From: <ssm...@us...> - 2006-08-30 13:21:02
Revision: 2001
Author:   ssmalley
Date:     2006-08-30 06:20:52 -0700 (Wed, 30 Aug 2006)
ViewCVS:  http://svn.sourceforge.net/selinux/?rev=2001&view=rev

Log Message:
-----------
Move tag to temporary location so that we can restructure it. Direct move to subdirectory not allowed.

Added Paths:
-----------
    tags/libsepol_1_12_25_tmp/

Removed Paths:
-------------
    tags/libsepol_1_12_25/

Copied: tags/libsepol_1_12_25_tmp (from rev 2000, tags/libsepol_1_12_25)

This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site.
From: <ssm...@us...> - 2006-08-30 13:24:27
Revision: 2003
Author:   ssmalley
Date:     2006-08-30 06:24:12 -0700 (Wed, 30 Aug 2006)
ViewCVS:  http://svn.sourceforge.net/selinux/?rev=2003&view=rev

Log Message:
-----------
Move into place.

Added Paths:
-----------
    tags/libsepol_1_12_25/libsepol/

Removed Paths:
-------------
    tags/libsepol_1_12_25_tmp/

Copied: tags/libsepol_1_12_25/libsepol (from rev 2002, tags/libsepol_1_12_25_tmp)
From: <ssm...@us...> - 2006-08-30 13:26:13
Revision: 2004
Author:   ssmalley
Date:     2006-08-30 06:26:04 -0700 (Wed, 30 Aug 2006)
ViewCVS:  http://svn.sourceforge.net/selinux/?rev=2004&view=rev

Log Message:
-----------
Move aside so we can restructure.

Added Paths:
-----------
    tags/libselinux_1_30_27_tmp/

Removed Paths:
-------------
    tags/libselinux_1_30_27/

Copied: tags/libselinux_1_30_27_tmp (from rev 2003, tags/libselinux_1_30_27)
From: <ssm...@us...> - 2006-08-30 13:27:05
Revision: 2006
Author:   ssmalley
Date:     2006-08-30 06:26:56 -0700 (Wed, 30 Aug 2006)
ViewCVS:  http://svn.sourceforge.net/selinux/?rev=2006&view=rev

Log Message:
-----------
Move into place.

Added Paths:
-----------
    tags/libselinux_1_30_27/libselinux/

Removed Paths:
-------------
    tags/libselinux_1_30_27_tmp/

Copied: tags/libselinux_1_30_27/libselinux (from rev 2005, tags/libselinux_1_30_27_tmp)
From: <ssm...@us...> - 2006-08-30 13:28:16
Revision: 2007
Author:   ssmalley
Date:     2006-08-30 06:28:10 -0700 (Wed, 30 Aug 2006)
ViewCVS:  http://svn.sourceforge.net/selinux/?rev=2007&view=rev

Log Message:
-----------
Move aside for restructuring.

Added Paths:
-----------
    tags/policycoreutils_1_30_27_tmp/

Removed Paths:
-------------
    tags/policycoreutils_1_30_27/

Copied: tags/policycoreutils_1_30_27_tmp (from rev 2006, tags/policycoreutils_1_30_27)
From: <ssm...@us...> - 2006-08-30 13:29:10
Revision: 2009
Author:   ssmalley
Date:     2006-08-30 06:29:02 -0700 (Wed, 30 Aug 2006)
ViewCVS:  http://svn.sourceforge.net/selinux/?rev=2009&view=rev

Log Message:
-----------
Move into place.

Added Paths:
-----------
    tags/policycoreutils_1_30_27/policycoreutils/

Removed Paths:
-------------
    tags/policycoreutils_1_30_27_tmp/

Copied: tags/policycoreutils_1_30_27/policycoreutils (from rev 2008, tags/policycoreutils_1_30_27_tmp)
From: <mad...@us...> - 2006-09-05 14:49:57
Revision: 2023
          http://svn.sourceforge.net/selinux/?rev=2023&view=rev
Author:   madmethod
Date:     2006-09-05 07:49:43 -0700 (Tue, 05 Sep 2006)

