From 9d5bc6c8bd0d170eaa4ca9b59bb6812de9648775 Mon Sep 17 00:00:00 2001 From: Dan Walsh Date: Mar 29 2011 19:42:16 +0000 Subject: Patches from Eric Paris We just use random numbers to make menu selections. Use #defines and names that make some sense instead. --- diff --git a/checkpolicy-rhat.patch b/checkpolicy-rhat.patch index 135b82a..862db8c 100644 --- a/checkpolicy-rhat.patch +++ b/checkpolicy-rhat.patch @@ -10,3 +10,544 @@ diff --exclude-from=exclude -N -u -r nsacheckpolicy/policy_parse.y checkpolicy-2 | ipv4_addr_def /* version can look like ipv4 address */ ; avrules_block : avrule_decls avrule_user_defs +We just use random numbers to make menu selections. Use #defines and +names that make some sense instead. + +Signed-off-by: Eric Paris + +--- + +diff -up checkpolicy-2.0.23/test/dismod.c.eparis1 checkpolicy-2.0.23/test/dismod.c +--- checkpolicy-2.0.23/test/dismod.c.eparis1 2010-12-21 16:35:45.000000000 -0500 ++++ checkpolicy-2.0.23/test/dismod.c 2011-03-23 13:58:31.561072307 -0400 +@@ -45,6 +45,14 @@ + #define le32_to_cpu(x) bswap_32(x) + #endif + ++#define DISPLAY_AVBLOCK_COND_AVTAB 0 ++#define DISPLAY_AVBLOCK_UNCOND_AVTAB 1 ++#define DISPLAY_AVBLOCK_ROLE_TYPE_NODE 2 /* unused? */ ++#define DISPLAY_AVBLOCK_ROLE_TRANS 3 ++#define DISPLAY_AVBLOCK_ROLE_ALLOW 4 ++#define DISPLAY_AVBLOCK_REQUIRES 5 ++#define DISPLAY_AVBLOCK_DECLARES 6 ++ + static policydb_t policydb; + extern unsigned int ss_initialized; + +@@ -571,7 +579,7 @@ int display_avdecl(avrule_decl_t * decl, + fprintf(out_fp, "decl %u:%s\n", decl->decl_id, + (decl->enabled ? " [enabled]" : "")); + switch (field) { +- case 0:{ ++ case DISPLAY_AVBLOCK_COND_AVTAB:{ + cond_list_t *cond = decl->cond_list; + avrule_t *avrule; + while (cond) { +@@ -599,7 +607,7 @@ int display_avdecl(avrule_decl_t * decl, + } + break; + } +- case 1:{ ++ case DISPLAY_AVBLOCK_UNCOND_AVTAB:{ + avrule_t *avrule = decl->avrules; + if (avrule == NULL) { + fprintf(out_fp, " \n"); +@@ -613,26 +621,26 @@ int display_avdecl(avrule_decl_t * decl, + } + break; + } +- case 2:{ /* role_type_node */ ++ case DISPLAY_AVBLOCK_ROLE_TYPE_NODE:{ /* role_type_node */ + break; + } +- case 3:{ ++ case DISPLAY_AVBLOCK_ROLE_TRANS:{ + display_role_trans(decl->role_tr_rules, policy, out_fp); + break; + } +- case 4:{ ++ case DISPLAY_AVBLOCK_ROLE_ALLOW:{ + display_role_allow(decl->role_allow_rules, policy, + out_fp); + break; + } +- case 5:{ ++ case DISPLAY_AVBLOCK_REQUIRES:{ + if (display_scope_index + (&decl->required, policy, out_fp)) { + return -1; + } + break; + } +- case 6:{ ++ case DISPLAY_AVBLOCK_DECLARES:{ + if (display_scope_index + (&decl->declared, policy, out_fp)) { + return -1; +@@ -861,15 +869,16 @@ int main(int argc, char **argv) + fgets(ans, sizeof(ans), stdin); + switch (ans[0]) { + +- case '1':{ +- fprintf(out_fp, "unconditional avtab:\n"); +- display_avblock(1, RENDER_UNCONDITIONAL, +- &policydb, out_fp); +- break; +- } ++ case '1': ++ fprintf(out_fp, "unconditional avtab:\n"); ++ display_avblock(DISPLAY_AVBLOCK_UNCOND_AVTAB, ++ RENDER_UNCONDITIONAL, &policydb, ++ out_fp); ++ break; + case '2': + fprintf(out_fp, "conditional