From 7a85deddcfb0512bc01c1dd0fd1d3d0f86a2b631 Mon Sep 17 00:00:00 2001 From: rhatdan Date: Sep 13 2012 16:32:09 +0000 Subject: Update to upstream * fix neverallow checking on attributes * Move context_copy() after switch block in ocontext_copy_*(). * check for missing initial SID labeling statement. * Add always_check_network policy capability * role_fix_callback skips out-of-scope roles during expansion. --- diff --git a/.gitignore b/.gitignore index d7285e5..e38af3e 100644 --- a/.gitignore +++ b/.gitignore @@ -159,3 +159,4 @@ libsepol-2.0.41.tgz /libsepol-2.1.4.tgz /libsepol-2.1.5.tgz /libsepol-2.1.7.tgz +/libsepol-2.1.8.tgz diff --git a/libsepol-rhat.patch b/libsepol-rhat.patch index a4065aa..ae0995b 100644 --- a/libsepol-rhat.patch +++ b/libsepol-rhat.patch @@ -1,5 +1,18 @@ +diff --git a/libsepol/include/sepol/policydb/polcaps.h b/libsepol/include/sepol/policydb/polcaps.h +index f90a48d..9152446 100644 +--- a/libsepol/include/sepol/policydb/polcaps.h ++++ b/libsepol/include/sepol/policydb/polcaps.h +@@ -5,7 +5,7 @@ + enum { + POLICYDB_CAPABILITY_NETPEER, + POLICYDB_CAPABILITY_OPENPERM, +- POLICYDB_CAPABILITY_REDHAT1, /* reserved for RH testing of ptrace_child */ ++ POLICYDB_CAPABILITY_PTRACE_CHILD, + POLICYDB_CAPABILITY_ALWAYSNETWORK, + __POLICYDB_CAPABILITY_MAX + }; diff --git a/libsepol/src/expand.c b/libsepol/src/expand.c -index bef759c..2854f33 100644 +index 2003eb6..79587af 100644 --- a/libsepol/src/expand.c +++ b/libsepol/src/expand.c @@ -49,6 +49,82 @@ typedef struct expand_state { @@ -85,7 +98,7 @@ index bef759c..2854f33 100644 static void expand_state_init(expand_state_t * state) { memset(state, 0, sizeof(expand_state_t)); -@@ -1352,10 +1428,20 @@ static int copy_role_trans(expand_state_t * state, role_trans_rule_t * rules) +@@ -1357,10 +1433,20 @@ static int copy_role_trans(expand_state_t * state, role_trans_rule_t * rules) static int expand_filename_trans(expand_state_t *state, filename_trans_rule_t *rules) { unsigned int i, j; @@ -107,7 +120,22 @@ index bef759c..2854f33 100644 cur_rule = rules; while (cur_rule) { -@@ -1378,6 +1464,14 @@ static int expand_filename_trans(expand_state_t *state, filename_trans_rule_t *r +@@ -1370,19 +1456,27 @@ static int expand_filename_trans(expand_state_t *state, filename_trans_rule_t *r + ebitmap_init(&ttypes); + + if (expand_convert_type_set(state->out, state->typemap, +- &cur_rule->stypes, &stypes, 1)) { ++ &cur_rule->stypes, &stypes, 0)) { + ERR(state->handle, "Out of memory!"); + return -1; + } + + if (expand_convert_type_set(state->out, state->typemap, +- &cur_rule->ttypes, &ttypes, 1)) { ++ &cur_rule->ttypes, &ttypes, 0)) { + ERR(state->handle, "Out of memory!"); + return -1; + } mapped_otype = state->typemap[cur_rule->otype - 1]; @@ -122,7 +150,7 @@ index bef759c..2854f33 100644 ebitmap_for_each_bit(&stypes, snode, i) { if (!ebitmap_node_get_bit(snode, i)) continue; -@@ -1385,16 +1479,14 @@ static int expand_filename_trans(expand_state_t *state, filename_trans_rule_t *r +@@ -1390,16 +1484,14 @@ static int expand_filename_trans(expand_state_t *state, filename_trans_rule_t *r if (!ebitmap_node_get_bit(tnode, j)) continue; @@ -142,7 +170,7 @@ index bef759c..2854f33 100644 ERR(state->handle, "Conflicting filename trans rules %s %s %s : %s otype1:%s otype2:%s", cur_trans->name, state->out->p_type_val_to_name[i], -@@ -1402,7 +1494,7 @@ static int expand_filename_trans(expand_state_t *state, filename_trans_rule_t *r +@@ -1407,7 +1499,7 @@ static int expand_filename_trans(expand_state_t *state, filename_trans_rule_t *r state->out->p_class_val_to_name[cur_trans->tclass - 1], state->out->p_type_val_to_name[cur_trans->otype - 1], state->out->p_type_val_to_name[mapped_otype - 1]); @@ -151,7 +179,7 @@ index bef759c..2854f33 100644 return -1; } cur_trans = cur_trans->next; -@@ -1417,8 +1509,6 @@ static int