Log Message:
-----------
remove broken tags

Removed Paths:
-------------
    tags/checkpolicy_1_30_11/
    tags/libsepol_1_12_26/
From: <mad...@us...> - 2006-09-05 14:57:26
Revision: 2026
          http://svn.sourceforge.net/selinux/?rev=2026&view=rev
Author:   madmethod
Date:     2006-09-05 07:57:13 -0700 (Tue, 05 Sep 2006)

Log Message:
-----------
Tag for libsepol 1.12.26

Added Paths:
-----------
    tags/libsepol_1_12_26/
    tags/libsepol_1_12_26/libsepol/

Copied: tags/libsepol_1_12_26/libsepol (from rev 2022, trunk/libsepol)
From: <mad...@us...> - 2006-09-13 15:14:09
Revision: 2029
          http://svn.sourceforge.net/selinux/?rev=2029&view=rev
Author:   madmethod
Date:     2006-09-13 08:14:00 -0700 (Wed, 13 Sep 2006)

Log Message:
-----------
tag for libselinux 1.30.28

Added Paths:
-----------
    tags/libselinux_1_30_28/
    tags/libselinux_1_30_28/libselinux/
    tags/libselinux_1_30_28/libselinux/ChangeLog
    tags/libselinux_1_30_28/libselinux/VERSION
    tags/libselinux_1_30_28/libselinux/src/setrans_client.c

Removed Paths:
-------------
    tags/libselinux_1_30_28/libselinux/ChangeLog
    tags/libselinux_1_30_28/libselinux/VERSION
    tags/libselinux_1_30_28/libselinux/src/setrans_client.c

Copied: tags/libselinux_1_30_28/libselinux (from rev 2026, trunk/libselinux)

