powerel7
/
base
2
0
Fork 0
Code Issues Pull Requests Releases Activity
Browse Source

checkpolicy update package 

Signed-off-by: basebuilder_pel7ppc64bebuilder0 <basebuilder@powerel.org>
master
basebuilder_pel7ppc64bebuilder0 7 years ago
parent
13f14cac7b
commit
fa447a4be2
2 changed files with 1444 additions and 0 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Unified View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 608
      SOURCES/checkpolicy-rhel.patch
  2. 836
      SPECS/checkpolicy.spec

608
SOURCES/checkpolicy-rhel.patch
Unescape View File

@ -0,0 +1,608 @@
diff --git checkpolicy-2.5/Android.mk checkpolicy-2.5/Android.mk
index 98f5168..3b7ff8a 100644
--- checkpolicy-2.5/Android.mk
+++ checkpolicy-2.5/Android.mk
@@ -12,10 +12,6 @@ common_cflags := \
-Wall -Wshadow -O2 \
-pipe -fno-strict-aliasing \
-ifeq ($(HOST_OS),darwin)
-common_cflags += -DDARWIN
-endif
-
common_includes := \
$(LOCAL_PATH)/ \
$(LOCAL_PATH)/../libsepol/include/ \
diff --git checkpolicy-2.5/ChangeLog checkpolicy-2.5/ChangeLog
index dfe4908..f2216ec 100644
--- checkpolicy-2.5/ChangeLog
+++ checkpolicy-2.5/ChangeLog
@@ -1,3 +1,11 @@
+ * Extend checkpolicy pathname matching, from Stephen Smalley.
+ * Fix typos in test/dispol, from Petr Lautrbach.
+ * Set flex as default lexer, from Julien Pivotto.
+ * Fix checkmodule output message, from Petr Lautrbach.
+ * Build policy on systems not supporting DCCP protocol, from Richard Haines.
+ * Fail if module name different than output base filename, from James Carter
+ * Add support for portcon dccp protocol, from Richard Haines
+
2.5 2016-02-23
* Add neverallow support for ioctl extended permissions, from Jeff Vander Stoep.
* fix double free on name-based type transitions, from Stephen Smalley.
diff --git checkpolicy-2.5/Makefile checkpolicy-2.5/Makefile
index e5fae3d..53a3074 100644
--- checkpolicy-2.5/Makefile
+++ checkpolicy-2.5/Makefile
@@ -8,6 +8,7 @@ LIBDIR ?= $(PREFIX)/lib
INCLUDEDIR ?= $(PREFIX)/include
TARGETS = checkpolicy checkmodule
+LEX = flex
YACC = bison -y
CFLAGS ?= -g -Wall -Werror -Wshadow -O2 -pipe -fno-strict-aliasing
diff --git checkpolicy-2.5/checkmodule.c checkpolicy-2.5/checkmodule.c
index 5957d29..53cc5a0 100644
--- checkpolicy-2.5/checkmodule.c
+++ checkpolicy-2.5/checkmodule.c
@@ -19,6 +19,7 @@
#include <stdio.h>
#include <errno.h>
#include <sys/mman.h>
+#include <libgen.h>
#include <sepol/module_to_cil.h>
#include <sepol/policydb/policydb.h>
@@ -258,6 +259,25 @@ int main(int argc, char **argv)
}
}
+ if (policy_type != POLICY_BASE && outfile) {
+ char *mod_name = modpolicydb.name;
+ char *out_path = strdup(outfile);
+ if (out_path == NULL) {
+ fprintf(stderr, "%s: out of memory\n", argv[0]);
+ exit(1);
+ }
+ char *out_name = basename(out_path);
+ char *separator = strrchr(out_name, '.');
+ if (separator) {
+ *separator = '\0';
+ }
+ if (strcmp(mod_name, out_name) != 0) {
+ fprintf(stderr, "%s: Module name %s is different than the output base filename %s\n", argv[0], mod_name, out_name);
+ exit(1);
+ }
+ free(out_path);
+ }
+
if (modpolicydb.policy_type == POLICY_BASE && !cil) {
/* Verify that we can successfully expand the base module. */
policydb_t kernpolicydb;
@@ -294,7 +314,7 @@ int main(int argc, char **argv)
if (!cil) {
printf("%s: writing binary representation (version %d) to %s\n",
- argv[0], policyvers, file);
+ argv[0], policyvers, outfile);
if (write_binary_policy(&modpolicydb, outfp) != 0) {
fprintf(stderr, "%s: error writing %s\n", argv[0], outfile);
diff --git checkpolicy-2.5/checkpolicy.c checkpolicy-2.5/checkpolicy.c
index 9da661e..5bc0c56 100644
--- checkpolicy-2.5/checkpolicy.c
+++ checkpolicy-2.5/checkpolicy.c
@@ -22,6 +22,7 @@
*
* Policy Module support.
*
+ * Copyright (C) 2017 Mellanox Technologies Inc.
* Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
* Copyright (C) 2003 - 2005 Tresys Technology, LLC
* Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
@@ -64,13 +65,16 @@
#include <sys/stat.h>
#include <sys/socket.h>
#include <netinet/in.h>
+#ifndef IPPROTO_DCCP
+#define IPPROTO_DCCP 33
+#endif
#include <arpa/inet.h>
#include <fcntl.h>
#include <stdio.h>
#include <errno.h>
#include <sys/mman.h>
-#ifdef DARWIN
+#ifdef __APPLE__
#include <ctype.h>
#endif
@@ -679,6 +683,8 @@ int main(int argc, char **argv)
printf("h) change a boolean value\n");
printf("i) display constraint expressions\n");
printf("j) display validatetrans expressions\n");
+ printf("k) Call ibpkey_sid\n");
+ printf("l) Call ibendport_sid\n");
#ifdef EQUIVTYPES
printf("z) Show equivalent types\n");
#endif
@@ -919,6 +925,8 @@ int main(int argc, char **argv)
protocol = IPPROTO_TCP;
else if (!strcmp(ans, "udp") || !strcmp(ans, "UDP"))
protocol = IPPROTO_UDP;
+ else if (!strcmp(ans, "dccp") || !strcmp(ans, "DCCP"))
+ protocol = IPPROTO_DCCP;
else {
printf("unknown protocol\n");
break;
@@ -1198,6 +1206,50 @@ int main(int argc, char **argv)
"\nNo validatetrans expressions found.\n");
}
break;
+ case 'k':
+ {
+ char *p;
+ struct in6_addr addr6;
+ uint64_t subnet_prefix;
+ unsigned int pkey;
+
+ printf("subnet prefix? ");
+ FGETS(ans, sizeof(ans), stdin);
+ ans[strlen(ans) - 1] = 0;
+ p = (char *)&addr6;
+
+ if (inet_pton(AF_INET6, ans, p) < 1) {
+ printf("error parsing subnet prefix\n");
+ break;
+ }
+
+ memcpy(&subnet_prefix, p, sizeof(subnet_prefix));
+ printf("pkey? ");
+ FGETS(ans, sizeof(ans), stdin);
+ pkey = atoi(ans);
+ sepol_ibpkey_sid(subnet_prefix, pkey, &ssid);
+ printf("sid %d\n", ssid);
+ }
+ break;
+ case 'l':
+ printf("device name (eg. mlx4_0)? ");
+ FGETS(ans, sizeof(ans), stdin);
+ ans[strlen(ans) - 1] = 0;
+
+ name = malloc((strlen(ans) + 1) * sizeof(char));
+ if (!name) {
+ fprintf(stderr, "couldn't malloc string.\n");
+ break;
+ }
+ strcpy(name, ans);
+
+ printf("port? ");
+ FGETS(ans, sizeof(ans), stdin);
+ port = atoi(ans);
+ sepol_ibendport_sid(name, port, &ssid);
+ printf("sid %d\n", ssid);
+ free(name);
+ break;
#ifdef EQUIVTYPES
case 'z':
identify_equiv_types();
diff --git checkpolicy-2.5/policy_define.c checkpolicy-2.5/policy_define.c
index ee20fea..f65958c 100644
--- checkpolicy-2.5/policy_define.c
+++ checkpolicy-2.5/policy_define.c
