diff --git a/.gitignore b/.gitignore
index b98f4c6..bb3b6f0 100644
--- a/.gitignore
+++ b/.gitignore
@@ -154,3 +154,5 @@ libsepol-2.0.41.tgz
/libsepol-2.0.45.tgz
/libsepol-2.1.0.tgz
/libsepol-2.1.1.tgz
+/libsepol-2.1.2.tgz
+/libsepol-2.1.3.tgz
diff --git a/libsepol-rhat.patch b/libsepol-rhat.patch
index 0881e1f..49a3346 100644
--- a/libsepol-rhat.patch
+++ b/libsepol-rhat.patch
@@ -1,36 +1,49 @@
diff --git a/libsepol/src/expand.c b/libsepol/src/expand.c
-index b42acbe..cc700ab 100644
+index 2861776..493e478 100644
--- a/libsepol/src/expand.c
+++ b/libsepol/src/expand.c
-@@ -1249,23 +1249,26 @@ static int copy_role_trans(expand_state_t * state, role_trans_rule_t * rules)
+@@ -1329,6 +1329,8 @@ static int expand_filename_trans(expand_state_t *state, filename_trans_rule_t *r
- cur_trans = state->out->role_tr;
- while (cur_trans) {
-+ unsigned int mapped_role;
+ cur_rule = rules;
+ while (cur_rule) {
++ uint32_t mapped_otype;
+
-+ mapped_role = state->rolemap[cur->new_role - 1];
+ ebitmap_init(&stypes);
+ ebitmap_init(&ttypes);
+
+@@ -1344,6 +1346,8 @@ static int expand_filename_trans(expand_state_t *state, filename_trans_rule_t *r
+ return -1;
+ }
+
++ mapped_otype = state->typemap[cur_rule->otype - 1];
+
- if ((cur_trans->role ==
- i + 1) &&
- (cur_trans->type ==
- j + 1) &&
- (cur_trans->tclass ==
- k + 1)) {
-- if (cur_trans->
-- new_role ==
-- cur->new_role) {
-+ if (cur_trans->new_role == mapped_role) {
- break;
- } else {
- ERR(state->handle,
-- "Conflicting role trans rule %s %s : %s %s",
-+ "Conflicting role trans rule %s %s : %s { %s vs %s }",
- state->out->p_role_val_to_name[i],
- state->out->p_type_val_to_name[j],
- state->out->p_class_val_to_name[k],
-- state->out->p_role_val_to_name[cur->new_role - 1]);
-+ state->out->p_role_val_to_name[mapped_role],
-+ state->out->p_role_val_to_name[cur_trans->new_role - 1]);
- return -1;
- }
- }
+ ebitmap_for_each_bit(&stypes, snode, i) {
+ if (!ebitmap_node_get_bit(snode, i))
+ continue;
+@@ -1358,7 +1362,7 @@ static int expand_filename_trans(expand_state_t *state, filename_trans_rule_t *r
+ (cur_trans->tclass == cur_rule->tclass) &&
+ (!strcmp(cur_trans->name, cur_rule->name))) {
+ /* duplicate rule, who cares */
+- if (cur_trans->otype == cur_rule->otype)
++ if (cur_trans->otype == mapped_otype)
+ break;
+
+ ERR(state->handle, "Conflicting filename trans rules %s %s %s : %s otype1:%s otype2:%s",
+@@ -1367,7 +1371,7 @@ static int expand_filename_trans(expand_state_t *state, filename_trans_rule_t *r
+ state->out->p_type_val_to_name[j],
+
state->out->p_class_val_to_name[cur_trans->tclass - 1],
+ state->out->p_type_val_to_name[cur_trans->otype - 1],
+- state->out->p_type_val_to_name[state->typemap[cur_rule->otype - 1] - 1]);
++ state->out->p_type_val_to_name[mapped_otype - 1]);
+
+ return -1;
+ }
+@@ -1397,7 +1401,7 @@ static int expand_filename_trans(expand_state_t *state, filename_trans_rule_t *r
+ new_trans->stype = i + 1;
+ new_trans->ttype = j + 1;
+ new_trans->tclass = cur_rule->tclass;
+- new_trans->otype = state->typemap[cur_rule->otype - 1];
++ new_trans->otype = mapped_otype;
+ }
+ }
+
diff --git a/libsepol.spec b/libsepol.spec
index 4e8ba51..17065f3 100644
--- a/libsepol.spec
+++ b/libsepol.spec
@@ -1,12 +1,12 @@
Summary: SELinux binary policy manipulation library
Name: libsepol
-Version: 2.1.1
-Release: 1%{?dist}
+Version: 2.1.3
+Release: 2%{?dist}
License: LGPLv2+
Group: System Environment/Libraries
Source: http://www.nsa.gov/selinux/archives/libsepol-%{version}.tgz
+Patch: libsepol-rhat.patch
URL: http://www.selinuxproject.org
-patch: libsepol-rhat.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)

%description
@@ -46,6 +46,7 @@ needed for developing applications that manipulate binary policies.
%prep
%setup -q
%patch -p2 -b .rhat
+
# sparc64 is an -fPIC arch, so we need to fix it here
%ifarch sparc64
sed -i 's/fpic/fPIC/g' src/Makefile
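Review bot: The hoisted `mapped_otype` in the rewritten libsepol-rhat.patch (`++ uint32_t mapped_otype;` and `++ mapped_otype = state->typemap[cur_rule->otype - 1];`) carries no comment explaining why the lookup is done once, and it now feeds both the duplicate comparison and the error-path index `p_type_val_to_name[mapped_otype - 1]`, so a zero typemap entry would still underflow that index exactly as the old `state->typemap[cur_rule->otype - 1] - 1` did. Whether typemap can hold 0 for a type absent from the output policy is not visible in this hunk; if it can, a guard such as `if (!mapped_otype) { ERR(state->handle, "..."); return -1; }` right after the assignment would close that off before the comparison loop. At minimum I would annotate the declaration, e.g. `uint32_t mapped_otype; /* cur_rule->otype in the output policy's numbering; the duplicate check and new_trans->otype must both use this value */`, since the changelog says the previous mismatch produced misleading conflict errors. expand_filename_trans begins and ends outside this hunk.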
@@ -98,6 +99,40 @@ exit 0
/%{_lib}/libsepol.so.1

%changelog
+* Mon Oct 31 2011 Dan Walsh - 2.1.3-2
+-The filename_trans code had a bug where duplicate detection was being
+done between the unmapped type value of a new rule and the type value of
+rules already in policy. This meant that duplicates were not being
+silently dropped and were instead outputting a message that there was a
+problem. It made things hard because the message WAS using the mapped
+type to convert to the string representation, so it didn't look like a
+dup!
+
+* Mon Sep 19 2011 Dan Walsh - 2.1.3-1
+-Update to upstream
+ * Skip writing role attributes for policy.X and
+ * Indicate when boolean is indeed a tunable.
+ * Separate tunable from boolean during compile.
+ * Write and read TUNABLE flags in related
+ * Copy and check the cond_bool_datum_t.flags during link.
+ * Permanently discard disabled branches of tunables in
+ * Skip tunable identifier and cond_node_t in expansion.
+ * Create a new preserve_tunables flag
+ * Preserve tunables when required by semodule program.
+ * setools expects expand_module_avrules to be an exported
+ * tree: default make target to all not
+
+* Thu Sep 14 2011 Dan Walsh - 2.1.2-3
+- Add patch to handle preserving tunables
+
+* Thu Sep 1 2011 Dan Walsh - 2.1.2-2
+- export expand_module_avrules
+
+* Thu Aug 18 2011 Dan Walsh - 2.1.2-0
+- Update to upstream
+ * Only call role_fix_callback for base.p_roles during expansion.
+ * use mapped role number instead of module role number
+
* Mon Aug 1 2011 Dan Walsh 2.1.1-1
- Update to upstream
* Minor fix to reading policy with filename transition rules
diff --git a/sources b/sources
index c78d44b..46040cc 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-1c102206aa2a0f7cec1f3af727718f9d libsepol-2.1.1.tgz
+8278689ecf9d5219887b72fc24ff66ff libsepol-2.1.3.tgz