diff --git a/.cvsignore b/.cvsignore
index 8f1b06a..acc6702 100644
--- a/.cvsignore
+++ b/.cvsignore
@@ -118,3 +118,4 @@ libsepol-2.0.1.tgz
 libsepol-2.0.2.tgz
 libsepol-2.0.3.tgz
 libsepol-2.0.4.tgz
+libsepol-2.0.5.tgz
diff --git a/libsepol-rhat.patch b/libsepol-rhat.patch
index 8b54e5b..109f00f 100644
--- a/libsepol-rhat.patch
+++ b/libsepol-rhat.patch
@@ -1,237 +1,77 @@ -diff --exclude-from=exclude -N -u -r nsalibsepol/include/sepol/policydb/conditional.h libsepol-2.0.1/include/sepol/policydb/conditional.h ---- nsalibsepol/include/sepol/policydb/conditional.h 2006-11-16 17:14:15.000000000 -0500 -+++ libsepol-2.0.1/include/sepol/policydb/conditional.h 2007-03-28 14:13:02.000000000 -0400 -@@ -100,6 +100,8 @@ - cond_node_t * needle, cond_node_t * haystack, - int *was_created); - -+extern cond_node_t *cond_node_create(policydb_t * p, cond_node_t * node); -+ - extern cond_node_t *cond_node_search(policydb_t * p, cond_node_t * list, - cond_node_t * cn); - -diff --exclude-from=exclude -N -u -r nsalibsepol/src/conditional.c libsepol-2.0.1/src/conditional.c ---- nsalibsepol/src/conditional.c 2006-11-16 17:14:24.000000000 -0500 -+++ libsepol-2.0.1/src/conditional.c 2007-03-28 14:13:02.000000000 -0400 -@@ -26,9 +26,6 @@ - - #include "private.h" - --#undef min --#define min(a,b) (((a) < (b)) ? (a) : (b)) -- - /* move all type rules to top of t/f lists to help kernel on evaluation */ - static void cond_optimize(cond_av_list_t ** l) - { -@@ -136,6 +133,38 @@ - return 1; - } - -+/* Create a new conditional node, optionally copying -+ * the conditional expression from an existing node. -+ * If node is NULL then a new node will be created -+ * with no conditional expression. 
-+ */ -+cond_node_t *cond_node_create(policydb_t * p, cond_node_t * node) -+{ -+ cond_node_t *new_node; -+ unsigned int i; -+ -+ new_node = (cond_node_t *)malloc(sizeof(cond_node_t)); -+ if (!new_node) { -+ return NULL; -+ } -+ memset(new_node, 0, sizeof(cond_node_t)); -+ -+ if (node) { -+ new_node->expr = cond_copy_expr(node->expr); -+ if (!new_node->expr) { -+ free(new_node); -+ return NULL; -+ } -+ new_node->cur_state = cond_evaluate_expr(p, new_node->expr); -+ new_node->nbools = node->nbools; -+ for (i = 0; i < min(node->nbools, COND_MAX_BOOLS); i++) -+ new_node->bool_ids[i] = node->bool_ids[i]; -+ new_node->expr_pre_comp = node->expr_pre_comp; -+ } -+ -+ return new_node; -+} -+ - /* Find a conditional (the needle) within a list of existing ones (the - * haystack) that has a matching expression. If found, return a - * pointer to the existing node, setting 'was_created' to 0. -@@ -145,9 +174,6 @@ - cond_node_t * needle, cond_node_t * haystack, - int *was_created) - { -- cond_node_t *new_node; -- unsigned int i; -- - while (haystack) { - if (cond_expr_equal(needle, haystack)) { - *was_created = 0; -@@ -156,26 +182,8 @@ - haystack = haystack->next; - } - *was_created = 1; -- new_node = (cond_node_t *) malloc(sizeof(cond_node_t)); -- if (!new_node) { -- return NULL; -- } -- memset(new_node, 0, sizeof(cond_node_t)); -- new_node->expr = cond_copy_expr(needle->expr); -- if (!new_node->expr) { -- free(new_node); -- return NULL; -- } -- new_node->cur_state = cond_evaluate_expr(p, new_node->expr); -- new_node->nbools = needle->nbools; -- for (i = 0; i < min(needle->nbools, COND_MAX_BOOLS); i++) -- new_node->bool_ids[i] = needle->bool_ids[i]; -- new_node->expr_pre_comp = needle->expr_pre_comp; -- new_node->true_list = NULL; -- new_node->false_list = NULL; -- new_node->avtrue_list = NULL; -- new_node->avfalse_list = NULL; -- return new_node; -+ -+ return cond_node_create(p, needle); - } - - /* return either a pre-existing matching node or create a new node */ -diff 
--exclude-from=exclude -N -u -r nsalibsepol/src/expand.c libsepol-2.0.1/src/expand.c ---- nsalibsepol/src/expand.c 2007-02-07 12:11:48.000000000 -0500 -+++ libsepol-2.0.1/src/expand.c 2007-03-28 14:13:02.000000000 -0400 -@@ -35,10 +35,12 @@ - #include - +diff --exclude-from=exclude -N -u -r nsalibsepol/include/sepol/handle.h libsepol-2.0.5/include/sepol/handle.h +--- nsalibsepol/include/sepol/handle.h 2007-07-16 14:20:40.000000000 -0400 ++++ libsepol-2.0.5/include/sepol/handle.h 2007-08-10 09:42:16.000000000 -0400 +@@ -7,6 +7,10 @@ + /* Create and return a sepol handle. */ + sepol_handle_t *sepol_handle_create(void); + ++/* Set whether or not to disable dontaudits, 0 is default and does ++ * not disable dontaudits, 1 disables them */ ++void sepol_set_disable_dontaudit(sepol_handle_t * sh, int disable_dontaudit); ++ + /* Destroy a sepol handle. */ + void sepol_handle_destroy(sepol_handle_t *); + +diff --exclude-from=exclude -N -u -r nsalibsepol/src/expand.c libsepol-2.0.5/src/expand.c +--- nsalibsepol/src/expand.c 2007-07-16 14:20:41.000000000 -0400 ++++ libsepol-2.0.5/src/expand.c 2007-08-10 09:42:16.000000000 -0400 +@@ -1367,6 +1367,8 @@ + } else if (specified & AVRULE_AUDITDENY) { + spec = AVTAB_AUDITDENY; + } else if (specified & AVRULE_DONTAUDIT) { ++ if (handle->disable_dontaudit) ++ return EXPAND_RULE_SUCCESS; + spec = AVTAB_AUDITDENY; + } else if (specified & AVRULE_NEVERALLOW) { + spec = AVTAB_NEVERALLOW; +diff --exclude-from=exclude -N -u -r nsalibsepol/src/handle.c libsepol-2.0.5/src/handle.c +--- nsalibsepol/src/handle.c 2007-07-16 14:20:41.000000000 -0400 ++++ libsepol-2.0.5/src/handle.c 2007-08-10 09:42:16.000000000 -0400 +@@ -1,4 +1,5 @@ + #include ++#include + #include "handle.h" #include "debug.h" -+#include "private.h" - - typedef struct expand_state { - int verbose; - uint32_t *typemap; -+ uint32_t *boolmap; - policydb_t *base; - policydb_t *out; - sepol_handle_t *handle; -@@ -791,8 +793,8 @@ - return -1; - } - -- new_bool->s.value = 
bool->s.value; - state->out->p_bools.nprim++; -+ new_bool->s.value = state->out->p_bools.nprim; - ret = hashtab_insert(state->out->p_bools.table, - (hashtab_key_t) new_id, -@@ -804,6 +806,8 @@ - return -1; - } +@@ -13,9 +14,18 @@ + sh->msg_callback = sepol_msg_default_handler; + sh->msg_callback_arg = NULL; -+ state->boolmap[bool->s.value - 1] = new_bool->s.value; ++ /* by default do not disable dontaudits */ ++ sh->disable_dontaudit = 0; + - new_bool->state = bool->state; - - return 0; -@@ -1555,12 +1559,35 @@ - return 0; + return sh; } -+static int cond_node_map_bools(expand_state_t * state, cond_node_t * cn) ++void sepol_set_disable_dontaudit(sepol_handle_t * sh, int disable_dontaudit) +{ -+ cond_expr_t *cur; -+ unsigned int i; -+ -+ cur = cn->expr; -+ while (cur) { -+ if (cur->bool) -+ cur->bool = state->boolmap[cur->bool - 1]; -+ cur = cur->next; -+ } -+ -+ for (i = 0; i < min(cn->nbools, COND_MAX_BOOLS); i++) -+ cn->bool_ids[i] = state->boolmap[cn->bool_ids[i] - 1]; -+ -+ if (cond_normalize_expr(state->out, cn)) { -+ ERR(state->handle, "Error while normalizing conditional"); -+ return -1; -+ } -+ -+ return 0; ++ assert(sh !=NULL); ++ sh->disable_dontaudit = disable_dontaudit; +} + - /* copy the nodes in *reverse* order -- the result is that the last - * given conditional appears first in the policy, so as to match the - * behavior of the upstream compiler */ - static int cond_node_copy(expand_state_t * state, cond_node_t * cn) + void sepol_handle_destroy(sepol_handle_t * sh) { -- cond_node_t *new_cond; -+ cond_node_t *new_cond, *tmp; - - if (cn == NULL) { - return 0; -@@ -1573,11 +1600,26 @@ - return -1; - } - -- new_cond = cond_node_search(state->out, state->out->cond_list, cn); -+ /* create a new temporary conditional node with the booleans -+ * mapped */ -+ tmp = cond_node_create(state->base, cn); -+ if (!tmp) { -+ ERR(state->handle, "Out of memory"); -+ return -1; -+ } + free(sh); +diff --exclude-from=exclude -N -u -r nsalibsepol/src/handle.h 
libsepol-2.0.5/src/handle.h +--- nsalibsepol/src/handle.h 2007-07-16 14:20:40.000000000 -0400 ++++ libsepol-2.0.5/src/handle.h 2007-08-10 09:42:16.000000000 -0400 +@@ -14,6 +14,9 @@ + void (*msg_callback) (void *varg, + sepol_handle_t * handle, const char *fmt, ...); + void *msg_callback_arg; + -+ if (cond_node_map_bools(state, tmp)) { -+ ERR(state->handle, "Error mapping booleans"); -+ return -1; -+ } ++ int disable_dontaudit; + -+ new_cond = cond_node_search(state->out, state->out->cond_list, tmp); - if (!new_cond) { -+ cond_node_destroy(tmp); - ERR(state->handle, "Out of memory!"); - return -1; - } -+ cond_node_destroy(tmp); - - if (cond_avrule_list_copy - (state->out, cn->avtrue_list, &state->out->te_cond_avtab, -@@ -2210,6 +2252,12 @@ - goto cleanup; - } - -+ state.boolmap = (uint32_t *)calloc(state.base->p_bools.nprim, sizeof(uint32_t)); -+ if (!state.boolmap) { -+ ERR(handle, "Out of memory!"); -+ goto cleanup; -+ } -+ - /* order is important - types must be first */ - - /* copy types */ -@@ -2364,6 +2412,7 @@ + }; - cleanup: - free(state.typemap); -+ free(state.boolmap); - return retval; - } - -diff --exclude-from=exclude -N -u -r nsalibsepol/src/private.h libsepol-2.0.1/src/private.h ---- nsalibsepol/src/private.h 2007-02-07 12:11:48.000000000 -0500 -+++ libsepol-2.0.1/src/private.h 2007-03-28 14:13:02.000000000 -0400 -@@ -24,6 +24,9 @@ - #define le64_to_cpu(x) bswap_64(x) #endif - -+#undef min -+#define min(a,b) (((a) < (b)) ? (a) : (b)) -+ - /* Policy compatibility information. */ - struct policydb_compat_info { - unsigned int type; +diff --exclude-from=exclude -N -u -r nsalibsepol/src/libsepol.map libsepol-2.0.5/src/libsepol.map +--- nsalibsepol/src/libsepol.map 2007-07-16 14:20:41.000000000 -0400 ++++ libsepol-2.0.5/src/libsepol.map 2007-08-10 09:42:16.000000000 -0400 +@@ -12,5 +12,6 @@ + sepol_policydb_*; sepol_set_policydb_from_file; + sepol_policy_kern_*; + sepol_policy_file_*; ++ sepol_set_disable_dontaudit; + local: *; + }; 
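Review bot: The new `if (handle->disable_dontaudit)` test in the expand.c hunk dereferences `handle` unconditionally, while elsewhere in libsepol a NULL `sepol_handle_t *` is an accepted argument (the ERR/message path tolerates one), so a caller passing NULL would now crash on a dontaudit rule where it previously did not; guard it as `if (handle && handle->disable_dontaudit)`. The enclosing expand.c function starts and ends outside the hunk, so I cannot confirm from here whether `handle` is guaranteed non-NULL on this path. In handle.c, `sepol_set_disable_dontaudit` relies only on `assert(sh !=NULL)`, which is compiled out under NDEBUG; either document in handle.h that `sh` must be non-NULL or make it a real check, `if (sh) sh->disable_dontaudit = disable_dontaudit;`. Because the flag silently omits dontaudit rules from the expanded policy (the rule returns EXPAND_RULE_SUCCESS before reaching the avtab), the handle.h comment would be clearer as `/* When disable_dontaudit is non-zero, dontaudit rules are omitted from the expanded policy, so the denials they would have suppressed are audited; 0 (the default) keeps them. */`.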
diff --git a/libsepol.spec b/libsepol.spec
index b99dc93..d1a109a 100644
--- a/libsepol.spec
+++ b/libsepol.spec
@@ -1,10 +1,12 @@
+
 Summary: SELinux binary policy manipulation library
 Name: libsepol
-Version: 2.0.4
+Version: 2.0.5
 Release: 1%{?dist}
 License: GPL
 Group: System Environment/Libraries
 Source: http://www.nsa.gov/selinux/archives/libsepol-%{version}.tgz
+Patch: libsepol-rhat.patch
 Prefix: %{_prefix}
 BuildRoot: %{_tmppath}/%{name}-buildroot
@@ -37,6 +39,7 @@ needed for developing applications that manipulate binary policies.
 %prep
 %setup -q
+%patch -p1 -b .rhat
 # sparc64 is an -fPIC arch, so we need to fix it here
 %ifarch sparc64
 sed -i 's/fpic/fPIC/g' src/Makefile
@@ -85,6 +88,14 @@ exit 0
 /%{_lib}/libsepol.so.1
 %changelog
+* Fri Aug 10 2007 Dan Walsh 2.0.5-1
+- Upgrade to latest from NSA
+ * Fix sepol_context_clone to handle a NULL context correctly.
+ This happens for e.g. semanage_fcontext_set_con(sh, fcontext, NULL)
+ to set the file context entry to "<>".
+- Apply patch from Joshua Brindle to disable dontaudit rules
+
+
 * Thu Jun 21 2007 Dan Walsh 2.0.4-1
 - Upgrade to latest from NSA
 * Merged error handling patch from Eamon Walsh.
diff --git a/sources b/sources
index 331a853..a1e55f1 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-ccb82efce867a164184168be77e4f427 libsepol-2.0.4.tgz
+dba7b7efc17e1521e6513a303f01bd3f libsepol-2.0.5.tgz