checkpolicy update package

Signed-off-by: basebuilder_pel7ppc64bebuilder0 <basebuilder@powerel.org>
2018-05-16 12:53:42 +02:00 · 2018-05-16 12:53:42 +02:00 · fa447a4be2
parent 13f14cac7b
commit fa447a4be2
2 changed files with 1444 additions and 0 deletions
--- a/SOURCES/checkpolicy-rhel.patch
+++ b/SOURCES/checkpolicy-rhel.patch
@ -0,0 +1,608 @@
+diff --git checkpolicy-2.5/Android.mk checkpolicy-2.5/Android.mk
+index 98f5168..3b7ff8a 100644
+--- checkpolicy-2.5/Android.mk
+++ checkpolicy-2.5/Android.mk
+@@ -12,10 +12,6 @@ common_cflags := \
+ 	-Wall -Wshadow -O2 \
+ 	-pipe -fno-strict-aliasing \
+ 
+-ifeq ($(HOST_OS),darwin)
+-common_cflags += -DDARWIN
+-endif
+-
+ common_includes := \
+ 	$(LOCAL_PATH)/ \
+ 	$(LOCAL_PATH)/../libsepol/include/ \
+diff --git checkpolicy-2.5/ChangeLog checkpolicy-2.5/ChangeLog
+index dfe4908..f2216ec 100644
+--- checkpolicy-2.5/ChangeLog
+++ checkpolicy-2.5/ChangeLog
+@@ -1,3 +1,11 @@
+	* Extend checkpolicy pathname matching, from Stephen Smalley.
+	* Fix typos in test/dispol, from Petr Lautrbach.
+	* Set flex as default lexer, from Julien Pivotto.
+	* Fix checkmodule output message, from Petr Lautrbach.
+	* Build policy on systems not supporting DCCP protocol, from Richard Haines.
+	* Fail if module name different than output base filename, from James Carter
+	* Add support for portcon dccp protocol, from Richard Haines
+
+ 2.5 2016-02-23
+ 	* Add neverallow support for ioctl extended permissions, from Jeff Vander Stoep.
+ 	* fix double free on name-based type transitions, from Stephen Smalley.
+diff --git checkpolicy-2.5/Makefile checkpolicy-2.5/Makefile
+index e5fae3d..53a3074 100644
+--- checkpolicy-2.5/Makefile
+++ checkpolicy-2.5/Makefile
+@@ -8,6 +8,7 @@ LIBDIR ?= $(PREFIX)/lib
+ INCLUDEDIR ?= $(PREFIX)/include
+ TARGETS = checkpolicy checkmodule
+ 
+LEX = flex
+ YACC = bison -y
+ 
+ CFLAGS ?= -g -Wall -Werror -Wshadow -O2 -pipe -fno-strict-aliasing
+diff --git checkpolicy-2.5/checkmodule.c checkpolicy-2.5/checkmodule.c
+index 5957d29..53cc5a0 100644
+--- checkpolicy-2.5/checkmodule.c
+++ checkpolicy-2.5/checkmodule.c
+@@ -19,6 +19,7 @@
+ #include <stdio.h>
+ #include <errno.h>
+ #include <sys/mman.h>
+#include <libgen.h>
+ 
+ #include <sepol/module_to_cil.h>
+ #include <sepol/policydb/policydb.h>
+@@ -258,6 +259,25 @@ int main(int argc, char **argv)
+ 		}
+ 	}
+ 
+	if (policy_type != POLICY_BASE && outfile) {
+		char *mod_name = modpolicydb.name;
+		char *out_path = strdup(outfile);
+		if (out_path == NULL) {
+			fprintf(stderr, "%s:  out of memory\n", argv[0]);
+			exit(1);
+		}
+		char *out_name = basename(out_path);
+		char *separator = strrchr(out_name, '.');
+		if (separator) {
+			*separator = '\0';
+		}
+		if (strcmp(mod_name, out_name) != 0) {
+			fprintf(stderr,	"%s:  Module name %s is different than the output base filename %s\n", argv[0], mod_name, out_name);
+			exit(1);
+		}
+		free(out_path);
+	}
+
+ 	if (modpolicydb.policy_type == POLICY_BASE && !cil) {
+ 		/* Verify that we can successfully expand the base module. */
+ 		policydb_t kernpolicydb;
+@@ -294,7 +314,7 @@ int main(int argc, char **argv)
+ 
+ 		if (!cil) {
+ 			printf("%s:  writing binary representation (version %d) to %s\n",
+-				   argv[0], policyvers, file);
+				   argv[0], policyvers, outfile);
+ 
+ 			if (write_binary_policy(&modpolicydb, outfp) != 0) {
+ 				fprintf(stderr, "%s:  error writing %s\n", argv[0], outfile);
+diff --git checkpolicy-2.5/checkpolicy.c checkpolicy-2.5/checkpolicy.c
+index 9da661e..5bc0c56 100644
+--- checkpolicy-2.5/checkpolicy.c
+++ checkpolicy-2.5/checkpolicy.c
+@@ -22,6 +22,7 @@
+  *
+  *	Policy Module support.
+  *
+ * Copyright (C) 2017 Mellanox Technologies Inc.
+  * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
+  * Copyright (C) 2003 - 2005 Tresys Technology, LLC
+  * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
+@@ -64,13 +65,16 @@
+ #include <sys/stat.h>
+ #include <sys/socket.h>
+ #include <netinet/in.h>
+#ifndef IPPROTO_DCCP
+#define IPPROTO_DCCP 33
+#endif
+ #include <arpa/inet.h>
+ #include <fcntl.h>
+ #include <stdio.h>
+ #include <errno.h>
+ #include <sys/mman.h>
+ 
+-#ifdef DARWIN
+#ifdef __APPLE__
+ #include <ctype.h>
+ #endif
+ 
+@@ -679,6 +683,8 @@ int main(int argc, char **argv)
+ 	printf("h)  change a boolean value\n");
+ 	printf("i)  display constraint expressions\n");
+ 	printf("j)  display validatetrans expressions\n");
+	printf("k)  Call ibpkey_sid\n");
+	printf("l)  Call ibendport_sid\n");
+ #ifdef EQUIVTYPES
+ 	printf("z)  Show equivalent types\n");
+ #endif
+@@ -919,6 +925,8 @@ int main(int argc, char **argv)
+ 				protocol = IPPROTO_TCP;
+ 			else if (!strcmp(ans, "udp") || !strcmp(ans, "UDP"))
+ 				protocol = IPPROTO_UDP;
+			else if (!strcmp(ans, "dccp") || !strcmp(ans, "DCCP"))
+				protocol = IPPROTO_DCCP;
+ 			else {
+ 				printf("unknown protocol\n");
+ 				break;
+@@ -1198,6 +1206,50 @@ int main(int argc, char **argv)
+ 				    "\nNo validatetrans expressions found.\n");
+ 			}
+ 			break;
+		case 'k':
+			{
+				char *p;
+				struct in6_addr addr6;
+				uint64_t subnet_prefix;
+				unsigned int pkey;
+
+				printf("subnet prefix?  ");
+				FGETS(ans, sizeof(ans), stdin);
+				ans[strlen(ans) - 1] = 0;
+				p = (char *)&addr6;
+
+				if (inet_pton(AF_INET6, ans, p) < 1) {
+					printf("error parsing subnet prefix\n");
+					break;
+				}
+
+				memcpy(&subnet_prefix, p, sizeof(subnet_prefix));
+				printf("pkey? ");
+				FGETS(ans, sizeof(ans), stdin);
+				pkey = atoi(ans);
+				sepol_ibpkey_sid(subnet_prefix, pkey, &ssid);
+				printf("sid %d\n", ssid);
+			}
+			break;
+		case 'l':
+			printf("device name (eg. mlx4_0)?  ");
+			FGETS(ans, sizeof(ans), stdin);
+			ans[strlen(ans) - 1] = 0;
+
+			name = malloc((strlen(ans) + 1) * sizeof(char));
+			if (!name) {
+				fprintf(stderr, "couldn't malloc string.\n");
+				break;
+			}
+			strcpy(name, ans);
+
+			printf("port? ");
+			FGETS(ans, sizeof(ans), stdin);
+			port = atoi(ans);
+			sepol_ibendport_sid(name, port, &ssid);
+			printf("sid %d\n", ssid);
+			free(name);
+			break;
+ #ifdef EQUIVTYPES
+ 		case 'z':
+ 			identify_equiv_types();
+diff --git checkpolicy-2.5/policy_define.c checkpolicy-2.5/policy_define.c
+index ee20fea..f65958c 100644
+--- checkpolicy-2.5/policy_define.c
+++ checkpolicy-2.5/policy_define.c
+@@ -20,6 +20,7 @@
+  * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
+  * Copyright (C) 2003 - 2008 Tresys Technology, LLC
+  * Copyright (C) 2007 Red Hat Inc.
