[libsepol] Apply Eparis Patch This patch add libsepol support for filename_trans rules. These rules allow on t
Daniel J Walsh
dwalsh at fedoraproject.org
Tue Mar 29 19:27:41 UTC 2011
commit 92502fe369cf723aeda247efe92594ab81e14d23
Author: Dan Walsh <dwalsh at redhat.com>
Date: Tue Mar 29 15:27:36 2011 -0400
Apply Eparis Patch
This patch add libsepol support for filename_trans rules. These rules
allow on to make labeling decisions for new objects based partially on
the last path component. They are stored in a list. If we find that
the number of rules grows to an significant size I will likely choose to
store these in a hash, both in libsepol and in the kernel. But as long
as the number of such rules stays small, this should be good.
libsepol-rhat.patch | 678 ++++++++++++++++++++++++++++++++++++++++++++++++---
libsepol.spec | 14 +-
2 files changed, 656 insertions(+), 36 deletions(-)
---
diff --git a/libsepol-rhat.patch b/libsepol-rhat.patch
index 477f9bf..32a5b9d 100644
--- a/libsepol-rhat.patch
+++ b/libsepol-rhat.patch
@@ -1,34 +1,644 @@
-Only in libsepol-2.0.41: #ChangeLog#
-diff -u -r nsalibsepol/src/libsepol.pc.in libsepol-2.0.41/src/libsepol.pc.in
---- nsalibsepol/src/libsepol.pc.in 2009-11-02 12:58:30.000000000 -0500
-+++ libsepol-2.0.41/src/libsepol.pc.in 2010-02-18 10:02:35.000000000 -0500
-@@ -1,6 +1,6 @@
- prefix=@prefix@
- exec_prefix=${prefix}
--libdir=${exec_prefix}/lib
-+libdir=${exec_prefix}/@libdir@
- includedir=@includedir@
-
- Name: libsepol
-Only in libsepol-2.0.41/src: libsepol.pc.in~
-diff -u -r nsalibsepol/src/Makefile libsepol-2.0.41/src/Makefile
---- nsalibsepol/src/Makefile 2009-11-02 12:58:30.000000000 -0500
-+++ libsepol-2.0.41/src/Makefile 2010-02-18 10:04:51.000000000 -0500
-@@ -3,6 +3,7 @@
- INCLUDEDIR ?= $(PREFIX)/include
- LIBDIR ?= $(PREFIX)/lib
- SHLIBDIR ?= $(DESTDIR)/lib
-+LIBBASE=$(shell basename $(LIBDIR))
-
- VERSION = $(shell cat ../VERSION)
- LIBVERSION = 1
-@@ -27,7 +28,7 @@
- ln -sf $@ $(TARGET)
-
- $(LIBPC): $(LIBPC).in
-- sed -e 's/@VERSION@/$(VERSION)/; s:@prefix@:$(PREFIX):; s:@libdir@:$(LIBDIR):; s:@includedir@:$(INCLUDEDIR):' < $< > $@
-+ sed -e 's/@VERSION@/$(VERSION)/; s:@prefix@:$(PREFIX):; s:@libdir@:$(LIBBASE):; s:@includedir@:$(INCLUDEDIR):' < $< > $@
-
- %.o: %.c
- $(CC) $(CFLAGS) -fPIC -c -o $@ $<
-Only in libsepol-2.0.41/src: Makefile~
+diff -up libsepol-2.0.42/include/sepol/policydb/policydb.h.eparis libsepol-2.0.42/include/sepol/policydb/policydb.h
+--- libsepol-2.0.42/include/sepol/policydb/policydb.h.eparis 2010-12-21 16:41:58.000000000 -0500
++++ libsepol-2.0.42/include/sepol/policydb/policydb.h 2011-03-23 14:11:28.432820275 -0400
+@@ -135,6 +135,16 @@ typedef struct role_allow {
+ struct role_allow *next;
+ } role_allow_t;
+
++/* filename_trans rules */
++typedef struct filename_trans {
++ uint32_t stype;
++ uint32_t ttype;
++ uint32_t tclass;
++ char *name;
++ uint32_t otype;
++ struct filename_trans *next;
++} filename_trans_t;
++
+ /* Type attributes */
+ typedef struct type_datum {
+ symtab_datum_t s;
+@@ -245,6 +255,15 @@ typedef struct role_allow_rule {
+ struct role_allow_rule *next;