@@ -20,6 +20,7 @@
* Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
* Copyright (C) 2003 - 2008 Tresys Technology, LLC
* Copyright (C) 2007 Red Hat Inc.
+ * Copyright (C) 2017 Mellanox Techonologies Inc.
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, version 2.
@@ -36,6 +37,9 @@
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
+#ifndef IPPROTO_DCCP
+#define IPPROTO_DCCP 33
+#endif
#include <arpa/inet.h>
#include <stdlib.h>
#include <limits.h>
@@ -4876,6 +4880,8 @@ int define_port_context(unsigned int low, unsigned int high)
protocol = IPPROTO_TCP;
} else if ((strcmp(id, "udp") == 0) || (strcmp(id, "UDP") == 0)) {
protocol = IPPROTO_UDP;
+ } else if ((strcmp(id, "dccp") == 0) || (strcmp(id, "DCCP") == 0)) {
+ protocol = IPPROTO_DCCP;
} else {
yyerror2("unrecognized protocol %s", id);
free(newc);
@@ -4931,6 +4937,192 @@ int define_port_context(unsigned int low, unsigned int high)
return -1;
}
+int define_ibpkey_context(unsigned int low, unsigned int high)
+{
+ ocontext_t *newc, *c, *l, *head;
+ struct in6_addr subnet_prefix;
+ char *id;
+ int rc = 0;
+
+ if (policydbp->target_platform != SEPOL_TARGET_SELINUX) {
+ yyerror("ibpkeycon not supported for target");
+ return -1;
+ }
+
+ if (pass == 1) {
+ id = (char *)queue_remove(id_queue);
+ free(id);
+ parse_security_context(NULL);
+ return 0;
+ }
+
+ newc = malloc(sizeof(*newc));
+ if (!newc) {
+ yyerror("out of memory");
+ return -1;
+ }
+ memset(newc, 0, sizeof(*newc));
+
+ id = queue_remove(id_queue);
+ if (!id) {
+ yyerror("failed to read the subnet prefix");
+ rc = -1;
+ goto out;
+ }
+
+ rc = inet_pton(AF_INET6, id, &subnet_prefix);
+ free(id);
+ if (rc < 1) {
+ yyerror("failed to parse the subnet prefix");
+ if (rc == 0)
+ rc = -1;
+ goto out;
+ }
+
+ if (subnet_prefix.s6_addr[2] || subnet_prefix.s6_addr[3]) {
+ yyerror("subnet prefix should be 0's in the low order 64 bits.");
+ rc = -1;
+ goto out;
+ }
+
+ if (low > 0xffff || high > 0xffff) {
+ yyerror("pkey value too large, pkeys are 16 bits.");
+ rc = -1;
+ goto out;
+ }
+
+ memcpy(&newc->u.ibpkey.subnet_prefix, &subnet_prefix.s6_addr[0],
+ sizeof(newc->u.ibpkey.subnet_prefix));
+
+ newc->u.ibpkey.low_pkey = low;
+ newc->u.ibpkey.high_pkey = high;
+
+ if (low > high) {
+ yyerror2("low pkey %d exceeds high pkey %d", low, high);
+ rc = -1;
+ goto out;
+ }
+
+ rc = parse_security_context(&newc->context[0]);
+ if (rc)
+ goto out;
+
+ /* Preserve the matching order specified in the configuration. */
+ head = policydbp->ocontexts[OCON_IBPKEY];
+ for (l = NULL, c = head; c; l = c, c = c->next) {
+ unsigned int low2, high2;
+
+ low2 = c->u.ibpkey.low_pkey;
+ high2 = c->u.ibpkey.high_pkey;
+
+ if (low == low2 && high == high2 &&
+ c->u.ibpkey.subnet_prefix == newc->u.ibpkey.subnet_prefix) {
+ yyerror2("duplicate ibpkeycon entry for %d-%d ",
+ low, high);
+ rc = -1;
+ goto out;
+ }
+ if (low2 <= low && high2 >= high &&
+ c->u.ibpkey.subnet_prefix == newc->u.ibpkey.subnet_prefix) {
+ yyerror2("ibpkeycon entry for %d-%d hidden by earlier entry for %d-%d",
+ low, high, low2, high2);
+ rc = -1;
+ goto out;
+ }
+ }
+
+ if (l)
+ l->next = newc;
+ else
+ policydbp->ocontexts[OCON_IBPKEY] = newc;
+
+ return 0;
+
+out:
+ free(newc);
+ return rc;
+}
+
+int define_ibendport_context(unsigned int port)
+{
+ ocontext_t *newc, *c, *l, *head;
+ char *id;
+ int rc = 0;
+
+ if (policydbp->target_platform != SEPOL_TARGET_SELINUX) {
+ yyerror("ibendportcon not supported for target");
+ return -1;
+ }
+
+ if (pass == 1) {
+ id = (char *)queue_remove(id_queue);
+ free(id);
+ parse_security_context(NULL);
+ return 0;
+ }
+
+ if (port > 0xff || port == 0) {
+ yyerror("Invalid ibendport port number, should be 0 < port < 256");
+ return -1;
+ }
+
+ newc = malloc(sizeof(*newc));
+ if (!newc) {
+ yyerror("out of memory");
+ return -1;
+ }
+ memset(newc, 0, sizeof(*newc));
+
+ newc->u.ibendport.dev_name = queue_remove(id_queue);
+ if (!newc->u.ibendport.dev_name) {
+ yyerror("failed to read infiniband device name.");
+ rc = -1;
+ goto out;
+ }
+
+ if (strlen(newc->u.ibendport.dev_name) > IB_DEVICE_NAME_MAX - 1) {
+ yyerror("infiniband device name exceeds max length of 63.");
+ rc = -1;
+ goto out;
+ }
+
+ newc->u.ibendport.port = port;
+
+ if (parse_security_context(&newc->context[0])) {
+ free(newc);
+ return -1;
+ }
+
+ /* Preserve the matching order specified in the configuration. */
+ head = policydbp->ocontexts[OCON_IBENDPORT];
+ for (l = NULL, c = head; c; l = c, c = c->next) {
+ unsigned int port2;
+
+ port2 = c->u.ibendport.port;
+
+ if (port == port2 &&
+ !strcmp(c->u.ibendport.dev_name,
+ newc->u.ibendport.dev_name)) {
+ yyerror2("duplicate ibendportcon entry for %s port %u",
+ newc->u.ibendport.dev_name, port);
+ rc = -1;
+ goto out;
+ }
+ }
+
+ if (l)
+ l->next = newc;
+ else
+ policydbp->ocontexts[OCON_IBENDPORT] = newc;
+
+ return 0;
+
+out:
+ free(newc->u.ibendport.dev_name);
+ free(newc);
+ return rc;
+}
+
int define_netif_context(void)
{
ocontext_t *newc, *c, *head;
@@ -5135,7 +5327,7 @@ int define_ipv6_node_context(void)
memset(newc, 0, sizeof(ocontext_t));
-#ifdef DARWIN
+#ifdef __APPLE__
memcpy(&newc->u.node6.addr[0], &addr.s6_addr[0], 16);
memcpy(&newc->u.node6.mask[0], &mask.s6_addr[0], 16);
#else
diff --git checkpolicy-2.5/policy_define.h checkpolicy-2.5/policy_define.h
index 964baae..3282aed 100644
--- checkpolicy-2.5/policy_define.h
+++ checkpolicy-2.5/policy_define.h
@@ -43,6 +43,8 @@ int define_level(void);
int define_netif_context(void);
int define_permissive(void);
int define_polcap(void);
+int define_ibpkey_context(unsigned int low, unsigned int high);
+int define_ibendport_context(unsigned int port);
int define_port_context(unsigned int low, unsigned int high);
int define_pirq_context(unsigned int pirq);
int define_iomem_context(uint64_t low, uint64_t high);
diff --git checkpolicy-2.5/policy_parse.y checkpolicy-2.5/policy_parse.y
index 3b6a2f8..35b7a33 100644
--- checkpolicy-2.5/policy_parse.y
+++ checkpolicy-2.5/policy_parse.y
@@ -21,6 +21,7 @@
* Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
* Copyright (C) 2003 - 2008 Tresys Technology, LLC
* Copyright (C) 2007 Red Hat Inc.
+ * Copyright (C) 2017 Mellanox Technologies Inc.
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, version 2.
@@ -134,6 +135,8 @@ typedef int (* require_func_t)(int pass);
%token TARGET
%token SAMEUSER
%token FSCON PORTCON NETIFCON NODECON
+%token IBPKEYCON
+%token IBENDPORTCON
%token PIRQCON IOMEMCON IOPORTCON PCIDEVICECON DEVICETREECON
%token FSUSEXATTR FSUSETASK FSUSETRANS
%token GENFSCON
@@ -169,7 +172,7 @@ base_policy : { if (define_policy(pass, 0) == -1) return -1; }
opt_default_rules opt_mls te_rbac users opt_constraints
{ if (pass == 1) { if (policydb_index_bools(policydbp)) return -1;}
else if (pass == 2) { if (policydb_index_others(NULL, policydbp, 0)) return -1;}}
- initial_sid_contexts opt_fs_contexts opt_fs_uses opt_genfs_contexts net_contexts opt_dev_contexts
+ initial_sid_contexts opt_fs_contexts opt_fs_uses opt_genfs_contexts net_contexts opt_dev_contexts opt_ibpkey_contexts opt_ibendport_contexts
;
classes : class_def
| classes class_def
@@ -695,7 +698,7 @@ fs_contexts : fs_context_def
fs_context_def : FSCON number number security_context_def security_context_def
{if (define_fs_context($2,$3)) return -1;}
;
-net_contexts : opt_port_contexts opt_netif_contexts opt_node_contexts
+net_contexts : opt_port_contexts opt_netif_contexts opt_node_contexts
;
opt_port_contexts : port_contexts
|
@@ -708,6 +711,26 @@ port_context_def : PORTCON identifier number security_context_def
| PORTCON identifier number '-' number security_context_def
{if (define_port_context($3,$5)) return -1;}
;
+opt_ibpkey_contexts : ibpkey_contexts
+ |
+ ;
+ibpkey_contexts : ibpkey_context_def
+ | ibpkey_contexts ibpkey_context_def
+ ;
+ibpkey_context_def : IBPKEYCON ipv6_addr number security_context_def
+ {if (define_ibpkey_context($3,$3)) return -1;}
+ | IBPKEYCON ipv6_addr number '-' number security_context_def
+ {if (define_ibpkey_context($3,$5)) return -1;}
+ ;
+opt_ibendport_contexts : ibendport_contexts
+ |
+ ;
+ibendport_contexts : ibendport_context_def
+ | ibendport_contexts ibendport_context_def
+ ;
+ibendport_context_def : IBENDPORTCON identifier number security_context_def
+ {if (define_ibendport_context($3)) return -1;}
+ ;
opt_netif_contexts : netif_contexts
|
;
diff --git checkpolicy-2.5/policy_scan.l checkpolicy-2.5/policy_scan.l
index 22da338..f38dd22 100644
--- checkpolicy-2.5/policy_scan.l
+++ checkpolicy-2.5/policy_scan.l
@@ -12,6 +12,7 @@
* Added support for binary policy modules
*
* Copyright (C) 2003-5 Tresys Technology, LLC
+ * Copyright (C) 2017 Mellanox Technologies Inc.
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, version 2.
@@ -181,6 +182,10 @@ INCOMP |
incomp { return(INCOMP);}
fscon |
FSCON { return(FSCON);}
+ibpkeycon |
+IBPKEYCON { return(IBPKEYCON);}
+ibendportcon |
+IBENDPORTCON { return(IBENDPORTCON);}
portcon |
PORTCON { return(PORTCON);}
netifcon |
@@ -249,9 +254,9 @@ high |
HIGH { return(HIGH); }
low |
LOW { return(LOW); }
-"/"({alnum}|[_\.\-/])* { return(PATH); }
-\""/"[ !#-~]*\" { return(QPATH); }
-\"({alnum}|[_\.\-\+\~\: ])+\" { return(FILENAME); }
+"/"[^ \n\r\t\f]* { return(PATH); }
+\""/"[^\"\n]*\" { return(QPATH); }
+\"[^"/"\"\n]+\" { return(FILENAME); }
{letter}({alnum}|[_\-])*([\.]?({alnum}|[_\-]))* { return(IDENTIFIER); }
{digit}+|0x{hexval}+ { return(NUMBER); }
{alnum}*{letter}{alnum}* { return(FILESYSTEM); }
diff --git checkpolicy-2.5/test/dismod.c checkpolicy-2.5/test/dismod.c
index 08b039d..c91ab93 100644
--- checkpolicy-2.5/test/dismod.c
+++ checkpolicy-2.5/test/dismod.c
@@ -243,6 +243,13 @@ int display_avrule(avrule_t * avrule, policydb_t * policy,
}
} else if (avrule->specified & AVRULE_NEVERALLOW) {
fprintf(fp, " neverallow");
+ } else if (avrule->specified & AVRULE_XPERMS) {
+ if (avrule->specified & AVRULE_XPERMS_ALLOWED)
+ fprintf(fp, "allowxperm ");
+ else if (avrule->specified & AVRULE_XPERMS_AUDITALLOW)
+ fprintf(fp, "auditallowxperm ");
+ else if (avrule->specified & AVRULE_XPERMS_DONTAUDIT)
+ fprintf(fp, "dontauditxperm ");
} else {
fprintf(fp, " ERROR: no valid rule type specified\n");
return -1;
@@ -282,6 +289,24 @@ int display_avrule(avrule_t * avrule, policydb_t * policy,
policy, fp);
} else if (avrule->specified & AVRULE_TYPE) {
display_id(policy, fp, SYM_TYPES, avrule->perms->data - 1, "");
+ } else if (avrule->specified & AVRULE_XPERMS) {
+ avtab_extended_perms_t xperms;
+ int i;
+
+ if (avrule->xperms->specified == AVRULE_XPERMS_IOCTLFUNCTION)
+ xperms.specified = AVTAB_XPERMS_IOCTLFUNCTION;
+ else if (avrule->xperms->specified == AVRULE_XPERMS_IOCTLDRIVER)
+ xperms.specified = AVTAB_XPERMS_IOCTLDRIVER;
+ else {
+ fprintf(fp, " ERROR: no valid xperms specified\n");
+ return -1;
+ }
+
+ xperms.driver = avrule->xperms->driver;
+ for (i = 0; i < EXTENDED_PERMS_LEN; i++)
+ xperms.perms[i] = avrule->xperms->perms[i];
+
+ fprintf(fp, "%s", sepol_extended_perms_to_string(&xperms));
}
fprintf(fp, ";\n");
diff --git checkpolicy-2.5/test/dispol.c checkpolicy-2.5/test/dispol.c
index 86f5688..a78ce81 100644
--- checkpolicy-2.5/test/dispol.c
+++ checkpolicy-2.5/test/dispol.c
@@ -252,11 +252,11 @@ int display_cond_expressions(policydb_t * p, FILE * fp)
int display_handle_unknown(policydb_t * p, FILE * out_fp)
{
if (p->handle_unknown == ALLOW_UNKNOWN)
- fprintf(out_fp, "Allow unknown classes and permisions\n");
+ fprintf(out_fp, "Allow unknown classes and permissions\n");
else if (p->handle_unknown == DENY_UNKNOWN)
- fprintf(out_fp, "Deny unknown classes and permisions\n");
+ fprintf(out_fp, "Deny unknown classes and permissions\n");
else if (p->handle_unknown == REJECT_UNKNOWN)
- fprintf(out_fp, "Reject unknown classes and permisions\n");
+ fprintf(out_fp, "Reject unknown classes and permissions\n");
return 0;
}
@@ -349,7 +349,7 @@ int menu(void)
printf("\nSelect a command:\n");
printf("1) display unconditional AVTAB\n");
printf("2) display conditional AVTAB (entirely)\n");
- printf("3) display conditional AVTAG (only ENABLED rules)\n");
+ printf("3) display conditional AVTAB (only ENABLED rules)\n");
printf("4) display conditional AVTAB (only DISABLED rules)\n");
printf("5) display conditional bools\n");
printf("6) display conditional expressions\n");