avtab:\n"); +- display_avblock(0, RENDER_UNCONDITIONAL, &policydb, ++ display_avblock(DISPLAY_AVBLOCK_COND_AVTAB, ++ RENDER_UNCONDITIONAL, &policydb, + out_fp); + break; + case '3': +@@ -892,11 +901,13 @@ int main(int argc, char **argv) + break; + case '7': + fprintf(out_fp, "role transitions:\n"); +- display_avblock(3, 0, &policydb, out_fp); ++ display_avblock(DISPLAY_AVBLOCK_ROLE_TRANS, 0, ++ &policydb, out_fp); + break; + case '8': + fprintf(out_fp, "role allows:\n"); +- display_avblock(4, 0, &policydb, out_fp); ++ display_avblock(DISPLAY_AVBLOCK_ROLE_ALLOW, 0, ++ &policydb, out_fp); + break; + case '9': + display_policycon(&policydb, out_fp); +@@ -906,11 +917,13 @@ int main(int argc, char **argv) + break; + case 'a': + fprintf(out_fp, "avrule block requirements:\n"); +- display_avblock(5, 0, &policydb, out_fp); ++ display_avblock(DISPLAY_AVBLOCK_REQUIRES, 0, ++ &policydb, out_fp); + break; + case 'b': + fprintf(out_fp, "avrule block declarations:\n"); +- display_avblock(6, 0, &policydb, out_fp); ++ display_avblock(DISPLAY_AVBLOCK_DECLARES, 0, ++ &policydb, out_fp); + break; + case 'c': + display_policycaps(&policydb, out_fp); + + + +-- +This message was distributed to subscribers of the selinux mailing list. +If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with +the words "unsubscribe selinux" without quotes as the message. +This patch adds support for using the last path component as part of the +information in making labeling decisions for new objects. A example +rule looks like so: + +type_transition unconfined_t etc_t:file system_conf_t eric; + +This rule says if unconfined_t creates a file in a directory labeled +etc_t and the last path component is "eric" (no globbing, no matching +magic, just exact strcmp) it should be labeled system_conf_t. + +The kernel and policy representation does not have support for such +rules in conditionals, and thus policy explicitly notes that fact if +such a rule is added to a conditional. + +Signed-off-by: Eric Paris +--- + +diff -up checkpolicy-2.0.23/module_compiler.c.eparis2 checkpolicy-2.0.23/module_compiler.c +--- checkpolicy-2.0.23/module_compiler.c.eparis2 2010-12-21 16:35:45.000000000 -0500 ++++ checkpolicy-2.0.23/module_compiler.c 2011-03-23 14:19:51.152530839 -0400 +@@ -1313,6 +1313,18 @@ void append_role_allow(role_allow_rule_t + } + + /* this doesn't actually append, but really prepends it */ ++void append_filename_trans(filename_trans_rule_t * filename_trans_rules) ++{ ++ avrule_decl_t *decl = stack_top->decl; ++ ++ /* filename transitions are not allowed within conditionals */ ++ assert(stack_top->type == 1); ++ ++ filename_trans_rules->next = decl->filename_trans_rules; ++ decl->filename_trans_rules = filename_trans_rules; ++} ++ ++/* this doesn't actually append, but really prepends it */ + void append_range_trans(range_trans_rule_t * range_tr_rules) + { + avrule_decl_t *decl = stack_top->decl; +diff -up checkpolicy-2.0.23/module_compiler.h.eparis2 checkpolicy-2.0.23/module_compiler.h +--- checkpolicy-2.0.23/module_compiler.h.eparis2 2010-12-21 16:35:45.000000000 -0500 ++++ checkpolicy-2.0.23/module_compiler.h 