+ } role_allow_rule_t;
+
++typedef struct filename_trans_rule {
++ type_set_t stypes;
++ type_set_t ttypes;
++ uint32_t tclass;
++ char *name;
++ uint32_t otype; /* new type */
++ struct filename_trans_rule *next;
++} filename_trans_rule_t;
++
+ typedef struct range_trans_rule {
+ type_set_t stypes;
+ type_set_t ttypes;
+@@ -374,6 +393,9 @@ typedef struct avrule_decl {
+ scope_index_t required; /* symbols needed to activate this block */
+ scope_index_t declared; /* symbols declared within this block */
+
++ /* type transition rules with a 'name' component */
++ filename_trans_rule_t *filename_trans_rules;
++
+ /* for additive statements (type attribute, roles, and users) */
+ symtab_t symtab[SYM_NUM];
+
+@@ -484,6 +506,9 @@ typedef struct policydb {
+ /* role transitions */
+ role_trans_t *role_tr;
+
++ /* type transition rules with a 'name' component */
++ filename_trans_t *filename_trans;
++
+ /* role allows */
+ role_allow_t *role_allow;
+
+@@ -562,6 +587,8 @@ extern void avrule_destroy(avrule_t * x)
+ extern void avrule_list_destroy(avrule_t * x);
+ extern void role_trans_rule_init(role_trans_rule_t * x);
+ extern void role_trans_rule_list_destroy(role_trans_rule_t * x);
++extern void filename_trans_rule_init(filename_trans_rule_t * x);
++extern void filename_trans_rule_list_destroy(filename_trans_rule_t * x);
+
+ extern void role_datum_init(role_datum_t * x);
+ extern void role_datum_destroy(role_datum_t * x);
+@@ -630,10 +657,11 @@ extern int policydb_set_target_platform(
+ #define POLICYDB_VERSION_POLCAP 22
+ #define POLICYDB_VERSION_PERMISSIVE 23
+ #define POLICYDB_VERSION_BOUNDARY 24
++#define POLICYDB_VERSION_FILENAME_TRANS 25
+
+ /* Range of policy versions we understand*/
+ #define POLICYDB_VERSION_MIN POLICYDB_VERSION_BASE
+-#define POLICYDB_VERSION_MAX POLICYDB_VERSION_BOUNDARY
++#define POLICYDB_VERSION_MAX POLICYDB_VERSION_FILENAME_TRANS
+
+ /* Module versions and specific changes*/
+ #define MOD_POLICYDB_VERSION_BASE 4
+@@ -645,9 +673,10 @@ extern int policydb_set_target_platform(
+ #define MOD_POLICYDB_VERSION_PERMISSIVE 8
+ #define MOD_POLICYDB_VERSION_BOUNDARY 9
+ #define MOD_POLICYDB_VERSION_BOUNDARY_ALIAS 10
++#define MOD_POLICYDB_VERSION_FILENAME_TRANS 11
+
+ #define MOD_POLICYDB_VERSION_MIN MOD_POLICYDB_VERSION_BASE
+-#define MOD_POLICYDB_VERSION_MAX MOD_POLICYDB_VERSION_BOUNDARY_ALIAS
++#define MOD_POLICYDB_VERSION_MAX MOD_POLICYDB_VERSION_FILENAME_TRANS
+
+ #define POLICYDB_CONFIG_MLS 1
+
+diff -up libsepol-2.0.42/src/avrule_block.c.eparis libsepol-2.0.42/src/avrule_block.c
+--- libsepol-2.0.42/src/avrule_block.c.eparis 2010-12-21 16:41:58.000000000 -0500
++++ libsepol-2.0.42/src/avrule_block.c 2011-03-23 12:15:48.241980087 -0400
+@@ -98,6 +98,7 @@ void avrule_decl_destroy(avrule_decl_t *
+ cond_list_destroy(x->cond_list);
+ avrule_list_destroy(x->avrules);
+ role_trans_rule_list_destroy(x->role_tr_rules);
++ filename_trans_rule_list_destroy(x->filename_trans_rules);
+ role_allow_rule_list_destroy(x->role_allow_rules);
+ range_trans_rule_list_destroy(x->range_tr_rules);
+ scope_index_destroy(&x->required);