836
SPECS/checkpolicy.spec
Unescape View File

@ -0,0 +1,836 @@
%define libselinuxver 2.5-12
%define libsepolver 2.5-8
Summary: SELinux policy compiler
Name: checkpolicy
Version: 2.5
Release: 6%{?dist}
License: GPLv2
Group: Development/System
Source: https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20160223/checkpolicy-2.5.tar.gz
# HEAD f4e2ab4e29496130bc89dddf8096e9367b25665b
Patch1: checkpolicy-rhel.patch

BuildRoot: %{_tmppath}/%{name}-buildroot
BuildRequires: byacc bison flex flex-static libsepol-static >= %{libsepolver} libselinux-devel >= %{libselinuxver}

%description
Security-enhanced Linux is a feature of the Linux® kernel and a number
of utilities with enhanced security functionality designed to add
mandatory access controls to Linux. The Security-enhanced Linux
kernel contains new architectural components originally developed to
improve the security of the Flask operating system. These
architectural components provide general support for the enforcement
of many kinds of mandatory access control policies, including those
based on the concepts of Type Enforcement®, Role-based Access
Control, and Multi-level Security.

This package contains checkpolicy, the SELinux policy compiler.
Only required for building policies.

%prep
%setup -q -n checkpolicy-2.5
%patch1 -p1 -b .rhel

%build
make clean
make LIBDIR="%{_libdir}" CFLAGS="%{optflags}"
cd test
make LIBDIR="%{_libdir}" CFLAGS="%{optflags}"

%install
rm -rf ${RPM_BUILD_ROOT}
mkdir -p ${RPM_BUILD_ROOT}%{_bindir}
make LIBDIR="%{_libdir}" DESTDIR="${RPM_BUILD_ROOT}" install
install test/dismod ${RPM_BUILD_ROOT}%{_bindir}/sedismod
install test/dispol ${RPM_BUILD_ROOT}%{_bindir}/sedispol

%clean
rm -rf ${RPM_BUILD_ROOT}

%files
%defattr(-,root,root)
%{!?_licensedir:%global license %%doc}
%license COPYING
%{_bindir}/checkpolicy
%{_bindir}/checkmodule
%{_mandir}/man8/checkpolicy.8.gz
%{_mandir}/man8/checkmodule.8.gz
%{_bindir}/sedismod
%{_bindir}/sedispol

%changelog
* Thu Oct 19 2017 Vit Mojzis <vmojzis@redhat.com> - 2.5-6
- Add ibendport ocontext handling
- Add support for ibendportcon labels
- Add ibpkey ocontext handling
- Add support for ibpkeycon labels
- Add binary module support for xperms

* Mon Sep 25 2017 Vit Mojzis <vmojzis@redhat.com> - 2.5-5
- Rebuild to incorporate cgroup_seclabel capability introduced in libsepol (rhbz#1494179)

* Thu Aug 11 2016 Petr Lautrbach <plautrba@redhat.com> 2.5-4
- Extend checkpolicy pathname matching

* Mon Jun 27 2016 Petr Lautrbach <plautrba@redhat.com> - 2.5-3
- Fix typos in test/dispol
- Set flex as default lexer
- Fix checkmodule output message
- Build policy on systems not supporting DCCP protocol
- Fail if module name different than output base filename

* Mon Apr 11 2016 Petr Lautrbach <plautrba@redhat.com> - 2.5-2
- Add support for portcon dccp protocol

* Tue Feb 23 2016 Petr Lautrbach <plautrba@redhat.com> 2.5-1
- Update to upstream release 2016-02-23

* Fri Jan 24 2014 Daniel Mach <dmach@redhat.com> - 2.1.12-6
- Mass rebuild 2014-01-24

* Fri Dec 27 2013 Daniel Mach <dmach@redhat.com> - 2.1.12-5
- Mass rebuild 2013-12-27

* Tue Jul 16 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.12-4
- Fix a segmentation fault if the --handle-unknown option was set without
arguments.
- Thanks to Alexandre Rebert and his team at Carnegie Mellon University
for detecting this crash.

* Tue Mar 19 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.12-3
- ":" should be allowed for file trans names

* Tue Mar 12 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.12-2
- Space should be allowed for file trans names

* Thu Feb 7 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.12-1
- Update to upstream
* Fix errors found by coverity
* implement default type policy syntax
* Free allocated memory when clean up / exit.

* Sat Jan 5 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.11-3
- Update to latest patches from eparis/Upstream
- checkpolicy: libsepol: implement default type policy syntax
-
- We currently have a mechanism in which the default user, role, and range
- can be picked up from the source or the target object. This implements
- the same thing for types. The kernel will override this with type
- transition rules and similar. This is just the default if nothing
- specific is given.

* Wed Sep 19 2012 Dan Walsh <dwalsh@redhat.com> - 2.1.11-2
- Rebuild with fixed libsepol

* Thu Sep 13 2012 Dan Walsh <dwalsh@redhat.com> - 2.1.11-1
- Update to upstream
* fd leak reading policy
* check return code on ebitmap_set_bit

* Mon Jul 30 2012 Dan Walsh <dwalsh@redhat.com> - 2.1.10-4
- Rebuild to grab latest libsepol

* Tue Jul 24 2012 Dan Walsh <dwalsh@redhat.com> - 2.1.10-3
- Rebuild to grab latest libsepol

* Wed Jul 18 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.1.10-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild

* Wed Jul 4 2012 Dan Walsh <dwalsh@redhat.com> - 2.1.10-1
- Update to upstream
* sepolgen: We need to support files that have a + in them
* Android/MacOS X build support

* Mon Apr 23 2012 Dan Walsh <dwalsh@redhat.com> - 2.1.9-4
- Rebuild to get latest libsepol which fixes the file_name transition problems

* Tue Apr 17 2012 Dan Walsh <dwalsh@redhat.com> - 2.1.9-3
- Recompile with libsepol that has support for ptrace_child

* Tue Apr 3 2012 Dan Walsh <dwalsh@redhat.com> - 2.1.9-2
- Allow checkpolicy to use + in a file name

* Thu Mar 29 2012 Dan Walsh <dwalsh@redhat.com> - 2.1.9-1
- Update to upstream
* implement new default labeling behaviors for usr, role, range
* Fix dead links to www.nsa.gov/selinux

* Mon Jan 16 2012 Dan Walsh <dwalsh@redhat.com> - 2.1.8-3
- Fix man page to link to www.nsa.giv/research/selinux

* Thu Jan 12 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.1.8-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild

* Wed Dec 21 2011 Dan Walsh <dwalsh@redhat.com> - 2.1.8-1
-Update to upstream
* add ignoredirs config for genhomedircon
* Fallback_user_level can be NULL if you are not using MLS

* Wed Dec 21 2011 Dan Walsh <dwalsh@redhat.com> - 2.1.7-3
- default_rules should be optional

* Thu Dec 15 2011 Dan Walsh <dwalsh@redhat.com> - 2.1.7-2
- Rebuild with latest libsepol

* Tue Dec 6 2011 Dan Walsh <dwalsh@redhat.com> - 2.1.7-1
- Upgrade to upstream
* dis* fixed signed vs unsigned errors
* dismod: fix unused parameter errors
* test: Makefile: include -W and -Werror
* allow ~ in filename transition rules
- Allow policy to specify the source of target for generating the default user,role
- or mls label for a new target.

