Hello community, here is the log from the commit of package checkpolicy for openSUSE:Factory checked in at 2020-03-11 18:31:04 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/checkpolicy (Old) and /work/SRC/openSUSE:Factory/.checkpolicy.new.3160 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "checkpolicy" Wed Mar 11 18:31:04 2020 rev:30 rq:781807 version:3.0 Changes: -------- --- /work/SRC/openSUSE:Factory/checkpolicy/checkpolicy.changes 2020-01-18 12:17:36.459122065 +0100 +++ /work/SRC/openSUSE:Factory/.checkpolicy.new.3160/checkpolicy.changes 2020-03-11 18:31:14.622858075 +0100 @@ -1,0 +2,8 @@ +Tue Mar 3 12:19:40 UTC 2020 - Johannes Segitz <[email protected]> + +- Update to version 3.0 + * add flag to enable policy optimization + * allow to write policy to stdout + * remove a redundant if-condition + +------------------------------------------------------------------- Old: ---- checkpolicy-2.9.tar.gz New: ---- checkpolicy-3.0.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ checkpolicy.spec ++++++ --- /var/tmp/diff_new_pack.FQlp8r/_old 2020-03-11 18:31:15.650858706 +0100 +++ /var/tmp/diff_new_pack.FQlp8r/_new 2020-03-11 18:31:15.658858711 +0100 @@ -1,7 +1,7 @@ # # spec file for package checkpolicy # -# Copyright (c) 2020 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2020 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed 
@@ -16,15 +16,15 @@ # -%define libsepol_ver 2.9 +%define libsepol_ver 3.0 Name: checkpolicy -Version: 2.9 +Version: 3.0 Release: 0 Summary: SELinux policy compiler License: GPL-2.0-or-later Group: Productivity/Security -Url: https://github.com/SELinuxProject/selinux -Source0: https://github.com/SELinuxProject/selinux/releases/download/20190315/%{name}-%{version}.tar.gz +URL: https://github.com/SELinuxProject/selinux +Source0: https://github.com/SELinuxProject/selinux/releases/download/20191204/%{name}-%{version}.tar.gz Source1: checkpolicy-tests.tar.gz Patch0: extern_te_assert_t.patch BuildRequires: bison ++++++ checkpolicy-2.9.tar.gz -> checkpolicy-3.0.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/checkpolicy-2.9/VERSION new/checkpolicy-3.0/VERSION --- old/checkpolicy-2.9/VERSION 2019-03-15 11:32:30.000000000 +0100 +++ new/checkpolicy-3.0/VERSION 2019-11-28 13:46:48.000000000 +0100 @@ -1 +1 @@ -2.9 +3.0 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/checkpolicy-2.9/checkmodule.8 new/checkpolicy-3.0/checkmodule.8 --- old/checkpolicy-2.9/checkmodule.8 2019-03-15 11:32:30.000000000 +0100 +++ new/checkpolicy-3.0/checkmodule.8 2019-11-28 13:46:48.000000000 +0100 @@ -38,7 +38,7 @@ Enable the MLS/MCS support when checking and compiling the policy module. .TP .B \-V,\-\-version - Show policy versions created by this program. Note that you cannot currently build older versions. +Show policy versions created by this program. .TP .B \-o,\-\-output filename Write a binary policy module file to the specified filename. @@ -47,6 +47,9 @@ .TP .B \-U,\-\-handle-unknown <action> Specify how the kernel should handle unknown classes or permissions (deny, allow or reject). +.TP +.B \-c policyvers +Specify the policy version, defaults to the latest. .SH EXAMPLE .nf 
@@ -56,8 +59,7 @@
 .SH "SEE ALSO"
 .B semodule(8), semodule_package(8)
-SELinux documentation at http://www.nsa.gov/research/selinux,
-especially "Configuring the SELinux Policy".
+SELinux Reference Policy documentation at https://github.com/SELinuxProject/refpolicy/wiki
 .SH AUTHOR
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/checkpolicy-2.9/checkmodule.c new/checkpolicy-3.0/checkmodule.c
--- old/checkpolicy-2.9/checkmodule.c 2019-03-15 11:32:30.000000000 +0100
+++ new/checkpolicy-3.0/checkmodule.c 2019-11-28 13:46:48.000000000 +0100
@@ -142,6 +142,8 @@
 printf(" -m build a policy module instead of a base module\n");
 printf(" -M enable MLS policy\n");
 printf(" -o FILE write module to FILE (else just check syntax)\n");
+ printf(" -c VERSION build a policy module targeting a modular policy version (%d-%d)\n",
+ MOD_POLICYDB_VERSION_MIN, MOD_POLICYDB_VERSION_MAX);
 exit(1);
 }
@@ -163,7 +165,7 @@
 {NULL, 0, NULL, 0}
 };
- while ((ch = getopt_long(argc, argv, "ho:bVU:mMC", long_options, NULL)) != -1) {
+ while ((ch = getopt_long(argc, argv, "ho:bVU:mMCc:", long_options, NULL)) != -1) {
 switch (ch) {
 case 'h':
 usage(argv[0]);
@@ -194,7 +196,6 @@
 usage(argv[0]);
 case 'm':
 policy_type = POLICY_MOD;
- policyvers = MOD_POLICYDB_VERSION_MAX;
 break;
 case 'M':
 mlspol = 1;
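Review bot: With `policyvers = MOD_POLICYDB_VERSION_MAX;` removed from `case 'm'` in the @@ -194 hunk, the version of a module built without `-c` now depends entirely on the initializer of `policyvers`, which is declared outside this hunk; the checkmodule.8 hunk earlier in this commit promises the option "defaults to the latest", so that initializer must be MOD_POLICYDB_VERSION_MAX for base and non-base modules alike, which is worth confirming. A comment at the case would make the dependency visible: `/* policyvers keeps its default unless -c overrides it */`. The usage text added in the @@ -142 hunk is the only place the accepted range is shown to the user, so keep it in step with the range check that the next hunk introduces. The enclosing main() starts and ends outside these hunks.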
@@ -202,6 +203,29 @@
 case 'C':
 cil = 1;
 break;
+ case 'c': {
+ long int n;
+ errno = 0;
+ n = strtol(optarg, NULL, 10);
+ if (errno) {
+ fprintf(stderr,
+ "Invalid policyvers specified: %s\n",
+ optarg);
+ usage(argv[0]);
+ }
+
+ if (n < MOD_POLICYDB_VERSION_MIN
+ || n > MOD_POLICYDB_VERSION_MAX) {
+ fprintf(stderr,
+ "policyvers value %ld not in range %d-%d\n",
+ n, MOD_POLICYDB_VERSION_MIN,
+ MOD_POLICYDB_VERSION_MAX);
+ usage(argv[0]);
+ }
+
+ policyvers = n;
+ break;
+ }
 default:
 usage(argv[0]);
 }
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/checkpolicy-2.9/checkpolicy.8 new/checkpolicy-3.0/checkpolicy.8
--- old/checkpolicy-2.9/checkpolicy.8 2019-03-15 11:32:30.000000000 +0100
+++ new/checkpolicy-3.0/checkpolicy.8 2019-11-28 13:46:48.000000000 +0100
@@ -3,7 +3,7 @@
 checkpolicy \- SELinux policy compiler
 .SH SYNOPSIS
 .B checkpolicy
-.I "[\-b[F]] [\-C] [\-d] [\-U handle_unknown (allow,deny,reject)] [\-M] [\-c policyvers] [\-o output_file] [\-S] [\-t target_platform (selinux,xen)] [\-V] [input_file]"
+.I "[\-b[F]] [\-C] [\-d] [\-U handle_unknown (allow,deny,reject)] [\-M] [\-c policyvers] [\-o output_file|\-] [\-S] [\-t target_platform (selinux,xen)] [\-V] [input_file]"
 .br
 .SH "DESCRIPTION"
 This manual page describes the
@@ -40,7 +40,9 @@
 Specify the policy version, defaults to the latest.
 .TP
 .B \-o,\-\-output filename
-Write a binary policy file to the specified filename.
+Write a policy file (binary, policy.conf, or CIL policy)
+to the specified filename. If - is given as filename,
+write it to standard output.
 .TP
 .B \-S,\-\-sort
 Sort ocontexts before writing out the binary policy. This option makes output of checkpolicy consistent with binary policies created by semanage and secilc.
@@ -48,6 +50,9 @@
 .B \-t,\-\-target
 Specify the target platform (selinux or xen).
 .TP
+.B \-O,\-\-optimize
+Optimize the final kernel policy (remove redundant rules).
+.TP
 .B \-V,\-\-version
 Show version information.
 .TP
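Review bot: The `-c` parser in `case 'c'` accepts trailing garbage and empty input, because `strtol(optarg, NULL, 10)` is validated only through errno: `-c 17abc` is silently taken as 17, and `-c ""` yields 0 with errno clear, leaving the range check as the only guard. Pass an end pointer and reject anything that is not a complete number: `char *end; n = strtol(optarg, &end, 10);` followed by `if (errno || end == optarg || *end != '\0') {` in place of `if (errno) {`. The rest of the hunk is sound, since `usage()` terminates the program (its `exit(1)` is visible in the @@ -142 hunk above) and the range check bounds `n` before it is stored in `policyvers`. main() starts and ends outside this hunk.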
@@ -55,8 +60,7 @@
 Show usage information.
 .SH "SEE ALSO"
-SELinux documentation at http://www.nsa.gov/research/selinux,
-especially "Configuring the SELinux Policy".
+SELinux Reference Policy documentation at https://github.com/SELinuxProject/refpolicy/wiki
 .SH AUTHOR
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/checkpolicy-2.9/checkpolicy.c new/checkpolicy-3.0/checkpolicy.c
--- old/checkpolicy-2.9/checkpolicy.c 2019-03-15 11:32:30.000000000 +0100
+++ new/checkpolicy-3.0/checkpolicy.c 2019-11-28 13:46:48.000000000 +0100
@@ -112,7 +112,7 @@
 {
 printf ("usage: %s [-b[F]] [-C] [-d] [-U handle_unknown (allow,deny,reject)] [-M] "
- "[-c policyvers (%d-%d)] [-o output_file] [-S] "
+ "[-c policyvers (%d-%d)] [-o output_file|-] [-S] "
 "[-t target_platform (selinux,xen)] [-V] [input_file]\n",
 progname, POLICYDB_VERSION_MIN, POLICYDB_VERSION_MAX);
 exit(1);
@@ -390,11 +390,12 @@
 struct sepol_av_decision avd;
 class_datum_t *cladatum;
 const char *file = txtfile;
- char ans[80 + 1], *outfile = NULL, *path, *fstype;
+ char ans[80 + 1], *path, *fstype;
+ const char *outfile = NULL;
 size_t scontext_len, pathlen;
 unsigned int i;
 unsigned int protocol, port;
- unsigned int binary = 0, debug = 0, sort = 0, cil = 0, conf = 0;
+ unsigned int binary = 0, debug = 0, sort = 0, cil = 0, conf = 0, optimize = 0;
 struct val_to_name v;
 int ret, ch, fd, target = SEPOL_TARGET_SELINUX;
 unsigned int nel, uret;
@@ -419,11 +420,12 @@
 {"cil", no_argument, NULL, 'C'},
 {"conf",no_argument, NULL, 'F'},
 {"sort", no_argument, NULL, 'S'},
+ {"optimize", no_argument, NULL, 'O'},
 {"help", no_argument, NULL, 'h'},
 {NULL, 0, NULL, 0}
 };
- while ((ch = getopt_long(argc, argv, "o:t:dbU:MCFSVc:h", long_options, NULL)) != -1) {
+ while ((ch = getopt_long(argc, argv, "o:t:dbU:MCFSVc:Oh", long_options, NULL)) != -1) {
 switch (ch) {
 case 'o':
 outfile = optarg;
@@ -466,6 +468,9 @@
 case 'S':
 sort = 1;
 break;
+ case 'O':
+ optimize = 1;
+ break;
 case 'M':
 mlspol = 1;
 break;
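Review bot: The usage string in the @@ -112 hunk of checkpolicy.c is updated for `-o output_file|-` but not for the new `-O` option that the @@ -419 and @@ -466 hunks add to the getopt string and the switch, so `checkpolicy -h` will not advertise `--optimize`; the SYNOPSIS line of checkpolicy.8 in the earlier hunk has the same omission even though the option's .TP entry was added. Add `[-O]` to the format string, e.g. `"[-c policyvers (%d-%d)] [-o output_file|-] [-S] [-O] "`, and the matching `[\-O]` to the man page synopsis. usage() and main() both extend outside these hunks.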
@@ -625,12 +630,25 @@
 if (policydb_load_isids(&policydb, &sidtab))
 exit(1);
- if (outfile) {
- outfp = fopen(outfile, "w");
- if (!outfp) {
- perror(outfile);
+ if (optimize && policydbp->policy_type == POLICY_KERN) {
+ ret = policydb_optimize(policydbp);
+ if (ret) {
+ fprintf(stderr, "%s: error optimizing policy\n", argv[0]);
 exit(1);
 }
+ }
+
+ if (outfile) {
+ if (!strcmp(outfile, "-")) {
+ outfp = stdout;
+ outfile = "<STDOUT>";
+ } else {
+ outfp = fopen(outfile, "w");
+ if (!outfp) {
+ perror(outfile);
+ exit(1);
+ }
+ }
 policydb.policyvers = policyvers;
@@ -670,7 +688,7 @@
 }
 }
- if (outfile) {
+ if (outfp != stdout) {
 fclose(outfp);
 }
 } else if (cil) {
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/checkpolicy-2.9/parse_util.c new/checkpolicy-3.0/parse_util.c
--- old/checkpolicy-2.9/parse_util.c 2019-03-15 11:32:30.000000000 +0100
+++ new/checkpolicy-3.0/parse_util.c 2019-11-28 13:46:48.000000000 +0100
@@ -69,9 +69,6 @@
 }
 queue_destroy(id_queue);
- if (policydb_errors)
- return -1;
-
 fclose(yyin);
 return 0;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/checkpolicy-2.9/policy_define.c new/checkpolicy-3.0/policy_define.c
--- old/checkpolicy-2.9/policy_define.c 2019-03-15 11:32:30.000000000 +0100
+++ new/checkpolicy-3.0/policy_define.c 2019-11-28 13:46:48.000000000 +0100
@@ -1210,10 +1210,7 @@
 flags = TYPE_FLAGS_EXPAND_ATTR_FALSE;
 }
- ebitmap_for_each_bit(&attrs, node, i) {
- if (!ebitmap_node_get_bit(node, i)){
- continue;
- }
+ ebitmap_for_each_positive_bit(&attrs, node, i) {
 attr = hashtab_search(policydbp->p_types.table,
 policydbp->sym_val_to_name[SYM_TYPES][i]);
 attr->flags |= flags;
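Review bot: When `outfile` is `-`, `outfp` aliases `stdout`, so any progress message that main() still emits with `printf` (none is visible in this hunk, so this needs confirming against the rest of the function) would be interleaved with the policy bytes and corrupt a binary policy that is piped to another tool; such messages should be routed to stderr whenever `outfp == stdout`. A smaller point in the same hunk: `-O` is silently ignored unless `policydbp->policy_type == POLICY_KERN`, and an else branch with `fprintf(stderr, "%s: -O has no effect on a non-kernel policy\n", argv[0]);` would tell the user why nothing changed. main() starts and ends outside this hunk.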
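Review bot: The new `if (outfp != stdout)` in the @@ -670 hunk relies on exit-time flushing for the stdout case and never checks the stream for a write error, so a failed write to a pipe or a full disk goes unreported; the file branch has the same gap because the `fclose` return value is ignored. Replace the block with `if (outfp != stdout ? fclose(outfp) : fflush(outfp)) { perror(outfile); exit(1); }` (in the stdout case `outfile` is `"<STDOUT>"` per the previous hunk), or test `ferror(outfp)` before closing. For a policy compiler a silently truncated output is worth a hard failure rather than a confusing error at load time. main() continues outside the hunk.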
@@ -1673,19 +1670,17 @@ } free(id); - ebitmap_for_each_bit(&tclasses, node, i) { - if (ebitmap_node_get_bit(node, i)) { - perm = malloc(sizeof(class_perm_node_t)); - if (!perm) { - yyerror("out of memory"); - goto bad; - } - class_perm_node_init(perm); - perm->tclass = i + 1; - perm->data = datum->s.value; - perm->next = avrule->perms; - avrule->perms = perm; + ebitmap_for_each_positive_bit(&tclasses, node, i) { + perm = malloc(sizeof(class_perm_node_t)); + if (!perm) { + yyerror("out of memory"); + goto bad; } + class_perm_node_init(perm); + perm->tclass = i + 1; + perm->data = datum->s.value; + perm->next = avrule->perms; + avrule->perms = perm; } ebitmap_destroy(&tclasses); @@ -2027,7 +2022,7 @@ return -1; if (avrule_merge_ioctls(&rangehead)) return -1; - /* flip ranges if these are ommited*/ + /* flip ranges if these are omitted */ if (omit) { if (avrule_omit_ioctls(&rangehead)) return -1; @@ -2101,9 +2096,7 @@ perms = NULL; id = queue_head(id_queue); - ebitmap_for_each_bit(&tclasses, node, i) { - if (!ebitmap_node_get_bit(node, i)) - continue; + ebitmap_for_each_positive_bit(&tclasses, node, i) { cur_perms = (class_perm_node_t *) malloc(sizeof(class_perm_node_t)); if (!cur_perms) { @@ -2196,7 +2189,7 @@ /* * using definitions found in kernel document ioctl-number.txt * The kernel components of an ioctl command are: - * dir, size, driver, and fucntion. Only the driver and function fields + * dir, size, driver, and function. Only the driver and function fields * are considered here */ #define IOC_DRIV(x) (x >> 8) @@ -2565,9 +2558,7 @@ goto out; perms = NULL; - ebitmap_for_each_bit(&tclasses, node, i) { - if (!ebitmap_node_get_bit(node, i)) - continue; + ebitmap_for_each_positive_bit(&tclasses, node, i) { cur_perms = (class_perm_node_t *) malloc(sizeof(class_perm_node_t)); if (!cur_perms) { 
@@ -2586,9 +2577,7 @@ while ((id = queue_remove(id_queue))) { cur_perms = perms; - ebitmap_for_each_bit(&tclasses, node, i) { - if (!ebitmap_node_get_bit(node, i)) - continue; + ebitmap_for_each_positive_bit(&tclasses, node, i) { cladatum = policydbp->class_val_to_struct[i]; if (strcmp(id, "*") == 0) { @@ -2930,17 +2919,13 @@ return -1; } /* raise types and dominates from dominated role */ - ebitmap_for_each_bit(&rdp->dominates, node, i) { - if (ebitmap_node_get_bit(node, i)) - if (ebitmap_set_bit - (&rdatum->dominates, i, TRUE)) - goto oom; + ebitmap_for_each_positive_bit(&rdp->dominates, node, i) { + if (ebitmap_set_bit(&rdatum->dominates, i, TRUE)) + goto oom; } - ebitmap_for_each_bit(&types, node, i) { - if (ebitmap_node_get_bit(node, i)) - if (ebitmap_set_bit - (&rdatum->types.types, i, TRUE)) - goto oom; + ebitmap_for_each_positive_bit(&types, node, i) { + if (ebitmap_set_bit(&rdatum->types.types, i, TRUE)) + goto oom; } ebitmap_destroy(&types); } @@ -3018,20 +3003,17 @@ if (r) { ebitmap_t types; ebitmap_init(&types); - ebitmap_for_each_bit(&r->dominates, node, i) { - if (ebitmap_node_get_bit(node, i)) - if (ebitmap_set_bit(&role->dominates, i, TRUE)) - goto oom; + ebitmap_for_each_positive_bit(&r->dominates, node, i) { + if (ebitmap_set_bit(&role->dominates, i, TRUE)) + goto oom; } if (type_set_expand(&r->types, &types, policydbp, 1)) { ebitmap_destroy(&types); return NULL; } - ebitmap_for_each_bit(&types, node, i) { - if (ebitmap_node_get_bit(node, i)) - if (ebitmap_set_bit - (&role->types.types, i, TRUE)) - goto oom; + ebitmap_for_each_positive_bit(&types, node, i) { + if (ebitmap_set_bit(&role->types.types, i, TRUE)) + goto oom; } ebitmap_destroy(&types); if (!r->s.value) { 
@@ -3214,15 +3196,9 @@ if (type_set_expand(&types, &e_types, policydbp, 1)) goto bad; - ebitmap_for_each_bit(&e_roles, rnode, i) { - if (!ebitmap_node_get_bit(rnode, i)) - continue; - ebitmap_for_each_bit(&e_types, tnode, j) { - if (!ebitmap_node_get_bit(tnode, j)) - continue; - ebitmap_for_each_bit(&e_classes, cnode, k) { - if (!ebitmap_node_get_bit(cnode, k)) - continue; + ebitmap_for_each_positive_bit(&e_roles, rnode, i) { + ebitmap_for_each_positive_bit(&e_types, tnode, j) { + ebitmap_for_each_positive_bit(&e_classes, cnode, k) { for (tr = policydbp->role_tr; tr; tr = tr->next) { if (tr->role == (i + 1) && @@ -3401,25 +3377,18 @@ goto bad; } - /* We expand the class set into seperate rules. We expand the types + /* We expand the class set into separate rules. We expand the types * just to make sure there are not duplicates. They will get turned - * into seperate rules later */ + * into separate rules later */ if (type_set_expand(&stypes, &e_stypes, policydbp, 1)) goto bad; if (type_set_expand(&ttypes, &e_ttypes, policydbp, 1)) goto bad; - ebitmap_for_each_bit(&e_tclasses, cnode, c) { - if (!ebitmap_node_get_bit(cnode, c)) - continue; - ebitmap_for_each_bit(&e_stypes, snode, s) { - if (!ebitmap_node_get_bit(snode, s)) - continue; - ebitmap_for_each_bit(&e_ttypes, tnode, t) { - if (!ebitmap_node_get_bit(tnode, t)) - continue; - + ebitmap_for_each_positive_bit(&e_tclasses, cnode, c) { + ebitmap_for_each_positive_bit(&e_stypes, snode, s) { + ebitmap_for_each_positive_bit(&e_ttypes, tnode, t) { ft = calloc(1, sizeof(*ft)); if (!ft) { yyerror("out of memory"); 
@@ -3652,39 +3621,36 @@ } while ((id = queue_remove(id_queue))) { - ebitmap_for_each_bit(&classmap, enode, i) { - if (ebitmap_node_get_bit(enode, i)) { - cladatum = policydbp->class_val_to_struct[i]; - node = cladatum->constraints; - - perdatum = - (perm_datum_t *) hashtab_search(cladatum-> - permissions. - table, - (hashtab_key_t) - id); + ebitmap_for_each_positive_bit(&classmap, enode, i) { + cladatum = policydbp->class_val_to_struct[i]; + node = cladatum->constraints; + + perdatum = + (perm_datum_t *) hashtab_search(cladatum-> + permissions. + table, + (hashtab_key_t) + id); + if (!perdatum) { + if (cladatum->comdatum) { + perdatum = + (perm_datum_t *) + hashtab_search(cladatum-> + comdatum-> + permissions. + table, + (hashtab_key_t) + id); + } if (!perdatum) { - if (cladatum->comdatum) { - perdatum = - (perm_datum_t *) - hashtab_search(cladatum-> - comdatum-> - permissions. - table, - (hashtab_key_t) - id); - } - if (!perdatum) { - yyerror2("permission %s is not" - " defined", id); - free(id); - ebitmap_destroy(&classmap); - return -1; - } + yyerror2("permission %s is not" + " defined", id); + free(id); + ebitmap_destroy(&classmap); + return -1; } - node->permissions |= - (1 << (perdatum->s.value - 1)); } + node->permissions |= (1 << (perdatum->s.value - 1)); } free(id); } @@ -4179,10 +4145,9 @@ } /* set the role and every role it dominates */ - ebitmap_for_each_bit(&r->dominates, node, i) { - if (ebitmap_node_get_bit(node, i)) - if (ebitmap_set_bit(&set->roles, i, TRUE)) - goto oom; + ebitmap_for_each_positive_bit(&r->dominates, node, i) { + if (ebitmap_set_bit(&set->roles, i, TRUE)) + goto oom; } free(id); return 0; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/checkpolicy-2.9/policy_parse.y new/checkpolicy-3.0/policy_parse.y --- old/checkpolicy-2.9/policy_parse.y 2019-03-15 11:32:30.000000000 +0100 +++ new/checkpolicy-3.0/policy_parse.y 2019-11-28 13:46:48.000000000 +0100 
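Review bot: `node->permissions |= (1 << (perdatum->s.value - 1));` in the @@ -3652 hunk shifts a signed int; if `perdatum->s.value` can reach 32 (the width of an access vector), this becomes `1 << 31`, which is undefined behaviour in C11 and is flagged by UBSan, independent of the ebitmap_for_each_positive_bit conversion this commit performs. Use an unsigned constant: `node->permissions |= (1U << (perdatum->s.value - 1));`. The enclosing function starts and ends outside the hunk, and the other hunks in this file (@@ -1210 through @@ -4179) are mechanical loop conversions that look behaviour-preserving.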
@@ -155,7 +155,7 @@ %token PERMISSIVE %token FILESYSTEM %token DEFAULT_USER DEFAULT_ROLE DEFAULT_TYPE DEFAULT_RANGE -%token LOW_HIGH LOW HIGH +%token LOW_HIGH LOW HIGH GLBLUB %left OR %left XOR @@ -247,6 +247,8 @@ {if (define_default_range(DEFAULT_TARGET_HIGH)) return -1; } | DEFAULT_RANGE names TARGET LOW_HIGH ';' {if (define_default_range(DEFAULT_TARGET_LOW_HIGH)) return -1; } + | DEFAULT_RANGE names GLBLUB';' + {if (define_default_range(DEFAULT_GLBLUB)) return -1; } ; opt_mls : mls | diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/checkpolicy-2.9/policy_scan.l new/checkpolicy-3.0/policy_scan.l --- old/checkpolicy-2.9/policy_scan.l 2019-03-15 11:32:30.000000000 +0100 +++ new/checkpolicy-3.0/policy_scan.l 2019-11-28 13:46:48.000000000 +0100 @@ -256,6 +256,8 @@ HIGH { return(HIGH); } low | LOW { return(LOW); } +glblub | +GLBLUB { return(GLBLUB); } "/"[^ \n\r\t\f]* { return(PATH); } \""/"[^\"\n]*\" { return(QPATH); } \"[^"/"\"\n]+\" { return(FILENAME); } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/checkpolicy-2.9/ru/checkmodule.8 new/checkpolicy-3.0/ru/checkmodule.8 --- old/checkpolicy-2.9/ru/checkmodule.8 2019-03-15 11:32:30.000000000 +0100 +++ new/checkpolicy-3.0/ru/checkmodule.8 2019-11-28 13:46:48.000000000 +0100 @@ -46,8 +46,7 @@ .SH "СМОТРИТЕ ТАКЖЕ" .B semodule(8), semodule_package(8) -Документация SELinux по адресу http://www.nsa.gov/research/selinux, -в частности - "Настройка политики SELinux". +Документация SELinux Reference Policy по адресу https://github.com/SELinuxProject/refpolicy/wiki .SH АВТОРЫ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/checkpolicy-2.9/ru/checkpolicy.8 new/checkpolicy-3.0/ru/checkpolicy.8 --- old/checkpolicy-2.9/ru/checkpolicy.8 2019-03-15 11:32:30.000000000 +0100 +++ new/checkpolicy-3.0/ru/checkpolicy.8 2019-11-28 13:46:48.000000000 +0100 
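Review bot: The new alternative `| DEFAULT_RANGE names GLBLUB';'` in the @@ -247 hunk omits the space before `';'` that every neighbouring alternative has (`TARGET LOW_HIGH ';'`); write it as `| DEFAULT_RANGE names GLBLUB ';'` for consistency. The scanner hunk follows the existing `low | LOW` pattern, and `DEFAULT_GLBLUB` presumably comes from the libsepol headers, which is consistent with the spec's bump of `libsepol_ver` to 3.0 above. The enclosing grammar rule starts outside the hunk.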
@@ -3,7 +3,7 @@ checkpolicy \- компилятор политики SELinux .SH ОБЗОР .B checkpolicy -.I "[\-b[F]] [\-C] [\-d] [\-M] [\-c policyvers] [\-o output_file] [input_file]" +.I "[\-b[F]] [\-C] [\-d] [\-U handle_unknown (allow,deny,reject)] [\-M] [\-c policyvers] [\-o output_file] [\-S] [\-t target_platform (selinux,xen)] [\-V] [input_file]" .br .SH "ОПИСАНИЕ" Эта страница руководства содержит описание команды @@ -17,30 +17,33 @@ .B \-b,\-\-binary Прочитать существующий двоичный файл политики, а не исходный файл policy.conf. .TP +.B \-F,\-\-conf +Записать файл policy.conf, а не двоичный файл политики. Этот параметр можно использовать только при работе с двоичным файлом политики. +.TP .B \-C,\-\-cil Записать файл политики CIL, а не двоичный файл политики. .TP .B \-d,\-\-debug Войти в режим отладки после загрузки политики. .TP -.B \-F,\-\-conf -Записать файл policy.conf, а не двоичный файл политики. Этот параметр можно использовать только при работе с двоичным файлом политики. +.B \-U,\-\-handle-unknown <action> +Указать, как ядро должно обрабатывать неизвестные классы или разрешения (запрещать, разрешать или отклонять). .TP .B \-M,\-\-mls Включить политику MLS при проверке и компиляции политики. .TP +.B \-c policyvers +Указать версию политики (по умолчанию используется последняя). +.TP .B \-o,\-\-output filename Записать двоичный файл политики с указанным именем файла. .TP -.B \-c policyvers -Указать версию политики (по умолчанию используется последняя). +.B \-S,\-\-sort +Сортировать прочие контексты (ocontexts) перед записью двоичной политики. Этот параметр позволяет задать соответствие вывода checkpolicy двоичным политикам, созданным с помощью semanage и secilc. .TP .B \-t,\-\-target Указать целевую платформу (selinux или xen). .TP -.B \-U,\-\-handle-unknown <action> -Указать, как ядро должно обрабатывать неизвестные классы или разрешения (запрещать, разрешать или отклонять). -.TP .B \-V,\-\-version Показать сведения о версии. .TP 
@@ -48,9 +51,7 @@
 Показать сведения об использовании.
 .SH "СМОТРИТЕ ТАКЖЕ"
-Документация SELinux по адресу http://www.nsa.gov/research/selinux,
-в частности - "Настройка политики SELinux".
-
+Документация SELinux Reference Policy по адресу https://github.com/SELinuxProject/refpolicy/wiki
 .SH АВТОРЫ
 Эта страница руководства была написана Arpad Magosanyi <[email protected]>,
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/checkpolicy-2.9/test/dismod.c new/checkpolicy-3.0/test/dismod.c
--- old/checkpolicy-2.9/test/dismod.c 2019-03-15 11:32:30.000000000 +0100
+++ new/checkpolicy-3.0/test/dismod.c 2019-11-28 13:46:48.000000000 +0100
@@ -825,15 +825,13 @@
 unsigned int i;
 fprintf(fp, "policy capabilities:\n");
- ebitmap_for_each_bit(&p->policycaps, node, i) {
- if (ebitmap_node_get_bit(node, i)) {
- capname = sepol_polcap_getname(i);
- if (capname == NULL) {
- snprintf(buf, sizeof(buf), "unknown (%d)", i);
- capname = buf;
- }
- fprintf(fp, "\t%s\n", capname);
+ ebitmap_for_each_positive_bit(&p->policycaps, node, i) {
+ capname = sepol_polcap_getname(i);
+ if (capname == NULL) {
+ snprintf(buf, sizeof(buf), "unknown (%d)", i);
+ capname = buf;
 }
+ fprintf(fp, "\t%s\n", capname);
 }
 }
@@ -903,14 +901,14 @@
 }
 if (policydb.policy_type == POLICY_BASE) {
- printf("Binary base policy file loaded.\n\n");
+ printf("Binary base policy file loaded.\n");
 } else {
 printf("Binary policy module file loaded.\n");
 printf("Module name: %s\n", policydb.name);
 printf("Module version: %s\n", policydb.version);
- printf("\n");
 }
+ printf("Policy version: %d\n\n", policydb.policyvers);
 menu();
 for (;;) {
 printf("\nCommand (\'m\' for menu): ");
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/checkpolicy-2.9/test/dispol.c new/checkpolicy-3.0/test/dispol.c
--- old/checkpolicy-2.9/test/dispol.c 2019-03-15 11:32:30.000000000 +0100
+++ new/checkpolicy-3.0/test/dispol.c 2019-11-28 13:46:48.000000000 +0100
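Review bot: `printf("Policy version: %d\n\n", policydb.policyvers);` in the @@ -903 hunk of test/dismod.c prints the version field with `%d`; if libsepol declares that field `unsigned int` (to be confirmed against the headers this build uses), the specifier should be `%u` so the call is well-defined and clean under -Wformat. The `snprintf(buf, sizeof(buf), "unknown (%d)", i)` line re-added in the @@ -825 hunk has the same mismatch for certain, because `i` is declared `unsigned int` in that hunk's context, and the identical line appears in the test/dispol.c hunk that follows; `%u` fixes all three. Both enclosing functions extend outside the hunks.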
@@ -282,15 +282,13 @@
 unsigned int i;
 fprintf(fp, "policy capabilities:\n");
- ebitmap_for_each_bit(&p->policycaps, node, i) {
- if (ebitmap_node_get_bit(node, i)) {
- capname = sepol_polcap_getname(i);
- if (capname == NULL) {
- snprintf(buf, sizeof(buf), "unknown (%d)", i);
- capname = buf;
- }
- fprintf(fp, "\t%s\n", capname);
+ ebitmap_for_each_positive_bit(&p->policycaps, node, i) {
+ capname = sepol_polcap_getname(i);
+ if (capname == NULL) {
+ snprintf(buf, sizeof(buf), "unknown (%d)", i);
+ capname = buf;
 }
+ fprintf(fp, "\t%s\n", capname);
 }
 }
@@ -307,12 +305,10 @@
 unsigned int i;
 fprintf(fp, "permissive sids:\n");
- ebitmap_for_each_bit(&p->permissive_map, node, i) {
- if (ebitmap_node_get_bit(node, i)) {
- fprintf(fp, "\t");
- display_id(p, fp, SYM_TYPES, i - 1, "");
- fprintf(fp, "\n");
- }
+ ebitmap_for_each_positive_bit(&p->permissive_map, node, i) {
+ fprintf(fp, "\t");
+ display_id(p, fp, SYM_TYPES, i - 1, "");
+ fprintf(fp, "\n");
 }
 }