+ * Copyright (C) 2017 Mellanox Techonologies Inc.
+  *	This program is free software; you can redistribute it and/or modify
+  *  	it under the terms of the GNU General Public License as published by
+  *	the Free Software Foundation, version 2.
+@@ -36,6 +37,9 @@
+ #include <string.h>
+ #include <sys/socket.h>
+ #include <netinet/in.h>
+#ifndef IPPROTO_DCCP
+#define IPPROTO_DCCP 33
+#endif
+ #include <arpa/inet.h>
+ #include <stdlib.h>
+ #include <limits.h>
+@@ -4876,6 +4880,8 @@ int define_port_context(unsigned int low, unsigned int high)
+ 		protocol = IPPROTO_TCP;
+ 	} else if ((strcmp(id, "udp") == 0) || (strcmp(id, "UDP") == 0)) {
+ 		protocol = IPPROTO_UDP;
+	} else if ((strcmp(id, "dccp") == 0) || (strcmp(id, "DCCP") == 0)) {
+		protocol = IPPROTO_DCCP;
+ 	} else {
+ 		yyerror2("unrecognized protocol %s", id);
+ 		free(newc);
+@@ -4931,6 +4937,192 @@ int define_port_context(unsigned int low, unsigned int high)
+ 	return -1;
+ }
+ 
+int define_ibpkey_context(unsigned int low, unsigned int high)
+{
+	ocontext_t *newc, *c, *l, *head;
+	struct in6_addr subnet_prefix;
+	char *id;
+	int rc = 0;
+
+	if (policydbp->target_platform != SEPOL_TARGET_SELINUX) {
+		yyerror("ibpkeycon not supported for target");
+		return -1;
+	}
+
+	if (pass == 1) {
+		id = (char *)queue_remove(id_queue);
+		free(id);
+		parse_security_context(NULL);
+		return 0;
+	}
+
+	newc = malloc(sizeof(*newc));
+	if (!newc) {
+		yyerror("out of memory");
+		return -1;
+	}
+	memset(newc, 0, sizeof(*newc));
+
+	id = queue_remove(id_queue);
+	if (!id) {
+		yyerror("failed to read the subnet prefix");
+		rc = -1;
+		goto out;
+	}
+
+	rc = inet_pton(AF_INET6, id, &subnet_prefix);
+	free(id);
+	if (rc < 1) {
+		yyerror("failed to parse the subnet prefix");
+		if (rc == 0)
+			rc = -1;
+		goto out;
+	}
+
+	if (subnet_prefix.s6_addr[2] || subnet_prefix.s6_addr[3]) {
+		yyerror("subnet prefix should be 0's in the low order 64 bits.");
+		rc = -1;
+		goto out;
+	}
+
+	if (low > 0xffff || high > 0xffff) {
+		yyerror("pkey value too large, pkeys are 16 bits.");
+		rc = -1;
+		goto out;
+	}
+
+	memcpy(&newc->u.ibpkey.subnet_prefix, &subnet_prefix.s6_addr[0],
+	       sizeof(newc->u.ibpkey.subnet_prefix));
+
+	newc->u.ibpkey.low_pkey = low;
+	newc->u.ibpkey.high_pkey = high;
+
+	if (low > high) {
+		yyerror2("low pkey %d exceeds high pkey %d", low, high);
+		rc = -1;
+		goto out;
+	}
+
+	rc = parse_security_context(&newc->context[0]);
+	if (rc)
+		goto out;
+
+	/* Preserve the matching order specified in the configuration. */
+	head = policydbp->ocontexts[OCON_IBPKEY];
+	for (l = NULL, c = head; c; l = c, c = c->next) {
+		unsigned int low2, high2;
+
+		low2 = c->u.ibpkey.low_pkey;
+		high2 = c->u.ibpkey.high_pkey;
+
+		if (low == low2 && high == high2 &&
+		    c->u.ibpkey.subnet_prefix == newc->u.ibpkey.subnet_prefix) {
+			yyerror2("duplicate ibpkeycon entry for %d-%d ",
+				 low, high);
+			rc = -1;
+			goto out;
+		}
+		if (low2 <= low && high2 >= high &&
+		    c->u.ibpkey.subnet_prefix == newc->u.ibpkey.subnet_prefix) {
+			yyerror2("ibpkeycon entry for %d-%d hidden by earlier entry for %d-%d",
+				 low, high, low2, high2);
+			rc = -1;
+			goto out;
+		}
+	}
+
+	if (l)
+		l->next = newc;
+	else
+		policydbp->ocontexts[OCON_IBPKEY] = newc;
+
+	return 0;
+
+out:
+	free(newc);
+	return rc;
+}
+
+int define_ibendport_context(unsigned int port)
+{
+	ocontext_t *newc, *c, *l, *head;
+	char *id;
+	int rc = 0;
+
+	if (policydbp->target_platform != SEPOL_TARGET_SELINUX) {
+		yyerror("ibendportcon not supported for target");
+		return -1;
+	}
+
+	if (pass == 1) {
+		id = (char *)queue_remove(id_queue);
+		free(id);
+		parse_security_context(NULL);
+		return 0;
+	}
+
+	if (port > 0xff || port == 0) {
+		yyerror("Invalid ibendport port number, should be 0 < port < 256");
+		return -1;
+	}
+
+	newc = malloc(sizeof(*newc));
+	if (!newc) {
+		yyerror("out of memory");
+		return -1;
+	}
+	memset(newc, 0, sizeof(*newc));
+
+	newc->u.ibendport.dev_name = queue_remove(id_queue);
+	if (!newc->u.ibendport.dev_name) {
+		yyerror("failed to read infiniband device name.");
+		rc = -1;
+		goto out;
+	}
+
+	if (strlen(newc->u.ibendport.dev_name) > IB_DEVICE_NAME_MAX - 1) {
+		yyerror("infiniband device name exceeds max length of 63.");
+		rc = -1;
+		goto out;
+	}
+
+	newc->u.ibendport.port = port;
+
+	if (parse_security_context(&newc->context[0])) {
+		free(newc);
+		return -1;
+	}
+
+	/* Preserve the matching order specified in the configuration. */
+	head = policydbp->ocontexts[OCON_IBENDPORT];
+	for (l = NULL, c = head; c; l = c, c = c->next) {
+		unsigned int port2;
+
+		port2 = c->u.ibendport.port;
+
+		if (port == port2 &&
+		    !strcmp(c->u.ibendport.dev_name,
+			     newc->u.ibendport.dev_name)) {
+			yyerror2("duplicate ibendportcon entry for %s port %u",
+				 newc->u.ibendport.dev_name, port);
+			rc = -1;
+			goto out;
+		}
+	}
+
+	if (l)
+		l->next = newc;
+	else
+		policydbp->ocontexts[OCON_IBENDPORT] = newc;
+
+	return 0;
+
+out:
+	free(newc->u.ibendport.dev_name);
+	free(newc);
+	return rc;
+}
+
+ int define_netif_context(void)
+ {
+ 	ocontext_t *newc, *c, *head;
+@@ -5135,7 +5327,7 @@ int define_ipv6_node_context(void)
+ 
+ 	memset(newc, 0, sizeof(ocontext_t));
+ 
+-#ifdef DARWIN
+#ifdef __APPLE__
+ 	memcpy(&newc->u.node6.addr[0], &addr.s6_addr[0], 16);
+ 	memcpy(&newc->u.node6.mask[0], &mask.s6_addr[0], 16);
+ #else
+diff --git checkpolicy-2.5/policy_define.h checkpolicy-2.5/policy_define.h
+index 964baae..3282aed 100644
+--- checkpolicy-2.5/policy_define.h
+++ checkpolicy-2.5/policy_define.h
+@@ -43,6 +43,8 @@ int define_level(void);
+ int define_netif_context(void);
+ int define_permissive(void);
+ int define_polcap(void);
+int define_ibpkey_context(unsigned int low, unsigned int high);
+int define_ibendport_context(unsigned int port);
+ int define_port_context(unsigned int low, unsigned int high);
+ int define_pirq_context(unsigned int pirq);
+ int define_iomem_context(uint64_t low, uint64_t high);
+diff --git checkpolicy-2.5/policy_parse.y checkpolicy-2.5/policy_parse.y
+index 3b6a2f8..35b7a33 100644
+--- checkpolicy-2.5/policy_parse.y
+++ checkpolicy-2.5/policy_parse.y
+@@ -21,6 +21,7 @@
+  * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
+  * Copyright (C) 2003 - 2008 Tresys Technology, LLC
+  * Copyright (C) 2007 Red Hat Inc.
