_t *get_role_trans_vector() { ++ %rename(get_role_trans_vector) wrap_get_role_trans_vector; ++ const apol_vector_t *wrap_get_role_trans_vector() { + return poldiff_get_role_trans_vector(self); + }; +- const apol_vector_t *get_role_vector() { ++ %rename(get_role_vector) wrap_get_role_vector; ++ const apol_vector_t *wrap_get_role_vector() { + return poldiff_get_role_vector(self); + }; +- const apol_vector_t *get_terule_vector_change() { ++ %rename(get_terule_vector_change) wrap_get_terule_vector_change; ++ const apol_vector_t *wrap_get_terule_vector_change() { + return poldiff_get_terule_vector_change(self); + }; +- const apol_vector_t *get_terule_vector_member() { ++ %rename(get_terule_vector_member) wrap_get_terule_vector_member; ++ const apol_vector_t *wrap_get_terule_vector_member() { + return poldiff_get_terule_vector_member(self); + }; +- const apol_vector_t *get_terule_vector_trans() { ++ %rename(get_terule_vector_trans) wrap_get_terule_vector_trans; ++ const apol_vector_t *wrap_get_terule_vector_trans() { + return poldiff_get_terule_vector_trans(self); + }; +- const apol_vector_t *get_type_vector() { ++ %rename(get_type_vector) wrap_get_type_vector; ++ const apol_vector_t *wrap_get_type_vector() { + return poldiff_get_type_vector(self); + }; +- const apol_vector_t *get_user_vector() { ++ %rename(get_user_vector) wrap_get_user_vector; ++ const apol_vector_t *wrap_get_user_vector() { + return poldiff_get_user_vector(self); + }; +- const apol_vector_t *get_type_remap_entries() { ++ %rename(get_type_remap_entries) wrap_get_type_remap_entries; ++ const apol_vector_t *wrap_get_type_remap_entries() { + return poldiff_type_remap_get_entries(self); + }; +- void type_remap_create(apol_string_vector_t *orig_types, apol_string_vector_t *mod_types) { ++ %rename(type_remap_create) wrap_type_remap_create; ++ void wrap_type_remap_create(apol_string_vector_t *orig_types, apol_string_vector_t *mod_types) { + BEGIN_EXCEPTION + if (poldiff_type_remap_create(self, (apol_vector_t*)orig_types, (apol_vector_t*)mod_types)) { + SWIG_exception(SWIG_RuntimeError, "Could not remap types"); +@@ -478,19 +503,20 @@ typedef struct poldiff {} poldiff_t; + /* attribute diff */ + typedef struct poldiff_attrib {} poldiff_attrib_t; + %extend poldiff_attrib_t { +- poldiff_attrib_t () { ++ poldiff_attrib () { + BEGIN_EXCEPTION + SWIG_exception(SWIG_RuntimeError, "Cannot directly create poldiff_attrib_t objects"); + END_EXCEPTION + fail: + return NULL; + } +- ~poldiff_attrib_t() { ++ ~poldiff_attrib() { + /* no op */ + return; + }; + %newobject to_string(poldiff_t*); +- char *to_string(poldiff_t *p) { ++ %rename(to_string) wrap_to_string; ++ char *wrap_to_string(poldiff_t *p) { + char *str; + BEGIN_EXCEPTION + str = poldiff_attrib_to_string(p, self); +@@ -501,16 +527,20 @@ typedef struct poldiff_attrib {} poldiff_attrib_t; + fail: + return str; + }; +- const char *get_name() { ++ %rename(get_name) wrap_get_name; ++ const char *wrap_get_name() { + return poldiff_attrib_get_name(self); + }; +- poldiff_form_e get_form() { ++ %rename(get_form) wrap_get_form; ++ poldiff_form_e wrap_get_form() { + return poldiff_attrib_get_form(self); + }; +- const apol_string_vector_t *get_added_types() { ++ %rename(get_added_types) wrap_get_added_types; ++ const apol_string_vector_t *wrap_get_added_types() { + return (apol_string_vector_t*)poldiff_attrib_get_added_types(self); + }; +- const apol_string_vector_t *get_removed_types() { ++ %rename(get_removed_types) wrap_get_removed_types; ++ const apol_string_vector_t *wrap_get_removed_types() { + return (apol_string_vector_t*)poldiff_attrib_get_removed_types(self); + }; + }; +@@ -523,19 +553,20 @@ typedef struct poldiff_attrib {} poldiff_attrib_t; + /* av rule diff */ + typedef struct poldiff_avrule {} poldiff_avrule_t; + %extend poldiff_avrule_t { +- poldiff_avrule_t() { ++ poldiff_avrule() { + BEGIN_EXCEPTION + SWIG_exception(SWIG_RuntimeError, "Cannot directly create poldiff_avrule_t objects"); + END_EXCEPTION + fail: + return NULL; + } +- ~poldiff_avrule_t() { ++ ~poldiff_avrule() { + /* no op */ + return; + }; + %newobject to_string(poldiff_t*); +- char *to_string(poldiff_t *p) { ++ %rename(to_string) wrap_to_string; ++ char *wrap_to_string(poldiff_t *p) { + char *str; + BEGIN_EXCEPTION + str = poldiff_avrule_to_string(p, self); +@@ -546,22 +577,28 @@ typedef struct poldiff_avrule {} poldiff_avrule_t; + fail: + return str; + }; +- poldiff_form_e get_form() { ++ %rename(get_form) wrap_get_form; ++ poldiff_form_e wrap_get_form() { + return poldiff_avrule_get_form(self); + }; +- uint32_t get_rule_type() { ++ %rename(get_rule_type) wrap_get_rule_type; ++ uint32_t wrap_get_rule_type() { + return poldiff_avrule_get_rule_type(self); + }; +- const char *get_source_type() { ++ %rename(get_source_type) wrap_get_source_type; ++ const char *wrap_get_source_type() { + return poldiff_avrule_get_source_type(self); + }; +- const char *get_target_type() { ++ %rename(get_target_type) wrap_get_target_type; ++ const char *wrap_get_target_type() { + return poldiff_avrule_get_target_type(self); + }; +- const char *get_object_class() { ++ %rename(get_object_class) wrap_get_object_class; ++ const char *wrap_get_object_class() { + return poldiff_avrule_get_object_class(self); + }; +- const qpol_cond_t *get_cond(poldiff_t *p) { ++ %rename(get_cond) wrap_get_cond; ++ const qpol_cond_t *wrap_get_cond(poldiff_t *p) { + const qpol_cond_t *cond; + uint32_t which_list; + const apol_policy_t *which_pol; +@@ -582,20 +619,25 @@ typedef struct poldiff_avrule {} poldiff_avrule_t; + poldiff_avrule_get_cond(p, self, &cond, &which_list, &which_pol); + return which_pol; + }; +- const apol_string_vector_t *get_unmodified_perms() { ++ %rename(get_unmodified_perms) wrap_get_unmodified_perms; ++ const apol_string_vector_t *wrap_get_unmodified_perms() { + return (apol_string_vector_t*)poldiff_avrule_get_unmodified_perms(self); + }; +- const apol_string_vector_t *get_added_perms() { ++ %rename(get_added_perms) wrap_get_added_perms; ++ const apol_string_vector_t *wrap_get_added_perms() { + return (apol_string_vector_t*)poldiff_avrule_get_added_perms(self); + }; +- const apol_string_vector_t *get_removed_perms() { ++ %rename(get_removed_perms) wrap_get_removed_perms; ++ const apol_string_vector_t *wrap_get_removed_perms() { + return (apol_string_vector_t*)poldiff_avrule_get_removed_perms(self); + }; +- const apol_vector_t *get_orig_line_numbers() { ++ %rename(get_orig_line_numbers) wrap_get_orig_line_numbers; ++ const apol_vector_t *wrap_get_orig_line_numbers() { + return poldiff_avrule_get_orig_line_numbers(self); + }; + %newobject get_orig_line_numbers_for_perm(poldiff_t*, char*); +- apol_vector_t *get_orig_line_numbers_for_perm(poldiff_t *p, char *perm) { ++ %rename(get_orig_line_numbers_for_perm) wrap_get_orig_line_numbers_for_perm; ++ apol_vector_t *wrap_get_orig_line_numbers_for_perm(poldiff_t *p, char *perm) { + apol_vector_t *v; + BEGIN_EXCEPTION + v = poldiff_avrule_get_orig_line_numbers_for_perm(p, self, perm); +@@ -606,11 +648,13 @@ typedef struct poldiff_avrule {} poldiff_avrule_t; + fail: + return v; + }; +- const apol_vector_t *get_mod_line_numbers() { ++ %rename(get_mod_line_numbers) wrap_get_mod_line_numbers; ++ const apol_vector_t *wrap_get_mod_line_numbers() { + return poldiff_avrule_get_mod_line_numbers(self); + }; + %newobject get_mod_line_numbers_for_perm(poldiff_t*, char*); +- apol_vector_t *get_mod_line_numbers_for_perm(poldiff_t *p, char *perm) { ++ %rename(get_mod_line_numbers_for_perm) wrap_get_mod_line_numbers_for_perm; ++ apol_vector_t *wrap_get_mod_line_numbers_for_perm(poldiff_t *p, char *perm) { + apol_vector_t *v; + BEGIN_EXCEPTION + v = poldiff_avrule_get_mod_line_numbers_for_perm(p, self, perm); +@@ -631,19 +675,20 @@ typedef struct poldiff_avrule {} poldiff_avrule_t; + /* boolean diff */ + typedef struct poldiff_bool {} poldiff_bool_t; + %extend poldiff_bool_t { +- poldiff_bool_t() { ++ poldiff_bool() { + BEGIN_EXCEPTION + SWIG_exception(SWIG_RuntimeError, "Cannot directly create poldiff_bool_t objects"); + END_EXCEPTION + fail: + return NULL; + } +- ~poldiff_bool_t() { ++ ~poldiff_bool() { + /* no op */ + return; + }; + %newobject to_string(poldiff_t*); +- char *to_string(poldiff_t *p) { ++ %rename(to_string) wrap_to_string; ++ char *wrap_to_string(poldiff_t *p) { + char *str; + BEGIN_EXCEPTION + str = poldiff_bool_to_string(p, self); +@@ -654,10 +699,12 @@ typedef struct poldiff_bool {} poldiff_bool_t; + fail: + return str; + }; +- const char *get_name() { ++ %rename(get_name) wrap_get_name; ++ const char *wrap_get_name() { + return poldiff_bool_get_name(self); + }; +- poldiff_form_e get_form() { ++ %rename(get_form) wrap_get_form; ++ poldiff_form_e wrap_get_form() { + return poldiff_bool_get_form(self); + }; + }; +@@ -670,19 +717,20 @@ typedef struct poldiff_bool {} poldiff_bool_t; + /* category diff */ + typedef struct poldiff_cat {} poldiff_cat_t; + %extend poldiff_cat_t { +- poldiff_cat_t() { ++ poldiff_cat() { + BEGIN_EXCEPTION + SWIG_exception(SWIG_RuntimeError, "Cannot directly create poldiff_cat_t objects"); + END_EXCEPTION + fail: + return NULL; + } +- ~poldiff_cat_t() { ++ ~poldiff_cat() { + /* no op */ + return; + }; + %newobject to_string(poldiff_t*); +- char *to_string(poldiff_t *p) { ++ %rename(to_string) wrap_to_string; ++ char *wrap_to_string(poldiff_t *p) { + char *str; + BEGIN_EXCEPTION + str = poldiff_cat_to_string(p, self); +@@ -693,10 +741,12 @@ typedef struct poldiff_cat {} poldiff_cat_t; + fail: + return str; + }; +- const char *get_name() { ++ %rename(get_name) wrap_get_name; ++ const char *wrap_get_name() { + return poldiff_cat_get_name(self); + }; +- poldiff_form_e get_form() { ++ %rename(get_form) wrap_get_form; ++ poldiff_form_e wrap_get_form() { + return poldiff_cat_get_form(self); + }; + }; +@@ -709,19 +759,20 @@ typedef struct poldiff_cat {} poldiff_cat_t; + /* class diff */ + typedef struct poldiff_class {} poldiff_class_t; + %extend poldiff_class_t { +- poldiff_class_t() { ++ poldiff_class() { + BEGIN_EXCEPTION + SWIG_exception(SWIG_RuntimeError, "Cannot directly create poldiff_class_t objects"); + END_EXCEPTION + fail: + return NULL; + } +- ~poldiff_class_t() { ++ ~poldiff_class() { + /* no op */ + return; + }; + %newobject to_string(poldiff_t*); +- char *to_string(poldiff_t *p) { ++ %rename(to_string) wrap_to_string; ++ char *wrap_to_string(poldiff_t *p) { + char *str; + BEGIN_EXCEPTION + str = poldiff_class_to_string(p, self); +@@ -732,16 +783,20 @@ typedef struct poldiff_class {} poldiff_class_t; + fail: + return str; + }; +- const char *get_name() { ++ %rename(get_name) wrap_get_name; ++ const char *wrap_get_name() { + return poldiff_class_get_name(self); + }; +- poldiff_form_e get_form() { ++ %rename(get_form) wrap_get_form; ++ poldiff_form_e wrap_get_form() { + return poldiff_class_get_form(self); + }; +- const apol_string_vector_t *get_added_perms() { ++ %rename(get_added_perms) wrap_get_added_perms; ++ const apol_string_vector_t *wrap_get_added_perms() { + return (apol_string_vector_t*)poldiff_class_get_added_perms(self); + }; +- const apol_string_vector_t *get_removed_perms() { ++ %rename(get_removed_perms) wrap_get_removed_perms; ++ const apol_string_vector_t *wrap_get_removed_perms() { + return (apol_string_vector_t*)poldiff_class_get_removed_perms(self); + }; + }; +@@ -754,19 +809,20 @@ typedef struct poldiff_class {} poldiff_class_t; + /* common diff */ + typedef struct poldiff_common {} poldiff_common_t; + %extend poldiff_common_t { +- poldiff_common_t() { ++ poldiff_common() { + BEGIN_EXCEPTION + SWIG_exception(SWIG_RuntimeError, "Cannot directly create poldiff_common_t objects"); + END_EXCEPTION + fail: + return NULL; + } +- ~poldiff_common_t() { ++ ~poldiff_common() { + /* no op */ + return; + }; + %newobject to_string(poldiff_t*); +- char *to_string(poldiff_t *p) { ++ %rename(to_string) wrap_to_string; ++ char *wrap_to_string(poldiff_t *p) { + char *str; + BEGIN_EXCEPTION + str = poldiff_common_to_string(p, self); +@@ -777,16 +833,20 @@ typedef struct poldiff_common {} poldiff_common_t; + fail: + return str; + }; +- const char *get_name() { ++ %rename(get_name) wrap_get_name; ++ const char *wrap_get_name() { + return poldiff_common_get_name(self); + }; +- poldiff_form_e get_form() { ++ %rename(get_form) wrap_get_form; ++ poldiff_form_e wrap_get_form() { + return poldiff_common_get_form(self); + }; +- const apol_string_vector_t *get_added_perms() { ++ %rename(get_added_perms) wrap_get_added_perms; ++ const apol_string_vector_t *wrap_get_added_perms() { + return (apol_string_vector_t*)poldiff_common_get_added_perms(self); + }; +- const apol_string_vector_t *get_removed_perms() { ++ %rename(get_removed_perms) wrap_get_removed_perms; ++ const apol_string_vector_t *wrap_get_removed_perms() { + return (apol_string_vector_t*)poldiff_common_get_removed_perms(self); + }; + }; +@@ -799,19 +859,20 @@ typedef struct poldiff_common {} poldiff_common_t; + /* level diff */ + typedef struct poldiff_level {} poldiff_level_t; + %extend poldiff_level_t { +- poldiff_level_t() { ++ poldiff_level() { + BEGIN_EXCEPTION + SWIG_exception(SWIG_RuntimeError, "Cannot directly create poldiff_level_t objects"); + END_EXCEPTION + fail: + return NULL; + } +- ~poldiff_level_t() { ++ ~poldiff_level() { + /* no op */ + return; + }; + %newobject to_string(poldiff_t*); +- char *to_string(poldiff_t *p) { ++ %rename(to_string) wrap_to_string; ++ char *wrap_to_string(poldiff_t *p) { + char *str; + BEGIN_EXCEPTION + str = poldiff_level_to_string(p, self); +@@ -823,7 +884,8 @@ typedef struct poldiff_level {} poldiff_level_t; + return str; + }; + %newobject to_string_brief(poldiff_t*); +- char *to_string(poldiff_t *p) { ++ %rename(to_string_brief) wrap_to_string_brief; ++ char *wrap_to_string_brief(poldiff_t *p) { + char *str; + BEGIN_EXCEPTION + str = poldiff_level_to_string_brief(p, self); +@@ -834,19 +896,24 @@ typedef struct poldiff_level {} poldiff_level_t; + fail: + return str; + }; +- const char *get_name() { ++ %rename(get_name) wrap_get_name; ++ const char *wrap_get_name() { + return poldiff_level_get_name(self); + }; +- poldiff_form_e get_form() { ++ %rename(get_form) wrap_get_form; ++ poldiff_form_e wrap_get_form() { + return poldiff_level_get_form(self); + }; +- const apol_string_vector_t *get_unmodified_cats() { ++ %rename(get_unmodified_cats) wrap_get_unmodified_cats; ++ const apol_string_vector_t *wrap_get_unmodified_cats() { + return (apol_string_vector_t*)poldiff_level_get_unmodified_cats(self); + }; +- const apol_string_vector_t *get_added_cats() { ++ %rename(get_added_cats) wrap_get_added_cats; ++ const apol_string_vector_t *wrap_get_added_cats() { + return (apol_string_vector_t*)poldiff_level_get_added_cats(self); + }; +- const apol_string_vector_t *get_removed_cats() { ++ %rename(get_removed_cats) wrap_get_removed_cats; ++ const apol_string_vector_t *wrap_get_removed_cats() { + return (apol_string_vector_t*)poldiff_level_get_removed_cats(self); + }; + }; +@@ -859,14 +926,14 @@ typedef struct poldiff_level {} poldiff_level_t; + /* range diff */ + typedef struct poldiff_range {} poldiff_range_t; + %extend poldiff_range_t { +- poldiff_range_t() { ++ poldiff_range() { + BEGIN_EXCEPTION + SWIG_exception(SWIG_RuntimeError, "Cannot directly create poldiff_range_t objects"); + END_EXCEPTION + fail: + return NULL; + } +- ~poldiff_range_t() { ++ ~poldiff_range() { + /* no op */ + return; + }; +@@ -882,22 +949,28 @@ typedef struct poldiff_range {} poldiff_range_t; + fail: + return str; + }; +- const apol_vector_t *get_levels() { ++ %rename(get_levels) wrap_get_levels; ++ const apol_vector_t *wrap_get_levels() { + return poldiff_range_get_levels(self); + }; +- const apol_mls_range_t *get_original_range() { ++ %rename(get_original_range) wrap_get_original_range; ++ const apol_mls_range_t *wrap_get_original_range() { + return poldiff_range_get_original_range(self); + }; +- const apol_mls_range_t *get_modified_range() { ++ %rename(get_modified_range) wrap_get_modified_range; ++ const apol_mls_range_t *wrap_get_modified_range() { + return poldiff_range_get_modified_range(self); + }; +- const apol_string_vector_t *get_min_added_cats() { ++ %rename(get_min_added_cats) wrap_get_min_added_cats; ++ const apol_string_vector_t *wrap_get_min_added_cats() { + return (apol_string_vector_t*)poldiff_range_get_min_added_cats(self); + }; +- const apol_string_vector_t *get_min_removed_cats() { ++ %rename(get_min_removed_cats) wrap_get_min_removed_cats; ++ const apol_string_vector_t *wrap_get_min_removed_cats() { + return (apol_string_vector_t*)poldiff_range_get_min_removed_cats(self); + }; +- const apol_string_vector_t *get_min_unmodified_cats() { ++ %rename(get_min_unmodified_cats) wrap_get_min_unmodified_cats; ++ const apol_string_vector_t *wrap_get_min_unmodified_cats() { + return (apol_string_vector_t*)poldiff_range_get_min_unmodified_cats(self); + }; + }; +@@ -910,19 +983,20 @@ typedef struct poldiff_range {} poldiff_range_t; + /* range_transition rule diff */ + typedef struct poldiff_range_trans {} poldiff_range_trans_t; + %extend poldiff_range_trans_t { +- poldiff_range_trans_t() { ++ poldiff_range_trans() { + BEGIN_EXCEPTION + SWIG_exception(SWIG_RuntimeError, "Cannot directly create poldiff_range_trans_t objects"); + END_EXCEPTION + fail: + return NULL; + } +- ~poldiff_range_trans_t() { ++ ~poldiff_range_trans() { + /* no op */ + return; + }; + %newobject to_string(poldiff_t*); +- char *to_string(poldiff_t *p) { ++ %rename(to_string) wrap_to_string; ++ char *wrap_to_string(poldiff_t *p) { + char *str; + BEGIN_EXCEPTION + str = poldiff_range_trans_to_string(p, self); +@@ -933,19 +1007,24 @@ typedef struct poldiff_range_trans {} poldiff_range_trans_t; + fail: + return str; + }; +- poldiff_form_e get_form() { ++ %rename(get_form) wrap_get_form; ++ poldiff_form_e wrap_get_form() { + return poldiff_range_trans_get_form(self); + }; +- const char *get_source_type() { ++ %rename(get_source_type) wrap_get_source_type; ++ const char *wrap_get_source_type() { + return poldiff_range_trans_get_source_type(self); + }; +- const char *get_target_type() { ++ %rename(get_target_type) wrap_get_target_type; ++ const char *wrap_get_target_type() { + return poldiff_range_trans_get_target_type(self); + }; +- const char *get_target_class() { ++ %rename(get_target_class) wrap_get_target_class; ++ const char *wrap_get_target_class() { + return poldiff_range_trans_get_target_class(self); + }; +- const poldiff_range_t *get_range() { ++ %rename(get_range) wrap_get_range; ++ const poldiff_range_t *wrap_get_range() { + return poldiff_range_trans_get_range(self); + }; + }; +@@ -958,19 +1037,20 @@ typedef struct poldiff_range_trans {} poldiff_range_trans_t; + /* role allow rule diff */ + typedef struct poldiff_role_allow {} poldiff_role_allow_t; + %extend poldiff_role_allow_t { +- poldiff_role_allow_t() { ++ poldiff_role_allow() { + BEGIN_EXCEPTION + SWIG_exception(SWIG_RuntimeError, "Cannot directly create poldiff_role_allow_t objects"); + END_EXCEPTION + fail: + return NULL; + } +- ~poldiff_role_allow_t() { ++ ~poldiff_role_allow() { + /* no op */ + return; + }; + %newobject to_string(poldiff_t*); +- char *to_string(poldiff_t *p) { ++ %rename(to_string) wrap_to_string; ++ char *wrap_to_string(poldiff_t *p) { + char *str; + BEGIN_EXCEPTION + str = poldiff_role_allow_to_string(p, self); +@@ -981,19 +1061,24 @@ typedef struct poldiff_role_allow {} poldiff_role_allow_t; + fail: + return str; + }; +- const char *get_name() { ++ %rename(get_name) wrap_get_name; ++ const char *wrap_get_name() { + return poldiff_role_allow_get_name(self); + }; +- poldiff_form_e get_form() { ++ %rename(get_form) wrap_get_form; ++ poldiff_form_e wrap_get_form() { + return poldiff_role_allow_get_form(self); + }; +- const apol_string_vector_t *get_unmodified_roles() { ++ %rename(get_unmodified_roles) wrap_get_unmodified_roles; ++ const apol_string_vector_t *wrap_get_unmodified_roles() { + return (apol_string_vector_t*)poldiff_role_allow_get_unmodified_roles(self); + }; +- const apol_string_vector_t *get_added_roles() { ++ %rename(get_added_roles) wrap_get_added_roles; ++ const apol_string_vector_t *wrap_get_added_roles() { + return (apol_string_vector_t*)poldiff_role_allow_get_added_roles(self); + }; +- const apol_string_vector_t *get_removed_roles() { ++ %rename(get_removed_roles) wrap_get_removed_roles; ++ const apol_string_vector_t *wrap_get_removed_roles() { + return (apol_string_vector_t*)poldiff_role_allow_get_removed_roles(self); + }; + }; +@@ -1006,19 +1091,20 @@ typedef struct poldiff_role_allow {} poldiff_role_allow_t; + /* role_transition rule diff */ + typedef struct poldiff_role_trans {} poldiff_role_trans_t; + %extend poldiff_role_trans_t { +- poldiff_role_trans_t() { ++ poldiff_role_trans() { + BEGIN_EXCEPTION + SWIG_exception(SWIG_RuntimeError, "Cannot directly create poldiff_role_trans_t objects"); + END_EXCEPTION + fail: + return NULL; + } +- ~poldiff_role_trans_t() { ++ ~poldiff_role_trans() { + /* no op */ + return; + }; + %newobject to_string(poldiff_t*); +- char *to_string(poldiff_t *p) { ++ %rename(to_string) wrap_to_string; ++ char *wrap_to_string(poldiff_t *p) { + char *str; + BEGIN_EXCEPTION + str = poldiff_role_trans_to_string(p, self); +@@ -1029,19 +1115,24 @@ typedef struct poldiff_role_trans {} poldiff_role_trans_t; + fail: + return str; + }; +- poldiff_form_e get_form() { ++ %rename(get_form) wrap_get_form; ++ poldiff_form_e wrap_get_form() { + return poldiff_role_trans_get_form(self); + }; +- const char *get_source_role() { ++ %rename(get_source_role) wrap_get_source_role; ++ const char *wrap_get_source_role() { + return poldiff_role_trans_get_source_role(self); + }; +- const char *get_target_type() { ++ %rename(get_target_type) wrap_get_target_type; ++ const char *wrap_get_target_type() { + return poldiff_role_trans_get_target_type(self); + }; +- const char *get_original_default() { ++ %rename(get_original_default) wrap_get_original_default; ++ const char *wrap_get_original_default() { + return poldiff_role_trans_get_original_default(self); + }; +- const char *get_modified_default() { ++ %rename(get_modified_default) wrap_get_modified_default; ++ const char *wrap_get_modified_default() { + return poldiff_role_trans_get_modified_default(self); + }; + }; +@@ -1054,19 +1145,20 @@ typedef struct poldiff_role_trans {} poldiff_role_trans_t; + /* role diff */ + typedef struct poldiff_role {} poldiff_role_t; + %extend poldiff_role_t { +- poldiff_role_t() { ++ poldiff_role() { + BEGIN_EXCEPTION + SWIG_exception(SWIG_RuntimeError, "Cannot directly create poldiff_role_t objects"); + END_EXCEPTION + fail: + return NULL; + } +- ~poldiff_role_t() { ++ ~poldiff_role() { + /* no op */ + return; + }; + %newobject to_string(poldiff_t*); +- char *to_string(poldiff_t *p) { ++ %rename(to_string) wrap_to_string; ++ char *wrap_to_string(poldiff_t *p) { + char *str; + BEGIN_EXCEPTION + str = poldiff_role_to_string(p, self); +@@ -1077,16 +1169,20 @@ typedef struct poldiff_role {} poldiff_role_t; + fail: + return str; + }; +- const char *get_name() { ++ %rename(get_name) wrap_get_name; ++ const char *wrap_get_name() { + return poldiff_role_get_name(self); + }; +- poldiff_form_e get_form() { ++ %rename(get_form) wrap_get_form; ++ poldiff_form_e wrap_get_form() { + return poldiff_role_get_form(self); + }; +- const apol_string_vector_t *get_added_types() { ++ %rename(get_added_types) wrap_get_added_types; ++ const apol_string_vector_t *wrap_get_added_types() { + return (apol_string_vector_t*)poldiff_role_get_added_types(self); + }; +- const apol_string_vector_t *get_removed_types() { ++ %rename(get_removed_types) wrap_get_removed_types; ++ const apol_string_vector_t *wrap_get_removed_types() { + return (apol_string_vector_t*)poldiff_role_get_removed_types(self); + }; + }; +@@ -1099,19 +1195,20 @@ typedef struct poldiff_role {} poldiff_role_t; + /* te rule diff */ + typedef struct poldiff_terule {} poldiff_terule_t; + %extend poldiff_terule_t { +- poldiff_terule_t() { ++ poldiff_terule() { + BEGIN_EXCEPTION + SWIG_exception(SWIG_RuntimeError, "Cannot directly create poldiff_terule_t objects"); + END_EXCEPTION + fail: + return NULL; + } +- ~poldiff_terule_t() { ++ ~poldiff_terule() { + /* no op */ + return; + }; + %newobject to_string(poldiff_t*); +- char *to_string(poldiff_t *p) { ++ %rename(to_string) wrap_to_string; ++ char *wrap_to_string(poldiff_t *p) { + char *str; + BEGIN_EXCEPTION + str = poldiff_terule_to_string(p, self); +@@ -1122,22 +1219,28 @@ typedef struct poldiff_terule {} poldiff_terule_t; + fail: + return str; + }; +- poldiff_form_e get_form() { ++ %rename(get_form) wrap_get_form; ++ poldiff_form_e wrap_get_form() { + return poldiff_terule_get_form(self); + }; +- uint32_t get_rule_type() { ++ %rename(get_rule_type) wrap_get_rule_type; ++ uint32_t wrap_get_rule_type() { + return poldiff_terule_get_rule_type(self); + }; +- const char *get_source_type() { ++ %rename(get_source_type) wrap_get_source_type; ++ const char *wrap_get_source_type() { + return poldiff_terule_get_source_type(self); + }; +- const char *get_target_type() { ++ %rename(get_target_type) wrap_get_target_type; ++ const char *wrap_get_target_type() { + return poldiff_terule_get_target_type(self); + }; +- const char *get_object_class() { ++ %rename(get_object_class) wrap_get_object_class; ++ const char *wrap_get_object_class() { + return poldiff_terule_get_object_class(self); + }; +- const qpol_cond_t *get_cond(poldiff_t *p) { ++ %rename(get_cond) wrap_get_cond; ++ const qpol_cond_t *wrap_get_cond(poldiff_t *p) { + const qpol_cond_t *cond; + uint32_t which_list; + const apol_policy_t *which_pol; +@@ -1158,16 +1261,20 @@ typedef struct poldiff_terule {} poldiff_terule_t; + poldiff_terule_get_cond(p, self, &cond, &which_list, &which_pol); + return which_pol; + }; +- const char *get_original_default() { ++ %rename(get_original_default) wrap_get_original_default; ++ const char *wrap_get_original_default() { + return poldiff_terule_get_original_default(self); + }; +- const char *get_modified_default() { ++ %rename(get_modified_default) wrap_get_modified_default; ++ const char *wrap_get_modified_default() { + return poldiff_terule_get_modified_default(self); + }; +- const apol_vector_t *get_orig_line_numbers() { ++ %rename(get_orig_line_numbers) wrap_get_orig_line_numbers; ++ const apol_vector_t *wrap_get_orig_line_numbers() { + return poldiff_terule_get_orig_line_numbers(self); + }; +- const apol_vector_t *get_mod_line_numbers() { ++ %rename(get_mod_line_numbers) wrap_get_mod_line_numbers; ++ const apol_vector_t *wrap_get_mod_line_numbers() { + return poldiff_terule_get_mod_line_numbers(self); + }; + }; +@@ -1180,19 +1287,20 @@ typedef struct poldiff_terule {} poldiff_terule_t; + /* type diff */ + typedef struct poldiff_type {} poldiff_type_t; + %extend poldiff_type_t { +- poldiff_type_t() { ++ poldiff_type() { + BEGIN_EXCEPTION + SWIG_exception(SWIG_RuntimeError, "Cannot directly create poldiff_type_t objects"); + END_EXCEPTION + fail: + return NULL; + } +- ~poldiff_type_t() { ++ ~poldiff_type() { + /* no op */ + return; + }; + %newobject to_string(poldiff_t*); +- char *to_string(poldiff_t *p) { ++ %rename(to_string) wrap_to_string; ++ char *wrap_to_string(poldiff_t *p) { + char *str; + BEGIN_EXCEPTION + str = poldiff_type_to_string(p, self); +@@ -1203,16 +1311,20 @@ typedef struct poldiff_type {} poldiff_type_t; + fail: + return str; + }; +- const char *get_name() { ++ %rename(get_name) wrap_get_name; ++ const char *wrap_get_name() { + return poldiff_type_get_name(self); + }; +- poldiff_form_e get_form() { ++ %rename(get_form) wrap_get_form; ++ poldiff_form_e wrap_get_form() { + return poldiff_type_get_form(self); + }; +- const apol_string_vector_t *get_added_attribs() { ++ %rename(get_added_attribs) wrap_get_added_attribs; ++ const apol_string_vector_t *wrap_get_added_attribs() { + return (apol_string_vector_t*)poldiff_type_get_added_attribs(self); + }; +- const apol_string_vector_t *get_removed_attribs() { ++ %rename(get_removed_attribs) wrap_get_removed_attribs; ++ const apol_string_vector_t *wrap_get_removed_attribs() { + return (apol_string_vector_t*)poldiff_type_get_removed_attribs(self); + }; + }; +@@ -1225,19 +1337,20 @@ typedef struct poldiff_type {} poldiff_type_t; + /* user diff */ + typedef struct poldiff_user {} poldiff_user_t; + %extend poldiff_user_t { +- poldiff_user_t() { ++ poldiff_user() { + BEGIN_EXCEPTION + SWIG_exception(SWIG_RuntimeError, "Cannot directly create poldiff_user_t objects"); + END_EXCEPTION + fail: + return NULL; + } +- ~poldiff_user_t() { ++ ~poldiff_user() { + /* no op */ + return; + }; + %newobject to_string(poldiff_t*); +- char *to_string(poldiff_t *p) { ++ %rename(to_string) wrap_to_string; ++ char *wrap_to_string(poldiff_t *p) { + char *str; + BEGIN_EXCEPTION + str = poldiff_user_to_string(p, self); +@@ -1248,28 +1361,36 @@ typedef struct poldiff_user {} poldiff_user_t; + fail: + return str; + }; +- const char *get_name() { ++ %rename(get_name) wrap_get_name; ++ const char *wrap_get_name() { + return poldiff_user_get_name(self); + }; +- poldiff_form_e get_form() { ++ %rename(get_form) wrap_get_form; ++ poldiff_form_e wrap_get_form() { + return poldiff_user_get_form(self); + }; +- const apol_string_vector_t *get_unmodified_roles() { ++ %rename(get_unmodified_roles) wrap_get_unmodified_roles; ++ const apol_string_vector_t *wrap_get_unmodified_roles() { + return (apol_string_vector_t*)poldiff_user_get_unmodified_roles(self); + }; +- const apol_string_vector_t *get_added_roles() { ++ %rename(get_added_roles) wrap_get_added_roles; ++ const apol_string_vector_t *wrap_get_added_roles() { + return (apol_string_vector_t*)poldiff_user_get_added_roles(self); + }; +- const apol_string_vector_t *get_removed_roles() { ++ %rename(get_removed_roles) wrap_get_removed_roles; ++ const apol_string_vector_t *wrap_get_removed_roles() { + return (apol_string_vector_t*)poldiff_user_get_removed_roles(self); + }; +- const poldiff_level_t *get_original_dfltlevel() { ++ %rename(get_original_dfltlevel) wrap_get_original_dfltlevel; ++ const poldiff_level_t *wrap_get_original_dfltlevel() { + return poldiff_user_get_original_dfltlevel(self); + }; +- const poldiff_level_t *get_modified_dfltlevel() { ++ %rename(get_modified_dfltlevel) wrap_get_modified_dfltlevel; ++ const poldiff_level_t *wrap_get_modified_dfltlevel() { + return poldiff_user_get_modified_dfltlevel(self); + }; +- const poldiff_range_t *get_range() { ++ %rename(get_range) wrap_get_range; ++ const poldiff_range_t *wrap_get_range() { + return poldiff_user_get_range(self); + }; + }; +@@ -1282,19 +1403,20 @@ typedef struct poldiff_user {} poldiff_user_t; + /* type remap */ + typedef struct poldiff_type_remap_entry {} poldiff_type_remap_entry_t; + %extend poldiff_type_remap_entry_t { +- poldiff_type_remap_entry_t() { ++ poldiff_type_remap_entry() { + BEGIN_EXCEPTION + SWIG_exception(SWIG_RuntimeError, "Cannot directly create poldiff_type_remap_entry_t objects"); + END_EXCEPTION + fail: + return NULL; + } +- ~poldiff_type_remap_entry_t() { ++ ~poldiff_type_remap_entry() { + /* no op */ + return; + }; + %newobject get_original_types(poldiff_t*); +- apol_string_vector_t *get_original_types(poldiff_t *p) { ++ %rename(get_original_types) wrap_get_original_types; ++ apol_string_vector_t *wrap_get_original_types(poldiff_t *p) { + apol_vector_t *v; + BEGIN_EXCEPTION + v = poldiff_type_remap_entry_get_original_types(p, self); +@@ -1306,7 +1428,8 @@ typedef struct poldiff_type_remap_entry {} poldiff_type_remap_entry_t; + return (apol_string_vector_t*)v; + }; + %newobject get_modified_types(poldiff_t*); +- apol_string_vector_t *get_modified_types(poldiff_t *p) { ++ %rename(get_modified_types) wrap_get_modified_types; ++ apol_string_vector_t *wrap_get_modified_types(poldiff_t *p) { + apol_vector_t *v; + BEGIN_EXCEPTION + v = poldiff_type_remap_entry_get_modified_types(p, self); +@@ -1317,13 +1440,16 @@ typedef struct poldiff_type_remap_entry {} poldiff_type_remap_entry_t; + fail: + return (apol_string_vector_t*)v; + }; +- int get_is_inferred() { ++ %rename(get_is_inferred) wrap_get_is_inferred; ++ int wrap_get_is_inferred() { + return poldiff_type_remap_entry_get_is_inferred(self); + }; +- int get_is_enabled() { ++ %rename(get_is_enabled) wrap_get_is_enabled; ++ int wrap_get_is_enabled() { + return poldiff_type_remap_entry_get_is_enabled(self); + }; +- void set_enabled(int enable) { ++ %rename(set_enabled) wrap_set_enabled; ++ void wrap_set_enabled(int enable) { + poldiff_type_remap_entry_set_enabled(self, enable); + }; + }; +diff --git a/libqpol/include/qpol/Makefile.am b/libqpol/include/qpol/Makefile.am +index 9b570e1..cfd4b12 100644 +--- a/libqpol/include/qpol/Makefile.am ++++ b/libqpol/include/qpol/Makefile.am +@@ -7,6 +7,7 @@ qpol_HEADERS = \ + cond_query.h \ + constraint_query.h \ + context_query.h \ ++ default_object_query.h \ + fs_use_query.h \ + genfscon_query.h \ + isid_query.h \ +@@ -17,6 +18,7 @@ qpol_HEADERS = \ + netifcon_query.h \ + nodecon_query.h \ + permissive_query.h \ ++ bounds_query.h \ + polcap_query.h \ + policy.h \ + policy_extend.h \ +diff --git a/libqpol/include/qpol/bounds_query.h b/libqpol/include/qpol/bounds_query.h +new file mode 100644 +index 0000000..da5e525 +--- /dev/null ++++ b/libqpol/include/qpol/bounds_query.h +@@ -0,0 +1,162 @@ ++/** ++ * @file ++ * Defines the public interface for searching and iterating over the permissive types. ++ * ++ * @author Richard Haines richard_c_haines@btinternet.com ++ * ++ * Copyright (C) 2006-2009 Tresys Technology, LLC ++ * ++ * This library is free software; you can redistribute it and/or ++ * modify it under the terms of the GNU Lesser General Public ++ * License as published by the Free Software Foundation; either ++ * version 2.1 of the License, or (at your option) any later version. ++ * ++ * This library is distributed in the hope that it will be useful, ++ * but WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ * Lesser General Public License for more details. ++ * ++ * You should have received a copy of the GNU Lesser General Public ++ * License along with this library; if not, write to the Free Software ++ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA ++ */ ++ ++#ifndef QPOL_BOUNDS_QUERY_H ++#define QPOL_BOUNDS_QUERY_H ++ ++#ifdef __cplusplus ++extern "C" ++{ ++#endif ++ ++#include ++#include ++#include ++#include ++ ++ ++ /************ TYPEBOUNDS *************/ ++ typedef struct qpol_typebounds qpol_typebounds_t; ++ ++/** ++ * Get an iterator for the typebounds types in a policy. ++ * @param policy The policy from which to create the iterator. ++ * @param iter Iterator over items of type qpol_isid_t returned. ++ * The caller is responsible for calling qpol_iterator_destroy ++ * to free memory used by this iterator. ++ * It is important to note that this iterator is only valid as long ++ * as the policy is unmodified. ++ * @return 0 on success and < 0 on failure; if the call fails, ++ * errno will be set and *iter will be NULL. ++ */ ++ extern int qpol_policy_get_typebounds_iter(const qpol_policy_t *policy, qpol_iterator_t **iter); ++ ++ ++/** ++ * Get the name which identifies a typebounds type from its datum. ++ * @param policy The policy with which the type bounds type is associated. ++ * @param datum typebounds datum for which to get the name. Must be non-NULL. ++ * @param name Pointer to the string in which to store the name. ++ * Must be non-NULL. The caller should not free the string. ++ * @return Returns 0 on success and < 0 on failure; if the call fails, ++ * errno will be set and *name will be NULL. ++ */ ++ extern int qpol_typebounds_get_parent_name(const qpol_policy_t *policy, const qpol_typebounds_t *datum, const char **name); ++ ++/** ++ * Get the name which identifies a typebounds type from its datum. ++ * @param policy The policy with which the type bounds type is associated. ++ * @param datum typebounds datum for which to get the name. Must be non-NULL. ++ * @param name Pointer to the string in which to store the name. ++ * Must be non-NULL. The caller should not free the string. ++ * @return Returns 0 on success and < 0 on failure; if the call fails, ++ * errno will be set and *name will be NULL. ++ */ ++ extern int qpol_typebounds_get_child_name(const qpol_policy_t *policy, const qpol_typebounds_t *datum, const char **name); ++ ++ /************ ROLEBOUNDS *************/ ++ typedef struct qpol_rolebounds qpol_rolebounds_t; ++ ++/** ++ * Get an iterator for the rolebounds types in a policy. ++ * @param policy The policy from which to create the iterator. ++ * @param iter Iterator over items of type qpol_isid_t returned. ++ * The caller is responsible for calling qpol_iterator_destroy ++ * to free memory used by this iterator. ++ * It is important to note that this iterator is only valid as long ++ * as the policy is unmodified. ++ * @return 0 on success and < 0 on failure; if the call fails, ++ * errno will be set and *iter will be NULL. ++ */ ++ extern int qpol_policy_get_rolebounds_iter(const qpol_policy_t *policy, qpol_iterator_t **iter); ++ ++ ++/** ++ * Get the name which identifies a rolebounds type from its datum. ++ * @param policy The policy with which the type bounds type is associated. ++ * @param datum rolebounds datum for which to get the name. Must be non-NULL. ++ * @param name Pointer to the string in which to store the name. ++ * Must be non-NULL. The caller should not free the string. ++ * @return Returns 0 on success and < 0 on failure; if the call fails, ++ * errno will be set and *name will be NULL. ++ */ ++ extern int qpol_rolebounds_get_parent_name(const qpol_policy_t *policy, const qpol_rolebounds_t *datum, const char **name); ++ ++/** ++ * Get the name which identifies a rolebounds type from its datum. ++ * @param policy The policy with which the type bounds type is associated. ++ * @param datum rolebounds datum for which to get the name. Must be non-NULL. ++ * @param name Pointer to the string in which to store the name. ++ * Must be non-NULL. The caller should not free the string. ++ * @return Returns 0 on success and < 0 on failure; if the call fails, ++ * errno will be set and *name will be NULL. ++ */ ++ extern int qpol_rolebounds_get_child_name(const qpol_policy_t *policy, const qpol_rolebounds_t *datum, const char **name); ++ ++ /************ USERBOUNDS *************/ ++ typedef struct qpol_userbounds qpol_userbounds_t; ++ ++/** ++ * Get an iterator for the userbounds types in a policy. ++ * @param policy The policy from which to create the iterator. ++ * @param iter Iterator over items of type qpol_isid_t returned. ++ * The caller is responsible for calling qpol_iterator_destroy ++ * to free memory used by this iterator. ++ * It is important to note that this iterator is only valid as long ++ * as the policy is unmodified. ++ * @return 0 on success and < 0 on failure; if the call fails, ++ * errno will be set and *iter will be NULL. ++ */ ++ extern int qpol_policy_get_userbounds_iter(const qpol_policy_t *policy, qpol_iterator_t **iter); ++ ++ ++/** ++ * Get the name which identifies a userbounds type from its datum. ++ * @param policy The policy with which the type bounds type is associated. ++ * @param datum userbounds datum for which to get the name. Must be non-NULL. ++ * @param name Pointer to the string in which to store the name. ++ * Must be non-NULL. The caller should not free the string. ++ * @return Returns 0 on success and < 0 on failure; if the call fails, ++ * errno will be set and *name will be NULL. ++ */ ++ extern int qpol_userbounds_get_parent_name(const qpol_policy_t *policy, const qpol_userbounds_t *datum, const char **name); ++ ++/** ++ * Get the name which identifies a userbounds type from its datum. ++ * @param policy The policy with which the type bounds type is associated. ++ * @param datum userbounds datum for which to get the name. Must be non-NULL. ++ * @param name Pointer to the string in which to store the name. ++ * Must be non-NULL. The caller should not free the string. ++ * @return Returns 0 on success and < 0 on failure; if the call fails, ++ * errno will be set and *name will be NULL. ++ */ ++ extern int qpol_userbounds_get_child_name(const qpol_policy_t *policy, const qpol_userbounds_t *datum, const char **name); ++ ++ ++ ++ ++#ifdef __cplusplus ++} ++#endif ++ ++#endif /* QPOL_BOUNDS_QUERY_H */ +diff --git a/libqpol/include/qpol/default_object_query.h b/libqpol/include/qpol/default_object_query.h +new file mode 100644 +index 0000000..e077287 +--- /dev/null ++++ b/libqpol/include/qpol/default_object_query.h +@@ -0,0 +1,113 @@ ++/** ++ * @file ++ * Defines the public interface for searching and iterating over default objects. ++ * ++ * @author Richard Haines richard_c_haines@btinternet.com ++ * ++ * Copyright (C) 2006-2009 Tresys Technology, LLC ++ * ++ * This library is free software; you can redistribute it and/or ++ * modify it under the terms of the GNU Lesser General Public ++ * License as published by the Free Software Foundation; either ++ * version 2.1 of the License, or (at your option) any later version. ++ * ++ * This library is distributed in the hope that it will be useful, ++ * but WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ * Lesser General Public License for more details. ++ * ++ * You should have received a copy of the GNU Lesser General Public ++ * License along with this library; if not, write to the Free Software ++ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA ++ */ ++ ++#ifndef QPOL_DEFAULT_OBJECT_QUERY_H ++#define QPOL_DEFAULT_OBJECT_QUERY_H ++ ++#ifdef __cplusplus ++extern "C" ++{ ++#endif ++ ++#include ++#include ++#include ++#include ++ ++ ++ typedef struct qpol_default_object qpol_default_object_t; ++ ++/** ++ * Get an iterator for the default_object types in a policy. ++ * @param policy The policy from which to create the iterator. ++ * @param iter Iterator over items of type qpol_isid_t returned. ++ * The caller is responsible for calling qpol_iterator_destroy ++ * to free memory used by this iterator. ++ * It is important to note that this iterator is only valid as long ++ * as the policy is unmodified. ++ * @return 0 on success and < 0 on failure; if the call fails, ++ * errno will be set and *iter will be NULL. ++ */ ++ extern int qpol_policy_get_default_object_iter(const qpol_policy_t *policy, qpol_iterator_t **iter); ++ ++/** ++ * Get the name which identifies a default_object class from its datum. ++ * @param policy The policy with which class is associated. ++ * @param datum default_object datum for which to get the name. Must be non-NULL. ++ * @param name Pointer to the string in which to store the name. ++ * Must be non-NULL. The caller should not free the string. ++ * @return Returns 0 on success and < 0 on failure; if the call fails, ++ * errno will be set and *name will be NULL. ++ */ ++ extern int qpol_default_object_get_class(const qpol_policy_t *policy, const qpol_default_object_t *datum, const char **name); ++ ++/** ++ * Get the value of a default user source/dest from its datum. ++ * @param policy The policy with which the default object is associated. ++ * @param datum default_object datum for which to get the value. Must be non-NULL. ++ * @param default Pointer to the value in which to store the default. ++ * Must be non-NULL. The caller should not free the string. ++ * @return Returns 0 on success and < 0 on failure; if the call fails, ++ * errno will be set and *default will be 0. ++ */ ++ extern int qpol_default_object_get_user_default(const qpol_policy_t *policy, const qpol_default_object_t *datum, const char **value); ++ ++/** ++ * Get the value of a default role source/dest from its datum. ++ * @param policy The policy with which the default object type is associated. ++ * @param datum default_object datum for which to get the value. Must be non-NULL. ++ * @param default Pointer to the value in which to store the default. ++ * Must be non-NULL. The caller should not free the string. ++ * @return Returns 0 on success and < 0 on failure; if the call fails, ++ * errno will be set and *default will be 0. ++ */ ++ extern int qpol_default_object_get_role_default(const qpol_policy_t *policy, const qpol_default_object_t *datum, const char **value); ++ ++/** ++ * Get the value of a default type source/dest from its datum. ++ * @param policy The policy with which the default object type is associated. ++ * @param datum default_object datum for which to get the value. Must be non-NULL. ++ * @param default Pointer to the value in which to store the default. ++ * Must be non-NULL. The caller should not free the string. ++ * @return Returns 0 on success and < 0 on failure; if the call fails, ++ * errno will be set and *default will be 0. ++ */ ++ extern int qpol_default_object_get_type_default(const qpol_policy_t *policy, const qpol_default_object_t *datum, const char **value); ++ ++/** ++ * Get the value of a default range source/dest from its datum. ++ * @param policy The policy with which the default object type is associated. ++ * @param datum default_object datum for which to get the value. Must be non-NULL. ++ * @param default Pointer to the value in which to store the default. ++ * Must be non-NULL. The caller should not free the string. ++ * @return Returns 0 on success and < 0 on failure; if the call fails, ++ * errno will be set and *default will be 0. ++ */ ++ extern int qpol_default_object_get_range_default(const qpol_policy_t *policy, const qpol_default_object_t *datum, const char **value); ++ ++ ++#ifdef __cplusplus ++} ++#endif ++ ++#endif +diff --git a/libqpol/include/qpol/policy.h b/libqpol/include/qpol/policy.h +index bf85718..4e01cdb 100644 +--- a/libqpol/include/qpol/policy.h ++++ b/libqpol/include/qpol/policy.h +@@ -52,6 +52,8 @@ extern "C" + #include + #include + #include ++#include ++#include + #include + #include + #include +@@ -117,7 +119,18 @@ extern "C" + /** The policy source may be displayed. */ + QPOL_CAP_SOURCE, + /** The policy supports and was loaded with neverallow rules. */ +- QPOL_CAP_NEVERALLOW ++ QPOL_CAP_NEVERALLOW, ++ /** The policy supports bounds rules. */ ++ QPOL_CAP_BOUNDS, ++ /** The policy supports default object rules. */ ++ QPOL_CAP_DEFAULT_OBJECTS, ++ QPOL_CAP_DEFAULT_TYPE, ++ /** The policy supports permissive types. */ ++ QPOL_CAP_PERMISSIVE, ++ /** The policy supports filename type_transition rules. */ ++ QPOL_CAP_FILENAME_TRANS, ++ /** The policy supports role transition rules. */ ++ QPOL_CAP_ROLETRANS + } qpol_capability_e; + + /** +@@ -255,6 +268,15 @@ extern "C" + */ + extern int qpol_policy_has_capability(const qpol_policy_t * policy, qpol_capability_e cap); + ++/** ++ * Get the handle_unknown classes/perms flag for the policy. ++ * @param policy The policy for which to get the version. ++ * @param handle_unknown Pointer to the integer to set to the version number. ++ * @return Returns 0 on success and < 0 on failure; if the call fails, ++ * errno will be set and *handle_unknown will be 0. ++ */ ++ extern int qpol_policy_get_policy_handle_unknown(const qpol_policy_t * policy, unsigned int *handle_unknown); ++ + #ifdef __cplusplus + } + #endif +diff --git a/libqpol/include/qpol/rbacrule_query.h b/libqpol/include/qpol/rbacrule_query.h +index 342e597..cb26600 100644 +--- a/libqpol/include/qpol/rbacrule_query.h ++++ b/libqpol/include/qpol/rbacrule_query.h +@@ -112,6 +112,17 @@ extern "C" + const qpol_type_t ** target); + + /** ++ * Get the object class from a role transition rule. ++ * @param rule The rule from which to get the object class. ++ * @param obj_class Pointer in which to store the object class. ++ * The caller should not free this pointer. ++ * @return 0 on success and < 0 on failure; if the call fails, ++ * errno will be set and *target will be NULL. ++ */ ++ extern int qpol_role_trans_get_object_class(const qpol_policy_t * policy, const qpol_role_trans_t * rule, ++ const qpol_class_t ** obj_class); ++ ++/** + * Get the default role from a role transition rule. + * @param policy The policy from which the rule comes. + * @param rule The rule from which to get the default role. +diff --git a/libqpol/src/Makefile.am b/libqpol/src/Makefile.am +index 0889a61..77213f4 100644 +--- a/libqpol/src/Makefile.am ++++ b/libqpol/src/Makefile.am +@@ -21,6 +21,7 @@ libqpol_a_SOURCES = \ + cond_query.c \ + constraint_query.c \ + context_query.c \ ++ default_object_query.c \ + expand.c \ + expand.h \ + fs_use_query.c \ +@@ -35,6 +36,7 @@ libqpol_a_SOURCES = \ + netifcon_query.c \ + nodecon_query.c \ + permissive_query.c \ ++ bounds_query.c \ + polcap_query.c \ + policy.c \ + policy_define.c policy_define.h \ +diff --git a/libqpol/src/bounds_query.c b/libqpol/src/bounds_query.c +new file mode 100644 +index 0000000..c3eb020 +--- /dev/null ++++ b/libqpol/src/bounds_query.c +@@ -0,0 +1,332 @@ ++/** ++* @file ++* Defines the public interface for searching and iterating over the permissive types. ++* ++* @author Richard Haines richard_c_haines@btinternet.com ++* ++* Copyright (C) 2006-2007 Tresys Technology, LLC ++* ++* This library is free software; you can redistribute it and/or ++* modify it under the terms of the GNU Lesser General Public ++* License as published by the Free Software Foundation; either ++* version 2.1 of the License, or (at your option) any later version. ++* ++* This library is distributed in the hope that it will be useful, ++* but WITHOUT ANY WARRANTY; without even the implied warranty of ++* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++* Lesser General Public License for more details. ++* ++* You should have received a copy of the GNU Lesser General Public ++* License along with this library; if not, write to the Free Software ++* Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA ++*/ ++ ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include "qpol_internal.h" ++#include "iterator_internal.h" ++ ++ /************ TYPEBOUNDS *************/ ++int qpol_typebounds_get_parent_name(const qpol_policy_t *policy, const qpol_typebounds_t * datum, const char **name) ++{ ++ type_datum_t *internal_datum = NULL; ++ policydb_t *db = NULL; ++ ++ if (policy == NULL || datum == NULL || name == NULL) { ++ if (name != NULL) ++ *name = NULL; ++ ERR(policy, "%s", strerror(EINVAL)); ++ errno = EINVAL; ++ return STATUS_ERR; ++ } ++ *name = NULL; ++ ++ /* The bounds rules started in ver 24 */ ++ if (!qpol_policy_has_capability(policy, QPOL_CAP_BOUNDS)) ++ return STATUS_SUCCESS; ++ ++ db = &policy->p->p; ++ internal_datum = (type_datum_t *)datum; ++ ++ /* This will be zero if not a typebounds statement */ ++ if (internal_datum->flavor == TYPE_TYPE && internal_datum->bounds != 0) { ++ *name = db->p_type_val_to_name[internal_datum->bounds - 1]; ++ } ++ return STATUS_SUCCESS; ++} ++ ++int qpol_typebounds_get_child_name(const qpol_policy_t *policy, const qpol_typebounds_t * datum, const char **name) ++{ ++ type_datum_t *internal_datum = NULL; ++ policydb_t *db = NULL; ++ ++ if (policy == NULL || datum == NULL || name == NULL) { ++ if (name != NULL) ++ *name = NULL; ++ ERR(policy, "%s", strerror(EINVAL)); ++ errno = EINVAL; ++ return STATUS_ERR; ++ } ++ *name = NULL; ++ ++ /* The bounds rules started in ver 24 */ ++ if (!qpol_policy_has_capability(policy, QPOL_CAP_BOUNDS)) ++ return STATUS_SUCCESS; ++ ++ db = &policy->p->p; ++ internal_datum = (type_datum_t *)datum; ++ ++ if (internal_datum->flavor == TYPE_TYPE && internal_datum->bounds != 0) { ++ *name = db->p_type_val_to_name[internal_datum->s.value - 1]; ++ } ++ return STATUS_SUCCESS; ++} ++ ++/* As type bounds are in types use these, however will need to calc number of bounds manually in top.tcl*/ ++int qpol_policy_get_typebounds_iter(const qpol_policy_t *policy, qpol_iterator_t **iter) ++{ ++ policydb_t *db; ++ int error = 0; ++ hash_state_t *hs = NULL; ++ ++ if (policy == NULL || iter == NULL) { ++ if (iter != NULL) ++ *iter = NULL; ++ ERR(policy, "%s", strerror(EINVAL)); ++ errno = EINVAL; ++ return STATUS_ERR; ++ } ++ ++ db = &policy->p->p; ++/* ++ struct type_datum *type; ++ size_t i; ++ int count = 0; ++ ++ for (i = 0; i < db->p_types.nprim - 1; i++) { ++ type = db->type_val_to_struct[i]; ++ if (type->flavor == TYPE_TYPE && type->bounds != 0) { ++ printf("PARENT DOMAIN: %s\n", db->p_type_val_to_name[type->bounds - 1]); ++ printf("CHILD NAME: %s\n", db->p_type_val_to_name[type->s.value - 1]); ++ count++; ++ } ++ } ++ printf("Type Bounds count: %d\n", count); ++*/ ++ hs = calloc(1, sizeof(hash_state_t)); ++ if (hs == NULL) { ++ error = errno; ++ ERR(policy, "%s", strerror(ENOMEM)); ++ errno = error; ++ return STATUS_ERR; ++ } ++ hs->table = &db->p_types.table; ++ hs->node = (*(hs->table))->htable[0]; ++ ++ if (qpol_iterator_create(policy, (void *)hs, hash_state_get_cur, ++ hash_state_next, hash_state_end, hash_state_size, free, iter)) { ++ free(hs); ++ return STATUS_ERR; ++ } ++ ++ if (hs->node == NULL) ++ hash_state_next(*iter); ++ ++ return STATUS_SUCCESS; ++} ++ ++ /************ ROLEBOUNDS *************/ ++int qpol_rolebounds_get_parent_name(const qpol_policy_t *policy, const qpol_rolebounds_t * datum, const char **name) ++{ ++ role_datum_t *internal_datum = NULL; ++ policydb_t *db = NULL; ++ ++ if (policy == NULL || datum == NULL || name == NULL) { ++ if (name != NULL) ++ *name = NULL; ++ ERR(policy, "%s", strerror(EINVAL)); ++ errno = EINVAL; ++ return STATUS_ERR; ++ } ++ *name = NULL; ++ ++ /* The bounds rules started in ver 24 */ ++ if (!qpol_policy_has_capability(policy, QPOL_CAP_BOUNDS)) ++ return STATUS_SUCCESS; ++ ++ db = &policy->p->p; ++ internal_datum = (role_datum_t *)datum; ++ ++ /* This will be zero if not a rolebounds statement */ ++ if (internal_datum->flavor == ROLE_ROLE && internal_datum->bounds != 0) { ++ *name = db->p_role_val_to_name[internal_datum->bounds - 1]; ++ } ++ return STATUS_SUCCESS; ++} ++ ++int qpol_rolebounds_get_child_name(const qpol_policy_t *policy, const qpol_rolebounds_t * datum, const char **name) ++{ ++ role_datum_t *internal_datum = NULL; ++ policydb_t *db = NULL; ++ ++ if (policy == NULL || datum == NULL || name == NULL) { ++ if (name != NULL) ++ *name = NULL; ++ ERR(policy, "%s", strerror(EINVAL)); ++ errno = EINVAL; ++ return STATUS_ERR; ++ } ++ *name = NULL; ++ ++ /* The bounds rules started in ver 24 */ ++ if (!qpol_policy_has_capability(policy, QPOL_CAP_BOUNDS)) ++ return STATUS_SUCCESS; ++ ++ db = &policy->p->p; ++ internal_datum = (role_datum_t *)datum; ++ ++ if (internal_datum->flavor == ROLE_ROLE && internal_datum->bounds != 0) { ++ *name = db->p_role_val_to_name[internal_datum->s.value - 1]; ++ } ++ return STATUS_SUCCESS; ++} ++ ++/* As rolebounds are in roles use these, however will need to calc number of bounds manually in top.tcl*/ ++int qpol_policy_get_rolebounds_iter(const qpol_policy_t *policy, qpol_iterator_t **iter) ++{ ++ policydb_t *db; ++ int error = 0; ++ hash_state_t *hs = NULL; ++ ++ if (policy == NULL || iter == NULL) { ++ if (iter != NULL) ++ *iter = NULL; ++ ERR(policy, "%s", strerror(EINVAL)); ++ errno = EINVAL; ++ return STATUS_ERR; ++ } ++ ++ db = &policy->p->p; ++ ++ hs = calloc(1, sizeof(hash_state_t)); ++ if (hs == NULL) { ++ error = errno; ++ ERR(policy, "%s", strerror(ENOMEM)); ++ errno = error; ++ return STATUS_ERR; ++ } ++ hs->table = &db->p_roles.table; ++ hs->node = (*(hs->table))->htable[0]; ++ ++ if (qpol_iterator_create(policy, (void *)hs, hash_state_get_cur, ++ hash_state_next, hash_state_end, hash_state_size, free, iter)) { ++ free(hs); ++ return STATUS_ERR; ++ } ++ ++ if (hs->node == NULL) ++ hash_state_next(*iter); ++ ++ return STATUS_SUCCESS; ++} ++ ++ /************ USERBOUNDS *************/ ++int qpol_userbounds_get_parent_name(const qpol_policy_t *policy, const qpol_userbounds_t * datum, const char **name) ++{ ++ user_datum_t *internal_datum = NULL; ++ policydb_t *db = NULL; ++ ++ if (policy == NULL || datum == NULL || name == NULL) { ++ if (name != NULL) ++ *name = NULL; ++ ERR(policy, "%s", strerror(EINVAL)); ++ errno = EINVAL; ++ return STATUS_ERR; ++ } ++ *name = NULL; ++ ++ /* The bounds rules started in ver 24 */ ++ if (!qpol_policy_has_capability(policy, QPOL_CAP_BOUNDS)) ++ return STATUS_SUCCESS; ++ ++ db = &policy->p->p; ++ internal_datum = (user_datum_t *)datum; ++ ++ /* This will be zero if not a userbounds statement */ ++ if (internal_datum->bounds != 0) { ++ *name = db->p_user_val_to_name[internal_datum->bounds - 1]; ++ } ++ return STATUS_SUCCESS; ++} ++ ++int qpol_userbounds_get_child_name(const qpol_policy_t *policy, const qpol_userbounds_t * datum, const char **name) ++{ ++ user_datum_t *internal_datum = NULL; ++ policydb_t *db = NULL; ++ ++ if (policy == NULL || datum == NULL || name == NULL) { ++ if (name != NULL) ++ *name = NULL; ++ ERR(policy, "%s", strerror(EINVAL)); ++ errno = EINVAL; ++ return STATUS_ERR; ++ } ++ *name = NULL; ++ ++ /* The bounds rules started in ver 24 */ ++ if (!qpol_policy_has_capability(policy, QPOL_CAP_BOUNDS)) ++ return STATUS_SUCCESS; ++ ++ db = &policy->p->p; ++ internal_datum = (user_datum_t *)datum; ++ ++ if (internal_datum->bounds != 0) { ++ *name = db->p_user_val_to_name[internal_datum->s.value - 1]; ++ } ++ return STATUS_SUCCESS; ++} ++ ++/* As userbounds are in users use these, however will need to calc number of bounds manually in top.tcl*/ ++int qpol_policy_get_userbounds_iter(const qpol_policy_t *policy, qpol_iterator_t **iter) ++{ ++ policydb_t *db; ++ int error = 0; ++ hash_state_t *hs = NULL; ++ ++ if (policy == NULL || iter == NULL) { ++ if (iter != NULL) ++ *iter = NULL; ++ ERR(policy, "%s", strerror(EINVAL)); ++ errno = EINVAL; ++ return STATUS_ERR; ++ } ++ ++ db = &policy->p->p; ++ ++ hs = calloc(1, sizeof(hash_state_t)); ++ if (hs == NULL) { ++ error = errno; ++ ERR(policy, "%s", strerror(ENOMEM)); ++ errno = error; ++ return STATUS_ERR; ++ } ++ hs->table = &db->p_users.table; ++ hs->node = (*(hs->table))->htable[0]; ++ ++ if (qpol_iterator_create(policy, (void *)hs, hash_state_get_cur, ++ hash_state_next, hash_state_end, hash_state_size, free, iter)) { ++ free(hs); ++ return STATUS_ERR; ++ } ++ ++ if (hs->node == NULL) ++ hash_state_next(*iter); ++ ++ return STATUS_SUCCESS; ++} ++ +diff --git a/libqpol/src/constraint_query.c b/libqpol/src/constraint_query.c +index 1545ad7..28111b7 100644 +--- a/libqpol/src/constraint_query.c ++++ b/libqpol/src/constraint_query.c +@@ -778,9 +778,16 @@ int qpol_constraint_expr_node_get_names_iter(const qpol_policy_t * policy, const + errno = ENOMEM; + return STATUS_ERR; + } ++ ++ int policy_version; ++ if (qpol_policy_get_policy_version(policy, &policy_version)) ++ return STATUS_ERR; ++ + if (internal_expr->attr & QPOL_CEXPR_SYM_TYPE) { +- if (policy_type == QPOL_POLICY_KERNEL_BINARY) { ++ if (policy_type == QPOL_POLICY_KERNEL_BINARY && policy_version <= 28) { + cns->inc = &(internal_expr->names); ++ } else if (policy_type == QPOL_POLICY_KERNEL_BINARY && policy_version > 28) { ++ cns->inc = &(internal_expr->type_names->types); + } else { + cns->inc = &(internal_expr->type_names->types); + cns->sub = &(internal_expr->type_names->negset); +diff --git a/libqpol/src/default_object_query.c b/libqpol/src/default_object_query.c +new file mode 100644 +index 0000000..4143674 +--- /dev/null ++++ b/libqpol/src/default_object_query.c +@@ -0,0 +1,281 @@ ++/** ++* @file ++* Defines the public interface for searching and iterating over default objects. ++* ++* @author Richard Haines richard_c_haines@btinternet.com ++* ++* Copyright (C) 2006-2007 Tresys Technology, LLC ++* ++* This library is free software; you can redistribute it and/or ++* modify it under the terms of the GNU Lesser General Public ++* License as published by the Free Software Foundation; either ++* version 2.1 of the License, or (at your option) any later version. ++* ++* This library is distributed in the hope that it will be useful, ++* but WITHOUT ANY WARRANTY; without even the implied warranty of ++* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++* Lesser General Public License for more details. ++* ++* You should have received a copy of the GNU Lesser General Public ++* License along with this library; if not, write to the Free Software ++* Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA ++*/ ++ ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include "qpol_internal.h" ++#include "iterator_internal.h" ++ ++int qpol_default_object_get_class(const qpol_policy_t *policy, const qpol_default_object_t * datum, const char **name) ++{ ++ class_datum_t *internal_datum = NULL; ++ policydb_t *db = NULL; ++ ++ if (policy == NULL || datum == NULL || name == NULL) { ++ if (name != NULL) ++ *name = NULL; ++ ERR(policy, "%s", strerror(EINVAL)); ++ errno = EINVAL; ++ return STATUS_ERR; ++ } ++ *name = NULL; ++ ++ db = &policy->p->p; ++ internal_datum = (class_datum_t *)datum; ++ ++ /* These will be zero if no default_objects set */ ++ if (internal_datum->default_user || internal_datum->default_role || ++ internal_datum->default_type || ++ internal_datum->default_range) { ++ *name = db->p_class_val_to_name[internal_datum->s.value - 1]; ++ } ++ return STATUS_SUCCESS; ++} ++ ++int qpol_default_object_get_user_default(const qpol_policy_t *policy, const qpol_default_object_t * datum, const char **value) ++{ ++ class_datum_t *internal_datum = NULL; ++ policydb_t *db = NULL; ++ ++ if (policy == NULL || datum == NULL || value == NULL) { ++ if (value != NULL) ++ *value = NULL; ++ ERR(policy, "%s", strerror(EINVAL)); ++ errno = EINVAL; ++ return STATUS_ERR; ++ } ++ *value = NULL; ++ ++ /* The user default started in ver 27 */ ++ if (!qpol_policy_has_capability(policy, QPOL_CAP_DEFAULT_OBJECTS)) ++ return STATUS_SUCCESS; ++ ++ db = &policy->p->p; ++ internal_datum = (class_datum_t *)datum; ++ ++ if (internal_datum->default_user == DEFAULT_SOURCE) { ++ *value = "source"; ++ } else if (internal_datum->default_user == DEFAULT_TARGET) { ++ *value = "target"; ++ } ++ return STATUS_SUCCESS; ++} ++ ++int qpol_default_object_get_role_default(const qpol_policy_t *policy, const qpol_default_object_t * datum, const char **value) ++{ ++ class_datum_t *internal_datum = NULL; ++ policydb_t *db = NULL; ++ ++ if (policy == NULL || datum == NULL || value == NULL) { ++ if (value != NULL) ++ *value = NULL; ++ ERR(policy, "%s", strerror(EINVAL)); ++ errno = EINVAL; ++ return STATUS_ERR; ++ } ++ *value = NULL; ++ ++ /* The role default started in ver 27 */ ++ if (!qpol_policy_has_capability(policy, QPOL_CAP_DEFAULT_OBJECTS)) ++ return STATUS_SUCCESS; ++ ++ db = &policy->p->p; ++ internal_datum = (class_datum_t *)datum; ++ ++ if (internal_datum->default_role == DEFAULT_SOURCE) { ++ *value = "source"; ++ } else if (internal_datum->default_role == DEFAULT_TARGET) { ++ *value = "target"; ++ } ++ return STATUS_SUCCESS; ++} ++ ++int qpol_default_object_get_type_default(const qpol_policy_t *policy, const qpol_default_object_t * datum, const char **value) ++{ ++ class_datum_t *internal_datum = NULL; ++ policydb_t *db = NULL; ++ ++ if (policy == NULL || datum == NULL || value == NULL) { ++ if (value != NULL) ++ *value = NULL; ++ ERR(policy, "%s", strerror(EINVAL)); ++ errno = EINVAL; ++ return STATUS_ERR; ++ } ++ *value = NULL; ++ ++ /* The type default started in ver 28 */ ++ if (!qpol_policy_has_capability(policy, QPOL_CAP_DEFAULT_TYPE)) ++ return STATUS_SUCCESS; ++ ++ db = &policy->p->p; ++ internal_datum = (class_datum_t *)datum; ++ ++ if (internal_datum->default_type == DEFAULT_SOURCE) { ++ *value = "source"; ++ } else if (internal_datum->default_type == DEFAULT_TARGET) { ++ *value = "target"; ++ } ++ return STATUS_SUCCESS; ++} ++ ++int qpol_default_object_get_range_default(const qpol_policy_t *policy, const qpol_default_object_t * datum, const char **value) ++{ ++ class_datum_t *internal_datum = NULL; ++ policydb_t *db = NULL; ++ ++ if (policy == NULL || datum == NULL || value == NULL) { ++ if (value != NULL) ++ *value = NULL; ++ ERR(policy, "%s", strerror(EINVAL)); ++ errno = EINVAL; ++ return STATUS_ERR; ++ } ++ *value = NULL; ++ ++ /* The range default started in ver 27 */ ++ int policy_version; ++ if (!qpol_policy_has_capability(policy, QPOL_CAP_DEFAULT_OBJECTS)) ++ return STATUS_SUCCESS; ++ ++ db = &policy->p->p; ++ internal_datum = (class_datum_t *)datum; ++ ++ switch (internal_datum->default_range) { ++ case DEFAULT_SOURCE_LOW: ++ *value = "source low"; ++ break; ++ case DEFAULT_SOURCE_HIGH: ++ *value = "source high"; ++ break; ++ case DEFAULT_SOURCE_LOW_HIGH: ++ *value = "source low_high"; ++ break; ++ case DEFAULT_TARGET_LOW: ++ *value = "target low"; ++ break; ++ case DEFAULT_TARGET_HIGH: ++ *value = "target high"; ++ break; ++ case DEFAULT_TARGET_LOW_HIGH: ++ *value = "target low_high"; ++ break; ++ default: ++ break; ++ } ++ return STATUS_SUCCESS; ++} ++ ++/* As default objects are in classes use these, however will need to calc number of default objects manually in top.tcl*/ ++int qpol_policy_get_default_object_iter(const qpol_policy_t *policy, qpol_iterator_t **iter) ++{ ++ policydb_t *db; ++ int error = 0; ++ hash_state_t *hs = NULL; ++ ++ if (policy == NULL || iter == NULL) { ++ if (iter != NULL) ++ *iter = NULL; ++ ERR(policy, "%s", strerror(EINVAL)); ++ errno = EINVAL; ++ return STATUS_ERR; ++ } ++ ++ db = &policy->p->p; ++/* ++ class_datum_t *cladatum; ++ sepol_security_class_t tclass; ++ char *class; ++ ++ for (tclass = 1; tclass <= db->p_classes.nprim; tclass++) { ++ cladatum = db->class_val_to_struct[tclass - 1]; ++ class = db->p_class_val_to_name[tclass - 1]; ++ ++ if (cladatum->default_user == DEFAULT_SOURCE) { ++ printf("default_user %s source;\n", class); ++ } else if (cladatum->default_user == DEFAULT_TARGET) { ++ printf("default_user %s target;\n", class); ++ } ++ ++ if (cladatum->default_role == DEFAULT_SOURCE) { ++ printf("default_role %s source;\n", class); ++ } else if (cladatum->default_role == DEFAULT_TARGET) { ++ printf("default_role %s target;\n", class); ++ } ++ ++ if (cladatum->default_type == DEFAULT_SOURCE) { ++ printf("default_type %s source;\n", class); ++ } else if (cladatum->default_type == DEFAULT_TARGET) { ++ printf("default_type %s target;\n", class); ++ } ++ ++ switch (cladatum->default_range) { ++ case DEFAULT_SOURCE_LOW: ++ printf("default_range %s source low;\n", class); ++ break; ++ case DEFAULT_SOURCE_HIGH: ++ printf("default_range %s source high;\n", class); ++ break; ++ case DEFAULT_SOURCE_LOW_HIGH: ++ printf("default_range %s source low_high;\n", class); ++ break; ++ case DEFAULT_TARGET_LOW: ++ printf("default_range %s target low;\n", class); ++ break; ++ case DEFAULT_TARGET_HIGH: ++ printf("default_range %s target high;\n", class); ++ break; ++ case DEFAULT_TARGET_LOW_HIGH: ++ printf("default_range %s target low_high;\n", class); ++ break; ++ default: ++ break; ++ } ++ } ++*/ ++ hs = calloc(1, sizeof(hash_state_t)); ++ if (hs == NULL) { ++ error = errno; ++ ERR(policy, "%s", strerror(ENOMEM)); ++ errno = error; ++ return STATUS_ERR; ++ } ++ hs->table = &db->p_classes.table; ++ hs->node = (*(hs->table))->htable[0]; ++ ++ if (qpol_iterator_create(policy, (void *)hs, hash_state_get_cur, ++ hash_state_next, hash_state_end, hash_state_size, free, iter)) { ++ free(hs); ++ return STATUS_ERR; ++ } ++ ++ if (hs->node == NULL) ++ hash_state_next(*iter); ++ ++ return STATUS_SUCCESS; ++} +diff --git a/libqpol/src/libqpol.map b/libqpol/src/libqpol.map +index 6973cca..1e80308 100644 +--- a/libqpol/src/libqpol.map ++++ b/libqpol/src/libqpol.map +@@ -63,12 +63,17 @@ VERS_1.3 { + VERS_1.4 { + global: + qpol_type_get_ispermissive; ++ qpol_type_get_parent_name; + } VERS_1.3; + + VERS_1.5 { + global: + qpol_policy_permissive_*; + qpol_permissive_*; ++ qpol_typebounds_*; ++ qpol_rolebounds_*; ++ qpol_userbounds_*; + qpol_policy_polcap_*; + qpol_polcap_*; ++ qpol_default_object_*; + } VERS_1.4; +diff --git a/libqpol/src/module_compiler.c b/libqpol/src/module_compiler.c +index b06e285..b00d97e 100644 +--- a/libqpol/src/module_compiler.c ++++ b/libqpol/src/module_compiler.c +@@ -14,6 +14,7 @@ + * the Free Software Foundation, version 2. + */ + ++/* Required for SETools libqpol services */ + #include + + #include +@@ -28,21 +29,19 @@ + #include "queue.h" + #include "module_compiler.h" + +-union stack_item_u +-{ ++union stack_item_u { + avrule_block_t *avrule; + cond_list_t *cond_list; + }; + +-typedef struct scope_stack +-{ ++typedef struct scope_stack { + union stack_item_u u; +- int type; /* for above union: 1 = avrule block, 2 = conditional */ +- avrule_decl_t *decl; /* if in an avrule block, which +- * declaration is current */ ++ int type; /* for above union: 1 = avrule block, 2 = conditional */ ++ avrule_decl_t *decl; /* if in an avrule block, which ++ * declaration is current */ + avrule_t *last_avrule; +- int in_else; /* if in an avrule block, within ELSE branch */ +- int require_given; /* 1 if this block had at least one require */ ++ int in_else; /* if in an avrule block, within ELSE branch */ ++ int require_given; /* 1 if this block had at least one require */ + struct scope_stack *parent, *child; + } scope_stack_t; + +@@ -65,7 +64,8 @@ int define_policy(int pass, int module_header_given) + + if (module_header_given) { + if (policydbp->policy_type != POLICY_MOD) { +- yyerror("Module specification found while not building a policy module.\n"); ++ yyerror ++ ("Module specification found while not building a policy module.\n"); + return -1; + } + +@@ -79,14 +79,17 @@ int define_policy(int pass, int module_header_given) + return -1; + } + policydbp->name = id; +- if ((policydbp->version = queue_remove(id_queue)) == NULL) { +- yyerror("Expected a module version but none was found."); ++ if ((policydbp->version = ++ queue_remove(id_queue)) == NULL) { ++ yyerror ++ ("Expected a module version but none was found."); + return -1; + } + } + } else { + if (policydbp->policy_type == POLICY_MOD) { +- yyerror("Building a policy module, but no module specification found.\n"); ++ yyerror ++ ("Building a policy module, but no module specification found.\n"); + return -1; + } + } +@@ -98,7 +101,8 @@ int define_policy(int pass, int module_header_given) + while (stack_top != NULL) { + pop_stack(); + } +- if (push_stack(1, policydbp->global, policydbp->global->branch_list) == -1) { ++ if (push_stack(1, policydbp->global, policydbp->global->branch_list) == ++ -1) { + return -1; + } + last_block = policydbp->global; +@@ -127,7 +131,9 @@ static int is_declaration_allowed(void) + * For duplicate declarations return -2. For all else, including out + * of memory, return -3. Note that dest_value and datum_value might + * not be restricted pointers. */ +-int declare_symbol(uint32_t symbol_type, hashtab_key_t key, hashtab_datum_t datum, uint32_t * dest_value, uint32_t * datum_value) ++int declare_symbol(uint32_t symbol_type, ++ hashtab_key_t key, hashtab_datum_t datum, ++ uint32_t * dest_value, uint32_t * datum_value) + { + avrule_decl_t *decl = stack_top->decl; + int retval; +@@ -136,14 +142,17 @@ int declare_symbol(uint32_t symbol_type, hashtab_key_t key, hashtab_datum_t datu + if (!is_declaration_allowed()) { + return -1; + } +- retval = symtab_insert(policydbp, symbol_type, key, datum, SCOPE_DECL, decl->decl_id, dest_value); ++ retval = symtab_insert(policydbp, symbol_type, key, datum, ++ SCOPE_DECL, decl->decl_id, dest_value); + if (retval == 1 && dest_value) { +- symtab_datum_t *s = (symtab_datum_t *) hashtab_search(policydbp->symtab[symbol_type].table, +- key); ++ symtab_datum_t *s = ++ (symtab_datum_t *) hashtab_search(policydbp-> ++ symtab[symbol_type].table, ++ key); + assert(s != NULL); +- ++ + if (symbol_type == SYM_LEVELS) { +- *dest_value = ((level_datum_t *) s)->level->sens; ++ *dest_value = ((level_datum_t *)s)->level->sens; + } else { + *dest_value = s->value; + } +@@ -151,35 +160,38 @@ int declare_symbol(uint32_t symbol_type, hashtab_key_t key, hashtab_datum_t datu + return -2; + } else if (retval < 0) { + return -3; +- } else { /* fall through possible if retval is 0 */ ++ } else { /* fall through possible if retval is 0 */ + } + if (datum_value != NULL) { +- if (ebitmap_set_bit(decl->declared.scope + symbol_type, *datum_value - 1, 1)) { ++ if (ebitmap_set_bit(decl->declared.scope + symbol_type, ++ *datum_value - 1, 1)) { + return -3; + } + } + return retval; + } + +-static int role_implicit_bounds(hashtab_t roles_tab, char *role_id, role_datum_t * role) ++static int role_implicit_bounds(hashtab_t roles_tab, ++ char *role_id, role_datum_t *role) + { + role_datum_t *bounds; + char *bounds_id, *delim; + + delim = strrchr(role_id, '.'); + if (!delim) +- return 0; /* no implicit boundary */ ++ return 0; /* no implicit boundary */ + + bounds_id = strdup(role_id); + if (!bounds_id) { + yyerror("out of memory"); + return -1; + } +- bounds_id[(size_t) (delim - role_id)] = '\0'; ++ bounds_id[(size_t)(delim - role_id)] = '\0'; + + bounds = hashtab_search(roles_tab, bounds_id); + if (!bounds) { +- yyerror2("role %s doesn't exist, is implicit bounds of %s", bounds_id, role_id); ++ yyerror2("role %s doesn't exist, is implicit bounds of %s", ++ bounds_id, role_id); + return -1; + } + +@@ -187,7 +199,8 @@ static int role_implicit_bounds(hashtab_t roles_tab, char *role_id, role_datum_t + role->bounds = bounds->s.value; + else if (role->bounds != bounds->s.value) { + yyerror2("role %s has inconsistent bounds %s/%s", +- role_id, bounds_id, policydbp->p_role_val_to_name[role->bounds - 1]); ++ role_id, bounds_id, ++ policydbp->p_role_val_to_name[role->bounds - 1]); + return -1; + } + free(bounds_id); +@@ -195,7 +208,7 @@ static int role_implicit_bounds(hashtab_t roles_tab, char *role_id, role_datum_t + return 0; + } + +-role_datum_t *declare_role(void) ++role_datum_t *declare_role(unsigned char isattr) + { + char *id = queue_remove(id_queue), *dest_id = NULL; + role_datum_t *role = NULL, *dest_role = NULL; +@@ -212,8 +225,10 @@ role_datum_t *declare_role(void) + return NULL; + } + role_datum_init(role); +- +- retval = declare_symbol(SYM_ROLES, id, (hashtab_datum_t *) role, &value, &value); ++ role->flavor = isattr ? ROLE_ATTRIB : ROLE_ROLE; ++ retval = ++ declare_symbol(SYM_ROLES, id, (hashtab_datum_t *) role, &value, ++ &value); + if (retval == 0) { + role->s.value = value; + if ((dest_id = strdup(id)) == NULL) { +@@ -238,13 +253,16 @@ role_datum_t *declare_role(void) + } + dest_role = (role_datum_t *) hashtab_search(roles_tab, dest_id); + if (dest_role == NULL) { +- if ((dest_role = (role_datum_t *) malloc(sizeof(*dest_role))) == NULL) { ++ if ((dest_role = ++ (role_datum_t *) malloc(sizeof(*dest_role))) == ++ NULL) { + yyerror("Out of memory!"); + free(dest_id); + return NULL; + } + role_datum_init(dest_role); + dest_role->s.value = value; ++ dest_role->flavor = isattr ? ROLE_ATTRIB : ROLE_ROLE; + if (role_implicit_bounds(roles_tab, dest_id, dest_role)) { + free(dest_id); + role_datum_destroy(dest_role); +@@ -266,30 +284,31 @@ role_datum_t *declare_role(void) + } + switch (retval) { + case -3:{ +- yyerror("Out of memory!"); +- return NULL; +- } ++ yyerror("Out of memory!"); ++ return NULL; ++ } + case -2:{ +- yyerror("duplicate declaration of role"); +- return NULL; +- } ++ yyerror("duplicate declaration of role"); ++ return NULL; ++ } + case -1:{ +- yyerror("could not declare role here"); +- return NULL; +- } +- case 0:{ +- if (ebitmap_set_bit(&dest_role->dominates, role->s.value - 1, 1)) { +- yyerror("out of memory"); ++ yyerror("could not declare role here"); + return NULL; + } +- return dest_role; +- } ++ case 0:{ ++ if (ebitmap_set_bit ++ (&dest_role->dominates, role->s.value - 1, 1)) { ++ yyerror("out of memory"); ++ return NULL; ++ } ++ return dest_role; ++ } + case 1:{ +- return dest_role; /* role already declared for this block */ +- } ++ return dest_role; /* role already declared for this block */ ++ } + default:{ +- assert(0); /* should never get here */ +- } ++ assert(0); /* should never get here */ ++ } + } + } + +@@ -306,7 +325,8 @@ type_datum_t *declare_type(unsigned char primary, unsigned char isattr) + return NULL; + } + if (strcmp(id, "self") == 0) { +- yyerror("'self' is a reserved type name and may not be declared."); ++ yyerror ++ ("'self' is a reserved type name and may not be declared."); + free(id); + return NULL; + } +@@ -334,46 +354,48 @@ type_datum_t *declare_type(unsigned char primary, unsigned char isattr) + } + switch (retval) { + case -3:{ +- yyerror("Out of memory!"); +- return NULL; +- } ++ yyerror("Out of memory!"); ++ return NULL; ++ } + case -2:{ +- yyerror2("duplicate declaration of type/attribute"); +- return NULL; +- } ++ yyerror2("duplicate declaration of type/attribute"); ++ return NULL; ++ } + case -1:{ +- yyerror("could not declare type/attribute here"); +- return NULL; +- } ++ yyerror("could not declare type/attribute here"); ++ return NULL; ++ } + case 0: + case 1:{ +- return typdatum; +- } ++ return typdatum; ++ } + default:{ +- assert(0); /* should never get here */ +- } ++ assert(0); /* should never get here */ ++ } + } + } + +-static int user_implicit_bounds(hashtab_t users_tab, char *user_id, user_datum_t * user) ++static int user_implicit_bounds(hashtab_t users_tab, ++ char *user_id, user_datum_t *user) + { + user_datum_t *bounds; + char *bounds_id, *delim; + + delim = strrchr(user_id, '.'); + if (!delim) +- return 0; /* no implicit boundary */ ++ return 0; /* no implicit boundary */ + + bounds_id = strdup(user_id); + if (!bounds_id) { + yyerror("out of memory"); + return -1; + } +- bounds_id[(size_t) (delim - user_id)] = '\0'; ++ bounds_id[(size_t)(delim - user_id)] = '\0'; + + bounds = hashtab_search(users_tab, bounds_id); + if (!bounds) { +- yyerror2("user %s doesn't exist, is implicit bounds of %s", bounds_id, user_id); ++ yyerror2("user %s doesn't exist, is implicit bounds of %s", ++ bounds_id, user_id); + return -1; + } + +@@ -381,7 +403,8 @@ static int user_implicit_bounds(hashtab_t users_tab, char *user_id, user_datum_t + user->bounds = bounds->s.value; + else if (user->bounds != bounds->s.value) { + yyerror2("user %s has inconsistent bounds %s/%s", +- user_id, bounds_id, policydbp->p_role_val_to_name[user->bounds - 1]); ++ user_id, bounds_id, ++ policydbp->p_role_val_to_name[user->bounds - 1]); + return -1; + } + free(bounds_id); +@@ -407,7 +430,9 @@ user_datum_t *declare_user(void) + } + user_datum_init(user); + +- retval = declare_symbol(SYM_USERS, id, (hashtab_datum_t *) user, &value, &value); ++ retval = ++ declare_symbol(SYM_USERS, id, (hashtab_datum_t *) user, &value, ++ &value); + + if (retval == 0) { + user->s.value = value; +@@ -433,7 +458,9 @@ user_datum_t *declare_user(void) + } + dest_user = (user_datum_t *) hashtab_search(users_tab, dest_id); + if (dest_user == NULL) { +- if ((dest_user = (user_datum_t *) malloc(sizeof(*dest_user))) == NULL) { ++ if ((dest_user = ++ (user_datum_t *) malloc(sizeof(*dest_user))) == ++ NULL) { + yyerror("Out of memory!"); + free(dest_id); + return NULL; +@@ -461,26 +488,26 @@ user_datum_t *declare_user(void) + } + switch (retval) { + case -3:{ +- yyerror("Out of memory!"); +- return NULL; +- } ++ yyerror("Out of memory!"); ++ return NULL; ++ } + case -2:{ +- yyerror("duplicate declaration of user"); +- return NULL; +- } ++ yyerror("duplicate declaration of user"); ++ return NULL; ++ } + case -1:{ +- yyerror("could not declare user here"); +- return NULL; +- } ++ yyerror("could not declare user here"); ++ return NULL; ++ } + case 0:{ +- return dest_user; +- } ++ return dest_user; ++ } + case 1:{ +- return dest_user; /* user already declared for this block */ +- } ++ return dest_user; /* user already declared for this block */ ++ } + default:{ +- assert(0); /* should never get here */ +- } ++ assert(0); /* should never get here */ ++ } + } + } + +@@ -530,6 +557,55 @@ type_datum_t *get_local_type(char *id, uint32_t value, unsigned char isattr) + return dest_typdatum; + } + ++/* Return a role_datum_t for the local avrule_decl with the given ID. ++ * If it does not exist, create one with the same value as 'value'. ++ * This function assumes that the ID is within scope. c.f., ++ * is_id_in_scope(). ++ * ++ * NOTE: this function usurps ownership of id afterwards. The caller ++ * shall not reference it nor free() it afterwards. ++ */ ++role_datum_t *get_local_role(char *id, uint32_t value, unsigned char isattr) ++{ ++ role_datum_t *dest_roledatum; ++ hashtab_t roles_tab; ++ ++ assert(stack_top->type == 1); ++ ++ if (stack_top->parent == NULL) { ++ /* in global, so use global symbol table */ ++ roles_tab = policydbp->p_roles.table; ++ } else { ++ roles_tab = stack_top->decl->p_roles.table; ++ } ++ ++ dest_roledatum = hashtab_search(roles_tab, id); ++ if (!dest_roledatum) { ++ dest_roledatum = (role_datum_t *)malloc(sizeof(role_datum_t)); ++ if (dest_roledatum == NULL) { ++ free(id); ++ return NULL; ++ } ++ ++ role_datum_init(dest_roledatum); ++ dest_roledatum->s.value = value; ++ dest_roledatum->flavor = isattr ? ROLE_ATTRIB : ROLE_ROLE; ++ ++ if (hashtab_insert(roles_tab, id, dest_roledatum)) { ++ free(id); ++ role_datum_destroy(dest_roledatum); ++ free(dest_roledatum); ++ return NULL; ++ } ++ } else { ++ free(id); ++ if (dest_roledatum->flavor != isattr ? ROLE_ATTRIB : ROLE_ROLE) ++ return NULL; ++ } ++ ++ return dest_roledatum; ++} ++ + /* Given the current parse stack, returns 1 if a requirement would be + * allowed here or 0 if not. For example, the ELSE branch may never + * have its own requirements. +@@ -550,7 +626,9 @@ static int is_require_allowed(void) + * return -3.. Note that dest_value and datum_value might not be + * restricted pointers. + */ +-int require_symbol(uint32_t symbol_type, hashtab_key_t key, hashtab_datum_t datum, uint32_t * dest_value, uint32_t * datum_value) ++int require_symbol(uint32_t symbol_type, ++ hashtab_key_t key, hashtab_datum_t datum, ++ uint32_t * dest_value, uint32_t * datum_value) + { + avrule_decl_t *decl = stack_top->decl; + int retval; +@@ -559,14 +637,17 @@ int require_symbol(uint32_t symbol_type, hashtab_key_t key, hashtab_datum_t datu + if (!is_require_allowed()) { + return -1; + } +- retval = symtab_insert(policydbp, symbol_type, key, datum, SCOPE_REQ, decl->decl_id, dest_value); ++ retval = symtab_insert(policydbp, symbol_type, key, datum, ++ SCOPE_REQ, decl->decl_id, dest_value); + if (retval == 1) { +- symtab_datum_t *s = (symtab_datum_t *) hashtab_search(policydbp->symtab[symbol_type].table, +- key); ++ symtab_datum_t *s = ++ (symtab_datum_t *) hashtab_search(policydbp-> ++ symtab[symbol_type].table, ++ key); + assert(s != NULL); +- ++ + if (symbol_type == SYM_LEVELS) { +- *dest_value = ((level_datum_t *) s)->level->sens; ++ *dest_value = ((level_datum_t *)s)->level->sens; + } else { + *dest_value = s->value; + } +@@ -578,11 +659,17 @@ int require_symbol(uint32_t symbol_type, hashtab_key_t key, hashtab_datum_t datu + if (symbol_type == SYM_TYPES) { + /* check that previous symbol has same + * type/attribute-ness */ +- unsigned char new_isattr = ((type_datum_t *) datum)->flavor; +- type_datum_t *old_datum = (type_datum_t *) hashtab_search(policydbp->symtab[SYM_TYPES].table, key); ++ unsigned char new_isattr = ++ ((type_datum_t *) datum)->flavor; ++ type_datum_t *old_datum = ++ (type_datum_t *) hashtab_search(policydbp-> ++ symtab ++ [SYM_TYPES]. ++ table, key); + assert(old_datum != NULL); + unsigned char old_isattr = old_datum->flavor; +- prev_declaration_ok = (old_isattr == new_isattr ? 