[checkpolicy/f16] Allow ~ in a filename
Daniel J Walsh
dwalsh at fedoraproject.org
Mon Nov 14 22:32:43 UTC 2011
commit faf06563fa90cd4b174a5a8b912f4c7d80e0545c
Author: dwalsh <dwalsh at redhat.com>
Date: Mon Nov 14 17:32:11 2011 -0500
Allow ~ in a filename
.gitignore | 3 +
checkpolicy-rhat.patch | 373 ++++++++++++++++++++++++++++++++++++++++-------
checkpolicy.spec | 33 +++--
sources | 2 +-
4 files changed, 343 insertions(+), 68 deletions(-)
---
diff --git a/.gitignore b/.gitignore
index fcde530..6e75576 100644
--- a/.gitignore
+++ b/.gitignore
@@ -80,3 +80,6 @@ checkpolicy-2.0.22.tgz
/checkpolicy-2.1.0.tgz
/checkpolicy-2.1.1.tgz
/checkpolicy-2.1.3.tgz
+/checkpolicy-2.1.4.tgz
+/checkpolicy-2.1.5.tgz
+/checkpolicy-2.1.6.tgz
diff --git a/checkpolicy-rhat.patch b/checkpolicy-rhat.patch
index 57a9153..1b33470 100644
--- a/checkpolicy-rhat.patch
+++ b/checkpolicy-rhat.patch
@@ -1,59 +1,320 @@
-diff -up checkpolicy-2.1.3/policy_parse.y.rhat checkpolicy-2.1.3/policy_parse.y
---- checkpolicy-2.1.3/policy_parse.y.rhat 2011-08-18 06:47:32.000000000 -0400
-+++ checkpolicy-2.1.3/policy_parse.y 2011-11-14 11:37:40.727277673 -0500
-@@ -348,7 +348,7 @@ cond_rule_def : cond_transitio
- | require_block
- { $$ = NULL; }
- ;
--cond_transition_def : TYPE_TRANSITION names names ':' names identifier filename ';'
-+cond_transition_def : TYPE_TRANSITION names names ':' names identifier '\"' filename '\"' ';'
- { $$ = define_cond_filename_trans() ;
- if ($$ == COND_ERR) return -1;}
- | TYPE_TRANSITION names names ':' names identifier ';'
-@@ -386,7 +386,7 @@ cond_dontaudit_def : DONTAUDIT names nam
- { $$ = define_cond_te_avtab(AVRULE_DONTAUDIT);
- if ($$ == COND_ERR) return -1; }
- ;
--transition_def : TYPE_TRANSITION names names ':' names identifier filename ';'
-+transition_def : TYPE_TRANSITION names names ':' names identifier '\"' filename '\"' ';'
- {if (define_filename_trans()) return -1; }
- | TYPE_TRANSITION names names ':' names identifier ';'
- {if (define_compute_type(AVRULE_TRANSITION)) return -1;}
-diff -up checkpolicy-2.1.3/policy_scan.l.rhat checkpolicy-2.1.3/policy_scan.l
---- checkpolicy-2.1.3/policy_scan.l.rhat 2011-08-18 06:47:32.000000000 -0400
-+++ checkpolicy-2.1.3/policy_scan.l 2011-11-14 11:39:07.764330673 -0500
-@@ -225,11 +225,10 @@ PERMISSIVE { return(PERMISSIVE); }
- {digit}{1,3}(\.{digit}{1,3}){3} { return(IPV4_ADDR); }
- {hexval}{0,4}":"{hexval}{0,4}":"({hexval}|[:.])* { return(IPV6_ADDR); }
- {digit}+(\.({alnum}|[_.])*)? { return(VERSION_IDENTIFIER); }
--\"({alnum}|[_\.\-])+\" { return(FILENAME); }
- {alnum}* { return(FILENAME); }
--\.({alnum}|[_\.\-])* { return(FILENAME); }
--{letter}+([-_\.]|{alnum})+ { return(FILENAME); }
--([_\.]){alnum}+ { return(FILENAME); }