2011-03-23 14:19:51.154531123 -0400 +@@ -80,6 +80,7 @@ void append_avrule(avrule_t * avrule); + void append_role_trans(role_trans_rule_t * role_tr_rules); + void append_role_allow(role_allow_rule_t * role_allow_rules); + void append_range_trans(range_trans_rule_t * range_tr_rules); ++void append_filename_trans(filename_trans_rule_t * filename_trans_rules); + + /* Create a new optional block and add it to the global policy. + * During the second pass resolve the block's requirements. Return 0 +diff -up checkpolicy-2.0.23/policy_define.c.eparis2 checkpolicy-2.0.23/policy_define.c +--- checkpolicy-2.0.23/policy_define.c.eparis2 2010-12-21 16:35:45.000000000 -0500 ++++ checkpolicy-2.0.23/policy_define.c 2011-03-28 13:50:57.667710915 -0400 +@@ -2196,6 +2196,190 @@ int define_role_allow(void) + return 0; + } + ++avrule_t *define_cond_filename_trans(void) ++{ ++ yyerror("type transitions with a filename not allowed inside " ++ "conditionals\n"); ++ return COND_ERR; ++} ++ ++int define_filename_trans(void) ++{ ++ char *id, *name = NULL; ++ type_set_t stypes, ttypes; ++ ebitmap_t e_stypes, e_ttypes; ++ ebitmap_t e_tclasses; ++ ebitmap_node_t *snode, *tnode, *cnode; ++ filename_trans_t *ft; ++ filename_trans_rule_t *ftr; ++ class_datum_t *cladatum; ++ type_datum_t *typdatum; ++ uint32_t otype; ++ unsigned int c, s, t; ++ int add; ++ ++ if (pass == 1) { ++ /* stype */ ++ while ((id = queue_remove(id_queue))) ++ free(id); ++ /* ttype */ ++ while ((id = queue_remove(id_queue))) ++ free(id); ++ /* tclass */ ++ while ((id = queue_remove(id_queue))) ++ free(id); ++ /* otype */ ++ id = queue_remove(id_queue); ++ free(id); ++ /* name */ ++ id = queue_remove(id_queue); ++ free(id); ++ return 0; ++ } ++ ++ ++ add = 1; ++ type_set_init(&stypes); ++ while ((id = queue_remove(id_queue))) { ++ if (set_types(&stypes, id, &add, 0)) ++ goto bad; ++ } ++ ++ add =1; ++ type_set_init(&ttypes); ++ while ((id = queue_remove(id_queue))) { ++ if (set_types(&ttypes, id, &add, 0)) ++ goto bad; ++ } ++ ++ ebitmap_init(&e_tclasses); ++ while ((id = queue_remove(id_queue))) { ++ if (!is_id_in_scope(SYM_CLASSES, id)) { ++ yyerror2("class %s is not within scope", id); ++ free(id); ++ goto bad; ++ } ++ cladatum = hashtab_search(policydbp->p_classes.table, id); ++ if (!cladatum) { ++ yyerror2("unknown class %s", id); ++ goto bad; ++ } ++ if (ebitmap_set_bit(&e_tclasses, cladatum->s.value - 1, TRUE)) { ++ yyerror("Out of memory"); ++ goto bad; ++ } ++ free(id); ++ } ++ ++ id = (char *)queue_remove(id_queue); ++ if (!id) { ++ yyerror("no otype in transition definition?"); ++ goto bad; ++ } ++ if (!is_id_in_scope(SYM_TYPES, id)) { ++ yyerror2("type %s is not within scope", id); ++ free(id); ++ goto bad; ++ } ++ typdatum = hashtab_search(policydbp->p_types.table, id); ++ if (!typdatum) { ++ yyerror2("unknown type %s used in transition definition", id); ++ goto bad; ++ } ++ free(id); ++ otype = typdatum->s.value; ++ ++ name = queue_remove(id_queue); ++ if (!name) { ++ yyerror("no pathname specified in filename_trans definition?"); ++ goto bad; ++ } ++ ++ /* We expand the class set into seperate