[libsepol] Update to upstream
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Sep 13 16:32:22 UTC 2012
commit 7a85deddcfb0512bc01c1dd0fd1d3d0f86a2b631
Author: rhatdan <dwalsh at redhat.com>
Date: Thu Sep 13 12:32:09 2012 -0400
Update to upstream
* fix neverallow checking on attributes
* Move context_copy() after switch block in ocontext_copy_*().
* check for missing initial SID labeling statement.
* Add always_check_network policy capability
* role_fix_callback skips out-of-scope roles during expansion.
.gitignore | 1 +
libsepol-rhat.patch | 117 +++++++++++++++++++++++++++++++++++++++++++++++---
libsepol.spec | 12 ++++-
sources | 1 +
4 files changed, 122 insertions(+), 9 deletions(-)
---
diff --git a/.gitignore b/.gitignore
index d7285e5..e38af3e 100644
--- a/.gitignore
+++ b/.gitignore
@@ -159,3 +159,4 @@ libsepol-2.0.41.tgz
/libsepol-2.1.4.tgz
/libsepol-2.1.5.tgz
/libsepol-2.1.7.tgz
+/libsepol-2.1.8.tgz
diff --git a/libsepol-rhat.patch b/libsepol-rhat.patch
index a4065aa..ae0995b 100644
--- a/libsepol-rhat.patch
+++ b/libsepol-rhat.patch
@@ -1,5 +1,18 @@
+diff --git a/libsepol/include/sepol/policydb/polcaps.h b/libsepol/include/sepol/policydb/polcaps.h
+index f90a48d..9152446 100644
+--- a/libsepol/include/sepol/policydb/polcaps.h
++++ b/libsepol/include/sepol/policydb/polcaps.h
+@@ -5,7 +5,7 @@
+ enum {
+ POLICYDB_CAPABILITY_NETPEER,
+ POLICYDB_CAPABILITY_OPENPERM,
+- POLICYDB_CAPABILITY_REDHAT1, /* reserved for RH testing of ptrace_child */
++ POLICYDB_CAPABILITY_PTRACE_CHILD,
+ POLICYDB_CAPABILITY_ALWAYSNETWORK,
+ __POLICYDB_CAPABILITY_MAX
+ };
diff --git a/libsepol/src/expand.c b/libsepol/src/expand.c
-index bef759c..2854f33 100644
+index 2003eb6..79587af 100644
--- a/libsepol/src/expand.c
+++ b/libsepol/src/expand.c
@@ -49,6 +49,82 @@ typedef struct expand_state {
@@ -85,7 +98,7 @@ index bef759c..2854f33 100644
static void expand_state_init(expand_state_t * state)
{
memset(state, 0, sizeof(expand_state_t));
-@@ -1352,10 +1428,20 @@ static int copy_role_trans(expand_state_t * state, role_trans_rule_t * rules)
+@@ -1357,10 +1433,20 @@ static int copy_role_trans(expand_state_t * state, role_trans_rule_t * rules)
static int expand_filename_trans(expand_state_t *state, filename_trans_rule_t *rules)
{
unsigned int i, j;
@@ -107,7 +120,22 @@ index bef759c..2854f33 100644
cur_rule = rules;
while (cur_rule) {
-@@ -1378,6 +1464,14 @@ static int expand_filename_trans(expand_state_t *state, filename_trans_rule_t *r
+@@ -1370,19 +1456,27 @@ static int expand_filename_trans(expand_state_t *state, filename_trans_rule_t *r
+ ebitmap_init(&ttypes);
+
+ if (expand_convert_type_set(state->out, state->typemap,
+- &cur_rule->stypes, &stypes, 1)) {
++ &cur_rule->stypes, &stypes, 0)) {
+ ERR(state->handle, "Out of memory!");
+ return -1;
+ }
+
+ if (expand_convert_type_set(state->out, state->typemap,
+- &cur_rule->ttypes, &ttypes, 1)) {
++ &cur_rule->ttypes, &ttypes, 0)) {
+ ERR(state->handle, "Out of memory!");
+ return -1;
+ }
mapped_otype = state->typemap[cur_rule->otype - 1];
@@ -122,7 +150,7 @@ index bef759c..2854f33 100644
ebitmap_for_each_bit(&stypes, snode, i) {
if (!ebitmap_node_get_bit(snode, i))
continue;
-@@ -1385,16 +1479,14 @@ static int expand_filename_trans(expand_state_t *state, filename_trans_rule_t *r
+@@ -1390,16 +1484,14 @@ static int expand_filename_trans(expand_state_t *state, filename_trans_rule_t *r
if (!ebitmap_node_get_bit(tnode, j))
continue;
@@ -142,7 +170,7 @@ index bef759c..2854f33 100644
ERR(state->handle, "Conflicting filename trans rules %s %s %s : %s otype1:%s otype2:%s",
cur_trans->name,
state->out->p_type_val_to_name[i],
-@@ -1402,7 +1494,7 @@ static int expand_filename_trans(expand_state_t *state, filename_trans_rule_t *r
+@@ -1407,7 +1499,7 @@ static int expand_filename_trans(expand_state_t *state, filename_trans_rule_t *r
state->out->p_class_val_to_name[cur_trans->tclass - 1],
state->out->p_type_val_to_name[cur_trans->otype - 1],
state->out->p_type_val_to_name[mapped_otype - 1]);
@@ -151,7 +179,7 @@ index bef759c..2854f33 100644