-+\.({alnum}|[_\.\-\~])* { return(FILENAME); }
-+{letter}+([-_\.\~]|{alnum})+ { return(FILENAME); }
-+([_\.\~]){alnum}+ { return(FILENAME); }
- #line[ ]1[ ]\"[^\n]*\" { set_source_file(yytext+9); }
- #line[ ]{digit}+ { source_lineno = atoi(yytext+6)-1; }
- #[^\n]* { /* delete comments */ }
-@@ -251,6 +250,7 @@ PERMISSIVE { return(PERMISSIVE); }
- "-" |
- "." |
- "]" |
-+"\"" |
- "~" |
- "*" { return(yytext[0]); }
- . { yywarn("unrecognized character");}
-diff -up checkpolicy-2.1.3/test/dispol.c.rhat checkpolicy-2.1.3/test/dispol.c
---- checkpolicy-2.1.3/test/dispol.c.rhat 2011-08-18 06:47:32.000000000 -0400
-+++ checkpolicy-2.1.3/test/dispol.c 2011-11-14 11:37:40.726277672 -0500
-@@ -365,7 +365,7 @@ static void display_filename_trans(polic
- display_id(p, fp, SYM_TYPES, ft->ttype - 1, "");
- display_id(p, fp, SYM_CLASSES, ft->tclass - 1, ":");
- display_id(p, fp, SYM_TYPES, ft->otype - 1, "");
-- fprintf(fp, "%s\n", ft->name);
-+ fprintf(fp, " %s\n", ft->name);
+diff --git a/checkpolicy/policy_scan.l b/checkpolicy/policy_scan.l
+index 5ee27f8..b4b9066 100644
+--- a/checkpolicy/policy_scan.l
++++ b/checkpolicy/policy_scan.l
+@@ -222,7 +222,7 @@ POLICYCAP { return(POLICYCAP); }
+ permissive |
+ PERMISSIVE { return(PERMISSIVE); }
+ "/"({alnum}|[_\.\-/])* { return(PATH); }
+-\"({alnum}|[_\.\-])+\" { return(FILENAME); }
++\"({alnum}|[_\.\-\~])+\" { return(FILENAME); }
+ {letter}({alnum}|[_\-])*([\.]?({alnum}|[_\-]))* { return(IDENTIFIER); }
+ {alnum}*{letter}{alnum}* { return(FILESYSTEM); }
+ {digit}+|0x{hexval}+ { return(NUMBER); }
+diff --git a/checkpolicy/test/Makefile b/checkpolicy/test/Makefile
+index 65cf901..0731e89 100644
+--- a/checkpolicy/test/Makefile
++++ b/checkpolicy/test/Makefile
+@@ -6,7 +6,7 @@ BINDIR=$(PREFIX)/bin
+ LIBDIR=$(PREFIX)/lib
+ INCLUDEDIR ?= $(PREFIX)/include
+
+-CFLAGS ?= -g -Wall -O2 -pipe
++CFLAGS ?= -g -Wall -W -Werror -O2 -pipe
+ override CFLAGS += -I$(INCLUDEDIR)
+
+ LDLIBS=-lfl -lselinux $(LIBDIR)/libsepol.a -L$(LIBDIR)
+diff --git a/checkpolicy/test/dismod.c b/checkpolicy/test/dismod.c
+index 1674a47..6a951f6 100644
+--- a/checkpolicy/test/dismod.c
++++ b/checkpolicy/test/dismod.c
+@@ -115,7 +115,7 @@ static void display_id(policydb_t * p, FILE * fp, uint32_t symbol_type,
+ int display_type_set(type_set_t * set, uint32_t flags, policydb_t * policy,
+ FILE * fp)
+ {
+- int i, num_types;
++ unsigned int i, num_types;
+
+ if (set->flags & TYPE_STAR) {
+ fprintf(fp, " * ");
+@@ -178,7 +178,7 @@ int display_type_set(type_set_t * set, uint32_t flags, policydb_t * policy,
+
+ int display_mod_role_set(role_set_t * roles, policydb_t * p, FILE * fp)
+ {
+- int i, num = 0;
++ unsigned int i, num = 0;
+
+ if (roles->flags & ROLE_STAR) {
