rpms/libsepol/devel .cvsignore, 1.118, 1.119 libsepol-rhat.patch, 1.15, 1.16 libsepol.spec, 1.157, 1.158 sources, 1.119, 1.120

Daniel J Walsh (dwalsh) fedora-extras-commits at redhat.com
Sat Aug 11 11:02:15 UTC 2007


Author: dwalsh

Update of /cvs/extras/rpms/libsepol/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv9729

Modified Files:
	.cvsignore libsepol-rhat.patch libsepol.spec sources 
Log Message:
* Fri Aug 10 2007 Dan Walsh <dwalsh at redhat.com> 2.0.5-1
- Upgrade to latest from NSA
 	  * Fix sepol_context_clone to handle a NULL context correctly.
          This happens for e.g. semanage_fcontext_set_con(sh, fcontext, NULL)
	  to set the file context entry to "<<none>>".
- Apply patch from Joshua Brindle to disable dontaudit rules



Index: .cvsignore
===================================================================
RCS file: /cvs/extras/rpms/libsepol/devel/.cvsignore,v
retrieving revision 1.118
retrieving revision 1.119
diff -u -r1.118 -r1.119
--- .cvsignore	21 Jun 2007 14:42:58 -0000	1.118
+++ .cvsignore	11 Aug 2007 11:01:41 -0000	1.119
@@ -118,3 +118,4 @@
 libsepol-2.0.2.tgz
 libsepol-2.0.3.tgz
 libsepol-2.0.4.tgz
+libsepol-2.0.5.tgz

libsepol-rhat.patch:

Index: libsepol-rhat.patch
===================================================================
RCS file: /cvs/extras/rpms/libsepol/devel/libsepol-rhat.patch,v
retrieving revision 1.15
retrieving revision 1.16
diff -u -r1.15 -r1.16
--- libsepol-rhat.patch	28 Mar 2007 18:55:21 -0000	1.15
+++ libsepol-rhat.patch	11 Aug 2007 11:01:41 -0000	1.16
@@ -1,237 +1,77 @@
-diff --exclude-from=exclude -N -u -r nsalibsepol/include/sepol/policydb/conditional.h libsepol-2.0.1/include/sepol/policydb/conditional.h
---- nsalibsepol/include/sepol/policydb/conditional.h	2006-11-16 17:14:15.000000000 -0500
-+++ libsepol-2.0.1/include/sepol/policydb/conditional.h	2007-03-28 14:13:02.000000000 -0400
-@@ -100,6 +100,8 @@
- 				   cond_node_t * needle, cond_node_t * haystack,
- 				   int *was_created);
- 
-+extern cond_node_t *cond_node_create(policydb_t * p, cond_node_t * node);
-+
- extern cond_node_t *cond_node_search(policydb_t * p, cond_node_t * list,
- 				     cond_node_t * cn);
- 
-diff --exclude-from=exclude -N -u -r nsalibsepol/src/conditional.c libsepol-2.0.1/src/conditional.c
---- nsalibsepol/src/conditional.c	2006-11-16 17:14:24.000000000 -0500
-+++ libsepol-2.0.1/src/conditional.c	2007-03-28 14:13:02.000000000 -0400
-@@ -26,9 +26,6 @@
- 
- #include "private.h"
- 
--#undef min
--#define min(a,b) (((a) < (b)) ? (a) : (b))
--
- /* move all type rules to top of t/f lists to help kernel on evaluation */
- static void cond_optimize(cond_av_list_t ** l)
- {
-@@ -136,6 +133,38 @@
- 	return 1;
- }
- 
-+/* Create a new conditional node, optionally copying
-+ * the conditional expression from an existing node.
-+ * If node is NULL then a new node will be created
-+ * with no conditional expression.
-+ */
-+cond_node_t *cond_node_create(policydb_t * p, cond_node_t * node)
-+{
-+	cond_node_t *new_node;
-+	unsigned int i;
-+
-+	new_node = (cond_node_t *)malloc(sizeof(cond_node_t));
-+	if (!new_node) {
-+		return NULL;
-+	}
-+	memset(new_node, 0, sizeof(cond_node_t));
-+
-+	if (node) {
-+		new_node->expr = cond_copy_expr(node->expr);
-+		if (!new_node->expr) {
-+			free(new_node);
-+			return NULL;
-+		}
-+		new_node->cur_state = cond_evaluate_expr(p, new_node->expr);
-+		new_node->nbools = node->nbools;
-+		for (i = 0; i < min(node->nbools, COND_MAX_BOOLS); i++)
-+			new_node->bool_ids[i] = node->bool_ids[i];
-+		new_node->expr_pre_comp = node->expr_pre_comp;
-+	}
-+
-+	return new_node;
-+}
-+
- /* Find a conditional (the needle) within a list of existing ones (the
-  * haystack) that has a matching expression.  If found, return a
-  * pointer to the existing node, setting 'was_created' to 0.
-@@ -145,9 +174,6 @@
- 			    cond_node_t * needle, cond_node_t * haystack,
- 			    int *was_created)
- {
--	cond_node_t *new_node;
--	unsigned int i;
--
- 	while (haystack) {
- 		if (cond_expr_equal(needle, haystack)) {
- 			*was_created = 0;
-@@ -156,26 +182,8 @@
- 		haystack = haystack->next;
- 	}
- 	*was_created = 1;
--	new_node = (cond_node_t *) malloc(sizeof(cond_node_t));
--	if (!new_node) {
--		return NULL;
--	}
--	memset(new_node, 0, sizeof(cond_node_t));
--	new_node->expr = cond_copy_expr(needle->expr);
--	if (!new_node->expr) {
--		free(new_node);
--		return NULL;
--	}
--	new_node->cur_state = cond_evaluate_expr(p, new_node->expr);
--	new_node->nbools = needle->nbools;
--	for (i = 0; i < min(needle->nbools, COND_MAX_BOOLS); i++)
--		new_node->bool_ids[i] = needle->bool_ids[i];
--	new_node->expr_pre_comp = needle->expr_pre_comp;
--	new_node->true_list = NULL;
--	new_node->false_list = NULL;
--	new_node->avtrue_list = NULL;
--	new_node->avfalse_list = NULL;
--	return new_node;
-+
-+	return cond_node_create(p, needle);
- }
- 
- /* return either a pre-existing matching node or create a new node */
-diff --exclude-from=exclude -N -u -r nsalibsepol/src/expand.c libsepol-2.0.1/src/expand.c
---- nsalibsepol/src/expand.c	2007-02-07 12:11:48.000000000 -0500
-+++ libsepol-2.0.1/src/expand.c	2007-03-28 14:13:02.000000000 -0400
-@@ -35,10 +35,12 @@
- #include <assert.h>
- 
+diff --exclude-from=exclude -N -u -r nsalibsepol/include/sepol/handle.h libsepol-2.0.5/include/sepol/handle.h
+--- nsalibsepol/include/sepol/handle.h	2007-07-16 14:20:40.000000000 -0400
++++ libsepol-2.0.5/include/sepol/handle.h	2007-08-10 09:42:16.000000000 -0400
+@@ -7,6 +7,10 @@
+ /* Create and return a sepol handle. */
+ sepol_handle_t *sepol_handle_create(void);
+ 
++/* Set whether or not to disable dontaudits, 0 is default and does 
++ * not disable dontaudits, 1 disables them */
++void sepol_set_disable_dontaudit(sepol_handle_t * sh, int disable_dontaudit);
++
+ /* Destroy a sepol handle. */
+ void sepol_handle_destroy(sepol_handle_t *);
+ 
+diff --exclude-from=exclude -N -u -r nsalibsepol/src/expand.c libsepol-2.0.5/src/expand.c
+--- nsalibsepol/src/expand.c	2007-07-16 14:20:41.000000000 -0400
++++ libsepol-2.0.5/src/expand.c	2007-08-10 09:42:16.000000000 -0400
+@@ -1367,6 +1367,8 @@
+ 	} else if (specified & AVRULE_AUDITDENY) {
+ 		spec = AVTAB_AUDITDENY;
+ 	} else if (specified & AVRULE_DONTAUDIT) {
++		if (handle->disable_dontaudit)
++			return EXPAND_RULE_SUCCESS;
+ 		spec = AVTAB_AUDITDENY;
+ 	} else if (specified & AVRULE_NEVERALLOW) {
+ 		spec = AVTAB_NEVERALLOW;
+diff --exclude-from=exclude -N -u -r nsalibsepol/src/handle.c libsepol-2.0.5/src/handle.c
+--- nsalibsepol/src/handle.c	2007-07-16 14:20:41.000000000 -0400
++++ libsepol-2.0.5/src/handle.c	2007-08-10 09:42:16.000000000 -0400
+@@ -1,4 +1,5 @@
+ #include <stdlib.h>
++#include <assert.h>
+ #include "handle.h"
  #include "debug.h"
-+#include "private.h"
  
- typedef struct expand_state {
- 	int verbose;
- 	uint32_t *typemap;
-+	uint32_t *boolmap;
- 	policydb_t *base;
- 	policydb_t *out;
- 	sepol_handle_t *handle;
-@@ -791,8 +793,8 @@
- 		return -1;
- 	}
- 
--	new_bool->s.value = bool->s.value;
- 	state->out->p_bools.nprim++;
-+	new_bool->s.value = state->out->p_bools.nprim;
- 
- 	ret = hashtab_insert(state->out->p_bools.table,
- 			     (hashtab_key_t) new_id,
-@@ -804,6 +806,8 @@
- 		return -1;
- 	}
+@@ -13,9 +14,18 @@
+ 	sh->msg_callback = sepol_msg_default_handler;
+ 	sh->msg_callback_arg = NULL;
  
-+	state->boolmap[bool->s.value - 1] = new_bool->s.value;
++	/* by default do not disable dontaudits */
++	sh->disable_dontaudit = 0;
 +
- 	new_bool->state = bool->state;
- 
- 	return 0;
-@@ -1555,12 +1559,35 @@
- 	return 0;
+ 	return sh;
  }
  
-+static int cond_node_map_bools(expand_state_t * state, cond_node_t * cn)
++void sepol_set_disable_dontaudit(sepol_handle_t * sh, int disable_dontaudit)
 +{
-+	cond_expr_t *cur;
-+	unsigned int i;
-+
-+	cur = cn->expr;
-+	while (cur) {
-+		if (cur->bool)
-+			cur->bool = state->boolmap[cur->bool - 1];
-+		cur = cur->next;
-+	}
-+
-+	for (i = 0; i < min(cn->nbools, COND_MAX_BOOLS); i++)
-+		cn->bool_ids[i] = state->boolmap[cn->bool_ids[i] - 1];
-+
-+	if (cond_normalize_expr(state->out, cn)) {
-+		ERR(state->handle, "Error while normalizing conditional");
-+		return -1;
-+	}
-+
-+	return 0;
++	assert(sh !=NULL);
++	sh->disable_dontaudit = disable_dontaudit;
 +}
 +
- /* copy the nodes in *reverse* order -- the result is that the last
-  * given conditional appears first in the policy, so as to match the
-  * behavior of the upstream compiler */
- static int cond_node_copy(expand_state_t * state, cond_node_t * cn)
+ void sepol_handle_destroy(sepol_handle_t * sh)
  {
--	cond_node_t *new_cond;
-+	cond_node_t *new_cond, *tmp;
- 
- 	if (cn == NULL) {
- 		return 0;
-@@ -1573,11 +1600,26 @@
- 		return -1;
- 	}
- 
--	new_cond = cond_node_search(state->out, state->out->cond_list, cn);
-+	/* create a new temporary conditional node with the booleans
-+	 * mapped */
-+	tmp = cond_node_create(state->base, cn);
-+	if (!tmp) {
-+		ERR(state->handle, "Out of memory");
-+		return -1;
-+	}
-+
-+	if (cond_node_map_bools(state, tmp)) {
-+		ERR(state->handle, "Error mapping booleans");
-+		return -1;
-+	}
+ 	free(sh);
+diff --exclude-from=exclude -N -u -r nsalibsepol/src/handle.h libsepol-2.0.5/src/handle.h
+--- nsalibsepol/src/handle.h	2007-07-16 14:20:40.000000000 -0400
++++ libsepol-2.0.5/src/handle.h	2007-08-10 09:42:16.000000000 -0400
+@@ -14,6 +14,9 @@
+ 	void (*msg_callback) (void *varg,
+ 			      sepol_handle_t * handle, const char *fmt, ...);
+ 	void *msg_callback_arg;
 +
-+	new_cond = cond_node_search(state->out, state->out->cond_list, tmp);
- 	if (!new_cond) {
-+		cond_node_destroy(tmp);
- 		ERR(state->handle, "Out of memory!");
- 		return -1;
- 	}
-+	cond_node_destroy(tmp);
- 
- 	if (cond_avrule_list_copy
- 	    (state->out, cn->avtrue_list, &state->out->te_cond_avtab,
-@@ -2210,6 +2252,12 @@
- 		goto cleanup;
- 	}
- 
-+	state.boolmap = (uint32_t *)calloc(state.base->p_bools.nprim, sizeof(uint32_t));
-+	if (!state.boolmap) {
-+		ERR(handle, "Out of memory!");
-+		goto cleanup;
-+	}
++	int disable_dontaudit;
 +
- 	/* order is important - types must be first */
+ };
  
- 	/* copy types */
-@@ -2364,6 +2412,7 @@
- 
-       cleanup:
- 	free(state.typemap);
-+	free(state.boolmap);
- 	return retval;
- }
- 
-diff --exclude-from=exclude -N -u -r nsalibsepol/src/private.h libsepol-2.0.1/src/private.h
---- nsalibsepol/src/private.h	2007-02-07 12:11:48.000000000 -0500
-+++ libsepol-2.0.1/src/private.h	2007-03-28 14:13:02.000000000 -0400
-@@ -24,6 +24,9 @@
- #define le64_to_cpu(x) bswap_64(x)
  #endif
- 
-+#undef min
-+#define min(a,b) (((a) < (b)) ? (a) : (b))
-+
- /* Policy compatibility information. */
- struct policydb_compat_info {
- 	unsigned int type;
+diff --exclude-from=exclude -N -u -r nsalibsepol/src/libsepol.map libsepol-2.0.5/src/libsepol.map
+--- nsalibsepol/src/libsepol.map	2007-07-16 14:20:41.000000000 -0400
++++ libsepol-2.0.5/src/libsepol.map	2007-08-10 09:42:16.000000000 -0400
+@@ -12,5 +12,6 @@
+ 	sepol_policydb_*; sepol_set_policydb_from_file; 
+ 	sepol_policy_kern_*;
+ 	sepol_policy_file_*;
++	sepol_set_disable_dontaudit;
+   local: *;
+ };
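Review bot: In the expand.c part of the new patch, `handle->disable_dontaudit` is dereferenced unconditionally; if this expansion path can be reached with a NULL `sepol_handle_t` — as the rest of libsepol's handle-taking API appears to tolerate — the first dontaudit rule in a module will crash the expander, so guard it as `if (handle && handle->disable_dontaudit)`. The enclosing expand.c function starts and ends outside the hunk, so I cannot confirm from here whether `handle` is a parameter or a state field. Relatedly, `sepol_set_disable_dontaudit` protects its new public, exported (libsepol.map) entry point only with `assert(sh != NULL)`, which compiles out under NDEBUG and then becomes a NULL write; `if (!sh) return;` would be the safer contract. Since the early `return EXPAND_RULE_SUCCESS` drops the AVTAB_AUDITDENY entry altogether, the built policy will log denials the policy author deliberately silenced — presumably the intent (surfacing hidden denials for debugging), but the handle.h comment should say so, e.g. `/* Intended for debugging: the resulting policy audits denials that dontaudit rules would normally suppress. */`.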


Index: libsepol.spec
===================================================================
RCS file: /cvs/extras/rpms/libsepol/devel/libsepol.spec,v
retrieving revision 1.157
retrieving revision 1.158
diff -u -r1.157 -r1.158
--- libsepol.spec	21 Jun 2007 14:42:58 -0000	1.157
+++ libsepol.spec	11 Aug 2007 11:01:41 -0000	1.158
@@ -1,10 +1,12 @@
+
 Summary: SELinux binary policy manipulation library 
 Name: libsepol
-Version: 2.0.4
+Version: 2.0.5
 Release: 1%{?dist}
 License: GPL
 Group: System Environment/Libraries
 Source: http://www.nsa.gov/selinux/archives/libsepol-%{version}.tgz
+Patch: libsepol-rhat.patch
 
 Prefix: %{_prefix}
 BuildRoot: %{_tmppath}/%{name}-buildroot
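Review bot: A stray blank line is added as the new first line of the spec (the lone `+` at the top of the hunk) and serves no purpose; drop it so the file still begins with `Summary:`. The `Patch:` declaration itself is consistent with the `%patch -p1 -b .rhat` applied in `%prep` below.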
@@ -37,6 +39,7 @@
 
 %prep
 %setup -q
+%patch -p1 -b .rhat
 # sparc64 is an -fPIC arch, so we need to fix it here
 %ifarch sparc64
 sed -i 's/fpic/fPIC/g' src/Makefile
@@ -85,6 +88,14 @@
 /%{_lib}/libsepol.so.1
 
 %changelog
+* Fri Aug 10 2007 Dan Walsh <dwalsh at redhat.com> 2.0.5-1
+- Upgrade to latest from NSA
+ 	  * Fix sepol_context_clone to handle a NULL context correctly.
+          This happens for e.g. semanage_fcontext_set_con(sh, fcontext, NULL)
+	  to set the file context entry to "<<none>>".
+- Apply patch from Joshua Brindle to disable dontaudit rules
+
+
 * Thu Jun 21 2007 Dan Walsh <dwalsh at redhat.com> 2.0.4-1
 - Upgrade to latest from NSA
 	* Merged error handling patch from Eamon Walsh.


Index: sources
===================================================================
RCS file: /cvs/extras/rpms/libsepol/devel/sources,v
retrieving revision 1.119
retrieving revision 1.120
diff -u -r1.119 -r1.120
--- sources	21 Jun 2007 14:42:58 -0000	1.119
+++ sources	11 Aug 2007 11:01:41 -0000	1.120
@@ -1 +1 @@
-ccb82efce867a164184168be77e4f427  libsepol-2.0.4.tgz
+dba7b7efc17e1521e6513a303f01bd3f  libsepol-2.0.5.tgz



