[libsepol/f16] The filename_trans code had a bug where duplicate detection was being done between the unmapped type

Daniel J Walsh dwalsh at fedoraproject.org
Mon Oct 31 20:35:26 UTC 2011


commit 5f22c47a3a929fb42c8672ee3e8d240cbc9cdcbc
Author: Dan Walsh <dwalsh at redhat.com>
Date:   Mon Oct 31 16:35:22 2011 -0400

    The filename_trans code had a bug where duplicate detection was being
    done between the unmapped type value of a new rule and the type value of
    rules already in policy.  This meant that duplicates were not being
    silently dropped and were instead outputting a message that there was a
    problem.  It made things hard because the message WAS using the mapped
    type to convert to the string representation, so it didn't look like a
    dup!

 .gitignore          |    2 +
 libsepol-rhat.patch |   73 ++++++++++++++++++++++++++++++---------------------
 libsepol.spec       |   41 ++++++++++++++++++++++++++--
 sources             |    2 +-
 4 files changed, 84 insertions(+), 34 deletions(-)
---
diff --git a/.gitignore b/.gitignore
index b98f4c6..bb3b6f0 100644
--- a/.gitignore
+++ b/.gitignore
@@ -154,3 +154,5 @@ libsepol-2.0.41.tgz
 /libsepol-2.0.45.tgz
 /libsepol-2.1.0.tgz
 /libsepol-2.1.1.tgz
+/libsepol-2.1.2.tgz
+/libsepol-2.1.3.tgz
diff --git a/libsepol-rhat.patch b/libsepol-rhat.patch
index 0881e1f..49a3346 100644
--- a/libsepol-rhat.patch
+++ b/libsepol-rhat.patch
@@ -1,36 +1,49 @@
 diff --git a/libsepol/src/expand.c b/libsepol/src/expand.c
-index b42acbe..cc700ab 100644
+index 2861776..493e478 100644
 --- a/libsepol/src/expand.c
 +++ b/libsepol/src/expand.c
-@@ -1249,23 +1249,26 @@ static int copy_role_trans(expand_state_t * state, role_trans_rule_t * rules)
+@@ -1329,6 +1329,8 @@ static int expand_filename_trans(expand_state_t *state, filename_trans_rule_t *r
  
- 					cur_trans = state->out->role_tr;
- 					while (cur_trans) {
-+						unsigned int mapped_role;
+ 	cur_rule = rules;
+ 	while (cur_rule) {
++		uint32_t mapped_otype;
 +
-+						mapped_role = state->rolemap[cur->new_role - 1];
+ 		ebitmap_init(&stypes);
+ 		ebitmap_init(&ttypes);
+ 
+@@ -1344,6 +1346,8 @@ static int expand_filename_trans(expand_state_t *state, filename_trans_rule_t *r
+ 			return -1;
+ 		}
+ 
++		mapped_otype = state->typemap[cur_rule->otype - 1];
 +
- 						if ((cur_trans->role ==
- 								i + 1) &&
- 						    (cur_trans->type ==
- 								j + 1) &&
- 						    (cur_trans->tclass ==
- 								k + 1)) {
--							if (cur_trans->
--							    new_role ==
--								cur->new_role) {
-+							if (cur_trans->new_role == mapped_role) {
- 								break;
- 							} else {
- 								ERR(state->handle,
--									"Conflicting role trans rule %s %s : %s %s",
-+									"Conflicting role trans rule %s %s : %s { %s vs %s }",
- 									state->out->p_role_val_to_name[i],
- 									state->out->p_type_val_to_name[j],
- 									state->out->p_class_val_to_name[k],
--									state->out->p_role_val_to_name[cur->new_role - 1]);
-+									state->out->p_role_val_to_name[mapped_role],
-+									state->out->p_role_val_to_name[cur_trans->new_role - 1]);
- 								return -1;
- 							}
- 						}
+ 		ebitmap_for_each_bit(&stypes, snode, i) {
+ 			if (!ebitmap_node_get_bit(snode, i))
+ 				continue;
+@@ -1358,7 +1362,7 @@ static int expand_filename_trans(expand_state_t *state, filename_trans_rule_t *r
+ 					    (cur_trans->tclass == cur_rule->tclass) &&
+ 					    (!strcmp(cur_trans->name, cur_rule->name))) {
+ 						/* duplicate rule, who cares */
+-						if (cur_trans->otype == cur_rule->otype)
++						if (cur_trans->otype == mapped_otype)
+ 							break;
+ 
+ 						ERR(state->handle, "Conflicting filename trans rules %s %s %s : %s otype1:%s otype2:%s",
+@@ -1367,7 +1371,7 @@ static int expand_filename_trans(expand_state_t *state, filename_trans_rule_t *r
+ 						    state->out->p_type_val_to_name[j],
+ 						    state->out->p_class_val_to_name[cur_trans->tclass - 1],
+ 						    state->out->p_type_val_to_name[cur_trans->otype - 1],
+-						    state->out->p_type_val_to_name[state->typemap[cur_rule->otype - 1] - 1]);
++						    state->out->p_type_val_to_name[mapped_otype - 1]);
+ 						    
+ 						return -1;
+ 					}
+@@ -1397,7 +1401,7 @@ static int expand_filename_trans(expand_state_t *state, filename_trans_rule_t *r
+ 				new_trans->stype = i + 1;
+ 				new_trans->ttype = j + 1;
+ 				new_trans->tclass = cur_rule->tclass;
+-				new_trans->otype = state->typemap[cur_rule->otype - 1];
++				new_trans->otype = mapped_otype;
+ 			}
+ 		}
+ 
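Review bot: The new comparison `if (cur_trans->otype == mapped_otype)` is correct only because rules already in `state->out` store type values in the expanded policy's namespace while `cur_rule->otype` is still a module-local value, and nothing in the patch says so; a one-line comment above the duplicate check, `/* cur_trans lives in state->out, so compare against the mapped otype, not cur_rule->otype */`, would stop the next reader from "simplifying" it back to the pre-patch form. The same mapped-vs-unmapped distinction is what makes the ERR() message and the `new_trans->otype` assignment agree, so the comment is worth placing at the first use. One thing the hunk does not show is whether `state->typemap[]` can yield 0 for a type that was never mapped; if it can, `p_type_val_to_name[mapped_otype - 1]` in the error path indexes before the array, so a `if (!mapped_otype)` guard after the lookup would be cheap insurance (this index pattern predates the patch, so it is not a regression). The enclosing `expand_filename_trans` begins and ends outside the hunk.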
diff --git a/libsepol.spec b/libsepol.spec
index 4e8ba51..17065f3 100644
--- a/libsepol.spec
+++ b/libsepol.spec
@@ -1,12 +1,12 @@
 Summary: SELinux binary policy manipulation library 
 Name: libsepol
-Version: 2.1.1
-Release: 1%{?dist}
+Version: 2.1.3
+Release: 2%{?dist}
 License: LGPLv2+
 Group: System Environment/Libraries
 Source: http://www.nsa.gov/selinux/archives/libsepol-%{version}.tgz
+Patch: libsepol-rhat.patch
 URL: http://www.selinuxproject.org
-patch: libsepol-rhat.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 
 %description
@@ -46,6 +46,7 @@ needed for developing applications that manipulate binary policies.
 %prep
 %setup -q
 %patch -p2 -b .rhat
+
 # sparc64 is an -fPIC arch, so we need to fix it here
 %ifarch sparc64
 sed -i 's/fpic/fPIC/g' src/Makefile
@@ -98,6 +99,40 @@ exit 0
 /%{_lib}/libsepol.so.1
 
 %changelog
+* Mon Oct 31 2011 Dan Walsh <dwalsh at redhat.com> - 2.1.3-2
+-The filename_trans code had a bug where duplicate detection was being
+done between the unmapped type value of a new rule and the type value of
+rules already in policy.  This meant that duplicates were not being
+silently dropped and were instead outputting a message that there was a
+problem.  It made things hard because the message WAS using the mapped
+type to convert to the string representation, so it didn't look like a
+dup!
+
+* Mon Sep 19 2011 Dan Walsh <dwalsh at redhat.com> - 2.1.3-1
+-Update to upstream
+	* Skip writing role attributes for policy.X and
+	* Indicate when boolean is indeed a tunable.
+	* Separate tunable from boolean during compile.
+	* Write and read TUNABLE flags in related
+	* Copy and check the cond_bool_datum_t.flags during link.
+	* Permanently discard disabled branches of tunables in
+	* Skip tunable identifier and cond_node_t in expansion.
+	* Create a new preserve_tunables flag
+	* Preserve tunables when required by semodule program.
+	* setools expects expand_module_avrules to be an exported
+	* tree: default make target to all not
+
+* Thu Sep 14 2011 Dan Walsh <dwalsh at redhat.com> - 2.1.2-3
+- Add patch to handle preserving tunables
+
+* Thu Sep 1 2011 Dan Walsh <dwalsh at redhat.com> - 2.1.2-2
+- export expand_module_avrules 
+
+* Thu Aug 18 2011 Dan Walsh <dwalsh at redhat.com> - 2.1.2-0
+- Update to upstream 
+	* Only call role_fix_callback for base.p_roles during expansion.
+	* use mapped role number instead of module role number
+
 * Mon Aug 1 2011 Dan Walsh <dwalsh at redhat.com> 2.1.1-1
 - Update to upstream 
 	* Minor fix to reading policy with filename transition rules
diff --git a/sources b/sources
index c78d44b..46040cc 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-1c102206aa2a0f7cec1f3af727718f9d  libsepol-2.1.1.tgz
+8278689ecf9d5219887b72fc24ff66ff  libsepol-2.1.3.tgz