* Mon Nov 14 2011 Dan Walsh <dwalsh@redhat.com> - 2.1.6-2
- Allow ~ in a filename

* Fri Nov 4 2011 Dan Walsh <dwalsh@redhat.com> - 2.1.6-1
- Upgrade to upstream
* Revert "checkpolicy: Redo filename/filesystem syntax to support filename trans rules"
* drop libsepol dynamic link in checkpolicy

* Tue Sep 20 2011 Dan Walsh <dwalsh@redhat.com> - 2.1.5-2
- Fix checkpolicy to ignore '"' in filename trans rules

* Mon Sep 19 2011 Dan Walsh <dwalsh@redhat.com> - 2.1.5-1
-Update to upstream
* Separate tunable from boolean during compile.

* Tue Aug 30 2011 Dan Walsh <dwalsh@redhat.com> - 2.1.4-0
-Update to upstream
* checkpolicy: fix spacing in output message

* Thu Aug 18 2011 Dan Walsh <dwalsh@redhat.com> - 2.1.3-0
* add missing ; to attribute_role_def
*Redo filename/filesystem syntax to support filename trans

* Wed Aug 3 2011 Dan Walsh <dwalsh@redhat.com> - 2.1.2-0
-Update to upstream
* .gitignore changes
* dispol output of role trans
* man page update: build a module with an older policy version

* Thu Jul 28 2011 Dan Walsh <dwalsh@redhat.com> - 2.1.1-0
-Update to upstream
* Minor updates to filename trans rule output in dis{mod,pol}

* Thu Jul 28 2011 Dan Walsh <dwalsh@redhat.com> - 2.1.0-1
-Update to upstream

* Mon May 23 2011 Dan Walsh <dwalsh@redhat.com> - 2.0.26-1
-Update to upstream
* Wrap file names in filename transitions with quotes by Steve Lawrence.
* Allow filesystem names to start with a digit by James Carter.
* Add support for using the last path compnent in type transitions by Eric

* Thu Apr 21 2011 Dan Walsh <dwalsh@redhat.com> - 2.0.24-2
* Fixes for new role_transition class field by Eric Paris.

* Fri Apr 15 2011 Dan Walsh <dwalsh@redhat.com> - 2.0.24-2
- Add "-" as a file type

* Tue Apr 12 2011 Dan Walsh <dwalsh@redhat.com> - 2.0.24-1
-Update to upstream
* Add new class field in role_transition by Harry Ciao.

* Mon Apr 11 2011 Dan Walsh <dwalsh@redhat.com> - 2.0.23-5
- Fix type_transition to allow all files

* Tue Mar 29 2011 Dan Walsh <dwalsh@redhat.com> - 2.0.23-4
- Patches from Eric Paris
We just use random numbers to make menu selections. Use #defines and
names that make some sense instead.

This patch adds support for using the last path component as part of the
information in making labeling decisions for new objects. A example
rule looks like so:

type_transition unconfined_t etc_t:file system_conf_t eric;

This rule says if unconfined_t creates a file in a directory labeled
etc_t and the last path component is "eric" (no globbing, no matching
magic, just exact strcmp) it should be labeled system_conf_t.

The kernel and policy representation does not have support for such
rules in conditionals, and thus policy explicitly notes that fact if
such a rule is added to a conditional.


* Tue Feb 08 2011 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.0.23-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild

* Wed Jan 12 2011 Dan Walsh <dwalsh@redhat.com> - 2.0.23-2
- Add James Carters Patch
*This patch is needed because some filesystem names (such as 9p) start
with a digit.

* Tue Dec 21 2010 Dan Walsh <dwalsh@redhat.com> - 2.0.23-1
- Latest update from NSA
* Remove unused variables to fix compliation under GCC 4.6 by Justin Mattock

* Wed Dec 8 2010 Dan Walsh <dwalsh@redhat.com> - 2.0.22-2
- Rebuild to make sure it will build in Fedora

* Wed Jun 16 2010 Dan Walsh <dwalsh@redhat.com> - 2.0.22-1
- Latest update from NSA
* Update checkmodule man page and usage by Daniel Walsh and Steve Lawrence
- Allow policy version to be one number

* Mon May 3 2010 Dan Walsh <dwalsh@redhat.com> - 2.0.21-2
- Fix checkmodule man page and usage statements

* Sun Nov 1 2009 Dan Walsh <dwalsh@redhat.com> - 2.0.21-1
- Latest update from NSA
* Add support for building Xen policies from Paul Nuzzi.
* Add long options to checkpolicy and checkmodule by Guido
Trentalancia <guido@trentalancia.com>

* Fri Jul 24 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.0.19-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild

* Mon Feb 23 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.0.19-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild

* Wed Feb 18 2009 Dan Walsh <dwalsh@redhat.com> - 2.0.19-1
- Latest update from NSA
* Fix alias field in module format, caused by boundary format change
from Caleb Case.

* Fri Jan 30 2009 Dan Walsh <dwalsh@redhat.com> - 2.0.18-1
- Latest update from NSA
* Properly escape regex symbols in the lexer from Stephen Smalley.
* Add bounds support from KaiGai Kohei.

* Tue Oct 28 2008 Dan Walsh <dwalsh@redhat.com> - 2.0.16-4

* Mon Jul 7 2008 Dan Walsh <dwalsh@redhat.com> - 2.0.16-3
- Rebuild with new libsepol

* Wed May 28 2008 Tom "spot" Callaway <tcallawa@redhat.com> 2.0.16-2
- fix license tag

* Wed May 28 2008 Dan Walsh <dwalsh@redhat.com> - 2.0.16-1
- Latest update from NSA
* Update checkpolicy for user and role mapping support from Joshua Brindle.

* Fri May 2 2008 Dan Walsh <dwalsh@redhat.com> - 2.0.15-1
- Latest update from NSA
* Fix for policy module versions that look like IPv4 addresses from Jim Carter.
Resolves bug 444451.

* Fri May 2 2008 Dan Walsh <dwalsh@redhat.com> - 2.0.14-2
- Allow modules with 4 sections or more

* Thu Mar 27 2008 Dan Walsh <dwalsh@redhat.com> - 2.0.14-1
- Latest update from NSA
* Add permissive domain support from Eric Paris.

* Thu Mar 13 2008 Dan Walsh <dwalsh@redhat.com> - 2.0.13-1
- Latest update from NSA
* Split out non-grammar parts of policy_parse.yacc into
policy_define.c and policy_define.h from Todd C. Miller.
* Initialize struct policy_file before using it, from Todd C. Miller.
* Remove unused define, move variable out of .y file, simplify COND_ERR, from Todd C. Miller.