Deleted: tags/libselinux_1_30_28/libselinux/ChangeLog
===================================================================
--- trunk/libselinux/ChangeLog	2006-09-05 14:57:13 UTC (rev 2026)
+++ tags/libselinux_1_30_28/libselinux/ChangeLog	2006-09-13 15:14:00 UTC (rev 2029)
@@ -1,550 +0,0 @@ -1.30.27 2006-08-24 - * Merged patch to not log avc stats upon a reset from Steve Grubb. - * Applied patch to revert compat_net setting upon policy load. - -1.30.26 2006-08-11 - * Merged file context homedir and local path functions from - Chris PeBenito. - -1.30.25 2006-08-11 - * Rework functions that access /proc/pid/attr to access the - per-thread nodes, and unify the code to simplify maintenance. - -1.30.24 2006-08-10 - * Merged return value fix for *getfilecon() from Dan Walsh. - -1.30.23 2006-08-10 - * Merged sockcreate interfaces from Eric Paris. - -1.30.22 2006-08-03 - * Merged no-tls-direct-seg-refs patch from Jeremy Katz. - -1.30.21 2006-08-03 - * Merged netfilter_contexts support patch from Chris PeBenito. - -1.30.20 2006-08-01 - * Merged context_*_set errno patch from Jim Meyering. - -1.30.19 2006-06-29 - * Lindent. - -1.30.18 2006-06-27 - * Merged {get,set}procattrcon patch set from Eric Paris. - * Merged re-base of keycreate patch originally by Michael LeMay from Eric Paris. - -1.30.17 2006-06-27 - * Regenerated Flask headers from refpolicy. - -1.30.16 2006-06-26 - * Merged patch from Dan Walsh with: - - Added selinux_file_context_{cmp,verify}. - - Added selinux_lsetfilecon_default. - - Delay translation of contexts in matchpathcon. - -1.30.15 2006-06-16 - * Merged patch from Dan Walsh with: - * Added selinux_getpolicytype() function. - * Modified setrans code to skip processing if !mls_enabled. - -1.30.14 2006-06-16 - * Set errno in the !selinux_mnt case. - -1.30.13 2006-06-02 - * Allocate large buffers from the heap, not on stack. - Affects is_context_customizable, selinux_init_load_policy, - and selinux_getenforcemode. - -1.30.12 2006-06-02 - * Merged !selinux_mnt checks from Ian Kent. - -1.30.11 2006-05-24 - * Merged matchmediacon and trans_to_raw_context fixes from - Serge Hallyn. - -1.30.10 2006-05-22 - * Merged simple setrans client cache from Dan Walsh. - Merged avcstat patch from Russell Coker. 
- -1.30.9 2006-05-22 - * Modified selinux_mkload_policy() to also set /selinux/compat_net - appropriately for the loaded policy. - -1.30.8 2006-05-17 - * Added matchpathcon_fini() function to free memory allocated by - matchpathcon_init(). - -1.30.7 2006-05-16 - * Merged setrans client cleanup patch from Steve Grubb. - -1.30.6 2006-05-08 - * Merged getfscreatecon man page fix from Dan Walsh. - * Updated booleans(8) man page to drop references to the old - booleans file and to note that setsebool can be used to set - the boot-time defaults via -P. - -1.30.5 2006-05-05 - * Merged fix warnings patch from Karl MacMillan. - -1.30.4 2006-05-05 - * Merged setrans client support from Dan Walsh. - This removes use of libsetrans. - * Merged patch to eliminate use of PAGE_SIZE constant from Dan Walsh. - * Merged swig typemap fixes from Glauber de Oliveira Costa. - -1.30.3 2006-04-12 - * Added distclean target to Makefile. - * Regenerated swig files. - -1.30.2 2006-04-11 - * Changed matchpathcon_init to verify that the spec file is - a regular file. - * Merged python binding t_output_helper removal patch from Dan Walsh. - -1.30.1 2006-03-20 - * Merged Makefile PYLIBVER definition patch from Dan Walsh. - -1.30 2006-03-14 - * Updated version for release. - -1.29.8 2006-02-27 - * Altered rpm_execcon fallback logic for permissive mode to also - handle case where /selinux/enforce is not available. - -1.29.7 2006-01-20 - * Merged install-pywrap Makefile patch from Joshua Brindle. - -1.29.6 2006-01-18 - * Merged pywrap Makefile patch from Dan Walsh. - -1.29.5 2006-01-11 - * Added getseuser test program. - -1.29.4 2006-01-06 - * Added format attribute to myprintf in matchpathcon.c and - removed obsoleted rootlen variable in init_selinux_config(). 
