From f50a75ee0965c81db4b8e9ba0f178688b886297f Mon Sep 17 00:00:00 2001
From: Daniel J Walsh <dwalsh@fedoraproject.org>
Date: Mar 28 2007 18:55:21 +0000
Subject: Wed Feb 7 2007 Dan Walsh <dwalsh@redhat.com> 2.0.1-1

- Upgrade to latest from NSA
Merged libsepol segfault fix from Stephen Smalley for when sensitivities
    are required but not present in the base.
Merged patch to add errcodes.h to libsepol by Karl MacMillan.
Fri Jan 19 2007 Dan Walsh <dwalsh@redhat.com> 1.16.0-1
- Upgrade to latest from NSA
Updated version for stable branch.

---

diff --git a/libsepol-rhat.patch b/libsepol-rhat.patch
index 9c28806..8b54e5b 100644
--- a/libsepol-rhat.patch
+++ b/libsepol-rhat.patch
@@ -1,11 +1,237 @@
-diff --exclude-from=exclude -N -u -r nsalibsepol/Makefile libsepol-1.12.8/Makefile
---- nsalibsepol/Makefile	2006-05-08 09:52:40.000000000 -0400
-+++ libsepol-1.12.8/Makefile	2006-05-08 10:12:29.000000000 -0400
-@@ -1,7 +1,6 @@
- all: 
- 	$(MAKE) -C src 
- 	$(MAKE) -C utils
--	$(MAKE) -C tests
- 
- install: 
- 	$(MAKE) -C include install
+diff --exclude-from=exclude -N -u -r nsalibsepol/include/sepol/policydb/conditional.h libsepol-2.0.1/include/sepol/policydb/conditional.h
+--- nsalibsepol/include/sepol/policydb/conditional.h	2006-11-16 17:14:15.000000000 -0500
++++ libsepol-2.0.1/include/sepol/policydb/conditional.h	2007-03-28 14:13:02.000000000 -0400
+@@ -100,6 +100,8 @@
+ 				   cond_node_t * needle, cond_node_t * haystack,
+ 				   int *was_created);
+ 
++extern cond_node_t *cond_node_create(policydb_t * p, cond_node_t * node);
++
+ extern cond_node_t *cond_node_search(policydb_t * p, cond_node_t * list,
+ 				     cond_node_t * cn);
+ 
+diff --exclude-from=exclude -N -u -r nsalibsepol/src/conditional.c libsepol-2.0.1/src/conditional.c
+--- nsalibsepol/src/conditional.c	2006-11-16 17:14:24.000000000 -0500
++++ libsepol-2.0.1/src/conditional.c	2007-03-28 14:13:02.000000000 -0400
+@@ -26,9 +26,6 @@
+ 
+ #include "private.h"
+ 
+-#undef min
+-#define min(a,b) (((a) < (b)) ? (a) : (b))
+-
+ /* move all type rules to top of t/f lists to help kernel on evaluation */
+ static void cond_optimize(cond_av_list_t ** l)
+ {
+@@ -136,6 +133,38 @@
+ 	return 1;
+ }
+ 
++/* Create a new conditional node, optionally copying
++ * the conditional expression from an existing node.
++ * If node is NULL then a new node will be created
++ * with no conditional expression.
++ */
++cond_node_t *cond_node_create(policydb_t * p, cond_node_t * node)
++{
++	cond_node_t *new_node;
++	unsigned int i;
++
++	new_node = (cond_node_t *)malloc(sizeof(cond_node_t));
++	if (!new_node) {
++		return NULL;
++	}
++	memset(new_node, 0, sizeof(cond_node_t));
++
++	if (node) {
++		new_node->expr = cond_copy_expr(node->expr);
++		if (!new_node->expr) {
++			free(new_node);
++			return NULL;
++		}
++		new_node->cur_state = cond_evaluate_expr(p, new_node->expr);
++		new_node->nbools = node->nbools;
++		for (i = 0; i < min(node->nbools, COND_MAX_BOOLS); i++)
