From fc3f64a7e0f90452801f765d51feb74e7fd98b27 Mon Sep 17 00:00:00 2001 From: Petr Lautrbach Date: Mar 13 2018 11:31:00 +0000 Subject: libsepol-2.7-5 - cil: Create new keep field for type attribute sets - build: follow standard semantics for DESTDIR and PREFIX - cil: show an error when cil_expr_to_string() fails --- diff --git a/libsepol-fedora.patch b/libsepol-fedora.patch index ec6391c..bb93f61 100644 --- a/libsepol-fedora.patch +++ b/libsepol-fedora.patch @@ -11,7 +11,7 @@ index 86117f2..f8cfc3b 100644 extern void cil_set_preserve_tunables(cil_db_t *db, int preserve_tunables); extern int cil_set_handle_unknown(cil_db_t *db, int handle_unknown); diff --git libsepol-2.7/cil/src/cil.c libsepol-2.7/cil/src/cil.c -index c02a41a..3fe68af 100644 +index c02a41a..5a64c2b 100644 --- libsepol-2.7/cil/src/cil.c +++ libsepol-2.7/cil/src/cil.c @@ -1691,6 +1691,11 @@ void cil_set_mls(struct cil_db *db, int mls) 
@@ -26,6 +26,54 @@ index c02a41a..3fe68af 100644 void cil_set_target_platform(struct cil_db *db, int target_platform) { db->target_platform = target_platform; +@@ -2059,6 +2064,7 @@ void cil_typeattribute_init(struct cil_typeattribute **attr) + (*attr)->expr_list = NULL; + (*attr)->types = NULL; + (*attr)->used = CIL_FALSE; ++ (*attr)->keep = CIL_FALSE; + } + + void cil_typeattributeset_init(struct cil_typeattributeset **attrset) +diff --git libsepol-2.7/cil/src/cil_binary.c libsepol-2.7/cil/src/cil_binary.c +index c0ca60f..431cd9c 100644 +--- libsepol-2.7/cil/src/cil_binary.c ++++ libsepol-2.7/cil/src/cil_binary.c +@@ -567,7 +567,7 @@ int cil_typeattribute_to_policydb(policydb_t *pdb, struct cil_typeattribute *cil + char *key = NULL; + type_datum_t *sepol_attr = NULL; + +- if (!cil_attr->used) { ++ if (!cil_attr->keep) { + return SEPOL_OK; + } + +@@ -632,7 +632,7 @@ int cil_typeattribute_to_bitmap(policydb_t *pdb, const struct cil_db *db, struct + ebitmap_node_t *tnode; + unsigned int i; + +- if (!cil_attr->used) { ++ if (!cil_attr->keep) { + return SEPOL_OK; + } + +@@ -1442,7 +1442,7 @@ static int __cil_should_expand_attribute( const struct cil_db *db, struct cil_sy + + attr = (struct cil_typeattribute *)datum; + +- return !attr->used || (ebitmap_cardinality(attr->types) < db->attrs_expand_size); ++ return !attr->keep || (ebitmap_cardinality(attr->types) < db->attrs_expand_size); + } + + int __cil_avrule_to_avtab(policydb_t *pdb, const struct cil_db *db, struct cil_avrule *cil_avrule, cond_node_t *cond_node, enum cil_flavor cond_flavor) +@@ -2525,7 +2525,7 @@ int __cil_constrain_expr_datum_to_sepol_expr(policydb_t *pdb, const struct cil_d + if (rc != SEPOL_OK) { + if (FLAVOR(item->data) == CIL_TYPEATTRIBUTE) { + struct cil_typeattribute *attr = item->data; +- if (!attr->used) { ++ if (!attr->keep) { + rc = 0; + } + } 
diff --git libsepol-2.7/cil/src/cil_build_ast.c libsepol-2.7/cil/src/cil_build_ast.c index 04492e5..e84336b 100644 --- libsepol-2.7/cil/src/cil_build_ast.c @@ -100,7 +148,7 @@ index 04492e5..e84336b 100644 } diff --git libsepol-2.7/cil/src/cil_internal.h libsepol-2.7/cil/src/cil_internal.h -index 6d6a7d9..136a004 100644 +index 6d6a7d9..8393e39 100644 --- libsepol-2.7/cil/src/cil_internal.h +++ libsepol-2.7/cil/src/cil_internal.h @@ -316,6 +316,7 @@ struct cil_db { @@ -111,8 +159,16 @@ index 6d6a7d9..136a004 100644 int target_platform; int policy_version; }; +@@ -530,6 +531,7 @@ struct cil_typeattribute { + struct cil_list *expr_list; + ebitmap_t *types; + int used; // whether or not this attribute was used in a binary policy rule ++ int keep; + }; + + struct cil_typeattributeset { diff --git libsepol-2.7/cil/src/cil_policy.c libsepol-2.7/cil/src/cil_policy.c -index 729b6e0..6d4987c 100644 +index 729b6e0..99eb53c 100644 --- libsepol-2.7/cil/src/cil_policy.c +++ libsepol-2.7/cil/src/cil_policy.c @@ -775,7 +775,7 @@ static void cil_classes_to_policy(FILE *out, struct cil_list *classorder) @@ -124,8 +180,17 @@ index 729b6e0..6d4987c 100644 { struct cil_list_item *i1, *i2, *i3; struct cil_default *def; +@@ -1085,7 +1085,7 @@ static void cil_typeattributes_to_policy(FILE *out, struct cil_list *types, stru + type = i1->data; + cil_list_for_each(i2, attributes) { + attribute = i2->data; +- if (!attribute->used) ++ if (!attribute->keep) + continue; + if (ebitmap_get_bit(attribute->types, type->value)) { + if (first) { diff --git libsepol-2.7/cil/src/cil_post.c libsepol-2.7/cil/src/cil_post.c -index ad073e8..3e013c9 100644 +index ad073e8..a212245 100644 --- libsepol-2.7/cil/src/cil_post.c +++ libsepol-2.7/cil/src/cil_post.c @@ -1297,6 +1297,55 @@ static int cil_typeattribute_used(struct cil_typeattribute *attr, struct cil_db 
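Review bot: The new `keep` member of `struct cil_typeattribute` (cil_internal.h) is declared without a comment, while the neighbouring `used` still reads "whether or not this attribute was used in a binary policy rule" even though every reader touched by this patch (`cil_typeattribute_to_policydb`, `cil_typeattribute_to_bitmap`, `__cil_should_expand_attribute`, `__cil_constrain_expr_datum_to_sepol_expr`, `cil_typeattributes_to_policy`) now tests `keep` instead. I would document it at the declaration, e.g. `int keep; // set from cil_typeattribute_used(); when false the attribute is skipped when writing the policy`, and check that the `used` comment still describes what that field holds. The same gap shows in `__cil_post_db_attr_helper` (cil_post.c), where a helper named `cil_typeattribute_used` now fills `keep`; a one-line comment there would stop a reader from treating the two fields as interchangeable. The struct and these functions all continue outside the quoted hunks.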
@@ -184,6 +249,15 @@ index ad073e8..3e013c9 100644 static int __cil_post_db_attr_helper(struct cil_tree_node *node, uint32_t *finished, void *extra_args) { int rc = SEPOL_ERR; +@@ -1320,7 +1369,7 @@ static int __cil_post_db_attr_helper(struct cil_tree_node *node, uint32_t *finis + rc = __evaluate_type_expression(attr, db); + if (rc != SEPOL_OK) goto exit; + } +- attr->used = cil_typeattribute_used(attr, db); ++ attr->keep = cil_typeattribute_used(attr, db); + break; + } + case CIL_ROLEATTRIBUTE: { @@ -2031,6 +2080,12 @@ static int cil_post_db(struct cil_db *db) goto exit; } @@ -197,6 +271,18 @@ index ad073e8..3e013c9 100644 rc = cil_tree_walk(db->ast->root, __cil_post_db_attr_helper, NULL, NULL, db); if (rc != SEPOL_OK) { cil_log(CIL_INFO, "Failed to create attribute bitmaps\n"); +diff --git libsepol-2.7/cil/src/cil_reset_ast.c libsepol-2.7/cil/src/cil_reset_ast.c +index 8a13a1c..43e6b88 100644 +--- libsepol-2.7/cil/src/cil_reset_ast.c ++++ libsepol-2.7/cil/src/cil_reset_ast.c +@@ -186,6 +186,7 @@ static void cil_reset_typeattr(struct cil_typeattribute *attr) + attr->expr_list = NULL; + } + attr->used = CIL_FALSE; ++ attr->keep = CIL_FALSE; + } + + static void cil_reset_typeattributeset(struct cil_typeattributeset *tas) diff --git libsepol-2.7/cil/src/cil_strpool.c libsepol-2.7/cil/src/cil_strpool.c index b1396d2..97d4c4b 100644 --- libsepol-2.7/cil/src/cil_strpool.c 
@@ -209,6 +295,63 @@ index b1396d2..97d4c4b 100644 } pthread_mutex_unlock(&cil_strpool_mutex); } +diff --git libsepol-2.7/cil/src/cil_tree.c libsepol-2.7/cil/src/cil_tree.c +index d36401b..b394a9d 100644 +--- libsepol-2.7/cil/src/cil_tree.c ++++ libsepol-2.7/cil/src/cil_tree.c +@@ -503,15 +503,19 @@ exit: + void cil_tree_print_expr(struct cil_list *datum_expr, struct cil_list *str_expr) + { + char *expr_str; ++ int rc; + + cil_log(CIL_INFO, "("); + + if (datum_expr != NULL) { +- cil_expr_to_string(datum_expr, &expr_str); ++ rc = cil_expr_to_string(datum_expr, &expr_str); + } else { +- cil_expr_to_string(str_expr, &expr_str); ++ rc = cil_expr_to_string(str_expr, &expr_str); ++ } ++ if (rc < 0) { ++ cil_log(CIL_INFO, "ERROR)"); ++ return; + } +- + cil_log(CIL_INFO, "%s)", expr_str); + free(expr_str); + } +diff --git libsepol-2.7/include/Makefile libsepol-2.7/include/Makefile +index 56b7a11..1ad4eca 100644 +--- libsepol-2.7/include/Makefile ++++ libsepol-2.7/include/Makefile +@@ -1,17 +1,17 @@ + # Installation directories. 
+-PREFIX ?= $(DESTDIR)/usr +-INCDIR ?= $(PREFIX)/include/sepol ++PREFIX ?= /usr ++INCDIR = $(PREFIX)/include/sepol + CILDIR ?= ../cil + + all: + + install: all +- test -d $(INCDIR) || install -m 755 -d $(INCDIR) +- test -d $(INCDIR)/policydb || install -m 755 -d $(INCDIR)/policydb +- test -d $(INCDIR)/cil || install -m 755 -d $(INCDIR)/cil +- install -m 644 $(wildcard sepol/*.h) $(INCDIR) +- install -m 644 $(wildcard sepol/policydb/*.h) $(INCDIR)/policydb +- install -m 644 $(wildcard $(CILDIR)/include/cil/*.h) $(INCDIR)/cil ++ test -d $(DESTDIR)$(INCDIR) || install -m 755 -d $(DESTDIR)$(INCDIR) ++ test -d $(DESTDIR)$(INCDIR)/policydb || install -m 755 -d $(DESTDIR)$(INCDIR)/policydb ++ test -d $(DESTDIR)$(INCDIR)/cil || install -m 755 -d $(DESTDIR)$(INCDIR)/cil ++ install -m 644 $(wildcard sepol/*.h) $(DESTDIR)$(INCDIR) ++ install -m 644 $(wildcard sepol/policydb/*.h) $(DESTDIR)$(INCDIR)/policydb ++ install -m 644 $(wildcard $(CILDIR)/include/cil/*.h) $(DESTDIR)$(INCDIR)/cil + + indent: + ../../scripts/Lindent $(wildcard sepol/*.h) diff --git libsepol-2.7/include/sepol/policydb/avtab.h libsepol-2.7/include/sepol/policydb/avtab.h index 958848e..10ecde9 100644 --- libsepol-2.7/include/sepol/policydb/avtab.h @@ -327,6 +470,30 @@ index 68b5ad4..8b9ddca 100644 /* FLASK */ +diff --git libsepol-2.7/man/Makefile libsepol-2.7/man/Makefile +index 1192433..9b75454 100644 +--- libsepol-2.7/man/Makefile ++++ libsepol-2.7/man/Makefile +@@ -1,12 +1,13 @@ + # Installation directories. +-MAN8DIR ?= $(DESTDIR)/usr/share/man/man8 +-MAN3DIR ?= $(DESTDIR)/usr/share/man/man3 ++PREFIX ?= /usr ++MAN8DIR ?= $(PREFIX)/share/man/man8 ++MAN3DIR ?= $(PREFIX)/share/man/man3 + + all: + + install: all +- mkdir -p $(MAN3DIR) +- mkdir -p $(MAN8DIR) +- install -m 644 man3/*.3 $(MAN3DIR) +- install -m 644 man8/*.8 $(MAN8DIR) ++ mkdir -p $(DESTDIR)$(MAN3DIR) ++ mkdir -p $(DESTDIR)$(MAN8DIR) ++ install -m 644 man3/*.3 $(DESTDIR)$(MAN3DIR) ++ install -m 644 man8/*.8 $(DESTDIR)$(MAN8DIR) + 
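Review bot: In `cil_tree_print_expr` (cil_tree.c) the new failure check is `if (rc < 0)`, whereas the other CIL call sites visible in this patch compare against the status constant (`if (rc != SEPOL_OK) goto exit;` in cil_post.c). If `cil_expr_to_string()` can ever return a non-zero value that is not negative, control would still reach `cil_log(CIL_INFO, "%s)", expr_str)` and `free(expr_str)` with `expr_str` never assigned. I would write `if (rc != SEPOL_OK) {` and declare `char *expr_str = NULL;` so the pointer is defined on every path. Whether the callee leaves its output argument untouched on failure is not visible here, so the initialiser is the cheap safeguard.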
diff --git libsepol-2.7/man/man3/sepol_genbools.3 libsepol-2.7/man/man3/sepol_genbools.3 index dcfb69d..5363383 100644 --- libsepol-2.7/man/man3/sepol_genbools.3 
@@ -347,6 +514,57 @@ index afeaced..fc792c8 100644 .SH "NAME" genpolbools \- Rewrite a binary policy with different boolean settings .SH "SYNOPSIS" +diff --git libsepol-2.7/src/Makefile libsepol-2.7/src/Makefile +index 819d261..ccb7023 100644 +--- libsepol-2.7/src/Makefile ++++ libsepol-2.7/src/Makefile +@@ -1,10 +1,9 @@ + # Installation directories. +-PREFIX ?= $(DESTDIR)/usr ++PREFIX ?= /usr + INCLUDEDIR ?= $(PREFIX)/include + LIBDIR ?= $(PREFIX)/lib +-SHLIBDIR ?= $(DESTDIR)/lib ++SHLIBDIR ?= /lib + RANLIB ?= ranlib +-LIBBASE ?= $(shell basename $(LIBDIR)) + CILDIR ?= ../cil + + VERSION = $(shell cat ../VERSION) +@@ -52,7 +51,7 @@ $(LIBSO): $(LOBJS) $(LIBMAP) + ln -sf $@ $(TARGET) + + $(LIBPC): $(LIBPC).in ../VERSION +- sed -e 's/@VERSION@/$(VERSION)/; s:@prefix@:$(PREFIX):; s:@libdir@:$(LIBBASE):; s:@includedir@:$(INCLUDEDIR):' < $< > $@ ++ sed -e 's/@VERSION@/$(VERSION)/; s:@prefix@:$(PREFIX):; s:@libdir@:$(LIBDIR):; s:@includedir@:$(INCLUDEDIR):' < $< > $@ + + $(LIBMAP): $(LIBMAP).in + ifneq ($(DISABLE_CIL),y) +@@ -80,16 +79,16 @@ endif + $(CC) $(CFLAGS) -fPIC -DSHARED -c -o $@ $< + + install: all +- test -d $(LIBDIR) || install -m 755 -d $(LIBDIR) +- install -m 644 $(LIBA) $(LIBDIR) +- test -d $(SHLIBDIR) || install -m 755 -d $(SHLIBDIR) +- install -m 755 $(LIBSO) $(SHLIBDIR) +- test -d $(LIBDIR)/pkgconfig || install -m 755 -d $(LIBDIR)/pkgconfig +- install -m 644 $(LIBPC) $(LIBDIR)/pkgconfig +- $(LN) -sf --relative $(SHLIBDIR)/$(LIBSO) $(LIBDIR)/$(TARGET) ++ test -d $(DESTDIR)$(LIBDIR) || install -m 755 -d $(DESTDIR)$(LIBDIR) ++ install -m 644 $(LIBA) $(DESTDIR)$(LIBDIR) ++ test -d $(DESTDIR)$(SHLIBDIR) || install -m 755 -d $(DESTDIR)$(SHLIBDIR) ++ install -m 755 $(LIBSO) $(DESTDIR)$(SHLIBDIR) ++ test -d $(DESTDIR)$(LIBDIR)/pkgconfig || install -m 755 -d $(DESTDIR)$(LIBDIR)/pkgconfig ++ install -m 644 $(LIBPC) $(DESTDIR)$(LIBDIR)/pkgconfig ++ $(LN) -sf --relative $(DESTDIR)$(SHLIBDIR)/$(LIBSO) $(DESTDIR)$(LIBDIR)/$(TARGET) + + relabel: +- /sbin/restorecon 
$(SHLIBDIR)/$(LIBSO) ++ /sbin/restorecon $(DESTDIR)$(SHLIBDIR)/$(LIBSO) + + clean: + -rm -f $(LIBPC) $(LIBMAP) $(OBJS) $(LOBJS) $(LIBA) $(LIBSO) $(TARGET) $(CIL_GENERATED) diff --git libsepol-2.7/src/avtab.c libsepol-2.7/src/avtab.c index 3854d6f..257f051 100644 --- libsepol-2.7/src/avtab.c @@ -430,6 +648,18 @@ index dd1fec2..2a9996f 100644 cil_write_policy_conf; sepol_ppfile_to_module_package; sepol_module_package_to_cil; +diff --git libsepol-2.7/src/libsepol.pc.in libsepol-2.7/src/libsepol.pc.in +index e52f589..f807fec 100644 +--- libsepol-2.7/src/libsepol.pc.in ++++ libsepol-2.7/src/libsepol.pc.in +@@ -1,6 +1,6 @@ + prefix=@prefix@ + exec_prefix=${prefix} +-libdir=${exec_prefix}/@libdir@ ++libdir=@libdir@ + includedir=@includedir@ + + Name: libsepol diff --git libsepol-2.7/src/mls.c libsepol-2.7/src/mls.c index be85475..bf1fdbd 100644 --- libsepol-2.7/src/mls.c @@ -528,3 +758,25 @@ index e486e28..1fb3095 100644 /* * Updated: Trusted Computer Solutions, Inc. +diff --git libsepol-2.7/utils/Makefile libsepol-2.7/utils/Makefile +index fba1d8a..31932c1 100644 +--- libsepol-2.7/utils/Makefile ++++ libsepol-2.7/utils/Makefile +@@ -1,5 +1,5 @@ + # Installation directories. +-PREFIX ?= $(DESTDIR)/usr ++PREFIX ?= /usr + BINDIR ?= $(PREFIX)/bin + + CFLAGS ?= -Wall -Werror +@@ -12,8 +12,8 @@ TARGETS=$(patsubst %.c,%,$(sort $(wildcard *.c))) + all: $(TARGETS) + + install: all +- -mkdir -p $(BINDIR) +- install -m 755 $(TARGETS) $(BINDIR) ++ -mkdir -p $(DESTDIR)$(BINDIR) ++ install -m 755 $(TARGETS) $(DESTDIR)$(BINDIR) + + clean: + -rm -f $(TARGETS) *.o diff --git a/libsepol.spec b/libsepol.spec index c6dd6e3..9fa673e 100644 --- a/libsepol.spec +++ b/libsepol.spec 
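Review bot: The `relabel` target in src/Makefile now runs `/sbin/restorecon $(DESTDIR)$(SHLIBDIR)/$(LIBSO)`, which is only meaningful for an install into the live root. restorecon looks the context up by the path it is handed, so with a staging DESTDIR the file would presumably get whatever label matches the staging path, not the one intended for `$(SHLIBDIR)`. If relabel is meant to run only after an in-place install, say so above the target, e.g. `# relabel: use only when DESTDIR is empty; contexts are matched by path`. The `install` recipe and the `relabel` rule are shown only in part in this hunk.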
@@ -1,13 +1,13 @@ Summary: SELinux binary policy manipulation library Name: libsepol Version: 2.7 -Release: 4%{?dist} +Release: 5%{?dist} License: LGPLv2+ Source: https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20170804/libsepol-2.7.tar.gz # download https://raw.githubusercontent.com/fedora-selinux/scripts/master/selinux/make-fedora-selinux-patch.sh # run: # $ VERSION=2.7 ./make-fedora-selinux-patch.sh libsepol -# HEAD https://github.com/fedora-selinux/selinux/commit/2d0b90c1d95ec908f94c06337ec07a96b7d1205e +# HEAD https://github.com/fedora-selinux/selinux/commit/4e253a0231ca085df03b55c4c0490ad6a0e261eb Patch1: libsepol-fedora.patch URL: https://github.com/SELinuxProject/selinux/wiki BuildRequires: gcc @@ -64,7 +64,7 @@ mkdir -p ${RPM_BUILD_ROOT}%{_includedir} mkdir -p ${RPM_BUILD_ROOT}%{_bindir} mkdir -p ${RPM_BUILD_ROOT}%{_mandir}/man3 mkdir -p ${RPM_BUILD_ROOT}%{_mandir}/man8 -make DESTDIR="${RPM_BUILD_ROOT}" LIBDIR="${RPM_BUILD_ROOT}%{_libdir}" SHLIBDIR="${RPM_BUILD_ROOT}/%{_libdir}" install +make DESTDIR="${RPM_BUILD_ROOT}" LIBDIR="%{_libdir}" SHLIBDIR="%{_libdir}" install rm -f ${RPM_BUILD_ROOT}%{_bindir}/genpolbools rm -f ${RPM_BUILD_ROOT}%{_bindir}/genpolusers rm -f ${RPM_BUILD_ROOT}%{_bindir}/chkcon @@ -97,6 +97,11 @@ exit 0 %{_libdir}/libsepol.so.1 %changelog +* Tue Mar 13 2018 Petr Lautrbach - 2.7-5 +- cil: Create new keep field for type attribute sets +- build: follow standard semantics for DESTDIR and PREFIX +- cil: show an error when cil_expr_to_string() fails + * Wed Feb 07 2018 Fedora Release Engineering - 2.7-4 - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild