From e8c94879836848d46d4ddfe6fd28cc323186cc48 Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Dec 01 2005 20:02:47 +0000
Subject: - Latest upgrade from NSA Added error checking of all ebitmap_set_bit calls for out of memory conditions. Merged removal of compatibility handling of netlink classes (requirement that policies with newer versions include the netlink class definitions, remapping of fine-grained netlink classes in newer source policies to single netlink class when generating older policies) from George Coker.
---
diff --git a/.cvsignore b/.cvsignore
index 8abf490..1d7e9a2 100644
--- a/.cvsignore
+++ b/.cvsignore
@@ -34,3 +34,4 @@ checkpolicy-1.27.10.tgz
 checkpolicy-1.27.11.tgz
 checkpolicy-1.27.16.tgz
 checkpolicy-1.27.17.tgz
+checkpolicy-1.27.19.tgz
diff --git a/checkpolicy-rhat.patch b/checkpolicy-rhat.patch
index fd28976..6bf0880 100644
--- a/checkpolicy-rhat.patch
+++ b/checkpolicy-rhat.patch
@@ -1,29 +1,60 @@
-Index: checkpolicy/policy_parse.y
-===================================================================
-RCS file: /nfshome/pal/CVS/selinux-usr/checkpolicy/policy_parse.y,v
-retrieving revision 1.41
-diff -u -p -r1.41 policy_parse.y
---- checkpolicy/policy_parse.y 15 Aug 2005 16:10:56 -0000 1.41
-+++ checkpolicy/policy_parse.y 22 Aug 2005 17:49:36 -0000
-@@ -2965,6 +2965,7 @@ static int define_validatetrans(constrai
- ebitmap_t classmap;
- constraint_expr_t *e;
- int depth;
-+ unsigned char useexpr = 1;
+diff --exclude-from=exclude -N -u -r nsacheckpolicy/checkmodule.8 checkpolicy-1.27.19/checkmodule.8
+--- nsacheckpolicy/checkmodule.8 1969-12-31 19:00:00.000000000 -0500
++++ checkpolicy-1.27.19/checkmodule.8 2005-12-01 15:00:22.000000000 -0500
+@@ -0,0 +1,45 @@
++.TH CHECKMODULE 8
++.SH NAME
++checkmodule \- SELinux policy module compiler
++.SH SYNOPSIS
++.B checkmodule
++.I "[-b] [-d] [-M] [-c policyvers] [-o output_file] [input_file]"
++ .br
++.SH "DESCRIPTION"
++This manual page describes the
++.BR checkmodule
++command.
++.PP
++.B checkmodule
++is a program that checks and compiles a SELinux security policy module
++into a binary representation. Use semodule_package to combine this module with
++its optional file context to create a policy package that can be loaded into the kernel.
++
++.SH OPTIONS
++.TP
++.B \-b
++Read an existing binary policy file rather than a source policy.conf file.
++.TP
++.B \-d
++Enter debug mode after loading the policy.
++.TP
++.B \-M
++Enable the MLS policy when checking and compiling the policy.
++.TP
++.B \-o filename
++Write a binary policy file to the specified filename.
++.TP
++.B \-c policyvers
++Specify the policy version, defaults to the latest.
++
++.SH "SEE ALSO"
++.B load_policy(8), semodule(8), semodule_package(8), semodule_expand(8), semodule_link(8)
++SELinux documentation at http://www.nsa.gov/selinux/docs.html,
++especially "Configuring the SELinux Policy".
++
++
++.SH AUTHOR
++This manual page was copied from the checkpolicy man page
++written by Arpad Magosanyi ,
++and edited by Dan Walsh .
++The program was written by Stephen Smalley .
+diff --exclude-from=exclude -N -u -r nsacheckpolicy/Makefile checkpolicy-1.27.19/Makefile
+--- nsacheckpolicy/Makefile 2005-09-12 16:30:34.000000000 -0400
++++ checkpolicy-1.27.19/Makefile 2005-12-01 15:00:34.000000000 -0500
+@@ -45,6 +45,7 @@
+ -mkdir -p $(MANDIR)/man8
+ install -m 755 $(TARGETS) $(BINDIR)
+ install -m 644 checkpolicy.8 $(MANDIR)/man8
++ install -m 644 checkmodule.8 $(MANDIR)/man8

- if (pass == 1) {
- while ((id = queue_remove(id_queue)))
-@@ -3035,7 +3036,12 @@ static int define_validatetrans(constrai
- return -1;
- }
- memset(node, 0, sizeof(constraint_node_t));
-- node->expr = expr;
-+ if (useexpr) {
-+ node->expr = expr;
-+ useexpr = 0;
-+ } else {
-+ node->expr = constraint_expr_clone(expr);
-+ }
- node->permissions = 0;
-
- node->next = cladatum->validatetrans;
+ relabel: install
+ /sbin/restorecon $(BINDIR)/checkpolicy
diff --git a/checkpolicy.spec b/checkpolicy.spec
index caab7ba..e9cede1 100644
--- a/checkpolicy.spec
+++ b/checkpolicy.spec
@@ -1,11 +1,13 @@
-%define libsepolver 1.9.39-1
+%define libsepolver 1.9.41-1
 Summary: SELinux policy compiler
 Name: checkpolicy
-Version: 1.27.17
-Release: 7
+Version: 1.27.19
+Release: 1
 License: GPL
 Group: Development/System
 Source: http://www.nsa.gov/selinux/archives/%{name}-%{version}.tgz
+Patch: checkpolicy-rhat.patch
+
 BuildRoot: %{_tmppath}/%{name}-buildroot
 BuildRequires: byacc flex libsepol-devel >= %{libsepolver} libselinux-devel
@@ -25,6 +27,7 @@ Only required for building policies.
 %prep
 %setup -q
+%patch -p1 -b .rhat
 %build
 make LIBDIR="%{_libdir}" CFLAGS="%{optflags}"
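Review bot: The new side of this hunk drops the `define_validatetrans` fix (the `useexpr` guard that hands `expr` to the first class node and `constraint_expr_clone(expr)` to every later one) from the downstream patch, but nothing in the hunk or in the spec changelog records that 1.27.19 carries it upstream; if it does not, a validatetrans rule listing several classes goes back to sharing one `constraint_expr_t` between nodes, which is what the dropped hunk existed to prevent. Please confirm it landed upstream and say so in the changelog entry before merging. In the added `checkmodule.8`, the SYNOPSIS line ` .br` carries a leading space; if that space is real, troff treats the line as text rather than a request and the rendered synopsis shows a literal `.br`, so it should read `.br` in column 0. The `relabel` target visible as context still runs `restorecon` only on `$(BINDIR)/checkpolicy`, so the installed `checkmodule` binary is not relabelled by `make relabel`; that predates this change but is worth a follow-up now that the module compiler gets its own man page and install line.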
@@ -42,8 +45,19 @@ rm -rf ${RPM_BUILD_ROOT}
 %{_bindir}/checkpolicy
 %{_bindir}/checkmodule
 %{_mandir}/man8/checkpolicy.8.gz
+%{_mandir}/man8/checkmodule.8.gz
 %changelog
+* Thu Dec 1 2005 Dan Walsh 1.27.19-1
+- Latest upgrade from NSA
+ * Added error checking of all ebitmap_set_bit calls for out of
+ memory conditions.
+ * Merged removal of compatibility handling of netlink classes
+ (requirement that policies with newer versions include the
+ netlink class definitions, remapping of fine-grained netlink
+ classes in newer source policies to single netlink class when
+ generating older policies) from George Coker.
+
 * Tue Nov 8 2005 Dan Walsh 1.27.17-7
 - Rebuild to get latest libsepol
diff --git a/sources b/sources
index 773cf2a..cf57ad3 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-c1233892de26b1935142aacbca84b042 checkpolicy-1.27.17.tgz
+37c62ce4447586c8e5311133e9ffa489 checkpolicy-1.27.19.tgz