+ * Copyright (C) 2017 Mellanox Technologies Inc.
+  *	This program is free software; you can redistribute it and/or modify
+  *  	it under the terms of the GNU General Public License as published by
+  *	the Free Software Foundation, version 2.
+@@ -134,6 +135,8 @@ typedef int (* require_func_t)(int pass);
+ %token TARGET
+ %token SAMEUSER
+ %token FSCON PORTCON NETIFCON NODECON 
+%token IBPKEYCON
+%token IBENDPORTCON
+ %token PIRQCON IOMEMCON IOPORTCON PCIDEVICECON DEVICETREECON
+ %token FSUSEXATTR FSUSETASK FSUSETRANS
+ %token GENFSCON
+@@ -169,7 +172,7 @@ base_policy             : { if (define_policy(pass, 0) == -1) return -1; }
+ 			  opt_default_rules opt_mls te_rbac users opt_constraints 
+                          { if (pass == 1) { if (policydb_index_bools(policydbp)) return -1;}
+ 			   else if (pass == 2) { if (policydb_index_others(NULL, policydbp, 0)) return -1;}}
+-			  initial_sid_contexts opt_fs_contexts opt_fs_uses opt_genfs_contexts net_contexts opt_dev_contexts
+			  initial_sid_contexts opt_fs_contexts opt_fs_uses opt_genfs_contexts net_contexts opt_dev_contexts opt_ibpkey_contexts opt_ibendport_contexts
+ 			;
+ classes			: class_def 
+ 			| classes class_def
+@@ -695,7 +698,7 @@ fs_contexts		: fs_context_def
+ fs_context_def		: FSCON number number security_context_def security_context_def
+ 			{if (define_fs_context($2,$3)) return -1;}
+ 			;
+-net_contexts		: opt_port_contexts opt_netif_contexts opt_node_contexts 
+net_contexts		: opt_port_contexts opt_netif_contexts opt_node_contexts
+ 			;
+ opt_port_contexts       : port_contexts
+                         |
+@@ -708,6 +711,26 @@ port_context_def	: PORTCON identifier number security_context_def
+ 			| PORTCON identifier number '-' number security_context_def
+ 			{if (define_port_context($3,$5)) return -1;}
+ 			;
+opt_ibpkey_contexts     : ibpkey_contexts
+                        |
+                        ;
+ibpkey_contexts		: ibpkey_context_def
+			| ibpkey_contexts ibpkey_context_def
+			;
+ibpkey_context_def	: IBPKEYCON ipv6_addr number security_context_def
+			{if (define_ibpkey_context($3,$3)) return -1;}
+			| IBPKEYCON ipv6_addr number '-' number security_context_def
+			{if (define_ibpkey_context($3,$5)) return -1;}
+			;
+opt_ibendport_contexts	: ibendport_contexts
+			|
+			;
+ibendport_contexts	: ibendport_context_def
+                        | ibendport_contexts ibendport_context_def
+                        ;
+ibendport_context_def	: IBENDPORTCON identifier number security_context_def
+                        {if (define_ibendport_context($3)) return -1;}
+                        ;
+ opt_netif_contexts      : netif_contexts 
+                         |
+                         ;
+diff --git checkpolicy-2.5/policy_scan.l checkpolicy-2.5/policy_scan.l
+index 22da338..f38dd22 100644
+--- checkpolicy-2.5/policy_scan.l
+++ checkpolicy-2.5/policy_scan.l
+@@ -12,6 +12,7 @@
+  *	Added support for binary policy modules
+  *
+  * Copyright (C) 2003-5 Tresys Technology, LLC
+ * Copyright (C) 2017 Mellanox Technologies Inc.
+  *	This program is free software; you can redistribute it and/or modify
+  *  	it under the terms of the GNU General Public License as published by
+  *	the Free Software Foundation, version 2.
+@@ -181,6 +182,10 @@ INCOMP |
+ incomp				{ return(INCOMP);}
+ fscon |
+ FSCON                           { return(FSCON);}
+ibpkeycon |
+IBPKEYCON			{ return(IBPKEYCON);}
+ibendportcon |
+IBENDPORTCON			{ return(IBENDPORTCON);}
+ portcon |
+ PORTCON				{ return(PORTCON);}
+ netifcon |                     
+@@ -249,9 +254,9 @@ high |
+ HIGH				{ return(HIGH); }
+ low |
+ LOW				{ return(LOW); }
+-"/"({alnum}|[_\.\-/])*	        { return(PATH); }
+-\""/"[ !#-~]*\" 		{ return(QPATH); }
+-\"({alnum}|[_\.\-\+\~\: ])+\"	{ return(FILENAME); }
+"/"[^ \n\r\t\f]*	        { return(PATH); }
+\""/"[^\"\n]*\" 		{ return(QPATH); }
+\"[^"/"\"\n]+\"	{ return(FILENAME); }
+ {letter}({alnum}|[_\-])*([\.]?({alnum}|[_\-]))*	{ return(IDENTIFIER); }
+ {digit}+|0x{hexval}+            { return(NUMBER); }
+ {alnum}*{letter}{alnum}*        { return(FILESYSTEM); }
+diff --git checkpolicy-2.5/test/dismod.c checkpolicy-2.5/test/dismod.c
+index 08b039d..c91ab93 100644
+--- checkpolicy-2.5/test/dismod.c
+++ checkpolicy-2.5/test/dismod.c
+@@ -243,6 +243,13 @@ int display_avrule(avrule_t * avrule, policydb_t * policy,
+ 		}
+ 	} else if (avrule->specified & AVRULE_NEVERALLOW) {
+ 		fprintf(fp, "  neverallow");
+	} else if (avrule->specified & AVRULE_XPERMS) {
+		if (avrule->specified & AVRULE_XPERMS_ALLOWED)
+			fprintf(fp, "allowxperm ");
+		else if (avrule->specified & AVRULE_XPERMS_AUDITALLOW)
+			fprintf(fp, "auditallowxperm ");
+		else if (avrule->specified & AVRULE_XPERMS_DONTAUDIT)
+			fprintf(fp, "dontauditxperm ");
+ 	} else {
+ 		fprintf(fp, "     ERROR: no valid rule type specified\n");
+ 		return -1;
+@@ -282,6 +289,24 @@ int display_avrule(avrule_t * avrule, policydb_t * policy,
+ 				   policy, fp);
+ 	} else if (avrule->specified & AVRULE_TYPE) {
+ 		display_id(policy, fp, SYM_TYPES, avrule->perms->data - 1, "");
+	} else if (avrule->specified & AVRULE_XPERMS) {
+		avtab_extended_perms_t xperms;
+		int i;
+
+		if (avrule->xperms->specified == AVRULE_XPERMS_IOCTLFUNCTION)
+			xperms.specified = AVTAB_XPERMS_IOCTLFUNCTION;
+		else if (avrule->xperms->specified == AVRULE_XPERMS_IOCTLDRIVER)
+			xperms.specified = AVTAB_XPERMS_IOCTLDRIVER;
+		else {
+			fprintf(fp, "     ERROR: no valid xperms specified\n");
+			return -1;
+		}
+
+		xperms.driver = avrule->xperms->driver;
+		for (i = 0; i < EXTENDED_PERMS_LEN; i++)
+			xperms.perms[i] = avrule->xperms->perms[i];
+
+		fprintf(fp, "%s", sepol_extended_perms_to_string(&xperms));
+ 	}
+ 
+ 	fprintf(fp, ";\n");
+diff --git checkpolicy-2.5/test/dispol.c checkpolicy-2.5/test/dispol.c
+index 86f5688..a78ce81 100644
+--- checkpolicy-2.5/test/dispol.c
+++ checkpolicy-2.5/test/dispol.c
+@@ -252,11 +252,11 @@ int display_cond_expressions(policydb_t * p, FILE * fp)
+ int display_handle_unknown(policydb_t * p, FILE * out_fp)
+ {
+ 	if (p->handle_unknown == ALLOW_UNKNOWN)
+-		fprintf(out_fp, "Allow unknown classes and permisions\n");
+		fprintf(out_fp, "Allow unknown classes and permissions\n");
+ 	else if (p->handle_unknown == DENY_UNKNOWN)
+-		fprintf(out_fp, "Deny unknown classes and permisions\n");
+		fprintf(out_fp, "Deny unknown classes and permissions\n");
+ 	else if (p->handle_unknown == REJECT_UNKNOWN)
+-		fprintf(out_fp, "Reject unknown classes and permisions\n");
+		fprintf(out_fp, "Reject unknown classes and permissions\n");
+ 	return 0;
+ }
+ 
+@@ -349,7 +349,7 @@ int menu(void)
+ 	printf("\nSelect a command:\n");
+ 	printf("1)  display unconditional AVTAB\n");
+ 	printf("2)  display conditional AVTAB (entirely)\n");
+-	printf("3)  display conditional AVTAG (only ENABLED rules)\n");
+	printf("3)  display conditional AVTAB (only ENABLED rules)\n");
+ 	printf("4)  display conditional AVTAB (only DISABLED rules)\n");
+ 	printf("5)  display conditional bools\n");
+ 	printf("6)  display conditional expressions\n");
--- a/SPECS/checkpolicy.spec
+++ b/SPECS/checkpolicy.spec
@ -0,0 +1,836 @@
+%define libselinuxver 2.5-12
+%define libsepolver 2.5-8
+Summary: SELinux policy compiler
+Name: checkpolicy
+Version: 2.5
+Release: 6%{?dist}
+License: GPLv2
+Group: Development/System
+Source: https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20160223/checkpolicy-2.5.tar.gz
+# HEAD f4e2ab4e29496130bc89dddf8096e9367b25665b
+Patch1: checkpolicy-rhel.patch
+
+BuildRoot: %{_tmppath}/%{name}-buildroot
+BuildRequires: byacc bison flex flex-static libsepol-static >= %{libsepolver} libselinux-devel  >= %{libselinuxver} 
+
+%description
+Security-enhanced Linux is a feature of the Linux® kernel and a number
+of utilities with enhanced security functionality designed to add
+mandatory access controls to Linux.  The Security-enhanced Linux
+kernel contains new architectural components originally developed to
+improve the security of the Flask operating system. These
+architectural components provide general support for the enforcement
+of many kinds of mandatory access control policies, including those
+based on the concepts of Type Enforcement®, Role-based Access
+Control, and Multi-level Security.
+
+This package contains checkpolicy, the SELinux policy compiler.  
+Only required for building policies. 
+
+%prep
+%setup -q -n checkpolicy-2.5
+%patch1 -p1 -b .rhel
+
+%build
+make clean
+make LIBDIR="%{_libdir}" CFLAGS="%{optflags}" 
+cd test
+make LIBDIR="%{_libdir}" CFLAGS="%{optflags}" 
+
+%install
+rm -rf ${RPM_BUILD_ROOT}
+mkdir -p ${RPM_BUILD_ROOT}%{_bindir}
+make LIBDIR="%{_libdir}" DESTDIR="${RPM_BUILD_ROOT}" install
+install test/dismod ${RPM_BUILD_ROOT}%{_bindir}/sedismod
+install test/dispol ${RPM_BUILD_ROOT}%{_bindir}/sedispol
+
+%clean
+rm -rf ${RPM_BUILD_ROOT}
+
+%files
+%defattr(-,root,root)
+%{!?_licensedir:%global license %%doc}
+%license COPYING
+%{_bindir}/checkpolicy
+%{_bindir}/checkmodule
+%{_mandir}/man8/checkpolicy.8.gz
+%{_mandir}/man8/checkmodule.8.gz
+%{_bindir}/sedismod
+%{_bindir}/sedispol
+
+%changelog
+* Thu Oct 19 2017 Vit Mojzis <vmojzis@redhat.com> - 2.5-6
+- Add ibendport ocontext handling
+- Add support for ibendportcon labels
+- Add ibpkey ocontext handling
+- Add support for ibpkeycon labels
+- Add binary module support for xperms
+
+* Mon Sep 25 2017 Vit Mojzis <vmojzis@redhat.com> - 2.5-5
+- Rebuild to incorporate cgroup_seclabel capability introduced in libsepol (rhbz#1494179)
+
+* Thu Aug 11 2016 Petr Lautrbach <plautrba@redhat.com> 2.5-4
+- Extend checkpolicy pathname matching
+
+* Mon Jun 27 2016 Petr Lautrbach <plautrba@redhat.com> - 2.5-3
+- Fix typos in test/dispol
+- Set flex as default lexer
+- Fix checkmodule output message
+- Build policy on systems not supporting DCCP protocol
+- Fail if module name different than output base filename
+
+* Mon Apr 11 2016 Petr Lautrbach <plautrba@redhat.com> - 2.5-2
+- Add support for portcon dccp protocol
+
+* Tue Feb 23 2016 Petr Lautrbach <plautrba@redhat.com> 2.5-1
+- Update to upstream release 2016-02-23
+
+* Fri Jan 24 2014 Daniel Mach <dmach@redhat.com> - 2.1.12-6
+- Mass rebuild 2014-01-24
+
+* Fri Dec 27 2013 Daniel Mach <dmach@redhat.com> - 2.1.12-5
+- Mass rebuild 2013-12-27
+
+* Tue Jul 16 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.12-4
+- Fix a segmentation fault if the --handle-unknown option was set without
+arguments.
+- Thanks to Alexandre Rebert and his team at Carnegie Mellon University
+for detecting this crash.
+
+* Tue Mar 19 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.12-3
+- ":" should be allowed for file trans names
+
+* Tue Mar 12 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.12-2
+- Space should be allowed for file trans names
+
+* Thu Feb 7 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.12-1
+- Update to upstream 
+        * Fix errors found by coverity
+        * implement default type policy syntax
+        * Free allocated memory when clean up / exit.
+
+* Sat Jan 5 2013 Dan Walsh <dwalsh@redhat.com> -  2.1.11-3
+- Update to latest patches from eparis/Upstream
+-   checkpolicy: libsepol: implement default type policy syntax
+-   
+-   We currently have a mechanism in which the default user, role, and range
+-   can be picked up from the source or the target object.  This implements
+-   the same thing for types.  The kernel will override this with type
+-   transition rules and similar.  This is just the default if nothing
+-   specific is given.
+    
+
+* Wed Sep 19 2012 Dan Walsh <dwalsh@redhat.com> - 2.1.11-2
+- Rebuild with fixed libsepol
+
+* Thu Sep 13 2012 Dan Walsh <dwalsh@redhat.com> - 2.1.11-1
+- Update to upstream 
+	* fd leak reading policy
+	* check return code on ebitmap_set_bit
+
+* Mon Jul 30 2012 Dan Walsh <dwalsh@redhat.com> - 2.1.10-4
+- Rebuild to grab latest libsepol
+
+* Tue Jul 24 2012 Dan Walsh <dwalsh@redhat.com> - 2.1.10-3
+- Rebuild to grab latest libsepol
+
+* Wed Jul 18 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.1.10-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
+
+* Wed Jul 4 2012 Dan Walsh <dwalsh@redhat.com> - 2.1.10-1
+- Update to upstream 
+	* sepolgen: We need to support files that have a + in them
+	* Android/MacOS X build support
+
+* Mon Apr 23 2012 Dan Walsh <dwalsh@redhat.com> - 2.1.9-4
+- Rebuild to get latest libsepol which fixes the file_name transition problems
+
+* Tue Apr 17 2012 Dan Walsh <dwalsh@redhat.com> - 2.1.9-3
+- Recompile with libsepol that has support for ptrace_child
+
+* Tue Apr 3 2012 Dan Walsh <dwalsh@redhat.com> - 2.1.9-2
+- Allow checkpolicy to use + in a file name
+
+* Thu Mar 29 2012 Dan Walsh <dwalsh@redhat.com> - 2.1.9-1
+- Update to upstream 
+	* implement new default labeling behaviors for usr, role, range
+	* Fix dead links to www.nsa.gov/selinux
+
+* Mon Jan 16 2012 Dan Walsh <dwalsh@redhat.com> - 2.1.8-3
+- Fix man page to link to www.nsa.giv/research/selinux
+
+* Thu Jan 12 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.1.8-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
+
+* Wed Dec 21 2011 Dan Walsh <dwalsh@redhat.com> - 2.1.8-1
+-Update to upstream
+	* add ignoredirs config for genhomedircon
+	* Fallback_user_level can be NULL if you are not using MLS
+
+* Wed Dec 21 2011 Dan Walsh <dwalsh@redhat.com> - 2.1.7-3
+- default_rules should be optional
+
+* Thu Dec 15 2011 Dan Walsh <dwalsh@redhat.com> - 2.1.7-2
+- Rebuild with latest libsepol
+
+* Tue Dec 6 2011 Dan Walsh <dwalsh@redhat.com> - 2.1.7-1
+- Upgrade to upstream
+	* dis* fixed signed vs unsigned errors
+	* dismod: fix unused parameter errors
+	* test: Makefile: include -W and -Werror
+	* allow ~ in filename transition rules
+- Allow policy to specify the source of target for generating the default user,role 
+- or mls label for a new target.