+diff -up libsepol-2.0.42/src/expand.c.eparis libsepol-2.0.42/src/expand.c
+--- libsepol-2.0.42/src/expand.c.eparis 2010-12-21 16:41:58.000000000 -0500
++++ libsepol-2.0.42/src/expand.c 2011-03-23 12:15:48.242980223 -0400
+@@ -1231,6 +1231,101 @@ static int copy_role_trans(expand_state_
+ return 0;
+ }
+
++static int expand_filename_trans(expand_state_t *state, filename_trans_rule_t *rules)
++{
++ unsigned int i, j;
++ filename_trans_t *new_trans, *tail, *cur_trans;
++ filename_trans_rule_t *cur_rule;
++ ebitmap_t stypes, ttypes;
++ ebitmap_node_t *snode, *tnode;
++
++ /* start at the end of the list */
++ tail = state->out->filename_trans;
++ while (tail && tail->next)
++ tail = tail->next;
++
++ cur_rule = rules;
++ while (cur_rule) {
++ ebitmap_init(&stypes);
++ ebitmap_init(&ttypes);
++
++ if (expand_convert_type_set(state->out, state->typemap,
++ &cur_rule->stypes, &stypes, 1)) {
++ ERR(state->handle, "Out of memory!");
++ return -1;
++ }
++
++ if (expand_convert_type_set(state->out, state->typemap,
++ &cur_rule->ttypes, &ttypes, 1)) {
++ ERR(state->handle, "Out of memory!");
++ return -1;
++ }
++
++ ebitmap_for_each_bit(&stypes, snode, i) {
++ if (!ebitmap_node_get_bit(snode, i))
++ continue;
++ ebitmap_for_each_bit(&ttypes, tnode, j) {
++ if (!ebitmap_node_get_bit(tnode, j))
++ continue;
++
++ cur_trans = state->out->filename_trans;
++ while (cur_trans) {
++ if ((cur_trans->stype == i + 1) &&
++ (cur_trans->ttype == j + 1) &&
++ (cur_trans->tclass == cur_rule->tclass) &&
++ (!strcmp(cur_trans->name, cur_rule->name))) {
++ /* duplicate rule, who cares */
++ if (cur_trans->otype == cur_rule->otype)
++ break;
++
++ ERR(state->handle, "Conflicting filename trans rules %s %s %s : %s otype1:%s otype2:%s",
++ cur_trans->name,
++ state->out->p_type_val_to_name[i],
++ state->out->p_type_val_to_name[j],
++ state->out->p_class_val_to_name[cur_trans->tclass - 1],
++ state->out->p_type_val_to_name[cur_trans->otype - 1],
++ state->out->p_type_val_to_name[state->typemap[cur_rule->otype - 1] - 1]);
++
++ return -1;
++ }
++ cur_trans = cur_trans->next;
++ }
++ /* duplicate rule, who cares */
++ if (cur_trans)
++ continue;
++
++ new_trans = malloc(sizeof(*new_trans));
++ if (!new_trans) {
++ ERR(state->handle, "Out of memory!");
++ return -1;
++ }
++ memset(new_trans, 0, sizeof(*new_trans));
++ if (tail)
++ tail->next = new_trans;
++ else
++ state->out->filename_trans = new_trans;
++ tail = new_trans;
++
++ new_trans->name = strdup(cur_rule->name);
++ if (!new_trans->name) {
++ ERR(state->handle, "Out of memory!");
++ return -1;
++ }
++ new_trans->stype = i + 1;
++ new_trans->ttype = j + 1;
++ new_trans->tclass = cur_rule->tclass;
++ new_trans->otype = state->typemap[cur_rule->otype - 1];
++ }
++ }
++
++ ebitmap_destroy(&stypes);
++ ebitmap_destroy(&ttypes);
++
++ cur_rule = cur_rule->next;
++ }
++ return 0;
++}
++
+ static int exp_rangetr_helper(uint32_t stype, uint32_t ttype, uint32_t tclass,
+ mls_semantic_range_t * trange,
+ expand_state_t * state)
+@@ -2374,6 +2469,9 @@ static int copy_and_expand_avrule_block(
+ goto cleanup;
+ }
+
++ if (expand_filename_trans(state, decl->filename_trans_rules))
