
setools add all patches

Signed-off-by: basebuilder_pel7ppc64bebuilder0 <basebuilder@powerel.org>
basebuilder_pel7ppc64bebuilder0 7 years ago
parent
commit
41f3afef4c
  1. 35
      SOURCES/0001-libqpol-Do-not-fail-on-neverallow-rule-query.patch
  2. 34
      SOURCES/0002-Fix-sepol-calls-to-work-with-latest-libsepol.patch
  3. 97
      SOURCES/0004-Apply-selinux_current_policy_path-patch.patch
  4. 24
      SOURCES/0005-Apply-seaudit-patch-for-progress.c.patch
  5. 39
      SOURCES/0006-Add-support-for-boolean-subs.patch
  6. 207
      SOURCES/0007-Setools-noship.patch
  7. 92
      SOURCES/0008-Add-alias-support-to-seinfo-t.patch
  8. 258
      SOURCES/0009-Fix-help-message-on-sesearch-D.patch
  9. 154
      SOURCES/0011-Fix-Wformat-security-issues.patch
  10. 29
      SOURCES/0013-libqpol-Skip-types-when-building-type-attribute-map.patch

35
SOURCES/0001-libqpol-Do-not-fail-on-neverallow-rule-query.patch

@ -0,0 +1,35 @@ @@ -0,0 +1,35 @@
From b00d11c941b689fbf3441e80b318c6a05c6657e4 Mon Sep 17 00:00:00 2001
From: Vit Mojzis <vmojzis@redhat.com>
Date: Thu, 19 Oct 2017 15:17:21 +0200
Subject: [PATCH] libqpol: Do not fail on neverallow rule query

Drawing upon the conclusion from:

77bd0f2103e8f02f02ba75dd5fd5ceb263d4f878
No need to take into account the policy capabilities in sesearch code,
the lower levels in the library handle it correctly. (fixes Fedora
bug #526460)
---
libqpol/src/avrule_query.c | 6 ------
1 file changed, 6 deletions(-)

diff --git a/libqpol/src/avrule_query.c b/libqpol/src/avrule_query.c
index 749565b..c2dd010 100644
--- a/libqpol/src/avrule_query.c
+++ b/libqpol/src/avrule_query.c
@@ -55,12 +55,6 @@ int qpol_policy_get_avrule_iter(const qpol_policy_t * policy, uint32_t rule_type
}
#endif
- if ((rule_type_mask & QPOL_RULE_NEVERALLOW) && !qpol_policy_has_capability(policy, QPOL_CAP_NEVERALLOW)) {
- ERR(policy, "%s", "Cannot get avrules: Neverallow rules requested but not available");
- errno = ENOTSUP;
- return STATUS_ERR;
- }
-
db = &policy->p->p;
state = calloc(1, sizeof(avtab_state_t));
--
2.9.4
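Review bot: With the guard at the removed lines gone, a query that sets QPOL_RULE_NEVERALLOW on a policy without neverallow support no longer returns STATUS_ERR with errno = ENOTSUP; it falls straight through to `db = &policy->p->p;` and the avtab walk, so callers that relied on that error now get whatever the lower layer yields. The commit message says the lower layers handle this correctly, but nothing in the hunk records that, and the next reader will see an unguarded request for a capability-dependent rule type. Consider leaving a one-line comment where the check was, e.g. `/* no QPOL_CAP_NEVERALLOW check here: the avtab walk below copes with policies that lack neverallow rules (see 77bd0f2) */`. qpol_policy_get_avrule_iter begins and ends outside the hunk, so the callers' expectations about errno could not be verified from here.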

34
SOURCES/0002-Fix-sepol-calls-to-work-with-latest-libsepol.patch

@ -0,0 +1,34 @@ @@ -0,0 +1,34 @@
From 0332c009bd0581ab9a75a4ea80af92bb2d6b8b1f Mon Sep 17 00:00:00 2001
From: Dan Walsh <dwalsh@redhat.com>
Date: Tue, 20 Sep 2011 15:46:38 -0400
Subject: [PATCH 02/11] Fix sepol calls to work with latest libsepol

---
configure.ac | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/configure.ac b/configure.ac
index 577ce48..2a5b55b 100644
--- a/configure.ac
+++ b/configure.ac
@@ -521,7 +521,7 @@ else
[AC_LANG_SOURCE([
#include <sepol/policydb/expand.h>
int main () {
- return role_set_expand(NULL, NULL, NULL, NULL);
+ return role_set_expand(NULL, NULL, NULL, NULL, NULL);
}])],
sepol_new_user_role_mapping="yes",
sepol_new_user_role_mapping="no")
@@ -578,7 +578,7 @@ if test ${sepol_check_boolmap} = "yes"; then
[AC_LANG_SOURCE([
#include <sepol/policydb/expand.h>
int main () {
- return expand_module_avrules(NULL, NULL, NULL, NULL, NULL, 0, 0);
+ return expand_module_avrules(NULL, NULL, NULL, NULL, NULL, 0, 0, 0, 0);
}])],
AC_MSG_RESULT([yes]),
AC_MSG_ERROR([this version of libsepol is incompatible with SETools]))
--
1.8.5.3

97
SOURCES/0004-Apply-selinux_current_policy_path-patch.patch

@ -0,0 +1,97 @@ @@ -0,0 +1,97 @@
From 85a12d481d664120865b46cd1c4c325307179471 Mon Sep 17 00:00:00 2001
From: Miroslav Grepl <mgrepl@redhat.com>
Date: Fri, 11 Apr 2014 10:53:54 +0200
Subject: [PATCH 04/11] Apply selinux_current_policy_path patch

---
libqpol/src/util.c | 73 ++++--------------------------------------------------
1 file changed, 5 insertions(+), 68 deletions(-)

diff --git a/libqpol/src/util.c b/libqpol/src/util.c
index 7c49876..8f74b2b 100644
--- a/libqpol/src/util.c
+++ b/libqpol/src/util.c
@@ -84,75 +84,12 @@ static int get_binpol_version(const char *policy_fname)
static int search_policy_binary_file(char **path)
{
- const char *binary_path;
- if ((binary_path = selinux_binary_policy_path()) == NULL) {
- return -1;
- }
-
- int expected_version = -1, latest_version = -1;
-#ifdef LIBSELINUX
- /* if the system has SELinux enabled, prefer the policy whose
- name matches the current policy version */
- if ((expected_version = security_policyvers()) < 0) {
- return -1;
- }
-#endif
-
- glob_t glob_buf;
- struct stat fs;
- int rt, error = 0, retval = -1;
- size_t i;
- char *pattern = NULL;
- if (asprintf(&pattern, "%s.*", binary_path) < 0) {
- return -1;
- }
- glob_buf.gl_offs = 1;
- glob_buf.gl_pathc = 0;
- rt = glob(pattern, GLOB_DOOFFS, NULL, &glob_buf);
- if (rt != 0 && rt != GLOB_NOMATCH) {
- errno = EIO;
- return -1;
- }
-
- for (i = 0; i < glob_buf.gl_pathc; i++) {
- char *p = glob_buf.gl_pathv[i + glob_buf.gl_offs];
- if (stat(p, &fs) != 0) {
- error = errno;
- goto cleanup;
- }
- if (S_ISDIR(fs.st_mode))
- continue;
-
- if ((rt = get_binpol_version(p)) < 0) {
- error = errno;
- goto cleanup;
- }
-
- if (rt > latest_version || rt == expected_version) {
- free(*path);
- if ((*path = strdup(p)) == NULL) {
- error = errno;
- goto cleanup;
- }
- if (rt == expected_version) {
- break;
- }
- latest_version = rt;
- }
- }
-
- if (*path == NULL) {
- retval = 1;
- } else {
- retval = 0;
- }
- cleanup:
- free(pattern);
- globfree(&glob_buf);
- if (retval == -1) {
- errno = error;
+ const char *binary_path = selinux_current_policy_path();
+ if (binary_path) {
+ *path = strdup(binary_path);
+ if (*path) return 0;
}
- return retval;
+ return -1;
}
int qpol_default_policy_find(char **path)
--
1.8.5.3
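Review bot: The rewritten search_policy_binary_file returns -1 both when selinux_current_policy_path() yields NULL and when strdup() fails, and in the first case errno is left untouched, whereas the removed code set errno on every -1 path and returned 1 for "no policy found"; qpol_default_policy_find (declared right after the hunk, body not visible) presumably reports via errno and distinguishes the two outcomes, so it may now print a stale error. The new code also assigns `*path` without the `free(*path)` the old loop did, which leaks if a caller passes a non-NULL `*path` — I could not confirm from here whether any does. Suggested shape: `if (binary_path == NULL) return 1;` before the strdup, then `free(*path); *path = strdup(binary_path); return *path ? 0 : -1;` so strdup's own errno is preserved. The old code also guarded its libselinux call with `#ifdef LIBSELINUX`; the new unconditional call to selinux_current_policy_path() should be fine if libselinux is now mandatory, otherwise that guard needs to come back.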

24
SOURCES/0005-Apply-seaudit-patch-for-progress.c.patch

@ -0,0 +1,24 @@ @@ -0,0 +1,24 @@
From ba8e76cd514e8ce92a48931963e97fe79589a71a Mon Sep 17 00:00:00 2001
From: Miroslav Grepl <mgrepl@redhat.com>
Date: Fri, 11 Apr 2014 11:12:37 +0200
Subject: [PATCH 05/11] Apply seaudit patch for progress.c

---
libqpol/swig/java/Makefile.am | 1 -
1 file changed, 1 deletion(-)

diff --git a/libqpol/swig/java/Makefile.am b/libqpol/swig/java/Makefile.am
index a25eacb..533b55a 100644
--- a/libqpol/swig/java/Makefile.am
+++ b/libqpol/swig/java/Makefile.am
@@ -48,7 +48,6 @@ BUILT_SOURCES = qpol_wrap.c \
qpol_type_t.java \
qpol_user_t.java \
qpol_validatetrans_t.java \
- SWIGTYPE_p_int.java \
SWIGTYPE_p_unsigned_int.java \
SWIGTYPE_p_void.java
--
1.8.5.3

39
SOURCES/0006-Add-support-for-boolean-subs.patch

@ -0,0 +1,39 @@ @@ -0,0 +1,39 @@
From 61d3d40e791a4ac392930f11785e4057f67a5b09 Mon Sep 17 00:00:00 2001
From: Miroslav Grepl <mgrepl@redhat.com>
Date: Fri, 11 Apr 2014 11:14:50 +0200
Subject: [PATCH 06/11] Add support for boolean subs

---
secmds/seinfo.c | 2 +-
secmds/sesearch.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/secmds/seinfo.c b/secmds/seinfo.c
index a970890..54b2a6a 100644
--- a/secmds/seinfo.c
+++ b/secmds/seinfo.c
@@ -1720,7 +1720,7 @@ int main(int argc, char **argv)
case 'b': /* conditional booleans */
bools = 1;
if (optarg != 0)
- bool_name = optarg;
+ bool_name = selinux_boolean_sub(optarg);
break;
case OPT_INITIALSID:
isids = 1;
diff --git a/secmds/sesearch.c b/secmds/sesearch.c
index 387d526..e1436a7 100644
--- a/secmds/sesearch.c
+++ b/secmds/sesearch.c
@@ -1067,7 +1067,7 @@ int main(int argc, char **argv)
printf("Missing boolean for -b (--bool)\n");
exit(1);
}
- cmd_opts.bool_name = strdup(optarg);
+ cmd_opts.bool_name = strdup(selinux_boolean_sub(optarg));
if (!cmd_opts.bool_name) {
fprintf(stderr, "%s\n", strerror(errno));
exit(1);
--
1.8.5.3
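Review bot: selinux_boolean_sub() returns a newly allocated string (or NULL on allocation failure), so in sesearch.c `cmd_opts.bool_name = strdup(selinux_boolean_sub(optarg));` copies an already-heap-allocated buffer, leaks the first one, and passes NULL to strdup() when the call fails, which is undefined behaviour; since bool_name is already freed at exit (see the `free(cmd_opts.bool_name)` context in patch 0009), `cmd_opts.bool_name = selinux_boolean_sub(optarg);` alone is enough and the existing NULL check then covers the failure. In seinfo.c the same call feeds `bool_name` with no NULL check at all; a `if (!bool_name) { fprintf(stderr, "%s\n", strerror(errno)); exit(1); }` after it would match sesearch's handling. As far as this page shows, `<selinux/selinux.h>` is only added to seinfo.c in patch 0008 and to sesearch.c in patch 0009, so at this point in the series both calls would compile as implicit int-returning declarations — worth confirming the include order in the build.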

207
SOURCES/0007-Setools-noship.patch

@ -0,0 +1,207 @@ @@ -0,0 +1,207 @@
From a39d0831d654292fb2a1f7b9ee18ecc9239f610f Mon Sep 17 00:00:00 2001
From: Miroslav Grepl <mgrepl@redhat.com>
Date: Fri, 11 Apr 2014 18:38:34 +0200
Subject: [PATCH 07/11] Setools noship

---
Makefile.am | 26 +++-----------------------
configure.ac | 2 +-
man/Makefile.am | 15 +++------------
seaudit/Makefile.am | 31 +++----------------------------
secmds/Makefile.am | 14 +-------------
sediff/Makefile.am | 32 ++------------------------------
6 files changed, 13 insertions(+), 107 deletions(-)

diff --git a/Makefile.am b/Makefile.am
index 176c8ea..4cac386 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -78,9 +70,9 @@ install-logwatch:
$(MAKE) -C $(top_srcdir)/seaudit install-logwatch
.PHONY: libqpol libapol libpoldiff libsefs libseaudit \
- apol secmds seaudit sediff sediffx sechecker \
+ apol secmds seaudit sediff sechecker\
install-logwatch help \
- seinfo sesearch indexcon findcon replcon searchcon \
+ seinfo sesearch findcon \
packages
seinfo: libqpol libapol
diff --git a/configure.ac b/configure.ac
index 2a5b55b..5b1da5e 100644
--- a/configure.ac
+++ b/configure.ac
@@ -63,7 +63,7 @@ if test ${ac_cv_prog_cc_c99} = "no"; then
fi
AC_PROG_CXX
AC_LANG([C])
-AC_PROG_LIBTOOL
+AC_PROG_RANLIB
AC_PROG_LN_S
AC_PROG_LEX
AC_PROG_YACC
diff --git a/man/Makefile.am b/man/Makefile.am
index 0fafccb..f88e00a 100644
--- a/man/Makefile.am
+++ b/man/Makefile.am
@@ -1,19 +1,10 @@
if BUILD_GUI
MAYBEMANS = apol.1 \
- seaudit.8 seaudit-report.8 \
- sediffx.1
+ seaudit.8
endif
EXTRA_DIST=$(man_MANS) apol.1 \
- seaudit.8 seaudit-report.8.in \
- sediffx.1
+ seaudit.8
-man_MANS = findcon.1 indexcon.1 replcon.1 \
- sechecker.1 \
- sediff.1 \
+man_MANS = findcon.1 sediff.1 sechecker.1 \
seinfo.1 sesearch.1 $(MAYBEMANS)
-
-seaudit-report.8: seaudit-report.8.in Makefile
- sed -e 's|\@setoolsdir\@|$(setoolsdir)|g' $< > $@
-
-CLEANFILES = seaudit-report.8
diff --git a/seaudit/Makefile.am b/seaudit/Makefile.am
index 1987c99..3fa4413 100644
--- a/seaudit/Makefile.am
+++ b/seaudit/Makefile.am
@@ -1,5 +1,4 @@
setoolsdir = @setoolsdir@
-bin_PROGRAMS = seaudit-report
sbin_PROGRAMS = seaudit
AM_CFLAGS = @DEBUGCFLAGS@ @WARNCFLAGS@ @PROFILECFLAGS@ @SELINUX_CFLAGS@ \
@@ -20,13 +19,10 @@ LDADD = @SELINUX_LIB_FLAG@ @SEAUDIT_LIB_FLAG@ @APOL_LIB_FLAG@ @QPOL_LIB_FLAG@
dist_setools_DATA = \
seaudit.glade \
seaudit_help.txt \
- seaudit-report.conf \
- seaudit-report.css \
seaudit.png seaudit-small.png
nodist_setools_DATA = \
- dot_seaudit \
- seaudit-report-service
+ dot_seaudit
seaudit_SOURCES = \
filter_view.c filter_view.h \
@@ -50,31 +46,12 @@ seaudit_DEPENDENCIES = $(top_builddir)/libseaudit/src/libseaudit.so \
dot_seaudit: dot_seaudit.in Makefile
sed -e 's|\@setoolsdir\@|$(setoolsdir)|g' $< > $@
-seaudit_report_SOURCES = seaudit-report.c
-seaudit_report_DEPENDENCIES = $(top_builddir)/libseaudit/src/libseaudit.so \
- $(top_builddir)/libapol/src/libapol.so \
- $(top_builddir)/libqpol/src/libqpol.so
-
logwatch = $(DESTDIR)/etc/logwatch
LOGWATCH_GROUP = $(logwatch)/conf/logfiles
LOGWATCH_SERVICE = $(logwatch)/conf/services
LOGWATCH_FILTER = $(logwatch)/scripts/services
-dist_noinst_DATA = dot_seaudit.in \
- seaudit-report-group.conf \
- seaudit-report-service.conf \
- seaudit-report-service.in
-
-seaudit-report-service: seaudit-report-service.in Makefile
- sed -e 's|\@bindir\@|$(bindir)|g' $< > $@
-
-install-logwatch: $(dist_noinst_DATA) seaudit-report-service
- mkdir -p -- $(LOGWATCH_GROUP)
- install -m 644 seaudit-report-group.conf $(LOGWATCH_GROUP)
- mkdir -p -- $(LOGWATCH_SERVICE)
- install -m 644 seaudit-report-service.conf $(LOGWATCH_SERVICE)
- mkdir -p -- $(LOGWATCH_FILTER)
- install -m 755 seaudit-report-service $(LOGWATCH_FILTER)
+dist_noinst_DATA = dot_seaudit.in
$(top_builddir)/libapol/src/libapol.so:
$(MAKE) -C $(top_builddir)/libapol/src $(notdir $@)
@@ -85,6 +62,4 @@ $(top_builddir)/libqpol/src/libqpol.so:
$(top_builddir)/libsefs/src/libsefs.so:
$(MAKE) -C $(top_builddir)/libsefs/src $(notdir $@)
-.PHONY: install-logwatch
-
-CLEANFILES = dot_seaudit seaudit-report-service
+CLEANFILES = dot_seaudit
diff --git a/secmds/Makefile.am b/secmds/Makefile.am
index ddc88b1..7fa4364 100644
--- a/secmds/Makefile.am
+++ b/secmds/Makefile.am
@@ -1,6 +1,6 @@
# various setools command line tools
-bin_PROGRAMS = seinfo sesearch findcon replcon indexcon
+bin_PROGRAMS = seinfo sesearch findcon
# These are for indexcon so that it is usable on machines without setools
STATICLIBS = ../libsefs/src/libsefs.a ../libapol/src/libapol.a ../libqpol/src/libqpol.a -lsqlite3
diff --git a/sediff/Makefile.am b/sediff/Makefile.am
index 3f53cd3..2d9ce84 100644
--- a/sediff/Makefile.am
+++ b/sediff/Makefile.am
@@ -1,13 +1,6 @@
setoolsdir = @setoolsdir@
-dist_setools_DATA = sediff_help.txt sediffx.glade \
- sediffx.png sediffx-small.png
-
-if BUILD_GUI
- MAYBE_SEDIFFX = sediffx
-endif
-
-bin_PROGRAMS = sediff $(MAYBE_SEDIFFX)
+bin_PROGRAMS = sediff
AM_CFLAGS = @DEBUGCFLAGS@ @WARNCFLAGS@ @PROFILECFLAGS@ @SELINUX_CFLAGS@ \
@QPOL_CFLAGS@ @APOL_CFLAGS@ @POLDIFF_CFLAGS@
@@ -15,14 +8,7 @@ AM_LDFLAGS = @DEBUGLDFLAGS@ @WARNLDFLAGS@ @PROFILELDFLAGS@
LDADD = @SELINUX_LIB_FLAG@ @POLDIFF_LIB_FLAG@ @APOL_LIB_FLAG@ @QPOL_LIB_FLAG@
-sediff_CFLAGS = $(AM_CFLAGS)
-sediffx_CFLAGS = $(AM_CFLAGS) \
- @GTK_CFLAGS@ @PIXBUF_CFLAGS@ @GLADE_CFLAGS@ @GTHREAD_CFLAGS@
-
-# need the -rdynamic flag below - glade uses dlopen() upon sediffx callbacks
-sediffx_LDFLAGS = $(AM_LDFLAGS) \
- @GTK_LIBS@ @PIXBUF_LIBS@ @GLADE_LIBS@ @GTHREAD_LIBS@ @XML_LIBS@ \
- -rdynamic
+sediff_CFLAGS = $(AM_CFLAGS)
DEPENDENCIES = $(top_builddir)/libpoldiff/src/libpoldiff.so \
$(top_builddir)/libapol/src/libapol.so \
@@ -30,20 +16,6 @@ DEPENDENCIES = $(top_builddir)/libpoldiff/src/libpoldiff.so \
sediff_SOURCES = sediff.c
-sediffx_SOURCES = \
- find_dialog.c find_dialog.h \
- open_policies_dialog.c open_policies_dialog.h \
- policy_view.c policy_view.h \
- progress.c progress.h \
- remap_types_dialog.c remap_types_dialog.h \
- result_item.c result_item.h \
- result_item_render.c result_item_render.h \
- results.c results.h \
- select_diff_dialog.c select_diff_dialog.h \
- toplevel.c toplevel.h \
- utilgui.c utilgui.h \
- sediffx.c sediffx.h
-
$(top_builddir)/libpoldiff/src/libpoldiff.so:
$(MAKE) -C $(top_builddir)/libpoldiff/src $(notdir $@)
--
1.8.5.3
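Review bot: The seaudit/Makefile.am hunk deletes the `install-logwatch:` target and its `.PHONY` entry, but the top-level Makefile.am hunk keeps `install-logwatch:` running `$(MAKE) -C $(top_srcdir)/seaudit install-logwatch` and still lists it in `.PHONY`, so `make install-logwatch` at the top level now fails with "No rule to make target". Either drop the top-level target and its `.PHONY` word as well, or keep a no-op target in seaudit/Makefile.am. In secmds/Makefile.am the comment `# These are for indexcon so that it is usable on machines without setools` and the `STATICLIBS` line below it are kept after indexcon is removed from `bin_PROGRAMS`; if nothing else consumes `STATICLIBS` (its uses are outside the hunk) both lines should go, otherwise the comment needs rewording.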

92
SOURCES/0008-Add-alias-support-to-seinfo-t.patch

@ -0,0 +1,92 @@ @@ -0,0 +1,92 @@
From 1136e61a9839ad3b60eb2da4d624413c02545c7d Mon Sep 17 00:00:00 2001
From: Miroslav Grepl <mgrepl@redhat.com>
Date: Fri, 11 Apr 2014 18:42:27 +0200
Subject: [PATCH 08/11] Add alias support to seinfo -t

---
secmds/seinfo.c | 48 ++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 48 insertions(+)

diff --git a/secmds/seinfo.c b/secmds/seinfo.c
index 54b2a6a..1878c49 100644
--- a/secmds/seinfo.c
+++ b/secmds/seinfo.c
@@ -46,6 +46,7 @@
#include <string.h>
#include <assert.h>
#include <getopt.h>
+#include <selinux/selinux.h>
#define COPYRIGHT_INFO "Copyright (C) 2003-2007 Tresys Technology, LLC"
@@ -54,6 +55,7 @@
static char *policy_file = NULL;
+static void print_type_aliases(FILE * fp, const qpol_type_t * type_datum, const apol_policy_t * policydb);
static int print_type_attrs(FILE * fp, const qpol_type_t * type_datum, const apol_policy_t * policydb, const int expand);
static int print_attr_types(FILE * fp, const qpol_type_t * type_datum, const apol_policy_t * policydb, const int expand);
static int print_user_roles(FILE * fp, const qpol_user_t * user_datum, const apol_policy_t * policydb, const int expand);
@@ -514,6 +516,7 @@ static int print_types(FILE * fp, const char *name, int expand, const apol_polic
goto cleanup;
if (print_type_attrs(fp, type_datum, policydb, expand))
goto cleanup;
+ print_type_aliases(fp, type_datum, policydb);
} else {
if (qpol_policy_get_type_iter(q, &iter))
goto cleanup;
@@ -1912,6 +1915,51 @@ int main(int argc, char **argv)
}
/**
+ * Prints the alias of a type.
+ *
+ * @param fp Reference to a file to which to print type information
+ * @param type_datum Reference to sepol type_datum
+ * @param policydb Reference to a policy
+ * attributes
+ */
+static void print_type_aliases(FILE * fp, const qpol_type_t * type_datum, const apol_policy_t * policydb)
+{
+ qpol_iterator_t *iter = NULL;
+ size_t alias_size;
+ unsigned char isattr, isalias;
+ const char *type_name = NULL;
+ const char *alias_name;
+ qpol_policy_t *q = apol_policy_get_qpol(policydb);
+
+ if (qpol_type_get_name(q, type_datum, &type_name))
+ goto cleanup;
+ if (qpol_type_get_isattr(q, type_datum, &isattr))
+ goto cleanup;
+ if (qpol_type_get_isalias(q, type_datum, &isalias))
+ goto cleanup;
+
+ if (isalias) {
+ fprintf(fp, " TypeName %s\n", type_name);
+ }
+ if (qpol_type_get_alias_iter(q, type_datum, &iter))
+ goto cleanup;
+ if (qpol_iterator_get_size(iter, &alias_size))
+ goto cleanup;
+ if (alias_size > 0) {
+ fprintf(fp, " Aliases\n");
+ for (; !qpol_iterator_end(iter); qpol_iterator_next(iter)) {
+ if (qpol_iterator_get_item(iter, (void **)&alias_name))
+ goto cleanup;
+ fprintf(fp, " %s\n", alias_name);
+ }
+ }
+
+ cleanup:
+ qpol_iterator_destroy(&iter);
+ return;
+}
+
+/**
* Prints a textual representation of a type, and possibly
* all of that type's attributes.
*
--
1.8.5.3
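Review bot: print_type_aliases swallows every qpol_* failure by being void, while its siblings print_type_attrs and print_attr_types return int and the caller in print_types checks them with `goto cleanup`; on a failed name or iterator lookup this function prints a partial "Aliases" block and the caller carries on as if nothing happened. It also fetches `isattr` and never uses it, and the docstring has a stray "attributes" line under @param policydb that belongs to another function. Returning int and dropping the unused lookup keeps the new code consistent with the rest of the file; the caller line would become `if (print_type_aliases(fp, type_datum, policydb)) goto cleanup;`.
```c
/**
 * Prints the aliases of a type, and the type's name if it is itself an alias.
 *
 * @param fp Reference to a file to which to print type information
 * @param type_datum Reference to sepol type_datum
 * @param policydb Reference to a policy
 *
 * @return 0 on success, < 0 on error.
 */
static int print_type_aliases(FILE * fp, const qpol_type_t * type_datum, const apol_policy_t * policydb)
{
	qpol_iterator_t *iter = NULL;
	size_t alias_size;
	unsigned char isalias;
	const char *type_name = NULL;
	const char *alias_name;
	qpol_policy_t *q = apol_policy_get_qpol(policydb);
	int retval = -1;

	if (qpol_type_get_name(q, type_datum, &type_name))
		goto cleanup;
	if (qpol_type_get_isalias(q, type_datum, &isalias))
		goto cleanup;
	/* … unchanged: "TypeName" line, alias iterator and "Aliases" loop … */
	retval = 0;
      cleanup:
	qpol_iterator_destroy(&iter);
	return retval;
}
```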

258
SOURCES/0009-Fix-help-message-on-sesearch-D.patch

@ -0,0 +1,258 @@ @@ -0,0 +1,258 @@
From bbe9f57845101d07eef31a772946437b3245c7d5 Mon Sep 17 00:00:00 2001
From: Miroslav Grepl <mgrepl@redhat.com>
Date: Fri, 11 Apr 2014 18:46:24 +0200
Subject: [PATCH 09/11] Fix help message on sesearch -D

---
man/sesearch.1 | 2 +-
secmds/sesearch.c | 77 +++++++++++++++++--------------------------------------
2 files changed, 25 insertions(+), 54 deletions(-)

diff --git a/man/sesearch.1 b/man/sesearch.1
index 573aedd..dc119eb 100644
--- a/man/sesearch.1
+++ b/man/sesearch.1
@@ -43,7 +43,7 @@ Search for allow rules.
Search for neverallow rules.
.IP "--auditallow"
Search for auditallow rules.
-.IP "--dontaudit"
+.IP "-D, --dontaudit"
Search for dontaudit rules.
.IP "-T, --type"
Search for type_transition, type_member, and type_change rules.
diff --git a/secmds/sesearch.c b/secmds/sesearch.c
index e1436a7..f53d670 100644
--- a/secmds/sesearch.c
+++ b/secmds/sesearch.c
@@ -24,6 +24,7 @@
*/
#include <config.h>
+#include <selinux/selinux.h>
/* libapol */
#include <apol/policy.h>
@@ -61,9 +62,8 @@ enum opt_values
static struct option const longopts[] = {
{"allow", no_argument, NULL, 'A'},
{"neverallow", no_argument, NULL, RULE_NEVERALLOW},
- {"audit", no_argument, NULL, RULE_AUDIT},
{"auditallow", no_argument, NULL, RULE_AUDITALLOW},
- {"dontaudit", no_argument, NULL, RULE_DONTAUDIT},
+ {"dontaudit", no_argument, NULL, 'D'},
{"type", no_argument, NULL, 'T'},
{"role_allow", no_argument, NULL, RULE_ROLE_ALLOW},
{"role_trans", no_argument, NULL, RULE_ROLE_TRANS},
@@ -72,7 +72,6 @@ static struct option const longopts[] = {
{"source", required_argument, NULL, 's'},
{"target", required_argument, NULL, 't'},
- {"default", required_argument, NULL, 'D'},
{"role_source", required_argument, NULL, EXPR_ROLE_SOURCE},
{"role_target", required_argument, NULL, EXPR_ROLE_TARGET},
{"class", required_argument, NULL, 'c'},
@@ -129,7 +128,7 @@ void usage(const char *program_name, int brief)
printf(" -A, --allow allow rules\n");
printf(" --neverallow neverallow rules\n");
printf(" --auditallow auditallow rules\n");
- printf(" --dontaudit dontaudit rules\n");
+ printf(" -D, --dontaudit dontaudit rules\n");
printf(" -T, --type type_trans, type_member, and type_change\n");
printf(" --role_allow role allow rules\n");
printf(" --role_trans role_transition rules\n");
@@ -138,7 +137,6 @@ void usage(const char *program_name, int brief)
printf("EXPRESSIONS:\n");
printf(" -s NAME, --source=NAME rules with type/attribute NAME as source\n");
printf(" -t NAME, --target=NAME rules with type/attribute NAME as target\n");
- printf(" -D NAME, --default=NAME rules with type NAME as default\n");
printf(" --role_source=NAME rules with role NAME as source\n");
printf(" --role_target=NAME rules with role NAME as target\n");
printf(" -c NAME, --class=NAME rules with class NAME as the object class\n");
@@ -296,10 +294,8 @@ static void print_syn_av_results(const apol_policy_t * policy, const options_t *
tmp = apol_cond_expr_render(policy, cond);
enable_char = (enabled ? 'E' : 'D');
branch_char = ((is_true && enabled) || (!is_true && !enabled) ? 'T' : 'F');
- if (asprintf(&expr, "[ %s ]", tmp) < 0) {
- expr = NULL;
+ if (asprintf(&expr, "[ %s ]", tmp) < 0)
goto cleanup;
- }
free(tmp);
tmp = NULL;
if (!expr)
@@ -362,10 +358,8 @@ static void print_av_results(const apol_policy_t * policy, const options_t * opt
qpol_iterator_destroy(&iter);
enable_char = (enabled ? 'E' : 'D');
branch_char = (list ? 'T' : 'F');
- if (asprintf(&expr, "[ %s ]", tmp) < 0) {
- expr = NULL;
+ if (asprintf(&expr, "[ %s ]", tmp) < 0)
goto cleanup;
- }
free(tmp);
tmp = NULL;
if (!expr)
@@ -421,8 +415,6 @@ static int perform_te_query(const apol_policy_t * policy, const options_t * opt,
apol_terule_query_set_target(policy, teq, opt->tgt_name, opt->indirect);
if (opt->bool_name)
apol_terule_query_set_bool(policy, teq, opt->bool_name);
- if (opt->default_name)
- apol_terule_query_set_default(policy, teq, opt->default_name);
if (opt->class_name) {
if (opt->class_vector == NULL) {
if (apol_terule_query_append_class(policy, teq, opt->class_name)) {
@@ -499,14 +491,12 @@ static void print_syn_te_results(const apol_policy_t * policy, const options_t *
tmp = apol_cond_expr_render(policy, cond);
enable_char = (enabled ? 'E' : 'D');
branch_char = ((is_true && enabled) || (!is_true && !enabled) ? 'T' : 'F');
- if (asprintf(&expr, "[ %s ]", tmp) < 0) {
- expr = NULL;
+ if (asprintf(&expr, "[ %s ]", tmp) < 0)
goto cleanup;
- }
free(tmp);
tmp = NULL;
if (!expr)
- goto cleanup;
+ break;
}
}
if (!(rule_str = apol_syn_terule_render(policy, rule)))
@@ -567,10 +557,8 @@ static void print_te_results(const apol_policy_t * policy, const options_t * opt
qpol_iterator_destroy(&iter);
enable_char = (enabled ? 'E' : 'D');
branch_char = (list ? 'T' : 'F');
- if (asprintf(&expr, "[ %s ]", tmp) < 0) {
- expr = NULL;
+ if (asprintf(&expr, "[ %s ]", tmp) < 0)
goto cleanup;
- }
free(tmp);
tmp = NULL;
if (!expr)
@@ -629,7 +617,6 @@ static int perform_ft_query(const apol_policy_t * policy, const options_t * opt,
goto err;
}
}
-
if (opt->default_name) {
if (apol_filename_trans_query_set_default(policy, ftq, opt->default_name)) {
error = errno;
@@ -677,13 +664,12 @@ static void print_ft_results(const apol_policy_t * policy, const options_t * opt
{
size_t i, num_filename_trans = 0;
const qpol_filename_trans_t *filename_trans = NULL;
- char *filename_trans_str = NULL;
- qpol_iterator_t *iter = NULL;
+ char *tmp = NULL, *filename_trans_str = NULL, *expr = NULL;
if (!(num_filename_trans = apol_vector_get_size(v)))
goto cleanup;
- fprintf(stdout, "Found %zd named file transition rules:\n", num_filename_trans);
+ fprintf(stdout, "Found %zd named file transition filename_trans:\n", num_filename_trans);
for (i = 0; i < num_filename_trans; i++) {
if (!(filename_trans = apol_vector_get_element(v, i)))
@@ -691,13 +677,17 @@ static void print_ft_results(const apol_policy_t * policy, const options_t * opt
if (!(filename_trans_str = apol_filename_trans_render(policy, filename_trans)))
goto cleanup;
- fprintf(stdout, "%s\n", filename_trans_str);
+ fprintf(stdout, "%s %s\n", filename_trans_str, expr ? expr : "");
free(filename_trans_str);
filename_trans_str = NULL;
+ free(expr);
+ expr = NULL;
}
cleanup:
+ free(tmp);
free(filename_trans_str);
+ free(expr);
}
static int perform_ra_query(const apol_policy_t * policy, const options_t * opt, apol_vector_t ** v)
@@ -814,13 +804,6 @@ static int perform_rt_query(const apol_policy_t * policy, const options_t * opt,
}
}
- if (opt->default_name) {
- if (apol_role_trans_query_set_default(policy, rtq, opt->default_name)) {
- error = errno;
- goto err;
- }
- }
-
if (apol_role_trans_get_by_query(policy, rtq, v)) {
error = errno;
goto err;
@@ -973,7 +956,7 @@ int main(int argc, char **argv)
memset(&cmd_opts, 0, sizeof(cmd_opts));
cmd_opts.indirect = true;
- while ((optc = getopt_long(argc, argv, "ATs:t:c:p:b:dD:RnSChV", longopts, NULL)) != -1) {
+ while ((optc = getopt_long(argc, argv, "ATs:t:c:p:b:dDRnSChV", longopts, NULL)) != -1) {
switch (optc) {
case 0:
break;
@@ -1001,18 +984,6 @@ int main(int argc, char **argv)
exit(1);
}
break;
- case 'D': /* default */
- if (optarg == 0) {
- usage(argv[0], 1);
- printf("Missing default type for -D (--default)\n");
- exit(1);
- }
- cmd_opts.default_name = strdup(optarg);
- if (!cmd_opts.default_name) {
-
- exit(1);
- }
- break;
case EXPR_ROLE_SOURCE:
if (optarg == 0) {
usage(argv[0], 1);
@@ -1093,7 +1064,7 @@ int main(int argc, char **argv)
case RULE_AUDITALLOW:
cmd_opts.auditallow = true;
break;
- case RULE_DONTAUDIT:
+ case 'D':
cmd_opts.dontaudit = true;
break;
case 'T': /* type */
@@ -1273,12 +1244,13 @@ int main(int argc, char **argv)
fprintf(stdout, "\n");
}
- apol_vector_destroy(&v);
- if (perform_ft_query(policy, &cmd_opts, &v)) {
- rt = 1;
- goto cleanup;
- }
- if (v) {
+ if (cmd_opts.all || cmd_opts.type) {
+ apol_vector_destroy(&v);
+ if (perform_ft_query(policy, &cmd_opts, &v)) {
+ rt = 1;
+ goto cleanup;
+ }
+
print_ft_results(policy, &cmd_opts, v);
fprintf(stdout, "\n");
}
@@ -1317,7 +1289,6 @@ int main(int argc, char **argv)
apol_policy_path_destroy(&pol_path);
free(cmd_opts.src_name);
free(cmd_opts.tgt_name);
- free(cmd_opts.default_name);
free(cmd_opts.class_name);
free(cmd_opts.permlist);
free(cmd_opts.bool_name);
--
1.8.5.3
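Review bot: The four hunks in print_syn_av_results, print_av_results, print_syn_te_results and print_te_results drop the `expr = NULL;` that ran before `goto cleanup` when asprintf() fails; asprintf leaves the target pointer indeterminate on failure, so if the cleanup label (outside each hunk) does `free(expr)` as its name suggests, this is now a free of an uninitialised pointer on the error path — keeping `expr = NULL;` in the failure branch, or initialising expr to NULL and clearing it only there, restores the old safety. In print_syn_te_results the `goto cleanup` → `break` change on `!expr` means the rule is still rendered after the condition expression could not be built; that may be intended, but it differs from the three sibling functions, which still bail out. In print_ft_results the new `tmp` and `expr` locals are declared, freed, and printed (`expr ? expr : ""`) but never assigned anywhere in the hunk, so every line gains a trailing space and the frees are no-ops; either wire them to a conditional-expression render like the other printers or drop them, and the message "named file transition filename_trans:" should read `"named file transition rules:"` as before. main() and the `-D` repurposing look consistent: the `"ATs:t:c:p:b:dDRnSChV"` optstring, the longopts entry and the `case 'D'` all agree, and `default_name` is no longer settable although perform_ft_query still reads it.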

154
SOURCES/0011-Fix-Wformat-security-issues.patch

@ -0,0 +1,154 @@ @@ -0,0 +1,154 @@
From 32ede3cc817ee4f6806877a34a6c84ed50c31df7 Mon Sep 17 00:00:00 2001
From: Miroslav Grepl <mgrepl@redhat.com>
Date: Fri, 11 Apr 2014 18:49:33 +0200
Subject: [PATCH 11/11] Fix -Wformat-security issues

---
libseaudit/src/bool_message.c | 4 ++--
libseaudit/src/filter.c | 2 +-
libseaudit/src/model.c | 2 +-
seaudit/progress.c | 4 ++--
seaudit/toplevel.c | 2 +-
seaudit/utilgui.c | 2 +-
sediff/progress.c | 4 ++--
sediff/toplevel.c | 2 +-
sediff/utilgui.c | 2 +-
9 files changed, 12 insertions(+), 12 deletions(-)

diff --git a/libseaudit/src/bool_message.c b/libseaudit/src/bool_message.c
index f105cf0..d5b1e33 100644
--- a/libseaudit/src/bool_message.c
+++ b/libseaudit/src/bool_message.c
@@ -101,7 +101,7 @@ char *bool_message_to_string(const seaudit_message_t * msg, const char *date)
return NULL;
}
if ((misc_string = bool_message_to_misc_string(boolm)) == NULL ||
- apol_str_appendf(&s, &len, misc_string) < 0 || apol_str_append(&s, &len, close_brace) < 0) {
+ apol_str_appendf(&s, &len, "%s", misc_string) < 0 || apol_str_append(&s, &len, close_brace) < 0) {
free(misc_string);
return NULL;
}
@@ -128,7 +128,7 @@ char *bool_message_to_string_html(const seaudit_message_t * msg, const char *dat
return NULL;
}
if ((misc_string = bool_message_to_misc_string(boolm)) == NULL ||
- apol_str_appendf(&s, &len, misc_string) < 0 || apol_str_appendf(&s, &len, "%s%s<br>", s, close_brace) < 0) {
+ apol_str_appendf(&s, &len, "%s", misc_string) < 0 || apol_str_appendf(&s, &len, "%s%s<br>", s, close_brace) < 0) {
free(misc_string);
return NULL;
}
diff --git a/libseaudit/src/filter.c b/libseaudit/src/filter.c
index 298a309..c710ce4 100644
--- a/libseaudit/src/filter.c
+++ b/libseaudit/src/filter.c
@@ -1108,7 +1108,7 @@ int seaudit_filter_save_to_file(const seaudit_filter_t * filter, const char *fil
if ((file = fopen(filename, "w")) == NULL) {
return -1;
}
- fprintf(file, XML_VER);
+ fprintf(file, "%s", XML_VER);
fprintf(file, "<view xmlns=\"http://oss.tresys.com/projects/setools/seaudit-%s/\">\n", FILTER_FILE_FORMAT_VERSION);
filter_append_to_file(filter, file, 1);
fprintf(file, "</view>\n");
diff --git a/libseaudit/src/model.c b/libseaudit/src/model.c
index 1bc4a23..4a130cb 100644
--- a/libseaudit/src/model.c
+++ b/libseaudit/src/model.c
@@ -514,7 +514,7 @@ int seaudit_model_save_to_file(const seaudit_model_t * model, const char *filena
if ((file = fopen(filename, "w")) == NULL) {
return -1;
}
- fprintf(file, XML_VER);
+ fprintf(file, "%s", XML_VER);
fprintf(file, "<view xmlns=\"http://oss.tresys.com/projects/setools/seaudit-%s/\" name=\"%s\" match=\"%s\" show=\"%s\">\n",
FILTER_FILE_FORMAT_VERSION, model->name,
model->match == SEAUDIT_FILTER_MATCH_ALL ? "all" : "any",
diff --git a/seaudit/progress.c b/seaudit/progress.c
index 2e0abeb..f092858 100644
--- a/seaudit/progress.c
+++ b/seaudit/progress.c
@@ -114,10 +114,10 @@ int progress_wait(progress_t * progress)
}
g_mutex_unlock(progress->mutex);
if (progress->done < 0) {
- toplevel_ERR(progress->top, GTK_LABEL(progress->label2)->label);
+ toplevel_ERR(progress->top, "%s", GTK_LABEL(progress->label2)->label);
return progress->done;
} else if (progress->done > 1) {
- toplevel_WARN(progress->top, GTK_LABEL(progress->label2)->label);
+ toplevel_WARN(progress->top, "%s", GTK_LABEL(progress->label2)->label);
return progress->done - 1;
} else {
progress->done = 0;
diff --git a/seaudit/toplevel.c b/seaudit/toplevel.c
index d901a99..27938d5 100644
--- a/seaudit/toplevel.c
+++ b/seaudit/toplevel.c
@@ -902,7 +902,7 @@ static void toplevel_message(toplevel_t * top, GtkMessageType msg_type, const ch
ERR(NULL, "%s", strerror(errno));
return;
}
- dialog = gtk_message_dialog_new(top->w, GTK_DIALOG_DESTROY_WITH_PARENT, msg_type, GTK_BUTTONS_CLOSE, msg);
+ dialog = gtk_message_dialog_new(top->w, GTK_DIALOG_DESTROY_WITH_PARENT, msg_type, GTK_BUTTONS_CLOSE, "%s", msg);
free(msg);
gtk_dialog_run(GTK_DIALOG(dialog));
gtk_widget_destroy(dialog);
diff --git a/seaudit/utilgui.c b/seaudit/utilgui.c
index 22028e1..78a1a08 100644
--- a/seaudit/utilgui.c
+++ b/seaudit/utilgui.c
@@ -30,7 +30,7 @@
void util_message(GtkWindow * parent, GtkMessageType msg_type, const char *msg)
{
GtkWidget *dialog;
- dialog = gtk_message_dialog_new(parent, GTK_DIALOG_DESTROY_WITH_PARENT, msg_type, GTK_BUTTONS_CLOSE, msg);
+ dialog = gtk_message_dialog_new(parent, GTK_DIALOG_DESTROY_WITH_PARENT, msg_type, GTK_BUTTONS_CLOSE, "%s", msg);
gtk_dialog_run(GTK_DIALOG(dialog));
gtk_widget_destroy(dialog);
}
diff --git a/sediff/progress.c b/sediff/progress.c
index efaa120..312789e 100644
--- a/sediff/progress.c
+++ b/sediff/progress.c
@@ -115,10 +115,10 @@ int progress_wait(progress_t * progress)
}
g_mutex_unlock(progress->mutex);
if (progress->done < 0) {
- toplevel_ERR(progress->top, GTK_LABEL(progress->label2)->label);
+ toplevel_ERR(progress->top, "%s", GTK_LABEL(progress->label2)->label);
return progress->done;
} else if (progress->done > 1) {
- toplevel_WARN(progress->top, GTK_LABEL(progress->label2)->label);
+ toplevel_WARN(progress->top, "%s", GTK_LABEL(progress->label2)->label);
return progress->done - 1;
} else {
progress->done = 0;
diff --git a/sediff/toplevel.c b/sediff/toplevel.c
index db6d1f5..aabd039 100644
--- a/sediff/toplevel.c
+++ b/sediff/toplevel.c
@@ -453,7 +453,7 @@ static void toplevel_message(toplevel_t * top, GtkMessageType msg_type, const ch
ERR(NULL, "%s", strerror(errno));
return;
}
- dialog = gtk_message_dialog_new(top->w, GTK_DIALOG_DESTROY_WITH_PARENT, msg_type, GTK_BUTTONS_CLOSE, msg);
+ dialog = gtk_message_dialog_new(top->w, GTK_DIALOG_DESTROY_WITH_PARENT, msg_type, GTK_BUTTONS_CLOSE, "%s", msg);
free(msg);
gtk_dialog_run(GTK_DIALOG(dialog));
gtk_widget_destroy(dialog);
diff --git a/sediff/utilgui.c b/sediff/utilgui.c
index 04e1e05..9e183ba 100644
--- a/sediff/utilgui.c
+++ b/sediff/utilgui.c
@@ -31,7 +31,7 @@
void util_message(GtkWindow * parent, GtkMessageType msg_type, const char *msg)
{
GtkWidget *dialog;
- dialog = gtk_message_dialog_new(parent, GTK_DIALOG_DESTROY_WITH_PARENT, msg_type, GTK_BUTTONS_CLOSE, msg);
+ dialog = gtk_message_dialog_new(parent, GTK_DIALOG_DESTROY_WITH_PARENT, msg_type, GTK_BUTTONS_CLOSE, "%s", msg);
gtk_dialog_run(GTK_DIALOG(dialog));
gtk_widget_destroy(dialog);
}
--
1.8.5.3
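Review bot: The `"%s"` insertions are the right fix for every call site changed here, but the bool_message_to_string_html hunk leaves `apol_str_appendf(&s, &len, "%s%s<br>", s, close_brace)` untouched on the same line, which passes the buffer `s` as a vararg to a function that (judging by its `&s, &len` signature) grows and writes into that same buffer; if apol_str_appendf reallocates before it reads the argument, this reads freed memory, and even if it doesn't, it duplicates the current contents of `s` rather than appending the closing brace. `apol_str_appendf(&s, &len, "%s<br>", close_brace)` is almost certainly what was meant; the apol_str_appendf implementation is not on this page, so worth confirming against it before changing.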

29
SOURCES/0013-libqpol-Skip-types-when-building-type-attribute-map.patch

@ -0,0 +1,29 @@ @@ -0,0 +1,29 @@
From f7b31b7e28a4f89bcfcd0d139cfca78777a4333e Mon Sep 17 00:00:00 2001
From: Chris PeBenito <cpebenito@tresys.com>
Date: Thu, 4 Feb 2016 14:06:49 -0500
Subject: [PATCH] libqpol: Skip types when building type attribute map.

Fix originally from Richard Haines.

Closes #94.
---
libqpol/src/policy_extend.c | 3 +++
1 file changed, 3 insertions(+)

diff --git a/libqpol/src/policy_extend.c b/libqpol/src/policy_extend.c
index 1417271..416bddb 100644
--- a/libqpol/src/policy_extend.c
+++ b/libqpol/src/policy_extend.c
@@ -201,6 +201,9 @@ static int qpol_policy_build_attrs_from_map(qpol_policy_t * policy)
memset(&buff, 0, 10 * sizeof(char));
for (i = 0; i < db->p_types.nprim; i++) {
+ /* skip types */
+ if (db->type_val_to_struct[i]->flavor == TYPE_TYPE)
+ continue;
count = 0;
ebitmap_for_each_bit(&db->attr_type_map[i], node, bit) {
if (ebitmap_node_get_bit(node, bit))
--
2.5.0
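Review bot: The new `db->type_val_to_struct[i]->flavor == TYPE_TYPE` dereferences each slot without a NULL check; in libsepol policydbs the type_val_to_struct table can, as far as I recall, contain NULL entries for values that were declared but later removed, and the loop previously did not touch the struct at all, so this is a new crash surface on such policies — a guard of `if (db->type_val_to_struct[i] == NULL || db->type_val_to_struct[i]->flavor == TYPE_TYPE) continue;` costs nothing (confirm against the libsepol version being built against). The comment `/* skip types */` restates the condition; `/* attr_type_map entries are only meaningful for attributes; plain types carry no member set */` would say why, if that is indeed the reason the map was being populated wrongly. qpol_policy_build_attrs_from_map starts and ends outside the hunk.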