+
+* Mon Nov 14 2011 Dan Walsh <dwalsh@redhat.com> - 2.1.6-2
+- Allow ~ in a filename 
+
+* Fri Nov 4 2011 Dan Walsh <dwalsh@redhat.com> - 2.1.6-1
+- Upgrade to upstream
+	* Revert "checkpolicy: Redo filename/filesystem syntax to support filename trans rules"
+	* drop libsepol dynamic link in checkpolicy
+
+* Tue Sep 20 2011 Dan Walsh <dwalsh@redhat.com> - 2.1.5-2
+- Fix checkpolicy to ignore '"' in filename trans rules
+
+* Mon Sep 19 2011 Dan Walsh <dwalsh@redhat.com> - 2.1.5-1
+-Update to upstream
+	* Separate tunable from boolean during compile.
+
+* Tue Aug 30 2011 Dan Walsh <dwalsh@redhat.com> - 2.1.4-0
+-Update to upstream
+	* checkpolicy: fix spacing in output message
+
+* Thu Aug 18 2011 Dan Walsh <dwalsh@redhat.com> - 2.1.3-0
+	* add missing ; to attribute_role_def
+	*Redo filename/filesystem syntax to support filename trans
+
+* Wed Aug 3 2011 Dan Walsh <dwalsh@redhat.com> - 2.1.2-0
+-Update to upstream
+	* .gitignore changes
+	* dispol output of role trans
+	* man page update: build a module with an older policy version
+
+* Thu Jul 28 2011 Dan Walsh <dwalsh@redhat.com> - 2.1.1-0
+-Update to upstream
+	* Minor updates to filename trans rule output in dis{mod,pol}
+
+* Thu Jul 28 2011 Dan Walsh <dwalsh@redhat.com> - 2.1.0-1
+-Update to upstream
+
+* Mon May 23 2011 Dan Walsh <dwalsh@redhat.com> - 2.0.26-1
+-Update to upstream
+	* Wrap file names in filename transitions with quotes by Steve Lawrence.
+	* Allow filesystem names to start with a digit by James Carter.
+	* Add support for using the last path compnent in type transitions by Eric
+
+* Thu Apr 21 2011 Dan Walsh <dwalsh@redhat.com> - 2.0.24-2
+* Fixes for new role_transition class field by Eric Paris.
+
+* Fri Apr 15 2011 Dan Walsh <dwalsh@redhat.com> - 2.0.24-2
+- Add "-" as a file type
+
+* Tue Apr 12 2011 Dan Walsh <dwalsh@redhat.com> - 2.0.24-1
+-Update to upstream
+	* Add new class field in role_transition by Harry Ciao.
+
+* Mon Apr 11 2011 Dan Walsh <dwalsh@redhat.com> - 2.0.23-5
+- Fix type_transition to allow all files
+
+* Tue Mar 29 2011 Dan Walsh <dwalsh@redhat.com> - 2.0.23-4
+- Patches from Eric Paris 
+We just use random numbers to make menu selections.  Use #defines and
+names that make some sense instead.
+
+This patch adds support for using the last path component as part of the
+information in making labeling decisions for new objects.  A example
+rule looks like so:
+
+type_transition unconfined_t etc_t:file system_conf_t eric;
+
+This rule says if unconfined_t creates a file in a directory labeled
+etc_t and the last path component is "eric" (no globbing, no matching
+magic, just exact strcmp) it should be labeled system_conf_t.
+
+The kernel and policy representation does not have support for such
+rules in conditionals, and thus policy explicitly notes that fact if
+such a rule is added to a conditional.
+
+
+* Tue Feb 08 2011 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.0.23-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
+
+* Wed Jan 12 2011 Dan Walsh <dwalsh@redhat.com> - 2.0.23-2
+- Add James Carters Patch
+  *This patch is needed because some filesystem names (such as 9p) start
+  with a digit.
+
+* Tue Dec 21 2010 Dan Walsh <dwalsh@redhat.com> - 2.0.23-1
+- Latest update from NSA
+  * Remove unused variables to fix compliation under GCC 4.6 by Justin Mattock
+
+* Wed Dec 8 2010 Dan Walsh <dwalsh@redhat.com> - 2.0.22-2
+- Rebuild to make sure it will build in Fedora 
+
+* Wed Jun 16 2010 Dan Walsh <dwalsh@redhat.com> - 2.0.22-1
+- Latest update from NSA
+	* Update checkmodule man page and usage by Daniel Walsh and Steve Lawrence
+- Allow policy version to be one number
+
+* Mon May 3 2010 Dan Walsh <dwalsh@redhat.com> - 2.0.21-2
+- Fix checkmodule man page and usage statements
+
+* Sun Nov 1 2009 Dan Walsh <dwalsh@redhat.com> - 2.0.21-1
+- Latest update from NSA
+	* Add support for building Xen policies from Paul Nuzzi.
+	* Add long options to checkpolicy and checkmodule by Guido
+	  Trentalancia <guido@trentalancia.com>
+
+* Fri Jul 24 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.0.19-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
+
+* Mon Feb 23 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.0.19-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild
+
+* Wed Feb 18 2009 Dan Walsh <dwalsh@redhat.com> - 2.0.19-1
+- Latest update from NSA
+	* Fix alias field in module format, caused by boundary format change
+	  from Caleb Case.
+
+* Fri Jan 30 2009 Dan Walsh <dwalsh@redhat.com> - 2.0.18-1
+- Latest update from NSA
+	* Properly escape regex symbols in the lexer from Stephen Smalley.
+	* Add bounds support from KaiGai Kohei.
+
+* Tue Oct 28 2008 Dan Walsh <dwalsh@redhat.com> - 2.0.16-4
+
+* Mon Jul 7 2008 Dan Walsh <dwalsh@redhat.com> - 2.0.16-3
+- Rebuild with new libsepol
+
+* Wed May 28 2008 Tom "spot" Callaway <tcallawa@redhat.com> 2.0.16-2
+- fix license tag
+
+* Wed May 28 2008 Dan Walsh <dwalsh@redhat.com> - 2.0.16-1
+- Latest update from NSA
+	* Update checkpolicy for user and role mapping support from Joshua Brindle.
+
+* Fri May 2 2008 Dan Walsh <dwalsh@redhat.com> - 2.0.15-1
+- Latest update from NSA
+	* Fix for policy module versions that look like IPv4 addresses from Jim Carter.
+	  Resolves bug 444451.
+
+* Fri May 2 2008 Dan Walsh <dwalsh@redhat.com> - 2.0.14-2
+- Allow modules with 4 sections or more
+
+* Thu Mar 27 2008 Dan Walsh <dwalsh@redhat.com> - 2.0.14-1
+- Latest update from NSA
+	* Add permissive domain support from Eric Paris.
+
+* Thu Mar 13 2008 Dan Walsh <dwalsh@redhat.com> - 2.0.13-1
+- Latest update from NSA
+	* Split out non-grammar parts of policy_parse.yacc into
+	  policy_define.c and policy_define.h from Todd C. Miller.
+	* Initialize struct policy_file before using it, from Todd C. Miller.
+	* Remove unused define, move variable out of .y file, simplify COND_ERR, from Todd C. Miller.