+ fprintf(fp, " * ");
+@@ -211,13 +211,7 @@ int display_mod_role_set(role_set_t * roles, policydb_t * p, FILE * fp)
+
+ }
+
+-/* 'what' values for this function */
+-#define RENDER_UNCONDITIONAL 0x0001 /* render all regardless of enabled state */
+-#define RENDER_ENABLED 0x0002
+-#define RENDER_DISABLED 0x0004
+-#define RENDER_CONDITIONAL (RENDER_ENABLED|RENDER_DISABLED)
+-
+-int display_avrule(avrule_t * avrule, uint32_t what, policydb_t * policy,
++int display_avrule(avrule_t * avrule, policydb_t * policy,
+ FILE * fp)
+ {
+ class_perm_node_t *cur;
+@@ -299,7 +293,7 @@ int display_type_callback(hashtab_key_t key, hashtab_datum_t datum, void *data)
+ {
+ type_datum_t *type;
+ FILE *fp;
+- int i, first_attrib = 1;
++ unsigned int i, first_attrib = 1;
+
+ type = (type_datum_t *) datum;
+ fp = (FILE *) data;
+@@ -346,7 +340,7 @@ int display_types(policydb_t * p, FILE * fp)
+
+ int display_users(policydb_t * p, FILE * fp)
+ {
+- int i, j;
++ unsigned int i, j;
+ ebitmap_t *bitmap;
+ for (i = 0; i < p->p_users.nprim; i++) {
+ display_id(p, fp, SYM_USERS, i, "");
+@@ -365,7 +359,7 @@ int display_users(policydb_t * p, FILE * fp)
+
+ int display_bools(policydb_t * p, FILE * fp)
+ {
+- int i;
++ unsigned int i;
+
+ for (i = 0; i < p->p_bools.nprim; i++) {
+ display_id(p, fp, SYM_BOOLS, i, "");
+@@ -409,30 +403,11 @@ void display_expr(policydb_t * p, cond_expr_t * exp, FILE * fp)
+ }
+ }
+
+-void display_policycon(policydb_t * p, FILE * fp)
++void display_policycon(FILE * fp)
+ {
+-#if 0
+- int i;
+- ocontext_t *cur;
+- char *name;
+-
+- for (i = 0; i < POLICYCON_NUM; i++) {
+- fprintf(fp, "%s:", symbol_labels[i]);
+- for (cur = p->policycon[i].head; cur != NULL; cur = cur->next) {
+- if (*(cur->u.name) == '\0') {
+- name = "{default}";
+- } else {
+- name = cur->u.name;
+- }
+- fprintf(fp, "\n%16s - %s:%s:%s", name,
+- p->p_user_val_to_name[cur->context[0].user - 1],
+- p->p_role_val_to_name[cur->context[0].role - 1],
+- p->p_type_val_to_name[cur->context[0].type -
+- 1]);
+- }
+- fprintf(fp, "\n");
+- }
+-#endif
++ /* There was an attempt to implement this at one time. Look through
++ * git history to find it. */
++ fprintf(fp, "Sorry, not implemented\n");
+ }
+
+ void display_initial_sids(policydb_t * p, FILE * fp)
+@@ -462,7 +437,7 @@ void display_initial_sids(policydb_t * p, FILE * fp)
+
+ void display_class_set(ebitmap_t *classes, policydb_t *p, FILE *fp)
+ {
+- int i, num = 0;
++ unsigned int i, num = 0;
+
+ for (i = ebitmap_startbit(classes); i < ebitmap_length(classes); i++) {
+ if (!ebitmap_get_bit(classes, i))
+@@ -518,7 +493,8 @@ static void display_filename_trans(filename_trans_rule_t * tr, policydb_t * p, F
}
}
