From 2bc870cb5682f40b9b5a05caf977e15bb6f8b5d8 Mon Sep 17 00:00:00 2001
From: Dan Walsh
Date: Apr 05 2012 16:19:37 +0000
Subject: Allow checkpolicy to use + in a file name
---
diff --git a/.gitignore b/.gitignore
index bd8d998..c3246a7 100644
--- a/.gitignore
+++ b/.gitignore
@@ -85,3 +85,4 @@ checkpolicy-2.0.22.tgz
 /checkpolicy-2.1.6.tgz
 /checkpolicy-2.1.7.tgz
 /checkpolicy-2.1.8.tgz
+/checkpolicy-2.1.9.tgz
diff --git a/checkpolicy-filesystem.patch b/checkpolicy-filesystem.patch
deleted file mode 100644
index c1f2442..0000000
--- a/checkpolicy-filesystem.patch
+++ /dev/null
@@ -1,65 +0,0 @@ - policy_parse.y | 14 ++++++++++---- - policy_scan.l | 1 + - 2 files changed, 11 insertions(+), 4 deletions(-) - -diff --git a/checkpolicy/policy_parse.y b/checkpolicy/policy_parse.y -index 8d1bc37..0777238 100644 ---- a/checkpolicy/policy_parse.y -+++ b/checkpolicy/policy_parse.y -@@ -138,6 +138,7 @@ typedef int (* require_func_t)(); - %token MODULE VERSION_IDENTIFIER REQUIRE OPTIONAL - %token POLICYCAP - %token PERMISSIVE -+%token FILESYSTEM - - %left OR - %left XOR -@@ -637,7 +638,7 @@ opt_fs_uses : fs_uses - fs_uses : fs_use_def - | fs_uses fs_use_def - ; --fs_use_def : FSUSEXATTR identifier security_context_def ';' -+fs_use_def : FSUSEXATTR filesystem security_context_def ';' - {if (define_fs_use(SECURITY_FS_USE_XATTR)) return -1;} - | FSUSETASK identifier security_context_def ';' - {if (define_fs_use(SECURITY_FS_USE_TASK)) return -1;} -@@ -650,11 +651,11 @@ opt_genfs_contexts : genfs_contexts - genfs_contexts : genfs_context_def - | genfs_contexts genfs_context_def - ; --genfs_context_def : GENFSCON identifier path '-' identifier security_context_def -+genfs_context_def : GENFSCON filesystem path '-' identifier security_context_def - {if (define_genfs_context(1)) return -1;} -- | GENFSCON identifier path '-' '-' {insert_id("-", 0);} security_context_def -+ | GENFSCON filesystem path '-' '-' {insert_id("-", 0);} security_context_def - {if (define_genfs_context(1)) return -1;} -- | GENFSCON identifier path security_context_def -+ | GENFSCON filesystem path security_context_def - {if (define_genfs_context(0)) return -1;} - ; - ipv4_addr_def : IPV4_ADDR -@@ -728,6 +729,11 @@ nested_id_element : identifier | '-' { if (insert_id("-", 0)) return -1; } - identifier : IDENTIFIER - { if (insert_id(yytext,0)) return -1; } - ; -+filesystem : FILESYSTEM -+ { if (insert_id(yytext,0)) return -1; } -+ | IDENTIFIER -+ { if (insert_id(yytext,0)) return -1; } -+ ; - path : PATH - { if (insert_id(yytext,0)) return -1; } - ; -diff --git 
a/checkpolicy/policy_scan.l
-index 48128a8..65aff8d 100644
---- a/checkpolicy/policy_scan.l
-+++ b/checkpolicy/policy_scan.l
-@@ -217,6 +217,7 @@ permissive |
- PERMISSIVE { return(PERMISSIVE); }
- "/"({alnum}|[_\.\-/])* { return(PATH); }
- {letter}({alnum}|[_\-])*([\.]?({alnum}|[_\-]))* { return(IDENTIFIER); }
-+{alnum}*{letter}{alnum}* { return(FILESYSTEM); }
- {digit}+|0x{hexval}+ { return(NUMBER); }
- {digit}{1,3}(\.{digit}{1,3}){3} { return(IPV4_ADDR); }
- {hexval}{0,4}":"{hexval}{0,4}":"({hexval}|[:.])* { return(IPV6_ADDR); }
-
diff --git a/checkpolicy-rhat.patch b/checkpolicy-rhat.patch
index 196f0cb..87748ca 100644
--- a/checkpolicy-rhat.patch
+++ b/checkpolicy-rhat.patch
@@ -1,232 +1,13 @@ -diff --git a/checkpolicy/checkmodule.8 b/checkpolicy/checkmodule.8 -index 473f642..40f73c5 100644 ---- a/checkpolicy/checkmodule.8 -+++ b/checkpolicy/checkmodule.8 -@@ -53,7 +53,7 @@ $ checkmodule -M -m httpd.te -o httpd.mod - - .SH "SEE ALSO" - .B semodule(8), semodule_package(8) --SELinux documentation at http://www.nsa.gov/selinux, -+SELinux documentation at http://www.nsa.gov/research/selinux, - especially "Configuring the SELinux Policy". - - -diff --git a/checkpolicy/checkpolicy.8 b/checkpolicy/checkpolicy.8 -index f79239e..6826938 100644 ---- a/checkpolicy/checkpolicy.8 -+++ b/checkpolicy/checkpolicy.8 -@@ -46,7 +46,7 @@ Show version information. - Show usage information. - - .SH "SEE ALSO" --SELinux documentation at http://www.nsa.gov/selinux, -+SELinux documentation at http://www.nsa.gov/research/selinux, - especially "Configuring the SELinux Policy". - - -diff --git a/checkpolicy/policy_define.c b/checkpolicy/policy_define.c -index d19fc61..a86c6b3 100644 ---- a/checkpolicy/policy_define.c -+++ b/checkpolicy/policy_define.c -@@ -351,6 +351,102 @@ static int read_classes(ebitmap_t *e_classes) - return 0; - } - -+int define_default_user(int which) -+{ -+ char *id; -+ class_datum_t *cladatum; -+ -+ if (pass == 1) { -+ while ((id = queue_remove(id_queue))) -+ free(id); -+ return 0; -+ } -+ -+ while ((id = queue_remove(id_queue))) { -+ if (!is_id_in_scope(SYM_CLASSES, id)) { -+ yyerror2("class %s is not within scope", id); -+ return -1; -+ } -+ cladatum = hashtab_search(policydbp->p_classes.table, id); -+ if (!cladatum) { -+ yyerror2("unknown class %s", id); -+ return -1; -+ } -+ if (cladatum->default_user && cladatum->default_user != which) { -+ yyerror2("conflicting default user information for class %s", id); -+ return -1; -+ } -+ cladatum->default_user = which; -+ free(id); -+ } -+ -+ return 0; -+} -+ -+int define_default_role(int which) -+{ -+ char *id; -+ class_datum_t *cladatum; -+ -+ if (pass == 1) { -+ while ((id = 
queue_remove(id_queue))) -+ free(id); -+ return 0; -+ } -+ -+ while ((id = queue_remove(id_queue))) { -+ if (!is_id_in_scope(SYM_CLASSES, id)) { -+ yyerror2("class %s is not within scope", id); -+ return -1; -+ } -+ cladatum = hashtab_search(policydbp->p_classes.table, id); -+ if (!cladatum) { -+ yyerror2("unknown class %s", id); -+ return -1; -+ } -+ if (cladatum->default_role && cladatum->default_role != which) { -+ yyerror2("conflicting default role information for class %s", id); -+ return -1; -+ } -+ cladatum->default_role = which; -+ free(id); -+ } -+ -+ return 0; -+} -+ -+int define_default_range(int which) -+{ -+ char *id; -+ class_datum_t *cladatum; -+ -+ if (pass == 1) { -+ while ((id = queue_remove(id_queue))) -+ free(id); -+ return 0; -+ } -+ -+ while ((id = queue_remove(id_queue))) { -+ if (!is_id_in_scope(SYM_CLASSES, id)) { -+ yyerror2("class %s is not within scope", id); -+ return -1; -+ } -+ cladatum = hashtab_search(policydbp->p_classes.table, id); -+ if (!cladatum) { -+ yyerror2("unknown class %s", id); -+ return -1; -+ } -+ if (cladatum->default_range && cladatum->default_range != which) { -+ yyerror2("conflicting default range information for class %s", id); -+ return -1; -+ } -+ cladatum->default_range = which; -+ free(id); -+ } -+ -+ return 0; -+} -+ - int define_common_perms(void) - { - char *id = 0, *perm = 0; -diff --git a/checkpolicy/policy_define.h b/checkpolicy/policy_define.h -index 92a9be7..ccbe56f 100644 ---- a/checkpolicy/policy_define.h -+++ b/checkpolicy/policy_define.h -@@ -24,6 +24,9 @@ int define_av_perms(int inherits); - int define_bool_tunable(int is_tunable); - int define_category(void); - int define_class(void); -+int define_default_user(int which); -+int define_default_role(int which); -+int define_default_range(int which); - int define_common_perms(void); - int define_compute_type(int which); - int define_conditional(cond_expr_t *expr, avrule_t *t_list, avrule_t *f_list ); -diff --git a/checkpolicy/policy_parse.y 
b/checkpolicy/policy_parse.y -index d808111..d92cc32 100644 ---- a/checkpolicy/policy_parse.y -+++ b/checkpolicy/policy_parse.y -@@ -143,6 +143,8 @@ typedef int (* require_func_t)(); - %token POLICYCAP - %token PERMISSIVE - %token FILESYSTEM -+%token DEFAULT_USER DEFAULT_ROLE DEFAULT_RANGE -+%token LOW_HIGH LOW HIGH - - %left OR - %left XOR -@@ -157,7 +159,7 @@ base_policy : { if (define_policy(pass, 0) == -1) return -1; } - classes initial_sids access_vectors - { if (pass == 1) { if (policydb_index_classes(policydbp)) return -1; } - else if (pass == 2) { if (policydb_index_others(NULL, policydbp, 0)) return -1; }} -- opt_mls te_rbac users opt_constraints -+ opt_default_rules opt_mls te_rbac users opt_constraints - { if (pass == 1) { if (policydb_index_bools(policydbp)) return -1;} - else if (pass == 2) { if (policydb_index_others(NULL, policydbp, 0)) return -1;}} - initial_sid_contexts opt_fs_contexts opt_fs_uses opt_genfs_contexts net_contexts opt_dev_contexts -@@ -195,6 +197,39 @@ av_perms_def : CLASS identifier '{' identifier_list '}' - | CLASS identifier INHERITS identifier '{' identifier_list '}' - {if (define_av_perms(TRUE)) return -1;} - ; -+opt_default_rules : default_rules -+ | -+ ; -+default_rules : default_user_def -+ | default_role_def -+ | default_range_def -+ | default_rules default_user_def -+ | default_rules default_role_def -+ | default_rules default_range_def -+ ; -+default_user_def : DEFAULT_USER names SOURCE ';' -+ {if (define_default_user(DEFAULT_SOURCE)) return -1; } -+ | DEFAULT_USER names TARGET ';' -+ {if (define_default_user(DEFAULT_TARGET)) return -1; } -+ ; -+default_role_def : DEFAULT_ROLE names SOURCE ';' -+ {if (define_default_role(DEFAULT_SOURCE)) return -1; } -+ | DEFAULT_ROLE names TARGET ';' -+ {if (define_default_role(DEFAULT_TARGET)) return -1; } -+ ; -+default_range_def : DEFAULT_RANGE names SOURCE LOW ';' -+ {if (define_default_range(DEFAULT_SOURCE_LOW)) return -1; } -+ | DEFAULT_RANGE names SOURCE HIGH ';' -+ {if 
(define_default_range(DEFAULT_SOURCE_HIGH)) return -1; }
-+ | DEFAULT_RANGE names SOURCE LOW_HIGH ';'
-+ {if (define_default_range(DEFAULT_SOURCE_LOW_HIGH)) return -1; }
-+ | DEFAULT_RANGE names TARGET LOW ';'
-+ {if (define_default_range(DEFAULT_TARGET_LOW)) return -1; }
-+ | DEFAULT_RANGE names TARGET HIGH ';'
-+ {if (define_default_range(DEFAULT_TARGET_HIGH)) return -1; }
-+ | DEFAULT_RANGE names TARGET LOW_HIGH ';'
-+ {if (define_default_range(DEFAULT_TARGET_LOW_HIGH)) return -1; }
-+ ;
- opt_mls : mls
- |
- ;
 diff --git a/checkpolicy/policy_scan.l b/checkpolicy/policy_scan.l
-index 9b24db5..e767b5f 100644
+index e767b5f..143e797 100644
 --- a/checkpolicy/policy_scan.l
 +++ b/checkpolicy/policy_scan.l
-@@ -221,6 +221,18 @@ policycap |
- POLICYCAP { return(POLICYCAP); }
- permissive |
- PERMISSIVE { return(PERMISSIVE); }
-+default_user |
-+DEFAULT_USER { return(DEFAULT_USER); }
-+default_role |
-+DEFAULT_ROLE { return(DEFAULT_ROLE); }
-+default_range |
-+DEFAULT_RANGE { return(DEFAULT_RANGE); }
-+low-high |
-+LOW-HIGH { return(LOW_HIGH); }
-+high |
-+HIGH { return(HIGH); }
-+low |
-+LOW { return(LOW); }
+@@ -234,7 +234,7 @@ HIGH { return(HIGH); }
+ low |
+ LOW { return(LOW); }
 "/"({alnum}|[_\.\-/])* { return(PATH); }
- \"({alnum}|[_\.\-\~])+\" { return(FILENAME); }
+-\"({alnum}|[_\.\-\~])+\" { return(FILENAME); }
++\"({alnum}|[_\.\-\+\~])+\" { return(FILENAME); }
 {letter}({alnum}|[_\-])*([\.]?({alnum}|[_\-]))* { return(IDENTIFIER); }
+ {alnum}*{letter}{alnum}* { return(FILESYSTEM); }
+ {digit}+|0x{hexval}+ { return(NUMBER); }
diff --git a/sources b/sources
index 53c482d..eb07af5 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-b2c0d0a07a0ea1bab8e4014be0054010 checkpolicy-2.1.8.tgz
+bf89762f257f145244a77d58ca31b95b checkpolicy-2.1.9.tgz
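Review bot: The widened FILENAME rule on the new side, `\"({alnum}|[_\.\-\+\~])+\"`, still carries no comment recording which characters a quoted file name may contain, so the next request for another legal file-name byte (space, `:`, `@`, `,`) will again surface only as a scanner rejection with no hint of the intended set. I would add immediately above the rule in policy_scan.l: `/* quoted file name: alnum plus _ . - + ~ only; any other byte is rejected by the scanner */`. The surrounding context lines (`+ LOW { return(LOW); }`, `+ {alnum}*{letter}{alnum}* { return(FILESYSTEM); }`) suggest 2.1.9 now ships the rules this patch used to add, so the remaining one-character change looks like an upstream candidate rather than a long-lived distro patch; that is an inference from the context, not something the hunk states. The scanner's rule table starts and ends outside this hunk.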