Hello community, here is the log from the commit of package checkpolicy for openSUSE:Factory checked in at Tue Mar 9 16:17:49 CET 2010. -------- --- checkpolicy/checkpolicy.changes 2009-06-23 12:29:54.000000000 +0200 +++ /mounts/work_src_done/STABLE/checkpolicy/checkpolicy.changes 2010-02-25 15:52:37.000000000 +0100 @@ -1,0 +2,8 @@ +Thu Feb 25 14:51:44 UTC 2010 - prusnak@suse.cz + +- updated to 2.0.21 + * Add support for building Xen policies from Paul Nuzzi. + * Add long options to checkpolicy and checkmodule by Guido + Trentalancia <guido@trentalancia.com> + +------------------------------------------------------------------- calling whatdependson for head-i586 Old: ---- checkpolicy-2.0.19.tar.bz2 New: ---- checkpolicy-2.0.21.tar.bz2 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ checkpolicy.spec ++++++ --- /var/tmp/diff_new_pack.q8COL3/_old 2010-03-09 16:17:42.000000000 +0100 +++ /var/tmp/diff_new_pack.q8COL3/_new 2010-03-09 16:17:42.000000000 +0100 @@ -1,7 +1,7 @@ # -# spec file for package checkpolicy (Version 2.0.19) +# spec file for package checkpolicy (Version 2.0.21) # -# Copyright (c) 2009 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed 
@@ -17,16 +17,16 @@ # norootforbuild -%define libsepol_ver 2.0.35 +%define libsepol_ver 2.0.39 BuildRequires: bison flex-old BuildRequires: libsepol-devel-static >= %{libsepol_ver} BuildRequires: libselinux-devel Name: checkpolicy -Version: 2.0.19 +Version: 2.0.21 Release: 1 Url: http://www.nsa.gov/selinux/ -License: GPL v2 or later +License: GPLv2+ Group: Productivity/Security Summary: SELinux policy compiler Source: %{name}-%{version}.tar.bz2 ++++++ checkpolicy-2.0.19.tar.bz2 -> checkpolicy-2.0.21.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/checkpolicy-2.0.19/ChangeLog new/checkpolicy-2.0.21/ChangeLog --- old/checkpolicy-2.0.19/ChangeLog 2009-02-18 22:45:19.000000000 +0100 +++ new/checkpolicy-2.0.21/ChangeLog 2009-12-01 21:47:18.000000000 +0100 @@ -1,3 +1,10 @@ +2.0.21 2009-11-27 + * Add long options to checkpolicy and checkmodule by Guido + Trentalancia <guido@trentalancia.com> + +2.0.20 2009-10-14 + * Add support for building Xen policies from Paul Nuzzi. + 2.0.19 2009-02-18 * Fix alias field in module format, caused by boundary format change from Caleb Case. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/checkpolicy-2.0.19/VERSION new/checkpolicy-2.0.21/VERSION --- old/checkpolicy-2.0.19/VERSION 2009-02-18 22:45:19.000000000 +0100 +++ new/checkpolicy-2.0.21/VERSION 2009-12-01 21:47:18.000000000 +0100 @@ -1 +1 @@ -2.0.19 +2.0.21 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/checkpolicy-2.0.19/checkmodule.8 new/checkpolicy-2.0.21/checkmodule.8 --- old/checkpolicy-2.0.19/checkmodule.8 2009-02-18 22:45:19.000000000 +0100 +++ new/checkpolicy-2.0.21/checkmodule.8 2009-12-01 21:47:18.000000000 +0100 
@@ -21,23 +21,26 @@ .SH OPTIONS .TP -.B -b +.B -b,--binary Read an existing binary policy module file rather than a source policy module file. This option is a development/debugging aid. .TP .B -m Generate a non-base policy module. .TP -.B -M +.B -M,--mls Enable the MLS/MCS support when checking and compiling the policy module. .TP -.B -V +.B -V,--version Show policy versions created by this program .TP -.B -o filename +.B -o,--output filename Write a binary policy module file to the specified filename. Otherwise, checkmodule will only check the syntax of the module source file and will not generate a binary module at all. +.TP +.B -U,--handle-unknown <action> +Specify how the kernel should handle unknown classes or permissions (deny, allow or reject). .SH EXAMPLE .nf diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/checkpolicy-2.0.19/checkmodule.c new/checkpolicy-2.0.21/checkmodule.c --- old/checkpolicy-2.0.19/checkmodule.c 2009-02-18 22:45:19.000000000 +0100 +++ new/checkpolicy-2.0.21/checkmodule.c 2009-12-01 21:47:18.000000000 +0100 
@@ -163,8 +163,18 @@ int ch; int show_version = 0; policydb_t modpolicydb; + struct option long_options[] = { + {"help", no_argument, NULL, 'h'}, + {"output", required_argument, NULL, 'o'}, + {"binary", no_argument, NULL, 'b'}, + {"version", no_argument, NULL, 'V'}, + {"handle-unknown", optional_argument, NULL, 'U'}, + {"debug", no_argument, NULL, 'd'}, + {"mls", no_argument, NULL, 'M'}, + {NULL, 0, NULL, 0} + }; - while ((ch = getopt(argc, argv, "ho:dbVU:mM")) != EOF) { + while ((ch = getopt_long(argc, argv, "ho:bVU:mM", long_options, NULL)) != -1) { switch (ch) { case 'h': usage(argv[0]); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/checkpolicy-2.0.19/checkpolicy.8 new/checkpolicy-2.0.21/checkpolicy.8 --- old/checkpolicy-2.0.19/checkpolicy.8 2009-02-18 22:45:19.000000000 +0100 +++ new/checkpolicy-2.0.21/checkpolicy.8 2009-12-01 21:47:18.000000000 +0100 
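Review bot: The short-option string handed to getopt_long drops the `d` that the old `getopt` string had, while the new long_options table still maps `--debug` to 'd', so `-d` is now rejected but `--debug` still reaches whatever `case 'd'` exists below the hunk (the switch body is outside it). Separately, `handle-unknown` is declared `optional_argument` although the short string says `U:` (required): with `optional_argument` getopt_long only binds `--handle-unknown=deny`, so the documented form `--handle-unknown deny` leaves optarg NULL for the 'U' handler (which the short-only code could never see) and `deny` falls through as the input-file operand. I would change the row to `{"handle-unknown", required_argument, NULL, 'U'},` and either restore `"ho:dbVU:mM"` or drop the `debug` row so the two option tables agree. The enclosing main() starts and ends outside the hunk.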
@@ -18,20 +18,32 @@ .SH OPTIONS .TP -.B -b +.B -b,--binary Read an existing binary policy file rather than a source policy.conf file. .TP -.B -d +.B -d,--debug Enter debug mode after loading the policy. .TP -.B -M +.B -M,--mls Enable the MLS policy when checking and compiling the policy. .TP -.B -o filename +.B -o,--output filename Write a binary policy file to the specified filename. .TP .B -c policyvers Specify the policy version, defaults to the latest. +.TP +.B -t,--target +Specify the target platform (selinux or xen). +.TP +.B -U,--handle-unknown <action> +Specify how the kernel should handle unknown classes or permissions (deny, allow or reject). +.TP +.B -V,--version +Show version information. +.TP +.B -h,--help +Show usage information. .SH "SEE ALSO" SELinux documentation at http://www.nsa.gov/selinux, diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/checkpolicy-2.0.19/checkpolicy.c new/checkpolicy-2.0.21/checkpolicy.c --- old/checkpolicy-2.0.19/checkpolicy.c 2009-02-18 22:45:19.000000000 +0100 +++ new/checkpolicy-2.0.21/checkpolicy.c 2009-12-01 21:47:18.000000000 +0100 @@ -100,7 +100,9 @@ void usage(char *progname) { printf - ("usage: %s [-b] [-d] [-U handle_unknown (allow,deny,reject) [-M] [-c policyvers (%d-%d)] [-o output_file] [input_file]\n", + ("usage: %s [-b] [-d] [-U handle_unknown (allow,deny,reject)] [-M]" + "[-c policyvers (%d-%d)] [-o output_file] [-t target_platform (selinux,xen)]" + "[input_file]\n", progname, POLICYDB_VERSION_MIN, POLICYDB_VERSION_MAX); exit(1); } @@ -381,7 +383,7 @@ unsigned int protocol, port; unsigned int binary = 0, debug = 0; struct val_to_name v; - int ret, ch, fd; + int ret, ch, fd, target = SEPOL_TARGET_SELINUX; unsigned int nel, uret; struct stat sb; void *map; 
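Review bot: The rewrapped format string in `usage()` lost the separators between the adjacent string literals, so the printed line reads `[-M][-c policyvers ...` and `(selinux,xen)][input_file]`; add a trailing space to the first two pieces: `"usage: %s [-b] [-d] [-U handle_unknown (allow,deny,reject)] [-M] "` and `"[-c policyvers (%d-%d)] [-o output_file] [-t target_platform (selinux,xen)] "`. While the string is being touched it should also list `-V`/`-h` and the long option names, which the checkpolicy.8 change in this same commit documents but the program's own usage text still omits.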
@@ -390,12 +392,34 @@ int state; int show_version = 0; struct policy_file pf; + struct option long_options[] = { + {"output", required_argument, NULL, 'o'}, + {"target", required_argument, NULL, 't'}, + {"binary", no_argument, NULL, 'b'}, + {"debug", no_argument, NULL, 'd'}, + {"version", no_argument, NULL, 'V'}, + {"handle-unknown", optional_argument, NULL, 'U'}, + {"mls", no_argument, NULL, 'M'}, + {"help", no_argument, NULL, 'h'}, + {NULL, 0, NULL, 0} + }; - while ((ch = getopt(argc, argv, "o:dbU:MVc:")) != EOF) { + while ((ch = getopt_long(argc, argv, "o:t:dbU:MVc:h", long_options, NULL)) != -1) { switch (ch) { case 'o': outfile = optarg; break; + case 't': + if (!strcasecmp(optarg, "Xen")) + target = SEPOL_TARGET_XEN; + else if (!strcasecmp(optarg, "SELinux")) + target = SEPOL_TARGET_SELINUX; + else{ + fprintf(stderr, "%s: Unknown target platform:" + "%s\n", argv[0], optarg); + exit(1); + } + break; case 'b': binary = 1; file = binfile; @@ -445,6 +469,7 @@ policyvers = n; break; } + case 'h': default: usage(argv[0]); } @@ -528,6 +553,7 @@ exit(1); /* We build this as a base policy first since that is all the parser understands */ parse_policy.policy_type = POLICY_BASE; + policydb_set_target_platform(&parse_policy, target); /* Let sepol know if we are dealing with MLS support */ parse_policy.mls = mlspol; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/checkpolicy-2.0.19/policy_define.c new/checkpolicy-2.0.21/policy_define.c --- old/checkpolicy-2.0.19/policy_define.c 2009-02-18 22:45:19.000000000 +0100 +++ new/checkpolicy-2.0.21/policy_define.c 2009-12-01 21:47:18.000000000 +0100 @@ -3320,6 +3320,11 @@ { ocontext_t *newc, *c, *head; + if (policydbp->target_platform != SEPOL_TARGET_SELINUX) { + yyerror("fscon not supported for target"); + return -1; + } + if (pass == 1) { parse_security_context(NULL); parse_security_context(NULL); 
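Review bot: `{"handle-unknown", optional_argument, NULL, 'U'}` disagrees with the `U:` in the short-option string; with `optional_argument` getopt_long only binds `--handle-unknown=allow`, so the documented spaced form `--handle-unknown allow` reaches `case 'U'` (outside this hunk) with optarg == NULL, a value the short-option path could never produce, and `allow` is then treated as the input-file operand. Unless that case is made NULL-safe the row should be `required_argument`. In the new `case 't'` the adjacent literals `"%s: Unknown target platform:" "%s\n"` join without a space and print `platform:foo`; insert the space or use a single literal. The enclosing main() starts and ends outside the hunk.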
@@ -3372,12 +3377,254 @@ return 0; } +int define_pirq_context(unsigned int pirq) +{ + ocontext_t *newc, *c, *l, *head; + char *id; + + if (policydbp->target_platform != SEPOL_TARGET_XEN) { + yyerror("pirqcon not supported for target"); + return -1; + } + + if (pass == 1) { + id = (char *) queue_remove(id_queue); + free(id); + parse_security_context(NULL); + return 0; + } + + newc = malloc(sizeof(ocontext_t)); + if (!newc) { + yyerror("out of memory"); + return -1; + } + memset(newc, 0, sizeof(ocontext_t)); + + newc->u.pirq = pirq; + + if (parse_security_context(&newc->context[0])) { + free(newc); + return -1; + } + + head = policydbp->ocontexts[OCON_XEN_PIRQ]; + for (l = NULL, c = head; c; l = c, c = c->next) { + unsigned int pirq2; + + pirq2 = c->u.pirq; + if (pirq == pirq2) { + yyerror2("duplicate pirqcon entry for %d ", pirq); + goto bad; + } + } + + if (l) + l->next = newc; + else + policydbp->ocontexts[OCON_XEN_PIRQ] = newc; + + return 0; + +bad: + free(newc); + return -1; +} + +int define_iomem_context(unsigned long low, unsigned long high) +{ + ocontext_t *newc, *c, *l, *head; + char *id; + + if (policydbp->target_platform != SEPOL_TARGET_XEN) { + yyerror("iomemcon not supported for target"); + return -1; + } + + if (pass == 1) { + id = (char *)queue_remove(id_queue); + free(id); + parse_security_context(NULL); + return 0; + } + + newc = malloc(sizeof(ocontext_t)); + if (!newc) { + yyerror("out of memory"); + return -1; + } + memset(newc, 0, sizeof(ocontext_t)); + + newc->u.iomem.low_iomem = low; + newc->u.iomem.high_iomem = high; + + if (low > high) { + yyerror2("low memory 0x%x exceeds high memory 0x%x", low, high); + free(newc); + return -1; + } + + if (parse_security_context(&newc->context[0])) { + free(newc); + return -1; + } + + head = policydbp->ocontexts[OCON_XEN_IOMEM]; + for (l = NULL, c = head; c; l = c, c = c->next) { + unsigned int low2, high2; + + low2 = c->u.iomem.low_iomem; + high2 = c->u.iomem.high_iomem; + if (low <= high2 && low2 <= high) 
{ + yyerror2("iomemcon entry for 0x%x-0x%x overlaps with " + "earlier entry 0x%x-0x%x", low, high, + low2, high2); + goto bad; + } + } + + if (l) + l->next = newc; + else + policydbp->ocontexts[OCON_XEN_IOMEM] = newc; + + return 0; + +bad: + free(newc); + return -1; +} + +int define_ioport_context(unsigned long low, unsigned long high) +{ + ocontext_t *newc, *c, *l, *head; + char *id; + + if (policydbp->target_platform != SEPOL_TARGET_XEN) { + yyerror("ioportcon not supported for target"); + return -1; + } + + if (pass == 1) { + id = (char *)queue_remove(id_queue); + free(id); + parse_security_context(NULL); + return 0; + } + + newc = malloc(sizeof(ocontext_t)); + if (!newc) { + yyerror("out of memory"); + return -1; + } + memset(newc, 0, sizeof(ocontext_t)); + + newc->u.ioport.low_ioport = low; + newc->u.ioport.high_ioport = high; + + if (low > high) { + yyerror2("low ioport 0x%x exceeds high ioport 0x%x", low, high); + free(newc); + return -1; + } + + if (parse_security_context(&newc->context[0])) { + free(newc); + return -1; + } + + head = policydbp->ocontexts[OCON_XEN_IOPORT]; + for (l = NULL, c = head; c; l = c, c = c->next) { + unsigned int low2, high2; + + low2 = c->u.ioport.low_ioport; + high2 = c->u.ioport.high_ioport; + if (low <= high2 && low2 <= high) { + yyerror2("ioportcon entry for 0x%x-0x%x overlaps with" + "earlier entry 0x%x-0x%x", low, high, + low2, high2); + goto bad; + } + } + + if (l) + l->next = newc; + else + policydbp->ocontexts[OCON_XEN_IOPORT] = newc; + + return 0; + +bad: + free(newc); + return -1; +} + +int define_pcidevice_context(unsigned long device) +{ + ocontext_t *newc, *c, *l, *head; + char *id; + + if (policydbp->target_platform != SEPOL_TARGET_XEN) { + yyerror("pcidevicecon not supported for target"); + return -1; + } + + if (pass == 1) { + id = (char *) queue_remove(id_queue); + free(id); + parse_security_context(NULL); + return 0; + } + + newc = malloc(sizeof(ocontext_t)); + if (!newc) { + yyerror("out of memory"); + return 
-1; + } + memset(newc, 0, sizeof(ocontext_t)); + + newc->u.device = device; + + if (parse_security_context(&newc->context[0])) { + free(newc); + return -1; + } + + head = policydbp->ocontexts[OCON_XEN_PCIDEVICE]; + for (l = NULL, c = head; c; l = c, c = c->next) { + unsigned int device2; + + device2 = c->u.device; + if (device == device2) { + yyerror2("duplicate pcidevicecon entry for 0x%x ", + device); + goto bad; + } + } + + if (l) + l->next = newc; + else + policydbp->ocontexts[OCON_XEN_PCIDEVICE] = newc; + + return 0; + +bad: + free(newc); + return -1; +} + int define_port_context(unsigned int low, unsigned int high) { ocontext_t *newc, *c, *l, *head; unsigned int protocol; char *id; + if (policydbp->target_platform != SEPOL_TARGET_SELINUX) { + yyerror("portcon not supported for target"); + return -1; + } + if (pass == 1) { id = (char *)queue_remove(id_queue); free(id); @@ -3460,6 +3707,11 @@ { ocontext_t *newc, *c, *head; + if (policydbp->target_platform != SEPOL_TARGET_SELINUX) { + yyerror("netifcon not supported for target"); + return -1; + } + if (pass == 1) { free(queue_remove(id_queue)); parse_security_context(NULL); @@ -3516,6 +3768,11 @@ struct in_addr addr, mask; ocontext_t *newc, *c, *l, *head; + if (policydbp->target_platform != SEPOL_TARGET_SELINUX) { + yyerror("nodecon not supported for target"); + return -1; + } + if (pass == 1) { free(queue_remove(id_queue)); free(queue_remove(id_queue)); @@ -3597,6 +3854,11 @@ struct in6_addr addr, mask; ocontext_t *newc, *c, *l, *head; + if (policydbp->target_platform != SEPOL_TARGET_SELINUX) { + yyerror("nodecon not supported for target"); + return -1; + } + if (pass == 1) { free(queue_remove(id_queue)); free(queue_remove(id_queue)); @@ -3677,6 +3939,11 @@ { ocontext_t *newc, *c, *head; + if (policydbp->target_platform != SEPOL_TARGET_SELINUX) { + yyerror("fsuse not supported for target"); + return -1; + } + if (pass == 1) { free(queue_remove(id_queue)); parse_security_context(NULL); 
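Review bot: The `yyerror2` calls in define_iomem_context, define_ioport_context and define_pcidevice_context print `unsigned long` arguments with `%x`, a format/argument mismatch that is undefined behaviour and at best shows the low 32 bits on LP64; use `%lx`, e.g. `yyerror2("low memory 0x%lx exceeds high memory 0x%lx", low, high);` (the same applies to the overlap messages and to `0x%x` for `device`). The overlap loops also copy the stored bounds into `unsigned int low2, high2;` / `unsigned int device2;`, which truncates if the ocontext fields are wider than 32 bits — declare them with the parameters' type instead. The pass-1 `queue_remove(id_queue)` in define_pirq_context and its three siblings looks carried over from define_port_context, where it pops the protocol identifier; the new `pirqcon`/`iomemcon`/`ioportcon`/`pcidevicecon` rules put a bare number before the security context, so unless `number` pushes onto id_queue this pops the context's first identifier (harmless in pass 1 only because everything is freed, but misleading). Minor: the `low > high` check can move ahead of the malloc so that error path needs no free. The hunk ends inside define_port_context, whose body continues beyond it.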
@@ -3727,6 +3994,11 @@
 char *type = NULL;
 int len, len2;
 
+ if (policydbp->target_platform != SEPOL_TARGET_SELINUX) {
+ yyerror("genfs not supported for target");
+ return -1;
+ }
+
 if (pass == 1) {
 free(fstype);
 free(queue_remove(id_queue));
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/checkpolicy-2.0.19/policy_define.h new/checkpolicy-2.0.21/policy_define.h
--- old/checkpolicy-2.0.19/policy_define.h 2009-02-18 22:45:19.000000000 +0100
+++ new/checkpolicy-2.0.21/policy_define.h 2009-12-01 21:47:18.000000000 +0100
@@ -39,6 +39,10 @@
 int define_permissive(void);
 int define_polcap(void);
 int define_port_context(unsigned int low, unsigned int high);
+int define_pirq_context(unsigned int pirq);
+int define_iomem_context(unsigned long low, unsigned long high);
+int define_ioport_context(unsigned long low, unsigned long high);
+int define_pcidevice_context(unsigned long device);
 int define_range_trans(int class_specified);
 int define_role_allow(void);
 int define_role_trans(void);
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/checkpolicy-2.0.19/policy_parse.y new/checkpolicy-2.0.21/policy_parse.y
--- old/checkpolicy-2.0.19/policy_parse.y 2009-02-18 22:45:19.000000000 +0100
+++ new/checkpolicy-2.0.21/policy_parse.y 2009-12-01 21:47:18.000000000 +0100
@@ -123,6 +123,7 @@
 %token TARGET
 %token SAMEUSER
 %token FSCON PORTCON NETIFCON NODECON
+%token PIRQCON IOMEMCON IOPORTCON PCIDEVICECON
 %token FSUSEXATTR FSUSETASK FSUSETRANS
 %token GENFSCON
 %token U1 U2 U3 R1 R2 R3 T1 T2 T3 L1 L2 H1 H2
@@ -154,7 +155,7 @@ opt_mls te_rbac users opt_constraints { if (pass == 1) { if (policydb_index_bools(policydbp)) return -1;} else if (pass == 2) { if (policydb_index_others(NULL, policydbp, 0)) return -1;}} - initial_sid_contexts opt_fs_contexts opt_fs_uses opt_genfs_contexts net_contexts + initial_sid_contexts opt_fs_contexts opt_fs_uses opt_genfs_contexts net_contexts opt_dev_contexts ; classes : class_def | classes class_def @@ -562,6 +563,32 @@ initial_sid_context_def : SID identifier security_context_def {if (define_initial_sid_context()) return -1;} ; +opt_dev_contexts : dev_contexts | + ; +dev_contexts : dev_context_def + | dev_contexts dev_context_def + ; +dev_context_def : pirq_context_def | + iomem_context_def | + ioport_context_def | + pci_context_def + ; +pirq_context_def : PIRQCON number security_context_def + {if (define_pirq_context($2)) return -1;} + ; +iomem_context_def : IOMEMCON number security_context_def + {if (define_iomem_context($2,$2)) return -1;} + | IOMEMCON number '-' number security_context_def + {if (define_iomem_context($2,$4)) return -1;} + ; +ioport_context_def : IOPORTCON number security_context_def + {if (define_ioport_context($2,$2)) return -1;} + | IOPORTCON number '-' number security_context_def + {if (define_ioport_context($2,$4)) return -1;} + ; +pci_context_def : PCIDEVICECON number security_context_def + {if (define_pcidevice_context($2)) return -1;} + ; opt_fs_contexts : fs_contexts | ; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/checkpolicy-2.0.19/policy_scan.l new/checkpolicy-2.0.21/policy_scan.l --- old/checkpolicy-2.0.19/policy_scan.l 2009-02-18 22:45:19.000000000 +0100 +++ new/checkpolicy-2.0.21/policy_scan.l 2009-12-01 21:47:18.000000000 +0100 
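Review bot: The new `iomem_context_def` and `ioport_context_def` actions pass `$2`/`$4` straight into parameters declared `unsigned long`, but the width that actually arrives depends on the semantic type of the `number` nonterminal, which is not in this hunk; if it is yacc's default `int` or a 32-bit `%union` member, a 64-bit hex address that the lexer now accepts is silently truncated before `define_iomem_context` ever sees it, so the `number` rule's type and conversion should be confirmed alongside this change. A short comment on `opt_dev_contexts`, e.g. `/* pirqcon/iomemcon/ioportcon/pcidevicecon: accepted by the grammar for any target, rejected in policy_define.c unless -t xen */`, would save the next reader from looking for the target check here.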
@@ -169,6 +169,14 @@
 NETIFCON { return(NETIFCON);}
 nodecon |
 NODECON { return(NODECON);}
+pirqcon |
+PIRQCON { return(PIRQCON);}
+iomemcon |
+IOMEMCON { return(IOMEMCON);}
+ioportcon |
+IOPORTCON { return(IOPORTCON);}
+pcidevicecon |
+PCIDEVICECON { return(PCIDEVICECON);}
 fs_use_xattr |
 FS_USE_XATTR { return(FSUSEXATTR);}
 fs_use_task |
@@ -209,7 +217,7 @@
 PERMISSIVE { return(PERMISSIVE); }
 "/"({alnum}|[_.-/])* { return(PATH); }
 {letter}({alnum}|[_-])*([.]?({alnum}|[_-]))* { return(IDENTIFIER); }
-{digit}+ { return(NUMBER); }
+{digit}+|0x{hexval}+ { return(NUMBER); }
 {digit}{1,3}(.{digit}{1,3}){3} { return(IPV4_ADDR); }
 {hexval}{0,4}":"{hexval}{0,4}":"({hexval}|[:.])* { return(IPV6_ADDR); }
 {digit}+(.({alnum}|[_.])*)? { return(VERSION_IDENTIFIER); }
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Remember to have fun...
--
To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-commit+help@opensuse.org
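Review bot: The new NUMBER alternative `0x{hexval}+` only accepts a lowercase `0x` prefix, so `0X1000` lexes as NUMBER `0` followed by IDENTIFIER `X1000` and yields an unhelpful syntax error; `{digit}+|0[xX]{hexval}+` covers both spellings. The `number` rule that converts yytext is not in this diff, so hex tokens only work if it converts with base 0 (e.g. `strtoul(yytext, NULL, 0)`), and an over-long hex literal would then saturate or wrap there with no diagnostic; a range check on the converted value, or at least an `errno == ERANGE` test, is worth adding where the conversion happens.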