diff --git a/0003-Since-we-do-not-ship-neverallow-rules-all-always-fai.patch b/0003-Since-we-do-not-ship-neverallow-rules-all-always-fai.patch deleted file mode 100644 index 57b31bd..0000000 --- a/0003-Since-we-do-not-ship-neverallow-rules-all-always-fai.patch +++ /dev/null @@ -1,28 +0,0 @@ -From 252b7c8bf311d615164a20f4f402767e5859d972 Mon Sep 17 00:00:00 2001 -From: Dan Walsh -Date: Tue, 20 Sep 2011 15:40:28 -0400 -Subject: [PATCH 3/6] Since-we-do-not-ship-neverallow-rules-all-always-fail - ---- - libqpol/src/avrule_query.c | 5 +++-- - 1 files changed, 3 insertions(+), 2 deletions(-) - -diff --git a/libqpol/src/avrule_query.c b/libqpol/src/avrule_query.c -index 749565b..76dcaa3 100644 ---- a/libqpol/src/avrule_query.c -+++ b/libqpol/src/avrule_query.c -@@ -57,8 +57,9 @@ int qpol_policy_get_avrule_iter(const qpol_policy_t * policy, uint32_t rule_type - - if ((rule_type_mask & QPOL_RULE_NEVERALLOW) && !qpol_policy_has_capability(policy, QPOL_CAP_NEVERALLOW)) { - ERR(policy, "%s", "Cannot get avrules: Neverallow rules requested but not available"); -- errno = ENOTSUP; -- return STATUS_ERR; -+/* errno = ENOTSUP; -+ return STATUS_ERR; */ -+ return STATUS_SUCCESS; - } - - db = &policy->p->p; --- -1.7.6.2 - diff --git a/0006-Changes-to-support-named-file_trans-rules.patch b/0006-Changes-to-support-named-file_trans-rules.patch deleted file mode 100644 index 39dbf4a..0000000 --- a/0006-Changes-to-support-named-file_trans-rules.patch +++ /dev/null 
@@ -1,1491 +0,0 @@ -From 287f507657e162bc09b5c186bbd580901fbc942a Mon Sep 17 00:00:00 2001 -From: Dan Walsh -Date: Tue, 20 Sep 2011 15:47:28 -0400 -Subject: [PATCH 6/6] Changes to support named file_trans rules - ---- - libapol/include/apol/ftrule-query.h | 198 +++++++++++++++++++ - libapol/include/apol/policy-query.h | 1 + - libapol/src/Makefile.am | 1 + - libapol/src/ftrule-query.c | 363 +++++++++++++++++++++++++++++++++++ - libapol/src/libapol.map | 1 + - libqpol/include/qpol/ftrule_query.h | 116 +++++++++++ - libqpol/include/qpol/policy.h | 1 + - libqpol/src/Makefile.am | 1 + - libqpol/src/ftrule_query.c | 277 ++++++++++++++++++++++++++ - libqpol/src/libqpol.map | 1 + - libqpol/src/module_compiler.c | 12 ++ - libqpol/src/policy_define.c | 186 ++++++++++++++++++- - libqpol/src/policy_parse.y | 13 +- - libqpol/src/policy_scan.l | 1 + - secmds/sesearch.c | 101 ++++++++++ - 15 files changed, 1270 insertions(+), 3 deletions(-) - create mode 100644 libapol/include/apol/ftrule-query.h - create mode 100644 libapol/src/ftrule-query.c - create mode 100644 libqpol/include/qpol/ftrule_query.h - create mode 100644 libqpol/src/ftrule_query.c - -Index: setools-3.3.7/libapol/include/apol/ftrule-query.h -=================================================================== ---- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ setools-3.3.7/libapol/include/apol/ftrule-query.h 2013-04-03 20:03:20.687277526 +0200 -@@ -0,0 +1,198 @@ -+/** -+ * @file -+ * -+ * Routines to query filename_transition rules of a -+ * policy. -+ * -+ * @author Jeremy A. Mowery jmowery@tresys.com -+ * @author Jason Tang jtang@tresys.com -+ * -+ * Copyright (C) 2006-2007 Tresys Technology, LLC -+ * -+ * This library is free software; you can redistribute it and/or -+ * modify it under the terms of the GNU Lesser General Public -+ * License as published by the Free Software Foundation; either -+ * version 2.1 of the License, or (at your option) any later version. 
-+ *
-+ * This library is distributed in the hope that it will be useful,
-+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
-+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-+ * Lesser General Public License for more details.
-+ *
-+ * You should have received a copy of the GNU Lesser General Public
-+ * License along with this library; if not, write to the Free Software
-+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
-+ */
-+
-+#ifndef APOL_FILENAMERULE_QUERY
-+#define APOL_FILENAMERULE_QUERY
-+
-+#ifdef __cplusplus
-+extern "C"
-+{
-+#endif
-+
-+#include "policy.h"
-+#include "vector.h"
-+#include
-+
-+ typedef struct apol_filename_trans_query apol_filename_trans_query_t;
-+
-+
-+/******************** filename_transition queries ********************/
-+
-+/**
-+ * Execute a query against all filename_transition rules within the
-+ * policy.
-+ *
-+ * @param p Policy within which to look up filename_transition rules.
-+ * @param r Structure containing parameters for query. If this is
-+ * NULL then return all filename_transition rules.
-+ * @param v Reference to a vector of qpol_filename_trans_t. The vector
-+ * will be allocated by this function. The caller must call
-+ * apol_vector_destroy() afterwards. This will be set to NULL upon no
-+ * results or upon error.
-+ *
-+ * @return 0 on success (including none found), negative on error.
-+ */
-+ extern int apol_filename_trans_get_by_query(const apol_policy_t * p, const apol_filename_trans_query_t * r, apol_vector_t ** v);
-+
-+/**
-+ * Allocate and return a new filename trans query structure. All fields
-+ * are initialized, such that running this blank query results in
-+ * returning all filename_transitions within the policy. The caller must
-+ * call apol_filename_trans_query_destroy() upon the return value
-+ * afterwards.
-+ *
-+ * @return An initialized filename trans query structure, or NULL upon
-+ * error.
-+ */
-+ extern apol_filename_trans_query_t *apol_filename_trans_query_create(void);
-+
-+/**
-+ * Deallocate all memory associated with the referenced filename trans
-+ * query, and then set it to NULL. This function does nothing if the
-+ * query is already NULL.
-+ *
-+ * @param r Reference to a filename trans query structure to destroy.
-+ */
-+ extern void apol_filename_trans_query_destroy(apol_filename_trans_query_t ** r);
-+
-+/**
-+ * Set a filename_trans query to return rules whose source symbol matches
-+ * symbol. Symbol may be a type or attribute; if it is an alias then
-+ * the query will convert it to its primary prior to searching. If
-+ * is_indirect is non-zero then the search will be done indirectly.
-+ * If the symbol is a type, then the query matches rules with one of
-+ * the type's attributes. If the symbol is an attribute, then it
-+ * matches rule with any of the attribute's types.
-+ *
-+ * @param p Policy handler, to report errors.
-+ * @param t TE rule query to set.
-+ * @param symbol Limit query to rules with this symbol as their
-+ * source, or NULL to unset this field.
-+ * @param is_indirect If non-zero, perform indirect matching.
-+ *
-+ * @return 0 on success, negative on error.
-+ */
-+ extern int apol_filename_trans_query_set_source(const apol_policy_t * p, apol_filename_trans_query_t * t, const char *symbol,
-+ int is_indirect);
-+
-+/**
-+ * Set a filename trans query to return rules with a particular target
-+ * symbol. Symbol may be a type or attribute; if it is an alias then
-+ * the query will convert it to its primary prior to searching. If
-+ * is_indirect is non-zero then the search will be done indirectly.
-+ * If the symbol is a type, then the query matches rules with one of
-+ * the type's attributes. If the symbol is an attribute, then it
-+ * matches rule with any of the attribute's types.
-+ *
-+ * @param p Policy handler, to report errors.
-+ * @param r Role trans query to set.
-+ * @param symbol Limit query to rules with this type or attribute as
-+ * their target, or NULL to unset this field.
-+ * @param is_indirect If non-zero, perform indirect matching.
-+ *
-+ * @return 0 on success, negative on error.
-+ */
-+ extern int apol_filename_trans_query_set_target(const apol_policy_t * p, apol_filename_trans_query_t * r, const char *symbol,
-+ int is_indirect);
-+
-+/**
-+ * Set a filename trans query to return rules with a particular default
-+ * filename. This field is ignored if
-+ * apol_filename_trans_query_set_source_any() is set to non-zero.
-+ *
-+ * @param p Policy handler, to report errors.
-+ * @param r Role trans query to set.
-+ * @param filename Limit query to rules with this filename as their default, or
-+ * NULL to unset this field.
-+ *
-+ * @return 0 on success, negative on error.
-+ */
-+ extern int apol_filename_trans_query_set_default(const apol_policy_t * p, apol_filename_trans_query_t * r, const char *filename);
-+
-+/**
-+ * Set at filename_trans query to return rules with this object (non-common)
-+ * class. If more than one class are appended to the query, the
-+ * rule's class must be one of those appended. (I.e., the rule's
-+ * class must be a member of the query's classes.) Pass a NULL to
-+ * clear all classes. Note that this performs straight string
-+ * comparison, ignoring the regex flag.
-+
-+ *
-+ * @param p Policy handler, to report errors.
-+ * @param t TE rule query to set.
-+ * @param obj_class Name of object class to add to search set.
-+ *
-+ * @return 0 on success, negative on error.
-+ */
-+ extern int apol_filename_trans_query_append_class(const apol_policy_t * p, apol_filename_trans_query_t * t, const char *obj_class);
-+
-+/**
-+ * Set a filename trans query to treat the source filename as any. That is,
-+ * use the same symbol for either source or default of a
-+ * filename_transition rule. This flag does nothing if the source filename is
-+ * not set. Note that a filename_transition's target is a type, so thus
-+ * this flag does not affect its searching.
-+ *
-+ * @param p Policy handler, to report errors.
-+ * @param r Role trans query to set.
-+ * @param is_any Non-zero to use source symbol for source or default
-+ * field, 0 to keep source as only source.
-+ *
-+ * @return Always 0.
-+ */
-+ extern int apol_filename_trans_query_set_source_any(const apol_policy_t * p, apol_filename_trans_query_t * r, int is_any);
-+
-+/**
-+ * Set a filename trans query to use regular expression searching for
-+ * source, target, and default fields. Strings will be treated as
-+ * regexes instead of literals. For the target type, matching will
-+ * occur against the type name or any of its aliases.
-+ *
-+ * @param p Policy handler, to report errors.
-+ * @param r Role trans query to set.
-+ * @param is_regex Non-zero to enable regex searching, 0 to disable.
-+ *
-+ * @return Always 0.
-+ */
-+ extern int apol_filename_trans_query_set_regex(const apol_policy_t * p, apol_filename_trans_query_t * r, int is_regex);
-+
-+/**
-+ * Render a filename_transition rule to a string.
-+ *
-+ * @param policy Policy handler, to report errors.
-+ * @param rule The rule to render.
-+ *
-+ * @return A newly malloc()'d string representation of the rule, or NULL on
-+ * failure; if the call fails, errno will be set. The caller is responsible
-+ * for calling free() on the returned string.
-+ */
-+ extern char *apol_filename_trans_render(const apol_policy_t * policy, const qpol_filename_trans_t * rule);
-+
-+#ifdef __cplusplus
-+}
-+#endif
-+
-+#endif
-Index: setools-3.3.7/libapol/include/apol/policy-query.h
-===================================================================
---- setools-3.3.7.orig/libapol/include/apol/policy-query.h 2013-04-03 20:03:18.404208871 +0200
-+++ setools-3.3.7/libapol/include/apol/policy-query.h 2013-04-03 20:03:20.688277556 +0200
-@@ -71,6 +71,7 @@ extern "C"
- #include "terule-query.h"
- #include "condrule-query.h"
- #include "rbacrule-query.h"
-+#include "ftrule-query.h"
- #include "range_trans-query.h"
- #include "constraint-query.h"
-
-Index: setools-3.3.7/libapol/src/Makefile.am
-===================================================================
---- setools-3.3.7.orig/libapol/src/Makefile.am 2013-04-03 20:03:18.404208871 +0200
-+++ setools-3.3.7/libapol/src/Makefile.am 2013-04-03 20:03:20.688277556 +0200
-@@ -40,6 +40,7 @@ libapol_a_SOURCES = \
- render.c \
- role-query.c \
- terule-query.c \
-+ ftrule-query.c \
- type-query.c \
- types-relation-analysis.c \
- user-query.c \
-Index: setools-3.3.7/libapol/src/ftrule-query.c
-===================================================================
---- /dev/null 1970-01-01 00:00:00.000000000 +0000
-+++ setools-3.3.7/libapol/src/ftrule-query.c 2013-04-03 20:03:20.688277556 +0200
-@@ -0,0 +1,363 @@
-+/**
-+ * @file
-+ *
-+ * Provides a way for setools to make queries about type enforcement
-+ * filename_transs within a policy. The caller obtains a query object, fills in
-+ * its parameters, and then runs the query; it obtains a vector of
-+ * results. Searches are conjunctive -- all fields of the search
-+ * query must match for a datum to be added to the results query.
-+ *
-+ * @author Jeremy A. Mowery jmowery@tresys.com
-+ * @author Jason Tang jtang@tresys.com
-+ *
-+ * Copyright (C) 2006-2007 Tresys Technology, LLC
-+ *
-+ * This library is free software; you can redistribute it and/or
-+ * modify it under the terms of the GNU Lesser General Public
-+ * License as published by the Free Software Foundation; either
-+ * version 2.1 of the License, or (at your option) any later version.
-+ *
-+ * This library is distributed in the hope that it will be useful,
-+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
-+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-+ * Lesser General Public License for more details.
-+ *
-+ * You should have received a copy of the GNU Lesser General Public
-+ * License along with this library; if not, write to the Free Software
-+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
-+ */
-+
-+#include "policy-query-internal.h"
-+
-+#include
-+#include
-+
-+struct apol_filename_trans_query
-+{
-+ char *source, *target, *default_type, *name;
-+ apol_vector_t *classes;
-+ unsigned int flags;
-+};
-+
-+
-+/******************** filename_transition queries ********************/
-+
-+int apol_filename_trans_get_by_query(const apol_policy_t * p, const apol_filename_trans_query_t * t, apol_vector_t ** v)
-+{
-+ apol_vector_t *source_list = NULL, *target_list = NULL, *class_list = NULL, *default_list = NULL;
-+ int retval = -1, source_as_any = 0, is_regex = 0, append_filename_trans;
-+ char *bool_name = NULL;
-+ *v = NULL;
-+ unsigned int flags = 0;
-+ qpol_iterator_t *iter = NULL, *type_iter = NULL;
-+
-+ if (t != NULL) {
-+ flags = t->flags;
-+ is_regex = t->flags & APOL_QUERY_REGEX;
-+ if (t->source != NULL &&
-+ (source_list =
-+ apol_query_create_candidate_type_list(p, t->source, is_regex,
-+ t->flags & APOL_QUERY_SOURCE_INDIRECT,
-+ ((t->flags & (APOL_QUERY_SOURCE_TYPE | APOL_QUERY_SOURCE_ATTRIBUTE)) /
-+ APOL_QUERY_SOURCE_TYPE))) == NULL) {
-+ goto cleanup;
-+ }
-+
-+ if ((t->flags & APOL_QUERY_SOURCE_AS_ANY) && t->source != NULL) {
-+ default_list = target_list = source_list;
-+ source_as_any = 1;
-+ } else {
-+ if (t->target != NULL &&
-+ (target_list =
-+ apol_query_create_candidate_type_list(p, t->target, is_regex,
-+ t->flags & APOL_QUERY_TARGET_INDIRECT,
-+ ((t->
-+ flags & (APOL_QUERY_TARGET_TYPE | APOL_QUERY_TARGET_ATTRIBUTE))
-+ / APOL_QUERY_TARGET_TYPE))) == NULL) {
-+ goto cleanup;
-+ }
-+ if (t->default_type != NULL &&
-+ (default_list =
-+ apol_query_create_candidate_type_list(p, t->default_type, is_regex, 0,
-+ APOL_QUERY_SYMBOL_IS_TYPE)) == NULL) {
-+ goto cleanup;
-+ }
-+ }
-+ if (t->classes != NULL &&
-+ apol_vector_get_size(t->classes) > 0 &&
-+ (class_list = apol_query_create_candidate_class_list(p, t->classes)) == NULL) {
-+ goto cleanup;
-+ }
-+ }
-+
-+ if (qpol_policy_get_filename_trans_iter(p->p, &iter) < 0) {
-+ return -1;
-+ }
-+
-+ if ((*v = apol_vector_create(NULL)) == NULL) {
-+ ERR(p, "%s", strerror(errno));
-+ goto cleanup;
-+ }
-+
-+ for (; !qpol_iterator_end(iter); qpol_iterator_next(iter)) {
-+ qpol_filename_trans_t *filename_trans;
-+ if (qpol_iterator_get_item(iter, (void **)&filename_trans) < 0) {
-+ goto cleanup;
-+ }
-+ int match_source = 0, match_target = 0, match_default = 0, match_bool = 0;
-+ size_t i;
-+
-+ if (source_list == NULL) {
-+ match_source = 1;
-+ } else {
-+ const qpol_type_t *source_type;
-+ if (qpol_filename_trans_get_source_type(p->p, filename_trans, &source_type) < 0) {
-+ goto cleanup;
-+ }
-+ if (apol_vector_get_index(source_list, source_type, NULL, NULL, &i) == 0) {
-+ match_source = 1;
-+ }
-+ }
-+
-+ /* if source did not match, but treating source symbol
-+ * as any field, then delay rejecting this filename_trans until
-+ * the target and default have been checked */
-+ if (!source_as_any && !match_source) {
-+ continue;
-+ }
-+
-+ if (target_list == NULL || (source_as_any && match_source)) {
-+ match_target = 1;
-+ } else {
-+ const qpol_type_t *target_type;
-+ if (qpol_filename_trans_get_target_type(p->p, filename_trans, &target_type) < 0) {
-+ goto cleanup;
-+ }
-+ if (apol_vector_get_index(target_list, target_type, NULL, NULL, &i) == 0) {
-+ match_target = 1;
-+ }
-+ }
-+
-+ if (!source_as_any && !match_target) {
-+ continue;
-+ }
-+
-+ if (default_list == NULL || (source_as_any && match_source) || (source_as_any && match_target)) {
-+ match_default = 1;
-+ } else {
-+ const qpol_type_t *default_type;
-+ if (qpol_filename_trans_get_default_type(p->p, filename_trans, &default_type) < 0) {
-+ goto cleanup;
-+ }
-+ if (apol_vector_get_index(default_list, default_type, NULL, NULL, &i) == 0) {
-+ match_default = 1;
-+ }
-+ }
-+
-+ if (!source_as_any && !match_default) {
-+ continue;
-+ }
-+ /* at least one thing must match if source_as_any was given */
-+ if (source_as_any && (!match_source && !match_target && !match_default)) {
-+ continue;
-+ }
-+
-+ if (class_list != NULL) {
-+ const qpol_class_t *obj_class;
-+ if (qpol_filename_trans_get_object_class(p->p, filename_trans, &obj_class) < 0) {
-+ goto cleanup;
-+ }
-+ if (apol_vector_get_index(class_list, obj_class, NULL, NULL, &i) < 0) {
-+ continue;
-+ }
-+ }
-+
-+ if (apol_vector_append(*v, filename_trans)) {
-+ ERR(p, "%s", strerror(ENOMEM));
-+ goto cleanup;
-+ }
-+ }
-+
-+ retval = 0;
-+ cleanup:
-+ if (retval != 0) {
-+ apol_vector_destroy(v);
-+ }
-+ apol_vector_destroy(&source_list);
-+ if (!source_as_any) {
-+ apol_vector_destroy(&target_list);
-+ apol_vector_destroy(&default_list);
-+ }
-+ apol_vector_destroy(&class_list);
-+ return retval;
-+}
-+
-+apol_filename_trans_query_t *apol_filename_trans_query_create(void)
-+{
-+ apol_filename_trans_query_t *t = calloc(1, sizeof(apol_filename_trans_query_t));
-+ if (t != NULL) {
-+ t->flags =
-+ (APOL_QUERY_SOURCE_TYPE | APOL_QUERY_SOURCE_ATTRIBUTE | APOL_QUERY_TARGET_TYPE |
-+ APOL_QUERY_TARGET_ATTRIBUTE);
-+ }
-+ return t;
-+}
-+
-+void apol_filename_trans_query_destroy(apol_filename_trans_query_t ** r)
-+{
-+ if (r != NULL && *r != NULL) {
-+ free((*r)->source);
-+ free((*r)->target);
-+ free((*r)->default_type);
-+ free((*r)->name);
-+ free(*r);
-+ *r = NULL;
-+ }
-+}
-+
-+int apol_filename_trans_query_set_source(const apol_policy_t * p, apol_filename_trans_query_t * t, const char *filename, int is_indirect)
-+{
-+ apol_query_set_flag(p, &t->flags, is_indirect, APOL_QUERY_TARGET_INDIRECT);
-+ return apol_query_set(p, &t->source, NULL, filename);
-+}
-+
-+int apol_filename_trans_query_set_target(const apol_policy_t * p, apol_filename_trans_query_t * t, const char *type, int is_indirect)
-+{
-+ apol_query_set_flag(p, &t->flags, is_indirect, APOL_QUERY_TARGET_INDIRECT);
-+ return apol_query_set(p, &t->target, NULL, type);
-+}
-+
-+int apol_filename_trans_query_set_default(const apol_policy_t * p, apol_filename_trans_query_t * t, const char *symbol)
-+{
-+ return apol_query_set(p, &t->default_type, NULL, symbol);
-+}
-+
-+int apol_filename_trans_query_append_class(const apol_policy_t * p, apol_filename_trans_query_t * t, const char *obj_class)
-+{
-+ char *s = NULL;
-+ if (obj_class == NULL) {
-+ apol_vector_destroy(&t->classes);
-+ } else if ((s = strdup(obj_class)) == NULL || (t->classes == NULL && (t->classes = apol_vector_create(free)) == NULL)
-+ || apol_vector_append(t->classes, s) < 0) {
-+ ERR(p, "%s", strerror(errno));
-+ free(s);
-+ return -1;
-+ }
-+ return 0;
-+}
-+
-+int apol_filename_trans_query_set_name(const apol_policy_t * p, apol_filename_trans_query_t * t, const char *filename)
-+{
-+ return apol_query_set(p, &t->name, NULL, filename);
-+}
-+
-+int apol_filename_trans_query_set_source_any(const apol_policy_t * p, apol_filename_trans_query_t * t, int is_any)
-+{
-+ return apol_query_set_flag(p, &t->flags, is_any, APOL_QUERY_SOURCE_AS_ANY);
-+}
-+
-+int apol_filename_trans_query_set_regex(const apol_policy_t * p, apol_filename_trans_query_t * t, int is_regex)
-+{
-+ return apol_query_set_regex(p, &t->flags, is_regex);
-+}
-+
-+char *apol_filename_trans_render(const apol_policy_t * policy, const qpol_filename_trans_t * filename_trans)
-+{
-+ char *tmp = NULL;
-+ const char *tmp_name = NULL;
-+ const char *filename_trans_type_str;
-+ int error = 0;
-+ size_t tmp_sz = 0;
-+ uint32_t filename_trans_type = 0;
-+ const qpol_type_t *type = NULL;
-+ const qpol_class_t *obj_class = NULL;
-+
-+ if (!policy || !filename_trans) {
-+ ERR(policy, "%s", strerror(EINVAL));
-+ errno = EINVAL;
-+ return NULL;
-+ }
-+
-+ /* source type */
-+ if (qpol_filename_trans_get_source_type(policy->p, filename_trans, &type)) {
-+ error = errno;
-+ goto err;
-+ }
-+ if (qpol_type_get_name(policy->p, type, &tmp_name)) {
-+ error = errno;
-+ goto err;
-+ }
-+ if (apol_str_appendf(&tmp, &tmp_sz, "transition_type %s ", tmp_name)) {
-+ error = errno;
-+ ERR(policy, "%s", strerror(error));
-+ goto err;
-+ }
-+
-+ /* target type */
-+ if (qpol_filename_trans_get_target_type(policy->p, filename_trans, &type)) {
-+ error = errno;
-+ goto err;
-+ }
-+ if (qpol_type_get_name(policy->p, type, &tmp_name)) {
-+ error = errno;
-+ goto err;
-+ }
-+ if (apol_str_appendf(&tmp, &tmp_sz, "%s : ", tmp_name)) {
-+ error = errno;
-+ ERR(policy, "%s", strerror(error));
-+ goto err;
-+ }
-+
-+ /* object class */
-+ if (qpol_filename_trans_get_object_class(policy->p, filename_trans, &obj_class)) {
-+ error = errno;
-+ goto err;
-+ }
-+ if (qpol_class_get_name(policy->p, obj_class, &tmp_name)) {
-+ error = errno;
-+ goto err;
-+ }
-+ if (apol_str_appendf(&tmp, &tmp_sz, "%s ", tmp_name)) {
-+ error = errno;
-+ ERR(policy, "%s", strerror(error));
-+ goto err;
-+ }
-+
-+ /* default type */
-+ if (qpol_filename_trans_get_default_type(policy->p, filename_trans, &type)) {
-+ error = errno;
-+ goto err;
-+ }
-+ if (qpol_type_get_name(policy->p, type, &tmp_name)) {
-+ error = errno;
-+ goto err;
-+ }
-+ if (apol_str_appendf(&tmp, &tmp_sz, "%s", tmp_name)) {
-+ error = errno;
-+ ERR(policy, "%s", strerror(error));
-+ goto err;
-+ }
-+
-+ if (qpol_filename_trans_get_filename(policy->p, filename_trans, &tmp_name)) {
-+ error = errno;
-+ goto err;
-+ }
-+
-+ if (apol_str_appendf(&tmp, &tmp_sz, " %s", tmp_name)) {
-+ error = errno;
-+ ERR(policy, "%s", strerror(error));
-+ goto err;
-+ }
-+
-+ if (apol_str_appendf(&tmp, &tmp_sz, ";")) {
-+ error = errno;
-+ ERR(policy, "%s", strerror(error));
-+ goto err;
-+ }
-+ return tmp;
-+
-+ err:
-+ free(tmp);
-+ errno = error;
-+ return NULL;
-+}
-Index: setools-3.3.7/libapol/src/libapol.map
-===================================================================
---- setools-3.3.7.orig/libapol/src/libapol.map 2013-04-03 20:03:18.405208901 +0200
-+++ setools-3.3.7/libapol/src/libapol.map 2013-04-03 20:03:20.688277556 +0200
-@@ -34,6 +34,7 @@ VERS_4.0{
- apol_protocol_to_str;
- apol_qpol_context_render;
- apol_range_trans_*;
-+ apol_filename_trans_*;
- apol_relabel_*;
- apol_role_*;
- apol_role_allow_*;
-Index: setools-3.3.7/libqpol/include/qpol/ftrule_query.h
-===================================================================
---- /dev/null 1970-01-01 00:00:00.000000000 +0000
-+++ setools-3.3.7/libqpol/include/qpol/ftrule_query.h 2013-04-03 20:03:20.689277586 +0200
-@@ -0,0 +1,116 @@
-+/**
-+ * @file
-+ * Defines public interface for iterating over FTRULE rules.
-+ *
-+ * @author Kevin Carr kcarr@tresys.com
-+ * @author Jeremy A. Mowery jmowery@tresys.com
-+ * @author Jason Tang jtang@tresys.com
-+ *
-+ * Copyright (C) 2006-2007 Tresys Technology, LLC
-+ *
-+ * This library is free software; you can redistribute it and/or
-+ * modify it under the terms of the GNU Lesser General Public
-+ * License as published by the Free Software Foundation; either
-+ * version 2.1 of the License, or (at your option) any later version.
-+ *
-+ * This library is distributed in the hope that it will be useful,
-+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
-+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-+ * Lesser General Public License for more details.
-+ *
-+ * You should have received a copy of the GNU Lesser General Public
-+ * License along with this library; if not, write to the Free Software
-+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
-+ */
-+
-+#ifndef QPOL_FTRULERULE_QUERY
-+#define QPOL_FTRULERULE_QUERY
-+
-+#ifdef __cplusplus
-+extern "C"
-+{
-+#endif
-+
-+#include
-+#include
-+
-+ typedef struct qpol_filename_trans qpol_filename_trans_t;
-+
-+/**
-+ * Get an iterator over all filename transition rules in the policy.
-+ * @param policy Policy from which to create the iterator.
-+ * @param iter Iterator over items of type qpol_filename_trans_t returned.
-+ * The caller is responsible for calling qpol_iterator_destroy()
-+ * to free memory used by this iterator.
-+ * It is important to note that this iterator is only valid as long as
-+ * the policy is unmodifed.
-+ * @returm 0 on success and < 0 on failure; if the call fails,
-+ * errno will be set and *iter will be NULL.
-+ */
-+ extern int qpol_policy_get_filename_trans_iter(const qpol_policy_t * policy, qpol_iterator_t ** iter);
-+
-+/**
-+ * Get the source type from a filename transition rule.
-+ * @param policy The policy from which the rule comes.
-+ * @param rule The rule from which to get the source type.
-+ * @param source Pointer in which to store the source type.
-+ * The caller should not free this pointer.
-+ * @return 0 on success and < 0 on failure; if the call fails,
-+ * errno will be set and *source will be NULL.
-+ */
-+ extern int qpol_filename_trans_get_source_type(const qpol_policy_t * policy, const qpol_filename_trans_t * rule,
-+ const qpol_type_t ** source);
-+
-+/**
-+ * Get the target type from a filename transition rule.
-+ * @param policy The policy from which the rule comes.
-+ * @param rule The rule from which to get the target type.
-+ * @param target Pointer in which to store the target type.
-+ * The caller should not free this pointer.
-+ * @return 0 on success and < 0 on failure; if the call fails,
-+ * errno will be set and *target will be NULL.
-+ */
-+ extern int qpol_filename_trans_get_target_type(const qpol_policy_t * policy, const qpol_filename_trans_t * rule,
-+ const qpol_type_t ** target);
-+
-+/**
-+ * Get the default type from a type rule.
-+ * @param policy Policy from which the rule comes.
-+ * @param rule The rule from which to get the default type.
-+ * @param dflt Pointer in which to store the default type.
-+ * The caller should not free this pointer.
-+ * @returm 0 on success and < 0 on failure; if the call fails,
-+ * errno will be set and *dflt will be NULL.
-+ */
-+ extern int qpol_filename_trans_get_default_type(const qpol_policy_t * policy, const qpol_filename_trans_t * rule,
-+ const qpol_type_t ** dflt);
-+
-+/**
-+ * Get the object class from a type rule.
-+ * @param policy Policy from which the rule comes.
-+ * @param rule The rule from which to get the object class.
-+ * @param obj_class Pointer in which to store the object class.
-+ * The caller should not free this pointer.
-+ * @returm 0 on success and < 0 on failure; if the call fails,
-+ * errno will be set and *obj_class will be NULL.
-+ */
-+ extern int qpol_filename_trans_get_object_class(const qpol_policy_t * policy, const qpol_filename_trans_t * rule,
-+ const qpol_class_t ** obj_class);
-+
-+/**
-+ * Get the transition filename type from a type rule.
-+ * @param policy Policy from which the rule comes.
-+ * @param rule The rule from which to get the transition filename.
-+ * @param target Pointer in which to store the transition filename.
-+ * The caller should not free this pointer.
-+ * @returm 0 on success and < 0 on failure; if the call fails,
-+ * errno will be set and *target will be NULL.
-+ */
-+ extern int qpol_filename_trans_get_filename(const qpol_policy_t * policy, const qpol_filename_trans_t * rule,
-+ const char ** name);
-+
-+#ifdef __cplusplus
-+}
-+#endif
-+
-+#endif /* QPOL_FTRULERULE_QUERY */
-Index: setools-3.3.7/libqpol/include/qpol/policy.h
-===================================================================
---- setools-3.3.7.orig/libqpol/include/qpol/policy.h 2013-04-03 20:03:18.406208931 +0200
-+++ setools-3.3.7/libqpol/include/qpol/policy.h 2013-04-03 20:03:20.689277586 +0200
-@@ -55,6 +55,7 @@ extern "C"
- #include
- #include
- #include
-+#include
- #include
- #include
- #include
-Index: setools-3.3.7/libqpol/src/Makefile.am
-===================================================================
---- setools-3.3.7.orig/libqpol/src/Makefile.am 2013-04-03 20:03:18.406208931 +0200
-+++ setools-3.3.7/libqpol/src/Makefile.am 2013-04-03 20:03:20.689277586 +0200
-@@ -48,6 +48,7 @@ libqpol_a_SOURCES = \
- syn_rule_internal.h \
- syn_rule_query.c \
- terule_query.c \
-+ ftrule_query.c \
- type_query.c \
- user_query.c \
- util.c \
-Index: setools-3.3.7/libqpol/src/ftrule_query.c
-===================================================================
---- /dev/null 1970-01-01 00:00:00.000000000 +0000
-+++ setools-3.3.7/libqpol/src/ftrule_query.c 2013-04-03 20:03:20.689277586 +0200
-@@ -0,0 +1,277 @@
-+/**
-+ * @file
-+ * Defines public interface for iterating over RBAC rules.
-+ *
-+ * @author Jeremy A. Mowery jmowery@tresys.com
-+ * @author Jason Tang jtang@tresys.com
-+ *
-+ * Copyright (C) 2006-2007 Tresys Technology, LLC
-+ *
-+ * This library is free software; you can redistribute it and/or
-+ * modify it under the terms of the GNU Lesser General Public
-+ * License as published by the Free Software Foundation; either
-+ * version 2.1 of the License, or (at your option) any later version.
-+ *
-+ * This library is distributed in the hope that it will be useful,
-+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
-+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-+ * Lesser General Public License for more details.
-+ *
-+ * You should have received a copy of the GNU Lesser General Public
-+ * License along with this library; if not, write to the Free Software
-+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
-+ */
-+
-+#include
-+#include
-+#include
-+#include
-+#include "iterator_internal.h"
-+#include "qpol_internal.h"
-+#include
-+
-+typedef struct filename_trans_state
-+{
-+ filename_trans_t *head;
-+ filename_trans_t *cur;
-+} filename_trans_state_t;
-+
-+static int filename_trans_state_end(const qpol_iterator_t * iter)
-+{
-+ filename_trans_state_t *fts = NULL;
-+
-+ if (!iter || !(fts = qpol_iterator_state(iter))) {
-+ errno = EINVAL;
-+ return STATUS_ERR;
-+ }
-+
-+ return fts->cur ? 0 : 1;
-+}
-+
-+static void *filename_trans_state_get_cur(const qpol_iterator_t * iter)
-+{
-+ filename_trans_state_t *fts = NULL;
-+ const policydb_t *db = NULL;
-+
-+ if (!iter || !(fts = qpol_iterator_state(iter)) || !(db = qpol_iterator_policy(iter)) || filename_trans_state_end(iter)) {
-+ errno = EINVAL;
-+ return NULL;
-+ }
-+
-+ return fts->cur;
-+}
-+
-+static int filename_trans_state_next(qpol_iterator_t * iter)
-+{
-+ filename_trans_state_t *fts = NULL;
-+ const policydb_t *db = NULL;
-+
-+ if (!iter || !(fts = qpol_iterator_state(iter)) || !(db = qpol_iterator_policy(iter))) {
-+ errno = EINVAL;
-+ return STATUS_ERR;
-+ }
-+
-+ if (filename_trans_state_end(iter)) {
-+ errno = ERANGE;
-+ return STATUS_ERR;
-+ }
-+
-+ fts->cur = fts->cur->next;
-+
-+ return STATUS_SUCCESS;
-+}
-+
-+static size_t filename_trans_state_size(const qpol_iterator_t * iter)
-+{
-+ filename_trans_state_t *fts = NULL;
-+ const policydb_t *db = NULL;
-+ filename_trans_t *tmp = NULL;
-+ size_t count = 0;
-+
-+ if (!iter || !(fts = qpol_iterator_state(iter)) || !(db = qpol_iterator_policy(iter))) {
-+ errno = EINVAL;
-+ return STATUS_ERR;
-+ }
-+
-+ for (tmp = fts->head; tmp; tmp = tmp->next)
-+ count++;
-+
-+ return count;
-+}
-+
-+int qpol_policy_get_filename_trans_iter(const qpol_policy_t * policy, qpol_iterator_t ** iter)
-+{
-+ policydb_t *db = NULL;
-+ filename_trans_state_t *fts = NULL;
-+ int error = 0;
-+
-+ if (iter)
-+ *iter = NULL;
-+
-+ if (!policy || !iter) {
-+ ERR(policy, "%s", strerror(EINVAL));
-+ errno = EINVAL;
-+ return STATUS_ERR;
-+ }
-+
-+ db = &policy->p->p;
-+
-+ fts = calloc(1, sizeof(filename_trans_state_t));
-+ if (!fts) {
-+ /* errno set by calloc */
-+ ERR(policy, "%s", strerror(errno));
-+ return STATUS_ERR;
-+ }
-+ fts->head = fts->cur = db->filename_trans;
-+
-+ if (qpol_iterator_create
-+ (policy, (void *)fts, filename_trans_state_get_cur, filename_trans_state_next, filename_trans_state_end, filename_trans_state_size,
-+ free, iter)) {
-+ error = errno;
-+ free(fts);
-+ errno = error;
-+ return STATUS_ERR;
-+ }
-+
-+ return STATUS_SUCCESS;
-+}
-+
-+int qpol_filename_trans_get_source_type(const qpol_policy_t * policy, const qpol_filename_trans_t * rule, const qpol_type_t ** source)
-+{
-+ policydb_t *db = NULL;
-+ filename_trans_t *ft = NULL;
-+
-+ if (source) {
-+ *source = NULL;
-+ }
-+
-+ if (!policy || !rule || !source) {
-+ ERR(policy, "%s", strerror(EINVAL));
-+ errno = EINVAL;
-+ return STATUS_ERR;
-+ }
-+
-+ db = &policy->p->p;
-+ ft = (filename_trans_t *) rule;
-+
-+ *source = (qpol_type_t *) db->type_val_to_struct[ft->stype - 1];
-+
-+ return STATUS_SUCCESS;
-+}
-+
-+int qpol_filename_trans_get_target_type(const qpol_policy_t * policy, const qpol_filename_trans_t * rule, const qpol_type_t ** target)
-+{
-+ policydb_t *db = NULL;
-+ filename_trans_t *ft = NULL;
-+
-+ if (target) {
-+ *target = NULL;
-+ }
-+
-+ if (!policy || !rule || !target) {
-+ ERR(policy, "%s", strerror(EINVAL));
-+ errno = EINVAL;
-+ return STATUS_ERR;
-+ }
-+
-+ db = &policy->p->p; -+ ft = (filename_trans_t *) rule; -+ -+ *target = (qpol_type_t *) db->type_val_to_struct[ft->ttype - 1]; -+ -+ return STATUS_SUCCESS; -+} -+ -+int qpol_filename_trans_get_object_class(const qpol_policy_t * policy, const qpol_filename_trans_t * rule, -+ const qpol_class_t ** obj_class) -+{ -+ policydb_t *db = NULL; -+ filename_trans_t *ft = NULL; -+ -+ if (obj_class) { -+ *obj_class = NULL; -+ } -+ -+ if (!policy || !rule || !obj_class) { -+ ERR(policy, "%s", strerror(EINVAL)); -+ errno = EINVAL; -+ return STATUS_ERR; -+ } -+ -+ db = &policy->p->p; -+ ft = (filename_trans_t *) rule; -+ -+ *obj_class = (qpol_class_t *) db->class_val_to_struct[ft->tclass - 1]; -+ -+ return STATUS_SUCCESS; -+} -+ -+int qpol_filename_trans_get_trans_type(const qpol_policy_t * policy, const qpol_filename_trans_t * rule, const qpol_type_t ** output_type) -+{ -+ policydb_t *db = NULL; -+ filename_trans_t *ft = NULL; -+ -+ if (output_type) { -+ *output_type = NULL; -+ } -+ -+ if (!policy || !rule || !output_type) { -+ ERR(policy, "%s", strerror(EINVAL)); -+ errno = EINVAL; -+ return STATUS_ERR; -+ } -+ -+ db = &policy->p->p; -+ ft = (filename_trans_t *) rule; -+ -+ *output_type = (qpol_type_t *) db->type_val_to_struct[ft->otype - 1]; -+ -+ return STATUS_SUCCESS; -+} -+ -+int qpol_filename_trans_get_default_type(const qpol_policy_t * policy, const qpol_filename_trans_t * rule, const qpol_type_t ** dflt) -+{ -+ policydb_t *db = NULL; -+ filename_trans_t *ft = NULL; -+ -+ if (dflt) { -+ *dflt = NULL; -+ } -+ -+ if (!policy || !rule || !dflt) { -+ ERR(policy, "%s", strerror(EINVAL)); -+ errno = EINVAL; -+ return STATUS_ERR; -+ } -+ -+ db = &policy->p->p; -+ ft = (filename_trans_t *) rule; -+ -+ *dflt = (qpol_type_t *) db->type_val_to_struct[ft->otype - 1]; -+ -+ return STATUS_SUCCESS; -+} -+ -+int qpol_filename_trans_get_filename(const qpol_policy_t * policy, const qpol_filename_trans_t * rule, const char ** name) -+{ -+ policydb_t *db = NULL; -+ filename_trans_t *ft = 
NULL; -+ -+ if (name) { -+ *name = NULL; -+ } -+ -+ if (!policy || !rule || !name) { -+ ERR(policy, "%s", strerror(EINVAL)); -+ errno = EINVAL; -+ return STATUS_ERR; -+ } -+ -+ db = &policy->p->p; -+ ft = (filename_trans_t *) rule; -+ -+ *name = ft->name; -+ -+ return STATUS_SUCCESS; -+} -+ -Index: setools-3.3.7/libqpol/src/libqpol.map -=================================================================== ---- setools-3.3.7.orig/libqpol/src/libqpol.map 2013-04-03 20:03:18.406208931 +0200 -+++ setools-3.3.7/libqpol/src/libqpol.map 2013-04-03 20:03:20.690277616 +0200 -@@ -34,6 +34,7 @@ VERS_1.2 { - qpol_policy_reevaluate_conds; - qpol_portcon_*; - qpol_range_trans_*; -+ qpol_filename_trans_*; - qpol_role_*; - qpol_syn_avrule_*; - qpol_syn_terule_*; -Index: setools-3.3.7/libqpol/src/module_compiler.c -=================================================================== ---- setools-3.3.7.orig/libqpol/src/module_compiler.c 2013-04-03 20:03:18.407208961 +0200 -+++ setools-3.3.7/libqpol/src/module_compiler.c 2013-04-03 20:03:20.690277616 +0200 -@@ -1256,6 +1256,18 @@ void append_role_allow(role_allow_rule_t - } - - /* this doesn't actually append, but really prepends it */ -+void append_filename_trans(filename_trans_rule_t * filename_trans_rules) -+{ -+ avrule_decl_t *decl = stack_top->decl; -+ -+ /* filename transitions are not allowed within conditionals */ -+ assert(stack_top->type == 1); -+ -+ filename_trans_rules->next = decl->filename_trans_rules; -+ decl->filename_trans_rules = filename_trans_rules; -+} -+ -+/* this doesn't actually append, but really prepends it */ - void append_range_trans(range_trans_rule_t * range_tr_rules) - { - avrule_decl_t *decl = stack_top->decl; -Index: setools-3.3.7/libqpol/src/policy_define.c -=================================================================== ---- setools-3.3.7.orig/libqpol/src/policy_define.c 2013-04-03 20:03:13.729068283 +0200 -+++ setools-3.3.7/libqpol/src/policy_define.c 2013-04-03 20:05:00.843289193 +0200 -@@ 
-2227,6 +2227,190 @@ int define_role_allow(void) - return 0; - } - -+avrule_t *define_cond_filename_trans(void) -+{ -+ yyerror("type transitions with a filename not allowed inside " -+ "conditionals\n"); -+ return COND_ERR; -+} -+ -+int define_filename_trans(void) -+{ -+ char *id, *name = NULL; -+ type_set_t stypes, ttypes; -+ ebitmap_t e_stypes, e_ttypes; -+ ebitmap_t e_tclasses; -+ ebitmap_node_t *snode, *tnode, *cnode; -+ filename_trans_t *ft; -+ filename_trans_rule_t *ftr; -+ class_datum_t *cladatum; -+ type_datum_t *typdatum; -+ uint32_t otype; -+ unsigned int c, s, t; -+ int add; -+ -+ if (pass == 1) { -+ /* stype */ -+ while ((id = queue_remove(id_queue))) -+ free(id); -+ /* ttype */ -+ while ((id = queue_remove(id_queue))) -+ free(id); -+ /* tclass */ -+ while ((id = queue_remove(id_queue))) -+ free(id); -+ /* otype */ -+ id = queue_remove(id_queue); -+ free(id); -+ /* name */ -+ id = queue_remove(id_queue); -+ free(id); -+ return 0; -+ } -+ -+ -+ add = 1; -+ type_set_init(&stypes); -+ while ((id = queue_remove(id_queue))) { -+ if (set_types(&stypes, id, &add, 0)) -+ goto bad; -+ } -+ -+ add =1; -+ type_set_init(&ttypes); -+ while ((id = queue_remove(id_queue))) { -+ if (set_types(&ttypes, id, &add, 0)) -+ goto bad; -+ } -+ -+ ebitmap_init(&e_tclasses); -+ while ((id = queue_remove(id_queue))) { -+ if (!is_id_in_scope(SYM_CLASSES, id)) { -+ yyerror2("class %s is not within scope", id); -+ free(id); -+ goto bad; -+ } -+ cladatum = hashtab_search(policydbp->p_classes.table, id); -+ if (!cladatum) { -+ yyerror2("unknown class %s", id); -+ goto bad; -+ } -+ if (ebitmap_set_bit(&e_tclasses, cladatum->s.value - 1, TRUE)) { -+ yyerror("Out of memory"); -+ goto bad; -+ } -+ free(id); -+ } -+ -+ id = (char *)queue_remove(id_queue); -+ if (!id) { -+ yyerror("no otype in transition definition?"); -+ goto bad; -+ } -+ if (!is_id_in_scope(SYM_TYPES, id)) { -+ yyerror2("type %s is not within scope", id); -+ free(id); -+ goto bad; -+ } -+ typdatum = 
hashtab_search(policydbp->p_types.table, id); -+ if (!typdatum) { -+ yyerror2("unknown type %s used in transition definition", id); -+ goto bad; -+ } -+ free(id); -+ otype = typdatum->s.value; -+ -+ name = queue_remove(id_queue); -+ if (!name) { -+ yyerror("no pathname specified in filename_trans definition?"); -+ goto bad; -+ } -+ -+ /* We expand the class set into seperate rules. We expand the types -+ * just to make sure there are not duplicates. They will get turned -+ * into seperate rules later */ -+ ebitmap_init(&e_stypes); -+ if (type_set_expand(&stypes, &e_stypes, policydbp, 1)) -+ goto bad; -+ -+ ebitmap_init(&e_ttypes); -+ if (type_set_expand(&ttypes, &e_ttypes, policydbp, 1)) -+ goto bad; -+ -+ ebitmap_for_each_bit(&e_tclasses, cnode, c) { -+ if (!ebitmap_node_get_bit(cnode, c)) -+ continue; -+ ebitmap_for_each_bit(&e_stypes, snode, s) { -+ if (!ebitmap_node_get_bit(snode, s)) -+ continue; -+ ebitmap_for_each_bit(&e_ttypes, tnode, t) { -+ if (!ebitmap_node_get_bit(tnode, t)) -+ continue; -+ -+ for (ft = policydbp->filename_trans; ft; ft = ft->next) { -+ if (ft->stype == (s + 1) && -+ ft->ttype == (t + 1) && -+ ft->tclass == (c + 1) && -+ !strcmp(ft->name, name)) { -+ yyerror2("duplicate filename transition for: filename_trans %s %s %s:%s", -+ name, -+ policydbp->p_type_val_to_name[s], -+ policydbp->p_type_val_to_name[t], -+ policydbp->p_class_val_to_name[c]); -+ goto bad; -+ } -+ } -+ -+ ft = malloc(sizeof(*ft)); -+ if (!ft) { -+ yyerror("out of memory"); -+ goto bad; -+ } -+ memset(ft, 0, sizeof(*ft)); -+ -+ ft->next = policydbp->filename_trans; -+ policydbp->filename_trans = ft; -+ -+ ft->name = strdup(name); -+ if (!ft->name) { -+ yyerror("out of memory"); -+ goto bad; -+ } -+ ft->stype = s + 1; -+ ft->ttype = t + 1; -+ ft->tclass = c + 1; -+ ft->otype = otype; -+ } -+ } -+ -+ /* Now add the real rule since we didn't find any duplicates */ -+ ftr = malloc(sizeof(*ftr)); -+ if (!ftr) { -+ yyerror("out of memory"); -+ goto bad; -+ } -+ 
filename_trans_rule_init(ftr); -+ append_filename_trans(ftr); -+ -+ ftr->name = strdup(name); -+ ftr->stypes = stypes; -+ ftr->ttypes = ttypes; -+ ftr->tclass = c + 1; -+ ftr->otype = otype; -+ } -+ -+ free(name); -+ ebitmap_destroy(&e_stypes); -+ ebitmap_destroy(&e_ttypes); -+ ebitmap_destroy(&e_tclasses); -+ -+ return 0; -+ -+bad: -+ free(name); -+ return -1; -+} -+ - static constraint_expr_t *constraint_expr_clone(constraint_expr_t * expr) - { - constraint_expr_t *h = NULL, *l = NULL, *e, *newe; -Index: setools-3.3.7/libqpol/src/policy_parse.y -=================================================================== ---- setools-3.3.7.orig/libqpol/src/policy_parse.y 2013-04-03 20:03:18.409209021 +0200 -+++ setools-3.3.7/libqpol/src/policy_parse.y 2013-04-03 20:03:20.691277646 +0200 -@@ -98,6 +98,7 @@ extern char *qpol_src_inputlim;/* end of - %type require_decl_def - - %token PATH -+%token FILENAME - %token CLONE - %token COMMON - %token CLASS -@@ -360,7 +361,10 @@ cond_rule_def : cond_transitio - | require_block - { $$ = NULL; } - ; --cond_transition_def : TYPE_TRANSITION names names ':' names identifier ';' -+cond_transition_def : TYPE_TRANSITION names names ':' names identifier filename ';' -+ { $$ = define_cond_filename_trans() ; -+ if ($$ == COND_ERR) return -1;} -+ | TYPE_TRANSITION names names ':' names identifier ';' - { $$ = define_cond_compute_type(AVRULE_TRANSITION) ; - if ($$ == COND_ERR) return -1;} - | TYPE_MEMBER names names ':' names identifier ';' -@@ -395,7 +399,9 @@ cond_dontaudit_def : DONTAUDIT names nam - { $$ = define_cond_te_avtab(AVRULE_DONTAUDIT); - if ($$ == COND_ERR) return -1; } - ; --transition_def : TYPE_TRANSITION names names ':' names identifier ';' -+transition_def : TYPE_TRANSITION names names ':' names identifier filename ';' -+ {if (define_filename_trans()) return -1; } -+ | TYPE_TRANSITION names names ':' names identifier ';' - {if (define_compute_type(AVRULE_TRANSITION)) return -1;} - | TYPE_MEMBER names names ':' names 
identifier ';' - {if (define_compute_type(AVRULE_MEMBER)) return -1;} -@@ -752,6 +758,9 @@ identifier : IDENTIFIER - path : PATH - { if (insert_id(yytext,0)) return -1; } - ; -+filename : FILENAME -+ { yytext[strlen(yytext) - 1] = '\0'; if (insert_id(yytext + 1,0)) return -1; } -+ ; - number : NUMBER - { $$ = strtoul(yytext,NULL,0); } - ; -Index: setools-3.3.7/libqpol/src/policy_scan.l -=================================================================== ---- setools-3.3.7.orig/libqpol/src/policy_scan.l 2013-04-03 20:03:18.409209021 +0200 -+++ setools-3.3.7/libqpol/src/policy_scan.l 2013-04-03 20:03:20.692277676 +0200 -@@ -235,6 +235,7 @@ POLICYCAP { return(POLICYCAP); } - permissive | - PERMISSIVE { return(PERMISSIVE); } - "/"({alnum}|[_\.\-/])* { return(PATH); } -+\"({alnum}|[_\.\-])+\" { return(FILENAME); } - {letter}({alnum}|[_\-])*([\.]?({alnum}|[_\-]))* { return(IDENTIFIER); } - {digit}+|0x{hexval}+ { return(NUMBER); } - {digit}{1,3}(\.{digit}{1,3}){3} { return(IPV4_ADDR); } -Index: setools-3.3.7/secmds/sesearch.c -=================================================================== ---- setools-3.3.7.orig/secmds/sesearch.c 2013-04-03 20:03:18.410209051 +0200 -+++ setools-3.3.7/secmds/sesearch.c 2013-04-03 20:03:20.692277676 +0200 -@@ -575,6 +575,95 @@ static void print_te_results(const apol_ - free(expr); - } - -+static int perform_ft_query(const apol_policy_t * policy, const options_t * opt, apol_vector_t ** v) -+{ -+ apol_filename_trans_query_t *ftq = NULL; -+ int error = 0; -+ -+ if (!policy || !opt || !v) { -+ ERR(policy, "%s", strerror(EINVAL)); -+ errno = EINVAL; -+ return -1; -+ } -+ -+ if (!opt->type == QPOL_RULE_TYPE_TRANS && !opt->all) { -+ *v = NULL; -+ return 0; /* no search to do */ -+ } -+ -+ ftq = apol_filename_trans_query_create(); -+ if (!ftq) { -+ ERR(policy, "%s", strerror(ENOMEM)); -+ errno = ENOMEM; -+ return -1; -+ } -+ -+ apol_filename_trans_query_set_regex(policy, ftq, opt->useregex); -+ if (opt->src_name) { -+ if 
(apol_filename_trans_query_set_source(policy, ftq, opt->src_name)) { -+ error = errno; -+ goto err; -+ } -+ } -+ if (opt->tgt_name) { -+ if (apol_filename_trans_query_set_target(policy, ftq, opt->tgt_name, opt->indirect)) { -+ error = errno; -+ goto err; -+ } -+ } -+ -+ if (apol_filename_trans_get_by_query(policy, ftq, v)) { -+ error = errno; -+ goto err; -+ } -+ -+ apol_filename_trans_query_destroy(&ftq); -+ return 0; -+ -+ err: -+ apol_vector_destroy(v); -+ apol_filename_trans_query_destroy(&ftq); -+ ERR(policy, "%s", strerror(error)); -+ errno = error; -+ return -1; -+} -+ -+static void print_ft_results(const apol_policy_t * policy, const options_t * opt, const apol_vector_t * v) -+{ -+ qpol_policy_t *q = apol_policy_get_qpol(policy); -+ size_t i, num_rules = 0; -+ const qpol_filename_trans_t *rule = NULL; -+ char *tmp = NULL, *rule_str = NULL, *expr = NULL; -+ char enable_char = ' ', branch_char = ' '; -+ qpol_iterator_t *iter = NULL; -+ const qpol_cond_t *cond = NULL; -+ uint32_t enabled = 0, list = 0; -+ -+ if (!(num_rules = apol_vector_get_size(v))) -+ goto cleanup; -+ -+ fprintf(stdout, "Found %zd named file transition rules:\n", num_rules); -+ -+ for (i = 0; i < num_rules; i++) { -+ enable_char = branch_char = ' '; -+ if (!(rule = apol_vector_get_element(v, i))) -+ goto cleanup; -+ -+ if (!(rule_str = apol_filename_trans_render(policy, rule))) -+ goto cleanup; -+ fprintf(stdout, "%s %s\n", rule_str, expr ? 
expr : ""); -+ free(rule_str); -+ rule_str = NULL; -+ free(expr); -+ expr = NULL; -+ } -+ -+ cleanup: -+ free(tmp); -+ free(rule_str); -+ free(expr); -+} -+ - static int perform_ra_query(const apol_policy_t * policy, const options_t * opt, apol_vector_t ** v) - { - apol_role_allow_query_t *raq = NULL; -@@ -1128,6 +1217,18 @@ int main(int argc, char **argv) - print_te_results(policy, &cmd_opts, v); - fprintf(stdout, "\n"); - } -+ -+ if (cmd_opts.all || cmd_opts.type == QPOL_RULE_TYPE_TRANS) { -+ apol_vector_destroy(&v); -+ if (perform_ft_query(policy, &cmd_opts, &v)) { -+ rt = 1; -+ goto cleanup; -+ } -+ -+ print_ft_results(policy, &cmd_opts, v); -+ fprintf(stdout, "\n"); -+ } -+ - apol_vector_destroy(&v); - if (perform_ra_query(policy, &cmd_opts, &v)) { - rt = 1; -Index: setools-3.3.7/libapol/include/apol/Makefile.am -=================================================================== ---- setools-3.3.7.orig/libapol/include/apol/Makefile.am 2013-04-03 20:03:18.412209111 +0200 -+++ setools-3.3.7/libapol/include/apol/Makefile.am 2013-04-03 20:03:20.693277706 +0200 -@@ -27,6 +27,7 @@ apol_HEADERS = \ - relabel-analysis.h \ - render.h \ - role-query.h \ -+ ftrule-query.h \ - terule-query.h \ - type-query.h \ - types-relation-analysis.h \ -Index: setools-3.3.7/libqpol/include/qpol/Makefile.am -=================================================================== ---- setools-3.3.7.orig/libqpol/include/qpol/Makefile.am 2013-04-03 20:03:18.412209111 +0200 -+++ setools-3.3.7/libqpol/include/qpol/Makefile.am 2013-04-03 20:03:20.693277706 +0200 -@@ -25,6 +25,7 @@ qpol_HEADERS = \ - role_query.h \ - syn_rule_query.h \ - terule_query.h \ -+ ftrule_query.h \ - type_query.h \ - user_query.h \ - util.h diff --git a/0007-Remove-unused-variables.patch b/0007-Remove-unused-variables.patch deleted file mode 100644 index 9d1ec8f..0000000 --- a/0007-Remove-unused-variables.patch +++ /dev/null 
@@ -1,277 +0,0 @@ -From e30036e358b8f1c3f56048b467e8646fa3bfffb6 Mon Sep 17 00:00:00 2001 -From: Dan Walsh -Date: Tue, 20 Sep 2011 16:40:26 -0400 -Subject: [PATCH 7/7] Remove unused variables - ---- - libapol/src/ftrule-query.c | 11 ++---- - libqpol/src/ftrule_query.c | 2 - - secmds/sesearch.c | 86 +++++++++++++++++++++++++++++++++----------- - 3 files changed, 68 insertions(+), 31 deletions(-) - -diff --git a/libapol/src/ftrule-query.c b/libapol/src/ftrule-query.c -index dc248de..9c7a23b 100644 ---- a/libapol/src/ftrule-query.c -+++ b/libapol/src/ftrule-query.c -@@ -45,14 +45,11 @@ struct apol_filename_trans_query - int apol_filename_trans_get_by_query(const apol_policy_t * p, const apol_filename_trans_query_t * t, apol_vector_t ** v) - { - apol_vector_t *source_list = NULL, *target_list = NULL, *class_list = NULL, *default_list = NULL; -- int retval = -1, source_as_any = 0, is_regex = 0, append_filename_trans; -- char *bool_name = NULL; -+ int retval = -1, source_as_any = 0, is_regex = 0; - *v = NULL; -- unsigned int flags = 0; -- qpol_iterator_t *iter = NULL, *type_iter = NULL; -+ qpol_iterator_t *iter = NULL; - - if (t != NULL) { -- flags = t->flags; - is_regex = t->flags & APOL_QUERY_REGEX; - if (t->source != NULL && - (source_list = -@@ -104,7 +101,7 @@ int apol_filename_trans_get_by_query(const apol_policy_t * p, const apol_filenam - if (qpol_iterator_get_item(iter, (void **)&filename_trans) < 0) { - goto cleanup; - } -- int match_source = 0, match_target = 0, match_default = 0, match_bool = 0; -+ int match_source = 0, match_target = 0, match_default = 0; - size_t i; - - if (source_list == NULL) { -@@ -265,10 +262,8 @@ char *apol_filename_trans_render(const apol_policy_t * policy, const qpol_filena - { - char *tmp = NULL; - const char *tmp_name = NULL; -- const char *filename_trans_type_str; - int error = 0; - size_t tmp_sz = 0; -- uint32_t filename_trans_type = 0; - const qpol_type_t *type = NULL; - const qpol_class_t *obj_class = NULL; - -diff --git 
a/libqpol/src/ftrule_query.c b/libqpol/src/ftrule_query.c -index d6db848..3148d30 100644 ---- a/libqpol/src/ftrule_query.c -+++ b/libqpol/src/ftrule_query.c -@@ -254,7 +254,6 @@ int qpol_filename_trans_get_default_type(const qpol_policy_t * policy, const qpo - - int qpol_filename_trans_get_filename(const qpol_policy_t * policy, const qpol_filename_trans_t * rule, const char ** name) - { -- policydb_t *db = NULL; - filename_trans_t *ft = NULL; - - if (name) { -@@ -267,7 +266,6 @@ int qpol_filename_trans_get_filename(const qpol_policy_t * policy, const qpol_fi - return STATUS_ERR; - } - -- db = &policy->p->p; - ft = (filename_trans_t *) rule; - - *name = ft->name; -diff --git a/secmds/sesearch.c b/secmds/sesearch.c -index e44b3bc..319ffe7 100644 ---- a/secmds/sesearch.c -+++ b/secmds/sesearch.c -@@ -72,6 +72,7 @@ static struct option const longopts[] = { - - {"source", required_argument, NULL, 's'}, - {"target", required_argument, NULL, 't'}, -+ {"default", required_argument, NULL, 'D'}, - {"role_source", required_argument, NULL, EXPR_ROLE_SOURCE}, - {"role_target", required_argument, NULL, EXPR_ROLE_TARGET}, - {"class", required_argument, NULL, 'c'}, -@@ -92,6 +93,7 @@ typedef struct options - { - char *src_name; - char *tgt_name; -+ char *default_name; - char *src_role_name; - char *tgt_role_name; - char *class_name; -@@ -293,7 +295,8 @@ static void print_syn_av_results(const apol_policy_t * policy, const options_t * - tmp = apol_cond_expr_render(policy, cond); - enable_char = (enabled ? 'E' : 'D'); - branch_char = ((is_true && enabled) || (!is_true && !enabled) ? 'T' : 'F'); -- asprintf(&expr, "[ %s ]", tmp); -+ if (asprintf(&expr, "[ %s ]", tmp) < 0) -+ goto cleanup; - free(tmp); - tmp = NULL; - if (!expr) -@@ -356,7 +359,8 @@ static void print_av_results(const apol_policy_t * policy, const options_t * opt - qpol_iterator_destroy(&iter); - enable_char = (enabled ? 'E' : 'D'); - branch_char = (list ? 
'T' : 'F'); -- asprintf(&expr, "[ %s ]", tmp); -+ if (asprintf(&expr, "[ %s ]", tmp) < 0) -+ goto cleanup; - free(tmp); - tmp = NULL; - if (!expr) -@@ -488,7 +492,8 @@ static void print_syn_te_results(const apol_policy_t * policy, const options_t * - tmp = apol_cond_expr_render(policy, cond); - enable_char = (enabled ? 'E' : 'D'); - branch_char = ((is_true && enabled) || (!is_true && !enabled) ? 'T' : 'F'); -- asprintf(&expr, "[ %s ]", tmp); -+ if (asprintf(&expr, "[ %s ]", tmp) < 0) -+ goto cleanup; - free(tmp); - tmp = NULL; - if (!expr) -@@ -553,7 +558,8 @@ static void print_te_results(const apol_policy_t * policy, const options_t * opt - qpol_iterator_destroy(&iter); - enable_char = (enabled ? 'E' : 'D'); - branch_char = (list ? 'T' : 'F'); -- asprintf(&expr, "[ %s ]", tmp); -+ if (asprintf(&expr, "[ %s ]", tmp) < 0) -+ goto cleanup; - free(tmp); - tmp = NULL; - if (!expr) -@@ -586,7 +592,7 @@ static int perform_ft_query(const apol_policy_t * policy, const options_t * opt, - return -1; - } - -- if (!opt->type == QPOL_RULE_TYPE_TRANS && !opt->all) { -+ if (!opt->type && !opt->all) { - *v = NULL; - return 0; /* no search to do */ - } -@@ -600,17 +606,44 @@ static int perform_ft_query(const apol_policy_t * policy, const options_t * opt, - - apol_filename_trans_query_set_regex(policy, ftq, opt->useregex); - if (opt->src_name) { -- if (apol_filename_trans_query_set_source(policy, ftq, opt->src_name)) { -+ if (apol_filename_trans_query_set_source(policy, ftq, opt->src_name, opt->indirect)) { - error = errno; - goto err; - } - } -+ - if (opt->tgt_name) { - if (apol_filename_trans_query_set_target(policy, ftq, opt->tgt_name, opt->indirect)) { - error = errno; - goto err; - } - } -+ if (opt->default_name) { -+ if (apol_filename_trans_query_set_default(policy, ftq, opt->default_name)) { -+ error = errno; -+ goto err; -+ } -+ } -+ -+ if (opt->class_name) { -+ if (opt->class_vector == NULL) { -+ if (apol_filename_trans_query_append_class(policy, ftq, opt->class_name)) { -+ 
error = errno; -+ goto err; -+ } -+ } else { -+ for (size_t i = 0; i < apol_vector_get_size(opt->class_vector); ++i) { -+ char *class_name; -+ class_name = apol_vector_get_element(opt->class_vector, i); -+ if (!class_name) -+ continue; -+ if (apol_filename_trans_query_append_class(policy, ftq, class_name)) { -+ error = errno; -+ goto err; -+ } -+ } -+ } -+ } - - if (apol_filename_trans_get_by_query(policy, ftq, v)) { - error = errno; -@@ -630,37 +663,36 @@ static int perform_ft_query(const apol_policy_t * policy, const options_t * opt, - - static void print_ft_results(const apol_policy_t * policy, const options_t * opt, const apol_vector_t * v) - { -- qpol_policy_t *q = apol_policy_get_qpol(policy); -- size_t i, num_rules = 0; -- const qpol_filename_trans_t *rule = NULL; -- char *tmp = NULL, *rule_str = NULL, *expr = NULL; -+ size_t i, num_filename_trans = 0; -+ const qpol_filename_trans_t *filename_trans = NULL; -+ char *tmp = NULL, *filename_trans_str = NULL, *expr = NULL; - char enable_char = ' ', branch_char = ' '; - qpol_iterator_t *iter = NULL; - const qpol_cond_t *cond = NULL; - uint32_t enabled = 0, list = 0; - -- if (!(num_rules = apol_vector_get_size(v))) -+ if (!(num_filename_trans = apol_vector_get_size(v))) - goto cleanup; - -- fprintf(stdout, "Found %zd named file transition rules:\n", num_rules); -+ fprintf(stdout, "Found %zd named file transition filename_trans:\n", num_filename_trans); - -- for (i = 0; i < num_rules; i++) { -+ for (i = 0; i < num_filename_trans; i++) { - enable_char = branch_char = ' '; -- if (!(rule = apol_vector_get_element(v, i))) -+ if (!(filename_trans = apol_vector_get_element(v, i))) - goto cleanup; - -- if (!(rule_str = apol_filename_trans_render(policy, rule))) -+ if (!(filename_trans_str = apol_filename_trans_render(policy, filename_trans))) - goto cleanup; -- fprintf(stdout, "%s %s\n", rule_str, expr ? expr : ""); -- free(rule_str); -- rule_str = NULL; -+ fprintf(stdout, "%s %s\n", filename_trans_str, expr ? 
expr : "");
-+ free(filename_trans_str);
-+ filename_trans_str = NULL;
- free(expr);
- expr = NULL;
- }
- 
- cleanup:
- free(tmp);
-- free(rule_str);
-+ free(filename_trans_str);
- free(expr);
- }
- 
-@@ -930,7 +962,7 @@ int main(int argc, char **argv)
- 
- memset(&cmd_opts, 0, sizeof(cmd_opts));
- cmd_opts.indirect = true;
-- while ((optc = getopt_long(argc, argv, "ATs:t:c:p:b:dRnSChV", longopts, NULL)) != -1) {
-+ while ((optc = getopt_long(argc, argv, "ATs:t:c:p:b:dD:RnSChV", longopts, NULL)) != -1) {
- switch (optc) {
- case 0:
- break;
-@@ -946,6 +978,18 @@ int main(int argc, char **argv)
- exit(1);
- }
- break;
-+ case 'D': /* source */
-+ if (optarg == 0) {
-+ usage(argv[0], 1);
-+ printf("Missing source default type for -D (--default)\n");
-+ exit(1);
-+ }
-+ cmd_opts.default_name = strdup(optarg);
-+ if (!cmd_opts.default_name) {
-+
-+ exit(1);
-+ }
-+ break;
- case 't': /* target */
- if (optarg == 0) {
- usage(argv[0], 1);
-@@ -1218,7 +1262,7 @@ int main(int argc, char **argv)
- fprintf(stdout, "\n");
- }
- 
-- if (cmd_opts.all || cmd_opts.type == QPOL_RULE_TYPE_TRANS) {
-+ if (cmd_opts.all || cmd_opts.type) {
- apol_vector_destroy(&v);
- if (perform_ft_query(policy, &cmd_opts, &v)) {
- rt = 1;
--- 
-1.7.6.2
-
diff --git a/setools-3.3.7.tar.bz2 b/setools-3.3.7.tar.bz2
deleted file mode 100644
index 00e3f09..0000000
--- a/setools-3.3.7.tar.bz2
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:2bfa0918746bdcc910b16b26a51109a4ffd07404c306141ada584cb36e3c895a
-size 940657
diff --git a/setools-3.3.8.tar.gz b/setools-3.3.8.tar.gz
new file mode 100644
index 0000000..3d2111b
--- /dev/null
+++ b/setools-3.3.8.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:49494d15d61516ba0c09bfaf5fdc069954ed1ae1e014213254e7d545e97552df
+size 1184419
diff --git a/setools-3.3.6-libsepol.patch b/setools-libsepol.patch
similarity index 68%
rename from setools-3.3.6-libsepol.patch
rename to setools-libsepol.patch
index 0e6e5dc..74770f5 100644
--- a/setools-3.3.6-libsepol.patch
+++ b/setools-libsepol.patch
@@ -29,16 +29,4 @@ Index: setools-3.3.6/configure.ac
 }])],
 AC_MSG_RESULT([yes]),
 AC_MSG_ERROR([this version of libsepol is incompatible with SETools]))
-Index: setools-3.3.6/libqpol/src/policy_define.c
-===================================================================
---- setools-3.3.6.orig/libqpol/src/policy_define.c
-+++ setools-3.3.6/libqpol/src/policy_define.c
-@@ -2031,7 +2031,7 @@ int define_role_trans(void)
- 
- /* This ebitmap business is just to ensure that there are not conflicting role_trans rules */
- #ifdef HAVE_SEPOL_USER_ROLE_MAPPING
-- if (role_set_expand(&roles, &e_roles, policydbp, NULL))
-+ if (role_set_expand(&roles, &e_roles, policydbp, NULL, NULL))
- #else
- if (role_set_expand(&roles, &e_roles, policydbp))
- #endif
+
diff --git a/setools-python.patch b/setools-python.patch
deleted file mode 100644
index c3a146a..0000000
--- a/setools-python.patch
+++ /dev/null
@@ -1,1311 +0,0 @@
-Index: setools-3.3.6/configure.ac
-===================================================================
---- setools-3.3.6.orig/configure.ac
-+++ setools-3.3.6/configure.ac
-@@ -216,6 +216,9 @@ if test "x${enable_jswig}" = xyes; then
- do_swigify_java=yes
- do_swigify=yes
- fi
-+
-+AM_PATH_PYTHON(2.6)
-+
- AC_ARG_ENABLE(swig-python,
- AC_HELP_STRING([--enable-swig-python],
- [build SWIG interfaces for Python]),
-@@ -224,7 +227,6 @@ if test "x${enable_pyswig}" = xyes; then
- if test ${do_swigify} = no; then
- AC_PROG_SWIG(1.3.28)
- fi
-- AM_PATH_PYTHON(2.3)
- SWIG_PYTHON
- do_swigify_python=yes
- do_swigify=yes
-@@ -873,6 +875,8 @@ AC_CONFIG_FILES([Makefile VERSION \
- sediff/Makefile \
- man/Makefile \
- debian/Makefile \
-+ python/Makefile \
-+ python/setools/Makefile \
- packages/Makefile packages/rpm/Makefile \
- packages/libqpol.pc packages/libapol.pc packages/libpoldiff.pc packages/libseaudit.pc packages/libsefs.pc])
-
-Index: setools-3.3.6/Makefile.am
-===================================================================
---- setools-3.3.6.orig/Makefile.am
-+++ setools-3.3.6/Makefile.am
-@@ -10,7 +10,7 @@ if BUILD_GUI
- endif
- # sediffx is also built conditionally, from sediffx/Makefile.am
-
--SUBDIRS = libqpol libapol libsefs libpoldiff libseaudit secmds sechecker sediff man packages debian $(MAYBE_APOL) $(MAYBE_GUI)
-+SUBDIRS = libqpol libapol libsefs libpoldiff libseaudit secmds sechecker sediff man packages debian $(MAYBE_APOL) $(MAYBE_GUI) python
-
- #old indent opts
- #INDENT_OPTS = -npro -nbad -bap -sob -ss -l132 -di1 -nbc -br -nbbb -c40 -cd40 -ncdb -ce -cli0 -cp40 -ncs -d0 -nfc1 -nfca -i8 -ts8 -ci8 -lp -ip0 -npcs -npsl -sc
-Index: setools-3.3.6/python/Makefile.am
-===================================================================
---- /dev/null
-+++ setools-3.3.6/python/Makefile.am
-@@ -0,0 +1 @@
-+SUBDIRS = setools
-Index: setools-3.3.6/python/setools/__init__.py
-===================================================================
---- /dev/null
-+++ setools-3.3.6/python/setools/__init__.py
-@@ -0,0 +1,49 @@
-+#!/usr/bin/env python
-+
-+# Author: Thomas Liu
-+
-+import _sesearch
-+import _seinfo
-+import types
-+
-+TYPE = _seinfo.TYPE
-+ROLE = _seinfo.ROLE
-+ATTRIBUTE = _seinfo.ATTRIBUTE
-+USER = _seinfo.USER
-+
-+ALLOW = 'allow'
-+AUDITALLOW = 'auditallow'
-+NEVERALLOW = 'neverallow'
-+DONTAUDIT = 'dontaudit'
-+SCONTEXT = 'scontext'
-+TCONTEXT = 'tcontext'
-+PERMS = 'permlist'
-+CLASS = 'class'
-+
-+def sesearch(types, info):
-+ valid_types = [ALLOW, AUDITALLOW, NEVERALLOW, DONTAUDIT]
-+ for type in types:
-+ if type not in valid_types:
-+ raise ValueError("Type has to be in %s" % valid_types)
-+ info[type] = True
-+
-+ perms = []
-+ if PERMS in info:
-+ perms = info[PERMS]
-+ info[PERMS] = ",".join(info[PERMS])
-+
-+
-+ dict_list = _sesearch.sesearch(info)
-+ if len(perms) != 0:
-+ dict_list = filter(lambda x: dict_has_perms(x, perms), dict_list)
-+ return dict_list
-+
-+def dict_has_perms(dict, perms):
-+ for perm in perms:
-+ if perm not in dict[PERMS]:
-+ return False
-+ return True
-+
-+def seinfo(setype, name=None):
-+ dict_list = _seinfo.seinfo(setype, name)
-+ return dict_list
-Index: setools-3.3.6/python/setools/Makefile.am
-===================================================================
---- /dev/null
-+++ setools-3.3.6/python/setools/Makefile.am
-@@ -0,0 +1,36 @@
-+EXTRA_DIST = \
-+ sesearch.c \
-+ seinfo.c \
-+ __init__.py \
-+ setup.py \
-+ $(NULL)
-+
-+AM_CFLAGS = @DEBUGCFLAGS@ @WARNCFLAGS@ @PROFILECFLAGS@ @SELINUX_CFLAGS@ \
-+ @QPOL_CFLAGS@ @APOL_CFLAGS@
-+AM_CXXFLAGS = @DEBUGCXXFLAGS@ @WARNCXXFLAGS@ @PROFILECFLAGS@ @SELINUX_CFLAGS@ \
-+ @QPOL_CFLAGS@ @APOL_CFLAGS@ @SEFS_CFLAGS@
-+AM_LDFLAGS = @DEBUGLDFLAGS@ @WARNLDFLAGS@ @PROFILELDFLAGS@
-+
-+LDADD = @SELINUX_LIB_FLAG@ @APOL_LIB_FLAG@ @QPOL_LIB_FLAG@
-+DEPENDENCIES = $(top_builddir)/libapol/src/libapol.so $(top_builddir)/libqpol/src/libqpol.so
-+all-am: python-build
-+
-+seinfo_SOURCES = seinfo.c
-+
-+sesearch_SOURCES = 
sesearch.c
-+
-+python-build: sesearch.c seinfo.c
-+ @mkdir -p setools
-+ @cp __init__.py setools
-+ LIBS="$(QPOL_LIB_FLAG) $(APOL_LIB_FLAG)" INCLUDES="$(QPOL_CFLAGS) $(APOL_CFLAGS)" $(PYTHON) setup.py build
-+
-+install-exec-hook:
-+ $(PYTHON) setup.py install `test -n "$(DESTDIR)" && echo --root $(DESTDIR)`
-+
-+uninstall-hook:
-+ $(PYTHON) setup.py uninstall `test -n "$(DESTDIR)" && echo --root $(DESTDIR)`
-+
-+clean-local:
-+ $(PYTHON) setup.py clean -a
-+ rm -f *~
-+
-Index: setools-3.3.6/python/setools/seinfo.c
-===================================================================
---- /dev/null
-+++ setools-3.3.6/python/setools/seinfo.c
-@@ -0,0 +1,649 @@
-+/**
-+ * @file
-+ * Command line tool to search TE rules.
-+ *
-+ * @author Frank Mayer mayerf@tresys.com
-+ * @author Jeremy A. Mowery jmowery@tresys.com
-+ * @author Paul Rosenfeld prosenfeld@tresys.com
-+ * @author Thomas Liu
-+ * @author Dan Walsh
-+ *
-+ * Copyright (C) 2003-2008 Tresys Technology, LLC
-+ *
-+ * This program is free software; you can redistribute it and/or modify
-+ * it under the terms of the GNU General Public License as published by
-+ * the Free Software Foundation; either version 2 of the License, or
-+ * (at your option) any later version.
-+ *
-+ * This program is distributed in the hope that it will be useful,
-+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
-+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-+ * GNU General Public License for more details.
-+ *
-+ * You should have received a copy of the GNU General Public License
-+ * along with this program; if not, write to the Free Software
-+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
-+ */
-+
-+/**
-+ * This is a modified version of seinfo to be used as part of a library for
-+ * Python bindings. 
-+ */
-+
-+#include "Python.h"
-+
-+/* libapol */
-+#include
-+#include
-+#include
-+#include
-+#include
-+
-+/* libqpol */
-+#include
-+#include
-+
-+/* other */
-+#include
-+#include
-+#include
-+#include
-+#include
-+
-+#define COPYRIGHT_INFO "Copyright (C) 2003-2007 Tresys Technology, LLC"
-+static char *policy_file = NULL;
-+
-+enum input
-+{
-+ TYPE, ATTRIBUTE, ROLE, USER
-+};
-+
-+/**
-+ * Gets a textual representation of an attribute, and
-+ * all of that attribute's types.
-+ *
-+ * @param type_datum Reference to sepol type_datum
-+ * @param policydb Reference to a policy
-+ */
-+static PyObject* get_attr(const qpol_type_t * type_datum, const apol_policy_t * policydb)
-+{
-+ int retval = -1;
-+ PyObject *dict = PyDict_New();
-+ const qpol_type_t *attr_datum = NULL;
-+ qpol_iterator_t *iter = NULL;
-+ const char *attr_name = NULL, *type_name = NULL;
-+ qpol_policy_t *q = apol_policy_get_qpol(policydb);
-+ unsigned char isattr;
-+
-+ if (qpol_type_get_name(q, type_datum, &attr_name))
-+ goto cleanup;
-+ PyObject *obj = PyString_FromString(attr_name);
-+ PyDict_SetItemString(dict, "name", obj);
-+ Py_DECREF(obj);
-+
-+ /* get an iterator over all types this attribute has */
-+ if (qpol_type_get_isattr(q, type_datum, &isattr))
-+ goto cleanup;
-+ if (isattr) { /* sanity check */
-+ if (qpol_type_get_type_iter(q, type_datum, &iter))
-+ goto cleanup;
-+ PyObject *list = PyList_New(0);
-+ for (; !qpol_iterator_end(iter); qpol_iterator_next(iter)) {
-+ if (qpol_iterator_get_item(iter, (void **)&attr_datum))
-+ goto cleanup;
-+ if (qpol_type_get_name(q, attr_datum, &type_name))
-+ goto cleanup;
-+ PyObject *obj = PyString_FromString(type_name);
-+ PyList_Append(list, obj);
-+ Py_DECREF(obj);
-+ }
-+ qpol_iterator_destroy(&iter);
-+ PyDict_SetItemString(dict, "types", list);
-+ Py_DECREF(list);
-+ } else /* this should never happen */
-+ goto cleanup;
-+
-+ retval = 0;
-+cleanup:
-+ qpol_iterator_destroy(&iter);
-+ if (retval) {
-+ Py_DECREF(dict);
-+ return NULL; 
-+ }
-+ return dict;
-+}
-+
-+/**
-+ * Gets statistics regarding a policy's attributes.
-+ * If this function is given a name, it will attempt to
-+ * get statistics about a particular attribute; otherwise
-+ * the function gets statistics about all of the policy's
-+ * attributes.
-+ *
-+ * @param name Reference to an attribute's name; if NULL,
-+ * all object classes will be considered
-+ * @param policydb Reference to a policy
-+ *
-+ * @return 0 on success, < 0 on error.
-+ */
-+static PyObject* get_attribs(const char *name, const apol_policy_t * policydb)
-+{
-+ int retval = -1;
-+ PyObject *list = PyList_New(0);
-+ apol_attr_query_t *attr_query = NULL;
-+ apol_vector_t *v = NULL;
-+ const qpol_type_t *type_datum = NULL;
-+ size_t n_attrs, i;
-+
-+ /* we are only getting information about 1 attribute */
-+ if (name != NULL) {
-+ attr_query = apol_attr_query_create();
-+ if (!attr_query)
-+ goto cleanup;
-+ if (apol_attr_query_set_attr(policydb, attr_query, name))
-+ goto cleanup;
-+ if (apol_attr_get_by_query(policydb, attr_query, &v))
-+ goto cleanup;
-+ apol_attr_query_destroy(&attr_query);
-+ if (apol_vector_get_size(v) == 0) {
-+ apol_vector_destroy(&v);
-+ errno = EINVAL;
-+ goto cleanup;
-+ }
-+
-+ type_datum = apol_vector_get_element(v, (size_t) 0);
-+ PyObject *obj = get_attr(type_datum, policydb);
-+ PyList_Append(list, obj);
-+ Py_DECREF(obj);
-+ } else {
-+ attr_query = apol_attr_query_create();
-+ if (!attr_query)
-+ goto cleanup;
-+ if (apol_attr_get_by_query(policydb, attr_query, &v))
-+ goto cleanup;
-+ apol_attr_query_destroy(&attr_query);
-+ n_attrs = apol_vector_get_size(v);
-+
-+ for (i = 0; i < n_attrs; i++) {
-+ /* get qpol_type_t* item from vector */
-+ type_datum = (qpol_type_t *) apol_vector_get_element(v, (size_t) i);
-+ if (!type_datum)
-+ goto cleanup;
-+ PyObject *obj = get_attr(type_datum, policydb);
-+ PyList_Append(list, obj);
-+ Py_DECREF(obj);
-+ }
-+ }
-+ apol_vector_destroy(&v);
-+
-+ retval = 0;
-+ cleanup:
-+ 
apol_attr_query_destroy(&attr_query);
-+ apol_vector_destroy(&v);
-+ if (retval) {
-+ Py_DECREF(list);
-+ PyErr_SetString(PyExc_RuntimeError,strerror(errno));
-+ return NULL;
-+ }
-+ return list;
-+}
-+
-+/**
-+ * Get a textual representation of a type, and
-+ * all of that type's attributes.
-+ *
-+ * @param type_datum Reference to sepol type_datum
-+ * @param policydb Reference to a policy
-+ */
-+static PyObject* get_type_attrs(const qpol_type_t * type_datum, const apol_policy_t * policydb)
-+{
-+ qpol_iterator_t *iter = NULL;
-+ const char *attr_name = NULL;
-+ const qpol_type_t *attr_datum = NULL;
-+ qpol_policy_t *q = apol_policy_get_qpol(policydb);
-+
-+ if (qpol_type_get_attr_iter(q, type_datum, &iter))
-+ goto cleanup;
-+ PyObject *list = PyList_New(0);
-+ for (; !qpol_iterator_end(iter); qpol_iterator_next(iter)) {
-+ if (qpol_iterator_get_item(iter, (void **)&attr_datum))
-+ goto cleanup;
-+ if (qpol_type_get_name(q, attr_datum, &attr_name))
-+ goto cleanup;
-+ PyObject *obj = PyString_FromString(attr_name);
-+ PyList_Append(list, obj);
-+ Py_DECREF(obj);
-+ }
-+
-+ cleanup:
-+ qpol_iterator_destroy(&iter);
-+ return list;
-+}
-+
-+static PyObject* get_type( const qpol_type_t * type_datum, const apol_policy_t * policydb) {
-+
-+ PyObject *dict = PyDict_New();
-+ qpol_policy_t *q = apol_policy_get_qpol(policydb);
-+ const char *type_name = NULL;
-+
-+ unsigned char isalias, ispermissive, isattr;
-+
-+ if (qpol_type_get_name(q, type_datum, &type_name))
-+ goto cleanup;
-+ if (qpol_type_get_isalias(q, type_datum, &isalias))
-+ goto cleanup;
-+ if (qpol_type_get_isattr(q, type_datum, &isattr))
-+ goto cleanup;
-+ if (qpol_type_get_ispermissive(q, type_datum, &ispermissive))
-+ goto cleanup;
-+
-+ PyObject *obj = PyString_FromString(type_name);
-+ PyDict_SetItemString(dict, "name", obj);
-+ Py_DECREF(obj);
-+ obj = PyBool_FromLong(ispermissive);
-+ PyDict_SetItemString(dict, "permissive", obj);
-+ Py_DECREF(obj);
-+ if (!isattr && !isalias) {
-+ obj = 
get_type_attrs(type_datum, policydb);
-+ PyDict_SetItemString(dict, "attributes", obj);
-+ Py_DECREF(obj);
-+ }
-+ return dict;
-+cleanup:
-+ Py_DECREF(dict);
-+ return NULL;
-+}
-+
-+/**
-+ * Gets a textual representation of a user, and
-+ * all of that user's roles.
-+ *
-+ * @param type_datum Reference to sepol type_datum
-+ * @param policydb Reference to a policy
-+ * roles
-+ */
-+static PyObject* get_user(const qpol_user_t * user_datum, const apol_policy_t * policydb)
-+{
-+ PyObject *dict = NULL;
-+ const qpol_role_t *role_datum = NULL;
-+ qpol_iterator_t *iter = NULL;
-+ const qpol_mls_range_t *range = NULL;
-+ const qpol_mls_level_t *dflt_level = NULL;
-+ apol_mls_level_t *ap_lvl = NULL;
-+ apol_mls_range_t *ap_range = NULL;
-+ qpol_policy_t *q = apol_policy_get_qpol(policydb);
-+ char *tmp;
-+ const char *user_name, *role_name;
-+
-+ if (qpol_user_get_name(q, user_datum, &user_name))
-+ goto cleanup;
-+
-+ dict = PyDict_New();
-+ PyObject *obj = PyString_FromString(user_name);
-+ PyDict_SetItemString(dict, "name", obj);
-+ Py_DECREF(obj);
-+
-+ if (qpol_policy_has_capability(q, QPOL_CAP_MLS)) {
-+ if (qpol_user_get_dfltlevel(q, user_datum, &dflt_level))
-+ goto cleanup;
-+ ap_lvl = apol_mls_level_create_from_qpol_mls_level(policydb, dflt_level);
-+ tmp = apol_mls_level_render(policydb, ap_lvl);
-+ if (!tmp)
-+ goto cleanup;
-+ obj = PyString_FromString(tmp);
-+ PyDict_SetItemString(dict, "level", obj);
-+ Py_DECREF(obj);
-+ free(tmp);
-+ /* print default range */
-+ if (qpol_user_get_range(q, user_datum, &range))
-+ goto cleanup;
-+ ap_range = apol_mls_range_create_from_qpol_mls_range(policydb, range);
-+ tmp = apol_mls_range_render(policydb, ap_range);
-+ if (!tmp)
-+ goto cleanup;
-+ obj = PyString_FromString(tmp);
-+ PyDict_SetItemString(dict, "range", obj);
-+ Py_DECREF(obj);
-+ free(tmp);
-+ }
-+
-+ if (qpol_user_get_role_iter(q, user_datum, &iter))
-+ goto cleanup;
-+ PyObject *list = PyList_New(0);
-+ for (; !qpol_iterator_end(iter); 
qpol_iterator_next(iter)) {
-+ if (qpol_iterator_get_item(iter, (void **)&role_datum)) {
-+ Py_DECREF(list);
-+ goto cleanup;
-+ }
-+ if (qpol_role_get_name(q, role_datum, &role_name)) {
-+ Py_DECREF(list);
-+ goto cleanup;
-+ }
-+ PyObject *obj = PyString_FromString(role_name);
-+ PyList_Append(list, obj);
-+ Py_DECREF(obj);
-+ }
-+ PyDict_SetItemString(dict, "roles", list);
-+ Py_DECREF(list);
-+
-+cleanup:
-+ qpol_iterator_destroy(&iter);
-+ apol_mls_level_destroy(&ap_lvl);
-+ apol_mls_range_destroy(&ap_range);
-+ return dict;
-+}
-+
-+/**
-+ * Gets statistics regarding a policy's users.
-+ * If this function is given a name, it will attempt to
-+ * get statistics about a particular user; otherwise
-+ * the function gets statistics about all of the policy's
-+ * users.
-+ *
-+ * @param name Reference to a user's name; if NULL,
-+ * all users will be considered
-+ * @param policydb Reference to a policy
-+ *
-+ * @return 0 on success, < 0 on error.
-+ */
-+static PyObject* get_users(const char *name, const apol_policy_t * policydb)
-+{
-+ int retval = -1;
-+ PyObject *list = PyList_New(0);
-+ qpol_iterator_t *iter = NULL;
-+ const qpol_user_t *user_datum = NULL;
-+ qpol_policy_t *q = apol_policy_get_qpol(policydb);
-+
-+ if (name != NULL) {
-+ if (qpol_policy_get_user_by_name(q, name, &user_datum)) {
-+ errno = EINVAL;
-+ goto cleanup;
-+ }
-+ PyObject *obj = get_user(user_datum, policydb);
-+ PyList_Append(list, obj);
-+ Py_DECREF(obj);
-+ } else {
-+ if (qpol_policy_get_user_iter(q, &iter))
-+ goto cleanup;
-+
-+ for (; !qpol_iterator_end(iter); qpol_iterator_next(iter)) {
-+ if (qpol_iterator_get_item(iter, (void **)&user_datum))
-+ goto cleanup;
-+ PyObject *obj = get_user(user_datum, policydb);
-+ PyList_Append(list, obj);
-+ Py_DECREF(obj);
-+ }
-+ qpol_iterator_destroy(&iter);
-+ }
-+
-+ retval = 0;
-+ cleanup:
-+ qpol_iterator_destroy(&iter);
-+ if (retval) {
-+ Py_DECREF(list);
-+ PyErr_SetString(PyExc_RuntimeError,strerror(errno));
-+ return NULL;
-+ } 
-+
-+ return list;
-+}
-+
-+/**
-+ * get a textual representation of a role, and
-+ * all of that role's types.
-+ *
-+ * @param type_datum Reference to sepol type_datum
-+ * @param policydb Reference to a policy
-+ * types
-+ */
-+static PyObject* get_role(const qpol_role_t * role_datum, const apol_policy_t * policydb)
-+{
-+ int retval = -1;
-+ PyObject *dict = PyDict_New();
-+ const char *role_name = NULL, *type_name = NULL;
-+ const qpol_role_t *dom_datum = NULL;
-+ const qpol_type_t *type_datum = NULL;
-+ qpol_iterator_t *iter = NULL;
-+ qpol_policy_t *q = apol_policy_get_qpol(policydb);
-+ size_t n_dom = 0, n_types = 0;
-+
-+ if (qpol_role_get_name(q, role_datum, &role_name))
-+ goto cleanup;
-+
-+ PyObject *obj = PyString_FromString(role_name);
-+ PyDict_SetItemString(dict, "name", obj);
-+ Py_DECREF(obj);
-+
-+ if (qpol_role_get_dominate_iter(q, role_datum, &iter))
-+ goto cleanup;
-+ if (qpol_iterator_get_size(iter, &n_dom))
-+ goto cleanup;
-+ if ((int)n_dom > 0) {
-+ PyObject *list = PyList_New(0);
-+ for (; !qpol_iterator_end(iter); qpol_iterator_next(iter)) {
-+ if (qpol_iterator_get_item(iter, (void **)&dom_datum))
-+ goto cleanup;
-+ if (qpol_role_get_name(q, dom_datum, &role_name))
-+ goto cleanup;
-+ PyObject *obj = PyString_FromString(role_name);
-+ PyList_Append(list, obj);
-+ Py_DECREF(obj);
-+ }
-+ PyDict_SetItemString(dict, "dominate", list);
-+ Py_DECREF(list);
-+ }
-+ qpol_iterator_destroy(&iter);
-+
-+ if (qpol_role_get_type_iter(q, role_datum, &iter))
-+ goto cleanup;
-+ if (qpol_iterator_get_size(iter, &n_types))
-+ goto cleanup;
-+ if ((int)n_types > 0) {
-+ PyObject *list = PyList_New(0);
-+ /* print types */
-+ for (; !qpol_iterator_end(iter); qpol_iterator_next(iter)) {
-+ if (qpol_iterator_get_item(iter, (void **)&type_datum))
-+ goto cleanup;
-+ if (qpol_type_get_name(q, type_datum, &type_name))
-+ goto cleanup;
-+ PyObject *obj = PyString_FromString(type_name);
-+ PyList_Append(list, obj);
-+ Py_DECREF(obj);
-+ }
-+ 
PyDict_SetItemString(dict, "types", list);
-+ Py_DECREF(list);
-+ }
-+
-+ retval = 0;
-+cleanup:
-+ qpol_iterator_destroy(&iter);
-+ if (retval) {
-+ Py_DECREF(dict);
-+ PyErr_SetString(PyExc_RuntimeError,strerror(errno));
-+ return NULL;
-+ }
-+ return dict;
-+}
-+
-+/**
-+ * Get statistics regarding a policy's roles.
-+ * If this function is given a name, it will attempt to
-+ * get statistics about a particular role; otherwise
-+ * the function get statistics about all of the policy's roles.
-+ *
-+ * @param name Reference to an role's name; if NULL,
-+ * all roles will be considered
-+ * @param policydb Reference to a policy
-+ *
-+ * @return 0 on success, < 0 on error.
-+ */
-+static PyObject* get_roles(const char *name, const apol_policy_t * policydb)
-+{
-+ int retval = -1;
-+ PyObject *list = PyList_New(0);
-+ const qpol_role_t *role_datum = NULL;
-+ qpol_iterator_t *iter = NULL;
-+ qpol_policy_t *q = apol_policy_get_qpol(policydb);
-+
-+ if (name != NULL) {
-+ if (qpol_policy_get_role_by_name(q, name, &role_datum)) {
-+ errno = EINVAL;
-+ goto cleanup;
-+ }
-+ PyObject *obj = get_role(role_datum, policydb);
-+ PyList_Append(list, obj);
-+ Py_DECREF(obj);
-+ } else {
-+ if (qpol_policy_get_role_iter(q, &iter))
-+ goto cleanup;
-+
-+ for (; !qpol_iterator_end(iter); qpol_iterator_next(iter)) {
-+ if (qpol_iterator_get_item(iter, (void **)&role_datum))
-+ goto cleanup;
-+ PyObject *obj = get_role(role_datum, policydb);
-+ PyList_Append(list, obj);
-+ Py_DECREF(obj);
-+ }
-+ qpol_iterator_destroy(&iter);
-+ }
-+
-+ retval = 0;
-+ cleanup:
-+ qpol_iterator_destroy(&iter);
-+ if (retval) {
-+ Py_DECREF(list);
-+ PyErr_SetString(PyExc_RuntimeError,strerror(errno));
-+ return NULL;
-+ }
-+ return list;
-+}
-+
-+/**
-+ * Get statistics regarding a policy's types.
-+ * If this function is given a name, it will attempt to
-+ * print statistics about a particular type; otherwise
-+ * the function prints statistics about all of the policy's types. 
-+ *
-+ * @param name Reference to a type's name; if NULL,
-+ * all object classes will be considered
-+ * @param policydb Reference to a policy
-+ *
-+ * @return 0 on success, < 0 on error.
-+ */
-+static PyObject* get_types(const char *name, const apol_policy_t * policydb)
-+{
-+ int retval = -1;
-+ PyObject *list = PyList_New(0);
-+ const qpol_type_t *type_datum = NULL;
-+ qpol_iterator_t *iter = NULL;
-+ qpol_policy_t *q = apol_policy_get_qpol(policydb);
-+
-+ /* if name was provided, only print that name */
-+ if (name != NULL) {
-+ if (qpol_policy_get_type_by_name(q, name, &type_datum)) {
-+ errno = EINVAL;
-+ goto cleanup;
-+ }
-+ PyObject *obj = get_type(type_datum, policydb);
-+ PyList_Append(list, obj);
-+ Py_DECREF(obj);
-+ } else {
-+ if (qpol_policy_get_type_iter(q, &iter))
-+ goto cleanup;
-+ /* Print all type names */
-+ for (; !qpol_iterator_end(iter); qpol_iterator_next(iter)) {
-+ if (qpol_iterator_get_item(iter, (void **)&type_datum))
-+ goto cleanup;
-+ PyObject *obj = get_type(type_datum, policydb);
-+ PyList_Append(list, obj);
-+ Py_DECREF(obj);
-+ }
-+ }
-+ retval = 0;
-+cleanup:
-+ qpol_iterator_destroy(&iter);
-+ if (retval) {
-+ Py_DECREF(list);
-+ PyErr_SetString(PyExc_RuntimeError,strerror(errno));
-+ return NULL;
-+ }
-+ return list;
-+}
-+
-+PyObject* seinfo(int type, const char *name)
-+{
-+ int rt = -1;
-+
-+ apol_policy_t *policydb = NULL;
-+ apol_policy_path_t *pol_path = NULL;
-+ apol_vector_t *mod_paths = NULL;
-+ apol_policy_path_type_e path_type = APOL_POLICY_PATH_TYPE_MONOLITHIC;
-+ PyObject* output = NULL;
-+
-+ rt = qpol_default_policy_find(&policy_file);
-+ if (rt != 0) {
-+ PyErr_SetString(PyExc_RuntimeError,"No default policy found.");
-+ return NULL;
-+ }
-+
-+ pol_path = apol_policy_path_create(path_type, policy_file, mod_paths);
-+ if (!pol_path) {
-+ free(policy_file);
-+ apol_vector_destroy(&mod_paths);
-+ PyErr_SetString(PyExc_RuntimeError,strerror(ENOMEM));
-+ return NULL;
-+ }
-+ apol_vector_destroy(&mod_paths); 
-+
-+ int policy_load_options = 0;
-+ policy_load_options |= QPOL_POLICY_OPTION_MATCH_SYSTEM;
-+ policydb = apol_policy_create_from_policy_path(pol_path, policy_load_options, NULL, NULL);
-+ if (!policydb) {
-+ free(policy_file);
-+ apol_policy_path_destroy(&pol_path);
-+ PyErr_SetString(PyExc_RuntimeError,strerror(errno));
-+ return NULL;
-+ }
-+ free(policy_file);
-+
-+ /* display requested info */
-+ if (type == TYPE)
-+ output = get_types(name, policydb);
-+
-+ if (type == ATTRIBUTE)
-+ output = get_attribs(name, policydb);
-+
-+ if (type == ROLE)
-+ output = get_roles(name, policydb);
-+
-+ if (type == USER)
-+ output = get_users(name, policydb);
-+
-+ apol_policy_destroy(&policydb);
-+ apol_policy_path_destroy(&pol_path);
-+ return output;
-+}
-+
-+PyObject *wrap_seinfo(PyObject *self, PyObject *args){
-+ unsigned int type;
-+ char *name;
-+
-+ if (!PyArg_ParseTuple(args, "iz", &type, &name))
-+ return NULL;
-+
-+ return Py_BuildValue("O",seinfo(type, name));
-+
-+}
-+
-+static PyMethodDef methods[] = {
-+ {"seinfo", (PyCFunction) wrap_seinfo, METH_VARARGS},
-+ {NULL, NULL, 0, NULL}
-+};
-+
-+void init_seinfo(){
-+ PyObject *m;
-+ m = Py_InitModule("_seinfo", methods);
-+ PyModule_AddIntConstant(m, "ATTRIBUTE", ATTRIBUTE);
-+ PyModule_AddIntConstant(m, "ROLE", ROLE);
-+ PyModule_AddIntConstant(m, "TYPE", TYPE);
-+ PyModule_AddIntConstant(m, "USER", USER);
-+}
-Index: setools-3.3.6/python/setools/sesearch.c
-===================================================================
---- /dev/null
-+++ setools-3.3.6/python/setools/sesearch.c
-@@ -0,0 +1,477 @@
-+// Author: Thomas Liu
-+
-+/**
-+ * @file
-+ * Command line tool to search TE rules.
-+ *
-+ * @author Frank Mayer mayerf@tresys.com
-+ * @author Jeremy A. 
Mowery jmowery@tresys.com
-+ * @author Paul Rosenfeld prosenfeld@tresys.com
-+ * @author Thomas Liu
-+ *
-+ * Copyright (C) 2003-2008 Tresys Technology, LLC
-+ *
-+ * This program is free software; you can redistribute it and/or modify
-+ * it under the terms of the GNU General Public License as published by
-+ * the Free Software Foundation; either version 2 of the License, or
-+ * (at your option) any later version.
-+ *
-+ * This program is distributed in the hope that it will be useful,
-+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
-+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-+ * GNU General Public License for more details.
-+ *
-+ * You should have received a copy of the GNU General Public License
-+ * along with this program; if not, write to the Free Software
-+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
-+ */
-+
-+/**
-+ * This is a modified version of sesearch to be used as part of a library for
-+ * Python bindings. 
-+ */
-+
-+#include "Python.h"
-+
-+/* libapol */
-+#include
-+#include
-+#include
-+#include
-+#include
-+
-+/* libqpol*/
-+#include
-+#include
-+#include
-+#include
-+
-+/* other */
-+#include
-+#include
-+#include
-+#include
-+#include
-+#include
-+#include
-+
-+#define COPYRIGHT_INFO "Copyright (C) 2003-2007 Tresys Technology, LLC"
-+static char *policy_file = NULL;
-+
-+enum opt_values
-+{
-+ RULE_NEVERALLOW = 256, RULE_AUDIT, RULE_AUDITALLOW, RULE_DONTAUDIT,
-+ RULE_ROLE_ALLOW, RULE_ROLE_TRANS, RULE_RANGE_TRANS, RULE_ALL,
-+ EXPR_ROLE_SOURCE, EXPR_ROLE_TARGET
-+};
-+
-+;
-+
-+typedef struct options
-+{
-+ char *src_name;
-+ char *tgt_name;
-+ char *src_role_name;
-+ char *tgt_role_name;
-+ char *class_name;
-+ char *permlist;
-+ char *bool_name;
-+ apol_vector_t *class_vector;
-+ bool all;
-+ bool lineno;
-+ bool semantic;
-+ bool indirect;
-+ bool allow;
-+ bool nallow;
-+ bool auditallow;
-+ bool dontaudit;
-+ bool type;
-+ bool rtrans;
-+ bool role_allow;
-+ bool role_trans;
-+ bool useregex;
-+ bool show_cond;
-+ apol_vector_t *perm_vector;
-+} options_t;
-+
-+static int perform_av_query(const apol_policy_t * policy, const options_t * opt, apol_vector_t ** v)
-+{
-+ apol_avrule_query_t *avq = NULL;
-+ unsigned int rules = 0;
-+ int error = 0;
-+ char *tmp = NULL, *tok = NULL, *s = NULL;
-+
-+ if (!policy || !opt || !v) {
-+ PyErr_SetString(PyExc_RuntimeError,strerror(EINVAL));
-+ errno = EINVAL;
-+ return -1;
-+ }
-+
-+ if (!opt->all && !opt->allow && !opt->nallow && !opt->auditallow && !opt->dontaudit) {
-+ *v = NULL;
-+ return 0; /* no search to do */
-+ }
-+
-+ avq = apol_avrule_query_create();
-+ if (!avq) {
-+ PyErr_SetString(PyExc_RuntimeError,strerror(ENOMEM));
-+ errno = ENOMEM;
-+ return -1;
-+ }
-+
-+ if (opt->allow || opt->all)
-+ rules |= QPOL_RULE_ALLOW;
-+ if ((opt->nallow || opt->all) && qpol_policy_has_capability(apol_policy_get_qpol(policy), QPOL_CAP_NEVERALLOW))
-+ rules |= QPOL_RULE_NEVERALLOW;
-+ if (opt->auditallow || opt->all)
-+ 
rules |= QPOL_RULE_AUDITALLOW;
-+ if (opt->dontaudit || opt->all)
-+ rules |= QPOL_RULE_DONTAUDIT;
-+ apol_avrule_query_set_rules(policy, avq, rules);
-+ apol_avrule_query_set_regex(policy, avq, opt->useregex);
-+ if (opt->src_name)
-+ apol_avrule_query_set_source(policy, avq, opt->src_name, opt->indirect);
-+ if (opt->tgt_name)
-+ apol_avrule_query_set_target(policy, avq, opt->tgt_name, opt->indirect);
-+ if (opt->bool_name)
-+ apol_avrule_query_set_bool(policy, avq, opt->bool_name);
-+ if (opt->class_name) {
-+ if (opt->class_vector == NULL) {
-+ if (apol_avrule_query_append_class(policy, avq, opt->class_name)) {
-+ error = errno;
-+ goto err;
-+ }
-+ } else {
-+ size_t i;
-+ for (i = 0; i < apol_vector_get_size(opt->class_vector); ++i) {
-+ char *class_name;
-+ class_name = apol_vector_get_element(opt->class_vector, i);
-+ if (!class_name)
-+ continue;
-+ if (apol_avrule_query_append_class(policy, avq, class_name)) {
-+ error = errno;
-+ goto err;
-+ }
-+ }
-+ }
-+ }
-+
-+ if (opt->permlist) {
-+ tmp = strdup(opt->permlist);
-+ for (tok = strtok(tmp, ","); tok; tok = strtok(NULL, ",")) {
-+ if (apol_avrule_query_append_perm(policy, avq, tok)) {
-+ error = errno;
-+ goto err;
-+ }
-+ if ((s = strdup(tok)) == NULL || apol_vector_append(opt->perm_vector, s) < 0) {
-+ error = errno;
-+ goto err;
-+ }
-+ s = NULL;
-+ }
-+ free(tmp);
-+ }
-+
-+ if (!(opt->semantic) && qpol_policy_has_capability(apol_policy_get_qpol(policy), QPOL_CAP_SYN_RULES)) {
-+ if (apol_syn_avrule_get_by_query(policy, avq, v)) {
-+ error = errno;
-+ goto err;
-+ }
-+ } else {
-+ if (apol_avrule_get_by_query(policy, avq, v)) {
-+ error = errno;
-+ goto err;
-+ }
-+ }
-+
-+ apol_avrule_query_destroy(&avq);
-+ return 0;
-+
-+ err:
-+ apol_vector_destroy(v);
-+ apol_avrule_query_destroy(&avq);
-+ free(tmp);
-+ free(s);
-+ PyErr_SetString(PyExc_RuntimeError,strerror(error));
-+ errno = error;
-+ return -1;
-+}
-+
-+
-+
-+static PyObject* get_av_results(const apol_policy_t * policy, const options_t * 
opt, const apol_vector_t * v)
-+{
-+ int retval = -1;
-+ PyObject *list = PyList_New(0);
-+ qpol_policy_t *q = apol_policy_get_qpol(policy);
-+ size_t i, num_rules = 0;
-+ const qpol_avrule_t *rule = NULL;
-+ char *tmp = NULL, *rule_str = NULL, *expr = NULL;
-+ char enable_char = ' ', branch_char = ' ';
-+ qpol_iterator_t *iter = NULL;
-+ uint32_t enabled = 0;
-+
-+ if (!policy || !v)
-+ return NULL;
-+
-+ if (!(num_rules = apol_vector_get_size(v)))
-+ return NULL;
-+
-+ for (i = 0; i < num_rules; i++) {
-+ enable_char = branch_char = ' ';
-+ if (!(rule = apol_vector_get_element(v, i)))
-+ goto cleanup;
-+
-+ if (qpol_avrule_get_is_enabled(q, rule, &enabled))
-+ goto cleanup;
-+ if (!enabled)
-+ continue;
-+
-+ const qpol_type_t *type;
-+ const char *tmp_name;
-+ uint32_t rule_type = 0;
-+
-+ const qpol_class_t *obj_class = NULL;
-+
-+ PyObject *dict = PyDict_New();
-+
-+ qpol_avrule_get_rule_type(q, rule, &rule_type);
-+ tmp_name = apol_rule_type_to_str(rule_type);
-+ PyObject *obj = PyString_FromString(tmp_name);
-+ PyDict_SetItemString(dict, "type", obj);
-+ Py_DECREF(obj);
-+ // source
-+ qpol_avrule_get_source_type(q, rule, &type);
-+ qpol_type_get_name(q, type, &tmp_name);
-+ obj = PyString_FromString(tmp_name);
-+ PyDict_SetItemString(dict, "scontext", obj);
-+ Py_DECREF(obj);
-+
-+ qpol_avrule_get_target_type(q, rule, &type);
-+ qpol_type_get_name(q, type, &tmp_name);
-+ obj = PyString_FromString(tmp_name);
-+ PyDict_SetItemString(dict, "tcontext", obj);
-+ Py_DECREF(obj);
-+
-+ qpol_avrule_get_object_class(q, rule, &obj_class);
-+ qpol_type_get_name(q, type, &tmp_name);
-+ obj = PyString_FromString(tmp_name);
-+ PyDict_SetItemString(dict, "class", obj);
-+ Py_DECREF(obj);
-+ qpol_avrule_get_perm_iter(q, rule, &iter);
-+ PyObject *permlist = PyList_New(0);
-+ for (; !qpol_iterator_end(iter); qpol_iterator_next(iter)) {
-+ const char *perm_name = NULL;
-+ qpol_iterator_get_item(iter, (void **)&perm_name);
-+ obj = PyString_FromString(perm_name);
-+ 
PyList_Append(permlist, obj);
-+ Py_DECREF(obj);
-+ }
-+ PyDict_SetItemString(dict, "permlist", permlist);
-+ Py_DECREF(permlist);
-+ PyList_Append(list, dict);
-+ Py_DECREF(dict);
-+
-+ free(rule_str);
-+ rule_str = NULL;
-+ free(expr);
-+ expr = NULL;
-+ }
-+ retval = 0;
-+ cleanup:
-+ free(tmp);
-+ free(rule_str);
-+ free(expr);
-+ if (retval) {
-+ Py_DECREF(list);
-+ return NULL;
-+ }
-+ return list;
-+}
-+
-+
-+PyObject* sesearch(bool allow,
-+ bool neverallow,
-+ bool auditallow,
-+ bool dontaudit,
-+ const char *src_name,
-+ const char *tgt_name,
-+ const char *class_name,
-+ const char *permlist
-+ )
-+{
-+ options_t cmd_opts;
-+ int rt = -1;
-+ PyObject *output = NULL;
-+
-+ apol_policy_t *policy = NULL;
-+ apol_vector_t *v = NULL;
-+ apol_policy_path_t *pol_path = NULL;
-+ apol_vector_t *mod_paths = NULL;
-+ apol_policy_path_type_e path_type = APOL_POLICY_PATH_TYPE_MONOLITHIC;
-+
-+ memset(&cmd_opts, 0, sizeof(cmd_opts));
-+ cmd_opts.indirect = true;
-+ cmd_opts.allow = allow;
-+ cmd_opts.nallow = neverallow;
-+ cmd_opts.auditallow = auditallow;
-+ cmd_opts.dontaudit = dontaudit;
-+ if (src_name)
-+ cmd_opts.src_name = strdup(src_name);
-+ if (tgt_name)
-+ cmd_opts.tgt_name = strdup(tgt_name);
-+ if (class_name)
-+ cmd_opts.class_name = strdup(class_name);
-+ if (permlist){
-+ cmd_opts.perm_vector = apol_vector_create(free);
-+ cmd_opts.permlist = strdup(permlist);
-+ }
-+ int pol_opt = 0;
-+ if (!(cmd_opts.nallow || cmd_opts.all))
-+ pol_opt |= QPOL_POLICY_OPTION_NO_NEVERALLOWS;
-+
-+
-+ rt = qpol_default_policy_find(&policy_file);
-+ if (rt) {
-+ PyErr_SetString(PyExc_RuntimeError,"No default policy found.");
-+ return NULL;
-+ }
-+ pol_opt |= QPOL_POLICY_OPTION_MATCH_SYSTEM;
-+
-+ if (apol_file_is_policy_path_list(policy_file) > 0) {
-+ pol_path = apol_policy_path_create_from_file(policy_file);
-+ if (!pol_path) {
-+ free(policy_file);
-+ PyErr_SetString(PyExc_RuntimeError,"invalid policy list");
-+ return NULL;
-+ }
-+ }
-+
-+ if (!pol_path)
-+ 
pol_path = apol_policy_path_create(path_type, policy_file, mod_paths); -+ if (!pol_path) { -+ free(policy_file); -+ PyErr_SetString(PyExc_RuntimeError,strerror(ENOMEM)); -+ return NULL; -+ } -+ free(policy_file); -+ apol_vector_destroy(&mod_paths); -+ -+ policy = apol_policy_create_from_policy_path(pol_path, pol_opt, NULL, NULL); -+ if (!policy) { -+ apol_policy_path_destroy(&pol_path); -+ PyErr_SetString(PyExc_RuntimeError,strerror(errno)); -+ return NULL; -+ } -+ /* handle regex for class name */ -+ if (cmd_opts.useregex && cmd_opts.class_name != NULL) { -+ cmd_opts.class_vector = apol_vector_create(NULL); -+ apol_vector_t *qpol_matching_classes = NULL; -+ apol_class_query_t *regex_match_query = apol_class_query_create(); -+ apol_class_query_set_regex(policy, regex_match_query, 1); -+ apol_class_query_set_class(policy, regex_match_query, cmd_opts.class_name); -+ if (apol_class_get_by_query(policy, regex_match_query, &qpol_matching_classes)) { -+ apol_class_query_destroy(®ex_match_query); -+ PyErr_SetString(PyExc_RuntimeError,"Query failed"); -+ goto cleanup; -+ } -+ const qpol_class_t *class = NULL; -+ size_t i; -+ for (i = 0; i < apol_vector_get_size(qpol_matching_classes); ++i) { -+ const char *class_name; -+ class = apol_vector_get_element(qpol_matching_classes, i); -+ if (!class) -+ break; -+ qpol_class_get_name(apol_policy_get_qpol(policy), class, &class_name); -+ apol_vector_append(cmd_opts.class_vector, (void *)class_name); -+ } -+ if (!apol_vector_get_size(qpol_matching_classes)) { -+ apol_vector_destroy(&qpol_matching_classes); -+ apol_class_query_destroy(®ex_match_query); -+ PyErr_SetString(PyExc_RuntimeError,"No classes match expression"); -+ goto cleanup; -+ } -+ apol_vector_destroy(&qpol_matching_classes); -+ apol_class_query_destroy(®ex_match_query); -+ } -+ -+ if (!cmd_opts.semantic && qpol_policy_has_capability(apol_policy_get_qpol(policy), QPOL_CAP_SYN_RULES)) { -+ if (qpol_policy_build_syn_rule_table(apol_policy_get_qpol(policy))) { -+ 
apol_policy_destroy(&policy); -+ PyErr_SetString(PyExc_RuntimeError,"Query failed"); -+ goto cleanup; -+ } -+ } -+ -+ /* if syntactic rules are not available always do semantic search */ -+ if (!qpol_policy_has_capability(apol_policy_get_qpol(policy), QPOL_CAP_SYN_RULES)) { -+ cmd_opts.semantic = 1; -+ } -+ -+ /* supress line numbers if doing semantic search or not available */ -+ if (cmd_opts.semantic || !qpol_policy_has_capability(apol_policy_get_qpol(policy), QPOL_CAP_LINE_NUMBERS)) { -+ cmd_opts.lineno = 0; -+ } -+ if (perform_av_query(policy, &cmd_opts, &v)) { -+ goto cleanup; -+ } -+ if (v) { -+ output = get_av_results(policy, &cmd_opts, v); -+ } -+ apol_vector_destroy(&v); -+ cleanup: -+ apol_policy_destroy(&policy); -+ apol_policy_path_destroy(&pol_path); -+ free(cmd_opts.src_name); -+ free(cmd_opts.tgt_name); -+ free(cmd_opts.class_name); -+ free(cmd_opts.permlist); -+ free(cmd_opts.bool_name); -+ free(cmd_opts.src_role_name); -+ free(cmd_opts.tgt_role_name); -+ apol_vector_destroy(&cmd_opts.perm_vector); -+ apol_vector_destroy(&cmd_opts.class_vector); -+ -+ return output; -+} -+static int Dict_ContainsInt(PyObject *dict, const char *key){ -+ PyObject *item = PyDict_GetItemString(dict, key); -+ if (item) -+ return PyInt_AsLong(item); -+ return false; -+} -+ -+static const char *Dict_ContainsString(PyObject *dict, const char *key){ -+ PyObject *item = PyDict_GetItemString(dict, key); -+ if (item) -+ return PyString_AsString(item); -+ return NULL; -+} -+ -+PyObject *wrap_sesearch(PyObject *self, PyObject *args){ -+ PyObject *dict; -+ if (!PyArg_ParseTuple(args, "O", &dict)) -+ return NULL; -+ int allow = Dict_ContainsInt(dict, "allow"); -+ int neverallow = Dict_ContainsInt(dict, "neverallow"); -+ int auditallow = Dict_ContainsInt(dict, "auditallow"); -+ int dontaudit = Dict_ContainsInt(dict, "dontaudit"); -+ -+ const char *src_name = Dict_ContainsString(dict, "scontext"); -+ const char *tgt_name = Dict_ContainsString(dict, "tcontext"); -+ const char 
*class_name = Dict_ContainsString(dict, "class"); -+ const char *permlist = Dict_ContainsString(dict, "permlist"); -+ -+ return Py_BuildValue("O",sesearch(allow, neverallow, auditallow, dontaudit, src_name, tgt_name, class_name, permlist)); -+ -+} -+ -+static PyMethodDef methods[] = { -+ {"sesearch", (PyCFunction) wrap_sesearch, METH_VARARGS}, -+ {NULL, NULL, 0, NULL} -+}; -+ -+void init_sesearch(){ -+ PyObject *m; -+ m = Py_InitModule("_sesearch", methods); -+} -Index: setools-3.3.6/python/setools/setup.py -=================================================================== ---- /dev/null -+++ setools-3.3.6/python/setools/setup.py -@@ -0,0 +1,25 @@ -+#!/usr/bin/env python -+ -+# Author: Thomas Liu -+import os -+from distutils.core import setup, Extension -+LIBS=["apol", "qpol"] -+ -+try: -+ inc=os.getenv("INCLUDES").split(" ") -+ INCLUDES=map(lambda x: x[2:], inc) -+ LIBDIRS=map(lambda x: "/".join(x.split("/")[:-1]), os.getenv("LIBS").split()) -+except: -+ INCLUDES="" -+ LIBDIRS="" -+ -+extension_sesearch = Extension("setools._sesearch", [ "sesearch.c"]) -+extension_sesearch.include_dirs=INCLUDES -+extension_sesearch.libraries=LIBS -+extension_sesearch.library_dirs=LIBDIRS -+extension_seinfo = Extension("setools._seinfo", [ "seinfo.c"]) -+extension_seinfo.include_dirs=INCLUDES -+extension_seinfo.libraries=LIBS -+extension_seinfo.library_dirs=LIBDIRS -+ -+setup(name = "setools", version="1.0", description="Python setools bindings", author="Thomas Liu", author_email="tliu@redhat.com", ext_modules=[extension_sesearch, extension_seinfo], packages=["setools"]) diff --git a/setools.changes b/setools.changes index f7a2ed3..0e70e12 100644 --- a/setools.changes +++ b/setools.changes 
@@ -1,3 +1,24 @@
+-------------------------------------------------------------------
+Mon Mar 23 02:32:05 UTC 2015 - p.drouand@gmail.com
+
+- Update to version 3.3.8
+ * Fix bug preventing seaudit from starting
+ * Add python bindings for seinfo and sesearch
+ * seinfo exits with an error status
+ * Support for named file transition rules
+ * Add support for default types in sesearch
+ * Man page updates for seinfo, seaudit, and sediff
+ * Fix file type drop down list for open/close Apol query
+ * Fix compile errors on new parameter in libsepol role_set_expand().
+- Update home project and download Urls
+- Remove merged patches
+ * setools-python.patch
+ * 0003-Since-we-do-not-ship-neverallow-rules-all-always-fai.patch
+ * 0006-Changes-to-support-named-file_trans-rules.patch
+ * 0007-Remove-unused-variables.patch
+- Update setools-3.3.6-libsepol.patch > setools-libsepol.patch
+- Remove redundant %clean section
+
 -------------------------------------------------------------------
 Mon May 26 20:47:23 CEST 2014 - ro@suse.de
 
diff --git a/setools.spec b/setools.spec
index ddc0cdf..90f6249 100644
--- a/setools.spec
+++ b/setools.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package setools
 #
-# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2015 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -19,13 +19,13 @@
 %define dataversion 3.3
 
 Name: setools
-Version: 3.3.7
+Version: 3.3.8
 Release: 0
-Url: http://oss.tresys.com/projects/setools/
+Url: https://github.com/TresysTechnology/setools3/wiki
 Summary: Policy analysis tools for SELinux
 License: GPL-2.0
 Group: System/Base
-Source: http://oss.tresys.com/projects/setools/chrome/site/dists/%{name}-%{version}/%{name}-%{version}.tar.bz2
+Source: https://github.com/TresysTechnology/setools3/archive/%{name}-%{version}.tar.gz
 Source1: setools.pam
 Source2: apol.desktop
 Source3: seaudit.desktop
@@ -33,15 +33,11 @@ Source4: sediffx.desktop
 Patch0: %{name}-3.3.5-javacflags.patch
 Patch1: %{name}-3.3.5-nonvoid.patch
 Patch2: %{name}-3.3.5-strcmp.patch
-Patch4: %{name}-python.patch
 Patch6: %{name}-setup_py-prefix.patch
 Patch7: %{name}-swig-2x.patch
 Patch8: %{name}-swig-2.0.7.patch
 Patch9: %{name}-am121.patch
-Patch10: %{name}-3.3.6-libsepol.patch
-Patch11: 0003-Since-we-do-not-ship-neverallow-rules-all-always-fai.patch
-Patch15: 0006-Changes-to-support-named-file_trans-rules.patch
-Patch16: 0007-Remove-unused-variables.patch
+Patch10: %{name}-libsepol.patch
 Patch23: add-to-header-define_cond_filename_trans.patch
 Patch24: setools-3.3.7-libselinux-2.3.patch
 
@@ -224,19 +220,15 @@ This package includes the following graphical tools:
 %define tcllibdir %{_libdir}/setools
 
 %prep
-%setup -q
+%setup -q -n %{name}3-%{name}-%{version}
 %patch0
 %patch1
 %patch2
-%patch4 -p1
 %patch6 -p1
 %patch7
 %patch8
 %patch9 -p1
 %patch10 -p1
-%patch11 -p1
-%patch15 -p1
-%patch16 -p1
 %patch23 -p1
 %patch24 -p1
 
@@ -288,9 +280,6 @@ if [ "%{python_sitelib}" != "%{python_sitearch}" ]; then
 mv $RPM_BUILD_ROOT%{python_sitelib}/setools/* $RPM_BUILD_ROOT%{python_sitearch}/setools/
 fi
 
-%clean
-rm -rf $RPM_BUILD_ROOT
-
 %files libs
 %defattr(-,root,root,-)
 %doc AUTHORS ChangeLog COPYING COPYING.GPL COPYING.LGPL KNOWN-BUGS NEWS README
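Review bot: The new `Source:` line fetches a forge-generated archive (`https://github.com/TresysTechnology/setools3/archive/%{name}-%{version}.tar.gz`) instead of an upstream release artifact, and nothing in the spec verifies what is fetched: such on-the-fly archives are not guaranteed to stay byte-identical across regenerations and carry no upstream signature, so the packager cannot tie the tarball that `%setup` unpacks back to the upstream maintainers. Prefer a release asset published by upstream and, if one is signed, add the detached signature and the signing key as extra sources (for example `Source5: %{name}-%{version}.tar.gz.sig` and `Source6: %{name}.keyring`, since `Source1`..`Source4` are already taken) so the build checks provenance before patching. If upstream offers no signed release, at least record the checksum of the archive that was committed alongside the spec so a later re-fetch that differs is caught rather than silently built; the new `Url:` pointing at a wiki page gives no indication either way, so this needs confirming with upstream.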