From 53af5b6865eceef9a172681e35ebdbee75f686bc Mon Sep 17 00:00:00 2001 From: Dan Walsh Date: Apr 12 2011 14:36:13 +0000 Subject: re-add Erics patch for filename transitions Update to upstream * Add new class field in role_transition by Harry Ciao. --- diff --git a/libsepol-rhat.patch b/libsepol-rhat.patch index 32a5b9d..99ac273 100644 --- a/libsepol-rhat.patch +++ b/libsepol-rhat.patch @@ -1,7 +1,8 @@ -diff -up libsepol-2.0.42/include/sepol/policydb/policydb.h.eparis libsepol-2.0.42/include/sepol/policydb/policydb.h ---- libsepol-2.0.42/include/sepol/policydb/policydb.h.eparis 2010-12-21 16:41:58.000000000 -0500 -+++ libsepol-2.0.42/include/sepol/policydb/policydb.h 2011-03-23 14:11:28.432820275 -0400 -@@ -135,6 +135,16 @@ typedef struct role_allow { +diff --git a/libsepol/include/sepol/policydb/policydb.h b/libsepol/include/sepol/policydb/policydb.h +index 94b8609..7b23a16 100644 +--- a/libsepol/include/sepol/policydb/policydb.h ++++ b/libsepol/include/sepol/policydb/policydb.h +@@ -136,6 +136,16 @@ typedef struct role_allow { struct role_allow *next; } role_allow_t; @@ -18,7 +19,7 @@ diff -up libsepol-2.0.42/include/sepol/policydb/policydb.h.eparis libsepol-2.0.4 /* Type attributes */ typedef struct type_datum { symtab_datum_t s; -@@ -245,6 +255,15 @@ typedef struct role_allow_rule { +@@ -247,6 +257,15 @@ typedef struct role_allow_rule { struct role_allow_rule *next; } role_allow_rule_t; @@ -34,7 +35,7 @@ diff -up libsepol-2.0.42/include/sepol/policydb/policydb.h.eparis libsepol-2.0.4 typedef struct range_trans_rule { type_set_t stypes; type_set_t ttypes; -@@ -374,6 +393,9 @@ typedef struct avrule_decl { +@@ -376,6 +395,9 @@ typedef struct avrule_decl { scope_index_t required; /* symbols needed to activate this block */ scope_index_t declared; /* symbols declared within this block */ 
@@ -44,7 +45,7 @@ diff -up libsepol-2.0.42/include/sepol/policydb/policydb.h.eparis libsepol-2.0.4 /* for additive statements (type attribute, roles, and users) */ symtab_t symtab[SYM_NUM]; -@@ -484,6 +506,9 @@ typedef struct policydb { +@@ -486,6 +508,9 @@ typedef struct policydb { /* role transitions */ role_trans_t *role_tr; @@ -54,7 +55,7 @@ diff -up libsepol-2.0.42/include/sepol/policydb/policydb.h.eparis libsepol-2.0.4 /* role allows */ role_allow_t *role_allow; -@@ -562,6 +587,8 @@ extern void avrule_destroy(avrule_t * x) +@@ -564,6 +589,8 @@ extern void avrule_destroy(avrule_t * x); extern void avrule_list_destroy(avrule_t * x); extern void role_trans_rule_init(role_trans_rule_t * x); extern void role_trans_rule_list_destroy(role_trans_rule_t * x); 
@@ -63,35 +64,36 @@ diff -up libsepol-2.0.42/include/sepol/policydb/policydb.h.eparis libsepol-2.0.4 extern void role_datum_init(role_datum_t * x); extern void role_datum_destroy(role_datum_t * x); -@@ -630,10 +657,11 @@ extern int policydb_set_target_platform( - #define POLICYDB_VERSION_POLCAP 22 +@@ -633,10 +660,11 @@ extern int policydb_set_target_platform(policydb_t *p, int platform); #define POLICYDB_VERSION_PERMISSIVE 23 #define POLICYDB_VERSION_BOUNDARY 24 -+#define POLICYDB_VERSION_FILENAME_TRANS 25 + #define POLICYDB_VERSION_ROLETRANS 26 ++#define POLICYDB_VERSION_FILENAME_TRANS 27 /* Range of policy versions we understand*/ #define POLICYDB_VERSION_MIN POLICYDB_VERSION_BASE --#define POLICYDB_VERSION_MAX POLICYDB_VERSION_BOUNDARY +-#define POLICYDB_VERSION_MAX POLICYDB_VERSION_ROLETRANS +#define POLICYDB_VERSION_MAX POLICYDB_VERSION_FILENAME_TRANS /* Module versions and specific changes*/ #define MOD_POLICYDB_VERSION_BASE 4 -@@ -645,9 +673,10 @@ extern int policydb_set_target_platform( - #define MOD_POLICYDB_VERSION_PERMISSIVE 8 +@@ -649,9 +677,10 @@ extern int policydb_set_target_platform(policydb_t *p, int platform); #define MOD_POLICYDB_VERSION_BOUNDARY 9 #define MOD_POLICYDB_VERSION_BOUNDARY_ALIAS 10 -+#define MOD_POLICYDB_VERSION_FILENAME_TRANS 11 + #define MOD_POLICYDB_VERSION_ROLETRANS 12 ++#define MOD_POLICYDB_VERSION_FILENAME_TRANS 13 #define MOD_POLICYDB_VERSION_MIN MOD_POLICYDB_VERSION_BASE --#define MOD_POLICYDB_VERSION_MAX MOD_POLICYDB_VERSION_BOUNDARY_ALIAS +-#define MOD_POLICYDB_VERSION_MAX MOD_POLICYDB_VERSION_ROLETRANS +#define MOD_POLICYDB_VERSION_MAX MOD_POLICYDB_VERSION_FILENAME_TRANS #define POLICYDB_CONFIG_MLS 1 -diff -up libsepol-2.0.42/src/avrule_block.c.eparis libsepol-2.0.42/src/avrule_block.c ---- libsepol-2.0.42/src/avrule_block.c.eparis 2010-12-21 16:41:58.000000000 -0500 -+++ libsepol-2.0.42/src/avrule_block.c 2011-03-23 12:15:48.241980087 -0400 -@@ -98,6 +98,7 @@ void avrule_decl_destroy(avrule_decl_t * +diff --git 
a/libsepol/src/avrule_block.c b/libsepol/src/avrule_block.c +index 8d1f8f6..16c89f3 100644 +--- a/libsepol/src/avrule_block.c ++++ b/libsepol/src/avrule_block.c +@@ -98,6 +98,7 @@ void avrule_decl_destroy(avrule_decl_t * x) cond_list_destroy(x->cond_list); avrule_list_destroy(x->avrules); role_trans_rule_list_destroy(x->role_tr_rules); @@ -99,10 +101,11 @@ diff -up libsepol-2.0.42/src/avrule_block.c.eparis libsepol-2.0.42/src/avrule_bl role_allow_rule_list_destroy(x->role_allow_rules); range_trans_rule_list_destroy(x->range_tr_rules); scope_index_destroy(&x->required); -diff -up libsepol-2.0.42/src/expand.c.eparis libsepol-2.0.42/src/expand.c ---- libsepol-2.0.42/src/expand.c.eparis 2010-12-21 16:41:58.000000000 -0500 -+++ libsepol-2.0.42/src/expand.c 2011-03-23 12:15:48.242980223 -0400 -@@ -1231,6 +1231,101 @@ static int copy_role_trans(expand_state_ +diff --git a/libsepol/src/expand.c b/libsepol/src/expand.c +index 8539f88..b1af365 100644 +--- a/libsepol/src/expand.c ++++ b/libsepol/src/expand.c +@@ -1237,6 +1237,101 @@ static int copy_role_trans(expand_state_t * state, role_trans_rule_t * rules) return 0; } @@ -204,7 +207,7 @@ diff -up libsepol-2.0.42/src/expand.c.eparis libsepol-2.0.42/src/expand.c static int exp_rangetr_helper(uint32_t stype, uint32_t ttype, uint32_t tclass, mls_semantic_range_t * trange, expand_state_t * state) -@@ -2374,6 +2469,9 @@ static int copy_and_expand_avrule_block( +@@ -2380,6 +2475,9 @@ static int copy_and_expand_avrule_block(expand_state_t * state) goto cleanup; } 
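Review bot: Renumbering `POLICYDB_VERSION_FILENAME_TRANS` from 25 to 27 and `MOD_POLICYDB_VERSION_FILENAME_TRANS` from 11 to 13 in the policydb.h part of this hunk changes a wire-format identifier: every kernel policy or module written by the previous package release (where this same patch stamped 25/11) now carries a version with no entry in `policydb_compat[]`, and every file this build writes carries 27/13, which an unpatched libsepol or kernel will not read as filename transitions. Since the hunk already shows upstream taking `POLICYDB_VERSION_ROLETRANS 26`, the earlier 25/11 assignment looks like the number that stays aligned with upstream, and moving to 27/13 is likely to collide with whatever upstream assigns next; the new defines deserve a comment stating the intent, e.g. `/* downstream-only numbering; must be re-synced with upstream before policies are exchanged across toolchains */`. The compat-table entries that consume these constants are in the policydb.c hunks below and are not visible here, so whether anything else still depends on the old numbers cannot be confirmed from this diff.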
@@ -214,10 +217,11 @@ diff -up libsepol-2.0.42/src/expand.c.eparis libsepol-2.0.42/src/expand.c /* expand the range transition rules */ if (expand_range_trans(state, decl->range_tr_rules)) goto cleanup; -diff -up libsepol-2.0.42/src/link.c.eparis libsepol-2.0.42/src/link.c ---- libsepol-2.0.42/src/link.c.eparis 2010-12-21 16:41:58.000000000 -0500 -+++ libsepol-2.0.42/src/link.c 2011-03-23 12:15:48.243980361 -0400 -@@ -1326,6 +1326,50 @@ static int copy_role_allow_list(role_all +diff --git a/libsepol/src/link.c b/libsepol/src/link.c +index e33db0f..23dbb1b 100644 +--- a/libsepol/src/link.c ++++ b/libsepol/src/link.c +@@ -1340,6 +1340,50 @@ static int copy_role_allow_list(role_allow_rule_t * list, return -1; } @@ -268,7 +272,7 @@ diff -up libsepol-2.0.42/src/link.c.eparis libsepol-2.0.42/src/link.c static int copy_range_trans_list(range_trans_rule_t * rules, range_trans_rule_t ** dst, policy_module_t * mod, link_state_t * state) -@@ -1568,6 +1612,11 @@ static int copy_avrule_decl(link_state_t +@@ -1582,6 +1626,11 @@ static int copy_avrule_decl(link_state_t * state, policy_module_t * module, return -1; } @@ -280,10 +284,11 @@ diff -up libsepol-2.0.42/src/link.c.eparis libsepol-2.0.42/src/link.c if (copy_range_trans_list(src_decl->range_tr_rules, &dest_decl->range_tr_rules, module, state)) return -1; -diff -up libsepol-2.0.42/src/policydb.c.eparis libsepol-2.0.42/src/policydb.c ---- libsepol-2.0.42/src/policydb.c.eparis 2010-12-21 16:41:58.000000000 -0500 -+++ libsepol-2.0.42/src/policydb.c 2011-03-23 12:15:48.244980498 -0400 -@@ -136,6 +136,13 @@ static struct policydb_compat_info polic +diff --git a/libsepol/src/policydb.c b/libsepol/src/policydb.c +index bbf3c88..d7be9fc 100644 +--- a/libsepol/src/policydb.c ++++ b/libsepol/src/policydb.c +@@ -143,6 +143,13 @@ static struct policydb_compat_info policydb_compat[] = { .ocon_num = OCON_NODE6 + 1, .target_platform = SEPOL_TARGET_SELINUX, }, 
@@ -297,7 +302,7 @@ diff -up libsepol-2.0.42/src/policydb.c.eparis libsepol-2.0.42/src/policydb.c { .type = POLICY_BASE, .version = MOD_POLICYDB_VERSION_BASE, -@@ -186,6 +193,13 @@ static struct policydb_compat_info polic +@@ -200,6 +207,13 @@ static struct policydb_compat_info policydb_compat[] = { .target_platform = SEPOL_TARGET_SELINUX, }, { @@ -311,7 +316,7 @@ diff -up libsepol-2.0.42/src/policydb.c.eparis libsepol-2.0.42/src/policydb.c .type = POLICY_MOD, .version = MOD_POLICYDB_VERSION_BASE, .sym_num = SYM_NUM, -@@ -234,6 +248,13 @@ static struct policydb_compat_info polic +@@ -255,6 +269,13 @@ static struct policydb_compat_info policydb_compat[] = { .ocon_num = 0, .target_platform = SEPOL_TARGET_SELINUX, }, @@ -325,7 +330,7 @@ diff -up libsepol-2.0.42/src/policydb.c.eparis libsepol-2.0.42/src/policydb.c }; #if 0 -@@ -433,6 +454,33 @@ void role_trans_rule_list_destroy(role_t +@@ -456,6 +477,33 @@ void role_trans_rule_list_destroy(role_trans_rule_t * x) } } @@ -359,7 +364,7 @@ diff -up libsepol-2.0.42/src/policydb.c.eparis libsepol-2.0.42/src/policydb.c void role_allow_rule_init(role_allow_rule_t * x) { memset(x, 0, sizeof(role_allow_rule_t)); -@@ -1112,6 +1160,7 @@ void policydb_destroy(policydb_t * p) +@@ -1135,6 +1183,7 @@ void policydb_destroy(policydb_t * p) role_allow_t *ra, *lra = NULL; role_trans_t *tr, *ltr = NULL; range_trans_t *rt, *lrt = NULL; @@ -367,7 +372,7 @@ diff -up libsepol-2.0.42/src/policydb.c.eparis libsepol-2.0.42/src/policydb.c if (!p) return; -@@ -1177,6 +1226,14 @@ void policydb_destroy(policydb_t * p) +@@ -1200,6 +1249,14 @@ void policydb_destroy(policydb_t * p) if (ltr) free(ltr); @@ -382,7 +387,7 @@ diff -up libsepol-2.0.42/src/policydb.c.eparis libsepol-2.0.42/src/policydb.c for (ra = p->role_allow; ra; ra = ra->next) { if (lra) free(lra); -@@ -2168,6 +2225,55 @@ int role_allow_read(role_allow_t ** r, s +@@ -2201,6 +2258,55 @@ int role_allow_read(role_allow_t ** r, struct policy_file *fp) return 0; } 
@@ -438,7 +443,7 @@ diff -up libsepol-2.0.42/src/policydb.c.eparis libsepol-2.0.42/src/policydb.c static int ocontext_read_xen(struct policydb_compat_info *info, policydb_t *p, struct policy_file *fp) { -@@ -2971,6 +3077,62 @@ static int role_allow_rule_read(role_all +@@ -3007,6 +3113,62 @@ static int role_allow_rule_read(role_allow_rule_t ** r, struct policy_file *fp) return 0; } @@ -501,7 +506,7 @@ diff -up libsepol-2.0.42/src/policydb.c.eparis libsepol-2.0.42/src/policydb.c static int range_trans_rule_read(range_trans_rule_t ** r, struct policy_file *fp) { -@@ -3064,6 +3226,11 @@ static int avrule_decl_read(policydb_t * +@@ -3100,6 +3262,11 @@ static int avrule_decl_read(policydb_t * p, avrule_decl_t * decl, role_allow_rule_read(&decl->role_allow_rules, fp) == -1) { return -1; } @@ -513,7 +518,7 @@ diff -up libsepol-2.0.42/src/policydb.c.eparis libsepol-2.0.42/src/policydb.c if (p->policyvers >= MOD_POLICYDB_VERSION_RANGETRANS && range_trans_rule_read(&decl->range_tr_rules, fp) == -1) { return -1; -@@ -3455,6 +3622,9 @@ int policydb_read(policydb_t * p, struct +@@ -3491,6 +3658,9 @@ int policydb_read(policydb_t * p, struct policy_file *fp, unsigned verbose) goto bad; if (role_allow_read(&p->role_allow, fp)) goto bad; @@ -523,10 +528,11 @@ diff -up libsepol-2.0.42/src/policydb.c.eparis libsepol-2.0.42/src/policydb.c } else { /* first read the AV rule blocks, then the scope tables */ avrule_block_destroy(p->global); -diff -up libsepol-2.0.42/src/write.c.eparis libsepol-2.0.42/src/write.c ---- libsepol-2.0.42/src/write.c.eparis 2010-12-21 16:41:58.000000000 -0500 -+++ libsepol-2.0.42/src/write.c 2011-03-23 12:15:48.245980639 -0400 -@@ -510,6 +510,42 @@ static int role_allow_write(role_allow_t +diff --git a/libsepol/src/write.c b/libsepol/src/write.c +index f9d59b6..c4f5035 100644 +--- a/libsepol/src/write.c ++++ b/libsepol/src/write.c +@@ -528,6 +528,42 @@ static int role_allow_write(role_allow_t * r, struct policy_file *fp) return POLICYDB_SUCCESS; } 
@@ -569,7 +575,7 @@ diff -up libsepol-2.0.42/src/write.c.eparis libsepol-2.0.42/src/write.c static int role_set_write(role_set_t * x, struct policy_file *fp) { size_t items; -@@ -1476,6 +1512,47 @@ static int role_allow_rule_write(role_al +@@ -1496,6 +1532,47 @@ static int role_allow_rule_write(role_allow_rule_t * r, struct policy_file *fp) return POLICYDB_SUCCESS; } @@ -617,7 +623,7 @@ diff -up libsepol-2.0.42/src/write.c.eparis libsepol-2.0.42/src/write.c static int range_trans_rule_write(range_trans_rule_t * t, struct policy_file *fp) { -@@ -1543,6 +1620,11 @@ static int avrule_decl_write(avrule_decl +@@ -1563,6 +1640,11 @@ static int avrule_decl_write(avrule_decl_t * decl, int num_scope_syms, role_allow_rule_write(decl->role_allow_rules, fp) == -1) { return POLICYDB_ERROR; } @@ -629,7 +635,7 @@ diff -up libsepol-2.0.42/src/write.c.eparis libsepol-2.0.42/src/write.c if (p->policyvers >= MOD_POLICYDB_VERSION_RANGETRANS && range_trans_rule_write(decl->range_tr_rules, fp) == -1) { return POLICYDB_ERROR; -@@ -1819,6 +1901,9 @@ int policydb_write(policydb_t * p, struc +@@ -1839,6 +1921,9 @@ int policydb_write(policydb_t * p, struct policy_file *fp) return POLICYDB_ERROR; if (role_allow_write(p->role_allow, fp)) return POLICYDB_ERROR; @@ -639,6 +645,3 @@ diff -up libsepol-2.0.42/src/write.c.eparis libsepol-2.0.42/src/write.c } else { if (avrule_block_write(p->global, num_syms, p, fp) == -1) { return POLICYDB_ERROR; - - - diff --git a/libsepol.spec b/libsepol.spec index bb4dcda..1ff2d76 100644 --- a/libsepol.spec +++ b/libsepol.spec @@ -1,10 +1,11 @@ Summary: SELinux binary policy manipulation library Name: libsepol Version: 2.0.43 -Release: 1%{?dist} +Release: 2%{?dist} License: LGPLv2+ Group: System Environment/Libraries Source: http://www.nsa.gov/selinux/archives/libsepol-%{version}.tgz +Patch: libsepol-rhat.patch URL: http://www.selinuxproject.org BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) 
@@ -45,6 +46,7 @@ needed for developing applications that manipulate binary policies. %prep %setup -q +%patch -p2 -b .rhat # sparc64 is an -fPIC arch, so we need to fix it here %ifarch sparc64 sed -i 's/fpic/fPIC/g' src/Makefile @@ -97,14 +99,12 @@ exit 0 /%{_lib}/libsepol.so.1 %changelog +* Tue Apr 29 2011 Dan Walsh 2.0.43-2 +- re-add Erics patch for filename transitions + * Tue Apr 29 2011 Dan Walsh 2.0.43-1 - * Give correct names to mount points in load_policy by Dan Walsh. - * Make sure selinux state is reported correctly if selinux is disabled or - fails to load by Dan Walsh. - * Fix crash if selinux_key_create was never called by Dan Walsh. - * Add new file_context.subs_dist for distro specific filecon substitutions - by Dan Walsh. - * Update man pages for selinux_color_* functions by Richard Haines. +-Update to upstream + * Add new class field in role_transition by Harry Ciao. * Tue Mar 29 2011 Dan Walsh 2.0.42-3 - Apply Eparis Patch @@ -115,7 +115,6 @@ the number of rules grows to an significant size I will likely choose to store these in a hash, both in libsepol and in the kernel. But as long as the number of such rules stays small, this should be good. - * Tue Feb 08 2011 Fedora Release Engineering - 2.0.42-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild