Update to checkpolicy 2.1.11. Requires libsepol 2.1.8.
Change-Id: I8e0399b6fcaf2466cf7c911a0514bb4f5000857d
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
diff --git a/ChangeLog b/ChangeLog
index 96b1de8..7dc7d76 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,15 @@
+2.1.11 2012-09-13
+ * fd leak reading policy
+ * check return code on ebitmap_set_bit
+
+2.1.10 2012-06-28
+ * sepolgen: We need to support files that have a + in them
+ * Android/MacOS X build support
+
+2.1.9 2012-03-28
+ * implement new default labeling behaviors for usr, role, range
+ * Fix dead links to www.nsa.gov/selinux
+
2.1.8 2011-12-21
* add new helper to translate class sets into bitmaps
diff --git a/VERSION b/VERSION
index ebf14b4..a39c0b7 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-2.1.8
+2.1.11
diff --git a/checkmodule.8 b/checkmodule.8
index 473f642..40f73c5 100644
--- a/checkmodule.8
+++ b/checkmodule.8
@@ -53,7 +53,7 @@
.SH "SEE ALSO"
.B semodule(8), semodule_package(8)
-SELinux documentation at http://www.nsa.gov/selinux,
+SELinux documentation at http://www.nsa.gov/research/selinux,
especially "Configuring the SELinux Policy".
diff --git a/checkmodule.c b/checkmodule.c
index 47603e0..cb58cf0 100644
--- a/checkmodule.c
+++ b/checkmodule.c
@@ -63,10 +63,12 @@
if (fstat(fd, &sb) < 0) {
fprintf(stderr, "Can't stat '%s': %s\n",
file, strerror(errno));
+ close(fd);
return -1;
}
map =
mmap(NULL, sb.st_size, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0);
+ close(fd);
if (map == MAP_FAILED) {
fprintf(stderr, "Can't map '%s': %s\n", file, strerror(errno));
return -1;
diff --git a/checkpolicy.8 b/checkpolicy.8
index f79239e..6826938 100644
--- a/checkpolicy.8
+++ b/checkpolicy.8
@@ -46,7 +46,7 @@
Show usage information.
.SH "SEE ALSO"
-SELinux documentation at http://www.nsa.gov/selinux,
+SELinux documentation at http://www.nsa.gov/research/selinux,
especially "Configuring the SELinux Policy".
diff --git a/policy_define.c b/policy_define.c
index 9f1e5d5..2c12447 100644
--- a/policy_define.c
+++ b/policy_define.c
@@ -351,6 +351,102 @@
return 0;
}
+int define_default_user(int which)
+{
+ char *id;
+ class_datum_t *cladatum;
+
+ if (pass == 1) {
+ while ((id = queue_remove(id_queue)))
+ free(id);
+ return 0;
+ }
+
+ while ((id = queue_remove(id_queue))) {
+ if (!is_id_in_scope(SYM_CLASSES, id)) {
+ yyerror2("class %s is not within scope", id);
+ return -1;
+ }
+ cladatum = hashtab_search(policydbp->p_classes.table, id);
+ if (!cladatum) {
+ yyerror2("unknown class %s", id);
+ return -1;
+ }
+ if (cladatum->default_user && cladatum->default_user != which) {
+ yyerror2("conflicting default user information for class %s", id);
+ return -1;
+ }
+ cladatum->default_user = which;
+ free(id);
+ }
+
+ return 0;
+}
+
+int define_default_role(int which)
+{
+ char *id;
+ class_datum_t *cladatum;
+
+ if (pass == 1) {
+ while ((id = queue_remove(id_queue)))
+ free(id);
+ return 0;
+ }
+
+ while ((id = queue_remove(id_queue))) {
+ if (!is_id_in_scope(SYM_CLASSES, id)) {
+ yyerror2("class %s is not within scope", id);
+ return -1;
+ }
+ cladatum = hashtab_search(policydbp->p_classes.table, id);
+ if (!cladatum) {
+ yyerror2("unknown class %s", id);
+ return -1;
+ }
+ if (cladatum->default_role && cladatum->default_role != which) {
+ yyerror2("conflicting default role information for class %s", id);
+ return -1;
+ }
+ cladatum->default_role = which;
+ free(id);
+ }
+
+ return 0;
+}
+
+int define_default_range(int which)
+{
+ char *id;
+ class_datum_t *cladatum;
+
+ if (pass == 1) {
+ while ((id = queue_remove(id_queue)))
+ free(id);
+ return 0;
+ }
+
+ while ((id = queue_remove(id_queue))) {
+ if (!is_id_in_scope(SYM_CLASSES, id)) {
+ yyerror2("class %s is not within scope", id);
+ return -1;
+ }
+ cladatum = hashtab_search(policydbp->p_classes.table, id);
+ if (!cladatum) {
+ yyerror2("unknown class %s", id);
+ return -1;
+ }
+ if (cladatum->default_range && cladatum->default_range != which) {
+ yyerror2("conflicting default range information for class %s", id);
+ return -1;
+ }
+ cladatum->default_range = which;
+ free(id);
+ }
+
+ return 0;
+}
+
int define_common_perms(void)
{
char *id = 0, *perm = 0;
@@ -2245,7 +2341,10 @@
return -1;
}
- ebitmap_set_bit(&e_classes, cladatum->s.value - 1, TRUE);
+ if (ebitmap_set_bit(&e_classes, cladatum->s.value - 1, TRUE)) {
+ yyerror("out of memory");
+ return -1;
+ }
}
id = (char *)queue_remove(id_queue);
diff --git a/policy_define.h b/policy_define.h
index 92a9be7..ccbe56f 100644
--- a/policy_define.h
+++ b/policy_define.h
@@ -24,6 +24,9 @@
int define_bool_tunable(int is_tunable);
int define_category(void);
int define_class(void);
+int define_default_user(int which);
+int define_default_role(int which);
+int define_default_range(int which);
int define_common_perms(void);
int define_compute_type(int which);
int define_conditional(cond_expr_t *expr, avrule_t *t_list, avrule_t *f_list );
diff --git a/policy_parse.y b/policy_parse.y
index d808111..d92cc32 100644
--- a/policy_parse.y
+++ b/policy_parse.y
@@ -143,6 +143,8 @@
%token POLICYCAP
%token PERMISSIVE
%token FILESYSTEM
+%token DEFAULT_USER DEFAULT_ROLE DEFAULT_RANGE
+%token LOW_HIGH LOW HIGH
%left OR
%left XOR
@@ -157,7 +159,7 @@
classes initial_sids access_vectors
{ if (pass == 1) { if (policydb_index_classes(policydbp)) return -1; }
else if (pass == 2) { if (policydb_index_others(NULL, policydbp, 0)) return -1; }}
- opt_mls te_rbac users opt_constraints
+ opt_default_rules opt_mls te_rbac users opt_constraints
{ if (pass == 1) { if (policydb_index_bools(policydbp)) return -1;}
else if (pass == 2) { if (policydb_index_others(NULL, policydbp, 0)) return -1;}}
initial_sid_contexts opt_fs_contexts opt_fs_uses opt_genfs_contexts net_contexts opt_dev_contexts
@@ -195,6 +197,39 @@
| CLASS identifier INHERITS identifier '{' identifier_list '}'
{if (define_av_perms(TRUE)) return -1;}
;
+opt_default_rules : default_rules
+ |
+ ;
+default_rules : default_user_def
+ | default_role_def
+ | default_range_def
+ | default_rules default_user_def
+ | default_rules default_role_def
+ | default_rules default_range_def
+ ;
+default_user_def : DEFAULT_USER names SOURCE ';'
+ {if (define_default_user(DEFAULT_SOURCE)) return -1; }
+ | DEFAULT_USER names TARGET ';'
+ {if (define_default_user(DEFAULT_TARGET)) return -1; }
+ ;
+default_role_def : DEFAULT_ROLE names SOURCE ';'
+ {if (define_default_role(DEFAULT_SOURCE)) return -1; }
+ | DEFAULT_ROLE names TARGET ';'
+ {if (define_default_role(DEFAULT_TARGET)) return -1; }
+ ;
+default_range_def : DEFAULT_RANGE names SOURCE LOW ';'
+ {if (define_default_range(DEFAULT_SOURCE_LOW)) return -1; }
+ | DEFAULT_RANGE names SOURCE HIGH ';'
+ {if (define_default_range(DEFAULT_SOURCE_HIGH)) return -1; }
+ | DEFAULT_RANGE names SOURCE LOW_HIGH ';'
+ {if (define_default_range(DEFAULT_SOURCE_LOW_HIGH)) return -1; }
+ | DEFAULT_RANGE names TARGET LOW ';'
+ {if (define_default_range(DEFAULT_TARGET_LOW)) return -1; }
+ | DEFAULT_RANGE names TARGET HIGH ';'
+ {if (define_default_range(DEFAULT_TARGET_HIGH)) return -1; }
+ | DEFAULT_RANGE names TARGET LOW_HIGH ';'
+ {if (define_default_range(DEFAULT_TARGET_LOW_HIGH)) return -1; }
+ ;
opt_mls : mls
|
;
diff --git a/policy_scan.l b/policy_scan.l
index 22b91a3..62d03f0 100644
--- a/policy_scan.l
+++ b/policy_scan.l
@@ -225,8 +225,20 @@
POLICYCAP { return(POLICYCAP); }
permissive |
PERMISSIVE { return(PERMISSIVE); }
+default_user |
+DEFAULT_USER { return(DEFAULT_USER); }
+default_role |
+DEFAULT_ROLE { return(DEFAULT_ROLE); }
+default_range |
+DEFAULT_RANGE { return(DEFAULT_RANGE); }
+low-high |
+LOW-HIGH { return(LOW_HIGH); }
+high |
+HIGH { return(HIGH); }
+low |
+LOW { return(LOW); }
"/"({alnum}|[_\.\-/])* { return(PATH); }
-\"({alnum}|[_\.\-\~])+\" { return(FILENAME); }
+\"({alnum}|[_\.\-\+\~])+\" { return(FILENAME); }
{letter}({alnum}|[_\-])*([\.]?({alnum}|[_\-]))* { return(IDENTIFIER); }
{alnum}*{letter}{alnum}* { return(FILESYSTEM); }
{digit}+|0x{hexval}+ { return(NUMBER); }