* Thu Feb 28 2008 Dan Walsh <dwalsh@redhat.com> - 2.0.10-1
- Latest update from NSA
* Use yyerror2() where appropriate from Todd C. Miller.
- Build against latest libsepol

* Fri Feb 22 2008 Dan Walsh <dwalsh@redhat.com> - 2.0.9-2
- Start shipping sedismod and sedispol

* Mon Feb 4 2008 Dan Walsh <dwalsh@redhat.com> - 2.0.9-1
- Latest update from NSA
* Update dispol for libsepol avtab changes from Stephen Smalley.

* Fri Jan 25 2008 Dan Walsh <dwalsh@redhat.com> - 2.0.8-1
- Latest update from NSA
* Deprecate role dominance in parser.

* Mon Jan 21 2008 Dan Walsh <dwalsh@redhat.com> - 2.0.7-2
- Update to use libsepol-static library

* Fri Jan 11 2008 Dan Walsh <dwalsh@redhat.com> - 2.0.7-1
- Latest update from NSA
* Added support for policy capabilities from Todd Miller.

* Thu Nov 15 2007 Dan Walsh <dwalsh@redhat.com> - 2.0.6-1
- Latest update from NSA
* Initialize the source file name from the command line argument so that checkpolicy/checkmodule report something more useful than "unknown source".
* Merged remove use of REJECT and trailing context in lex rules; make ipv4 address parsing like ipv6 from James Carter.

* Tue Sep 18 2007 Dan Walsh <dwalsh@redhat.com> - 2.0.4-1
* Merged handle unknown policydb flag support from Eric Paris.
Adds new command line options -U {allow, reject, deny} for selecting
the flag when a base module or kernel policy is built.

* Tue Aug 28 2007 Fedora Release Engineering <rel-eng at fedoraproject dot org> - 2.0.3-3
- Rebuild for selinux ppc32 issue.

* Mon Jun 18 2007 Dan Walsh <dwalsh@redhat.com> - 2.0.3-2
- Rebuild with the latest libsepol

* Sun Jun 17 2007 Dan Walsh <dwalsh@redhat.com> - 2.0.3-1
- Latest update from NSA
* Merged fix for segfault on duplicate require of sensitivity from Caleb Case.
* Merged fix for dead URLs in checkpolicy man pages from Dan Walsh.

* Thu Apr 12 2007 Dan Walsh <dwalsh@redhat.com> - 2.0.2-1
- Latest update from NSA
* Merged checkmodule man page fix from Dan Walsh.

* Fri Mar 30 2007 Dan Walsh <dwalsh@redhat.com> - 2.0.1-3
- Rebuild with new libsepol

* Wed Mar 28 2007 Dan Walsh <dwalsh@redhat.com> - 2.0.1-2
- Rebuild with new libsepol

* Mon Nov 20 2006 Dan Walsh <dwalsh@redhat.com> - 2.0.1-1
- Latest update from NSA
* Merged patch to allow dots in class identifiers from Caleb Case.

* Tue Nov 14 2006 Dan Walsh <dwalsh@redhat.com> - 2.0.0-1
- Latest update from NSA
* Merged patch to use new libsepol error codes by Karl MacMillan.
* Updated version for stable branch.

* Tue Nov 14 2006 Dan Walsh <dwalsh@redhat.com> - 1.33.1-2
- Rebuild for new libraries

* Tue Nov 14 2006 Dan Walsh <dwalsh@redhat.com> - 1.33.1-1
- Latest update from NSA
* Collapse user identifiers and identifiers together.

* Tue Oct 17 2006 Dan Walsh <dwalsh@redhat.com> - 1.32-1
- Latest update from NSA
* Updated version for release.

* Thu Sep 28 2006 Dan Walsh <dwalsh@redhat.com> - 1.30.12-1
- Latest update from NSA
* Merged user and range_transition support for modules from
Darrel Goeddel

* Wed Sep 6 2006 Dan Walsh <dwalsh@redhat.com> - 1.30.11-1
- Latest update from NSA
* merged range_transition enhancements and user module format
changes from Darrel Goeddel
* Merged symtab datum patch from Karl MacMillan.

* Wed Jul 12 2006 Jesse Keating <jkeating@redhat.com> - 1.30.9-1.1
- rebuild

* Tue Jul 4 2006 Dan Walsh <dwalsh@redhat.com> - 1.30.8-1
- Latest upgrade from NSA
* Lindent.
* Merged patch to remove TE rule conflict checking from the parser
from Joshua Brindle. This can only be done properly by the
expander.
* Merged patch to make checkpolicy/checkmodule handling of
duplicate/conflicting TE rules the same as the expander
from Joshua Brindle.
* Merged optionals in base take 2 patch set from Joshua Brindle.

* Tue May 23 2006 Dan Walsh <dwalsh@redhat.com> - 1.30.5-1
- Latest upgrade from NSA
* Merged compiler cleanup patch from Karl MacMillan.
* Merged fix warnings patch from Karl MacMillan.

* Wed Apr 5 2006 Dan Walsh <dwalsh@redhat.com> - 1.30.4-1
- Latest upgrade from NSA
* Changed require_class to reject permissions that have not been
declared if building a base module.

* Tue Mar 28 2006 Dan Walsh <dwalsh@redhat.com> - 1.30.3-1
- Latest upgrade from NSA
* Fixed checkmodule to call link_modules prior to expand_module
to handle optionals.
* Fixed require_class to avoid shadowing permissions already defined
in an inherited common definition.

* Mon Mar 27 2006 Dan Walsh <dwalsh@redhat.com> - 1.30.1-2
- Rebuild with new libsepol

* Thu Mar 23 2006 Dan Walsh <dwalsh@redhat.com> - 1.30.1-1
- Latest upgrade from NSA
* Moved processing of role and user require statements to 2nd pass.

* Fri Mar 17 2006 Dan Walsh <dwalsh@redhat.com> - 1.30-1
- Latest upgrade from NSA
* Updated version for release.
* Fixed bug in role dominance (define_role_dom).

* Fri Feb 17 2006 Dan Walsh <dwalsh@redhat.com> - 1.29.4-1
- Latest upgrade from NSA
* Added a check for failure to declare each sensitivity in
a level definition.
* Changed to clone level data for aliased sensitivities to
avoid double free upon sens_destroy. Bug reported by Kevin
Carr of Tresys Technology.

* Mon Feb 13 2006 Dan Walsh <dwalsh@redhat.com> - 1.29.2-1
- Latest upgrade from NSA
* Merged optionals in base patch from Joshua Brindle.

* Mon Feb 13 2006 Dan Walsh <dwalsh@redhat.com> - 1.29.1-1.2
- Need to build againi

* Fri Feb 10 2006 Jesse Keating <jkeating@redhat.com> - 1.29.1-1.1
- bump again for double-long bug on ppc(64)

* Tue Feb 07 2006 Dan Walsh <dwalsh@redhat.com> 1.29.1-1
- Latest upgrade from NSA
* Merged sepol_av_to_string patch from Joshua Brindle.

* Tue Feb 07 2006 Jesse Keating <jkeating@redhat.com> - 1.28-5.1
- rebuilt for new gcc4.1 snapshot and glibc changes

* Fri Jan 13 2006 Dan Walsh <dwalsh@redhat.com> 1.28-5
- Rebuild to get latest libsepol

* Fri Jan 13 2006 Dan Walsh <dwalsh@redhat.com> 1.28-5
- Rebuild to get latest libsepol

* Thu Jan 5 2006 Dan Walsh <dwalsh@redhat.com> 1.28-4
- Rebuild to get latest libsepol

* Wed Jan 4 2006 Dan Walsh <dwalsh@redhat.com> 1.28-3
- Rebuild to get latest libsepol

* Fri Dec 16 2005 Dan Walsh <dwalsh@redhat.com> 1.28-2
- Rebuild to get latest libsepol

* Fri Dec 09 2005 Jesse Keating <jkeating@redhat.com>
- rebuilt

* Fri Dec 9 2005 Dan Walsh <dwalsh@redhat.com> 1.28-1
- Latest upgrade from NSA

* Sun Dec 4 2005 Dan Walsh <dwalsh@redhat.com> 1.27.20-1
- Latest upgrade from NSA
* Merged checkmodule man page from Dan Walsh, and edited it.