rules. We expand the types ++ * just to make sure there are not duplicates. They will get turned ++ * into seperate rules later */ ++ ebitmap_init(&e_stypes); ++ if (type_set_expand(&stypes, &e_stypes, policydbp, 1)) ++ goto bad; ++ ++ ebitmap_init(&e_ttypes); ++ if (type_set_expand(&ttypes, &e_ttypes, policydbp, 1)) ++ goto bad; ++ ++ ebitmap_for_each_bit(&e_tclasses, cnode, c) { ++ if (!ebitmap_node_get_bit(cnode, c)) ++ continue; ++ ebitmap_for_each_bit(&e_stypes, snode, s) { ++ if (!ebitmap_node_get_bit(snode, s)) ++ continue; ++ ebitmap_for_each_bit(&e_ttypes, tnode, t) { ++ if (!ebitmap_node_get_bit(tnode, t)) ++ continue; ++ ++ for (ft = policydbp->filename_trans; ft; ft = ft->next) { ++ if (ft->stype == (s + 1) && ++ ft->ttype == (t + 1) && ++ ft->tclass == (c + 1) && ++ !strcmp(ft->name, name)) { ++ yyerror2("duplicate filename transition for: filename_trans %s %s %s:%s", ++ name, ++ policydbp->p_type_val_to_name[s], ++ policydbp->p_type_val_to_name[t], ++ policydbp->p_class_val_to_name[c]); ++ goto bad; ++ } ++ } ++ ++ ft = malloc(sizeof(*ft)); ++ if (!ft) { ++ yyerror("out of memory"); ++ goto bad; ++ } ++ memset(ft, 0, sizeof(*ft)); ++ ++ ft->next = policydbp->filename_trans; ++ policydbp->filename_trans = ft; ++ ++ ft->name = strdup(name); ++ if (!ft->name) { ++ yyerror("out of memory"); ++ goto bad; ++ } ++ ft->stype = s + 1; ++ ft->ttype = t + 1; ++ ft->tclass = c + 1; ++ ft->otype = otype; ++ } ++ } ++ ++ /* Now add the real rule since we didn't find any duplicates */ ++ ftr = malloc(sizeof(*ftr)); ++ if (!ftr) { ++ yyerror("out of memory"); ++ goto bad; ++ } ++ filename_trans_rule_init(ftr); ++ append_filename_trans(ftr); ++ ++ ftr->name = strdup(name); ++ ftr->stypes = stypes; ++ ftr->ttypes = ttypes; ++ ftr->tclass = c + 1; ++ ftr->otype = otype; ++ } ++ ++ free(name); ++ ebitmap_destroy(&e_stypes); ++ ebitmap_destroy(&e_ttypes); ++ ebitmap_destroy(&e_tclasses); ++ ++ return 0; ++ ++bad: ++ free(name); ++ return -1; ++} ++ + static constraint_expr_t *constraint_expr_clone(constraint_expr_t * expr) + { + constraint_expr_t *h = NULL, *l = NULL, *e, *newe; +diff -up checkpolicy-2.0.23/policy_define.h.eparis2 checkpolicy-2.0.23/policy_define.h +--- checkpolicy-2.0.23/policy_define.h.eparis2 2010-12-21 16:35:45.000000000 -0500 ++++ checkpolicy-2.0.23/policy_define.h 2011-03-28 13:50:05.489297128 -0400 +@@ -16,6 +16,7 @@ + avrule_t *define_cond_compute_type(int which); + avrule_t *define_cond_pol_list(avrule_t *avlist, avrule_t *stmt); + avrule_t *define_cond_te_avtab(int which); ++avrule_t *define_cond_filename_trans(void); + cond_expr_t *define_cond_expr(uint32_t expr_type, void *arg1, void* arg2); + int define_attrib(void); + int define_av_perms(int inherits); +@@ -47,6 +48,7 @@ int define_range_trans(int class_specifi + int define_role_allow(void); + int define_role_trans(void); + int define_role_types(void); ++int define_filename_trans(void); + int define_sens(void); + int define_te_avtab(int which); + int define_typealias(void); +diff -up checkpolicy-2.0.23/policy_parse.y.eparis2 checkpolicy-2.0.23/policy_parse.y +--- checkpolicy-2.0.23/policy_parse.y.eparis2 