- -1.29.3 2006-01-04 - * Merged several fixes and improvements from Ulrich Drepper - (Red Hat), including: - - corrected use of getline - - further calls to __fsetlocking for local files - - use of strdupa and asprintf - - proper handling of dirent in booleans code - - use of -z relro - - several other optimizations - * Merged getpidcon python wrapper from Dan Walsh (Red Hat). - -1.29.2 2005-12-14 - * Merged call to finish_context_translations from Dan Walsh. - This eliminates a memory leak from failing to release memory - allocated by libsetrans. - -1.29.1 2005-12-08 - * Merged patch for swig interfaces from Dan Walsh. - -1.28 2005-12-07 - * Updated version for release. - -1.27.28 2005-12-01 - * Added MATCHPATHCON_VALIDATE flag for set_matchpathcon_flags() and - modified matchpathcon implementation to make context validation/ - canonicalization optional at matchpathcon_init time, deferring it - to a successful matchpathcon by default unless the new flag is set - by the caller. - -1.27.27 2005-12-01 - * Added matchpathcon_init_prefix() interface, and - reworked matchpathcon implementation to support selective - loading of file contexts entries based on prefix matching - between the pathname regex stems and the specified path - prefix (stem must be a prefix of the specified path prefix). - -1.27.26 2005-11-29 - * Merged getsebool patch from Dan Walsh. - -1.27.25 2005-11-29 - * Added -f file_contexts option to matchpathcon util. - Fixed warning message in matchpathcon_init(). - -1.27.24 2005-11-29 - * Merged Makefile python definitions patch from Dan Walsh. - -1.27.23 2005-11-28 - * Merged swigify patch from Dan Walsh. - -1.27.22 2005-11-15 - * Merged make failure in rpm_execcon non-fatal in permissive mode - patch from Ivan Gyurdiev. - -1.27.21 2005-11-08 - * Added MATCHPATHCON_NOTRANS flag for set_matchpathcon_flags() - and modified matchpathcon_init() to skip context translation - if it is set by the caller. 
- -1.27.20 2005-11-07 - * Added security_canonicalize_context() interface and - set_matchpathcon_canoncon() interface for obtaining - canonical contexts. Changed matchpathcon internals - to obtain canonical contexts by default. Provided - fallback for kernels that lack extended selinuxfs context - interface. - -1.27.19 2005-11-04 - * Merged seusers parser changes from Ivan Gyurdiev. - * Merged setsebool to libsemanage patch from Ivan Gyurdiev. - * Changed seusers parser to reject empty fields. - -1.27.18 2005-11-03 - * Merged seusers empty level handling patch from Jonathan Kim (TCS). - -1.27.17 2005-10-27 - * Changed default entry for seusers to use __default__ to avoid - ambiguity with users named "default". - -1.27.16 2005-10-27 - * Fixed init_selinux_config() handling of missing /etc/selinux/config - or missing SELINUXTYPE= definition. - * Merged selinux_translations_path() patch from Dan Walsh. - -1.27.15 2005-10-25 - * Added hidden_proto/def for get_default_context_with_role. - -1.27.14 2005-10-25 - * Merged selinux_path() and selinux_homedir_context_path() - functions from Joshua Brindle. - -1.27.13 2005-10-19 - * Merged fixes for make DESTDIR= builds from Joshua Brindle. - -1.27.12 2005-10-18 - * Merged get_default_context_with_rolelevel and man pages from - Dan Walsh (Red Hat). - -1.27.11 2005-10-18 - * Updated call to sepol_policydb_to_image for sepol changes. - -1.27.10 2005-10-17 - * Changed getseuserbyname to ignore empty lines and to handle - no matching entry in the same manner as no seusers file. - -1.27.9 2005-10-13 - * Changed selinux_mkload_policy to try downgrading the - latest policy version available to the kernel-supported version. - -1.27.8 2005-10-11 - * Changed selinux_mkload_policy to fall back to the maximum - policy version supported by libsepol if the kernel policy version - falls outside of the supported range. 
- -1.27.7 2005-10-06 - * Changed getseuserbyname to fall back to the Linux username and - NULL level if seusers config file doesn't exist unless - REQUIRESEUSERS=1 is set in /etc/selinux/config. - * Moved seusers.conf under $SELINUXTYPE and renamed to seusers. - -1.27.6 2005-10-06 - * Added selinux_init_load_policy() function as an even higher level - interface for the initial policy load by /sbin/init. This obsoletes - the load_policy() function in the sysvinit-selinux.patch. - -1.27.5 2005-10-06 - * Added selinux_mkload_policy() function as a higher level interface - for loading policy than the security_load_policy() interface. - -1.27.4 2005-10-05 - * Merged fix for matchpathcon (regcomp error checking) from Johan - Fischer. Also added use of regerror to obtain the error string - for inclusion in the error message. - -1.27.3 2005-10-03 - * Changed getseuserbyname to not require (and ignore if present) - the MLS level in seusers.conf if MLS is disabled, setting *level - to NULL in this case. - -1.27.2 2005-09-30 - * Merged getseuserbyname patch from Dan Walsh. - -1.27.1 2005-09-19 - * Merged STRIP_LEVEL patch for matchpathcon from Dan Walsh. - This allows file_contexts with MLS fields to be processed on - non-MLS-enabled systems with policies that are otherwise - identical (e.g. same type definitions). - * Merged get_ordered_context_list_with_level() function from - Dan Walsh, and added get_default_context_with_level(). - This allows MLS level selection for users other than the - default level. - -1.26 2005-09-06 - * Updated version for release. - -1.25.7 2005-09-01 - * Merged modified form of patch to avoid dlopen/dlclose by - the static libselinux from Dan Walsh. Users of the static libselinux - will not have any context translation by default. - -1.25.6 2005-08-31 - * Added public functions to export context translation to - users of libselinux (selinux_trans_to_raw_context, - selinux_raw_to_trans_context). 