* Thu Dec 1 2005 Dan Walsh <dwalsh@redhat.com> 1.27.19-1
- Latest upgrade from NSA
* Added error checking of all ebitmap_set_bit calls for out of
memory conditions.
* Merged removal of compatibility handling of netlink classes
(requirement that policies with newer versions include the
netlink class definitions, remapping of fine-grained netlink
classes in newer source policies to single netlink class when
generating older policies) from George Coker.

* Tue Nov 8 2005 Dan Walsh <dwalsh@redhat.com> 1.27.17-7
- Rebuild to get latest libsepol

* Tue Oct 25 2005 Dan Walsh <dwalsh@redhat.com> 1.27.17-1
- Latest upgrade from NSA
* Merged dismod fix from Joshua Brindle.

* Thu Oct 20 2005 Dan Walsh <dwalsh@redhat.com> 1.27.16-1
- Latest upgrade from NSA
* Removed obsolete cond_check_type_rules() function and call and
cond_optimize_lists() call from checkpolicy.c; these are handled
during parsing and expansion now.
* Updated calls to expand_module for interface change.
* Changed checkmodule to verify that expand_module succeeds
when building base modules.
* Merged module compiler fixes from Joshua Brindle.
* Removed direct calls to hierarchy_check_constraints() and
check_assertions() from checkpolicy since they are now called
internally by expand_module().

* Tue Oct 18 2005 Dan Walsh <dwalsh@redhat.com> 1.27.11-1
- Latest upgrade from NSA
* Updated for changes to sepol policydb_index_others interface.

* Tue Oct 18 2005 Dan Walsh <dwalsh@redhat.com> 1.27.10-1
- Latest upgrade from NSA
* Updated for changes to sepol expand_module and link_modules interfaces.
* Sat Oct 15 2005 Dan Walsh <dwalsh@redhat.com> 1.27.9-2
- Rebuild to get latest libsepol

* Fri Oct 14 2005 Dan Walsh <dwalsh@redhat.com> 1.27.9-1
- Latest upgrade from NSA
* Merged support for require blocks inside conditionals from
Joshua Brindle (Tresys).

* Wed Oct 12 2005 Karsten Hopp <karsten@redhat.de> 1.27.8-2
- add buildrequirement for libselinux-devel for dispol

* Mon Oct 10 2005 Dan Walsh <dwalsh@redhat.com> 1.27.8-1
- Latest upgrade from NSA
* Updated for changes to libsepol.

* Fri Oct 7 2005 Dan Walsh <dwalsh@redhat.com> 1.27.7-2
- Rebuild to get latest libsepol

* Thu Oct 6 2005 Dan Walsh <dwalsh@redhat.com> 1.27.7-1
- Latest upgrade from NSA
* Merged several bug fixes from Joshua Brindle (Tresys).

* Tue Oct 4 2005 Dan Walsh <dwalsh@redhat.com> 1.27.6-1
- Latest upgrade from NSA
* Merged MLS in modules patch from Joshua Brindle (Tresys).

* Mon Oct 3 2005 Dan Walsh <dwalsh@redhat.com> 1.27.5-2
- Rebuild to get latest libsepol

* Wed Sep 28 2005 Dan Walsh <dwalsh@redhat.com> 1.27.5-1
- Latest upgrade from NSA
* Merged error handling improvement in checkmodule from Karl MacMillan (Tresys).

* Tue Sep 27 2005 Dan Walsh <dwalsh@redhat.com> 1.27.4-1
- Latest upgrade from NSA
* Merged bugfix for dup role transition error messages from
Karl MacMillan (Tresys).

* Fri Sep 23 2005 Dan Walsh <dwalsh@redhat.com> 1.27.3-1
- Latest upgrade from NSA
* Merged policyver/modulever patches from Joshua Brindle (Tresys).

* Wed Sep 21 2005 Dan Walsh <dwalsh@redhat.com> 1.27.2-2
- Rebuild to get latest libsepol

* Wed Sep 21 2005 Dan Walsh <dwalsh@redhat.com> 1.27.2-1
- Latest upgrade from NSA
* Fixed parse_categories handling of undefined category.

* Tue Sep 20 2005 Dan Walsh <dwalsh@redhat.com> 1.27.1-2
- Rebuild to get latest libsepol

* Sat Sep 17 2005 Dan Walsh <dwalsh@redhat.com> 1.27.1-1
- Latest upgrade from NSA
* Merged bug fix for role dominance handling from Darrel Goeddel (TCS).
* Wed Sep 14 2005 Dan Walsh <dwalsh@redhat.com> 1.26-2
- Rebuild to get latest libsepol

* Mon Sep 12 2005 Dan Walsh <dwalsh@redhat.com> 1.26-1
- Latest upgrade from NSA
* Updated version for release.
- Rebuild to get latest libsepol

* Thu Sep 1 2005 Dan Walsh <dwalsh@redhat.com> 1.25.12-3
- Rebuild to get latest libsepol

* Mon Aug 29 2005 Dan Walsh <dwalsh@redhat.com> 1.25.12-2
- Rebuild to get latest libsepol

* Mon Aug 22 2005 Dan Walsh <dwalsh@redhat.com> 1.25.12-1
- Update to NSA Release
* Fixed handling of validatetrans constraint expressions.
Bug reported by Dan Walsh for checkpolicy -M.

* Mon Aug 22 2005 Dan Walsh <dwalsh@redhat.com> 1.25.11-2
- Fix mls crash

* Fri Aug 19 2005 Dan Walsh <dwalsh@redhat.com> 1.25.11-1
- Update to NSA Release
* Merged use-after-free fix from Serge Hallyn (IBM).
Bug found by Coverity.

* Sun Aug 14 2005 Dan Walsh <dwalsh@redhat.com> 1.25.10-1
- Update to NSA Release
* Fixed further memory leaks found by valgrind.
* Changed checkpolicy to destroy the policydbs prior to exit
to allow leak detection.
* Fixed several memory leaks found by valgrind.

* Sun Aug 14 2005 Dan Walsh <dwalsh@redhat.com> 1.25.8-3
- Rebuild to get latest libsepol changes

* Sat Aug 13 2005 Dan Walsh <dwalsh@redhat.com> 1.25.8-2
- Rebuild to get latest libsepol changes

* Thu Aug 11 2005 Dan Walsh <dwalsh@redhat.com> 1.25.8-1
- Update to NSA Release
* Updated checkpolicy and dispol for the new avtab format.
Converted users of ebitmaps to new inline operators.
Note: The binary policy format version has been incremented to
version 20 as a result of these changes. To build a policy
for a kernel that does not yet include these changes, use
the -c 19 option to checkpolicy.
* Merged patch to prohibit use of "self" as a type name from Jason Tang (Tresys).
* Merged patch to fix dismod compilation from Joshua Brindle (Tresys).

* Wed Aug 10 2005 Dan Walsh <dwalsh@redhat.com> 1.25.5-1
- Update to NSA Release
* Fixed call to hierarchy checking code to pass the right policydb.
* Merged patch to update dismod for the relocation of the
module read/write code from libsemanage to libsepol, and
to enable build of test subdirectory from Jason Tang (Tresys).