+-int role_display_callback(hashtab_key_t key, hashtab_datum_t datum, void *data)
++int role_display_callback(hashtab_key_t key __attribute__((unused)),
++ hashtab_datum_t datum, void *data)
+ {
+ role_datum_t *role;
+ FILE *fp;
+@@ -538,9 +514,9 @@ int role_display_callback(hashtab_key_t key, hashtab_datum_t datum, void *data)
+ static int display_scope_index(scope_index_t * indices, policydb_t * p,
+ FILE * out_fp)
+ {
+- int i;
++ unsigned int i;
+ for (i = 0; i < SYM_NUM; i++) {
+- int any_found = 0, j;
++ unsigned int any_found = 0, j;
+ fprintf(out_fp, "%s:", symbol_labels[i]);
+ for (j = ebitmap_startbit(&indices->scope[i]);
+ j < ebitmap_length(&indices->scope[i]); j++) {
+@@ -611,7 +587,7 @@ int change_bool(char *name, int state, policydb_t * p, FILE * fp)
+ }
+ #endif
+
+-int display_avdecl(avrule_decl_t * decl, int field, uint32_t what,
++int display_avdecl(avrule_decl_t * decl, int field,
+ policydb_t * policy, FILE * out_fp)
+ {
+ fprintf(out_fp, "decl %u:%s\n", decl->decl_id,
+@@ -629,7 +605,6 @@ int display_avdecl(avrule_decl_t * decl, int field, uint32_t what,
+ avrule = cond->avtrue_list;
+ while (avrule) {
+ display_avrule(avrule,
+- RENDER_UNCONDITIONAL,
+ &policydb, out_fp);
+ avrule = avrule->next;
+ }
+@@ -637,7 +612,6 @@ int display_avdecl(avrule_decl_t * decl, int field, uint32_t what,
+ avrule = cond->avfalse_list;
+ while (avrule) {
+ display_avrule(avrule,
+- RENDER_UNCONDITIONAL,
+ &policydb, out_fp);
+ avrule = avrule->next;
+ }
+@@ -651,10 +625,8 @@ int display_avdecl(avrule_decl_t * decl, int field, uint32_t what,
+ fprintf(out_fp, " <empty>\n");
+ }
+ while (avrule != NULL) {
+- if (display_avrule
+- (avrule, what, policy, out_fp)) {
++ if (display_avrule(avrule, policy, out_fp))
+ return -1;
+- }
+ avrule = avrule->next;
+ }
+ break;
+@@ -696,7 +668,7 @@ int display_avdecl(avrule_decl_t * decl, int field, uint32_t what,
+ return 0; /* should never get here */
+ }
+
+-int display_avblock(int field, uint32_t what, policydb_t * policy,
++int display_avblock(int field, policydb_t * policy,
+ FILE * out_fp)
+ {
+ avrule_block_t *block = policydb.global;
+@@ -704,7 +676,7 @@ int display_avblock(int field, uint32_t what, policydb_t * policy,
+ fprintf(out_fp, "--- begin avrule block ---\n");
+ avrule_decl_t *decl = block->branch_list;
+ while (decl != NULL) {
+- if (display_avdecl(decl, field, what, policy, out_fp)) {
++ if (display_avdecl(decl, field, policy, out_fp)) {
+ return -1;
+ }
+ decl = decl->next;
+@@ -820,7 +792,7 @@ static void display_policycaps(policydb_t * p, FILE * fp)
+ ebitmap_node_t *node;
+ const char *capname;
+ char buf[64];
+- int i;
++ unsigned int i;
+
+ fprintf(fp, "policy capabilities:\n");
+ ebitmap_for_each_bit(&p->policycaps, node, i) {