+
+* Thu Feb 28 2008 Dan Walsh <dwalsh@redhat.com> - 2.0.10-1
+- Latest update from NSA
+	* Use yyerror2() where appropriate from Todd C. Miller.
+- Build against latest libsepol
+
+* Fri Feb 22 2008 Dan Walsh <dwalsh@redhat.com> - 2.0.9-2
+- Start shipping sedismod and sedispol
+
+* Mon Feb 4 2008 Dan Walsh <dwalsh@redhat.com> - 2.0.9-1
+- Latest update from NSA
+	* Update dispol for libsepol avtab changes from Stephen Smalley.
+
+* Fri Jan 25 2008 Dan Walsh <dwalsh@redhat.com> - 2.0.8-1
+- Latest update from NSA
+	* Deprecate role dominance in parser.
+
+* Mon Jan 21 2008 Dan Walsh <dwalsh@redhat.com> - 2.0.7-2
+- Update to use libsepol-static library
+
+* Fri Jan 11 2008 Dan Walsh <dwalsh@redhat.com> - 2.0.7-1
+- Latest update from NSA
+	* Added support for policy capabilities from Todd Miller.
+
+* Thu Nov 15 2007 Dan Walsh <dwalsh@redhat.com> - 2.0.6-1
+- Latest update from NSA
+	* Initialize the source file name from the command line argument so that checkpolicy/checkmodule report something more useful than "unknown source".
+	* Merged remove use of REJECT and trailing context in lex rules; make ipv4 address parsing like ipv6 from James Carter.
+
+* Tue Sep 18 2007 Dan Walsh <dwalsh@redhat.com> - 2.0.4-1
+	* Merged handle unknown policydb flag support from Eric Paris.
+	  Adds new command line options -U {allow, reject, deny} for selecting
+	  the flag when a base module or kernel policy is built.
+
+* Tue Aug 28 2007 Fedora Release Engineering <rel-eng at fedoraproject dot org> - 2.0.3-3
+- Rebuild for selinux ppc32 issue.
+
+* Mon Jun 18 2007 Dan Walsh <dwalsh@redhat.com> - 2.0.3-2
+- Rebuild with the latest libsepol
+
+* Sun Jun 17 2007 Dan Walsh <dwalsh@redhat.com> - 2.0.3-1
+- Latest update from NSA
+	* Merged fix for segfault on duplicate require of sensitivity from Caleb Case.
+	* Merged fix for dead URLs in checkpolicy man pages from Dan Walsh.
+
+* Thu Apr 12 2007 Dan Walsh <dwalsh@redhat.com> - 2.0.2-1
+- Latest update from NSA
+	* Merged checkmodule man page fix from Dan Walsh.
+
+* Fri Mar 30 2007 Dan Walsh <dwalsh@redhat.com> - 2.0.1-3
+- Rebuild with new libsepol
+
+* Wed Mar 28 2007 Dan Walsh <dwalsh@redhat.com> - 2.0.1-2
+- Rebuild with new libsepol
+
+* Mon Nov 20 2006 Dan Walsh <dwalsh@redhat.com> - 2.0.1-1
+- Latest update from NSA
+	* Merged patch to allow dots in class identifiers from Caleb Case.
+
+* Tue Nov 14 2006 Dan Walsh <dwalsh@redhat.com> - 2.0.0-1
+- Latest update from NSA
+	* Merged patch to use new libsepol error codes by Karl MacMillan.
+	* Updated version for stable branch.
+
+* Tue Nov 14 2006 Dan Walsh <dwalsh@redhat.com> - 1.33.1-2
+- Rebuild for new libraries
+
+* Tue Nov 14 2006 Dan Walsh <dwalsh@redhat.com> - 1.33.1-1
+- Latest update from NSA
+	* Collapse user identifiers and identifiers together.
+
+* Tue Oct 17 2006 Dan Walsh <dwalsh@redhat.com> - 1.32-1
+- Latest update from NSA
+	* Updated version for release.
+
+* Thu Sep 28 2006 Dan Walsh <dwalsh@redhat.com> - 1.30.12-1
+- Latest update from NSA
+	* Merged user and range_transition support for modules from 
+	  Darrel Goeddel
+
+* Wed Sep 6 2006 Dan Walsh <dwalsh@redhat.com> - 1.30.11-1
+- Latest update from NSA
+	* merged range_transition enhancements and user module format
+	  changes from Darrel Goeddel
+	* Merged symtab datum patch from Karl MacMillan.
+
+* Wed Jul 12 2006 Jesse Keating <jkeating@redhat.com> - 1.30.9-1.1
+- rebuild
+
+* Tue Jul 4 2006 Dan Walsh <dwalsh@redhat.com> - 1.30.8-1
+- Latest upgrade from NSA
+	* Lindent.
+	* Merged patch to remove TE rule conflict checking from the parser
+	  from Joshua Brindle.  This can only be done properly by the 
+	  expander.
+	* Merged patch to make checkpolicy/checkmodule handling of
+	  duplicate/conflicting TE rules the same as the expander 
+	  from Joshua Brindle.
+	* Merged optionals in base take 2 patch set from Joshua Brindle.
+
+* Tue May 23 2006 Dan Walsh <dwalsh@redhat.com> - 1.30.5-1
+- Latest upgrade from NSA
+	* Merged compiler cleanup patch from Karl MacMillan.
+	* Merged fix warnings patch from Karl MacMillan.	
+
+* Wed Apr 5 2006 Dan Walsh <dwalsh@redhat.com> - 1.30.4-1
+- Latest upgrade from NSA
+	* Changed require_class to reject permissions that have not been
+	  declared if building a base module.
+
+* Tue Mar 28 2006 Dan Walsh <dwalsh@redhat.com> - 1.30.3-1
+- Latest upgrade from NSA
+	* Fixed checkmodule to call link_modules prior to expand_module
+	  to handle optionals.
+	* Fixed require_class to avoid shadowing permissions already defined
+	  in an inherited common definition.
+
+* Mon Mar 27 2006 Dan Walsh <dwalsh@redhat.com> - 1.30.1-2
+- Rebuild with new libsepol
+
+* Thu Mar 23 2006 Dan Walsh <dwalsh@redhat.com> - 1.30.1-1
+- Latest upgrade from NSA
+	* Moved processing of role and user require statements to 2nd pass.
+
+* Fri Mar 17 2006 Dan Walsh <dwalsh@redhat.com> - 1.30-1
+- Latest upgrade from NSA
+	* Updated version for release.
+	* Fixed bug in role dominance (define_role_dom).
+
+* Fri Feb 17 2006 Dan Walsh <dwalsh@redhat.com> - 1.29.4-1
+- Latest upgrade from NSA
+	* Added a check for failure to declare each sensitivity in
+	  a level definition.
+	* Changed to clone level data for aliased sensitivities to
+	  avoid double free upon sens_destroy.  Bug reported by Kevin
+	  Carr of Tresys Technology.
+
+* Mon Feb 13 2006 Dan Walsh <dwalsh@redhat.com> - 1.29.2-1
+- Latest upgrade from NSA
+	* Merged optionals in base patch from Joshua Brindle.
+
+* Mon Feb 13 2006 Dan Walsh <dwalsh@redhat.com> - 1.29.1-1.2
+- Need to build againi
+
+* Fri Feb 10 2006 Jesse Keating <jkeating@redhat.com> - 1.29.1-1.1
+- bump again for double-long bug on ppc(64)
+
+* Tue Feb 07 2006 Dan Walsh <dwalsh@redhat.com> 1.29.1-1
+- Latest upgrade from NSA
+	* Merged sepol_av_to_string patch from Joshua Brindle.
+
+* Tue Feb 07 2006 Jesse Keating <jkeating@redhat.com> - 1.28-5.1
+- rebuilt for new gcc4.1 snapshot and glibc changes
+
+* Fri Jan 13 2006 Dan Walsh <dwalsh@redhat.com> 1.28-5
+- Rebuild to get latest libsepol
+
+* Fri Jan 13 2006 Dan Walsh <dwalsh@redhat.com> 1.28-5
+- Rebuild to get latest libsepol
+
+* Thu Jan 5 2006 Dan Walsh <dwalsh@redhat.com> 1.28-4
+- Rebuild to get latest libsepol
+
+* Wed Jan 4 2006 Dan Walsh <dwalsh@redhat.com> 1.28-3
+- Rebuild to get latest libsepol
+
+* Fri Dec 16 2005 Dan Walsh <dwalsh@redhat.com> 1.28-2
+- Rebuild to get latest libsepol
+
+* Fri Dec 09 2005 Jesse Keating <jkeating@redhat.com>
+- rebuilt
+
+* Fri Dec 9 2005 Dan Walsh <dwalsh@redhat.com> 1.28-1
+- Latest upgrade from NSA
+
+* Sun Dec 4 2005 Dan Walsh <dwalsh@redhat.com> 1.27.20-1
+- Latest upgrade from NSA
+	* Merged checkmodule man page from Dan Walsh, and edited it.