1 : 0); ++ prev_declaration_ok = ++ (old_isattr == new_isattr ? 1 : 0); + } else { + prev_declaration_ok = 1; + } +@@ -600,10 +687,11 @@ int require_symbol(uint32_t symbol_type, hashtab_key_t key, hashtab_datum_t datu + } + } else if (retval < 0) { + return -3; +- } else { /* fall through possible if retval is 0 or 1 */ ++ } else { /* fall through possible if retval is 0 or 1 */ + } + if (datum_value != NULL) { +- if (ebitmap_set_bit(decl->required.scope + symbol_type, *datum_value - 1, 1)) { ++ if (ebitmap_set_bit(decl->required.scope + symbol_type, ++ *datum_value - 1, 1)) { + return -3; + } + } +@@ -632,13 +720,15 @@ int add_perm_to_class(uint32_t perm_value, uint32_t class_value) + } + scope->class_perms_len = class_value; + } +- if (ebitmap_set_bit(scope->class_perms_map + class_value - 1, perm_value - 1, 1)) { ++ if (ebitmap_set_bit(scope->class_perms_map + class_value - 1, ++ perm_value - 1, 1)) { + return -1; + } + return 0; + } + +-static int perm_destroy(hashtab_key_t key, hashtab_datum_t datum, void *p __attribute__ ((unused))) ++static int perm_destroy(hashtab_key_t key, hashtab_datum_t datum, void *p ++ __attribute__ ((unused))) + { + if (key) + free(key); +@@ -676,48 +766,53 @@ int require_class(int pass) + return -1; + } + +- if ((datum = calloc(1, sizeof(*datum))) == NULL || symtab_init(&datum->permissions, PERM_SYMTAB_SIZE)) { ++ if ((datum = calloc(1, sizeof(*datum))) == NULL || ++ symtab_init(&datum->permissions, PERM_SYMTAB_SIZE)) { + yyerror("Out of memory!"); + goto cleanup; + } +- ret = require_symbol(SYM_CLASSES, class_id, datum, &datum->s.value, &datum->s.value); ++ ret = ++ require_symbol(SYM_CLASSES, class_id, datum, &datum->s.value, ++ &datum->s.value); + switch (ret) { + case -3:{ +- yyerror("Out of memory!"); +- free(class_id); +- class_datum_destroy(datum); +- goto cleanup; +- } ++ yyerror("Out of memory!"); ++ free(class_id); ++ class_datum_destroy(datum); ++ goto cleanup; ++ } + case -2:{ +- yyerror("duplicate declaration of class"); +- free(class_id); +- class_datum_destroy(datum); +- goto cleanup; +- } ++ yyerror("duplicate declaration of class"); ++ free(class_id); ++ class_datum_destroy(datum); ++ goto cleanup; ++ } + case -1:{ +- yyerror("could not require class here"); +- free(class_id); +- class_datum_destroy(datum); +- goto cleanup; +- } +- case 0:{ +- /* a new class was added; reindex everything */ +- if (policydb_index_classes(policydbp)) { +- yyerror("Out of memory!"); ++ yyerror("could not require class here"); ++ free(class_id); ++ class_datum_destroy(datum); + goto cleanup; + } +- break; +- } ++ case 0:{ ++ /* a new class was added; reindex everything */ ++ if (policydb_index_classes(policydbp)) { ++ yyerror("Out of memory!"); ++ goto cleanup; ++ } ++ break; ++ } + case 1:{ +- class_datum_destroy(datum); +- datum = hashtab_search(policydbp->p_classes.table, class_id); +- assert(datum); /* the class datum should have existed */ +- free(class_id); +- break; +- } ++ class_datum_destroy(datum); ++ datum = ++ hashtab_search(policydbp->p_classes.table, ++ class_id); ++ assert(datum); /* the class datum should have existed */ ++ free(class_id); ++ break; ++ } + default:{ +- assert(0); /* should never get here */ +- } ++ assert(0); /* should never get here */ ++ } + } + + /* now add each of the permissions to this class's requirements */ +@@ -727,14 +822,18 @@ int require_class(int pass) + /* Is the permission already in the table? */ + perm = hashtab_search(datum->permissions.table, perm_id); + if (!perm && datum->comdatum) +- perm = hashtab_search(datum->comdatum->permissions.table, perm_id); ++ perm = ++ hashtab_search(datum->comdatum->permissions.table, ++ perm_id); + if (perm) { + /* Yes, drop the name. */ + free(perm_id); + } else { + /* No - allocate and insert an entry for it. */ + if (policydbp->policy_type == POLICY_BASE) { +- yyerror2("Base policy - require of permission %s without prior declaration.", perm_id); ++ yyerror2 ++ ("Base policy - require of permission %s without prior declaration.", ++ perm_id); + free(perm_id); + goto cleanup; + } +@@ -745,7 +844,9 @@ int require_class(int pass) + goto cleanup; + } + memset(perm, 0, sizeof(*perm)); +- ret = hashtab_insert(datum->permissions.table, perm_id, perm); ++ ret = ++ hashtab_insert(datum->permissions.table, perm_id, ++ perm); + if (ret) { + yyerror("Out of memory!"); + free(perm_id); +@@ -769,7 +870,7 @@ int require_class(int pass) + return -1; + } + +-int require_role(int pass) ++static int require_role_or_attribute(int pass, unsigned char isattr) + { + char *id = queue_remove(id_queue); + role_datum_t *role = NULL; +@@ -788,7 +889,10 @@ int require_role(int pass) + return -1; + } + role_datum_init(role); +- retval = require_symbol(SYM_ROLES, id, (hashtab_datum_t *) role, &role->s.value, &role->s.value); ++ role->flavor = isattr ? ROLE_ATTRIB : ROLE_ROLE; ++ retval = ++ require_symbol(SYM_ROLES, id, (hashtab_datum_t *) role, ++ &role->s.value, &role->s.value); + if (retval != 0) { + free(id); + role_datum_destroy(role); +@@ -796,34 +900,45 @@ int require_role(int pass) + } + switch (retval) { + case -3:{ +- yyerror("Out of memory!"); +- return -1; +- } ++ yyerror("Out of memory!"); ++ return -1; ++ } + case -2:{ +- yyerror("duplicate declaration of role"); +- return -1; +- } ++ yyerror("duplicate declaration of role"); ++ return -1; ++ } + case -1:{ +- yyerror("could not require role here"); +- return -1; +- } +- case 0:{ +- /* all roles dominate themselves */ +- if (ebitmap_set_bit(&role->dominates, role->s.value - 1, 1)) { +- yyerror("Out of memory"); ++ yyerror("could not require role here"); + return -1; + } +- return 0; +- } ++ case 0:{ ++ /* all roles dominate themselves */ ++ if (ebitmap_set_bit ++ (&role->dominates, role->s.value - 1, 1)) { ++ yyerror("Out of memory"); ++ return -1; ++ } ++ return 0; ++ } + case 1:{ +- return 0; /* role already required */ +- } ++ return 0; /* role already required */ ++ } + default:{ +- assert(0); /* should never get here */ +- } ++ assert(0); /* should never get here */ ++ } + } + } + ++int require_role(int pass) ++{ ++ return require_role_or_attribute(pass, 0); ++} ++ ++int require_attribute_role(int pass) ++{ ++ return require_role_or_attribute(pass, 1); ++} ++ + static int require_type_or_attribute(int pass, unsigned char isattr) + { + char *id = queue_remove(id_queue); +@@ -845,33 +960,35 @@ static int require_type_or_attribute(int pass, unsigned char isattr) + type_datum_init(type); + type->primary = 1; + type->flavor = isattr ? TYPE_ATTRIB : TYPE_TYPE; +- retval = require_symbol(SYM_TYPES, id, (hashtab_datum_t *) type, &type->s.value, &type->s.value); ++ retval = ++ require_symbol(SYM_TYPES, id, (hashtab_datum_t *) type, ++ &type->s.value, &type->s.value); + if (retval != 0) { + free(id); + free(type); + } + switch (retval) { + case -3:{ +- yyerror("Out of memory!"); +- return -1; +- } ++ yyerror("Out of memory!"); ++ return -1; ++ } + case -2:{ +- yyerror("duplicate declaration of type/attribute"); +- return -1; +- } ++ yyerror("duplicate declaration of type/attribute"); ++ return -1; ++ } + case -1:{ +- yyerror("could not require type/attribute here"); +- return -1; +- } ++ yyerror("could not require type/attribute here"); ++ return -1; ++ } + case 0:{ +- return 0; +- } ++ return 0; ++ } + case 1:{ +- return 0; /* type already required */ +- } ++ return 0; /* type already required */ ++ } + default:{ +- assert(0); /* should never get here */ +- } ++ assert(0); /* should never get here */ ++ } + } + } + +@@ -904,37 +1021,39 @@ int require_user(int pass) + return -1; + } + user_datum_init(user); +- retval = require_symbol(SYM_USERS, id, (hashtab_datum_t *) user, &user->s.value, &user->s.value); ++ retval = ++ require_symbol(SYM_USERS, id, (hashtab_datum_t *) user, ++ &user->s.value, &user->s.value); + if (retval != 0) { + free(id); + user_datum_destroy(user); + } + switch (retval) { + case -3:{ +- yyerror("Out of memory!"); +- return -1; +- } ++ yyerror("Out of memory!"); ++ return -1; ++ } + case -2:{ +- yyerror("duplicate declaration of user"); +- return -1; +- } ++ yyerror("duplicate declaration of user"); ++ return -1; ++ } + case -1:{ +- yyerror("could not require user here"); +- return -1; +- } ++ yyerror("could not require user here"); ++ return -1; ++ } + case 0:{ +- return 0; +- } ++ return 0; ++ } + case 1:{ +- return 0; /* user already required */ +- } ++ return 0; /* user already required */ ++ } + default:{ +- assert(0); /* should never get here */ +- } ++ assert(0); /* should never get here */ ++ } + } + } + +-int require_bool(int pass) ++static int require_bool_tunable(int pass, int is_tunable) + { + char *id = queue_remove(id_queue); + cond_bool_datum_t *booldatum = NULL; +@@ -952,35 +1071,49 @@ int require_bool(int pass) + yyerror("Out of memory!"); + return -1; + } +- retval = require_symbol(SYM_BOOLS, id, (hashtab_datum_t *) booldatum, &booldatum->s.value, &booldatum->s.value); ++ if (is_tunable) ++ booldatum->flags |= COND_BOOL_FLAGS_TUNABLE; ++ retval = ++ require_symbol(SYM_BOOLS, id, (hashtab_datum_t *) booldatum, ++ &booldatum->s.value, &booldatum->s.value); + if (retval != 0) { + cond_destroy_bool(id, booldatum, NULL); + } + switch (retval) { + case -3:{ +- yyerror("Out of memory!"); +- return -1; +- } ++ yyerror("Out of memory!"); ++ return -1; ++ } + case -2:{ +- yyerror("duplicate declaration of boolean"); +- return -1; +- } ++ yyerror("duplicate declaration of boolean"); ++ return -1; ++ } + case -1:{ +- yyerror("could not require boolean here"); +- return -1; +- } ++ yyerror("could not require boolean here"); ++ return -1; ++ } + case 0:{ +- return 0; +- } ++ return 0; ++ } + case 1:{ +- return 0; /* boolean already required */ +- } ++ return 0; /* boolean already required */ ++ } + default:{ +- assert(0); /* should never get here */ +- } ++ assert(0); /* should never get here */ ++ } + } + } + ++int require_bool(int pass) ++{ ++ return require_bool_tunable(pass, 0); ++} ++ ++int require_tunable(int pass) ++{ ++ return require_bool_tunable(pass, 1); ++} ++ + int require_sens(int pass) + { + char *id = queue_remove(id_queue); +@@ -1010,7 +1143,8 @@ int require_sens(int pass) + return -1; + } + mls_level_init(level->level); +- retval = require_symbol(SYM_LEVELS, id, (hashtab_datum_t *) level, &level->level->sens, &level->level->sens); ++ retval = require_symbol(SYM_LEVELS, id, (hashtab_datum_t *) level, ++ &level->level->sens, &level->level->sens); + if (retval != 0) { + free(id); + mls_level_destroy(level->level); +@@ -1020,26 +1154,26 @@ int require_sens(int pass) + } + switch (retval) { + case -3:{ +- yyerror("Out of memory!"); +- return -1; +- } ++ yyerror("Out of memory!"); ++ return -1; ++ } + case -2:{ +- yyerror("duplicate declaration of sensitivity"); +- return -1; +- } ++ yyerror("duplicate declaration of sensitivity"); ++ return -1; ++ } + case -1:{ +- yyerror("could not require sensitivity here"); +- return -1; +- } ++ yyerror("could not require sensitivity here"); ++ return -1; ++ } + case 0:{ +- return 0; +- } ++ return 0; ++ } + case 1:{ +- return 0; /* sensitivity already required */ +- } ++ return 0; /* sensitivity already required */ ++ } + default:{ +- assert(0); /* should never get here */ +- } ++ assert(0); /* should never get here */ ++ } + } + } + +@@ -1064,7 +1198,8 @@ int require_cat(int pass) + } + cat_datum_init(cat); + +- retval = require_symbol(SYM_CATS, id, (hashtab_datum_t *) cat, &cat->s.value, &cat->s.value); ++ retval = require_symbol(SYM_CATS, id, (hashtab_datum_t *) cat, ++ &cat->s.value, &cat->s.value); + if (retval != 0) { + free(id); + cat_datum_destroy(cat); +@@ -1072,26 +1207,26 @@ int require_cat(int pass) + } + switch (retval) { + case -3:{ +- yyerror("Out of memory!"); +- return -1; +- } ++ yyerror("Out of memory!"); ++ return -1; ++ } + case -2:{ +- yyerror("duplicate declaration of category"); +- return -1; +- } ++ yyerror("duplicate declaration of category"); ++ return -1; ++ } + case -1:{ +- yyerror("could not require category here"); +- return -1; +- } ++ yyerror("could not require category here"); ++ return -1; ++ } + case 0:{ +- return 0; +- } ++ return 0; ++ } + case 1:{ +- return 0; /* category already required */ +- } ++ return 0; /* category already required */ ++ } + default:{ +- assert(0); /* should never get here */ +- } ++ assert(0); /* should never get here */ ++ } + } + } + +@@ -1099,7 +1234,7 @@ static int is_scope_in_stack(scope_datum_t * scope, scope_stack_t * stack) + { + int i; + if (stack == NULL) { +- return 0; /* no matching scope found */ ++ return 0; /* no matching scope found */ + } + if (stack->type == 1) { + avrule_decl_t *decl = stack->decl; +@@ -1119,33 +1254,40 @@ static int is_scope_in_stack(scope_datum_t * scope, scope_stack_t * stack) + + int is_id_in_scope(uint32_t symbol_type, hashtab_key_t id) + { +- scope_datum_t *scope = (scope_datum_t *) hashtab_search(policydbp->scope[symbol_type].table, id); ++ scope_datum_t *scope = ++ (scope_datum_t *) hashtab_search(policydbp->scope[symbol_type]. ++ table, id); + if (scope == NULL) { +- return 1; /* id is not known, so return success */ ++ return 1; /* id is not known, so return success */ + } + return is_scope_in_stack(scope, stack_top); + } + +-static int is_perm_in_scope_index(uint32_t perm_value, uint32_t class_value, scope_index_t * scope) ++static int is_perm_in_scope_index(uint32_t perm_value, uint32_t class_value, ++ scope_index_t * scope) + { + if (class_value > scope->class_perms_len) { + return 1; + } +- if (ebitmap_get_bit(scope->class_perms_map + class_value - 1, perm_value - 1)) { ++ if (ebitmap_get_bit(scope->class_perms_map + class_value - 1, ++ perm_value - 1)) { + return 1; + } + return 0; + } + +-static int is_perm_in_stack(uint32_t perm_value, uint32_t class_value, scope_stack_t * stack) ++static int is_perm_in_stack(uint32_t perm_value, uint32_t class_value, ++ scope_stack_t * stack) + { + if (stack == NULL) { +- return 0; /* no matching scope found */ ++ return 0; /* no matching scope found */ + } + if (stack->type == 1) { + avrule_decl_t *decl = stack->decl; +- if (is_perm_in_scope_index(perm_value, class_value, &decl->required) +- || is_perm_in_scope_index(perm_value, class_value, &decl->declared)) { ++ if (is_perm_in_scope_index ++ (perm_value, class_value, &decl->required) ++ || is_perm_in_scope_index(perm_value, class_value, ++ &decl->declared)) { + return 1; + } + } else { +@@ -1159,17 +1301,20 @@ static int is_perm_in_stack(uint32_t perm_value, uint32_t class_value, scope_sta + + int is_perm_in_scope(hashtab_key_t perm_id, hashtab_key_t class_id) + { +- class_datum_t *cladatum = (class_datum_t *) hashtab_search(policydbp->p_classes.table, +- class_id); ++ class_datum_t *cladatum = ++ (class_datum_t *) hashtab_search(policydbp->p_classes.table, ++ class_id); + perm_datum_t *perdatum; + if (cladatum == NULL) { + return 1; + } +- perdatum = (perm_datum_t *) hashtab_search(cladatum->permissions.table, perm_id); ++ perdatum = (perm_datum_t *) hashtab_search(cladatum->permissions.table, ++ perm_id); + if (perdatum == NULL) { + return 1; + } +- return is_perm_in_stack(perdatum->s.value, cladatum->s.value, stack_top); ++ return is_perm_in_stack(perdatum->s.value, cladatum->s.value, ++ stack_top); + } + + cond_list_t *get_current_cond_list(cond_list_t * cond) +@@ -1188,19 +1333,23 @@ void append_cond_list(cond_list_t * cond) + { + cond_list_t *old_cond = get_current_cond_list(cond); + avrule_t *tmp; +- assert(old_cond != NULL); /* probably out of memory */ ++ assert(old_cond != NULL); /* probably out of memory */ + if (old_cond->avtrue_list == NULL) { + old_cond->avtrue_list = cond->avtrue_list; + } else { +- for (tmp = old_cond->avtrue_list; tmp->next != NULL; tmp = tmp->next) ; ++ for (tmp = old_cond->avtrue_list; tmp->next != NULL; ++ tmp = tmp->next) ; + tmp->next = cond->avtrue_list; + } + if (old_cond->avfalse_list == NULL) { + old_cond->avfalse_list = cond->avfalse_list; + } else { +- for (tmp = old_cond->avfalse_list; tmp->next != NULL; tmp = tmp->next) ; ++ for (tmp = old_cond->avfalse_list; tmp->next != NULL; ++ tmp = tmp->next) ; + tmp->next = cond->avfalse_list; + } ++ ++ old_cond->flags |= cond->flags; + } + + void append_avrule(avrule_t * avrule) +@@ -1276,7 +1425,8 @@ int begin_optional(int pass) + avrule_decl_t *decl; + if (pass == 1) { + /* allocate a new avrule block for this optional block */ +- if ((block = avrule_block_create()) == NULL || (decl = avrule_decl_create(next_decl_id)) == NULL) { ++ if ((block = avrule_block_create()) == NULL || ++ (decl = avrule_decl_create(next_decl_id)) == NULL) { + goto cleanup; + } + block->flags |= AVRULE_OPTIONAL; +@@ -1285,7 +1435,9 @@ int begin_optional(int pass) + } else { + /* select the next block from the chain built during pass 1 */ + block = last_block->next; +- assert(block != NULL && block->branch_list != NULL && block->branch_list->decl_id == next_decl_id); ++ assert(block != NULL && ++ block->branch_list != NULL && ++ block->branch_list->decl_id == next_decl_id); + decl = block->branch_list; + } + if (push_stack(1, block, decl) == -1) { +@@ -1324,7 +1476,8 @@ int begin_optional_else(int pass) + /* pick the (hopefully last) declaration of this + avrule block, built from pass 1 */ + decl = stack_top->decl->next; +- assert(decl != NULL && decl->next == NULL && decl->decl_id == next_decl_id); ++ assert(decl != NULL && ++ decl->next == NULL && decl->decl_id == next_decl_id); + } + stack_top->in_else = 1; + stack_top->decl = decl; +@@ -1353,21 +1506,26 @@ static int copy_requirements(avrule_decl_t * dest, scope_stack_t * stack) + } + /* now copy class permissions */ + if (src_scope->class_perms_len > dest_scope->class_perms_len) { +- ebitmap_t *new_map = realloc(dest_scope->class_perms_map, +- src_scope->class_perms_len * sizeof(*new_map)); ++ ebitmap_t *new_map = ++ realloc(dest_scope->class_perms_map, ++ src_scope->class_perms_len * ++ sizeof(*new_map)); + if (new_map == NULL) { + yyerror("Out of memory!"); + return -1; + } + dest_scope->class_perms_map = new_map; +- for (i = dest_scope->class_perms_len; i < src_scope->class_perms_len; i++) { ++ for (i = dest_scope->class_perms_len; ++ i < src_scope->class_perms_len; i++) { + ebitmap_init(dest_scope->class_perms_map + i); + } +- dest_scope->class_perms_len = src_scope->class_perms_len; ++ dest_scope->class_perms_len = ++ src_scope->class_perms_len; + } + for (i = 0; i < src_scope->class_perms_len; i++) { + ebitmap_t *src_bitmap = &src_scope->class_perms_map[i]; +- ebitmap_t *dest_bitmap = &dest_scope->class_perms_map[i]; ++ ebitmap_t *dest_bitmap = ++ &dest_scope->class_perms_map[i]; + if (ebitmap_union(dest_bitmap, src_bitmap)) { + yyerror("Out of memory!"); + return -1; +@@ -1394,7 +1552,8 @@ int end_avrule_block(int pass) + return 0; + } + if (!stack_top->in_else && !stack_top->require_given) { +- if (policydbp->policy_type == POLICY_BASE && stack_top->parent != NULL) { ++ if (policydbp->policy_type == POLICY_BASE ++ && stack_top->parent != NULL) { + /* if this is base no require should be in the global block */ + return 0; + } else { +@@ -1418,14 +1577,14 @@ static int push_stack(int stack_type, ...) + va_start(ap, stack_type); + switch (s->type = stack_type) { + case 1:{ +- s->u.avrule = va_arg(ap, avrule_block_t *); +- s->decl = va_arg(ap, avrule_decl_t *); +- break; +- } ++ s->u.avrule = va_arg(ap, avrule_block_t *); ++ s->decl = va_arg(ap, avrule_decl_t *); ++ break; ++ } + case 2:{ +- s->u.cond_list = va_arg(ap, cond_list_t *); +- break; +- } ++ s->u.cond_list = va_arg(ap, cond_list_t *); ++ break; ++ } + default: + /* invalid stack type given */ + assert(0); +diff --git a/libqpol/src/module_compiler.h b/libqpol/src/module_compiler.h +index d46dca6..b9c0526 100644 +--- a/libqpol/src/module_compiler.h ++++ b/libqpol/src/module_compiler.h +@@ -17,6 +17,7 @@ + #ifndef MODULE_COMPILER_H + #define MODULE_COMPILER_H + ++/* Required for SETools libqpol services */ + #ifdef __cplusplus + extern "C" + { +@@ -36,18 +37,23 @@ int define_policy(int pass, int module_header_given); + * needs to free() the datum), -1 if declarations not allowed, -2 for + * duplicate declarations, -3 for all else. + */ +-int declare_symbol(uint32_t symbol_type, hashtab_key_t key, hashtab_datum_t datum, uint32_t * dest_value, uint32_t * datum_value); ++int declare_symbol(uint32_t symbol_type, ++ hashtab_key_t key, hashtab_datum_t datum, ++ uint32_t * dest_value, uint32_t * datum_value); + +-role_datum_t *declare_role(void); ++role_datum_t *declare_role(unsigned char isattr); + type_datum_t *declare_type(unsigned char primary, unsigned char isattr); + user_datum_t *declare_user(void); + + type_datum_t *get_local_type(char *id, uint32_t value, unsigned char isattr); ++role_datum_t *get_local_role(char *id, uint32_t value, unsigned char isattr); + + /* Add a symbol to the current avrule_block's require section. Note + * that a module may not both declare and require the same symbol. + * Returns 0 on success, -1 on error. */ +-int require_symbol(uint32_t symbol_type, hashtab_key_t key, hashtab_datum_t datum, uint32_t * dest_value, uint32_t * datum_value); ++int require_symbol(uint32_t symbol_type, ++ hashtab_key_t key, hashtab_datum_t datum, ++ uint32_t * dest_value, uint32_t * datum_value); + + /* Enable a permission for a class within the current avrule_decl. + * Return 0 on success, -1 if out of memory. */ +@@ -60,8 +66,10 @@ int require_class(int pass); + int require_role(int pass); + int require_type(int pass); + int require_attribute(int pass); ++int require_attribute_role(int pass); + int require_user(int pass); + int require_bool(int pass); ++int require_tunable(int pass); + int require_sens(int pass); + int require_cat(int pass); + +diff --git a/libqpol/src/policy.c b/libqpol/src/policy.c +index 7180556..717c079 100644 +--- a/libqpol/src/policy.c ++++ b/libqpol/src/policy.c +@@ -412,6 +412,45 @@ static int infer_policy_version(qpol_policy_t * policy) + } + qpol_iterator_destroy(&iter); + ++/* Check each version change from 29 to 24 */ ++/* If this is available then just set version 29 */ ++#ifdef HAVE_SEPOL_CONSTRAINT_NAMES ++ db->policyvers = 29; ++ return STATUS_SUCCESS; ++#endif ++ ++/* ++ * These will remove the rules from policy_define.c if libsepol ++ * does not have the support listed in policydb.h. The earlier code ++ * checked for at least one rule before enabling - this patch does not ++ * as if in policydb.h then must be capable of being built. ++ */ ++#ifdef HAVE_SEPOL_DEFAULT_TYPE ++ db->policyvers = 28; ++ return STATUS_SUCCESS; ++#endif ++ ++#ifdef HAVE_SEPOL_NEW_OBJECT_DEFAULTS ++ db->policyvers = 27; ++ return STATUS_SUCCESS; ++#endif ++ ++/* This seems to be in place already ?? ++#ifdef HAVE_SEPOL_ROLETRANS ++ db->policyvers = 26; ++ return STATUS_SUCCESS; ++#endif */ ++ ++#ifdef HAVE_SEPOL_FILENAME_TRANS ++ db->policyvers = 25; ++ return STATUS_SUCCESS; ++#endif ++ ++#ifdef HAVE_SEPOL_BOUNDARY ++ db->policyvers = 24; ++ return STATUS_SUCCESS; ++#endif ++ + #if defined(HAVE_SEPOL_PERMISSIVE_TYPES) || defined(HAVE_SEPOL_POLICYCAPS) + ebitmap_node_t *node = NULL; + unsigned int i = 0; +@@ -1466,6 +1505,25 @@ int qpol_policy_get_policy_version(const qpol_policy_t * policy, unsigned int *v + return STATUS_SUCCESS; + } + ++int qpol_policy_get_policy_handle_unknown(const qpol_policy_t * policy, unsigned int *handle_unknown) ++{ ++ policydb_t *db; ++ ++ if (handle_unknown != NULL) ++ *handle_unknown = 0; ++ ++ if (policy == NULL || handle_unknown == NULL) { ++ ERR(policy, "%s", strerror(EINVAL)); ++ errno = EINVAL; ++ return STATUS_ERR; ++ } ++ ++ db = &policy->p->p; ++ *handle_unknown = db->handle_unknown; ++ ++ return STATUS_SUCCESS; ++} ++ + int qpol_policy_get_type(const qpol_policy_t * policy, int *type) + { + if (!policy || !type) { +@@ -1534,6 +1592,55 @@ int qpol_policy_has_capability(const qpol_policy_t * policy, qpol_capability_e c + return 1; + break; + } ++ case QPOL_CAP_BOUNDS: ++ { ++ if (version >= 24 && policy->type != QPOL_POLICY_MODULE_BINARY) ++ return 1; ++ if (version >= 9 && policy->type == QPOL_POLICY_MODULE_BINARY) ++ return 1; ++ break; ++ } ++ case QPOL_CAP_PERMISSIVE: ++ { ++ if (version >= 23 && policy->type != QPOL_POLICY_MODULE_BINARY) ++ return 1; ++ if (version >= 8 && policy->type == QPOL_POLICY_MODULE_BINARY) ++ return 1; ++ break; ++ } ++ case QPOL_CAP_FILENAME_TRANS: ++ { ++ if (version >= 25 && policy->type != QPOL_POLICY_MODULE_BINARY) ++ return 1; ++ if (version >= 11 && policy->type == QPOL_POLICY_MODULE_BINARY) ++ return 1; ++ break; ++ } ++ case QPOL_CAP_ROLETRANS: ++ { ++ if (version >= 26 && policy->type != QPOL_POLICY_MODULE_BINARY) ++ return 1; ++ if (version >= 12 && policy->type == QPOL_POLICY_MODULE_BINARY) ++ return 1; ++ break; ++ } ++ /* This indicates the user, role and range - types were ate 28/16 */ ++ case QPOL_CAP_DEFAULT_OBJECTS: ++ { ++ if (version >= 27 && policy->type != QPOL_POLICY_MODULE_BINARY) ++ return 1; ++ if (version >= 15 && policy->type == QPOL_POLICY_MODULE_BINARY) ++ return 1; ++ break; ++ } ++ case QPOL_CAP_DEFAULT_TYPE: ++ { ++ if (version >= 28 && policy->type != QPOL_POLICY_MODULE_BINARY) ++ return 1; ++ if (version >= 16 && policy->type == QPOL_POLICY_MODULE_BINARY) ++ return 1; ++ break; ++ } + case QPOL_CAP_RULES_LOADED: + { + if (!(policy->options & QPOL_POLICY_OPTION_NO_RULES)) +diff --git a/libqpol/src/policy_define.c b/libqpol/src/policy_define.c +index fad6b60..15f70ba 100644 +--- a/libqpol/src/policy_define.c ++++ b/libqpol/src/policy_define.c +@@ -3,6 +3,8 @@ + * + * This file is based upon checkpolicy/policy_define.c from NSA's SVN + * repository. It has been modified to support older policy formats. ++ * The older format just seems to be PSID support (see ++ * int define_fs_use(int behavior). + */ + + /* +@@ -33,7 +35,7 @@ + */ + + /* FLASK */ +- ++/* Required for SETools libqpol */ + #include + + #include +@@ -54,6 +56,7 @@ + #include + #include + #include ++/* Required for SETools libqpol */ + #ifdef HAVE_SEPOL_POLICYCAPS + #include + #endif +@@ -62,15 +65,15 @@ + #endif + + #include "queue.h" ++/* Required for SETools libqpol - Removed #include "checkpolicy.h"*/ + #include ++ + #include "module_compiler.h" + #include "policy_define.h" + + policydb_t *policydbp; + queue_t id_queue = 0; + unsigned int pass; +-static int load_rules; +-static unsigned int num_rules = 0; + char *curfile = 0; + int mlspol = 0; + +@@ -82,12 +85,15 @@ extern int yywarn(char *msg); + extern int yyerror(char *msg); + + #define ERRORMSG_LEN 255 +-static char errormsg[ERRORMSG_LEN + 1] = { 0 }; ++static char errormsg[ERRORMSG_LEN + 1] = {0}; + + static int id_has_dot(char *id); +-static int parse_security_context(context_struct_t * c); ++static int parse_security_context(context_struct_t *c); + + /* initialize all of the state variables for the scanner/parser */ ++/* Modified for SETools libqpol */ ++static int load_rules; ++static unsigned int num_rules = 0; + void init_parser(int pass_number, int do_rules) + { + policydb_lineno = 1; +@@ -107,6 +113,7 @@ void yyerror2(char *fmt, ...) + va_end(ap); + } + ++/* Required for SETools libqpol */ + int define_mls(void) + { + mlspol = 1; +@@ -115,6 +122,7 @@ int define_mls(void) + return 0; + } + ++/* Required for SETools libqpol */ + /* Add a rule onto an avtab hash table only if it does not already + * exist. (Note that the avtab is discarded afterwards; it will be + * regenerated during expansion.) Return 1 if rule was added (or +@@ -135,11 +143,13 @@ static int insert_check_type_rule(avrule_t * rule, avtab_t * avtab, cond_av_list + #endif + + ret = expand_rule(NULL, policydbp, rule, avtab, list, other, 0); ++ + if (ret < 0) { + yyerror("Failed on expanding rule"); + } + return ret; + } ++ + int insert_separator(int push) + { + int error; +@@ -217,24 +227,24 @@ int define_class(void) + ret = declare_symbol(SYM_CLASSES, id, datum, &value, &value); + switch (ret) { + case -3:{ +- yyerror("Out of memory!"); +- goto bad; +- } ++ yyerror("Out of memory!"); ++ goto bad; ++ } + case -2:{ +- yyerror2("duplicate declaration of class %s", id); +- goto bad; +- } ++ yyerror2("duplicate declaration of class %s", id); ++ goto bad; ++ } + case -1:{ +- yyerror("could not declare class here"); +- goto bad; +- } ++ yyerror("could not declare class here"); ++ goto bad; ++ } + case 0: + case 1:{ +- break; +- } ++ break; ++ } + default:{ +- assert(0); /* should never get here */ +- } ++ assert(0); /* should never get here */ ++ } + } + datum->s.value = value; + return 0; +@@ -282,12 +292,13 @@ int define_permissive(void) + rc = -1; + goto out; + } ++/* Required for SETools libqpol */ + #ifdef HAVE_SEPOL_PERMISSIVE_TYPES + t->flags |= TYPE_FLAGS_PERMISSIVE; + #else + yyerror("This version of SETools does not have permissive types enabled."); + #endif +- out: ++out: + free(type); + return rc; + } +@@ -308,6 +319,7 @@ int define_polcap(void) + yyerror("no capability name for policycap definition?"); + goto bad; + } ++/* Required for SETools libqpol */ + #ifdef HAVE_SEPOL_POLICYCAPS + /* Check for valid cap name -> number mapping */ + capnum = sepol_polcap_getnum(id); +@@ -384,6 +396,178 @@ int define_initial_sid(void) + return -1; + } + ++static int read_classes(ebitmap_t *e_classes) ++{ ++ char *id; ++ class_datum_t *cladatum; ++ ++ while ((id = queue_remove(id_queue))) { ++ if (!is_id_in_scope(SYM_CLASSES, id)) { ++ yyerror2("class %s is not within scope", id); ++ return -1; ++ } ++ cladatum = hashtab_search(policydbp->p_classes.table, id); ++ if (!cladatum) { ++ yyerror2("unknown class %s", id); ++ return -1; ++ } ++ if (ebitmap_set_bit(e_classes, cladatum->s.value - 1, TRUE)) { ++ yyerror("Out of memory"); ++ return -1; ++ } ++ free(id); ++ } ++ return 0; ++} ++ ++int define_default_user(int which) ++{ ++ char *id; ++ ++ if (pass == 1) { ++ while ((id = queue_remove(id_queue))) ++ free(id); ++ return 0; ++ } ++/* Required for SETools libqpol */ ++#ifdef HAVE_SEPOL_NEW_OBJECT_DEFAULTS ++ class_datum_t *cladatum; ++ ++ while ((id = queue_remove(id_queue))) { ++ if (!is_id_in_scope(SYM_CLASSES, id)) { ++ yyerror2("class %s is not within scope", id); ++ return -1; ++ } ++ cladatum = hashtab_search(policydbp->p_classes.table, id); ++ if (!cladatum) { ++ yyerror2("unknown class %s", id); ++ return -1; ++ } ++ if (cladatum->default_user && cladatum->default_user != which) { ++ yyerror2("conflicting default user information for class %s", id); ++ return -1; ++ } ++ cladatum->default_user = which; ++ free(id); ++ } ++ ++ return 0; ++#else ++ yyerror("This version of SETools does not have default_user enabled."); ++#endif ++} ++ ++int define_default_role(int which) ++{ ++ char *id; ++ ++ if (pass == 1) { ++ while ((id = queue_remove(id_queue))) ++ free(id); ++ return 0; ++ } ++/* Required for SETools libqpol */ ++#ifdef HAVE_SEPOL_NEW_OBJECT_DEFAULTS ++ class_datum_t *cladatum; ++ ++ while ((id = queue_remove(id_queue))) { ++ if (!is_id_in_scope(SYM_CLASSES, id)) { ++ yyerror2("class %s is not within scope", id); ++ return -1; ++ } ++ cladatum = hashtab_search(policydbp->p_classes.table, id); ++ if (!cladatum) { ++ yyerror2("unknown class %s", id); ++ return -1; ++ } ++ if (cladatum->default_role && cladatum->default_role != which) { ++ yyerror2("conflicting default role information for class %s", id); ++ return -1; ++ } ++ cladatum->default_role = which; ++ free(id); ++ } ++ ++ return 0; ++#else ++ yyerror("This version of SETools does not have default_role enabled."); ++#endif ++} ++ ++int define_default_type(int which) ++{ ++ char *id; ++ ++ if (pass == 1) { ++ while ((id = queue_remove(id_queue))) ++ free(id); ++ return 0; ++ } ++/* Required for SETools libqpol */ ++#ifdef HAVE_SEPOL_DEFAULT_TYPE ++ class_datum_t *cladatum; ++ ++ while ((id = queue_remove(id_queue))) { ++ if (!is_id_in_scope(SYM_CLASSES, id)) { ++ yyerror2("class %s is not within scope", id); ++ return -1; ++ } ++ cladatum = hashtab_search(policydbp->p_classes.table, id); ++ if (!cladatum) { ++ yyerror2("unknown class %s", id); ++ return -1; ++ } ++ if (cladatum->default_type && cladatum->default_type != which) { ++ yyerror2("conflicting default type information for class %s", id); ++ return -1; ++ } ++ cladatum->default_type = which; ++ free(id); ++ } ++ ++ return 0; ++#else ++ yyerror("This version of SETools does not have default_type enabled."); ++#endif ++} ++ ++int define_default_range(int which) ++{ ++ char *id; ++ ++ if (pass == 1) { ++ while ((id = queue_remove(id_queue))) ++ free(id); ++ return 0; ++ } ++/* Required for SETools libqpol */ ++#ifdef HAVE_SEPOL_NEW_OBJECT_DEFAULTS ++ class_datum_t *cladatum; ++ ++ while ((id = queue_remove(id_queue))) { ++ if (!is_id_in_scope(SYM_CLASSES, id)) { ++ yyerror2("class %s is not within scope", id); ++ return -1; ++ } ++ cladatum = hashtab_search(policydbp->p_classes.table, id); ++ if (!cladatum) { ++ yyerror2("unknown class %s", id); ++ return -1; ++ } ++ if (cladatum->default_range && cladatum->default_range != which) { ++ yyerror2("conflicting default range information for class %s", id); ++ return -1; ++ } ++ cladatum->default_range = which; ++ free(id); ++ } ++ ++ return 0; ++#else ++ yyerror("This version of SETools does not have default_range enabled."); ++#endif ++} ++ + int define_common_perms(void) + { + char *id = 0, *perm = 0; +@@ -413,7 +597,8 @@ int define_common_perms(void) + goto bad; + } + memset(comdatum, 0, sizeof(common_datum_t)); +- ret = hashtab_insert(policydbp->p_commons.table, (hashtab_key_t) id, (hashtab_datum_t) comdatum); ++ ret = hashtab_insert(policydbp->p_commons.table, ++ (hashtab_key_t) id, (hashtab_datum_t) comdatum); + + if (ret == SEPOL_EEXIST) { + yyerror("duplicate common definition"); +@@ -439,13 +624,17 @@ int define_common_perms(void) + perdatum->s.value = comdatum->permissions.nprim + 1; + + if (perdatum->s.value > (sizeof(sepol_access_vector_t) * 8)) { +- yyerror("too many permissions to fit in an access vector"); ++ yyerror ++ ("too many permissions to fit in an access vector"); + goto bad_perm; + } +- ret = hashtab_insert(comdatum->permissions.table, (hashtab_key_t) perm, (hashtab_datum_t) perdatum); ++ ret = hashtab_insert(comdatum->permissions.table, ++ (hashtab_key_t) perm, ++ (hashtab_datum_t) perdatum); + + if (ret == SEPOL_EEXIST) { +- yyerror2("duplicate permission %s in common %s", perm, id); ++ yyerror2("duplicate permission %s in common %s", perm, ++ id); + goto bad_perm; + } + if (ret == SEPOL_ENOMEM) { +@@ -491,7 +680,8 @@ int define_av_perms(int inherits) + yyerror("no tclass name for av perm definition?"); + return -1; + } +- cladatum = (class_datum_t *) hashtab_search(policydbp->p_classes.table, (hashtab_key_t) id); ++ cladatum = (class_datum_t *) hashtab_search(policydbp->p_classes.table, ++ (hashtab_key_t) id); + if (!cladatum) { + yyerror2("class %s is not defined", id); + goto bad; +@@ -509,10 +699,14 @@ int define_av_perms(int inherits) + if (inherits) { + id = (char *)queue_remove(id_queue); + if (!id) { +- yyerror("no inherits name for access vector definition?"); ++ yyerror ++ ("no inherits name for access vector definition?"); + return -1; + } +- comdatum = (common_datum_t *) hashtab_search(policydbp->p_commons.table, (hashtab_key_t) id); ++ comdatum = ++ (common_datum_t *) hashtab_search(policydbp->p_commons. ++ table, ++ (hashtab_key_t) id); + + if (!comdatum) { + yyerror2("common %s is not defined", id); +@@ -537,7 +731,8 @@ int define_av_perms(int inherits) + perdatum->s.value = ++cladatum->permissions.nprim; + + if (perdatum->s.value > (sizeof(sepol_access_vector_t) * 8)) { +- yyerror("too many permissions to fit in an access vector"); ++ yyerror ++ ("too many permissions to fit in an access vector"); + goto bad; + } + if (inherits) { +@@ -546,13 +741,19 @@ int define_av_perms(int inherits) + * common permissions exist in the same + * name space. + */ +- perdatum2 = (perm_datum_t *) hashtab_search(cladatum->comdatum->permissions.table, (hashtab_key_t) id); ++ perdatum2 = ++ (perm_datum_t *) hashtab_search(cladatum->comdatum-> ++ permissions.table, ++ (hashtab_key_t) id); + if (perdatum2) { +- yyerror2("permission %s conflicts with an " "inherited permission", id); ++ yyerror2("permission %s conflicts with an " ++ "inherited permission", id); + goto bad; + } + } +- ret = hashtab_insert(cladatum->permissions.table, (hashtab_key_t) id, (hashtab_datum_t) perdatum); ++ ret = hashtab_insert(cladatum->permissions.table, ++ (hashtab_key_t) id, ++ (hashtab_datum_t) perdatum); + + if (ret == SEPOL_EEXIST) { + yyerror2("duplicate permission %s", id); +@@ -584,7 +785,7 @@ int define_sens(void) + mls_level_t *level = 0; + level_datum_t *datum = 0, *aliasdatum = 0; + int ret; +- uint32_t value; /* dummy variable -- its value is never used */ ++ uint32_t value; /* dummy variable -- its value is never used */ + + if (!mlspol) { + yyerror("sensitivity definition in non-MLS configuration"); +@@ -612,8 +813,8 @@ int define_sens(void) + goto bad; + } + mls_level_init(level); +- level->sens = 0; /* actual value set in define_dominance */ +- ebitmap_init(&level->cat); /* actual value set in define_level */ ++ level->sens = 0; /* actual value set in define_dominance */ ++ ebitmap_init(&level->cat); /* actual value set in define_level */ + + datum = (level_datum_t *) malloc(sizeof(level_datum_t)); + if (!datum) { +@@ -627,24 +828,24 @@ int define_sens(void) + ret = declare_symbol(SYM_LEVELS, id, datum, &value, &value); + switch (ret) { + case -3:{ +- yyerror("Out of memory!"); +- goto bad; +- } ++ yyerror("Out of memory!"); ++ goto bad; ++ } + case -2:{ +- yyerror("duplicate declaration of sensitivity level"); +- goto bad; +- } ++ yyerror("duplicate declaration of sensitivity level"); ++ goto bad; ++ } + case -1:{ +- yyerror("could not declare sensitivity level here"); +- goto bad; +- } ++ yyerror("could not declare sensitivity level here"); ++ goto bad; ++ } + case 0: + case 1:{ +- break; +- } ++ break; ++ } + default:{ +- assert(0); /* should never get here */ +- } ++ assert(0); /* should never get here */ ++ } + } + + while ((id = queue_remove(id_queue))) { +@@ -664,24 +865,26 @@ int define_sens(void) + ret = declare_symbol(SYM_LEVELS, id, aliasdatum, NULL, &value); + switch (ret) { + case -3:{ +- yyerror("Out of memory!"); +- goto bad_alias; +- } ++ yyerror("Out of memory!"); ++ goto bad_alias; ++ } + case -2:{ +- yyerror("duplicate declaration of sensitivity alias"); +- goto bad_alias; +- } ++ yyerror ++ ("duplicate declaration of sensitivity alias"); ++ goto bad_alias; ++ } + case -1:{ +- yyerror("could not declare sensitivity alias here"); +- goto bad_alias; +- } ++ yyerror ++ ("could not declare sensitivity alias here"); ++ goto bad_alias; ++ } + case 0: + case 1:{ +- break; +- } ++ break; ++ } + default:{ +- assert(0); /* should never get here */ +- } ++ assert(0); /* should never get here */ ++ } + } + } + +@@ -727,14 +930,18 @@ int define_dominance(void) + + order = 0; + while ((id = (char *)queue_remove(id_queue))) { +- datum = (level_datum_t *) hashtab_search(policydbp->p_levels.table, (hashtab_key_t) id); ++ datum = ++ (level_datum_t *) hashtab_search(policydbp->p_levels.table, ++ (hashtab_key_t) id); + if (!datum) { +- yyerror2("unknown sensitivity %s used in dominance " "definition", id); ++ yyerror2("unknown sensitivity %s used in dominance " ++ "definition", id); + free(id); + return -1; + } + if (datum->level->sens != 0) { +- yyerror2("sensitivity %s occurs multiply in dominance " "definition", id); ++ yyerror2("sensitivity %s occurs multiply in dominance " ++ "definition", id); + free(id); + return -1; + } +@@ -745,7 +952,8 @@ int define_dominance(void) + } + + if (order != policydbp->p_levels.nprim) { +- yyerror("all sensitivities must be specified in dominance definition"); ++ yyerror ++ ("all sensitivities must be specified in dominance definition"); + return -1; + } + return 0; +@@ -789,24 +997,24 @@ int define_category(void) + ret = declare_symbol(SYM_CATS, id, datum, &value, &value); + switch (ret) { + case -3:{ +- yyerror("Out of memory!"); +- goto bad; +- } ++ yyerror("Out of memory!"); ++ goto bad; ++ } + case -2:{ +- yyerror("duplicate declaration of category"); +- goto bad; +- } ++ yyerror("duplicate declaration of category"); ++ goto bad; ++ } + case -1:{ +- yyerror("could not declare category here"); +- goto bad; +- } ++ yyerror("could not declare category here"); ++ goto bad; ++ } + case 0: + case 1:{ +- break; +- } ++ break; ++ } + default:{ +- assert(0); /* should