+@@ -915,14 +887,12 @@ int main(int argc, char **argv)
+ case '1':
+ fprintf(out_fp, "unconditional avtab:\n");
+ display_avblock(DISPLAY_AVBLOCK_UNCOND_AVTAB,
+- RENDER_UNCONDITIONAL, &policydb,
+- out_fp);
++ &policydb, out_fp);
+ break;
+ case '2':
+ fprintf(out_fp, "conditional avtab:\n");
+ display_avblock(DISPLAY_AVBLOCK_COND_AVTAB,
+- RENDER_UNCONDITIONAL, &policydb,
+- out_fp);
++ &policydb, out_fp);
+ break;
+ case '3':
+ display_users(&policydb, out_fp);
+@@ -944,28 +914,28 @@ int main(int argc, char **argv)
+ break;
+ case '7':
+ fprintf(out_fp, "role transitions:\n");
+- display_avblock(DISPLAY_AVBLOCK_ROLE_TRANS, 0,
++ display_avblock(DISPLAY_AVBLOCK_ROLE_TRANS,
+ &policydb, out_fp);
+ break;
+ case '8':
+ fprintf(out_fp, "role allows:\n");
+- display_avblock(DISPLAY_AVBLOCK_ROLE_ALLOW, 0,
++ display_avblock(DISPLAY_AVBLOCK_ROLE_ALLOW,
+ &policydb, out_fp);
+ break;
+ case '9':
+- display_policycon(&policydb, out_fp);
++ display_policycon(out_fp);
+ break;
+ case '0':
+ display_initial_sids(&policydb, out_fp);
+ break;
+ case 'a':
+ fprintf(out_fp, "avrule block requirements:\n");
+- display_avblock(DISPLAY_AVBLOCK_REQUIRES, 0,
++ display_avblock(DISPLAY_AVBLOCK_REQUIRES,
+ &policydb, out_fp);
+ break;
+ case 'b':
+ fprintf(out_fp, "avrule block declarations:\n");
+- display_avblock(DISPLAY_AVBLOCK_DECLARES, 0,
++ display_avblock(DISPLAY_AVBLOCK_DECLARES,
+ &policydb, out_fp);
+ break;
+ case 'c':
+@@ -993,7 +963,7 @@ int main(int argc, char **argv)
+ case 'F':
+ fprintf(out_fp, "filename_trans rules:\n");
+ display_avblock(DISPLAY_AVBLOCK_FILENAME_TRANS,
+- 0, &policydb, out_fp);
++ &policydb, out_fp);
+ break;
+ case 'l':
+ link_module(&policydb, out_fp);
+diff --git a/checkpolicy/test/dispol.c b/checkpolicy/test/dispol.c
+index 0e08965..f41acdc 100644
+--- a/checkpolicy/test/dispol.c
++++ b/checkpolicy/test/dispol.c
+@@ -157,7 +157,7 @@ int render_av_rule(avtab_key_t * key, avtab_datum_t * datum, uint32_t what,
+
+ int display_avtab(avtab_t * a, uint32_t what, policydb_t * p, FILE * fp)
+ {
+- int i;
++ unsigned int i;
+ avtab_ptr_t cur;
+ avtab_t expa;
+
+@@ -184,7 +184,7 @@ int display_avtab(avtab_t * a, uint32_t what, policydb_t * p, FILE * fp)
+
+ int display_bools(policydb_t * p, FILE * fp)
+ {
+- int i;
++ unsigned int i;
+
+ for (i = 0; i < p->p_bools.nprim; i++) {
+ fprintf(fp, "%s : %d\n", p->p_bool_val_to_name[i],
+@@ -304,7 +304,7 @@ static void display_policycaps(policydb_t * p, FILE * fp)
+ ebitmap_node_t *node;
+ const char *capname;
+ char buf[64];
+- int i;
++ unsigned int i;
+
+ fprintf(fp, "policy capabilities:\n");
+ ebitmap_for_each_bit(&p->policycaps, node, i) {
