[checkpolicy] Upgrade to upstream * dis* fixed signed vs unsigned errors * dismod: fix unused parameter errors

Daniel J Walsh dwalsh at fedoraproject.org
Thu Dec 15 19:30:28 UTC 2011


commit 5ea3e823bf11c41bfe6b074991b72cbc96364523
Author: Dan Walsh <dwalsh at redhat.com>
Date:   Thu Dec 15 14:30:26 2011 -0500

    Upgrade to upstream
    	* dis* fixed signed vs unsigned errors
    	* dismod: fix unused parameter errors
    	* test: Makefile: include -W and -Werror
    	* allow ~ in filename transition rules
    Allow policy to specify the source or target for generating the default user, role
    or mls label for a new target.

 .gitignore             |    1 +
 checkpolicy-rhat.patch |  661 ++++++++++++++++++++++++++----------------------
 checkpolicy.spec       |   15 +-
 sources                |    2 +-
 4 files changed, 372 insertions(+), 307 deletions(-)
---
diff --git a/.gitignore b/.gitignore
index 6e75576..ccefc98 100644
--- a/.gitignore
+++ b/.gitignore
@@ -83,3 +83,4 @@ checkpolicy-2.0.22.tgz
 /checkpolicy-2.1.4.tgz
 /checkpolicy-2.1.5.tgz
 /checkpolicy-2.1.6.tgz
+/checkpolicy-2.1.7.tgz
diff --git a/checkpolicy-rhat.patch b/checkpolicy-rhat.patch
index 1b33470..0943a49 100644
--- a/checkpolicy-rhat.patch
+++ b/checkpolicy-rhat.patch
@@ -1,320 +1,375 @@
-diff --git a/checkpolicy/policy_scan.l b/checkpolicy/policy_scan.l
-index 5ee27f8..b4b9066 100644
---- a/checkpolicy/policy_scan.l
-+++ b/checkpolicy/policy_scan.l
-@@ -222,7 +222,7 @@ POLICYCAP			{ return(POLICYCAP); }
- permissive |
- PERMISSIVE			{ return(PERMISSIVE); }
- "/"({alnum}|[_\.\-/])*	        { return(PATH); }
--\"({alnum}|[_\.\-])+\"			{ return(FILENAME); }
-+\"({alnum}|[_\.\-\~])+\"			{ return(FILENAME); }
- {letter}({alnum}|[_\-])*([\.]?({alnum}|[_\-]))*	{ return(IDENTIFIER); }
- {alnum}*{letter}{alnum}*        { return(FILESYSTEM); }
- {digit}+|0x{hexval}+            { return(NUMBER); }
-diff --git a/checkpolicy/test/Makefile b/checkpolicy/test/Makefile
-index 65cf901..0731e89 100644
---- a/checkpolicy/test/Makefile
-+++ b/checkpolicy/test/Makefile
-@@ -6,7 +6,7 @@ BINDIR=$(PREFIX)/bin
- LIBDIR=$(PREFIX)/lib
- INCLUDEDIR ?= $(PREFIX)/include
- 
--CFLAGS ?= -g -Wall -O2 -pipe
-+CFLAGS ?= -g -Wall -W -Werror -O2 -pipe
- override CFLAGS += -I$(INCLUDEDIR)
- 
- LDLIBS=-lfl -lselinux $(LIBDIR)/libsepol.a -L$(LIBDIR)
-diff --git a/checkpolicy/test/dismod.c b/checkpolicy/test/dismod.c
-index 1674a47..6a951f6 100644
---- a/checkpolicy/test/dismod.c
-+++ b/checkpolicy/test/dismod.c
-@@ -115,7 +115,7 @@ static void display_id(policydb_t * p, FILE * fp, uint32_t symbol_type,
- int display_type_set(type_set_t * set, uint32_t flags, policydb_t * policy,
- 		     FILE * fp)
- {
--	int i, num_types;
-+	unsigned int i, num_types;
- 
- 	if (set->flags & TYPE_STAR) {
- 		fprintf(fp, " * ");
-@@ -178,7 +178,7 @@ int display_type_set(type_set_t * set, uint32_t flags, policydb_t * policy,
- 
- int display_mod_role_set(role_set_t * roles, policydb_t * p, FILE * fp)
- {
--	int i, num = 0;
-+	unsigned int i, num = 0;
- 
- 	if (roles->flags & ROLE_STAR) {
- 		fprintf(fp, " * ");
-@@ -211,13 +211,7 @@ int display_mod_role_set(role_set_t * roles, policydb_t * p, FILE * fp)
- 
+diff --git a/checkpolicy/policy_define.c b/checkpolicy/policy_define.c
+index 1bf669c..a86c6b3 100644
+--- a/checkpolicy/policy_define.c
++++ b/checkpolicy/policy_define.c
+@@ -327,6 +327,126 @@ int define_initial_sid(void)
+ 	return -1;
  }
  
--/* 'what' values for this function */
--#define	RENDER_UNCONDITIONAL	0x0001	/* render all regardless of enabled state */
--#define RENDER_ENABLED		0x0002
--#define RENDER_DISABLED		0x0004
--#define RENDER_CONDITIONAL	(RENDER_ENABLED|RENDER_DISABLED)
--
--int display_avrule(avrule_t * avrule, uint32_t what, policydb_t * policy,
-+int display_avrule(avrule_t * avrule, policydb_t * policy,
- 		   FILE * fp)
- {
- 	class_perm_node_t *cur;
-@@ -299,7 +293,7 @@ int display_type_callback(hashtab_key_t key, hashtab_datum_t datum, void *data)
- {
- 	type_datum_t *type;
- 	FILE *fp;
--	int i, first_attrib = 1;
-+	unsigned int i, first_attrib = 1;
- 
- 	type = (type_datum_t *) datum;
- 	fp = (FILE *) data;
-@@ -346,7 +340,7 @@ int display_types(policydb_t * p, FILE * fp)
- 
- int display_users(policydb_t * p, FILE * fp)
++static int read_classes(ebitmap_t *e_classes)
++{
++	char *id;
++	class_datum_t *cladatum;
++
++	while ((id = queue_remove(id_queue))) {
++		if (!is_id_in_scope(SYM_CLASSES, id)) {
++			yyerror2("class %s is not within scope", id);
++			return -1;
++		}
++		cladatum = hashtab_search(policydbp->p_classes.table, id);
++		if (!cladatum) {
++			yyerror2("unknown class %s", id);
++			return -1;
++		}
++		if (ebitmap_set_bit(e_classes, cladatum->s.value - 1, TRUE)) {
++			yyerror("Out of memory");
++			return -1;
++		}
++		free(id);
++	}
++	return 0;
++}
++
++int define_default_user(int which)
++{
++	char *id;
++	class_datum_t *cladatum;
++
++	if (pass == 1) {
++		while ((id = queue_remove(id_queue)))
++			free(id);
++		return 0;
++	}
++
++	while ((id = queue_remove(id_queue))) {
++		if (!is_id_in_scope(SYM_CLASSES, id)) {
++			yyerror2("class %s is not within scope", id);
++			return -1;
++		}
++		cladatum = hashtab_search(policydbp->p_classes.table, id);
++		if (!cladatum) {
++			yyerror2("unknown class %s", id);
++			return -1;
++		}
++		if (cladatum->default_user && cladatum->default_user != which) {
++			yyerror2("conflicting default user information for class %s", id);
++			return -1;
++		}
++		cladatum->default_user = which;
++		free(id);
++	}
++
++	return 0;
++}
++
++int define_default_role(int which)
++{
++	char *id;
++	class_datum_t *cladatum;
++
++	if (pass == 1) {
++		while ((id = queue_remove(id_queue)))
++			free(id);
++		return 0;
++	}
++
++	while ((id = queue_remove(id_queue))) {
++		if (!is_id_in_scope(SYM_CLASSES, id)) {
++			yyerror2("class %s is not within scope", id);
++			return -1;
++		}
++		cladatum = hashtab_search(policydbp->p_classes.table, id);
++		if (!cladatum) {
++			yyerror2("unknown class %s", id);
++			return -1;
++		}
++		if (cladatum->default_role && cladatum->default_role != which) {
++			yyerror2("conflicting default role information for class %s", id);
++			return -1;
++		}
++		cladatum->default_role = which;
++		free(id);
++	}
++
++	return 0;
++}
++
++int define_default_range(int which)
++{
++	char *id;
++	class_datum_t *cladatum;
++
++	if (pass == 1) {
++		while ((id = queue_remove(id_queue)))
++			free(id);
++		return 0;
++	}
++
++	while ((id = queue_remove(id_queue))) {
++		if (!is_id_in_scope(SYM_CLASSES, id)) {
++			yyerror2("class %s is not within scope", id);
++			return -1;
++		}
++		cladatum = hashtab_search(policydbp->p_classes.table, id);
++		if (!cladatum) {
++			yyerror2("unknown class %s", id);
++			return -1;
++		}
++		if (cladatum->default_range && cladatum->default_range != which) {
++			yyerror2("conflicting default range information for class %s", id);
++			return -1;
++		}
++		cladatum->default_range = which;
++		free(id);
++	}
++
++	return 0;
++}
++
+ int define_common_perms(void)
  {
--	int i, j;
-+	unsigned int i, j;
- 	ebitmap_t *bitmap;
- 	for (i = 0; i < p->p_users.nprim; i++) {
- 		display_id(p, fp, SYM_USERS, i, "");
-@@ -365,7 +359,7 @@ int display_users(policydb_t * p, FILE * fp)
- 
- int display_bools(policydb_t * p, FILE * fp)
+ 	char *id = 0, *perm = 0;
+@@ -1360,7 +1480,6 @@ int define_compute_type_helper(int which, avrule_t ** rule)
  {
--	int i;
-+	unsigned int i;
- 
- 	for (i = 0; i < p->p_bools.nprim; i++) {
- 		display_id(p, fp, SYM_BOOLS, i, "");
-@@ -409,30 +403,11 @@ void display_expr(policydb_t * p, cond_expr_t * exp, FILE * fp)
+ 	char *id;
+ 	type_datum_t *datum;
+-	class_datum_t *cladatum;
+ 	ebitmap_t tclasses;
+ 	ebitmap_node_t *node;
+ 	avrule_t *avrule;
+@@ -1387,23 +1506,8 @@ int define_compute_type_helper(int which, avrule_t ** rule)
  	}
- }
  
--void display_policycon(policydb_t * p, FILE * fp)
-+void display_policycon(FILE * fp)
- {
--#if 0
--	int i;
--	ocontext_t *cur;
--	char *name;
--
--	for (i = 0; i < POLICYCON_NUM; i++) {
--		fprintf(fp, "%s:", symbol_labels[i]);
--		for (cur = p->policycon[i].head; cur != NULL; cur = cur->next) {
--			if (*(cur->u.name) == '\0') {
--				name = "{default}";
--			} else {
--				name = cur->u.name;
--			}
--			fprintf(fp, "\n%16s - %s:%s:%s", name,
--				p->p_user_val_to_name[cur->context[0].user - 1],
--				p->p_role_val_to_name[cur->context[0].role - 1],
--				p->p_type_val_to_name[cur->context[0].type -
--						      1]);
+ 	ebitmap_init(&tclasses);
+-	while ((id = queue_remove(id_queue))) {
+-		if (!is_id_in_scope(SYM_CLASSES, id)) {
+-			yyerror2("class %s is not within scope", id);
+-			free(id);
+-			goto bad;
+-		}
+-		cladatum = hashtab_search(policydbp->p_classes.table, id);
+-		if (!cladatum) {
+-			yyerror2("unknown class %s", id);
+-			goto bad;
+-		}
+-		if (ebitmap_set_bit(&tclasses, cladatum->s.value - 1, TRUE)) {
+-			yyerror("Out of memory");
+-			goto bad;
 -		}
--		fprintf(fp, "\n");
+-		free(id);
 -	}
--#endif
-+	/* There was an attempt to implement this at one time.  Look through
-+	 * git history to find it. */
-+	fprintf(fp, "Sorry, not implemented\n");
- }
- 
- void display_initial_sids(policydb_t * p, FILE * fp)
-@@ -462,7 +437,7 @@ void display_initial_sids(policydb_t * p, FILE * fp)
++	if (read_classes(&tclasses))
++		goto bad;
  
- void display_class_set(ebitmap_t *classes, policydb_t *p, FILE *fp)
- {
--	int i, num = 0;
-+	unsigned int i, num = 0;
- 
- 	for (i = ebitmap_startbit(classes); i < ebitmap_length(classes); i++) {
- 		if (!ebitmap_get_bit(classes, i))
-@@ -518,7 +493,8 @@ static void display_filename_trans(filename_trans_rule_t * tr, policydb_t * p, F
+ 	id = (char *)queue_remove(id_queue);
+ 	if (!id) {
+@@ -1628,25 +1732,9 @@ int define_te_avtab_helper(int which, avrule_t ** rule)
  	}
- }
- 
--int role_display_callback(hashtab_key_t key, hashtab_datum_t datum, void *data)
-+int role_display_callback(hashtab_key_t key __attribute__((unused)),
-+			  hashtab_datum_t datum, void *data)
- {
- 	role_datum_t *role;
- 	FILE *fp;
-@@ -538,9 +514,9 @@ int role_display_callback(hashtab_key_t key, hashtab_datum_t datum, void *data)
- static int display_scope_index(scope_index_t * indices, policydb_t * p,
- 			       FILE * out_fp)
- {
--	int i;
-+	unsigned int i;
- 	for (i = 0; i < SYM_NUM; i++) {
--		int any_found = 0, j;
-+		unsigned int any_found = 0, j;
- 		fprintf(out_fp, "%s:", symbol_labels[i]);
- 		for (j = ebitmap_startbit(&indices->scope[i]);
- 		     j < ebitmap_length(&indices->scope[i]); j++) {
-@@ -611,7 +587,7 @@ int change_bool(char *name, int state, policydb_t * p, FILE * fp)
- }
- #endif
  
--int display_avdecl(avrule_decl_t * decl, int field, uint32_t what,
-+int display_avdecl(avrule_decl_t * decl, int field,
- 		   policydb_t * policy, FILE * out_fp)
- {
- 	fprintf(out_fp, "decl %u:%s\n", decl->decl_id,
-@@ -629,7 +605,6 @@ int display_avdecl(avrule_decl_t * decl, int field, uint32_t what,
- 				avrule = cond->avtrue_list;
- 				while (avrule) {
- 					display_avrule(avrule,
--						       RENDER_UNCONDITIONAL,
- 						       &policydb, out_fp);
- 					avrule = avrule->next;
- 				}
-@@ -637,7 +612,6 @@ int display_avdecl(avrule_decl_t * decl, int field, uint32_t what,
- 				avrule = cond->avfalse_list;
- 				while (avrule) {
- 					display_avrule(avrule,
--						       RENDER_UNCONDITIONAL,
- 						       &policydb, out_fp);
- 					avrule = avrule->next;
- 				}
-@@ -651,10 +625,8 @@ int display_avdecl(avrule_decl_t * decl, int field, uint32_t what,
- 				fprintf(out_fp, "  <empty>\n");
- 			}
- 			while (avrule != NULL) {
--				if (display_avrule
--				    (avrule, what, policy, out_fp)) {
-+				if (display_avrule(avrule, policy, out_fp))
- 					return -1;
--				}
- 				avrule = avrule->next;
- 			}
- 			break;
-@@ -696,7 +668,7 @@ int display_avdecl(avrule_decl_t * decl, int field, uint32_t what,
- 	return 0;		/* should never get here */
- }
- 
--int display_avblock(int field, uint32_t what, policydb_t * policy,
-+int display_avblock(int field, policydb_t * policy,
- 		    FILE * out_fp)
- {
- 	avrule_block_t *block = policydb.global;
-@@ -704,7 +676,7 @@ int display_avblock(int field, uint32_t what, policydb_t * policy,
- 		fprintf(out_fp, "--- begin avrule block ---\n");
- 		avrule_decl_t *decl = block->branch_list;
- 		while (decl != NULL) {
--			if (display_avdecl(decl, field, what, policy, out_fp)) {
-+			if (display_avdecl(decl, field, policy, out_fp)) {
- 				return -1;
- 			}
- 			decl = decl->next;
-@@ -820,7 +792,7 @@ static void display_policycaps(policydb_t * p, FILE * fp)
- 	ebitmap_node_t *node;
- 	const char *capname;
- 	char buf[64];
--	int i;
-+	unsigned int i;
- 
- 	fprintf(fp, "policy capabilities:\n");
- 	ebitmap_for_each_bit(&p->policycaps, node, i) {
-@@ -915,14 +887,12 @@ int main(int argc, char **argv)
- 		case '1':
- 			fprintf(out_fp, "unconditional avtab:\n");
- 			display_avblock(DISPLAY_AVBLOCK_UNCOND_AVTAB,
--					RENDER_UNCONDITIONAL, &policydb,
--					out_fp);
-+					&policydb, out_fp);
- 			break;
- 		case '2':
- 			fprintf(out_fp, "conditional avtab:\n");
- 			display_avblock(DISPLAY_AVBLOCK_COND_AVTAB,
--					RENDER_UNCONDITIONAL, &policydb,
--					out_fp);
-+					&policydb, out_fp);
- 			break;
- 		case '3':
- 			display_users(&policydb, out_fp);
-@@ -944,28 +914,28 @@ int main(int argc, char **argv)
- 			break;
- 		case '7':
- 			fprintf(out_fp, "role transitions:\n");
--			display_avblock(DISPLAY_AVBLOCK_ROLE_TRANS, 0,
-+			display_avblock(DISPLAY_AVBLOCK_ROLE_TRANS,
- 					&policydb, out_fp);
- 			break;
- 		case '8':
- 			fprintf(out_fp, "role allows:\n");
--			display_avblock(DISPLAY_AVBLOCK_ROLE_ALLOW, 0,
-+			display_avblock(DISPLAY_AVBLOCK_ROLE_ALLOW,
- 					&policydb, out_fp);
- 			break;
- 		case '9':
--			display_policycon(&policydb, out_fp);
-+			display_policycon(out_fp);
- 			break;
- 		case '0':
- 			display_initial_sids(&policydb, out_fp);
- 			break;
- 		case 'a':
- 			fprintf(out_fp, "avrule block requirements:\n");
--			display_avblock(DISPLAY_AVBLOCK_REQUIRES, 0,
-+			display_avblock(DISPLAY_AVBLOCK_REQUIRES,
- 					&policydb, out_fp);
- 			break;
- 		case 'b':
- 			fprintf(out_fp, "avrule block declarations:\n");
--			display_avblock(DISPLAY_AVBLOCK_DECLARES, 0,
-+			display_avblock(DISPLAY_AVBLOCK_DECLARES,
- 					&policydb, out_fp);
- 			break;
- 		case 'c':
-@@ -993,7 +963,7 @@ int main(int argc, char **argv)
- 		case 'F':
- 			fprintf(out_fp, "filename_trans rules:\n");
- 			display_avblock(DISPLAY_AVBLOCK_FILENAME_TRANS,
--					0, &policydb, out_fp);
-+					&policydb, out_fp);
- 			break;
- 		case 'l':
- 			link_module(&policydb, out_fp);
-diff --git a/checkpolicy/test/dispol.c b/checkpolicy/test/dispol.c
-index 0e08965..f41acdc 100644
---- a/checkpolicy/test/dispol.c
-+++ b/checkpolicy/test/dispol.c
-@@ -157,7 +157,7 @@ int render_av_rule(avtab_key_t * key, avtab_datum_t * datum, uint32_t what,
+ 	ebitmap_init(&tclasses);
+-	while ((id = queue_remove(id_queue))) {
+-		if (!is_id_in_scope(SYM_CLASSES, id)) {
+-			yyerror2("class %s is not within scope", id);
+-			ret = -1;
+-			goto out;
+-		}
+-		cladatum = hashtab_search(policydbp->p_classes.table, id);
+-		if (!cladatum) {
+-			yyerror2("unknown class %s used in rule", id);
+-			ret = -1;
+-			goto out;
+-		}
+-		if (ebitmap_set_bit(&tclasses, cladatum->s.value - 1, TRUE)) {
+-			yyerror("Out of memory");
+-			ret = -1;
+-			goto out;
+-		}
+-		free(id);
+-	}
++	ret = read_classes(&tclasses);
++	if (ret)
++		goto out;
  
- int display_avtab(avtab_t * a, uint32_t what, policydb_t * p, FILE * fp)
- {
--	int i;
-+	unsigned int i;
- 	avtab_ptr_t cur;
- 	avtab_t expa;
+ 	perms = NULL;
+ 	ebitmap_for_each_bit(&tclasses, node, i) {
+@@ -2242,22 +2330,8 @@ int define_role_trans(int class_specified)
+ 	}
  
-@@ -184,7 +184,7 @@ int display_avtab(avtab_t * a, uint32_t what, policydb_t * p, FILE * fp)
+ 	if (class_specified) {
+-		while ((id = queue_remove(id_queue))) {
+-			if (!is_id_in_scope(SYM_CLASSES, id)) {
+-				yyerror2("class %s is not within scope", id);
+-				free(id);
+-				return -1;
+-			}
+-			cladatum = hashtab_search(policydbp->p_classes.table,
+-						  id);
+-			if (!cladatum) {
+-				yyerror2("unknow class %s", id);
+-				return -1;
+-			}
+-
+-			ebitmap_set_bit(&e_classes, cladatum->s.value - 1, TRUE);
+-			free(id);
+-		}
++		if (read_classes(&e_classes))
++			return -1;
+ 	} else {
+ 		cladatum = hashtab_search(policydbp->p_classes.table,
+ 					  "process");
+@@ -2410,7 +2484,6 @@ int define_filename_trans(void)
+ 	ebitmap_node_t *snode, *tnode, *cnode;
+ 	filename_trans_t *ft;
+ 	filename_trans_rule_t *ftr;
+-	class_datum_t *cladatum;
+ 	type_datum_t *typdatum;
+ 	uint32_t otype;
+ 	unsigned int c, s, t;
+@@ -2451,23 +2524,8 @@ int define_filename_trans(void)
+ 	}
  
- int display_bools(policydb_t * p, FILE * fp)
- {
--	int i;
-+	unsigned int i;
+ 	ebitmap_init(&e_tclasses);
+-	while ((id = queue_remove(id_queue))) {
+-		if (!is_id_in_scope(SYM_CLASSES, id)) {
+-			yyerror2("class %s is not within scope", id);
+-			free(id);
+-			goto bad;
+-		}
+-		cladatum = hashtab_search(policydbp->p_classes.table, id);
+-		if (!cladatum) {
+-			yyerror2("unknown class %s", id);
+-			goto bad;
+-		}
+-		if (ebitmap_set_bit(&e_tclasses, cladatum->s.value - 1, TRUE)) {
+-			yyerror("Out of memory");
+-			goto bad;
+-		}
+-		free(id);
+-	}
++	if (read_classes(&e_tclasses))
++		goto bad;
  
- 	for (i = 0; i < p->p_bools.nprim; i++) {
- 		fprintf(fp, "%s : %d\n", p->p_bool_val_to_name[i],
-@@ -304,7 +304,7 @@ static void display_policycaps(policydb_t * p, FILE * fp)
- 	ebitmap_node_t *node;
- 	const char *capname;
- 	char buf[64];
--	int i;
-+	unsigned int i;
+ 	id = (char *)queue_remove(id_queue);
+ 	if (!id) {
+@@ -4549,23 +4607,8 @@ int define_range_trans(int class_specified)
+ 	}
  
- 	fprintf(fp, "policy capabilities:\n");
- 	ebitmap_for_each_bit(&p->policycaps, node, i) {
-@@ -329,7 +329,7 @@ static void display_id(policydb_t *p, FILE *fp, uint32_t symbol_type,
- static void display_permissive(policydb_t *p, FILE *fp)
- {
- 	ebitmap_node_t *node;
--	int i;
-+	unsigned int i;
+ 	if (class_specified) {
+-		while ((id = queue_remove(id_queue))) {
+-			if (!is_id_in_scope(SYM_CLASSES, id)) {
+-				yyerror2("class %s is not within scope", id);
+-				free(id);
+-				goto out;
+-			}
+-			cladatum = hashtab_search(policydbp->p_classes.table,
+-			                          id);
+-			if (!cladatum) {
+-				yyerror2("unknown class %s", id);
+-				goto out;
+-			}
+-
+-			ebitmap_set_bit(&rule->tclasses, cladatum->s.value - 1,
+-			                TRUE);
+-			free(id);
+-		}
++		if (read_classes(&rule->tclasses))
++			goto out;
+ 	} else {
+ 		cladatum = hashtab_search(policydbp->p_classes.table,
+ 		                          "process");
+diff --git a/checkpolicy/policy_define.h b/checkpolicy/policy_define.h
+index 92a9be7..ccbe56f 100644
+--- a/checkpolicy/policy_define.h
++++ b/checkpolicy/policy_define.h
+@@ -24,6 +24,9 @@ int define_av_perms(int inherits);
+ int define_bool_tunable(int is_tunable);
+ int define_category(void);
+ int define_class(void);
++int define_default_user(int which);
++int define_default_role(int which);
++int define_default_range(int which);
+ int define_common_perms(void);
+ int define_compute_type(int which);
+ int define_conditional(cond_expr_t *expr, avrule_t *t_list, avrule_t *f_list );
+diff --git a/checkpolicy/policy_parse.y b/checkpolicy/policy_parse.y
+index d808111..3b7357f 100644
+--- a/checkpolicy/policy_parse.y
++++ b/checkpolicy/policy_parse.y
+@@ -143,6 +143,8 @@ typedef int (* require_func_t)();
+ %token POLICYCAP
+ %token PERMISSIVE
+ %token FILESYSTEM
++%token DEFAULT_USER DEFAULT_ROLE DEFAULT_RANGE
++%token LOW_HIGH LOW HIGH
  
- 	fprintf(fp, "permissive sids:\n");
- 	ebitmap_for_each_bit(&p->permissive_map, node, i) {
+ %left OR
+ %left XOR
+@@ -157,7 +159,7 @@ base_policy             : { if (define_policy(pass, 0) == -1) return -1; }
+                           classes initial_sids access_vectors
+                           { if (pass == 1) { if (policydb_index_classes(policydbp)) return -1; }
+                             else if (pass == 2) { if (policydb_index_others(NULL, policydbp, 0)) return -1; }}
+-			  opt_mls te_rbac users opt_constraints 
++			  default_rules opt_mls te_rbac users opt_constraints 
+                          { if (pass == 1) { if (policydb_index_bools(policydbp)) return -1;}
+ 			   else if (pass == 2) { if (policydb_index_others(NULL, policydbp, 0)) return -1;}}
+ 			  initial_sid_contexts opt_fs_contexts opt_fs_uses opt_genfs_contexts net_contexts opt_dev_contexts
+@@ -195,6 +197,36 @@ av_perms_def		: CLASS identifier '{' identifier_list '}'
+                         | CLASS identifier INHERITS identifier '{' identifier_list '}'
+ 			{if (define_av_perms(TRUE)) return -1;}
+ 			;
++default_rules		: default_user_def
++			| default_role_def
++			| default_range_def
++			| default_rules default_user_def
++			| default_rules default_role_def
++			| default_rules default_range_def
++			;
++default_user_def	: DEFAULT_USER names SOURCE ';'
++			{if (define_default_user(DEFAULT_SOURCE)) return -1; }
++			| DEFAULT_USER names TARGET ';'
++			{if (define_default_user(DEFAULT_TARGET)) return -1; }
++			;
++default_role_def	: DEFAULT_ROLE names SOURCE ';'
++			{if (define_default_role(DEFAULT_SOURCE)) return -1; }
++			| DEFAULT_ROLE names TARGET ';'
++			{if (define_default_role(DEFAULT_TARGET)) return -1; }
++			;
++default_range_def	: DEFAULT_RANGE names SOURCE LOW ';'
++			{if (define_default_range(DEFAULT_SOURCE_LOW)) return -1; }
++			| DEFAULT_RANGE names SOURCE HIGH ';'
++			{if (define_default_range(DEFAULT_SOURCE_HIGH)) return -1; }
++			| DEFAULT_RANGE names SOURCE LOW_HIGH ';'
++			{if (define_default_range(DEFAULT_SOURCE_LOW_HIGH)) return -1; }
++			| DEFAULT_RANGE names TARGET LOW ';'
++			{if (define_default_range(DEFAULT_TARGET_LOW)) return -1; }
++			| DEFAULT_RANGE names TARGET HIGH ';'
++			{if (define_default_range(DEFAULT_TARGET_HIGH)) return -1; }
++			| DEFAULT_RANGE names TARGET LOW_HIGH ';'
++			{if (define_default_range(DEFAULT_TARGET_LOW_HIGH)) return -1; }
++			;
+ opt_mls			: mls
+                         | 
+ 			;
+diff --git a/checkpolicy/policy_scan.l b/checkpolicy/policy_scan.l
+index 9b24db5..e767b5f 100644
+--- a/checkpolicy/policy_scan.l
++++ b/checkpolicy/policy_scan.l
+@@ -221,6 +221,18 @@ policycap |
+ POLICYCAP			{ return(POLICYCAP); }
+ permissive |
+ PERMISSIVE			{ return(PERMISSIVE); }
++default_user |
++DEFAULT_USER			{ return(DEFAULT_USER); }
++default_role |
++DEFAULT_ROLE			{ return(DEFAULT_ROLE); }
++default_range |
++DEFAULT_RANGE			{ return(DEFAULT_RANGE); }
++low-high |
++LOW-HIGH			{ return(LOW_HIGH); }
++high |
++HIGH				{ return(HIGH); }
++low |
++LOW				{ return(LOW); }
+ "/"({alnum}|[_\.\-/])*	        { return(PATH); }
+ \"({alnum}|[_\.\-\~])+\"	{ return(FILENAME); }
+ {letter}({alnum}|[_\-])*([\.]?({alnum}|[_\-]))*	{ return(IDENTIFIER); }
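Review bot: The new `default_rules` nonterminal in policy_parse.y (`default_rules : default_user_def | default_role_def | … ;`) has no empty alternative, yet `base_policy` now places it unconditionally between `access_vectors` and `opt_mls`, so any policy that declares no `default_*` statement will fail with a syntax error at the first `mls`/`te_rbac` token unless an empty production is supplied elsewhere in the grammar. Wrapping it as `opt_default_rules : default_rules | ;` and using `opt_default_rules` in the `base_policy` production would keep existing policies parsing. In policy_define.c, `read_classes` and the three `define_default_*` functions never `free(id)` on their `return -1` paths (the loops they replace at least freed it on the out-of-scope error), so every class-name parse error leaks the identifier string; a `free(id);` before each early return closes that. The scanner's new `low`/`high` rules precede the IDENTIFIER rule, so any policy that uses `low` or `high` as a type, role, user or level name will now lex them as keywords — if that is intended it deserves a changelog line, since it is a silent compatibility break for such policies.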
diff --git a/checkpolicy.spec b/checkpolicy.spec
index a53a5c7..29aba0f 100644
--- a/checkpolicy.spec
+++ b/checkpolicy.spec
@@ -1,9 +1,9 @@
 %define libselinuxver 2.1.6-4
-%define libsepolver 2.1.2-3
+%define libsepolver 2.1.4-1
 Summary: SELinux policy compiler
 Name: checkpolicy
-Version: 2.1.6
-Release: 2%{?dist}
+Version: 2.1.7
+Release: 1%{?dist}
 License: GPLv2
 Group: Development/System
 Source: http://www.nsa.gov/selinux/archives/%{name}-%{version}.tgz
@@ -56,6 +56,15 @@ rm -rf ${RPM_BUILD_ROOT}
 %{_bindir}/sedispol
 
 %changelog
+* Tue Dec 6 2011 Dan Walsh <dwalsh at redhat.com> - 2.1.7-1
+- Upgrade to upstream
+	* dis* fixed signed vs unsigned errors
+	* dismod: fix unused parameter errors
+	* test: Makefile: include -W and -Werror
+	* allow ~ in filename transition rules
+- Allow policy to specify the source of target for generating the default user,role 
+- or mls label for a new target.
+
 * Mon Nov 14 2011 Dan Walsh <dwalsh at redhat.com> - 2.1.6-2
 - Allow ~ in a filename 
 
diff --git a/sources b/sources
index a97bde0..986e4c8 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-a1115f9c92777da7c8cafab08a81b779  checkpolicy-2.1.6.tgz
+19c722fd1e180250a22d25b1fb41a4fd  checkpolicy-2.1.7.tgz