++			new_node->bool_ids[i] = node->bool_ids[i];
++		new_node->expr_pre_comp = node->expr_pre_comp;
++	}
++
++	return new_node;
++}
++
+ /* Find a conditional (the needle) within a list of existing ones (the
+  * haystack) that has a matching expression.  If found, return a
+  * pointer to the existing node, setting 'was_created' to 0.
+@@ -145,9 +174,6 @@
+ 			    cond_node_t * needle, cond_node_t * haystack,
+ 			    int *was_created)
+ {
+-	cond_node_t *new_node;
+-	unsigned int i;
+-
+ 	while (haystack) {
+ 		if (cond_expr_equal(needle, haystack)) {
+ 			*was_created = 0;
+@@ -156,26 +182,8 @@
+ 		haystack = haystack->next;
+ 	}
+ 	*was_created = 1;
+-	new_node = (cond_node_t *) malloc(sizeof(cond_node_t));
+-	if (!new_node) {
+-		return NULL;
+-	}
+-	memset(new_node, 0, sizeof(cond_node_t));
+-	new_node->expr = cond_copy_expr(needle->expr);
+-	if (!new_node->expr) {
+-		free(new_node);
+-		return NULL;
+-	}
+-	new_node->cur_state = cond_evaluate_expr(p, new_node->expr);
+-	new_node->nbools = needle->nbools;
+-	for (i = 0; i < min(needle->nbools, COND_MAX_BOOLS); i++)
+-		new_node->bool_ids[i] = needle->bool_ids[i];
+-	new_node->expr_pre_comp = needle->expr_pre_comp;
+-	new_node->true_list = NULL;
+-	new_node->false_list = NULL;
+-	new_node->avtrue_list = NULL;
+-	new_node->avfalse_list = NULL;
+-	return new_node;
++
++	return cond_node_create(p, needle);
+ }
+ 
+ /* return either a pre-existing matching node or create a new node */
+diff --exclude-from=exclude -N -u -r nsalibsepol/src/expand.c libsepol-2.0.1/src/expand.c
+--- nsalibsepol/src/expand.c	2007-02-07 12:11:48.000000000 -0500
++++ libsepol-2.0.1/src/expand.c	2007-03-28 14:13:02.000000000 -0400
+@@ -35,10 +35,12 @@
+ #include <assert.h>
+ 
+ #include "debug.h"
++#include "private.h"
+ 
+ typedef struct expand_state {
+ 	int verbose;
+ 	uint32_t *typemap;
++	uint32_t *boolmap;
+ 	policydb_t *base;
+ 	policydb_t *out;
+ 	sepol_handle_t *handle;
+@@ -791,8 +793,8 @@
+ 		return -1;
+ 	}
+ 
+-	new_bool->s.value = bool->s.value;
+ 	state->out->p_bools.nprim++;
++	new_bool->s.value = state->out->p_bools.nprim;
+ 
+ 	ret = hashtab_insert(state->out->p_bools.table,
+ 			     (hashtab_key_t) new_id,
+@@ -804,6 +806,8 @@
+ 		return -1;
+ 	}
+ 
++	state->boolmap[bool->s.value - 1] = new_bool->s.value;
++
+ 	new_bool->state = bool->state;
+ 
+ 	return 0;
+@@ -1555,12 +1559,35 @@
+ 	return 0;
+ }
+ 
++static int cond_node_map_bools(expand_state_t * state, cond_node_t * cn)
++{
++	cond_expr_t *cur;
++	unsigned int i;
++
++	cur = cn->expr;
++	while (cur) {
++		if (cur->bool)
++			cur->bool = state->boolmap[cur->bool - 1];
++		cur = cur->next;
++	}
++
++	for (i = 0; i < min(cn->nbools, COND_MAX_BOOLS); i++)
++		cn->bool_ids[i] = state->boolmap[cn->bool_ids[i] - 1];
++
++	if (cond_normalize_expr(state->out, cn)) {
++		ERR(state->handle, "Error while normalizing conditional");
++		return -1;
++	}
++
++	return 0;
++}
++