+
+* Thu Dec 1 2005 Dan Walsh <dwalsh@redhat.com> 1.27.19-1
+- Latest upgrade from NSA
+	* Added error checking of all ebitmap_set_bit calls for out of
+	  memory conditions.
+	* Merged removal of compatibility handling of netlink classes
+	  (requirement that policies with newer versions include the
+	   netlink class definitions, remapping of fine-grained netlink
+	   classes in newer source policies to single netlink class when
+	   generating older policies) from George Coker.
+
+* Tue Nov 8 2005 Dan Walsh <dwalsh@redhat.com> 1.27.17-7
+- Rebuild to get latest libsepol
+
+* Tue Oct 25 2005 Dan Walsh <dwalsh@redhat.com> 1.27.17-1
+- Latest upgrade from NSA
+	* Merged dismod fix from Joshua Brindle.
+
+* Thu Oct 20 2005 Dan Walsh <dwalsh@redhat.com> 1.27.16-1
+- Latest upgrade from NSA
+	* Removed obsolete cond_check_type_rules() function and call and 
+	  cond_optimize_lists() call from checkpolicy.c; these are handled
+	  during parsing and expansion now.
+	* Updated calls to expand_module for interface change.
+	* Changed checkmodule to verify that expand_module succeeds 
+	  when building base modules.
+	* Merged module compiler fixes from Joshua Brindle.
+	* Removed direct calls to hierarchy_check_constraints() and 
+	  check_assertions() from checkpolicy since they are now called 
+	  internally by expand_module().
+
+* Tue Oct 18 2005 Dan Walsh <dwalsh@redhat.com> 1.27.11-1
+- Latest upgrade from NSA
+	* Updated for changes to sepol policydb_index_others interface.
+
+* Tue Oct 18 2005 Dan Walsh <dwalsh@redhat.com> 1.27.10-1
+- Latest upgrade from NSA
+	* Updated for changes to sepol expand_module and link_modules interfaces.
+* Sat Oct 15 2005 Dan Walsh <dwalsh@redhat.com> 1.27.9-2
+- Rebuild to get latest libsepol
+
+* Fri Oct 14 2005 Dan Walsh <dwalsh@redhat.com> 1.27.9-1
+- Latest upgrade from NSA
+	* Merged support for require blocks inside conditionals from
+	Joshua Brindle (Tresys).
+
+* Wed Oct 12 2005 Karsten Hopp <karsten@redhat.de> 1.27.8-2
+- add buildrequirement for libselinux-devel for dispol
+
+* Mon Oct 10 2005 Dan Walsh <dwalsh@redhat.com> 1.27.8-1
+- Latest upgrade from NSA
+	* Updated for changes to libsepol.
+
+* Fri Oct 7 2005 Dan Walsh <dwalsh@redhat.com> 1.27.7-2
+- Rebuild to get latest libsepol
+
+* Thu Oct 6 2005 Dan Walsh <dwalsh@redhat.com> 1.27.7-1
+- Latest upgrade from NSA
+	* Merged several bug fixes from Joshua Brindle (Tresys).
+
+* Tue Oct 4 2005 Dan Walsh <dwalsh@redhat.com> 1.27.6-1
+- Latest upgrade from NSA
+	* Merged MLS in modules patch from Joshua Brindle (Tresys).
+
+* Mon Oct 3 2005 Dan Walsh <dwalsh@redhat.com> 1.27.5-2
+- Rebuild to get latest libsepol
+
+* Wed Sep 28 2005 Dan Walsh <dwalsh@redhat.com> 1.27.5-1
+- Latest upgrade from NSA
+	* Merged error handling improvement in checkmodule from Karl MacMillan (Tresys).
+
+* Tue Sep 27 2005 Dan Walsh <dwalsh@redhat.com> 1.27.4-1
+- Latest upgrade from NSA
+	* Merged bugfix for dup role transition error messages from
+	Karl MacMillan (Tresys).
+
+* Fri Sep 23 2005 Dan Walsh <dwalsh@redhat.com> 1.27.3-1
+- Latest upgrade from NSA
+	* Merged policyver/modulever patches from Joshua Brindle (Tresys).
+
+* Wed Sep 21 2005 Dan Walsh <dwalsh@redhat.com> 1.27.2-2
+- Rebuild to get latest libsepol
+
+* Wed Sep 21 2005 Dan Walsh <dwalsh@redhat.com> 1.27.2-1
+- Latest upgrade from NSA
+	* Fixed parse_categories handling of undefined category.
+
+* Tue Sep 20 2005 Dan Walsh <dwalsh@redhat.com> 1.27.1-2
+- Rebuild to get latest libsepol
+
+* Sat Sep 17 2005 Dan Walsh <dwalsh@redhat.com> 1.27.1-1
+- Latest upgrade from NSA
+	* Merged bug fix for role dominance handling from Darrel Goeddel (TCS). 
+* Wed Sep 14 2005 Dan Walsh <dwalsh@redhat.com> 1.26-2
+- Rebuild to get latest libsepol
+
+* Mon Sep 12 2005 Dan Walsh <dwalsh@redhat.com> 1.26-1
+- Latest upgrade from NSA
+	* Updated version for release.
+- Rebuild to get latest libsepol
+
+* Thu Sep 1 2005 Dan Walsh <dwalsh@redhat.com> 1.25.12-3
+- Rebuild to get latest libsepol
+
+* Mon Aug 29 2005 Dan Walsh <dwalsh@redhat.com> 1.25.12-2
+- Rebuild to get latest libsepol
+
+* Mon Aug 22 2005 Dan Walsh <dwalsh@redhat.com> 1.25.12-1
+- Update to NSA Release
+	* Fixed handling of validatetrans constraint expressions.
+	Bug reported by Dan Walsh for checkpolicy -M.
+
+* Mon Aug 22 2005 Dan Walsh <dwalsh@redhat.com> 1.25.11-2
+- Fix mls crash
+
+* Fri Aug 19 2005 Dan Walsh <dwalsh@redhat.com> 1.25.11-1
+- Update to NSA Release
+	* Merged use-after-free fix from Serge Hallyn (IBM).  
+	  Bug found by Coverity.
+
+* Sun Aug 14 2005 Dan Walsh <dwalsh@redhat.com> 1.25.10-1
+- Update to NSA Release
+	* Fixed further memory leaks found by valgrind.
+	* Changed checkpolicy to destroy the policydbs prior to exit
+	  to allow leak detection.
+	* Fixed several memory leaks found by valgrind.
+
+* Sun Aug 14 2005 Dan Walsh <dwalsh@redhat.com> 1.25.8-3
+- Rebuild to get latest libsepol changes
+
+* Sat Aug 13 2005 Dan Walsh <dwalsh@redhat.com> 1.25.8-2
+- Rebuild to get latest libsepol changes
+
+* Thu Aug 11 2005 Dan Walsh <dwalsh@redhat.com> 1.25.8-1
+- Update to NSA Release
+	* Updated checkpolicy and dispol for the new avtab format.
+	  Converted users of ebitmaps to new inline operators.
+  	  Note:  The binary policy format version has been incremented to 
+	  version 20 as a result of these changes.  To build a policy
+	  for a kernel that does not yet include these changes, use
+	  the -c 19 option to checkpolicy.
+	* Merged patch to prohibit use of "self" as a type name from Jason Tang (Tresys).
+	* Merged patch to fix dismod compilation from Joshua Brindle (Tresys).
+
+* Wed Aug 10 2005 Dan Walsh <dwalsh@redhat.com> 1.25.5-1
+- Update to NSA Release
+	* Fixed call to hierarchy checking code to pass the right policydb.
+	* Merged patch to update dismod for the relocation of the
+	  module read/write code from libsemanage to libsepol, and
+	  to enable build of test subdirectory from Jason Tang (Tresys).