return -1;
}
cur_trans = cur_trans->next;
-@@ -1417,8 +1509,6 @@ static int expand_filename_trans(expand_state_t *state, filename_trans_rule_t *r
+@@ -1422,8 +1514,6 @@ static int expand_filename_trans(expand_state_t *state, filename_trans_rule_t *r
return -1;
}
memset(new_trans, 0, sizeof(*new_trans));
@@ -160,7 +188,7 @@ index bef759c..2854f33 100644
new_trans->name = strdup(cur_rule->name);
if (!new_trans->name) {
-@@ -1429,9 +1519,16 @@ static int expand_filename_trans(expand_state_t *state, filename_trans_rule_t *r
+@@ -1434,9 +1524,16 @@ static int expand_filename_trans(expand_state_t *state, filename_trans_rule_t *r
new_trans->ttype = j + 1;
new_trans->tclass = cur_rule->tclass;
new_trans->otype = mapped_otype;
@@ -177,3 +205,78 @@ index bef759c..2854f33 100644
ebitmap_destroy(&stypes);
ebitmap_destroy(&ttypes);
+@@ -2037,14 +2134,13 @@ static int ocontext_copy_xen(expand_state_t *state)
+ else
+ state->out->ocontexts[i] = n;
+ l = n;
++ if (context_copy(&n->context[0], &c->context[0],
++ state)) {
++ ERR(state->handle, "Out of memory!");
++ return -1;
++ }
+ switch (i) {
+ case OCON_XEN_ISID:
+- if (c->context[0].user == 0) {
+- ERR(state->handle,
+- "Missing context for %s initial sid",
+- c->u.name);
+- return -1;
+- }
+ n->sid[0] = c->sid[0];
+ break;
+ case OCON_XEN_PIRQ:
+@@ -2067,11 +2163,6 @@ static int ocontext_copy_xen(expand_state_t *state)
+ ERR(state->handle, "Unknown ocontext");
+ return -1;
+ }
+- if (context_copy(&n->context[0], &c->context[0],
+- state)) {
+- ERR(state->handle, "Out of memory!");
+- return -1;
+- }
+ }
+ }
+ return 0;
+@@ -2096,14 +2187,12 @@ static int ocontext_copy_selinux(expand_state_t *state)
+ else
+ state->out->ocontexts[i] = n;
+ l = n;
++ if (context_copy(&n->context[0], &c->context[0], state)) {
++ ERR(state->handle, "Out of memory!");
++ return -1;
++ }
+ switch (i) {
+ case OCON_ISID:
+- if (c->context[0].user == 0) {
+- ERR(state->handle,
+- "Missing context for %s initial sid",
+- c->u.name);
+- return -1;
+- }
+ n->sid[0] = c->sid[0];
+ break;
+ case OCON_FS: /* FALLTHROUGH */
+@@ -2147,10 +2236,6 @@ static int ocontext_copy_selinux(expand_state_t *state)
+ ERR(state->handle, "Unknown ocontext");
+ return -1;
+ }
+- if (context_copy(&n->context[0], &c->context[0], state)) {
+- ERR(state->handle, "Out of memory!");
+- return -1;
+- }
+ }
+ }
+ return 0;
+diff --git a/libsepol/src/polcaps.c b/libsepol/src/polcaps.c
+index 43a71a7..7615a9b 100644
+--- a/libsepol/src/polcaps.c
++++ b/libsepol/src/polcaps.c
+@@ -8,7 +8,7 @@
+ static const char *polcap_names[] = {
+ "network_peer_controls", /* POLICYDB_CAPABILITY_NETPEER */
+ "open_perms", /* POLICYDB_CAPABILITY_OPENPERM */
+- "redhat1", /* POLICYDB_CAPABILITY_REDHAT1, aka ptrace_child */
++ "ptrace_child", /* POLICYDB_CAPABILITY_PTRACE_CHILD */
+ "always_check_network", /* POLICYDB_CAPABILITY_ALWAYSNETWORK */
+ NULL
+ };
diff --git a/libsepol.spec b/libsepol.spec
index ed3ccb9..22dda65 100644
--- a/libsepol.spec
+++ b/libsepol.spec
@@ -1,7 +1,7 @@
Summary: SELinux binary policy manipulation library
Name: libsepol
-Version: 2.1.7
-Release: 4%{?dist}
+Version: 2.1.8
+Release: 1%{?dist}
License: LGPLv2+
Group: System Environment/Libraries
Source: http://www.nsa.gov/selinux/archives/libsepol-%{version}.tgz
@@ -99,6 +99,14 @@ exit 0
/%{_lib}/libsepol.so.1
%changelog
+* Thu Sep 13 2012 Dan Walsh <dwalsh at redhat.com> - 2.1.8-1
+- Update to upstream
+ * fix neverallow checking on attributes
+ * Move context_copy() after switch block in ocontext_copy_*().
+ * check for missing initial SID labeling statement.
+ * Add always_check_network policy capability
+ * role_fix_callback skips out-of-scope roles during expansion.
+
* Mon Jul 30 2012 Dan Walsh <dwalsh at redhat.com> - 2.1.7-4
- Try new patches
diff --git a/sources b/sources
index 5af123a..acb2def 100644
--- a/sources
+++ b/sources
@@ -1 +1,2 @@
332c564144780537c25f4498578e531f libsepol-2.1.7.tgz
+ce02057c3d0922dd7775f9948f7932af libsepol-2.1.8.tgz
More information about the scm-commits
mailing list