Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package checkpolicy for openSUSE:Factory checked in at 2026-02-09 11:42:49 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/checkpolicy (Old) and /work/SRC/openSUSE:Factory/.checkpolicy.new.1670 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "checkpolicy" Mon Feb 9 11:42:49 2026 rev:43 rq:1331573 version:3.10 Changes: --------
--- /work/SRC/openSUSE:Factory/checkpolicy/checkpolicy.changes 2025-07-24 18:34:35.030456158 +0200
+++ /work/SRC/openSUSE:Factory/.checkpolicy.new.1670/checkpolicy.changes 2026-02-09 11:43:12.957383426 +0100
@@ -1,0 +2,12 @@
+Thu Feb 5 16:10:58 UTC 2026 - Cathy Hu <[email protected]>
+
+- Update to version 3.10
+ https://github.com/SELinuxProject/selinux/releases/tag/3.10
+ - Fix problem with bounds statements in optional blocks
+ - Provide a better error message for implicit role and user bounds
+ - Allow type attributes to be associated with other type attributes
+ - checkpolicy/tests: Modify tests to check handling of initial sids
+- keyring: Add key of Jason Zaman <[email protected]>
+ * added 63191CE94183098689CAB8DB7EF137EC935B0EAF [expires: 2026-02-08]
+
+-------------------------------------------------------------------
Old: ---- checkpolicy-3.9.tar.gz checkpolicy-3.9.tar.gz.asc New: ---- checkpolicy-3.10.tar.gz checkpolicy-3.10.tar.gz.asc ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ checkpolicy.spec ++++++
--- /var/tmp/diff_new_pack.JmhQSW/_old 2026-02-09 11:43:13.769417587 +0100
+++ /var/tmp/diff_new_pack.JmhQSW/_new 2026-02-09 11:43:13.773417756 +0100
@@ -1,7 +1,7 @@
 #
 # spec file for package checkpolicy
 #
-# Copyright (c) 2025 SUSE LLC
+# Copyright (c) 2026 SUSE LLC and contributors
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -16,9 +16,9 @@ # -%define libsepol_ver 3.9 +%define libsepol_ver 3.10 Name: checkpolicy -Version: 3.9 +Version: 3.10 Release: 0 Summary: SELinux policy compiler License: GPL-2.0-or-later ++++++ checkpolicy-3.9.tar.gz -> checkpolicy-3.10.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/checkpolicy-3.9/Makefile new/checkpolicy-3.10/Makefile --- old/checkpolicy-3.9/Makefile 2025-07-16 12:55:13.000000000 +0200 +++ new/checkpolicy-3.10/Makefile 2026-02-02 03:01:16.000000000 +0100 @@ -77,6 +77,3 @@ clean: -rm -f $(TARGETS) $(CHECKPOLOBJS) $(CHECKMODOBJS) y.tab.c y.tab.h lex.yy.c tests/testpol.conf tests/testpol.bin $(MAKE) -C test clean - -indent: - ../scripts/Lindent $(filter-out $(GENERATED),$(wildcard *.[ch])) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/checkpolicy-3.9/VERSION new/checkpolicy-3.10/VERSION --- old/checkpolicy-3.9/VERSION 2025-07-16 12:55:13.000000000 +0200 +++ new/checkpolicy-3.10/VERSION 2026-02-02 03:01:16.000000000 +0100 @@ -1 +1 @@ -3.9 +3.10 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/checkpolicy-3.9/module_compiler.c new/checkpolicy-3.10/module_compiler.c --- old/checkpolicy-3.9/module_compiler.c 2025-07-16 12:55:13.000000000 +0200 +++ new/checkpolicy-3.10/module_compiler.c 2026-02-02 03:01:16.000000000 +0100 @@ -207,8 +207,7 @@ return ret; } -static int role_implicit_bounds(hashtab_t roles_tab, - char *role_id, role_datum_t *role) +static int role_implicit_bounds(hashtab_t roles_tab, char *role_id, role_datum_t *role) { role_datum_t *bounds; char *bounds_id, *delim; 
@@ -226,21 +225,13 @@ bounds = hashtab_search(roles_tab, bounds_id); if (!bounds) { - yyerror2("role %s doesn't exist, is implicit bounds of %s", - bounds_id, role_id); + yyerror2("Implicit role bounds declared (%s), but the parent (%s) was not found in the same scope", role_id, bounds_id); free(bounds_id); return -1; } - if (!role->bounds) - role->bounds = bounds->s.value; - else if (role->bounds != bounds->s.value) { - yyerror2("role %s has inconsistent bounds %s/%s", - role_id, bounds_id, - policydbp->p_role_val_to_name[role->bounds - 1]); - free(bounds_id); - return -1; - } + role->bounds = bounds->s.value; + free(bounds_id); return 0; @@ -456,8 +447,7 @@ return type; } -static int user_implicit_bounds(hashtab_t users_tab, - char *user_id, user_datum_t *user) +static int user_implicit_bounds(hashtab_t users_tab, char *user_id, user_datum_t *user) { user_datum_t *bounds; char *bounds_id, *delim; @@ -475,21 +465,13 @@ bounds = hashtab_search(users_tab, bounds_id); if (!bounds) { - yyerror2("user %s doesn't exist, is implicit bounds of %s", - bounds_id, user_id); + yyerror2("Implicit user bounds declared (%s), but the parent (%s) was not found in the same scope", user_id, bounds_id); free(bounds_id); return -1; } - if (!user->bounds) - user->bounds = bounds->s.value; - else if (user->bounds != bounds->s.value) { - yyerror2("user %s has inconsistent bounds %s/%s", - user_id, bounds_id, - policydbp->p_role_val_to_name[user->bounds - 1]); - free(bounds_id); - return -1; - } + user->bounds = bounds->s.value; + free(bounds_id); return 0; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/checkpolicy-3.9/policy_define.c new/checkpolicy-3.10/policy_define.c --- old/checkpolicy-3.9/policy_define.c 2025-07-16 12:55:13.000000000 +0200 +++ new/checkpolicy-3.10/policy_define.c 2026-02-02 03:01:16.000000000 +0100 
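Review bot: In the role_implicit_bounds hunk (-226,21) the new `role->bounds = bounds->s.value;` is unconditional, so the earlier "inconsistent bounds" rejection is gone and any bound already stored on `role` would be replaced by the implicit parent without a diagnostic. Bounds cap what a child role or user can be granted, so the reason an overwrite cannot happen should be written down where the assignment is made. If callers only pass a datum that was just declared in the current scope (they are not visible in this hunk), say so in a comment above the assignment, e.g. `/* role was just declared in this scope; no explicit bounds can be set yet */`; if that cannot be guaranteed, keep the `else if (role->bounds != bounds->s.value)` rejection. The same applies to `user->bounds = bounds->s.value;` in the user_implicit_bounds hunk (-475,21); both function bodies start above their hunks.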
@@ -1440,11 +1440,18 @@ return -1; } t = hashtab_search(policydbp->p_types.table, id); - if (!t || t->flavor == TYPE_ATTRIB) { + if (!t) { yyerror2("unknown type %s", id); free(id); return -1; + } else if (t->flavor == TYPE_ATTRIB) { + if (policydbp->policy_type != POLICY_KERN && policydbp->policyvers < MOD_POLICYDB_VERSION_TYPE_ATTR_ATTRS) { + yyerror2("Type attributes cannot be used in a typeattribute definition in policy version %d", policydbp->policyvers); + free(id); + return -1; + } } + free(id); while ((id = queue_remove(id_queue))) { @@ -1484,6 +1491,8 @@ static int define_typebounds_helper(const char *bounds_id, const char *type_id) { type_datum_t *bounds, *type; + char *id; + uint32_t value; if (!is_id_in_scope(SYM_TYPES, bounds_id)) { yyerror2("type %s is not within scope", bounds_id); @@ -1507,10 +1516,11 @@ return -1; } - if (type->flavor == TYPE_TYPE && !type->primary) { - type = policydbp->type_val_to_struct[type->s.value - 1]; - } else if (type->flavor == TYPE_ALIAS) { - type = policydbp->type_val_to_struct[type->primary - 1]; + id = strdup(type_id); + value = (type->flavor != TYPE_ALIAS) ? type->s.value : type->primary; + type = get_local_type(id, value, 0); + if (!type) { + yyerror("Out of memory!"); } if (!type->bounds) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/checkpolicy-3.9/tests/policy_allonce.conf new/checkpolicy-3.10/tests/policy_allonce.conf --- old/checkpolicy-3.9/tests/policy_allonce.conf 2025-07-16 12:55:13.000000000 +0200 +++ new/checkpolicy-3.10/tests/policy_allonce.conf 2026-02-02 03:01:16.000000000 +0100 @@ -7,6 +7,8 @@ class file class process sid kernel +sid security +sid unlabeled common COMMON1 { CPERM1 } class CLASS1 { PERM1 ioctl } class CLASS2 inherits COMMON1 
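Review bot: The version gate in the new `else if (t->flavor == TYPE_ATTRIB)` branch (hunk -1440,11) is skipped for kernel policies by `policydbp->policy_type != POLICY_KERN`, and nothing in the hunk explains why that policy type needs no check. A one-line comment above the condition stating the reason (for example, that only the module format has to be able to record attribute-to-attribute associations, if that is the intent) would keep a later edit from widening or dropping the gate by accident. The loop that consumes the remaining ids starts at the end of the hunk and its body is not visible, so it is worth confirming there that an attribute cannot be associated with itself or form a cycle.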
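Review bot: In the define_typebounds_helper hunk (-1507,10) the failure branch `if (!type) { yyerror("Out of memory!"); }` reports the error but does not return, so the following context line `if (!type->bounds)` dereferences a NULL pointer on exactly the path the check detects. Add `return -1;` inside that branch. The result of `id = strdup(type_id);` is also passed to `get_local_type()` unchecked; a guard such as `if (!id) { yyerror("Out of memory!"); return -1; }` before the call would close that path. Whether `get_local_type()` frees `id` when it fails is not visible here, so the ownership on the error path should be confirmed; the function starts in the previous hunk and continues past the end of this one.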
@@ -64,6 +66,7 @@
 # sameuser will be turned into (u1 == u2)
 validatetrans CLASS2 sameuser and t3 == ATTR1;
 sid kernel USER1:ROLE1:TYPE1
+sid unlabeled USER1:ROLE1:TYPE1
 # fscon statements are not dumped
 fscon 2 3 USER1:ROLE1:TYPE1 USER1:ROLE1:TYPE1
 fs_use_xattr btrfs USER1:ROLE1:TYPE1;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/checkpolicy-3.9/tests/policy_allonce.expected.conf new/checkpolicy-3.10/tests/policy_allonce.expected.conf
--- old/checkpolicy-3.9/tests/policy_allonce.expected.conf 2025-07-16 12:55:13.000000000 +0200
+++ new/checkpolicy-3.10/tests/policy_allonce.expected.conf 2026-02-02 03:01:16.000000000 +0100
@@ -7,6 +7,8 @@
 class file
 class process
 sid kernel
+sid security
+sid unlabeled
 common COMMON1 { CPERM1 }
 class CLASS1 { PERM1 ioctl }
 class CLASS2 inherits COMMON1
@@ -72,6 +74,7 @@
 constrain CLASS1 { PERM1 } (u1 == u2 or (r1 == r2 and t1 == t2));
 validatetrans CLASS2 (u1 == u2 and t3 == ATTR1);
 sid kernel USER1:ROLE1:TYPE1
+sid unlabeled USER1:ROLE1:TYPE1
 fs_use_xattr btrfs USER1:ROLE1:TYPE1;
 fs_use_trans devpts USER1:ROLE1:TYPE1;
 fs_use_task pipefs USER1:ROLE1:TYPE1;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/checkpolicy-3.9/tests/policy_allonce.expected_opt.conf new/checkpolicy-3.10/tests/policy_allonce.expected_opt.conf
--- old/checkpolicy-3.9/tests/policy_allonce.expected_opt.conf 2025-07-16 12:55:13.000000000 +0200
+++ new/checkpolicy-3.10/tests/policy_allonce.expected_opt.conf 2026-02-02 03:01:16.000000000 +0100
@@ -7,6 +7,8 @@
 class file
 class process
 sid kernel
+sid security
+sid unlabeled
 common COMMON1 { CPERM1 }
 class CLASS1 { PERM1 ioctl }
 class CLASS2 inherits COMMON1
@@ -72,6 +74,7 @@
 constrain CLASS1 { PERM1 } (u1 == u2 or (r1 == r2 and t1 == t2));
 validatetrans CLASS2 (u1 == u2 and t3 == ATTR1);
 sid kernel USER1:ROLE1:TYPE1
+sid unlabeled USER1:ROLE1:TYPE1
 fs_use_xattr btrfs USER1:ROLE1:TYPE1;
 fs_use_trans devpts USER1:ROLE1:TYPE1;
 fs_use_task pipefs USER1:ROLE1:TYPE1;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/checkpolicy-3.9/tests/policy_allonce_xen.conf new/checkpolicy-3.10/tests/policy_allonce_xen.conf
--- old/checkpolicy-3.9/tests/policy_allonce_xen.conf 2025-07-16 12:55:13.000000000 +0200
+++ new/checkpolicy-3.10/tests/policy_allonce_xen.conf 2026-02-02 03:01:16.000000000 +0100
@@ -6,6 +6,8 @@
 class file
 class process
 sid kernel
+sid dom0
+sid domio
 common COMMON1 { CPERM1 }
 class CLASS1 { PERM1 }
 class CLASS2 inherits COMMON1
@@ -53,6 +55,7 @@
 constrain CLASS1 { PERM1 } (u1 == u2 or (r1 == r2 and t1 == t2));
 validatetrans CLASS2 sameuser and t3 == ATTR1;
 sid kernel USER1:ROLE1:TYPE1
+sid domio USER1:ROLE1:TYPE1
 pirqcon 13 USER1:ROLE1:TYPE1
 iomemcon 13 USER1:ROLE1:TYPE1
 iomemcon 23-31 USER1:ROLE1:TYPE1
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/checkpolicy-3.9/tests/policy_allonce_xen.expected.conf new/checkpolicy-3.10/tests/policy_allonce_xen.expected.conf
--- old/checkpolicy-3.9/tests/policy_allonce_xen.expected.conf 2025-07-16 12:55:13.000000000 +0200
+++ new/checkpolicy-3.10/tests/policy_allonce_xen.expected.conf 2026-02-02 03:01:16.000000000 +0100
@@ -6,6 +6,8 @@
 class file
 class process
 sid xen
+sid dom0
+sid domio
 common COMMON1 { CPERM1 }
 class CLASS1 { PERM1 }
 class CLASS2 inherits COMMON1
@@ -56,6 +58,7 @@
 constrain CLASS1 { PERM1 } (u1 == u2 or (r1 == r2 and t1 == t2));
 validatetrans CLASS2 (u1 == u2 and t3 == ATTR1);
 sid xen USER1:ROLE1:TYPE1
+sid domio USER1:ROLE1:TYPE1
 pirqcon 13 USER1:ROLE1:TYPE1
 iomemcon 0xd USER1:ROLE1:TYPE1
 iomemcon 0x17-0x1f USER1:ROLE1:TYPE1
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/checkpolicy-3.9/tests/policy_allonce_xen.expected_opt.conf new/checkpolicy-3.10/tests/policy_allonce_xen.expected_opt.conf
--- old/checkpolicy-3.9/tests/policy_allonce_xen.expected_opt.conf 2025-07-16 12:55:13.000000000 +0200
+++ new/checkpolicy-3.10/tests/policy_allonce_xen.expected_opt.conf 2026-02-02 03:01:16.000000000 +0100
@@ -6,6 +6,8 @@
 class file
 class process
 sid xen
+sid dom0
+sid domio
 common COMMON1 { CPERM1 }
 class CLASS1 { PERM1 }
 class CLASS2 inherits COMMON1
@@ -52,6 +54,7 @@
 constrain CLASS1 { PERM1 } (u1 == u2 or (r1 == r2 and t1 == t2));
 validatetrans CLASS2 (u1 == u2 and t3 == ATTR1);
 sid xen USER1:ROLE1:TYPE1
+sid domio USER1:ROLE1:TYPE1
 pirqcon 13 USER1:ROLE1:TYPE1
 iomemcon 0xd USER1:ROLE1:TYPE1
 iomemcon 0x17-0x1f USER1:ROLE1:TYPE1
++++++ checkpolicy.keyring ++++++ ++++ 1396 lines (skipped) ++++ between checkpolicy.keyring ++++ and /work/SRC/openSUSE:Factory/.checkpolicy.new.1670/checkpolicy.keyring