++ goto cleanup;
++
+ /* expand the range transition rules */
+ if (expand_range_trans(state, decl->range_tr_rules))
+ goto cleanup;
+diff -up libsepol-2.0.42/src/link.c.eparis libsepol-2.0.42/src/link.c
+--- libsepol-2.0.42/src/link.c.eparis 2010-12-21 16:41:58.000000000 -0500
++++ libsepol-2.0.42/src/link.c 2011-03-23 12:15:48.243980361 -0400
+@@ -1326,6 +1326,50 @@ static int copy_role_allow_list(role_all
+ return -1;
+ }
+
++static int copy_filename_trans_list(filename_trans_rule_t * list,
++ filename_trans_rule_t ** dst,
++ policy_module_t * module,
++ link_state_t * state)
++{
++ filename_trans_rule_t *cur, *new_rule, *tail;
++
++ cur = list;
++ tail = *dst;
++ while (tail && tail->next)
++ tail = tail->next;
++
++ while (cur) {
++ new_rule = malloc(sizeof(*new_rule));
++ if (!new_rule)
++ goto err;
++
++ filename_trans_rule_init(new_rule);
++
++ if (*dst == NULL)
++ *dst = new_rule;
++ else
++ tail->next = new_rule;
++ tail = new_rule;
++
++ new_rule->name = strdup(cur->name);
++ if (!new_rule->name)
++ goto err;
++
++ if (type_set_or_convert(&cur->stypes, &new_rule->stypes, module, state) ||
++ type_set_or_convert(&cur->ttypes, &new_rule->ttypes, module, state))
++ goto err;
++
++ new_rule->tclass = module->map[SYM_CLASSES][cur->tclass - 1];
++ new_rule->otype = module->map[SYM_TYPES][cur->otype - 1];
++
++ cur = cur->next;
++ }
++ return 0;
++err:
++ ERR(state->handle, "Out of memory!");
++ return -1;
++}
++
+ static int copy_range_trans_list(range_trans_rule_t * rules,
+ range_trans_rule_t ** dst,
+ policy_module_t * mod, link_state_t * state)
+@@ -1568,6 +1612,11 @@ static int copy_avrule_decl(link_state_t
+ return -1;
+ }
+
++ if (copy_filename_trans_list(src_decl->filename_trans_rules,
++ &dest_decl->filename_trans_rules,
++ module, state))
++ return -1;
++
+ if (copy_range_trans_list(src_decl->range_tr_rules,
+ &dest_decl->range_tr_rules, module, state))
+ return -1;
+diff -up libsepol-2.0.42/src/policydb.c.eparis libsepol-2.0.42/src/policydb.c
+--- libsepol-2.0.42/src/policydb.c.eparis 2010-12-21 16:41:58.000000000 -0500
++++ libsepol-2.0.42/src/policydb.c 2011-03-23 12:15:48.244980498 -0400
+@@ -136,6 +136,13 @@ static struct policydb_compat_info polic
+ .ocon_num = OCON_NODE6 + 1,
+ .target_platform = SEPOL_TARGET_SELINUX,
+ },
++ {
++ .type = POLICY_KERN,
++ .version = POLICYDB_VERSION_FILENAME_TRANS,
++ .sym_num = SYM_NUM,
++ .ocon_num = OCON_NODE6 + 1,
++ .target_platform = SEPOL_TARGET_SELINUX,
++ },
+ {
+ .type = POLICY_BASE,
+ .version = MOD_POLICYDB_VERSION_BASE,
+@@ -186,6 +193,13 @@ static struct policydb_compat_info polic
+ .target_platform = SEPOL_TARGET_SELINUX,
+ },
+ {
++ .type = POLICY_BASE,
++ .version = MOD_POLICYDB_VERSION_FILENAME_TRANS,
++ .sym_num = SYM_NUM,
++ .ocon_num = OCON_NODE6 + 1,
++ .target_platform = SEPOL_TARGET_SELINUX,
++ },
++ {
+ .type = POLICY_MOD,
+ .version = MOD_POLICYDB_VERSION_BASE,
+ .sym_num = SYM_NUM,
+@@ -234,6 +248,13 @@ static struct policydb_compat_info polic
+ .ocon_num = 0,
+ .target_platform = SEPOL_TARGET_SELINUX,
+ },
++ {
++ .type = POLICY_MOD,
