Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package checkpolicy for openSUSE:Factory checked in at 2025-07-20 15:27:50 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/checkpolicy (Old) and /work/SRC/openSUSE:Factory/.checkpolicy.new.8875 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "checkpolicy" Sun Jul 20 15:27:50 2025 rev:40 rq:1294366 version:3.9 Changes: -------- --- /work/SRC/openSUSE:Factory/checkpolicy/checkpolicy.changes 2025-03-11 20:44:52.181071226 +0100 +++ /work/SRC/openSUSE:Factory/.checkpolicy.new.8875/checkpolicy.changes 2025-07-20 15:27:51.745066150 +0200 @@ -1,0 +2,8 @@ +Thu Jul 17 15:40:49 UTC 2025 - Johannes Segitz <jseg...@suse.com> + +- Update to version 3.9 + * Add support for wildcard netifcon names + * Abort on mismatched declarations + * Introduce neveraudit types + +------------------------------------------------------------------- Old: ---- checkpolicy-3.8.1.tar.gz checkpolicy-3.8.1.tar.gz.asc New: ---- checkpolicy-3.9.tar.gz checkpolicy-3.9.tar.gz.asc ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ checkpolicy.spec ++++++ --- /var/tmp/diff_new_pack.2E5dN0/_old 2025-07-20 15:27:52.605101739 +0200 +++ /var/tmp/diff_new_pack.2E5dN0/_new 2025-07-20 15:27:52.613102070 +0200 @@ -16,9 +16,9 @@ # -%define libsepol_ver 3.8.1 +%define libsepol_ver 3.9 Name: checkpolicy -Version: 3.8.1 +Version: 3.9 Release: 0 Summary: SELinux policy compiler License: GPL-2.0-or-later ++++++ checkpolicy-3.8.1.tar.gz -> checkpolicy-3.9.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/checkpolicy-3.8.1/VERSION new/checkpolicy-3.9/VERSION --- old/checkpolicy-3.8.1/VERSION 2025-03-05 19:59:06.000000000 +0100 +++ new/checkpolicy-3.9/VERSION 2025-07-16 12:55:13.000000000 +0200 @@ -1 +1 @@ -3.8.1 +3.9 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/checkpolicy-3.8.1/checkmodule.8 new/checkpolicy-3.9/checkmodule.8 --- old/checkpolicy-3.8.1/checkmodule.8 2025-03-05 19:59:06.000000000 +0100 +++ new/checkpolicy-3.9/checkmodule.8 2025-07-16 12:55:13.000000000 +0200 
@@ -3,7 +3,7 @@
 checkmodule \- SELinux policy module compiler
 .SH SYNOPSIS
 .B checkmodule
-.I "[\-h] [\-b] [\-c policy_version] [\-C] [\-E] [\-m] [\-M] [\-N] [\-U handle_unknown] [\-V] [\-o output_file] [input_file]"
+.I "[\-h] [\-b] [\-c policy_version] [\-C] [\-E] [\-m] [\-M] [\-N] [\-L] [\-U handle_unknown] [\-V] [\-o output_file] [input_file]"
 .SH "DESCRIPTION"
 This manual page describes the
 .BR checkmodule
@@ -46,6 +46,11 @@
 .B \-N,\-\-disable-neverallow
 Do not check neverallow rules.
 .TP
+.B \-L,\-\-line-marker-for-allow
+Output line markers for allow rules, in addition to neverallow rules. This option increases the size
+of the output CIL policy file, but the additional line markers helps debugging, especially
+neverallow failure reports. Can only be used when writing a CIL policy file.
+.TP
 .B \-V,\-\-version
 Show policy versions created by this program.
 .TP
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/checkpolicy-3.8.1/checkmodule.c new/checkpolicy-3.9/checkmodule.c
--- old/checkpolicy-3.8.1/checkmodule.c 2025-03-05 19:59:06.000000000 +0100
+++ new/checkpolicy-3.9/checkmodule.c 2025-07-16 12:55:13.000000000 +0200
@@ -119,7 +119,7 @@
 static __attribute__((__noreturn__)) void usage(const char *progname)
 {
- printf("usage: %s [-h] [-V] [-b] [-C] [-E] [-U handle_unknown] [-m] [-M] [-N] [-o FILE] [-c VERSION] [INPUT]\n", progname);
+ printf("usage: %s [-h] [-V] [-b] [-C] [-E] [-U handle_unknown] [-m] [-M] [-N] [-L] [-o FILE] [-c VERSION] [INPUT]\n", progname);
 printf("Build base and policy modules.\n");
 printf("Options:\n");
 printf(" INPUT build module from INPUT (else read from \"%s\")\n",
@@ -136,6 +136,7 @@ printf(" -m build a policy module instead of a base module\n"); printf(" -M enable MLS policy\n"); printf(" -N do not check neverallow rules\n"); + printf(" -L output line markers for allow rules\n"); printf(" -o FILE write module to FILE (else just check syntax)\n"); printf(" -c VERSION build a policy module targeting a modular policy version (%d-%d)\n", MOD_POLICYDB_VERSION_MIN, MOD_POLICYDB_VERSION_MAX); @@ -146,6 +147,7 @@ { const char *file = txtfile, *outfile = NULL; unsigned int binary = 0, cil = 0, disable_neverallow = 0; + unsigned int line_marker_for_allow = 0; unsigned int policy_type = POLICY_BASE; unsigned int policyvers = MOD_POLICYDB_VERSION_MAX; int ch; @@ -159,12 +161,13 @@ {"handle-unknown", required_argument, NULL, 'U'}, {"mls", no_argument, NULL, 'M'}, {"disable-neverallow", no_argument, NULL, 'N'}, + {"line-marker-for-allow", no_argument, NULL, 'L'}, {"cil", no_argument, NULL, 'C'}, {"werror", no_argument, NULL, 'E'}, {NULL, 0, NULL, 0} }; - while ((ch = getopt_long(argc, argv, "ho:bVEU:mMNCc:", long_options, NULL)) != -1) { + while ((ch = getopt_long(argc, argv, "ho:bVEU:mMNCc:L", long_options, NULL)) != -1) { switch (ch) { case 'h': usage(argv[0]); @@ -231,6 +234,9 @@ policyvers = n; break; } + case 'L': + line_marker_for_allow = 1; + break; default: usage(argv[0]); } @@ -252,6 +258,11 @@ exit(1); } + if (line_marker_for_allow && !cil) { + fprintf(stderr, "%s: -L must be used along with -C.\n", argv[0]); + exit(1); + } + if (optind != argc) { file = argv[optind++]; if (optind != argc) 
@@ -347,6 +358,9 @@
 exit(1);
 }
 } else {
+ if (line_marker_for_allow) {
+ modpolicydb.line_marker_avrules |= AVRULE_ALLOWED | AVRULE_XPERMS_ALLOWED;
+ }
 if (sepol_module_policydb_to_cil(outfp, &modpolicydb, 0) != 0) {
 fprintf(stderr, "%s: error writing %s\n", argv[0], outfile);
 exit(1);
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/checkpolicy-3.8.1/checkpolicy.8 new/checkpolicy-3.9/checkpolicy.8
--- old/checkpolicy-3.8.1/checkpolicy.8 2025-03-05 19:59:06.000000000 +0100
+++ new/checkpolicy-3.9/checkpolicy.8 2025-07-16 12:55:13.000000000 +0200
@@ -3,7 +3,7 @@
 checkpolicy \- SELinux policy compiler
 .SH SYNOPSIS
 .B checkpolicy
-.I "[\-b[F]] [\-C] [\-d] [\-U handle_unknown (allow,deny,reject)] [\-M] [\-N] [\-c policyvers] [\-o output_file|\-] [\-S] [\-t target_platform (selinux,xen)] [\-O] [\-E] [\-V] [input_file]"
+.I "[\-b[F]] [\-C] [\-d] [\-U handle_unknown (allow,deny,reject)] [\-M] [\-N] [\-L] [\-c policyvers] [\-o output_file|\-] [\-S] [\-t target_platform (selinux,xen)] [\-O] [\-E] [\-V] [input_file]"
 .br
 .SH "DESCRIPTION"
 This manual page describes the
@@ -41,6 +41,11 @@
 .B \-N,\-\-disable-neverallow
 Do not check neverallow rules.
 .TP
+.B \-L,\-\-line-marker-for-allow
+Output line markers for allow rules, in addition to neverallow rules. This option increases the size
+of the output CIL policy file, but the additional line markers helps debugging, especially
+neverallow failure reports. Can only be used when writing a CIL policy file.
+.TP
 .B \-c policyvers
 Specify the policy version, defaults to the latest.
 .TP
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/checkpolicy-3.8.1/checkpolicy.c new/checkpolicy-3.9/checkpolicy.c
--- old/checkpolicy-3.8.1/checkpolicy.c 2025-03-05 19:59:06.000000000 +0100
+++ new/checkpolicy-3.9/checkpolicy.c 2025-07-16 12:55:13.000000000 +0200
@@ -107,7 +107,7 @@ printf ("usage: %s [-b[F]] [-C] [-d] [-U handle_unknown (allow,deny,reject)] [-M] " "[-N] [-c policyvers (%d-%d)] [-o output_file|-] [-S] [-O] " - "[-t target_platform (selinux,xen)] [-E] [-V] [input_file]\n", + "[-t target_platform (selinux,xen)] [-E] [-V] [-L] [input_file]\n", progname, POLICYDB_VERSION_MIN, POLICYDB_VERSION_MAX); exit(1); } @@ -390,6 +390,7 @@ unsigned int i; unsigned int protocol, port; unsigned int binary = 0, debug = 0, sort = 0, cil = 0, conf = 0, optimize = 0, disable_neverallow = 0; + unsigned int line_marker_for_allow = 0; struct val_to_name v; int ret, ch, fd, target = SEPOL_TARGET_SELINUX; unsigned int policyvers = 0; @@ -418,11 +419,12 @@ {"sort", no_argument, NULL, 'S'}, {"optimize", no_argument, NULL, 'O'}, {"werror", no_argument, NULL, 'E'}, + {"line-marker-for-allow", no_argument, NULL, 'L'}, {"help", no_argument, NULL, 'h'}, {NULL, 0, NULL, 0} }; - while ((ch = getopt_long(argc, argv, "o:t:dbU:MNCFSVc:OEh", long_options, NULL)) != -1) { + while ((ch = getopt_long(argc, argv, "o:t:dbU:MNCFSVc:OELh", long_options, NULL)) != -1) { switch (ch) { case 'o': outfile = optarg; @@ -506,6 +508,9 @@ case 'E': werror = 1; break; + case 'L': + line_marker_for_allow = 1; + break; case 'h': default: usage(argv[0]); @@ -535,6 +540,11 @@ exit(1); } + if (line_marker_for_allow && !cil) { + fprintf(stderr, "Must convert to CIL for line markers to be printed\n"); + exit(1); + } + if (binary) { fd = open(file, O_RDONLY); if (fd < 0) { 
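Review bot: The -L/-C consistency check added in the @@ -535 hunk reports `Must convert to CIL for line markers to be printed` without the program name, while the equivalent check added to checkmodule.c (@@ -252) prints `%s: -L must be used along with -C.` with argv[0]; the two tools should word the diagnostic the same way, e.g. `fprintf(stderr, "%s: -L must be used along with -C.\n", argv[0]);`. The usage string in the @@ -107 hunk also lists `[-L]` after `[-V]`, whereas the checkpolicy.8 synopsis in this commit places it after `[-N]`; aligning the two makes the help text easier to compare with the man page. The enclosing main() begins and ends outside these hunks.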
@@ -690,6 +700,9 @@ exit(1); } } else { + if (line_marker_for_allow) { + policydbp->line_marker_avrules |= AVRULE_ALLOWED | AVRULE_XPERMS_ALLOWED; + } if (binary) { ret = sepol_kernel_policydb_to_cil(outfp, policydbp); } else { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/checkpolicy-3.8.1/module_compiler.c new/checkpolicy-3.9/module_compiler.c --- old/checkpolicy-3.8.1/module_compiler.c 2025-03-05 19:59:06.000000000 +0100 +++ new/checkpolicy-3.9/module_compiler.c 2025-07-16 12:55:13.000000000 +0200 @@ -291,6 +291,7 @@ if (*role && (isattr != (*role)->flavor)) { yyerror2("Identifier %s used as both an attribute and a role", id); + *role = NULL; free(id); role_datum_destroy(datum); free(datum); @@ -428,6 +429,7 @@ if (*type && (isattr != (*type)->flavor)) { yyerror2("Identifier %s used as both an attribute and a type", id); + *type = NULL; free(id); return -1; } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/checkpolicy-3.8.1/policy_define.c new/checkpolicy-3.9/policy_define.c --- old/checkpolicy-3.8.1/policy_define.c 2025-03-05 19:59:06.000000000 +0100 +++ new/checkpolicy-3.9/policy_define.c 2025-07-16 12:55:13.000000000 +0200 
@@ -257,6 +257,49 @@ return rc; } +int define_neveraudit(void) +{ + char *type = NULL; + struct type_datum *t; + int rc = 0; + + type = queue_remove(id_queue); + + if (!type) { + yyerror2("forgot to include type in neveraudit definition?"); + rc = -1; + goto out; + } + + if (pass == 1) + goto out; + + if (!is_id_in_scope(SYM_TYPES, type)) { + yyerror2("type %s is not within scope", type); + rc = -1; + goto out; + } + + t = hashtab_search(policydbp->p_types.table, type); + if (!t) { + yyerror2("type is not defined: %s", type); + rc = -1; + goto out; + } + + if (t->flavor == TYPE_ATTRIB) { + yyerror2("attributes may not be neveraudit: %s", type); + rc = -1; + goto out; + } + + t->flags |= TYPE_FLAGS_NEVERAUDIT; + +out: + free(type); + return rc; +} + int define_polcap(void) { char *id = 0; @@ -1610,7 +1653,8 @@ /* Adds a type, given by its textual name, to a typeset. If *add is 0, then add the type to the negative set; otherwise if *add is 1 - then add it to the positive side. */ + then add it to the positive side. + The identifier `id` is always consumed. */ static int set_types(type_set_t * set, char *id, int *add, char starallowed) { type_datum_t *t; @@ -1699,6 +1743,8 @@ return -1; } + ebitmap_init(&tclasses); + while ((id = queue_remove(id_queue))) { if (set_types(&avrule->stypes, id, &add, 0)) goto bad; @@ -1718,7 +1764,6 @@ goto bad; } - ebitmap_init(&tclasses); if (read_classes(&tclasses)) goto bad; @@ -1759,6 +1804,7 @@ return 0; bad: + ebitmap_destroy(&tclasses); avrule_destroy(avrule); free(avrule); return -1; 
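Review bot: define_neveraudit() in the @@ -257 hunk differs from what define_permissive() (declared next to it in policy_define.h, body not in this diff) presumably looks like only in the flag it sets and the nouns in its two messages — queue_remove, pass-1 exit, scope check, lookup, attribute rejection, flag; a shared static helper would keep the two statements from drifting the next time a check is added to one of them. The function is complete within the hunk. A sketch of the factoring, assuming define_permissive() really has the same shape:
```c
/* Mark the type named by the next id_queue entry with FLAG; WHAT is the
 * statement name used in diagnostics ("permissive", "neveraudit"). */
static int define_type_flag(const char *what, uint32_t flag)
{
	char *type = queue_remove(id_queue);
	struct type_datum *t;
	int rc = 0;

	if (!type) {
		yyerror2("forgot to include type in %s definition?", what);
		rc = -1;
		goto out;
	}
	/* … unchanged: pass == 1 exit, is_id_in_scope(), hashtab_search() … */
	if (t->flavor == TYPE_ATTRIB) {
		yyerror2("attributes may not be %s: %s", what, type);
		rc = -1;
		goto out;
	}
	t->flags |= flag;
out:
	free(type);
	return rc;
}

int define_neveraudit(void)
{
	return define_type_flag("neveraudit", TYPE_FLAGS_NEVERAUDIT);
}
```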
@@ -2117,18 +2163,17 @@ { char *id; class_perm_node_t *perms, *tail = NULL, *cur_perms = NULL; - class_datum_t *cladatum; - perm_datum_t *perdatum = NULL; + const class_datum_t *cladatum; + const perm_datum_t *perdatum; ebitmap_t tclasses; ebitmap_node_t *node; avrule_t *avrule; unsigned int i; - int add = 1, ret = 0; + int add = 1, ret; avrule = (avrule_t *) malloc(sizeof(avrule_t)); if (!avrule) { yyerror("out of memory"); - ret = -1; goto out; } avrule_init(avrule); @@ -2139,14 +2184,13 @@ avrule->xperms = NULL; if (!avrule->source_filename) { yyerror("out of memory"); - return -1; + goto out; } while ((id = queue_remove(id_queue))) { if (set_types (&avrule->stypes, id, &add, which == AVRULE_XPERMS_NEVERALLOW ? 1 : 0)) { - ret = -1; goto out; } } @@ -2156,13 +2200,11 @@ free(id); if (add == 0 && which != AVRULE_XPERMS_NEVERALLOW) { yyerror("-self is only supported in neverallow and neverallowxperm rules"); - ret = -1; goto out; } avrule->flags |= (add ? RULE_SELF : RULE_NOTSELF); if ((avrule->flags & RULE_SELF) && (avrule->flags & RULE_NOTSELF)) { yyerror("self and -self are mutual exclusive"); - ret = -1; goto out; } continue; @@ -2170,7 +2212,6 @@ if (set_types (&avrule->ttypes, id, &add, which == AVRULE_XPERMS_NEVERALLOW ? 1 : 0)) { - ret = -1; goto out; } } @@ -2178,7 +2219,6 @@ if ((avrule->ttypes.flags & TYPE_COMP)) { if (avrule->flags & RULE_NOTSELF) { yyerror("-self is not supported in complements"); - ret = -1; goto out; } if (avrule->flags & RULE_SELF) { @@ -2190,7 +2230,7 @@ ebitmap_init(&tclasses); ret = read_classes(&tclasses); if (ret) - goto out; + goto out2; perms = NULL; id = queue_head(id_queue); @@ -2199,8 +2239,7 @@ (class_perm_node_t *) malloc(sizeof(class_perm_node_t)); if (!cur_perms) { yyerror("out of memory"); - ret = -1; - goto out; + goto out2; } class_perm_node_init(cur_perms); cur_perms->tclass = i + 1; 
@@ -2238,9 +2277,14 @@ avrule->perms = perms; *rule = avrule; + return 0; +out2: + ebitmap_destroy(&tclasses); out: - return ret; + avrule_destroy(avrule); + free(avrule); + return -1; } /* index of the u32 containing the permission */ @@ -3182,10 +3226,10 @@ int define_role_trans(int class_specified) { char *id; - role_datum_t *role; + const role_datum_t *role; role_set_t roles; type_set_t types; - class_datum_t *cladatum; + const class_datum_t *cladatum; ebitmap_t e_types, e_roles, e_classes; ebitmap_node_t *tnode, *rnode, *cnode; struct role_trans *tr = NULL; @@ -3214,29 +3258,29 @@ while ((id = queue_remove(id_queue))) { if (set_roles(&roles, id)) - return -1; + goto bad; } add = 1; while ((id = queue_remove(id_queue))) { if (set_types(&types, id, &add, 0)) - return -1; + goto bad; } if (class_specified) { if (read_classes(&e_classes)) - return -1; + goto bad; } else { cladatum = hashtab_search(policydbp->p_classes.table, "process"); if (!cladatum) { yyerror2("could not find process class for " "legacy role_transition statement"); - return -1; + goto bad; } if (ebitmap_set_bit(&e_classes, cladatum->s.value - 1, TRUE)) { yyerror("out of memory"); - return -1; + goto bad; } } @@ -3292,7 +3336,7 @@ tr = malloc(sizeof(struct role_trans)); if (!tr) { yyerror("out of memory"); - return -1; + goto bad; } memset(tr, 0, sizeof(struct role_trans)); tr->role = i + 1; @@ -3308,7 +3352,7 @@ rule = malloc(sizeof(struct role_trans_rule)); if (!rule) { yyerror("out of memory"); - return -1; + goto bad; } memset(rule, 0, sizeof(struct role_trans_rule)); rule->roles = roles; @@ -3324,6 +3368,11 @@ return 0; bad: + role_set_destroy(&roles); + type_set_destroy(&types); + ebitmap_destroy(&e_roles); + ebitmap_destroy(&e_types); + ebitmap_destroy(&e_classes); return -1; } @@ -4202,6 +4251,7 @@ if (!e1 || e1->next) { yyerror ("illegal right side of conditional binary op expression"); + cond_expr_destroy(arg1); free(expr); return NULL; } 
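Review bot: The new `out2:` path in the @@ -2238 hunk destroys tclasses but not the class_perm_node_t chain built in the loop of the @@ -2199 hunk: when malloc() fails for the second or a later class, `perms` already holds nodes that are not yet attached to avrule (the `avrule->perms = perms;` assignment is only reached on success), so avrule_destroy() cannot release them and the unified error path still leaks them. Note also that `perms` is declared without an initializer in the @@ -2117 hunk and only set to NULL after the read_classes() call that can itself jump to `out2`, so any cleanup there needs `class_perm_node_t *perms = NULL, *tail = NULL, *cur_perms = NULL;` in the declaration. define_te_avtab_xperms() begins in the @@ -2117 hunk and the loop body between the hunks is not shown, so I assume nothing else takes ownership of `perms` earlier.
```c
out2:
	/* perms is not yet owned by avrule; release the partial chain. */
	while (perms) {
		class_perm_node_t *next = perms->next;
		free(perms);
		perms = next;
	}
	ebitmap_destroy(&tclasses);
out:
	/* … unchanged: avrule_destroy(avrule); free(avrule); return -1; … */
```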
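Review bot: The new `bad:` label in the @@ -3324 hunk destroys roles and types unconditionally, but the @@ -3308 hunk shows `rule->roles = roles;` handing the set to the freshly allocated rule; if any `goto bad` is reachable after that assignment (the remainder of the loop lies outside the hunks), the sets would be destroyed both here and when the rule is released. Worth confirming that no failure path follows the ownership transfer, or resetting the locals right after the hand-off, e.g. `role_set_init(&roles); type_set_init(&types);`, so the cleanup stays safe regardless. define_role_trans() starts in the @@ -3182 hunk.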
@@ -5960,6 +6010,7 @@ char *type = NULL; const char *sclass; size_t len, len2; + int wildcard = ebitmap_get_bit(&policydbp->policycaps, POLICYDB_CAP_GENFS_SECLABEL_WILDCARD); if (policydbp->target_platform != SEPOL_TARGET_SELINUX) { yyerror("genfs not supported for target"); @@ -6010,6 +6061,19 @@ newc->u.name = (char *)queue_remove(id_queue); if (!newc->u.name) goto fail; + + if (wildcard) { + size_t name_len = strlen(newc->u.name); + newc->u.name = realloc(newc->u.name, name_len + 2); + if (newc->u.name == NULL) { + yyerror("out of memory"); + return -1; + } + + newc->u.name[name_len] = '*'; + newc->u.name[name_len + 1] = '\0'; + } + if (has_type) { type = (char *)queue_remove(id_queue); if (!type) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/checkpolicy-3.8.1/policy_define.h new/checkpolicy-3.9/policy_define.h --- old/checkpolicy-3.8.1/policy_define.h 2025-03-05 19:59:06.000000000 +0100 +++ new/checkpolicy-3.9/policy_define.h 2025-07-16 12:55:13.000000000 +0200 @@ -45,6 +45,7 @@ int define_level(void); int define_netif_context(void); int define_permissive(void); +int define_neveraudit(void); int define_polcap(void); int define_ibpkey_context(unsigned int low, unsigned int high); int define_ibendport_context(unsigned int port); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/checkpolicy-3.8.1/policy_parse.y new/checkpolicy-3.9/policy_parse.y --- old/checkpolicy-3.8.1/policy_parse.y 2025-03-05 19:59:06.000000000 +0100 +++ new/checkpolicy-3.9/policy_parse.y 2025-07-16 12:55:13.000000000 +0200 @@ -152,7 +152,9 @@ %token MODULE VERSION_IDENTIFIER REQUIRE OPTIONAL %token POLICYCAP %token PERMISSIVE +%token NEVERAUDIT %token FILESYSTEM +%token NETIFNAME %token DEFAULT_USER DEFAULT_ROLE DEFAULT_TYPE DEFAULT_RANGE %token LOW_HIGH LOW HIGH GLBLUB %token INVALID_CHAR 
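Review bot: In the @@ -6010 hunk the wildcard branch returns -1 directly on realloc() failure, whereas the line just above uses `goto fail` when queue_remove() yields no name; returning here skips whatever the fail label releases (presumably newc at least), and assigning the realloc() result straight to newc->u.name drops the only pointer to the original name when it fails. Using a temporary and the existing label keeps the error path uniform: `char *tmp = realloc(newc->u.name, name_len + 2);` / `if (!tmp) { yyerror("out of memory"); goto fail; }` / `newc->u.name = tmp;`. The enclosing function (the one whose `has_type` parameter the hunk tests) starts in the @@ -5960 hunk and its fail label is outside both hunks.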
@@ -330,6 +332,7 @@ | range_trans_def | te_avtab_def | permissive_def + | neveraudit_def ; attribute_def : ATTRIBUTE identifier ';' { if (define_attrib()) YYABORT;} @@ -748,7 +751,7 @@ netif_contexts : netif_context_def | netif_contexts netif_context_def ; -netif_context_def : NETIFCON identifier security_context_def security_context_def +netif_context_def : NETIFCON netifname security_context_def security_context_def {if (define_netif_context()) YYABORT;} ; opt_node_contexts : node_contexts @@ -901,6 +904,13 @@ filename : FILENAME { yytext[strlen(yytext) - 1] = '\0'; if (insert_id(yytext + 1,0)) YYABORT; } ; +netifname : NETIFNAME + { if (insert_id(yytext,0)) YYABORT; } + | IDENTIFIER + { if (insert_id(yytext,0)) YYABORT; } + | FILESYSTEM + { if (insert_id(yytext,0)) YYABORT; } + ; number : NUMBER { unsigned long x; errno = 0; @@ -934,6 +944,8 @@ ; permissive_def : PERMISSIVE identifier ';' {if (define_permissive()) YYABORT;} +neveraudit_def : NEVERAUDIT identifier ';' + {if (define_neveraudit()) YYABORT;} /*********** module grammar below ***********/ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/checkpolicy-3.8.1/policy_scan.l new/checkpolicy-3.9/policy_scan.l --- old/checkpolicy-3.8.1/policy_scan.l 2025-03-05 19:59:06.000000000 +0100 +++ new/checkpolicy-3.9/policy_scan.l 2025-07-16 12:55:13.000000000 +0200 @@ -57,6 +57,7 @@ #endif void set_source_file(const char *name); +static void set_source_line_and_file(const char *line); char source_file[PATH_MAX]; unsigned long source_lineno = 1; @@ -270,6 +271,8 @@ POLICYCAP { return(POLICYCAP); } permissive | PERMISSIVE { return(PERMISSIVE); } +neveraudit | +NEVERAUDIT { return(NEVERAUDIT); } default_user | DEFAULT_USER { return(DEFAULT_USER); } default_role | 
@@ -297,7 +300,8 @@
 {hexval}{0,4}":"{hexval}{0,4}":"({hexval}|[:.])* { return(IPV6_ADDR); }
 {hexval}{0,4}":"{hexval}{0,4}":"({hexval}|[:.])*"/"{digit}{1,3} { return(IPV6_CIDR); }
 {digit}+(\.({alnum}|[_.])*)? { return(VERSION_IDENTIFIER); }
-#line[ ]1[ ]\"[^\n]*\" { set_source_file(yytext+9); }
+({alnum}({alnum}|[\*\?_]){0,15}|[\*\?]({alnum}|[\*\?_]){1,15}) { return(NETIFNAME); }
+#line[ ]{digit}+[ ]\"[^\n]*\" { set_source_line_and_file(yytext+6); }
 #line[ ]{digit}+ {
 errno = 0;
 source_lineno = strtoul(yytext+6, NULL, 10) - 1;
@@ -395,3 +399,21 @@
 if (strlen(source_file) && source_file[strlen(source_file)-1] == '"')
 source_file[strlen(source_file)-1] = '\0';
 }
+
+void set_source_line_and_file(const char *line)
+{
+ char *name;
+ unsigned long lineno;
+ errno = 0;
+ lineno = strtoul(line, &name, 10) - 1;
+ if (errno) {
+ yywarn("source line number too big");
+ }
+ set_source_file(name + 2 /* skip a space and a quote */ );
+
+ /*
+ * set_source_file sets source_lineno to 1.
+ * Assign source_lineno after calling set_source_file.
+ */
+ source_lineno = lineno;
+}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/checkpolicy-3.8.1/tests/policy_allonce.conf new/checkpolicy-3.9/tests/policy_allonce.conf
--- old/checkpolicy-3.8.1/tests/policy_allonce.conf 2025-03-05 19:59:06.000000000 +0100
+++ new/checkpolicy-3.9/tests/policy_allonce.conf 2025-07-16 12:55:13.000000000 +0200
@@ -45,6 +45,7 @@
 dontauditxperm TYPE1 TYPE2 : CLASS1 ioctl 0x3;
 neverallowxperm TYPE1 TYPE2 : CLASS1 ioctl 0x4;
 permissive TYPE1;
+neveraudit TYPE1;
 attribute_role ROLE_ATTR1;
 role ROLE1;
 role ROLE3;
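Review bot: The NETIFNAME pattern in the @@ -297 hunk admits names of up to 16 characters (one alnum plus `{0,15}` more, or a leading `*`/`?` plus `{1,15}` more), while a Linux interface name is limited to IFNAMSIZ-1 = 15 characters; if the bound is meant to mirror that limit the repeats should be `{0,14}` and `{1,14}`, otherwise a short comment on the rule saying where 16 comes from would spare the next reader the same question. In set_source_line_and_file() (@@ -395) `strtoul(line, &name, 10) - 1` wraps to ULONG_MAX for `#line 0`, the same behaviour the pre-existing `#line[ ]{digit}+` rule has, and the reason for the subtraction (presumably the newline ending the directive increments the counter again) is not stated; a comment such as `/* minus one: the newline that ends the directive increments source_lineno */` would make the intent explicit. The `name + 2` skip is safe only because the flex rule guarantees a space and a quote follow the digits, which is worth saying in the existing comment.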
@@ -74,7 +75,11 @@
 genfscon proc "/path/to/file" USER1:ROLE1:TYPE1
 portcon tcp 80 USER1:ROLE1:TYPE1
 portcon udp 100-200 USER1:ROLE1:TYPE1
-netifcon lo USER1:ROLE1:TYPE1 USER1:ROLE1:TYPE1
+netifcon net? USER1:ROLE1:TYPE1 USER1:ROLE1:TYPE1
+netifcon net* USER1:ROLE1:TYPE1 USER1:ROLE1:TYPE1
+netifcon netx* USER1:ROLE1:TYPE1 USER1:ROLE1:TYPE1
+netifcon net USER1:ROLE1:TYPE1 USER1:ROLE1:TYPE1
+netifcon 1o USER1:ROLE1:TYPE1 USER1:ROLE1:TYPE1
 nodecon 127.0.0.1 255.255.255.255 USER1:ROLE1:TYPE1
 nodecon 192.168.42.0 255.255.0.0 USER1:ROLE1:TYPE1
 nodecon 127.0.0.1/24 USER1:ROLE1:TYPE1
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/checkpolicy-3.8.1/tests/policy_allonce.expected.conf new/checkpolicy-3.9/tests/policy_allonce.expected.conf
--- old/checkpolicy-3.8.1/tests/policy_allonce.expected.conf 2025-03-05 19:59:06.000000000 +0100
+++ new/checkpolicy-3.9/tests/policy_allonce.expected.conf 2025-07-16 12:55:13.000000000 +0200
@@ -31,6 +31,7 @@
 typebounds TYPE4 TYPE3;
 typeattribute TYPE4 ATTR2;
 permissive TYPE1;
+neveraudit TYPE1;
 allow TYPE1 self:CLASS1 { PERM1 };
 allow TYPE1 self:CLASS2 { CPERM1 };
 auditallow TYPE1 TYPE3:CLASS1 { PERM1 };
@@ -79,7 +80,11 @@
 genfscon proc "/path/to/file" USER1:ROLE1:TYPE1
 portcon tcp 80 USER1:ROLE1:TYPE1
 portcon udp 100-200 USER1:ROLE1:TYPE1
-netifcon lo USER1:ROLE1:TYPE1 USER1:ROLE1:TYPE1
+netifcon 1o USER1:ROLE1:TYPE1 USER1:ROLE1:TYPE1
+netifcon net USER1:ROLE1:TYPE1 USER1:ROLE1:TYPE1
+netifcon netx* USER1:ROLE1:TYPE1 USER1:ROLE1:TYPE1
+netifcon net? USER1:ROLE1:TYPE1 USER1:ROLE1:TYPE1
+netifcon net* USER1:ROLE1:TYPE1 USER1:ROLE1:TYPE1
 nodecon 127.0.0.1 255.255.255.255 USER1:ROLE1:TYPE1
 nodecon 127.0.0.0 255.255.255.0 USER1:ROLE1:TYPE1
 nodecon 192.168.0.0 255.255.0.0 USER1:ROLE1:TYPE1
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/checkpolicy-3.8.1/tests/policy_allonce.expected_opt.conf new/checkpolicy-3.9/tests/policy_allonce.expected_opt.conf
--- old/checkpolicy-3.8.1/tests/policy_allonce.expected_opt.conf 2025-03-05 19:59:06.000000000 +0100
+++ new/checkpolicy-3.9/tests/policy_allonce.expected_opt.conf 2025-07-16 12:55:13.000000000 +0200
@@ -31,6 +31,7 @@
 typebounds TYPE4 TYPE3;
 typeattribute TYPE4 ATTR2;
 permissive TYPE1;
+neveraudit TYPE1;
 allow TYPE1 self:CLASS1 { PERM1 };
 allow TYPE1 self:CLASS2 { CPERM1 };
 auditallow TYPE1 TYPE3:CLASS1 { PERM1 };
@@ -79,7 +80,11 @@
 genfscon proc "/path/to/file" USER1:ROLE1:TYPE1
 portcon tcp 80 USER1:ROLE1:TYPE1
 portcon udp 100-200 USER1:ROLE1:TYPE1
-netifcon lo USER1:ROLE1:TYPE1 USER1:ROLE1:TYPE1
+netifcon 1o USER1:ROLE1:TYPE1 USER1:ROLE1:TYPE1
+netifcon net USER1:ROLE1:TYPE1 USER1:ROLE1:TYPE1
+netifcon netx* USER1:ROLE1:TYPE1 USER1:ROLE1:TYPE1
+netifcon net? USER1:ROLE1:TYPE1 USER1:ROLE1:TYPE1
+netifcon net* USER1:ROLE1:TYPE1 USER1:ROLE1:TYPE1
 nodecon 127.0.0.1 255.255.255.255 USER1:ROLE1:TYPE1
 nodecon 127.0.0.0 255.255.255.0 USER1:ROLE1:TYPE1
 nodecon 192.168.0.0 255.255.0.0 USER1:ROLE1:TYPE1
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/checkpolicy-3.8.1/tests/policy_allonce_mls.conf new/checkpolicy-3.9/tests/policy_allonce_mls.conf
--- old/checkpolicy-3.8.1/tests/policy_allonce_mls.conf 2025-03-05 19:59:06.000000000 +0100
+++ new/checkpolicy-3.9/tests/policy_allonce_mls.conf 2025-07-16 12:55:13.000000000 +0200
@@ -53,6 +53,7 @@
 dontauditxperm TYPE1 TYPE2 : CLASS1 ioctl 0x3;
 neverallowxperm TYPE1 TYPE2 : CLASS1 ioctl 0x4;
 permissive TYPE1;
+neveraudit TYPE1;
 attribute_role ROLE_ATTR1;
 role ROLE1;
 role ROLE3;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/checkpolicy-3.8.1/tests/policy_allonce_mls.expected.conf new/checkpolicy-3.9/tests/policy_allonce_mls.expected.conf
--- old/checkpolicy-3.8.1/tests/policy_allonce_mls.expected.conf 2025-03-05 19:59:06.000000000 +0100
+++ new/checkpolicy-3.9/tests/policy_allonce_mls.expected.conf 2025-07-16 12:55:13.000000000 +0200
@@ -39,6 +39,7 @@
 typebounds TYPE4 TYPE3;
 typeattribute TYPE4 ATTR2;
 permissive TYPE1;
+neveraudit TYPE1;
 allow TYPE1 self:CLASS1 { PERM1 };
 allow TYPE1 self:CLASS2 { CPERM1 };
 auditallow TYPE1 TYPE3:CLASS1 { PERM1 };
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/checkpolicy-3.8.1/tests/policy_allonce_mls.expected_opt.conf new/checkpolicy-3.9/tests/policy_allonce_mls.expected_opt.conf
--- old/checkpolicy-3.8.1/tests/policy_allonce_mls.expected_opt.conf 2025-03-05 19:59:06.000000000 +0100
+++ new/checkpolicy-3.9/tests/policy_allonce_mls.expected_opt.conf 2025-07-16 12:55:13.000000000 +0200
@@ -39,6 +39,7 @@
 typebounds TYPE4 TYPE3;
 typeattribute TYPE4 ATTR2;
 permissive TYPE1;
+neveraudit TYPE1;
 allow TYPE1 self:CLASS1 { PERM1 };
 allow TYPE1 self:CLASS2 { CPERM1 };
 auditallow TYPE1 TYPE3:CLASS1 { PERM1 };