From 4c1f4cf95afe68ddeafa5e02f79f7fd795d3289b Mon Sep 17 00:00:00 2001 From: basebuilder_pel7x64builder0 Date: Mon, 26 Nov 2018 00:20:36 +0100 Subject: [PATCH] libsepol package update Signed-off-by: basebuilder_pel7x64builder0 --- SOURCES/libsepol-rhel.patch | 325 ++++++++++++++++++++---------------- SPECS/libsepol.spec | 10 +- 2 files changed, 188 insertions(+), 147 deletions(-) diff --git a/SOURCES/libsepol-rhel.patch b/SOURCES/libsepol-rhel.patch index 4e5b8fa9..8cc29e78 100644 --- a/SOURCES/libsepol-rhel.patch +++ b/SOURCES/libsepol-rhel.patch @@ -44,18 +44,19 @@ index ace3d54..c7cc464 100644 * Fix unused variable annotations, from Nicolas Iooss. * Fix uninitialized variable in CIL, from Nicolas Iooss. diff --git libsepol-2.5/cil/src/cil.c libsepol-2.5/cil/src/cil.c -index afdc240..9b2c45b 100644 +index afdc240..3e99b24 100644 --- libsepol-2.5/cil/src/cil.c +++ libsepol-2.5/cil/src/cil.c -@@ -108,6 +108,7 @@ static void cil_init_keys(void) +@@ -108,6 +108,8 @@ static void cil_init_keys(void) CIL_KEY_STAR = cil_strpool_add("*"); CIL_KEY_UDP = cil_strpool_add("udp"); CIL_KEY_TCP = cil_strpool_add("tcp"); + CIL_KEY_DCCP = cil_strpool_add("dccp"); ++ CIL_KEY_SCTP = cil_strpool_add("sctp"); CIL_KEY_AUDITALLOW = cil_strpool_add("auditallow"); CIL_KEY_TUNABLEIF = cil_strpool_add("tunableif"); CIL_KEY_ALLOW = cil_strpool_add("allow"); -@@ -186,6 +187,8 @@ static void cil_init_keys(void) +@@ -186,6 +188,8 @@ static void cil_init_keys(void) CIL_KEY_MLSVALIDATETRANS = cil_strpool_add("mlsvalidatetrans"); CIL_KEY_CONTEXT = cil_strpool_add("context"); CIL_KEY_FILECON = cil_strpool_add("filecon"); 
@@ -64,7 +65,7 @@ index afdc240..9b2c45b 100644 CIL_KEY_PORTCON = cil_strpool_add("portcon"); CIL_KEY_NODECON = cil_strpool_add("nodecon"); CIL_KEY_GENFSCON = cil_strpool_add("genfscon"); -@@ -232,6 +235,9 @@ static void cil_init_keys(void) +@@ -232,6 +236,9 @@ static void cil_init_keys(void) CIL_KEY_PERMISSIONX = cil_strpool_add("permissionx"); CIL_KEY_IOCTL = cil_strpool_add("ioctl"); CIL_KEY_UNORDERED = cil_strpool_add("unordered"); @@ -74,7 +75,7 @@ index afdc240..9b2c45b 100644 } void cil_db_init(struct cil_db **db) -@@ -252,6 +258,8 @@ void cil_db_init(struct cil_db **db) +@@ -252,6 +259,8 @@ void cil_db_init(struct cil_db **db) cil_sort_init(&(*db)->genfscon); cil_sort_init(&(*db)->filecon); cil_sort_init(&(*db)->nodecon); @@ -83,7 +84,7 @@ index afdc240..9b2c45b 100644 cil_sort_init(&(*db)->portcon); cil_sort_init(&(*db)->pirqcon); cil_sort_init(&(*db)->iomemcon); -@@ -301,6 +309,8 @@ void cil_db_destroy(struct cil_db **db) +@@ -301,6 +310,8 @@ void cil_db_destroy(struct cil_db **db) cil_sort_destroy(&(*db)->genfscon); cil_sort_destroy(&(*db)->filecon); cil_sort_destroy(&(*db)->nodecon); @@ -92,7 +93,7 @@ index afdc240..9b2c45b 100644 cil_sort_destroy(&(*db)->portcon); cil_sort_destroy(&(*db)->pirqcon); cil_sort_destroy(&(*db)->iomemcon); -@@ -712,9 +722,15 @@ void cil_destroy_data(void **data, enum cil_flavor flavor) +@@ -712,9 +723,15 @@ void cil_destroy_data(void **data, enum cil_flavor flavor) case CIL_FILECON: cil_destroy_filecon(*data); break; @@ -108,7 +109,7 @@ index afdc240..9b2c45b 100644 case CIL_NODECON: cil_destroy_nodecon(*data); break; -@@ -756,6 +772,9 @@ void cil_destroy_data(void **data, enum cil_flavor flavor) +@@ -756,6 +773,9 @@ void cil_destroy_data(void **data, enum cil_flavor flavor) case CIL_MLS: cil_destroy_mls(*data); break; 
@@ -118,7 +119,7 @@ index afdc240..9b2c45b 100644 case CIL_OP: case CIL_CONS_OPERAND: break; -@@ -763,8 +782,8 @@ void cil_destroy_data(void **data, enum cil_flavor flavor) +@@ -763,8 +783,8 @@ void cil_destroy_data(void **data, enum cil_flavor flavor) cil_log(CIL_INFO, "Unknown data flavor: %d\n", flavor); break; } @@ -129,7 +130,7 @@ index afdc240..9b2c45b 100644 } int cil_flavor_to_symtab_index(enum cil_flavor flavor, enum cil_sym_index *sym_index) -@@ -1076,6 +1095,10 @@ const char * cil_node_to_string(struct cil_tree_node *node) +@@ -1076,6 +1096,10 @@ const char * cil_node_to_string(struct cil_tree_node *node) return CIL_KEY_FSUSE; case CIL_FILECON: return CIL_KEY_FILECON; @@ -140,7 +141,7 @@ index afdc240..9b2c45b 100644 case CIL_PORTCON: return CIL_KEY_PORTCON; case CIL_NODECON: -@@ -1108,6 +1131,8 @@ const char * cil_node_to_string(struct cil_tree_node *node) +@@ -1108,6 +1132,8 @@ const char * cil_node_to_string(struct cil_tree_node *node) return CIL_KEY_HANDLEUNKNOWN; case CIL_MLS: return CIL_KEY_MLS; @@ -149,7 +150,7 @@ index afdc240..9b2c45b 100644 case CIL_ALL: return CIL_KEY_ALL; case CIL_RANGE: -@@ -1755,8 +1780,7 @@ int cil_get_symtab(struct cil_tree_node *ast_node, symtab_t **symtab, enum cil_s +@@ -1755,8 +1781,7 @@ int cil_get_symtab(struct cil_tree_node *ast_node, symtab_t **symtab, enum cil_s return SEPOL_OK; exit: @@ -159,7 +160,7 @@ index afdc240..9b2c45b 100644 return SEPOL_ERR; } -@@ -1796,6 +1820,16 @@ void cil_netifcon_init(struct cil_netifcon **netifcon) +@@ -1796,6 +1821,16 @@ void cil_netifcon_init(struct cil_netifcon **netifcon) (*netifcon)->context_str = NULL; } @@ -176,7 +177,7 @@ index afdc240..9b2c45b 100644 void cil_context_init(struct cil_context **context) { *context = cil_malloc(sizeof(**context)); -@@ -2212,6 +2246,17 @@ void cil_filecon_init(struct cil_filecon **filecon) +@@ -2212,6 +2247,17 @@ void cil_filecon_init(struct cil_filecon **filecon) (*filecon)->context = NULL; } 
@@ -194,7 +195,7 @@ index afdc240..9b2c45b 100644 void cil_portcon_init(struct cil_portcon **portcon) { *portcon = cil_malloc(sizeof(**portcon)); -@@ -2553,3 +2598,10 @@ void cil_mls_init(struct cil_mls **mls) +@@ -2553,3 +2599,10 @@ void cil_mls_init(struct cil_mls **mls) *mls = cil_malloc(sizeof(**mls)); (*mls)->value = 0; } @@ -206,20 +207,23 @@ index afdc240..9b2c45b 100644 + (*info)->path = NULL; +} diff --git libsepol-2.5/cil/src/cil_binary.c libsepol-2.5/cil/src/cil_binary.c -index f749e53..c507124 100644 +index f749e53..9e71691 100644 --- libsepol-2.5/cil/src/cil_binary.c +++ libsepol-2.5/cil/src/cil_binary.c -@@ -31,6 +31,9 @@ +@@ -31,6 +31,12 @@ #include #include #include +#ifndef IPPROTO_DCCP +#define IPPROTO_DCCP 33 ++#endif ++#ifndef IPPROTO_SCTP ++#define IPPROTO_SCTP 132 +#endif #include #include -@@ -606,9 +609,11 @@ int __cil_typeattr_bitmap_init(policydb_t *pdb) +@@ -606,9 +612,11 @@ int __cil_typeattr_bitmap_init(policydb_t *pdb) rc = SEPOL_ERR; goto exit; } @@ -234,7 +238,7 @@ index f749e53..c507124 100644 } } -@@ -749,6 +754,12 @@ int cil_userrole_to_policydb(policydb_t *pdb, const struct cil_db *db, struct ci +@@ -749,6 +757,12 @@ int cil_userrole_to_policydb(policydb_t *pdb, const struct cil_db *db, struct ci goto exit; } @@ -247,7 +251,7 @@ index f749e53..c507124 100644 if (ebitmap_set_bit(&sepol_user->roles.roles, sepol_role->s.value - 1, 1)) { cil_log(CIL_INFO, "Failed to set role bit for user\n"); rc = SEPOL_ERR; -@@ -1770,13 +1781,12 @@ int __cil_cond_to_policydb_helper(struct cil_tree_node *node, __attribute__((unu +@@ -1770,13 +1784,12 @@ int __cil_cond_to_policydb_helper(struct cil_tree_node *node, __attribute__((unu cil_typetrans = (struct cil_nametypetransition*)node->data; if (DATUM(cil_typetrans->name)->fqn != CIL_KEY_STAR) { cil_log(CIL_ERR, "typetransition with file name not allowed within a booleanif block.\n"); 
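Review bot: The `#ifndef IPPROTO_SCTP` / `#define IPPROTO_SCTP 132` fallback (and the DCCP one beside it) is inserted between the `#include` lines rather than after the last of them, and the header names are not legible in this copy; if `<netinet/in.h>` is one of the two includes that follow the guard, glibc's declaration of IPPROTO_SCTP as an enumerator (`IPPROTO_SCTP = 132,` followed by `#define IPPROTO_SCTP IPPROTO_SCTP`) would be macro-expanded to `132 = 132,` and fail to compile. The values themselves match the IANA assignments (DCCP 33, SCTP 132), so the guard is only a portability shim for headers that predate them. Safer is to place both `#ifndef` blocks after the final `#include` so the system definition always wins when present; the include order cannot be confirmed from this hunk.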
@@ -263,7 +267,7 @@ index f749e53..c507124 100644 goto exit; } break; -@@ -1784,7 +1794,7 @@ int __cil_cond_to_policydb_helper(struct cil_tree_node *node, __attribute__((unu +@@ -1784,7 +1797,7 @@ int __cil_cond_to_policydb_helper(struct cil_tree_node *node, __attribute__((unu cil_type_rule = node->data; rc = __cil_type_rule_to_avtab(pdb, db, cil_type_rule, cond_node, cond_flavor); if (rc != SEPOL_OK) { @@ -272,7 +276,7 @@ index f749e53..c507124 100644 goto exit; } break; -@@ -1792,7 +1802,7 @@ int __cil_cond_to_policydb_helper(struct cil_tree_node *node, __attribute__((unu +@@ -1792,7 +1805,7 @@ int __cil_cond_to_policydb_helper(struct cil_tree_node *node, __attribute__((unu cil_avrule = node->data; rc = __cil_avrule_to_avtab(pdb, db, cil_avrule, cond_node, cond_flavor); if (rc != SEPOL_OK) { @@ -281,7 +285,7 @@ index f749e53..c507124 100644 goto exit; } break; -@@ -1800,8 +1810,7 @@ int __cil_cond_to_policydb_helper(struct cil_tree_node *node, __attribute__((unu +@@ -1800,8 +1813,7 @@ int __cil_cond_to_policydb_helper(struct cil_tree_node *node, __attribute__((unu case CIL_TUNABLEIF: break; default: @@ -291,7 +295,7 @@ index f749e53..c507124 100644 goto exit; } -@@ -2060,14 +2069,13 @@ int cil_booleanif_to_policydb(policydb_t *pdb, const struct cil_db *db, struct c +@@ -2060,14 +2072,13 @@ int cil_booleanif_to_policydb(policydb_t *pdb, const struct cil_db *db, struct c tmp_cond = cond_node_create(pdb, NULL); if (tmp_cond == NULL) { rc = SEPOL_ERR; @@ -308,7 +312,7 @@ index f749e53..c507124 100644 goto exit; } -@@ -2123,7 +2131,7 @@ int cil_booleanif_to_policydb(policydb_t *pdb, const struct cil_db *db, struct c +@@ -2123,7 +2134,7 @@ int cil_booleanif_to_policydb(policydb_t *pdb, const struct cil_db *db, struct c bool_args.cond_flavor = CIL_CONDTRUE; rc = cil_tree_walk(true_node, __cil_cond_to_policydb_helper, NULL, NULL, &bool_args); if (rc != SEPOL_OK) { 
@@ -317,7 +321,7 @@ index f749e53..c507124 100644 goto exit; } } -@@ -2132,7 +2140,7 @@ int cil_booleanif_to_policydb(policydb_t *pdb, const struct cil_db *db, struct c +@@ -2132,7 +2143,7 @@ int cil_booleanif_to_policydb(policydb_t *pdb, const struct cil_db *db, struct c bool_args.cond_flavor = CIL_CONDFALSE; rc = cil_tree_walk(false_node, __cil_cond_to_policydb_helper, NULL, NULL, &bool_args); if (rc != SEPOL_OK) { @@ -326,7 +330,7 @@ index f749e53..c507124 100644 goto exit; } } -@@ -3018,6 +3026,40 @@ exit: +@@ -3018,6 +3029,40 @@ exit: return rc; } @@ -367,17 +371,20 @@ index f749e53..c507124 100644 int cil_portcon_to_policydb(policydb_t *pdb, struct cil_sort *portcons) { int rc = SEPOL_ERR; -@@ -3035,6 +3077,9 @@ int cil_portcon_to_policydb(policydb_t *pdb, struct cil_sort *portcons) +@@ -3035,6 +3080,12 @@ int cil_portcon_to_policydb(policydb_t *pdb, struct cil_sort *portcons) case CIL_PROTOCOL_TCP: new_ocon->u.port.protocol = IPPROTO_TCP; break; + case CIL_PROTOCOL_DCCP: + new_ocon->u.port.protocol = IPPROTO_DCCP; ++ break; ++ case CIL_PROTOCOL_SCTP: ++ new_ocon->u.port.protocol = IPPROTO_SCTP; + break; default: /* should not get here */ rc = SEPOL_ERR; -@@ -3086,6 +3131,30 @@ exit: +@@ -3086,6 +3137,30 @@ exit: return rc; } @@ -408,7 +415,7 @@ index f749e53..c507124 100644 int cil_nodecon_to_policydb(policydb_t *pdb, struct cil_sort *nodecons) { int rc = SEPOL_ERR; -@@ -3583,7 +3652,7 @@ int __cil_node_to_policydb(struct cil_tree_node *node, void *extra_args) +@@ -3583,7 +3658,7 @@ int __cil_node_to_policydb(struct cil_tree_node *node, void *extra_args) exit: if (rc != SEPOL_OK) { @@ -417,7 +424,7 @@ index f749e53..c507124 100644 } return rc; } -@@ -3645,6 +3714,16 @@ int __cil_contexts_to_policydb(policydb_t *pdb, const struct cil_db *db) +@@ -3645,6 +3720,16 @@ int __cil_contexts_to_policydb(policydb_t *pdb, const struct cil_db *db) goto exit; } 
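Review bot: The new `case CIL_PROTOCOL_SCTP:` in `cil_portcon_to_policydb` is correct, but the `default:` branch beneath it still returns SEPOL_ERR with only a `/* should not get here */` comment and no `cil_log`, so a portcon whose proto value is missed by a future switch update aborts the whole compile without naming the statement; suggest `cil_log(CIL_ERR, "Unknown protocol for portcon\n");` ahead of the existing `rc = SEPOL_ERR;`. The number written here (`IPPROTO_SCTP`, 132) goes into the kernel policy ocontext as-is; presumably a kernel without SCTP labeling hooks loads such a policy but never matches those portcons, so the package notes should state the minimum kernel on which `sctp` portcons take effect — that cannot be confirmed from this patch. The enclosing function starts and ends outside this hunk.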
@@ -434,7 +441,7 @@ index f749e53..c507124 100644 if (db->target_platform == SEPOL_TARGET_XEN) { rc = cil_pirqcon_to_policydb(pdb, db->pirqcon); if (rc != SEPOL_OK) { -@@ -4227,6 +4306,9 @@ exit: +@@ -4227,6 +4312,9 @@ exit: static avrule_t *__cil_init_sepol_avrule(uint32_t kind, struct cil_tree_node *node) { avrule_t *avrule; @@ -444,7 +451,7 @@ index f749e53..c507124 100644 avrule = cil_malloc(sizeof(avrule_t)); avrule->specified = kind; -@@ -4235,8 +4317,17 @@ static avrule_t *__cil_init_sepol_avrule(uint32_t kind, struct cil_tree_node *no +@@ -4235,8 +4323,17 @@ static avrule_t *__cil_init_sepol_avrule(uint32_t kind, struct cil_tree_node *no __cil_init_sepol_type_set(&avrule->ttypes); avrule->perms = NULL; avrule->line = node->line; @@ -463,7 +470,7 @@ index f749e53..c507124 100644 avrule->next = NULL; return avrule; } -@@ -4263,10 +4354,8 @@ static void __cil_print_parents(const char *pad, struct cil_tree_node *n) +@@ -4263,10 +4360,8 @@ static void __cil_print_parents(const char *pad, struct cil_tree_node *n) __cil_print_parents(pad, n->parent); @@ -476,7 +483,7 @@ index f749e53..c507124 100644 } } -@@ -4357,7 +4446,7 @@ static int __cil_print_neverallow_failure(const struct cil_db *db, struct cil_tr +@@ -4357,7 +4452,7 @@ static int __cil_print_neverallow_failure(const struct cil_db *db, struct cil_tr allow_str = CIL_KEY_ALLOWX; avrule_flavor = CIL_AVRULEX; } @@ -485,7 +492,7 @@ index f749e53..c507124 100644 __cil_print_rule(" ", neverallow_str, cil_rule); cil_list_init(&matching, CIL_NODE); rc = cil_find_matching_avrule_in_ast(db->ast->root, avrule_flavor, &target, matching, CIL_FALSE); -@@ -4380,10 +4469,9 @@ exit: +@@ -4380,10 +4475,9 @@ exit: return rc; } 
@@ -498,7 +505,7 @@ index f749e53..c507124 100644 struct cil_avrule *cil_rule = node->data; struct cil_symtab_datum *tgt = cil_rule->tgt; uint32_t kind; -@@ -4422,11 +4510,11 @@ static int cil_check_neverallow(const struct cil_db *db, policydb_t *pdb, struct +@@ -4422,11 +4516,11 @@ static int cil_check_neverallow(const struct cil_db *db, policydb_t *pdb, struct rc = check_assertion(pdb, rule); if (rc == CIL_TRUE) { @@ -511,7 +518,7 @@ index f749e53..c507124 100644 } } else { -@@ -4444,12 +4532,11 @@ static int cil_check_neverallow(const struct cil_db *db, policydb_t *pdb, struct +@@ -4444,12 +4538,11 @@ static int cil_check_neverallow(const struct cil_db *db, policydb_t *pdb, struct rule->xperms = item->data; rc = check_assertion(pdb, rule); if (rc == CIL_TRUE) { @@ -525,7 +532,7 @@ index f749e53..c507124 100644 } } } -@@ -4466,34 +4553,23 @@ exit: +@@ -4466,34 +4559,23 @@ exit: rule->xperms = NULL; __cil_destroy_sepol_avrules(rule); @@ -565,7 +572,7 @@ index f749e53..c507124 100644 } static struct cil_list *cil_classperms_from_sepol(policydb_t *pdb, uint16_t class, uint32_t data, struct cil_class *class_value_to_cil[], struct cil_perm **perm_value_to_cil[]) -@@ -4548,7 +4624,7 @@ exit: +@@ -4548,7 +4630,7 @@ exit: return rc; } @@ -574,7 +581,7 @@ index f749e53..c507124 100644 { int rc = SEPOL_OK; int i; -@@ -4574,6 +4650,9 @@ static int cil_check_type_bounds(const struct cil_db *db, policydb_t *pdb, void +@@ -4574,6 +4656,9 @@ static int cil_check_type_bounds(const struct cil_db *db, policydb_t *pdb, void if (bad) { avtab_ptr_t cur; struct cil_avrule target; @@ -584,7 +591,7 @@ index f749e53..c507124 100644 target.is_extended = 0; target.rule_kind = CIL_AVRULE_ALLOWED; -@@ -4585,7 +4664,6 @@ static int cil_check_type_bounds(const struct cil_db *db, policydb_t *pdb, void +@@ -4585,7 +4670,6 @@ static int cil_check_type_bounds(const struct cil_db *db, policydb_t *pdb, void for (cur = bad; cur; cur = cur->next) { struct cil_list_item *i2; struct cil_list *matching; 
@@ -592,7 +599,7 @@ index f749e53..c507124 100644 rc = cil_avrule_from_sepol(pdb, cur, &target, type_value_to_cil, class_value_to_cil, perm_value_to_cil); if (rc != SEPOL_OK) { -@@ -4594,7 +4672,7 @@ static int cil_check_type_bounds(const struct cil_db *db, policydb_t *pdb, void +@@ -4594,7 +4678,7 @@ static int cil_check_type_bounds(const struct cil_db *db, policydb_t *pdb, void } __cil_print_rule(" ", "allow", &target); cil_list_init(&matching, CIL_NODE); @@ -601,7 +608,7 @@ index f749e53..c507124 100644 if (rc) { cil_log(CIL_ERR, "Error occurred while checking type bounds\n"); cil_list_destroy(&matching, CIL_FALSE); -@@ -4602,14 +4680,17 @@ static int cil_check_type_bounds(const struct cil_db *db, policydb_t *pdb, void +@@ -4602,14 +4686,17 @@ static int cil_check_type_bounds(const struct cil_db *db, policydb_t *pdb, void bounds_destroy_bad(bad); goto exit; } @@ -625,7 +632,7 @@ index f749e53..c507124 100644 cil_list_destroy(&matching, CIL_FALSE); cil_list_destroy(&target.perms.classperms, CIL_TRUE); } -@@ -4753,20 +4834,32 @@ int cil_binary_create_allocated_pdb(const struct cil_db *db, sepol_policydb_t *p +@@ -4753,20 +4840,32 @@ int cil_binary_create_allocated_pdb(const struct cil_db *db, sepol_policydb_t *p __cil_set_conditional_state_and_flags(pdb); if (db->disable_neverallow != CIL_TRUE) { @@ -666,10 +673,11 @@ 
diff --git libsepol-2.5/cil/src/cil_binary.h libsepol-2.5/cil/src/cil_binary.h index c59b1e3..5367feb 100644 --- libsepol-2.5/cil/src/cil_binary.h +++ libsepol-2.5/cil/src/cil_binary.h -@@ -330,6 +330,30 @@ int cil_sepol_level_define(policydb_t *pdb, struct cil_sens *cil_sens); +@@ -329,6 +329,30 @@ int cil_sepol_level_define(policydb_t *pdb, struct cil_sens *cil_sens); + */ int cil_rangetransition_to_policydb(policydb_t *pdb, const struct cil_db *db, struct cil_rangetransition *rangetrans, hashtab_t range_trans_table); - /** ++/** + * Insert cil ibpkeycon structure into sepol policydb. + * The function is given a structure containing the sorted ibpkeycons and + * loops over this structure inserting them into the policy database. @@ -693,12 +701,11 @@ index c59b1e3..5367feb 100644 + */ +int cil_ibendportcon_to_policydb(policydb_t *pdb, struct cil_sort *pkeycons); + -+/** + /** * Insert cil portcon structure into sepol policydb. * The function is given a structure containing the sorted portcons and - * loops over this structure inserting them into the policy database. diff --git libsepol-2.5/cil/src/cil_build_ast.c libsepol-2.5/cil/src/cil_build_ast.c -index 1135e06..855e2b4 100644 +index 1135e06..916e8cf 100644 --- libsepol-2.5/cil/src/cil_build_ast.c +++ libsepol-2.5/cil/src/cil_build_ast.c @@ -108,8 +108,7 @@ int cil_gen_node(__attribute__((unused)) struct cil_db *db, struct cil_tree_node 
@@ -1419,16 +1426,18 @@ index 1135e06..855e2b4 100644 int cil_gen_portcon(struct cil_db *db, struct cil_tree_node *parse_current, struct cil_tree_node *ast_node) { enum cil_syntax syntax[] = { -@@ -4261,6 +4282,8 @@ int cil_gen_portcon(struct cil_db *db, struct cil_tree_node *parse_current, stru +@@ -4261,6 +4282,10 @@ int cil_gen_portcon(struct cil_db *db, struct cil_tree_node *parse_current, stru portcon->proto = CIL_PROTOCOL_UDP; } else if (proto == CIL_KEY_TCP) { portcon->proto = CIL_PROTOCOL_TCP; + } else if (proto == CIL_KEY_DCCP) { + portcon->proto = CIL_PROTOCOL_DCCP; ++ } else if (proto == CIL_KEY_SCTP) { ++ portcon->proto = CIL_PROTOCOL_SCTP; } else { cil_log(CIL_ERR, "Invalid protocol\n"); rc = SEPOL_ERR; -@@ -4311,8 +4334,7 @@ int cil_gen_portcon(struct cil_db *db, struct cil_tree_node *parse_current, stru +@@ -4311,8 +4336,7 @@ int cil_gen_portcon(struct cil_db *db, struct cil_tree_node *parse_current, stru return SEPOL_OK; exit: @@ -1438,7 +1447,7 @@ index 1135e06..855e2b4 100644 cil_destroy_portcon(portcon); return rc; } -@@ -4393,8 +4415,7 @@ int cil_gen_nodecon(struct cil_db *db, struct cil_tree_node *parse_current, stru +@@ -4393,8 +4417,7 @@ int cil_gen_nodecon(struct cil_db *db, struct cil_tree_node *parse_current, stru return SEPOL_OK; exit: @@ -1448,7 +1457,7 @@ index 1135e06..855e2b4 100644 cil_destroy_nodecon(nodecon); return rc; } -@@ -4464,8 +4485,7 @@ int cil_gen_genfscon(struct cil_db *db, struct cil_tree_node *parse_current, str +@@ -4464,8 +4487,7 @@ int cil_gen_genfscon(struct cil_db *db, struct cil_tree_node *parse_current, str return SEPOL_OK; exit: @@ -1458,7 +1467,7 @@ index 1135e06..855e2b4 100644 cil_destroy_genfscon(genfscon); return SEPOL_ERR; } -@@ -4538,8 +4558,7 @@ int cil_gen_netifcon(struct cil_db *db, struct cil_tree_node *parse_current, str +@@ -4538,8 +4560,7 @@ int cil_gen_netifcon(struct cil_db *db, struct cil_tree_node *parse_current, str return SEPOL_OK; exit: 
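Review bot: The `cil_log(CIL_ERR, "Invalid protocol\n")` that the new `sctp` branch in `cil_gen_portcon` falls through to still reports no token, so a policy that uses `sctp` on a libsepol predating this patch, or a mistyped keyword, is rejected with a message that names neither the keyword nor the statement; since `proto` is the interned keyword string being compared against `CIL_KEY_SCTP`, `cil_log(CIL_ERR, "Invalid protocol: %s\n", proto);` would make the rejection actionable. The pointer-equality comparison is consistent with the surrounding `CIL_KEY_TCP`/`CIL_KEY_UDP` checks and relies on `CIL_KEY_SCTP` being interned via `cil_strpool_add("sctp")` in `cil_init_keys`, which this patch does. The rest of `cil_gen_portcon`, including any port-range validation, is outside the hunk.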
@@ -1468,7 +1477,7 @@ index 1135e06..855e2b4 100644 cil_destroy_netifcon(netifcon); return SEPOL_ERR; } -@@ -4561,6 +4580,68 @@ void cil_destroy_netifcon(struct cil_netifcon *netifcon) +@@ -4561,6 +4582,68 @@ void cil_destroy_netifcon(struct cil_netifcon *netifcon) free(netifcon); } @@ -1537,7 +1546,7 @@ index 1135e06..855e2b4 100644 int cil_gen_pirqcon(struct cil_db *db, struct cil_tree_node *parse_current, struct cil_tree_node *ast_node) { enum cil_syntax syntax[] = { -@@ -4606,8 +4687,7 @@ int cil_gen_pirqcon(struct cil_db *db, struct cil_tree_node *parse_current, stru +@@ -4606,8 +4689,7 @@ int cil_gen_pirqcon(struct cil_db *db, struct cil_tree_node *parse_current, stru return SEPOL_OK; exit: @@ -1547,7 +1556,7 @@ index 1135e06..855e2b4 100644 cil_destroy_pirqcon(pirqcon); return rc; } -@@ -4692,8 +4772,7 @@ int cil_gen_iomemcon(struct cil_db *db, struct cil_tree_node *parse_current, str +@@ -4692,8 +4774,7 @@ int cil_gen_iomemcon(struct cil_db *db, struct cil_tree_node *parse_current, str return SEPOL_OK; exit: @@ -1557,7 +1566,7 @@ index 1135e06..855e2b4 100644 cil_destroy_iomemcon(iomemcon); return rc; } -@@ -4778,8 +4857,7 @@ int cil_gen_ioportcon(struct cil_db *db, struct cil_tree_node *parse_current, st +@@ -4778,8 +4859,7 @@ int cil_gen_ioportcon(struct cil_db *db, struct cil_tree_node *parse_current, st return SEPOL_OK; exit: @@ -1567,7 +1576,7 @@ index 1135e06..855e2b4 100644 cil_destroy_ioportcon(ioportcon); return rc; } -@@ -4842,8 +4920,7 @@ int cil_gen_pcidevicecon(struct cil_db *db, struct cil_tree_node *parse_current, +@@ -4842,8 +4922,7 @@ int cil_gen_pcidevicecon(struct cil_db *db, struct cil_tree_node *parse_current, return SEPOL_OK; exit: 
@@ -1577,7 +1586,7 @@ index 1135e06..855e2b4 100644 cil_destroy_pcidevicecon(pcidevicecon); return rc; } -@@ -4903,8 +4980,7 @@ int cil_gen_devicetreecon(struct cil_db *db, struct cil_tree_node *parse_current +@@ -4903,8 +4982,7 @@ int cil_gen_devicetreecon(struct cil_db *db, struct cil_tree_node *parse_current return SEPOL_OK; exit: @@ -1587,7 +1596,7 @@ index 1135e06..855e2b4 100644 cil_destroy_devicetreecon(devicetreecon); return rc; } -@@ -4979,8 +5055,7 @@ int cil_gen_fsuse(struct cil_db *db, struct cil_tree_node *parse_current, struct +@@ -4979,8 +5057,7 @@ int cil_gen_fsuse(struct cil_db *db, struct cil_tree_node *parse_current, struct return SEPOL_OK; exit: @@ -1597,7 +1606,7 @@ index 1135e06..855e2b4 100644 cil_destroy_fsuse(fsuse); return SEPOL_ERR; } -@@ -5137,8 +5212,7 @@ int cil_gen_macro(struct cil_db *db, struct cil_tree_node *parse_current, struct +@@ -5137,8 +5214,7 @@ int cil_gen_macro(struct cil_db *db, struct cil_tree_node *parse_current, struct return SEPOL_OK; exit: @@ -1607,7 +1616,7 @@ index 1135e06..855e2b4 100644 cil_destroy_macro(macro); cil_clear_node(ast_node); return SEPOL_ERR; -@@ -5196,8 +5270,7 @@ int cil_gen_call(struct cil_db *db, struct cil_tree_node *parse_current, struct +@@ -5196,8 +5272,7 @@ int cil_gen_call(struct cil_db *db, struct cil_tree_node *parse_current, struct return SEPOL_OK; exit: @@ -1617,7 +1626,7 @@ index 1135e06..855e2b4 100644 cil_destroy_call(call); return rc; } -@@ -5299,8 +5372,7 @@ int cil_gen_optional(struct cil_db *db, struct cil_tree_node *parse_current, str +@@ -5299,8 +5374,7 @@ int cil_gen_optional(struct cil_db *db, struct cil_tree_node *parse_current, str return SEPOL_OK; exit: 
@@ -1627,7 +1636,7 @@ index 1135e06..855e2b4 100644 cil_destroy_optional(optional); cil_clear_node(ast_node); return rc; -@@ -5348,8 +5420,7 @@ int cil_gen_policycap(struct cil_db *db, struct cil_tree_node *parse_current, st +@@ -5348,8 +5422,7 @@ int cil_gen_policycap(struct cil_db *db, struct cil_tree_node *parse_current, st return SEPOL_OK; exit: @@ -1637,7 +1646,7 @@ index 1135e06..855e2b4 100644 cil_destroy_policycap(polcap); cil_clear_node(ast_node); return rc; -@@ -5404,8 +5475,7 @@ int cil_gen_ipaddr(struct cil_db *db, struct cil_tree_node *parse_current, struc +@@ -5404,8 +5477,7 @@ int cil_gen_ipaddr(struct cil_db *db, struct cil_tree_node *parse_current, struc return SEPOL_OK; exit: @@ -1647,7 +1656,7 @@ index 1135e06..855e2b4 100644 cil_destroy_ipaddr(ipaddr); cil_clear_node(ast_node); return rc; -@@ -5609,8 +5679,7 @@ int cil_gen_bounds(struct cil_db *db, struct cil_tree_node *parse_current, struc +@@ -5609,8 +5681,7 @@ int cil_gen_bounds(struct cil_db *db, struct cil_tree_node *parse_current, struc return SEPOL_OK; exit: @@ -1657,7 +1666,7 @@ index 1135e06..855e2b4 100644 cil_destroy_bounds(bounds); return rc; } -@@ -5671,8 +5740,7 @@ int cil_gen_default(struct cil_tree_node *parse_current, struct cil_tree_node *a +@@ -5671,8 +5742,7 @@ int cil_gen_default(struct cil_tree_node *parse_current, struct cil_tree_node *a return SEPOL_OK; exit: @@ -1667,7 +1676,7 @@ index 1135e06..855e2b4 100644 cil_destroy_default(def); return rc; } -@@ -5758,8 +5826,7 @@ int cil_gen_defaultrange(struct cil_tree_node *parse_current, struct cil_tree_no +@@ -5758,8 +5828,7 @@ int cil_gen_defaultrange(struct cil_tree_node *parse_current, struct cil_tree_no return SEPOL_OK; exit: 
@@ -1677,7 +1686,7 @@ index 1135e06..855e2b4 100644 cil_destroy_defaultrange(def); return rc; } -@@ -5819,8 +5886,7 @@ int cil_gen_handleunknown(struct cil_tree_node *parse_current, struct cil_tree_n +@@ -5819,8 +5888,7 @@ int cil_gen_handleunknown(struct cil_tree_node *parse_current, struct cil_tree_n return SEPOL_OK; exit: @@ -1687,7 +1696,7 @@ index 1135e06..855e2b4 100644 cil_destroy_handleunknown(unknown); return rc; } -@@ -5868,8 +5934,7 @@ int cil_gen_mls(struct cil_tree_node *parse_current, struct cil_tree_node *ast_n +@@ -5868,8 +5936,7 @@ int cil_gen_mls(struct cil_tree_node *parse_current, struct cil_tree_node *ast_n return SEPOL_OK; exit: @@ -1697,7 +1706,7 @@ index 1135e06..855e2b4 100644 cil_destroy_mls(mls); return rc; } -@@ -5879,6 +5944,27 @@ void cil_destroy_mls(struct cil_mls *mls) +@@ -5879,6 +5946,27 @@ void cil_destroy_mls(struct cil_mls *mls) free(mls); } @@ -1725,7 +1734,7 @@ index 1135e06..855e2b4 100644 int __cil_build_ast_node_helper(struct cil_tree_node *parse_current, uint32_t *finished, void *extra_args) { struct cil_args_build *args = NULL; -@@ -5913,7 +5999,7 @@ int __cil_build_ast_node_helper(struct cil_tree_node *parse_current, uint32_t *f +@@ -5913,7 +6001,7 @@ int __cil_build_ast_node_helper(struct cil_tree_node *parse_current, uint32_t *f if (parse_current->parent->parent == NULL) { rc = SEPOL_OK; } else { @@ -1734,7 +1743,7 @@ index 1135e06..855e2b4 100644 } goto exit; } -@@ -5926,7 +6012,7 @@ int __cil_build_ast_node_helper(struct cil_tree_node *parse_current, uint32_t *f +@@ -5926,7 +6014,7 @@ int __cil_build_ast_node_helper(struct cil_tree_node *parse_current, uint32_t *f parse_current->data == CIL_KEY_BLOCKINHERIT || parse_current->data == CIL_KEY_BLOCKABSTRACT) { rc = SEPOL_ERR; 
@@ -1743,7 +1752,7 @@ index 1135e06..855e2b4 100644 goto exit; } } -@@ -5942,8 +6028,7 @@ int __cil_build_ast_node_helper(struct cil_tree_node *parse_current, uint32_t *f +@@ -5942,8 +6030,7 @@ int __cil_build_ast_node_helper(struct cil_tree_node *parse_current, uint32_t *f parse_current->data != CIL_KEY_TYPECHANGE && parse_current->data != CIL_KEY_CALL) { rc = SEPOL_ERR; @@ -1753,7 +1762,7 @@ index 1135e06..855e2b4 100644 if (((struct cil_booleanif*)boolif->data)->preserved_tunable) { cil_log(CIL_ERR, "%s cannot be defined within tunableif statement (treated as a booleanif due to preserve-tunables)\n", (char*)parse_current->data); -@@ -5958,8 +6043,7 @@ int __cil_build_ast_node_helper(struct cil_tree_node *parse_current, uint32_t *f +@@ -5958,8 +6045,7 @@ int __cil_build_ast_node_helper(struct cil_tree_node *parse_current, uint32_t *f if (tunif != NULL) { if (parse_current->data == CIL_KEY_TUNABLE) { rc = SEPOL_ERR; @@ -1763,7 +1772,7 @@ index 1135e06..855e2b4 100644 cil_log(CIL_ERR, "Tunables cannot be defined within tunableif statement\n"); goto exit; } -@@ -5968,8 +6052,7 @@ int __cil_build_ast_node_helper(struct cil_tree_node *parse_current, uint32_t *f +@@ -5968,8 +6054,7 @@ int __cil_build_ast_node_helper(struct cil_tree_node *parse_current, uint32_t *f if (in != NULL) { if (parse_current->data == CIL_KEY_IN) { rc = SEPOL_ERR; @@ -1773,7 +1782,7 @@ index 1135e06..855e2b4 100644 cil_log(CIL_ERR, "in-statements cannot be defined within in-statements\n"); goto exit; } -@@ -5979,7 +6062,7 @@ int __cil_build_ast_node_helper(struct cil_tree_node *parse_current, uint32_t *f +@@ -5979,7 +6064,7 @@ int __cil_build_ast_node_helper(struct cil_tree_node *parse_current, uint32_t *f ast_node->parent = ast_current; ast_node->line = parse_current->line; 
@@ -1782,7 +1791,7 @@ index 1135e06..855e2b4 100644 if (parse_current->data == CIL_KEY_BLOCK) { rc = cil_gen_block(db, parse_current, ast_node, 0); -@@ -6182,6 +6265,12 @@ int __cil_build_ast_node_helper(struct cil_tree_node *parse_current, uint32_t *f +@@ -6182,6 +6267,12 @@ int __cil_build_ast_node_helper(struct cil_tree_node *parse_current, uint32_t *f } else if (parse_current->data == CIL_KEY_FILECON) { rc = cil_gen_filecon(db, parse_current, ast_node); *finished = CIL_TREE_SKIP_NEXT; @@ -1795,7 +1804,7 @@ index 1135e06..855e2b4 100644 } else if (parse_current->data == CIL_KEY_PORTCON) { rc = cil_gen_portcon(db, parse_current, ast_node); *finished = CIL_TREE_SKIP_NEXT; -@@ -6242,8 +6331,10 @@ int __cil_build_ast_node_helper(struct cil_tree_node *parse_current, uint32_t *f +@@ -6242,8 +6333,10 @@ int __cil_build_ast_node_helper(struct cil_tree_node *parse_current, uint32_t *f } else if (parse_current->data == CIL_KEY_MLS) { rc = cil_gen_mls(parse_current, ast_node); *finished = CIL_TREE_SKIP_NEXT; @@ -1807,7 +1816,7 @@ index 1135e06..855e2b4 100644 rc = SEPOL_ERR; } -@@ -6264,7 +6355,7 @@ int __cil_build_ast_node_helper(struct cil_tree_node *parse_current, uint32_t *f +@@ -6264,7 +6357,7 @@ int __cil_build_ast_node_helper(struct cil_tree_node *parse_current, uint32_t *f if (ast_current->flavor == CIL_IN) { args->in = ast_current; } @@ -2027,18 +2036,19 @@ index 865bd7d..dad1347 100644 return rc; 
diff --git libsepol-2.5/cil/src/cil_internal.h libsepol-2.5/cil/src/cil_internal.h -index a0a5480..dcc2111 100644 +index a0a5480..9f0aeb6 100644 --- libsepol-2.5/cil/src/cil_internal.h +++ libsepol-2.5/cil/src/cil_internal.h -@@ -101,6 +101,7 @@ char *CIL_KEY_OBJECT_R; +@@ -101,6 +101,8 @@ char *CIL_KEY_OBJECT_R; char *CIL_KEY_STAR; char *CIL_KEY_TCP; char *CIL_KEY_UDP; +char *CIL_KEY_DCCP; ++char *CIL_KEY_SCTP; char *CIL_KEY_AUDITALLOW; char *CIL_KEY_TUNABLEIF; char *CIL_KEY_ALLOW; -@@ -200,6 +201,8 @@ char *CIL_KEY_VALIDATETRANS; +@@ -200,6 +202,8 @@ char *CIL_KEY_VALIDATETRANS; char *CIL_KEY_MLSVALIDATETRANS; char *CIL_KEY_CONTEXT; char *CIL_KEY_FILECON; @@ -2047,7 +2057,7 @@ index a0a5480..dcc2111 100644 char *CIL_KEY_PORTCON; char *CIL_KEY_NODECON; char *CIL_KEY_GENFSCON; -@@ -225,6 +228,9 @@ char *CIL_KEY_NEVERALLOWX; +@@ -225,6 +229,9 @@ char *CIL_KEY_NEVERALLOWX; char *CIL_KEY_PERMISSIONX; char *CIL_KEY_IOCTL; char *CIL_KEY_UNORDERED; @@ -2057,7 +2067,7 @@ index a0a5480..dcc2111 100644 /* Symbol Table Array Indices -@@ -279,6 +285,8 @@ struct cil_db { +@@ -279,6 +286,8 @@ struct cil_db { struct cil_sort *genfscon; struct cil_sort *filecon; struct cil_sort *nodecon; @@ -2066,13 +2076,14 @@ index a0a5480..dcc2111 100644 struct cil_sort *portcon; struct cil_sort *pirqcon; struct cil_sort *iomemcon; -@@ -713,7 +721,16 @@ struct cil_filecon { +@@ -713,7 +722,17 @@ struct cil_filecon { enum cil_protocol { CIL_PROTOCOL_UDP = 1, - CIL_PROTOCOL_TCP + CIL_PROTOCOL_TCP, -+ CIL_PROTOCOL_DCCP ++ CIL_PROTOCOL_DCCP, ++ CIL_PROTOCOL_SCTP +}; + +struct cil_ibpkeycon { @@ -2084,7 +2095,7 @@ index a0a5480..dcc2111 100644 }; struct cil_portcon { -@@ -758,6 +775,12 @@ struct cil_netifcon { +@@ -758,6 +777,12 @@ struct cil_netifcon { char *context_str; }; @@ -2097,7 +2108,7 @@ index a0a5480..dcc2111 100644 struct cil_pirqcon { uint32_t pirq; char *context_str; -@@ -915,6 +938,11 @@ struct cil_mls { +@@ -915,6 +940,11 @@ struct cil_mls { int value; }; 
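Review bot: `char *CIL_KEY_SCTP;` in cil_internal.h follows the file's existing pattern for `CIL_KEY_TCP`, `CIL_KEY_UDP` and `CIL_KEY_DCCP`, but that pattern is a tentative definition in a header, which only links because the compiler merges common symbols; a toolchain defaulting to `-fno-common` (GCC 10 and later) reports the variable as multiply defined in every translation unit that includes the header. Presumably the EL7 toolchain this package targets is unaffected, but new additions would be better as `extern char *CIL_KEY_SCTP;` with a single definition in cil.c next to the `cil_strpool_add("sctp")` initialization — a change that touches cil.c and so is beyond this hunk. Keeping to the existing convention is defensible here as long as that limitation is noted.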
@@ -2109,7 +2120,7 @@ index a0a5480..dcc2111 100644 void cil_db_init(struct cil_db **db); void cil_db_destroy(struct cil_db **db); -@@ -938,6 +966,7 @@ int cil_get_symtab(struct cil_tree_node *ast_node, symtab_t **symtab, enum cil_s +@@ -938,6 +968,7 @@ int cil_get_symtab(struct cil_tree_node *ast_node, symtab_t **symtab, enum cil_s void cil_sort_init(struct cil_sort **sort); void cil_sort_destroy(struct cil_sort **sort); void cil_netifcon_init(struct cil_netifcon **netifcon); @@ -2117,7 +2128,7 @@ index a0a5480..dcc2111 100644 void cil_context_init(struct cil_context **context); void cil_level_init(struct cil_level **level); void cil_levelrange_init(struct cil_levelrange **lvlrange); -@@ -980,6 +1009,7 @@ void cil_catset_init(struct cil_catset **catset); +@@ -980,6 +1011,7 @@ void cil_catset_init(struct cil_catset **catset); void cil_cats_init(struct cil_cats **cats); void cil_senscat_init(struct cil_senscat **senscat); void cil_filecon_init(struct cil_filecon **filecon); @@ -2125,7 +2136,7 @@ index a0a5480..dcc2111 100644 void cil_portcon_init(struct cil_portcon **portcon); void cil_nodecon_init(struct cil_nodecon **nodecon); void cil_genfscon_init(struct cil_genfscon **genfscon); -@@ -1017,6 +1047,7 @@ void cil_default_init(struct cil_default **def); +@@ -1017,6 +1049,7 @@ void cil_default_init(struct cil_default **def); void cil_defaultrange_init(struct cil_defaultrange **def); void cil_handleunknown_init(struct cil_handleunknown **unk); void cil_mls_init(struct cil_mls **mls); @@ -2518,19 +2529,21 @@ index d0e108c..101520c 100644 + return SEPOL_ERR; } 
diff --git libsepol-2.5/cil/src/cil_policy.c libsepol-2.5/cil/src/cil_policy.c -index 2c9b158..7a57583 100644 +index 2c9b158..6bc3f09 100644 --- libsepol-2.5/cil/src/cil_policy.c +++ libsepol-2.5/cil/src/cil_policy.c -@@ -123,6 +123,8 @@ int cil_portcon_to_policy(FILE **file_arr, struct cil_sort *sort) +@@ -123,6 +123,10 @@ int cil_portcon_to_policy(FILE **file_arr, struct cil_sort *sort) fprintf(file_arr[NETIFCONS], "udp "); } else if (portcon->proto == CIL_PROTOCOL_TCP) { fprintf(file_arr[NETIFCONS], "tcp "); + } else if (portcon->proto == CIL_PROTOCOL_DCCP) { + fprintf(file_arr[NETIFCONS], "dccp "); ++ } else if (portcon->proto == CIL_PROTOCOL_SCTP) { ++ fprintf(file_arr[NETIFCONS], "sctp "); } fprintf(file_arr[NETIFCONS], "%d ", portcon->port_low); fprintf(file_arr[NETIFCONS], "%d ", portcon->port_high); -@@ -148,6 +150,39 @@ int cil_genfscon_to_policy(FILE **file_arr, struct cil_sort *sort) +@@ -148,6 +152,39 @@ int cil_genfscon_to_policy(FILE **file_arr, struct cil_sort *sort) return SEPOL_OK; } @@ -2570,7 +2583,7 @@ index 2c9b158..7a57583 100644 int cil_netifcon_to_policy(FILE **file_arr, struct cil_sort *sort) { uint32_t i = 0; -@@ -1321,6 +1356,18 @@ int cil_gen_policy(struct cil_db *db) +@@ -1321,6 +1358,18 @@ int cil_gen_policy(struct cil_db *db) cil_log(CIL_ERR, "Error creating policy.conf\n"); return rc; } @@ -3095,7 +3108,7 @@ index 1175f97..82c8ea3 100644 int cil_resolve_genfscon(struct cil_tree_node *current, void *extra_args); int cil_resolve_nodecon(struct cil_tree_node *current, void *extra_args); diff --git libsepol-2.5/cil/src/cil_tree.c libsepol-2.5/cil/src/cil_tree.c -index 1c23efc..599f756 100644 +index 1c23efc..aadedb4 100644 --- libsepol-2.5/cil/src/cil_tree.c +++ libsepol-2.5/cil/src/cil_tree.c @@ -1,6 +1,6 @@ 
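Review bot: The `if`/`else if` chain in `cil_portcon_to_policy` still ends without an `else`, so a `portcon` whose `proto` matches none of the four branches is written to policy.conf with an empty protocol field instead of failing. Closing the chain with `} else { cil_log(CIL_ERR, "Unknown portcon protocol: %d\n", portcon->proto); return SEPOL_ERR; }` turns a silently malformed policy.conf into an error the caller already handles. The function's body starts outside the hunk; the same open-ended chain is repeated in the `cil_tree_print_node` hunk in `cil_tree.c`, where a log line rather than an error return is the appropriate fallback.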
@@ -3258,16 +3271,18 @@ index 1c23efc..599f756 100644 case CIL_PORTCON: { struct cil_portcon *portcon = node->data; cil_log(CIL_INFO, "PORTCON:"); -@@ -1319,6 +1419,8 @@ void cil_tree_print_node(struct cil_tree_node *node) +@@ -1319,6 +1419,10 @@ void cil_tree_print_node(struct cil_tree_node *node) cil_log(CIL_INFO, " udp"); } else if (portcon->proto == CIL_PROTOCOL_TCP) { cil_log(CIL_INFO, " tcp"); + } else if (portcon->proto == CIL_PROTOCOL_DCCP) { + cil_log(CIL_INFO, " dccp"); ++ } else if (portcon->proto == CIL_PROTOCOL_SCTP) { ++ cil_log(CIL_INFO, " sctp"); } cil_log(CIL_INFO, " (%d %d)", portcon->port_low, portcon->port_high); -@@ -1393,6 +1495,19 @@ void cil_tree_print_node(struct cil_tree_node *node) +@@ -1393,6 +1497,19 @@ void cil_tree_print_node(struct cil_tree_node *node) cil_log(CIL_INFO, "\n"); return; } @@ -3944,12 +3959,15 @@ index 0000000..4ab0a8a +__END_DECLS +#endif diff --git libsepol-2.5/include/sepol/policydb/polcaps.h libsepol-2.5/include/sepol/policydb/polcaps.h -index 74b7c9e..2018083 100644 +index 74b7c9e..278af82 100644 --- libsepol-2.5/include/sepol/policydb/polcaps.h +++ libsepol-2.5/include/sepol/policydb/polcaps.h -@@ -11,6 +11,8 @@ enum { +@@ -9,8 +9,10 @@ __BEGIN_DECLS + enum { + POLICYDB_CAPABILITY_NETPEER, POLICYDB_CAPABILITY_OPENPERM, - POLICYDB_CAPABILITY_REDHAT1, /* reserved for RH testing of ptrace_child */ +- POLICYDB_CAPABILITY_REDHAT1, /* reserved for RH testing of ptrace_child */ ++ POLICYDB_CAPABILITY_EXTSOCKCLASS, POLICYDB_CAPABILITY_ALWAYSNETWORK, + POLICYDB_CAPABILITY_CGROUPSECLABEL, + POLICYDB_CAPABILITY_NNP_NOSUID_TRANSITION, @@ -4056,10 +4074,11 @@ 
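Review bot: Reassigning the third enum slot from `POLICYDB_CAPABILITY_REDHAT1` to `POLICYDB_CAPABILITY_EXTSOCKCLASS` changes the meaning of that bit in every existing policy's capability bitmap: a binary policy or module built against the previous RHEL header with `redhat1` set now loads as asserting `extended_socket_class`, and one built with this header reads as `redhat1` under an older libsepol. That matches upstream's numbering and is presumably intended, but it is a silent reinterpretation rather than a rename, so a comment on the new line, `/* slot formerly POLICYDB_CAPABILITY_REDHAT1 (ptrace_child); renumbered to match upstream */`, would stop the next reader from "restoring" it. The name table in `src/polcaps.c` is changed in lockstep in the later hunk, which is required because `polcap_names[]` is indexed by this enum value.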
diff --git libsepol-2.5/include/sepol/policydb/services.h libsepol-2.5/include/s index 8a5dc9a..ea2fa2e 100644 --- libsepol-2.5/include/sepol/policydb/services.h +++ libsepol-2.5/include/sepol/policydb/services.h -@@ -186,6 +186,22 @@ extern int sepol_port_sid(uint16_t domain, +@@ -185,6 +185,22 @@ extern int sepol_port_sid(uint16_t domain, + uint8_t protocol, uint16_t port, sepol_security_id_t * out_sid); - /* ++/* + * Return the SID of the ibpkey specified by + * `subnet prefix', and `pkey'. + */ @@ -4075,19 +4094,19 @@ index 8a5dc9a..ea2fa2e 100644 + uint8_t port, + sepol_security_id_t *out_sid); + -+/* + /* * Return the SIDs to use for a network interface * with the name `name'. The `if_sid' SID is returned for - * the interface and the `msg_sid' SID is returned as diff --git libsepol-2.5/include/sepol/port_record.h libsepol-2.5/include/sepol/port_record.h -index 697cea4..c07d1fa 100644 +index 697cea4..4b45ebe 100644 --- libsepol-2.5/include/sepol/port_record.h +++ libsepol-2.5/include/sepol/port_record.h -@@ -14,6 +14,7 @@ typedef struct sepol_port_key sepol_port_key_t; +@@ -14,6 +14,8 @@ typedef struct sepol_port_key sepol_port_key_t; #define SEPOL_PROTO_UDP 0 #define SEPOL_PROTO_TCP 1 +#define SEPOL_PROTO_DCCP 2 ++#define SEPOL_PROTO_SCTP 3 /* Key */ extern int sepol_port_compare(const sepol_port_t * port, @@ -5968,7 +5987,7 @@ index f211164..cd4cc86 100644 (policy_module_t *) calloc(1, sizeof(policy_module_t))) == diff --git libsepol-2.5/src/module_to_cil.c libsepol-2.5/src/module_to_cil.c -index 18ec6b9..26b1ee3 100644 +index 18ec6b9..fbded42 100644 --- libsepol-2.5/src/module_to_cil.c +++ libsepol-2.5/src/module_to_cil.c @@ -3,6 +3,7 @@ 
@@ -5979,17 +5998,20 @@ index 18ec6b9..26b1ee3 100644 * * This library is free software; you can redistribute it and/or * modify it under the terms of the GNU Lesser General Public -@@ -26,6 +27,9 @@ +@@ -26,6 +27,12 @@ #include #include #include +#ifndef IPPROTO_DCCP +#define IPPROTO_DCCP 33 ++#endif ++#ifndef IPPROTO_SCTP ++#define IPPROTO_SCTP 132 +#endif #include #include #include -@@ -602,6 +606,103 @@ exit: +@@ -602,6 +609,103 @@ exit: return rc; } @@ -6093,7 +6115,7 @@ index 18ec6b9..26b1ee3 100644 static int num_digits(int n) { int num = 1; -@@ -1070,6 +1171,11 @@ static int avrule_list_to_cil(int indent, struct policydb *pdb, struct avrule *a +@@ -1070,6 +1174,11 @@ static int avrule_list_to_cil(int indent, struct policydb *pdb, struct avrule *a struct type_set *ts; for (avrule = avrule_list; avrule != NULL; avrule = avrule->next) { @@ -6105,7 +6127,7 @@ index 18ec6b9..26b1ee3 100644 ts = &avrule->stypes; rc = process_typeset(indent, pdb, ts, attr_list, &snames, &num_snames); if (rc != 0) { -@@ -1084,14 +1190,22 @@ static int avrule_list_to_cil(int indent, struct policydb *pdb, struct avrule *a +@@ -1084,14 +1193,22 @@ static int avrule_list_to_cil(int indent, struct policydb *pdb, struct avrule *a for (s = 0; s < num_snames; s++) { for (t = 0; t < num_tnames; t++) { @@ -6130,7 +6152,7 @@ index 18ec6b9..26b1ee3 100644 if (rc != 0) { goto exit; } -@@ -1100,6 +1214,11 @@ static int avrule_list_to_cil(int indent, struct policydb *pdb, struct avrule *a +@@ -1100,6 +1217,11 @@ static int avrule_list_to_cil(int indent, struct policydb *pdb, struct avrule *a names_destroy(&snames, &num_snames); names_destroy(&tnames, &num_tnames); @@ -6142,7 +6164,7 @@ index 18ec6b9..26b1ee3 100644 } return 0; -@@ -1292,7 +1411,7 @@ static int cond_list_to_cil(int indent, struct policydb *pdb, struct cond_node * +@@ -1292,7 +1414,7 @@ static int cond_list_to_cil(int indent, struct policydb *pdb, struct cond_node * { int rc = -1; struct cond_node *cond; 
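Review bot: The `#ifndef IPPROTO_SCTP` / `#define IPPROTO_SCTP 132` fallback is now duplicated verbatim, together with the existing `IPPROTO_DCCP` one, in two translation units — here and in `src/ports.c` in a later hunk; a single private header included by both (alongside `debug.h`, which `ports.c` already includes) would keep the two copies from drifting. 132 is the IANA-assigned SCTP protocol number and the guard lets a libc definition take precedence, so the value and the precedence are right. This hunk touches only the include preamble, no function body.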
@@ -6151,15 +6173,16 @@ index 18ec6b9..26b1ee3 100644 rc = list_init(&attr_list); if (rc != 0) { -@@ -2537,6 +2656,7 @@ static int ocontext_selinux_port_to_cil(struct policydb *pdb, struct ocontext *p +@@ -2537,6 +2659,8 @@ static int ocontext_selinux_port_to_cil(struct policydb *pdb, struct ocontext *p switch (portcon->u.port.protocol) { case IPPROTO_TCP: protocol = "tcp"; break; case IPPROTO_UDP: protocol = "udp"; break; + case IPPROTO_DCCP: protocol = "dccp"; break; ++ case IPPROTO_SCTP: protocol = "sctp"; break; default: log_err("Unknown portcon protocol: %i", portcon->u.port.protocol); rc = -1; -@@ -2562,6 +2682,45 @@ exit: +@@ -2562,6 +2686,45 @@ exit: return rc; } @@ -6205,7 +6228,7 @@ index 18ec6b9..26b1ee3 100644 static int ocontext_selinux_netif_to_cil(struct policydb *pdb, struct ocontext *netifs) { struct ocontext *netif; -@@ -2642,6 +2801,19 @@ exit: +@@ -2642,6 +2805,19 @@ exit: return rc; } @@ -6225,7 +6248,7 @@ index 18ec6b9..26b1ee3 100644 static int ocontext_selinux_fsuse_to_cil(struct policydb *pdb, struct ocontext *fsuses) { -@@ -2795,6 +2967,8 @@ static int ocontexts_to_cil(struct policydb *pdb) +@@ -2795,6 +2971,8 @@ static int ocontexts_to_cil(struct policydb *pdb) ocontext_selinux_node_to_cil, ocontext_selinux_fsuse_to_cil, ocontext_selinux_node6_to_cil, @@ -6234,7 +6257,7 @@ index 18ec6b9..26b1ee3 100644 }; static int (*ocon_xen_funcs[OCON_NUM])(struct policydb *pdb, struct ocontext *ocon) = { ocontext_xen_isid_to_cil, -@@ -3470,7 +3644,7 @@ static int block_to_cil(struct policydb *pdb, struct avrule_block *block, struct +@@ -3470,7 +3648,7 @@ static int block_to_cil(struct policydb *pdb, struct avrule_block *block, struct { int rc = -1; struct avrule_decl *decl; @@ -6243,7 +6266,7 @@ index 18ec6b9..26b1ee3 100644 decl = block->branch_list; -@@ -3619,7 +3793,7 @@ static int blocks_to_cil(struct policydb *pdb) +@@ -3619,7 +3797,7 @@ static int blocks_to_cil(struct policydb *pdb) int rc = -1; struct avrule_block *block; int indent = 0; 
@@ -6252,7 +6275,7 @@ index 18ec6b9..26b1ee3 100644 rc = stack_init(&stack); if (rc != 0) { -@@ -3687,7 +3861,7 @@ static int linked_blocks_to_cil(struct policydb *pdb) +@@ -3687,7 +3865,7 @@ static int linked_blocks_to_cil(struct policydb *pdb) // Since it is linked, all optional blocks have been resolved int rc = -1; struct avrule_block *block; @@ -6296,12 +6319,15 @@ index 50cf21d..820346d 100644 } break; diff --git libsepol-2.5/src/polcaps.c libsepol-2.5/src/polcaps.c -index 43a71a7..0c6f2af 100644 +index 43a71a7..0581b85 100644 --- libsepol-2.5/src/polcaps.c +++ libsepol-2.5/src/polcaps.c -@@ -10,6 +10,8 @@ static const char *polcap_names[] = { +@@ -8,8 +8,10 @@ + static const char *polcap_names[] = { + "network_peer_controls", /* POLICYDB_CAPABILITY_NETPEER */ "open_perms", /* POLICYDB_CAPABILITY_OPENPERM */ - "redhat1", /* POLICYDB_CAPABILITY_REDHAT1, aka ptrace_child */ +- "redhat1", /* POLICYDB_CAPABILITY_REDHAT1, aka ptrace_child */ ++ "extended_socket_class", /* POLICYDB_CAPABILITY_EXTSOCKCLASS */ "always_check_network", /* POLICYDB_CAPABILITY_ALWAYSNETWORK */ + "cgroup_seclabel", /* POLICYDB_CAPABILITY_SECLABEL */ + "nnp_nosuid_transition", /* POLICYDB_CAPABILITY_NNP_NOSUID_TRANSITION */ 
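Review bot: `polcap_names[]` is a positional table that must match the enum in `include/sepol/policydb/polcaps.h` entry for entry, and nothing checks that at compile time; a `_Static_assert` after the table comparing its length against the enum's terminal value (`POLICYDB_CAPABILITY_MAX`, if this tree's header still defines it, counting the `NULL` terminator if the table keeps one) would have flagged the earlier `redhat1` divergence and will catch the next drift, provided the build compiles as C11. Minor wording: the adjacent context comment `/* POLICYDB_CAPABILITY_SECLABEL */` does not match the enum name introduced in `polcaps.h`, which is `POLICYDB_CAPABILITY_CGROUPSECLABEL`.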
@@ -6320,24 +6346,25 @@ index 6a80f94..98fb9c8 100644 * * This library is free software; you can redistribute it and/or * modify it under the terms of the GNU Lesser General Public -@@ -186,6 +187,13 @@ static struct policydb_compat_info policydb_compat[] = { +@@ -185,6 +186,13 @@ static struct policydb_compat_info policydb_compat[] = { + .ocon_num = OCON_NODE6 + 1, .target_platform = SEPOL_TARGET_SELINUX, }, - { ++ { + .type = POLICY_KERN, + .version = POLICYDB_VERSION_INFINIBAND, + .sym_num = SYM_NUM, + .ocon_num = OCON_IBENDPORT + 1, + .target_platform = SEPOL_TARGET_SELINUX, + }, -+ { + { .type = POLICY_BASE, .version = MOD_POLICYDB_VERSION_BASE, - .sym_num = SYM_NUM, -@@ -284,6 +292,20 @@ static struct policydb_compat_info policydb_compat[] = { +@@ -283,6 +291,20 @@ static struct policydb_compat_info policydb_compat[] = { + .ocon_num = OCON_NODE6 + 1, .target_platform = SEPOL_TARGET_SELINUX, }, - { ++ { + .type = POLICY_BASE, + .version = MOD_POLICYDB_VERSION_XPERMS_IOCTL, + .sym_num = SYM_NUM, @@ -6351,10 +6378,9 @@ index 6a80f94..98fb9c8 100644 + .ocon_num = OCON_IBENDPORT + 1, + .target_platform = SEPOL_TARGET_SELINUX, + }, -+ { + { .type = POLICY_MOD, .version = MOD_POLICYDB_VERSION_BASE, - .sym_num = SYM_NUM, @@ -381,6 +403,20 @@ static struct policydb_compat_info policydb_compat[] = { .ocon_num = 0, .target_platform = SEPOL_TARGET_SELINUX, @@ -6520,45 +6546,54 @@ index 6a80f94..98fb9c8 100644 bad: if (avrule) { diff --git libsepol-2.5/src/port_record.c libsepol-2.5/src/port_record.c -index 6a33d93..ed9093b 100644 +index 6a33d93..15fb198 100644 --- libsepol-2.5/src/port_record.c +++ libsepol-2.5/src/port_record.c -@@ -184,6 +184,8 @@ const char *sepol_port_get_proto_str(int proto) +@@ -184,6 +184,10 @@ const char *sepol_port_get_proto_str(int proto) return "udp"; case SEPOL_PROTO_TCP: return "tcp"; + case SEPOL_PROTO_DCCP: + return "dccp"; ++ case SEPOL_PROTO_SCTP: ++ return "sctp"; default: return "???"; } 
diff --git libsepol-2.5/src/ports.c libsepol-2.5/src/ports.c -index 607a629..62ec602 100644 +index 607a629..cc55863 100644 --- libsepol-2.5/src/ports.c +++ libsepol-2.5/src/ports.c -@@ -1,4 +1,7 @@ +@@ -1,4 +1,10 @@ #include +#ifndef IPPROTO_DCCP +#define IPPROTO_DCCP 33 ++#endif ++#ifndef IPPROTO_SCTP ++#define IPPROTO_SCTP 132 +#endif #include #include "debug.h" -@@ -16,6 +19,8 @@ static inline int sepol2ipproto(sepol_handle_t * handle, int proto) +@@ -16,6 +22,10 @@ static inline int sepol2ipproto(sepol_handle_t * handle, int proto) return IPPROTO_TCP; case SEPOL_PROTO_UDP: return IPPROTO_UDP; + case SEPOL_PROTO_DCCP: + return IPPROTO_DCCP; ++ case SEPOL_PROTO_SCTP: ++ return IPPROTO_SCTP; default: ERR(handle, "unsupported protocol %u", proto); return STATUS_ERR; -@@ -30,6 +35,8 @@ static inline int ipproto2sepol(sepol_handle_t * handle, int proto) +@@ -30,6 +40,10 @@ static inline int ipproto2sepol(sepol_handle_t * handle, int proto) return SEPOL_PROTO_TCP; case IPPROTO_UDP: return SEPOL_PROTO_UDP; + case IPPROTO_DCCP: + return SEPOL_PROTO_DCCP; ++ case IPPROTO_SCTP: ++ return SEPOL_PROTO_SCTP; default: ERR(handle, "invalid protocol %u " "found in policy", proto); return STATUS_ERR; @@ -6626,10 +6661,11 @@ index d64a8e8..ea8453b 100644 } /* -@@ -1811,6 +1808,79 @@ int hidden sepol_fs_sid(char *name, +@@ -1810,6 +1807,79 @@ int hidden sepol_fs_sid(char *name, + return rc; } - /* ++/* + * Return the SID of the ibpkey specified by + * `subnet prefix', and `pkey number'. + */ @@ -6702,10 +6738,9 @@ index d64a8e8..ea8453b 100644 +} + + -+/* + /* * Return the SID of the port specified by * `domain', `type', `protocol', and `port'. - */ diff --git libsepol-2.5/src/write.c libsepol-2.5/src/write.c index d87ea61..620baa9 100644 --- libsepol-2.5/src/write.c diff --git a/SPECS/libsepol.spec b/SPECS/libsepol.spec index b3ab8bf5..cf12bc73 100644 --- a/SPECS/libsepol.spec +++ b/SPECS/libsepol.spec 
@@ -1,11 +1,11 @@ Summary: SELinux binary policy manipulation library Name: libsepol Version: 2.5 -Release: 8.1%{?dist} +Release: 10%{?dist} License: LGPLv2+ Group: System Environment/Libraries Source: https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20160223/libsepol-2.5.tar.gz -# HEAD f4aca6b867715e9f93537d116e6ff2268c3f3394 +# HEAD bfaa258580f74440ca92d68828ac31f58656f5ef Patch1: libsepol-rhel.patch URL: https://github.com/SELinuxProject/selinux/wiki BuildRequires: flex @@ -104,6 +104,12 @@ exit 0 %{_libdir}/libsepol.so.1 %changelog +* Wed Jul 25 2018 Vit Mojzis - 2.5-10 +- Add support for the SCTP portcon keyword (rhbz#1603571) + +* Mon Apr 30 2018 Vit Mojzis - 2.5-9 +- Define extended_socket_class policy capability (rhbz#1564775) + * Thu Oct 12 2017 Vit Mojzis - 2.5-8.1 - Define nnp_nosuid_transition policy capability (rhbz#1480519) - use IN6ADDR_ANY_INIT to initialize IPv6 addresses