Hello community, here is the log from the commit of package checkpolicy for openSUSE:Factory checked in at 2013-03-08 09:08:15 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/checkpolicy (Old) and /work/SRC/openSUSE:Factory/.checkpolicy.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "checkpolicy", Maintainer is "[email protected]" Changes: -------- --- /work/SRC/openSUSE:Factory/checkpolicy/checkpolicy.changes 2012-08-10 19:00:50.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.checkpolicy.new/checkpolicy.changes 2013-03-08 09:08:16.000000000 +0100 @@ -1,0 +2,9 @@ +Wed Jan 30 11:40:10 UTC 2013 - [email protected] + +- update to 2.1.11 + * fd leak reading policy + * check return code on ebitmap_set_bit + * sepolgen: We need to support files that have a + in them + * implement new default labeling behaviors for usr, role, range + +------------------------------------------------------------------- Old: ---- checkpolicy-2.1.8.tar.gz New: ---- checkpolicy-2.1.11.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ checkpolicy.spec ++++++ --- /var/tmp/diff_new_pack.yv0OiF/_old 2013-03-08 09:08:17.000000000 +0100 +++ /var/tmp/diff_new_pack.yv0OiF/_new 2013-03-08 09:08:17.000000000 +0100 @@ -1,7 +1,7 @@ # # spec file for package checkpolicy # -# Copyright (c) 2012 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed 
@@ -16,14 +16,14 @@ # -%define libsepol_ver 2.1.4 +%define libsepol_ver 2.1.8 BuildRequires: bison BuildRequires: flex-old BuildRequires: libselinux-devel BuildRequires: libsepol-devel-static >= %{libsepol_ver} Name: checkpolicy -Version: 2.1.8 +Version: 2.1.11 Release: 0 Url: http://userspace.selinuxproject.org/ Summary: SELinux policy compiler ++++++ checkpolicy-2.1.8.tar.gz -> checkpolicy-2.1.11.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/checkpolicy-2.1.8/Android.mk new/checkpolicy-2.1.11/Android.mk --- old/checkpolicy-2.1.8/Android.mk 1970-01-01 01:00:00.000000000 +0100 +++ new/checkpolicy-2.1.11/Android.mk 2012-09-14 19:41:22.000000000 +0200 
@@ -0,0 +1,62 @@ +LOCAL_PATH:= $(call my-dir) + +common_src_files := \ + policy_parse.y \ + policy_scan.l \ + queue.c \ + module_compiler.c \ + parse_util.c \ + policy_define.c + +common_cflags := \ + -Wall -Wshadow -O2 \ + -pipe -fno-strict-aliasing \ + -Wno-return-type + +ifeq ($(HOST_OS),darwin) +common_cflags += -DDARWIN +endif + +common_includes := \ + $(LOCAL_PATH)/ \ + $(LOCAL_PATH)/../libsepol/include/ \ + $(LOCAL_PATH)/../libsepol/src/ \ + +## +# "-x c" forces the lex/yacc files to be compiled as c +# the build system otherwise forces them to be c++ +yacc_flags := -x c + + +## +# checkpolicy +# +include $(CLEAR_VARS) + +LOCAL_MODULE := checkpolicy +LOCAL_MODULE_TAGS := optional +LOCAL_C_INCLUDES := $(common_includes) +LOCAL_CFLAGS := $(yacc_flags) $(common_cflags) +LOCAL_SRC_FILES := $(common_src_files) checkpolicy.c +LOCAL_STATIC_LIBRARIES := libsepol +LOCAL_YACCFLAGS := -v +LOCAL_MODULE_CLASS := EXECUTABLES + +include $(BUILD_HOST_EXECUTABLE) + + +## +# checkmodule +# +include $(CLEAR_VARS) + +LOCAL_MODULE := checkmodule +LOCAL_MODULE_TAGS := optional +LOCAL_C_INCLUDES := $(common_includes) +LOCAL_CFLAGS := $(yacc_flags) $(common_cflags) +LOCAL_SRC_FILES := $(common_src_files) checkmodule.c +LOCAL_STATIC_LIBRARIES := libsepol +LOCAL_YACCFLAGS := -v +LOCAL_MODULE_CLASS := EXECUTABLES + +include $(BUILD_HOST_EXECUTABLE) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/checkpolicy-2.1.8/ChangeLog new/checkpolicy-2.1.11/ChangeLog --- old/checkpolicy-2.1.8/ChangeLog 2011-12-21 18:46:04.000000000 +0100 +++ new/checkpolicy-2.1.11/ChangeLog 2012-09-14 19:41:22.000000000 +0200 
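Review bot: `-Wno-return-type` in common_cflags silences the one warning that catches a non-void function falling off its end, which is undefined behaviour in C whenever the caller uses the result, and the same flag set is applied to the hand-written sources (queue.c, policy_define.c, checkpolicy.c, checkmodule.c), not only to the lex/yacc output it was presumably added for. A missing return in the parser helpers would then go unnoticed on this build while the Makefile-based build may still report it. Consider dropping it, `common_cflags := -Wall -Wshadow -O2 -pipe -fno-strict-aliasing`, and fixing the generated-code warning at its source, or at least adding a comment above the flag naming the specific warning it works around so it is not kept by inertia.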
@@ -1,3 +1,15 @@ +2.1.11 2012-09-13 + * fd leak reading policy + * check return code on ebitmap_set_bit + +2.1.10 2012-06-28 + * sepolgen: We need to support files that have a + in them + * Android/MacOS X build support + +2.1.9 2012-03-28 + * implement new default labeling behaviors for usr, role, range + * Fix dead links to www.nsa.gov/selinux + 2.1.8 2011-12-21 * add new helper to translate class sets into bitmaps diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/checkpolicy-2.1.8/VERSION new/checkpolicy-2.1.11/VERSION --- old/checkpolicy-2.1.8/VERSION 2011-12-21 18:46:04.000000000 +0100 +++ new/checkpolicy-2.1.11/VERSION 2012-09-14 19:41:22.000000000 +0200 @@ -1 +1 @@ -2.1.8 +2.1.11 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/checkpolicy-2.1.8/checkmodule.8 new/checkpolicy-2.1.11/checkmodule.8 --- old/checkpolicy-2.1.8/checkmodule.8 2011-12-21 18:46:04.000000000 +0100 +++ new/checkpolicy-2.1.11/checkmodule.8 2012-09-14 19:41:22.000000000 +0200 @@ -53,7 +53,7 @@ .SH "SEE ALSO" .B semodule(8), semodule_package(8) -SELinux documentation at http://www.nsa.gov/selinux, +SELinux documentation at http://www.nsa.gov/research/selinux, especially "Configuring the SELinux Policy". diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/checkpolicy-2.1.8/checkmodule.c new/checkpolicy-2.1.11/checkmodule.c --- old/checkpolicy-2.1.8/checkmodule.c 2011-12-21 18:46:04.000000000 +0100 +++ new/checkpolicy-2.1.11/checkmodule.c 2012-09-14 19:41:22.000000000 +0200 
@@ -63,10 +63,12 @@ if (fstat(fd, &sb) < 0) { fprintf(stderr, "Can't stat '%s': %s\n", file, strerror(errno)); + close(fd); return -1; } map = mmap(NULL, sb.st_size, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0); + close(fd); if (map == MAP_FAILED) { fprintf(stderr, "Can't map '%s': %s\n", file, strerror(errno)); return -1; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/checkpolicy-2.1.8/checkpolicy.8 new/checkpolicy-2.1.11/checkpolicy.8 --- old/checkpolicy-2.1.8/checkpolicy.8 2011-12-21 18:46:04.000000000 +0100 +++ new/checkpolicy-2.1.11/checkpolicy.8 2012-09-14 19:41:22.000000000 +0200 @@ -46,7 +46,7 @@ Show usage information. .SH "SEE ALSO" -SELinux documentation at http://www.nsa.gov/selinux, +SELinux documentation at http://www.nsa.gov/research/selinux, especially "Configuring the SELinux Policy". diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/checkpolicy-2.1.8/checkpolicy.c new/checkpolicy-2.1.11/checkpolicy.c --- old/checkpolicy-2.1.8/checkpolicy.c 2011-12-21 18:46:04.000000000 +0100 +++ new/checkpolicy-2.1.11/checkpolicy.c 2012-09-14 19:41:22.000000000 +0200 @@ -70,6 +70,10 @@ #include <errno.h> #include <sys/mman.h> +#ifdef DARWIN +#include <ctype.h> +#endif + #include <sepol/policydb/policydb.h> #include <sepol/policydb/services.h> #include <sepol/policydb/conditional.h> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/checkpolicy-2.1.8/policy_define.c new/checkpolicy-2.1.11/policy_define.c --- old/checkpolicy-2.1.8/policy_define.c 2011-12-21 18:46:04.000000000 +0100 +++ new/checkpolicy-2.1.11/policy_define.c 2012-09-14 19:41:22.000000000 +0200 
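Review bot: After the new `close(fd)` on the fstat failure path the descriptor handling looks right, but the result of fstat is only checked for failure, not for the kind of file it describes: `sb.st_size` is passed straight to mmap, and for anything other than a regular file (a directory, device or FIFO given on the command line) that size is meaningless and the error the user sees comes from mmap rather than from a clear message. A check between the two, `if (!S_ISREG(sb.st_mode)) { fprintf(stderr, "'%s' is not a regular file\n", file); close(fd); return -1; }`, keeps the diagnostic honest and reuses the close-on-error path this commit adds. The mapped length is also an off_t narrowed to size_t, which presumably only matters on 32-bit hosts with very large policy files. The enclosing function starts and ends outside this hunk.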
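Review bot: Wrapping `#include <ctype.h>` in `#ifdef DARWIN` in checkpolicy.c is unusual style, since `<ctype.h>` is a standard C header and including it unconditionally costs nothing on the other platforms while removing a platform-specific branch from the include list. If the guard exists because another header already pulls ctype.h in on Linux, that is an accident of those headers rather than a contract, so `#include <ctype.h>` without the guard is the more robust form. If there is a reason the header must not be included elsewhere, a one-line comment on the `#ifdef` should say so.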
@@ -351,6 +351,102 @@ return 0; } +int define_default_user(int which) +{ + char *id; + class_datum_t *cladatum; + + if (pass == 1) { + while ((id = queue_remove(id_queue))) + free(id); + return 0; + } + + while ((id = queue_remove(id_queue))) { + if (!is_id_in_scope(SYM_CLASSES, id)) { + yyerror2("class %s is not within scope", id); + return -1; + } + cladatum = hashtab_search(policydbp->p_classes.table, id); + if (!cladatum) { + yyerror2("unknown class %s", id); + return -1; + } + if (cladatum->default_user && cladatum->default_user != which) { + yyerror2("conflicting default user information for class %s", id); + return -1; + } + cladatum->default_user = which; + free(id); + } + + return 0; +} + +int define_default_role(int which) +{ + char *id; + class_datum_t *cladatum; + + if (pass == 1) { + while ((id = queue_remove(id_queue))) + free(id); + return 0; + } + + while ((id = queue_remove(id_queue))) { + if (!is_id_in_scope(SYM_CLASSES, id)) { + yyerror2("class %s is not within scope", id); + return -1; + } + cladatum = hashtab_search(policydbp->p_classes.table, id); + if (!cladatum) { + yyerror2("unknown class %s", id); + return -1; + } + if (cladatum->default_role && cladatum->default_role != which) { + yyerror2("conflicting default role information for class %s", id); + return -1; + } + cladatum->default_role = which; + free(id); + } + + return 0; +} + +int define_default_range(int which) +{ + char *id; + class_datum_t *cladatum; + + if (pass == 1) { + while ((id = queue_remove(id_queue))) + free(id); + return 0; + } + + while ((id = queue_remove(id_queue))) { + if (!is_id_in_scope(SYM_CLASSES, id)) { + yyerror2("class %s is not within scope", id); + return -1; + } + cladatum = hashtab_search(policydbp->p_classes.table, id); + if (!cladatum) { + yyerror2("unknown class %s", id); + return -1; + } + if (cladatum->default_range && cladatum->default_range != which) { + yyerror2("conflicting default range information for class %s", id); + return -1; + } + 
cladatum->default_range = which; + free(id); + } + + return 0; +} + int define_common_perms(void) { char *id = 0, *perm = 0; @@ -2245,7 +2341,10 @@ return -1; } - ebitmap_set_bit(&e_classes, cladatum->s.value - 1, TRUE); + if (ebitmap_set_bit(&e_classes, cladatum->s.value - 1, TRUE)) { + yyerror("out of memory"); + return -1; + } } id = (char *)queue_remove(id_queue); @@ -4247,8 +4346,14 @@ } memset(newc, 0, sizeof(ocontext_t)); + +#ifdef DARWIN + memcpy(&newc->u.node6.addr[0], &addr.s6_addr[0], 16); + memcpy(&newc->u.node6.mask[0], &mask.s6_addr[0], 16); +#else memcpy(&newc->u.node6.addr[0], &addr.s6_addr32[0], 16); memcpy(&newc->u.node6.mask[0], &mask.s6_addr32[0], 16); +#endif if (parse_security_context(&newc->context[0])) { free(newc); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/checkpolicy-2.1.8/policy_define.h new/checkpolicy-2.1.11/policy_define.h --- old/checkpolicy-2.1.8/policy_define.h 2011-12-21 18:46:04.000000000 +0100 +++ new/checkpolicy-2.1.11/policy_define.h 2012-09-14 19:41:22.000000000 +0200 @@ -24,6 +24,9 @@ int define_bool_tunable(int is_tunable); int define_category(void); int define_class(void); +int define_default_user(int which); +int define_default_role(int which); +int define_default_range(int which); int define_common_perms(void); int define_compute_type(int which); int define_conditional(cond_expr_t *expr, avrule_t *t_list, avrule_t *f_list ); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/checkpolicy-2.1.8/policy_parse.y new/checkpolicy-2.1.11/policy_parse.y --- old/checkpolicy-2.1.8/policy_parse.y 2011-12-21 18:46:04.000000000 +0100 +++ new/checkpolicy-2.1.11/policy_parse.y 2012-09-14 19:41:22.000000000 +0200 @@ -143,6 +143,8 @@ %token POLICYCAP %token PERMISSIVE %token FILESYSTEM +%token DEFAULT_USER DEFAULT_ROLE DEFAULT_RANGE +%token LOW_HIGH LOW HIGH %left OR %left XOR 
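Review bot: In each of the three new functions define_default_user, define_default_role and define_default_range, the `return -1` paths inside the pass-2 loop leave the just-dequeued `id` allocated, and the remaining entries of id_queue are not drained either, whereas the pass-1 branch frees every id; only the success path reaches `free(id)`. Since the same block is repeated three times, the fix is the same in each, `free(id); return -1;` on the scope, unknown-class and conflict branches (this may match how the older define_* functions in this file behave, which cannot be seen from here, but the new code need not inherit it). The three functions differ only in which class_datum_t member is written and in the word used in the conflict message, so a single static helper taking the target member and the message word would keep the scope check, lookup and conflict rule in one place and make the leak fix a one-line change. This note covers all three functions of the @@ -351 hunk.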
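Review bot: The `#ifdef DARWIN` around the two memcpy calls in the IPv6 node context hunk is not needed, because `s6_addr` is the member of struct in6_addr that POSIX defines, on every platform, while `s6_addr32` is a glibc/Linux extension that aliases the same 16 bytes. Using the portable member unconditionally, `memcpy(&newc->u.node6.addr[0], &addr.s6_addr[0], 16);` and `memcpy(&newc->u.node6.mask[0], &mask.s6_addr[0], 16);`, drops the conditional and the second copy of the code and produces identical bytes on Linux. The enclosing function starts and ends outside this hunk.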
@@ -157,7 +159,7 @@ classes initial_sids access_vectors { if (pass == 1) { if (policydb_index_classes(policydbp)) return -1; } else if (pass == 2) { if (policydb_index_others(NULL, policydbp, 0)) return -1; }} - opt_mls te_rbac users opt_constraints + opt_default_rules opt_mls te_rbac users opt_constraints { if (pass == 1) { if (policydb_index_bools(policydbp)) return -1;} else if (pass == 2) { if (policydb_index_others(NULL, policydbp, 0)) return -1;}} initial_sid_contexts opt_fs_contexts opt_fs_uses opt_genfs_contexts net_contexts opt_dev_contexts 
@@ -195,6 +197,39 @@ | CLASS identifier INHERITS identifier '{' identifier_list '}' {if (define_av_perms(TRUE)) return -1;} ; +opt_default_rules : default_rules + | + ; +default_rules : default_user_def + | default_role_def + | default_range_def + | default_rules default_user_def + | default_rules default_role_def + | default_rules default_range_def + ; +default_user_def : DEFAULT_USER names SOURCE ';' + {if (define_default_user(DEFAULT_SOURCE)) return -1; } + | DEFAULT_USER names TARGET ';' + {if (define_default_user(DEFAULT_TARGET)) return -1; } + ; +default_role_def : DEFAULT_ROLE names SOURCE ';' + {if (define_default_role(DEFAULT_SOURCE)) return -1; } + | DEFAULT_ROLE names TARGET ';' + {if (define_default_role(DEFAULT_TARGET)) return -1; } + ; +default_range_def : DEFAULT_RANGE names SOURCE LOW ';' + {if (define_default_range(DEFAULT_SOURCE_LOW)) return -1; } + | DEFAULT_RANGE names SOURCE HIGH ';' + {if (define_default_range(DEFAULT_SOURCE_HIGH)) return -1; } + | DEFAULT_RANGE names SOURCE LOW_HIGH ';' + {if (define_default_range(DEFAULT_SOURCE_LOW_HIGH)) return -1; } + | DEFAULT_RANGE names TARGET LOW ';' + {if (define_default_range(DEFAULT_TARGET_LOW)) return -1; } + | DEFAULT_RANGE names TARGET HIGH ';' + {if (define_default_range(DEFAULT_TARGET_HIGH)) return -1; } + | DEFAULT_RANGE names TARGET LOW_HIGH ';' + {if (define_default_range(DEFAULT_TARGET_LOW_HIGH)) return -1; } + ; opt_mls : mls | ; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/checkpolicy-2.1.8/policy_scan.l new/checkpolicy-2.1.11/policy_scan.l --- old/checkpolicy-2.1.8/policy_scan.l 2011-12-21 18:46:04.000000000 +0100 +++ new/checkpolicy-2.1.11/policy_scan.l 2012-09-14 19:41:22.000000000 +0200 @@ -27,7 +27,11 @@ typedef int (* require_func_t)(); +#ifdef ANDROID +#include "policy_parse.h" +#else #include "y.tab.h" +#endif static char linebuf[2][255]; static unsigned int lno = 0; 
@@ -43,7 +47,7 @@ unsigned int policydb_errors = 0; %} -%option noinput nounput +%option noinput nounput noyywrap %array letter [A-Za-z] @@ -221,8 +225,20 @@ POLICYCAP { return(POLICYCAP); } permissive | PERMISSIVE { return(PERMISSIVE); } +default_user | +DEFAULT_USER { return(DEFAULT_USER); } +default_role | +DEFAULT_ROLE { return(DEFAULT_ROLE); } +default_range | +DEFAULT_RANGE { return(DEFAULT_RANGE); } +low-high | +LOW-HIGH { return(LOW_HIGH); } +high | +HIGH { return(HIGH); } +low | +LOW { return(LOW); } "/"({alnum}|[_\.\-/])* { return(PATH); } -\"({alnum}|[_\.\-\~])+\" { return(FILENAME); } +\"({alnum}|[_\.\-\+\~])+\" { return(FILENAME); } {letter}({alnum}|[_\-])*([\.]?({alnum}|[_\-]))* { return(IDENTIFIER); } {alnum}*{letter}{alnum}* { return(FILESYSTEM); } {digit}+|0x{hexval}+ { return(NUMBER); } -- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
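Review bot: The new `low`, `high` and `low-high` rules in policy_scan.l turn three plain words into reserved tokens: they are listed before the IDENTIFIER rule, and flex resolves equal-length matches in favour of the earlier rule, so an existing policy that names a user, role, type, category or sensitivity `low` or `high` now gets a parse error at that declaration instead of an identifier. Whether any shipped policy does so cannot be told from here, but the ChangeLog entry for 2.1.9 only mentions the new default labeling behaviours and says nothing about newly reserved words, so at minimum the incompatibility should be stated there and in checkpolicy.8. A comment above the new rules such as `/* low/high/low-high are keywords of the default_range statement; they can no longer be used as identifiers */` would also tell the next maintainer why the ordering matters. The same applies to `default_user`, `default_role` and `default_range`, though collisions with those names seem less likely.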
