diff --git a/.checkpolicy.metadata b/.checkpolicy.metadata
index 65fa1fd..5c8e70c 100644
--- a/.checkpolicy.metadata
+++ b/.checkpolicy.metadata
@@ -1 +1 @@
-d0cd01d4f3a775f9c93ceb26e13b33cc84f344e6 SOURCES/checkpolicy-2.1.12.tgz
+730c4a8848e33f5033e3f906f7a8944f52f82989 SOURCES/checkpolicy-2.5.tar.gz
diff --git a/.gitignore b/.gitignore
index 058522e..c4e105f 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/checkpolicy-2.1.12.tgz
+SOURCES/checkpolicy-2.5.tar.gz
diff --git a/SOURCES/checkpolicy-rhat.patch b/SOURCES/checkpolicy-rhat.patch
deleted file mode 100644
index e5759bf..0000000
--- a/SOURCES/checkpolicy-rhat.patch
+++ /dev/null
@@ -1,92 +0,0 @@
-diff --git a/checkpolicy/checkmodule.8 b/checkpolicy/checkmodule.8
-index 40f73c5..2a7ab5c 100644
---- a/checkpolicy/checkmodule.8
-+++ b/checkpolicy/checkmodule.8
-@@ -3,7 +3,7 @@
- checkmodule \- SELinux policy module compiler
- .SH SYNOPSIS
- .B checkmodule
--.I "[-h] [-b] [-m] [-M] [-U handle_unknown ] [-V] [-o output_file] [input_file]"
-+.I "[\-h] [\-b] [\-m] [\-M] [\-U handle_unknown ] [\-V] [\-o output_file] [input_file]"
- .SH "DESCRIPTION"
- This manual page describes the
- .BR checkmodule
-@@ -12,7 +12,7 @@ command.
- .B checkmodule
- is a program that checks and compiles a SELinux security policy module
- into a binary representation. It can generate either a base policy
--module (default) or a non-base policy module (-m option); typically,
-+module (default) or a non-base policy module (\-m option); typically,
- you would build a non-base policy module to add to an existing module
- store that already has a base module provided by the base policy. Use
- semodule_package to combine this module with its optional file
-@@ -48,7 +48,7 @@ Specify how the kernel should handle unknown classes or permissions (deny, allow
- .SH EXAMPLE
- .nf
- # Build a MLS/MCS-enabled non-base policy module.
--$ checkmodule -M -m httpd.te -o httpd.mod
-+$ checkmodule \-M \-m httpd.te \-o httpd.mod
- .fi
- 
- .SH "SEE ALSO"
-diff --git a/checkpolicy/checkpolicy.8 b/checkpolicy/checkpolicy.8
-index 6826938..0086bdc 100644
---- a/checkpolicy/checkpolicy.8
-+++ b/checkpolicy/checkpolicy.8
-@@ -3,7 +3,7 @@
- checkpolicy \- SELinux policy compiler
- .SH SYNOPSIS
- .B checkpolicy
--.I "[-b] [-d] [-M] [-c policyvers] [-o output_file] [input_file]"
-+.I "[\-b] [\-d] [\-M] [\-c policyvers] [\-o output_file] [input_file]"
- .br
- .SH "DESCRIPTION"
- This manual page describes the
-@@ -14,7 +14,7 @@ command.
- is a program that checks and compiles a SELinux security policy configuration
- into a binary representation that can be loaded into the kernel. If no
- input file name is specified, checkpolicy will attempt to read from
--policy.conf or policy, depending on whether the -b flag is specified.
-+policy.conf or policy, depending on whether the \-b flag is specified.
- 
- .SH OPTIONS
- .TP
-diff --git a/checkpolicy/checkpolicy.c b/checkpolicy/checkpolicy.c
-index 544f235..292f568 100644
---- a/checkpolicy/checkpolicy.c
-+++ b/checkpolicy/checkpolicy.c
-@@ -402,7 +402,7 @@ int main(int argc, char **argv)
- {"binary", no_argument, NULL, 'b'},
- {"debug", no_argument, NULL, 'd'},
- {"version", no_argument, NULL, 'V'},
-- {"handle-unknown", optional_argument, NULL, 'U'},
-+ {"handle-unknown", required_argument, NULL, 'U'},
- {"mls", no_argument, NULL, 'M'},
- {"help", no_argument, NULL, 'h'},
- {NULL, 0, NULL, 0}
-diff --git a/checkpolicy/policy_scan.l b/checkpolicy/policy_scan.l
-index bba7667..ab046cc 100644
---- a/checkpolicy/policy_scan.l
-+++ b/checkpolicy/policy_scan.l
-@@ -240,7 +240,7 @@ HIGH { return(HIGH); }
- low |
- LOW { return(LOW); }
- "/"({alnum}|[_\.\-/])* { return(PATH); }
--\"({alnum}|[_\.\-\+\~])+\" { return(FILENAME); }
-+\"({alnum}|[_\.\-\+\~\: ])+\" { return(FILENAME); }
- {letter}({alnum}|[_\-])*([\.]?({alnum}|[_\-]))* { return(IDENTIFIER); }
- {alnum}*{letter}{alnum}* { return(FILESYSTEM); }
- {digit}+|0x{hexval}+ { return(NUMBER); }
-diff --git a/checkpolicy/test/Makefile b/checkpolicy/test/Makefile
-index 0731e89..63b4d24 100644
---- a/checkpolicy/test/Makefile
-+++ b/checkpolicy/test/Makefile
-@@ -3,7 +3,7 @@
- #
- PREFIX ?= $(DESTDIR)/usr
- BINDIR=$(PREFIX)/bin
--LIBDIR=$(PREFIX)/lib
-+LIBDIR ?= $(PREFIX)/lib
- INCLUDEDIR ?= $(PREFIX)/include
- 
- CFLAGS ?= -g -Wall -W -Werror -O2 -pipe
diff --git a/SOURCES/checkpolicy-rhel.patch b/SOURCES/checkpolicy-rhel.patch
new file mode 100644
index 0000000..4b922a1
--- /dev/null
+++ b/SOURCES/checkpolicy-rhel.patch
@@ -0,0 +1,198 @@
+diff --git checkpolicy-2.5/Android.mk checkpolicy-2.5/Android.mk
+index 98f5168..3b7ff8a 100644
+--- checkpolicy-2.5/Android.mk
++++ checkpolicy-2.5/Android.mk
+@@ -12,10 +12,6 @@ common_cflags := \
+ -Wall -Wshadow -O2 \
+ -pipe -fno-strict-aliasing \
+ 
+-ifeq ($(HOST_OS),darwin)
+-common_cflags += -DDARWIN
+-endif
+-
+ common_includes := \
+ $(LOCAL_PATH)/ \
+ $(LOCAL_PATH)/../libsepol/include/ \
+diff --git checkpolicy-2.5/ChangeLog checkpolicy-2.5/ChangeLog
+index dfe4908..f2216ec 100644
+--- checkpolicy-2.5/ChangeLog
++++ checkpolicy-2.5/ChangeLog
+@@ -1,3 +1,11 @@
++ * Extend checkpolicy pathname matching, from Stephen Smalley.
++ * Fix typos in test/dispol, from Petr Lautrbach.
++ * Set flex as default lexer, from Julien Pivotto.
++ * Fix checkmodule output message, from Petr Lautrbach.
++ * Build policy on systems not supporting DCCP protocol, from Richard Haines.
++ * Fail if module name different than output base filename, from James Carter
++ * Add support for portcon dccp protocol, from Richard Haines
++
+ 2.5 2016-02-23
+ * Add neverallow support for ioctl extended permissions, from Jeff Vander Stoep.
+ * fix double free on name-based type transitions, from Stephen Smalley.
+diff --git checkpolicy-2.5/Makefile checkpolicy-2.5/Makefile
+index e5fae3d..53a3074 100644
+--- checkpolicy-2.5/Makefile
++++ checkpolicy-2.5/Makefile
+@@ -8,6 +8,7 @@ LIBDIR ?= $(PREFIX)/lib
+ INCLUDEDIR ?= $(PREFIX)/include
+ TARGETS = checkpolicy checkmodule
+ 
++LEX = flex
+ YACC = bison -y
+ 
+ CFLAGS ?= -g -Wall -Werror -Wshadow -O2 -pipe -fno-strict-aliasing
+diff --git checkpolicy-2.5/checkmodule.c checkpolicy-2.5/checkmodule.c
+index 5957d29..53cc5a0 100644
+--- checkpolicy-2.5/checkmodule.c
++++ checkpolicy-2.5/checkmodule.c
+@@ -19,6 +19,7 @@
+ #include
+ #include
+ #include
++#include
+ 
+ #include
+ #include
+@@ -258,6 +259,25 @@ int main(int argc, char **argv)
+ }
+ }
+ 
++ if (policy_type != POLICY_BASE && outfile) {
++ char *mod_name = modpolicydb.name;
++ char *out_path = strdup(outfile);
++ if (out_path == NULL) {
++ fprintf(stderr, "%s: out of memory\n", argv[0]);
++ exit(1);
++ }
++ char *out_name = basename(out_path);
++ char *separator = strrchr(out_name, '.');
++ if (separator) {
++ *separator = '\0';
++ }
++ if (strcmp(mod_name, out_name) != 0) {
++ fprintf(stderr, "%s: Module name %s is different than the output base filename %s\n", argv[0], mod_name, out_name);
++ exit(1);
++ }
++ free(out_path);
++ }
++
+ if (modpolicydb.policy_type == POLICY_BASE && !cil) {
+ /* Verify that we can successfully expand the base module. */
+ policydb_t kernpolicydb;
+@@ -294,7 +314,7 @@ int main(int argc, char **argv)
+ 
+ if (!cil) {
+ printf("%s: writing binary representation (version %d) to %s\n",
+- argv[0], policyvers, file);
++ argv[0], policyvers, outfile);
+ 
+ if (write_binary_policy(&modpolicydb, outfp) != 0) {
+ fprintf(stderr, "%s: error writing %s\n", argv[0], outfile);
+diff --git checkpolicy-2.5/checkpolicy.c checkpolicy-2.5/checkpolicy.c
+index 9da661e..2d68316 100644
+--- checkpolicy-2.5/checkpolicy.c
++++ checkpolicy-2.5/checkpolicy.c
+@@ -64,13 +64,16 @@
+ #include
+ #include
+ #include
++#ifndef IPPROTO_DCCP
++#define IPPROTO_DCCP 33
++#endif
+ #include
+ #include
+ #include
+ #include
+ #include
+ 
+-#ifdef DARWIN
++#ifdef __APPLE__
+ #include
+ #endif
+ 
+@@ -919,6 +922,8 @@ int main(int argc, char **argv)
+ protocol = IPPROTO_TCP;
+ else if (!strcmp(ans, "udp") || !strcmp(ans, "UDP"))
+ protocol = IPPROTO_UDP;
++ else if (!strcmp(ans, "dccp") || !strcmp(ans, "DCCP"))
++ protocol = IPPROTO_DCCP;
+ else {
+ printf("unknown protocol\n");
+ break;
+diff --git checkpolicy-2.5/policy_define.c checkpolicy-2.5/policy_define.c
+index ee20fea..100e517 100644
+--- checkpolicy-2.5/policy_define.c
++++ checkpolicy-2.5/policy_define.c
+@@ -36,6 +36,9 @@
+ #include
+ #include
+ #include
++#ifndef IPPROTO_DCCP
++#define IPPROTO_DCCP 33
++#endif
+ #include
+ #include
+ #include
+@@ -4876,6 +4879,8 @@ int define_port_context(unsigned int low, unsigned int high)
+ protocol = IPPROTO_TCP;
+ } else if ((strcmp(id, "udp") == 0) || (strcmp(id, "UDP") == 0)) {
+ protocol = IPPROTO_UDP;
++ } else if ((strcmp(id, "dccp") == 0) || (strcmp(id, "DCCP") == 0)) {
++ protocol = IPPROTO_DCCP;
+ } else {
+ yyerror2("unrecognized protocol %s", id);
+ free(newc);
+@@ -5135,7 +5140,7 @@ int define_ipv6_node_context(void)
+ 
+ memset(newc, 0, sizeof(ocontext_t));
+ 
+-#ifdef DARWIN
++#ifdef __APPLE__
+ memcpy(&newc->u.node6.addr[0], &addr.s6_addr[0], 16);
+ memcpy(&newc->u.node6.mask[0], &mask.s6_addr[0], 16);
+ #else
+diff --git checkpolicy-2.5/policy_scan.l checkpolicy-2.5/policy_scan.l
+index 22da338..2f7f221 100644
+--- checkpolicy-2.5/policy_scan.l
++++ checkpolicy-2.5/policy_scan.l
+@@ -249,9 +249,9 @@ high |
+ HIGH { return(HIGH); }
+ low |
+ LOW { return(LOW); }
+-"/"({alnum}|[_\.\-/])* { return(PATH); }
+-\""/"[ !#-~]*\" { return(QPATH); }
+-\"({alnum}|[_\.\-\+\~\: ])+\" { return(FILENAME); }
++"/"[^ \n\r\t\f]* { return(PATH); }
++\""/"[^\"\n]*\" { return(QPATH); }
++\"[^"/"\"\n]+\" { return(FILENAME); }
+ {letter}({alnum}|[_\-])*([\.]?({alnum}|[_\-]))* { return(IDENTIFIER); }
+ {digit}+|0x{hexval}+ { return(NUMBER); }
+ {alnum}*{letter}{alnum}* { return(FILESYSTEM); }
+diff --git checkpolicy-2.5/test/dispol.c checkpolicy-2.5/test/dispol.c
+index 86f5688..a78ce81 100644
+--- checkpolicy-2.5/test/dispol.c
++++ checkpolicy-2.5/test/dispol.c
+@@ -252,11 +252,11 @@ int display_cond_expressions(policydb_t * p, FILE * fp)
+ int display_handle_unknown(policydb_t * p, FILE * out_fp)
+ {
+ if (p->handle_unknown == ALLOW_UNKNOWN)
+- fprintf(out_fp, "Allow unknown classes and permisions\n");
++ fprintf(out_fp, "Allow unknown classes and permissions\n");
+ else if (p->handle_unknown == DENY_UNKNOWN)
+- fprintf(out_fp, "Deny unknown classes and permisions\n");
++ fprintf(out_fp, "Deny unknown classes and permissions\n");
+ else if (p->handle_unknown == REJECT_UNKNOWN)
+- fprintf(out_fp, "Reject unknown classes and permisions\n");
++ fprintf(out_fp, "Reject unknown classes and permissions\n");
+ return 0;
+ }
+ 
+@@ -349,7 +349,7 @@ int menu(void)
+ printf("\nSelect a command:\n");
+ printf("1) display unconditional AVTAB\n");
+ printf("2) display conditional AVTAB (entirely)\n");
+- printf("3) display conditional AVTAG (only ENABLED rules)\n");
++ printf("3) display conditional AVTAB (only ENABLED rules)\n");
+ printf("4) display conditional AVTAB (only DISABLED rules)\n");
+ printf("5) display conditional bools\n");
+ printf("6) display conditional expressions\n");
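Review bot: In the checkmodule.c hunk (`@@ -258,6 +259,25 @@`) the new `strcmp(mod_name, out_name)` dereferences `modpolicydb.name` with no NULL check; this rendering does not show where the name is assigned, so if a non-base module can reach this point without one, the check crashes instead of rejecting, and a guard such as `if (mod_name == NULL || strcmp(mod_name, out_name) != 0)` with the message printing `mod_name ? mod_name : "(unnamed)"` would fail closed. The `strrchr(out_name, '.')` truncation strips only the last extension, so an output path containing two dots is compared against its middle component; a one-line comment stating that the base filename is everything before the last dot would make that intended behaviour explicit. The `#ifndef IPPROTO_DCCP` fallbacks in checkpolicy.c and policy_define.c sit among `#include` lines whose header names are lost in this rendering; if a fallback precedes the header that declares `IPPROTO_DCCP` as an enumerator, the macro would expand inside that enum, so their placement after `<netinet/in.h>` should be confirmed. `main` in checkmodule.c begins and ends outside the hunk.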
diff --git a/SPECS/checkpolicy.spec b/SPECS/checkpolicy.spec index 40162a4..a8fa080 100644 --- a/SPECS/checkpolicy.spec +++ b/SPECS/checkpolicy.spec @@ -1,13 +1,14 @@ -%define libselinuxver 2.1.13-1 -%define libsepolver 2.1.9-1 +%define libselinuxver 2.5-5 +%define libsepolver 2.5-6 Summary: SELinux policy compiler Name: checkpolicy -Version: 2.1.12 -Release: 6%{?dist} +Version: 2.5 +Release: 4%{?dist} License: GPLv2 Group: Development/System -Source: http://www.nsa.gov/selinux/archives/%{name}-%{version}.tgz -Patch: checkpolicy-rhat.patch +Source: https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20160223/checkpolicy-2.5.tar.gz +# HEAD e7ab0f8b86a3f6234f264d3bf98ccfb070ebaca7 +Patch1: checkpolicy-rhel.patch BuildRoot: %{_tmppath}/%{name}-buildroot BuildRequires: byacc bison flex flex-static libsepol-static >= %{libsepolver} libselinux-devel >= %{libselinuxver} @@ -27,8 +28,8 @@ This package contains checkpolicy, the SELinux policy compiler. Only required for building policies. %prep -%setup -q -%patch -p2 -b .rhat +%setup -q -n checkpolicy-2.5 +%patch1 -p1 -b .rhel %build make clean @@ -48,6 +49,8 @@ rm -rf ${RPM_BUILD_ROOT} %files %defattr(-,root,root) +%{!?_licensedir:%global license %%doc} +%license COPYING %{_bindir}/checkpolicy %{_bindir}/checkmodule %{_mandir}/man8/checkpolicy.8.gz @@ -56,6 +59,22 @@ rm -rf ${RPM_BUILD_ROOT} %{_bindir}/sedispol %changelog +* Thu Aug 11 2016 Petr Lautrbach 2.5-4 +- Extend checkpolicy pathname matching + +* Mon Jun 27 2016 Petr Lautrbach - 2.5-3 +- Fix typos in test/dispol +- Set flex as default lexer +- Fix checkmodule output message +- Build policy on systems not supporting DCCP protocol +- Fail if module name different than output base filename + +* Mon Apr 11 2016 Petr Lautrbach - 2.5-2 +- Add support for portcon dccp protocol + +* Tue Feb 23 2016 Petr Lautrbach 2.5-1 +- Update to upstream release 2016-02-23 + * Fri Jan 24 2014 Daniel Mach - 2.1.12-6 - Mass rebuild 2014-01-24