+
+* Thu Jul 28 2005 Dan Walsh <dwalsh@redhat.com> 1.25.3-1
+- Update to NSA Release
+	* Merged hierarchy check fix from Joshua Brindle (Tresys).
+
+* Thu Jul 7 2005 Dan Walsh <dwalsh@redhat.com> 1.25.2-1
+- Update to NSA Release
+	* Merged loadable module support from Tresys Technology.
+	* Merged patch to prohibit the use of * and ~ in type sets 
+	  (other than in neverallow statements) and in role sets
+	  from Joshua Brindle (Tresys).
+	* Updated version for release.
+
+* Fri May 20 2005 Dan Walsh <dwalsh@redhat.com> 1.23-4-1
+- Update to NSA Release
+	* Merged cleanup patch from Dan Walsh.
+
+* Thu May 19 2005 Dan Walsh <dwalsh@redhat.com> 1.23-3-1
+- Update to NSA Release
+	* Added sepol_ prefix to Flask types to avoid namespace
+	  collision with libselinux.
+
+* Sat May 7 2005 Dan Walsh <dwalsh@redhat.com> 1.23-2-1
+- Update to NSA Release
+	* Merged identifier fix from Joshua Brindle (Tresys).
+
+* Thu Apr 14 2005 Dan Walsh <dwalsh@redhat.com> 1.23,1-1
+	* Merged hierarchical type/role patch from Tresys Technology.
+	* Merged MLS fixes from Darrel Goeddel of TCS.
+
+* Thu Mar 10 2005 Dan Walsh <dwalsh@redhat.com> 1.22-1
+- Update to NSA Release
+
+* Tue Mar 1 2005 Dan Walsh <dwalsh@redhat.com> 1.21.4-2
+- Rebuild for FC4
+
+* Thu Feb 17 2005 Dan Walsh <dwalsh@redhat.com> 1.21.4-1
+	* Merged define_user() cleanup patch from Darrel Goeddel (TCS).
+	* Moved genpolusers utility to libsepol.
+	* Merged range_transition support from Darrel Goeddel (TCS).
+
+* Thu Feb 10 2005 Dan Walsh <dwalsh@redhat.com> 1.21.2-1
+- Latest from NSA
+	* Changed relabel Makefile target to use restorecon.
+
+* Mon Feb 7 2005 Dan Walsh <dwalsh@redhat.com> 1.21.1-1
+- Latest from NSA
+	* Merged enhanced MLS support from Darrel Goeddel (TCS).
+
+* Fri Jan 7 2005 Dan Walsh <dwalsh@redhat.com> 1.20.1-1
+- Update for version increase at NSA
+
+* Mon Dec 20 2004 Dan Walsh <dwalsh@redhat.com> 1.19.2-1
+- Latest from NSA
+	* Merged typeattribute statement patch from Darrel Goeddel of TCS.
+	* Changed genpolusers to handle multiple user config files.
+	* Merged nodecon ordering patch from Chad Hanson of TCS.
+
+* Thu Nov 11 2004 Dan Walsh <dwalsh@redhat.com> 1.19.1-1
+- Latest from NSA
+	* Merged nodecon ordering patch from Chad Hanson of TCS.
+
+* Thu Nov 4 2004 Dan Walsh <dwalsh@redhat.com> 1.18.1-1
+- Latest from NSA
+	* MLS build fix.
+
+* Sat Sep 4 2004 Dan Walsh <dwalsh@redhat.com> 1.17.5-1
+- Latest from NSA
+	* Fixed Makefile dependencies (Chris PeBenito).
+
+* Sat Sep 4 2004 Dan Walsh <dwalsh@redhat.com> 1.17.4-1
+- Latest from NSA
+	* Fixed Makefile dependencies (Chris PeBenito).
+
+* Sat Sep 4 2004 Dan Walsh <dwalsh@redhat.com> 1.17.3-1
+- Latest from NSA
+	* Merged fix for role dominance ordering issue from Chad Hanson of TCS.
+
+* Mon Aug 30 2004 Dan Walsh <dwalsh@redhat.com> 1.17.2-1
+- Latest from NSA
+
+* Thu Aug 26 2004 Dan Walsh <dwalsh@redhat.com> 1.16.3-1
+- Fix NSA package to not include y.tab files.
+
+* Tue Aug 24 2004 Dan Walsh <dwalsh@redhat.com> 1.16.2-1
+- Latest from NSA
+- Allow port ranges to overlap
+
+* Sun Aug 22 2004 Dan Walsh <dwalsh@redhat.com> 1.16.1-1
+- Latest from NSA
+
+* Mon Aug 16 2004 Dan Walsh <dwalsh@redhat.com> 1.15.6-1
+- Latest from NSA
+
+* Fri Aug 13 2004 Dan Walsh <dwalsh@redhat.com> 1.15.5-1
+- Latest from NSA
+
+* Wed Aug 11 2004 Dan Walsh <dwalsh@redhat.com> 1.15.4-1
+- Latest from NSA
+
+* Sat Aug 7 2004 Dan Walsh <dwalsh@redhat.com> 1.15.3-1
+- Latest from NSA
+
+* Wed Aug 4 2004 Dan Walsh <dwalsh@redhat.com> 1.15.2-1
+- Latest from NSA
+
+* Sat Jul 31 2004 Dan Walsh <dwalsh@redhat.com> 1.15.1-1
+- Latest from NSA
+
+* Tue Jul 27 2004 Dan Walsh <dwalsh@redhat.com> 1.14.2-1
+- Latest from NSA
+
+* Wed Jun 30 2004 Dan Walsh <dwalsh@redhat.com> 1.14.1-1
+- Latest from NSA
+
+* Fri Jun 18 2004 Dan Walsh <dwalsh@redhat.com> 1.12.2-1
+- Latest from NSA
+
+* Thu Jun 17 2004 Dan Walsh <dwalsh@redhat.com> 1.12.1-1
+- Update to latest from NSA
+
+* Wed Jun 16 2004 Dan Walsh <dwalsh@redhat.com> 1.12-1
+- Update to latest from NSA
+
+* Wed Jun 16 2004 Dan Walsh <dwalsh@redhat.com> 1.10-5
+- Add nlclass patch
+
+* Tue Jun 15 2004 Elliot Lee <sopwith@redhat.com>
+- rebuilt
+
+* Fri Jun 4 2004 Dan Walsh <dwalsh@redhat.com> 1.10-3
+- Add BuildRequires flex
+
+* Thu Apr 8 2004 Dan Walsh <dwalsh@redhat.com> 1.10-2
+- Add BuildRequires byacc
+
+* Thu Apr 8 2004 Dan Walsh <dwalsh@redhat.com> 1.10-1
+- Upgrade to the latest from NSA
+
+* Mon Mar 15 2004 Dan Walsh <dwalsh@redhat.com> 1.8-1
+- Upgrade to the latest from NSA
+
+* Tue Feb 24 2004 Dan Walsh <dwalsh@redhat.com> 1.6-1
+- Upgrade to the latest from NSA
+
+* Fri Feb 13 2004 Elliot Lee <sopwith@redhat.com>
+- rebuilt
+
+* Tue Jan 20 2004 Dan Walsh <dwalsh@redhat.com> 1.4-6
+- Add typealias patch
+
+* Tue Jan 20 2004 Dan Walsh <dwalsh@redhat.com> 1.4-5
+- Update excludetypes with negset-final patch
+
+* Wed Jan 14 2004 Dan Walsh <dwalsh@redhat.com> 1.4-4
+- Add excludetypes patch
+
+* Wed Jan 14 2004 Dan Walsh <dwalsh@redhat.com> 1.4-3
+- Add Colin Walter's lineno patch
+
+* Wed Jan 7 2004 Dan Walsh <dwalsh@redhat.com> 1.4-2
+- Remove check for roles transition
+
+* Sat Dec 6 2003 Dan Walsh <dwalsh@redhat.com> 1.4-1
+- upgrade to 1.4
+
+* Wed Oct 1 2003 Dan Walsh <dwalsh@redhat.com> 1.2-1
+- upgrade to 1.2
+
+* Thu Aug 28 2003 Dan Walsh <dwalsh@redhat.com> 1.1-2
+- upgrade to 1.1
+
+* Mon Jun 2 2003 Dan Walsh <dwalsh@redhat.com> 1.0-1
+- Initial version