++ .version = MOD_POLICYDB_VERSION_FILENAME_TRANS,
++ .sym_num = SYM_NUM,
++ .ocon_num = 0,
++ .target_platform = SEPOL_TARGET_SELINUX,
++ },
+ };
+
+ #if 0
+@@ -433,6 +454,33 @@ void role_trans_rule_list_destroy(role_t
+ }
+ }
+
++void filename_trans_rule_init(filename_trans_rule_t * x)
++{
++ memset(x, 0, sizeof(*x));
++ type_set_init(&x->stypes);
++ type_set_init(&x->ttypes);
++}
++
++static void filename_trans_rule_destroy(filename_trans_rule_t * x)
++{
++ if (!x)
++ return;
++ type_set_destroy(&x->stypes);
++ type_set_destroy(&x->ttypes);
++ free(x->name);
++}
++
++void filename_trans_rule_list_destroy(filename_trans_rule_t * x)
++{
++ filename_trans_rule_t *next;
++ while (x) {
++ next = x->next;
++ filename_trans_rule_destroy(x);
++ free(x);
++ x = next;
++ }
++}
++
+ void role_allow_rule_init(role_allow_rule_t * x)
+ {
+ memset(x, 0, sizeof(role_allow_rule_t));
+@@ -1112,6 +1160,7 @@ void policydb_destroy(policydb_t * p)
+ role_allow_t *ra, *lra = NULL;
+ role_trans_t *tr, *ltr = NULL;
+ range_trans_t *rt, *lrt = NULL;
++ filename_trans_t *ft, *nft;
+
+ if (!p)
+ return;
+@@ -1177,6 +1226,14 @@ void policydb_destroy(policydb_t * p)
+ if (ltr)
+ free(ltr);
+
++ ft = p->filename_trans;
++ while (ft) {
++ nft = ft->next;
++ free(ft->name);
++ free(ft);
++ ft = nft;
++ }
++
+ for (ra = p->role_allow; ra; ra = ra->next) {
+ if (lra)
+ free(lra);
+@@ -2168,6 +2225,55 @@ int role_allow_read(role_allow_t ** r, s
+ return 0;
+ }
+
++int filename_trans_read(filename_trans_t **t, struct policy_file *fp)
++{
++ unsigned int i;
++ uint32_t buf[4], nel, len;
++ filename_trans_t *ft, *lft;
++ int rc;
++ char *name;
++
++ rc = next_entry(buf, fp, sizeof(uint32_t));
++ if (rc < 0)
++ return -1;
++ nel = le32_to_cpu(buf[0]);
++
++ lft = NULL;
++ for (i = 0; i < nel; i++) {
++ ft = calloc(1, sizeof(struct filename_trans));
++ if (!ft)
++ return -1;
++ if (lft)
++ lft->next = ft;
++ else
++ *t = ft;
++ rc = next_entry(buf, fp, sizeof(uint32_t));
++ if (rc < 0)
++ return -1;
++ len = le32_to_cpu(buf[0]);
++
++ name = calloc(len, sizeof(*name));
++ if (!name)
++ return -1;
++
++ ft->name = name;
++
++ rc = next_entry(name, fp, len);
++ if (rc < 0)
++ return -1;
++
++ rc = next_entry(buf, fp, sizeof(uint32_t) * 4);
++ if (rc < 0)
++ return -1;
++
++ ft->stype = le32_to_cpu(buf[0]);
++ ft->ttype = le32_to_cpu(buf[1]);
++ ft->tclass = le32_to_cpu(buf[2]);
++ ft->otype = le32_to_cpu(buf[3]);
++ }
++ return 0;
++}
++
+ static int ocontext_read_xen(struct policydb_compat_info *info,
+ policydb_t *p, struct policy_file *fp)
+ {
+@@ -2971,6 +3077,62 @@ static int role_allow_rule_read(role_all
+ return 0;
+ }
+
++static int filename_trans_rule_read(filename_trans_rule_t ** r, struct policy_file *fp)
++{
++ uint32_t buf[2], nel;
++ unsigned int i, len;
++ filename_trans_rule_t *ftr, *lftr;
++ int rc;
++
++ rc = next_entry(buf, fp, sizeof(uint32_t));
++ if (rc < 0)
++ return -1;
++ nel = le32_to_cpu(buf[0]);
++ lftr = NULL;
++ for (i = 0; i < nel; i++) {
++ ftr = malloc(sizeof(*ftr));
++ if (!ftr)
++ return -1;
++
++ filename_trans_rule_init(ftr);
++
++ if (lftr)
++ lftr->next = ftr;
++ else
++ *r = ftr;