* Thu Jul 28 2005 Dan Walsh <dwalsh@redhat.com> 1.25.3-1
- Update to NSA Release
* Merged hierarchy check fix from Joshua Brindle (Tresys).

* Thu Jul 7 2005 Dan Walsh <dwalsh@redhat.com> 1.25.2-1
- Update to NSA Release
* Merged loadable module support from Tresys Technology.
* Merged patch to prohibit the use of * and ~ in type sets
(other than in neverallow statements) and in role sets
from Joshua Brindle (Tresys).
* Updated version for release.

* Fri May 20 2005 Dan Walsh <dwalsh@redhat.com> 1.23-4-1
- Update to NSA Release
* Merged cleanup patch from Dan Walsh.

* Thu May 19 2005 Dan Walsh <dwalsh@redhat.com> 1.23-3-1
- Update to NSA Release
* Added sepol_ prefix to Flask types to avoid namespace
collision with libselinux.

* Sat May 7 2005 Dan Walsh <dwalsh@redhat.com> 1.23-2-1
- Update to NSA Release
* Merged identifier fix from Joshua Brindle (Tresys).

* Thu Apr 14 2005 Dan Walsh <dwalsh@redhat.com> 1.23,1-1
* Merged hierarchical type/role patch from Tresys Technology.
* Merged MLS fixes from Darrel Goeddel of TCS.

* Thu Mar 10 2005 Dan Walsh <dwalsh@redhat.com> 1.22-1
- Update to NSA Release

* Tue Mar 1 2005 Dan Walsh <dwalsh@redhat.com> 1.21.4-2
- Rebuild for FC4

* Thu Feb 17 2005 Dan Walsh <dwalsh@redhat.com> 1.21.4-1
* Merged define_user() cleanup patch from Darrel Goeddel (TCS).
* Moved genpolusers utility to libsepol.
* Merged range_transition support from Darrel Goeddel (TCS).

* Thu Feb 10 2005 Dan Walsh <dwalsh@redhat.com> 1.21.2-1
- Latest from NSA
* Changed relabel Makefile target to use restorecon.

* Mon Feb 7 2005 Dan Walsh <dwalsh@redhat.com> 1.21.1-1
- Latest from NSA
* Merged enhanced MLS support from Darrel Goeddel (TCS).

* Fri Jan 7 2005 Dan Walsh <dwalsh@redhat.com> 1.20.1-1
- Update for version increase at NSA

* Mon Dec 20 2004 Dan Walsh <dwalsh@redhat.com> 1.19.2-1
- Latest from NSA
* Merged typeattribute statement patch from Darrel Goeddel of TCS.
* Changed genpolusers to handle multiple user config files.
* Merged nodecon ordering patch from Chad Hanson of TCS.

* Thu Nov 11 2004 Dan Walsh <dwalsh@redhat.com> 1.19.1-1
- Latest from NSA
* Merged nodecon ordering patch from Chad Hanson of TCS.

* Thu Nov 4 2004 Dan Walsh <dwalsh@redhat.com> 1.18.1-1
- Latest from NSA
* MLS build fix.

* Sat Sep 4 2004 Dan Walsh <dwalsh@redhat.com> 1.17.5-1
- Latest from NSA
* Fixed Makefile dependencies (Chris PeBenito).

* Sat Sep 4 2004 Dan Walsh <dwalsh@redhat.com> 1.17.4-1
- Latest from NSA
* Fixed Makefile dependencies (Chris PeBenito).

* Sat Sep 4 2004 Dan Walsh <dwalsh@redhat.com> 1.17.3-1
- Latest from NSA
* Merged fix for role dominance ordering issue from Chad Hanson of TCS.

* Mon Aug 30 2004 Dan Walsh <dwalsh@redhat.com> 1.17.2-1
- Latest from NSA

* Thu Aug 26 2004 Dan Walsh <dwalsh@redhat.com> 1.16.3-1
- Fix NSA package to not include y.tab files.

* Tue Aug 24 2004 Dan Walsh <dwalsh@redhat.com> 1.16.2-1
- Latest from NSA
- Allow port ranges to overlap

* Sun Aug 22 2004 Dan Walsh <dwalsh@redhat.com> 1.16.1-1
- Latest from NSA

* Mon Aug 16 2004 Dan Walsh <dwalsh@redhat.com> 1.15.6-1
- Latest from NSA

* Fri Aug 13 2004 Dan Walsh <dwalsh@redhat.com> 1.15.5-1
- Latest from NSA

* Wed Aug 11 2004 Dan Walsh <dwalsh@redhat.com> 1.15.4-1
- Latest from NSA

* Sat Aug 7 2004 Dan Walsh <dwalsh@redhat.com> 1.15.3-1
- Latest from NSA

* Wed Aug 4 2004 Dan Walsh <dwalsh@redhat.com> 1.15.2-1
- Latest from NSA

* Sat Jul 31 2004 Dan Walsh <dwalsh@redhat.com> 1.15.1-1
- Latest from NSA

* Tue Jul 27 2004 Dan Walsh <dwalsh@redhat.com> 1.14.2-1
- Latest from NSA

* Wed Jun 30 2004 Dan Walsh <dwalsh@redhat.com> 1.14.1-1
- Latest from NSA

* Fri Jun 18 2004 Dan Walsh <dwalsh@redhat.com> 1.12.2-1
- Latest from NSA

* Thu Jun 17 2004 Dan Walsh <dwalsh@redhat.com> 1.12.1-1
- Update to latest from NSA

* Wed Jun 16 2004 Dan Walsh <dwalsh@redhat.com> 1.12-1
- Update to latest from NSA

* Wed Jun 16 2004 Dan Walsh <dwalsh@redhat.com> 1.10-5
- Add nlclass patch

* Tue Jun 15 2004 Elliot Lee <sopwith@redhat.com>
- rebuilt

* Fri Jun 4 2004 Dan Walsh <dwalsh@redhat.com> 1.10-3
- Add BuildRequires flex

* Thu Apr 8 2004 Dan Walsh <dwalsh@redhat.com> 1.10-2
- Add BuildRequires byacc

* Thu Apr 8 2004 Dan Walsh <dwalsh@redhat.com> 1.10-1
- Upgrade to the latest from NSA

* Mon Mar 15 2004 Dan Walsh <dwalsh@redhat.com> 1.8-1
- Upgrade to the latest from NSA

* Tue Feb 24 2004 Dan Walsh <dwalsh@redhat.com> 1.6-1
- Upgrade to the latest from NSA

* Fri Feb 13 2004 Elliot Lee <sopwith@redhat.com>
- rebuilt

* Tue Jan 20 2004 Dan Walsh <dwalsh@redhat.com> 1.4-6
- Add typealias patch

* Tue Jan 20 2004 Dan Walsh <dwalsh@redhat.com> 1.4-5
- Update excludetypes with negset-final patch

* Wed Jan 14 2004 Dan Walsh <dwalsh@redhat.com> 1.4-4
- Add excludetypes patch

* Wed Jan 14 2004 Dan Walsh <dwalsh@redhat.com> 1.4-3
- Add Colin Walter's lineno patch

* Wed Jan 7 2004 Dan Walsh <dwalsh@redhat.com> 1.4-2
- Remove check for roles transition

* Sat Dec 6 2003 Dan Walsh <dwalsh@redhat.com> 1.4-1
- upgrade to 1.4

* Wed Oct 1 2003 Dan Walsh <dwalsh@redhat.com> 1.2-1
- upgrade to 1.2

* Thu Aug 28 2003 Dan Walsh <dwalsh@redhat.com> 1.1-2
- upgrade to 1.1

* Mon Jun 2 2003 Dan Walsh <dwalsh@redhat.com> 1.0-1
- Initial version
Write Preview
Loading…
Cancel
Save