2011-03-23 14:19:51.133528148 -0400 ++++ checkpolicy-2.0.23/policy_parse.y 2011-03-28 13:49:03.489482156 -0400 +@@ -342,7 +342,10 @@ cond_rule_def : cond_transitio + | require_block + { $$ = NULL; } + ; +-cond_transition_def : TYPE_TRANSITION names names ':' names identifier ';' ++cond_transition_def : TYPE_TRANSITION names names ':' names identifier identifier ';' ++ { $$ = define_cond_filename_trans() ; ++ if ($$ == COND_ERR) return -1;} ++ | TYPE_TRANSITION names names ':' names identifier ';' + { $$ = define_cond_compute_type(AVRULE_TRANSITION) ; + if ($$ == COND_ERR) return -1;} + | TYPE_MEMBER names names ':' names identifier ';' +@@ -377,7 +380,10 @@ cond_dontaudit_def : DONTAUDIT names nam + { $$ = define_cond_te_avtab(AVRULE_DONTAUDIT); + if ($$ == COND_ERR) return -1; } + ; +-transition_def : TYPE_TRANSITION names names ':' names identifier ';' ++ ; ++transition_def : TYPE_TRANSITION names names ':' names identifier identifier ';' ++ {if (define_filename_trans()) return -1; } ++ | TYPE_TRANSITION names names ':' names identifier ';' + {if (define_compute_type(AVRULE_TRANSITION)) return -1;} + | TYPE_MEMBER names names ':' names identifier ';' + {if (define_compute_type(AVRULE_MEMBER)) return -1;} +diff -up checkpolicy-2.0.23/test/dismod.c.eparis2 checkpolicy-2.0.23/test/dismod.c +--- checkpolicy-2.0.23/test/dismod.c.eparis2 2011-03-23 14:19:51.142529423 -0400 ++++ checkpolicy-2.0.23/test/dismod.c 2011-03-23 14:19:51.160531973 -0400 +@@ -52,6 +52,7 @@ + #define DISPLAY_AVBLOCK_ROLE_ALLOW 4 + #define DISPLAY_AVBLOCK_REQUIRES 5 + #define DISPLAY_AVBLOCK_DECLARES 6 ++#define DISPLAY_AVBLOCK_FILENAME_TRANS 7 + + static policydb_t policydb; + extern unsigned int ss_initialized; +@@ -480,6 +481,18 @@ void display_role_allow(role_allow_rule_ + } + } + ++void display_filename_trans(filename_trans_rule_t * tr, policydb_t * p, FILE * fp) ++{ ++ for (; tr; tr = tr->next) { ++ fprintf(fp, "filename transition %s", tr->name); ++ display_type_set(&tr->stypes, 0, p, fp); ++ display_type_set(&tr->ttypes, 0, p, fp); ++ display_id(p, fp, SYM_CLASSES, tr->tclass - 1, ":"); ++ display_id(p, fp, SYM_TYPES, tr->otype - 1, ""); ++ fprintf(fp, "\n"); ++ } ++} ++ + int role_display_callback(hashtab_key_t key, hashtab_datum_t datum, void *data) + { + role_datum_t *role; +@@ -647,6 +660,11 @@ int display_avdecl(avrule_decl_t * decl, + } + break; + } ++ case DISPLAY_AVBLOCK_FILENAME_TRANS: ++ display_filename_trans(decl->filename_trans_rules, policy, ++ out_fp); ++ return -1; ++ break; + default:{ + assert(0); + } +@@ -812,6 +830,7 @@ int menu() + printf("c) Display policy capabilities\n"); + printf("l) Link in a module\n"); + printf("u) Display the unknown handling setting\n"); ++ printf("F) Display filename_trans rules\n"); + printf("\n"); + printf("f) set output file\n"); + printf("m) display menu\n"); +@@ -947,6 +966,11 @@ int main(int argc, char **argv) + if (out_fp != stdout) + printf("\nOutput to file: %s\n", OutfileName); + break; ++ case 'F': ++ fprintf(out_fp, "filename_trans rules:\n"); ++ display_avblock(DISPLAY_AVBLOCK_FILENAME_TRANS, ++ 