never get here */ +- } ++ assert(0); /* should never get here */ ++ } + } + datum->s.value = value; + +@@ -824,27 +1032,31 @@ int define_category(void) + aliasdatum->isalias = TRUE; + aliasdatum->s.value = datum->s.value; + +- ret = declare_symbol(SYM_CATS, id, aliasdatum, NULL, &datum->s.value); ++ ret = ++ declare_symbol(SYM_CATS, id, aliasdatum, NULL, ++ &datum->s.value); + switch (ret) { + case -3:{ +- yyerror("Out of memory!"); +- goto bad_alias; +- } ++ yyerror("Out of memory!"); ++ goto bad_alias; ++ } + case -2:{ +- yyerror("duplicate declaration of category aliases"); +- goto bad_alias; +- } ++ yyerror ++ ("duplicate declaration of category aliases"); ++ goto bad_alias; ++ } + case -1:{ +- yyerror("could not declare category aliases here"); +- goto bad_alias; +- } ++ yyerror ++ ("could not declare category aliases here"); ++ goto bad_alias; ++ } + case 0: + case 1:{ +- break; +- } ++ break; ++ } + default:{ +- assert(0); /* should never get here */ +- } ++ assert(0); /* should never get here */ ++ } + } + } + +@@ -911,14 +1123,16 @@ int define_level(void) + yyerror("no level name for level definition?"); + return -1; + } +- levdatum = (level_datum_t *) hashtab_search(policydbp->p_levels.table, (hashtab_key_t) id); ++ levdatum = (level_datum_t *) hashtab_search(policydbp->p_levels.table, ++ (hashtab_key_t) id); + if (!levdatum) { + yyerror2("unknown sensitivity %s used in level definition", id); + free(id); + return -1; + } + if (ebitmap_length(&levdatum->level->cat)) { +- yyerror2("sensitivity %s used in multiple level definitions", id); ++ yyerror2("sensitivity %s used in multiple level definitions", ++ id); + free(id); + return -1; + } +@@ -936,16 +1150,22 @@ int define_level(void) + + *(id_end++) = '\0'; + +- cdatum = (cat_datum_t *) hashtab_search(policydbp->p_cats.table, (hashtab_key_t) +- id_start); ++ cdatum = ++ (cat_datum_t *) hashtab_search(policydbp->p_cats. ++ table, ++ (hashtab_key_t) ++ id_start); + if (!cdatum) { + yyerror2("unknown category %s", id_start); + free(id); + return -1; + } + range_start = cdatum->s.value - 1; +- cdatum = (cat_datum_t *) hashtab_search(policydbp->p_cats.table, (hashtab_key_t) +- id_end); ++ cdatum = ++ (cat_datum_t *) hashtab_search(policydbp->p_cats. ++ table, ++ (hashtab_key_t) ++ id_end); + if (!cdatum) { + yyerror2("unknown category %s", id_end); + free(id); +@@ -959,7 +1179,10 @@ int define_level(void) + return -1; + } + } else { +- cdatum = (cat_datum_t *) hashtab_search(policydbp->p_cats.table, (hashtab_key_t) id); ++ cdatum = ++ (cat_datum_t *) hashtab_search(policydbp->p_cats. ++ table, ++ (hashtab_key_t) id); + range_start = range_end = cdatum->s.value - 1; + } + +@@ -974,7 +1197,8 @@ int define_level(void) + free(id); + } + +- if (hashtab_map(policydbp->p_levels.table, clone_level, levdatum->level)) { ++ if (hashtab_map ++ (policydbp->p_levels.table, clone_level, levdatum->level)) { + yyerror("out of memory"); + return -1; + } +@@ -1003,7 +1227,8 @@ static int add_aliases_to_type(type_datum_t * type) + while ((id = queue_remove(id_queue))) { + if (id_has_dot(id)) { + free(id); +- yyerror("type alias identifiers may not contain periods"); ++ yyerror ++ ("type alias identifiers may not contain periods"); + return -1; + } + aliasdatum = (type_datum_t *) malloc(sizeof(type_datum_t)); +@@ -1015,39 +1240,40 @@ static int add_aliases_to_type(type_datum_t * type) + memset(aliasdatum, 0, sizeof(type_datum_t)); + aliasdatum->s.value = type->s.value; + +- ret = declare_symbol(SYM_TYPES, id, aliasdatum, NULL, &aliasdatum->s.value); ++ ret = declare_symbol(SYM_TYPES, id, aliasdatum, ++ NULL, &aliasdatum->s.value); + switch (ret) { + case -3:{ +- yyerror("Out of memory!"); +- goto cleanup; +- } ++ yyerror("Out of memory!"); ++ goto cleanup; ++ } + case -2:{ +- yyerror2("duplicate declaration of alias %s", id); +- goto cleanup; +- } ++ yyerror2("duplicate declaration of alias %s", ++ id); ++ goto cleanup; ++ } + case -1:{ +- yyerror("could not declare alias here"); +- goto cleanup; +- } +- case 0: +- break; ++ yyerror("could not declare alias here"); ++ goto cleanup; ++ } ++ case 0: break; + case 1:{ +- /* ret == 1 means the alias was required and therefore already +- * has a value. Set it up as an alias with a different primary. */ +- type_datum_destroy(aliasdatum); +- free(aliasdatum); ++ /* ret == 1 means the alias was required and therefore already ++ * has a value. Set it up as an alias with a different primary. */ ++ type_datum_destroy(aliasdatum); ++ free(aliasdatum); + +- aliasdatum = hashtab_search(policydbp->symtab[SYM_TYPES].table, id); +- assert(aliasdatum); ++ aliasdatum = hashtab_search(policydbp->symtab[SYM_TYPES].table, id); ++ assert(aliasdatum); + +- aliasdatum->primary = type->s.value; +- aliasdatum->flavor = TYPE_ALIAS; ++ aliasdatum->primary = type->s.value; ++ aliasdatum->flavor = TYPE_ALIAS; + +- break; +- } ++ break; ++ } + default:{ +- assert(0); /* should never get here */ +- } ++ assert(0); /* should never get here */ ++ } + } + } + return 0; +@@ -1082,11 +1308,11 @@ int define_typealias(void) + } + t = hashtab_search(policydbp->p_types.table, id); + if (!t || t->flavor == TYPE_ATTRIB) { +- yyerror2("unknown type %s, or it was already declared as an " "attribute", id); ++ yyerror2("unknown type %s, or it was already declared as an " ++ "attribute", id); + free(id); + return -1; + } +- free(id); + return add_aliases_to_type(t); + } + +@@ -1118,7 +1344,6 @@ int define_typeattribute(void) + free(id); + return -1; + } +- free(id); + + while ((id = queue_remove(id_queue))) { + if (!is_id_in_scope(SYM_TYPES, id)) { +@@ -1191,7 +1416,8 @@ static int define_typebounds_helper(char *bounds_id, char *type_id) + else if (type->bounds != bounds->s.value) { + yyerror2("type %s has inconsistent master {%s,%s}", + type_id, +- policydbp->p_type_val_to_name[type->bounds - 1], policydbp->p_type_val_to_name[bounds->s.value - 1]); ++ policydbp->p_type_val_to_name[type->bounds - 1], ++ policydbp->p_type_val_to_name[bounds->s.value - 1]); + return -1; + } + +@@ -1200,15 +1426,18 @@ static int define_typebounds_helper(char *bounds_id, char *type_id) + + int define_typebounds(void) + { +- char *bounds, *id; ++ char *id; + + if (pass == 1) { + while ((id = queue_remove(id_queue))) + free(id); + return 0; + } ++/* Required for SETools libqpol */ ++#ifdef HAVE_SEPOL_BOUNDARY ++ char *bounds; + +- bounds = (char *)queue_remove(id_queue); ++ bounds = (char *) queue_remove(id_queue); + if (!bounds) { + yyerror("no type name for typebounds definition?"); + return -1; +@@ -1222,13 +1451,15 @@ int define_typebounds(void) + free(bounds); + + return 0; ++#else ++ yyerror("This version of SETools does not have typebounds enabled."); ++#endif + } + + int define_type(int alias) + { + char *id; + type_datum_t *datum, *attr; +- int newattr = 0; + + if (pass == 2) { + /* +@@ -1241,7 +1472,7 @@ int define_type(int alias) + + if ((delim = strrchr(id, '.')) + && (bounds = strdup(id))) { +- bounds[(size_t) (delim - id)] = '\0'; ++ bounds[(size_t)(delim - id)] = '\0'; + + if (define_typebounds_helper(bounds, id)) + return -1; +@@ -1281,8 +1512,6 @@ int define_type(int alias) + /* treat it as a fatal error */ + yyerror2("attribute %s is not declared", id); + return -1; +- } else { +- newattr = 0; + } + + if (attr->flavor != TYPE_ATTRIB) { +@@ -1304,8 +1533,7 @@ int define_type(int alias) + return 0; + } + +-struct val_to_name +-{ ++struct val_to_name { + unsigned int val; + char *name; + }; +@@ -1379,7 +1607,6 @@ int define_compute_type_helper(int which, avrule_t ** rule) + { + char *id; + type_datum_t *datum; +- class_datum_t *cladatum; + ebitmap_t tclasses; + ebitmap_node_t *node; + avrule_t *avrule; +@@ -1397,32 +1624,17 @@ int define_compute_type_helper(int which, avrule_t ** rule) + + while ((id = queue_remove(id_queue))) { + if (set_types(&avrule->stypes, id, &add, 0)) +- return -1; ++ goto bad; + } + add = 1; + while ((id = queue_remove(id_queue))) { + if (set_types(&avrule->ttypes, id, &add, 0)) +- return -1; ++ goto bad; + } + + ebitmap_init(&tclasses); +- while ((id = queue_remove(id_queue))) { +- if (!is_id_in_scope(SYM_CLASSES, id)) { +- yyerror2("class %s is not within scope", id); +- free(id); +- goto bad; +- } +- cladatum = hashtab_search(policydbp->p_classes.table, id); +- if (!cladatum) { +- yyerror2("unknown class %s", id); +- goto bad; +- } +- if (ebitmap_set_bit(&tclasses, cladatum->s.value - 1, TRUE)) { +- yyerror("Out of memory"); +- goto bad; +- } +- free(id); +- } ++ if (read_classes(&tclasses)) ++ goto bad; + + id = (char *)queue_remove(id_queue); + if (!id) { +@@ -1434,22 +1646,22 @@ int define_compute_type_helper(int which, avrule_t ** rule) + free(id); + goto bad; + } +- datum = (type_datum_t *) hashtab_search(policydbp->p_types.table, (hashtab_key_t) id); ++ datum = (type_datum_t *) hashtab_search(policydbp->p_types.table, ++ (hashtab_key_t) id); + if (!datum || datum->flavor == TYPE_ATTRIB) { + yyerror2("unknown type %s", id); + goto bad; + } +- free(id); + + ebitmap_for_each_bit(&tclasses, node, i) { + if (ebitmap_node_get_bit(node, i)) { + perm = malloc(sizeof(class_perm_node_t)); + if (!perm) { + yyerror("out of memory"); +- return -1; ++ goto bad; + } + class_perm_node_init(perm); +- perm->class = i + 1; ++ perm->tclass = i + 1; + perm->data = datum->s.value; + perm->next = avrule->perms; + avrule->perms = perm; +@@ -1472,7 +1684,7 @@ int define_compute_type(int which) + avrule_t *avrule; + int retval; + +- if (pass == 1 || (num_rules && !load_rules)) { ++ if (pass == 1 || (num_rules && !load_rules)) { /* Required for SETools libqpol */ + while ((id = queue_remove(id_queue))) + free(id); + while ((id = queue_remove(id_queue))) +@@ -1519,7 +1731,7 @@ avrule_t *define_cond_compute_type(int which) + char *id; + avrule_t *avrule; + +- if (pass == 1 || (num_rules && !load_rules)) { ++ if (pass == 1 || (num_rules && !load_rules)) { /* Required for SETools libqpol */ + while ((id = queue_remove(id_queue))) + free(id); + while ((id = queue_remove(id_queue))) +@@ -1539,7 +1751,7 @@ avrule_t *define_cond_compute_type(int which) + return avrule; + } + +-int define_bool(void) ++int define_bool_tunable(int is_tunable) + { + char *id, *bool_value; + cond_bool_datum_t *datum; +@@ -1569,27 +1781,29 @@ int define_bool(void) + return -1; + } + memset(datum, 0, sizeof(cond_bool_datum_t)); ++ if (is_tunable) ++ datum->flags |= COND_BOOL_FLAGS_TUNABLE; + ret = declare_symbol(SYM_BOOLS, id, datum, &value, &value); + switch (ret) { + case -3:{ +- yyerror("Out of memory!"); +- goto cleanup; +- } ++ yyerror("Out of memory!"); ++ goto cleanup; ++ } + case -2:{ +- yyerror2("duplicate declaration of boolean %s", id); +- goto cleanup; +- } ++ yyerror2("duplicate declaration of boolean %s", id); ++ goto cleanup; ++ } + case -1:{ +- yyerror("could not declare boolean here"); +- goto cleanup; +- } ++ yyerror("could not declare boolean here"); ++ goto cleanup; ++ } + case 0: + case 1:{ +- break; +- } ++ break; ++ } + default:{ +- assert(0); /* should never get here */ +- } ++ assert(0); /* should never get here */ ++ } + } + datum->s.value = value; + +@@ -1601,7 +1815,6 @@ int define_bool(void) + } + + datum->state = (int)(bool_value[0] == 'T') ? 1 : 0; +- free(bool_value); + return 0; + cleanup: + cond_destroy_bool(id, datum, NULL); +@@ -1610,7 +1823,7 @@ int define_bool(void) + + avrule_t *define_cond_pol_list(avrule_t * avlist, avrule_t * sl) + { +- if (pass == 1 || (num_rules && !load_rules)) { ++ if (pass == 1 || (num_rules && !load_rules)) { /* Required for SETools libqpol */ + /* return something so we get through pass 1 */ + return (avrule_t *) 1; + } +@@ -1649,7 +1862,9 @@ int define_te_avtab_helper(int which, avrule_t ** rule) + avrule->line = policydb_lineno; + + while ((id = queue_remove(id_queue))) { +- if (set_types(&avrule->stypes, id, &add, which == AVRULE_NEVERALLOW ? 1 : 0)) { ++ if (set_types ++ (&avrule->stypes, id, &add, ++ which == AVRULE_NEVERALLOW ? 1 : 0)) { + ret = -1; + goto out; + } +@@ -1661,45 +1876,32 @@ int define_te_avtab_helper(int which, avrule_t ** rule) + avrule->flags |= RULE_SELF; + continue; + } +- if (set_types(&avrule->ttypes, id, &add, which == AVRULE_NEVERALLOW ? 1 : 0)) { ++ if (set_types ++ (&avrule->ttypes, id, &add, ++ which == AVRULE_NEVERALLOW ? 1 : 0)) { + ret = -1; + goto out; + } + } + + ebitmap_init(&tclasses); +- while ((id = queue_remove(id_queue))) { +- if (!is_id_in_scope(SYM_CLASSES, id)) { +- yyerror2("class %s is not within scope", id); +- ret = -1; +- goto out; +- } +- cladatum = hashtab_search(policydbp->p_classes.table, id); +- if (!cladatum) { +- yyerror2("unknown class %s used in rule", id); +- ret = -1; +- goto out; +- } +- if (ebitmap_set_bit(&tclasses, cladatum->s.value - 1, TRUE)) { +- yyerror("Out of memory"); +- ret = -1; +- goto out; +- } +- free(id); +- } ++ ret = read_classes(&tclasses); ++ if (ret) ++ goto out; + + perms = NULL; + ebitmap_for_each_bit(&tclasses, node, i) { + if (!ebitmap_node_get_bit(node, i)) + continue; +- cur_perms = (class_perm_node_t *) malloc(sizeof(class_perm_node_t)); ++ cur_perms = ++ (class_perm_node_t *) malloc(sizeof(class_perm_node_t)); + if (!cur_perms) { + yyerror("out of memory"); + ret = -1; + goto out; + } + class_perm_node_init(cur_perms); +- cur_perms->class = i + 1; ++ cur_perms->tclass = i + 1; + if (!perms) + perms = cur_perms; + if (tail) +@@ -1728,21 +1930,29 @@ int define_te_avtab_helper(int which, avrule_t ** rule) + goto next; + } + +- perdatum = hashtab_search(cladatum->permissions.table, id); ++ perdatum = ++ hashtab_search(cladatum->permissions.table, id); + if (!perdatum) { + if (cladatum->comdatum) { +- perdatum = hashtab_search(cladatum->comdatum->permissions.table, id); ++ perdatum = ++ hashtab_search(cladatum->comdatum-> ++ permissions.table, ++ id); + } + } + if (!perdatum) { + if (!suppress) + yyerror2("permission %s is not defined" +- " for class %s", id, policydbp->p_class_val_to_name[i]); ++ " for class %s", id, ++ policydbp->p_class_val_to_name[i]); + continue; +- } else if (!is_perm_in_scope(id, policydbp->p_class_val_to_name[i])) { ++ } else ++ if (!is_perm_in_scope ++ (id, policydbp->p_class_val_to_name[i])) { + if (!suppress) { + yyerror2("permission %s of class %s is" +- " not within scope", id, policydbp->p_class_val_to_name[i]); ++ " not within scope", id, ++ policydbp->p_class_val_to_name[i]); + } + continue; + } else { +@@ -1765,70 +1975,216 @@ int define_te_avtab_helper(int which, avrule_t ** rule) + + } + +-avrule_t *define_cond_te_avtab(int which) ++avrule_t *define_cond_te_avtab(int which) ++{ ++ char *id; ++ avrule_t *avrule; ++ int i; ++ ++ if (pass == 1 || (num_rules && !load_rules)) { /* Required for SETools libqpol */ ++ for (i = 0; i < 4; i++) { ++ while ((id = queue_remove(id_queue))) ++ free(id); ++ } ++ return (avrule_t *) 1; /* any non-NULL value */ ++ } ++ ++ num_rules++; ++ ++ if (define_te_avtab_helper(which, &avrule)) ++ return COND_ERR; ++ ++ return avrule; ++} ++ ++int define_te_avtab(int which) ++{ ++ char *id; ++ avrule_t *avrule; ++ int i; ++ ++ if (pass == 1 || (num_rules && !load_rules)) { /* Required for SETools libqpol */ ++ for (i = 0; i < 4; i++) { ++ while ((id = queue_remove(id_queue))) ++ free(id); ++ } ++ return 0; ++ } ++ ++ num_rules++; ++ ++ if (define_te_avtab_helper(which, &avrule)) ++ return -1; ++ ++ /* append this avrule to the end of the current rules list */ ++ append_avrule(avrule); ++ return 0; ++} ++ ++/* The role-types rule is no longer used to declare regular role or ++ * role attribute, but solely aimed for declaring role-types associations. ++ */ ++int define_role_types(void) ++{ ++ role_datum_t *role; ++ char *id; ++ int add = 1; ++ ++ if (pass == 1) { ++ while ((id = queue_remove(id_queue))) ++ free(id); ++ return 0; ++ } ++ ++ id = (char *)queue_remove(id_queue); ++ if (!id) { ++ yyerror("no role name for role-types rule?"); ++ return -1; ++ } ++ ++ if (!is_id_in_scope(SYM_ROLES, id)) { ++ yyerror2("role %s is not within scope", id); ++ free(id); ++ return -1; ++ } ++ ++ role = hashtab_search(policydbp->p_roles.table, id); ++ if (!role) { ++ yyerror2("unknown role %s", id); ++ free(id); ++ return -1; ++ } ++ ++ while ((id = queue_remove(id_queue))) { ++ if (set_types(&role->types, id, &add, 0)) ++ return -1; ++ } ++ ++ return 0; ++} ++ ++int define_attrib_role(void) + { +- char *id; +- avrule_t *avrule; +- int i; +- +- if (pass == 1 || (num_rules && !load_rules)) { +- for (i = 0; i < 4; i++) { +- while ((id = queue_remove(id_queue))) +- free(id); +- } +- return (avrule_t *) 1; /* any non-NULL value */ ++ if (pass == 2) { ++ free(queue_remove(id_queue)); ++ return 0; + } + +- num_rules++; +- +- if (define_te_avtab_helper(which, &avrule)) +- return COND_ERR; ++ /* Declare a role attribute */ ++ if (declare_role(TRUE) == NULL) ++ return -1; + +- return avrule; ++ return 0; + } + +-int define_te_avtab(int which) ++int define_role_attr(void) + { + char *id; +- avrule_t *avrule; +- int i; ++ role_datum_t *r, *attr; + +- if (pass == 1 || (num_rules && !load_rules)) { +- for (i = 0; i < 4; i++) { +- while ((id = queue_remove(id_queue))) +- free(id); +- } ++ if (pass == 2) { ++ while ((id = queue_remove(id_queue))) ++ free(id); + return 0; + } ++ ++ /* Declare a regular role */ ++ if ((r = declare_role(FALSE)) == NULL) ++ return -1; + +- num_rules++; ++ while ((id = queue_remove(id_queue))) { ++ if (!is_id_in_scope(SYM_ROLES, id)) { ++ yyerror2("attribute %s is not within scope", id); ++ free(id); ++ return -1; ++ } ++ attr = hashtab_search(policydbp->p_roles.table, id); ++ if (!attr) { ++ /* treat it as a fatal error */ ++ yyerror2("role attribute %s is not declared", id); ++ free(id); ++ return -1; ++ } + +- if (define_te_avtab_helper(which, &avrule)) +- return -1; ++ if (attr->flavor != ROLE_ATTRIB) { ++ yyerror2("%s is a regular role, not an attribute", id); ++ free(id); ++ return -1; ++ } ++ ++ if ((attr = get_local_role(id, attr->s.value, 1)) == NULL) { ++ yyerror("Out of memory!"); ++ return -1; ++ } ++ ++ if (ebitmap_set_bit(&attr->roles, (r->s.value - 1), TRUE)) { ++ yyerror("out of memory"); ++ return -1; ++ } ++ } + +- /* append this avrule to the end of the current rules list */ +- append_avrule(avrule); + return 0; + } + +-int define_role_types(void) ++int define_roleattribute(void) + { +- role_datum_t *role; + char *id; +- int add = 1; ++ role_datum_t *r, *attr; + +- if (pass == 1) { ++ if (pass == 2) { + while ((id = queue_remove(id_queue))) + free(id); + return 0; + } + +- if ((role = declare_role()) == NULL) { ++ id = (char *)queue_remove(id_queue); ++ if (!id) { ++ yyerror("no role name for roleattribute definition?"); ++ return -1; ++ } ++ ++ if (!is_id_in_scope(SYM_ROLES, id)) { ++ yyerror2("role %s is not within scope", id); ++ free(id); ++ return -1; ++ } ++ r = hashtab_search(policydbp->p_roles.table, id); ++ /* We support adding one role attribute into another */ ++ if (!r) { ++ yyerror2("unknown role %s", id); ++ free(id); + return -1; + } ++ + while ((id = queue_remove(id_queue))) { +- if (set_types(&role->types, id, &add, 0)) ++ if (!is_id_in_scope(SYM_ROLES, id)) { ++ yyerror2("attribute %s is not within scope", id); ++ free(id); ++ return -1; ++ } ++ attr = hashtab_search(policydbp->p_roles.table, id); ++ if (!attr) { ++ /* treat it as a fatal error */ ++ yyerror2("role attribute %s is not declared", id); ++ free(id); ++ return -1; ++ } ++ ++ if (attr->flavor != ROLE_ATTRIB) { ++ yyerror2("%s is a regular role, not an attribute", id); ++ free(id); ++ return -1; ++ } ++ ++ if ((attr = get_local_role(id, attr->s.value, 1)) == NULL) { ++ yyerror("Out of memory!"); ++ return -1; ++ } ++ ++ if (ebitmap_set_bit(&attr->roles, (r->s.value - 1), TRUE)) { ++ yyerror("out of memory"); + return -1; ++ } + } + + return 0; +@@ -1848,13 +2204,15 @@ role_datum_t *merge_roles_dom(role_datum_t * r1, role_datum_t * r2) + return NULL; + } + memset(new, 0, sizeof(role_datum_t)); +- new->s.value = 0; /* temporary role */ ++ new->s.value = 0; /* temporary role */ + if (ebitmap_or(&new->dominates, &r1->dominates, &r2->dominates)) { + yyerror("out of memory"); ++ free(new); + return NULL; + } + if (ebitmap_or(&new->types.types, &r1->types.types, &r2->types.types)) { + yyerror("out of memory"); ++ free(new); + return NULL; + } + if (!r1->s.value) { +@@ -1874,7 +2232,8 @@ role_datum_t *merge_roles_dom(role_datum_t * r1, role_datum_t * r2) + } + + /* This function eliminates the ordering dependency of role dominance rule */ +-static int dominate_role_recheck(hashtab_key_t key, hashtab_datum_t datum, void *arg) ++static int dominate_role_recheck(hashtab_key_t key, hashtab_datum_t datum, ++ void *arg) + { + role_datum_t *rdp = (role_datum_t *) arg; + role_datum_t *rdatum = (role_datum_t *) datum; +@@ -1896,12 +2255,14 @@ static int dominate_role_recheck(hashtab_key_t key, hashtab_datum_t datum, void + /* raise types and dominates from dominated role */ + ebitmap_for_each_bit(&rdp->dominates, node, i) { + if (ebitmap_node_get_bit(node, i)) +- if (ebitmap_set_bit(&rdatum->dominates, i, TRUE)) ++ if (ebitmap_set_bit ++ (&rdatum->dominates, i, TRUE)) + goto oom; + } + ebitmap_for_each_bit(&types, node, i) { + if (ebitmap_node_get_bit(node, i)) +- if (ebitmap_set_bit(&rdatum->types.types, i, TRUE)) ++ if (ebitmap_set_bit ++ (&rdatum->types.types, i, TRUE)) + goto oom; + } + ebitmap_destroy(&types); +@@ -1936,7 +2297,8 @@ role_datum_t *define_role_dom(role_datum_t * r) + free(role_id); + return NULL; + } +- role = (role_datum_t *) hashtab_search(policydbp->p_roles.table, role_id); ++ role = (role_datum_t *) hashtab_search(policydbp->p_roles.table, ++ role_id); + if (!role) { + role = (role_datum_t *) malloc(sizeof(role_datum_t)); + if (!role) { +@@ -1945,27 +2307,31 @@ role_datum_t *define_role_dom(role_datum_t * r) + return NULL; + } + memset(role, 0, sizeof(role_datum_t)); +- ret = declare_symbol(SYM_ROLES, (hashtab_key_t) role_id, (hashtab_datum_t) role, &role->s.value, &role->s.value); ++ ret = ++ declare_symbol(SYM_ROLES, (hashtab_key_t) role_id, ++ (hashtab_datum_t) role, &role->s.value, ++ &role->s.value); + switch (ret) { + case -3:{ +- yyerror("Out of memory!"); +- goto cleanup; +- } ++ yyerror("Out of memory!"); ++ goto cleanup; ++ } + case -2:{ +- yyerror2("duplicate declaration of role %s", role_id); +- goto cleanup; +- } ++ yyerror2("duplicate declaration of role %s", ++ role_id); ++ goto cleanup; ++ } + case -1:{ +- yyerror("could not declare role here"); +- goto cleanup; +- } ++ yyerror("could not declare role here"); ++ goto cleanup; ++ } + case 0: + case 1:{ +- break; +- } ++ break; ++ } + default:{ +- assert(0); /* should never get here */ +- } ++ assert(0); /* should never get here */ ++ } + } + if (ebitmap_set_bit(&role->dominates, role->s.value - 1, TRUE)) { + yyerror("Out of memory!"); +@@ -1986,7 +2352,8 @@ role_datum_t *define_role_dom(role_datum_t * r) + } + ebitmap_for_each_bit(&types, node, i) { + if (ebitmap_node_get_bit(node, i)) +- if (ebitmap_set_bit(&role->types.types, i, TRUE)) ++ if (ebitmap_set_bit ++ (&role->types.types, i, TRUE)) + goto oom; + } + ebitmap_destroy(&types); +@@ -2000,7 +2367,8 @@ role_datum_t *define_role_dom(role_datum_t * r) + * Now go through all the roles and escalate this role's + * dominates and types if a role dominates this role. + */ +- hashtab_map(policydbp->p_roles.table, dominate_role_recheck, role); ++ hashtab_map(policydbp->p_roles.table, ++ dominate_role_recheck, role); + } + return role; + cleanup: +@@ -2013,7 +2381,8 @@ role_datum_t *define_role_dom(role_datum_t * r) + goto cleanup; + } + +-static int role_val_to_name_helper(hashtab_key_t key, hashtab_datum_t datum, void *p) ++static int role_val_to_name_helper(hashtab_key_t key, hashtab_datum_t datum, ++ void *p) + { + struct val_to_name *v = p; + role_datum_t *roldatum; +@@ -2076,17 +2445,18 @@ static int set_roles(role_set_t * set, char *id) + return 0; + } + +-int define_role_trans(void) ++int define_role_trans(int class_specified) + { + char *id; + role_datum_t *role; + role_set_t roles; + type_set_t types; +- ebitmap_t e_types, e_roles; +- ebitmap_node_t *tnode, *rnode; ++ class_datum_t *cladatum; ++ ebitmap_t e_types, e_roles, e_classes; ++ ebitmap_node_t *tnode, *rnode, *cnode; + struct role_trans *tr = NULL; + struct role_trans_rule *rule = NULL; +- unsigned int i, j; ++ unsigned int i, j, k; + int add = 1; + + if (pass == 1) { +@@ -2094,6 +2464,9 @@ int define_role_trans(void) + free(id); + while ((id = queue_remove(id_queue))) + free(id); ++ if (class_specified) ++ while ((id = queue_remove(id_queue))) ++ free(id); + id = queue_remove(id_queue); + free(id); + return 0; +@@ -2103,6 +2476,7 @@ int define_role_trans(void) + ebitmap_init(&e_roles); + type_set_init(&types); + ebitmap_init(&e_types); ++ ebitmap_init(&e_classes); + + while ((id = queue_remove(id_queue))) { + if (set_roles(&roles, id)) +@@ -2114,6 +2488,24 @@ int define_role_trans(void) + return -1; + } + ++ if (class_specified) { ++ if (read_classes(&e_classes)) ++ return -1; ++ } else { ++ cladatum = hashtab_search(policydbp->p_classes.table, ++ "process"); ++ if (!cladatum) { ++ yyerror2("could not find process class for " ++ "legacy role_transition statement"); ++ return -1; ++ } ++ ++ if (ebitmap_set_bit(&e_classes, cladatum->s.value - 1, TRUE)) { ++ yyerror("out of memory"); ++ return -1; ++ } ++ } ++ + id = (char *)queue_remove(id_queue); + if (!id) { + yyerror("no new role in transition definition?"); +@@ -2129,9 +2521,14 @@ int define_role_trans(void) + yyerror2("unknown role %s used in transition definition", id); + goto bad; + } +- free(id); ++ ++ if (role->flavor != ROLE_ROLE) { ++ yyerror2("the new role %s must be a regular role", id); ++ goto bad; ++ } + + /* This ebitmap business is just to ensure that there are not conflicting role_trans rules */ ++/* Required for SETools libqpol */ + #ifdef HAVE_SEPOL_ROLE_ATTRS + if (role_set_expand(&roles, &e_roles, policydbp, NULL, NULL)) + #elif HAVE_SEPOL_USER_ROLE_MAPPING +@@ -2150,26 +2547,37 @@ int define_role_trans(void) + ebitmap_for_each_bit(&e_types, tnode, j) { + if (!ebitmap_node_get_bit(tnode, j)) + continue; +- +- for (tr = policydbp->role_tr; tr; tr = tr->next) { +- if (tr->role == (i + 1) && tr->type == (j + 1)) { +- yyerror2("duplicate role transition for (%s,%s)", +- role_val_to_name(i + 1), policydbp->p_type_val_to_name[j]); +- goto bad; ++ ebitmap_for_each_bit(&e_classes, cnode, k) { ++ if (!ebitmap_node_get_bit(cnode, k)) ++ continue; ++ for (tr = policydbp->role_tr; tr; ++ tr = tr->next) { ++ if (tr->role == (i + 1) && ++ tr->type == (j + 1) && ++ tr->tclass == (k + 1)) { ++ yyerror2("duplicate role " ++ "transition for " ++ "(%s,%s,%s)", ++ role_val_to_name(i+1), ++ policydbp->p_type_val_to_name[j], ++ policydbp->p_class_val_to_name[k]); ++ goto bad; ++ } + } +- } + +- tr = malloc(sizeof(struct role_trans)); +- if (!tr) { +- yyerror("out of memory"); +- return -1; ++ tr = malloc(sizeof(struct role_trans)); ++ if (!tr) { ++ yyerror("out of memory"); ++ return -1; ++ } ++ memset(tr, 0, sizeof(struct role_trans)); ++ tr->role = i + 1; ++ tr->type = j + 1; ++ tr->tclass = k + 1; ++ tr->new_role = role->s.value; ++ tr->next = policydbp->role_tr; ++ policydbp->role_tr = tr; + } +- memset(tr, 0, sizeof(struct role_trans)); +- tr->role = i + 1; +- tr->type = j + 1; +- tr->new_role = role->s.value; +- tr->next = policydbp->role_tr; +- policydbp->role_tr = tr; + } + } + /* Now add the real rule */ +@@ -2181,6 +2589,7 @@ int define_role_trans(void) + memset(rule, 0, sizeof(struct role_trans_rule)); + rule->roles = roles; + rule->types = types; ++ rule->classes = e_classes; + rule->new_role = role->s.value; + + append_role_trans(rule); +@@ -2215,13 +2624,17 @@ int define_role_allow(void) + role_allow_rule_init(ra); + + while ((id = queue_remove(id_queue))) { +- if (set_roles(&ra->roles, id)) ++ if (set_roles(&ra->roles, id)) { ++ free(ra); + return -1; ++ } + } + + while ((id = queue_remove(id_queue))) { +- if (set_roles(&ra->new_roles, id)) ++ if (set_roles(&ra->new_roles, id)) { ++ free(ra); + return -1; ++ } + } + + append_role_allow(ra); +@@ -2237,18 +2650,7 @@ avrule_t *define_cond_filename_trans(void) + + int define_filename_trans(void) + { +- char *id, *name = NULL; +- type_set_t stypes, ttypes; +- ebitmap_t e_stypes, e_ttypes; +- ebitmap_t e_tclasses; +- ebitmap_node_t *snode, *tnode, *cnode; +- filename_trans_t *ft; +- filename_trans_rule_t *ftr; +- class_datum_t *cladatum; +- type_datum_t *typdatum; +- uint32_t otype; +- unsigned int c, s, t; +- int add; ++ char *id; + + if (pass == 1) { + /* stype */ +@@ -2268,7 +2670,19 @@ int define_filename_trans(void) + free(id); + return 0; + } +- ++/* Required for SETools libqpol */ ++#ifdef HAVE_SEPOL_FILENAME_TRANS ++ char *name = NULL; ++ type_set_t stypes, ttypes; ++ ebitmap_t e_stypes, e_ttypes; ++ ebitmap_t e_tclasses; ++ ebitmap_node_t *snode, *tnode, *cnode; ++ filename_trans_t *ft; ++ filename_trans_rule_t *ftr; ++ type_datum_t *typdatum; ++ uint32_t otype; ++ unsigned int c, s, t; ++ int add; + + add = 1; + type_set_init(&stypes); +@@ -2285,23 +2699,8 @@ int define_filename_trans(void) + } + + ebitmap_init(&e_tclasses); +- while ((id = queue_remove(id_queue))) { +- if (!is_id_in_scope(SYM_CLASSES, id)) { +- yyerror2("class %s is not within scope", id); +- free(id); +- goto bad; +- } +- cladatum = hashtab_search(policydbp->p_classes.table, id); +- if (!cladatum) { +- yyerror2("unknown class %s", id); +- goto bad; +- } +- if (ebitmap_set_bit(&e_tclasses, cladatum->s.value - 1, TRUE)) { +- yyerror("Out of memory"); +- goto bad; +- } +- free(id); +- } ++ if (read_classes(&e_tclasses)) ++ goto bad; + + id = (char *)queue_remove(id_queue); + if (!id) { +@@ -2360,8 +2759,7 @@ int define_filename_trans(void) + policydbp->p_class_val_to_name[c]); + goto bad; + } +- } +- ++ } + ft = malloc(sizeof(*ft)); + if (!ft) { + yyerror("out of memory"); +@@ -2383,7 +2781,6 @@ int define_filename_trans(void) + ft->otype = otype; + } + } +- + /* Now add the real rule since we didn't find any duplicates */ + ftr = malloc(sizeof(*ftr)); + if (!ftr) { +@@ -2410,6 +2807,9 @@ int define_filename_trans(void) + bad: + free(name); + return -1; ++#else ++ yyerror("This version of SETools does not have filename type_transition rules enabled."); ++#endif + } + + static constraint_expr_t *constraint_expr_clone(constraint_expr_t * expr) +@@ -2433,7 +2833,8 @@ static constraint_expr_t *constraint_expr_clone(constraint_expr_t * expr) + newe->op = e->op; + if (newe->expr_type == CEXPR_NAMES) { + if (newe->attr & CEXPR_TYPE) { +- if (type_set_cpy(newe->type_names, e->type_names)) ++ if (type_set_cpy ++ (newe->type_names, e->type_names)) + goto oom; + } else { + if (ebitmap_cpy(&newe->names, &e->names)) +@@ -2520,7 +2921,9 @@ int define_constraint(constraint_expr_t * expr) + free(id); + return -1; + } +- cladatum = (class_datum_t *) hashtab_search(policydbp->p_classes.table, (hashtab_key_t) id); ++ cladatum = ++ (class_datum_t *) hashtab_search(policydbp->p_classes.table, ++ (hashtab_key_t) id); + if (!cladatum) { + yyerror2("class %s is not defined", id); + ebitmap_destroy(&classmap); +@@ -2536,6 +2939,7 @@ int define_constraint(constraint_expr_t * expr) + node = malloc(sizeof(struct constraint_node)); + if (!node) { + yyerror("out of memory"); ++ free(node); + return -1; + } + memset(node, 0, sizeof(constraint_node_t)); +@@ -2547,6 +2951,7 @@ int define_constraint(constraint_expr_t * expr) + } + if (!node->expr) { + yyerror("out of memory"); ++ free(node); + return -1; + } + node->permissions = 0; +@@ -2563,22 +2968,33 @@ int define_constraint(constraint_expr_t * expr) + cladatum = policydbp->class_val_to_struct[i]; + node = cladatum->constraints; + +- perdatum = (perm_datum_t *) hashtab_search(cladatum->permissions.table, (hashtab_key_t) +- id); ++ perdatum = ++ (perm_datum_t *) hashtab_search(cladatum-> ++ permissions. ++ table, ++ (hashtab_key_t) ++ id); + if (!perdatum) { + if (cladatum->comdatum) { +- perdatum = (perm_datum_t *) +- hashtab_search(cladatum->comdatum->permissions.table, (hashtab_key_t) +- id); ++ perdatum = ++ (perm_datum_t *) ++ hashtab_search(cladatum-> ++ comdatum-> ++ permissions. ++ table, ++ (hashtab_key_t) ++ id); + } + if (!perdatum) { +- yyerror2("permission %s is not" " defined", id); ++ yyerror2("permission %s is not" ++ " defined", id); + free(id); + ebitmap_destroy(&classmap); + return -1; + } + } +- node->permissions |= (1 << (perdatum->s.value - 1)); ++ node->permissions |= ++ (1 << (perdatum->s.value - 1)); + } + } + free(id); +@@ -2647,7 +3063,9 @@ int define_validatetrans(constraint_expr_t * expr) + free(id); + return -1; + } +- cladatum = (class_datum_t *) hashtab_search(policydbp->p_classes.table, (hashtab_key_t) id); ++ cladatum = ++ (class_datum_t *) hashtab_search(policydbp->p_classes.table, ++ (hashtab_key_t) id); + if (!cladatum) { + yyerror2("class %s is not defined", id); + ebitmap_destroy(&classmap); +@@ -2701,10 +3119,11 @@ uintptr_t define_cexpr(uint32_t expr_type, uintptr_t arg1, uintptr_t arg2) + while ((id = queue_remove(id_queue))) + free(id); + } +- return 1; /* any non-NULL value */ ++ return 1; /* any non-NULL value */ + } + +- if ((expr = malloc(sizeof(*expr))) == NULL || constraint_expr_init(expr) == -1) { ++ if ((expr = malloc(sizeof(*expr))) == NULL || ++ constraint_expr_init(expr) == -1) { + yyerror("out of memory"); + free(expr); + return 0; +@@ -2766,12 +3185,17 @@ uintptr_t define_cexpr(uint32_t expr_type, uintptr_t arg1, uintptr_t arg2) + while ((id = (char *)queue_remove(id_queue))) { + if (expr->attr & CEXPR_USER) { + if (!is_id_in_scope(SYM_USERS, id)) { +- yyerror2("user %s is not within scope", id); ++ yyerror2("user %s is not within scope", ++ id); + constraint_expr_destroy(expr); + return 0; + } +- user = (user_datum_t *) hashtab_search(policydbp->p_users.table, (hashtab_key_t) +- id); ++ user = ++ (user_datum_t *) hashtab_search(policydbp-> ++ p_users. ++ table, ++ (hashtab_key_t) ++ id); + if (!user) { + yyerror2("unknown user %s", id); + constraint_expr_destroy(expr); +@@ -2780,12 +3204,17 @@ uintptr_t define_cexpr(uint32_t expr_type, uintptr_t arg1, uintptr_t arg2) + val = user->s.value; + } else if (expr->attr & CEXPR_ROLE) { + if (!is_id_in_scope(SYM_ROLES, id)) { +- yyerror2("role %s is not within scope", id); ++ yyerror2("role %s is not within scope", ++ id); + constraint_expr_destroy(expr); + return 0; + } +- role = (role_datum_t *) hashtab_search(policydbp->p_roles.table, (hashtab_key_t) +- id); ++ role = ++ (role_datum_t *) hashtab_search(policydbp-> ++ p_roles. ++ table, ++ (hashtab_key_t) ++ id); + if (!role) { + yyerror2("unknown role %s", id); + constraint_expr_destroy(expr); +@@ -2814,22 +3243,19 @@ uintptr_t define_cexpr(uint32_t expr_type, uintptr_t arg1, uintptr_t arg2) + ebitmap_destroy(&negset); + return (uintptr_t) expr; + default: +- yyerror("invalid constraint expression"); +- constraint_expr_destroy(expr); +- return 0; ++ break; + } + + yyerror("invalid constraint expression"); +- free(expr); ++ constraint_expr_destroy(expr); + return 0; + } + + int define_conditional(cond_expr_t * expr, avrule_t * t, avrule_t * f) + { + cond_expr_t *e; +- int depth, retval; ++ int depth; + cond_node_t cn, *cn_old; +- avrule_t *tmp, *last_tmp; + + /* expression cannot be NULL */ + if (!expr) { +@@ -2858,7 +3284,8 @@ int define_conditional(cond_expr_t * expr, avrule_t * t, avrule_t * f) + switch (e->expr_type) { + case COND_NOT: + if (depth < 0) { +- yyerror("illegal conditional expression; Bad NOT"); ++ yyerror ++ ("illegal conditional expression; Bad NOT"); + return -1; + } + break; +@@ -2868,14 +3295,16 @@ int define_conditional(cond_expr_t * expr, avrule_t * t, avrule_t * f) + case COND_EQ: + case COND_NEQ: + if (depth < 1) { +- yyerror("illegal conditional expression; Bad binary op"); ++ yyerror ++ ("illegal conditional expression; Bad binary op"); + return -1; + } + depth--; + break; + case COND_BOOL: + if (depth == (COND_EXPR_MAXDEPTH - 1)) { +- yyerror("conditional expression is like totally too deep"); ++ yyerror ++ ("conditional expression is like totally too deep"); + return -1; + } + depth++; +@@ -2908,11 +3337,14 @@ int define_conditional(cond_expr_t * expr, avrule_t * t, avrule_t * f) + return -1; + } + ++ /* Required for SETools libqpol */ ++ avrule_t *tmp, *last_tmp; ++ int retval; + /* verify te rules -- both true and false branches of conditional */ + tmp = cn.avtrue_list; + last_tmp = NULL; + while (tmp) { +- if (!tmp->specified & AVRULE_TRANSITION) ++ if (!(tmp->specified & AVRULE_TRANSITION)) + continue; + retval = insert_check_type_rule(tmp, &policydbp->te_cond_avtab, &cn_old->true_list, &cn_old->false_list); + switch (retval) { +@@ -2951,7 +3383,7 @@ int define_conditional(cond_expr_t * expr, avrule_t * t, avrule_t * f) + tmp = cn.avfalse_list; + last_tmp = NULL; + while (tmp) { +- if (!tmp->specified & AVRULE_TRANSITION) ++ if (!