      From: <ssm...@us...> - 2007-09-19 21:17:37
      
| Revision: 2575
          http://selinux.svn.sourceforge.net/selinux/?rev=2575&view=rev
Author:   ssmalley
Date:     2007-09-19 14:17:29 -0700 (Wed, 19 Sep 2007)
Log Message:
-----------
Regenerate swig python bindings.
Modified Paths:
--------------
    trunk/libsemanage/src/semanage.py
    trunk/libsemanage/src/semanageswig_wrap.c
Modified: trunk/libsemanage/src/semanage.py
===================================================================
--- trunk/libsemanage/src/semanage.py	2007-09-19 21:14:39 UTC (rev 2574)
+++ trunk/libsemanage/src/semanage.py	2007-09-19 21:17:29 UTC (rev 2575)
@@ -1,10 +1,16 @@
-# This file was created automatically by SWIG 1.3.29.
+# This file was automatically generated by SWIG (http://www.swig.org).
+# Version 1.3.31
+#
 # Don't modify this file, modify the SWIG interface instead.
 # This file is compatible with both classic and new-style classes.
 
 import _semanage
 import new
 new_instancemethod = new.instancemethod
+try:
+    _swig_property = property
+except NameError:
+    pass # Python < 2.2 doesn't have 'property'.
 def _swig_setattr_nondynamic(self,class_type,name,value,static=1):
     if (name == "thisown"): return self.this.own(value)
     if (name == "this"):
@@ -60,6 +66,7 @@
 semanage_set_reload = _semanage.semanage_set_reload
 semanage_set_rebuild = _semanage.semanage_set_rebuild
 semanage_set_create_store = _semanage.semanage_set_create_store
+semanage_set_disable_dontaudit = _semanage.semanage_set_disable_dontaudit
 semanage_is_managed = _semanage.semanage_is_managed
 semanage_connect = _semanage.semanage_connect
 semanage_disconnect = _semanage.semanage_disconnect
Modified: trunk/libsemanage/src/semanageswig_wrap.c
===================================================================
--- trunk/libsemanage/src/semanageswig_wrap.c	2007-09-19 21:14:39 UTC (rev 2574)
+++ trunk/libsemanage/src/semanageswig_wrap.c	2007-09-19 21:17:29 UTC (rev 2575)
@@ -1,6 +1,6 @@
 /* ----------------------------------------------------------------------------
  * This file was automatically generated by SWIG (http://www.swig.org).
- * Version 1.3.29
+ * Version 1.3.31
  * 
  * This file is not intended to be easily readable and contains a number of 
  * coding conventions designed to improve portability and efficiency. Do not make
@@ -103,7 +103,7 @@
 #endif
 
 /* Deal with Microsoft's attempt at deprecating C standard runtime functions */
-#if !defined(SWIG_NO_CRT_SECURE_NO_DEPRECATE) && defined(_MSC_VER)
+#if !defined(SWIG_NO_CRT_SECURE_NO_DEPRECATE) && defined(_MSC_VER) && !defined(_CRT_SECURE_NO_DEPRECATE)
 # define _CRT_SECURE_NO_DEPRECATE
 #endif
 
@@ -120,7 +120,7 @@
 
 /* This should only be incremented when either the layout of swig_type_info changes,
    or for whatever reason, the runtime changes incompatibly */
-#define SWIG_RUNTIME_VERSION "2"
+#define SWIG_RUNTIME_VERSION "3"
 
 /* define SWIG_TYPE_TABLE_NAME as "SWIG_TYPE_TABLE" */
 #ifdef SWIG_TYPE_TABLE
@@ -697,8 +697,6 @@
 
 
 
-/* Python.h has to appear first */
-#include <Python.h>
 
 /* Add PyOS_snprintf for old Pythons */
 #if PY_VERSION_HEX < 0x02020000
@@ -779,6 +777,14 @@
 }
 #endif
 
+/* Py_ssize_t for old Pythons */
+/* This code is as recommended by: */
+/* http://www.python.org/dev/peps/pep-0353/#conversion-guidelines */
+#if PY_VERSION_HEX < 0x02050000 && !defined(PY_SSIZE_T_MIN)
+typedef int Py_ssize_t;
+# define PY_SSIZE_T_MAX INT_MAX
+# define PY_SSIZE_T_MIN INT_MIN
+#endif
 
 /* -----------------------------------------------------------------------------
  * error manipulation
@@ -1172,7 +1178,7 @@
 SWIGRUNTIMEINLINE PyObject * 
 _SWIG_Py_None(void)
 {
-  PyObject *none = Py_BuildValue("");
+  PyObject *none = Py_BuildValue((char*)"");
   Py_DECREF(none);
   return none;
 }
@@ -2031,7 +2037,7 @@
     void *vptr = 0;
     
     /* here we get the method pointer for callbacks */
-    char *doc = (((PyCFunctionObject *)obj) -> m_ml -> ml_doc);
+    const char *doc = (((PyCFunctionObject *)obj) -> m_ml -> ml_doc);
     const char *desc = doc ? strstr(doc, "swig_ptr: ") : 0;
     if (desc) {
       desc = ty ? SWIG_UnpackVoidPtr(desc + 10, &vptr, ty->name) : 0;
@@ -2152,7 +2158,7 @@
    return;
  }
 #endif
- dict = PyObject_GetAttrString(inst, "__dict__");
+ dict = PyObject_GetAttrString(inst, (char*)"__dict__");
  PyDict_SetItem(dict, SWIG_This(), swig_this);
  Py_DECREF(dict);
 } 
@@ -2293,7 +2299,7 @@
 
 /* The python cached type query */
 SWIGRUNTIME PyObject *
-SWIG_Python_TypeCache() {
+SWIG_Python_TypeCache(void) {
   static PyObject *SWIG_STATIC_POINTER(cache) = PyDict_New();
   return cache;
 }
@@ -2505,7 +2511,7 @@
 
 #if (PY_VERSION_HEX <= 0x02000000)
 # if !defined(SWIG_PYTHON_CLASSIC)
-#  error "This python version requires to use swig with the '-classic' option"
+#  error "This python version requires swig to be run with the '-classic' option"
 # endif
 #endif
 
@@ -2516,7 +2522,8 @@
 
 #define SWIG_name    "_semanage"
 
-#define SWIGVERSION 0x010329 
+#define SWIGVERSION 0x010331 
+#define SWIG_VERSION SWIGVERSION
 
 
 #define SWIG_as_voidptr(a) (void *)((const void *)(a)) 
@@ -2541,7 +2548,7 @@
 
 
 SWIGINTERN swig_type_info*
-SWIG_pchar_descriptor()
+SWIG_pchar_descriptor(void)
 {
   static int init = 0;
   static swig_type_info* info = 0;
@@ -2581,7 +2588,7 @@
 SWIG_AsCharPtrAndSize(PyObject *obj, char** cptr, size_t* psize, int *alloc)
 {
   if (PyString_Check(obj)) {
-    char *cstr; int len;
+    char *cstr; Py_ssize_t len;
     PyString_AsStringAndSize(obj, &cstr, &len);
     if (cptr)  {
       if (alloc) {
@@ -2950,7 +2957,7 @@
   }
   arg1 = (semanage_handle_t *)(argp1);
   result = (char *)semanage_msg_get_channel(arg1);
-  resultobj = SWIG_FromCharPtr(result);
+  resultobj = SWIG_FromCharPtr((const char *)result);
   return resultobj;
 fail:
   return NULL;
@@ -2972,7 +2979,7 @@
   }
   arg1 = (semanage_handle_t *)(argp1);
   result = (char *)semanage_msg_get_fname(arg1);
-  resultobj = SWIG_FromCharPtr(result);
+  resultobj = SWIG_FromCharPtr((const char *)result);
   return resultobj;
 fail:
   return NULL;
@@ -3075,7 +3082,7 @@
   if (!SWIG_IsOK(res2)) {
     SWIG_exception_fail(SWIG_ArgError(res2), "in method '" "semanage_select_store" "', argument " "2"" of type '" "char *""'");
   }
-  arg2 = buf2;
+  arg2 = (char *)(buf2);
   ecode3 = SWIG_AsVal_int(obj2, &val3);
   if (!SWIG_IsOK(ecode3)) {
     SWIG_exception_fail(SWIG_ArgError(ecode3), "in method '" "semanage_select_store" "', argument " "3"" of type '" "enum semanage_connect_type""'");
@@ -3203,6 +3210,36 @@
 }
 
 
+SWIGINTERN PyObject *_wrap_semanage_set_disable_dontaudit(PyObject *SWIGUNUSEDPARM(self), PyObject *args) {
+  PyObject *resultobj = 0;
+  semanage_handle_t *arg1 = (semanage_handle_t *) 0 ;
+  int arg2 ;
+  void *argp1 = 0 ;
+  int res1 = 0 ;
+  int val2 ;
+  int ecode2 = 0 ;
+  PyObject * obj0 = 0 ;
+  PyObject * obj1 = 0 ;
+  
+  if (!PyArg_ParseTuple(args,(char *)"OO:semanage_set_disable_dontaudit",&obj0,&obj1)) SWIG_fail;
+  res1 = SWIG_ConvertPtr(obj0, &argp1,SWIGTYPE_p_semanage_handle, 0 |  0 );
+  if (!SWIG_IsOK(res1)) {
+    SWIG_exception_fail(SWIG_ArgError(res1), "in method '" "semanage_set_disable_dontaudit" "', argument " "1"" of type '" "semanage_handle_t *""'"); 
+  }
+  arg1 = (semanage_handle_t *)(argp1);
+  ecode2 = SWIG_AsVal_int(obj1, &val2);
+  if (!SWIG_IsOK(ecode2)) {
+    SWIG_exception_fail(SWIG_ArgError(ecode2), "in method '" "semanage_set_disable_dontaudit" "', argument " "2"" of type '" "int""'");
+  } 
+  arg2 = (int)(val2);
+  semanage_set_disable_dontaudit(arg1,arg2);
+  resultobj = SWIG_Py_Void();
+  return resultobj;
+fail:
+  return NULL;
+}
+
+
 SWIGINTERN PyObject *_wrap_semanage_is_managed(PyObject *SWIGUNUSEDPARM(self), PyObject *args) {
   PyObject *resultobj = 0;
   semanage_handle_t *arg1 = (semanage_handle_t *) 0 ;
@@ -3384,7 +3421,7 @@
   if (!SWIG_IsOK(res2)) {
     SWIG_exception_fail(SWIG_ArgError(res2), "in method '" "semanage_module_install" "', argument " "2"" of type '" "char *""'");
   }
-  arg2 = buf2;
+  arg2 = (char *)(buf2);
   ecode3 = SWIG_AsVal_size_t(obj2, &val3);
   if (!SWIG_IsOK(ecode3)) {
     SWIG_exception_fail(SWIG_ArgError(ecode3), "in method '" "semanage_module_install" "', argument " "3"" of type '" "size_t""'");
@@ -3427,7 +3464,7 @@
   if (!SWIG_IsOK(res2)) {
     SWIG_exception_fail(SWIG_ArgError(res2), "in method '" "semanage_module_upgrade" "', argument " "2"" of type '" "char *""'");
   }
-  arg2 = buf2;
+  arg2 = (char *)(buf2);
   ecode3 = SWIG_AsVal_size_t(obj2, &val3);
   if (!SWIG_IsOK(ecode3)) {
     SWIG_exception_fail(SWIG_ArgError(ecode3), "in method '" "semanage_module_upgrade" "', argument " "3"" of type '" "size_t""'");
@@ -3470,7 +3507,7 @@
   if (!SWIG_IsOK(res2)) {
     SWIG_exception_fail(SWIG_ArgError(res2), "in method '" "semanage_module_install_base" "', argument " "2"" of type '" "char *""'");
   }
-  arg2 = buf2;
+  arg2 = (char *)(buf2);
   ecode3 = SWIG_AsVal_size_t(obj2, &val3);
   if (!SWIG_IsOK(ecode3)) {
     SWIG_exception_fail(SWIG_ArgError(ecode3), "in method '" "semanage_module_install_base" "', argument " "3"" of type '" "size_t""'");
@@ -3509,7 +3546,7 @@
   if (!SWIG_IsOK(res2)) {
     SWIG_exception_fail(SWIG_ArgError(res2), "in method '" "semanage_module_remove" "', argument " "2"" of type '" "char *""'");
   }
-  arg2 = buf2;
+  arg2 = (char *)(buf2);
   result = (int)semanage_module_remove(arg1,arg2);
   resultobj = SWIG_From_int((int)(result));
   if (alloc2 == SWIG_NEWOBJ) free((char*)buf2);
@@ -3627,7 +3664,7 @@
   }
   arg1 = (semanage_module_info_t *)(argp1);
   result = (char *)semanage_module_get_name(arg1);
-  resultobj = SWIG_FromCharPtr(result);
+  resultobj = SWIG_FromCharPtr((const char *)result);
   return resultobj;
 fail:
   return NULL;
@@ -3649,7 +3686,7 @@
   }
   arg1 = (semanage_module_info_t *)(argp1);
   result = (char *)semanage_module_get_version(arg1);
-  resultobj = SWIG_FromCharPtr(result);
+  resultobj = SWIG_FromCharPtr((const char *)result);
   return resultobj;
 fail:
   return NULL;
@@ -3671,7 +3708,7 @@
   }
   arg1 = (semanage_context_t *)(argp1);
   result = (char *)semanage_context_get_user((struct semanage_context const *)arg1);
-  resultobj = SWIG_FromCharPtr(result);
+  resultobj = SWIG_FromCharPtr((const char *)result);
   return resultobj;
 fail:
   return NULL;
@@ -3710,7 +3747,7 @@
   if (!SWIG_IsOK(res3)) {
     SWIG_exception_fail(SWIG_ArgError(res3), "in method '" "semanage_context_set_user" "', argument " "3"" of type '" "char const *""'");
   }
-  arg3 = buf3;
+  arg3 = (char *)(buf3);
   result = (int)semanage_context_set_user(arg1,arg2,(char const *)arg3);
   resultobj = SWIG_From_int((int)(result));
   if (alloc3 == SWIG_NEWOBJ) free((char*)buf3);
@@ -3736,7 +3773,7 @@
   }
   arg1 = (semanage_context_t *)(argp1);
   result = (char *)semanage_context_get_role((struct semanage_context const *)arg1);
-  resultobj = SWIG_FromCharPtr(result);
+  resultobj = SWIG_FromCharPtr((const char *)result);
   return resultobj;
 fail:
   return NULL;
@@ -3775,7 +3812,7 @@
   if (!SWIG_IsOK(res3)) {
     SWIG_exception_fail(SWIG_ArgError(res3), "in method '" "semanage_context_set_role" "', argument " "3"" of type '" "char const *""'");
   }
-  arg3 = buf3;
+  arg3 = (char *)(buf3);
   result = (int)semanage_context_set_role(arg1,arg2,(char const *)arg3);
   resultobj = SWIG_From_int((int)(result));
   if (alloc3 == SWIG_NEWOBJ) free((char*)buf3);
@@ -3801,7 +3838,7 @@
   }
   arg1 = (semanage_context_t *)(argp1);
   result = (char *)semanage_context_get_type((struct semanage_context const *)arg1);
-  resultobj = SWIG_FromCharPtr(result);
+  resultobj = SWIG_FromCharPtr((const char *)result);
   return resultobj;
 fail:
   return NULL;
@@ -3840,7 +3877,7 @@
   if (!SWIG_IsOK(res3)) {
     SWIG_exception_fail(SWIG_ArgError(res3), "in method '" "semanage_context_set_type" "', argument " "3"" of type '" "char const *""'");
   }
-  arg3 = buf3;
+  arg3 = (char *)(buf3);
   result = (int)semanage_context_set_type(arg1,arg2,(char const *)arg3);
   resultobj = SWIG_From_int((int)(result));
   if (alloc3 == SWIG_NEWOBJ) free((char*)buf3);
@@ -3866,7 +3903,7 @@
   }
   arg1 = (semanage_context_t *)(argp1);
   result = (char *)semanage_context_get_mls((struct semanage_context const *)arg1);
-  resultobj = SWIG_FromCharPtr(result);
+  resultobj = SWIG_FromCharPtr((const char *)result);
   return resultobj;
 fail:
   return NULL;
@@ -3905,7 +3942,7 @@
   if (!SWIG_IsOK(res3)) {
     SWIG_exception_fail(SWIG_ArgError(res3), "in method '" "semanage_context_set_mls" "', argument " "3"" of type '" "char const *""'");
   }
-  arg3 = buf3;
+  arg3 = (char *)(buf3);
   result = (int)semanage_context_set_mls(arg1,arg2,(char const *)arg3);
   resultobj = SWIG_From_int((int)(result));
   if (alloc3 == SWIG_NEWOBJ) free((char*)buf3);
@@ -4034,7 +4071,7 @@
   if (!SWIG_IsOK(res2)) {
     SWIG_exception_fail(SWIG_ArgError(res2), "in method '" "semanage_context_from_string" "', argument " "2"" of type '" "char const *""'");
   }
-  arg2 = buf2;
+  arg2 = (char *)(buf2);
   result = (int)semanage_context_from_string(arg1,(char const *)arg2,arg3);
   resultobj = SWIG_From_int((int)(result));
   {
@@ -4116,7 +4153,7 @@
   if (!SWIG_IsOK(res2)) {
     SWIG_exception_fail(SWIG_ArgError(res2), "in method '" "semanage_bool_key_create" "', argument " "2"" of type '" "char const *""'");
   }
-  arg2 = buf2;
+  arg2 = (char *)(buf2);
   result = (int)semanage_bool_key_create(arg1,(char const *)arg2,arg3);
   resultobj = SWIG_From_int((int)(result));
   {
@@ -4267,7 +4304,7 @@
   }
   arg1 = (semanage_bool_t *)(argp1);
   result = (char *)semanage_bool_get_name((struct semanage_bool const *)arg1);
-  resultobj = SWIG_FromCharPtr(result);
+  resultobj = SWIG_FromCharPtr((const char *)result);
   return resultobj;
 fail:
   return NULL;
@@ -4306,7 +4343,7 @@
   if (!SWIG_IsOK(res3)) {
     SWIG_exception_fail(SWIG_ArgError(res3), "in method '" "semanage_bool_set_name" "', argument " "3"" of type '" "char const *""'");
   }
-  arg3 = buf3;
+  arg3 = (char *)(buf3);
   result = (int)semanage_bool_set_name(arg1,arg2,(char const *)arg3);
   resultobj = SWIG_From_int((int)(result));
   if (alloc3 == SWIG_NEWOBJ) free((char*)buf3);
@@ -5242,7 +5279,7 @@
   if (!SWIG_IsOK(res2)) {
     SWIG_exception_fail(SWIG_ArgError(res2), "in method '" "semanage_iface_key_create" "', argument " "2"" of type '" "char const *""'");
   }
-  arg2 = buf2;
+  arg2 = (char *)(buf2);
   result = (int)semanage_iface_key_create(arg1,(char const *)arg2,arg3);
   resultobj = SWIG_From_int((int)(result));
   {
@@ -5331,7 +5368,7 @@
   }
   arg1 = (semanage_iface_t *)(argp1);
   result = (char *)semanage_iface_get_name((struct semanage_iface const *)arg1);
-  resultobj = SWIG_FromCharPtr(result);
+  resultobj = SWIG_FromCharPtr((const char *)result);
   return resultobj;
 fail:
   return NULL;
@@ -5370,7 +5407,7 @@
   if (!SWIG_IsOK(res3)) {
     SWIG_exception_fail(SWIG_ArgError(res3), "in method '" "semanage_iface_set_name" "', argument " "3"" of type '" "char const *""'");
   }
-  arg3 = buf3;
+  arg3 = (char *)(buf3);
   result = (int)semanage_iface_set_name(arg1,arg2,(char const *)arg3);
   resultobj = SWIG_From_int((int)(result));
   if (alloc3 == SWIG_NEWOBJ) free((char*)buf3);
@@ -6082,7 +6119,7 @@
   if (!SWIG_IsOK(res2)) {
     SWIG_exception_fail(SWIG_ArgError(res2), "in method '" "semanage_user_key_create" "', argument " "2"" of type '" "char const *""'");
   }
-  arg2 = buf2;
+  arg2 = (char *)(buf2);
   result = (int)semanage_user_key_create(arg1,(char const *)arg2,arg3);
   resultobj = SWIG_From_int((int)(result));
   {
@@ -6233,7 +6270,7 @@
   }
   arg1 = (semanage_user_t *)(argp1);
   result = (char *)semanage_user_get_name((struct semanage_user const *)arg1);
-  resultobj = SWIG_FromCharPtr(result);
+  resultobj = SWIG_FromCharPtr((const char *)result);
   return resultobj;
 fail:
   return NULL;
@@ -6272,7 +6309,7 @@
   if (!SWIG_IsOK(res3)) {
     SWIG_exception_fail(SWIG_ArgError(res3), "in method '" "semanage_user_set_name" "', argument " "3"" of type '" "char const *""'");
   }
-  arg3 = buf3;
+  arg3 = (char *)(buf3);
   result = (int)semanage_user_set_name(arg1,arg2,(char const *)arg3);
   resultobj = SWIG_From_int((int)(result));
   if (alloc3 == SWIG_NEWOBJ) free((char*)buf3);
@@ -6298,7 +6335,7 @@
   }
   arg1 = (semanage_user_t *)(argp1);
   result = (char *)semanage_user_get_prefix((struct semanage_user const *)arg1);
-  resultobj = SWIG_FromCharPtr(result);
+  resultobj = SWIG_FromCharPtr((const char *)result);
   return resultobj;
 fail:
   return NULL;
@@ -6337,7 +6374,7 @@
   if (!SWIG_IsOK(res3)) {
     SWIG_exception_fail(SWIG_ArgError(res3), "in method '" "semanage_user_set_prefix" "', argument " "3"" of type '" "char const *""'");
   }
-  arg3 = buf3;
+  arg3 = (char *)(buf3);
   result = (int)semanage_user_set_prefix(arg1,arg2,(char const *)arg3);
   resultobj = SWIG_From_int((int)(result));
   if (alloc3 == SWIG_NEWOBJ) free((char*)buf3);
@@ -6363,7 +6400,7 @@
   }
   arg1 = (semanage_user_t *)(argp1);
   result = (char *)semanage_user_get_mlslevel((struct semanage_user const *)arg1);
-  resultobj = SWIG_FromCharPtr(result);
+  resultobj = SWIG_FromCharPtr((const char *)result);
   return resultobj;
 fail:
   return NULL;
@@ -6402,7 +6439,7 @@
   if (!SWIG_IsOK(res3)) {
     SWIG_exception_fail(SWIG_ArgError(res3), "in method '" "semanage_user_set_mlslevel" "', argument " "3"" of type '" "char const *""'");
   }
-  arg3 = buf3;
+  arg3 = (char *)(buf3);
   result = (int)semanage_user_set_mlslevel(arg1,arg2,(char const *)arg3);
   resultobj = SWIG_From_int((int)(result));
   if (alloc3 == SWIG_NEWOBJ) free((char*)buf3);
@@ -6428,7 +6465,7 @@
   }
   arg1 = (semanage_user_t *)(argp1);
   result = (char *)semanage_user_get_mlsrange((struct semanage_user const *)arg1);
-  resultobj = SWIG_FromCharPtr(result);
+  resultobj = SWIG_FromCharPtr((const char *)result);
   return resultobj;
 fail:
   return NULL;
@@ -6467,7 +6504,7 @@
   if (!SWIG_IsOK(res3)) {
     SWIG_exception_fail(SWIG_ArgError(res3), "in method '" "semanage_user_set_mlsrange" "', argument " "3"" of type '" "char const *""'");
   }
-  arg3 = buf3;
+  arg3 = (char *)(buf3);
   result = (int)semanage_user_set_mlsrange(arg1,arg2,(char const *)arg3);
   resultobj = SWIG_From_int((int)(result));
   if (alloc3 == SWIG_NEWOBJ) free((char*)buf3);
@@ -6532,7 +6569,7 @@
   if (!SWIG_IsOK(res3)) {
     SWIG_exception_fail(SWIG_ArgError(res3), "in method '" "semanage_user_add_role" "', argument " "3"" of type '" "char const *""'");
   }
-  arg3 = buf3;
+  arg3 = (char *)(buf3);
   result = (int)semanage_user_add_role(arg1,arg2,(char const *)arg3);
   resultobj = SWIG_From_int((int)(result));
   if (alloc3 == SWIG_NEWOBJ) free((char*)buf3);
@@ -6565,7 +6602,7 @@
   if (!SWIG_IsOK(res2)) {
     SWIG_exception_fail(SWIG_ArgError(res2), "in method '" "semanage_user_del_role" "', argument " "2"" of type '" "char const *""'");
   }
-  arg2 = buf2;
+  arg2 = (char *)(buf2);
   semanage_user_del_role(arg1,(char const *)arg2);
   resultobj = SWIG_Py_Void();
   if (alloc2 == SWIG_NEWOBJ) free((char*)buf2);
@@ -6599,7 +6636,7 @@
   if (!SWIG_IsOK(res2)) {
     SWIG_exception_fail(SWIG_ArgError(res2), "in method '" "semanage_user_has_role" "', argument " "2"" of type '" "char const *""'");
   }
-  arg2 = buf2;
+  arg2 = (char *)(buf2);
   result = (int)semanage_user_has_role((struct semanage_user const *)arg1,(char const *)arg2);
   resultobj = SWIG_From_int((int)(result));
   if (alloc2 == SWIG_NEWOBJ) free((char*)buf2);
@@ -7508,7 +7545,7 @@
   } 
   arg1 = (int)(val1);
   result = (char *)semanage_port_get_proto_str(arg1);
-  resultobj = SWIG_FromCharPtr(result);
+  resultobj = SWIG_FromCharPtr((const char *)result);
   return resultobj;
 fail:
   return NULL;
@@ -8333,7 +8370,7 @@
   if (!SWIG_IsOK(res2)) {
     SWIG_exception_fail(SWIG_ArgError(res2), "in method '" "semanage_fcontext_key_create" "', argument " "2"" of type '" "char const *""'");
   }
-  arg2 = buf2;
+  arg2 = (char *)(buf2);
   ecode3 = SWIG_AsVal_int(obj2, &val3);
   if (!SWIG_IsOK(ecode3)) {
     SWIG_exception_fail(SWIG_ArgError(ecode3), "in method '" "semanage_fcontext_key_create" "', argument " "3"" of type '" "int""'");
@@ -8427,7 +8464,7 @@
   }
   arg1 = (semanage_fcontext_t *)(argp1);
   result = (char *)semanage_fcontext_get_expr((struct semanage_fcontext const *)arg1);
-  resultobj = SWIG_FromCharPtr(result);
+  resultobj = SWIG_FromCharPtr((const char *)result);
   return resultobj;
 fail:
   return NULL;
@@ -8466,7 +8503,7 @@
   if (!SWIG_IsOK(res3)) {
     SWIG_exception_fail(SWIG_ArgError(res3), "in method '" "semanage_fcontext_set_expr" "', argument " "3"" of type '" "char const *""'");
   }
-  arg3 = buf3;
+  arg3 = (char *)(buf3);
   result = (int)semanage_fcontext_set_expr(arg1,arg2,(char const *)arg3);
   resultobj = SWIG_From_int((int)(result));
   if (alloc3 == SWIG_NEWOBJ) free((char*)buf3);
@@ -8514,7 +8551,7 @@
   } 
   arg1 = (int)(val1);
   result = (char *)semanage_fcontext_get_type_str(arg1);
-  resultobj = SWIG_FromCharPtr(result);
+  resultobj = SWIG_FromCharPtr((const char *)result);
   return resultobj;
 fail:
   return NULL;
@@ -9190,7 +9227,7 @@
   if (!SWIG_IsOK(res2)) {
     SWIG_exception_fail(SWIG_ArgError(res2), "in method '" "semanage_seuser_key_create" "', argument " "2"" of type '" "char const *""'");
   }
-  arg2 = buf2;
+  arg2 = (char *)(buf2);
   result = (int)semanage_seuser_key_create(arg1,(char const *)arg2,arg3);
   resultobj = SWIG_From_int((int)(result));
   {
@@ -9341,7 +9378,7 @@
   }
   arg1 = (semanage_seuser_t *)(argp1);
   result = (char *)semanage_seuser_get_name((struct semanage_seuser const *)arg1);
-  resultobj = SWIG_FromCharPtr(result);
+  resultobj = SWIG_FromCharPtr((const char *)result);
   return resultobj;
 fail:
   return NULL;
@@ -9380,7 +9417,7 @@
   if (!SWIG_IsOK(res3)) {
     SWIG_exception_fail(SWIG_ArgError(res3), "in method '" "semanage_seuser_set_name" "', argument " "3"" of type '" "char const *""'");
   }
-  arg3 = buf3;
+  arg3 = (char *)(buf3);
   result = (int)semanage_seuser_set_name(arg1,arg2,(char const *)arg3);
   resultobj = SWIG_From_int((int)(result));
   if (alloc3 == SWIG_NEWOBJ) free((char*)buf3);
@@ -9406,7 +9443,7 @@
   }
   arg1 = (semanage_seuser_t *)(argp1);
   result = (char *)semanage_seuser_get_sename((struct semanage_seuser const *)arg1);
-  resultobj = SWIG_FromCharPtr(result);
+  resultobj = SWIG_FromCharPtr((const char *)result);
   return resultobj;
 fail:
   return NULL;
@@ -9445,7 +9482,7 @@
   if (!SWIG_IsOK(res3)) {
     SWIG_exception_fail(SWIG_ArgError(res3), "in method '" "semanage_seuser_set_sename" "', argument " "3"" of type '" "char const *""'");
   }
-  arg3 = buf3;
+  arg3 = (char *)(buf3);
   result = (int)semanage_seuser_set_sename(arg1,arg2,(char const *)arg3);
   resultobj = SWIG_From_int((int)(result));
   if (alloc3 == SWIG_NEWOBJ) free((char*)buf3);
@@ -9471,7 +9508,7 @@
   }
   arg1 = (semanage_seuser_t *)(argp1);
   result = (char *)semanage_seuser_get_mlsrange((struct semanage_seuser const *)arg1);
-  resultobj = SWIG_FromCharPtr(result);
+  resultobj = SWIG_FromCharPtr((const char *)result);
   return resultobj;
 fail:
   return NULL;
@@ -9510,7 +9547,7 @@
   if (!SWIG_IsOK(res3)) {
     SWIG_exception_fail(SWIG_ArgError(res3), "in method '" "semanage_seuser_set_mlsrange" "', argument " "3"" of type '" "char const *""'");
   }
-  arg3 = buf3;
+  arg3 = (char *)(buf3);
   result = (int)semanage_seuser_set_mlsrange(arg1,arg2,(char const *)arg3);
   resultobj = SWIG_From_int((int)(result));
   if (alloc3 == SWIG_NEWOBJ) free((char*)buf3);
@@ -10169,12 +10206,12 @@
   if (!SWIG_IsOK(res2)) {
     SWIG_exception_fail(SWIG_ArgError(res2), "in method '" "semanage_node_key_create" "', argument " "2"" of type '" "char const *""'");
   }
-  arg2 = buf2;
+  arg2 = (char *)(buf2);
   res3 = SWIG_AsCharPtrAndSize(obj2, &buf3, NULL, &alloc3);
   if (!SWIG_IsOK(res3)) {
     SWIG_exception_fail(SWIG_ArgError(res3), "in method '" "semanage_node_key_create" "', argument " "3"" of type '" "char const *""'");
   }
-  arg3 = buf3;
+  arg3 = (char *)(buf3);
   ecode4 = SWIG_AsVal_int(obj3, &val4);
   if (!SWIG_IsOK(ecode4)) {
     SWIG_exception_fail(SWIG_ArgError(ecode4), "in method '" "semanage_node_key_create" "', argument " "4"" of type '" "int""'");
@@ -10386,7 +10423,7 @@
   if (!SWIG_IsOK(res4)) {
     SWIG_exception_fail(SWIG_ArgError(res4), "in method '" "semanage_node_set_addr" "', argument " "4"" of type '" "char const *""'");
   }
-  arg4 = buf4;
+  arg4 = (char *)(buf4);
   result = (int)semanage_node_set_addr(arg1,arg2,arg3,(char const *)arg4);
   resultobj = SWIG_From_int((int)(result));
   if (alloc4 == SWIG_NEWOBJ) free((char*)buf4);
@@ -10433,7 +10470,7 @@
   if (!SWIG_IsOK(res3)) {
     SWIG_exception_fail(SWIG_ArgError(res3), "in method '" "semanage_node_set_addr_bytes" "', argument " "3"" of type '" "char const *""'");
   }
-  arg3 = buf3;
+  arg3 = (char *)(buf3);
   ecode4 = SWIG_AsVal_size_t(obj3, &val4);
   if (!SWIG_IsOK(ecode4)) {
     SWIG_exception_fail(SWIG_ArgError(ecode4), "in method '" "semanage_node_set_addr_bytes" "', argument " "4"" of type '" "size_t""'");
@@ -10580,7 +10617,7 @@
   if (!SWIG_IsOK(res4)) {
     SWIG_exception_fail(SWIG_ArgError(res4), "in method '" "semanage_node_set_mask" "', argument " "4"" of type '" "char const *""'");
   }
-  arg4 = buf4;
+  arg4 = (char *)(buf4);
   result = (int)semanage_node_set_mask(arg1,arg2,arg3,(char const *)arg4);
   resultobj = SWIG_From_int((int)(result));
   if (alloc4 == SWIG_NEWOBJ) free((char*)buf4);
@@ -10627,7 +10664,7 @@
   if (!SWIG_IsOK(res3)) {
     SWIG_exception_fail(SWIG_ArgError(res3), "in method '" "semanage_node_set_mask_bytes" "', argument " "3"" of type '" "char const *""'");
   }
-  arg3 = buf3;
+  arg3 = (char *)(buf3);
   ecode4 = SWIG_AsVal_size_t(obj3, &val4);
   if (!SWIG_IsOK(ecode4)) {
     SWIG_exception_fail(SWIG_ArgError(ecode4), "in method '" "semanage_node_set_mask_bytes" "', argument " "4"" of type '" "size_t""'");
@@ -10710,7 +10747,7 @@
   } 
   arg1 = (int)(val1);
   result = (char *)semanage_node_get_proto_str(arg1);
-  resultobj = SWIG_FromCharPtr(result);
+  resultobj = SWIG_FromCharPtr((const char *)result);
   return resultobj;
 fail:
   return NULL;
@@ -11340,6 +11377,7 @@
 	 { (char *)"semanage_set_reload", _wrap_semanage_set_reload, METH_VARARGS, NULL},
 	 { (char *)"semanage_set_rebuild", _wrap_semanage_set_rebuild, METH_VARARGS, NULL},
 	 { (char *)"semanage_set_create_store", _wrap_semanage_set_create_store, METH_VARARGS, NULL},
+	 { (char *)"semanage_set_disable_dontaudit", _wrap_semanage_set_disable_dontaudit, METH_VARARGS, NULL},
 	 { (char *)"semanage_is_managed", _wrap_semanage_is_managed, METH_VARARGS, NULL},
 	 { (char *)"semanage_connect", _wrap_semanage_connect, METH_VARARGS, NULL},
 	 { (char *)"semanage_disconnect", _wrap_semanage_disconnect, METH_VARARGS, NULL},
@@ -11827,7 +11865,7 @@
  * structures together.
  *
  * The generated swig_type_info structures are assigned staticly to an initial 
- * array. We just loop though that array, and handle each type individually.
+ * array. We just loop through that array, and handle each type individually.
  * First we lookup if this type has been already loaded, and if so, use the
  * loaded structure instead of the generated one. Then we have to fill in the
  * cast linked list. The cast data is initially stored in something like a
@@ -11865,30 +11903,47 @@
 #define SWIGRUNTIME_DEBUG
 #endif
 
+
 SWIGRUNTIME void
 SWIG_InitializeModule(void *clientdata) {
   size_t i;
-  swig_module_info *module_head;
-  static int init_run = 0;
+  swig_module_info *module_head, *iter;
+  int found;
   
   clientdata = clientdata;
   
-  if (init_run) return;
-  init_run = 1;
+  /* check to see if the circular list has been setup, if not, set it up */
+  if (swig_module.next==0) {
+    /* Initialize the swig_module */
+    swig_module.type_initial = swig_type_initial;
+    swig_module.cast_initial = swig_cast_initial;
+    swig_module.next = &swig_module;
+  }
   
-  /* Initialize the swig_module */
-  swig_module.type_initial = swig_type_initial;
-  swig_module.cast_initial = swig_cast_initial;
-  
   /* Try and load any already created modules */
   module_head = SWIG_GetModule(clientdata);
-  if (module_head) {
+  if (!module_head) {
+    /* This is the first module loaded for this interpreter */
+    /* so set the swig module into the interpreter */
+    SWIG_SetModule(clientdata, &swig_module);
+    module_head = &swig_module;
+  } else {
+    /* the interpreter has loaded a SWIG module, but has it loaded this one? */
+    found=0;
+    iter=module_head;
+    do {
+      if (iter==&swig_module) {
+        found=1;
+        break;
+      }
+      iter=iter->next;
+    } while (iter!= module_head);
+    
+    /* if the is found in the list, then all is done and we may leave */
+    if (found) return;
+    /* otherwise we must add out module into the list */
     swig_module.next = module_head->next;
     module_head->next = &swig_module;
-  } else {
-    /* This is the first module loaded */
-    swig_module.next = &swig_module;
-    SWIG_SetModule(clientdata, &swig_module);
   }
   
   /* Now work on filling in swig_module.types */
@@ -12201,7 +12256,7 @@
   }
   
   SWIGINTERN PyObject *
-  SWIG_globals() {
+  SWIG_globals(void) {
     static PyObject *_SWIG_globals = 0; 
     if (!_SWIG_globals) _SWIG_globals = SWIG_newvarlink();  
     return _SWIG_globals;
@@ -12246,11 +12301,11 @@
     swig_type_info **types_initial) {
     size_t i;
     for (i = 0; methods[i].ml_name; ++i) {
-      char *c = methods[i].ml_doc;
+      const char *c = methods[i].ml_doc;
       if (c && (c = strstr(c, "swig_ptr: "))) {
         int j;
         swig_const_info *ci = 0;
-        char *name = c + 10;
+        const char *name = c + 10;
         for (j = 0; const_table[j].type; ++j) {
           if (strncmp(const_table[j].name, name, 
               strlen(const_table[j].name)) == 0) {
      From: <ssm...@us...> - 2007-09-19 21:14:45
      
| Revision: 2574
          http://selinux.svn.sourceforge.net/selinux/?rev=2574&view=rev
Author:   ssmalley
Date:     2007-09-19 14:14:39 -0700 (Wed, 19 Sep 2007)
Log Message:
-----------
updated libsemanage to version 2.0.8
Modified Paths:
--------------
    trunk/libsemanage/ChangeLog
    trunk/libsemanage/VERSION
Modified: trunk/libsemanage/ChangeLog
===================================================================
--- trunk/libsemanage/ChangeLog	2007-09-19 21:13:57 UTC (rev 2573)
+++ trunk/libsemanage/ChangeLog	2007-09-19 21:14:39 UTC (rev 2574)
@@ -1,3 +1,7 @@
+2.0.8 2007-09-19
+	* Clear errno on non-fatal errors to avoid reporting them upon a
+	  later error that does not set errno.
+
 2.0.7 2007-09-19
 	* Improve reporting of system errors, e.g. full filesystem or read-only filesystem from Stephen Smalley.
 
Modified: trunk/libsemanage/VERSION
===================================================================
--- trunk/libsemanage/VERSION	2007-09-19 21:13:57 UTC (rev 2573)
+++ trunk/libsemanage/VERSION	2007-09-19 21:14:39 UTC (rev 2574)
@@ -1 +1 @@
-2.0.7
+2.0.8
      From: <ssm...@us...> - 2007-09-19 21:14:03
      
| Revision: 2573
          http://selinux.svn.sourceforge.net/selinux/?rev=2573&view=rev
Author:   ssmalley
Date:     2007-09-19 14:13:57 -0700 (Wed, 19 Sep 2007)
Log Message:
-----------
Author: Stephen Smalley
Email: sd...@ty...
Subject: libsemanage, semodule: Improve error reporting
Date: Wed, 19 Sep 2007 16:48:58 -0400
A follow-up patch based on some more testing of the first one, applies
on top.
Clear errno in several locations when we are ignoring a non-fatal
error in libsemanage, so that we do not end up reporting it upon
a later ERR() call for another reason.
Modified Paths:
--------------
    trunk/libsemanage/src/direct_api.c
    trunk/libsemanage/src/semanage_store.c
Modified: trunk/libsemanage/src/direct_api.c
===================================================================
--- trunk/libsemanage/src/direct_api.c	2007-09-19 18:44:09 UTC (rev 2572)
+++ trunk/libsemanage/src/direct_api.c	2007-09-19 21:13:57 UTC (rev 2573)
@@ -32,6 +32,7 @@
 #include <sys/stat.h>
 #include <sys/types.h>
 #include <limits.h>
+#include <errno.h>
 
 #include "user_internal.h"
 #include "seuser_internal.h"
@@ -540,6 +541,7 @@
 			 * checking is done because this is likely to fail because
 			 * the file does not exist - which is not an error. */
 			unlink(linked_filename);
+			errno = 0;
 		}
 
 		/* ==================== File-backed ================== */
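Review bot: The added `errno = 0;` after `unlink(linked_filename)` clears every failure, not only the expected ENOENT, so an existing linked module that cannot be removed (EACCES, EPERM, EROFS) is silently left in place and its cause is lost for any later report. Clearing only the expected case keeps the comment above honest and preserves real failures: `if (unlink(linked_filename) < 0 && errno == ENOENT) errno = 0;` (or report the other cases with ERR()). The enclosing function continues outside the hunk, so I cannot tell whether a later step would re-use the stale file.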
Modified: trunk/libsemanage/src/semanage_store.c
===================================================================
--- trunk/libsemanage/src/semanage_store.c	2007-09-19 18:44:09 UTC (rev 2572)
+++ trunk/libsemanage/src/semanage_store.c	2007-09-19 21:13:57 UTC (rev 2573)
@@ -574,6 +574,7 @@
 			ERR(sh, "Error scanning directory %s.", sandbox);
 			return -1;
 		}
+		errno = 0;
 	} else {
 		/* remove the old sandbox */
 		if (semanage_remove_directory(sandbox) != 0) {
@@ -1096,6 +1097,7 @@
 		    store_fc_loc);
 		goto cleanup;
 	}
+	errno = 0;
 
 	snprintf(store_seusers, PATH_MAX, "%s%s", storepath, running_seusers);
 	if (semanage_copy_file
@@ -1105,6 +1107,7 @@
 		    store_seusers);
 		goto cleanup;
 	}
+	errno = 0;
 
 	snprintf(store_nc, PATH_MAX, "%s%s", storepath, running_nc);
 	if (semanage_copy_file(active_nc, store_nc, sh->conf->file_mode) == -1
@@ -1112,6 +1115,7 @@
 		ERR(sh, "Could not copy %s to %s.", active_nc, store_nc);
 		goto cleanup;
 	}
+	errno = 0;
 
 	if (!sh->do_reload)
 		goto skip_reload;
@@ -1133,8 +1137,10 @@
 			goto skip_reload;
 		}
 	} else if (errno == ENOENT &&
-		   strcmp(really_active_store, storepath) != 0)
+		   strcmp(really_active_store, storepath) != 0) {
+		errno = 0;
 		goto skip_reload;
+	}
 
 	if (semanage_reload_policy(sh)) {
 		goto cleanup;
@@ -1470,6 +1476,7 @@
 		if (errno == ENOENT) {
 			/* the commit number file does not exist yet,
 			 * so assume that the number is 0 */
+			errno = 0;
 			return 0;
 		} else {
 			ERR(sh, "Could not open commit number file %s.",
      From: <ssm...@us...> - 2007-09-19 18:44:18
      
| Revision: 2572
          http://selinux.svn.sourceforge.net/selinux/?rev=2572&view=rev
Author:   ssmalley
Date:     2007-09-19 11:44:09 -0700 (Wed, 19 Sep 2007)
Log Message:
-----------
updated policycoreutils to version 2.0.27
Modified Paths:
--------------
    trunk/policycoreutils/ChangeLog
    trunk/policycoreutils/VERSION
Modified: trunk/policycoreutils/ChangeLog
===================================================================
--- trunk/policycoreutils/ChangeLog	2007-09-19 18:43:34 UTC (rev 2571)
+++ trunk/policycoreutils/ChangeLog	2007-09-19 18:44:09 UTC (rev 2572)
@@ -1,3 +1,6 @@
+2.0.27 2007-09-19
+	* Improve semodule reporting of system errors from Stephen Smalley.
+
 2.0.26 2007-09-18
 	* Fix setfiles selabel option flag setting for 64-bit from Stephen Smalley.
 
Modified: trunk/policycoreutils/VERSION
===================================================================
--- trunk/policycoreutils/VERSION	2007-09-19 18:43:34 UTC (rev 2571)
+++ trunk/policycoreutils/VERSION	2007-09-19 18:44:09 UTC (rev 2572)
@@ -1 +1 @@
-2.0.26
+2.0.27
      From: <ssm...@us...> - 2007-09-19 18:43:35
      
| Revision: 2571
          http://selinux.svn.sourceforge.net/selinux/?rev=2571&view=rev
Author:   ssmalley
Date:     2007-09-19 11:43:34 -0700 (Wed, 19 Sep 2007)
Log Message:
-----------
updated libsemanage to version 2.0.7
Modified Paths:
--------------
    trunk/libsemanage/ChangeLog
    trunk/libsemanage/VERSION
Modified: trunk/libsemanage/ChangeLog
===================================================================
--- trunk/libsemanage/ChangeLog	2007-09-19 18:42:25 UTC (rev 2570)
+++ trunk/libsemanage/ChangeLog	2007-09-19 18:43:34 UTC (rev 2571)
@@ -1,3 +1,6 @@
+2.0.7 2007-09-19
+	* Improve reporting of system errors, e.g. full filesystem or read-only filesystem from Stephen Smalley.
+
 2.0.6 2007-09-10
 	* Change to use getpw* function calls to the _r versions from Todd Miller.
 
Modified: trunk/libsemanage/VERSION
===================================================================
--- trunk/libsemanage/VERSION	2007-09-19 18:42:25 UTC (rev 2570)
+++ trunk/libsemanage/VERSION	2007-09-19 18:43:34 UTC (rev 2571)
@@ -1 +1 @@
-2.0.6
+2.0.7
      From: <ssm...@us...> - 2007-09-19 18:42:26
      
| Revision: 2570
          http://selinux.svn.sourceforge.net/selinux/?rev=2570&view=rev
Author:   ssmalley
Date:     2007-09-19 11:42:25 -0700 (Wed, 19 Sep 2007)
Log Message:
-----------
Author: Stephen Smalley
Email: sd...@ty...
Subject: libsemanage, semodule: Improve error reporting
Date: Wed, 19 Sep 2007 14:29:40 -0400
Change libsemanage to save errno values appropriately so they aren't lost
on cleanup paths and to include the strerror output in error messages.
Also change semodule to include strerror output as appropriate on some common error cases.
In particular, this yields useful error messages when invoking semodule
on a full filesystem or a read-only filesystem.  Erich Schubert reported this
as a bug a year ago.
Also fixes a couple of bugs in write() error checking in libsemanage.
Signed-off-by: Stephen Smalley <sd...@ty...>
Modified Paths:
--------------
    trunk/libsemanage/src/debug.c
    trunk/libsemanage/src/semanage_store.c
    trunk/policycoreutils/semodule/semodule.c
Modified: trunk/libsemanage/src/debug.c
===================================================================
--- trunk/libsemanage/src/debug.c	2007-09-18 19:46:46 UTC (rev 2569)
+++ trunk/libsemanage/src/debug.c	2007-09-19 18:42:25 UTC (rev 2570)
@@ -23,6 +23,8 @@
 #include <stdarg.h>
 #include <stdlib.h>
 #include <stdio.h>
+#include <errno.h>
+#include <string.h>
 #include "handle.h"
 #include "debug.h"
 
@@ -55,10 +57,12 @@
 {
 
 	FILE *stream = NULL;
+	int errsv = 0;
 
 	switch (semanage_msg_get_level(handle)) {
 
 	case SEMANAGE_MSG_ERR:
+		errsv = errno;
 	case SEMANAGE_MSG_WARN:
 		stream = stderr;
 		break;
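Review bot: The `errsv = errno;` under `case SEMANAGE_MSG_ERR:` depends on falling through into `case SEMANAGE_MSG_WARN:` to pick up `stream = stderr`, and nothing marks that as intentional; add `/* fall through */` after the assignment so the next editor (and -Wimplicit-fallthrough) does not read it as a missing break. Since callers now rely on libsemanage preserving errno up to the ERR() call, a one-line comment on the assignment saying so (`/* errno is appended to the message below; callers must keep it intact until ERR() */`) would also help.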
@@ -77,6 +81,9 @@
 	vfprintf(stream, fmt, ap);
 	va_end(ap);
 
+	if (errsv)
+		fprintf(stream, " %s.", strerror(errsv));
+
 	fprintf(stream, "\n");
 
 	varg = NULL;
Modified: trunk/libsemanage/src/semanage_store.c
===================================================================
--- trunk/libsemanage/src/semanage_store.c	2007-09-18 19:46:46 UTC (rev 2569)
+++ trunk/libsemanage/src/semanage_store.c	2007-09-19 18:42:25 UTC (rev 2570)
@@ -437,7 +437,7 @@
  * overwrite it.  Returns 0 on success, -1 on error. */
 static int semanage_copy_file(const char *src, const char *dst, mode_t mode)
 {
-	int in, out, retval = 0, amount_read, n;
+	int in, out, retval = 0, amount_read, n, errsv = errno;
 	char tmp[PATH_MAX];
 	char buf[4192];
 
@@ -453,23 +453,32 @@
 		mode = S_IRUSR | S_IWUSR;
 
 	if ((out = open(tmp, O_WRONLY | O_CREAT | O_TRUNC, mode)) == -1) {
+		errsv = errno;
 		close(in);
-		return -1;
+		retval = -1;
+		goto out;
 	}
 	while (retval == 0 && (amount_read = read(in, buf, sizeof(buf))) > 0) {
-		if (write(out, buf, amount_read) != amount_read) {
+		if (write(out, buf, amount_read) < 0) {
+			errsv = errno;
 			retval = -1;
 		}
 	}
-	if (amount_read < 0)
+	if (amount_read < 0) {
+		errsv = errno;
 		retval = -1;
+	}
 	close(in);
-	if (close(out) < 0)
+	if (close(out) < 0) {
+		errsv = errno;
 		retval = -1;
+	}
 
 	if (!retval && rename(tmp, dst) == -1)
 		return -1;
 
+out:
+	errno = errsv;
 	return retval;
 }
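Review bot: Changing the write check from `!= amount_read` to `< 0` makes a short write (0 < n < amount_read, which is exactly what happens when the filesystem fills mid-chunk or a signal interrupts) count as success, so the loop moves on to the next read and a truncated file is renamed into place with retval 0 and no error. The `< 0` test is right for capturing errno, but the remaining bytes have to be written in a loop before the next read. Separately, `errsv` starts as the caller's errno, so the `out:` path restores a stale value after a successful copy; `int errsv = 0` would avoid attaching an unrelated error to a later message.

```c
	while (retval == 0 && (amount_read = read(in, buf, sizeof(buf))) > 0) {
		/* write() may store fewer bytes than asked (ENOSPC after a partial
		 * write, EINTR); keep going until the whole chunk is out. */
		int off = 0;
		while (off < amount_read) {
			n = write(out, buf + off, amount_read - off);
			if (n < 0) {
				if (errno == EINTR)
					continue;
				errsv = errno;
				retval = -1;
				break;
			}
			off += n;
		}
	}
	/* … unchanged: amount_read < 0 check, close(in), close(out), rename, out: … */
```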
 
@@ -558,6 +567,7 @@
 {
 	const char *sandbox = semanage_path(SEMANAGE_TMP, SEMANAGE_TOPLEVEL);
 	struct stat buf;
+	int errsv;
 
 	if (stat(sandbox, &buf) == -1) {
 		if (errno != ENOENT) {
@@ -582,7 +592,9 @@
 	return 0;
 
       cleanup:
+	errsv = errno;
 	semanage_remove_directory(sandbox);
+	errno = errsv;
 	return -1;
 }
 
@@ -973,14 +985,14 @@
 		if (!strncmp(buf, "HOME_DIR", 8) ||
 		    !strncmp(buf, "HOME_ROOT", 9) || strstr(buf, "ROLE")) {
 			/* This contains one of the template variables, write it to homedir.template */
-			if (write(hd, buf, strlen(buf)) == 0) {
+			if (write(hd, buf, strlen(buf)) < 0) {
 				ERR(sh, "Write to %s failed.",
 				    semanage_path(SEMANAGE_TMP,
 						  SEMANAGE_HOMEDIR_TMPL));
 				goto cleanup;
 			}
 		} else {
-			if (write(fc, buf, strlen(buf)) == 0) {
+			if (write(fc, buf, strlen(buf)) < 0) {
 				ERR(sh, "Write to %s failed.",
 				    semanage_path(SEMANAGE_TMP, SEMANAGE_FC));
 				goto cleanup;
@@ -1226,6 +1238,7 @@
 		/* note that if an error occurs during the next three
 		 * function then the store will be left in an
 		 * inconsistent state */
+		int errsv = errno;
 		if (rename(active, sandbox) < 0)
 			ERR(sh, "Error while renaming %s back to %s.", active,
 			    sandbox);
@@ -1234,16 +1247,19 @@
 			    active);
 		else
 			semanage_install_active(sh);
+		errno = errsv;
 		retval = -1;
 		goto cleanup;
 	}
 
 	if (!sh->conf->save_previous) {
+		int errsv = errno;
 		retval = semanage_remove_directory(backup);
 		if (retval < 0) {
 			ERR(sh, "Could not delete previous directory %s.", backup);
 			goto cleanup;
 		}
+		errno = errsv;
 	}
 
       cleanup:
@@ -1409,22 +1425,26 @@
  * there. */
 void semanage_release_trans_lock(semanage_handle_t * sh)
 {
+	int errsv = errno;
 	if (sh->u.direct.translock_file_fd >= 0) {
 		flock(sh->u.direct.translock_file_fd, LOCK_UN);
 		close(sh->u.direct.translock_file_fd);
 		sh->u.direct.translock_file_fd = -1;
 	}
+	errno = errsv;
 }
 
 /* Releases the read lock.  Does nothing if there was not one already
  * there. */
 void semanage_release_active_lock(semanage_handle_t * sh)
 {
+	int errsv = errno;
 	if (sh->u.direct.activelock_file_fd >= 0) {
 		flock(sh->u.direct.activelock_file_fd, LOCK_UN);
 		close(sh->u.direct.activelock_file_fd);
 		sh->u.direct.activelock_file_fd = -1;
 	}
+	errno = errsv;
 }
 
 /* Read the current commit number from the commit number file which
Modified: trunk/policycoreutils/semodule/semodule.c
===================================================================
--- trunk/policycoreutils/semodule/semodule.c	2007-09-18 19:46:46 UTC (rev 2569)
+++ trunk/policycoreutils/semodule/semodule.c	2007-09-19 18:42:25 UTC (rev 2570)
@@ -329,8 +329,8 @@
 
 	if (build) {
 		if ((result = semanage_begin_transaction(sh)) < 0) {
-			fprintf(stderr, "%s:  Could not begin transaction\n",
-				argv[0]);
+			fprintf(stderr, "%s:  Could not begin transaction:  %s\n",
+				argv[0], errno ? strerror(errno) : "");
 			goto cleanup;
 		}
 	}
@@ -343,8 +343,8 @@
 		if (mode == INSTALL_M || mode == UPGRADE_M || mode == BASE_M) {
 			if ((data_len = map_file(mode_arg, &data)) == 0) {
 				fprintf(stderr,
-					"%s:  Could not read file '%s':\n",
-					argv[0], mode_arg);
+					"%s:  Could not read file '%s': %s\n",
+					argv[0], mode_arg, errno ? strerror(errno) : "");
 				goto cleanup;
 			}
 		}
      From: <ssm...@us...> - 2007-09-18 19:46:49
      
| Revision: 2569
          http://selinux.svn.sourceforge.net/selinux/?rev=2569&view=rev
Author:   ssmalley
Date:     2007-09-18 12:46:46 -0700 (Tue, 18 Sep 2007)
Log Message:
-----------
updated checkpolicy to version 2.0.4
Modified Paths:
--------------
    trunk/checkpolicy/ChangeLog
    trunk/checkpolicy/VERSION
Modified: trunk/checkpolicy/ChangeLog
===================================================================
--- trunk/checkpolicy/ChangeLog	2007-09-18 19:45:14 UTC (rev 2568)
+++ trunk/checkpolicy/ChangeLog	2007-09-18 19:46:46 UTC (rev 2569)
@@ -1,3 +1,8 @@
+2.0.4 2007-09-18
+	* Merged handle unknown policydb flag support from Eric Paris.
+	  Adds new command line options -U {allow, reject, deny} for selecting
+	  the flag when a base module or kernel policy is built.
+
 2.0.3 2007-05-31
 	* Merged fix for segfault on duplicate require of sensitivity from Caleb Case.
 	* Merged fix for dead URLs in checkpolicy man pages from Dan Walsh.
Modified: trunk/checkpolicy/VERSION
===================================================================
--- trunk/checkpolicy/VERSION	2007-09-18 19:45:14 UTC (rev 2568)
+++ trunk/checkpolicy/VERSION	2007-09-18 19:46:46 UTC (rev 2569)
@@ -1 +1 @@
-2.0.3
+2.0.4
      From: <ssm...@us...> - 2007-09-18 19:45:15
      
| Revision: 2568
          http://selinux.svn.sourceforge.net/selinux/?rev=2568&view=rev
Author:   ssmalley
Date:     2007-09-18 12:45:14 -0700 (Tue, 18 Sep 2007)
Log Message:
-----------
updated libsepol to version 2.0.10
Modified Paths:
--------------
    trunk/libsepol/ChangeLog
    trunk/libsepol/VERSION
Modified: trunk/libsepol/ChangeLog
===================================================================
--- trunk/libsepol/ChangeLog	2007-09-18 19:44:10 UTC (rev 2567)
+++ trunk/libsepol/ChangeLog	2007-09-18 19:45:14 UTC (rev 2568)
@@ -1,3 +1,6 @@
+2.0.10 2007-09-18
+	* Merged support for the handle_unknown policydb flag from Eric Paris.
+
 2.0.9 2007-08-29
 	* Moved next_entry and put_entry out-of-line to reduce code size from Ulrich Drepper.
 
Modified: trunk/libsepol/VERSION
===================================================================
--- trunk/libsepol/VERSION	2007-09-18 19:44:10 UTC (rev 2567)
+++ trunk/libsepol/VERSION	2007-09-18 19:45:14 UTC (rev 2568)
@@ -1 +1 @@
-2.0.9
+2.0.10
      From: <ssm...@us...> - 2007-09-18 19:44:15
      
| Revision: 2567
          http://selinux.svn.sourceforge.net/selinux/?rev=2567&view=rev
Author:   ssmalley
Date:     2007-09-18 12:44:10 -0700 (Tue, 18 Sep 2007)
Log Message:
-----------
Author: Eric Paris
Email: ep...@re...
Subject: checkpolicy: implement handling of unknown classes and permissions
Date: Thu, 06 Sep 2007 14:26:26 -0400
Add a new command line option, -U (allow,reject,deny), to checkmodule
and checkpolicy which sets the handle_unknown config flag.  Default to
deny unknowns which is how things have been in the past.  Also add
dismod and dispol support.
-Eric
Modified Paths:
--------------
    trunk/checkpolicy/checkmodule.c
    trunk/checkpolicy/checkpolicy.c
    trunk/checkpolicy/policy_parse.y
    trunk/checkpolicy/test/dismod.c
    trunk/checkpolicy/test/dispol.c
Modified: trunk/checkpolicy/checkmodule.c
===================================================================
--- trunk/checkpolicy/checkmodule.c	2007-09-18 19:43:38 UTC (rev 2566)
+++ trunk/checkpolicy/checkmodule.c	2007-09-18 19:44:10 UTC (rev 2567)
@@ -39,6 +39,7 @@
 static sidtab_t sidtab;
 
 extern int mlspol;
+extern int handle_unknown;
 
 static char *txtfile = "policy.conf";
 static char *binfile = "policy";
@@ -121,6 +122,7 @@
 
 	p->policy_type = policy_type;
 	p->policyvers = policyvers;
+	p->handle_unknown = handle_unknown;
 
 	pf.type = PF_USE_STDIO;
 	pf.fp = outfp;
@@ -135,13 +137,17 @@
 
 static void usage(char *progname)
 {
-	printf("usage:  %s [-V] [-b] [-m] [-M] [-o FILE] [INPUT]\n", progname);
+	printf("usage:  %s [-V] [-b] [-U handle_unknown] [-m] [-M] [-o FILE] [INPUT]\n", progname);
 	printf("Build base and policy modules.\n");
 	printf("Options:\n");
 	printf("  INPUT      build module from INPUT (else read from \"%s\")\n",
 	       txtfile);
 	printf("  -V         show policy versions created by this program\n");
 	printf("  -b         treat input as a binary policy file\n");
+	printf("  -U OPTION  How to handle unknown classes and permissions\n");
+	printf("               deny: Deny unknown kernel checks\n");
+	printf("               reject: Reject loading of policy with unknowns\n");
+	printf("               allow: Allow unknown kernel checks\n");
 	printf("  -m         build a policy module instead of a base module\n");
 	printf("  -M         enable MLS policy\n");
 	printf("  -o FILE    write module to FILE (else just check syntax)\n");
@@ -156,7 +162,7 @@
 	int show_version = 0;
 	policydb_t modpolicydb;
 
-	while ((ch = getopt(argc, argv, "ho:dbVmM")) != EOF) {
+	while ((ch = getopt(argc, argv, "ho:dbVU:mM")) != EOF) {
 		switch (ch) {
 		case 'h':
 			usage(argv[0]);
@@ -171,6 +177,20 @@
 		case 'V':
 			show_version = 1;
 			break;
+		case 'U':
+			if (!strcasecmp(optarg, "deny")) {
+				handle_unknown = DENY_UNKNOWN;
+				break;
+			}
+			if (!strcasecmp(optarg, "reject")) {
+				handle_unknown = REJECT_UNKNOWN;
+				break;
+			}
+			if (!strcasecmp(optarg, "allow")) {
+				handle_unknown = ALLOW_UNKNOWN;
+				break;
+			}
+			usage(argv[0]);
 		case 'm':
 			policy_type = POLICY_MOD;
 			policyvers = MOD_POLICYDB_VERSION_MAX;
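Review bot: An unrecognised `-U` value calls `usage(argv[0])` and then falls straight into `case 'm'`, which sets `policy_type = POLICY_MOD` and `policyvers` as a side effect; checkmodule's `usage()` above only prints in its visible part, so if it returns, `-U bogus` silently builds a policy module instead of failing. Add `exit(1);` after the `usage(argv[0]);` in the `'U'` case (checkpolicy's own `usage()` calls exit, which is why the same pattern is harmless there).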
@@ -189,6 +209,12 @@
 		exit(0);
 	}
 
+	if (handle_unknown && (policy_type != POLICY_BASE)) {
+		printf("Handling of unknown classes and permissions is only ");
+		printf("valid in the base module\n");
+		exit(1);
+	}
+
 	if (optind != argc) {
 		file = argv[optind++];
 		if (optind != argc)
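Review bot: The guard `if (handle_unknown && (policy_type != POLICY_BASE))` cannot see `-U deny` because DENY_UNKNOWN is 0 (policydb.h in the next commit), so `-U deny -m` passes silently while `-U allow -m` is rejected. Track whether the option was supplied separately, e.g. a `static int handle_unknown_set;` set in the `'U'` case and tested here as `if (handle_unknown_set && policy_type != POLICY_BASE)`. That keeps the default-deny behaviour the commit message describes without making `deny` a no-op for the check.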
@@ -214,6 +240,7 @@
 
 		modpolicydb.policy_type = policy_type;
 		modpolicydb.mls = mlspol;
+		modpolicydb.handle_unknown = handle_unknown;
 
 		if (read_source_policy(&modpolicydb, file, argv[0]) == -1) {
 			exit(1);
Modified: trunk/checkpolicy/checkpolicy.c
===================================================================
--- trunk/checkpolicy/checkpolicy.c	2007-09-18 19:43:38 UTC (rev 2566)
+++ trunk/checkpolicy/checkpolicy.c	2007-09-18 19:44:10 UTC (rev 2567)
@@ -90,6 +90,7 @@
 
 extern policydb_t *policydbp;
 extern int mlspol;
+extern int handle_unknown;
 
 static char *txtfile = "policy.conf";
 static char *binfile = "policy";
@@ -99,7 +100,7 @@
 void usage(char *progname)
 {
 	printf
-	    ("usage:  %s [-b] [-d] [-M] [-c policyvers (%d-%d)] [-o output_file] [input_file]\n",
+	    ("usage:  %s [-b] [-d] [-U handle_unknown (allow,deny,reject) [-M] [-c policyvers (%d-%d)] [-o output_file] [input_file]\n",
 	     progname, POLICYDB_VERSION_MIN, POLICYDB_VERSION_MAX);
 	exit(1);
 }
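Review bot: The new usage string is missing the closing bracket after the option list, so it prints `[-U handle_unknown (allow,deny,reject) [-M]`; it should read `[-U handle_unknown (allow,deny,reject)] [-M]`. The value order also differs from checkmodule's `{allow, reject, deny}` help text; picking one order for both tools keeps their documentation consistent.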
@@ -390,7 +391,7 @@
 	int show_version = 0;
 	struct policy_file pf;
 
-	while ((ch = getopt(argc, argv, "o:dbMVc:")) != EOF) {
+	while ((ch = getopt(argc, argv, "o:dbU:MVc:")) != EOF) {
 		switch (ch) {
 		case 'o':
 			outfile = optarg;
@@ -405,6 +406,20 @@
 		case 'V':
 			show_version = 1;
 			break;
+		case 'U':
+			if (!strcasecmp(optarg, "deny")) {
+				handle_unknown = DENY_UNKNOWN;
+				break;
+			}
+			if (!strcasecmp(optarg, "allow")) {
+				handle_unknown = ALLOW_UNKNOWN;
+				break;
+			}
+			if (!strcasecmp(optarg, "reject")) {
+				handle_unknown = REJECT_UNKNOWN;
+				break;
+			}
+			usage(argv[0]);
 		case 'M':
 			mlspol = 1;
 			break;
@@ -515,6 +530,7 @@
 
 		/* Let sepol know if we are dealing with MLS support */
 		parse_policy.mls = mlspol;
+		parse_policy.handle_unknown = handle_unknown;
 
 		policydbp = &parse_policy;
 
Modified: trunk/checkpolicy/policy_parse.y
===================================================================
--- trunk/checkpolicy/policy_parse.y	2007-09-18 19:43:38 UTC (rev 2566)
+++ trunk/checkpolicy/policy_parse.y	2007-09-18 19:44:10 UTC (rev 2567)
@@ -67,6 +67,7 @@
 static unsigned int pass;
 char *curfile = 0;
 int mlspol = 0;
+int handle_unknown = 0;
 
 extern unsigned long policydb_lineno;
 extern unsigned long source_lineno;
Modified: trunk/checkpolicy/test/dismod.c
===================================================================
--- trunk/checkpolicy/test/dismod.c	2007-09-18 19:43:38 UTC (rev 2566)
+++ trunk/checkpolicy/test/dismod.c	2007-09-18 19:44:10 UTC (rev 2567)
@@ -665,6 +665,17 @@
 	return 0;
 }
 
+int display_handle_unknown(policydb_t * policydb, FILE * out_fp)
+{
+	if (policydb->handle_unknown == ALLOW_UNKNOWN)
+		fprintf(out_fp, "Allow unknown classes and perms\n");
+	else if (policydb->handle_unknown == DENY_UNKNOWN)
+		fprintf(out_fp, "Deny unknown classes and perms\n");
+	else if (policydb->handle_unknown == REJECT_UNKNOWN)
+		fprintf(out_fp, "Reject unknown classes and perms\n");
+	return 0;
+}
+
 static int read_policy(char *filename, policydb_t * policy)
 {
 	FILE *in_fp;
@@ -771,6 +782,7 @@
 	printf("a)  Display avrule requirements\n");
 	printf("b)  Display avrule declarations\n");
 	printf("l)  Link in a module\n");
+	printf("u)  Display the unknown handling setting\n");
 	printf("\n");
 	printf("f)  set output file\n");
 	printf("m)  display menu\n");
@@ -879,6 +891,10 @@
 			fprintf(out_fp, "avrule block declarations:\n");
 			display_avblock(6, 0, &policydb, out_fp);
 			break;
+		case 'u':
+		case 'U':
+			display_handle_unknown(&policydb, out_fp);
+			break;
 		case 'f':
 			printf
 			    ("\nFilename for output (<CR> for screen output): ");
Modified: trunk/checkpolicy/test/dispol.c
===================================================================
--- trunk/checkpolicy/test/dispol.c	2007-09-18 19:43:38 UTC (rev 2566)
+++ trunk/checkpolicy/test/dispol.c	2007-09-18 19:44:10 UTC (rev 2567)
@@ -273,6 +273,17 @@
 	return 1;
 }
 
+int display_handle_unknown(policydb_t * policydb, FILE * out_fp)
+{
+	if (policydb->handle_unknown == ALLOW_UNKNOWN)
+		fprintf(out_fp, "Allow unknown classes and permisions\n");
+	else if (policydb->handle_unknown == DENY_UNKNOWN)
+		fprintf(out_fp, "Deny unknown classes and permisions\n");
+	else if (policydb->handle_unknown == REJECT_UNKNOWN)
+		fprintf(out_fp, "Reject unknown classes and permisions\n");
+	return 0;
+}
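Review bot: The three output strings spell `permisions` with one s; they should read `... unknown classes and permissions` to match dismod's wording. The if/else chain also prints nothing for any other value (for example both REJECT_UNKNOWN and ALLOW_UNKNOWN bits set in a malformed policy), so add a final `else fprintf(out_fp, "Unknown handle_unknown value 0x%x\n", policydb->handle_unknown);` so a bad flag is visible rather than silently blank.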
+
 int change_bool(char *name, int state, policydb_t * p, FILE * fp)
 {
 	cond_bool_datum_t *bool;
@@ -298,6 +309,7 @@
 	printf("6)  display conditional expressions\n");
 	printf("7)  change a boolean value\n");
 	printf("\n");
+	printf("u)  display unknown handling setting\n");
 	printf("f)  set output file\n");
 	printf("m)  display menu\n");
 	printf("q)  quit\n");
@@ -409,6 +421,10 @@
 			change_bool(name, state, &policydb, out_fp);
 			free(name);
 			break;
+		case 'u':
+		case 'U':
+			display_handle_unknown(&policydb, out_fp);
+			break;
 		case 'f':
 			printf
 			    ("\nFilename for output (<CR> for screen output): ");
      From: <ssm...@us...> - 2007-09-18 19:43:39
      
| Revision: 2566
          http://selinux.svn.sourceforge.net/selinux/?rev=2566&view=rev
Author:   ssmalley
Date:     2007-09-18 12:43:38 -0700 (Tue, 18 Sep 2007)
Log Message:
-----------
Author: Eric Paris
Email: ep...@re...
Subject: libsepol: support the handle_unknown config flag
Date: Wed, 01 Aug 2007 11:52:28 -0400
Update the policydb definition to contain a handle_unknown flag.  Change
libsepol to copy the handle_unknown config flag from the base policy to
the final binary policy.  Also makes libsepol properly read and write
the flag when dealing with policy modules.
Signed-off-by: Eric Paris <ep...@re...>
Modified Paths:
--------------
    trunk/libsepol/include/sepol/policydb/policydb.h
    trunk/libsepol/src/expand.c
    trunk/libsepol/src/policydb.c
    trunk/libsepol/src/write.c
Modified: trunk/libsepol/include/sepol/policydb/policydb.h
===================================================================
--- trunk/libsepol/include/sepol/policydb/policydb.h	2007-09-18 19:41:20 UTC (rev 2565)
+++ trunk/libsepol/include/sepol/policydb/policydb.h	2007-09-18 19:43:38 UTC (rev 2566)
@@ -469,6 +469,8 @@
 	ebitmap_t *attr_type_map;	/* not saved in the binary policy */
 
 	unsigned policyvers;
+
+	unsigned handle_unknown;
 } policydb_t;
 
 struct sepol_policydb {
@@ -599,6 +601,13 @@
 
 #define POLICYDB_CONFIG_MLS    1
 
+/* the config flags related to unknown classes/perms are bits 2 and 3 */
+#define DENY_UNKNOWN	0x00000000
+#define REJECT_UNKNOWN	0x00000002
+#define ALLOW_UNKNOWN 	0x00000004
+
+#define POLICYDB_CONFIG_UNKNOWN_MASK	(DENY_UNKNOWN | REJECT_UNKNOWN | ALLOW_UNKNOWN)
+
 #define OBJECT_R "object_r"
 #define OBJECT_R_VAL 1
 
Modified: trunk/libsepol/src/expand.c
===================================================================
--- trunk/libsepol/src/expand.c	2007-09-18 19:41:20 UTC (rev 2565)
+++ trunk/libsepol/src/expand.c	2007-09-18 19:43:38 UTC (rev 2566)
@@ -2250,6 +2250,7 @@
 
 	/* Copy mls state from base to out */
 	out->mls = base->mls;
+	out->handle_unknown = base->handle_unknown;
 
 	if ((state.typemap =
 	     (uint32_t *) calloc(state.base->p_types.nprim,
Modified: trunk/libsepol/src/policydb.c
===================================================================
--- trunk/libsepol/src/policydb.c	2007-09-18 19:41:20 UTC (rev 2565)
+++ trunk/libsepol/src/policydb.c	2007-09-18 19:43:38 UTC (rev 2566)
@@ -3077,6 +3077,8 @@
 		p->mls = 0;
 	}
 
+	p->handle_unknown = buf[bufindex] & POLICYDB_CONFIG_UNKNOWN_MASK;
+
 	bufindex++;
 
 	info = policydb_lookup_compat(r_policyvers, policy_type);
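Review bot: `p->handle_unknown = buf[bufindex] & POLICYDB_CONFIG_UNKNOWN_MASK;` accepts 0x6 (REJECT_UNKNOWN | ALLOW_UNKNOWN), a combination the header gives no meaning to, and expand.c/write.c then copy it into the final kernel policy unchanged; the reader is where a corrupted or hand-crafted policy file should be rejected. Add a check right after the assignment, e.g. `if (p->handle_unknown == (REJECT_UNKNOWN | ALLOW_UNKNOWN)) { ERR(fp->handle, "policydb has both REJECT and ALLOW unknown bits set"); goto bad; }`, using whatever error macro and cleanup label the surrounding config checks use (they are outside the hunk). The enclosing read function starts and ends outside the hunk.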
Modified: trunk/libsepol/src/write.c
===================================================================
--- trunk/libsepol/src/write.c	2007-09-18 19:41:20 UTC (rev 2565)
+++ trunk/libsepol/src/write.c	2007-09-18 19:43:38 UTC (rev 2566)
@@ -1534,6 +1534,8 @@
 	if (p->mls)
 		config |= POLICYDB_CONFIG_MLS;
 
+	config |= (POLICYDB_CONFIG_UNKNOWN_MASK & p->handle_unknown);
+
 	/* Write the magic number and string identifiers. */
 	items = 0;
 	if (p->policy_type == POLICY_KERN) {
      From: <ssm...@us...> - 2007-09-18 19:41:22
      
| Revision: 2565
          http://selinux.svn.sourceforge.net/selinux/?rev=2565&view=rev
Author:   ssmalley
Date:     2007-09-18 12:41:20 -0700 (Tue, 18 Sep 2007)
Log Message:
-----------
updated policycoreutils to version 2.0.26
Modified Paths:
--------------
    trunk/policycoreutils/ChangeLog
    trunk/policycoreutils/VERSION
Modified: trunk/policycoreutils/ChangeLog
===================================================================
--- trunk/policycoreutils/ChangeLog	2007-09-18 19:40:38 UTC (rev 2564)
+++ trunk/policycoreutils/ChangeLog	2007-09-18 19:41:20 UTC (rev 2565)
@@ -1,3 +1,6 @@
+2.0.26 2007-09-18
+	* Fix setfiles selabel option flag setting for 64-bit from Stephen Smalley.
+
 2.0.25 2007-08-23
 	* Remove genhomedircon script (functionality is now provided
 	  within libsemanage) from Todd Miller.
Modified: trunk/policycoreutils/VERSION
===================================================================
--- trunk/policycoreutils/VERSION	2007-09-18 19:40:38 UTC (rev 2564)
+++ trunk/policycoreutils/VERSION	2007-09-18 19:41:20 UTC (rev 2565)
@@ -1 +1 @@
-2.0.25
+2.0.26
      From: <ssm...@us...> - 2007-09-18 19:40:39
      
| Revision: 2564
          http://selinux.svn.sourceforge.net/selinux/?rev=2564&view=rev
Author:   ssmalley
Date:     2007-09-18 12:40:38 -0700 (Tue, 18 Sep 2007)
Log Message:
-----------
updated libselinux to version 2.0.34
Modified Paths:
--------------
    trunk/libselinux/ChangeLog
    trunk/libselinux/VERSION
Modified: trunk/libselinux/ChangeLog
===================================================================
--- trunk/libselinux/ChangeLog	2007-09-18 19:40:06 UTC (rev 2563)
+++ trunk/libselinux/ChangeLog	2007-09-18 19:40:38 UTC (rev 2564)
@@ -1,3 +1,6 @@
+2.0.34 2007-09-18
+	* Fix selabel option flag setting for 64-bit from Stephen Smalley.
+
 2.0.33 2007-09-12
 	* Re-map a getxattr return value of 0 to a getfilecon return value of -1 with errno EOPNOTSUPP from Stephen Smalley.
 	* Fall back to the compat code for security_class_to_string and security_av_perm_to_string from Stephen Smalley.
Modified: trunk/libselinux/VERSION
===================================================================
--- trunk/libselinux/VERSION	2007-09-18 19:40:06 UTC (rev 2563)
+++ trunk/libselinux/VERSION	2007-09-18 19:40:38 UTC (rev 2564)
@@ -1 +1 @@
-2.0.33
+2.0.34
      From: <ssm...@us...> - 2007-09-18 19:40:10
      
| Revision: 2563
          http://selinux.svn.sourceforge.net/selinux/?rev=2563&view=rev
Author:   ssmalley
Date:     2007-09-18 12:40:06 -0700 (Tue, 18 Sep 2007)
Log Message:
-----------
Author: Stephen Smalley
Email: sd...@ty...
Subject: libselinux, setfiles: fix selabel option flag setting
Date: Tue, 18 Sep 2007 14:20:48 -0400
Fix selabel option flag setting to eliminate a build error on 64-bit.
Modified Paths:
--------------
    trunk/libselinux/src/matchpathcon.c
    trunk/policycoreutils/setfiles/setfiles.c
Modified: trunk/libselinux/src/matchpathcon.c
===================================================================
--- trunk/libselinux/src/matchpathcon.c	2007-09-18 14:26:11 UTC (rev 2562)
+++ trunk/libselinux/src/matchpathcon.c	2007-09-18 19:40:06 UTC (rev 2563)
@@ -119,10 +119,10 @@
 	memset(options, 0, sizeof(options));
 	i = SELABEL_OPT_BASEONLY;
 	options[i].type = i;
-	options[i].value = (char *)(flags & MATCHPATHCON_BASEONLY);
+	options[i].value = (flags & MATCHPATHCON_BASEONLY) ? (char*)1 : NULL;
 	i = SELABEL_OPT_VALIDATE;
 	options[i].type = i;
-	options[i].value = (char *)(flags & MATCHPATHCON_VALIDATE);
+	options[i].value = (flags & MATCHPATHCON_VALIDATE) ? (char*)1 : NULL;
 	notrans = flags & MATCHPATHCON_NOTRANS;
 }
 
Modified: trunk/policycoreutils/setfiles/setfiles.c
===================================================================
--- trunk/policycoreutils/setfiles/setfiles.c	2007-09-18 14:26:11 UTC (rev 2562)
+++ trunk/policycoreutils/setfiles/setfiles.c	2007-09-18 19:40:06 UTC (rev 2563)
@@ -967,8 +967,8 @@
 	}
 
 	/* Load the file contexts configuration and check it. */
-	opts[0].value = (char *)ctx_validate;
-	opts[1].value = (char *)base_only;
+	opts[0].value = (ctx_validate ? (char*)1 : NULL);
+	opts[1].value = (base_only ? (char *)1 : NULL);
 	opts[2].value = altpath;
 
 	hnd = selabel_open(SELABEL_CTX_FILE, opts, 3);
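Review bot: The two new assignments spell the same cast two ways, `(char*)1` on the ctx_validate line and `(char *)1` on the base_only line, and the parentheses around each conditional are redundant. Unify them as `opts[0].value = ctx_validate ? (char *)1 : NULL;` and `opts[1].value = base_only ? (char *)1 : NULL;` so a later grep for the flag idiom finds both. A short comment that selabel_open reads these two as booleans, never as strings, would help since `altpath` on the very next line is a real string. The enclosing function starts and ends outside this hunk.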
      From: <mad...@us...> - 2007-09-18 14:26:14
      
| Revision: 2562
          http://selinux.svn.sourceforge.net/selinux/?rev=2562&view=rev
Author:   madmethod
Date:     2007-09-18 07:26:11 -0700 (Tue, 18 Sep 2007)
Log Message:
-----------
This patchset removes module support from libsepol.  This
patchset is in support of the policyrep work.
Patch one removes the files that are solely for supporting modular
policies. 
Patch two eliminates the various structures that supported modular
policies. All functional changes occur in this patch.
Patch three puts dispol in libsepol's utils directory.
Dispol was not modified in this move.
-mdg
Signed-off-by: Joshua Brindle <jbr...@tr...>
Modified Paths:
--------------
    branches/policyrep/libsepol/include/sepol/policydb/avrule_block.h
    branches/policyrep/libsepol/include/sepol/policydb/conditional.h
    branches/policyrep/libsepol/include/sepol/policydb/constraint.h
    branches/policyrep/libsepol/include/sepol/policydb/flask_types.h
    branches/policyrep/libsepol/include/sepol/policydb/policydb.h
    branches/policyrep/libsepol/include/sepol/policydb.h
    branches/policyrep/libsepol/include/sepol/users.h
    branches/policyrep/libsepol/src/assertion.c
    branches/policyrep/libsepol/src/avrule_block.c
    branches/policyrep/libsepol/src/conditional.c
    branches/policyrep/libsepol/src/constraint.c
    branches/policyrep/libsepol/src/genusers.c
    branches/policyrep/libsepol/src/hierarchy.c
    branches/policyrep/libsepol/src/libsepol.map
    branches/policyrep/libsepol/src/policydb.c
    branches/policyrep/libsepol/src/policydb_public.c
    branches/policyrep/libsepol/src/private.h
    branches/policyrep/libsepol/src/services.c
    branches/policyrep/libsepol/src/users.c
    branches/policyrep/libsepol/src/write.c
    branches/policyrep/libsepol/utils/Makefile
Added Paths:
-----------
    branches/policyrep/libsepol/utils/dispol.c
Removed Paths:
-------------
    branches/policyrep/libsepol/include/sepol/module.h
    branches/policyrep/libsepol/include/sepol/policydb/expand.h
    branches/policyrep/libsepol/include/sepol/policydb/link.h
    branches/policyrep/libsepol/include/sepol/policydb/module.h
    branches/policyrep/libsepol/src/expand.c
    branches/policyrep/libsepol/src/link.c
    branches/policyrep/libsepol/src/module.c
Deleted: branches/policyrep/libsepol/include/sepol/module.h
===================================================================
--- branches/policyrep/libsepol/include/sepol/module.h	2007-09-12 15:50:45 UTC (rev 2561)
+++ branches/policyrep/libsepol/include/sepol/module.h	2007-09-18 14:26:11 UTC (rev 2562)
@@ -1,82 +0,0 @@
-#ifndef _SEPOL_MODULE_H_
-#define _SEPOL_MODULE_H_
-
-#include <stddef.h>
-#include <stdio.h>
-#include <stdint.h>
-
-#include <sepol/handle.h>
-#include <sepol/policydb.h>
-
-struct sepol_module_package;
-typedef struct sepol_module_package sepol_module_package_t;
-
-/* Module package public interfaces. */
-
-extern int sepol_module_package_create(sepol_module_package_t ** p);
-
-extern void sepol_module_package_free(sepol_module_package_t * p);
-
-extern char *sepol_module_package_get_file_contexts(sepol_module_package_t * p);
-
-extern size_t sepol_module_package_get_file_contexts_len(sepol_module_package_t
-							 * p);
-
-extern int sepol_module_package_set_file_contexts(sepol_module_package_t * p,
-						  char *data, size_t len);
-
-extern char *sepol_module_package_get_seusers(sepol_module_package_t * p);
-
-extern size_t sepol_module_package_get_seusers_len(sepol_module_package_t * p);
-
-extern int sepol_module_package_set_seusers(sepol_module_package_t * p,
-					    char *data, size_t len);
-
-extern char *sepol_module_package_get_user_extra(sepol_module_package_t * p);
-
-extern size_t sepol_module_package_get_user_extra_len(sepol_module_package_t *
-						      p);
-
-extern int sepol_module_package_set_user_extra(sepol_module_package_t * p,
-					       char *data, size_t len);
-
-extern char *sepol_module_package_get_netfilter_contexts(sepol_module_package_t
-							 * p);
-
-extern size_t
-sepol_module_package_get_netfilter_contexts_len(sepol_module_package_t * p);
-
-extern int sepol_module_package_set_netfilter_contexts(sepol_module_package_t *
-						       p, char *data,
-						       size_t len);
-
-extern sepol_policydb_t *sepol_module_package_get_policy(sepol_module_package_t
-							 * p);
-
-extern int sepol_link_packages(sepol_handle_t * handle,
-			       sepol_module_package_t * base,
-			       sepol_module_package_t ** modules,
-			       int num_modules, int verbose);
-
-extern int sepol_module_package_read(sepol_module_package_t * mod,
-				     struct sepol_policy_file *file,
-				     int verbose);
-
-extern int sepol_module_package_info(struct sepol_policy_file *file,
-				     int *type, char **name, char **version);
-
-extern int sepol_module_package_write(sepol_module_package_t * p,
-				      struct sepol_policy_file *file);
-
-/* Module linking/expanding public interfaces. */
-
-extern int sepol_link_modules(sepol_handle_t * handle,
-			      sepol_policydb_t * base,
-			      sepol_policydb_t ** modules,
-			      size_t len, int verbose);
-
-extern int sepol_expand_module(sepol_handle_t * handle,
-			       sepol_policydb_t * base,
-			       sepol_policydb_t * out, int verbose, int check);
-
-#endif
Modified: branches/policyrep/libsepol/include/sepol/policydb/avrule_block.h
===================================================================
--- branches/policyrep/libsepol/include/sepol/policydb/avrule_block.h	2007-09-12 15:50:45 UTC (rev 2561)
+++ branches/policyrep/libsepol/include/sepol/policydb/avrule_block.h	2007-09-18 14:26:11 UTC (rev 2562)
@@ -22,16 +22,6 @@
 
 #include <sepol/policydb/policydb.h>
 
-extern avrule_block_t *avrule_block_create(void);
-extern void avrule_block_destroy(avrule_block_t * x);
-extern avrule_decl_t *avrule_decl_create(uint32_t decl_id);
-extern void avrule_decl_destroy(avrule_decl_t * x);
-extern void avrule_block_list_destroy(avrule_block_t * x);
-extern avrule_decl_t *get_avrule_decl(policydb_t * p, uint32_t decl_id);
-extern cond_list_t *get_decl_cond_list(policydb_t * p,
-				       avrule_decl_t * decl,
-				       cond_list_t * cond);
-extern int is_id_enabled(char *id, policydb_t * p, int symbol_table);
 extern int is_perm_enabled(char *class_id, char *perm_id, policydb_t * p);
 
 #endif
Modified: branches/policyrep/libsepol/include/sepol/policydb/conditional.h
===================================================================
--- branches/policyrep/libsepol/include/sepol/policydb/conditional.h	2007-09-12 15:50:45 UTC (rev 2561)
+++ branches/policyrep/libsepol/include/sepol/policydb/conditional.h	2007-09-18 14:26:11 UTC (rev 2562)
@@ -77,9 +77,6 @@
 	/* these true/false lists point into te_avtab when that is used */
 	cond_av_list_t *true_list;
 	cond_av_list_t *false_list;
-	/* and these are using during parsing and for modules */
-	avrule_t *avtrue_list;
-	avrule_t *avfalse_list;
 	/* these fields are not written to binary policy */
 	unsigned int nbools;
 	uint32_t bool_ids[COND_MAX_BOOLS];
@@ -112,6 +109,9 @@
 
 extern void cond_av_list_destroy(cond_av_list_t * list);
 
+extern int expand_cond_av_list(policydb_t *p, cond_av_list_t *l,
+		cond_av_list_t ** newl, avtab_t * expa);
+
 extern void cond_optimize_lists(cond_list_t * cl);
 
 extern int cond_policydb_init(policydb_t * p);
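Review bot: The `expand_cond_av_list` prototype added here is the one that lived in the expand.h this commit deletes, but its continuation line is tab-indented instead of aligned under the opening parenthesis like the other prototypes in this header, and it writes `policydb_t *p` where the file writes `policydb_t * p`. Match the surrounding style and give it the one-line comment the header's other exports carry, stating what `newl` and `expa` receive; the implementation is not in this diff, so that text should be checked against conditional.c. It is also worth confirming that this belongs in the public conditional.h rather than an internal header now that expand.h is gone.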
Modified: branches/policyrep/libsepol/include/sepol/policydb/constraint.h
===================================================================
--- branches/policyrep/libsepol/include/sepol/policydb/constraint.h	2007-09-12 15:50:45 UTC (rev 2561)
+++ branches/policyrep/libsepol/include/sepol/policydb/constraint.h	2007-09-18 14:26:11 UTC (rev 2562)
@@ -56,7 +56,7 @@
 	uint32_t op;		/* operator */
 
 	ebitmap_t names;	/* names */
-	struct type_set *type_names;
+	ebitmap_t *type_names;
 
 	struct constraint_expr *next;	/* next expression */
 } constraint_expr_t;
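Review bot: The new `ebitmap_t *type_names` field has no comment while its neighbour `names` does, and changing it from `struct type_set *` to `ebitmap_t *` changes what the allocating and destroying code must do; constraint.c is in the modified list, so that is presumably handled, but the header should say what the field holds and when it is used instead of `names`. Add something like `/* type names as a plain type bitmap; NULL when unused */` if that is what the constraint.c changes establish. The enclosing struct starts before this hunk.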
Deleted: branches/policyrep/libsepol/include/sepol/policydb/expand.h
===================================================================
--- branches/policyrep/libsepol/include/sepol/policydb/expand.h	2007-09-12 15:50:45 UTC (rev 2561)
+++ branches/policyrep/libsepol/include/sepol/policydb/expand.h	2007-09-18 14:26:11 UTC (rev 2562)
@@ -1,78 +0,0 @@
-/* Authors: Jason Tang <jt...@tr...>
- *	    Joshua Brindle <jbr...@tr...>
- *          Karl MacMillan <kma...@tr...>
- *
- * A set of utility functions that aid policy decision when dealing
- * with hierarchal items.
- *
- * Copyright (C) 2005 Tresys Technology, LLC
- *
- *  This library is free software; you can redistribute it and/or
- *  modify it under the terms of the GNU Lesser General Public
- *  License as published by the Free Software Foundation; either
- *  version 2.1 of the License, or (at your option) any later version.
- *
- *  This library is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
- *  Lesser General Public License for more details.
- *
- *  You should have received a copy of the GNU Lesser General Public
- *  License along with this library; if not, write to the Free Software
- *  Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
- */
-
-#ifndef _SEPOL_POLICYDB_EXPAND_H
-#define _SEPOL_POLICYDB_EXPAND_H
-
-#include <stddef.h>
-#include <sepol/handle.h>
-#include <sepol/policydb/conditional.h>
-
-/*
- * Expand only the avrules for a module. It is valid for this function
- * to expand base into itself (i.e.  base == out); the typemap for
- * this special case should map type[i] to i+1.  Likewise the boolmap
- * should map bool[i] to i + 1.  This function optionally expands
- * neverallow rules. If neverallow rules are expanded, there is no
- * need to copy them and doing so could cause duplicate entries when
- * base == out.  If the neverallow rules are not expanded, they are
- * just copied to the destination policy so that assertion checking
- * can be performed after expand.  No assertion or hierarchy checking
- * is performed by this function.
- */
-extern int expand_module_avrules(sepol_handle_t * handle, policydb_t * base,
-				 policydb_t * out, uint32_t * typemap, uint32_t * boolmap,
-				 int verbose, int expand_neverallow);
-/*
- * Expand all parts of a module. Neverallow rules are not expanded (only
- * copied). It is not valid to expand base into itself. If check is non-zero,
- * performs hierarchy and assertion checking.
- */
-extern int expand_module(sepol_handle_t * handle,
-			 policydb_t * base, policydb_t * out,
-			 int verbose, int check);
-extern int convert_type_ebitmap(ebitmap_t * src, ebitmap_t * dst,
-				uint32_t * typemap);
-extern int expand_convert_type_set(policydb_t * p, uint32_t * typemap,
-				   type_set_t * set, ebitmap_t * types,
-				   unsigned char alwaysexpand);
-extern int type_set_expand(type_set_t * set, ebitmap_t * t, policydb_t * p,
-			   unsigned char alwaysexpand);
-extern int role_set_expand(role_set_t * x, ebitmap_t * r, policydb_t * p);
-extern int mls_semantic_level_expand(mls_semantic_level_t *sl, mls_level_t *l,
-                                     policydb_t *p, sepol_handle_t *h);
-extern int mls_semantic_range_expand(mls_semantic_range_t *sr, mls_range_t *r,
-                                     policydb_t *p, sepol_handle_t *h);
-extern int expand_rule(sepol_handle_t * handle,
-		       policydb_t * source_pol,
-		       avrule_t * source_rule, avtab_t * dest_avtab,
-		       cond_av_list_t ** cond, cond_av_list_t ** other,
-		       int enabled);
-
-extern int expand_avtab(policydb_t * p, avtab_t * a, avtab_t * expa);
-
-extern int expand_cond_av_list(policydb_t * p, cond_av_list_t * l,
-			       cond_av_list_t ** newl, avtab_t * expa);
-
-#endif
Modified: branches/policyrep/libsepol/include/sepol/policydb/flask_types.h
===================================================================
--- branches/policyrep/libsepol/include/sepol/policydb/flask_types.h	2007-09-12 15:50:45 UTC (rev 2561)
+++ branches/policyrep/libsepol/include/sepol/policydb/flask_types.h	2007-09-18 14:26:11 UTC (rev 2562)
@@ -46,7 +46,6 @@
 #define SEPOL_SECCLASS_NULL			0x0000	/* no class */
 
 #define SELINUX_MAGIC 0xf97cff8c
-#define SELINUX_MOD_MAGIC 0xf97cff8d
 
 typedef uint32_t sepol_security_id_t;
 #define SEPOL_SECSID_NULL 0
Deleted: branches/policyrep/libsepol/include/sepol/policydb/link.h
===================================================================
--- branches/policyrep/libsepol/include/sepol/policydb/link.h	2007-09-12 15:50:45 UTC (rev 2561)
+++ branches/policyrep/libsepol/include/sepol/policydb/link.h	2007-09-18 14:26:11 UTC (rev 2562)
@@ -1,20 +0,0 @@
-/* Authors: Jason Tang <jt...@tr...>
- *	    Joshua Brindle <jbr...@tr...>
- *          Karl MacMillan <kma...@me...>
- */
-
-#ifndef _SEPOL_POLICYDB_LINK_H
-#define _SEPOL_POLICYDB_LINK_H
-
-#include <sepol/handle.h>
-#include <sepol/errcodes.h>
-#include <sepol/policydb/policydb.h>
-
-
-#include <stddef.h>
-
-extern int link_modules(sepol_handle_t * handle,
-			policydb_t * b, policydb_t ** mods, int len,
-			int verbose);
-
-#endif
Deleted: branches/policyrep/libsepol/include/sepol/policydb/module.h
===================================================================
--- branches/policyrep/libsepol/include/sepol/policydb/module.h	2007-09-12 15:50:45 UTC (rev 2561)
+++ branches/policyrep/libsepol/include/sepol/policydb/module.h	2007-09-18 14:26:11 UTC (rev 2562)
@@ -1,48 +0,0 @@
-/* Author: Karl MacMillan <kma...@tr...>
- *
- * Copyright (C) 2004-2005 Tresys Technology, LLC
- *
- *  This library is free software; you can redistribute it and/or
- *  modify it under the terms of the GNU Lesser General Public
- *  License as published by the Free Software Foundation; either
- *  version 2.1 of the License, or (at your option) any later version.
- *
- *  This library is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
- *  Lesser General Public License for more details.
- *
- *  You should have received a copy of the GNU Lesser General Public
- *  License along with this library; if not, write to the Free Software
- *  Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
- */
-
-#ifndef _SEPOL_POLICYDB_MODULE_H_
-#define _SEPOL_POLICYDB_MODULE_H_
-
-#include <stdlib.h>
-#include <stddef.h>
-
-#include <sepol/module.h>
-
-#include <sepol/policydb/policydb.h>
-#include <sepol/policydb/conditional.h>
-
-#define SEPOL_MODULE_PACKAGE_MAGIC 0xf97cff8f
-
-struct sepol_module_package {
-	sepol_policydb_t *policy;
-	uint32_t version;
-	char *file_contexts;
-	size_t file_contexts_len;
-	char *seusers;
-	size_t seusers_len;
-	char *user_extra;
-	size_t user_extra_len;
-	char *netfilter_contexts;
-	size_t netfilter_contexts_len;
-};
-
-extern int sepol_module_package_init(sepol_module_package_t * p);
-
-#endif
Modified: branches/policyrep/libsepol/include/sepol/policydb/policydb.h
===================================================================
--- branches/policyrep/libsepol/include/sepol/policydb/policydb.h	2007-09-12 15:50:45 UTC (rev 2561)
+++ branches/policyrep/libsepol/include/sepol/policydb/policydb.h	2007-09-18 14:26:11 UTC (rev 2562)
@@ -76,21 +76,7 @@
  * users, roles, types, sensitivities, categories, etc.
  */
 
-/* type set preserves data needed by modules such as *, ~ and attributes */
-typedef struct type_set {
-	ebitmap_t types;
-	ebitmap_t negset;
-#define TYPE_STAR 1
-#define TYPE_COMP 2
-	uint32_t flags;
-} type_set_t;
 
-typedef struct role_set {
-	ebitmap_t roles;
-#define ROLE_STAR 1
-#define ROLE_COMP 2
-	uint32_t flags;
-} role_set_t;
 
 /* Permission attributes */
 typedef struct perm_datum {
@@ -117,7 +103,7 @@
 typedef struct role_datum {
 	symtab_datum_t s;
 	ebitmap_t dominates;	/* set of roles dominated by this role */
-	type_set_t types;	/* set of authorized types for role */
+	ebitmap_t types;	/* set of authorized types for role */
 	ebitmap_t cache;	/* This is an expanded set used for context validation during parsing */
 } role_datum_t;
 
@@ -148,7 +134,7 @@
 /* User attributes */
 typedef struct user_datum {
 	symtab_datum_t s;
-	role_set_t roles;	/* set of authorized roles for user */
+	ebitmap_t roles;  /* set of authorized roles for user */
 	mls_semantic_range_t range;	/* MLS range (min. - max.) for user */
 	mls_semantic_level_t dfltlevel;	/* default login MLS level for user */
 	ebitmap_t cache;	/* This is an expanded set used for context validation during parsing */
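Review bot: The rewritten `ebitmap_t roles;  /* set of authorized roles for user */` separates the field from its comment with two spaces, while every other field in this struct, and the parallel `role_datum.types` change in this file, uses a tab before the comment. Use a tab here so the struct stays aligned. The enclosing struct starts before this hunk.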
@@ -188,57 +174,6 @@
 typedef struct cond_node cond_list_t;
 struct cond_av_list;
 
-typedef struct class_perm_node {
-	uint32_t class;
-	uint32_t data;		/* permissions or new type */
-	struct class_perm_node *next;
-} class_perm_node_t;
-
-typedef struct avrule {
-/* these typedefs are almost exactly the same as those in avtab.h - they are
- * here because of the need to include neverallow and dontaudit messages */
-#define AVRULE_ALLOWED     1
-#define AVRULE_AUDITALLOW  2
-#define AVRULE_AUDITDENY   4
-#define AVRULE_DONTAUDIT   8
-#define AVRULE_NEVERALLOW 128
-#define AVRULE_AV         (AVRULE_ALLOWED | AVRULE_AUDITALLOW | AVRULE_AUDITDENY | AVRULE_DONTAUDIT | AVRULE_NEVERALLOW)
-#define AVRULE_TRANSITION 16
-#define AVRULE_MEMBER     32
-#define AVRULE_CHANGE     64
-#define AVRULE_TYPE       (AVRULE_TRANSITION | AVRULE_MEMBER | AVRULE_CHANGE)
-	uint32_t specified;
-#define RULE_SELF 1
-	uint32_t flags;
-	type_set_t stypes;
-	type_set_t ttypes;
-	class_perm_node_t *perms;
-	unsigned long line;	/* line number from policy.conf where
-				 * this rule originated  */
-	struct avrule *next;
-} avrule_t;
-
-typedef struct role_trans_rule {
-	role_set_t roles;	/* current role */
-	type_set_t types;	/* program executable type */
-	uint32_t new_role;	/* new role */
-	struct role_trans_rule *next;
-} role_trans_rule_t;
-
-typedef struct role_allow_rule {
-	role_set_t roles;	/* current role */
-	role_set_t new_roles;	/* new roles */
-	struct role_allow_rule *next;
-} role_allow_rule_t;
-
-typedef struct range_trans_rule {
-	type_set_t stypes;
-	type_set_t ttypes;
-	ebitmap_t tclasses;
-	mls_semantic_range_t trange;
-	struct range_trans_rule *next;
-} range_trans_rule_t;
-
 /*
  * The configuration data includes security contexts for 
  * initial SIDs, unlabeled file systems, TCP and UDP port numbers, 
@@ -301,92 +236,12 @@
 
 /* section: module information */
 
-/* scope_index_t holds all of the symbols that are in scope in a
- * particular situation.  The bitmaps are indices (and thus must
- * subtract one) into the global policydb->scope array. */
-typedef struct scope_index {
-	ebitmap_t scope[SYM_NUM];
-#define p_classes_scope scope[SYM_CLASSES]
-#define p_roles_scope scope[SYM_ROLES]
-#define p_types_scope scope[SYM_TYPES]
-#define p_users_scope scope[SYM_USERS]
-#define p_bools_scope scope[SYM_BOOLS]
-#define p_sens_scope scope[SYM_LEVELS]
-#define p_cat_scope scope[SYM_CATS]
 
-	/* this array maps from class->value to the permissions within
-	 * scope.  if bit (perm->value - 1) is set in map
-	 * class_perms_map[class->value - 1] then that permission is
-	 * enabled for this class within this decl.  */
-	ebitmap_t *class_perms_map;
-	/* total number of classes in class_perms_map array */
-	uint32_t class_perms_len;
-} scope_index_t;
 
-/* a list of declarations for a particular avrule_decl */
 
-/* These two structs declare a block of policy that has TE and RBAC
- * statements and declarations.  The root block (the global policy)
- * can never have an ELSE branch. */
-typedef struct avrule_decl {
-	uint32_t decl_id;
-	uint32_t enabled;	/* whether this block is enabled */
 
-	cond_list_t *cond_list;
-	avrule_t *avrules;
-	role_trans_rule_t *role_tr_rules;
-	role_allow_rule_t *role_allow_rules;
-	range_trans_rule_t *range_tr_rules;
-	scope_index_t required;	/* symbols needed to activate this block */
-	scope_index_t declared;	/* symbols declared within this block */
-
-	/* for additive statements (type attribute, roles, and users) */
-	symtab_t symtab[SYM_NUM];
-
-	/* In a linked module this will contain the name of the module
-	 * from which this avrule_decl originated. */
-	char *module_name;
-
-	struct avrule_decl *next;
-} avrule_decl_t;
-
-typedef struct avrule_block {
-	avrule_decl_t *branch_list;
-	avrule_decl_t *enabled;	/* pointer to which branch is enabled.  this is
-				   used in linking and never written to disk */
-#define AVRULE_OPTIONAL 1
-	uint32_t flags;		/* any flags for this block, currently just optional */
-	struct avrule_block *next;
-} avrule_block_t;
-
-/* Every identifier has its own scope datum.  The datum describes if
- * the item is to be included into the final policy during
- * expansion. */
-typedef struct scope_datum {
-/* Required for this decl */
-#define SCOPE_REQ  1
-/* Declared in this decl */
-#define SCOPE_DECL 2
-	uint32_t scope;
-	uint32_t *decl_ids;
-	uint32_t decl_ids_len;
-	/* decl_ids is a list of avrule_decl's that declare/require
-	 * this symbol.  If scope==SCOPE_DECL then this is a list of
-	 * declarations.  If the symbol may only be declared once
-	 * (types, bools) then decl_ids_len will be exactly 1.  For
-	 * implicitly declared things (roles, users) then decl_ids_len
-	 * will be at least 1. */
-} scope_datum_t;
-
 /* The policy database */
 typedef struct policydb {
-#define POLICY_KERN SEPOL_POLICY_KERN
-#define POLICY_BASE SEPOL_POLICY_BASE
-#define POLICY_MOD SEPOL_POLICY_MOD
-	uint32_t policy_type;
-	char *name;
-	char *version;
-
 	/* Set when the policydb is modified such that writing is unsupported */
 	int unsupported_format;
 
@@ -421,19 +276,6 @@
 	user_datum_t **user_val_to_struct;
 	type_datum_t **type_val_to_struct;
 
-	/* module stuff section -- used in parsing and for modules */
-
-	/* keep track of the scope for every identifier.  these are
-	 * hash tables, where the key is the identifier name and value
-	 * a scope_datum_t.  as a convenience, one may use the
-	 * p_*_macros (cf. struct scope_index_t declaration). */
-	symtab_t scope[SYM_NUM];
-
-	/* module rule storage */
-	avrule_block_t *global;
-	/* avrule_decl index used for link/expand */
-	avrule_decl_t **decl_val_to_struct;
-
 	/* compiled storage of rules - use for the kernel policy */
 
 	/* type enforcement access vectors and transitions */
@@ -502,32 +344,12 @@
 				    const context_struct_t * c);
 
 extern void symtabs_destroy(symtab_t * symtab);
-extern int scope_destroy(hashtab_key_t key, hashtab_datum_t datum, void *p);
 typedef void (*hashtab_destroy_func_t) (hashtab_key_t k, hashtab_datum_t d,
 					void *args);
 extern hashtab_destroy_func_t get_symtab_destroy_func(int sym_num);
 
-extern void class_perm_node_init(class_perm_node_t * x);
-extern void type_set_init(type_set_t * x);
-extern void type_set_destroy(type_set_t * x);
-extern int type_set_cpy(type_set_t * dst, type_set_t * src);
-extern int type_set_or_eq(type_set_t * dst, type_set_t * other);
-extern void role_set_init(role_set_t * x);
-extern void role_set_destroy(role_set_t * x);
-extern void avrule_init(avrule_t * x);
-extern void avrule_destroy(avrule_t * x);
-extern void avrule_list_destroy(avrule_t * x);
-extern void role_trans_rule_init(role_trans_rule_t * x);
-extern void role_trans_rule_list_destroy(role_trans_rule_t * x);
-
 extern void role_datum_init(role_datum_t * x);
 extern void role_datum_destroy(role_datum_t * x);
-extern void role_allow_rule_init(role_allow_rule_t * x);
-extern void role_allow_rule_destroy(role_allow_rule_t * x);
-extern void role_allow_rule_list_destroy(role_allow_rule_t * x);
-extern void range_trans_rule_init(range_trans_rule_t *x);
-extern void range_trans_rule_destroy(range_trans_rule_t *x);
-extern void range_trans_rule_list_destroy(range_trans_rule_t *x);
 extern void type_datum_init(type_datum_t * x);
 extern void type_datum_destroy(type_datum_t * x);
 extern void user_datum_init(user_datum_t * x);
@@ -537,12 +359,8 @@
 extern void cat_datum_init(cat_datum_t * x);
 extern void cat_datum_destroy(cat_datum_t * x);
 
-extern int check_assertions(sepol_handle_t * handle,
-			    policydb_t * p, avrule_t * avrules);
-
 extern int symtab_insert(policydb_t * x, uint32_t sym,
 			 hashtab_key_t key, hashtab_datum_t datum,
-			 uint32_t scope, uint32_t avrule_decl_id,
 			 uint32_t * value);
 
 /* A policy "file" may be a memory region referenced by a (data, len) pair
@@ -566,11 +384,11 @@
 
 extern int policydb_read(policydb_t * p, struct policy_file *fp,
 			 unsigned int verbose);
-extern int avrule_read_list(policydb_t * p, avrule_t ** avrules,
-			    struct policy_file *fp);
 
 extern int policydb_write(struct policydb *p, struct policy_file *pf);
 
+extern int expand_avtab(policydb_t *p, avtab_t *a, avtab_t *expa);
+
 #define PERM_SYMTAB_SIZE 32
 
 /* Identify specific policy version changes */
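Review bot: `expand_avtab` is promoted into policydb.h here, but the only caller visible in this commit, check_assertions in assertion.c, is deleted by the same commit, so it is worth confirming it still has a user (presumably the policyrep front-end) before exporting it from a public header. If it stays, give it the `policydb_t * p` spacing of the neighbouring prototypes and a one-line comment on what `expa` receives relative to `a`; the implementation is not in this diff, so that wording should be checked against the source.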
@@ -587,16 +405,6 @@
 #define POLICYDB_VERSION_MIN	POLICYDB_VERSION_BASE
 #define POLICYDB_VERSION_MAX	POLICYDB_VERSION_RANGETRANS
 
-/* Module versions and specific changes*/
-#define MOD_POLICYDB_VERSION_BASE	   4
-#define MOD_POLICYDB_VERSION_VALIDATETRANS 5
-#define MOD_POLICYDB_VERSION_MLS	   5
-#define MOD_POLICYDB_VERSION_RANGETRANS	   6
-#define MOD_POLICYDB_VERSION_MLS_USERS	   6
-
-#define MOD_POLICYDB_VERSION_MIN MOD_POLICYDB_VERSION_BASE
-#define MOD_POLICYDB_VERSION_MAX MOD_POLICYDB_VERSION_MLS_USERS
-
 #define POLICYDB_CONFIG_MLS    1
 
 #define OBJECT_R "object_r"
@@ -604,8 +412,6 @@
 
 #define POLICYDB_MAGIC SELINUX_MAGIC
 #define POLICYDB_STRING "SE Linux"
-#define POLICYDB_MOD_MAGIC SELINUX_MOD_MAGIC
-#define POLICYDB_MOD_STRING "SE Linux Module"
 
 #endif				/* _POLICYDB_H_ */
 
Modified: branches/policyrep/libsepol/include/sepol/policydb.h
===================================================================
--- branches/policyrep/libsepol/include/sepol/policydb.h	2007-09-12 15:50:45 UTC (rev 2561)
+++ branches/policyrep/libsepol/include/sepol/policydb.h	2007-09-18 14:26:11 UTC (rev 2562)
@@ -56,11 +56,6 @@
 extern int sepol_policydb_create(sepol_policydb_t ** p);
 extern void sepol_policydb_free(sepol_policydb_t * p);
 
-/* Legal types of policies that the policydb can represent. */
-#define SEPOL_POLICY_KERN	0
-#define SEPOL_POLICY_BASE	1
-#define SEPOL_POLICY_MOD	2
-
 /*
  * Range of policy versions for the kernel policy type supported
  * by this library.
@@ -74,7 +69,7 @@
  * policy type.  
  * Returns -1 if the policy type is not legal.
  */
-extern int sepol_policydb_set_typevers(sepol_policydb_t * p, unsigned int type);
+extern int sepol_policydb_set_typevers(sepol_policydb_t * p);
 
 /*
  * Set the policy version to a different value.
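Review bot: The new signature of `sepol_policydb_set_typevers` has no `type` parameter, but the comment directly above it, visible as context here, still says it sets the version for a "policy type" and "Returns -1 if the policy type is not legal", which no longer describes anything the function can do. Rewrite those lines to something like `Set the policy version to the default for the kernel policy type. Returns -1 on failure.`, keeping the return convention only if policydb_public.c still returns -1 somewhere. Any caller outside the modified list that still passes a type argument will fail to compile, so the caller side should be checked too.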
Modified: branches/policyrep/libsepol/include/sepol/users.h
===================================================================
--- branches/policyrep/libsepol/include/sepol/users.h	2007-09-12 15:50:45 UTC (rev 2561)
+++ branches/policyrep/libsepol/include/sepol/users.h	2007-09-18 14:26:11 UTC (rev 2562)
@@ -23,12 +23,6 @@
 
 /*--------end compatibility----------*/
 
-/* Modify the user, or add it, if the key is not found */
-extern int sepol_user_modify(sepol_handle_t * handle,
-			     sepol_policydb_t * policydb,
-			     const sepol_user_key_t * key,
-			     const sepol_user_t * data);
-
 /* Return the number of users */
 extern int sepol_user_count(sepol_handle_t * handle,
 			    const sepol_policydb_t * p, unsigned int *response);
Modified: branches/policyrep/libsepol/src/assertion.c
===================================================================
--- branches/policyrep/libsepol/src/assertion.c	2007-09-12 15:50:45 UTC (rev 2561)
+++ branches/policyrep/libsepol/src/assertion.c	2007-09-18 14:26:11 UTC (rev 2562)
@@ -22,121 +22,6 @@
 
 #include <sepol/policydb/avtab.h>
 #include <sepol/policydb/policydb.h>
-#include <sepol/policydb/expand.h>
 #include <sepol/policydb/util.h>
 
 #include "debug.h"
-
-static int check_assertion_helper(sepol_handle_t * handle,
-				  policydb_t * p,
-				  avtab_t * te_avtab, avtab_t * te_cond_avtab,
-				  unsigned int stype, unsigned int ttype,
-				  class_perm_node_t * perm, unsigned long line)
-{
-	avtab_key_t avkey;
-	avtab_ptr_t node;
-	class_perm_node_t *curperm;
-
-	for (curperm = perm; curperm != NULL; curperm = curperm->next) {
-		avkey.source_type = stype + 1;
-		avkey.target_type = ttype + 1;
-		avkey.target_class = curperm->class;
-		avkey.specified = AVTAB_ALLOWED;
-		for (node = avtab_search_node(te_avtab, &avkey);
-		     node != NULL;
-		     node = avtab_search_node_next(node, avkey.specified)) {
-			if (node->datum.data & curperm->data)
-				goto err;
-		}
-		for (node = avtab_search_node(te_cond_avtab, &avkey);
-		     node != NULL;
-		     node = avtab_search_node_next(node, avkey.specified)) {
-			if (node->datum.data & curperm->data)
-				goto err;
-		}
-	}
-
-	return 0;
-
-      err:
-	ERR(handle, "assertion on line %lu violated by allow %s %s:%s {%s };",
-	    line, p->p_type_val_to_name[stype], p->p_type_val_to_name[ttype],
-	    p->p_class_val_to_name[curperm->class - 1],
-	    sepol_av_to_string(p, curperm->class,
-			       node->datum.data & curperm->data));
-	return -1;
-}
-
-int check_assertions(sepol_handle_t * handle, policydb_t * p,
-		     avrule_t * avrules)
-{
-	avrule_t *a;
-	avtab_t te_avtab, te_cond_avtab;
-	ebitmap_node_t *snode, *tnode;
-	unsigned int i, j;
-	int errors = 0;
-
-	if (!avrules) {
-		/* Since assertions are stored in avrules, if it is NULL
-		   there won't be any to check. This also prevents an invalid
-		   free if the avtabs are never initialized */
-		return 0;
-	}
-
-	if (avrules) {
-		if (avtab_init(&te_avtab))
-			goto oom;
-		if (avtab_init(&te_cond_avtab)) {
-			avtab_destroy(&te_avtab);
-			goto oom;
-		}
-		if (expand_avtab(p, &p->te_avtab, &te_avtab) ||
-		    expand_avtab(p, &p->te_cond_avtab, &te_cond_avtab)) {
-			avtab_destroy(&te_avtab);
-			avtab_destroy(&te_cond_avtab);
-			goto oom;
-		}
-	}
-
-	for (a = avrules; a != NULL; a = a->next) {
-		ebitmap_t *stypes = &a->stypes.types;
-		ebitmap_t *ttypes = &a->ttypes.types;
-
-		if (!(a->specified & AVRULE_NEVERALLOW))
-			continue;
-
-		ebitmap_for_each_bit(stypes, snode, i) {
-			if (!ebitmap_node_get_bit(snode, i))
-				continue;
-			if (a->flags & RULE_SELF) {
-				if (check_assertion_helper
-				    (handle, p, &te_avtab, &te_cond_avtab, i, i,
-				     a->perms, a->line))
-					errors++;
-			}
-			ebitmap_for_each_bit(ttypes, tnode, j) {
-				if (!ebitmap_node_get_bit(tnode, j))
-					continue;
-				if (check_assertion_helper
-				    (handle, p, &te_avtab, &te_cond_avtab, i, j,
-				     a->perms, a->line))
-					errors++;
-			}
-		}
-	}
-
-	if (errors) {
-		ERR(handle, "%d assertion violations occured", errors);
-		avtab_destroy(&te_avtab);
-		avtab_destroy(&te_cond_avtab);
-		return -1;
-	}
-
-	avtab_destroy(&te_avtab);
-	avtab_destroy(&te_cond_avtab);
-	return 0;
-
-      oom:
-	ERR(handle, "Out of memory - unable to check assertions");
-	return -1;
-}
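Review bot: This hunk deletes check_assertions, the only neverallow-rule enforcement in libsepol, and the policydb.h hunk in this commit drops its prototype; the commit message says module support is removed but does not say where neverallow checking now happens. If the policyrep front-end is meant to enforce assertions before a kernel policy is written, the message should say so, because a kernel policy produced through this branch otherwise loses the check that allow rules do not violate neverallow. A one-line comment at the top of the now-empty assertion.c, or deleting the file outright, would also avoid leaving a translation unit that only includes headers.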
Modified: branches/policyrep/libsepol/src/avrule_block.c
===================================================================
--- branches/policyrep/libsepol/src/avrule_block.c	2007-09-12 15:50:45 UTC (rev 2561)
+++ branches/policyrep/libsepol/src/avrule_block.c	2007-09-18 14:26:11 UTC (rev 2562)
@@ -26,176 +26,3 @@
 
 #include <assert.h>
 #include <stdlib.h>
-
-/* It is anticipated that there be less declarations within an avrule
- * block than the global policy.  Thus the symbol table sizes are
- * smaller than those listed in policydb.c */
-static unsigned int symtab_sizes[SYM_NUM] = {
-	2,
-	4,
-	8,
-	32,
-	16,
-	4,
-	2,
-	2,
-};
-
-avrule_block_t *avrule_block_create(void)
-{
-	avrule_block_t *block;
-	if ((block = calloc(1, sizeof(*block))) == NULL) {
-		return NULL;
-	}
-	return block;
-}
-
-avrule_decl_t *avrule_decl_create(uint32_t decl_id)
-{
-	avrule_decl_t *decl;
-	int i;
-	if ((decl = calloc(1, sizeof(*decl))) == NULL) {
-		return NULL;
-	}
-	decl->decl_id = decl_id;
-	for (i = 0; i < SYM_NUM; i++) {
-		if (symtab_init(&decl->symtab[i], symtab_sizes[i])) {
-			avrule_decl_destroy(decl);
-			free(decl);
-			return NULL;
-		}
-	}
-
-	for (i = 0; i < SYM_NUM; i++) {
-		ebitmap_init(&decl->required.scope[i]);
-		ebitmap_init(&decl->declared.scope[i]);
-	}
-	return decl;
-}
-
-/* note that unlike the other destroy functions, this one does /NOT/
- * destroy the pointer itself */
-static void scope_index_destroy(scope_index_t * scope)
-{
-	unsigned int i;
-	if (scope == NULL) {
-		return;
-	}
-	for (i = 0; i < SYM_NUM; i++) {
-		ebitmap_destroy(scope->scope + i);
-	}
-	for (i = 0; i < scope->class_perms_len; i++) {
-		ebitmap_destroy(scope->class_perms_map + i);
-	}
-	free(scope->class_perms_map);
-}
-
-void avrule_decl_destroy(avrule_decl_t * x)
-{
-	if (x == NULL) {
-		return;
-	}
-	cond_list_destroy(x->cond_list);
-	avrule_list_destroy(x->avrules);
-	role_trans_rule_list_destroy(x->role_tr_rules);
-	role_allow_rule_list_destroy(x->role_allow_rules);
-	range_trans_rule_list_destroy(x->range_tr_rules);
-	scope_index_destroy(&x->required);
-	scope_index_destroy(&x->declared);
-	symtabs_destroy(x->symtab);
-	free(x->module_name);
-	free(x);
-}
-
-void avrule_block_destroy(avrule_block_t * x)
-{
-	avrule_decl_t *decl;
-	if (x == NULL) {
-		return;
-	}
-	decl = x->branch_list;
-	while (decl != NULL) {
-		avrule_decl_t *next_decl = decl->next;
-		avrule_decl_destroy(decl);
-		decl = next_decl;
-	}
-	free(x);
-}
-
-void avrule_block_list_destroy(avrule_block_t * x)
-{
-	while (x != NULL) {
-		avrule_block_t *next = x->next;
-		avrule_block_destroy(x);
-		x = next;
-	}
-}
-
-/* Get a conditional node from a avrule_decl with the same expression.
- * If that expression does not exist then create one. */
-cond_list_t *get_decl_cond_list(policydb_t * p, avrule_decl_t * decl,
-				cond_list_t * cond)
-{
-	cond_list_t *result;
-	int was_created;
-	result = cond_node_find(p, cond, decl->cond_list, &was_created);
-	if (result != NULL && was_created) {
-		result->next = decl->cond_list;
-		decl->cond_list = result;
-	}
-	return result;
-}
-
-/* Look up an identifier in a policy's scoping table.  If it is there,
- * marked as SCOPE_DECL, and any of its declaring block has been enabled,
- * then return 1.  Otherwise return 0. Can only be called after the 
- * decl_val_to_struct index has been created */
-int is_id_enabled(char *id, policydb_t * p, int symbol_table)
-{
-	scope_datum_t *scope =
-	    (scope_datum_t *) hashtab_search(p->scope[symbol_table].table, id);
-	uint32_t i;
-	if (scope == NULL) {
-		return 0;
-	}
-	if (scope->scope != SCOPE_DECL) {
-		return 0;
-	}
-	for (i = 0; i < scope->decl_ids_len; i++) {
-		avrule_decl_t *decl =
-		    p->decl_val_to_struct[scope->decl_ids[i] - 1];
-		if (decl != NULL && decl->enabled) {
-			return 1;
-		}
-	}
-	return 0;
-}
-
-/* Check if a particular permission is present within the given class,
- * and that the class is enabled.  Returns 1 if both conditions are
- * true, 0 if neither could be found or if the class id disabled. */
-int is_perm_enabled(char *class_id, char *perm_id, policydb_t * p)
-{
-	class_datum_t *cladatum;
-	perm_datum_t *perm;
-	if (!is_id_enabled(class_id, p, SYM_CLASSES)) {
-		return 0;
-	}
-	cladatum =
-	    (class_datum_t *) hashtab_search(p->p_classes.table, class_id);
-	if (cladatum == NULL) {
-		return 0;
-	}
-	perm = hashtab_search(cladatum->permissions.table, perm_id);
-	if (perm == NULL && cladatum->comdatum != 0) {
-		/* permission was not in this class.  before giving
-		 * up, check the class's parent */
-		perm =
-		    hashtab_search(cladatum->comdatum->permissions.table,
-				   perm_id);
-	}
-	if (perm == NULL) {
-		return 0;
-	}
-	return 1;
-}
Modified: branches/policyrep/libsepol/src/conditional.c
===================================================================
--- branches/policyrep/libsepol/src/conditional.c	2007-09-12 15:50:45 UTC (rev 2561)
+++ branches/policyrep/libsepol/src/conditional.c	2007-09-18 14:26:11 UTC (rev 2562)
@@ -336,109 +336,6 @@
 	return 0;
 }
 
-/* precompute and simplify an expression if possible.  If left with !expression, change 
- * to expression and switch t and f. precompute expression for expressions with limited
- * number of bools.
- */
-int cond_normalize_expr(policydb_t * p, cond_node_t * cn)
-{
-	cond_expr_t *ne, *e;
-	cond_av_list_t *tmp;
-	unsigned int i, j, orig_value[COND_MAX_BOOLS];
-	int k;
-	uint32_t test = 0x0;
-	avrule_t *tmp2;
-
-	cn->nbools = 0;
-
-	memset(cn->bool_ids, 0, sizeof(cn->bool_ids));
-	cn->expr_pre_comp = 0x0;
-
-	/* take care of !expr case */
-	ne = NULL;
-	e = cn->expr;
-
-	/* becuase it's RPN look at last element */
-	while (e->next != NULL) {
-		ne = e;
-		e = e->next;
-	}
-	if (e->expr_type == COND_NOT) {
-		if (ne) {
-			ne->next = NULL;
-		} else {	/* ne should never be NULL */
-			printf
-			    ("Found expr with no bools and only a ! - this should never happen.\n");
-			return -1;
-		}
-		/* swap the true and false lists */
-		tmp = cn->true_list;
-		cn->true_list = cn->false_list;
-		cn->false_list = tmp;
-		tmp2 = cn->avtrue_list;
-		cn->avtrue_list = cn->avfalse_list;
-		cn->avfalse_list = tmp2;
-
-		/* free the "not" node in the list */
-		free(e);
-	}
-
-	/* find all the bools in the expression */
-	for (e = cn->expr; e != NULL; e = e->next) {
-		switch (e->expr_type) {
-		case COND_BOOL:
-			i = 0;
-			/* see if we've already seen this bool */
-			if (!bool_present(e->bool, cn->bool_ids, cn->nbools)) {
-				/* count em all but only record up to COND_MAX_BOOLS */
-				if (cn->nbools < COND_MAX_BOOLS)
-					cn->bool_ids[cn->nbools++] = e->bool;
-				else
-					cn->nbools++;
-			}
-			break;
-		default:
-			break;
-		}
-	}
-
-	/* only precompute for exprs with <= COND_AX_BOOLS */
-	if (cn->nbools <= COND_MAX_BOOLS) {
-		/* save the default values for the bools so we can play with them */
-		for (i = 0; i < cn->nbools; i++) {
-			orig_value[i] =
-			    p->bool_val_to_struct[cn->bool_ids[i] - 1]->state;
-		}
-
-		/* loop through all possible combinations of values for bools in expression */
-		for (test = 0x0; test < (0x1U << cn->nbools); test++) {
-			/* temporarily set the value for all the bools in the
-			 * expression using the corr.  bit in test */
-			for (j = 0; j < cn->nbools; j++) {
-				p->bool_val_to_struct[cn->bool_ids[j] -
-						      1]->state =
-				    (test & (0x1 << j)) ? 1 : 0;
-			}
-			k = cond_evaluate_expr(p, cn->expr);
-			if (k == -1) {
-				printf
-				    ("While testing expression, expression result "
-				     "was undefined - this should never happen.\n");
-				return -1;
-			}
-			/* set the bit if expression evaluates true */
-			if (k)
-				cn->expr_pre_comp |= 0x1 << test;
-		}
-
-		/* restore bool default values */
-		for (i = 0; i < cn->nbools; i++)
-			p->bool_val_to_struct[cn->bool_ids[i] - 1]->state =
-			    orig_value[i];
-	}
-	return 0;
-}
-
 int evaluate_conds(policydb_t * p)
 {
 	int ret;
@@ -491,8 +388,6 @@
 		return;
 
 	cond_expr_destroy(node->expr);
-	avrule_list_destroy(node->avtrue_list);
-	avrule_list_destroy(node->avfalse_list);
 	cond_av_list_destroy(node->true_list);
 	cond_av_list_destroy(node->false_list);
 }
@@ -797,18 +692,11 @@
 		last = expr;
 	}
 
-	if (p->policy_type == POLICY_KERN) {
-		if (cond_read_av_list(p, fp, &node->true_list, NULL) != 0)
-			goto err;
-		if (cond_read_av_list(p, fp, &node->false_list, node->true_list)
-		    != 0)
-			goto err;
-	} else {
-		if (avrule_read_list(p, &node->avtrue_list, fp))
-			goto err;
-		if (avrule_read_list(p, &node->avfalse_list, fp))
-			goto err;
-	}
+	if (cond_read_av_list(p, fp, &node->true_list, NULL) != 0)
+		goto err;
+	if (cond_read_av_list(p, fp, &node->false_list, node->true_list)
+	    != 0)
+		goto err;
 
 	return 0;
       err:
@@ -899,3 +787,138 @@
 	return NULL;
 
 }
+
+static int expand_cond_insert(cond_av_list_t ** l,
+			      avtab_t * expa,
+			      avtab_key_t * k, avtab_datum_t * d)
+{
+	avtab_ptr_t node;
+	avtab_datum_t *avd;
+	cond_av_list_t *nl;
+
+	node = avtab_search_node(expa, k);
+	if (!node ||
+	    (k->specified & AVTAB_ENABLED) !=
+	    (node->key.specified & AVTAB_ENABLED)) {
+		node = avtab_insert_nonunique(expa, k, d);
+		if (!node) {
+			fprintf(stderr, "Out of memory!");
+			return -1;
+		}
+		node->parse_context = (void *)1;
+		nl = (cond_av_list_t *) malloc(sizeof(*nl));
+		if (!nl) {
+			fprintf(stderr, "Out of memory!");
+			return -1;
+		}
+		memset(nl, 0, sizeof(*nl));
+		nl->node = node;
+		nl->next = *l;
+		*l = nl;
+		return 0;
+	}
+
+	avd = &node->datum;
+	switch (k->specified & ~AVTAB_ENABLED) {
+	case AVTAB_ALLOWED:
+	case AVTAB_AUDITALLOW:
+		avd->data |= d->data;
+		break;
+	case AVTAB_AUDITDENY:
+		avd->data &= d->data;
+		break;
+	default:
+		fprintf(stderr, "Type conflict!");
+		return -1;
+	}
+
+	return 0;
+}
+
+int expand_cond_av_node(policydb_t * p,
+			avtab_ptr_t node,
+			cond_av_list_t ** newl, avtab_t * expa)
+{
+	avtab_key_t *k = &node->key;
+	avtab_datum_t *d = &node->datum;
+	type_datum_t *stype = p->type_val_to_struct[k->source_type - 1];
+	type_datum_t *ttype = p->type_val_to_struct[k->target_type - 1];
+	ebitmap_t *sattr = &p->attr_type_map[k->source_type - 1];
+	ebitmap_t *tattr = &p->attr_type_map[k->target_type - 1];
+	ebitmap_node_t *snode, *tnode;
+	unsigned int i, j;
+	avtab_key_t newkey;
+	int rc;
+
+	newkey.target_class = k->target_class;
+	newkey.specified = k->specified;
+
+	if (stype && ttype) {
+		/* Both are individual types, no expansion required. */
+		return expand_cond_insert(newl, expa, k, d);
+	}
+
+	if (stype) {
+		/* Source is an individual type, target is an attribute. */
+		newkey.source_type = k->source_type;
+		ebitmap_for_each_bit(tattr, tnode, j) {
+			if (!ebitmap_node_get_bit(tnode, j))
+				continue;
+			newkey.target_type = j + 1;
+			rc = expand_cond_insert(newl, expa, &newkey, d);
+			if (rc)
+				return -1;
+		}
+		return 0;
+	}
+
+	if (ttype) {
+		/* Target is an individual type, source is an attribute. */
+		newkey.target_type = k->target_type;
+		ebitmap_for_each_bit(sattr, snode, i) {
+			if (!ebitmap_node_get_bit(snode, i))
+				continue;
+			newkey.source_type = i + 1;
+			rc = expand_cond_insert(newl, expa, &newkey, d);
+			if (rc)
+				return -1;
+		}
+		return 0;
+	}
+
+	/* Both source and target type are attributes. */
+	ebitmap_for_each_bit(sattr, snode, i) {
+		if (!ebitmap_node_get_bit(snode, i))
+			continue;
+		ebitmap_for_each_bit(tattr, tnode, j) {
+			if (!ebitmap_node_get_bit(tnode, j))
+				continue;
+			newkey.source_type = i + 1;
+			newkey.target_type = j + 1;
+			rc = expand_cond_insert(newl, expa, &newkey, d);
+			if (rc)
+				return -1;
+		}
+	}
+
+	return 0;
+}
+
+int expand_cond_av_list(policydb_t * p, cond_av_list_t * l,
+			cond_av_list_t ** newl, avtab_t * expa)
+{
+	cond_av_list_t *cur;
+	avtab_ptr_t node;
+	int rc;
+
+	*newl = NULL;
+	for (cur = l; cur; cur = cur->next) {
+		node = cur->node;
+		rc = expand_cond_av_node(p, node, newl, expa);
+		if (rc)
+			return rc;
+	}
+
+	return 0;
+}
+
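Review bot: expand_cond_insert can leave `expa` holding a node that no cond_av_list owns: when the malloc of `nl` fails, the entry was already added by avtab_insert_nonunique and tagged with `parse_context = (void *)1`, yet the function returns -1 without linking it into `*l`. Allocating the list cell before the avtab insert (and freeing it if the insert fails) makes the failure path leave the table as it found it. The diagnostics also bypass the `ERR(handle, ...)` path the rest of the library uses (see the deleted assertion code earlier in this message), and `"Out of memory!"` / `"Type conflict!"` are written without a trailing newline; if no handle is reachable here, at least terminate the messages. `(void *)1` is a magic marker, so a one-line comment stating what a non-NULL parse_context tells later passes would help, and the `k->source_type - 1` / `k->target_type - 1` indexes in expand_cond_av_node presumably rely on those values having been range-checked when the avtab was read, which is worth stating in a comment as well.
```c
static int expand_cond_insert(cond_av_list_t ** l,
			      avtab_t * expa,
			      avtab_key_t * k, avtab_datum_t * d)
{
	/* … unchanged: locals … */
	node = avtab_search_node(expa, k);
	if (!node ||
	    (k->specified & AVTAB_ENABLED) !=
	    (node->key.specified & AVTAB_ENABLED)) {
		/* Allocate the list cell first so a failure leaves expa untouched. */
		nl = calloc(1, sizeof(*nl));
		if (!nl) {
			fprintf(stderr, "Out of memory!\n");
			return -1;
		}
		node = avtab_insert_nonunique(expa, k, d);
		if (!node) {
			free(nl);
			fprintf(stderr, "Out of memory!\n");
			return -1;
		}
		node->parse_context = (void *)1;
		nl->node = node;
		nl->next = *l;
		*l = nl;
		return 0;
	}
	/* … unchanged: merge of data into the existing node … */
```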
Modified: branches/policyrep/libsepol/src/constraint.c
===================================================================
--- branches/policyrep/libsepol/src/constraint.c	2007-09-12 15:50:45 UTC (rev 2561)
+++ branches/policyrep/libsepol/src/constraint.c	2007-09-18 14:26:11 UTC (rev 2562)
@@ -19,7 +19,6 @@
 
 #include <sepol/policydb/policydb.h>
 #include <sepol/policydb/constraint.h>
-#include <sepol/policydb/expand.h>
 #include <sepol/policydb/flask_types.h>
 
 #include <assert.h>
@@ -32,7 +31,7 @@
 	if ((expr->type_names = malloc(sizeof(*expr->type_names))) == NULL) {
 		return -1;
 	}
-	type_set_init(expr->type_names);
+	ebitmap_init(expr->type_names);
 	return 0;
 }
 
@@ -40,7 +39,7 @@
 {
 	if (expr != NULL) {
 		ebitmap_destroy(&expr->names);
-		type_set_destroy(expr->type_names);
+		ebitmap_destroy(expr->type_names);
 		free(expr->type_names);
 		free(expr);
 	}
Deleted: branches/policyrep/libsepol/src/expand.c
===================================================================
--- branches/policyrep/libsepol/src/expand.c	2007-09-12 15:50:45 UTC (rev 2561)
+++ branches/policyrep/libsepol/src/expand.c	2007-09-18 14:26:11 UTC (rev 2562)
@@ -1,2681 +0,0 @@
-/* Authors: Karl MacMillan <kma...@me...>
- *          Jason Tang <jt...@tr...>
- *	    Joshua Brindle <jbr...@tr...>
- *
- * Copyright (C) 2004-2005 Tresys Technology, LLC
- * Copyright (C) 2007 Red Hat, Inc.
- *
- *  This library is free software; you can redistribute it and/or
- *  modify it under the terms of the GNU Lesser General Public
- *  License as published by the Free Software Foundation; either
- *  version 2.1 of the License, or (at your option) any later version.
- *
- *  This library is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
- *  Lesser General Public License for more details.
- *
- *  You should have received a copy of the GNU Lesser General Public
- *  License along with this library; if not, write to the Free Software
- *  Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
- */
-
-#include "context.h"
-#include <sepol/policydb/policydb.h>
-#include <sepol/policydb/conditional.h>
-#include <sepol/policydb/hashtab.h>
-#include <sepol/policydb/expand.h>
-#include <sepol/policydb/hierarchy.h>
-#include <sepol/policydb/avrule_block.h>
-
-#include <stdlib.h>
-#include <stdarg.h>
-#include <stdio.h>
-#include <string.h>
-#include <assert.h>
-
-#include "debug.h"
-#include "private.h"
-
-typedef struct expand_state {
-	int verbose;
-	uint32_t *typemap;
-	uint32_t *boolmap;
-	policydb_t *base;
-	policydb_t *out;
-	sepol_handle_t *handle;
-	int expand_neverallow;
-} expand_state_t;
-
-static void expand_state_init(expand_state_t * state)
-{
-	memset(state, 0, sizeof(expand_state_t));
-}
-
-static int type_copy_callback(hashtab_key_t key, hashtab_datum_t datum,
-			      void *data)
-{
-	int ret;
-	char *id, *new_id;
-	type_datum_t *type, *new_type;
-	expand_state_t *state;
-
-	id = (char *)key;
-	type = (type_datum_t *) datum;
-	state = (expand_state_t *) data;
-
-	if ((type->flavor == TYPE_TYPE && !type->primary)
-	    || type->flavor == TYPE_ALIAS) {
-		/* aliases are handled later */
-		return 0;
-	}
-	if (!is_id_enabled(id, state->base, SYM_TYPES)) {
-		/* identifier's scope is not enabled */
-		return 0;
-	}
-
-	if (state->verbose)
-		INFO(state->handle, "copying type or attribute %s", id);
-
-	new_id = strdup(id);
-	if (new_id == NULL) {
-		ERR(state->handle, "Out of memory!");
-		return -1;
-	}
-
-	new_type = (type_datum_t *) malloc(sizeof(type_datum_t));
-	if (!new_type) {
-		ERR(state->handle, "Out of memory!");
-		free(new_id);
-		return SEPOL_ENOMEM;
-	}
-	memset(new_type, 0, sizeof(type_datum_t));
-
-	new_type->flavor = type->flavor;
-	new_type->s.value = ++state->out->p_types.nprim;
-	if (new_type->s.value > UINT16_MAX) {
-		free(new_id);
-		free(new_type);
-		ERR(state->handle, "type space overflow");
-		return -1;
-	}
-	new_type->primary = 1;
-	state->typemap[type->s.value - 1] = new_type->s.value;
-
-	ret = hashtab_insert(state->out->p_types.table,
-			     (hashtab_key_t) new_id,
-			     (hashtab_datum_t) new_type);
-	if (ret) {
-		free(new_id);
-		free(new_type);
-		ERR(state->handle, "hashtab overflow");
-		return -1;
-	}
-
-	return 0;
-}
-
-static int attr_convert_callback(hashtab_key_t key, hashtab_datum_t datum,
-				 void *data)
-{
-	char *id;
-	type_datum_t *type, *new_type;
-	expand_state_t *state;
-	ebitmap_t tmp_union;
-
-	id = (char *)key;
-	type = (type_datum_t *) datum;
-	state = (expand_state_t *) data;
-
-	if (type->flavor != TYPE_ATTRIB)
-		return 0;
-
-	if (!is_id_enabled(id, state->base, SYM_TYPES)) {
-		/* identifier's scope is not enabled */
-		return 0;
-	}
-
-	if (state->verbose)
-		INFO(state->handle, "converting attribute %s", id);
-
-	new_type = hashtab_search(state->out->p_types.table, id);
-	if (!new_type) {
-		ERR(state->handle, "attribute %s vanished!", id);
-		return -1;
-	}
-	if (convert_type_ebitmap(&type->types, &tmp_union, state->typemap)) {
-		ERR(state->handle, "out of memory");
-		return -1;
-	}
-
-	/* then union tmp_union onto &new_type->types */
-	if (ebitmap_union(&new_type->types, &tmp_union)) {
-		ERR(state->handle, "Out of memory!");
-		return -1;
-	}
-	ebitmap_destroy(&tmp_union);
-
-	return 0;
-}
-
-static int perm_copy_callback(hashtab_key_t key, hashtab_datum_t datum,
-			      void *data)
-{
-	int ret;
-	char *id, *new_id;
-	symtab_t *s;
-	perm_datum_t *perm, *new_perm;
-
-	id = key;
-	perm = (perm_datum_t *) datum;
-	s = (symtab_t *) data;
-
-	new_perm = (perm_datum_t *) malloc(sizeof(perm_datum_t));
-	if (!new_perm) {
-		return -1;
-	}
-	memset(new_perm, 0, sizeof(perm_datum_t));
-
-	new_id = strdup(id);
-	if (!new_id) {
-		free(new_perm);
-		return -1;
-	}
-
-	new_perm->s.value = perm->s.value;
-	s->nprim++;
-
-	ret = hashtab_insert(s->table, new_id, (hashtab_datum_t *) new_perm);
-	if (ret) {
-		free(new_id);
-		free(new_perm);
-		return -1;
-	}
-
-	return 0;
-}
-
-static int common_copy_callback(hashtab_key_t key, hashtab_datum_t datum,
-				void *data)
-{
-	int ret;
-	char *id, *new_id;
-	common_datum_t *common, *new_common;
-	expand_state_t *state;
-
-	id = (char *)key;
-	common = (common_datum_t *) datum;
-	state = (expand_state_t *) data;
-
-	if (state->verbose)
-		INFO(state->handle, "copying common %s", id);
-
-	new_common = (common_datum_t *) malloc(sizeof(common_datum_t));
-	if (!new_common) {
-		ERR(state->handle, "Out of memory!");
-		return -1;
-	}
-	memset(new_common, 0, sizeof(common_datum_t));
-	if (symtab_init(&new_common->permissions, PERM_SYMTAB_SIZE)) {
-		ERR(state->handle, "Out of memory!");
-		free(new_common);
-		return -1;
-	}
-
-	new_id = strdup(id);
-	if (!new_id) {
-		ERR(state->handle, "Out of memory!");
-		free(new_common);
-		return -1;
-	}
-
-	new_common->s.value = common->s.value;
-	state->out->p_commons.nprim++;
-
-	ret =
-	    hashtab_insert(state->out->p_commons.table, new_id,
-			   (hashtab_datum_t *) new_common);
-	if (ret) {
-		ERR(state->handle, "hashtab overflow");
-		free(new_common);
-		free(new_id);
-		return -1;
-	}
-
-	if (hashtab_map
-	    (common->permissions.table, perm_copy_callback,
-	     &new_common->permissions)) {
-		ERR(state->handle, "Out of memory!");
-		return -1;
-	}
-
-	return 0;
-}
-
-static int constraint_node_clone(constraint_node_t ** dst,
-				 constraint_node_t * src,
-				 expand_state_t * state)
-{
-	constraint_node_t *new_con = NULL, *last_new_con = NULL;
-	constraint_expr_t *new_expr = NULL;
-	*dst = NULL;
-	while (src != NULL) {
-		constraint_expr_t *expr, *expr_l = NULL;
-		new_con =
-		    (constraint_node_t *) malloc(sizeof(constraint_node_t));
-		if (!new_con) {
-			goto out_of_mem;
-		}
-		memset(new_con, 0, sizeof(constraint_node_t));
-		new_con->permissions = src->permissions;
-		for (expr = src->expr; expr; expr = expr->next) {
-			if ((new_expr = calloc(1, sizeof(*new_expr))) == NULL) {
-				goto out_of_mem;
-			}
-			if (constraint_expr_init(new_expr) == -1) {
-				goto out_of_mem;
-			}
-			new_expr->expr_type = expr->expr_type;
-			new_expr->attr = expr->attr;
-			new_expr->op = expr->op;
-			if (new_expr->expr_type == CEXPR_NAMES) {
-				if (new_expr->attr & CEXPR_TYPE) {
-					/* Type sets require expansion and conversion. */
-					if (expand_convert_type_set(state->out,
-								    state->
-								    typemap,
-								    expr->
-								    type_names,
-								    &new_expr->
-								    names, 1)) {
-						goto out_of_mem;
-					}
-				} else {
-					/* Other kinds of sets do not. */
-					if (ebitmap_cpy(&new_expr->names,
-							&expr->names)) {
-						goto out_of_mem;
-					}
-				}
-			}
-			if (expr_l) {
-				expr_l->next = new_expr;
-			} else {
-				new_con->expr = new_expr;
-			}
-			expr_l = new_expr;
-			new_expr = NULL;
-		}
-		if (last_new_con == NULL) {
-			*dst = new_con;
-		} else {
-			last_new_con->next = new_con;
-		}
-		last_new_con = new_con;
-		src = src->next;
-	}
-
-	return 0;
-      out_of_mem:
-	ERR(state->handle, "Out of memory!");
-	if (new_con)
-		free(new_con);
-	constraint_expr_destroy(new_expr);
-	return -1;
-}
-
-static int class_copy_callback(hashtab_key_t key, hashtab_datum_t datum,
-			       void *data)
-{
-	int ret;
-	char *id, *new_id;
-	class_datum_t *class, *new_class;
-	expand_state_t *state;
-
-	id = (char *)key;
-	class = (class_datum_t *) datum;
-	state = (expand_state_t *) data;
-
-	if (!is_id_enabled(id, state->base, SYM_CLASSES)) {
-		/* identifier's scope is not enabled */
-		return 0;
-	}
-
-	if (state->verbose)
-		INFO(state->handle, "copying class %s", id);
-
-	new_class = (class_datum_t *) malloc(sizeof(class_datum_t));
-	if (!new_class) {
-		ERR(state->handle, "Out of memory!");
-		return -1;
-	}
-	memset(new_class, 0, sizeof(class_datum_t));
-	if (symtab_init(&new_class->permissions, PERM_SYMTAB_SIZE)) {
-		ERR(state->handle, "Out of memory!");
-		free(new_class);
-		return -1;
-	}
-
-	new_class->s.value = class->s.value;
-	state->out->p_classes.nprim++;
-
-	new_id = strdup(id);
-	if (!new_id) {
-		ERR(state->handle, "Out of memory!");
-		free(new_class);
-		return -1;
-	}
-
-	ret =
-	    hashtab_insert(state->out->p_classes.table, new_id,
-			   (hashtab_datum_t *) new_class);
-	if (ret) {
-		ERR(state->handle, "hashtab overflow");
-		free(new_class);
-		free(new_id);
-		return -1;
-	}
-
-	if (hashtab_map
-	    (class->permissions.table, perm_copy_callback,
-	     &new_class->permissions)) {
-		ERR(state->handle, "hashtab overflow");
-		return -1;
-	}
-
-	if (class->comkey) {
-		new_class->comkey = strdup(class->comkey);
-		if (!new_class->comkey) {
-			ERR(state->handle, "Out of memory!");
-			return -1;
-		}
-
-		new_class->comdatum =
-		    hashtab_search(state->out->p_commons.table,
-				   new_class->comkey);
-		if (!new_class->comdatum) {
-			ERR(state->handle, "could not find common datum %s",
-			    new_class->comkey);
-			return -1;
-		}
-		new_class->permissions.nprim +=
-		    new_class->comdatum->permissions.nprim;
-	}
-
-	return 0;
-}
-
-static int constraint_copy_callback(hashtab_key_t key, hashtab_datum_t datum,
-				    void *data)
-{
-	char *id;
-	class_datum_t *class, *new_class;
-	expand_state_t *state;
-
-	id = (char *)key;
-	class = (class_datum_t *) datum;
-	state = (expand_state_t *) data;
-
-	new_class = hashtab_search(state->out->p_classes.table, id);
-	if (!new_class) {
-		ERR(state->handle, "class %s vanished", id);
-		return -1;
-	}
-
-	/* constraints */
-	if (constraint_node_clone
-	    (&new_class->constraints, class->constraints, state) == -1
-	    || constraint_node_clone(&new_class->validatetrans,
-				     class->validatetrans, state) == -1) {
-		return -1;
-	}
-	return 0;
-}
-
-/* The aliases have to be copied after the types and attributes to be certain that
- * the out symbol table will have the type that the alias refers. Otherwise, we
- * won't be able to find the type value for the alias. We can't depend on the
- * declaration ordering because of the hash table.
- */
-static int alias_copy_callback(hashtab_key_t key, hashtab_datum_t datum,
-			       void *data)
-{
-	int ret;
-	char *id, *new_id;
-	type_datum_t *alias, *new_alias;
-	expand_state_t *state;
-
-	id = (char *)key;
-	alias = (type_datum_t *) datum;
-	state = (expand_state_t *) data;
-
-	/* ignore regular types */
-	if (alias->flavor == TYPE_TYPE && alias->primary)
-		return 0;
-
-	/* ignore attributes */
-	if (alias->flavor == TYPE_ATTRIB)
-		return 0;
-
-	if (state->verbose)
-		INFO(state->handle, "copying alias %s", id);
-
-	new_id = strdup(id);
-	if (!new_id) {
-		ERR(state->handle, "Out of memory!");
-		return -1;
-	}
-
-	new_alias = (type_datum_t *) malloc(sizeof(type_datum_t));
-	if (!new_alias) {
-		ERR(state->handle, "Out of memory!");
-		free(new_id);
-		return SEPOL_ENOMEM;
-	}
-	memset(new_alias, 0, sizeof(type_datum_t));
-	if (alias->flavor == TYPE_TYPE)
-		new_alias->s.value = state->typemap[alias->s.value - 1];
-	else if (alias->flavor == TYPE_ALIAS)
-		new_alias->s.value = state->typemap[alias->primary - 1];
-	else
-		assert(0);	/* unreachable */
-
-	ret = hashtab_insert(state->out->p_types.table,
-			     (hashtab_key_t) new_id,
-			     (hashtab_datum_t) new_alias);
-
-	if (ret) {
-		ERR(state->handle, "hashtab overflow");
-		free(new_alias);
-		free(new_id);
-		return -1;
-	}
-
-	state->typemap[alias->s.value - 1] = new_alias->s.value;
-	return 0;
-}
-
-static int role_copy_callback(hashtab_key_t key, hashtab_datum_t datum,
-			      void *data)
-{
-	int ret;
-	char *id, *new_id;
-	role_datum_t *role;
-	role_datum_t *new_role;
-	expand_state_t *state;
-	ebitmap_t tmp_union_types;
-
-	id = key;
-	role = (role_datum_t *) datum;
-	state = (expand_state_t *) data;
-
-	if (strcmp(id, OBJECT_R) == 0)
-		return 0;
-
-	if (!is_id_enabled(id, state->base, SYM_ROLES)) {
-		/* identifier's scope is not enabled */
-		return 0;
-	}
-
-	if (state->verbose)
-		INFO(state->handle, "copying role %s", id);
-
-	new_role =
-	    (role_datum_t *) hashtab_search(state->out->p_roles.table, id);
-	if (!new_role) {
-		new_role = (role_datum_t *) malloc(sizeof(role_datum_t));
-		if (!new_role) {
-			ERR(state->handle, "Out of memory!");
-			return -1;
-		}
-		memset(new_role, 0, sizeof(role_datum_t));
-
-		new_id = strdup(id);
-		if (!new_id) {
-			ERR(state->handle, "Out of memory!");
-			return -1;
-		}
-
-		new_role->s.value = role->s.value;
-		state->out->p_roles.nprim++;
-		ret = hashtab_insert(state->out->p_roles.table,
-				     (hashtab_key_t) new_id,
-				     (hashtab_datum_t) new_role);
-
-		if (ret) {
-			ERR(state->handle, "hashtab overflow");
-			free(new_role);
-			free(new_id);
-			return -1;
-		}
-	}
-
-	if (!(&new_role->dominates.node)) {
-		ebitmap_init(&new_role->dominates);
-	}
-
-	if (ebitmap_union(&new_role->dominates, &role->dominates)) {
-		ERR(state->handle, "Out of memory!");
-		return -1;
-	}
-
-	ebitmap_init(&tmp_union_types);
-
-	/* convert types in the role datum in the global symtab */
-	if (expand_convert_type_set
-	    (state->out, state->typemap, &role->types, &tmp_union_types, 1)) {
-		ebitmap_destroy(&tmp_union_types);
-		ERR(state->handle, "Out of memory!");
-		return -1;
-	}
-
-	if (!(&new_role->types.types.node)) {
-		ebitmap_init(&new_role->types.types);
-	}
-
-	if (ebitmap_union(&new_role->types.types, &tmp_union_types)) {
-		ERR(state->handle, "Out of memory!");
-		ebitmap_destroy(&tmp_union_types);
-		return -1;
-	}
-	ebitmap_destroy(&tmp_union_types);
-
-	return 0;
-}
-
-int mls_semantic_level_expand(mls_semantic_level_t * sl, mls_level_t * l,
-			      policydb_t * p, sepol_handle_t * h)
-{
-	mls_semantic_cat_t *cat;
-	level_datum_t *levdatum;
-	unsigned int i;
-
-	mls_level_init(l);
-
-	if (!p->mls)
-		return 0;
-
-	l->sens = sl->sens;
-	levdatum = (level_datum_t *) hashtab_search(p->p_levels.table,
-						    p->p_sens_val_to_name[l->
-									  sens -
-									  1]);
-	for (cat = sl->cat; cat; cat = cat->next) {
-		if (cat->low > cat->high) {
-			ERR(h, "Category range is not valid %s.%s",
-			    p->p_cat_val_to_name[cat->low - 1],
-			    p->p_cat_val_to_name[cat->high - 1]);
-			return -1;
-		}
-		for (i = cat->low - 1; i < cat->high; i++) {
-			if (!ebitmap_get_bit(&levdatum->level->cat, i)) {
-				ERR(h, "Category %s can not be associate with "
-				    "level %s",
-				    p->p_cat_val_to_name[i],
-				    p->p_sens_val_to_name[l->sens - 1]);
-			}
-			if (ebitmap_set_bit(&l->cat, i, 1)) {
-				ERR(h, "Out of memory!");
-				return -1;
-			}
-		}
-	}
-
-	return 0;
-}
-
-int mls_semantic_range_expand(mls_semantic_range_t * sr, mls_range_t * r,
-			      policydb_t * p, sepol_handle_t * h)
-{
-	if (mls_semantic_level_expand(&sr->level[0], &r->level[0], p, h) < 0)
-		return -1;
-
-	if (mls_semantic_level_expand(&sr->level[1], &r->level[1], p, h) < 0) {
-		mls_semantic_level_destroy(&sr->level[0]);
-		return -1;
-	}
-
-	if (!mls_level_dom(&r->level[1], &r->level[0])) {
-		mls_range_destroy(r);
-		ERR(h, "MLS range high level does not dominate low level");
-		return -1;
-	}
-
-	return 0;
-}
-
-static int user_copy_callback(hashtab_key_t key, hashtab_datum_t datum,
-			      void *data)
-{
-	int ret;
-	expand_state_t *state;
-	user_datum_t *user;
-	user_datum_t *new_user;
-	char *id, *new_id;
-	ebitmap_t tmp_union;
-
-	id = key;
-	user = (user_datum_t *) datum;
-	state = (expand_state_t *) data;
-
-	if (!is_id_enabled(id, state->base, SYM_USERS)) {
-		/* identifier's scope is not enabled */
-		return 0;
-	}
-
...
 
[truncated message content] | 
      From: <ssm...@us...> - 2007-09-12 15:50:49
      
     | 
| Revision: 2561
          http://selinux.svn.sourceforge.net/selinux/?rev=2561&view=rev
Author:   ssmalley
Date:     2007-09-12 08:50:45 -0700 (Wed, 12 Sep 2007)
Log Message:
-----------
updated libselinux to version 1.34.12
Modified Paths:
--------------
    branches/stable/1_0/libselinux/ChangeLog
    branches/stable/1_0/libselinux/VERSION
Modified: branches/stable/1_0/libselinux/ChangeLog
===================================================================
--- branches/stable/1_0/libselinux/ChangeLog	2007-09-12 15:49:33 UTC (rev 2560)
+++ branches/stable/1_0/libselinux/ChangeLog	2007-09-12 15:50:45 UTC (rev 2561)
@@ -1,3 +1,6 @@
+1.34.12 2007-09-12
+	* Further fix for getfilecon() handling of zero-length contexts from Stephen Smalley.
+
 1.34.11	2007-07-09
 	* Merged fix for getfilecon() handling of zero-length contexts from
 	  Stephen Smalley.
Modified: branches/stable/1_0/libselinux/VERSION
===================================================================
--- branches/stable/1_0/libselinux/VERSION	2007-09-12 15:49:33 UTC (rev 2560)
+++ branches/stable/1_0/libselinux/VERSION	2007-09-12 15:50:45 UTC (rev 2561)
@@ -1 +1 @@
-1.34.11
+1.34.12
      From: <ssm...@us...> - 2007-09-12 15:49:35
      
     | 
| Revision: 2560
          http://selinux.svn.sourceforge.net/selinux/?rev=2560&view=rev
Author:   ssmalley
Date:     2007-09-12 08:49:33 -0700 (Wed, 12 Sep 2007)
Log Message:
-----------
updated libselinux to version 2.0.33
Modified Paths:
--------------
    trunk/libselinux/ChangeLog
    trunk/libselinux/VERSION
Modified: trunk/libselinux/ChangeLog
===================================================================
--- trunk/libselinux/ChangeLog	2007-09-12 15:47:39 UTC (rev 2559)
+++ trunk/libselinux/ChangeLog	2007-09-12 15:49:33 UTC (rev 2560)
@@ -1,3 +1,7 @@
+2.0.33 2007-09-12
+	* Re-map a getxattr return value of 0 to a getfilecon return value of -1 with errno EOPNOTSUPP from Stephen Smalley.
+	* Fall back to the compat code for security_class_to_string and security_av_perm_to_string from Stephen Smalley.
+
 2.0.32 2007-09-10
 	* Fix swig binding for rpm_execcon from James Athey.
 
Modified: trunk/libselinux/VERSION
===================================================================
--- trunk/libselinux/VERSION	2007-09-12 15:47:39 UTC (rev 2559)
+++ trunk/libselinux/VERSION	2007-09-12 15:49:33 UTC (rev 2560)
@@ -1 +1 @@
-2.0.32
+2.0.33
      From: <ssm...@us...> - 2007-09-12 15:47:40
      
| Revision: 2559
          http://selinux.svn.sourceforge.net/selinux/?rev=2559&view=rev
Author:   ssmalley
Date:     2007-09-12 08:47:39 -0700 (Wed, 12 Sep 2007)
Log Message:
-----------
Author: Stephen Smalley
Email: sd...@ty...
Subject: Class/permission discovery
Date: Wed, 12 Sep 2007 10:57:50 -0400
https://bugzilla.redhat.com/show_bug.cgi?id=283231
When a legacy userspace object manager like dbusd invokes the AVC with
numeric class and permission values on a kernel that supports object
class and permission discovery, the AVC ultimately calls the
integer-to-string mapping functions, but the class information has not
yet been cached by libselinux (currently triggered upon a
string_to_security_class() call, requires the string name to look up the
entry in /selinux/class), so the lookup fails.
At least as a short term fix, fall back to the compat functions in this
case.
Modified Paths:
--------------
    trunk/libselinux/src/stringrep.c
Modified: trunk/libselinux/src/stringrep.c
===================================================================
--- trunk/libselinux/src/stringrep.c	2007-09-12 15:46:46 UTC (rev 2558)
+++ trunk/libselinux/src/stringrep.c	2007-09-12 15:47:39 UTC (rev 2559)
@@ -471,10 +471,9 @@
 
 	tclass = unmap_class(tclass);
 	node = get_class_cache_entry_value(tclass);
-	if (node == NULL) {
-		errno = EINVAL;
-		return NULL;
-	} else
+	if (node == NULL)
+		return security_class_to_string_compat(tclass);
+	else
 		return node->name;
 }
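Review bot: The new `return security_class_to_string_compat(tclass);` quietly substitutes the static compat table for a class number the kernel-provided cache could not resolve, and the only explanation is in the commit message; a comment would stop the next reader from treating it as dead code: `/* Legacy callers pass numeric classes before the class cache is populated; fall back to the static compat table rather than failing. */`. The same applies to the `security_av_perm_to_string_compat(tclass,av)` fallback in the second hunk. Dropping `errno = EINVAL` also means a NULL result now reports whatever errno the compat function leaves behind, which is worth confirming it sets. The enclosing function begins before this hunk.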
 
@@ -495,8 +494,7 @@
 			if ((1<<i) & av)
 				return node->perms[i];
 
-	errno = EINVAL;
-	return NULL;
+	return security_av_perm_to_string_compat(tclass,av);
 }
 
 int security_av_string(security_class_t tclass, access_vector_t av, char **res)
      From: <ssm...@us...> - 2007-09-12 15:46:50
      
| Revision: 2558
          http://selinux.svn.sourceforge.net/selinux/?rev=2558&view=rev
Author:   ssmalley
Date:     2007-09-12 08:46:46 -0700 (Wed, 12 Sep 2007)
Log Message:
-----------
applied r2556:2557 from trunk
Modified Paths:
--------------
    branches/stable/1_0/libselinux/src/fgetfilecon.c
    branches/stable/1_0/libselinux/src/getfilecon.c
    branches/stable/1_0/libselinux/src/lgetfilecon.c
Modified: branches/stable/1_0/libselinux/src/fgetfilecon.c
===================================================================
--- branches/stable/1_0/libselinux/src/fgetfilecon.c	2007-09-12 15:45:09 UTC (rev 2557)
+++ branches/stable/1_0/libselinux/src/fgetfilecon.c	2007-09-12 15:46:46 UTC (rev 2558)
@@ -37,6 +37,11 @@
 		ret = fgetxattr(fd, XATTR_NAME_SELINUX, buf, size - 1);
 	}
       out:
+	if (ret == 0) {
+		/* Re-map empty attribute values to errors. */
+		errno = EOPNOTSUPP;
+		ret = -1;
+	}
 	if (ret < 0)
 		free(buf);
 	else
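Review bot: The comment `/* Re-map empty attribute values to errors. */` records what the branch does but not why a zero-length value is treated as an error, and the reason (a zero-length security.selinux value, seen on private /proc/sys inodes, is not a usable context, and callers previously had to distinguish 0 from -1) lives only in the r2557 message. Suggest `/* A zero-length value is not a valid context (seen on private /proc/sys inodes); report it as EOPNOTSUPP, like a filesystem without xattr support. */`. The identical hunk appears in getfilecon.c and lgetfilecon.c below and in the trunk copies in r2557, so the comment belongs in all three files. The enclosing function begins before this hunk.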
Modified: branches/stable/1_0/libselinux/src/getfilecon.c
===================================================================
--- branches/stable/1_0/libselinux/src/getfilecon.c	2007-09-12 15:45:09 UTC (rev 2557)
+++ branches/stable/1_0/libselinux/src/getfilecon.c	2007-09-12 15:46:46 UTC (rev 2558)
@@ -37,6 +37,11 @@
 		ret = getxattr(path, XATTR_NAME_SELINUX, buf, size - 1);
 	}
       out:
+	if (ret == 0) {
+		/* Re-map empty attribute values to errors. */
+		errno = EOPNOTSUPP;
+		ret = -1;
+	}
 	if (ret < 0)
 		free(buf);
 	else
Modified: branches/stable/1_0/libselinux/src/lgetfilecon.c
===================================================================
--- branches/stable/1_0/libselinux/src/lgetfilecon.c	2007-09-12 15:45:09 UTC (rev 2557)
+++ branches/stable/1_0/libselinux/src/lgetfilecon.c	2007-09-12 15:46:46 UTC (rev 2558)
@@ -37,6 +37,11 @@
 		ret = lgetxattr(path, XATTR_NAME_SELINUX, buf, size - 1);
 	}
       out:
+	if (ret == 0) {
+		/* Re-map empty attribute values to errors. */
+		errno = EOPNOTSUPP;
+		ret = -1;
+	}
 	if (ret < 0)
 		free(buf);
 	else
      From: <ssm...@us...> - 2007-09-12 15:45:13
      
| Revision: 2557
          http://selinux.svn.sourceforge.net/selinux/?rev=2557&view=rev
Author:   ssmalley
Date:     2007-09-12 08:45:09 -0700 (Wed, 12 Sep 2007)
Log Message:
-----------
Author: Stephen Smalley
Email: sd...@ty...
Subject: getfilecon return code
Date: Mon, 09 Jul 2007 14:42:35 -0400
On Mon, 2007-07-09 at 14:30 -0400, Stephen Smalley wrote:
> On Mon, 2007-07-09 at 14:07 -0400, John D. Ramsdell wrote:
> > I hadn't carefully read the manual page for getfilecon until now, but
> > I notice it states that a positive number is returned indicating the
> > number of bytes malloc'd for the context, and -1 is returned
> > indicating failure and that errno is set.  I would have guessed from
> > the description that zero is never an allowed return value.  In fact,
> > I wrote code that freecon'd a context whenever the return value was
> > not -1.
> 
> freecon(NULL) is perfectly legal and harmless, like free(NULL), so that
> part is ok.
> 
> It is possible to set extended attributes with no values, e.g. 
> 	$ setfattr -n user.foo /path/to/foo
> 	$ getfattr -n user.foo /path/to/foo
> and directly calling getxattr() on that file will return 0.
> 
> So technically this is a possible case, even if it is unusual and was
> introduced in this case by the proc sysctl rewrite in the kernel leaving
> us with "private" /proc/sys inodes.
> 
> I'd be inclined to change security_inode_getsecurity() in the kernel to
> return -EOPNOTSUPP in the IS_PRIVATE(inode) case.  But that won't help
> with current kernels, of course.
> 
> libselinux could remap a zero return from getxattr to a -1 return with
> errno EOPNOTSUPP in the meantime if we want to present this behavior to
> applications now.
Like so:
Modified Paths:
--------------
    trunk/libselinux/src/fgetfilecon.c
    trunk/libselinux/src/getfilecon.c
    trunk/libselinux/src/lgetfilecon.c
Modified: trunk/libselinux/src/fgetfilecon.c
===================================================================
--- trunk/libselinux/src/fgetfilecon.c	2007-09-10 19:30:31 UTC (rev 2556)
+++ trunk/libselinux/src/fgetfilecon.c	2007-09-12 15:45:09 UTC (rev 2557)
@@ -37,6 +37,11 @@
 		ret = fgetxattr(fd, XATTR_NAME_SELINUX, buf, size - 1);
 	}
       out:
+	if (ret == 0) {
+		/* Re-map empty attribute values to errors. */
+		errno = EOPNOTSUPP;
+		ret = -1;
+	}
 	if (ret < 0)
 		free(buf);
 	else
Modified: trunk/libselinux/src/getfilecon.c
===================================================================
--- trunk/libselinux/src/getfilecon.c	2007-09-10 19:30:31 UTC (rev 2556)
+++ trunk/libselinux/src/getfilecon.c	2007-09-12 15:45:09 UTC (rev 2557)
@@ -37,6 +37,11 @@
 		ret = getxattr(path, XATTR_NAME_SELINUX, buf, size - 1);
 	}
       out:
+	if (ret == 0) {
+		/* Re-map empty attribute values to errors. */
+		errno = EOPNOTSUPP;
+		ret = -1;
+	}
 	if (ret < 0)
 		free(buf);
 	else
Modified: trunk/libselinux/src/lgetfilecon.c
===================================================================
--- trunk/libselinux/src/lgetfilecon.c	2007-09-10 19:30:31 UTC (rev 2556)
+++ trunk/libselinux/src/lgetfilecon.c	2007-09-12 15:45:09 UTC (rev 2557)
@@ -37,6 +37,11 @@
 		ret = lgetxattr(path, XATTR_NAME_SELINUX, buf, size - 1);
 	}
       out:
+	if (ret == 0) {
+		/* Re-map empty attribute values to errors. */
+		errno = EOPNOTSUPP;
+		ret = -1;
+	}
 	if (ret < 0)
 		free(buf);
 	else
      From: <ssm...@us...> - 2007-09-10 19:30:31
      
| Revision: 2556
          http://selinux.svn.sourceforge.net/selinux/?rev=2556&view=rev
Author:   ssmalley
Date:     2007-09-10 12:30:31 -0700 (Mon, 10 Sep 2007)
Log Message:
-----------
updated libsemanage to version 2.0.6
Modified Paths:
--------------
    trunk/libsemanage/ChangeLog
    trunk/libsemanage/VERSION
Modified: trunk/libsemanage/ChangeLog
===================================================================
--- trunk/libsemanage/ChangeLog	2007-09-10 19:29:37 UTC (rev 2555)
+++ trunk/libsemanage/ChangeLog	2007-09-10 19:30:31 UTC (rev 2556)
@@ -1,3 +1,6 @@
+2.0.6 2007-09-10
+	* Change to use getpw* function calls to the _r versions from Todd Miller.
+
 2.0.5 2007-08-23
 	* Replace genhomedircon script with equivalent functionality within
 	  libsemanage and introduce disable-genhomedircon option in
Modified: trunk/libsemanage/VERSION
===================================================================
--- trunk/libsemanage/VERSION	2007-09-10 19:29:37 UTC (rev 2555)
+++ trunk/libsemanage/VERSION	2007-09-10 19:30:31 UTC (rev 2556)
@@ -1 +1 @@
-2.0.5
+2.0.6
      From: <ssm...@us...> - 2007-09-10 19:29:39
      
| Revision: 2555
          http://selinux.svn.sourceforge.net/selinux/?rev=2555&view=rev
Author:   ssmalley
Date:     2007-09-10 12:29:37 -0700 (Mon, 10 Sep 2007)
Log Message:
-----------
Author: "Todd C. Miller"
Email: tm...@tr...
Subject: libsemanage: genhomedircon replacement
Date: Thu, 6 Sep 2007 15:16:24 -0400 (EDT)
Stephen Smalley wrote:
> BTW, the C code shouldn't be using getpwnam or getpwent - it should be
> using the _r versions of those functions since it is a library.
Below is a diff to use the _r versions.  I sent this out some time ago
but apparently it didn't make it to the list.
 - todd
 genhomedircon.c |   32 +++++++++++++++++++++++++++-----
 1 file changed, 27 insertions(+), 5 deletions(-)
Modified Paths:
--------------
    trunk/libsemanage/src/genhomedircon.c
Modified: trunk/libsemanage/src/genhomedircon.c
===================================================================
--- trunk/libsemanage/src/genhomedircon.c	2007-09-10 19:25:54 UTC (rev 2554)
+++ trunk/libsemanage/src/genhomedircon.c	2007-09-10 19:29:37 UTC (rev 2555)
@@ -41,6 +41,7 @@
 #include <fcntl.h>
 #include <pwd.h>
 #include <errno.h>
+#include <unistd.h>
 
 /* paths used in get_home_dirs() */
 #define PATH_ETC_USERADD "/etc/default/useradd"
@@ -145,11 +146,13 @@
 {
 	semanage_list_t *homedir_list = NULL;
 	semanage_list_t *shells = NULL;
+	char *rbuf = NULL;
 	char *path = NULL;
+	long rbuflen;
 	size_t minuid = 0;
 	size_t minuid_set = 0;
 	size_t temp;
-	struct passwd *pwbuf;
+	struct passwd pwstorage, *pwbuf;
 	struct stat buf;
 
 	shells = get_shell_list();
@@ -215,8 +218,14 @@
 		minuid_set = 1;
 	}
 
+	rbuflen = sysconf(_SC_GETPW_R_SIZE_MAX);
+	if (rbuflen <= 0)
+		goto fail;
+	rbuf = malloc(rbuflen);
+	if (rbuf == NULL)
+		goto fail;
 	setpwent();
-	for (errno = 0; (pwbuf = getpwent()); errno = 0) {
+	for (errno = 0; getpwent_r(&pwstorage, rbuf, rbuflen, &pwbuf) == 0; errno = 0) {
 		if (pwbuf->pw_uid < minuid)
 			continue;
 		if (!semanage_list_find(shells, pwbuf->pw_shell))
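Review bot: Using `getpwent_r(&pwstorage, rbuf, rbuflen, &pwbuf) == 0` as the loop condition ends the enumeration on any non-zero return, so an ERANGE (an entry larger than the buffer) is indistinguishable from end-of-file and the home-directory list is silently truncated; the _r functions return the error number rather than setting errno, so the errno check that appears to follow the loop (outside this hunk) presumably cannot see it either. Capturing the return value, e.g. `while ((rc = getpwent_r(&pwstorage, rbuf, rbuflen, &pwbuf)) == 0)` and treating anything other than the end-of-enumeration code as an error, would keep the old failure reporting. Separately, `sysconf(_SC_GETPW_R_SIZE_MAX)` legitimately returns -1 when there is no fixed limit, which `if (rbuflen <= 0) goto fail;` turns into a hard failure (the same pattern is used before the getpwnam_r loop in a later hunk); falling back to a default buffer size is the usual idiom. The enclosing function starts and ends outside this hunk.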
@@ -244,6 +253,7 @@
 		     "Returning list so far.");
 	}
 	endpwent();
+	free(rbuf);
 	semanage_list_destroy(&shells);
 	if (semanage_list_sort(&homedir_list))
 		goto fail;
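Review bot: `free(rbuf);` on the success path is followed by `goto fail;` when `semanage_list_sort` fails, and the `fail:` label in the next hunk frees `rbuf` a second time — a double free. Set the pointer to NULL after the first release, `free(rbuf); rbuf = NULL;`, or move the free to after the sort. `semanage_list_destroy(&shells)` is also reached twice on that path; that is safe only if it nulls the pointer it is given, which is not visible here.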
@@ -251,6 +261,8 @@
 	return homedir_list;
 
       fail:
+	endpwent();
+	free(rbuf);
 	semanage_list_destroy(&homedir_list);
 	semanage_list_destroy(&shells);
 	return NULL;
@@ -496,8 +508,10 @@
 	const char *name = NULL;
 	const char *seuname = NULL;
 	const char *prefix = NULL;
-	struct passwd *pwent = NULL;
+	struct passwd pwstorage, *pwent = NULL;
 	unsigned int i;
+	long rbuflen;
+	char *rbuf = NULL;
 	int retval;
 
 	*errors = 0;
@@ -514,6 +528,14 @@
 	qsort(user_list, nusers, sizeof(semanage_user_t *),
 	      (int (*)(const void *, const void *))&user_sort_func);
 
+	/* Allocate space for the getpwnam_r buffer */
+	rbuflen = sysconf(_SC_GETPW_R_SIZE_MAX);
+	if (rbuflen <= 0)
+		goto cleanup;
+	rbuf = malloc(rbuflen);
+	if (rbuf == NULL)
+		goto cleanup;
+
 	for (i = 0; i < nseusers; i++) {
 		name = semanage_seuser_get_name(seuser_list[i]);
 		seuname = semanage_seuser_get_sename(seuser_list[i]);
@@ -536,8 +558,7 @@
 		}
 
 		errno = 0;
-		pwent = getpwnam(name);
-		if (!pwent) {
+		if (getpwnam_r(name, &pwstorage, rbuf, rbuflen, &pwent) != 0) {
 			if (errno != 0) {
 				*errors = STATUS_ERR;
 				goto cleanup;
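Review bot: `if (getpwnam_r(name, &pwstorage, rbuf, rbuflen, &pwent) != 0)` enters the error block only on a non-zero return, but a user that does not exist is reported with return 0 and `pwent == NULL`, so the not-found case now falls through with a NULL `pwent` where the original `if (!pwent)` caught it. The condition should read `if (getpwnam_r(name, &pwstorage, rbuf, rbuflen, &pwent) != 0 || !pwent) {`. The `errno != 0` test inside the block should also be based on the return value, since the _r functions report failures as a return code and errno is not portably set. The enclosing function starts before this hunk.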
@@ -561,6 +582,7 @@
 	}
 
       cleanup:
+	free(rbuf);
 	if (*errors) {
 		for (; head; pop_user_entry(&head)) {
 			/* the pop function takes care of all the cleanup
      From: <ssm...@us...> - 2007-09-10 19:25:56
      
| Revision: 2554
          http://selinux.svn.sourceforge.net/selinux/?rev=2554&view=rev
Author:   ssmalley
Date:     2007-09-10 12:25:54 -0700 (Mon, 10 Sep 2007)
Log Message:
-----------
updated libselinux to version 2.0.32
Modified Paths:
--------------
    trunk/libselinux/ChangeLog
    trunk/libselinux/VERSION
Modified: trunk/libselinux/ChangeLog
===================================================================
--- trunk/libselinux/ChangeLog	2007-09-10 19:24:47 UTC (rev 2553)
+++ trunk/libselinux/ChangeLog	2007-09-10 19:25:54 UTC (rev 2554)
@@ -1,3 +1,6 @@
+2.0.32 2007-09-10
+	* Fix swig binding for rpm_execcon from James Athey.
+
 2.0.31 2007-08-23
 	* Fix file_contexts.homedirs path from Todd Miller.
 
Modified: trunk/libselinux/VERSION
===================================================================
--- trunk/libselinux/VERSION	2007-09-10 19:24:47 UTC (rev 2553)
+++ trunk/libselinux/VERSION	2007-09-10 19:25:54 UTC (rev 2554)
@@ -1 +1 @@
-2.0.31
+2.0.32
      From: <ssm...@us...> - 2007-09-10 19:24:50
      
| Revision: 2553
          http://selinux.svn.sourceforge.net/selinux/?rev=2553&view=rev
Author:   ssmalley
Date:     2007-09-10 12:24:47 -0700 (Mon, 10 Sep 2007)
Log Message:
-----------
Author: James Athey
Email: ja...@tr...
Subject: libselinux: fix rpm_execcon in SWIG bindings
Date: Wed, 05 Sep 2007 15:35:22 -0400
On Tue, 2007-09-04 at 10:23 -0400, Daniel J Walsh wrote:
> https://bugzilla.redhat.com/show_bug.cgi?id=276121
> 
> Bug in refactored SWIG Bindings.
> 
> 
> #!/usr/bin/python
> 
> import selinux
> args = [ "/bin/bash", "--version" ]
> selinux.rpm_execcon(0, args[0], args, [ ])
> 
> Produces:
> 
> Traceback (most recent call last):
>   File "test.py", line 5, in <module>
>     selinux.rpm_execcon(0, args[0], args, [ ])
> TypeError: in method 'rpm_execcon', argument 3 of type 'char *const []'
> 
> Version-Release number of selected component (if applicable):
> libselinux-2.0.31-3.fc8
> 
> James, do you have a nice quick fix for this?
It's nice, it's quick, and I think it's a fix, but I'll let you be the
judge of that.
Modified Paths:
--------------
    trunk/libselinux/src/selinux.py
    trunk/libselinux/src/selinuxswig_python.i
    trunk/libselinux/src/selinuxswig_wrap.c
Modified: trunk/libselinux/src/selinux.py
===================================================================
--- trunk/libselinux/src/selinux.py	2007-09-10 19:23:04 UTC (rev 2552)
+++ trunk/libselinux/src/selinux.py	2007-09-10 19:24:47 UTC (rev 2553)
@@ -277,6 +277,7 @@
 selinux_file_context_local_path = _selinux.selinux_file_context_local_path
 selinux_homedir_context_path = _selinux.selinux_homedir_context_path
 selinux_media_context_path = _selinux.selinux_media_context_path
+selinux_x_context_path = _selinux.selinux_x_context_path
 selinux_contexts_path = _selinux.selinux_contexts_path
 selinux_securetty_types_path = _selinux.selinux_securetty_types_path
 selinux_booleans_path = _selinux.selinux_booleans_path
Modified: trunk/libselinux/src/selinuxswig_python.i
===================================================================
--- trunk/libselinux/src/selinuxswig_python.i	2007-09-10 19:23:04 UTC (rev 2552)
+++ trunk/libselinux/src/selinuxswig_python.i	2007-09-10 19:24:47 UTC (rev 2553)
@@ -98,4 +98,41 @@
 	}
 }
 
+%typemap(in) char * const [] {
+	int i, size;
+	PyObject * s;
+
+	if (!PySequence_Check($input)) {
+		PyErr_SetString(PyExc_ValueError, "Expected a sequence");
+		return NULL;
+	}
+
+	size = PySequence_Size($input);
+	
+	$1 = (char**) malloc(size + 1);
+
+	for(i = 0; i < size; i++) {
+		if (!PyString_Check(PySequence_GetItem($input, i))) {
+			PyErr_SetString(PyExc_ValueError, "Sequence must contain only strings");
+			return NULL;
+		}
+	}
+		
+	for(i = 0; i < size; i++) {
+		s = PySequence_GetItem($input, i);
+		$1[i] = (char*) malloc(PyString_Size(s) + 1);
+		strcpy($1[i], PyString_AsString(s));
+	}
+	$1[size] = NULL;
+}
+
+%typemap(freearg,match="in") char * const [] {
+	int i = 0;
+	while($1[i]) {
+		free($1[i]);
+		i++;
+	}
+	free($1);
+}
+
 %include "selinuxswig.i"
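Review bot: `$1 = (char**) malloc(size + 1);` allocates size+1 bytes rather than size+1 pointers, so any argv or envp list longer than a couple of entries overflows the heap block on the `$1[i] =` and `$1[size] = NULL` stores; these arrays are the arguments handed to rpm_execcon, so the allocation must be sized in pointers and its result checked. Every `PySequence_GetItem` also returns a new reference that is never released, and the bare `return NULL` exits bypass the freearg typemap, so the array already built for argument 3 leaks when argument 4 is rejected (the generated copies in selinuxswig_wrap.c below carry the same code). The freearg block should additionally tolerate a NULL array; if the generated wrapper zero-initialises arg3/arg4, the `return NULL` exits could then become `SWIG_fail` so the earlier argument is released. A sketch of the corrected typemaps follows.
```c
%typemap(in) char * const [] {
	int i, size;
	PyObject * s;
	/* … unchanged: PySequence_Check test … */
	size = PySequence_Size($input);

	/* validate before allocating so an early exit leaks nothing */
	for(i = 0; i < size; i++) {
		s = PySequence_GetItem($input, i);
		if (!s || !PyString_Check(s)) {
			Py_XDECREF(s);
			PyErr_SetString(PyExc_ValueError, "Sequence must contain only strings");
			return NULL;
		}
		Py_DECREF(s);
	}

	$1 = (char**) malloc((size + 1) * sizeof(char *));
	if (!$1) {
		PyErr_NoMemory();
		return NULL;
	}

	for(i = 0; i < size; i++) {
		s = PySequence_GetItem($input, i);
		$1[i] = (char*) malloc(PyString_Size(s) + 1);
		strcpy($1[i], PyString_AsString(s));
		Py_DECREF(s);
	}
	$1[size] = NULL;
}

%typemap(freearg,match="in") char * const [] {
	int i = 0;
	if ($1) {
		while($1[i]) {
			free($1[i]);
			i++;
		}
		free($1);
	}
}
```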
Modified: trunk/libselinux/src/selinuxswig_wrap.c
===================================================================
--- trunk/libselinux/src/selinuxswig_wrap.c	2007-09-10 19:23:04 UTC (rev 2552)
+++ trunk/libselinux/src/selinuxswig_wrap.c	2007-09-10 19:24:47 UTC (rev 2553)
@@ -6856,6 +6856,19 @@
 }
 
 
+SWIGINTERN PyObject *_wrap_selinux_x_context_path(PyObject *SWIGUNUSEDPARM(self), PyObject *args) {
+  PyObject *resultobj = 0;
+  char *result = 0 ;
+  
+  if (!PyArg_ParseTuple(args,(char *)":selinux_x_context_path")) SWIG_fail;
+  result = (char *)selinux_x_context_path();
+  resultobj = SWIG_FromCharPtr((const char *)result);
+  return resultobj;
+fail:
+  return NULL;
+}
+
+
 SWIGINTERN PyObject *_wrap_selinux_contexts_path(PyObject *SWIGUNUSEDPARM(self), PyObject *args) {
   PyObject *resultobj = 0;
   char *result = 0 ;
@@ -7078,10 +7091,6 @@
   int res2 ;
   char *buf2 = 0 ;
   int alloc2 = 0 ;
-  void *argp3 = 0 ;
-  int res3 = 0 ;
-  void *argp4 = 0 ;
-  int res4 = 0 ;
   PyObject * obj0 = 0 ;
   PyObject * obj1 = 0 ;
   PyObject * obj2 = 0 ;
@@ -7098,22 +7107,98 @@
     SWIG_exception_fail(SWIG_ArgError(res2), "in method '" "rpm_execcon" "', argument " "2"" of type '" "char const *""'");
   }
   arg2 = (char *)(buf2);
-  res3 = SWIG_ConvertPtr(obj2, &argp3,SWIGTYPE_p_p_char, 0 |  0 );
-  if (!SWIG_IsOK(res3)) {
-    SWIG_exception_fail(SWIG_ArgError(res3), "in method '" "rpm_execcon" "', argument " "3"" of type '" "char *const []""'"); 
-  } 
-  arg3 = (char **)(argp3);
-  res4 = SWIG_ConvertPtr(obj3, &argp4,SWIGTYPE_p_p_char, 0 |  0 );
-  if (!SWIG_IsOK(res4)) {
-    SWIG_exception_fail(SWIG_ArgError(res4), "in method '" "rpm_execcon" "', argument " "4"" of type '" "char *const []""'"); 
-  } 
-  arg4 = (char **)(argp4);
+  {
+    int i, size;
+    PyObject * s;
+    
+    if (!PySequence_Check(obj2)) {
+      PyErr_SetString(PyExc_ValueError, "Expected a sequence");
+      return NULL;
+    }
+    
+    size = PySequence_Size(obj2);
+    
+    arg3 = (char**) malloc(size + 1);
+    
+    for(i = 0; i < size; i++) {
+      if (!PyString_Check(PySequence_GetItem(obj2, i))) {
+        PyErr_SetString(PyExc_ValueError, "Sequence must contain only strings");
+        return NULL;
+      }
+    }
+    
+    for(i = 0; i < size; i++) {
+      s = PySequence_GetItem(obj2, i);
+      arg3[i] = (char*) malloc(PyString_Size(s) + 1);
+      strcpy(arg3[i], PyString_AsString(s));
+    }
+    arg3[size] = NULL;
+  }
+  {
+    int i, size;
+    PyObject * s;
+    
+    if (!PySequence_Check(obj3)) {
+      PyErr_SetString(PyExc_ValueError, "Expected a sequence");
+      return NULL;
+    }
+    
+    size = PySequence_Size(obj3);
+    
+    arg4 = (char**) malloc(size + 1);
+    
+    for(i = 0; i < size; i++) {
+      if (!PyString_Check(PySequence_GetItem(obj3, i))) {
+        PyErr_SetString(PyExc_ValueError, "Sequence must contain only strings");
+        return NULL;
+      }
+    }
+    
+    for(i = 0; i < size; i++) {
+      s = PySequence_GetItem(obj3, i);
+      arg4[i] = (char*) malloc(PyString_Size(s) + 1);
+      strcpy(arg4[i], PyString_AsString(s));
+    }
+    arg4[size] = NULL;
+  }
   result = (int)rpm_execcon(arg1,(char const *)arg2,(char *const (*))arg3,(char *const (*))arg4);
   resultobj = SWIG_From_int((int)(result));
   if (alloc2 == SWIG_NEWOBJ) free((char*)buf2);
+  {
+    int i = 0;
+    while(arg3[i]) {
+      free(arg3[i]);
+      i++;
+    }
+    free(arg3);
+  }
+  {
+    int i = 0;
+    while(arg4[i]) {
+      free(arg4[i]);
+      i++;
+    }
+    free(arg4);
+  }
   return resultobj;
 fail:
   if (alloc2 == SWIG_NEWOBJ) free((char*)buf2);
+  {
+    int i = 0;
+    while(arg3[i]) {
+      free(arg3[i]);
+      i++;
+    }
+    free(arg3);
+  }
+  {
+    int i = 0;
+    while(arg4[i]) {
+      free(arg4[i]);
+      i++;
+    }
+    free(arg4);
+  }
   return NULL;
 }
 
@@ -8002,6 +8087,7 @@
 	 { (char *)"selinux_file_context_local_path", _wrap_selinux_file_context_local_path, METH_VARARGS, NULL},
 	 { (char *)"selinux_homedir_context_path", _wrap_selinux_homedir_context_path, METH_VARARGS, NULL},
 	 { (char *)"selinux_media_context_path", _wrap_selinux_media_context_path, METH_VARARGS, NULL},
+	 { (char *)"selinux_x_context_path", _wrap_selinux_x_context_path, METH_VARARGS, NULL},
 	 { (char *)"selinux_contexts_path", _wrap_selinux_contexts_path, METH_VARARGS, NULL},
 	 { (char *)"selinux_securetty_types_path", _wrap_selinux_securetty_types_path, METH_VARARGS, NULL},
 	 { (char *)"selinux_booleans_path", _wrap_selinux_booleans_path, METH_VARARGS, NULL},
      From: <ssm...@us...> - 2007-09-10 19:23:06
      
| Revision: 2552
          http://selinux.svn.sourceforge.net/selinux/?rev=2552&view=rev
Author:   ssmalley
Date:     2007-09-10 12:23:04 -0700 (Mon, 10 Sep 2007)
Log Message:
-----------
updated sepolgen to version 1.0.10
Modified Paths:
--------------
    trunk/sepolgen/ChangeLog
    trunk/sepolgen/VERSION
Modified: trunk/sepolgen/ChangeLog
===================================================================
--- trunk/sepolgen/ChangeLog	2007-09-10 19:21:52 UTC (rev 2551)
+++ trunk/sepolgen/ChangeLog	2007-09-10 19:23:04 UTC (rev 2552)
@@ -1,3 +1,7 @@
+1.0.10 2007-09-10
+	* Expand the sepolgen parser to parse all current refpolicy modules from Karl MacMillan.
+	* Suppress generation of rules for non-denials from Karl MacMillan (take 3).
+
 1.0.9 2007-08-16
 	* Supress generation of rules for non-denials from Karl MacMillan.
 
Modified: trunk/sepolgen/VERSION
===================================================================
--- trunk/sepolgen/VERSION	2007-09-10 19:21:52 UTC (rev 2551)
+++ trunk/sepolgen/VERSION	2007-09-10 19:23:04 UTC (rev 2552)
@@ -1 +1 @@
-1.0.9
+1.0.10
      From: <ssm...@us...> - 2007-09-10 19:21:57
      
| Revision: 2551
          http://selinux.svn.sourceforge.net/selinux/?rev=2551&view=rev
Author:   ssmalley
Date:     2007-09-10 12:21:52 -0700 (Mon, 10 Sep 2007)
Log Message:
-----------
Author: Karl MacMillan
Email: kma...@me...
Subject: Expand sepolgen parser to parse all modules
Date: Mon, 03 Sep 2007 12:21:11 -0400
Expand the sepolgen parser so that it is capable of parsing all of the current
reference policy modules in addition to the headers. The parser likely needs
some more cleanup (it is currently very ambiguous, though this doesn't seem to
cause any harm in practice).
Signed-off-by: User "Karl MacMillan <kma...@me...>"
Modified Paths:
--------------
    trunk/sepolgen/src/sepolgen/refparser.py
    trunk/sepolgen/src/sepolgen/refpolicy.py
Modified: trunk/sepolgen/src/sepolgen/refparser.py
===================================================================
--- trunk/sepolgen/src/sepolgen/refparser.py	2007-09-10 19:20:32 UTC (rev 2550)
+++ trunk/sepolgen/src/sepolgen/refparser.py	2007-09-10 19:21:52 UTC (rev 2551)
@@ -1,6 +1,6 @@
 # Authors: Karl MacMillan <kma...@me...>
 #
-# Copyright (C) 2006 Red Hat
+# Copyright (C) 2006-2007 Red Hat
 # see file 'COPYING' for use and warranty information
 #
 # This program is free software; you can redistribute it and/or
@@ -32,6 +32,7 @@
 import sys
 import os
 import re
+import traceback
 
 import refpolicy
 import access
@@ -65,7 +66,23 @@
     'EXPL',
     'EQUAL',
     'IDENTIFIER',
+    'NUMBER',
+    'PATH',
+    'IPV6_ADDR',
     # reserved words
+    #   module
+    'MODULE',
+    'POLICY_MODULE',
+    'REQUIRE',
+    #   flask
+    'SID',
+    'GENFSCON',
+    'FS_USE_XATTR',
+    'FS_USE_TRANS',
+    'FS_USE_TASK',
+    'PORTCON',
+    'NODECON',
+    'NETIFCON',
     #   object classes
     'CLASS',
     #   types and attributes
@@ -76,6 +93,8 @@
     'TYPEALIAS',
     #   conditional policy
     'BOOL',
+    'TRUE',
+    'FALSE',
     'IF',
     'ELSE',
     #   users and roles
@@ -85,6 +104,7 @@
     'ALLOW',
     'DONTAUDIT',
     'AUDITALLOW',
+    'NEVERALLOW',
     'TYPE_TRANSITION',
     'TYPE_CHANGE',
     'TYPE_MEMBER',
@@ -96,6 +116,7 @@
     'TUNABLE_POLICY',
     'GEN_REQ',
     'TEMPLATE',
+    'GEN_CONTEXT',
     #   m4
     'IFDEF',
     'IFNDEF',
@@ -105,6 +126,19 @@
 # All reserved keywords - see t_IDENTIFIER for how these are matched in
 # the lexer.
 reserved = {
+    # module
+    'module' : 'MODULE',
+    'policy_module' : 'POLICY_MODULE',
+    'require' : 'REQUIRE',
+    # flask
+    'sid' : 'SID',
+    'genfscon' : 'GENFSCON',
+    'fs_use_xattr' : 'FS_USE_XATTR',
+    'fs_use_trans' : 'FS_USE_TRANS',
+    'fs_use_task' : 'FS_USE_TASK',
+    'portcon' : 'PORTCON',
+    'nodecon' : 'NODECON',
+    'netifcon' : 'NETIFCON',
     # object classes
     'class' : 'CLASS',
     # types and attributes
@@ -115,6 +149,8 @@
     'typealias' : 'TYPEALIAS',
     # conditional policy
     'bool' : 'BOOL',
+    'true' : 'TRUE',
+    'false' : 'FALSE',
     'if' : 'IF',
     'else' : 'ELSE',
     # users and roles
@@ -124,6 +160,7 @@
     'allow' : 'ALLOW',
     'dontaudit' : 'DONTAUDIT',
     'auditallow' : 'AUDITALLOW',
+    'neverallow' : 'NEVERALLOW',
     'type_transition' : 'TYPE_TRANSITION',
     'type_change' : 'TYPE_CHANGE',
     'type_member' : 'TYPE_MEMBER',
@@ -135,6 +172,7 @@
     'tunable_policy' : 'TUNABLE_POLICY',
     'gen_require' : 'GEN_REQ',
     'template' : 'TEMPLATE',
+    'gen_context' : 'GEN_CONTEXT',
     # M4
     'ifndef' : 'IFNDEF',
     'ifdef' : 'IFDEF',
@@ -162,26 +200,34 @@
 t_BAR       = r'\|'
 t_EXPL      = r'\!'
 t_EQUAL     = r'\='
+t_NUMBER    = r'[0-9\.]+'
+t_PATH      = r'/[a-zA-Z0-9)_\.\*/]*'
+#t_IPV6_ADDR = r'[a-fA-F0-9]{0,4}:[a-fA-F0-9]{0,4}:([a-fA-F0-9]{0,4}:)*'
 
 # Ignore whitespace - this is a special token for ply that more efficiently
 # ignores uninteresting tokens.
 t_ignore    = " \t"
 
 # More complex tokens
+def t_IPV6_ADDR(t):
+    r'[a-fA-F0-9]{0,4}:[a-fA-F0-9]{0,4}:([a-fA-F0-9]|:)*'
+    # This is a function simply to force it sooner into
+    # the regex list
+    return t
 
 def t_m4comment(t):
     r'dnl.*\n'
     # Ignore all comments
-    t.lineno += 1
+    t.lexer.lineno += 1
 
 def t_refpolicywarn(t):
     r'refpolicywarn\(.*\n'
     # Ignore refpolicywarn statements - they sometimes
     # contain text that we can't parse.
-    t.lineno += 1
-    
+    t.lexer.lineno += 1
+
 def t_IDENTIFIER(t):
-    r'[a-zA-Z_\$][a-zA-Z0-9_\.\$\*]*'
+    r'[a-zA-Z_\$][a-zA-Z0-9_\-\.\$\*]*'
     # Handle any keywords
     t.type = reserved.get(t.value,'IDENTIFIER')
     return t
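Review bot: `t_PATH = r'/[a-zA-Z0-9)_\.\*/]*'` has a literal `)` inside the character class, which looks like a typo rather than an intended path character — `-` seems the likelier candidate, given that the IDENTIFIER rule in this same hunk just gained `\-`; worth checking against the paths in the modules being parsed. `t_NUMBER = r'[0-9\.]+'` also accepts a bare `.` or `..`, so a stray dot would be lexed as a NUMBER; `r'[0-9]+(\.[0-9]+)*'` is tighter if only dotted version strings are expected. The commented-out `#t_IPV6_ADDR` line duplicates the function rule defined just below it and can be dropped.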
@@ -189,7 +235,7 @@
 def t_comment(t):
     r'\#.*\n'
     # Ignore all comments
-    t.lineno += 1
+    t.lexer.lineno += 1
 
 def t_error(t):
     print "Illegal character '%s'" % t.value[0]
@@ -197,7 +243,7 @@
 
 def t_newline(t):
     r'\n+'
-    t.lineno += len(t.value)
+    t.lexer.lineno += len(t.value)
 
 # :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
 #
@@ -243,137 +289,40 @@
                   | statements statement
                   | empty
     '''
-    if len(p) == 2:
+    if len(p) == 2 and p[1]:
         m.children.append(p[1])
-    elif len(p) > 2:
+    elif len(p) > 2 and p[2]:
         m.children.append(p[2])
 
 def p_statement(p):
     '''statement : interface
                  | template
                  | obj_perm_set
+                 | policy
+                 | policy_module_stmt
+                 | module_stmt
     '''
     p[0] = p[1]
 
-# Basic terminals - identifiers and lists of identifiers. These must
-# be handled somewhat gracefully. Names returns an IdSet and care must
-# be taken that this is _assigned_ to an object to correctly update
-# all of the flags (as opposed to using update). The other terminals
-# return list - this is to preserve ordering if it is important for
-# parsing (for example, interface_call must retain the ordering). Other
-# times the list should be used to update an IdSet.
-
-def p_names(p):
-    '''names : identifier
-             | nested_id_set
-             | asterisk
-             | TILDE identifier
-             | TILDE nested_id_set
-             | IDENTIFIER MINUS IDENTIFIER
-    '''
-    s = refpolicy.IdSet()
-    if len(p) < 3:
-        expand(p[1], s)
-    elif len(p) == 3:
-        expand(p[2], s)
-        s.compliment = True
-    else:
-        expand([p[1]])
-        s.add("-" + p[3])
-    p[0] = s
-
-def p_identifier(p):
-    'identifier : IDENTIFIER'
-    p[0] = [p[1]]
-
-def p_asterisk(p):
-    'asterisk : ASTERISK'
-    p[0] = [p[1]]
-
-def p_nested_id_set(p):
-    '''nested_id_set : OBRACE nested_id_list CBRACE
-    '''
-    p[0] = p[2]
-
-def p_nested_id_list(p):
-    '''nested_id_list : nested_id_element
-                      | nested_id_list nested_id_element
-    '''
-    if len(p) == 2:
-        p[0] = p[1]
-    else:
-        p[0] = p[1] + p[2]
-
-def p_nested_id_element(p):
-    '''nested_id_element : identifier
-                         | MINUS IDENTIFIER
-                         | nested_id_set
-    '''
-    if len(p) == 2:
-        p[0] = p[1]
-    else:
-        # For now just leave the '-'
-        str = "-" + p[2]
-        p[0] = [str]
-
-def p_interface_call_param(p):
-    '''interface_call_param : IDENTIFIER
-                            | IDENTIFIER MINUS IDENTIFIER
-                            | nested_id_set
-    '''
-    # Intentionally let single identifiers pass through
-    # List means set, non-list identifier
-    if len(p) == 2:
-        p[0] = p[1]
-    else:
-        p[0] = [p[1], "-" + p[3]]
-
-def p_interface_call_param_list(p):
-    '''interface_call_param_list : interface_call_param
-                                 | interface_call_param_list COMMA interface_call_param
-    '''
-    if len(p) == 2:
-        p[0] = [p[1]]
-    else:
-        p[0] = p[1] + [p[3]]
-
-
-def p_comma_list(p):
-    '''comma_list : nested_id_list
-                  | comma_list COMMA nested_id_list
-    '''
-    if len(p) > 2:
-        p[1] = p[1] + p[3]
-    p[0] = p[1]
-
-def p_optional_semi(p):
-    '''optional_semi : SEMI
-                   | empty'''
-    pass
-
-def p_cond_expr(p):
-    '''cond_expr : IDENTIFIER
-                 | EXPL cond_expr
-                 | cond_expr AMP AMP cond_expr
-                 | cond_expr BAR BAR cond_expr
-                 | cond_expr EQUAL EQUAL cond_expr
-                 | cond_expr EXPL EQUAL cond_expr
-    '''
-    l = len(p)
-    if l == 2:
-        p[0] = [p[1]]
-    elif l == 3:
-        p[0] = [p[1]] + p[2]
-    else:
-        p[0] = p[1] + [p[2] + p[3]] + p[4]
-
-
 def p_empty(p):
     'empty :'
     pass
 
+#
 # Reference policy language constructs
+#
 
+# This is for the policy module statement (e.g., policy_module(foo,1.2.0)).
+# We have a separate terminal for either the basic language module statement
+# and interface calls to make it easier to identifier.
+def p_policy_module_stmt(p):
+    'policy_module_stmt : POLICY_MODULE OPAREN IDENTIFIER COMMA NUMBER CPAREN'
+    m = refpolicy.ModuleDeclaration()
+    m.name = p[3]
+    m.version = p[5]
+    m.refpolicy = True
+    p[0] = m
+
 def p_interface(p):
     '''interface : INTERFACE OPAREN TICK IDENTIFIER SQUOTE COMMA TICK interface_stmts SQUOTE CPAREN
     '''
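Review bot: The comment above `p_policy_module_stmt` is garbled — "a separate terminal for either the basic language module statement and interface calls to make it easier to identifier" — and a reader cannot tell what it distinguishes. Suggest `# policy_module(foo, 1.2.0) gets its own non-terminal so it is not mistaken for an interface call (or for the raw language's module statement).` The `p_define` rule added later in this file uses a DEFINE token that is not among the tokens added in this commit; presumably it already exists elsewhere in the lexer, but that is not visible here.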
@@ -389,22 +338,37 @@
     collect(p[8], x)
     p[0] = x
 
+def p_define(p):
+    '''define : DEFINE OPAREN TICK IDENTIFIER SQUOTE CPAREN'''
+    # This is for defining single M4 values (to be used later in ifdef statements).
+    # Example: define(`sulogin_no_pam'). We don't currently do anything with these
+    # but we should in the future when we correctly resolve ifdef statements.
+    p[0] = None
+
 def p_interface_stmts(p):
     '''interface_stmts : policy
                        | interface_stmts policy
                        | empty
     '''
-    if len(p) == 2:
+    if len(p) == 2 and p[1]:
         p[0] = p[1]
     elif len(p) > 2:
-        p[0] = p[1] + p[2]
+        if not p[1]:
+            if p[2]:
+                p[0] = p[2]
+        elif not p[2]:
+            p[0] = p[1]
+        else:
+            p[0] = p[1] + p[2]
 
 def p_optional_policy(p):
+    '''optional_policy : OPT_POLICY OPAREN TICK interface_stmts SQUOTE CPAREN
+                       | OPT_POLICY OPAREN TICK interface_stmts SQUOTE COMMA TICK interface_stmts SQUOTE CPAREN
     '''
-    optional_policy : OPT_POLICY OPAREN TICK interface_stmts SQUOTE CPAREN
-    '''
     o = refpolicy.OptionalPolicy()
-    o.children = p[4]
+    collect(p[4], o, val=True)
+    if len(p) > 7:
+        collect(p[8], o, val=False)
     p[0] = [o]
 
 def p_tunable_policy(p):
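Review bot: The four-way None handling in p_interface_stmts is hard to read for what it does, which is concatenate whichever of p[1]/p[2] is non-empty and leave p[0] unset when both are empty (the case p_define and the `empty` production now produce). The whole function body collapses to `p[0] = (p[1] or []) + (p[2] if len(p) > 2 and p[2] else []) or None`, which keeps p[0] as None in the all-empty case so p_optional_policy's collect() sees the same values as before. A one-line comment saying that None children are dropped here on purpose would also help, since p_policy_stmt later relies on it.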
@@ -434,19 +398,48 @@
     p[0] = [x]
 
 def p_interface_call(p):
-    'interface_call : IDENTIFIER OPAREN interface_call_param_list CPAREN'
+    '''interface_call : IDENTIFIER OPAREN interface_call_param_list CPAREN
+                      | IDENTIFIER OPAREN CPAREN
+                      | IDENTIFIER OPAREN interface_call_param_list CPAREN SEMI'''
+    # Allow spurious semi-colons at the end of interface calls
     i = refpolicy.InterfaceCall(ifname=p[1])
-
-    i.args.extend(p[3])
+    if len(p) > 4:
+        i.args.extend(p[3])
     p[0] = i
 
+def p_interface_call_param(p):
+    '''interface_call_param : IDENTIFIER
+                            | IDENTIFIER MINUS IDENTIFIER
+                            | nested_id_set
+                            | TRUE
+                            | FALSE
+    '''
+    # Intentionally let single identifiers pass through
+    # List means set, non-list identifier
+    if len(p) == 2:
+        p[0] = p[1]
+    else:
+        p[0] = [p[1], "-" + p[3]]
+
+def p_interface_call_param_list(p):
+    '''interface_call_param_list : interface_call_param
+                                 | interface_call_param_list COMMA interface_call_param
+    '''
+    if len(p) == 2:
+        p[0] = [p[1]]
+    else:
+        p[0] = p[1] + [p[3]]
+
+
 def p_obj_perm_set(p):
     'obj_perm_set : DEFINE OPAREN TICK IDENTIFIER SQUOTE COMMA TICK names SQUOTE CPAREN'
     s = refpolicy.ObjPermSet(p[4])
     s.perms = p[8]
     p[0] = s
-
+    
+#
 # Basic SELinux policy language
+#
 
 def p_policy(p):
     '''policy : policy_stmt
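Review bot: The comment says spurious semicolons are allowed after interface calls, but the grammar only accepts them for the form with arguments: `foo(a);` parses while `foo();` is still a syntax error, because the argument-less alternative has no SEMI variant. Adding `| IDENTIFIER OPAREN CPAREN SEMI` would make the two forms consistent, at which point `len(p) > 4` no longer distinguishes them (both `foo(a)` and `foo();` have len(p) == 5); testing the production's value instead, `if isinstance(p[3], list): i.args.extend(p[3])`, works because p_interface_call_param_list always yields a list and CPAREN yields a token value. The TRUE/FALSE alternatives added to p_interface_call_param pass the raw token value through unchanged, which is worth saying in the docstring since callers of InterfaceCall.args will see the strings "true"/"false", not Python booleans.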
@@ -470,11 +463,29 @@
                    | attribute_def
                    | range_transition_def
                    | role_transition_def
+                   | bool
+                   | define
+                   | initial_sid
+                   | genfscon
+                   | fs_use
+                   | portcon
+                   | nodecon
+                   | netifcon
     '''
-    p[0] = [p[1]]
+    if p[1]:
+        p[0] = [p[1]]
 
+def p_module_stmt(p):
+    'module_stmt : MODULE IDENTIFIER NUMBER SEMI'
+    m = refpolicy.ModuleDeclaration()
+    m.name = p[2]
+    m.version = p[3]
+    m.refpolicy = False
+    p[0] = m
+
 def p_gen_require(p):
-    'gen_require : GEN_REQ OPAREN TICK requires SQUOTE CPAREN'
+    '''gen_require : GEN_REQ OPAREN TICK requires SQUOTE CPAREN
+                   | REQUIRE OBRACE requires CBRACE'''
     # We ignore the require statements - they are redundant data from our point-of-view.
     # Checkmodule will verify them later anyway so we just assume that they match what
     # is in the rest of the interface.
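Review bot: p_policy_stmt now leaves p[0] unset whenever the statement object is falsy, which after this change happens for every `define` (p_define returns None) and for nothing else in the listed alternatives; that contract is invisible at the call site and only works because p_interface_stmts drops None children. Add a comment above the guard, e.g. `# A statement that yields no node (currently only define) leaves p[0] as None; interface_stmts skips it.` The same applies to p_module_stmt's version, which is stored as the raw NUMBER token string rather than parsed, mirroring p_policy_module_stmt; a one-line note that both ModuleDeclaration.version fields hold the lexeme as written would save a reader from looking for a conversion.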
@@ -497,6 +508,121 @@
     '''
     pass
 
+def p_security_context(p):
+    '''security_context : IDENTIFIER COLON IDENTIFIER COLON IDENTIFIER
+                        | IDENTIFIER COLON IDENTIFIER COLON IDENTIFIER COLON mls_range_def'''
+    # This will likely need some updates to handle complex levels
+    s = refpolicy.SecurityContext()
+    s.user = p[1]
+    s.role = p[3]
+    s.type = p[5]
+    if len(p) > 6:
+        s.level = p[7]
+
+    p[0] = s
+
+def p_gen_context(p):
+    '''gen_context : GEN_CONTEXT OPAREN security_context COMMA mls_range_def CPAREN
+    '''
+    # We actually store gen_context statements in a SecurityContext
+    # object - it knows how to output either a bare context or a
+    # gen_context statement.
+    s = p[3]
+    s.level = p[5]
+    
+    p[0] = s
+
+def p_context(p):
+    '''context : security_context
+               | gen_context
+    '''
+    p[0] = p[1]
+
+def p_initial_sid(p):
+    '''initial_sid : SID IDENTIFIER context'''
+    s = refpolicy.InitialSid()
+    s.name = p[2]
+    s.context = p[3]
+    p[0] = s
+
+def p_genfscon(p):
+    '''genfscon : GENFSCON IDENTIFIER PATH context'''
+    
+    g = refpolicy.GenfsCon()
+    g.filesystem = p[2]
+    g.path = p[3]
+    g.context = p[4]
+
+    p[0] = g
+
+def p_fs_use(p):
+    '''fs_use : FS_USE_XATTR IDENTIFIER context SEMI
+              | FS_USE_TASK IDENTIFIER context SEMI
+              | FS_USE_TRANS IDENTIFIER context SEMI
+    '''
+    f = refpolicy.FilesystemUse()
+    if p[1] == "fs_use_xattr":
+        f.type = refpolicy.FilesystemUse.XATTR
+    elif p[1] == "fs_use_task":
+        f.type = refpolicy.FilesystemUse.TASK
+    elif p[1] == "fs_use_trans":
+        f.type = refpolicy.FilesystemUse.TRANS
+
+    f.filesystem = p[2]
+    f.context = p[3]
+
+    p[0] = f
+
+def p_portcon(p):
+    '''portcon : PORTCON IDENTIFIER NUMBER context
+               | PORTCON IDENTIFIER NUMBER MINUS NUMBER context'''
+    c = refpolicy.PortCon()
+    c.port_type = p[2]
+    if len(p) == 5:
+        c.port_number = p[3]
+        c.context = p[4]
+    else:
+        c.port_number = p[3] + "-" + p[4]
+        c.context = p[5]
+
+    p[0] = c
+
+def p_nodecon(p):
+    '''nodecon : NODECON NUMBER NUMBER context
+               | NODECON IPV6_ADDR IPV6_ADDR context
+    '''
+    n = refpolicy.NodeCon()
+    n.start = p[2]
+    n.end = p[3]
+    n.context = p[4]
+
+    p[0] = n
+
+def p_netifcon(p):
+    'netifcon : NETIFCON IDENTIFIER context context'
+    n = refpolicy.NetifCon()
+    n.interface = p[2]
+    n.interface_context = p[3]
+    n.packet_context = p[4]
+
+    p[0] = n
+
+def p_mls_range_def(p):
+    '''mls_range_def : mls_level_def MINUS mls_level_def
+                     | mls_level_def
+    '''
+    p[0] = p[1]
+    if len(p) > 2:
+        p[0] = p[0] + "-" + p[3]
+
+def p_mls_level_def(p):
+    '''mls_level_def : IDENTIFIER COLON comma_list
+                     | IDENTIFIER
+    '''
+    p[0] = p[1]
+    if len(p) > 2:
+        p[0] = p[0] + ":" + ",".join(p[3])
+    
 def p_type_def(p):
     '''type_def : TYPE IDENTIFIER COMMA comma_list SEMI
                 | TYPE IDENTIFIER SEMI
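Review bot: The port-range branch of p_portcon indexes the wrong symbols: for `PORTCON IDENTIFIER NUMBER MINUS NUMBER context` p[4] is the MINUS token and p[6] is the context, so `c.port_number = p[3] + "-" + p[4]` produces something like `80--` and `c.context = p[5]` stores the second port number string where the SecurityContext should be. The fix is `c.port_number = p[3] + "-" + p[5]` and `c.context = p[6]`. Because this parser feeds policy generation, a silently mislabeled port range is exactly the kind of error that would only show up when the re-emitted policy fails to load or, worse, loads with the wrong label. Also note that p_fs_use falls through to FilesystemUse's default (XATTR) if p[1] matches none of the three keywords; since the grammar guarantees one of them, an `else: raise` or a comment saying the default is unreachable would make that explicit.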
@@ -528,10 +654,12 @@
     p[0] = t
 
 def p_role_def(p):
-    'role_def : ROLE IDENTIFIER TYPES comma_list SEMI'
+    '''role_def : ROLE IDENTIFIER TYPES comma_list SEMI
+                | ROLE IDENTIFIER SEMI'''
     r = refpolicy.Role()
     r.role = p[2]
-    r.types.update(p[4])
+    if len(p) > 4:
+        r.types.update(p[4])
     p[0] = r
 
 def p_role_allow(p):
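Review bot: The new `ROLE IDENTIFIER SEMI` alternative parses correctly, but the object it builds will not round-trip: Role.to_string (visible later in this diff as a context line) unconditionally emits `"role %s types %s;"`, so a declaration-only `role r;` comes back out as `role r types ;`, which is not valid policy. Guard the emitter, e.g. `if not self.types: return "role %s;" % self.role`, or have this production record that no types clause was present. A short comment here stating that types is left empty for the declaration-only form would also help the next reader.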
@@ -545,12 +673,15 @@
     '''avrule_def : ALLOW names names COLON names names SEMI
                   | DONTAUDIT names names COLON names names SEMI
                   | AUDITALLOW names names COLON names names SEMI
+                  | NEVERALLOW names names COLON names names SEMI
     '''
     a = refpolicy.AVRule()
     if p[1] == 'dontaudit':
         a.rule_type = refpolicy.AVRule.DONTAUDIT
     elif p[1] == 'auditallow':
         a.rule_type = refpolicy.AVRule.AUDITALLOW
+    elif p[1] == 'neverallow':
+        a.rule_type = refpolicy.AVRule.NEVERALLOW
     a.src_types = p[2]
     a.tgt_types = p[3]
     a.obj_classes = p[5]
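Review bot: neverallow is now parsed into the same AVRule class as allow, distinguished only by rule_type, so any consumer that iterates AVRules as granted access without checking rule_type would treat a prohibition as a permission; I cannot see those consumers in this diff, but the access-vector code this parser feeds should be audited for `rule_type == ALLOW` checks. The if/elif chain also leaves rule_type at the constructor default for `allow`, which is correct but implicit; a dict mapping keyword to constant, `a.rule_type = _AV_RULE_TYPES[p[1]]`, would make every keyword explicit and fail loudly on an unexpected one. AVRule.to_string is not shown in this diff and must also learn to emit `neverallow` for the new constant.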
@@ -573,6 +704,17 @@
     t.dest_type = p[6]
     p[0] = t
 
+def p_bool(p):
+    '''bool : BOOL IDENTIFIER TRUE SEMI
+            | BOOL IDENTIFIER FALSE SEMI'''
+    b = refpolicy.Bool()
+    b.name = p[2]
+    if p[3] == "true":
+        b.state = True
+    else:
+        b.state = False
+    p[0] = b
+
 def p_conditional(p):
     ''' conditional : IF OPAREN cond_expr CPAREN OBRACE interface_stmts CBRACE
                     | IF OPAREN cond_expr CPAREN OBRACE interface_stmts CBRACE ELSE OBRACE interface_stmts CBRACE
@@ -591,18 +733,6 @@
     t.attributes.update(p[3])
     p[0] = t
 
-def p_mls_level_def(p):
-    '''mls_level_def : IDENTIFIER COLON comma_list
-                     | IDENTIFIER'''
-    pass
-
-def p_mls_range_def(p):
-    '''mls_range_def : mls_level_def MINUS mls_level_def
-                     | mls_level_def
-    '''
-    pass
-
-
 def p_range_transition_def(p):
     '''range_transition_def : RANGE_TRANSITION names names COLON names mls_range_def SEMI
                             | RANGE_TRANSITION names names names SEMI'''
@@ -612,6 +742,106 @@
     '''role_transition_def : ROLE_TRANSITION names names names SEMI'''
     pass
 
+def p_cond_expr(p):
+    '''cond_expr : IDENTIFIER
+                 | EXPL cond_expr
+                 | cond_expr AMP AMP cond_expr
+                 | cond_expr BAR BAR cond_expr
+                 | cond_expr EQUAL EQUAL cond_expr
+                 | cond_expr EXPL EQUAL cond_expr
+    '''
+    l = len(p)
+    if l == 2:
+        p[0] = [p[1]]
+    elif l == 3:
+        p[0] = [p[1]] + p[2]
+    else:
+        p[0] = p[1] + [p[2] + p[3]] + p[4]
+
+
+#
+# Basic terminals
+#
+
+# Identifiers and lists of identifiers. These must
+# be handled somewhat gracefully. Names returns an IdSet and care must
+# be taken that this is _assigned_ to an object to correctly update
+# all of the flags (as opposed to using update). The other terminals
+# return list - this is to preserve ordering if it is important for
+# parsing (for example, interface_call must retain the ordering). Other
+# times the list should be used to update an IdSet.
+
+def p_names(p):
+    '''names : identifier
+             | nested_id_set
+             | asterisk
+             | TILDE identifier
+             | TILDE nested_id_set
+             | IDENTIFIER MINUS IDENTIFIER
+    '''
+    s = refpolicy.IdSet()
+    if len(p) < 3:
+        expand(p[1], s)
+    elif len(p) == 3:
+        expand(p[2], s)
+        s.compliment = True
+    else:
+        expand([p[1]])
+        s.add("-" + p[3])
+    p[0] = s
+
+def p_identifier(p):
+    'identifier : IDENTIFIER'
+    p[0] = [p[1]]
+
+def p_asterisk(p):
+    'asterisk : ASTERISK'
+    p[0] = [p[1]]
+
+def p_nested_id_set(p):
+    '''nested_id_set : OBRACE nested_id_list CBRACE
+    '''
+    p[0] = p[2]
+
+def p_nested_id_list(p):
+    '''nested_id_list : nested_id_element
+                      | nested_id_list nested_id_element
+    '''
+    if len(p) == 2:
+        p[0] = p[1]
+    else:
+        p[0] = p[1] + p[2]
+
+def p_nested_id_element(p):
+    '''nested_id_element : identifier
+                         | MINUS IDENTIFIER
+                         | nested_id_set
+    '''
+    if len(p) == 2:
+        p[0] = p[1]
+    else:
+        # For now just leave the '-'
+        str = "-" + p[2]
+        p[0] = [str]
+
+def p_comma_list(p):
+    '''comma_list : nested_id_list
+                  | comma_list COMMA nested_id_list
+    '''
+    if len(p) > 2:
+        p[1] = p[1] + p[3]
+    p[0] = p[1]
+
+def p_optional_semi(p):
+    '''optional_semi : SEMI
+                   | empty'''
+    pass
+
+
+#
+# Interface to the parser
+#
+
 def p_error(tok):
     global error
     error = "Syntax error on line %d %s [type=%s]" % (tok.lineno, tok.value, tok.type)
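Review bot: In p_names the `IDENTIFIER MINUS IDENTIFIER` branch calls `expand([p[1]])` without the target set, while the other two branches call `expand(p[1], s)`; as written the positive identifier is never added to the IdSet (and the call presumably raises a TypeError if expand requires two arguments), so `foo - bar` would yield a set containing only `-bar`. It should read `expand([p[1]], s)`. Minor style in p_nested_id_element: the local named `str` shadows the builtin; `neg = "-" + p[2]` reads better. The comment block above p_names says the other terminals return lists to preserve ordering, which is a useful contract and should be kept with the code.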
@@ -624,8 +854,6 @@
     for x in spt:
         map[x.name] = x
 
-
-
 parser = None
 lexer = None
 def create_globals(module, support, debug):
@@ -648,12 +876,13 @@
     create_globals(module, support, debug)
     lexer.lexdata = []
     lexer.lexpos = 0
+    lexer.lineno = 1
 
     try:
         parser.parse(text, debug=debug)
     except Exception, e:
         global error
-        error = "internal parser error: %s" % str(e)
+        error = "internal parser error: %s" % str(e) + "\n" + traceback.format_exc()
 
     if error is not None:
         msg = 'could not parse text: "%s"' % error
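Review bot: The new handler appends `traceback.format_exc()`, but no `import traceback` appears anywhere in this diff; if the module does not already import it, the except clause itself raises NameError and the original parse exception is lost. Either add the import at the top of the module or drop the traceback from the message and let callers log it. The `lexer.lineno = 1` reset is a good fix for line numbers drifting across successive parse() calls and deserves a one-line comment saying so, since nothing else in the function explains why the lexer state is reset by hand. The enclosing function starts outside this hunk.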
@@ -733,7 +962,7 @@
         headers.children.append(spt)
 
         # FIXME: Total hack - add in can_exec rather than parse the insanity
-        # of misc_macros. We are just going to preten that this is an interface
+        # of misc_macros. We are just going to pretend that this is an interface
         # to make the expansion work correctly.
         can_exec = refpolicy.Interface("can_exec")
         av = access.AccessVector(["$1","$2","file","execute_no_trans","read",
Modified: trunk/sepolgen/src/sepolgen/refpolicy.py
===================================================================
--- trunk/sepolgen/src/sepolgen/refpolicy.py	2007-09-10 19:20:32 UTC (rev 2550)
+++ trunk/sepolgen/src/sepolgen/refpolicy.py	2007-09-10 19:21:52 UTC (rev 2551)
@@ -49,7 +49,12 @@
 
 # Base Classes
 
-class Node:
+class PolicyBase:
+    def __init__(self, parent=None):
+        self.parent = None
+        self.comment = None
+
+class Node(PolicyBase):
     """Base class objects produced from parsing the reference policy.
 
     The Node class is used as the base class for any non-leaf
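Review bot: PolicyBase.__init__ accepts `parent` but then writes `self.parent = None`, so the parameter is discarded; the Node.__init__ it replaces in this same diff did `self.parent = parent`, so every constructor in refpolicy.py that was just extended with a parent argument now silently loses it. The line should be `self.parent = parent`. A short class docstring stating that PolicyBase only carries the parent link and the comment slot shared by Node and Leaf would make the intent of the new base class clear.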
@@ -67,9 +72,8 @@
     """
 
     def __init__(self, parent=None):
-        self.parent = parent
+        PolicyBase.__init__(self, parent)
         self.children = []
-        self.comment = None
 
     def __iter__(self):
         return iter(self.children)
@@ -131,9 +135,9 @@
         return ""
 
 
-class Leaf:
-    def __init__(self):
-        self.comment = None
+class Leaf(PolicyBase):
+    def __init__(self, parent=None):
+        PolicyBase.__init__(self, parent)
 
     def __str__(self):
         if self.comment:
@@ -244,14 +248,14 @@
 
 class SecurityContext(Leaf):
     """An SELinux security context with optional MCS / MLS fields."""
-    def __init__(self, context=None):
+    def __init__(self, context=None, parent=None):
         """Create a SecurityContext object, optionally from a string.
 
         Parameters:
            [context] - string representing a security context. Same format
               as a string passed to the from_string method.
         """
-        Leaf.__init__(self)
+        Leaf.__init__(self, parent)
         self.user = ""
         self.role = ""
         self.type = ""
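Review bot: The docstring's Parameters list still describes only `context` and does not mention the new `parent` argument. Add a line alongside it, e.g. `[parent] - optional enclosing policy node; passed through to Leaf.__init__ (default None)`, so the signature and the documentation agree.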
@@ -314,7 +318,7 @@
             fields.append(self.level)
         return ":".join(fields)
 
-class ObjectClass:
+class ObjectClass(Leaf):
     """SELinux object class and permissions.
 
     This class is a basic representation of an SELinux object
@@ -322,7 +326,8 @@
     just the union of the common and class specific permissions.
     It is meant to be convenient for policy generation.
     """
-    def __init__(self, name=""):
+    def __init__(self, name="", parent=None):
+        Leaf.__init__(self, parent)
         self.name = name
         self.perms = IdSet()
 
@@ -333,8 +338,8 @@
 
     This class represents a typeattribute statement.
     """
-    def __init__(self):
-        Leaf.__init__(self)
+    def __init__(self, parent=None):
+        Leaf.__init__(self, parent)
         self.type = ""
         self.attributes = IdSet()
 
@@ -342,8 +347,8 @@
         return "typeattribute %s %s;" % (self.type, self.attributes.to_comma_str())
 
 class Role(Leaf):
-    def __init__(self):
-        Leaf.__init__(self)
+    def __init__(self, parent=None):
+        Leaf.__init__(self, parent)
         self.role = ""
         self.types = IdSet()
 
@@ -351,8 +356,8 @@
         return "role %s types %s;" % (self.role, self.types.to_comma_str())
 
 class Type(Leaf):
-    def __init__(self, name=""):
-        Leaf.__init__(self)
+    def __init__(self, name="", parent=None):
+        Leaf.__init__(self, parent)
         self.name = name
         self.attributes = IdSet()
         self.aliases = IdSet()
@@ -366,8 +371,8 @@
         return s + ";"
 
 class TypeAlias(Leaf):
-    def __init__(self):
-        Leaf.__init__(self)
+    def __init__(self, parent=None):
+        Leaf.__init__(self, parent)
         self.type = ""
         self.aliases = IdSet()
 
@@ -375,8 +380,8 @@
         return "typealias %s alias %s;" % (self.type, self.aliases.to_space_str())
 
 class Attribute(Leaf):
-    def __init__(self, name=""):
-        Leaf.__init__(self)
+    def __init__(self, name="", parent=None):
+        Leaf.__init__(self, parent)
         self.name = name
 
     def to_string(self):
@@ -403,9 +408,10 @@
     ALLOW = 0
     DONTAUDIT = 1
     AUDITALLOW = 2
+    NEVERALLOW = 3
 
-    def __init__(self, av=None):
-        Leaf.__init__(self)
+    def __init__(self, av=None, parent=None):
+        Leaf.__init__(self, parent)
         self.src_types = IdSet()
         self.tgt_types = IdSet()
         self.obj_classes = IdSet()
@@ -455,8 +461,8 @@
     TYPE_CHANGE = 1
     TYPE_MEMBER = 2
 
-    def __init__(self):
-        Leaf.__init__(self)
+    def __init__(self, parent=None):
+        Leaf.__init__(self, parent)
         self.src_types = IdSet()
         self.tgt_types = IdSet()
         self.obj_classes = IdSet()
@@ -479,8 +485,8 @@
                                      self.dest_type)
 
 class RoleAllow(Leaf):
-    def __init__(self):
-        Leaf.__init__(self)
+    def __init__(self, parent=None):
+        Leaf.__init__(self, parent)
         self.src_roles = IdSet()
         self.tgt_roles = IdSet()
 
@@ -489,8 +495,8 @@
                                  self.tgt_roles.to_comma_str())
 
 class ModuleDeclaration(Leaf):
-    def __init__(self):
-        Leaf.__init__(self)
+    def __init__(self, parent=None):
+        Leaf.__init__(self, parent)
         self.name = ""
         self.version = ""
         self.refpolicy = False
@@ -501,8 +507,99 @@
         else:
             return "module %s %s;" % (self.name, self.version)
 
+class Conditional(Node):
+    def __init__(self, parent=None):
+        Node.__init__(self, parent)
+        self.cond_expr = []
 
+    def to_string(self):
+        return "[If %s]" % list_to_space_str(self.cond_expr, cont=("", ""))
 
+class Bool(Leaf):
+    def __init__(self, parent=None):
+        Leaf.__init__(self, parent)
+        self.name = ""
+        self.state = False
+
+    def to_string(self):
+        s = "bool %s " % self.name
+        if s.state:
+            return s + "true"
+        else:
+            return s + "false"
+
+class InitialSid(Leaf):
+    def __init(self, parent=None):
+        Leaf.__init__(self, parent)
+        self.name = ""
+        self.context = None
+
+    def to_string(self):
+        return "sid %s %s" % (self.name, str(self.context))
+
+class GenfsCon(Leaf):
+    def __init__(self, parent=None):
+        Leaf.__init__(self, parent)
+        self.filesystem = ""
+        self.path = ""
+        self.context = None
+
+    def to_string(self):
+        return "genfscon %s %s %s" % (self.filesystem, self.path, str(self.context))
+
+class FilesystemUse(Leaf):
+    XATTR = 1
+    TRANS = 2
+    TASK = 3
+    
+    def __init__(self, parent=None):
+        Leaf.__init__(self, parent)
+        self.type = self.XATTR
+        self.filesystem = ""
+        self.context = None
+
+    def to_string(self):
+        s = ""
+        if self.type == XATTR:
+            s = "fs_use_xattr "
+        elif self.type == TRANS:
+            s = "fs_use_trans "
+        elif self.type == TASK:
+            s = "fs_use_task "
+
+        return "%s %s %s;" % (s, self.filesystem, str(self.context))
+
+class PortCon(Leaf):
+    def __init__(self, parent=None):
+        Leaf.__init__(self, parent)
+        self.port_type = ""
+        self.port_number = ""
+        self.context = None
+
+    def to_string(self):
+        return "portcon %s %s %s" % (self.port_type, self.port_number, str(self.context))
+
+class NodeCon(Leaf):
+    def __init__(self, parent=None):
+        Leaf.__init__(self, parent)
+        self.start = ""
+        self.end = ""
+        self.context = None
+
+    def to_string(self):
+        return "nodecon %s %s %s" % (self.start, self.end, str(self.context))
+
+class NetifCon(Leaf):
+    def __init__(self, parent=None):
+        Leaf.__init__(self, parent)
+        self.interface = ""
+        self.interface_context = None
+        self.packet_context = None
+
+    def to_string(self):
+        return "netifcon %s %s %s" % (self.interface, str(self.interface_context),
+                                   str(self.packet_context))
+
 # Reference policy specific types
 
 def print_tree(head):
@@ -564,17 +661,9 @@
     def to_string(self):
         return "[Ifdef name: %s]" % self.name
 
-class Conditional(Node):
-    def __init__(self, parent=None):
-        Node.__init__(self, parent)
-        self.cond_expr = []
-
-    def to_string(self):
-        return "[If %s]" % list_to_space_str(self.cond_expr, cont=("", ""))
-
 class InterfaceCall(Leaf):
-    def __init__(self, ifname=""):
-        Leaf.__init__(self)
+    def __init__(self, ifname="", parent=None):
+        Leaf.__init__(self, parent)
         self.ifname = ifname
         self.args = []
         self.comments = []
@@ -651,8 +740,8 @@
         return self.map.has_key(name)
 
 class Require(Leaf):
-    def __init__(self):
-        Leaf.__init__(self)
+    def __init__(self, parent=None):
+        Leaf.__init__(self, parent)
         self.types = IdSet()
         self.obj_classes = { }
         self.roles = IdSet()