diff --git a/SOURCES/0001-libqpol-Do-not-fail-on-neverallow-rule-query.patch b/SOURCES/0001-libqpol-Do-not-fail-on-neverallow-rule-query.patch new file mode 100644 index 00000000..0725857d --- /dev/null +++ b/SOURCES/0001-libqpol-Do-not-fail-on-neverallow-rule-query.patch @@ -0,0 +1,35 @@ +From b00d11c941b689fbf3441e80b318c6a05c6657e4 Mon Sep 17 00:00:00 2001 +From: Vit Mojzis +Date: Thu, 19 Oct 2017 15:17:21 +0200 +Subject: [PATCH] libqpol: Do not fail on neverallow rule query + +Drawing upon the conclusion from: + +77bd0f2103e8f02f02ba75dd5fd5ceb263d4f878 +No need to take into account the policy capabilities in sesearch code, +the lower levels in the library handle it correctly. (fixes Fedora +bug #526460) +--- + libqpol/src/avrule_query.c | 6 ------ + 1 file changed, 6 deletions(-) + +diff --git a/libqpol/src/avrule_query.c b/libqpol/src/avrule_query.c +index 749565b..c2dd010 100644 +--- a/libqpol/src/avrule_query.c ++++ b/libqpol/src/avrule_query.c +@@ -55,12 +55,6 @@ int qpol_policy_get_avrule_iter(const qpol_policy_t * policy, uint32_t rule_type + } + #endif + +- if ((rule_type_mask & QPOL_RULE_NEVERALLOW) && !qpol_policy_has_capability(policy, QPOL_CAP_NEVERALLOW)) { +- ERR(policy, "%s", "Cannot get avrules: Neverallow rules requested but not available"); +- errno = ENOTSUP; +- return STATUS_ERR; +- } +- + db = &policy->p->p; + + state = calloc(1, sizeof(avtab_state_t)); +-- +2.9.4 + diff --git a/SOURCES/0002-Fix-sepol-calls-to-work-with-latest-libsepol.patch b/SOURCES/0002-Fix-sepol-calls-to-work-with-latest-libsepol.patch new file mode 100644 index 00000000..882a1271 --- /dev/null +++ b/SOURCES/0002-Fix-sepol-calls-to-work-with-latest-libsepol.patch 
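Review bot: With the ENOTSUP guard gone, a caller that asks for QPOL_RULE_NEVERALLOW on a policy lacking QPOL_CAP_NEVERALLOW no longer gets an error, and whether it now gets an empty iterator or something less well defined depends on the avtab code below the hunk, which is outside this view. The commit message says the lower layers handle it, but the function's contract changed silently and nothing in the hunk records it; a comment above the `db = &policy->p->p;` line such as `/* A policy without QPOL_CAP_NEVERALLOW simply yields no neverallow rules; this is not reported as an error. */` would stop the next maintainer from re-adding the check. sesearch users who previously saw the "Neverallow rules requested but not available" message will now see zero matches, which deserves a sentence in the man page. qpol_policy_get_avrule_iter starts and ends outside the hunk.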
@@ -0,0 +1,34 @@ +From 0332c009bd0581ab9a75a4ea80af92bb2d6b8b1f Mon Sep 17 00:00:00 2001 +From: Dan Walsh +Date: Tue, 20 Sep 2011 15:46:38 -0400 +Subject: [PATCH 02/11] Fix sepol calls to work with latest libsepol + +--- + configure.ac | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/configure.ac b/configure.ac +index 577ce48..2a5b55b 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -521,7 +521,7 @@ else + [AC_LANG_SOURCE([ + #include + int main () { +- return role_set_expand(NULL, NULL, NULL, NULL); ++ return role_set_expand(NULL, NULL, NULL, NULL, NULL); + }])], + sepol_new_user_role_mapping="yes", + sepol_new_user_role_mapping="no") +@@ -578,7 +578,7 @@ if test ${sepol_check_boolmap} = "yes"; then + [AC_LANG_SOURCE([ + #include + int main () { +- return expand_module_avrules(NULL, NULL, NULL, NULL, NULL, 0, 0); ++ return expand_module_avrules(NULL, NULL, NULL, NULL, NULL, 0, 0, 0, 0); + }])], + AC_MSG_RESULT([yes]), + AC_MSG_ERROR([this version of libsepol is incompatible with SETools])) +-- +1.8.5.3 + diff --git a/SOURCES/0004-Apply-selinux_current_policy_path-patch.patch b/SOURCES/0004-Apply-selinux_current_policy_path-patch.patch new file mode 100644 index 00000000..14cdbb6d --- /dev/null +++ b/SOURCES/0004-Apply-selinux_current_policy_path-patch.patch 
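Review bot: The two probes only detect the new libsepol signatures if the header included at the top of each test program actually declares `role_set_expand` and `expand_module_avrules`; both `#include` lines have lost their header name in this rendering, so that cannot be confirmed here, and without a prototype in scope an extra NULL argument compiles as an implicit declaration and the probe reports "yes" for any libsepol. Consider passing `-Werror=implicit-function-declaration` in the probe CFLAGS, or at least a `dnl` comment naming the libsepol release each argument count corresponds to, so the next signature bump is traceable. The first probe degrades to `sepol_new_user_role_mapping="no"` while the second calls AC_MSG_ERROR; if both signatures are required, that inconsistency is worth a note. Both AC_LANG_SOURCE blocks begin before the hunk.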
@@ -0,0 +1,97 @@ +From 85a12d481d664120865b46cd1c4c325307179471 Mon Sep 17 00:00:00 2001 +From: Miroslav Grepl +Date: Fri, 11 Apr 2014 10:53:54 +0200 +Subject: [PATCH 04/11] Apply selinux_current_policy_path patch + +--- + libqpol/src/util.c | 73 ++++-------------------------------------------------- + 1 file changed, 5 insertions(+), 68 deletions(-) + +diff --git a/libqpol/src/util.c b/libqpol/src/util.c +index 7c49876..8f74b2b 100644 +--- a/libqpol/src/util.c ++++ b/libqpol/src/util.c +@@ -84,75 +84,12 @@ static int get_binpol_version(const char *policy_fname) + + static int search_policy_binary_file(char **path) + { +- const char *binary_path; +- if ((binary_path = selinux_binary_policy_path()) == NULL) { +- return -1; +- } +- +- int expected_version = -1, latest_version = -1; +-#ifdef LIBSELINUX +- /* if the system has SELinux enabled, prefer the policy whose +- name matches the current policy version */ +- if ((expected_version = security_policyvers()) < 0) { +- return -1; +- } +-#endif +- +- glob_t glob_buf; +- struct stat fs; +- int rt, error = 0, retval = -1; +- size_t i; +- char *pattern = NULL; +- if (asprintf(&pattern, "%s.*", binary_path) < 0) { +- return -1; +- } +- glob_buf.gl_offs = 1; +- glob_buf.gl_pathc = 0; +- rt = glob(pattern, GLOB_DOOFFS, NULL, &glob_buf); +- if (rt != 0 && rt != GLOB_NOMATCH) { +- errno = EIO; +- return -1; +- } +- +- for (i = 0; i < glob_buf.gl_pathc; i++) { +- char *p = glob_buf.gl_pathv[i + glob_buf.gl_offs]; +- if (stat(p, &fs) != 0) { +- error = errno; +- goto cleanup; +- } +- if (S_ISDIR(fs.st_mode)) +- continue; +- +- if ((rt = get_binpol_version(p)) < 0) { +- error = errno; +- goto cleanup; +- } +- +- if (rt > latest_version || rt == expected_version) { +- free(*path); +- if ((*path = strdup(p)) == NULL) { +- error = errno; +- goto cleanup; +- } +- if (rt == expected_version) { +- break; +- } +- latest_version = rt; +- } +- } +- +- if (*path == NULL) { +- retval = 1; +- } else { +- retval = 0; +- } +- cleanup: +- 
free(pattern); +- globfree(&glob_buf); +- if (retval == -1) { +- errno = error; ++ const char *binary_path = selinux_current_policy_path(); ++ if (binary_path) { ++ *path = strdup(binary_path); ++ if (*path) return 0; + } +- return retval; ++ return -1; + } + + int qpol_default_policy_find(char **path) +-- +1.8.5.3 + diff --git a/SOURCES/0005-Apply-seaudit-patch-for-progress.c.patch b/SOURCES/0005-Apply-seaudit-patch-for-progress.c.patch new file mode 100644 index 00000000..29e5a0c3 --- /dev/null +++ b/SOURCES/0005-Apply-seaudit-patch-for-progress.c.patch @@ -0,0 +1,24 @@ +From ba8e76cd514e8ce92a48931963e97fe79589a71a Mon Sep 17 00:00:00 2001 +From: Miroslav Grepl +Date: Fri, 11 Apr 2014 11:12:37 +0200 +Subject: [PATCH 05/11] Apply seaudit patch for progress.c + +--- + libqpol/swig/java/Makefile.am | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/libqpol/swig/java/Makefile.am b/libqpol/swig/java/Makefile.am +index a25eacb..533b55a 100644 +--- a/libqpol/swig/java/Makefile.am ++++ b/libqpol/swig/java/Makefile.am +@@ -48,7 +48,6 @@ BUILT_SOURCES = qpol_wrap.c \ + qpol_type_t.java \ + qpol_user_t.java \ + qpol_validatetrans_t.java \ +- SWIGTYPE_p_int.java \ + SWIGTYPE_p_unsigned_int.java \ + SWIGTYPE_p_void.java + +-- +1.8.5.3 + diff --git a/SOURCES/0006-Add-support-for-boolean-subs.patch b/SOURCES/0006-Add-support-for-boolean-subs.patch new file mode 100644 index 00000000..a495755b --- /dev/null +++ b/SOURCES/0006-Add-support-for-boolean-subs.patch 
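Review bot: The rewritten search_policy_binary_file collapses the two outcomes the old code kept apart — "no policy found" (`retval = 1`) and a real error (`-1` with errno restored from `error`) — into a bare `return -1` that leaves errno untouched when `selinux_current_policy_path()` returns NULL, so qpol_default_policy_find (outside this hunk) may report a stale errno from an unrelated earlier call. Returning 1 for that case, `if (binary_path == NULL) return 1; /* no loaded or installed policy */`, preserves the old contract, and the remaining `-1` then covers only strdup failure, where errno is set. The deleted code also preferred the file whose version matched `security_policyvers()`; selinux_current_policy_path() presumably does the equivalent, but a one-line comment stating what path is expected on a host where SELinux is disabled would make the new behaviour reviewable. The headers pulled in for glob() and stat() by the deleted code sit above the hunk and may now be unused.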
@@ -0,0 +1,39 @@ +From 61d3d40e791a4ac392930f11785e4057f67a5b09 Mon Sep 17 00:00:00 2001 +From: Miroslav Grepl +Date: Fri, 11 Apr 2014 11:14:50 +0200 +Subject: [PATCH 06/11] Add support for boolean subs + +--- + secmds/seinfo.c | 2 +- + secmds/sesearch.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/secmds/seinfo.c b/secmds/seinfo.c +index a970890..54b2a6a 100644 +--- a/secmds/seinfo.c ++++ b/secmds/seinfo.c +@@ -1720,7 +1720,7 @@ int main(int argc, char **argv) + case 'b': /* conditional booleans */ + bools = 1; + if (optarg != 0) +- bool_name = optarg; ++ bool_name = selinux_boolean_sub(optarg); + break; + case OPT_INITIALSID: + isids = 1; +diff --git a/secmds/sesearch.c b/secmds/sesearch.c +index 387d526..e1436a7 100644 +--- a/secmds/sesearch.c ++++ b/secmds/sesearch.c +@@ -1067,7 +1067,7 @@ int main(int argc, char **argv) + printf("Missing boolean for -b (--bool)\n"); + exit(1); + } +- cmd_opts.bool_name = strdup(optarg); ++ cmd_opts.bool_name = strdup(selinux_boolean_sub(optarg)); + if (!cmd_opts.bool_name) { + fprintf(stderr, "%s\n", strerror(errno)); + exit(1); +-- +1.8.5.3 + diff --git a/SOURCES/0007-Setools-noship.patch b/SOURCES/0007-Setools-noship.patch new file mode 100644 index 00000000..eacd5088 --- /dev/null +++ b/SOURCES/0007-Setools-noship.patch 
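Review bot: In sesearch.c the new `strdup(selinux_boolean_sub(optarg))` leaks the string returned by selinux_boolean_sub(), which libselinux documents as a freshly allocated buffer the caller must free, and passes NULL into strdup() if that allocation failed; `cmd_opts.bool_name = selinux_boolean_sub(optarg);` alone is enough, since the `if (!cmd_opts.bool_name)` check that follows already covers the NULL case. In seinfo.c `bool_name` was previously just an argv pointer and is now heap-owned; whether anything frees it is outside this hunk, and a comment `/* allocated by selinux_boolean_sub(); must be freed */` next to the assignment (plus the matching free) would make the ownership explicit. Neither hunk shows the `#include` that declares selinux_boolean_sub(); confirm the header is already pulled in, otherwise both files build on an implicit declaration. Both option-parsing switches start and end outside the hunk.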
@@ -0,0 +1,207 @@ +From a39d0831d654292fb2a1f7b9ee18ecc9239f610f Mon Sep 17 00:00:00 2001 +From: Miroslav Grepl +Date: Fri, 11 Apr 2014 18:38:34 +0200 +Subject: [PATCH 07/11] Setools noship + +--- + Makefile.am | 26 +++----------------------- + configure.ac | 2 +- + man/Makefile.am | 15 +++------------ + seaudit/Makefile.am | 31 +++---------------------------- + secmds/Makefile.am | 14 +------------- + sediff/Makefile.am | 32 ++------------------------------ + 6 files changed, 13 insertions(+), 107 deletions(-) + +diff --git a/Makefile.am b/Makefile.am +index 176c8ea..4cac386 100644 +--- a/Makefile.am ++++ b/Makefile.am +@@ -78,9 +70,9 @@ install-logwatch: + $(MAKE) -C $(top_srcdir)/seaudit install-logwatch + + .PHONY: libqpol libapol libpoldiff libsefs libseaudit \ +- apol secmds seaudit sediff sediffx sechecker \ ++ apol secmds seaudit sediff sechecker\ + install-logwatch help \ +- seinfo sesearch indexcon findcon replcon searchcon \ ++ seinfo sesearch findcon \ + packages + + seinfo: libqpol libapol +diff --git a/configure.ac b/configure.ac +index 2a5b55b..5b1da5e 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -63,7 +63,7 @@ if test ${ac_cv_prog_cc_c99} = "no"; then + fi + AC_PROG_CXX + AC_LANG([C]) +-AC_PROG_LIBTOOL ++AC_PROG_RANLIB + AC_PROG_LN_S + AC_PROG_LEX + AC_PROG_YACC +diff --git a/man/Makefile.am b/man/Makefile.am +index 0fafccb..f88e00a 100644 +--- a/man/Makefile.am ++++ b/man/Makefile.am +@@ -1,19 +1,10 @@ + if BUILD_GUI + MAYBEMANS = apol.1 \ +- seaudit.8 seaudit-report.8 \ +- sediffx.1 ++ seaudit.8 + endif + + EXTRA_DIST=$(man_MANS) apol.1 \ +- seaudit.8 seaudit-report.8.in \ +- sediffx.1 ++ seaudit.8 + +-man_MANS = findcon.1 indexcon.1 replcon.1 \ +- sechecker.1 \ +- sediff.1 \ ++man_MANS = findcon.1 sediff.1 sechecker.1 \ + seinfo.1 sesearch.1 $(MAYBEMANS) +- +-seaudit-report.8: seaudit-report.8.in Makefile +- sed -e 's|\@setoolsdir\@|$(setoolsdir)|g' $< > $@ +- +-CLEANFILES = seaudit-report.8 +diff --git a/seaudit/Makefile.am 
b/seaudit/Makefile.am +index 1987c99..3fa4413 100644 +--- a/seaudit/Makefile.am ++++ b/seaudit/Makefile.am +@@ -1,5 +1,4 @@ + setoolsdir = @setoolsdir@ +-bin_PROGRAMS = seaudit-report + sbin_PROGRAMS = seaudit + + AM_CFLAGS = @DEBUGCFLAGS@ @WARNCFLAGS@ @PROFILECFLAGS@ @SELINUX_CFLAGS@ \ +@@ -20,13 +19,10 @@ LDADD = @SELINUX_LIB_FLAG@ @SEAUDIT_LIB_FLAG@ @APOL_LIB_FLAG@ @QPOL_LIB_FLAG@ + dist_setools_DATA = \ + seaudit.glade \ + seaudit_help.txt \ +- seaudit-report.conf \ +- seaudit-report.css \ + seaudit.png seaudit-small.png + + nodist_setools_DATA = \ +- dot_seaudit \ +- seaudit-report-service ++ dot_seaudit + + seaudit_SOURCES = \ + filter_view.c filter_view.h \ +@@ -50,31 +46,12 @@ seaudit_DEPENDENCIES = $(top_builddir)/libseaudit/src/libseaudit.so \ + dot_seaudit: dot_seaudit.in Makefile + sed -e 's|\@setoolsdir\@|$(setoolsdir)|g' $< > $@ + +-seaudit_report_SOURCES = seaudit-report.c +-seaudit_report_DEPENDENCIES = $(top_builddir)/libseaudit/src/libseaudit.so \ +- $(top_builddir)/libapol/src/libapol.so \ +- $(top_builddir)/libqpol/src/libqpol.so +- + logwatch = $(DESTDIR)/etc/logwatch + LOGWATCH_GROUP = $(logwatch)/conf/logfiles + LOGWATCH_SERVICE = $(logwatch)/conf/services + LOGWATCH_FILTER = $(logwatch)/scripts/services + +-dist_noinst_DATA = dot_seaudit.in \ +- seaudit-report-group.conf \ +- seaudit-report-service.conf \ +- seaudit-report-service.in +- +-seaudit-report-service: seaudit-report-service.in Makefile +- sed -e 's|\@bindir\@|$(bindir)|g' $< > $@ +- +-install-logwatch: $(dist_noinst_DATA) seaudit-report-service +- mkdir -p -- $(LOGWATCH_GROUP) +- install -m 644 seaudit-report-group.conf $(LOGWATCH_GROUP) +- mkdir -p -- $(LOGWATCH_SERVICE) +- install -m 644 seaudit-report-service.conf $(LOGWATCH_SERVICE) +- mkdir -p -- $(LOGWATCH_FILTER) +- install -m 755 seaudit-report-service $(LOGWATCH_FILTER) ++dist_noinst_DATA = dot_seaudit.in + + $(top_builddir)/libapol/src/libapol.so: + $(MAKE) -C $(top_builddir)/libapol/src $(notdir $@) +@@ -85,6 +62,4 @@ 
$(top_builddir)/libqpol/src/libqpol.so: + $(top_builddir)/libsefs/src/libsefs.so: + $(MAKE) -C $(top_builddir)/libsefs/src $(notdir $@) + +-.PHONY: install-logwatch +- +-CLEANFILES = dot_seaudit seaudit-report-service ++CLEANFILES = dot_seaudit +diff --git a/secmds/Makefile.am b/secmds/Makefile.am +index ddc88b1..7fa4364 100644 +--- a/secmds/Makefile.am ++++ b/secmds/Makefile.am +@@ -1,6 +1,6 @@ + # various setools command line tools + +-bin_PROGRAMS = seinfo sesearch findcon replcon indexcon ++bin_PROGRAMS = seinfo sesearch findcon + + # These are for indexcon so that it is usable on machines without setools + STATICLIBS = ../libsefs/src/libsefs.a ../libapol/src/libapol.a ../libqpol/src/libqpol.a -lsqlite3 +diff --git a/sediff/Makefile.am b/sediff/Makefile.am +index 3f53cd3..2d9ce84 100644 +--- a/sediff/Makefile.am ++++ b/sediff/Makefile.am +@@ -1,13 +1,6 @@ + setoolsdir = @setoolsdir@ + +-dist_setools_DATA = sediff_help.txt sediffx.glade \ +- sediffx.png sediffx-small.png +- +-if BUILD_GUI +- MAYBE_SEDIFFX = sediffx +-endif +- +-bin_PROGRAMS = sediff $(MAYBE_SEDIFFX) ++bin_PROGRAMS = sediff + + AM_CFLAGS = @DEBUGCFLAGS@ @WARNCFLAGS@ @PROFILECFLAGS@ @SELINUX_CFLAGS@ \ + @QPOL_CFLAGS@ @APOL_CFLAGS@ @POLDIFF_CFLAGS@ +@@ -15,14 +8,7 @@ AM_LDFLAGS = @DEBUGLDFLAGS@ @WARNLDFLAGS@ @PROFILELDFLAGS@ + + LDADD = @SELINUX_LIB_FLAG@ @POLDIFF_LIB_FLAG@ @APOL_LIB_FLAG@ @QPOL_LIB_FLAG@ + +-sediff_CFLAGS = $(AM_CFLAGS) +-sediffx_CFLAGS = $(AM_CFLAGS) \ +- @GTK_CFLAGS@ @PIXBUF_CFLAGS@ @GLADE_CFLAGS@ @GTHREAD_CFLAGS@ +- +-# need the -rdynamic flag below - glade uses dlopen() upon sediffx callbacks +-sediffx_LDFLAGS = $(AM_LDFLAGS) \ +- @GTK_LIBS@ @PIXBUF_LIBS@ @GLADE_LIBS@ @GTHREAD_LIBS@ @XML_LIBS@ \ +- -rdynamic ++sediff_CFLAGS = $(AM_CFLAGS) + + DEPENDENCIES = $(top_builddir)/libpoldiff/src/libpoldiff.so \ + $(top_builddir)/libapol/src/libapol.so \ +@@ -30,20 +16,6 @@ DEPENDENCIES = $(top_builddir)/libpoldiff/src/libpoldiff.so \ + + sediff_SOURCES = sediff.c + +-sediffx_SOURCES = 
\ +- find_dialog.c find_dialog.h \ +- open_policies_dialog.c open_policies_dialog.h \ +- policy_view.c policy_view.h \ +- progress.c progress.h \ +- remap_types_dialog.c remap_types_dialog.h \ +- result_item.c result_item.h \ +- result_item_render.c result_item_render.h \ +- results.c results.h \ +- select_diff_dialog.c select_diff_dialog.h \ +- toplevel.c toplevel.h \ +- utilgui.c utilgui.h \ +- sediffx.c sediffx.h +- + $(top_builddir)/libpoldiff/src/libpoldiff.so: + $(MAKE) -C $(top_builddir)/libpoldiff/src $(notdir $@) + +-- +1.8.5.3 + diff --git a/SOURCES/0008-Add-alias-support-to-seinfo-t.patch b/SOURCES/0008-Add-alias-support-to-seinfo-t.patch new file mode 100644 index 00000000..32d901aa --- /dev/null +++ b/SOURCES/0008-Add-alias-support-to-seinfo-t.patch 
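Review bot: In secmds/Makefile.am the hunk drops indexcon and replcon from bin_PROGRAMS but leaves `STATICLIBS` and its comment `# These are for indexcon so that it is usable on machines without setools` in place, so the file now documents and links for a program it no longer builds; remove both lines or reword the comment to say what still uses `STATICLIBS`. Replacing `AC_PROG_LIBTOOL` with `AC_PROG_RANLIB` while seaudit/Makefile.am still depends on `.so` targets produced by sub-makes implies the shared libraries are built without libtool; the patch description gives no rationale, so a one-line comment in configure.ac is warranted. The `.PHONY` edit in the top-level Makefile.am also loses the space before the backslash (`sechecker\`), which works but reads as a typo. The seaudit/Makefile.am and sediff/Makefile.am rules continue beyond the hunk.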
@@ -0,0 +1,92 @@ +From 1136e61a9839ad3b60eb2da4d624413c02545c7d Mon Sep 17 00:00:00 2001 +From: Miroslav Grepl +Date: Fri, 11 Apr 2014 18:42:27 +0200 +Subject: [PATCH 08/11] Add alias support to seinfo -t + +--- + secmds/seinfo.c | 48 ++++++++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 48 insertions(+) + +diff --git a/secmds/seinfo.c b/secmds/seinfo.c +index 54b2a6a..1878c49 100644 +--- a/secmds/seinfo.c ++++ b/secmds/seinfo.c +@@ -46,6 +46,7 @@ + #include + #include + #include ++#include + + #define COPYRIGHT_INFO "Copyright (C) 2003-2007 Tresys Technology, LLC" + +@@ -54,6 +55,7 @@ + + static char *policy_file = NULL; + ++static void print_type_aliases(FILE * fp, const qpol_type_t * type_datum, const apol_policy_t * policydb); + static int print_type_attrs(FILE * fp, const qpol_type_t * type_datum, const apol_policy_t * policydb, const int expand); + static int print_attr_types(FILE * fp, const qpol_type_t * type_datum, const apol_policy_t * policydb, const int expand); + static int print_user_roles(FILE * fp, const qpol_user_t * user_datum, const apol_policy_t * policydb, const int expand); +@@ -514,6 +516,7 @@ static int print_types(FILE * fp, const char *name, int expand, const apol_polic + goto cleanup; + if (print_type_attrs(fp, type_datum, policydb, expand)) + goto cleanup; ++ print_type_aliases(fp, type_datum, policydb); + } else { + if (qpol_policy_get_type_iter(q, &iter)) + goto cleanup; +@@ -1912,6 +1915,51 @@ int main(int argc, char **argv) + } + + /** ++ * Prints the alias of a type. 
++ * ++ * @param fp Reference to a file to which to print type information ++ * @param type_datum Reference to sepol type_datum ++ * @param policydb Reference to a policy ++ * attributes ++ */ ++static void print_type_aliases(FILE * fp, const qpol_type_t * type_datum, const apol_policy_t * policydb) ++{ ++ qpol_iterator_t *iter = NULL; ++ size_t alias_size; ++ unsigned char isattr, isalias; ++ const char *type_name = NULL; ++ const char *alias_name; ++ qpol_policy_t *q = apol_policy_get_qpol(policydb); ++ ++ if (qpol_type_get_name(q, type_datum, &type_name)) ++ goto cleanup; ++ if (qpol_type_get_isattr(q, type_datum, &isattr)) ++ goto cleanup; ++ if (qpol_type_get_isalias(q, type_datum, &isalias)) ++ goto cleanup; ++ ++ if (isalias) { ++ fprintf(fp, " TypeName %s\n", type_name); ++ } ++ if (qpol_type_get_alias_iter(q, type_datum, &iter)) ++ goto cleanup; ++ if (qpol_iterator_get_size(iter, &alias_size)) ++ goto cleanup; ++ if (alias_size > 0) { ++ fprintf(fp, " Aliases\n"); ++ for (; !qpol_iterator_end(iter); qpol_iterator_next(iter)) { ++ if (qpol_iterator_get_item(iter, (void **)&alias_name)) ++ goto cleanup; ++ fprintf(fp, " %s\n", alias_name); ++ } ++ } ++ ++ cleanup: ++ qpol_iterator_destroy(&iter); ++ return; ++} ++ ++/** + * Prints a textual representation of a type, and possibly + * all of that type's attributes. + * +-- +1.8.5.3 + diff --git a/SOURCES/0009-Fix-help-message-on-sesearch-D.patch b/SOURCES/0009-Fix-help-message-on-sesearch-D.patch new file mode 100644 index 00000000..e90eba42 --- /dev/null +++ b/SOURCES/0009-Fix-help-message-on-sesearch-D.patch 
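Review bot: `isattr` in the new print_type_aliases is fetched with `qpol_type_get_isattr()` but never read afterwards, so that call and the variable can go, and the stray `attributes` line after `@param policydb` in the doc comment should be dropped. The function returns void and swallows every qpol failure, whereas the sibling `print_type_attrs()` called one line earlier in print_types returns int and the caller does `goto cleanup` on failure; making it `static int print_type_aliases(...)`, returning -1 when any qpol call fails, and calling it as `if (print_type_aliases(fp, type_datum, policydb)) goto cleanup;` keeps the two consistent. The `#include` added near the top of seinfo.c has lost its header name in this rendering; presumably it declares the alias iterator, which is worth confirming. print_types starts and ends outside the hunk.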
@@ -0,0 +1,258 @@ +From bbe9f57845101d07eef31a772946437b3245c7d5 Mon Sep 17 00:00:00 2001 +From: Miroslav Grepl +Date: Fri, 11 Apr 2014 18:46:24 +0200 +Subject: [PATCH 09/11] Fix help message on sesearch -D + +--- + man/sesearch.1 | 2 +- + secmds/sesearch.c | 77 +++++++++++++++++-------------------------------------- + 2 files changed, 25 insertions(+), 54 deletions(-) + +diff --git a/man/sesearch.1 b/man/sesearch.1 +index 573aedd..dc119eb 100644 +--- a/man/sesearch.1 ++++ b/man/sesearch.1 +@@ -43,7 +43,7 @@ Search for allow rules. + Search for neverallow rules. + .IP "--auditallow" + Search for auditallow rules. +-.IP "--dontaudit" ++.IP "-D, --dontaudit" + Search for dontaudit rules. + .IP "-T, --type" + Search for type_transition, type_member, and type_change rules. +diff --git a/secmds/sesearch.c b/secmds/sesearch.c +index e1436a7..f53d670 100644 +--- a/secmds/sesearch.c ++++ b/secmds/sesearch.c +@@ -24,6 +24,7 @@ + */ + + #include ++#include + + /* libapol */ + #include +@@ -61,9 +62,8 @@ enum opt_values + static struct option const longopts[] = { + {"allow", no_argument, NULL, 'A'}, + {"neverallow", no_argument, NULL, RULE_NEVERALLOW}, +- {"audit", no_argument, NULL, RULE_AUDIT}, + {"auditallow", no_argument, NULL, RULE_AUDITALLOW}, +- {"dontaudit", no_argument, NULL, RULE_DONTAUDIT}, ++ {"dontaudit", no_argument, NULL, 'D'}, + {"type", no_argument, NULL, 'T'}, + {"role_allow", no_argument, NULL, RULE_ROLE_ALLOW}, + {"role_trans", no_argument, NULL, RULE_ROLE_TRANS}, +@@ -72,7 +72,6 @@ static struct option const longopts[] = { + + {"source", required_argument, NULL, 's'}, + {"target", required_argument, NULL, 't'}, +- {"default", required_argument, NULL, 'D'}, + {"role_source", required_argument, NULL, EXPR_ROLE_SOURCE}, + {"role_target", required_argument, NULL, EXPR_ROLE_TARGET}, + {"class", required_argument, NULL, 'c'}, +@@ -129,7 +128,7 @@ void usage(const char *program_name, int brief) + printf(" -A, --allow allow rules\n"); + printf(" --neverallow 
neverallow rules\n"); + printf(" --auditallow auditallow rules\n"); +- printf(" --dontaudit dontaudit rules\n"); ++ printf(" -D, --dontaudit dontaudit rules\n"); + printf(" -T, --type type_trans, type_member, and type_change\n"); + printf(" --role_allow role allow rules\n"); + printf(" --role_trans role_transition rules\n"); +@@ -138,7 +137,6 @@ void usage(const char *program_name, int brief) + printf("EXPRESSIONS:\n"); + printf(" -s NAME, --source=NAME rules with type/attribute NAME as source\n"); + printf(" -t NAME, --target=NAME rules with type/attribute NAME as target\n"); +- printf(" -D NAME, --default=NAME rules with type NAME as default\n"); + printf(" --role_source=NAME rules with role NAME as source\n"); + printf(" --role_target=NAME rules with role NAME as target\n"); + printf(" -c NAME, --class=NAME rules with class NAME as the object class\n"); +@@ -296,10 +294,8 @@ static void print_syn_av_results(const apol_policy_t * policy, const options_t * + tmp = apol_cond_expr_render(policy, cond); + enable_char = (enabled ? 'E' : 'D'); + branch_char = ((is_true && enabled) || (!is_true && !enabled) ? 'T' : 'F'); +- if (asprintf(&expr, "[ %s ]", tmp) < 0) { +- expr = NULL; ++ if (asprintf(&expr, "[ %s ]", tmp) < 0) + goto cleanup; +- } + free(tmp); + tmp = NULL; + if (!expr) +@@ -362,10 +358,8 @@ static void print_av_results(const apol_policy_t * policy, const options_t * opt + qpol_iterator_destroy(&iter); + enable_char = (enabled ? 'E' : 'D'); + branch_char = (list ? 
'T' : 'F'); +- if (asprintf(&expr, "[ %s ]", tmp) < 0) { +- expr = NULL; ++ if (asprintf(&expr, "[ %s ]", tmp) < 0) + goto cleanup; +- } + free(tmp); + tmp = NULL; + if (!expr) +@@ -421,8 +415,6 @@ static int perform_te_query(const apol_policy_t * policy, const options_t * opt, + apol_terule_query_set_target(policy, teq, opt->tgt_name, opt->indirect); + if (opt->bool_name) + apol_terule_query_set_bool(policy, teq, opt->bool_name); +- if (opt->default_name) +- apol_terule_query_set_default(policy, teq, opt->default_name); + if (opt->class_name) { + if (opt->class_vector == NULL) { + if (apol_terule_query_append_class(policy, teq, opt->class_name)) { +@@ -499,14 +491,12 @@ static void print_syn_te_results(const apol_policy_t * policy, const options_t * + tmp = apol_cond_expr_render(policy, cond); + enable_char = (enabled ? 'E' : 'D'); + branch_char = ((is_true && enabled) || (!is_true && !enabled) ? 'T' : 'F'); +- if (asprintf(&expr, "[ %s ]", tmp) < 0) { +- expr = NULL; ++ if (asprintf(&expr, "[ %s ]", tmp) < 0) + goto cleanup; +- } + free(tmp); + tmp = NULL; + if (!expr) +- goto cleanup; ++ break; + } + } + if (!(rule_str = apol_syn_terule_render(policy, rule))) +@@ -567,10 +557,8 @@ static void print_te_results(const apol_policy_t * policy, const options_t * opt + qpol_iterator_destroy(&iter); + enable_char = (enabled ? 'E' : 'D'); + branch_char = (list ? 
'T' : 'F'); +- if (asprintf(&expr, "[ %s ]", tmp) < 0) { +- expr = NULL; ++ if (asprintf(&expr, "[ %s ]", tmp) < 0) + goto cleanup; +- } + free(tmp); + tmp = NULL; + if (!expr) +@@ -629,7 +617,6 @@ static int perform_ft_query(const apol_policy_t * policy, const options_t * opt, + goto err; + } + } +- + if (opt->default_name) { + if (apol_filename_trans_query_set_default(policy, ftq, opt->default_name)) { + error = errno; +@@ -677,13 +664,12 @@ static void print_ft_results(const apol_policy_t * policy, const options_t * opt + { + size_t i, num_filename_trans = 0; + const qpol_filename_trans_t *filename_trans = NULL; +- char *filename_trans_str = NULL; +- qpol_iterator_t *iter = NULL; ++ char *tmp = NULL, *filename_trans_str = NULL, *expr = NULL; + + if (!(num_filename_trans = apol_vector_get_size(v))) + goto cleanup; + +- fprintf(stdout, "Found %zd named file transition rules:\n", num_filename_trans); ++ fprintf(stdout, "Found %zd named file transition filename_trans:\n", num_filename_trans); + + for (i = 0; i < num_filename_trans; i++) { + if (!(filename_trans = apol_vector_get_element(v, i))) +@@ -691,13 +677,17 @@ static void print_ft_results(const apol_policy_t * policy, const options_t * opt + + if (!(filename_trans_str = apol_filename_trans_render(policy, filename_trans))) + goto cleanup; +- fprintf(stdout, "%s\n", filename_trans_str); ++ fprintf(stdout, "%s %s\n", filename_trans_str, expr ? 
expr : ""); + free(filename_trans_str); + filename_trans_str = NULL; ++ free(expr); ++ expr = NULL; + } + + cleanup: ++ free(tmp); + free(filename_trans_str); ++ free(expr); + } + + static int perform_ra_query(const apol_policy_t * policy, const options_t * opt, apol_vector_t ** v) +@@ -814,13 +804,6 @@ static int perform_rt_query(const apol_policy_t * policy, const options_t * opt, + } + } + +- if (opt->default_name) { +- if (apol_role_trans_query_set_default(policy, rtq, opt->default_name)) { +- error = errno; +- goto err; +- } +- } +- + if (apol_role_trans_get_by_query(policy, rtq, v)) { + error = errno; + goto err; +@@ -973,7 +956,7 @@ int main(int argc, char **argv) + + memset(&cmd_opts, 0, sizeof(cmd_opts)); + cmd_opts.indirect = true; +- while ((optc = getopt_long(argc, argv, "ATs:t:c:p:b:dD:RnSChV", longopts, NULL)) != -1) { ++ while ((optc = getopt_long(argc, argv, "ATs:t:c:p:b:dDRnSChV", longopts, NULL)) != -1) { + switch (optc) { + case 0: + break; +@@ -1001,18 +984,6 @@ int main(int argc, char **argv) + exit(1); + } + break; +- case 'D': /* default */ +- if (optarg == 0) { +- usage(argv[0], 1); +- printf("Missing default type for -D (--default)\n"); +- exit(1); +- } +- cmd_opts.default_name = strdup(optarg); +- if (!cmd_opts.default_name) { +- +- exit(1); +- } +- break; + case EXPR_ROLE_SOURCE: + if (optarg == 0) { + usage(argv[0], 1); +@@ -1093,7 +1064,7 @@ int main(int argc, char **argv) + case RULE_AUDITALLOW: + cmd_opts.auditallow = true; + break; +- case RULE_DONTAUDIT: ++ case 'D': + cmd_opts.dontaudit = true; + break; + case 'T': /* type */ +@@ -1273,12 +1244,13 @@ int main(int argc, char **argv) + fprintf(stdout, "\n"); + } + +- apol_vector_destroy(&v); +- if (perform_ft_query(policy, &cmd_opts, &v)) { +- rt = 1; +- goto cleanup; +- } +- if (v) { ++ if (cmd_opts.all || cmd_opts.type) { ++ apol_vector_destroy(&v); ++ if (perform_ft_query(policy, &cmd_opts, &v)) { ++ rt = 1; ++ goto cleanup; ++ } ++ + print_ft_results(policy, &cmd_opts, v); + 
fprintf(stdout, "\n"); + } +@@ -1317,7 +1289,6 @@ int main(int argc, char **argv) + apol_policy_path_destroy(&pol_path); + free(cmd_opts.src_name); + free(cmd_opts.tgt_name); +- free(cmd_opts.default_name); + free(cmd_opts.class_name); + free(cmd_opts.permlist); + free(cmd_opts.bool_name); +-- +1.8.5.3 + diff --git a/SOURCES/0011-Fix-Wformat-security-issues.patch b/SOURCES/0011-Fix-Wformat-security-issues.patch new file mode 100644 index 00000000..5288ed79 --- /dev/null +++ b/SOURCES/0011-Fix-Wformat-security-issues.patch @@ -0,0 +1,154 @@ +From 32ede3cc817ee4f6806877a34a6c84ed50c31df7 Mon Sep 17 00:00:00 2001 +From: Miroslav Grepl +Date: Fri, 11 Apr 2014 18:49:33 +0200 +Subject: [PATCH 11/11] Fix -Wformat-security issues + +--- + libseaudit/src/bool_message.c | 4 ++-- + libseaudit/src/filter.c | 2 +- + libseaudit/src/model.c | 2 +- + seaudit/progress.c | 4 ++-- + seaudit/toplevel.c | 2 +- + seaudit/utilgui.c | 2 +- + sediff/progress.c | 4 ++-- + sediff/toplevel.c | 2 +- + sediff/utilgui.c | 2 +- + 9 files changed, 12 insertions(+), 12 deletions(-) + +diff --git a/libseaudit/src/bool_message.c b/libseaudit/src/bool_message.c +index f105cf0..d5b1e33 100644 +--- a/libseaudit/src/bool_message.c ++++ b/libseaudit/src/bool_message.c +@@ -101,7 +101,7 @@ char *bool_message_to_string(const seaudit_message_t * msg, const char *date) + return NULL; + } + if ((misc_string = bool_message_to_misc_string(boolm)) == NULL || +- apol_str_appendf(&s, &len, misc_string) < 0 || apol_str_append(&s, &len, close_brace) < 0) { ++ apol_str_appendf(&s, &len, "%s", misc_string) < 0 || apol_str_append(&s, &len, close_brace) < 0) { + free(misc_string); + return NULL; + } +@@ -128,7 +128,7 @@ char *bool_message_to_string_html(const seaudit_message_t * msg, const char *dat + return NULL; + } + if ((misc_string = bool_message_to_misc_string(boolm)) == NULL || +- apol_str_appendf(&s, &len, misc_string) < 0 || apol_str_appendf(&s, &len, "%s%s
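Review bot: The four `asprintf(&expr, "[ %s ]", tmp)` failure paths in print_syn_av_results, print_av_results, print_syn_te_results and print_te_results no longer set `expr = NULL` before `goto cleanup`; glibc leaves `*strp` undefined when asprintf fails, so the `free(expr)` that the cleanup label presumably performs (outside the hunk) may now free an indeterminate pointer — keep the braces and the `expr = NULL;` line. print_ft_results gains `tmp` and `expr` that are declared, never assigned and then freed, so `expr ? expr : ""` is always the empty string; either drop them or add the conditional-expression rendering they were evidently meant for, and the new text `Found %zd named file transition filename_trans:` reads worse than the `rules:` it replaced. Repurposing `-D` from `--default=NAME` to `--dontaudit` silently breaks scripts that passed `-D NAME`, which now get dontaudit rules plus NAME as a stray positional argument; that deserves a sentence in man/sesearch.1, not just the option table. In print_syn_te_results the `if (!expr) goto cleanup;` becomes `break;`, unlike the other three functions, with no explanation in the patch.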
", s, close_brace) < 0) { ++ apol_str_appendf(&s, &len, "%s", misc_string) < 0 || apol_str_appendf(&s, &len, "%s%s
", s, close_brace) < 0) { + free(misc_string); + return NULL; + } +diff --git a/libseaudit/src/filter.c b/libseaudit/src/filter.c +index 298a309..c710ce4 100644 +--- a/libseaudit/src/filter.c ++++ b/libseaudit/src/filter.c +@@ -1108,7 +1108,7 @@ int seaudit_filter_save_to_file(const seaudit_filter_t * filter, const char *fil + if ((file = fopen(filename, "w")) == NULL) { + return -1; + } +- fprintf(file, XML_VER); ++ fprintf(file, "%s", XML_VER); + fprintf(file, "\n", FILTER_FILE_FORMAT_VERSION); + filter_append_to_file(filter, file, 1); + fprintf(file, "\n"); +diff --git a/libseaudit/src/model.c b/libseaudit/src/model.c +index 1bc4a23..4a130cb 100644 +--- a/libseaudit/src/model.c ++++ b/libseaudit/src/model.c +@@ -514,7 +514,7 @@ int seaudit_model_save_to_file(const seaudit_model_t * model, const char *filena + if ((file = fopen(filename, "w")) == NULL) { + return -1; + } +- fprintf(file, XML_VER); ++ fprintf(file, "%s", XML_VER); + fprintf(file, "\n", + FILTER_FILE_FORMAT_VERSION, model->name, + model->match == SEAUDIT_FILTER_MATCH_ALL ? 
"all" : "any", +diff --git a/seaudit/progress.c b/seaudit/progress.c +index 2e0abeb..f092858 100644 +--- a/seaudit/progress.c ++++ b/seaudit/progress.c +@@ -114,10 +114,10 @@ int progress_wait(progress_t * progress) + } + g_mutex_unlock(progress->mutex); + if (progress->done < 0) { +- toplevel_ERR(progress->top, GTK_LABEL(progress->label2)->label); ++ toplevel_ERR(progress->top, "%s", GTK_LABEL(progress->label2)->label); + return progress->done; + } else if (progress->done > 1) { +- toplevel_WARN(progress->top, GTK_LABEL(progress->label2)->label); ++ toplevel_WARN(progress->top, "%s", GTK_LABEL(progress->label2)->label); + return progress->done - 1; + } else { + progress->done = 0; +diff --git a/seaudit/toplevel.c b/seaudit/toplevel.c +index d901a99..27938d5 100644 +--- a/seaudit/toplevel.c ++++ b/seaudit/toplevel.c +@@ -902,7 +902,7 @@ static void toplevel_message(toplevel_t * top, GtkMessageType msg_type, const ch + ERR(NULL, "%s", strerror(errno)); + return; + } +- dialog = gtk_message_dialog_new(top->w, GTK_DIALOG_DESTROY_WITH_PARENT, msg_type, GTK_BUTTONS_CLOSE, msg); ++ dialog = gtk_message_dialog_new(top->w, GTK_DIALOG_DESTROY_WITH_PARENT, msg_type, GTK_BUTTONS_CLOSE, "%s", msg); + free(msg); + gtk_dialog_run(GTK_DIALOG(dialog)); + gtk_widget_destroy(dialog); +diff --git a/seaudit/utilgui.c b/seaudit/utilgui.c +index 22028e1..78a1a08 100644 +--- a/seaudit/utilgui.c ++++ b/seaudit/utilgui.c +@@ -30,7 +30,7 @@ + void util_message(GtkWindow * parent, GtkMessageType msg_type, const char *msg) + { + GtkWidget *dialog; +- dialog = gtk_message_dialog_new(parent, GTK_DIALOG_DESTROY_WITH_PARENT, msg_type, GTK_BUTTONS_CLOSE, msg); ++ dialog = gtk_message_dialog_new(parent, GTK_DIALOG_DESTROY_WITH_PARENT, msg_type, GTK_BUTTONS_CLOSE, "%s", msg); + gtk_dialog_run(GTK_DIALOG(dialog)); + gtk_widget_destroy(dialog); + } +diff --git a/sediff/progress.c b/sediff/progress.c +index efaa120..312789e 100644 +--- a/sediff/progress.c ++++ b/sediff/progress.c +@@ -115,10 +115,10 @@ 
int progress_wait(progress_t * progress) + } + g_mutex_unlock(progress->mutex); + if (progress->done < 0) { +- toplevel_ERR(progress->top, GTK_LABEL(progress->label2)->label); ++ toplevel_ERR(progress->top, "%s", GTK_LABEL(progress->label2)->label); + return progress->done; + } else if (progress->done > 1) { +- toplevel_WARN(progress->top, GTK_LABEL(progress->label2)->label); ++ toplevel_WARN(progress->top, "%s", GTK_LABEL(progress->label2)->label); + return progress->done - 1; + } else { + progress->done = 0; +diff --git a/sediff/toplevel.c b/sediff/toplevel.c +index db6d1f5..aabd039 100644 +--- a/sediff/toplevel.c ++++ b/sediff/toplevel.c +@@ -453,7 +453,7 @@ static void toplevel_message(toplevel_t * top, GtkMessageType msg_type, const ch + ERR(NULL, "%s", strerror(errno)); + return; + } +- dialog = gtk_message_dialog_new(top->w, GTK_DIALOG_DESTROY_WITH_PARENT, msg_type, GTK_BUTTONS_CLOSE, msg); ++ dialog = gtk_message_dialog_new(top->w, GTK_DIALOG_DESTROY_WITH_PARENT, msg_type, GTK_BUTTONS_CLOSE, "%s", msg); + free(msg); + gtk_dialog_run(GTK_DIALOG(dialog)); + gtk_widget_destroy(dialog); +diff --git a/sediff/utilgui.c b/sediff/utilgui.c +index 04e1e05..9e183ba 100644 +--- a/sediff/utilgui.c ++++ b/sediff/utilgui.c +@@ -31,7 +31,7 @@ + void util_message(GtkWindow * parent, GtkMessageType msg_type, const char *msg) + { + GtkWidget *dialog; +- dialog = gtk_message_dialog_new(parent, GTK_DIALOG_DESTROY_WITH_PARENT, msg_type, GTK_BUTTONS_CLOSE, msg); ++ dialog = gtk_message_dialog_new(parent, GTK_DIALOG_DESTROY_WITH_PARENT, msg_type, GTK_BUTTONS_CLOSE, "%s", msg); + gtk_dialog_run(GTK_DIALOG(dialog)); + gtk_widget_destroy(dialog); + } +-- +1.8.5.3 + diff --git a/SOURCES/0013-libqpol-Skip-types-when-building-type-attribute-map.patch b/SOURCES/0013-libqpol-Skip-types-when-building-type-attribute-map.patch new file mode 100644 index 00000000..efdd8a94 --- /dev/null +++ b/SOURCES/0013-libqpol-Skip-types-when-building-type-attribute-map.patch 
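Review bot: The format-string fixes are correct, but the html variant in bool_message_to_string_html still passes `s` — the buffer being appended to — as an argument of `apol_str_appendf(&s, &len, "%s%s…", s, close_brace)`; that appends the whole message to itself and reads a buffer the callee may reallocate while formatting, which the plain-text variant just above avoids by calling `apol_str_append(&s, &len, close_brace)`. Unless the duplication is intended, the argument list should be just close_brace with the html trailer folded into the format, mirroring the text version; the format string is cut in this rendering so its trailer cannot be confirmed here. The `GTK_LABEL(...)->label` accesses in both progress.c files now go through `"%s"` correctly, but direct struct access is deprecated in later GTK releases and `gtk_label_get_text()` is the supported accessor; a TODO comment is worthwhile if a GTK upgrade is planned. All of the touched functions start and end outside their hunks.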
@@ -0,0 +1,29 @@ +From f7b31b7e28a4f89bcfcd0d139cfca78777a4333e Mon Sep 17 00:00:00 2001 +From: Chris PeBenito +Date: Thu, 4 Feb 2016 14:06:49 -0500 +Subject: [PATCH] libqpol: Skip types when building type attribute map. + +Fix originally from Richard Haines. + +Closes #94. +--- + libqpol/src/policy_extend.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/libqpol/src/policy_extend.c b/libqpol/src/policy_extend.c +index 1417271..416bddb 100644 +--- a/libqpol/src/policy_extend.c ++++ b/libqpol/src/policy_extend.c +@@ -201,6 +201,9 @@ static int qpol_policy_build_attrs_from_map(qpol_policy_t * policy) + memset(&buff, 0, 10 * sizeof(char)); + + for (i = 0; i < db->p_types.nprim; i++) { ++ /* skip types */ ++ if (db->type_val_to_struct[i]->flavor == TYPE_TYPE) ++ continue; + count = 0; + ebitmap_for_each_bit(&db->attr_type_map[i], node, bit) { + if (ebitmap_node_get_bit(node, bit)) +-- +2.5.0 +
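Review bot: The added check dereferences `db->type_val_to_struct[i]` without a NULL guard; if any slot below `nprim` can be empty in the policies this code is fed (not visible here, so unconfirmed), `->flavor` faults before the loop ever reaches the bitmap. A guard of the form `if (!db->type_val_to_struct[i] || db->type_val_to_struct[i]->flavor == TYPE_TYPE) continue;` costs nothing and matches the defensive style of the surrounding code. The comment `/* skip types */` only restates the condition; say why, e.g. `/* only attributes carry an attr_type_map worth expanding; plain types are left alone */`, if that is the intent. qpol_policy_build_attrs_from_map starts and ends outside the hunk.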