+ /* copy the nodes in *reverse* order -- the result is that the last
+  * given conditional appears first in the policy, so as to match the
+  * behavior of the upstream compiler */
+ static int cond_node_copy(expand_state_t * state, cond_node_t * cn)
+ {
+-	cond_node_t *new_cond;
++	cond_node_t *new_cond, *tmp;
+ 
+ 	if (cn == NULL) {
+ 		return 0;
+@@ -1573,11 +1600,26 @@
+ 		return -1;
+ 	}
+ 
+-	new_cond = cond_node_search(state->out, state->out->cond_list, cn);
++	/* create a new temporary conditional node with the booleans
++	 * mapped */
++	tmp = cond_node_create(state->base, cn);
++	if (!tmp) {
++		ERR(state->handle, "Out of memory");
++		return -1;
++	}
++
++	if (cond_node_map_bools(state, tmp)) {
++		ERR(state->handle, "Error mapping booleans");
++		return -1;
++	}
++
++	new_cond = cond_node_search(state->out, state->out->cond_list, tmp);
+ 	if (!new_cond) {
++		cond_node_destroy(tmp);
+ 		ERR(state->handle, "Out of memory!");
+ 		return -1;
+ 	}
++	cond_node_destroy(tmp);
+ 
+ 	if (cond_avrule_list_copy
+ 	    (state->out, cn->avtrue_list, &state->out->te_cond_avtab,
+@@ -2210,6 +2252,12 @@
+ 		goto cleanup;
+ 	}
+ 
++	state.boolmap = (uint32_t *)calloc(state.base->p_bools.nprim, sizeof(uint32_t));
++	if (!state.boolmap) {
++		ERR(handle, "Out of memory!");
++		goto cleanup;
++	}
++
+ 	/* order is important - types must be first */
+ 
+ 	/* copy types */
+@@ -2364,6 +2412,7 @@
+ 
+       cleanup:
+ 	free(state.typemap);
++	free(state.boolmap);
+ 	return retval;
+ }
+ 
+diff --exclude-from=exclude -N -u -r nsalibsepol/src/private.h libsepol-2.0.1/src/private.h
+--- nsalibsepol/src/private.h	2007-02-07 12:11:48.000000000 -0500
++++ libsepol-2.0.1/src/private.h	2007-03-28 14:13:02.000000000 -0400
+@@ -24,6 +24,9 @@
+ #define le64_to_cpu(x) bswap_64(x)
+ #endif
+ 
++#undef min
++#define min(a,b) (((a) < (b)) ? (a) : (b))
++
+ /* Policy compatibility information. */
+ struct policydb_compat_info {
+ 	unsigned int type;
diff --git a/libsepol.spec b/libsepol.spec
index f455879..bc13f74 100644
--- a/libsepol.spec
+++ b/libsepol.spec
@@ -1,10 +1,11 @@
 Summary: SELinux binary policy manipulation library 
 Name: libsepol
 Version: 2.0.1
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: GPL
 Group: System Environment/Libraries
 Source: http://www.nsa.gov/selinux/archives/libsepol-%{version}.tgz
+Patch: libsepol-rhat.patch
 
 Prefix: %{_prefix}
 BuildRoot: %{_tmppath}/%{name}-buildroot
@@ -37,6 +38,7 @@ needed for developing applications that manipulate binary policies.
 
 %prep
 %setup -q
+%patch -p1 -b .rhat
 # sparc64 is an -fPIC arch, so we need to fix it here
 %ifarch sparc64
 sed -i 's/fpic/fPIC/g' src/Makefile
@@ -85,6 +87,7 @@ exit 0
 /%{_lib}/libsepol.so.1
 
 %changelog
+* Wed Mar 28 2007 Dan Walsh <dwalsh@redhat.com> 2.0.1-2
 * Wed Feb 7 2007 Dan Walsh <dwalsh@redhat.com> 2.0.1-1
 - Upgrade to latest from NSA
 	* Merged libsepol segfault fix from Stephen Smalley for when