(tmp->specified & AVRULE_TRANSITION)) + continue; + retval = insert_check_type_rule(tmp, &policydbp->te_cond_avtab, &cn_old->false_list, &cn_old->true_list); + switch (retval) { +@@ -3053,7 +3485,8 @@ cond_expr_t *define_cond_expr(uint32_t expr_type, void *arg1, void *arg2) + e2 = e2->next; + } + if (!e1 || e1->next) { +- yyerror("illegal left side of conditional binary op expression"); ++ yyerror ++ ("illegal left side of conditional binary op expression"); + free(expr); + return NULL; + } +@@ -3066,7 +3499,8 @@ cond_expr_t *define_cond_expr(uint32_t expr_type, void *arg1, void *arg2) + e2 = e2->next; + } + if (!e1 || e1->next) { +- yyerror("illegal right side of conditional binary op expression"); ++ yyerror ++ ("illegal right side of conditional binary op expression"); + free(expr); + return NULL; + } +@@ -3086,9 +3520,13 @@ cond_expr_t *define_cond_expr(uint32_t expr_type, void *arg1, void *arg2) + free(expr); + return NULL; + } +- bool_var = (cond_bool_datum_t *) hashtab_search(policydbp->p_bools.table, (hashtab_key_t) id); ++ bool_var = ++ (cond_bool_datum_t *) hashtab_search(policydbp->p_bools. ++ table, ++ (hashtab_key_t) id); + if (!bool_var) { +- yyerror2("unknown boolean %s in conditional expression", id); ++ yyerror2("unknown boolean %s in conditional expression", ++ id); + free(expr); + free(id); + return NULL; +@@ -3098,6 +3536,7 @@ cond_expr_t *define_cond_expr(uint32_t expr_type, void *arg1, void *arg2) + return expr; + default: + yyerror("illegal conditional expression"); ++ free(expr); + return NULL; + } + } +@@ -3156,14 +3595,16 @@ static int parse_categories(char *id, level_datum_t * levdatum, ebitmap_t * cats + + *(id_end++) = '\0'; + +- cdatum = (cat_datum_t *) hashtab_search(policydbp->p_cats.table, (hashtab_key_t) ++ cdatum = (cat_datum_t *) hashtab_search(policydbp->p_cats.table, ++ (hashtab_key_t) + id_start); + if (!cdatum) { + yyerror2("unknown category %s", id_start); + return -1; + } + range_start = cdatum->s.value - 1; +- cdatum = (cat_datum_t *) hashtab_search(policydbp->p_cats.table, (hashtab_key_t) id_end); ++ cdatum = (cat_datum_t *) hashtab_search(policydbp->p_cats.table, ++ (hashtab_key_t) id_end); + if (!cdatum) { + yyerror2("unknown category %s", id_end); + return -1; +@@ -3175,7 +3616,8 @@ static int parse_categories(char *id, level_datum_t * levdatum, ebitmap_t * cats + return -1; + } + } else { +- cdatum = (cat_datum_t *) hashtab_search(policydbp->p_cats.table, (hashtab_key_t) id); ++ cdatum = (cat_datum_t *) hashtab_search(policydbp->p_cats.table, ++ (hashtab_key_t) id); + if (!cdatum) { + yyerror2("unknown category %s", id); + return -1; +@@ -3188,7 +3630,9 @@ static int parse_categories(char *id, level_datum_t * levdatum, ebitmap_t * cats + uint32_t level_value = levdatum->level->sens - 1; + policydb_index_others(NULL, policydbp, 0); + yyerror2("category %s can not be associated " +- "with level %s", policydbp->p_cat_val_to_name[i], policydbp->p_sens_val_to_name[level_value]); ++ "with level %s", ++ policydbp->p_cat_val_to_name[i], ++ policydbp->p_sens_val_to_name[level_value]); + return -1; + } + if (ebitmap_set_bit(cats, i, TRUE)) { +@@ -3200,7 +3644,8 @@ static int parse_categories(char *id, level_datum_t * levdatum, ebitmap_t * cats + return 0; + } + +-static int parse_semantic_categories(char *id, level_datum_t * levdatum, mls_semantic_cat_t ** cats) ++static int parse_semantic_categories(char *id, level_datum_t * levdatum, ++ mls_semantic_cat_t ** cats) + { + cat_datum_t *cdatum; + mls_semantic_cat_t *newcat; +@@ -3212,7 +3657,8 @@ static int parse_semantic_categories(char *id, level_datum_t * levdatum, mls_sem + + *(id_end++) = '\0'; + +- cdatum = (cat_datum_t *) hashtab_search(policydbp->p_cats.table, (hashtab_key_t) ++ cdatum = (cat_datum_t *) hashtab_search(policydbp->p_cats.table, ++ (hashtab_key_t) + id_start); + if (!cdatum) { + yyerror2("unknown category %s", id_start); +@@ -3220,14 +3666,16 @@ static int parse_semantic_categories(char *id, level_datum_t * levdatum, mls_sem + } + range_start = cdatum->s.value; + +- cdatum = (cat_datum_t *) hashtab_search(policydbp->p_cats.table, (hashtab_key_t) id_end); ++ cdatum = (cat_datum_t *) hashtab_search(policydbp->p_cats.table, ++ (hashtab_key_t) id_end); + if (!cdatum) { + yyerror2("unknown category %s", id_end); + return -1; + } + range_end = cdatum->s.value; + } else { +- cdatum = (cat_datum_t *) hashtab_search(policydbp->p_cats.table, (hashtab_key_t) id); ++ cdatum = (cat_datum_t *) hashtab_search(policydbp->p_cats.table, ++ (hashtab_key_t) id); + if (!cdatum) { + yyerror2("unknown category %s", id); + return -1; +@@ -3296,9 +3744,11 @@ int define_user(void) + } + + levdatum = (level_datum_t *) +- hashtab_search(policydbp->p_levels.table, (hashtab_key_t) id); ++ hashtab_search(policydbp->p_levels.table, ++ (hashtab_key_t) id); + if (!levdatum) { +- yyerror2("unknown sensitivity %s used in user" " level definition", id); ++ yyerror2("unknown sensitivity %s used in user" ++ " level definition", id); + free(id); + return -1; + } +@@ -3307,7 +3757,8 @@ int define_user(void) + usrdatum->dfltlevel.sens = levdatum->level->sens; + + while ((id = queue_remove(id_queue))) { +- if (parse_semantic_categories(id, levdatum, &usrdatum->dfltlevel.cat)) { ++ if (parse_semantic_categories(id, levdatum, ++ &usrdatum->dfltlevel.cat)) { + free(id); + return -1; + } +@@ -3318,9 +3769,11 @@ int define_user(void) + + for (l = 0; l < 2; l++) { + levdatum = (level_datum_t *) +- hashtab_search(policydbp->p_levels.table, (hashtab_key_t) id); ++ hashtab_search(policydbp->p_levels.table, ++ (hashtab_key_t) id); + if (!levdatum) { +- yyerror2("unknown sensitivity %s used in user" " range definition", id); ++ yyerror2("unknown sensitivity %s used in user" ++ " range definition", id); + free(id); + return -1; + } +@@ -3329,7 +3782,8 @@ int define_user(void) + usrdatum->range.level[l].sens = levdatum->level->sens; + + while ((id = queue_remove(id_queue))) { +- if (parse_semantic_categories(id, levdatum, &usrdatum->range.level[l].cat)) { ++ if (parse_semantic_categories(id, levdatum, ++ &usrdatum->range.level[l].cat)) { + free(id); + return -1; + } +@@ -3342,7 +3796,8 @@ int define_user(void) + } + + if (l == 0) { +- if (mls_semantic_level_cpy(&usrdatum->range.level[1], &usrdatum->range.level[0])) { ++ if (mls_semantic_level_cpy(&usrdatum->range.level[1], ++ &usrdatum->range.level[0])) { + yyerror("out of memory"); + return -1; + } +@@ -3362,11 +3817,11 @@ static int parse_security_context(context_struct_t * c) + + if (pass == 1) { + id = queue_remove(id_queue); +- free(id); /* user */ ++ free(id); /* user */ + id = queue_remove(id_queue); +- free(id); /* role */ ++ free(id); /* role */ + id = queue_remove(id_queue); +- free(id); /* type */ ++ free(id); /* type */ + if (mlspol) { + id = queue_remove(id_queue); + free(id); +@@ -3383,6 +3838,12 @@ static int parse_security_context(context_struct_t * c) + return 0; + } + ++ /* check context c to make sure ok to dereference c later */ ++ if (c == NULL) { ++ yyerror("null context pointer!"); ++ return -1; ++ } ++ + context_init(c); + + /* extract the user */ +@@ -3396,7 +3857,8 @@ static int parse_security_context(context_struct_t * c) + free(id); + goto bad; + } +- usrdatum = (user_datum_t *) hashtab_search(policydbp->p_users.table, (hashtab_key_t) id); ++ usrdatum = (user_datum_t *) hashtab_search(policydbp->p_users.table, ++ (hashtab_key_t) id); + if (!usrdatum) { + yyerror2("user %s is not defined", id); + free(id); +@@ -3418,7 +3880,8 @@ static int parse_security_context(context_struct_t * c) + free(id); + return -1; + } +- role = (role_datum_t *) hashtab_search(policydbp->p_roles.table, (hashtab_key_t) id); ++ role = (role_datum_t *) hashtab_search(policydbp->p_roles.table, ++ (hashtab_key_t) id); + if (!role) { + yyerror2("role %s is not defined", id); + free(id); +@@ -3440,7 +3903,8 @@ static int parse_security_context(context_struct_t * c) + free(id); + return -1; + } +- typdatum = (type_datum_t *) hashtab_search(policydbp->p_types.table, (hashtab_key_t) id); ++ typdatum = (type_datum_t *) hashtab_search(policydbp->p_types.table, ++ (hashtab_key_t) id); + if (!typdatum || typdatum->flavor == TYPE_ATTRIB) { + yyerror2("type %s is not defined or is an attribute", id); + free(id); +@@ -3455,14 +3919,16 @@ static int parse_security_context(context_struct_t * c) + /* extract the low sensitivity */ + id = (char *)queue_head(id_queue); + if (!id) { +- yyerror("no sensitivity name for sid context" " definition?"); ++ yyerror("no sensitivity name for sid context" ++ " definition?"); + return -1; + } + + id = (char *)queue_remove(id_queue); + for (l = 0; l < 2; l++) { + levdatum = (level_datum_t *) +- hashtab_search(policydbp->p_levels.table, (hashtab_key_t) id); ++ hashtab_search(policydbp->p_levels.table, ++ (hashtab_key_t) id); + if (!levdatum) { + yyerror2("Sensitivity %s is not defined", id); + free(id); +@@ -3473,7 +3939,8 @@ static int parse_security_context(context_struct_t * c) + + /* extract low category set */ + while ((id = queue_remove(id_queue))) { +- if (parse_categories(id, levdatum, &c->range.level[l].cat)) { ++ if (parse_categories(id, levdatum, ++ &c->range.level[l].cat)) { + free(id); + return -1; + } +@@ -3488,7 +3955,8 @@ static int parse_security_context(context_struct_t * c) + + if (l == 0) { + c->range.level[1].sens = c->range.level[0].sens; +- if (ebitmap_cpy(&c->range.level[1].cat, &c->range.level[0].cat)) { ++ if (ebitmap_cpy(&c->range.level[1].cat, ++ &c->range.level[0].cat)) { + + yyerror("out of memory"); + goto bad; +@@ -3554,12 +4022,10 @@ int define_fs_context(unsigned int major, unsigned int minor) + { + ocontext_t *newc, *c, *head; + +-#ifdef SEPOL_TARGET_XEN + if (policydbp->target_platform != SEPOL_TARGET_SELINUX) { + yyerror("fscon not supported for target"); + return -1; + } +-#endif + + if (pass == 1) { + parse_security_context(NULL); +@@ -3597,7 +4063,8 @@ int define_fs_context(unsigned int major, unsigned int minor) + + for (c = head; c; c = c->next) { + if (!strcmp(newc->u.name, c->u.name)) { +- yyerror2("duplicate entry for file system %s", newc->u.name); ++ yyerror2("duplicate entry for file system %s", ++ newc->u.name); + context_destroy(&newc->context[0]); + context_destroy(&newc->context[1]); + free(newc->u.name); +@@ -3617,17 +4084,13 @@ int define_pirq_context(unsigned int pirq) + ocontext_t *newc, *c, *l, *head; + char *id; + +-#ifndef SEPOL_TARGET_XEN +- yyerror("pirqcon not supported for target"); +- return -1; +-#else + if (policydbp->target_platform != SEPOL_TARGET_XEN) { + yyerror("pirqcon not supported for target"); + return -1; + } + + if (pass == 1) { +- id = (char *)queue_remove(id_queue); ++ id = (char *) queue_remove(id_queue); + free(id); + parse_security_context(NULL); + return 0; +@@ -3665,10 +4128,9 @@ int define_pirq_context(unsigned int pirq) + + return 0; + +- bad: ++bad: + free(newc); + return -1; +-#endif + } + + int define_iomem_context(unsigned long low, unsigned long high) +@@ -3676,10 +4138,6 @@ int define_iomem_context(unsigned long low, unsigned long high) + ocontext_t *newc, *c, *l, *head; + char *id; + +-#ifndef SEPOL_TARGET_XEN +- yyerror("iomemcon not supported for target"); +- return -1; +-#else + if (policydbp->target_platform != SEPOL_TARGET_XEN) { + yyerror("iomemcon not supported for target"); + return -1; +@@ -3699,7 +4157,7 @@ int define_iomem_context(unsigned long low, unsigned long high) + } + memset(newc, 0, sizeof(ocontext_t)); + +- newc->u.iomem.low_iomem = low; ++ newc->u.iomem.low_iomem = low; + newc->u.iomem.high_iomem = high; + + if (low > high) { +@@ -3720,7 +4178,9 @@ int define_iomem_context(unsigned long low, unsigned long high) + low2 = c->u.iomem.low_iomem; + high2 = c->u.iomem.high_iomem; + if (low <= high2 && low2 <= high) { +- yyerror2("iomemcon entry for 0x%x-0x%x overlaps with " "earlier entry 0x%x-0x%x", low, high, low2, high2); ++ yyerror2("iomemcon entry for 0x%x-0x%x overlaps with " ++ "earlier entry 0x%x-0x%x", low, high, ++ low2, high2); + goto bad; + } + } +@@ -3732,10 +4192,9 @@ int define_iomem_context(unsigned long low, unsigned long high) + + return 0; + +- bad: ++bad: + free(newc); + return -1; +-#endif + } + + int define_ioport_context(unsigned long low, unsigned long high) +@@ -3743,10 +4202,6 @@ int define_ioport_context(unsigned long low, unsigned long high) + ocontext_t *newc, *c, *l, *head; + char *id; + +-#ifndef SEPOL_TARGET_XEN +- yyerror("ioportcon not supported for target"); +- return -1; +-#else + if (policydbp->target_platform != SEPOL_TARGET_XEN) { + yyerror("ioportcon not supported for target"); + return -1; +@@ -3766,7 +4221,7 @@ int define_ioport_context(unsigned long low, unsigned long high) + } + memset(newc, 0, sizeof(ocontext_t)); + +- newc->u.ioport.low_ioport = low; ++ newc->u.ioport.low_ioport = low; + newc->u.ioport.high_ioport = high; + + if (low > high) { +@@ -3787,7 +4242,9 @@ int define_ioport_context(unsigned long low, unsigned long high) + low2 = c->u.ioport.low_ioport; + high2 = c->u.ioport.high_ioport; + if (low <= high2 && low2 <= high) { +- yyerror2("ioportcon entry for 0x%x-0x%x overlaps with" "earlier entry 0x%x-0x%x", low, high, low2, high2); ++ yyerror2("ioportcon entry for 0x%x-0x%x overlaps with" ++ "earlier entry 0x%x-0x%x", low, high, ++ low2, high2); + goto bad; + } + } +@@ -3799,10 +4256,9 @@ int define_ioport_context(unsigned long low, unsigned long high) + + return 0; + +- bad: ++bad: + free(newc); + return -1; +-#endif + } + + int define_pcidevice_context(unsigned long device) +@@ -3810,17 +4266,13 @@ int define_pcidevice_context(unsigned long device) + ocontext_t *newc, *c, *l, *head; + char *id; + +-#ifndef SEPOL_TARGET_XEN +- yyerror("pcidevicecon not supported for target"); +- return -1; +-#else + if (policydbp->target_platform != SEPOL_TARGET_XEN) { + yyerror("pcidevicecon not supported for target"); + return -1; + } + + if (pass == 1) { +- id = (char *)queue_remove(id_queue); ++ id = (char *) queue_remove(id_queue); + free(id); + parse_security_context(NULL); + return 0; +@@ -3846,7 +4298,8 @@ int define_pcidevice_context(unsigned long device) + + device2 = c->u.device; + if (device == device2) { +- yyerror2("duplicate pcidevicecon entry for 0x%x ", device); ++ yyerror2("duplicate pcidevicecon entry for 0x%x ", ++ device); + goto bad; + } + } +@@ -3858,10 +4311,9 @@ int define_pcidevice_context(unsigned long device) + + return 0; + +- bad: ++bad: + free(newc); + return -1; +-#endif + } + + int define_port_context(unsigned int low, unsigned int high) +@@ -3870,12 +4322,10 @@ int define_port_context(unsigned int low, unsigned int high) + unsigned int protocol; + char *id; + +-#ifdef SEPOL_TARGET_XEN + if (policydbp->target_platform != SEPOL_TARGET_SELINUX) { + yyerror("portcon not supported for target"); + return -1; + } +-#endif + + if (pass == 1) { + id = (char *)queue_remove(id_queue); +@@ -3932,15 +4382,16 @@ int define_port_context(unsigned int low, unsigned int high) + if (protocol != prot2) + continue; + if (low == low2 && high == high2) { +- yyerror2("duplicate portcon entry for %s %d-%d ", id, low, high); ++ yyerror2("duplicate portcon entry for %s %d-%d ", id, ++ low, high); + goto bad; + } + if (low2 <= low && high2 >= high) { +- yyerror2("portcon entry for %s %d-%d hidden by earlier " "entry for %d-%d", id, low, high, low2, high2); ++ yyerror2("portcon entry for %s %d-%d hidden by earlier " ++ "entry for %d-%d", id, low, high, low2, high2); + goto bad; + } + } +- free(id); + + if (l) + l->next = newc; +@@ -3958,12 +4409,10 @@ int define_netif_context(void) + { + ocontext_t *newc, *c, *head; + +-#ifdef SEPOL_TARGET_XEN + if (policydbp->target_platform != SEPOL_TARGET_SELINUX) { + yyerror("netifcon not supported for target"); + return -1; + } +-#endif + + if (pass == 1) { + free(queue_remove(id_queue)); +@@ -3999,7 +4448,8 @@ int define_netif_context(void) + + for (c = head; c; c = c->next) { + if (!strcmp(newc->u.name, c->u.name)) { +- yyerror2("duplicate entry for network interface %s", newc->u.name); ++ yyerror2("duplicate entry for network interface %s", ++ newc->u.name); + context_destroy(&newc->context[0]); + context_destroy(&newc->context[1]); + free(newc->u.name); +@@ -4014,18 +4464,16 @@ int define_netif_context(void) + } + + int define_ipv4_node_context() +-{ ++{ + char *id; + int rc = 0; + struct in_addr addr, mask; + ocontext_t *newc, *c, *l, *head; + +-#ifdef SEPOL_TARGET_XEN + if (policydbp->target_platform != SEPOL_TARGET_SELINUX) { + yyerror("nodecon not supported for target"); + return -1; + } +-#endif + + if (pass == 1) { + free(queue_remove(id_queue)); +@@ -4097,7 +4545,7 @@ int define_ipv4_node_context() + else + policydbp->ocontexts[OCON_NODE] = newc; + rc = 0; +- out: ++out: + return rc; + } + +@@ -4108,12 +4556,10 @@ int define_ipv6_node_context(void) + struct in6_addr addr, mask; + ocontext_t *newc, *c, *l, *head; + +-#ifdef SEPOL_TARGET_XEN + if (policydbp->target_platform != SEPOL_TARGET_SELINUX) { + yyerror("nodecon not supported for target"); + return -1; + } +-#endif + + if (pass == 1) { + free(queue_remove(id_queue)); +@@ -4162,8 +4608,14 @@ int define_ipv6_node_context(void) + } + + memset(newc, 0, sizeof(ocontext_t)); ++ ++#ifdef DARWIN ++ memcpy(&newc->u.node6.addr[0], &addr.s6_addr[0], 16); ++ memcpy(&newc->u.node6.mask[0], &mask.s6_addr[0], 16); ++#else + memcpy(&newc->u.node6.addr[0], &addr.s6_addr32[0], 16); + memcpy(&newc->u.node6.mask[0], &mask.s6_addr32[0], 16); ++#endif + + if (parse_security_context(&newc->context[0])) { + free(newc); +@@ -4195,15 +4647,14 @@ int define_fs_use(int behavior) + { + ocontext_t *newc, *c, *head; + +-#ifdef SEPOL_TARGET_XEN + if (policydbp->target_platform != SEPOL_TARGET_SELINUX) { + yyerror("fsuse not supported for target"); + return -1; + } +-#endif + + if (pass == 1) { + free(queue_remove(id_queue)); ++ /* Required for SETools libqpol */ + if (behavior != SECURITY_FS_USE_PSIDS) + parse_security_context(NULL); + return 0; +@@ -4222,6 +4673,7 @@ int define_fs_use(int behavior) + return -1; + } + newc->v.behavior = behavior; ++ /* Required for SETools libqpol */ + if (newc->v.behavior != SECURITY_FS_USE_PSIDS) { + if (parse_security_context(&newc->context[0])) { + free(newc->u.name); +@@ -4235,7 +4687,8 @@ int define_fs_use(int behavior) + + for (c = head; c; c = c->next) { + if (!strcmp(newc->u.name, c->u.name)) { +- yyerror2("duplicate fs_use entry for filesystem type %s", newc->u.name); ++ yyerror2("duplicate fs_use entry for filesystem type %s", ++ newc->u.name); + context_destroy(&newc->context[0]); + free(newc->u.name); + free(newc); +@@ -4255,12 +4708,10 @@ int define_genfs_context_helper(char *fstype, int has_type) + char *type = NULL; + int len, len2; + +-#ifdef SEPOL_TARGET_XEN + if (policydbp->target_platform != SEPOL_TARGET_SELINUX) { + yyerror("genfs not supported for target"); + return -1; + } +-#endif + + if (pass == 1) { + free(fstype); +@@ -4271,7 +4722,8 @@ int define_genfs_context_helper(char *fstype, int has_type) + return 0; + } + +- for (genfs_p = NULL, genfs = policydbp->genfs; genfs; genfs_p = genfs, genfs = genfs->next) { ++ for (genfs_p = NULL, genfs = policydbp->genfs; ++ genfs; genfs_p = genfs, genfs = genfs->next) { + if (strcmp(fstype, genfs->fstype) <= 0) + break; + } +@@ -4290,9 +4742,6 @@ int define_genfs_context_helper(char *fstype, int has_type) + else + policydbp->genfs = newgenfs; + genfs = newgenfs; +- } else { +- free(fstype); +- fstype=NULL; + } + + newc = (ocontext_t *) malloc(sizeof(ocontext_t)); +@@ -4340,16 +4789,17 @@ int define_genfs_context_helper(char *fstype, int has_type) + goto fail; + } + } +- free(type); +- type = NULL; + if (parse_security_context(&newc->context[0])) + goto fail; + + head = genfs->head; + + for (p = NULL, c = head; c; p = c, c = c->next) { +- if (!strcmp(newc->u.name, c->u.name) && (!newc->v.sclass || !c->v.sclass || newc->v.sclass == c->v.sclass)) { +- yyerror2("duplicate entry for genfs entry (%s, %s)", fstype, newc->u.name); ++ if (!strcmp(newc->u.name, c->u.name) && ++ (!newc->v.sclass || !c->v.sclass ++ || newc->v.sclass == c->v.sclass)) { ++ yyerror2("duplicate entry for genfs entry (%s, %s)", ++ fstype, newc->u.name); + goto fail; + } + len = strlen(newc->u.name); +@@ -4434,29 +4884,21 @@ int define_range_trans(int class_specified) + } + + if (class_specified) { +- while ((id = queue_remove(id_queue))) { +- if (!is_id_in_scope(SYM_CLASSES, id)) { +- yyerror2("class %s is not within scope", id); +- free(id); +- goto out; +- } +- cladatum = hashtab_search(policydbp->p_classes.table, id); +- if (!cladatum) { +- yyerror2("unknown class %s", id); +- goto out; +- } +- +- ebitmap_set_bit(&rule->tclasses, cladatum->s.value - 1, TRUE); +- free(id); +- } ++ if (read_classes(&rule->tclasses)) ++ goto out; + } else { +- cladatum = hashtab_search(policydbp->p_classes.table, "process"); ++ cladatum = hashtab_search(policydbp->p_classes.table, ++ "process"); + if (!cladatum) { +- yyerror2("could not find process class for " "legacy range_transition statement"); ++ yyerror2("could not find process class for " ++ "legacy range_transition statement"); + goto out; + } + +- ebitmap_set_bit(&rule->tclasses, cladatum->s.value - 1, TRUE); ++ if (ebitmap_set_bit(&rule->tclasses, cladatum->s.value - 1, TRUE)) { ++ yyerror("out of memory"); ++ goto out; ++ } + } + + id = (char *)queue_remove(id_queue); +@@ -4467,7 +4909,8 @@ int define_range_trans(int class_specified) + for (l = 0; l < 2; l++) { + levdatum = hashtab_search(policydbp->p_levels.table, id); + if (!levdatum) { +- yyerror2("unknown level %s used in range_transition " "definition", id); ++ yyerror2("unknown level %s used in range_transition " ++ "definition", id); + free(id); + goto out; + } +@@ -4476,7 +4919,8 @@ int define_range_trans(int class_specified) + rule->trange.level[l].sens = levdatum->level->sens; + + while ((id = queue_remove(id_queue))) { +- if (parse_semantic_categories(id, levdatum, &rule->trange.level[l].cat)) { ++ if (parse_semantic_categories(id, levdatum, ++ &rule->trange.level[l].cat)) { + free(id); + goto out; + } +@@ -4488,7 +4932,8 @@ int define_range_trans(int class_specified) + break; + } + if (l == 0) { +- if (mls_semantic_level_cpy(&rule->trange.level[1], &rule->trange.level[0])) { ++ if (mls_semantic_level_cpy(&rule->trange.level[1], ++ &rule->trange.level[0])) { + yyerror("out of memory"); + goto out; + } +@@ -4497,8 +4942,9 @@ int define_range_trans(int class_specified) + append_range_trans(rule); + return 0; + +- out: ++out: + range_trans_rule_destroy(rule); ++ free(rule); + return -1; + } + +diff --git a/libqpol/src/policy_define.h b/libqpol/src/policy_define.h +index f273fed..14c1747 100644 +--- a/libqpol/src/policy_define.h ++++ b/libqpol/src/policy_define.h +@@ -19,24 +19,32 @@ + #define TRUE 1 + #define FALSE 0 + ++/* Used by SETools libqpol */ + /** parser used to support fs_use_psid declarations, so revert that bit + * of code here */ + #define SECURITY_FS_USE_PSIDS 6 ++/* Used by SETools to determine if source MLS or not */ ++int define_mls(void); + + avrule_t *define_cond_compute_type(int which); +-avrule_t *define_cond_pol_list(avrule_t * avlist, avrule_t * stmt); ++avrule_t *define_cond_pol_list(avrule_t *avlist, avrule_t *stmt); + avrule_t *define_cond_te_avtab(int which); + avrule_t *define_cond_filename_trans(void); +-cond_expr_t *define_cond_expr(uint32_t expr_type, void *arg1, void *arg2); ++cond_expr_t *define_cond_expr(uint32_t expr_type, void *arg1, void* arg2); + int define_attrib(void); ++int define_attrib_role(void); + int define_av_perms(int inherits); +-int define_bool(void); ++int define_bool_tunable(int is_tunable); + int define_category(void); + int define_class(void); ++int define_default_user(int which); ++int define_default_role(int which); ++int define_default_type(int which); ++int define_default_range(int which); + int define_common_perms(void); + int define_compute_type(int which); +-int define_conditional(cond_expr_t * expr, avrule_t * t_list, avrule_t * f_list); +-int define_constraint(constraint_expr_t * expr); ++int define_conditional(cond_expr_t *expr, avrule_t *t_list, avrule_t *f_list ); ++int define_constraint(constraint_expr_t *expr); + int define_dominance(void); + int define_fs_context(unsigned int major, unsigned int minor); + int define_fs_use(int behavior); +@@ -46,7 +54,6 @@ int define_initial_sid(void); + int define_ipv4_node_context(void); + int define_ipv6_node_context(void); + int define_level(void); +-int define_mls(void); + int define_netif_context(void); + int define_permissive(void); + int define_polcap(void); +@@ -57,8 +64,10 @@ int define_ioport_context(unsigned long low, unsigned long high); + int define_pcidevice_context(unsigned long device); + int define_range_trans(int class_specified); + int define_role_allow(void); +-int define_role_trans(void); ++int define_role_trans(int class_specified); + int define_role_types(void); ++int define_role_attr(void); ++int define_roleattribute(void); + int define_filename_trans(void); + int define_sens(void); + int define_te_avtab(int which); +@@ -67,11 +76,11 @@ int define_typeattribute(void); + int define_typebounds(void); + int define_type(int alias); + int define_user(void); +-int define_validatetrans(constraint_expr_t * expr); +-int insert_id(char *id, int push); ++int define_validatetrans(constraint_expr_t *expr); ++int insert_id(char *id,int push); + int insert_separator(int push); +-role_datum_t *define_role_dom(role_datum_t * r); +-role_datum_t *merge_roles_dom(role_datum_t * r1, role_datum_t * r2); ++role_datum_t *define_role_dom(role_datum_t *r); ++role_datum_t *merge_roles_dom(role_datum_t *r1,role_datum_t *r2); + uintptr_t define_cexpr(uint32_t expr_type, uintptr_t arg1, uintptr_t arg2); + +-#endif /* _POLICY_DEFINE_H_ */ ++#endif /* _POLICY_DEFINE_H_ */ +diff --git a/libqpol/src/policy_extend.c b/libqpol/src/policy_extend.c +index 5325a87..1417271 100644 +--- a/libqpol/src/policy_extend.c ++++ b/libqpol/src/policy_extend.c +@@ -843,7 +843,7 @@ static int qpol_syn_rule_table_insert_sepol_avrule(qpol_policy_t * policy, qpol_ + for (class_node = rule->perms; class_node; class_node = class_node->next) { + key.rule_type = rule->specified; + key.source_val = key.target_val = i + 1; +- key.class_val = class_node->class; ++ key.class_val = class_node->tclass; + key.cond = cond; + if (qpol_syn_rule_table_insert_entry(policy, table, &key, new_rule)) + goto err; +@@ -856,7 +856,7 @@ static int qpol_syn_rule_table_insert_sepol_avrule(qpol_policy_t * policy, qpol_ + key.rule_type = rule->specified; + key.source_val = i + 1; + key.target_val = j + 1; +- key.class_val = class_node->class; ++ key.class_val = class_node->tclass; + key.cond = cond; + if (qpol_syn_rule_table_insert_entry(policy, table, &key, new_rule)) + goto err; +diff --git a/libqpol/src/policy_parse.y b/libqpol/src/policy_parse.y +index dc16c6f..357f3d8 100644 +--- a/libqpol/src/policy_parse.y ++++ b/libqpol/src/policy_parse.y +@@ -3,6 +3,8 @@ + * + * This file is based upon checkpolicy/policy_parse.y from NSA's SVN + * repository. It has been modified to support older policy formats. ++ * The older format just seems to be FSUSEPSID support (see fs_use_def ++ * entry. + */ + + /* +@@ -35,6 +37,7 @@ + /* FLASK */ + + %{ ++/* Add for SETools */ + #include + + #include +@@ -55,12 +58,16 @@ + #include + #include + #include ++/* Add for SETools libqpol */ + #ifdef HAVE_SEPOL_POLICYCAPS + #include + #endif + + #include "queue.h" ++ ++/* #include "checkpolicy.h" - Remove for setools and replace with: */ + #include ++ + #include "module_compiler.h" + #include "policy_define.h" + +@@ -74,6 +81,7 @@ extern int yyerror(char *msg); + + typedef int (* require_func_t)(); + ++/* Add for SETools libqpol */ + /* redefine input so we can read from a string */ + /* borrowed from O'Reilly lex and yacc pg 157 */ + extern char qpol_src_input[]; +@@ -107,6 +115,8 @@ extern char *qpol_src_inputlim;/* end of data */ + %token INHERITS + %token SID + %token ROLE ++%token ROLEATTRIBUTE ++%token ATTRIBUTE_ROLE + %token ROLES + %token TYPEALIAS + %token TYPEATTRIBUTE +@@ -116,6 +126,7 @@ extern char *qpol_src_inputlim;/* end of data */ + %token ALIAS + %token ATTRIBUTE + %token BOOL ++%token TUNABLE + %token IF + %token ELSE + %token TYPE_TRANSITION +@@ -156,6 +167,9 @@ extern char *qpol_src_inputlim;/* end of data */ + %token MODULE VERSION_IDENTIFIER REQUIRE OPTIONAL + %token POLICYCAP + %token PERMISSIVE ++%token FILESYSTEM ++%token DEFAULT_USER DEFAULT_ROLE DEFAULT_TYPE DEFAULT_RANGE ++%token LOW_HIGH LOW HIGH + + %left OR + %left XOR +@@ -170,7 +184,7 @@ base_policy : { if (define_policy(pass, 0) == -1) return -1; } + classes initial_sids access_vectors + { if (pass == 1) { if (policydb_index_classes(policydbp)) return -1; } + else if (pass == 2) { if (policydb_index_others(NULL, policydbp, 0)) return -1; }} +- opt_mls te_rbac users opt_constraints ++ opt_default_rules opt_mls te_rbac users opt_constraints + { if (pass == 1) { if (policydb_index_bools(policydbp)) return -1;} + else if (pass == 2) { if (policydb_index_others(NULL, policydbp, 0)) return -1;}} + initial_sid_contexts opt_fs_contexts opt_fs_uses opt_genfs_contexts net_contexts opt_dev_contexts +@@ -208,6 +222,46 @@ av_perms_def : CLASS identifier '{' identifier_list '}' + | CLASS identifier INHERITS identifier '{' identifier_list '}' + {if (define_av_perms(TRUE)) return -1;} + ; ++opt_default_rules : default_rules ++ | ++ ; ++default_rules : default_user_def ++ | default_role_def ++ | default_type_def ++ | default_range_def ++ | default_rules default_user_def ++ | default_rules default_role_def ++ | default_rules default_type_def ++ | default_rules default_range_def ++ ; ++default_user_def : DEFAULT_USER names SOURCE ';' ++ {if (define_default_user(DEFAULT_SOURCE)) return -1; } ++ | DEFAULT_USER names TARGET ';' ++ {if (define_default_user(DEFAULT_TARGET)) return -1; } ++ ; ++default_role_def : DEFAULT_ROLE names SOURCE ';' ++ {if (define_default_role(DEFAULT_SOURCE)) return -1; } ++ | DEFAULT_ROLE names TARGET ';' ++ {if (define_default_role(DEFAULT_TARGET)) return -1; } ++ ; ++default_type_def : DEFAULT_TYPE names SOURCE ';' ++ {if (define_default_type(DEFAULT_SOURCE)) return -1; } ++ | DEFAULT_TYPE names TARGET ';' ++ {if (define_default_type(DEFAULT_TARGET)) return -1; } ++ ; ++default_range_def : DEFAULT_RANGE names SOURCE LOW ';' ++ {if (define_default_range(DEFAULT_SOURCE_LOW)) return -1; } ++ | DEFAULT_RANGE names SOURCE HIGH ';' ++ {if (define_default_range(DEFAULT_SOURCE_HIGH)) return -1; } ++ | DEFAULT_RANGE names SOURCE LOW_HIGH ';' ++ {if (define_default_range(DEFAULT_SOURCE_LOW_HIGH)) return -1; } ++ | DEFAULT_RANGE names TARGET LOW ';' ++ {if (define_default_range(DEFAULT_TARGET_LOW)) return -1; } ++ | DEFAULT_RANGE names TARGET HIGH ';' ++ {if (define_default_range(DEFAULT_TARGET_HIGH)) return -1; } ++ | DEFAULT_RANGE names TARGET LOW_HIGH ';' ++ {if (define_default_range(DEFAULT_TARGET_LOW_HIGH)) return -1; } ++ ; + opt_mls : mls + | + ; +@@ -216,8 +270,14 @@ mls : sensitivities dominance opt_categories levels mlspolicy + sensitivities : sensitivity_def + | sensitivities sensitivity_def + ; +-/* Need to call define_mls here, as we are working with files */ +-/* only, not command line options */ ++/*sensitivity_def : SENSITIVITY identifier alias_def ';' ++ {if (define_sens()) return -1;} ++ | SENSITIVITY identifier ';' ++ {if (define_sens()) return -1;} ++ ; ++The above has been replaced by: */ ++/* Needed for SETools to call define_mls here, as we are working */ ++/* with files only, not command line options */ + sensitivity_def : SENSITIVITY identifier alias_def ';' + {if (define_mls() | define_sens()) return -1;} + | SENSITIVITY identifier ';' +@@ -271,10 +331,13 @@ te_rbac_decl : te_decl + | policycap_def + | ';' + ; +-rbac_decl : role_type_def ++rbac_decl : attribute_role_def ++ | role_type_def + | role_dominance + | role_trans_def + | role_allow_def ++ | roleattribute_def ++ | role_attr_def + ; + te_decl : attribute_def + | type_def +@@ -282,6 +345,7 @@ te_decl : attribute_def + | typeattribute_def + | typebounds_def + | bool_def ++ | tunable_def + | transition_def + | range_trans_def + | te_avtab_def +@@ -308,8 +372,11 @@ opt_attr_list : ',' id_comma_list + | + ; + bool_def : BOOL identifier bool_val ';' +- {if (define_bool()) return -1;} ++ { if (define_bool_tunable(0)) return -1; } + ; ++tunable_def : TUNABLE identifier bool_val ';' ++ { if (define_bool_tunable(1)) return -1; } ++ ; + bool_val : CTRUE + { if (insert_id("T",0)) return -1; } + | CFALSE +@@ -364,7 +431,7 @@ cond_rule_def : cond_transition_def + cond_transition_def : TYPE_TRANSITION names names ':' names identifier filename ';' + { $$ = define_cond_filename_trans() ; + if ($$ == COND_ERR) return -1;} +- | TYPE_TRANSITION names names ':' names identifier ';' ++ | TYPE_TRANSITION names names ':' names identifier ';' + { $$ = define_cond_compute_type(AVRULE_TRANSITION) ; + if ($$ == COND_ERR) return -1;} + | TYPE_MEMBER names names ':' names identifier ';' +@@ -399,6 +466,7 @@ cond_dontaudit_def : DONTAUDIT names names ':' names names ';' + { $$ = define_cond_te_avtab(AVRULE_DONTAUDIT); + if ($$ == COND_ERR) return -1; } + ; ++ ; + transition_def : TYPE_TRANSITION names names ':' names identifier filename ';' + {if (define_filename_trans()) return -1; } + | TYPE_TRANSITION names names ':' names identifier ';' +@@ -434,15 +502,21 @@ dontaudit_def : DONTAUDIT names names ':' names names ';' + neverallow_def : NEVERALLOW names names ':' names names ';' + {if (define_te_avtab(AVRULE_NEVERALLOW)) return -1; } + ; ++attribute_role_def : ATTRIBUTE_ROLE identifier ';' ++ {if (define_attrib_role()) return -1; } ++ ; + role_type_def : ROLE identifier TYPES names ';' + {if (define_role_types()) return -1;} +- | ROLE identifier';' +- {if (define_role_types()) return -1;} ++ ; ++role_attr_def : ROLE identifier opt_attr_list ';' ++ {if (define_role_attr()) return -1;} + ; + role_dominance : DOMINANCE '{' roles '}' + ; + role_trans_def : ROLE_TRANSITION names names identifier ';' +- {if (define_role_trans()) return -1; } ++ {if (define_role_trans(0)) return -1; } ++ | ROLE_TRANSITION names names ':' names identifier ';' ++ {if (define_role_trans(1)) return -1;} + ; + role_allow_def : ALLOW names names ';' + {if (define_role_allow()) return -1; } +@@ -457,6 +531,9 @@ role_def : ROLE identifier_push ';' + | ROLE identifier_push '{' roles '}' + {$$ = define_role_dom((role_datum_t*)$4); if ($$ == 0) return -1;} + ; ++roleattribute_def : ROLEATTRIBUTE identifier id_comma_list ';' ++ {if (define_roleattribute()) return -1;} ++ ; + opt_constraints : constraints + | + ; +@@ -662,7 +739,7 @@ opt_fs_uses : fs_uses + fs_uses : fs_use_def + | fs_uses fs_use_def + ; +-fs_use_def : FSUSEXATTR identifier security_context_def ';' ++fs_use_def : FSUSEXATTR filesystem security_context_def ';' + {if (define_fs_use(SECURITY_FS_USE_XATTR)) return -1;} + | FSUSETASK identifier security_context_def ';' + {if (define_fs_use(SECURITY_FS_USE_TASK)) return -1;} +@@ -677,11 +754,11 @@ opt_genfs_contexts : genfs_contexts + genfs_contexts : genfs_context_def + | genfs_contexts genfs_context_def + ; +-genfs_context_def : GENFSCON identifier path '-' identifier security_context_def ++genfs_context_def : GENFSCON filesystem path '-' identifier security_context_def + {if (define_genfs_context(1)) return -1;} +- | GENFSCON identifier path '-' '-' {insert_id("-", 0);} security_context_def ++ | GENFSCON filesystem path '-' '-' {insert_id("-", 0);} security_context_def + {if (define_genfs_context(1)) return -1;} +- | GENFSCON identifier path security_context_def ++ | GENFSCON filesystem path security_context_def + {if (define_genfs_context(0)) return -1;} + ; + ipv4_addr_def : IPV4_ADDR +@@ -755,6 +832,11 @@ nested_id_element : identifier | '-' { if (insert_id("-", 0)) return -1; } + identifier : IDENTIFIER + { if (insert_id(yytext,0)) return -1; } + ; ++filesystem : FILESYSTEM ++ { if (insert_id(yytext,0)) return -1; } ++ | IDENTIFIER ++ { if (insert_id(yytext,0)) return -1; } ++ ; + path : PATH + { if (insert_id(yytext,0)) return -1; } + ; +@@ -785,6 +867,8 @@ module_def : MODULE identifier version_identifier ';' + ; + version_identifier : VERSION_IDENTIFIER + { if (insert_id(yytext,0)) return -1; } ++ | number ++ { if (insert_id(yytext,0)) return -1; } + | ipv4_addr_def /* version can look like ipv4 address */ + ; + avrules_block : avrule_decls avrule_user_defs +@@ -813,8 +897,10 @@ require_class : CLASS identifier names + require_decl_def : ROLE { $$ = require_role; } + | TYPE { $$ = require_type; } + | ATTRIBUTE { $$ = require_attribute; } ++ | ATTRIBUTE_ROLE { $$ = require_attribute_role; } + | USER { $$ = require_user; } + | BOOL { $$ = require_bool; } ++ | TUNABLE { $$ = require_tunable; } + | SENSITIVITY { $$ = require_sens; } + | CATEGORY { $$ = require_cat; } + ; +diff --git a/libqpol/src/policy_scan.l b/libqpol/src/policy_scan.l +index 30203cd..b4e3fe1 100644 +--- a/libqpol/src/policy_scan.l ++++ b/libqpol/src/policy_scan.l +@@ -3,6 +3,8 @@ + * + * This file is based upon checkpolicy/policy_scan.l fram NSA's SVN + * repository. It has been modified to support older policy formats. ++ * The older format just seems to be FSUSEPSID support (see fs_use_psid ++ * entry. + * + * Author : Stephen Smalley, + * +@@ -22,6 +24,7 @@ + + /* FLASK */ + ++/* Required for SETools libqpol services */ + %{ + #undef YY_INPUT + #define YY_INPUT(b, r, ms) (r = qpol_src_yyinput(b, ms)) +@@ -35,7 +38,12 @@ + + typedef int (* require_func_t)(); + ++/* For SETools libqpol services leave this as policy_parse.h */ ++/* #ifdef ANDROID */ + #include "policy_parse.h" ++/*#else ++#include "y.tab.h" ++#endif */ + + static char linebuf[2][255]; + static unsigned int lno = 0; +@@ -50,17 +58,16 @@ unsigned long policydb_lineno = 1; + + unsigned int policydb_errors = 0; + ++/* These are required for SETools libqpol services */ + /* redefine input so we can read from a string */ + /* borrowed from O'Reilly lex and yacc pg 157 */ + extern char qpol_src_input[]; + extern char *qpol_src_inputptr;/* current position in myinput */ + extern char *qpol_src_inputlim;/* end of data */ + int qpol_src_yyinput(char *buf, int max_size); +- + %} + +-%option nounput +-%option noyywrap ++%option noinput nounput noyywrap + + %array + letter [A-Za-z] +@@ -93,6 +100,10 @@ ROLE | + role { return(ROLE); } + ROLES | + roles { return(ROLES); } ++ROLEATTRIBUTE | ++roleattribute { return(ROLEATTRIBUTE);} ++ATTRIBUTE_ROLE | ++attribute_role { return(ATTRIBUTE_ROLE);} + TYPES | + types { return(TYPES); } + TYPEALIAS | +@@ -105,6 +116,8 @@ TYPE | + type { return(TYPE); } + BOOL | + bool { return(BOOL); } ++TUNABLE | ++tunable { return(TUNABLE); } + IF | + if { return(IF); } + ELSE | +@@ -234,9 +247,24 @@ policycap | + POLICYCAP { return(POLICYCAP); } + permissive | + PERMISSIVE { return(PERMISSIVE); } ++default_user | ++DEFAULT_USER { return(DEFAULT_USER); } ++default_role | ++DEFAULT_ROLE { return(DEFAULT_ROLE); } ++default_type | ++DEFAULT_TYPE { return(DEFAULT_TYPE); } ++default_range | ++DEFAULT_RANGE { return(DEFAULT_RANGE); } ++low-high | ++LOW-HIGH { return(LOW_HIGH); } ++high | ++HIGH { return(HIGH); } ++low | ++LOW { return(LOW); } + "/"({alnum}|[_\.\-/])* { return(PATH); } +-\"({alnum}|[_\.\-])+\" { return(FILENAME); } ++\"({alnum}|[_\.\-\+\~\: ])+\" { return(FILENAME); } + {letter}({alnum}|[_\-])*([\.]?({alnum}|[_\-]))* { return(IDENTIFIER); } ++{alnum}*{letter}{alnum}* { return(FILESYSTEM); } + {digit}+|0x{hexval}+ { return(NUMBER); } + {digit}{1,3}(\.{digit}{1,3}){3} { return(IPV4_ADDR); } + {hexval}{0,4}":"{hexval}{0,4}":"({hexval}|[:.])* { return(IPV6_ADDR); } +@@ -304,6 +332,7 @@ void set_source_file(const char *name) + source_file[sizeof(source_file)-1] = '\0'; + } + ++/* Required for SETools libqpol services */ + int qpol_src_yyinput(char *buf, int max_size) + { + int n = max_size < (qpol_src_inputlim - qpol_src_inputptr) ? max_size : (qpol_src_inputlim - qpol_src_inputptr); +@@ -315,6 +344,7 @@ int qpol_src_yyinput(char *buf, int max_size) + return n; + } + ++/* Required for SETools libqpol services */ + void init_scanner(void) + { + yy_flush_buffer(YY_CURRENT_BUFFER); +diff --git a/libqpol/src/queue.c b/libqpol/src/queue.c +index 18667d5..45a510a 100644 +--- a/libqpol/src/queue.c ++++ b/libqpol/src/queue.c +@@ -6,6 +6,8 @@ + * Author : Stephen Smalley, + */ + ++/* No changes for SETools libqpol services - Just the header */ ++ + /* FLASK */ + + /* +@@ -144,7 +146,9 @@ int queue_map(queue_t q, int (*f) (queue_element_t, void *), void *vp) + return 0; + } + +-void queue_map_remove_on_error(queue_t q, int (*f) (queue_element_t, void *), void (*g) (queue_element_t, void *), void *vp) ++void queue_map_remove_on_error(queue_t q, ++ int (*f) (queue_element_t, void *), ++ void (*g) (queue_element_t, void *), void *vp) + { + queue_node_ptr_t p, last, temp; + int ret; +diff --git a/libqpol/src/queue.h b/libqpol/src/queue.h +index bca304b..dca1b2e 100644 +--- a/libqpol/src/queue.h ++++ b/libqpol/src/queue.h +@@ -6,6 +6,8 @@ + * Author : Stephen Smalley, + */ + ++/* No changes for SETools libqpol services - Just the header */ ++ + /* FLASK */ + + /* +@@ -21,14 +23,12 @@ typedef void *queue_element_t; + + typedef struct queue_node *queue_node_ptr_t; + +-typedef struct queue_node +-{ ++typedef struct queue_node { + queue_element_t element; + queue_node_ptr_t next; + } queue_node_t; + +-typedef struct queue_info +-{ ++typedef struct queue_info { + queue_node_ptr_t head; + queue_node_ptr_t tail; + } queue_info_t; +@@ -60,7 +60,9 @@ int queue_map(queue_t, int (*f) (queue_element_t, void *), void *); + then the element will be removed from the queue and the g + function will be applied to the element. + */ +-void queue_map_remove_on_error(queue_t, int (*f) (queue_element_t, void *), void (*g) (queue_element_t, void *), void *); ++void queue_map_remove_on_error(queue_t, ++ int (*f) (queue_element_t, void *), ++ void (*g) (queue_element_t, void *), void *); + + #endif + +diff --git a/libqpol/src/rbacrule_query.c b/libqpol/src/rbacrule_query.c +index 7f84459..28449b3 100644 +--- a/libqpol/src/rbacrule_query.c ++++ b/libqpol/src/rbacrule_query.c +@@ -334,6 +334,29 @@ int qpol_role_trans_get_target_type(const qpol_policy_t * policy, const qpol_rol + return STATUS_SUCCESS; + } + ++int qpol_role_trans_get_object_class(const qpol_policy_t * policy, const qpol_role_trans_t * rule, const qpol_class_t ** obj_class) ++{ ++ policydb_t *db = NULL; ++ role_trans_t *rt = NULL; ++ ++ if (obj_class) { ++ *obj_class = NULL; ++ } ++ ++ if (!policy || !rule || !obj_class) { ++ ERR(policy, "%s", strerror(EINVAL)); ++ errno = EINVAL; ++ return STATUS_ERR; ++ } ++ ++ db = &policy->p->p; ++ rt = (role_trans_t *) rule; ++ ++ *obj_class = (qpol_class_t *) db->class_val_to_struct[rt->tclass - 1]; ++ ++ return STATUS_SUCCESS; ++} ++ + int qpol_role_trans_get_default_role(const qpol_policy_t * policy, const qpol_role_trans_t * rule, const qpol_role_t ** dflt) + { + policydb_t *db = NULL; +diff --git a/libqpol/src/syn_rule_query.c b/libqpol/src/syn_rule_query.c +index 3e63204..d7578f1 100644 +--- a/libqpol/src/syn_rule_query.c ++++ b/libqpol/src/syn_rule_query.c +@@ -67,7 +67,7 @@ static void *syn_rule_class_state_get_cur(const qpol_iterator_t * iter) + return NULL; + } + +- return db->class_val_to_struct[srcs->cur->class - 1]; ++ return db->class_val_to_struct[srcs->cur->tclass - 1]; + } + + static int syn_rule_class_state_next(qpol_iterator_t * iter) +@@ -465,10 +465,10 @@ int qpol_syn_avrule_get_perm_iter(const qpol_policy_t * policy, const qpol_syn_a + } + + for (node = internal_rule->perms; node; node = node->next) { +- for (i = 0; i < db->class_val_to_struct[node->class - 1]->permissions.nprim; i++) { ++ for (i = 0; i < db->class_val_to_struct[node->tclass - 1]->permissions.nprim; i++) { + if (!