diff --git a/.gitignore b/.gitignore
index 6e75576..ccefc98 100644
--- a/.gitignore
+++ b/.gitignore
@@ -83,3 +83,4 @@ checkpolicy-2.0.22.tgz
 /checkpolicy-2.1.4.tgz
 /checkpolicy-2.1.5.tgz
 /checkpolicy-2.1.6.tgz
+/checkpolicy-2.1.7.tgz
diff --git a/checkpolicy-rhat.patch b/checkpolicy-rhat.patch
index 1b33470..0943a49 100644
--- a/checkpolicy-rhat.patch
+++ b/checkpolicy-rhat.patch
@@ -1,320 +1,375 @@ -diff --git a/checkpolicy/policy_scan.l b/checkpolicy/policy_scan.l -index 5ee27f8..b4b9066 100644 ---- a/checkpolicy/policy_scan.l -+++ b/checkpolicy/policy_scan.l -@@ -222,7 +222,7 @@ POLICYCAP { return(POLICYCAP); } - permissive | - PERMISSIVE { return(PERMISSIVE); } - "/"({alnum}|[_\.\-/])* { return(PATH); } --\"({alnum}|[_\.\-])+\" { return(FILENAME); } -+\"({alnum}|[_\.\-\~])+\" { return(FILENAME); } - {letter}({alnum}|[_\-])*([\.]?({alnum}|[_\-]))* { return(IDENTIFIER); } - {alnum}*{letter}{alnum}* { return(FILESYSTEM); } - {digit}+|0x{hexval}+ { return(NUMBER); } -diff --git a/checkpolicy/test/Makefile b/checkpolicy/test/Makefile -index 65cf901..0731e89 100644 ---- a/checkpolicy/test/Makefile -+++ b/checkpolicy/test/Makefile -@@ -6,7 +6,7 @@ BINDIR=$(PREFIX)/bin - LIBDIR=$(PREFIX)/lib - INCLUDEDIR ?= $(PREFIX)/include - --CFLAGS ?= -g -Wall -O2 -pipe -+CFLAGS ?= -g -Wall -W -Werror -O2 -pipe - override CFLAGS += -I$(INCLUDEDIR) - - LDLIBS=-lfl -lselinux $(LIBDIR)/libsepol.a -L$(LIBDIR) -diff --git a/checkpolicy/test/dismod.c b/checkpolicy/test/dismod.c -index 1674a47..6a951f6 100644 ---- a/checkpolicy/test/dismod.c -+++ b/checkpolicy/test/dismod.c -@@ -115,7 +115,7 @@ static void display_id(policydb_t * p, FILE * fp, uint32_t symbol_type, - int display_type_set(type_set_t * set, uint32_t flags, policydb_t * policy, - FILE * fp) - { -- int i, num_types; -+ unsigned int i, num_types; - - if (set->flags & TYPE_STAR) { - fprintf(fp, " * "); -@@ -178,7 +178,7 @@ int display_type_set(type_set_t * set, uint32_t flags, policydb_t * policy, - - int display_mod_role_set(role_set_t * roles, policydb_t * p, FILE * fp) - { -- int i, num = 0; -+ unsigned int i, num = 0; - - if (roles->flags & ROLE_STAR) { - fprintf(fp, " * "); -@@ -211,13 +211,7 @@ int display_mod_role_set(role_set_t * roles, policydb_t * p, FILE * fp) - +diff --git a/checkpolicy/policy_define.c b/checkpolicy/policy_define.c +index 1bf669c..a86c6b3 100644 +--- 
a/checkpolicy/policy_define.c ++++ b/checkpolicy/policy_define.c +@@ -327,6 +327,126 @@ int define_initial_sid(void) + return -1; } --/* 'what' values for this function */ --#define RENDER_UNCONDITIONAL 0x0001 /* render all regardless of enabled state */ --#define RENDER_ENABLED 0x0002 --#define RENDER_DISABLED 0x0004 --#define RENDER_CONDITIONAL (RENDER_ENABLED|RENDER_DISABLED) -- --int display_avrule(avrule_t * avrule, uint32_t what, policydb_t * policy, -+int display_avrule(avrule_t * avrule, policydb_t * policy, - FILE * fp) - { - class_perm_node_t *cur; -@@ -299,7 +293,7 @@ int display_type_callback(hashtab_key_t key, hashtab_datum_t datum, void *data) - { - type_datum_t *type; - FILE *fp; -- int i, first_attrib = 1; -+ unsigned int i, first_attrib = 1; - - type = (type_datum_t *) datum; - fp = (FILE *) data; -@@ -346,7 +340,7 @@ int display_types(policydb_t * p, FILE * fp) - - int display_users(policydb_t * p, FILE * fp) ++static int read_classes(ebitmap_t *e_classes) ++{ ++ char *id; ++ class_datum_t *cladatum; ++ ++ while ((id = queue_remove(id_queue))) { ++ if (!is_id_in_scope(SYM_CLASSES, id)) { ++ yyerror2("class %s is not within scope", id); ++ return -1; ++ } ++ cladatum = hashtab_search(policydbp->p_classes.table, id); ++ if (!cladatum) { ++ yyerror2("unknown class %s", id); ++ return -1; ++ } ++ if (ebitmap_set_bit(e_classes, cladatum->s.value - 1, TRUE)) { ++ yyerror("Out of memory"); ++ return -1; ++ } ++ free(id); ++ } ++ return 0; ++} ++ ++int define_default_user(int which) ++{ ++ char *id; ++ class_datum_t *cladatum; ++ ++ if (pass == 1) { ++ while ((id = queue_remove(id_queue))) ++ free(id); ++ return 0; ++ } ++ ++ while ((id = queue_remove(id_queue))) { ++ if (!is_id_in_scope(SYM_CLASSES, id)) { ++ yyerror2("class %s is not within scope", id); ++ return -1; ++ } ++ cladatum = hashtab_search(policydbp->p_classes.table, id); ++ if (!cladatum) { ++ yyerror2("unknown class %s", id); ++ return -1; ++ } ++ if (cladatum->default_user && 
cladatum->default_user != which) { ++ yyerror2("conflicting default user information for class %s", id); ++ return -1; ++ } ++ cladatum->default_user = which; ++ free(id); ++ } ++ ++ return 0; ++} ++ ++int define_default_role(int which) ++{ ++ char *id; ++ class_datum_t *cladatum; ++ ++ if (pass == 1) { ++ while ((id = queue_remove(id_queue))) ++ free(id); ++ return 0; ++ } ++ ++ while ((id = queue_remove(id_queue))) { ++ if (!is_id_in_scope(SYM_CLASSES, id)) { ++ yyerror2("class %s is not within scope", id); ++ return -1; ++ } ++ cladatum = hashtab_search(policydbp->p_classes.table, id); ++ if (!cladatum) { ++ yyerror2("unknown class %s", id); ++ return -1; ++ } ++ if (cladatum->default_role && cladatum->default_role != which) { ++ yyerror2("conflicting default role information for class %s", id); ++ return -1; ++ } ++ cladatum->default_role = which; ++ free(id); ++ } ++ ++ return 0; ++} ++ ++int define_default_range(int which) ++{ ++ char *id; ++ class_datum_t *cladatum; ++ ++ if (pass == 1) { ++ while ((id = queue_remove(id_queue))) ++ free(id); ++ return 0; ++ } ++ ++ while ((id = queue_remove(id_queue))) { ++ if (!is_id_in_scope(SYM_CLASSES, id)) { ++ yyerror2("class %s is not within scope", id); ++ return -1; ++ } ++ cladatum = hashtab_search(policydbp->p_classes.table, id); ++ if (!cladatum) { ++ yyerror2("unknown class %s", id); ++ return -1; ++ } ++ if (cladatum->default_range && cladatum->default_range != which) { ++ yyerror2("conflicting default range information for class %s", id); ++ return -1; ++ } ++ cladatum->default_range = which; ++ free(id); ++ } ++ ++ return 0; ++} ++ + int define_common_perms(void) { -- int i, j; -+ unsigned int i, j; - ebitmap_t *bitmap; - for (i = 0; i < p->p_users.nprim; i++) { - display_id(p, fp, SYM_USERS, i, ""); -@@ -365,7 +359,7 @@ int display_users(policydb_t * p, FILE * fp) - - int display_bools(policydb_t * p, FILE * fp) + char *id = 0, *perm = 0; +@@ -1360,7 +1480,6 @@ int define_compute_type_helper(int which, 
avrule_t ** rule) { -- int i; -+ unsigned int i; - - for (i = 0; i < p->p_bools.nprim; i++) { - display_id(p, fp, SYM_BOOLS, i, ""); -@@ -409,30 +403,11 @@ void display_expr(policydb_t * p, cond_expr_t * exp, FILE * fp) + char *id; + type_datum_t *datum; +- class_datum_t *cladatum; + ebitmap_t tclasses; + ebitmap_node_t *node; + avrule_t *avrule; +@@ -1387,23 +1506,8 @@ int define_compute_type_helper(int which, avrule_t ** rule) } - } --void display_policycon(policydb_t * p, FILE * fp) -+void display_policycon(FILE * fp) - { --#if 0 -- int i; -- ocontext_t *cur; -- char *name; -- -- for (i = 0; i < POLICYCON_NUM; i++) { -- fprintf(fp, "%s:", symbol_labels[i]); -- for (cur = p->policycon[i].head; cur != NULL; cur = cur->next) { -- if (*(cur->u.name) == '\0') { -- name = "{default}"; -- } else { -- name = cur->u.name; -- } -- fprintf(fp, "\n%16s - %s:%s:%s", name, -- p->p_user_val_to_name[cur->context[0].user - 1], -- p->p_role_val_to_name[cur->context[0].role - 1], -- p->p_type_val_to_name[cur->context[0].type - -- 1]); + ebitmap_init(&tclasses); +- while ((id = queue_remove(id_queue))) { +- if (!is_id_in_scope(SYM_CLASSES, id)) { +- yyerror2("class %s is not within scope", id); +- free(id); +- goto bad; +- } +- cladatum = hashtab_search(policydbp->p_classes.table, id); +- if (!cladatum) { +- yyerror2("unknown class %s", id); +- goto bad; +- } +- if (ebitmap_set_bit(&tclasses, cladatum->s.value - 1, TRUE)) { +- yyerror("Out of memory"); +- goto bad; - } -- fprintf(fp, "\n"); +- free(id); - } --#endif -+ /* There was an attempt to implement this at one time. Look through -+ * git history to find it. 
*/ -+ fprintf(fp, "Sorry, not implemented\n"); - } - - void display_initial_sids(policydb_t * p, FILE * fp) -@@ -462,7 +437,7 @@ void display_initial_sids(policydb_t * p, FILE * fp) ++ if (read_classes(&tclasses)) ++ goto bad; - void display_class_set(ebitmap_t *classes, policydb_t *p, FILE *fp) - { -- int i, num = 0; -+ unsigned int i, num = 0; - - for (i = ebitmap_startbit(classes); i < ebitmap_length(classes); i++) { - if (!ebitmap_get_bit(classes, i)) -@@ -518,7 +493,8 @@ static void display_filename_trans(filename_trans_rule_t * tr, policydb_t * p, F + id = (char *)queue_remove(id_queue); + if (!id) { +@@ -1628,25 +1732,9 @@ int define_te_avtab_helper(int which, avrule_t ** rule) } - } - --int role_display_callback(hashtab_key_t key, hashtab_datum_t datum, void *data) -+int role_display_callback(hashtab_key_t key __attribute__((unused)), -+ hashtab_datum_t datum, void *data) - { - role_datum_t *role; - FILE *fp; -@@ -538,9 +514,9 @@ int role_display_callback(hashtab_key_t key, hashtab_datum_t datum, void *data) - static int display_scope_index(scope_index_t * indices, policydb_t * p, - FILE * out_fp) - { -- int i; -+ unsigned int i; - for (i = 0; i < SYM_NUM; i++) { -- int any_found = 0, j; -+ unsigned int any_found = 0, j; - fprintf(out_fp, "%s:", symbol_labels[i]); - for (j = ebitmap_startbit(&indices->scope[i]); - j < ebitmap_length(&indices->scope[i]); j++) { -@@ -611,7 +587,7 @@ int change_bool(char *name, int state, policydb_t * p, FILE * fp) - } - #endif --int display_avdecl(avrule_decl_t * decl, int field, uint32_t what, -+int display_avdecl(avrule_decl_t * decl, int field, - policydb_t * policy, FILE * out_fp) - { - fprintf(out_fp, "decl %u:%s\n", decl->decl_id, -@@ -629,7 +605,6 @@ int display_avdecl(avrule_decl_t * decl, int field, uint32_t what, - avrule = cond->avtrue_list; - while (avrule) { - display_avrule(avrule, -- RENDER_UNCONDITIONAL, - &policydb, out_fp); - avrule = avrule->next; - } -@@ -637,7 +612,6 @@ int display_avdecl(avrule_decl_t * 
decl, int field, uint32_t what, - avrule = cond->avfalse_list; - while (avrule) { - display_avrule(avrule, -- RENDER_UNCONDITIONAL, - &policydb, out_fp); - avrule = avrule->next; - } -@@ -651,10 +625,8 @@ int display_avdecl(avrule_decl_t * decl, int field, uint32_t what, - fprintf(out_fp, " \n"); - } - while (avrule != NULL) { -- if (display_avrule -- (avrule, what, policy, out_fp)) { -+ if (display_avrule(avrule, policy, out_fp)) - return -1; -- } - avrule = avrule->next; - } - break; -@@ -696,7 +668,7 @@ int display_avdecl(avrule_decl_t * decl, int field, uint32_t what, - return 0; /* should never get here */ - } - --int display_avblock(int field, uint32_t what, policydb_t * policy, -+int display_avblock(int field, policydb_t * policy, - FILE * out_fp) - { - avrule_block_t *block = policydb.global; -@@ -704,7 +676,7 @@ int display_avblock(int field, uint32_t what, policydb_t * policy, - fprintf(out_fp, "--- begin avrule block ---\n"); - avrule_decl_t *decl = block->branch_list; - while (decl != NULL) { -- if (display_avdecl(decl, field, what, policy, out_fp)) { -+ if (display_avdecl(decl, field, policy, out_fp)) { - return -1; - } - decl = decl->next; -@@ -820,7 +792,7 @@ static void display_policycaps(policydb_t * p, FILE * fp) - ebitmap_node_t *node; - const char *capname; - char buf[64]; -- int i; -+ unsigned int i; - - fprintf(fp, "policy capabilities:\n"); - ebitmap_for_each_bit(&p->policycaps, node, i) { -@@ -915,14 +887,12 @@ int main(int argc, char **argv) - case '1': - fprintf(out_fp, "unconditional avtab:\n"); - display_avblock(DISPLAY_AVBLOCK_UNCOND_AVTAB, -- RENDER_UNCONDITIONAL, &policydb, -- out_fp); -+ &policydb, out_fp); - break; - case '2': - fprintf(out_fp, "conditional avtab:\n"); - display_avblock(DISPLAY_AVBLOCK_COND_AVTAB, -- RENDER_UNCONDITIONAL, &policydb, -- out_fp); -+ &policydb, out_fp); - break; - case '3': - display_users(&policydb, out_fp); -@@ -944,28 +914,28 @@ int main(int argc, char **argv) - break; - case '7': - fprintf(out_fp, 
"role transitions:\n"); -- display_avblock(DISPLAY_AVBLOCK_ROLE_TRANS, 0, -+ display_avblock(DISPLAY_AVBLOCK_ROLE_TRANS, - &policydb, out_fp); - break; - case '8': - fprintf(out_fp, "role allows:\n"); -- display_avblock(DISPLAY_AVBLOCK_ROLE_ALLOW, 0, -+ display_avblock(DISPLAY_AVBLOCK_ROLE_ALLOW, - &policydb, out_fp); - break; - case '9': -- display_policycon(&policydb, out_fp); -+ display_policycon(out_fp); - break; - case '0': - display_initial_sids(&policydb, out_fp); - break; - case 'a': - fprintf(out_fp, "avrule block requirements:\n"); -- display_avblock(DISPLAY_AVBLOCK_REQUIRES, 0, -+ display_avblock(DISPLAY_AVBLOCK_REQUIRES, - &policydb, out_fp); - break; - case 'b': - fprintf(out_fp, "avrule block declarations:\n"); -- display_avblock(DISPLAY_AVBLOCK_DECLARES, 0, -+ display_avblock(DISPLAY_AVBLOCK_DECLARES, - &policydb, out_fp); - break; - case 'c': -@@ -993,7 +963,7 @@ int main(int argc, char **argv) - case 'F': - fprintf(out_fp, "filename_trans rules:\n"); - display_avblock(DISPLAY_AVBLOCK_FILENAME_TRANS, -- 0, &policydb, out_fp); -+ &policydb, out_fp); - break; - case 'l': - link_module(&policydb, out_fp); -diff --git a/checkpolicy/test/dispol.c b/checkpolicy/test/dispol.c -index 0e08965..f41acdc 100644 ---- a/checkpolicy/test/dispol.c -+++ b/checkpolicy/test/dispol.c -@@ -157,7 +157,7 @@ int render_av_rule(avtab_key_t * key, avtab_datum_t * datum, uint32_t what, + ebitmap_init(&tclasses); +- while ((id = queue_remove(id_queue))) { +- if (!is_id_in_scope(SYM_CLASSES, id)) { +- yyerror2("class %s is not within scope", id); +- ret = -1; +- goto out; +- } +- cladatum = hashtab_search(policydbp->p_classes.table, id); +- if (!cladatum) { +- yyerror2("unknown class %s used in rule", id); +- ret = -1; +- goto out; +- } +- if (ebitmap_set_bit(&tclasses, cladatum->s.value - 1, TRUE)) { +- yyerror("Out of memory"); +- ret = -1; +- goto out; +- } +- free(id); +- } ++ ret = read_classes(&tclasses); ++ if (ret) ++ goto out; - int display_avtab(avtab_t * a, uint32_t 
what, policydb_t * p, FILE * fp) - { -- int i; -+ unsigned int i; - avtab_ptr_t cur; - avtab_t expa; + perms = NULL; + ebitmap_for_each_bit(&tclasses, node, i) { +@@ -2242,22 +2330,8 @@ int define_role_trans(int class_specified) + } -@@ -184,7 +184,7 @@ int display_avtab(avtab_t * a, uint32_t what, policydb_t * p, FILE * fp) + if (class_specified) { +- while ((id = queue_remove(id_queue))) { +- if (!is_id_in_scope(SYM_CLASSES, id)) { +- yyerror2("class %s is not within scope", id); +- free(id); +- return -1; +- } +- cladatum = hashtab_search(policydbp->p_classes.table, +- id); +- if (!cladatum) { +- yyerror2("unknow class %s", id); +- return -1; +- } +- +- ebitmap_set_bit(&e_classes, cladatum->s.value - 1, TRUE); +- free(id); +- } ++ if (read_classes(&e_classes)) ++ return -1; + } else { + cladatum = hashtab_search(policydbp->p_classes.table, + "process"); +@@ -2410,7 +2484,6 @@ int define_filename_trans(void) + ebitmap_node_t *snode, *tnode, *cnode; + filename_trans_t *ft; + filename_trans_rule_t *ftr; +- class_datum_t *cladatum; + type_datum_t *typdatum; + uint32_t otype; + unsigned int c, s, t; +@@ -2451,23 +2524,8 @@ int define_filename_trans(void) + } - int display_bools(policydb_t * p, FILE * fp) - { -- int i; -+ unsigned int i; + ebitmap_init(&e_tclasses); +- while ((id = queue_remove(id_queue))) { +- if (!is_id_in_scope(SYM_CLASSES, id)) { +- yyerror2("class %s is not within scope", id); +- free(id); +- goto bad; +- } +- cladatum = hashtab_search(policydbp->p_classes.table, id); +- if (!cladatum) { +- yyerror2("unknown class %s", id); +- goto bad; +- } +- if (ebitmap_set_bit(&e_tclasses, cladatum->s.value - 1, TRUE)) { +- yyerror("Out of memory"); +- goto bad; +- } +- free(id); +- } ++ if (read_classes(&e_tclasses)) ++ goto bad; - for (i = 0; i < p->p_bools.nprim; i++) { - fprintf(fp, "%s : %d\n", p->p_bool_val_to_name[i], -@@ -304,7 +304,7 @@ static void display_policycaps(policydb_t * p, FILE * fp) - ebitmap_node_t *node; - const char *capname; - char 
buf[64]; -- int i; -+ unsigned int i; + id = (char *)queue_remove(id_queue); + if (!id) { +@@ -4549,23 +4607,8 @@ int define_range_trans(int class_specified) + } - fprintf(fp, "policy capabilities:\n"); - ebitmap_for_each_bit(&p->policycaps, node, i) { -@@ -329,7 +329,7 @@ static void display_id(policydb_t *p, FILE *fp, uint32_t symbol_type, - static void display_permissive(policydb_t *p, FILE *fp) - { - ebitmap_node_t *node; -- int i; -+ unsigned int i; + if (class_specified) { +- while ((id = queue_remove(id_queue))) { +- if (!is_id_in_scope(SYM_CLASSES, id)) { +- yyerror2("class %s is not within scope", id); +- free(id); +- goto out; +- } +- cladatum = hashtab_search(policydbp->p_classes.table, +- id); +- if (!cladatum) { +- yyerror2("unknown class %s", id); +- goto out; +- } +- +- ebitmap_set_bit(&rule->tclasses, cladatum->s.value - 1, +- TRUE); +- free(id); +- } ++ if (read_classes(&rule->tclasses)) ++ goto out; + } else { + cladatum = hashtab_search(policydbp->p_classes.table, + "process"); +diff --git a/checkpolicy/policy_define.h b/checkpolicy/policy_define.h +index 92a9be7..ccbe56f 100644 +--- a/checkpolicy/policy_define.h ++++ b/checkpolicy/policy_define.h +@@ -24,6 +24,9 @@ int define_av_perms(int inherits); + int define_bool_tunable(int is_tunable); + int define_category(void); + int define_class(void); ++int define_default_user(int which); ++int define_default_role(int which); ++int define_default_range(int which); + int define_common_perms(void); + int define_compute_type(int which); + int define_conditional(cond_expr_t *expr, avrule_t *t_list, avrule_t *f_list ); +diff --git a/checkpolicy/policy_parse.y b/checkpolicy/policy_parse.y +index d808111..3b7357f 100644 +--- a/checkpolicy/policy_parse.y ++++ b/checkpolicy/policy_parse.y +@@ -143,6 +143,8 @@ typedef int (* require_func_t)(); + %token POLICYCAP + %token PERMISSIVE + %token FILESYSTEM ++%token DEFAULT_USER DEFAULT_ROLE DEFAULT_RANGE ++%token LOW_HIGH LOW HIGH - fprintf(fp, "permissive 
sids:\n"); - ebitmap_for_each_bit(&p->permissive_map, node, i) { + %left OR + %left XOR +@@ -157,7 +159,7 @@ base_policy : { if (define_policy(pass, 0) == -1) return -1; } + classes initial_sids access_vectors + { if (pass == 1) { if (policydb_index_classes(policydbp)) return -1; } + else if (pass == 2) { if (policydb_index_others(NULL, policydbp, 0)) return -1; }} +- opt_mls te_rbac users opt_constraints ++ default_rules opt_mls te_rbac users opt_constraints + { if (pass == 1) { if (policydb_index_bools(policydbp)) return -1;} + else if (pass == 2) { if (policydb_index_others(NULL, policydbp, 0)) return -1;}} + initial_sid_contexts opt_fs_contexts opt_fs_uses opt_genfs_contexts net_contexts opt_dev_contexts +@@ -195,6 +197,36 @@ av_perms_def : CLASS identifier '{' identifier_list '}' + | CLASS identifier INHERITS identifier '{' identifier_list '}' + {if (define_av_perms(TRUE)) return -1;} + ; ++default_rules : default_user_def ++ | default_role_def ++ | default_range_def ++ | default_rules default_user_def ++ | default_rules default_role_def ++ | default_rules default_range_def ++ ; ++default_user_def : DEFAULT_USER names SOURCE ';' ++ {if (define_default_user(DEFAULT_SOURCE)) return -1; } ++ | DEFAULT_USER names TARGET ';' ++ {if (define_default_user(DEFAULT_TARGET)) return -1; } ++ ; ++default_role_def : DEFAULT_ROLE names SOURCE ';' ++ {if (define_default_role(DEFAULT_SOURCE)) return -1; } ++ | DEFAULT_ROLE names TARGET ';' ++ {if (define_default_role(DEFAULT_TARGET)) return -1; } ++ ; ++default_range_def : DEFAULT_RANGE names SOURCE LOW ';' ++ {if (define_default_range(DEFAULT_SOURCE_LOW)) return -1; } ++ | DEFAULT_RANGE names SOURCE HIGH ';' ++ {if (define_default_range(DEFAULT_SOURCE_HIGH)) return -1; } ++ | DEFAULT_RANGE names SOURCE LOW_HIGH ';' ++ {if (define_default_range(DEFAULT_SOURCE_LOW_HIGH)) return -1; } ++ | DEFAULT_RANGE names TARGET LOW ';' ++ {if (define_default_range(DEFAULT_TARGET_LOW)) return -1; } ++ | DEFAULT_RANGE names TARGET HIGH ';' ++ 
{if (define_default_range(DEFAULT_TARGET_HIGH)) return -1; } ++ | DEFAULT_RANGE names TARGET LOW_HIGH ';' ++ {if (define_default_range(DEFAULT_TARGET_LOW_HIGH)) return -1; } ++ ; + opt_mls : mls + | + ; +diff --git a/checkpolicy/policy_scan.l b/checkpolicy/policy_scan.l +index 9b24db5..e767b5f 100644 +--- a/checkpolicy/policy_scan.l ++++ b/checkpolicy/policy_scan.l +@@ -221,6 +221,18 @@ policycap | + POLICYCAP { return(POLICYCAP); } + permissive | + PERMISSIVE { return(PERMISSIVE); } ++default_user | ++DEFAULT_USER { return(DEFAULT_USER); } ++default_role | ++DEFAULT_ROLE { return(DEFAULT_ROLE); } ++default_range | ++DEFAULT_RANGE { return(DEFAULT_RANGE); } ++low-high | ++LOW-HIGH { return(LOW_HIGH); } ++high | ++HIGH { return(HIGH); } ++low | ++LOW { return(LOW); } + "/"({alnum}|[_\.\-/])* { return(PATH); } + \"({alnum}|[_\.\-\~])+\" { return(FILENAME); } + {letter}({alnum}|[_\-])*([\.]?({alnum}|[_\-]))* { return(IDENTIFIER); } diff --git a/checkpolicy.spec b/checkpolicy.spec index a53a5c7..29aba0f 100644 --- a/checkpolicy.spec +++ b/checkpolicy.spec @@ -1,9 +1,9 @@ %define libselinuxver 2.1.6-4 -%define libsepolver 2.1.2-3 +%define libsepolver 2.1.4-1 Summary: SELinux policy compiler Name: checkpolicy -Version: 2.1.6 -Release: 2%{?dist} +Version: 2.1.7 +Release: 1%{?dist} License: GPLv2 Group: Development/System Source: http://www.nsa.gov/selinux/archives/%{name}-%{version}.tgz @@ -56,6 +56,15 @@ rm -rf ${RPM_BUILD_ROOT} %{_bindir}/sedispol %changelog +* Tue Dec 6 2011 Dan Walsh - 2.1.7-1 +- Upgrade to upstream + * dis* fixed signed vs unsigned errors + * dismod: fix unused parameter errors + * test: Makefile: include -W and -Werror + * allow ~ in filename transition rules +- Allow policy to specify the source of target for generating the default user,role +- or mls label for a new target. + * Mon Nov 14 2011 Dan Walsh - 2.1.6-2 - Allow ~ in a filename diff --git a/sources b/sources index a97bde0..986e4c8 100644 --- a/sources +++ b/sources 
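Review bot: In the new `read_classes` helper added to policy_define.c, the out-of-scope branch returns -1 without releasing `id`, whereas four of the five inline loops it replaces (in define_compute_type_helper, define_role_trans, define_filename_trans and define_range_trans) did `free(id);` before bailing out, so the consolidation reintroduces a leak on that error path; the unknown-class and ebitmap_set_bit branches leak `id` as well. The cheapest fix is to free before each early return, e.g. `yyerror2("class %s is not within scope", id); free(id); return -1;`, or to route the three failures through one `free(id); return -1;` exit. The new `define_default_user`, `define_default_role` and `define_default_range` use the same loop shape and would benefit from the same change. Since the hunk edits a carried patch file, the fix presumably needs to land upstream in checkpolicy before the rhat patch is regenerated.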
@@ -1 +1 @@
-a1115f9c92777da7c8cafab08a81b779 checkpolicy-2.1.6.tgz
+19c722fd1e180250a22d25b1fb41a4fd checkpolicy-2.1.7.tgz