++ lftr = ftr;
++
++ rc = next_entry(buf, fp, sizeof(uint32_t));
++ if (rc < 0)
++ return -1;
++
++ len = le32_to_cpu(buf[0]);
++
++ ftr->name = malloc(len + 1);
++ if (!ftr->name)
++ return -1;
++
++ rc = next_entry(ftr->name, fp, len);
++ if (rc)
++ return -1;
++ ftr->name[len] = 0;
++
++ if (type_set_read(&ftr->stypes, fp))
++ return -1;
++
++ if (type_set_read(&ftr->ttypes, fp))
++ return -1;
++
++ rc = next_entry(buf, fp, sizeof(uint32_t) * 2);
++ if (rc < 0)
++ return -1;
++ ftr->tclass = le32_to_cpu(buf[0]);
++ ftr->otype = le32_to_cpu(buf[1]);
++ }
++
++ return 0;
++}
++
+ static int range_trans_rule_read(range_trans_rule_t ** r,
+ struct policy_file *fp)
+ {
+@@ -3064,6 +3226,11 @@ static int avrule_decl_read(policydb_t *
+ role_allow_rule_read(&decl->role_allow_rules, fp) == -1) {
+ return -1;
+ }
++
++ if (p->policyvers >= MOD_POLICYDB_VERSION_FILENAME_TRANS &&
++ filename_trans_rule_read(&decl->filename_trans_rules, fp))
++ return -1;
++
+ if (p->policyvers >= MOD_POLICYDB_VERSION_RANGETRANS &&
+ range_trans_rule_read(&decl->range_tr_rules, fp) == -1) {
+ return -1;
+@@ -3455,6 +3622,9 @@ int policydb_read(policydb_t * p, struct
+ goto bad;
+ if (role_allow_read(&p->role_allow, fp))
+ goto bad;
++ if (r_policyvers >= POLICYDB_VERSION_FILENAME_TRANS &&
++ filename_trans_read(&p->filename_trans, fp))
++ goto bad;
+ } else {
+ /* first read the AV rule blocks, then the scope tables */
+ avrule_block_destroy(p->global);
+diff -up libsepol-2.0.42/src/write.c.eparis libsepol-2.0.42/src/write.c
+--- libsepol-2.0.42/src/write.c.eparis 2010-12-21 16:41:58.000000000 -0500
++++ libsepol-2.0.42/src/write.c 2011-03-23 12:15:48.245980639 -0400
+@@ -510,6 +510,42 @@ static int role_allow_write(role_allow_t
+ return POLICYDB_SUCCESS;
+ }
+
++static int filename_trans_write(filename_trans_t * r, struct policy_file *fp)
++{
++ filename_trans_t *ft;
++ uint32_t buf[4];
++ size_t nel, items, len;
++
++ nel = 0;
++ for (ft = r; ft; ft = ft->next)
++ nel++;
++ buf[0] = cpu_to_le32(nel);
++ items = put_entry(buf, sizeof(uint32_t), 1, fp);
++ if (items != 1)
++ return POLICYDB_ERROR;
++ for (ft = r; ft; ft = ft->next) {
++ len = strlen(ft->name);
++ buf[0] = cpu_to_le32(len);
++ items = put_entry(buf, sizeof(uint32_t), 1, fp);
++ if (items != 1)
++ return POLICYDB_ERROR;
++
++ items = put_entry(ft->name, sizeof(char), len, fp);
++ if (items != len)
++ return POLICYDB_ERROR;
++
++ buf[0] = cpu_to_le32(ft->stype);
++ buf[1] = cpu_to_le32(ft->ttype);
++ buf[2] = cpu_to_le32(ft->tclass);
++ buf[3] = cpu_to_le32(ft->otype);
++ items = put_entry(buf, sizeof(uint32_t), 4, fp);
++ if (items != 4)
++ return POLICYDB_ERROR;
++ }
++
++ return POLICYDB_SUCCESS;
++}
++
+ static int role_set_write(role_set_t * x, struct policy_file *fp)
+ {
+ size_t items;
+@@ -1476,6 +1512,47 @@ static int role_allow_rule_write(role_al
+ return POLICYDB_SUCCESS;
+ }
+
++static int filename_trans_rule_write(filename_trans_rule_t * t, struct policy_file *fp)
++{
++ int nel = 0;
++ size_t items;
++ uint32_t buf[2], len;
++ filename_trans_rule_t *ftr;
++
++ for (ftr = t; ftr; ftr = ftr->next)
++ nel++;