(node->data & (1 << i))) + continue; +- tmp = sepol_av_to_string(db, node->class, (sepol_access_vector_t) (1 << i)); ++ tmp = sepol_av_to_string(db, node->tclass, (sepol_access_vector_t) (1 << i)); + if (tmp) { + tmp++; /* remove prepended space */ + for (cur = 0; cur < perm_list_sz; cur++) +diff --git a/libqpol/swig/qpol.i b/libqpol/swig/qpol.i +index 45a2403..b604488 100644 +--- a/libqpol/swig/qpol.i ++++ b/libqpol/swig/qpol.i +@@ -228,7 +228,7 @@ SWIGEXPORT int Tqpol_Init(Tcl_Interp *interp) { + #define QPOL_MODULE_OTHER 2 + typedef struct qpol_module {} qpol_module_t; + %extend qpol_module_t { +- qpol_module_t(const char *path) { ++ qpol_module(const char *path) { + qpol_module_t *m; + BEGIN_EXCEPTION + if (qpol_module_create_from_file(path, &m)) { +@@ -239,10 +239,11 @@ typedef struct qpol_module {} qpol_module_t; + fail: + return NULL; + }; +- ~qpol_module_t() { ++ ~qpol_module() { + qpol_module_destroy(&self); + }; +- const char *get_path() { ++ %rename(get_path) wrap_get_path; ++ const char *wrap_get_path() { + const char *p; + BEGIN_EXCEPTION + if (qpol_module_get_path(self, &p)) { +@@ -253,7 +254,8 @@ typedef struct qpol_module {} qpol_module_t; + fail: + return NULL; + }; +- const char *get_name() { ++ %rename(get_name) wrap_get_name; ++ const char *wrap_get_name() { + const char *n; + BEGIN_EXCEPTION + if (qpol_module_get_name(self, &n)) { +@@ -264,7 +266,8 @@ typedef struct qpol_module {} qpol_module_t; + fail: + return NULL; + }; +- const char *get_version() { ++ %rename(get_version) wrap_get_version; ++ const char *wrap_get_version() { + const char *v; + BEGIN_EXCEPTION + if (qpol_module_get_version(self, &v)) { +@@ -275,7 +278,8 @@ typedef struct qpol_module {} qpol_module_t; + fail: + return NULL; + }; +- int get_type() { ++ %rename(get_type) wrap_get_type; ++ int wrap_get_type() { + int t; + BEGIN_EXCEPTION + if (qpol_module_get_type(self, &t)) { +@@ -285,7 +289,8 @@ typedef struct qpol_module {} qpol_module_t; + fail: + return t; + }; +- int get_enabled() { ++ %rename(get_enabled) wrap_get_enabled; ++ int wrap_get_enabled() { + int e; + BEGIN_EXCEPTION + if (qpol_module_get_enabled(self, &e)) { +@@ -295,7 +300,8 @@ typedef struct qpol_module {} qpol_module_t; + fail: + return e; + }; +- void set_enabled(int state) { ++ %rename(set_enabled) wrap_set_enabled; ++ void wrap_set_enabled(int state) { + BEGIN_EXCEPTION + if (qpol_module_set_enabled(self, state)) { + SWIG_exception(SWIG_RuntimeError, "Could not set module state"); +@@ -326,11 +332,18 @@ typedef enum qpol_capability + QPOL_CAP_MODULES, + QPOL_CAP_RULES_LOADED, + QPOL_CAP_SOURCE, +- QPOL_CAP_NEVERALLOW ++ QPOL_CAP_NEVERALLOW, ++ QPOL_CAP_POLCAPS, ++ QPOL_CAP_BOUNDS, ++ QPOL_CAP_DEFAULT_OBJECTS, ++ QPOL_CAP_DEFAULT_TYPE, ++ QPOL_CAP_PERMISSIVE, ++ QPOL_CAP_FILENAME_TRANS, ++ QPOL_CAP_ROLETRANS + } qpol_capability_e; + + %extend qpol_policy_t { +- qpol_policy_t(const char *path, const int options) { ++ qpol_policy(const char *path, const int options) { + qpol_policy_t *p; + BEGIN_EXCEPTION + if (qpol_policy_open_from_file(path, &p, qpol_swig_message_callback, qpol_swig_message_callback_arg, options) < 0) { +@@ -341,10 +354,11 @@ typedef enum qpol_capability + fail: + return NULL; + } +- ~qpol_policy_t() { ++ ~qpol_policy() { + qpol_policy_destroy(&self); + }; +- void reevaluate_conds() { ++ %rename(reevaluate_conds) wrap_reevaluate_conds; ++ void wrap_reevaluate_conds() { + BEGIN_EXCEPTION + if (qpol_policy_reevaluate_conds(self)) { + SWIG_exception(SWIG_ValueError, "Error evaluating conditional expressions"); +@@ -353,7 +367,8 @@ typedef enum qpol_capability + fail: + return; + }; +- void append_module(qpol_module_t *mod) { ++ %rename(append_module) wrap_append_module; ++ void wrap_append_module(qpol_module_t *mod) { + BEGIN_EXCEPTION + if (qpol_policy_append_module(self, mod)) { + SWIG_exception(SWIG_MemoryError, "Out of Memory"); +@@ -362,7 +377,8 @@ typedef enum qpol_capability + fail: + return; + }; +- void rebuild (const int options) { ++ %rename(rebuild) wrap_rebuild; ++ void wrap_rebuild (const int options) { + BEGIN_EXCEPTION + if (qpol_policy_rebuild(self, options)) { + SWIG_exception(SWIG_RuntimeError, "Failed rebuilding policy"); +@@ -376,15 +392,25 @@ typedef enum qpol_capability + (void)qpol_policy_get_policy_version(self, &v); /* only error is on null parameters neither can be here */ + return (int) v; + }; +- int get_type () { ++ ++ int get_handle_unknown () { ++ unsigned int h; ++ (void)qpol_policy_get_policy_handle_unknown(self, &h); ++ return (int) h; ++ }; ++ ++ %rename(get_type) wrap_get_type; ++ int wrap_get_type () { + int t; + (void)qpol_policy_get_type(self, &t); /* only error is on null parameters neither can be here */ + return t; + }; +- int has_capability (qpol_capability_e cap) { ++ %rename(has_capability) wrap_has_capability; ++ int wrap_has_capability (qpol_capability_e cap) { + return qpol_policy_has_capability(self, cap); + }; +- void build_syn_rule_table() { ++ %rename(build_syn_rule_table) wrap_build_syn_rule_table; ++ void wrap_build_syn_rule_table() { + BEGIN_EXCEPTION + if (qpol_policy_build_syn_rule_table(self)) { + SWIG_exception(SWIG_MemoryError, "Out of Memory"); +@@ -394,7 +420,8 @@ typedef enum qpol_capability + return; + }; + %newobject get_module_iter(); +- qpol_iterator_t *get_module_iter() { ++ %rename(get_module_iter) wrap_get_module_iter; ++ qpol_iterator_t *wrap_get_module_iter() { + BEGIN_EXCEPTION + qpol_iterator_t *iter; + if (qpol_policy_get_module_iter(self, &iter)) { +@@ -406,7 +433,8 @@ typedef enum qpol_capability + return NULL; + }; + %newobject get_type_iter(); +- qpol_iterator_t *get_type_iter() { ++ %rename(get_type_iter) wrap_get_type_iter; ++ qpol_iterator_t *wrap_get_type_iter() { + BEGIN_EXCEPTION + qpol_iterator_t *iter; + if (qpol_policy_get_type_iter(self, &iter)) { +@@ -418,7 +446,8 @@ typedef enum qpol_capability + return NULL; + }; + %newobject get_role_iter(); +- qpol_iterator_t *get_role_iter() { ++ %rename(get_role_iter) wrap_get_role_iter; ++ qpol_iterator_t *wrap_get_role_iter() { + BEGIN_EXCEPTION + qpol_iterator_t *iter; + if (qpol_policy_get_role_iter(self, &iter)) { +@@ -430,7 +459,8 @@ typedef enum qpol_capability + return NULL; + }; + %newobject get_level_iter(); +- qpol_iterator_t *get_level_iter() { ++ %rename(get_level_iter) wrap_get_level_iter; ++ qpol_iterator_t *wrap_get_level_iter() { + BEGIN_EXCEPTION + qpol_iterator_t *iter; + if (qpol_policy_get_level_iter(self, &iter)) { +@@ -442,7 +472,8 @@ typedef enum qpol_capability + return NULL; + }; + %newobject get_cat_iter(); +- qpol_iterator_t *get_cat_iter() { ++ %rename(get_cat_iter) wrap_get_cat_iter; ++ qpol_iterator_t *wrap_get_cat_iter() { + BEGIN_EXCEPTION + qpol_iterator_t *iter; + if (qpol_policy_get_cat_iter(self, &iter)) { +@@ -454,7 +485,8 @@ typedef enum qpol_capability + return NULL; + }; + %newobject get_user_iter(); +- qpol_iterator_t *get_user_iter() { ++ %rename(get_user_iter) wrap_get_user_iter; ++ qpol_iterator_t *wrap_get_user_iter() { + BEGIN_EXCEPTION + qpol_iterator_t *iter; + if (qpol_policy_get_user_iter(self, &iter)) { +@@ -466,7 +498,8 @@ typedef enum qpol_capability + return NULL; + }; + %newobject get_bool_iter(); +- qpol_iterator_t *get_bool_iter() { ++ %rename(get_bool_iter) wrap_get_bool_iter; ++ qpol_iterator_t *wrap_get_bool_iter() { + BEGIN_EXCEPTION + qpol_iterator_t *iter; + if (qpol_policy_get_bool_iter(self, &iter)) { +@@ -478,7 +511,8 @@ typedef enum qpol_capability + return NULL; + }; + %newobject get_class_iter(char*); +- qpol_iterator_t *get_class_iter(char *perm=NULL) { ++ %rename(get_class_iter) wrap_get_class_iter; ++ qpol_iterator_t *wrap_get_class_iter(char *perm=NULL) { + BEGIN_EXCEPTION + qpol_iterator_t *iter; + if (perm) { +@@ -496,7 +530,8 @@ typedef enum qpol_capability + return NULL; + }; + %newobject get_common_iter(char*); +- qpol_iterator_t *get_common_iter(char *perm=NULL) { ++ %rename(get_common_iter) wrap_get_common_iter; ++ qpol_iterator_t *wrap_get_common_iter(char *perm=NULL) { + BEGIN_EXCEPTION + qpol_iterator_t *iter; + if (perm) { +@@ -514,7 +549,8 @@ typedef enum qpol_capability + return NULL; + }; + %newobject get_fs_use_iter(); +- qpol_iterator_t *get_fs_use_iter() { ++ %rename(get_fs_use_iter) wrap_get_fs_use_iter; ++ qpol_iterator_t *wrap_get_fs_use_iter() { + BEGIN_EXCEPTION + qpol_iterator_t *iter; + if (qpol_policy_get_fs_use_iter(self, &iter)) { +@@ -526,7 +562,8 @@ typedef enum qpol_capability + return NULL; + }; + %newobject get_genfscon_iter(); +- qpol_iterator_t *get_genfscon_iter() { ++ %rename(get_genfscon_iter) wrap_get_genfscon_iter; ++ qpol_iterator_t *wrap_get_genfscon_iter() { + BEGIN_EXCEPTION + qpol_iterator_t *iter; + if (qpol_policy_get_genfscon_iter(self, &iter)) { +@@ -538,7 +575,8 @@ typedef enum qpol_capability + return NULL; + }; + %newobject get_isid_iter(); +- qpol_iterator_t *get_isid_iter() { ++ %rename(get_isid_iter) wrap_get_isid_iter; ++ qpol_iterator_t *wrap_get_isid_iter() { + BEGIN_EXCEPTION + qpol_iterator_t *iter; + if (qpol_policy_get_isid_iter(self, &iter)) { +@@ -550,7 +588,8 @@ typedef enum qpol_capability + return NULL; + }; + %newobject get_netifcon_iter(); +- qpol_iterator_t *get_netifcon_iter() { ++ %rename(get_netifcon_iter) wrap_get_netifcon_iter; ++ qpol_iterator_t *wrap_get_netifcon_iter() { + BEGIN_EXCEPTION + qpol_iterator_t *iter; + if (qpol_policy_get_netifcon_iter(self, &iter)) { +@@ -562,7 +601,8 @@ typedef enum qpol_capability + return NULL; + }; + %newobject get_nodecon_iter(); +- qpol_iterator_t *get_nodecon_iter() { ++ %rename(get_nodecon_iter) wrap_get_nodecon_iter; ++ qpol_iterator_t *wrap_get_nodecon_iter() { + BEGIN_EXCEPTION + qpol_iterator_t *iter; + if (qpol_policy_get_nodecon_iter(self, &iter)) { +@@ -574,7 +614,8 @@ typedef enum qpol_capability + return NULL; + }; + %newobject get_portcon_iter(); +- qpol_iterator_t *get_portcon_iter() { ++ %rename(get_portcon_iter) wrap_get_portcon_iter; ++ qpol_iterator_t *wrap_get_portcon_iter() { + BEGIN_EXCEPTION + qpol_iterator_t *iter; + if (qpol_policy_get_portcon_iter(self, &iter)) { +@@ -586,7 +627,8 @@ typedef enum qpol_capability + return NULL; + }; + %newobject get_constraint_iter(); +- qpol_iterator_t *get_constraint_iter() { ++ %rename(get_constraint_iter) wrap_get_constraint_iter; ++ qpol_iterator_t *wrap_get_constraint_iter() { + BEGIN_EXCEPTION + qpol_iterator_t *iter; + if (qpol_policy_get_constraint_iter(self, &iter)) { +@@ -598,7 +640,8 @@ typedef enum qpol_capability + return NULL; + }; + %newobject get_validatetrans_iter(); +- qpol_iterator_t *get_validatetrans_iter() { ++ %rename(get_validatetrans_iter) wrap_get_validatetrans_iter; ++ qpol_iterator_t *wrap_get_validatetrans_iter() { + BEGIN_EXCEPTION + qpol_iterator_t *iter; + if (qpol_policy_get_validatetrans_iter(self, &iter)) { +@@ -610,7 +653,8 @@ typedef enum qpol_capability + return NULL; + }; + %newobject get_role_allow_iter(); +- qpol_iterator_t *get_role_allow_iter() { ++ %rename(get_role_allow_iter) wrap_get_role_allow_iter; ++ qpol_iterator_t *wrap_get_role_allow_iter() { + BEGIN_EXCEPTION + qpol_iterator_t *iter; + if (qpol_policy_get_role_allow_iter(self, &iter)) { +@@ -622,7 +666,8 @@ typedef enum qpol_capability + return NULL; + }; + %newobject get_role_trans_iter(); +- qpol_iterator_t *get_role_trans_iter() { ++ %rename(get_role_trans_iter) wrap_get_role_trans_iter; ++ qpol_iterator_t *wrap_get_role_trans_iter() { + BEGIN_EXCEPTION + qpol_iterator_t *iter; + if (qpol_policy_get_role_trans_iter(self, &iter)) { +@@ -634,7 +679,8 @@ typedef enum qpol_capability + return NULL; + }; + %newobject get_range_trans_iter(); +- qpol_iterator_t *get_range_trans_iter() { ++ %rename(get_range_trans_iter) wrap_get_range_trans_iter; ++ qpol_iterator_t *wrap_get_range_trans_iter() { + BEGIN_EXCEPTION + qpol_iterator_t *iter; + if (qpol_policy_get_range_trans_iter(self, &iter)) { +@@ -646,7 +692,8 @@ typedef enum qpol_capability + return NULL; + }; + %newobject get_avrule_iter(int); +- qpol_iterator_t *get_avrule_iter(int rule_types) { ++ %rename(get_avrule_iter) wrap_get_avrule_iter; ++ qpol_iterator_t *wrap_get_avrule_iter(int rule_types) { + BEGIN_EXCEPTION + qpol_iterator_t *iter; + if (qpol_policy_get_avrule_iter(self, rule_types, &iter)) { +@@ -658,7 +705,8 @@ typedef enum qpol_capability + return NULL; + }; + %newobject get_terule_iter(int); +- qpol_iterator_t *get_terule_iter(int rule_types) { ++ %rename(get_terule_iter) wrap_get_terule_iter; ++ qpol_iterator_t *wrap_get_terule_iter(int rule_types) { + BEGIN_EXCEPTION + qpol_iterator_t *iter; + if (qpol_policy_get_terule_iter(self, rule_types, &iter)) { +@@ -670,7 +718,8 @@ typedef enum qpol_capability + return NULL; + }; + %newobject get_cond_iter(); +- qpol_iterator_t *get_cond_iter() { ++ %rename(get_cond_iter) wrap_get_cond_iter; ++ qpol_iterator_t *wrap_get_cond_iter() { + BEGIN_EXCEPTION + qpol_iterator_t *iter; + if (qpol_policy_get_cond_iter(self, &iter)) { +@@ -681,23 +730,76 @@ typedef enum qpol_capability + fail: + return NULL; + }; ++ %newobject get_filename_trans_iter(); ++ %rename(get_filename_trans_iter) wrap_get_filename_trans_iter; ++ qpol_iterator_t *wrap_get_filename_trans_iter() { ++ BEGIN_EXCEPTION ++ qpol_iterator_t *iter; ++ if (qpol_policy_get_filename_trans_iter(self, &iter)) { ++ SWIG_exception(SWIG_MemoryError, "Out of Memory"); ++ } ++ return iter; ++ END_EXCEPTION ++ fail: ++ return NULL; ++ }; ++ %newobject get_permissive_iter(); ++ %rename(get_permissive_iter) wrap_get_permissive_iter; ++ qpol_iterator_t *wrap_get_permissive_iter() { ++ BEGIN_EXCEPTION ++ qpol_iterator_t *iter; ++ if (qpol_policy_get_permissive_iter(self, &iter)) { ++ SWIG_exception(SWIG_MemoryError, "Out of Memory"); ++ } ++ return iter; ++ END_EXCEPTION ++ fail: ++ return NULL; ++ }; ++ %newobject get_typebounds_iter(); ++ %rename(get_typebounds_iter) wrap_get_typebounds_iter; ++ qpol_iterator_t *wrap_get_typebounds_iter() { ++ BEGIN_EXCEPTION ++ qpol_iterator_t *iter; ++ if (qpol_policy_get_typebounds_iter(self, &iter)) { ++ SWIG_exception(SWIG_MemoryError, "Out of Memory"); ++ } ++ return iter; ++ END_EXCEPTION ++ fail: ++ return NULL; ++ }; ++ %newobject get_polcap_iter(); ++ %rename(get_polcap_iter) wrap_get_polcap_iter; ++ qpol_iterator_t *wrap_get_polcap_iter() { ++ BEGIN_EXCEPTION ++ qpol_iterator_t *iter; ++ if (qpol_policy_get_polcap_iter(self, &iter)) { ++ SWIG_exception(SWIG_MemoryError, "Out of Memory"); ++ } ++ return iter; ++ END_EXCEPTION ++ fail: ++ return NULL; ++ }; + }; + + /* qpol iterator */ + typedef struct qpol_iterator {} qpol_iterator_t; + %extend qpol_iterator_t { + /* user never directly creates, but SWIG expects a constructor */ +- qpol_iterator_t() { ++ qpol_iterator() { + BEGIN_EXCEPTION + SWIG_exception(SWIG_TypeError, "User may not create iterators difectly"); + END_EXCEPTION + fail: + return NULL; + }; +- ~qpol_iterator_t() { ++ ~qpol_iterator() { + qpol_iterator_destroy(&self); + }; +- void *get_item() { ++ %rename(get_item) wrap_get_item; ++ void *wrap_get_item() { + BEGIN_EXCEPTION + void *i; + if (qpol_iterator_get_item(self, &i)) { +@@ -708,7 +810,8 @@ typedef struct qpol_iterator {} qpol_iterator_t; + fail: + return NULL; + }; +- void next() { ++ %rename(next) wrap_next; ++ void wrap_next() { + BEGIN_EXCEPTION + if (qpol_iterator_next(self)) { + SWIG_exception(SWIG_RuntimeError, "Error advancing iterator"); +@@ -717,10 +820,12 @@ typedef struct qpol_iterator {} qpol_iterator_t; + fail: + return; + }; +- int end() { ++ %rename(end) wrap_end; ++ int wrap_end() { + return qpol_iterator_end(self); + }; +- size_t get_size() { ++ %rename(get_size) wrap_get_size; ++ size_t wrap_get_size() { + BEGIN_EXCEPTION + size_t s; + if (qpol_iterator_get_size(self, &s)) { +@@ -736,7 +841,7 @@ typedef struct qpol_iterator {} qpol_iterator_t; + /* qpol type */ + typedef struct qpol_type {} qpol_type_t; + %extend qpol_type_t { +- qpol_type_t(qpol_policy_t *p, const char *name) { ++ qpol_type(qpol_policy_t *p, const char *name) { + BEGIN_EXCEPTION + const qpol_type_t *t; + if (qpol_policy_get_type_by_name(p, name, &t)) { +@@ -747,11 +852,12 @@ typedef struct qpol_type {} qpol_type_t; + fail: + return NULL; + }; +- ~qpol_type_t() { ++ ~qpol_type() { + /* no op */ + return; + }; +- const char *get_name(qpol_policy_t *p) { ++ %rename(get_name) wrap_get_name; ++ const char *wrap_get_name(qpol_policy_t *p) { + BEGIN_EXCEPTION + const char *name; + if (qpol_type_get_name(p, self, &name)) { +@@ -762,7 +868,8 @@ typedef struct qpol_type {} qpol_type_t; + fail: + return NULL; + }; +- int get_value(qpol_policy_t *p) { ++ %rename(get_value) wrap_get_value; ++ int wrap_get_value(qpol_policy_t *p) { + uint32_t v; + BEGIN_EXCEPTION + if (qpol_type_get_value(p, self, &v)) { +@@ -772,7 +879,8 @@ typedef struct qpol_type {} qpol_type_t; + fail: + return (int) v; + }; +- int get_isalias(qpol_policy_t *p) { ++ %rename(get_isalias) wrap_get_isalias; ++ int wrap_get_isalias(qpol_policy_t *p) { + unsigned char i; + BEGIN_EXCEPTION + if (qpol_type_get_isalias(p, self, &i)) { +@@ -782,7 +890,8 @@ typedef struct qpol_type {} qpol_type_t; + fail: + return (int)i; + }; +- int get_isattr(qpol_policy_t *p) { ++ %rename(get_isattr) wrap_get_isattr; ++ int wrap_get_isattr(qpol_policy_t *p) { + unsigned char i; + BEGIN_EXCEPTION + if (qpol_type_get_isattr(p, self, &i)) { +@@ -792,7 +901,8 @@ typedef struct qpol_type {} qpol_type_t; + fail: + return (int)i; + }; +- int get_ispermissive(qpol_policy_t *p) { ++ %rename(get_ispermissive) wrap_get_ispermissive; ++ int wrap_get_ispermissive(qpol_policy_t *p) { + unsigned char i; + BEGIN_EXCEPTION + if (qpol_type_get_ispermissive(p, self, &i)) { +@@ -803,7 +913,8 @@ typedef struct qpol_type {} qpol_type_t; + return (int)i; + }; + %newobject get_type_iter(qpol_policy_t*); +- qpol_iterator_t *get_type_iter(qpol_policy_t *p) { ++ %rename(get_type_iter) wrap_get_type_iter; ++ qpol_iterator_t *wrap_get_type_iter(qpol_policy_t *p) { + qpol_iterator_t *iter; + BEGIN_EXCEPTION + int retv = qpol_type_get_type_iter(p, self, &iter); +@@ -817,7 +928,8 @@ typedef struct qpol_type {} qpol_type_t; + return iter; + }; + %newobject get_attr_iter(qpol_policy_t*); +- qpol_iterator_t *get_attr_iter(qpol_policy_t *p) { ++ %rename(get_attr_iter) wrap_get_attr_iter; ++ qpol_iterator_t *wrap_get_attr_iter(qpol_policy_t *p) { + qpol_iterator_t *iter; + BEGIN_EXCEPTION + int retv = qpol_type_get_attr_iter(p, self, &iter); +@@ -831,7 +943,8 @@ typedef struct qpol_type {} qpol_type_t; + return iter; + }; + %newobject get_alias_iter(qpol_policy_t*); +- qpol_iterator_t *get_alias_iter(qpol_policy_t *p) { ++ %rename(get_alias_iter) wrap_get_alias_iter; ++ qpol_iterator_t *wrap_get_alias_iter(qpol_policy_t *p) { + qpol_iterator_t *iter; + BEGIN_EXCEPTION + if (qpol_type_get_alias_iter(p, self, &iter)) { +@@ -841,6 +954,18 @@ typedef struct qpol_type {} qpol_type_t; + fail: + return iter; + }; ++ %rename(get_name) wrap_get_name; ++ const char *wrap_get_name(qpol_policy_t *p) { ++ BEGIN_EXCEPTION ++ const char *name; ++ if (qpol_permissive_get_name(p, self, &name)) { ++ SWIG_exception(SWIG_ValueError, "Could not get permissive type name"); ++ } ++ return name; ++ END_EXCEPTION ++ fail: ++ return NULL; ++ }; + }; + %inline %{ + qpol_type_t *qpol_type_from_void(void *x) { +@@ -851,7 +976,7 @@ typedef struct qpol_type {} qpol_type_t; + /* qpol role */ + typedef struct qpol_role {} qpol_role_t; + %extend qpol_role_t { +- qpol_role_t(qpol_policy_t *p, const char *name) { ++ qpol_role(qpol_policy_t *p, const char *name) { + const qpol_role_t *r; + BEGIN_EXCEPTION + if (qpol_policy_get_role_by_name(p, name, &r)) { +@@ -862,11 +987,12 @@ typedef struct qpol_role {} qpol_role_t; + fail: + return NULL; + }; +- ~qpol_role_t() { ++ ~qpol_role() { + /* no op */ + return; + }; +- int get_value (qpol_policy_t *p) { ++ %rename(get_value) wrap_get_value; ++ int wrap_get_value (qpol_policy_t *p) { + uint32_t v; + BEGIN_EXCEPTION + if (qpol_role_get_value(p, self, &v)) { +@@ -876,7 +1002,8 @@ typedef struct qpol_role {} qpol_role_t; + fail: + return (int) v; + }; +- const char *get_name(qpol_policy_t *p) { ++ %rename(get_name) wrap_get_name; ++ const char *wrap_get_name(qpol_policy_t *p) { + const char *name; + BEGIN_EXCEPTION + if (qpol_role_get_name(p, self, &name)) { +@@ -888,7 +1015,8 @@ typedef struct qpol_role {} qpol_role_t; + return NULL; + }; + %newobject get_type_iter(qpol_policy_t*); +- qpol_iterator_t *get_type_iter(qpol_policy_t *p) { ++ %rename(get_type_iter) wrap_get_type_iter; ++ qpol_iterator_t *wrap_get_type_iter(qpol_policy_t *p) { + qpol_iterator_t *iter; + BEGIN_EXCEPTION + if (qpol_role_get_type_iter(p, self, &iter)) { +@@ -899,7 +1027,8 @@ typedef struct qpol_role {} qpol_role_t; + return iter; + }; + %newobject get_dominate_iter(qpol_policy_t*); +- qpol_iterator_t *get_dominate_iter(qpol_policy_t *p) { ++ %rename(get_dominate_iter) wrap_get_dominate_iter; ++ qpol_iterator_t *wrap_get_dominate_iter(qpol_policy_t *p) { + qpol_iterator_t *iter; + BEGIN_EXCEPTION + if (qpol_role_get_dominate_iter(p, self, &iter)) { +@@ -919,7 +1048,7 @@ typedef struct qpol_role {} qpol_role_t; + /* qpol level */ + typedef struct qpol_level {} qpol_level_t; + %extend qpol_level_t { +- qpol_level_t(qpol_policy_t *p, const char *name) { ++ qpol_level(qpol_policy_t *p, const char *name) { + const qpol_level_t *l; + BEGIN_EXCEPTION + if (qpol_policy_get_level_by_name(p, name, &l)) { +@@ -930,11 +1059,12 @@ typedef struct qpol_level {} qpol_level_t; + fail: + return NULL; + }; +- ~qpol_level_t() { ++ ~qpol_level() { + /* no op */ + return; + }; +- int get_isalias(qpol_policy_t *p) { ++ %rename(get_isalias) wrap_get_isalias; ++ int wrap_get_isalias(qpol_policy_t *p) { + unsigned char i; + BEGIN_EXCEPTION + if (qpol_level_get_isalias(p, self, &i)) { +@@ -944,7 +1074,8 @@ typedef struct qpol_level {} qpol_level_t; + fail: + return (int)i; + }; +- int get_value(qpol_policy_t *p) { ++ %rename(get_value) wrap_get_value; ++ int wrap_get_value(qpol_policy_t *p) { + uint32_t v; + BEGIN_EXCEPTION + if (qpol_level_get_value(p, self, &v)) { +@@ -954,7 +1085,8 @@ typedef struct qpol_level {} qpol_level_t; + fail: + return (int) v; + }; +- const char *get_name(qpol_policy_t *p) { ++ %rename(get_name) wrap_get_name; ++ const char *wrap_get_name(qpol_policy_t *p) { + const char *name; + BEGIN_EXCEPTION + if (qpol_level_get_name(p, self, &name)) { +@@ -966,7 +1098,8 @@ typedef struct qpol_level {} qpol_level_t; + return NULL; + }; + %newobject get_cat_iter(qpol_policy_t*); +- qpol_iterator_t *get_cat_iter(qpol_policy_t *p) { ++ %rename(get_cat_iter) wrap_get_cat_iter; ++ qpol_iterator_t *wrap_get_cat_iter(qpol_policy_t *p) { + qpol_iterator_t *iter; + BEGIN_EXCEPTION + if (qpol_level_get_cat_iter(p, self, &iter)) { +@@ -977,7 +1110,8 @@ typedef struct qpol_level {} qpol_level_t; + return iter; + }; + %newobject get_alias_iter(qpol_policy_t*); +- qpol_iterator_t *get_alias_iter(qpol_policy_t *p) { ++ %rename(get_alias_iter) wrap_get_alias_iter; ++ qpol_iterator_t *wrap_get_alias_iter(qpol_policy_t *p) { + qpol_iterator_t *iter; + BEGIN_EXCEPTION + if (qpol_level_get_alias_iter(p, self, &iter)) { +@@ -997,7 +1131,7 @@ typedef struct qpol_level {} qpol_level_t; + /* qpol cat */ + typedef struct qpol_cat {} qpol_cat_t; + %extend qpol_cat_t { +- qpol_cat_t(qpol_policy_t *p, const char *name) { ++ qpol_cat(qpol_policy_t *p, const char *name) { + const qpol_cat_t *c; + BEGIN_EXCEPTION + if (qpol_policy_get_cat_by_name(p, name, &c)) { +@@ -1008,11 +1142,12 @@ typedef struct qpol_cat {} qpol_cat_t; + fail: + return NULL; + }; +- ~qpol_cat_t() { ++ ~qpol_cat() { + /* no op */ + return; + }; +- int get_isalias(qpol_policy_t *p) { ++ %rename(get_isalias) wrap_get_isalias; ++ int wrap_get_isalias(qpol_policy_t *p) { + unsigned char i; + BEGIN_EXCEPTION + if (qpol_cat_get_isalias(p, self, &i)) { +@@ -1022,7 +1157,8 @@ typedef struct qpol_cat {} qpol_cat_t; + fail: + return (int)i; + }; +- int get_value(qpol_policy_t *p) { ++ %rename(get_value) wrap_get_value; ++ int wrap_get_value(qpol_policy_t *p) { + uint32_t v; + BEGIN_EXCEPTION + if (qpol_cat_get_value(p, self, &v)) { +@@ -1032,7 +1168,8 @@ typedef struct qpol_cat {} qpol_cat_t; + fail: + return (int) v; + }; +- const char *get_name(qpol_policy_t *p) { ++ %rename(get_name) wrap_get_name; ++ const char *wrap_get_name(qpol_policy_t *p) { + const char *name; + BEGIN_EXCEPTION + if (qpol_cat_get_name(p, self, &name)) { +@@ -1044,7 +1181,8 @@ typedef struct qpol_cat {} qpol_cat_t; + return NULL; + }; + %newobject get_alias_iter(qpol_policy_t*); +- qpol_iterator_t *get_alias_iter(qpol_policy_t *p) { ++ %rename(get_alias_iter) wrap_get_alias_iter; ++ qpol_iterator_t *wrap_get_alias_iter(qpol_policy_t *p) { + qpol_iterator_t *iter; + BEGIN_EXCEPTION + if (qpol_cat_get_alias_iter(p, self, &iter)) { +@@ -1064,18 +1202,19 @@ typedef struct qpol_cat {} qpol_cat_t; + /* qpol mls range */ + typedef struct qpol_mls_range {} qpol_mls_range_t; + %extend qpol_mls_range_t { +- qpol_mls_range_t() { ++ qpol_mls_range() { + BEGIN_EXCEPTION + SWIG_exception(SWIG_RuntimeError, "Cannot directly create qpol_mls_range_t objects"); + END_EXCEPTION + fail: + return NULL; + } +- ~qpol_mls_range_t() { ++ ~qpol_mls_range() { + /* no op */ + return; + }; +- const qpol_mls_level_t *get_high_level(qpol_policy_t *p) { ++ %rename(get_high_level) wrap_get_high_level; ++ const qpol_mls_level_t *wrap_get_high_level(qpol_policy_t *p) { + const qpol_mls_level_t *l; + BEGIN_EXCEPTION + if (qpol_mls_range_get_high_level(p, self, &l)) { +@@ -1085,7 +1224,8 @@ typedef struct qpol_mls_range {} qpol_mls_range_t; + fail: + return l; + }; +- const qpol_mls_level_t *get_low_level(qpol_policy_t *p) { ++ %rename(get_low_level) wrap_get_low_level; ++ const qpol_mls_level_t *wrap_get_low_level(qpol_policy_t *p) { + const qpol_mls_level_t *l; + BEGIN_EXCEPTION + if (qpol_mls_range_get_low_level(p, self, &l)) { +@@ -1105,18 +1245,19 @@ typedef struct qpol_mls_range {} qpol_mls_range_t; + /* qpol mls level */ + typedef struct qpol_mls_level {} qpol_mls_level_t; + %extend qpol_mls_level_t { +- qpol_mls_level_t() { ++ qpol_mls_level() { + BEGIN_EXCEPTION + SWIG_exception(SWIG_RuntimeError, "Cannot directly create qpol_mls_level_t objects"); + END_EXCEPTION + fail: + return NULL; + } +- ~qpol_mls_level_t() { ++ ~qpol_mls_level() { + /* no op */ + return; + }; +- const char *get_sens_name(qpol_policy_t *p) { ++ %rename(get_sens_name) wrap_get_sens_name; ++ const char *wrap_get_sens_name(qpol_policy_t *p) { + const char *name; + BEGIN_EXCEPTION + if (qpol_mls_level_get_sens_name(p, self, &name)) { +@@ -1127,7 +1268,8 @@ typedef struct qpol_mls_level {} qpol_mls_level_t; + return name; + }; + %newobject get_cat_iter(qpol_policy_t*); +- qpol_iterator_t *get_cat_iter(qpol_policy_t *p) { ++ %rename(get_cat_iter) wrap_get_cat_iter; ++ qpol_iterator_t *wrap_get_cat_iter(qpol_policy_t *p) { + qpol_iterator_t *iter; + BEGIN_EXCEPTION + if (qpol_mls_level_get_cat_iter(p, self, &iter)) { +@@ -1147,7 +1289,7 @@ typedef struct qpol_mls_level {} qpol_mls_level_t; + /* qpol user */ + typedef struct qpol_user {} qpol_user_t; + %extend qpol_user_t { +- qpol_user_t(qpol_policy_t *p, const char *name) { ++ qpol_user(qpol_policy_t *p, const char *name) { + const qpol_user_t *u; + BEGIN_EXCEPTION + if (qpol_policy_get_user_by_name(p, name, &u)) { +@@ -1158,11 +1300,12 @@ typedef struct qpol_user {} qpol_user_t; + fail: + return NULL; + }; +- ~qpol_user_t() { ++ ~qpol_user() { + /* no op */ + return; + }; +- int get_value(qpol_policy_t *p) { ++ %rename(get_value) wrap_get_value; ++ int wrap_get_value(qpol_policy_t *p) { + uint32_t v; + BEGIN_EXCEPTION + if (qpol_user_get_value(p, self, &v)) { +@@ -1173,7 +1316,8 @@ typedef struct qpol_user {} qpol_user_t; + return (int) v; + }; + %newobject get_role_iter(qpol_policy_t*); +- qpol_iterator_t *get_role_iter(qpol_policy_t *p) { ++ %rename(get_role_iter) wrap_get_role_iter; ++ qpol_iterator_t *wrap_get_role_iter(qpol_policy_t *p) { + qpol_iterator_t *iter; + BEGIN_EXCEPTION + if (qpol_user_get_role_iter(p, self, &iter)) { +@@ -1183,7 +1327,8 @@ typedef struct qpol_user {} qpol_user_t; + fail: + return iter; + }; +- const qpol_mls_range_t *get_range(qpol_policy_t *p) { ++ %rename(get_range) wrap_get_range; ++ const qpol_mls_range_t *wrap_get_range(qpol_policy_t *p) { + const qpol_mls_range_t *r; + BEGIN_EXCEPTION + if (qpol_user_get_range(p, self, &r)) { +@@ -1193,7 +1338,8 @@ typedef struct qpol_user {} qpol_user_t; + fail: + return r; + }; +- const char *get_name(qpol_policy_t *p) { ++ %rename(get_name) wrap_get_name; ++ const char *wrap_get_name(qpol_policy_t *p) { + const char *name; + BEGIN_EXCEPTION + if (qpol_user_get_name(p, self, &name)) { +@@ -1203,7 +1349,8 @@ typedef struct qpol_user {} qpol_user_t; + fail: + return name; + }; +- const qpol_mls_level_t *get_dfltlevel(qpol_policy_t *p) { ++ %rename(get_dfltlevel) wrap_get_dfltlevel; ++ const qpol_mls_level_t *wrap_get_dfltlevel(qpol_policy_t *p) { + const qpol_mls_level_t *l; + BEGIN_EXCEPTION + if (qpol_user_get_dfltlevel(p, self, &l)) { +@@ -1223,7 +1370,7 @@ typedef struct qpol_user {} qpol_user_t; + /* qpol bool */ + typedef struct qpol_bool {} qpol_bool_t; + %extend qpol_bool_t { +- qpol_bool_t(qpol_policy_t *p, const char *name) { ++ qpol_bool(qpol_policy_t *p, const char *name) { + qpol_bool_t *b; + BEGIN_EXCEPTION + if (qpol_policy_get_bool_by_name(p, name, &b)) { +@@ -1233,11 +1380,12 @@ typedef struct qpol_bool {} qpol_bool_t; + fail: + return b; + }; +- ~qpol_bool_t() { ++ ~qpol_bool() { + /* no op */ + return; + }; +- int get_value(qpol_policy_t *p) { ++ %rename(get_value) wrap_get_value; ++ int wrap_get_value(qpol_policy_t *p) { + uint32_t v; + BEGIN_EXCEPTION + if (qpol_bool_get_value(p, self, &v)) { +@@ -1247,7 +1395,8 @@ typedef struct qpol_bool {} qpol_bool_t; + fail: + return (int) v; + }; +- int get_state(qpol_policy_t *p) { ++ %rename(get_state) wrap_get_state; ++ int wrap_get_state(qpol_policy_t *p) { + int s; + BEGIN_EXCEPTION + if (qpol_bool_get_state(p, self, &s)) { +@@ -1257,7 +1406,8 @@ typedef struct qpol_bool {} qpol_bool_t; + fail: + return s; + }; +- void set_state(qpol_policy_t *p, int state) { ++ %rename(set_state) wrap_set_state; ++ void wrap_set_state(qpol_policy_t *p, int state) { + BEGIN_EXCEPTION + if (qpol_bool_set_state(p, self, state)) { + SWIG_exception(SWIG_RuntimeError, "Error setting boolean state"); +@@ -1266,7 +1416,8 @@ typedef struct qpol_bool {} qpol_bool_t; + fail: + return; + }; +- void set_state_no_eval(qpol_policy_t *p, int state) { ++ %rename(set_state_no_eval) wrap_set_state_no_eval; ++ void wrap_set_state_no_eval(qpol_policy_t *p, int state) { + BEGIN_EXCEPTION + if (qpol_bool_set_state_no_eval(p, self, state)) { + SWIG_exception(SWIG_RuntimeError, "Error setting boolean state"); +@@ -1275,7 +1426,8 @@ typedef struct qpol_bool {} qpol_bool_t; + fail: + return; + }; +- const char *get_name(qpol_policy_t *p) { ++ %rename(get_name) wrap_get_name; ++ const char *wrap_get_name(qpol_policy_t *p) { + const char *name; + BEGIN_EXCEPTION + if (qpol_bool_get_name(p, self, &name)) { +@@ -1295,18 +1447,18 @@ typedef struct qpol_bool {} qpol_bool_t; + /* qpol context */ + typedef struct qpol_context {} qpol_context_t; + %extend qpol_context_t { +- qpol_context_t() { ++ qpol_context() { + BEGIN_EXCEPTION + SWIG_exception(SWIG_RuntimeError, "Cannot directly create qpol_context_t objects"); + END_EXCEPTION + fail: + return NULL; + }; +- ~qpol_context_t() { ++ ~qpol_context() { + /* no op */ + return; + }; +- const qpol_user_t *get_user(qpol_policy_t *p) { ++ const qpol_user_t *wrap_get_user(qpol_policy_t *p) { + const qpol_user_t *u; + BEGIN_EXCEPTION + if (qpol_context_get_user(p, self, &u)) { +@@ -1316,7 +1468,7 @@ typedef struct qpol_context {} qpol_context_t; + fail: + return u; + }; +- const qpol_role_t *get_role(qpol_policy_t *p) { ++ const qpol_role_t *wrap_get_role(qpol_policy_t *p) { + const qpol_role_t *r; + BEGIN_EXCEPTION + if (qpol_context_get_role(p, self, &r)) { +@@ -1326,7 +1478,7 @@ typedef struct qpol_context {} qpol_context_t; + fail: + return r; + }; +- const qpol_type_t *get_type(qpol_policy_t *p) { ++ const qpol_type_t *wrap_get_type(qpol_policy_t *p) { + const qpol_type_t *t; + BEGIN_EXCEPTION + if (qpol_context_get_type(p, self, &t)) { +@@ -1336,7 +1488,7 @@ typedef struct qpol_context {} qpol_context_t; + fail: + return t; + }; +- const qpol_mls_range_t *get_range(qpol_policy_t *p) { ++ const qpol_mls_range_t *wrap_get_range(qpol_policy_t *p) { + const qpol_mls_range_t *r; + BEGIN_EXCEPTION + if (qpol_context_get_range(p, self, &r)) { +@@ -1356,7 +1508,7 @@ typedef struct qpol_context {} qpol_context_t; + /* qpol class */ + typedef struct qpol_class {} qpol_class_t; + %extend qpol_class_t { +- qpol_class_t(qpol_policy_t *p, const char *name) { ++ qpol_class(qpol_policy_t *p, const char *name) { + const qpol_class_t *c; + BEGIN_EXCEPTION + if (qpol_policy_get_class_by_name(p, name, &c)) { +@@ -1366,11 +1518,12 @@ typedef struct qpol_class {} qpol_class_t; + fail: + return (qpol_class_t*)c; + }; +- ~qpol_class_t() { ++ ~qpol_class() { + /* no op */ + return; + }; +- int get_value(qpol_policy_t *p) { ++ %rename(get_value) wrap_get_value; ++ int wrap_get_value(qpol_policy_t *p) { + uint32_t v; + BEGIN_EXCEPTION + if (qpol_class_get_value(p, self, &v)) { +@@ -1380,7 +1533,8 @@ typedef struct qpol_class {} qpol_class_t; + fail: + return (int) v; + }; +- const qpol_common_t *get_common(qpol_policy_t *p) { ++ %rename(get_common) wrap_get_common; ++ const qpol_common_t *wrap_get_common(qpol_policy_t *p) { + const qpol_common_t *c; + BEGIN_EXCEPTION + if(qpol_class_get_common(p, self, &c)) { +@@ -1391,7 +1545,8 @@ typedef struct qpol_class {} qpol_class_t; + return c; + }; + %newobject get_perm_iter(qpol_policy_t*); +- qpol_iterator_t *get_perm_iter(qpol_policy_t *p) { ++ %rename(get_perm_iter) wrap_get_perm_iter; ++ qpol_iterator_t *wrap_get_perm_iter(qpol_policy_t *p) { + qpol_iterator_t *iter; + BEGIN_EXCEPTION + if(qpol_class_get_perm_iter(p, self, &iter)) { +@@ -1402,7 +1557,8 @@ typedef struct qpol_class {} qpol_class_t; + return iter; + }; + %newobject get_constraint_iter(qpol_policy_t*); +- qpol_iterator_t *get_constraint_iter(qpol_policy_t *p) { ++ %rename(get_constraint_iter) wrap_get_constraint_iter; ++ qpol_iterator_t *wrap_get_constraint_iter(qpol_policy_t *p) { + qpol_iterator_t *iter; + BEGIN_EXCEPTION + if(qpol_class_get_constraint_iter(p, self, &iter)) { +@@ -1413,7 +1569,8 @@ typedef struct qpol_class {} qpol_class_t; + return iter; + }; + %newobject get_validatetrans_iter(qpol_policy_t*); +- qpol_iterator_t *get_validatetrans_iter(qpol_policy_t *p) { ++ %rename(get_validatetrans_iter) wrap_get_validatetrans_iter; ++ qpol_iterator_t *wrap_get_validatetrans_iter(qpol_policy_t *p) { + qpol_iterator_t *iter; + BEGIN_EXCEPTION + if(qpol_class_get_validatetrans_iter(p, self, &iter)) { +@@ -1423,7 +1580,8 @@ typedef struct qpol_class {} qpol_class_t; + fail: + return iter; + }; +- const char *get_name(qpol_policy_t *p) { ++ %rename(get_name) wrap_get_name; ++ const char *wrap_get_name(qpol_policy_t *p) { + const char *name; + BEGIN_EXCEPTION + if (qpol_class_get_name(p, self, &name)) { +@@ -1443,7 +1601,7 @@ typedef struct qpol_class {} qpol_class_t; + /* qpol common */ + typedef struct qpol_common {} qpol_common_t; + %extend qpol_common_t { +- qpol_common_t(qpol_policy_t *p, const char *name) { ++ qpol_common(qpol_policy_t *p, const char *name) { + const qpol_common_t *c; + BEGIN_EXCEPTION + if (qpol_policy_get_common_by_name(p, name, &c)) { +@@ -1453,11 +1611,12 @@ typedef struct qpol_common {} qpol_common_t; + fail: + return (qpol_common_t*)c; + }; +- ~qpol_common_t() { ++ ~qpol_common() { + /* no op */ + return; + }; +- int get_value(qpol_policy_t *p) { ++ %rename(get_value) wrap_get_value; ++ int wrap_get_value(qpol_policy_t *p) { + uint32_t v; + BEGIN_EXCEPTION + if (qpol_common_get_value(p, self, &v)) { +@@ -1468,7 +1627,8 @@ typedef struct qpol_common {} qpol_common_t; + return (int) v; + }; + %newobject get_perm_iter(qpol_policy_t*); +- qpol_iterator_t *get_perm_iter(qpol_policy_t *p) { ++ %rename(get_perm_iter) wrap_get_perm_iter; ++ qpol_iterator_t *wrap_get_perm_iter(qpol_policy_t *p) { + qpol_iterator_t *iter; + BEGIN_EXCEPTION + if(qpol_common_get_perm_iter(p, self, &iter)) { +@@ -1478,7 +1638,8 @@ typedef struct qpol_common {} qpol_common_t; + fail: + return iter; + }; +- const char *get_name(qpol_policy_t *p) { ++ %rename(get_name) wrap_get_name; ++ const char *wrap_get_name(qpol_policy_t *p) { + const char *name; + BEGIN_EXCEPTION + if (qpol_common_get_name(p, self, &name)) { +@@ -1516,7 +1677,7 @@ typedef struct qpol_common {} qpol_common_t; + #endif + typedef struct qpol_fs_use {} qpol_fs_use_t; + %extend qpol_fs_use_t { +- qpol_fs_use_t(qpol_policy_t *p, const char *name) { ++ qpol_fs_use(qpol_policy_t *p, const char *name) { + const qpol_fs_use_t *f; + BEGIN_EXCEPTION + if (qpol_policy_get_fs_use_by_name(p, name, &f)) { +@@ -1526,11 +1687,12 @@ typedef struct qpol_fs_use {} qpol_fs_use_t; + fail: + return (qpol_fs_use_t*)f; + }; +- ~qpol_fs_use_t() { ++ ~qpol_fs_use() { + /* no op */ + return; + }; +- const char *get_name(qpol_policy_t *p) { ++ %rename(get_name) wrap_get_name; ++ const char *wrap_get_name(qpol_policy_t *p) { + const char *name; + BEGIN_EXCEPTION + if (qpol_fs_use_get_name(p, self, &name)) { +@@ -1540,7 +1702,8 @@ typedef struct qpol_fs_use {} qpol_fs_use_t; + fail: + return name; + }; +- int get_behavior(qpol_policy_t *p) { ++ %rename(get_behavior) wrap_get_behavior; ++ int wrap_get_behavior(qpol_policy_t *p) { + uint32_t behav; + BEGIN_EXCEPTION + if (qpol_fs_use_get_behavior(p, self, &behav)) { +@@ -1550,7 +1713,8 @@ typedef struct qpol_fs_use {} qpol_fs_use_t; + fail: + return (int) behav; + }; +- const qpol_context_t *get_context(qpol_policy_t *p) { ++ %rename(get_context) wrap_get_context; ++ const qpol_context_t *wrap_get_context(qpol_policy_t *p) { + uint32_t behav; + const qpol_context_t *ctx = NULL; + BEGIN_EXCEPTION +@@ -1594,7 +1758,7 @@ typedef struct qpol_fs_use {} qpol_fs_use_t; + #endif + typedef struct qpol_genfscon {} qpol_genfscon_t; + %extend qpol_genfscon_t { +- qpol_genfscon_t(qpol_policy_t *p, const char *name, const char *path) { ++ qpol_genfscon(qpol_policy_t *p, const char *name, const char *path) { + qpol_genfscon_t *g; + BEGIN_EXCEPTION + if (qpol_policy_get_genfscon_by_name(p, name, path, &g)) { +@@ -1604,10 +1768,11 @@ typedef struct qpol_genfscon {} qpol_genfscon_t; + fail: + return g; + }; +- ~qpol_genfscon_t() { ++ ~qpol_genfscon() { + free(self); + }; +- const char *get_name(qpol_policy_t *p) { ++ %rename(get_name) wrap_get_name; ++ const char *wrap_get_name(qpol_policy_t *p) { + const char *name; + BEGIN_EXCEPTION + if (qpol_genfscon_get_name(p, self, &name)) { +@@ -1617,7 +1782,8 @@ typedef struct qpol_genfscon {} qpol_genfscon_t; + fail: + return name; + }; +- const char *get_path(qpol_policy_t *p) { ++ %rename(get_path) wrap_get_path; ++ const char *wrap_get_path(qpol_policy_t *p) { + const char *path; + BEGIN_EXCEPTION + if (qpol_genfscon_get_path(p, self, &path)) { +@@ -1627,7 +1793,8 @@ typedef struct qpol_genfscon {} qpol_genfscon_t; + fail: + return path; + }; +- int get_class(qpol_policy_t *p) { ++ %rename(get_class) wrap_get_class; ++ int wrap_get_class(qpol_policy_t *p) { + uint32_t cls; + BEGIN_EXCEPTION + if (qpol_genfscon_get_class(p, self, &cls)) { +@@ -1637,7 +1804,8 @@ typedef struct qpol_genfscon {} qpol_genfscon_t; + fail: + return (int) cls; + }; +- const qpol_context_t *get_context(qpol_policy_t *p) { ++ %rename(get_context) wrap_get_context; ++ const qpol_context_t *wrap_get_context(qpol_policy_t *p) { + const qpol_context_t *ctx; + BEGIN_EXCEPTION + if (qpol_genfscon_get_context(p, self, &ctx)) { +@@ -1657,7 +1825,7 @@ typedef struct qpol_genfscon {} qpol_genfscon_t; + /* qpol isid */ + typedef struct qpol_isid {} qpol_isid_t; + %extend qpol_isid_t { +- qpol_isid_t(qpol_policy_t *p, const char *name) { ++ qpol_isid(qpol_policy_t *p, const char *name) { + const qpol_isid_t *i; + BEGIN_EXCEPTION + if (qpol_policy_get_isid_by_name(p, name, &i)) { +@@ -1667,11 +1835,12 @@ typedef struct qpol_isid {} qpol_isid_t; + fail: + return (qpol_isid_t*)i; + }; +- ~qpol_isid_t() { ++ ~qpol_isid() { + /* no op */ + return; + }; +- const char *get_name(qpol_policy_t *p) { ++ %rename(get_name) wrap_get_name; ++ const char *wrap_get_name(qpol_policy_t *p) { + const char *name; + BEGIN_EXCEPTION + if (qpol_isid_get_name(p, self, &name)) { +@@ -1681,7 +1850,8 @@ typedef struct qpol_isid {} qpol_isid_t; + fail: + return name; + }; +- const qpol_context_t *get_context(qpol_policy_t *p) { ++ %rename(get_context) wrap_get_context; ++ const qpol_context_t *wrap_get_context(qpol_policy_t *p) { + const qpol_context_t *ctx; + BEGIN_EXCEPTION + if (qpol_isid_get_context(p, self, &ctx)) { +@@ -1701,7 +1871,7 @@ typedef struct qpol_isid {} qpol_isid_t; + /* qpol netifcon */ + typedef struct qpol_netifcon {} qpol_netifcon_t; + %extend qpol_netifcon_t { +- qpol_netifcon_t(qpol_policy_t *p, const char *name) { ++ qpol_netifcon(qpol_policy_t *p, const char *name) { + const qpol_netifcon_t *n; + BEGIN_EXCEPTION + if (qpol_policy_get_netifcon_by_name(p, name, &n)) { +@@ -1711,11 +1881,12 @@ typedef struct qpol_netifcon {} qpol_netifcon_t; + fail: + return (qpol_netifcon_t*)n; + }; +- ~qpol_netifcon_t() { ++ ~qpol_netifcon() { + /* no op */ + return; + }; +- const char *get_name(qpol_policy_t *p) { ++ %rename(get_name) wrap_get_name; ++ const char *wrap_get_name(qpol_policy_t *p) { + const char *name; + BEGIN_EXCEPTION + if (qpol_netifcon_get_name(p, self, &name)) { +@@ -1725,7 +1896,8 @@ typedef struct qpol_netifcon {} qpol_netifcon_t; + fail: + return name; + }; +- const qpol_context_t *get_msg_con(qpol_policy_t *p) { ++ %rename(get_msg_con) wrap_get_msg_con; ++ const qpol_context_t *wrap_get_msg_con(qpol_policy_t *p) { + const qpol_context_t *ctx; + BEGIN_EXCEPTION + if (qpol_netifcon_get_msg_con(p, self, &ctx)) { +@@ -1735,7 +1907,8 @@ typedef struct qpol_netifcon {} qpol_netifcon_t; + fail: + return ctx; + }; +- const qpol_context_t *get_if_con(qpol_policy_t *p) { ++ %rename(get_if_con) wrap_get_if_con; ++ const qpol_context_t *wrap_get_if_con(qpol_policy_t *p) { + const qpol_context_t *ctx; + BEGIN_EXCEPTION + if (qpol_netifcon_get_if_con(p, self, &ctx)) { +@@ -1757,7 +1930,7 @@ typedef struct qpol_netifcon {} qpol_netifcon_t; + #define QPOL_IPV6 1 + typedef struct qpol_nodecon {} qpol_nodecon_t; + %extend qpol_nodecon_t { +- qpol_nodecon_t(qpol_policy_t *p, int addr[4], int mask[4], int protocol) { ++ qpol_nodecon(qpol_policy_t *p, int addr[4], int mask[4], int protocol) { + uint32_t a[4], m[4]; + qpol_nodecon_t *n; + BEGIN_EXCEPTION +@@ -1772,10 +1945,11 @@ typedef struct qpol_nodecon {} qpol_nodecon_t; + fail: + return n; + } +- ~qpol_nodecon_t() { ++ ~qpol_nodecon() { + free(self); + }; +- uint32_t *get_addr(qpol_policy_t *p) { ++ %rename(get_addr) wrap_get_addr; ++ uint32_t *wrap_get_addr(qpol_policy_t *p) { + uint32_t *a; + BEGIN_EXCEPTION + unsigned char proto; /* currently dropped; stores the protocol - call get_protocol() */ +@@ -1786,7 +1960,8 @@ typedef struct qpol_nodecon {} qpol_nodecon_t; + fail: + return a; + }; +- uint32_t *get_mask(qpol_policy_t *p) { ++ %rename(get_mask) wrap_get_mask; ++ uint32_t *wrap_get_mask(qpol_policy_t *p) { + uint32_t *m; + BEGIN_EXCEPTION + unsigned char proto; /* currently dropped; stores the protocol - call get_protocol() */ +@@ -1797,7 +1972,8 @@ typedef struct qpol_nodecon {} qpol_nodecon_t; + fail: + return m; + }; +- int get_protocol(qpol_policy_t *p) { ++ %rename(get_protocol) wrap_get_protocol; ++ int wrap_get_protocol(qpol_policy_t *p) { + unsigned char proto; + BEGIN_EXCEPTION + if (qpol_nodecon_get_protocol(p, self, &proto)) { +@@ -1807,7 +1983,8 @@ typedef struct qpol_nodecon {} qpol_nodecon_t; + fail: + return proto; + }; +- const qpol_context_t *get_context(qpol_policy_t *p) { ++ %rename(get_context) wrap_get_context; ++ const qpol_context_t *wrap_get_context(qpol_policy_t *p) { + const qpol_context_t *ctx; + BEGIN_EXCEPTION + if (qpol_nodecon_get_context(p, self, &ctx)) { +@@ -1830,7 +2007,7 @@ typedef struct qpol_nodecon {} qpol_nodecon_t; + #define IPPROTO_UDP 17 + typedef struct qpol_portcon {} qpol_portcon_t; + %extend qpol_portcon_t { +- qpol_portcon_t(qpol_policy_t *p, uint16_t low, uint16_t high, uint8_t protocol) { ++ qpol_portcon(qpol_policy_t *p, uint16_t low, uint16_t high, uint8_t protocol) { + const qpol_portcon_t *qp; + BEGIN_EXCEPTION + if (qpol_policy_get_portcon_by_port(p, low, high, protocol, &qp)) { +@@ -1840,11 +2017,12 @@ typedef struct qpol_portcon {} qpol_portcon_t; + fail: + return (qpol_portcon_t*)qp; + }; +- ~qpol_portcon_t() { ++ ~qpol_portcon() { + /* no op */ + return; + }; +- uint16_t get_low_port(qpol_policy_t *p) { ++ %rename(get_low_port) wrap_get_low_port; ++ uint16_t wrap_get_low_port(qpol_policy_t *p) { + uint16_t port = 0; + BEGIN_EXCEPTION + if(qpol_portcon_get_low_port(p, self, &port)) { +@@ -1854,7 +2032,8 @@ typedef struct qpol_portcon {} qpol_portcon_t; + fail: + return port; + }; +- uint16_t get_high_port(qpol_policy_t *p) { ++ %rename(get_high_port) wrap_get_high_port; ++ uint16_t wrap_get_high_port(qpol_policy_t *p) { + uint16_t port = 0; + BEGIN_EXCEPTION + if(qpol_portcon_get_high_port(p, self, &port)) { +@@ -1864,7 +2043,8 @@ typedef struct qpol_portcon {} qpol_portcon_t; + fail: + return port; + }; +- uint8_t get_protocol(qpol_policy_t *p) { ++ %rename(get_protocol) wrap_get_protocol; ++ uint8_t wrap_get_protocol(qpol_policy_t *p) { + uint8_t proto = 0; + BEGIN_EXCEPTION + if (qpol_portcon_get_protocol(p, self, &proto)) { +@@ -1874,7 +2054,8 @@ typedef struct qpol_portcon {} qpol_portcon_t; + fail: + return proto; + }; +- const qpol_context_t *get_context(qpol_policy_t *p) { ++ %rename(get_context) wrap_get_context; ++ const qpol_context_t *wrap_get_context(qpol_policy_t *p) { + const qpol_context_t *ctx; + BEGIN_EXCEPTION + if (qpol_portcon_get_context(p, self, &ctx)) { +@@ -1894,17 +2075,18 @@ typedef struct qpol_portcon {} qpol_portcon_t; + /* qpol constraint */ + typedef struct qpol_constraint {} qpol_constraint_t; + %extend qpol_constraint_t { +- qpol_constraint_t() { ++ qpol_constraint() { + BEGIN_EXCEPTION + SWIG_exception(SWIG_RuntimeError, "Cannot directly create qpol_constraint_t objects"); + END_EXCEPTION + fail: + return NULL; + }; +- ~qpol_constraint_t() { ++ ~qpol_constraint() { + free(self); + }; +- const qpol_class_t *get_class(qpol_policy_t *p) { ++ %rename(get_class) wrap_get_class; ++ const qpol_class_t *wrap_get_class(qpol_policy_t *p) { + const qpol_class_t *cls; + BEGIN_EXCEPTION + if (qpol_constraint_get_class(p, self, &cls)) { +@@ -1915,7 +2097,8 @@ typedef struct qpol_constraint {} qpol_constraint_t; + return cls; + }; + %newobject get_perm_iter(qpol_policy_t*); +- qpol_iterator_t *get_perm_iter(qpol_policy_t *p) { ++ %rename(get_perm_iter) wrap_get_perm_iter; ++ qpol_iterator_t *wrap_get_perm_iter(qpol_policy_t *p) { + qpol_iterator_t *iter; + BEGIN_EXCEPTION + if (qpol_constraint_get_perm_iter(p, self, &iter)) { +@@ -1926,7 +2109,8 @@ typedef struct qpol_constraint {} qpol_constraint_t; + return iter; + }; + %newobject get_expr_iter(qpol_policy_t*); +- qpol_iterator_t *get_expr_iter(qpol_policy_t *p) { ++ %rename(get_expr_iter) wrap_get_expr_iter; ++ qpol_iterator_t *wrap_get_expr_iter(qpol_policy_t *p) { + qpol_iterator_t *iter; + BEGIN_EXCEPTION + if (qpol_constraint_get_expr_iter(p, self, &iter)) { +@@ -1946,17 +2130,18 @@ typedef struct qpol_constraint {} qpol_constraint_t; + /* qpol validatetrans */ + typedef struct qpol_validatetrans {} qpol_validatetrans_t; + %extend qpol_validatetrans_t { +- qpol_validatetrans_t() { ++ qpol_validatetrans() { + BEGIN_EXCEPTION + SWIG_exception(SWIG_RuntimeError, "Cannot directly create qpol_validatetrans_t objects"); + END_EXCEPTION + fail: + return NULL; + }; +- ~qpol_validatetrans_t() { ++ ~qpol_validatetrans() { + free(self); + }; +- const qpol_class_t *get_class(qpol_policy_t *p) { ++ %rename(get_class) wrap_get_class; ++ const qpol_class_t *wrap_get_class(qpol_policy_t *p) { + const qpol_class_t *cls; + BEGIN_EXCEPTION + if (qpol_validatetrans_get_class(p, self, &cls)) { +@@ -1967,7 +2152,8 @@ typedef struct qpol_validatetrans {} qpol_validatetrans_t; + return cls; + }; + %newobject get_expr_iter(qpol_policy_t*); +- qpol_iterator_t *get_expr_iter(qpol_policy_t *p) { ++ %rename(get_expr_iter) wrap_get_expr_iter; ++ qpol_iterator_t *wrap_get_expr_iter(qpol_policy_t *p) { + qpol_iterator_t *iter; + BEGIN_EXCEPTION + if (qpol_validatetrans_get_expr_iter(p, self, &iter)) { +@@ -2011,18 +2197,19 @@ typedef struct qpol_validatetrans {} qpol_validatetrans_t; + #define QPOL_CEXPR_OP_INCOMP 5 + typedef struct qpol_constraint_expr_node {} qpol_constraint_expr_node_t; + %extend qpol_constraint_expr_node_t { +- qpol_constraint_expr_node_t() { ++ qpol_constraint_expr_node() { + BEGIN_EXCEPTION + SWIG_exception(SWIG_RuntimeError, "Cannot directly create qpol_constraint_expr_node_t objects"); + END_EXCEPTION + fail: + return NULL; + }; +- ~qpol_constraint_expr_node_t() { ++ ~qpol_constraint_expr_node() { + /* no op */ + return; + }; +- int get_expr_type(qpol_policy_t *p) { ++ %rename(get_expr_type) wrap_get_expr_type; ++ int wrap_get_expr_type(qpol_policy_t *p) { + uint32_t et; + BEGIN_EXCEPTION + if (qpol_constraint_expr_node_get_expr_type(p, self, &et)) { +@@ -2032,7 +2219,8 @@ typedef struct qpol_constraint_expr_node {} qpol_constraint_expr_node_t; + fail: + return (int) et; + }; +- int get_sym_type(qpol_policy_t *p) { ++ %rename(get_sym_type) wrap_get_sym_type; ++ int wrap_get_sym_type(qpol_policy_t *p) { + uint32_t st; + BEGIN_EXCEPTION + if (qpol_constraint_expr_node_get_sym_type(p, self, &st)) { +@@ -2042,7 +2230,8 @@ typedef struct qpol_constraint_expr_node {} qpol_constraint_expr_node_t; + fail: + return (int) st; + }; +- int get_op(qpol_policy_t *p) { ++ %rename(get_op) wrap_get_op; ++ int wrap_get_op(qpol_policy_t *p) { + uint32_t op; + BEGIN_EXCEPTION + if (qpol_constraint_expr_node_get_op(p, self, &op)) { +@@ -2053,7 +2242,8 @@ typedef struct qpol_constraint_expr_node {} qpol_constraint_expr_node_t; + return (int) op; + }; + %newobject get_names_iter(qpol_policy_t*); +- qpol_iterator_t *get_names_iter(qpol_policy_t *p) { ++ %rename(get_names_iter) wrap_get_names_iter; ++ qpol_iterator_t *wrap_get_names_iter(qpol_policy_t *p) { + qpol_iterator_t *iter; + BEGIN_EXCEPTION + if (qpol_constraint_expr_node_get_names_iter(p, self, &iter)) { +@@ -2073,18 +2263,19 @@ typedef struct qpol_constraint_expr_node {} qpol_constraint_expr_node_t; + /* qpol role allow */ + typedef struct qpol_role_allow {} qpol_role_allow_t; + %extend qpol_role_allow_t { +- qpol_role_allow_t() { ++ qpol_role_allow() { + BEGIN_EXCEPTION + SWIG_exception(SWIG_RuntimeError, "Cannot directly create qpol_role_allow_t objects"); + END_EXCEPTION + fail: + return NULL; + }; +- ~qpol_role_allow_t() { ++ ~qpol_role_allow() { + /* no op */ + return; + }; +- const qpol_role_t *get_source_role(qpol_policy_t *p) { ++ %rename(get_source_role) wrap_get_source_role; ++ const qpol_role_t *wrap_get_source_role(qpol_policy_t *p) { + const qpol_role_t *r; + BEGIN_EXCEPTION + if (qpol_role_allow_get_source_role(p, self, &r)) { +@@ -2094,7 +2285,8 @@ typedef struct qpol_role_allow {} qpol_role_allow_t; + fail: + return r; + }; +- const qpol_role_t *get_target_role(qpol_policy_t *p) { ++ %rename(get_target_role) wrap_get_target_role; ++ const qpol_role_t *wrap_get_target_role(qpol_policy_t *p) { + const qpol_role_t *r; + BEGIN_EXCEPTION + if (qpol_role_allow_get_target_role(p, self, &r)) { +@@ -2114,18 +2306,19 @@ typedef struct qpol_role_allow {} qpol_role_allow_t; + /* qpol role trans */ + typedef struct qpol_role_trans {} qpol_role_trans_t; + %extend qpol_role_trans_t { +- qpol_role_trans_t() { ++ qpol_role_trans() { + BEGIN_EXCEPTION + SWIG_exception(SWIG_RuntimeError, "Cannot directly create qpol_role_trans_t objects"); + END_EXCEPTION + fail: + return NULL; + }; +- ~qpol_role_trans_t() { ++ ~qpol_role_trans() { + /* no op */ + return; + }; +- const qpol_role_t *get_source_role(qpol_policy_t *p) { ++ %rename(get_source_role) wrap_get_source_role; ++ const qpol_role_t *wrap_get_source_role(qpol_policy_t *p) { + const qpol_role_t *r; + BEGIN_EXCEPTION + if (qpol_role_trans_get_source_role(p, self, &r)) { +@@ -2135,7 +2328,8 @@ typedef struct qpol_role_trans {} qpol_role_trans_t; + fail: + return r; + }; +- const qpol_type_t *get_target_type(qpol_policy_t *p) { ++ %rename(get_target_type) wrap_get_target_type; ++ const qpol_type_t *wrap_get_target_type(qpol_policy_t *p) { + const qpol_type_t *t; + BEGIN_EXCEPTION + if (qpol_role_trans_get_target_type(p, self, &t)) { +@@ -2145,7 +2339,19 @@ typedef struct qpol_role_trans {} qpol_role_trans_t; + fail: + return t; + }; +- const qpol_role_t *get_default_role(qpol_policy_t *p) { ++ %rename(get_object_class) wrap_get_object_class; ++ const qpol_class_t *wrap_get_object_class(qpol_policy_t *p) { ++ const qpol_class_t *c; ++ BEGIN_EXCEPTION ++ if (qpol_role_trans_get_object_class(p, self, &c)) { ++ SWIG_exception(SWIG_ValueError, "Could not get class for role_transition rule"); ++ } ++ END_EXCEPTION ++ fail: ++ return c; ++ }; ++ %rename(get_default_role) wrap_get_default_role; ++ const qpol_role_t *wrap_get_default_role(qpol_policy_t *p) { + const qpol_role_t *r; + BEGIN_EXCEPTION + if (qpol_role_trans_get_default_role(p, self, &r)) { +@@ -2165,18 +2371,19 @@ typedef struct qpol_role_trans {} qpol_role_trans_t; + /* qpol range trans */ + typedef struct qpol_range_trans {} qpol_range_trans_t; + %extend qpol_range_trans_t { +- qpol_range_trans_t() { ++ qpol_range_trans() { + BEGIN_EXCEPTION + SWIG_exception(SWIG_RuntimeError, "Cannot directly create qpol_range_trans_t objects"); + END_EXCEPTION + fail: + return NULL; + }; +- ~qpol_range_trans_t() { ++ ~qpol_range_trans() { + /* no op */ + return; + }; +- const qpol_type_t *get_source_type (qpol_policy_t *p) { ++ %rename(get_source_type) wrap_get_source_type; ++ const qpol_type_t *wrap_get_source_type (qpol_policy_t *p) { + const qpol_type_t *t; + BEGIN_EXCEPTION + if (qpol_range_trans_get_source_type(p, self, &t)) { +@@ -2186,7 +2393,8 @@ typedef struct qpol_range_trans {} qpol_range_trans_t; + fail: + return t; + }; +- const qpol_type_t *get_target_type (qpol_policy_t *p) { ++ %rename(get_target_type) wrap_get_target_type; ++ const qpol_type_t *wrap_get_target_type (qpol_policy_t *p) { + const qpol_type_t *t; + BEGIN_EXCEPTION + if (qpol_range_trans_get_target_type(p, self, &t)) { +@@ -2195,7 +2403,8 @@ typedef struct qpol_range_trans {} qpol_range_trans_t; + fail: + return t; + }; +- const qpol_class_t *get_target_class(qpol_policy_t *p) { ++ %rename(get_target_class) wrap_get_target_class; ++ const qpol_class_t *wrap_get_target_class(qpol_policy_t *p) { + const qpol_class_t *cls; + BEGIN_EXCEPTION + if (qpol_range_trans_get_target_class(p, self, &cls)) { +@@ -2204,7 +2413,8 @@ typedef struct qpol_range_trans {} qpol_range_trans_t; + fail: + return cls; + }; +- const qpol_mls_range_t *get_range(qpol_policy_t *p) { ++ %rename(get_range) wrap_get_range; ++ const qpol_mls_range_t *wrap_get_range(qpol_policy_t *p) { + const qpol_mls_range_t *r; + BEGIN_EXCEPTION + if (qpol_range_trans_get_range(p, self, &r)) { +@@ -2228,18 +2438,19 @@ typedef struct qpol_range_trans {} qpol_range_trans_t; + #define QPOL_RULE_DONTAUDIT 4 + typedef struct qpol_avrule {} qpol_avrule_t; + %extend qpol_avrule_t { +- qpol_avrule_t() { ++ qpol_avrule() { + BEGIN_EXCEPTION + SWIG_exception(SWIG_RuntimeError, "Cannot directly create qpol_avrule_t objects"); + END_EXCEPTION + fail: + return NULL; + }; +- ~qpol_avrule_t() { ++ ~qpol_avrule() { + /* no op */ + return; + }; +- int get_rule_type(qpol_policy_t *p) { ++ %rename(get_rule_type) wrap_get_rule_type; ++ int wrap_get_rule_type(qpol_policy_t *p) { + uint32_t rt; + BEGIN_EXCEPTION + if (qpol_avrule_get_rule_type(p, self, &rt)) { +@@ -2249,7 +2460,8 @@ typedef struct qpol_avrule {} qpol_avrule_t; + fail: + return (int) rt; + }; +- const qpol_type_t *get_source_type(qpol_policy_t *p) { ++ %rename(get_source_type) wrap_get_source_type; ++ const qpol_type_t *wrap_get_source_type(qpol_policy_t *p) { + const qpol_type_t *t; + BEGIN_EXCEPTION + if (qpol_avrule_get_source_type(p, self, &t)) { +@@ -2259,7 +2471,8 @@ typedef struct qpol_avrule {} qpol_avrule_t; + fail: + return t; + }; +- const qpol_type_t *get_target_type(qpol_policy_t *p) { ++ %rename(get_target_type) wrap_get_target_type; ++ const qpol_type_t *wrap_get_target_type(qpol_policy_t *p) { + const qpol_type_t *t; + BEGIN_EXCEPTION + if (qpol_avrule_get_target_type(p, self, &t)) { +@@ -2269,7 +2482,8 @@ typedef struct qpol_avrule {} qpol_avrule_t; + fail: + return t; + }; +- const qpol_class_t *get_object_class(qpol_policy_t *p) { ++ %rename(get_object_class) wrap_get_object_class; ++ const qpol_class_t *wrap_get_object_class(qpol_policy_t *p) { + const qpol_class_t *cls; + BEGIN_EXCEPTION + if (qpol_avrule_get_object_class(p, self, &cls)) { +@@ -2280,7 +2494,8 @@ typedef struct qpol_avrule {} qpol_avrule_t; + return cls; + }; + %newobject get_perm_iter(qpol_policy_t *p); +- qpol_iterator_t *get_perm_iter(qpol_policy_t *p) { ++ %rename(get_perm_iter) wrap_get_perm_iter; ++ qpol_iterator_t *wrap_get_perm_iter(qpol_policy_t *p) { + qpol_iterator_t *iter; + BEGIN_EXCEPTION + if (qpol_avrule_get_perm_iter(p, self, &iter)) { +@@ -2290,7 +2505,8 @@ typedef struct qpol_avrule {} qpol_avrule_t; + fail: + return iter; + }; +- const qpol_cond_t *get_cond(qpol_policy_t *p) { ++ %rename(get_cond) wrap_get_cond; ++ const qpol_cond_t *wrap_get_cond(qpol_policy_t *p) { + const qpol_cond_t *c; + BEGIN_EXCEPTION + if (qpol_avrule_get_cond(p, self, &c)) { +@@ -2300,7 +2516,8 @@ typedef struct qpol_avrule {} qpol_avrule_t; + fail: + return c; + }; +- int get_is_enabled(qpol_policy_t *p) { ++ %rename(get_is_enabled) wrap_get_is_enabled; ++ int wrap_get_is_enabled(qpol_policy_t *p) { + uint32_t e; + BEGIN_EXCEPTION + if (qpol_avrule_get_is_enabled(p, self, &e)) { +@@ -2310,7 +2527,8 @@ typedef struct qpol_avrule {} qpol_avrule_t; + fail: + return (int) e; + }; +- int get_which_list(qpol_policy_t *p) { ++ %rename(get_which_list) wrap_get_which_list; ++ int wrap_get_which_list(qpol_policy_t *p) { + const qpol_cond_t *c; + uint32_t which = 0; + BEGIN_EXCEPTION +@@ -2325,7 +2543,8 @@ typedef struct qpol_avrule {} qpol_avrule_t; + return (int) which; + }; + %newobject get_syn_avrule_iter(qpol_policy_t*); +- qpol_iterator_t *get_syn_avrule_iter(qpol_policy_t *p) { ++ %rename(get_syn_avrule_iter) wrap_get_syn_avrule_iter; ++ qpol_iterator_t *wrap_get_syn_avrule_iter(qpol_policy_t *p) { + qpol_iterator_t *iter; + BEGIN_EXCEPTION + if (qpol_avrule_get_syn_avrule_iter(p, self, &iter)) { +@@ -2348,18 +2567,19 @@ typedef struct qpol_avrule {} qpol_avrule_t; + #define QPOL_RULE_TYPE_MEMBER 32 + typedef struct qpol_terule {} qpol_terule_t; + %extend qpol_terule_t { +- qpol_terule_t() { ++ qpol_terule() { + BEGIN_EXCEPTION + SWIG_exception(SWIG_RuntimeError, "Cannot directly create qpol_terule_t objects"); + END_EXCEPTION + fail: + return NULL; + }; +- ~qpol_terule_t() { ++ ~qpol_terule() { + /* no op */ + return; + }; +- int get_rule_type(qpol_policy_t *p) { ++ %rename(get_rule_type) wrap_get_rule_type; ++ int wrap_get_rule_type(qpol_policy_t *p) { + uint32_t rt; + BEGIN_EXCEPTION + if (qpol_terule_get_rule_type(p, self, &rt)) { +@@ -2369,7 +2589,8 @@ typedef struct qpol_terule {} qpol_terule_t; + fail: + return (int) rt; + }; +- const qpol_type_t *get_source_type(qpol_policy_t *p) { ++ %rename(get_source_type) wrap_get_source_type; ++ const qpol_type_t *wrap_get_source_type(qpol_policy_t *p) { + const qpol_type_t *t; + BEGIN_EXCEPTION + if (qpol_terule_get_source_type(p, self, &t)) { +@@ -2379,7 +2600,8 @@ typedef struct qpol_terule {} qpol_terule_t; + fail: + return t; + }; +- const qpol_type_t *get_target_type(qpol_policy_t *p) { ++ %rename(get_target_type) wrap_get_target_type; ++ const qpol_type_t *wrap_get_target_type(qpol_policy_t *p) { + const qpol_type_t *t; + BEGIN_EXCEPTION + if (qpol_terule_get_target_type(p, self, &t)) { +@@ -2389,7 +2611,8 @@ typedef struct qpol_terule {} qpol_terule_t; + fail: + return t; + }; +- const qpol_class_t *get_object_class(qpol_policy_t *p) { ++ %rename(get_object_class) wrap_get_object_class; ++ const qpol_class_t *wrap_get_object_class(qpol_policy_t *p) { + const qpol_class_t *cls; + BEGIN_EXCEPTION + if (qpol_terule_get_object_class(p, self, &cls)) { +@@ -2399,7 +2622,8 @@ typedef struct qpol_terule {} qpol_terule_t; + fail: + return cls; + }; +- const qpol_type_t *get_default_type(qpol_policy_t *p) { ++ %rename(get_default_type) wrap_get_default_type; ++ const qpol_type_t *wrap_get_default_type(qpol_policy_t *p) { + const qpol_type_t *t; + BEGIN_EXCEPTION + if (qpol_terule_get_default_type(p, self, &t)) { +@@ -2409,7 +2633,8 @@ typedef struct qpol_terule {} qpol_terule_t; + fail: + return t; + }; +- const qpol_cond_t *get_cond(qpol_policy_t *p) { ++ %rename(get_cond) wrap_get_cond; ++ const qpol_cond_t *wrap_get_cond(qpol_policy_t *p) { + const qpol_cond_t *c; + BEGIN_EXCEPTION + if (qpol_terule_get_cond(p, self, &c)) { +@@ -2419,7 +2644,8 @@ typedef struct qpol_terule {} qpol_terule_t; + fail: + return c; + }; +- int get_is_enabled(qpol_policy_t *p) { ++ %rename(get_is_enabled) wrap_get_is_enabled; ++ int wrap_get_is_enabled(qpol_policy_t *p) { + uint32_t e; + BEGIN_EXCEPTION + if (qpol_terule_get_is_enabled(p, self, &e)) { +@@ -2429,7 +2655,8 @@ typedef struct qpol_terule {} qpol_terule_t; + fail: + return (int) e; + }; +- int get_which_list(qpol_policy_t *p) { ++ %rename(get_which_list) wrap_get_which_list; ++ int wrap_get_which_list(qpol_policy_t *p) { + const qpol_cond_t *c; + uint32_t which = 0; + BEGIN_EXCEPTION +@@ -2444,7 +2671,8 @@ typedef struct qpol_terule {} qpol_terule_t; + return (int) which; + }; + %newobject get_syn_terule_iter(qpol_policy_t*); +- qpol_iterator_t *get_syn_terule_iter(qpol_policy_t *p) { ++ %rename(get_syn_terule_iter) wrap_get_syn_terule_iter; ++ qpol_iterator_t *wrap_get_syn_terule_iter(qpol_policy_t *p) { + qpol_iterator_t *iter; + BEGIN_EXCEPTION + if (qpol_terule_get_syn_terule_iter(p, self, &iter)) { +@@ -2464,19 +2692,20 @@ typedef struct qpol_terule {} qpol_terule_t; + /* qpol conditional */ + typedef struct qpol_cond {} qpol_cond_t; + %extend qpol_cond_t { +- qpol_cond_t() { ++ qpol_cond() { + BEGIN_EXCEPTION + SWIG_exception(SWIG_RuntimeError, "Cannot directly create qpol_cond_t objects"); + END_EXCEPTION + fail: + return NULL; + }; +- ~qpol_cond_t() { ++ ~qpol_cond() { + /* no op */ + return; + }; + %newobject get_expr_node_iter(qpol_policy_t*); +- qpol_iterator_t *get_expr_node_iter(qpol_policy_t *p) { ++ %rename(get_expr_node_iter) wrap_get_expr_node_iter; ++ qpol_iterator_t *wrap_get_expr_node_iter(qpol_policy_t *p) { + qpol_iterator_t *iter; + BEGIN_EXCEPTION + if (qpol_cond_get_expr_node_iter(p, self, &iter)) { +@@ -2487,7 +2716,8 @@ typedef struct qpol_cond {} qpol_cond_t; + return iter; + }; + %newobject get_av_true_iter(qpol_policy_t*, int); +- qpol_iterator_t *get_av_true_iter(qpol_policy_t *p, int rule_types) { ++ %rename(get_av_true_iter) wrap_get_av_true_iter; ++ qpol_iterator_t *wrap_get_av_true_iter(qpol_policy_t *p, int rule_types) { + qpol_iterator_t *iter; + BEGIN_EXCEPTION + if (qpol_cond_get_av_true_iter(p, self, rule_types, &iter)) { +@@ -2498,7 +2728,8 @@ typedef struct qpol_cond {} qpol_cond_t; + return iter; + }; + %newobject get_av_false_iter(qpol_policy_t*, int); +- qpol_iterator_t *get_av_false_iter(qpol_policy_t *p, int rule_types) { ++ %rename(get_av_false_iter) wrap_get_av_false_iter; ++ qpol_iterator_t *wrap_get_av_false_iter(qpol_policy_t *p, int rule_types) { + qpol_iterator_t *iter; + BEGIN_EXCEPTION + if (qpol_cond_get_av_false_iter(p, self, rule_types, &iter)) { +@@ -2509,7 +2740,8 @@ typedef struct qpol_cond {} qpol_cond_t; + return iter; + }; + %newobject get_te_true_iter(qpol_policy_t*, int); +- qpol_iterator_t *get_te_true_iter(qpol_policy_t *p, int rule_types) { ++ %rename(get_te_true_iter) wrap_get_te_true_iter; ++ qpol_iterator_t *wrap_get_te_true_iter(qpol_policy_t *p, int rule_types) { + qpol_iterator_t *iter; + BEGIN_EXCEPTION + if (qpol_cond_get_te_true_iter(p, self, rule_types, &iter)) { +@@ -2520,7 +2752,8 @@ typedef struct qpol_cond {} qpol_cond_t; + return iter; + }; + %newobject get_te_false_iter(qpol_policy_t*, int); +- qpol_iterator_t *get_te_false_iter(qpol_policy_t *p, int rule_types) { ++ %rename(get_te_false_iter) wrap_get_te_false_iter; ++ qpol_iterator_t *wrap_get_te_false_iter(qpol_policy_t *p, int rule_types) { + qpol_iterator_t *iter; + BEGIN_EXCEPTION + if (qpol_cond_get_te_false_iter(p, self, rule_types, &iter)) { +@@ -2530,7 +2763,8 @@ typedef struct qpol_cond {} qpol_cond_t; + fail: + return iter; + }; +- int eval(qpol_policy_t *p) { ++ %rename(eval) wrap_eval; ++ int wrap_eval(qpol_policy_t *p) { + uint32_t e; + BEGIN_EXCEPTION + if (qpol_cond_eval(p, self, &e)) { +@@ -2557,18 +2791,19 @@ typedef struct qpol_cond {} qpol_cond_t; + #define QPOL_COND_EXPR_NEQ 7 /* bool != bool */ + typedef struct qpol_cond_expr_node {} qpol_cond_expr_node_t; + %extend qpol_cond_expr_node_t { +- qpol_cond_expr_node_t() { ++ qpol_cond_expr_node() { + BEGIN_EXCEPTION + SWIG_exception(SWIG_RuntimeError, "Cannot directly create qpol_cond_expr_node_t objects"); + END_EXCEPTION + fail: + return NULL; + }; +- ~qpol_cond_expr_node_t() { ++ ~qpol_cond_expr_node() { + /* no op */ + return; + }; +- int get_expr_type(qpol_policy_t *p) { ++ %rename(get_expr_type) wrap_get_expr_type; ++ int wrap_get_expr_type(qpol_policy_t *p) { + uint32_t et; + BEGIN_EXCEPTION + if (qpol_cond_expr_node_get_expr_type(p, self, &et)) { +@@ -2578,7 +2813,8 @@ typedef struct qpol_cond_expr_node {} qpol_cond_expr_node_t; + fail: + return (int) et; + }; +- qpol_bool_t *get_bool(qpol_policy_t *p) { ++ %rename(get_bool) wrap_get_bool; ++ qpol_bool_t *wrap_get_bool(qpol_policy_t *p) { + uint32_t et; + qpol_bool_t *b = NULL; + BEGIN_EXCEPTION +@@ -2602,19 +2838,20 @@ typedef struct qpol_cond_expr_node {} qpol_cond_expr_node_t; + /* qpol type set */ + typedef struct qpol_type_set {} qpol_type_set_t; + %extend qpol_type_set_t { +- qpol_type_set_t() { ++ qpol_type_set() { + BEGIN_EXCEPTION + SWIG_exception(SWIG_RuntimeError, "Cannot directly create qpol_type_set_t objects"); + END_EXCEPTION + fail: + return NULL; + }; +- ~qpol_type_set_t() { ++ ~qpol_type_set() { + /* no op */ + return; + }; + %newobject get_included_types_iter(qpol_policy_t*); +- qpol_iterator_t *get_included_types_iter(qpol_policy_t *p) { ++ %rename(get_included_types_iter) wrap_get_included_types_iter; ++ qpol_iterator_t *wrap_get_included_types_iter(qpol_policy_t *p) { + qpol_iterator_t *iter; + BEGIN_EXCEPTION + if (qpol_type_set_get_included_types_iter(p, self, &iter)) { +@@ -2625,7 +2862,8 @@ typedef struct qpol_type_set {} qpol_type_set_t; + return iter; + }; + %newobject get_subtracted_types_iter(qpol_policy_t*); +- qpol_iterator_t *get_subtracted_types_iter(qpol_policy_t *p) { ++ %rename(get_subtracted_types_iter) wrap_get_subtracted_types_iter; ++ qpol_iterator_t *wrap_get_subtracted_types_iter(qpol_policy_t *p) { + qpol_iterator_t *iter; + BEGIN_EXCEPTION + if (qpol_type_set_get_subtracted_types_iter(p, self, &iter)) { +@@ -2635,7 +2873,8 @@ typedef struct qpol_type_set {} qpol_type_set_t; + fail: + return iter; + }; +- int get_is_star(qpol_policy_t *p) { ++ %rename(get_is_star) wrap_get_is_star; ++ int wrap_get_is_star(qpol_policy_t *p) { + uint32_t s; + BEGIN_EXCEPTION + if (qpol_type_set_get_is_star(p, self, &s)) { +@@ -2645,7 +2884,8 @@ typedef struct qpol_type_set {} qpol_type_set_t; + fail: + return (int) s; + }; +- int get_is_comp(qpol_policy_t *p) { ++ %rename(get_is_comp) wrap_get_is_comp; ++ int wrap_get_is_comp(qpol_policy_t *p) { + uint32_t c; + BEGIN_EXCEPTION + if (qpol_type_set_get_is_comp(p, self, &c)) { +@@ -2665,18 +2905,19 @@ typedef struct qpol_type_set {} qpol_type_set_t; + /* qpol syn av rule */ + typedef struct qpol_syn_avrule {} qpol_syn_avrule_t; + %extend qpol_syn_avrule_t { +- qpol_syn_avrule_t() { ++ qpol_syn_avrule() { + BEGIN_EXCEPTION + SWIG_exception(SWIG_RuntimeError, "Cannot directly create qpol_syn_avrule_t objects"); + END_EXCEPTION + fail: + return NULL; + }; +- ~qpol_syn_avrule_t() { ++ ~qpol_syn_avrule() { + /* no op */ + return; + }; +- int get_rule_type(qpol_policy_t *p) { ++ %rename(get_rule_type) wrap_get_rule_type; ++ int wrap_get_rule_type(qpol_policy_t *p) { + uint32_t rt; + BEGIN_EXCEPTION + if (qpol_syn_avrule_get_rule_type(p, self, &rt)) { +@@ -2686,7 +2927,8 @@ typedef struct qpol_syn_avrule {} qpol_syn_avrule_t; + fail: + return (int) rt; + }; +- const qpol_type_set_t *get_source_type_set(qpol_policy_t *p) { ++ %rename(get_source_type_set) wrap_get_source_type_set; ++ const qpol_type_set_t *wrap_get_source_type_set(qpol_policy_t *p) { + const qpol_type_set_t *ts; + BEGIN_EXCEPTION + if (qpol_syn_avrule_get_source_type_set(p, self, &ts)) { +@@ -2696,7 +2938,8 @@ typedef struct qpol_syn_avrule {} qpol_syn_avrule_t; + fail: + return ts; + }; +- const qpol_type_set_t *get_target_type_set(qpol_policy_t *p) { ++ %rename(get_target_type_set) wrap_get_target_type_set; ++ const qpol_type_set_t *wrap_get_target_type_set(qpol_policy_t *p) { + const qpol_type_set_t *ts; + BEGIN_EXCEPTION + if (qpol_syn_avrule_get_target_type_set(p, self, &ts)) { +@@ -2706,7 +2949,8 @@ typedef struct qpol_syn_avrule {} qpol_syn_avrule_t; + fail: + return ts; + }; +- int get_is_target_self(qpol_policy_t *p) { ++ %rename(get_is_target_self) wrap_get_is_target_self; ++ int wrap_get_is_target_self(qpol_policy_t *p) { + uint32_t i; + BEGIN_EXCEPTION + if (qpol_syn_avrule_get_is_target_self(p, self, &i)) { +@@ -2717,7 +2961,8 @@ typedef struct qpol_syn_avrule {} qpol_syn_avrule_t; + return (int) i; + }; + %newobject get_class_iter(qpol_policy_t*); +- qpol_iterator_t *get_class_iter(qpol_policy_t *p) { ++ %rename(get_class_iter) wrap_get_class_iter; ++ qpol_iterator_t *wrap_get_class_iter(qpol_policy_t *p) { + qpol_iterator_t *iter; + BEGIN_EXCEPTION + if (qpol_syn_avrule_get_class_iter(p, self, &iter)) { +@@ -2728,7 +2973,8 @@ typedef struct qpol_syn_avrule {} qpol_syn_avrule_t; + return iter; + }; + %newobject get_perm_iter(qpol_policy_t*); +- qpol_iterator_t *get_perm_iter(qpol_policy_t *p) { ++ %rename(get_perm_iter) wrap_get_perm_iter; ++ qpol_iterator_t *wrap_get_perm_iter(qpol_policy_t *p) { + qpol_iterator_t *iter; + BEGIN_EXCEPTION + if (qpol_syn_avrule_get_perm_iter(p, self, &iter)) { +@@ -2738,7 +2984,8 @@ typedef struct qpol_syn_avrule {} qpol_syn_avrule_t; + fail: + return iter; + }; +- long get_lineno(qpol_policy_t *p) { ++ %rename(get_lineno) wrap_get_lineno; ++ long wrap_get_lineno(qpol_policy_t *p) { + unsigned long l; + BEGIN_EXCEPTION + if (qpol_syn_avrule_get_lineno(p, self, &l)) { +@@ -2748,7 +2995,8 @@ typedef struct qpol_syn_avrule {} qpol_syn_avrule_t; + fail: + return (long)l; + }; +- const qpol_cond_t *get_cond(qpol_policy_t *p) { ++ %rename(get_cond) wrap_get_cond; ++ const qpol_cond_t *wrap_get_cond(qpol_policy_t *p) { + const qpol_cond_t *c; + BEGIN_EXCEPTION + if (qpol_syn_avrule_get_cond(p, self, &c)) { +@@ -2758,7 +3006,8 @@ typedef struct qpol_syn_avrule {} qpol_syn_avrule_t; + fail: + return c; + }; +- int get_is_enabled(qpol_policy_t *p) { ++ %rename(get_is_enabled) wrap_get_is_enabled; ++ int wrap_get_is_enabled(qpol_policy_t *p) { + uint32_t e; + BEGIN_EXCEPTION + if (qpol_syn_avrule_get_is_enabled(p, self, &e)) { +@@ -2778,18 +3027,19 @@ typedef struct qpol_syn_avrule {} qpol_syn_avrule_t; + /* qpol syn te rule */ + typedef struct qpol_syn_terule {} qpol_syn_terule_t; + %extend qpol_syn_terule_t { +- qpol_syn_terule_t() { ++ qpol_syn_terule() { + BEGIN_EXCEPTION + SWIG_exception(SWIG_RuntimeError, "Cannot directly create qpol_syn_terule_t objects"); + END_EXCEPTION + fail: + return NULL; + }; +- ~qpol_syn_terule_t() { ++ ~qpol_syn_terule() { + /* no op */ + return; + }; +- int get_rule_type(qpol_policy_t *p) { ++ %rename(get_rule_type) wrap_get_rule_type; ++ int wrap_get_rule_type(qpol_policy_t *p) { + uint32_t rt; + BEGIN_EXCEPTION + if (qpol_syn_terule_get_rule_type(p, self, &rt)) { +@@ -2799,7 +3049,8 @@ typedef struct qpol_syn_terule {} qpol_syn_terule_t; + fail: + return rt; + }; +- const qpol_type_set_t *get_source_type_set(qpol_policy_t *p) { ++ %rename(get_source_type_set) wrap_get_source_type_set; ++ const qpol_type_set_t *wrap_get_source_type_set(qpol_policy_t *p) { + const qpol_type_set_t *ts; + BEGIN_EXCEPTION + if (qpol_syn_terule_get_source_type_set(p, self, &ts)) { +@@ -2809,7 +3060,8 @@ typedef struct qpol_syn_terule {} qpol_syn_terule_t; + fail: + return ts; + }; +- const qpol_type_set_t *get_target_type_set(qpol_policy_t *p) { ++ %rename(get_target_type_set) wrap_get_target_type_set; ++ const qpol_type_set_t *wrap_get_target_type_set(qpol_policy_t *p) { + const qpol_type_set_t *ts; + BEGIN_EXCEPTION + if (qpol_syn_terule_get_target_type_set(p, self, &ts)) { +@@ -2820,7 +3072,8 @@ typedef struct qpol_syn_terule {} qpol_syn_terule_t; + return ts; + }; + %newobject get_class_iter(qpol_policy_t*); +- qpol_iterator_t *get_class_iter(qpol_policy_t *p) { ++ %rename(get_class_iter) wrap_get_class_iter; ++ qpol_iterator_t *wrap_get_class_iter(qpol_policy_t *p) { + qpol_iterator_t *iter; + BEGIN_EXCEPTION + if (qpol_syn_terule_get_class_iter(p, self, &iter)) { +@@ -2830,7 +3083,8 @@ typedef struct qpol_syn_terule {} qpol_syn_terule_t; + fail: + return iter; + }; +- const qpol_type_t *get_default_type(qpol_policy_t *p) { ++ %rename(get_default_type) wrap_get_default_type; ++ const qpol_type_t *wrap_get_default_type(qpol_policy_t *p) { + const qpol_type_t *t; + BEGIN_EXCEPTION + if (qpol_syn_terule_get_default_type(p, self, &t)) { +@@ -2840,7 +3094,8 @@ typedef struct qpol_syn_terule {} qpol_syn_terule_t; + fail: + return t; + }; +- long get_lineno(qpol_policy_t *p) { ++ %rename(get_lineno) wrap_get_lineno; ++ long wrap_get_lineno(qpol_policy_t *p) { + unsigned long l; + BEGIN_EXCEPTION + if (qpol_syn_terule_get_lineno(p, self, &l)) { +@@ -2850,7 +3105,8 @@ typedef struct qpol_syn_terule {} qpol_syn_terule_t; + fail: + return (long)l; + }; +- const qpol_cond_t *get_cond(qpol_policy_t *p) { ++ %rename(get_cond) wrap_get_cond; ++ const qpol_cond_t *wrap_get_cond(qpol_policy_t *p) { + const qpol_cond_t *c; + BEGIN_EXCEPTION + if (qpol_syn_terule_get_cond(p, self, &c)) { +@@ -2860,7 +3116,8 @@ typedef struct qpol_syn_terule {} qpol_syn_terule_t; + fail: + return c; + }; +- int get_is_enabled(qpol_policy_t *p) { ++ %rename(get_is_enabled) wrap_get_is_enabled; ++ int wrap_get_is_enabled(qpol_policy_t *p) { + uint32_t e; + BEGIN_EXCEPTION + if (qpol_syn_terule_get_is_enabled(p, self, &e)) { +@@ -2876,4 +3133,317 @@ typedef struct qpol_syn_terule {} qpol_syn_terule_t; + return (qpol_syn_terule_t*)x; + }; + %} ++ ++/* qpol filename trans */ ++typedef struct qpol_filename_trans {} qpol_filename_trans_t; ++%extend qpol_filename_trans_t { ++ qpol_filename_trans() { ++ BEGIN_EXCEPTION ++ SWIG_exception(SWIG_RuntimeError, "Cannot directly create qpol_filename_trans_t objects"); ++ END_EXCEPTION ++ fail: ++ return NULL; ++ }; ++ ~qpol_filename_trans() { ++ /* no op */ ++ return; ++ }; ++ %rename(get_source_type) wrap_get_source_type; ++ const qpol_type_t *wrap_get_source_type (qpol_policy_t *p) { ++ const qpol_type_t *t; ++ BEGIN_EXCEPTION ++ if (qpol_filename_trans_get_source_type(p, self, &t)) { ++ SWIG_exception(SWIG_ValueError, "Could not get source for filename transition rule"); ++ } ++ END_EXCEPTION ++ fail: ++ return t; ++ }; ++ %rename(get_target_type) wrap_get_target_type; ++ const qpol_type_t *wrap_get_target_type (qpol_policy_t *p) { ++ const qpol_type_t *t; ++ BEGIN_EXCEPTION ++ if (qpol_filename_trans_get_target_type(p, self, &t)) { ++ SWIG_exception(SWIG_ValueError, "Could not get target for filename transition rule"); } ++ END_EXCEPTION ++ fail: ++ return t; ++ }; ++ %rename(get_object_class) wrap_get_object_class; ++ const qpol_class_t *wrap_get_object_class(qpol_policy_t *p) { ++ const qpol_class_t *cls; ++ BEGIN_EXCEPTION ++ if (qpol_filename_trans_get_object_class(p, self, &cls)) { ++ SWIG_exception(SWIG_ValueError, "Could not get class for filename transition rule"); } ++ END_EXCEPTION ++ fail: ++ return cls; ++ }; ++ %rename(get_default_type) wrap_get_default_type; ++ const qpol_type_t *wrap_get_default_type(qpol_policy_t *p) { ++ const qpol_type_t *t; ++ BEGIN_EXCEPTION ++ if (qpol_filename_trans_get_default_type(p, self, &t)) { ++ SWIG_exception(SWIG_ValueError, "Could not get default for filename transition rule"); ++ } ++ END_EXCEPTION ++ fail: ++ return t; ++ }; ++ %rename(get_filename) wrap_get_filename; ++ const char *wrap_get_filename(qpol_policy_t *p) { ++ const char *name; ++ BEGIN_EXCEPTION ++ if (qpol_filename_trans_get_filename(p, self, &name)) { ++ SWIG_exception(SWIG_ValueError, "Could not get file for filename transition rule"); ++ } ++ END_EXCEPTION ++ fail: ++ return name; ++ }; ++ ++}; ++%inline %{ ++ qpol_filename_trans_t *qpol_filename_trans_from_void(void *x) { ++ return (qpol_filename_trans_t*)x; ++ }; ++%} ++ ++/* qpol polcap */ ++typedef struct qpol_polcap {} qpol_polcap_t; ++%extend qpol_polcap_t { ++ qpol_polcap() { ++ BEGIN_EXCEPTION ++ SWIG_exception(SWIG_RuntimeError, "Cannot directly create qpol_polcap_t objects"); ++ END_EXCEPTION ++ fail: ++ return NULL; ++ }; ++ ~qpol_polcap() { ++ /* no op */ ++ return; ++ }; ++ %rename(get_name) wrap_get_name; ++ const char *wrap_get_name(qpol_policy_t *p) { ++ const char *name; ++ BEGIN_EXCEPTION ++ if (qpol_polcap_get_name(p, self, &name)) { ++ SWIG_exception(SWIG_ValueError, "Could not get polcap name rule"); ++ } ++ END_EXCEPTION ++ fail: ++ return name; ++ }; ++ ++}; ++%inline %{ ++ qpol_polcap_t *qpol_polcap_from_void(void *x) { ++ return (qpol_polcap_t*)x; ++ }; ++%} ++ ++/* qpol typebounds */ ++typedef struct qpol_typebounds {} qpol_typebounds_t; ++%extend qpol_typebounds_t { ++ qpol_typebounds() { ++ BEGIN_EXCEPTION ++ SWIG_exception(SWIG_RuntimeError, "Cannot directly create qpol_typebounds_t objects"); ++ END_EXCEPTION ++ fail: ++ return NULL; ++ }; ++ ~qpol_typebounds() { ++ /* no op */ ++ return; ++ }; ++ %rename(get_parent_name) wrap_get_parent_name; ++ const char *wrap_get_parent_name(qpol_policy_t *p) { ++ const char *name; ++ BEGIN_EXCEPTION ++ if (qpol_typebounds_get_parent_name(p, self, &name)) { ++ SWIG_exception(SWIG_ValueError, "Could not get parent name"); ++ } ++ END_EXCEPTION ++ fail: ++ return name; ++ }; ++ %rename(get_child_name) wrap_get_child_name; ++ const char *wrap_get_child_name(qpol_policy_t *p) { ++ const char *name; ++ BEGIN_EXCEPTION ++ if (qpol_typebounds_get_child_name(p, self, &name)) { ++ SWIG_exception(SWIG_ValueError, "Could not get child name"); ++ } ++ END_EXCEPTION ++ fail: ++ return name; ++ }; ++}; ++%inline %{ ++ qpol_typebounds_t *qpol_typebounds_from_void(void *x) { ++ return (qpol_typebounds_t*)x; ++ }; ++%} ++ ++/* qpol rolebounds */ ++typedef struct qpol_rolebounds {} qpol_rolebounds_t; ++%extend qpol_rolebounds_t { ++ qpol_rolebounds() { ++ BEGIN_EXCEPTION ++ SWIG_exception(SWIG_RuntimeError, "Cannot directly create qpol_rolebounds_t objects"); ++ END_EXCEPTION ++ fail: ++ return NULL; ++ }; ++ ~qpol_rolebounds() { ++ /* no op */ ++ return; ++ }; ++ %rename(get_parent_name) wrap_get_parent_name; ++ const char *wrap_get_parent_name(qpol_policy_t *p) { ++ const char *name; ++ BEGIN_EXCEPTION ++ if (qpol_rolebounds_get_parent_name(p, self, &name)) { ++ SWIG_exception(SWIG_ValueError, "Could not get parent name"); ++ } ++ END_EXCEPTION ++ fail: ++ return name; ++ }; ++ %rename(get_child_name) wrap_get_child_name; ++ const char *wrap_get_child_name(qpol_policy_t *p) { ++ const char *name; ++ BEGIN_EXCEPTION ++ if (qpol_rolebounds_get_child_name(p, self, &name)) { ++ SWIG_exception(SWIG_ValueError, "Could not get child name"); ++ } ++ END_EXCEPTION ++ fail: ++ return name; ++ }; ++}; ++%inline %{ ++ qpol_rolebounds_t *qpol_rolebounds_from_void(void *x) { ++ return (qpol_rolebounds_t*)x; ++ }; ++%} ++ ++/* qpol userbounds */ ++typedef struct qpol_userbounds {} qpol_userbounds_t; ++%extend qpol_userbounds_t { ++ qpol_userbounds() { ++ BEGIN_EXCEPTION ++ SWIG_exception(SWIG_RuntimeError, "Cannot directly create qpol_userbounds_t objects"); ++ END_EXCEPTION ++ fail: ++ return NULL; ++ }; ++ ~qpol_userbounds() { ++ /* no op */ ++ return; ++ }; ++ %rename(get_parent_name) wrap_get_parent_name; ++ const char *wrap_get_parent_name(qpol_policy_t *p) { ++ const char *name; ++ BEGIN_EXCEPTION ++ if (qpol_userbounds_get_parent_name(p, self, &name)) { ++ SWIG_exception(SWIG_ValueError, "Could not get parent name"); ++ } ++ END_EXCEPTION ++ fail: ++ return name; ++ }; ++ %rename(get_child_name) wrap_get_child_name; ++ const char *wrap_get_child_name(qpol_policy_t *p) { ++ const char *name; ++ BEGIN_EXCEPTION ++ if (qpol_userbounds_get_child_name(p, self, &name)) { ++ SWIG_exception(SWIG_ValueError, "Could not get child name"); ++ } ++ END_EXCEPTION ++ fail: ++ return name; ++ }; ++}; ++%inline %{ ++ qpol_userbounds_t *qpol_userbounds_from_void(void *x) { ++ return (qpol_userbounds_t*)x; ++ }; ++%} ++ ++/* qpol default_object */ ++typedef struct qpol_default_object {} qpol_default_object_t; ++%extend qpol_default_object_t { ++ qpol_default_object() { ++ BEGIN_EXCEPTION ++ SWIG_exception(SWIG_RuntimeError, "Cannot directly create qpol_default_object_t objects"); ++ END_EXCEPTION ++ fail: ++ return NULL; ++ }; ++ ~qpol_default_object() { ++ /* no op */ ++ return; ++ }; ++ %rename(get_class) wrap_get_class; ++ const char *wrap_get_class(qpol_policy_t *p) { ++ const char *name; ++ BEGIN_EXCEPTION ++ if (qpol_default_object_get_class(p, self, &name)) { ++ SWIG_exception(SWIG_ValueError, "Could not get class name"); ++ } ++ END_EXCEPTION ++ fail: ++ return name; ++ }; ++ %rename(get_user_default) wrap_get_user_default; ++ const char *wrap_get_user_default(qpol_policy_t *p) { ++ const char *value; ++ BEGIN_EXCEPTION ++ if (qpol_default_object_get_user_default(p, self, &value)) { ++ SWIG_exception(SWIG_ValueError, "Could not get user default"); ++ } ++ END_EXCEPTION ++ fail: ++ return value; ++ }; ++ %rename(get_role_default) wrap_get_role_default; ++ const char *wrap_get_role_default(qpol_policy_t *p) { ++ const char *value; ++ BEGIN_EXCEPTION ++ if (qpol_default_object_get_role_default(p, self, &value)) { ++ SWIG_exception(SWIG_ValueError, "Could not get role default"); ++ } ++ END_EXCEPTION ++ fail: ++ return value; ++ }; ++ %rename(get_type_default) wrap_get_type_default; ++ const char *wrap_get_type_default(qpol_policy_t *p) { ++ const char *value; ++ BEGIN_EXCEPTION ++ if (qpol_default_object_get_type_default(p, self, &value)) { ++ SWIG_exception(SWIG_ValueError, "Could not get type default"); ++ } ++ END_EXCEPTION ++ fail: ++ return value; ++ }; ++ %rename(get_range_default) wrap_get_range_default; ++ const char *wrap_get_range_default(qpol_policy_t *p) { ++ const char *value; ++ BEGIN_EXCEPTION ++ if (qpol_default_object_get_range_default(p, self, &value)) { ++ SWIG_exception(SWIG_ValueError, "Could not get range defaults"); ++ } ++ END_EXCEPTION ++ fail: ++ return value; ++ }; ++}; ++%inline %{ ++ qpol_default_object_t *qpol_default_object_from_void(void *x) { ++ return (qpol_default_object_t*)x; ++ }; ++%} + // vim:ft=c noexpandtab +diff --git a/libseaudit/swig/seaudit.i b/libseaudit/swig/seaudit.i +index 8c96d89..3bd5fe4 100644 +--- a/libseaudit/swig/seaudit.i ++++ b/libseaudit/swig/seaudit.i +@@ -252,7 +252,7 @@ typedef struct tm { + int tm_isdst; /* daylight saving time */ + } tm_t; + %extend tm_t { +- tm_t() { ++ tm() { + struct tm *t; + BEGIN_EXCEPTION + t = calloc(1, sizeof(struct tm)); +@@ -263,7 +263,7 @@ typedef struct tm { + fail: + return t; + }; +- ~tm_t() { ++ ~tm() { + free(self); + } + /* use default accessor style for the rest */ +@@ -280,7 +280,7 @@ typedef enum seaudit_log_type + } seaudit_log_type_e; + typedef struct seaudit_log {} seaudit_log_t; + %extend seaudit_log_t { +- seaudit_log_t() { ++ seaudit_log() { + seaudit_log_t *slog; + BEGIN_EXCEPTION + slog = seaudit_log_create(seaudit_swig_message_callback, seaudit_swig_message_callback_arg); +@@ -291,14 +291,16 @@ typedef struct seaudit_log {} seaudit_log_t; + fail: + return slog; + }; +- ~seaudit_log_t() { ++ ~seaudit_log() { + seaudit_log_destroy(&self); + }; +- void clear () { ++ %rename(clear) wrap_clear; ++ void wrap_clear () { + seaudit_log_clear(self); + }; + %newobject get_users(); +- apol_string_vector_t *get_users() { ++ %rename(get_users) wrap_get_users; ++ apol_string_vector_t *wrap_get_users() { + apol_vector_t *v; + BEGIN_EXCEPTION + v = seaudit_log_get_users(self); +@@ -310,7 +312,8 @@ typedef struct seaudit_log {} seaudit_log_t; + return (apol_string_vector_t*)v; + }; + %newobject get_roles(); +- apol_string_vector_t *get_roles() { ++ %rename(get_roles) wrap_get_roles; ++ apol_string_vector_t *wrap_get_roles() { + apol_vector_t *v; + BEGIN_EXCEPTION + v = seaudit_log_get_roles(self); +@@ -322,7 +325,8 @@ typedef struct seaudit_log {} seaudit_log_t; + return (apol_string_vector_t*)v; + }; + %newobject get_types(); +- apol_string_vector_t *get_types() { ++ %rename(get_types) wrap_get_types; ++ apol_string_vector_t *wrap_get_types() { + apol_vector_t *v; + BEGIN_EXCEPTION + v = seaudit_log_get_types(self); +@@ -334,7 +338,8 @@ typedef struct seaudit_log {} seaudit_log_t; + return (apol_string_vector_t*)v; + }; + %newobject get_classes(); +- apol_string_vector_t *get_classes() { ++ %rename(get_classes) wrap_get_classes; ++ apol_string_vector_t *wrap_get_classes() { + apol_vector_t *v; + BEGIN_EXCEPTION + v = seaudit_log_get_classes(self); +@@ -357,14 +362,14 @@ typedef enum seaudit_message_type + } seaudit_message_type_e; + typedef struct seaudit_message {} seaudit_message_t; + %extend seaudit_message_t { +- seaudit_message_t() { ++ seaudit_message() { + BEGIN_EXCEPTION + SWIG_exception(SWIG_RuntimeError, "Canot directly create seaudit_message_t objects"); + END_EXCEPTION + fail: + return NULL; + }; +- ~seaudit_message_t() { ++ ~seaudit_message() { + /* no op */ + return; + }; +@@ -373,18 +378,22 @@ typedef struct seaudit_message {} seaudit_message_t; + (void)seaudit_message_get_data(self, &te); + return te; + }; +- void *get_data() { ++ %rename(get_data) wrap_get_data; ++ void *wrap_get_data() { + seaudit_message_type_e te; + return seaudit_message_get_data(self, &te); + }; +- const char *get_host() { ++ %rename(get_host) wrap_get_host; ++ const char *wrap_get_host() { + return seaudit_message_get_host(self); + }; +- const tm_t *get_time() { ++ %rename(get_time) wrap_get_time; ++ const tm_t *wrap_get_time() { + return seaudit_message_get_time(self); + } + %newobject to_string(); +- char *to_string() { ++ %rename(to_string) wrap_to_string; ++ char *wrap_to_string() { + char *str; + BEGIN_EXCEPTION + str = seaudit_message_to_string(self); +@@ -396,7 +405,8 @@ typedef struct seaudit_message {} seaudit_message_t; + return str; + }; + %newobject to_string_html(); +- char *to_string_html() { ++ %rename(to_string_html) wrap_to_string_html; ++ char *wrap_to_string_html() { + char *str; + BEGIN_EXCEPTION + str = seaudit_message_to_string_html(self); +@@ -408,7 +418,8 @@ typedef struct seaudit_message {} seaudit_message_t; + return str; + }; + %newobject to_misc_string(); +- char *to_misc_string() { ++ %rename(to_misc_string) wrap_to_misc_string; ++ char *wrap_to_misc_string() { + char *str; + BEGIN_EXCEPTION + str = seaudit_message_to_misc_string(self); +@@ -429,14 +440,14 @@ typedef struct seaudit_message {} seaudit_message_t; + /* seaudit load message */ + typedef struct seaudit_load_message {} seaudit_load_message_t; + %extend seaudit_load_message_t { +- seaudit_load_message_t() { ++ seaudit_load_message() { + BEGIN_EXCEPTION + SWIG_exception(SWIG_RuntimeError, "Cannot directly create seaudit_load_message_t objects"); + END_EXCEPTION + fail: + return NULL; + }; +- ~seaudit_load_message_t() { ++ ~seaudit_load_message() { + /* no op */ + return; + }; +@@ -450,14 +461,14 @@ typedef struct seaudit_load_message {} seaudit_load_message_t; + /* seaudit bool message */ + typedef struct seaudit_bool_message {} seaudit_bool_message_t; + %extend seaudit_bool_message_t { +- seaudit_bool_message_t(void *msg) { ++ seaudit_bool_message(void *msg) { + BEGIN_EXCEPTION + SWIG_exception(SWIG_RuntimeError, "Cannot directly create seaudit_bool_message_t objects"); + END_EXCEPTION + fail: + return NULL; + }; +- ~seaudit_bool_message_t() { ++ ~seaudit_bool_message() { + /* no op */ + return; + }; +@@ -477,102 +488,131 @@ typedef enum seaudit_avc_message_type + } seaudit_avc_message_type_e; + typedef struct seaudit_avc_message {} seaudit_avc_message_t; + %extend seaudit_avc_message_t { +- seaudit_avc_message_t() { ++ seaudit_avc_message() { + BEGIN_EXCEPTION + SWIG_exception(SWIG_RuntimeError, "Cannot directly create seaudit_avc_message_t objects"); + END_EXCEPTION + fail: + return NULL; + }; +- ~seaudit_avc_message_t() { ++ ~seaudit_avc_message() { + /* no op */ + return; + }; +- seaudit_avc_message_type_e get_message_type() { ++ %rename(get_message_type) wrap_get_message_type; ++ seaudit_avc_message_type_e wrap_get_message_type() { + return seaudit_avc_message_get_message_type(self); + }; +- long get_timestamp_nano() { ++ %rename(get_timestamp_nano) wrap_get_timestamp_nano; ++ long wrap_get_timestamp_nano() { + return seaudit_avc_message_get_timestamp_nano(self); + }; +- const char *get_source_user() { ++ %rename(get_source_user) wrap_get_source_user; ++ const char *wrap_get_source_user() { + return seaudit_avc_message_get_source_user(self); + }; +- const char *get_source_role() { ++ %rename(get_source_role) wrap_get_source_role; ++ const char *wrap_get_source_role() { + return seaudit_avc_message_get_source_role(self); + }; +- const char *get_source_type() { ++ %rename(get_source_type) wrap_get_source_type; ++ const char *wrap_get_source_type() { + return seaudit_avc_message_get_source_type(self); + }; +- const char *get_target_user() { ++ %rename(get_target_user) wrap_get_target_user; ++ const char *wrap_get_target_user() { + return seaudit_avc_message_get_target_user(self); + }; +- const char *get_target_role() { ++ %rename(get_target_role) wrap_get_target_role; ++ const char *wrap_get_target_role() { + return seaudit_avc_message_get_target_role(self); + }; +- const char *get_target_type() { ++ %rename(get_target_type) wrap_get_target_type; ++ const char *wrap_get_target_type() { + return seaudit_avc_message_get_target_type(self); + }; +- const char *get_object_class() { ++ %rename(get_object_class) wrap_get_object_class; ++ const char *wrap_get_object_class() { + return seaudit_avc_message_get_object_class(self); + }; +- const apol_string_vector_t *get_perm() { ++ %rename(get_perm) wrap_get_perm; ++ const apol_string_vector_t *wrap_get_perm() { + return (apol_string_vector_t*)seaudit_avc_message_get_perm(self); + }; +- const char *get_exe() { ++ %rename(get_exe) wrap_get_exe; ++ const char *wrap_get_exe() { + return seaudit_avc_message_get_exe(self); + }; +- const char *get_comm() { ++ %rename(get_comm) wrap_get_comm; ++ const char *wrap_get_comm() { + return seaudit_avc_message_get_comm(self); + }; +- const char *get_name() { ++ %rename(get_name) wrap_get_name; ++ const char *wrap_get_name() { + return seaudit_avc_message_get_name(self); + }; +- int get_pid() { ++ %rename(get_pid) wrap_get_pid; ++ int wrap_get_pid() { + return (int)seaudit_avc_message_get_pid(self); + }; +- long get_inode() { ++ %rename(get_inode) wrap_get_inode; ++ long wrap_get_inode() { + return (long)seaudit_avc_message_get_inode(self); + }; +- const char *get_path() { ++ %rename(get_path) wrap_get_path; ++ const char *wrap_get_path() { + return seaudit_avc_message_get_path(self); + }; +- const char *get_dev() { ++ %rename(get_dev) wrap_get_dev; ++ const char *wrap_get_dev() { + return seaudit_avc_message_get_dev(self); + }; +- const char *get_netif() { ++ %rename(get_netif) wrap_get_netif; ++ const char *wrap_get_netif() { + return seaudit_avc_message_get_netif(self); + }; +- int get_port() { ++ %rename(get_port) wrap_get_port; ++ int wrap_get_port() { + return seaudit_avc_message_get_port(self); + }; +- const char *get_laddr() { ++ %rename(get_laddr) wrap_get_laddr; ++ const char *wrap_get_laddr() { + return seaudit_avc_message_get_laddr(self); + }; +- int get_lport() { ++ %rename(get_lport) wrap_get_lport; ++ int wrap_get_lport() { + return seaudit_avc_message_get_lport(self); + }; +- const char *get_faddr() { ++ %rename(get_faddr) wrap_get_faddr; ++ const char *wrap_get_faddr() { + return seaudit_avc_message_get_faddr(self); + }; +- int get_fport() { ++ %rename(get_fport) wrap_get_fport; ++ int wrap_get_fport() { + return seaudit_avc_message_get_fport(self); + }; +- const char *get_saddr() { ++ %rename(get_saddr) wrap_get_saddr; ++ const char *wrap_get_saddr() { + return seaudit_avc_message_get_saddr(self); + }; +- int get_sport() { ++ %rename(get_sport) wrap_get_sport; ++ int wrap_get_sport() { + return seaudit_avc_message_get_sport(self); + }; +- const char *get_daddr() { ++ %rename(get_daddr) wrap_get_daddr; ++ const char *wrap_get_daddr() { + return seaudit_avc_message_get_daddr(self); + }; +- int get_dport() { ++ %rename(get_dport) wrap_get_dport; ++ int wrap_get_dport() { + return seaudit_avc_message_get_dport(self); + }; +- int get_key() { ++ %rename(get_key) wrap_get_key; ++ int wrap_get_key() { + return seaudit_avc_message_get_key(self); + }; +- int get_cap() { ++ %rename(get_cap) wrap_get_cap; ++ int wrap_get_cap() { + return seaudit_avc_message_get_cap(self); + }; + }; +@@ -608,7 +648,7 @@ typedef enum seaudit_filter_date_match + } seaudit_filter_date_match_e; + typedef struct seaudit_filter {} seaudit_filter_t; + %extend seaudit_filter_t { +- seaudit_filter_t(char *name = NULL) { ++ seaudit_filter(char *name = NULL) { + seaudit_filter_t *sf = NULL; + BEGIN_EXCEPTION + sf = seaudit_filter_create(name); +@@ -619,7 +659,7 @@ typedef struct seaudit_filter {} seaudit_filter_t; + fail: + return sf; + }; +- seaudit_filter_t(seaudit_filter_t *in) { ++ seaudit_filter(seaudit_filter_t *in) { + seaudit_filter_t *sf = NULL; + BEGIN_EXCEPTION + sf = seaudit_filter_create_from_filter(in); +@@ -630,7 +670,7 @@ typedef struct seaudit_filter {} seaudit_filter_t; + fail: + return sf; + }; +- ~seaudit_filter_t() { ++ ~seaudit_filter() { + seaudit_filter_destroy(&self); + }; + void save(char *path) { +@@ -642,7 +682,8 @@ typedef struct seaudit_filter {} seaudit_filter_t; + fail: + return; + }; +- void set_match(seaudit_filter_match_e match) { ++ %rename(set_match) wrap_set_match; ++ void wrap_set_match(seaudit_filter_match_e match) { + BEGIN_EXCEPTION + if (seaudit_filter_set_match(self, match)) { + SWIG_exception(SWIG_RuntimeError, "Could not set filter matching method"); +@@ -651,10 +692,12 @@ typedef struct seaudit_filter {} seaudit_filter_t; + fail: + return; + } +- seaudit_filter_match_e get_match() { ++ %rename(get_match) wrap_get_match; ++ seaudit_filter_match_e wrap_get_match() { + return seaudit_filter_get_match(self); + }; +- void set_name(char *name) { ++ %rename(set_name) wrap_set_name; ++ void wrap_set_name(char *name) { + BEGIN_EXCEPTION + if (seaudit_filter_set_name(self, name)) { + SWIG_exception(SWIG_RuntimeError, "Could not set filter name"); +@@ -663,10 +706,12 @@ typedef struct seaudit_filter {} seaudit_filter_t; + fail: + return; + }; +- const char *get_name() { ++ %rename(get_name) wrap_get_name; ++ const char *wrap_get_name() { + return seaudit_filter_get_name(self); + }; +- void set_description(char *description) { ++ %rename(set_description) wrap_set_description; ++ void wrap_set_description(char *description) { + BEGIN_EXCEPTION + if (seaudit_filter_set_description(self, description)) { + SWIG_exception(SWIG_RuntimeError, "Could not set filter description"); +@@ -675,16 +720,20 @@ typedef struct seaudit_filter {} seaudit_filter_t; + fail: + return; + }; +- const char *get_description() { ++ %rename(get_description) wrap_get_description; ++ const char *wrap_get_description() { + return seaudit_filter_get_description(self); + }; +- void set_strict(bool is_strict) { ++ %rename(set_strict) wrap_set_strict; ++ void wrap_set_strict(bool is_strict) { + seaudit_filter_set_strict(self, is_strict); + }; +- bool get_strict() { ++ %rename(get_strict) wrap_get_strict; ++ bool wrap_get_strict() { + return seaudit_filter_get_strict(self); + }; +- void set_source_user(apol_string_vector_t *v) { ++ %rename(set_source_user) wrap_set_source_user; ++ void wrap_set_source_user(apol_string_vector_t *v) { + BEGIN_EXCEPTION + if (seaudit_filter_set_source_user(self, (apol_vector_t*)v)) { + SWIG_exception(SWIG_RuntimeError, "Could not set source user list for filter"); +@@ -693,10 +742,12 @@ typedef struct seaudit_filter {} seaudit_filter_t; + fail: + return; + }; +- const apol_string_vector_t *get_source_user() { ++ %rename(get_source_user) wrap_get_source_user; ++ const apol_string_vector_t *wrap_get_source_user() { + return (apol_string_vector_t*)seaudit_filter_get_source_user(self); + }; +- void set_source_role(apol_string_vector_t *v) { ++ %rename(set_source_role) wrap_set_source_role; ++ void wrap_set_source_role(apol_string_vector_t *v) { + BEGIN_EXCEPTION + if (seaudit_filter_set_source_role(self, (apol_vector_t*)v)) { + SWIG_exception(SWIG_RuntimeError, "Could not set source role list for filter"); +@@ -705,10 +756,12 @@ typedef struct seaudit_filter {} seaudit_filter_t; + fail: + return; + }; +- const apol_string_vector_t *get_source_role() { ++ %rename(get_source_role) wrap_get_source_role; ++ const apol_string_vector_t *wrap_get_source_role() { + return (apol_string_vector_t*)seaudit_filter_get_source_role(self); + }; +- void set_source_type(apol_string_vector_t *v) { ++ %rename(set_source_type) wrap_set_source_type; ++ void wrap_set_source_type(apol_string_vector_t *v) { + BEGIN_EXCEPTION + if (seaudit_filter_set_source_type(self, (apol_vector_t*)v)) { + SWIG_exception(SWIG_RuntimeError, "Could not set source type list for filter"); +@@ -717,10 +770,12 @@ typedef struct seaudit_filter {} seaudit_filter_t; + fail: + return; + }; +- const apol_string_vector_t *get_source_type() { ++ %rename(get_source_type) wrap_get_source_type; ++ const apol_string_vector_t *wrap_get_source_type() { + return (apol_string_vector_t*)seaudit_filter_get_source_type(self); + }; +- void set_target_user(apol_string_vector_t *v) { ++ %rename(set_target_user) wrap_set_target_user; ++ void wrap_set_target_user(apol_string_vector_t *v) { + BEGIN_EXCEPTION + if (seaudit_filter_set_target_user(self, (apol_vector_t*)v)) { + SWIG_exception(SWIG_RuntimeError, "Could not set target user list for filter"); +@@ -729,10 +784,12 @@ typedef struct seaudit_filter {} seaudit_filter_t; + fail: + return; + }; +- const apol_string_vector_t *get_target_user() { ++ %rename(get_target_user) wrap_get_target_user; ++ const apol_string_vector_t *wrap_get_target_user() { + return (apol_string_vector_t*)seaudit_filter_get_target_user(self); + }; +- void set_target_role(apol_string_vector_t *v) { ++ %rename(set_target_role) wrap_set_target_role; ++ void wrap_set_target_role(apol_string_vector_t *v) { + BEGIN_EXCEPTION + if (seaudit_filter_set_target_role(self, (apol_vector_t*)v)) { + SWIG_exception(SWIG_RuntimeError, "Could not set target role list for filter"); +@@ -741,10 +798,12 @@ typedef struct seaudit_filter {} seaudit_filter_t; + fail: + return; + }; +- const apol_string_vector_t *get_target_role() { ++ %rename(get_target_role) wrap_get_target_role; ++ const apol_string_vector_t *wrap_get_target_role() { + return (apol_string_vector_t*)seaudit_filter_get_target_role(self); + }; +- void set_target_type(apol_string_vector_t *v) { ++ %rename(set_target_type) wrap_set_target_type; ++ void wrap_set_target_type(apol_string_vector_t *v) { + BEGIN_EXCEPTION + if (seaudit_filter_set_target_type(self, (apol_vector_t*)v)) { + SWIG_exception(SWIG_RuntimeError, "Could not set target type list for filter"); +@@ -753,10 +812,12 @@ typedef struct seaudit_filter {} seaudit_filter_t; + fail: + return; + }; +- const apol_string_vector_t *get_target_type() { ++ %rename(get_target_type) wrap_get_target_type; ++ const apol_string_vector_t *wrap_get_target_type() { + return (apol_string_vector_t*)seaudit_filter_get_target_type(self); + }; +- void set_target_class(apol_string_vector_t *v) { ++ %rename(set_target_class) wrap_set_target_class; ++ void wrap_set_target_class(apol_string_vector_t *v) { + BEGIN_EXCEPTION + if (seaudit_filter_set_target_class(self, (apol_vector_t*)v)) { + SWIG_exception(SWIG_RuntimeError, "Could not set target class list for filter"); +@@ -765,10 +826,12 @@ typedef struct seaudit_filter {} seaudit_filter_t; + fail: + return; + }; +- const apol_string_vector_t *get_target_class() { ++ %rename(get_target_class) wrap_get_target_class; ++ const apol_string_vector_t *wrap_get_target_class() { + return (apol_string_vector_t*)seaudit_filter_get_target_class(self); + }; +- void set_permission(char *name) { ++ %rename(set_permission) wrap_set_permission; ++ void wrap_set_permission(char *name) { + BEGIN_EXCEPTION + if (seaudit_filter_set_permission(self, name)) { + SWIG_exception(SWIG_RuntimeError, "Could not set permission for filter"); +@@ -777,10 +840,12 @@ typedef struct seaudit_filter {} seaudit_filter_t; + fail: + return; + }; +- const char *get_permission() { ++ %rename(get_permission) wrap_get_permission; ++ const char *wrap_get_permission() { + return seaudit_filter_get_permission(self); + }; +- void set_executable(char *name) { ++ %rename(set_executable) wrap_set_executable; ++ void wrap_set_executable(char *name) { + BEGIN_EXCEPTION + if (seaudit_filter_set_executable(self, name)) { + SWIG_exception(SWIG_RuntimeError, "Could not set executable for filter"); +@@ -789,10 +854,12 @@ typedef struct seaudit_filter {} seaudit_filter_t; + fail: + return; + }; +- const char *get_executable() { ++ %rename(get_executable) wrap_get_executable; ++ const char *wrap_get_executable() { + return seaudit_filter_get_executable(self); + }; +- void set_host(char *name) { ++ %rename(set_host) wrap_set_host; ++ void wrap_set_host(char *name) { + BEGIN_EXCEPTION + if (seaudit_filter_set_host(self, name)) { + SWIG_exception(SWIG_RuntimeError, "Could not set host for filter"); +@@ -801,10 +868,12 @@ typedef struct seaudit_filter {} seaudit_filter_t; + fail: + return; + }; +- const char *get_host() { ++ %rename(get_host) wrap_get_host; ++ const char *wrap_get_host() { + return seaudit_filter_get_host(self); + }; +- void set_path(char *path) { ++ %rename(set_path) wrap_set_path; ++ void wrap_set_path(char *path) { + BEGIN_EXCEPTION + if (seaudit_filter_set_path(self, path)) { + SWIG_exception(SWIG_RuntimeError, "Could not set path for filter"); +@@ -813,10 +882,12 @@ typedef struct seaudit_filter {} seaudit_filter_t; + fail: + return; + }; +- const char *get_path() { ++ %rename(get_path) wrap_get_path; ++ const char *wrap_get_path() { + return seaudit_filter_get_path(self); + }; +- void set_command(char *name) { ++ %rename(set_command) wrap_set_command; ++ void wrap_set_command(char *name) { + BEGIN_EXCEPTION + if (seaudit_filter_set_command(self, name)) { + SWIG_exception(SWIG_RuntimeError, "Could not set command for filter"); +@@ -825,22 +896,28 @@ typedef struct seaudit_filter {} seaudit_filter_t; + fail: + return; + }; +- void set_inode(long inode) { ++ %rename(set_inode) wrap_set_inode; ++ void wrap_set_inode(long inode) { + seaudit_filter_set_inode(self, (long) inode); + }; +- long get_inode() { ++ %rename(get_inode) wrap_get_inode; ++ long wrap_get_inode() { + return (long) seaudit_filter_get_inode(self); + }; +- void set_pid(long pid) { ++ %rename(set_pid) wrap_set_pid; ++ void wrap_set_pid(long pid) { + seaudit_filter_set_pid(self, (unsigned int) pid); + }; +- long get_pid() { ++ %rename(get_pid) wrap_get_pid; ++ long wrap_get_pid() { + return (long) seaudit_filter_get_pid(self); + }; +- const char *get_command() { ++ %rename(get_command) wrap_get_command; ++ const char *wrap_get_command() { + return seaudit_filter_get_command(self); + }; +- void set_anyaddr(char *name) { ++ %rename(set_anyaddr) wrap_set_anyaddr; ++ void wrap_set_anyaddr(char *name) { + BEGIN_EXCEPTION + if (seaudit_filter_set_anyaddr(self, name)) { + SWIG_exception(SWIG_RuntimeError, "Could not set ip address for filter"); +@@ -849,16 +926,20 @@ typedef struct seaudit_filter {} seaudit_filter_t; + fail: + return; + }; +- const char *get_anyaddr() { ++ %rename(get_anyaddr) wrap_get_anyaddr; ++ const char *wrap_get_anyaddr() { + return seaudit_filter_get_anyaddr(self); + }; +- void set_anyport(int port) { ++ %rename(set_anyport) wrap_set_anyport; ++ void wrap_set_anyport(int port) { + seaudit_filter_set_anyport(self, port); + }; +- int get_anyport() { ++ %rename(get_anyport) wrap_get_anyport; ++ int wrap_get_anyport() { + return seaudit_filter_get_anyport(self); + }; +- void set_laddr(char *name) { ++ %rename(set_laddr) wrap_set_laddr; ++ void wrap_set_laddr(char *name) { + BEGIN_EXCEPTION + if (seaudit_filter_set_laddr(self, name)) { + SWIG_exception(SWIG_RuntimeError, "Could not set local address for filter"); +@@ -867,16 +948,20 @@ typedef struct seaudit_filter {} seaudit_filter_t; + fail: + return; + }; +- const char *get_laddr() { ++ %rename(get_laddr) wrap_get_laddr; ++ const char *wrap_get_laddr() { + return seaudit_filter_get_laddr(self); + }; +- void set_lport(int port) { ++ %rename(set_lport) wrap_set_lport; ++ void wrap_set_lport(int port) { + seaudit_filter_set_lport(self, port); + }; +- int get_lport() { ++ %rename(get_lport) wrap_get_lport; ++ int wrap_get_lport() { + return seaudit_filter_get_lport(self); + }; +- void set_faddr(char *name) { ++ %rename(set_faddr) wrap_set_faddr; ++ void wrap_set_faddr(char *name) { + BEGIN_EXCEPTION + if (seaudit_filter_set_faddr(self, name)) { + SWIG_exception(SWIG_RuntimeError, "Could not set foreign address for filter"); +@@ -885,16 +970,20 @@ typedef struct seaudit_filter {} seaudit_filter_t; + fail: + return; + }; +- const char *get_faddr() { ++ %rename(get_faddr) wrap_get_faddr; ++ const char *wrap_get_faddr() { + return seaudit_filter_get_faddr(self); + }; +- void set_fport(int port) { ++ %rename(set_fport) wrap_set_fport; ++ void wrap_set_fport(int port) { + seaudit_filter_set_fport(self, port); + }; +- int get_fport() { ++ %rename(get_fport) wrap_get_fport; ++ int wrap_get_fport() { + return seaudit_filter_get_fport(self); + }; +- void set_saddr(char *name) { ++ %rename(set_saddr) wrap_set_saddr; ++ void wrap_set_saddr(char *name) { + BEGIN_EXCEPTION + if (seaudit_filter_set_saddr(self, name)) { + SWIG_exception(SWIG_RuntimeError, "Could not set source address for filter"); +@@ -903,16 +992,20 @@ typedef struct seaudit_filter {} seaudit_filter_t; + fail: + return; + }; +- const char *get_saddr() { ++ %rename(get_saddr) wrap_get_saddr; ++ const char *wrap_get_saddr() { + return seaudit_filter_get_saddr(self); + }; +- void set_sport(int port) { ++ %rename(set_sport) wrap_set_sport; ++ void wrap_set_sport(int port) { + seaudit_filter_set_sport(self, port); + }; +- int get_sport() { ++ %rename(get_sport) wrap_get_sport; ++ int wrap_get_sport() { + return seaudit_filter_get_sport(self); + }; +- void set_daddr(char *name) { ++ %rename(set_daddr) wrap_set_daddr; ++ void wrap_set_daddr(char *name) { + BEGIN_EXCEPTION + if (seaudit_filter_set_daddr(self, name)) { + SWIG_exception(SWIG_RuntimeError, "Could not set destination address for filter"); +@@ -921,22 +1014,28 @@ typedef struct seaudit_filter {} seaudit_filter_t; + fail: + return; + }; +- const char *get_daddr() { ++ %rename(get_daddr) wrap_get_daddr; ++ const char *wrap_get_daddr() { + return seaudit_filter_get_daddr(self); + }; +- void set_dport(int port) { ++ %rename(set_dport) wrap_set_dport; ++ void wrap_set_dport(int port) { + seaudit_filter_set_dport(self, port); + }; +- int get_dport() { ++ %rename(get_dport) wrap_get_dport; ++ int wrap_get_dport() { + return seaudit_filter_get_dport(self); + }; +- void set_port(int port) { ++ %rename(set_port) wrap_set_port; ++ void wrap_set_port(int port) { + seaudit_filter_set_port(self, port); + }; +- int get_port() { ++ %rename(get_port) wrap_get_port; ++ int wrap_get_port() { + return seaudit_filter_get_port(self); + }; +- void set_netif(char *name) { ++ %rename(set_netif) wrap_set_netif; ++ void wrap_set_netif(char *name) { + BEGIN_EXCEPTION + if (seaudit_filter_set_netif(self, name)) { + SWIG_exception(SWIG_RuntimeError, "Could not set network interface for filter"); +@@ -945,22 +1044,28 @@ typedef struct seaudit_filter {} seaudit_filter_t; + fail: + return; + }; +- const char *get_netif() { ++ %rename(get_netif) wrap_get_netif; ++ const char *wrap_get_netif() { + return seaudit_filter_get_netif(self); + }; +- void set_key(int key) { ++ %rename(set_key) wrap_set_key; ++ void wrap_set_key(int key) { + seaudit_filter_set_key(self, key); + }; +- int get_key() { ++ %rename(get_key) wrap_get_key; ++ int wrap_get_key() { + return seaudit_filter_get_key(self); + }; +- void set_cap(int cap) { ++ %rename(set_cap) wrap_set_cap; ++ void wrap_set_cap(int cap) { + seaudit_filter_set_cap(self, cap); + }; +- int get_cap() { ++ %rename(get_cap) wrap_get_cap; ++ int wrap_get_cap() { + return seaudit_filter_get_cap(self); + }; +- void set_message_type(seaudit_avc_message_type_e mtype) { ++ %rename(set_message_type) wrap_set_message_type; ++ void wrap_set_message_type(seaudit_avc_message_type_e mtype) { + BEGIN_EXCEPTION + if (seaudit_filter_set_message_type(self, mtype)) { + SWIG_exception(SWIG_RuntimeError, "Could not set message type for filter"); +@@ -969,10 +1074,12 @@ typedef struct seaudit_filter {} seaudit_filter_t; + fail: + return; + }; +- seaudit_message_type_e get_message_type() { ++ %rename(get_message_type) wrap_get_message_type; ++ seaudit_message_type_e wrap_get_message_type() { + return seaudit_filter_get_message_type(self); + }; +- void set_date(struct tm *start, struct tm *end, seaudit_filter_date_match_e match) { ++ %rename(set_date) wrap_set_date; ++ void wrap_set_date(struct tm *start, struct tm *end, seaudit_filter_date_match_e match) { + BEGIN_EXCEPTION + if (seaudit_filter_set_date(self, start, end, match)) { + SWIG_exception(SWIG_RuntimeError, "Could not set date for filter"); +@@ -1014,14 +1121,14 @@ apol_vector_t *seaudit_filter_create_from_file(const char *filename); + /* seaudit sort */ + typedef struct seaudit_sort {} seaudit_sort_t; + %extend seaudit_sort_t { +- seaudit_sort_t() { ++ seaudit_sort() { + BEGIN_EXCEPTION + SWIG_exception(SWIG_RuntimeError, "Cannot directly create seaudit_sort_t objects"); + END_EXCEPTION + fail: + return NULL; + }; +- seaudit_sort_t(seaudit_sort_t *in) { ++ seaudit_sort(seaudit_sort_t *in) { + seaudit_sort_t *ss = NULL; + BEGIN_EXCEPTION + ss = seaudit_sort_create_from_sort(in); +@@ -1032,7 +1139,7 @@ typedef struct seaudit_sort {} seaudit_sort_t; + fail: + return ss; + }; +- ~seaudit_sort_t() { ++ ~seaudit_sort() { + seaudit_sort_destroy(&self); + }; + }; +@@ -1113,7 +1220,7 @@ extern seaudit_sort_t *seaudit_sort_by_cap(const int direction); + #endif + typedef struct seaudit_model {} seaudit_model_t; + %extend seaudit_model_t { +- seaudit_model_t(char *name = NULL, seaudit_log_t *slog = NULL) { ++ seaudit_model(char *name = NULL, seaudit_log_t *slog = NULL) { + seaudit_model_t *smod; + BEGIN_EXCEPTION + smod = seaudit_model_create(name, slog); +@@ -1124,7 +1231,7 @@ typedef struct seaudit_model {} seaudit_model_t; + fail: + return smod; + }; +- seaudit_model_t(seaudit_model_t *in) { ++ seaudit_model(seaudit_model_t *in) { + seaudit_model_t *smod; + BEGIN_EXCEPTION + smod = seaudit_model_create_from_model(in); +@@ -1135,7 +1242,7 @@ typedef struct seaudit_model {} seaudit_model_t; + fail: + return smod; + }; +- seaudit_model_t(char *path) { ++ seaudit_model(char *path) { + seaudit_model_t *smod; + BEGIN_EXCEPTION + smod = seaudit_model_create_from_file(path); +@@ -1146,7 +1253,7 @@ typedef struct seaudit_model {} seaudit_model_t; + fail: + return smod; + } +- ~seaudit_model_t() { ++ ~seaudit_model() { + seaudit_model_destroy(&self); + }; + void save(char *path) { +@@ -1158,10 +1265,12 @@ typedef struct seaudit_model {} seaudit_model_t; + fail: + return; + } +- const char *get_name() { ++ %rename(get_name) wrap_get_name; ++ const char *wrap_get_name() { + return seaudit_model_get_name(self); + }; +- void set_name(char *name) { ++ %rename(set_name) wrap_set_name; ++ void wrap_set_name(char *name) { + BEGIN_EXCEPTION + if (seaudit_model_set_name(self, name)) { + SWIG_exception(SWIG_RuntimeError, "Could not set model name"); +@@ -1170,7 +1279,8 @@ typedef struct seaudit_model {} seaudit_model_t; + fail: + return; + }; +- void append_log(seaudit_log_t *slog) { ++ %rename(append_log) wrap_append_log; ++ void wrap_append_log(seaudit_log_t *slog) { + BEGIN_EXCEPTION + if (seaudit_model_append_log(self, slog)) { + SWIG_exception(SWIG_RuntimeError, "Could not append log to model"); +@@ -1179,7 +1289,8 @@ typedef struct seaudit_model {} seaudit_model_t; + fail: + return; + }; +- void append_filter(seaudit_filter_t *filter) { ++ %rename(append_filter) wrap_append_filter; ++ void wrap_append_filter(seaudit_filter_t *filter) { + BEGIN_EXCEPTION + #ifdef SWIGJAVA /* duplicate so the garbage collector does not double free */ + seaudit_filter_t *tmp = seaudit_filter_create_from_filter(filter); +@@ -1196,11 +1307,13 @@ typedef struct seaudit_model {} seaudit_model_t; + fail: + return; + }; +- const apol_vector_t *get_filters() { ++ %rename(get_filters) wrap_get_filters; ++ const apol_vector_t *wrap_get_filters() { + return seaudit_model_get_filters(self); + }; + %delobject remove_filter(); +- void remove_filter(seaudit_filter_t *filter) { ++ %rename(remove_filter) wrap_remove_filter; ++ void wrap_remove_filter(seaudit_filter_t *filter) { + BEGIN_EXCEPTION + if (seaudit_model_remove_filter(self, filter)) { + SWIG_exception(SWIG_ValueError, "Could not remove filter"); +@@ -1209,7 +1322,8 @@ typedef struct seaudit_model {} seaudit_model_t; + fail: + return; + }; +- void set_filter_match(seaudit_filter_match_e match) { ++ %rename(set_filter_match) wrap_set_filter_match; ++ void wrap_set_filter_match(seaudit_filter_match_e match) { + BEGIN_EXCEPTION + if (seaudit_model_set_filter_match(self, match)) { + SWIG_exception(SWIG_RuntimeError, "Could not set filter matching method for model"); +@@ -1218,10 +1332,12 @@ typedef struct seaudit_model {} seaudit_model_t; + fail: + return; + }; +- seaudit_filter_match_e get_filter_match() { ++ %rename(get_filter_match) wrap_get_filter_match; ++ seaudit_filter_match_e wrap_get_filter_match() { + return seaudit_model_get_filter_match(self); + }; +- void set_filter_visible(seaudit_filter_visible_e vis) { ++ %rename(set_filter_visible) wrap_set_filter_visible; ++ void wrap_set_filter_visible(seaudit_filter_visible_e vis) { + BEGIN_EXCEPTION + if (seaudit_model_set_filter_visible(self, vis)) { + SWIG_exception(SWIG_RuntimeError, "Could not set filter visibility for model"); +@@ -1230,10 +1346,12 @@ typedef struct seaudit_model {} seaudit_model_t; + fail: + return; + }; +- seaudit_filter_visible_e get_filter_visible() { ++ %rename(get_filter_visible) wrap_get_filter_visible; ++ seaudit_filter_visible_e wrap_get_filter_visible() { + return seaudit_model_get_filter_visible(self); + }; +- void append_sort(seaudit_sort_t *ssort) { ++ %rename(append_sort) wrap_append_sort; ++ void wrap_append_sort(seaudit_sort_t *ssort) { + BEGIN_EXCEPTION + #ifdef SWIGJAVA + seaudit_sort_t *tmp = seaudit_sort_create_from_sort(ssort); +@@ -1250,7 +1368,8 @@ typedef struct seaudit_model {} seaudit_model_t; + fail: + return; + }; +- void clear_sorts() { ++ %rename(clear_sorts) wrap_clear_sorts; ++ void wrap_clear_sorts() { + BEGIN_EXCEPTION + if (seaudit_model_clear_sorts(self)) { + SWIG_exception(SWIG_RuntimeError, "Could not clear model sorting criteria"); +@@ -1259,11 +1378,13 @@ typedef struct seaudit_model {} seaudit_model_t; + fail: + return; + }; +- int is_changed() { ++ %rename(is_changed) wrap_is_changed; ++ int wrap_is_changed() { + return seaudit_model_is_changed(self); + }; + %newobject get_messages(seaudit_log_t*); +- apol_vector_t *get_messages(seaudit_log_t *slog) { ++ %rename(get_messages) wrap_get_messages; ++ apol_vector_t *wrap_get_messages(seaudit_log_t *slog) { + apol_vector_t *v = NULL; + BEGIN_EXCEPTION + v = seaudit_model_get_messages(slog, self); +@@ -1275,7 +1396,8 @@ typedef struct seaudit_model {} seaudit_model_t; + return v; + }; + %newobject get_malformed_messages(seaudit_log_t*); +- apol_vector_t *get_malformed_messages(seaudit_log_t *slog) { ++ %rename(get_malformed_messages) wrap_get_malformed_messages; ++ apol_vector_t *wrap_get_malformed_messages(seaudit_log_t *slog) { + apol_vector_t *v = NULL; + BEGIN_EXCEPTION + v = seaudit_model_get_malformed_messages(slog, self); +@@ -1286,19 +1408,24 @@ typedef struct seaudit_model {} seaudit_model_t; + fail: + return v; + }; +- void hide_message(seaudit_message_t *message) { ++ %rename(hide_message) wrap_hide_message; ++ void wrap_hide_message(seaudit_message_t *message) { + seaudit_model_hide_message(self, message); + }; +- size_t get_num_allows(seaudit_log_t *slog) { ++ %rename(get_num_allows) wrap_get_num_allows; ++ size_t wrap_get_num_allows(seaudit_log_t *slog) { + return seaudit_model_get_num_allows(slog, self); + }; +- size_t get_num_denies(seaudit_log_t *slog) { ++ %rename(get_num_denies) wrap_get_num_denies; ++ size_t wrap_get_num_denies(seaudit_log_t *slog) { + return seaudit_model_get_num_denies(slog, self); + }; +- size_t get_num_bools(seaudit_log_t *slog) { ++ %rename(get_num_bools) wrap_get_num_bools; ++ size_t wrap_get_num_bools(seaudit_log_t *slog) { + return seaudit_model_get_num_bools(slog, self); + }; +- size_t get_num_loads(seaudit_log_t *slog) { ++ %rename(get_num_loads) wrap_get_num_loads; ++ size_t wrap_get_num_loads(seaudit_log_t *slog) { + return seaudit_model_get_num_loads(slog, self); + }; + }; +@@ -1311,7 +1438,7 @@ typedef enum seaudit_report_format + } seaudit_report_format_e; + typedef struct seaudit_report {} seaudit_report_t; + %extend seaudit_report_t { +- seaudit_report_t(seaudit_model_t *m) { ++ seaudit_report(seaudit_model_t *m) { + seaudit_report_t *sr; + BEGIN_EXCEPTION + sr = seaudit_report_create(m); +@@ -1322,10 +1449,11 @@ typedef struct seaudit_report {} seaudit_report_t; + fail: + return sr; + }; +- ~seaudit_report_t() { ++ ~seaudit_report() { + seaudit_report_destroy(&self); + }; +- void write(seaudit_log_t *slog, char *path) { ++ %rename(write) wrap_write; ++ void wrap_write(seaudit_log_t *slog, char *path) { + BEGIN_EXCEPTION + if (seaudit_report_write(slog, self, path)) { + SWIG_exception(SWIG_RuntimeError, "Could not write report to file"); +@@ -1334,7 +1462,8 @@ typedef struct seaudit_report {} seaudit_report_t; + fail: + return; + }; +- void set_format(seaudit_log_t *slog, seaudit_report_format_e format) { ++ %rename(set_format) wrap_set_format; ++ void wrap_set_format(seaudit_log_t *slog, seaudit_report_format_e format) { + BEGIN_EXCEPTION + if (seaudit_report_set_format(slog, self, format)) { + SWIG_exception(SWIG_RuntimeError, "Could not set report format"); +@@ -1343,7 +1472,8 @@ typedef struct seaudit_report {} seaudit_report_t; + fail: + return; + }; +- void set_configuration(seaudit_log_t *slog, char *path) { ++ %rename(set_configuration) wrap_set_configuration; ++ void wrap_set_configuration(seaudit_log_t *slog, char *path) { + BEGIN_EXCEPTION + if (seaudit_report_set_configuration(slog, self, path)) { + SWIG_exception(SWIG_RuntimeError, "Could not set report configuration file"); +@@ -1352,7 +1482,8 @@ typedef struct seaudit_report {} seaudit_report_t; + fail: + return; + }; +- void set_stylesheet(seaudit_log_t *slog, char *path, int use_stylesheet) { ++ %rename(set_stylesheet) wrap_set_stylesheet; ++ void wrap_set_stylesheet(seaudit_log_t *slog, char *path, int use_stylesheet) { + BEGIN_EXCEPTION + if (seaudit_report_set_stylesheet(slog, self, path, use_stylesheet)) { + SWIG_exception(SWIG_RuntimeError, "Could not set report stylesheet"); +@@ -1361,7 +1492,8 @@ typedef struct seaudit_report {} seaudit_report_t; + fail: + return; + }; +- void set_malformed(seaudit_log_t *slog, int do_malformed) { ++ %rename(set_malformed) wrap_set_malformed; ++ void wrap_set_malformed(seaudit_log_t *slog, int do_malformed) { + BEGIN_EXCEPTION + if (seaudit_report_set_malformed(slog, self, do_malformed)) { + SWIG_exception(SWIG_RuntimeError, "Could not set report malformed flag"); +diff --git a/libsefs/src/db.cc b/libsefs/src/db.cc +index 88ad588..191d796 100644 +--- a/libsefs/src/db.cc ++++ b/libsefs/src/db.cc +@@ -479,8 +479,13 @@ int db_create_from_filesystem(sefs_fclist * fclist __attribute__ ((unused)), con + struct stat64 sb; + if (stat64(path, &sb) == -1) + { +- SEFS_ERR(dbc->_db, "%s", strerror(errno)); +- throw std::bad_alloc(); ++ /* If sym link broken/file not found, then ignore as this will allow ++ the index to be built. Useful when investigating broken systems. ++ Also see new_ftw.c comment regarding "lstat calls go through the ++ wrapper function" to stop index hanging on broken files. */ ++ link_target[127] = '\0'; ++ sb.st_mode = 0; ++ SEFS_WARN(dbc->_db, "Could not stat file: %s - ignoring", path); + } + if (S_ISLNK(sb.st_mode)) + { +diff --git a/libsefs/src/new_ftw.c b/libsefs/src/new_ftw.c +index 5ebaf29..10eb78f 100644 +--- a/libsefs/src/new_ftw.c ++++ b/libsefs/src/new_ftw.c +@@ -131,7 +131,11 @@ extern char *xgetcwd(void); + /* Arrange to make lstat calls go through the wrapper function + on systems with an lstat function that does not dereference symlinks + that are specified with a trailing slash. */ +-#if ! _LIBC && ! LSTAT_FOLLOWS_SLASHED_SYMLINK ++/* If this is used on Linux (Fedora) when a sym link or file is broken, ++ the file context function will hang forever: ++ #if ! _LIBC && ! LSTAT_FOLLOWS_SLASHED_SYMLINK ++ Therefore changed to this so uses Linux lstat function. */ ++#if _LIBC && ! LSTAT_FOLLOWS_SLASHED_SYMLINK + int rpl_lstat(const char *, struct stat *); + # undef lstat + # define lstat(Name, Stat_buf) rpl_lstat(Name, Stat_buf) +diff --git a/secmds/replcon.cc b/secmds/replcon.cc +index 34f7c1a..307c39f 100644 +--- a/secmds/replcon.cc ++++ b/secmds/replcon.cc +@@ -60,7 +60,7 @@ static struct option const longopts[] = { + {NULL, 0, NULL, 0} + }; + +-extern int lsetfilecon_raw(const char *, security_context_t) __attribute__ ((weak)); ++extern int lsetfilecon_raw(const char *, const char *) __attribute__ ((weak)); + + /** + * As that setools must work with older libselinux versions that may +diff --git a/sediff/progress.c b/sediff/progress.c +index efaa120..09730dc 100644 +--- a/sediff/progress.c ++++ b/sediff/progress.c +@@ -99,7 +99,7 @@ void progress_hide(progress_t * progress) + + int progress_wait(progress_t * progress) + { +- GTimeVal wait_time = { 0, 50000 }; ++ gint64 wait_time; + g_mutex_lock(progress->mutex); + while (!progress->done) { + if (progress->s != NULL) { +@@ -111,7 +111,8 @@ int progress_wait(progress_t * progress) + // still be loading, and this dialog should not block + // until the entire source has been read + gtk_main_iteration_do(FALSE); +- g_cond_timed_wait(progress->cond, progress->mutex, &wait_time); ++ wait_time = g_get_monotonic_time () + 50000; ++ g_cond_wait_until(progress->cond, progress->mutex, wait_time); + } + g_mutex_unlock(progress->mutex); + if (progress->done < 0) { diff --git a/setools.spec b/setools.spec index ceaf5f8..aad7228 100644 --- a/setools.spec +++ b/setools.spec @@ -3,7 +3,7 @@ Name: setools Version: %{setools_maj_ver}.%{setools_min_ver} -Release: 7%{?dist} +Release: 8.99.1%{?dist} License: GPLv2 URL: http://oss.tresys.com/projects/setools BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root @@ -11,6 +11,7 @@ Source: http://oss.tresys.com/projects/setools/chrome/site/dists/setools-%{versi Source1: setools.pam Source2: apol.desktop Source3: seaudit.desktop +Patch0: setools-TresysTechnology-setools3.patch Patch1: 0001-Since-we-do-not-ship-neverallow-rules-all-always-fai.patch Patch2: 0002-Fix-sepol-calls-to-work-with-latest-libsepol.patch Patch3: 0003-mgrepl-patch-to-Fix-swig-coding-style-for-structures.patch @@ -150,16 +151,17 @@ This package includes the following graphical tools: %prep %setup -q +%patch0 -p 1 -b .TresysTechnology-setools3 %patch1 -p 1 -b .neverallow %patch2 -p 1 -b .libsepol -%patch3 -p 1 -b .swig +# %patch3 -p 1 -b .swig %patch4 -p 1 -b .current_policy %patch5 -p 1 -b .seaudit %patch6 -p 1 -b .boolean-subs %patch7 -p 1 -b .noship %patch8 -p 1 -b .seinfo-t %patch9 -p 1 -b .sesearch-D -%patch10 -p 1 -b .wig-patch +# %patch10 -p 1 -b .wig-patch %patch11 -p 1 -b .Wformat-security %patch12 -p 1 -b .version @@ -281,6 +283,9 @@ rm -rf ${RPM_BUILD_ROOT} %postun libs-tcl -p /sbin/ldconfig %changelog +* Fri Jan 08 2016 Petr Lautrbach 3.3.8-8.99.1 +- Update to latest upstream sources from https://github.com/TresysTechnology/setools3.git + * Fri Jun 19 2015 Fedora Release Engineering - 3.3.8-7 - Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild