From aac9abeb50a2a382a80bba971eb6dbdce7115e83 Mon Sep 17 00:00:00 2001 From: Petr Lautrbach Date: Aug 01 2016 08:46:53 +0000 Subject: libsepol-2.5-9 - Warn instead of fail if permission is not resolved - Ignore object_r when adding userrole mappings to policydb --- diff --git a/libsepol-fedora.patch b/libsepol-fedora.patch index 4180158..23df58b 100644 --- a/libsepol-fedora.patch +++ b/libsepol-fedora.patch @@ -19,10 +19,12 @@ index a43b343..6d89f17 100644 $(LOCAL_PATH)/include/ \ $(LOCAL_PATH)/src/ \ diff --git libsepol-2.5/ChangeLog libsepol-2.5/ChangeLog -index ace3d54..4c997c5 100644 +index ace3d54..b45f3ad 100644 --- libsepol-2.5/ChangeLog +++ libsepol-2.5/ChangeLog -@@ -1,3 +1,21 @@ +@@ -1,3 +1,23 @@ ++ * Warn instead of fail if permission is not resolved, from James Carter. ++ * Ignore object_r when adding userrole mappings to policydb, from Steve Lawrence. + * Add missing return to sepol_node_query(), from Petr Lautrbach. + * Add missing include, from Thomas Petazzoni. + * Correctly detect unknown classes in sepol_string_to_security_class, from Joshua Brindle. @@ -118,7 +120,7 @@ index afdc240..929ab19 100644 + (*info)->path = NULL; +} diff --git libsepol-2.5/cil/src/cil_binary.c libsepol-2.5/cil/src/cil_binary.c -index f749e53..5d03127 100644 +index f749e53..46fea4b 100644 --- libsepol-2.5/cil/src/cil_binary.c +++ libsepol-2.5/cil/src/cil_binary.c @@ -31,6 +31,9 @@ 
@@ -146,7 +148,20 @@ index f749e53..5d03127 100644 } } -@@ -1770,13 +1775,12 @@ int __cil_cond_to_policydb_helper(struct cil_tree_node *node, __attribute__((unu +@@ -749,6 +754,12 @@ int cil_userrole_to_policydb(policydb_t *pdb, const struct cil_db *db, struct ci + goto exit; + } + ++ if (sepol_role->s.value == 1) { ++ // role is object_r, ignore it since it is implicitly associated ++ // with all users ++ continue; ++ } ++ + if (ebitmap_set_bit(&sepol_user->roles.roles, sepol_role->s.value - 1, 1)) { + cil_log(CIL_INFO, "Failed to set role bit for user\n"); + rc = SEPOL_ERR; +@@ -1770,13 +1781,12 @@ int __cil_cond_to_policydb_helper(struct cil_tree_node *node, __attribute__((unu cil_typetrans = (struct cil_nametypetransition*)node->data; if (DATUM(cil_typetrans->name)->fqn != CIL_KEY_STAR) { cil_log(CIL_ERR, "typetransition with file name not allowed within a booleanif block.\n"); @@ -162,7 +177,7 @@ index f749e53..5d03127 100644 goto exit; } break; -@@ -1784,7 +1788,7 @@ int __cil_cond_to_policydb_helper(struct cil_tree_node *node, __attribute__((unu +@@ -1784,7 +1794,7 @@ int __cil_cond_to_policydb_helper(struct cil_tree_node *node, __attribute__((unu cil_type_rule = node->data; rc = __cil_type_rule_to_avtab(pdb, db, cil_type_rule, cond_node, cond_flavor); if (rc != SEPOL_OK) { @@ -171,7 +186,7 @@ index f749e53..5d03127 100644 goto exit; } break; -@@ -1792,7 +1796,7 @@ int __cil_cond_to_policydb_helper(struct cil_tree_node *node, __attribute__((unu +@@ -1792,7 +1802,7 @@ int __cil_cond_to_policydb_helper(struct cil_tree_node *node, __attribute__((unu cil_avrule = node->data; rc = __cil_avrule_to_avtab(pdb, db, cil_avrule, cond_node, cond_flavor); if (rc != SEPOL_OK) { 
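Review bot: The new object_r guard in cil_userrole_to_policydb tests a bare magic number, `if (sepol_role->s.value == 1)`, and only the comment says which role that is; the enclosing function starts outside this hunk. libsepol fixes object_r at value 1, and policydb.h names that constant, so if it is in scope here I would write `if (sepol_role->s.value == OBJECT_R_VAL) {` and keep the comment, which makes the assumption checkable rather than implicit. If that constant is not reachable from cil_binary.c, the alternative is to compare the role's name against "object_r" where sepol_role is looked up, so a future change to role numbering cannot silently turn this skip into skipping a real role (which would drop a user-role mapping from the compiled policy). Either way the `continue` is the right shape, since object_r is implicitly associated with every user and setting its bit would be redundant.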
@@ -180,7 +195,7 @@ index f749e53..5d03127 100644 goto exit; } break; -@@ -1800,8 +1804,7 @@ int __cil_cond_to_policydb_helper(struct cil_tree_node *node, __attribute__((unu +@@ -1800,8 +1810,7 @@ int __cil_cond_to_policydb_helper(struct cil_tree_node *node, __attribute__((unu case CIL_TUNABLEIF: break; default: @@ -190,7 +205,7 @@ index f749e53..5d03127 100644 goto exit; } -@@ -2060,14 +2063,13 @@ int cil_booleanif_to_policydb(policydb_t *pdb, const struct cil_db *db, struct c +@@ -2060,14 +2069,13 @@ int cil_booleanif_to_policydb(policydb_t *pdb, const struct cil_db *db, struct c tmp_cond = cond_node_create(pdb, NULL); if (tmp_cond == NULL) { rc = SEPOL_ERR; @@ -207,7 +222,7 @@ index f749e53..5d03127 100644 goto exit; } -@@ -2123,7 +2125,7 @@ int cil_booleanif_to_policydb(policydb_t *pdb, const struct cil_db *db, struct c +@@ -2123,7 +2131,7 @@ int cil_booleanif_to_policydb(policydb_t *pdb, const struct cil_db *db, struct c bool_args.cond_flavor = CIL_CONDTRUE; rc = cil_tree_walk(true_node, __cil_cond_to_policydb_helper, NULL, NULL, &bool_args); if (rc != SEPOL_OK) { @@ -216,7 +231,7 @@ index f749e53..5d03127 100644 goto exit; } } -@@ -2132,7 +2134,7 @@ int cil_booleanif_to_policydb(policydb_t *pdb, const struct cil_db *db, struct c +@@ -2132,7 +2140,7 @@ int cil_booleanif_to_policydb(policydb_t *pdb, const struct cil_db *db, struct c bool_args.cond_flavor = CIL_CONDFALSE; rc = cil_tree_walk(false_node, __cil_cond_to_policydb_helper, NULL, NULL, &bool_args); if (rc != SEPOL_OK) { @@ -225,7 +240,7 @@ index f749e53..5d03127 100644 goto exit; } } -@@ -3035,6 +3037,9 @@ int cil_portcon_to_policydb(policydb_t *pdb, struct cil_sort *portcons) +@@ -3035,6 +3043,9 @@ int cil_portcon_to_policydb(policydb_t *pdb, struct cil_sort *portcons) case CIL_PROTOCOL_TCP: new_ocon->u.port.protocol = IPPROTO_TCP; break; 
@@ -235,7 +250,7 @@ index f749e53..5d03127 100644 default: /* should not get here */ rc = SEPOL_ERR; -@@ -3583,7 +3588,7 @@ int __cil_node_to_policydb(struct cil_tree_node *node, void *extra_args) +@@ -3583,7 +3594,7 @@ int __cil_node_to_policydb(struct cil_tree_node *node, void *extra_args) exit: if (rc != SEPOL_OK) { @@ -244,7 +259,7 @@ index f749e53..5d03127 100644 } return rc; } -@@ -4227,6 +4232,9 @@ exit: +@@ -4227,6 +4238,9 @@ exit: static avrule_t *__cil_init_sepol_avrule(uint32_t kind, struct cil_tree_node *node) { avrule_t *avrule; @@ -254,7 +269,7 @@ index f749e53..5d03127 100644 avrule = cil_malloc(sizeof(avrule_t)); avrule->specified = kind; -@@ -4235,8 +4243,17 @@ static avrule_t *__cil_init_sepol_avrule(uint32_t kind, struct cil_tree_node *no +@@ -4235,8 +4249,17 @@ static avrule_t *__cil_init_sepol_avrule(uint32_t kind, struct cil_tree_node *no __cil_init_sepol_type_set(&avrule->ttypes); avrule->perms = NULL; avrule->line = node->line; @@ -273,7 +288,7 @@ index f749e53..5d03127 100644 avrule->next = NULL; return avrule; } -@@ -4263,10 +4280,8 @@ static void __cil_print_parents(const char *pad, struct cil_tree_node *n) +@@ -4263,10 +4286,8 @@ static void __cil_print_parents(const char *pad, struct cil_tree_node *n) __cil_print_parents(pad, n->parent); @@ -286,7 +301,7 @@ index f749e53..5d03127 100644 } } -@@ -4357,7 +4372,7 @@ static int __cil_print_neverallow_failure(const struct cil_db *db, struct cil_tr +@@ -4357,7 +4378,7 @@ static int __cil_print_neverallow_failure(const struct cil_db *db, struct cil_tr allow_str = CIL_KEY_ALLOWX; avrule_flavor = CIL_AVRULEX; } @@ -295,7 +310,7 @@ index f749e53..5d03127 100644 __cil_print_rule(" ", neverallow_str, cil_rule); cil_list_init(&matching, CIL_NODE); rc = cil_find_matching_avrule_in_ast(db->ast->root, avrule_flavor, &target, matching, CIL_FALSE); -@@ -4380,10 +4395,9 @@ exit: +@@ -4380,10 +4401,9 @@ exit: return rc; } 
@@ -308,7 +323,7 @@ index f749e53..5d03127 100644 struct cil_avrule *cil_rule = node->data; struct cil_symtab_datum *tgt = cil_rule->tgt; uint32_t kind; -@@ -4422,11 +4436,11 @@ static int cil_check_neverallow(const struct cil_db *db, policydb_t *pdb, struct +@@ -4422,11 +4442,11 @@ static int cil_check_neverallow(const struct cil_db *db, policydb_t *pdb, struct rc = check_assertion(pdb, rule); if (rc == CIL_TRUE) { @@ -321,7 +336,7 @@ index f749e53..5d03127 100644 } } else { -@@ -4444,12 +4458,11 @@ static int cil_check_neverallow(const struct cil_db *db, policydb_t *pdb, struct +@@ -4444,12 +4464,11 @@ static int cil_check_neverallow(const struct cil_db *db, policydb_t *pdb, struct rule->xperms = item->data; rc = check_assertion(pdb, rule); if (rc == CIL_TRUE) { @@ -335,7 +350,7 @@ index f749e53..5d03127 100644 } } } -@@ -4466,34 +4479,23 @@ exit: +@@ -4466,34 +4485,23 @@ exit: rule->xperms = NULL; __cil_destroy_sepol_avrules(rule); @@ -375,7 +390,7 @@ index f749e53..5d03127 100644 } static struct cil_list *cil_classperms_from_sepol(policydb_t *pdb, uint16_t class, uint32_t data, struct cil_class *class_value_to_cil[], struct cil_perm **perm_value_to_cil[]) -@@ -4548,7 +4550,7 @@ exit: +@@ -4548,7 +4556,7 @@ exit: return rc; } @@ -384,7 +399,7 @@ index f749e53..5d03127 100644 { int rc = SEPOL_OK; int i; -@@ -4574,6 +4576,9 @@ static int cil_check_type_bounds(const struct cil_db *db, policydb_t *pdb, void +@@ -4574,6 +4582,9 @@ static int cil_check_type_bounds(const struct cil_db *db, policydb_t *pdb, void if (bad) { avtab_ptr_t cur; struct cil_avrule target; @@ -394,7 +409,7 @@ index f749e53..5d03127 100644 target.is_extended = 0; target.rule_kind = CIL_AVRULE_ALLOWED; -@@ -4585,7 +4590,6 @@ static int cil_check_type_bounds(const struct cil_db *db, policydb_t *pdb, void +@@ -4585,7 +4596,6 @@ static int cil_check_type_bounds(const struct cil_db *db, policydb_t *pdb, void for (cur = bad; cur; cur = cur->next) { struct cil_list_item *i2; struct cil_list *matching; 
@@ -402,7 +417,7 @@ index f749e53..5d03127 100644 rc = cil_avrule_from_sepol(pdb, cur, &target, type_value_to_cil, class_value_to_cil, perm_value_to_cil); if (rc != SEPOL_OK) { -@@ -4594,7 +4598,7 @@ static int cil_check_type_bounds(const struct cil_db *db, policydb_t *pdb, void +@@ -4594,7 +4604,7 @@ static int cil_check_type_bounds(const struct cil_db *db, policydb_t *pdb, void } __cil_print_rule(" ", "allow", &target); cil_list_init(&matching, CIL_NODE); @@ -411,7 +426,7 @@ index f749e53..5d03127 100644 if (rc) { cil_log(CIL_ERR, "Error occurred while checking type bounds\n"); cil_list_destroy(&matching, CIL_FALSE); -@@ -4602,14 +4606,17 @@ static int cil_check_type_bounds(const struct cil_db *db, policydb_t *pdb, void +@@ -4602,14 +4612,17 @@ static int cil_check_type_bounds(const struct cil_db *db, policydb_t *pdb, void bounds_destroy_bad(bad); goto exit; } @@ -435,7 +450,7 @@ index f749e53..5d03127 100644 cil_list_destroy(&matching, CIL_FALSE); cil_list_destroy(&target.perms.classperms, CIL_TRUE); } -@@ -4753,20 +4760,32 @@ int cil_binary_create_allocated_pdb(const struct cil_db *db, sepol_policydb_t *p +@@ -4753,20 +4766,32 @@ int cil_binary_create_allocated_pdb(const struct cil_db *db, sepol_policydb_t *p __cil_set_conditional_state_and_flags(pdb); if (db->disable_neverallow != CIL_TRUE) { @@ -2014,9 +2029,23 @@ index 06146ca..de00679 100644 * statement isn't seen as a duplicate */ class->num_perms -= common->num_perms; 
diff --git libsepol-2.5/cil/src/cil_resolve_ast.c libsepol-2.5/cil/src/cil_resolve_ast.c -index 1489680..70e4462 100644 +index 1489680..8348d57 100644 --- libsepol-2.5/cil/src/cil_resolve_ast.c +++ libsepol-2.5/cil/src/cil_resolve_ast.c +@@ -131,10 +131,10 @@ static int __cil_resolve_perms(symtab_t *class_symtab, symtab_t *common_symtab, + } + } + if (rc != SEPOL_OK) { +- cil_log(CIL_ERR, "Failed to resolve permission %s\n", (char*)curr->data); +- goto exit; ++ cil_log(CIL_WARN, "Failed to resolve permission %s\n", (char*)curr->data); ++ } else { ++ cil_list_append(*perm_datums, CIL_DATUM, perm_datum); + } +- cil_list_append(*perm_datums, CIL_DATUM, perm_datum); + } else { + cil_list_append(*perm_datums, curr->flavor, curr->data); + } @@ -497,7 +497,7 @@ int cil_resolve_alias_to_actual(struct cil_tree_node *current, enum cil_flavor f int limit = 2; @@ -2197,7 +2226,7 @@ index 1489680..70e4462 100644 - cil_log(lvl, "Failed to resolve '%s' in %s statement at line %d of %s\n", - args->last_resolved_name, cil_node_to_string(node), node->line, node->path); -+ cil_tree_log(node, lvl, "Failed to resolve '%s' in %s statement", args->last_resolved_name, cil_node_to_string(node)); ++ cil_tree_log(node, lvl, "Failed to resolve %s statement", cil_node_to_string(node)); goto exit; } diff --git a/libsepol.spec b/libsepol.spec index e618627..df3df84 100644 --- a/libsepol.spec +++ b/libsepol.spec 
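Review bot: Downgrading the unresolved-permission case in __cil_resolve_perms from CIL_ERR plus `goto exit` to CIL_WARN, and then not appending the datum, silently narrows the rule being resolved; the function's signature and the rest of its body are outside this hunk, so I cannot see whether the rule flavor is available here. For an allow rule the effect is less permissive than written, but for a neverallow (the assertions this same patch checks via cil_check_neverallow in cil_binary.c) a mistyped or removed permission now weakens the assertion instead of failing the build, which is the opposite of what neverallow authors expect. If the flavor cannot be consulted here, I would at least document the trade-off on the warning, e.g. `/* Tolerated so policy can target kernels lacking this permission; the permission is dropped, which narrows allow rules and weakens neverallow assertions */`, and have the neverallow path reject rules whose permission list came back shorter than written. It is also worth confirming what happens when every permission of a class fails to resolve and `*perm_datums` ends up empty, since the hunk does not show how an empty list is handled downstream.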
@@ -1,14 +1,14 @@ Summary: SELinux binary policy manipulation library Name: libsepol Version: 2.5 -Release: 8%{?dist} +Release: 9%{?dist} License: LGPLv2+ Group: System Environment/Libraries Source: https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20160223/libsepol-2.5.tar.gz # download https://raw.githubusercontent.com/fedora-selinux/scripts/master/selinux/make-fedora-selinux-patch.sh # run: # $ VERSION=2.5 ./make-fedora-selinux-patch.sh libsepol -# HEAD https://github.com/fedora-selinux/selinux/commit/9eb71873eb6e6073228257abbeb42f61b2719336 +# HEAD https://github.com/fedora-selinux/selinux/commit/dbf42c22e798a5e2cf9c1fc711c803e7da20cfb4 Patch1: libsepol-fedora.patch URL: https://github.com/SELinuxProject/selinux/wiki BuildRequires: flex @@ -106,6 +106,10 @@ exit 0 %{_libdir}/libsepol.so.1 %changelog +* Mon Aug 01 2016 Petr Lautrbach 2.5-9 +- Warn instead of fail if permission is not resolved +- Ignore object_r when adding userrole mappings to policydb + * Thu Jul 14 2016 Petr Lautrbach - 2.5-8 - Add missing return to sepol_node_query() - Add missing include