++
++ buf[0] = cpu_to_le32(nel);
++ items = put_entry(buf, sizeof(uint32_t), 1, fp);
++ if (items != 1)
++ return POLICYDB_ERROR;
++
++ for (ftr = t; ftr; ftr = ftr->next) {
++ len = strlen(ftr->name);
++ buf[0] = cpu_to_le32(len);
++ items = put_entry(buf, sizeof(uint32_t), 1, fp);
++ if (items != 1)
++ return POLICYDB_ERROR;
++
++ items = put_entry(ftr->name, sizeof(char), len, fp);
++ if (items != len)
++ return POLICYDB_ERROR;
++
++ if (type_set_write(&ftr->stypes, fp))
++ return POLICYDB_ERROR;
++ if (type_set_write(&ftr->ttypes, fp))
++ return POLICYDB_ERROR;
++
++ buf[0] = cpu_to_le32(ftr->tclass);
++ buf[1] = cpu_to_le32(ftr->otype);
++
++ items = put_entry(buf, sizeof(uint32_t), 2, fp);
++ if (items != 2)
++ return POLICYDB_ERROR;
++ }
++ return POLICYDB_SUCCESS;
++}
++
+ static int range_trans_rule_write(range_trans_rule_t * t,
+ struct policy_file *fp)
+ {
+@@ -1543,6 +1620,11 @@ static int avrule_decl_write(avrule_decl
+ role_allow_rule_write(decl->role_allow_rules, fp) == -1) {
+ return POLICYDB_ERROR;
+ }
++
++ if (p->policyvers >= MOD_POLICYDB_VERSION_FILENAME_TRANS &&
++ filename_trans_rule_write(decl->filename_trans_rules, fp))
++ return POLICYDB_ERROR;
++
+ if (p->policyvers >= MOD_POLICYDB_VERSION_RANGETRANS &&
+ range_trans_rule_write(decl->range_tr_rules, fp) == -1) {
+ return POLICYDB_ERROR;
+@@ -1819,6 +1901,9 @@ int policydb_write(policydb_t * p, struc
+ return POLICYDB_ERROR;
+ if (role_allow_write(p->role_allow, fp))
+ return POLICYDB_ERROR;
++ if (p->policyvers >= POLICYDB_VERSION_FILENAME_TRANS &&
++ filename_trans_write(p->filename_trans, fp))
++ return POLICYDB_ERROR;
+ } else {
+ if (avrule_block_write(p->global, num_syms, p, fp) == -1) {
+ return POLICYDB_ERROR;
+
+
+
diff --git a/libsepol.spec b/libsepol.spec
index bbcc723..8d79367 100644
--- a/libsepol.spec
+++ b/libsepol.spec
@@ -1,7 +1,7 @@
Summary: SELinux binary policy manipulation library
Name: libsepol
Version: 2.0.42
-Release: 2%{?dist}
+Release: 3%{?dist}
License: LGPLv2+
Group: System Environment/Libraries
Source: http://www.nsa.gov/selinux/archives/libsepol-%{version}.tgz
@@ -46,7 +46,7 @@ needed for developing applications that manipulate binary policies.
%prep
%setup -q
-#%patch -p1 -b .rhat
+%patch -p1 -b .rhat
# sparc64 is an -fPIC arch, so we need to fix it here
%ifarch sparc64
sed -i 's/fpic/fPIC/g' src/Makefile
@@ -99,6 +99,16 @@ exit 0
/%{_lib}/libsepol.so.1
%changelog
+* Tue Mar 29 2011 Dan Walsh <dwalsh at redhat.com> 2.0.42-3
+- Apply Eparis Patch
+ This patch add libsepol support for filename_trans rules. These rules
+allow on to make labeling decisions for new objects based partially on
+the last path component. They are stored in a list. If we find that
+the number of rules grows to an significant size I will likely choose to
+store these in a hash, both in libsepol and in the kernel. But as long
+as the number of such rules stays small, this should be good.
+
+
* Tue Feb 08 2011 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 2.0.42-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
More information about the scm-commits
mailing list