+@@ -329,7 +329,7 @@ static void display_id(policydb_t *p, FILE *fp, uint32_t symbol_type,
+ static void display_permissive(policydb_t *p, FILE *fp)
+ {
+ ebitmap_node_t *node;
+- int i;
++ unsigned int i;
+
+ fprintf(fp, "permissive sids:\n");
+ ebitmap_for_each_bit(&p->permissive_map, node, i) {
diff --git a/checkpolicy.spec b/checkpolicy.spec
index 7fdb2f1..a53a5c7 100644
--- a/checkpolicy.spec
+++ b/checkpolicy.spec
@@ -1,15 +1,16 @@
-%define libsepolver 2.1.0-1
+%define libselinuxver 2.1.6-4
+%define libsepolver 2.1.2-3
Summary: SELinux policy compiler
Name: checkpolicy
-Version: 2.1.3
-Release: 1.3%{?dist}
+Version: 2.1.6
+Release: 2%{?dist}
License: GPLv2
Group: Development/System
Source: http://www.nsa.gov/selinux/archives/%{name}-%{version}.tgz
Patch: checkpolicy-rhat.patch
BuildRoot: %{_tmppath}/%{name}-buildroot
-BuildRequires: byacc bison flex flex-static libsepol-static >= %{libsepolver} libselinux-devel
+BuildRequires: byacc bison flex flex-static libsepol-static >= %{libsepolver} libselinux-devel >= %{libselinuxver}
%description
Security-enhanced Linux is a feature of the Linux® kernel and a number
@@ -27,7 +28,7 @@ Only required for building policies.
%prep
%setup -q
-%patch -p1 -b .rhat
+%patch -p2 -b .rhat
%build
make clean
@@ -55,16 +56,26 @@ rm -rf ${RPM_BUILD_ROOT}
%{_bindir}/sedispol
%changelog
-* Mon Nov 14 2011 Dan Walsh <dwalsh at redhat.com> - 2.1.3-1.3
-- Allow ~ in FILENAMEs
+* Mon Nov 14 2011 Dan Walsh <dwalsh at redhat.com> - 2.1.6-2
+- Allow ~ in a filename
-* Wed Sep 21 2011 Dan Walsh <dwalsh at redhat.com> - 2.1.3-1.2
-- Try again
+* Fri Nov 4 2011 Dan Walsh <dwalsh at redhat.com> - 2.1.6-1
+- Upgrade to upstream
+ * Revert "checkpolicy: Redo filename/filesystem syntax to support filename trans rules"
+ * drop libsepol dynamic link in checkpolicy
-* Tue Sep 20 2011 Dan Walsh <dwalsh at redhat.com> - 2.1.3-1.1
+* Tue Sep 20 2011 Dan Walsh <dwalsh at redhat.com> - 2.1.5-2
- Fix checkpolicy to ignore '"' in filename trans rules
-* Thu Aug 18 2011 Dan Walsh <dwalsh at redhat.com> - 2.1.3-1
+* Mon Sep 19 2011 Dan Walsh <dwalsh at redhat.com> - 2.1.5-1
+-Update to upstream
+ * Separate tunable from boolean during compile.
+
+* Tue Aug 30 2011 Dan Walsh <dwalsh at redhat.com> - 2.1.4-0
+-Update to upstream
+ * checkpolicy: fix spacing in output message
+
+* Thu Aug 18 2011 Dan Walsh <dwalsh at redhat.com> - 2.1.3-0
* add missing ; to attribute_role_def
*Redo filename/filesystem syntax to support filename trans
diff --git a/sources b/sources
index b73aaa1..a97bde0 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-5b025df9f12bd873b3bb815c50fb9172 checkpolicy-2.1.3.tgz
+a1115f9c92777da7c8cafab08a81b779 checkpolicy-2.1.6.tgz
More information about the scm-commits
mailing list