Hello community, here is the log from the commit of package checkpolicy for openSUSE:Factory checked in at 2017-12-11 18:56:09 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/checkpolicy (Old) and /work/SRC/openSUSE:Factory/.checkpolicy.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "checkpolicy" Mon Dec 11 18:56:09 2017 rev:25 rq:545896 version:2.6 Changes: -------- --- /work/SRC/openSUSE:Factory/checkpolicy/checkpolicy.changes 2017-07-06 00:02:05.289383435 +0200 +++ /work/SRC/openSUSE:Factory/.checkpolicy.new/checkpolicy.changes 2017-12-11 18:56:11.615445834 +0100 @@ -1,0 +2,11 @@ +Fri Nov 24 09:01:04 UTC 2017 - [email protected] + +- Update to version 2.6. Notable changes: + * Add types associated to a role in the current scope when parsing + * Extend checkpolicy pathname matching + * Set flex as default lexer + * Fix checkmodule output message + * Fail if module name different than output base filename + * Add support for portcon dccp protocol + +------------------------------------------------------------------- Old: ---- checkpolicy-2.5.tar.gz New: ---- checkpolicy-2.6.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ checkpolicy.spec ++++++ --- /var/tmp/diff_new_pack.kFKjd8/_old 2017-12-11 18:56:12.091423163 +0100 +++ /var/tmp/diff_new_pack.kFKjd8/_new 2017-12-11 18:56:12.091423163 +0100 
@@ -16,15 +16,15 @@
 #
-%define libsepol_ver 2.5
+%define libsepol_ver 2.6
 Name: checkpolicy
-Version: 2.5
+Version: 2.6
 Release: 0
 Summary: SELinux policy compiler
 License: GPL-2.0+
 Group: Productivity/Security
 Url: https://github.com/SELinuxProject/selinux
-Source: https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20160223/%{name}-%{version}.tar.gz
+Source: https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20161014/%{name}-%{version}.tar.gz
 BuildRequires: bison
 BuildRequires: flex
 BuildRequires: libselinux-devel
++++++ checkpolicy-2.5.tar.gz -> checkpolicy-2.6.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/checkpolicy-2.5/Android.mk new/checkpolicy-2.6/Android.mk
--- old/checkpolicy-2.5/Android.mk 2016-02-23 17:31:41.000000000 +0100
+++ new/checkpolicy-2.6/Android.mk 1970-01-01 01:00:00.000000000 +0100
@@ -1,77 +0,0 @@ -LOCAL_PATH:= $(call my-dir) - -common_src_files := \ - policy_parse.y \ - policy_scan.l \ - queue.c \ - module_compiler.c \ - parse_util.c \ - policy_define.c - -common_cflags := \ - -Wall -Wshadow -O2 \ - -pipe -fno-strict-aliasing \ - -ifeq ($(HOST_OS),darwin) -common_cflags += -DDARWIN -endif - -common_includes := \ - $(LOCAL_PATH)/ \ - $(LOCAL_PATH)/../libsepol/include/ \ - $(LOCAL_PATH)/../libsepol/src/ \ - -## -# "-x c" forces the lex/yacc files to be compiled as c the build system -# otherwise forces them to be c++. Need to also add an explicit -std because the -# build system will soon default C++ to -std=c++11. -yacc_flags := -x c -std=gnu89 - - -## -# checkpolicy -# -include $(CLEAR_VARS) - -LOCAL_MODULE := checkpolicy -LOCAL_MODULE_TAGS := optional -LOCAL_C_INCLUDES := $(common_includes) -LOCAL_CFLAGS := $(yacc_flags) $(common_cflags) -LOCAL_SRC_FILES := $(common_src_files) checkpolicy.c -LOCAL_STATIC_LIBRARIES := libsepol -LOCAL_YACCFLAGS := -v -LOCAL_MODULE_CLASS := EXECUTABLES - -include $(BUILD_HOST_EXECUTABLE) - - -## -# checkmodule -# -include $(CLEAR_VARS) - -LOCAL_MODULE := checkmodule -LOCAL_MODULE_TAGS := optional -LOCAL_C_INCLUDES := $(common_includes) -LOCAL_CFLAGS := $(yacc_flags) $(common_cflags) -LOCAL_SRC_FILES := $(common_src_files) checkmodule.c -LOCAL_STATIC_LIBRARIES := libsepol -LOCAL_YACCFLAGS := -v -LOCAL_MODULE_CLASS := EXECUTABLES - -include $(BUILD_HOST_EXECUTABLE) - -## -# dispol -# -include $(CLEAR_VARS) - -LOCAL_MODULE := dispol -LOCAL_MODULE_TAGS := optional -LOCAL_C_INCLUDES := $(common_includes) -LOCAL_CFLAGS := $(common_cflags) -LOCAL_SRC_FILES := test/dispol.c -LOCAL_STATIC_LIBRARIES := libsepol -LOCAL_MODULE_CLASS := EXECUTABLES - -include $(BUILD_HOST_EXECUTABLE) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/checkpolicy-2.5/ChangeLog new/checkpolicy-2.6/ChangeLog --- old/checkpolicy-2.5/ChangeLog 2016-02-23 17:31:41.000000000 +0100 +++ 
new/checkpolicy-2.6/ChangeLog 2016-10-14 17:31:26.000000000 +0200
@@ -1,3 +1,14 @@
+2.6 2016-10-14
+ * Remove Android.mk files and only keep them in Android tree, from Bowgo Tsai.
+ * Add types associated to a role in the current scope when parsing, from Nicolas Iooss.
+ * Extend checkpolicy pathname matching, from Stephen Smalley.
+ * Fix typos in test/dispol, from Petr Lautrbach.
+ * Set flex as default lexer, from Julien Pivotto.
+ * Fix checkmodule output message, from Petr Lautrbach.
+ * Build policy on systems not supporting DCCP protocol, from Richard Haines.
+ * Fail if module name different than output base filename, from James Carter
+ * Add support for portcon dccp protocol, from Richard Haines
+
 2.5 2016-02-23
 * Add neverallow support for ioctl extended permissions, from Jeff Vander Stoep.
 * fix double free on name-based type transitions, from Stephen Smalley.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/checkpolicy-2.5/Makefile new/checkpolicy-2.6/Makefile
--- old/checkpolicy-2.5/Makefile 2016-02-23 17:31:41.000000000 +0100
+++ new/checkpolicy-2.6/Makefile 2016-10-14 17:31:26.000000000 +0200
@@ -8,6 +8,7 @@
 INCLUDEDIR ?= $(PREFIX)/include
 TARGETS = checkpolicy checkmodule
+LEX = flex
 YACC = bison -y
 CFLAGS ?= -g -Wall -Werror -Wshadow -O2 -pipe -fno-strict-aliasing
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/checkpolicy-2.5/VERSION new/checkpolicy-2.6/VERSION
--- old/checkpolicy-2.5/VERSION 2016-02-23 17:31:41.000000000 +0100
+++ new/checkpolicy-2.6/VERSION 2016-10-14 17:31:26.000000000 +0200
@@ -1 +1 @@
-2.5
+2.6
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/checkpolicy-2.5/checkmodule.c new/checkpolicy-2.6/checkmodule.c
--- old/checkpolicy-2.5/checkmodule.c 2016-02-23 17:31:41.000000000 +0100
+++ new/checkpolicy-2.6/checkmodule.c 2016-10-14 17:31:26.000000000 +0200
@@ -19,6 +19,7 @@
 #include <stdio.h>
 #include <errno.h>
 #include <sys/mman.h>
+#include <libgen.h>
 #include <sepol/module_to_cil.h>
 #include <sepol/policydb/policydb.h>
@@ -258,6 +259,25 @@
 }
 }
+ if (policy_type != POLICY_BASE && outfile) {
+ char *mod_name = modpolicydb.name;
+ char *out_path = strdup(outfile);
+ if (out_path == NULL) {
+ fprintf(stderr, "%s: out of memory\n", argv[0]);
+ exit(1);
+ }
+ char *out_name = basename(out_path);
+ char *separator = strrchr(out_name, '.');
+ if (separator) {
+ *separator = '\0';
+ }
+ if (strcmp(mod_name, out_name) != 0) {
+ fprintf(stderr, "%s: Module name %s is different than the output base filename %s\n", argv[0], mod_name, out_name);
+ exit(1);
+ }
+ free(out_path);
+ }
+
 if (modpolicydb.policy_type == POLICY_BASE && !cil) {
 /* Verify that we can successfully expand the base module. */
 policydb_t kernpolicydb;
@@ -294,7 +314,7 @@
 if (!cil) {
 printf("%s: writing binary representation (version %d) to %s\n",
- argv[0], policyvers, file);
+ argv[0], policyvers, outfile);
 if (write_binary_policy(&modpolicydb, outfp) != 0) {
 fprintf(stderr, "%s: error writing %s\n", argv[0], outfile);
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/checkpolicy-2.5/checkpolicy.c new/checkpolicy-2.6/checkpolicy.c
--- old/checkpolicy-2.5/checkpolicy.c 2016-02-23 17:31:41.000000000 +0100
+++ new/checkpolicy-2.6/checkpolicy.c 2016-10-14 17:31:26.000000000 +0200
@@ -64,13 +64,16 @@
 #include <sys/stat.h>
 #include <sys/socket.h>
 #include <netinet/in.h>
+#ifndef IPPROTO_DCCP
+#define IPPROTO_DCCP 33
+#endif
 #include <arpa/inet.h>
 #include <fcntl.h>
 #include <stdio.h>
 #include <errno.h>
 #include <sys/mman.h>
-#ifdef DARWIN
+#ifdef __APPLE__
 #include <ctype.h>
 #endif
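Review bot: In the module-name check (hunk `@@ -258,6 +259,25 @@`), `basename()` from `<libgen.h>` is the POSIX variant, which may modify its argument and may return a pointer into it or into static storage; the `strdup()` copy is what makes the call safe, but nothing records that, so a later cleanup could drop the copy. A one-line comment above the `strdup()`, `/* POSIX basename() may modify its argument; work on a private copy */`, would pin the reason down. `out_path` is freed only on the success path; the leak on the mismatch branch is harmless because `exit(1)` follows, but a `free(out_path);` before that `exit(1)` would keep the two error branches symmetric. Whether `modpolicydb.name` can be NULL for a non-base module is not visible here; if it can, the `strcmp()` needs a guard. The enclosing function begins and ends outside the hunk.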
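Review bot: The `IPPROTO_DCCP` fallback in the `@@ -64,13 +64,16 @@` hunk is repeated verbatim in policy_define.c (its `@@ -36,6 +36,9 @@` hunk); one definition in a shared header would keep the literal in a single place. The value 33 is the IANA-assigned protocol number for DCCP, so it is correct, but a comment such as `/* IANA protocol number for DCCP; missing from older <netinet/in.h> */` would explain why a bare literal is acceptable here. Placing the guard after `<netinet/in.h>` is right, since that header is where a system definition would come from.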
@@ -919,6 +922,8 @@
 protocol = IPPROTO_TCP;
 else if (!strcmp(ans, "udp") || !strcmp(ans, "UDP"))
 protocol = IPPROTO_UDP;
+ else if (!strcmp(ans, "dccp") || !strcmp(ans, "DCCP"))
+ protocol = IPPROTO_DCCP;
 else {
 printf("unknown protocol\n");
 break;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/checkpolicy-2.5/policy_define.c new/checkpolicy-2.6/policy_define.c
--- old/checkpolicy-2.5/policy_define.c 2016-02-23 17:31:41.000000000 +0100
+++ new/checkpolicy-2.6/policy_define.c 2016-10-14 17:31:26.000000000 +0200
@@ -36,6 +36,9 @@
 #include <string.h>
 #include <sys/socket.h>
 #include <netinet/in.h>
+#ifndef IPPROTO_DCCP
+#define IPPROTO_DCCP 33
+#endif
 #include <arpa/inet.h>
 #include <stdlib.h>
 #include <limits.h>
@@ -2611,6 +2614,7 @@
 free(id);
 return -1;
 }
+ role = get_local_role(id, role->s.value, (role->flavor == ROLE_ATTRIB));
 while ((id = queue_remove(id_queue))) {
 if (set_types(&role->types, id, &add, 0))
@@ -4876,6 +4880,8 @@
 protocol = IPPROTO_TCP;
 } else if ((strcmp(id, "udp") == 0) || (strcmp(id, "UDP") == 0)) {
 protocol = IPPROTO_UDP;
+ } else if ((strcmp(id, "dccp") == 0) || (strcmp(id, "DCCP") == 0)) {
+ protocol = IPPROTO_DCCP;
 } else {
 yyerror2("unrecognized protocol %s", id);
 free(newc);
@@ -5135,7 +5141,7 @@
 memset(newc, 0, sizeof(ocontext_t));
-#ifdef DARWIN
+#ifdef __APPLE__
 memcpy(&newc->u.node6.addr[0], &addr.s6_addr[0], 16);
 memcpy(&newc->u.node6.mask[0], &mask.s6_addr[0], 16);
 #else
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/checkpolicy-2.5/policy_scan.l new/checkpolicy-2.6/policy_scan.l
--- old/checkpolicy-2.5/policy_scan.l 2016-02-23 17:31:41.000000000 +0100
+++ new/checkpolicy-2.6/policy_scan.l 2016-10-14 17:31:26.000000000 +0200
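Review bot: In the policy_define.c hunk `@@ -2611,6 +2614,7 @@`, the result of `get_local_role()` is assigned to `role` and then dereferenced by `set_types(&role->types, ...)` in the following loop with no NULL check; whether `get_local_role()` can return NULL is not visible here, but the preceding context lines show this function already fails with `free(id); return -1;`, so a guard of the form `if (!role) return -1;` (with a `yyerror` in the surrounding style) would be consistent with it. It is also not visible whether `get_local_role()` takes ownership of `id` or copies it; `id` is overwritten by `queue_remove()` right after the call, so if the callee does not keep or free it, the buffer leaks. The enclosing function begins and ends outside the hunk.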
@@ -249,9 +249,9 @@
 HIGH { return(HIGH); }
 low |
 LOW { return(LOW); }
-"/"({alnum}|[_\.\-/])* { return(PATH); }
-\""/"[ !#-~]*\" { return(QPATH); }
-\"({alnum}|[_\.\-\+\~\: ])+\" { return(FILENAME); }
+"/"[^ \n\r\t\f]* { return(PATH); }
+\""/"[^\"\n]*\" { return(QPATH); }
+\"[^"/"\"\n]+\" { return(FILENAME); }
 {letter}({alnum}|[_\-])*([\.]?({alnum}|[_\-]))* { return(IDENTIFIER); }
 {digit}+|0x{hexval}+ { return(NUMBER); }
 {alnum}*{letter}{alnum}* { return(FILESYSTEM); }
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/checkpolicy-2.5/test/dispol.c new/checkpolicy-2.6/test/dispol.c
--- old/checkpolicy-2.5/test/dispol.c 2016-02-23 17:31:41.000000000 +0100
+++ new/checkpolicy-2.6/test/dispol.c 2016-10-14 17:31:26.000000000 +0200
@@ -252,11 +252,11 @@
 int display_handle_unknown(policydb_t * p, FILE * out_fp)
 {
 if (p->handle_unknown == ALLOW_UNKNOWN)
- fprintf(out_fp, "Allow unknown classes and permisions\n");
+ fprintf(out_fp, "Allow unknown classes and permissions\n");
 else if (p->handle_unknown == DENY_UNKNOWN)
- fprintf(out_fp, "Deny unknown classes and permisions\n");
+ fprintf(out_fp, "Deny unknown classes and permissions\n");
 else if (p->handle_unknown == REJECT_UNKNOWN)
- fprintf(out_fp, "Reject unknown classes and permisions\n");
+ fprintf(out_fp, "Reject unknown classes and permissions\n");
 return 0;
 }
@@ -349,7 +349,7 @@
 printf("\nSelect a command:\n");
 printf("1) display unconditional AVTAB\n");
 printf("2) display conditional AVTAB (entirely)\n");
- printf("3) display conditional AVTAG (only ENABLED rules)\n");
+ printf("3) display conditional AVTAB (only ENABLED rules)\n");
 printf("4) display conditional AVTAB (only DISABLED rules)\n");
 printf("5) display conditional bools\n");
 printf("6) display conditional expressions\n");
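Review bot: The new PATH rule `"/"[^ \n\r\t\f]*` accepts every byte that is not whitespace — `;`, `{`, `}`, `"` and non-printable bytes included — and flex takes the longest match, so a path written directly against a delimiter is lexed as part of the PATH token rather than stopping at it; whether the grammar ever places a path immediately before such a delimiter is not visible here. The old class limited paths to identifier-like printable characters, so the rewrite widens what reaches the parser, and any later use of the token as a file-system name, without validation at the lexer. Inside a bracket expression flex treats `"` as an ordinary character, so the FILENAME class `[^"/"\"\n]` is equivalent to the clearer `[^/\"\n]`, giving `\"[^/\"\n]+\" { return(FILENAME); }`.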