expand_filename_trans(expand_state_t *state, filename_trans_rule_t *r +@@ -1422,8 +1514,6 @@ static int expand_filename_trans(expand_state_t *state, filename_trans_rule_t *r return -1; } memset(new_trans, 0, sizeof(*new_trans)); @@ -160,7 +188,7 @@ index bef759c..2854f33 100644 new_trans->name = strdup(cur_rule->name); if (!new_trans->name) { -@@ -1429,9 +1519,16 @@ static int expand_filename_trans(expand_state_t *state, filename_trans_rule_t *r +@@ -1434,9 +1524,16 @@ static int expand_filename_trans(expand_state_t *state, filename_trans_rule_t *r new_trans->ttype = j + 1; new_trans->tclass = cur_rule->tclass; new_trans->otype = mapped_otype; @@ -177,3 +205,78 @@ index bef759c..2854f33 100644 ebitmap_destroy(&stypes); ebitmap_destroy(&ttypes); +@@ -2037,14 +2134,13 @@ static int ocontext_copy_xen(expand_state_t *state) + else + state->out->ocontexts[i] = n; + l = n; ++ if (context_copy(&n->context[0], &c->context[0], ++ state)) { ++ ERR(state->handle, "Out of memory!"); ++ return -1; ++ } + switch (i) { + case OCON_XEN_ISID: +- if (c->context[0].user == 0) { +- ERR(state->handle, +- "Missing context for %s initial sid", +- c->u.name); +- return -1; +- } + n->sid[0] = c->sid[0]; + break; + case OCON_XEN_PIRQ: +@@ -2067,11 +2163,6 @@ static int ocontext_copy_xen(expand_state_t *state) + ERR(state->handle, "Unknown ocontext"); + return -1; + } +- if (context_copy(&n->context[0], &c->context[0], +- state)) { +- ERR(state->handle, "Out of memory!"); +- return -1; +- } + } + } + return 0; +@@ -2096,14 +2187,12 @@ static int ocontext_copy_selinux(expand_state_t *state) + else + state->out->ocontexts[i] = n; + l = n; ++ if (context_copy(&n->context[0], &c->context[0], state)) { ++ ERR(state->handle, "Out of memory!"); ++ return -1; ++ } + switch (i) { + case OCON_ISID: +- if (c->context[0].user == 0) { +- ERR(state->handle, +- "Missing context for %s initial sid", +- c->u.name); +- return -1; +- } + n->sid[0] = c->sid[0]; + break; + case OCON_FS: /* FALLTHROUGH */ +@@ -2147,10 +2236,6 @@ static int ocontext_copy_selinux(expand_state_t *state) + ERR(state->handle, "Unknown ocontext"); + return -1; + } +- if (context_copy(&n->context[0], &c->context[0], state)) { +- ERR(state->handle, "Out of memory!"); +- return -1; +- } + } + } + return 0; +diff --git a/libsepol/src/polcaps.c b/libsepol/src/polcaps.c +index 43a71a7..7615a9b 100644 +--- a/libsepol/src/polcaps.c ++++ b/libsepol/src/polcaps.c +@@ -8,7 +8,7 @@ + static const char *polcap_names[] = { + "network_peer_controls", /* POLICYDB_CAPABILITY_NETPEER */ + "open_perms", /* POLICYDB_CAPABILITY_OPENPERM */ +- "redhat1", /* POLICYDB_CAPABILITY_REDHAT1, aka ptrace_child */ ++ "ptrace_child", /* POLICYDB_CAPABILITY_PTRACE_CHILD */ + "always_check_network", /* POLICYDB_CAPABILITY_ALWAYSNETWORK */ + NULL + }; diff --git a/libsepol.spec b/libsepol.spec index ed3ccb9..22dda65 100644 --- a/libsepol.spec +++ b/libsepol.spec @@ -1,7 +1,7 @@ Summary: SELinux binary policy manipulation library Name: libsepol -Version: 2.1.7 -Release: 4%{?dist} +Version: 2.1.8 +Release: 1%{?dist} License: LGPLv2+ Group: System Environment/Libraries Source: http://www.nsa.gov/selinux/archives/libsepol-%{version}.tgz @@ -99,6 +99,14 @@ exit 0 /%{_lib}/libsepol.so.1 %changelog +* Thu Sep 13 2012 Dan Walsh - 2.1.8-1 +- Update to upstream + * fix neverallow checking on attributes + * Move context_copy() after switch block in ocontext_copy_*(). + * check for missing initial SID labeling statement. + * Add always_check_network policy capability + * role_fix_callback skips out-of-scope roles during expansion. + * Mon Jul 30 2012 Dan Walsh - 2.1.7-4 - Try new patches diff --git a/sources b/sources index 5af123a..acb2def 100644 --- a/sources +++ b/sources @@ -1 +1,2 @@ 332c564144780537c25f4498578e531f libsepol-2.1.7.tgz +ce02057c3d0922dd7775f9948f7932af libsepol-2.1.8.tgz