0, &policydb, out_fp); ++ break; + case 'l': + link_module(&policydb, out_fp); + break; +diff -up checkpolicy-2.0.23/test/dispol.c.eparis2 checkpolicy-2.0.23/test/dispol.c +--- checkpolicy-2.0.23/test/dispol.c.eparis2 2010-12-21 16:35:45.000000000 -0500 ++++ checkpolicy-2.0.23/test/dispol.c 2011-03-23 14:19:51.162532256 -0400 +@@ -341,6 +341,21 @@ static void display_permissive(policydb_ + } + } + ++static void display_filename_trans(policydb_t *p, FILE *fp) ++{ ++ filename_trans_t *ft; ++ ++ fprintf(fp, "filename_trans rules:\n"); ++ for (ft = p->filename_trans; ft; ft = ft->next) { ++ fprintf(fp, "%s\n", ft->name); ++ display_id(p, fp, SYM_TYPES, ft->stype - 1, ""); ++ display_id(p, fp, SYM_TYPES, ft->ttype - 1, ""); ++ display_id(p, fp, SYM_CLASSES, ft->tclass - 1, ":"); ++ display_id(p, fp, SYM_TYPES, ft->otype - 1, ""); ++ fprintf(fp, "\n"); ++ } ++} ++ + int menu() + { + printf("\nSelect a command:\n"); +@@ -355,6 +370,8 @@ int menu() + printf("c) display policy capabilities\n"); + printf("p) display the list of permissive types\n"); + printf("u) display unknown handling setting\n"); ++ printf("F) display filename_trans rules\n"); ++ printf("\n"); + printf("f) set output file\n"); + printf("m) display menu\n"); + printf("q) quit\n"); +@@ -492,6 +509,9 @@ int main(int argc, char **argv) + if (out_fp != stdout) + printf("\nOutput to file: %s\n", OutfileName); + break; ++ case 'F': ++ display_filename_trans(&policydb, out_fp); ++ break; + case 'q': + policydb_destroy(&policydb); + exit(0); + + + +-- +This message was distributed to subscribers of the selinux mailing list. +If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with +the words "unsubscribe selinux" without quotes as the message. diff --git a/checkpolicy.spec b/checkpolicy.spec index e030755..f69465a 100644 --- a/checkpolicy.spec +++ b/checkpolicy.spec @@ -1,8 +1,8 @@ -%define libsepolver 2.0.39-1 +%define libsepolver 2.0.42-3 Summary: SELinux policy compiler Name: checkpolicy Version: 2.0.23 -Release: 3%{?dist} +Release: 4%{?dist} License: GPLv2 Group: Development/System Source: http://www.nsa.gov/selinux/archives/%{name}-%{version}.tgz @@ -57,6 +57,26 @@ rm -rf ${RPM_BUILD_ROOT} %{_bindir}/sedispol %changelog +* Tue Mar 29 2011 Dan Walsh - 2.0.23-4 +- Patches from Eric Paris +We just use random numbers to make menu selections. Use #defines and +names that make some sense instead. + +This patch adds support for using the last path component as part of the +information in making labeling decisions for new objects. A example +rule looks like so: + +type_transition unconfined_t etc_t:file system_conf_t eric; + +This rule says if unconfined_t creates a file in a directory labeled +etc_t and the last path component is "eric" (no globbing, no matching +magic, just exact strcmp) it should be labeled system_conf_t. + +The kernel and policy representation does not have support for such +rules in conditionals, and thus policy explicitly notes that fact if +such a rule is added to a conditional. + + * Tue Feb 08 2011 Fedora Release Engineering - 2.0.23-3 - Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild