From 0708d417f5992c96f65912d1a6554df8fe042dc4 Mon Sep 17 00:00:00 2001
From: Dan Walsh
Date: Sep 20 2011 14:06:14 +0000
Subject: Fix checkpolicy to ignore '"' in filename trans rules
---
diff --git a/checkpolicy-rhat.patch b/checkpolicy-rhat.patch
index e69de29..971e35f 100644
--- a/checkpolicy-rhat.patch
+++ b/checkpolicy-rhat.patch
@@ -0,0 +1,42 @@
+diff --git a/checkpolicy/policy_parse.y b/checkpolicy/policy_parse.y
+index 49ac15f..1e3ef6f 100644
+--- a/checkpolicy/policy_parse.y
++++ b/checkpolicy/policy_parse.y
+@@ -353,7 +353,7 @@ cond_rule_def : cond_transition_def
+ | require_block
+ { $$ = NULL; }
+ ;
+-cond_transition_def : TYPE_TRANSITION names names ':' names identifier filename ';'
++cond_transition_def : TYPE_TRANSITION names names ':' names identifier '\"' filename '\"' ';'
+ { $$ = define_cond_filename_trans() ;
+ if ($$ == COND_ERR) return -1;}
+ | TYPE_TRANSITION names names ':' names identifier ';'
+@@ -391,7 +391,7 @@ cond_dontaudit_def : DONTAUDIT names names ':' names names ';'
+ { $$ = define_cond_te_avtab(AVRULE_DONTAUDIT);
+ if ($$ == COND_ERR) return -1; }
+ ;
+-transition_def : TYPE_TRANSITION names names ':' names identifier filename ';'
++transition_def : TYPE_TRANSITION names names ':' names identifier '\"' filename '\"' ';'
+ {if (define_filename_trans()) return -1; }
+ | TYPE_TRANSITION names names ':' names identifier ';'
+ {if (define_compute_type(AVRULE_TRANSITION)) return -1;}
+diff --git a/checkpolicy/policy_scan.l b/checkpolicy/policy_scan.l
+index a61e0db..2ba5971 100644
+--- a/checkpolicy/policy_scan.l
++++ b/checkpolicy/policy_scan.l
+@@ -227,7 +227,6 @@ PERMISSIVE { return(PERMISSIVE); }
+ {digit}{1,3}(\.{digit}{1,3}){3} { return(IPV4_ADDR); }
+ {hexval}{0,4}":"{hexval}{0,4}":"({hexval}|[:.])* { return(IPV6_ADDR); }
+ {digit}+(\.({alnum}|[_.])*)? { return(VERSION_IDENTIFIER); }
+-\"({alnum}|[_\.\-])+\" { return(FILENAME); }
+ {alnum}* { return(FILENAME); }
+ \.({alnum}|[_\.\-])* { return(FILENAME); }
+ {letter}+([-_\.]|{alnum})+ { return(FILENAME); }
+@@ -253,6 +252,7 @@ PERMISSIVE { return(PERMISSIVE); }
+ "-" |
+ "." |
+ "]" |
++"\"" |
+ "~" |
+ "*" { return(yytext[0]); }
+ . { yywarn("unrecognized character");}
diff --git a/checkpolicy.spec b/checkpolicy.spec
index 91f66b1..11257b3 100644
--- a/checkpolicy.spec
+++ b/checkpolicy.spec
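Review bot: Removing the `\"({alnum}|[_\.\-])+\"` rule in the policy_scan.l hunk narrows which quoted filenames still scan as FILENAME, so the new `'\"' filename '\"'` grammar in policy_parse.y only works for names the three surviving FILENAME rules cover. A quoted name the removed rule accepted but none of the remaining rules match is now a parse error instead of a filename: an all-digit name such as `"123"` scans as VERSION_IDENTIFIER because the earlier `{digit}+...` rule wins the same-length tie, and a name starting with `_` or `-` would only survive if `{alnum}` includes those characters, which I cannot see from this hunk. Whether the `filename` nonterminal (defined outside the hunk) has a fallback for VERSION_IDENTIFIER is also not visible here, so a test policy with a type_transition filename of that shape would settle it. A short comment on the new `"\""` line would help the next reader, e.g. `/* quote delimiters for type_transition filenames; the body is tokenized by the FILENAME rules above, so names those rules reject are parse errors */`.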
@@ -2,10 +2,11 @@ Summary: SELinux policy compiler
Name: checkpolicy
Version: 2.1.5
-Release: 1%{?dist}
+Release: 2%{?dist}
License: GPLv2
Group: Development/System
Source: http://www.nsa.gov/selinux/archives/%{name}-%{version}.tgz
+Patch: checkpolicy-rhat.patch
BuildRoot: %{_tmppath}/%{name}-buildroot
BuildRequires: byacc bison flex flex-static libsepol-static >= %{libsepolver} libselinux-devel
@@ -26,6 +27,7 @@ Only required for building policies.
%prep
%setup -q
+%patch -p2 -b .rhat
%build
make clean
@@ -53,7 +55,10 @@ rm -rf ${RPM_BUILD_ROOT}
%{_bindir}/sedispol
%changelog
-* Mon Sep 19 2011 Dan Walsh - 2.1.5-0
+* Tue Sep 20 2011 Dan Walsh - 2.1.5-2
+- Fix checkpolicy to ignore '"' in filename trans rules
+
+* Mon Sep 19 2011 Dan Walsh - 2.1.5-1
-Update to upstream
* Separate tunable from boolean during compile.