- -1.25.5 2005-08-26 - * Remove special definition for context_range_set; use - common code. - -1.25.4 2005-08-25 - * Hid translation-related symbols entirely and ensured that - raw functions have hidden definitions for internal use. - * Allowed setting NULL via context_set* functions. - * Allowed whitespace in MLS component of context. - * Changed rpm_execcon to use translated functions to workaround - lack of MLS level on upgraded systems. - -1.25.3 2005-08-23 - * Merged context translation patch, originally by TCS, - with modifications by Dan Walsh (Red Hat). - -1.25.2 2005-08-11 - * Merged several fixes for error handling paths in the - AVC sidtab, matchpathcon, booleans, context, and get_context_list - code from Serge Hallyn (IBM). Bugs found by Coverity. - -1.25.1 2005-08-10 - * Removed setupns; migrated to pam. - * Merged patches to rename checkPasswdAccess() from Joshua Brindle. - Original symbol is temporarily retained for compatibility until - all callers are updated. - -1.24 2005-06-20 - * Updated version for release. - -1.23.12 2005-06-13 - * Merged security_setupns() from Chad Sellers. - -1.23.11 2005-05-19 - * Merged avcstat and selinux man page from Dan Walsh. - * Changed security_load_booleans to process booleans.local - even if booleans file doesn't exist. - -1.23.10 2005-04-29 - * Merged set_selinuxmnt patch from Bill Nottingham (Red Hat). - -1.23.9 2005-04-26 - * Rewrote get_ordered_context_list and helpers, including - changing logic to allow variable MLS fields. - -1.23.8 2005-04-25 - * Merged matchpathcon and man page patch from Dan Walsh. - -1.23.7 2005-04-12 - * Changed boolean functions to return -1 with errno ENOENT - rather than assert on a NULL selinux_mnt (i.e. selinuxfs not - mounted). - -1.23.6 2005-04-08 - * Fixed bug in matchpathcon_filespec_destroy. - -1.23.5 2005-04-05 - * Fixed bug in rpm_execcon error handling path. - -1.23.4 2005-04-04 - * Merged fix for set_matchpathcon* functions from Andreas Steinmetz. 
- * Merged fix for getconlist utility from Andreas Steinmetz. - -1.23.3 2005-03-29 - * Merged security_set_boolean_list patch from Dan Walsh. - This introduces booleans.local support for setsebool. - -1.23.2 2005-03-17 - * Merged destructors patch from Tomas Mraz. - -1.23.1 2005-03-16 - * Added set_matchpathcon_flags() function for setting flags - controlling operation of matchpathcon. MATCHPATHCON_BASEONLY - means only process the base file_contexts file, not - file_contexts.homedirs or file_contexts.local, and is for use by - setfiles -c. - * Updated matchpathcon.3 man page. - -1.22 2005-03-09 - * Updated version for release. - -1.21.13 2005-03-08 - * Fixed bug in matchpathcon_filespec_add() - failure to clear fl_head. - -1.21.12 2005-03-01 - * Changed matchpathcon_common to ignore any non-format bits in the mode. - -1.21.11 2005-02-22 - * Merged several fixes from Ulrich Drepper. - -1.21.10 2005-02-17 - * Merged matchpathcon patch for file_contexts.homedir from Dan Walsh. - * Added selinux_users_path() for path to directory containing - system.users and local.users. - -1.21.9 2005-02-09 - * Changed relabel Makefile target to use restorecon. - -1.21.8 2005-02-07 - * Regenerated av_permissions.h. - -1.21.7 2005-02-01 - * Modified avc_dump_av to explicitly check for any permissions that - cannot be mapped to string names and display them as a hex value. - -1.21.6 2005-01-31 - * Regenerated av_permissions.h. - -1.21.5 2005-01-28 - * Generalized matchpathcon internals, exported more interfaces, - and moved additional code from setfiles into libselinux so that - setfiles can directly use matchpathcon. - -1.21.4 2005-01-27 - * Prevent overflow of spec array in matchpathcon. - -1.21.3 2005-01-26 - * Fixed several uses of internal functions to avoid relocations. - * Changed rpm_execcon to check is_selinux_enabled() and fallback to - a regular execve if not enabled (or unable to determine due to a lack - of /proc, e.g. chroot'd environment). 
- - -1.21.2 2005-01-24 - * Merged minor fix for avcstat from Dan Walsh. - -1.21.1 2005-01-19 - * Merged patch from Dan Walsh, including: - - new is_context_customizable function - - changed matchpathcon to also use file_contexts.local if present - - man page cleanups - -1.20 2005-01-04 - * Changed matchpathcon to return -1 with errno ENOENT for - <<none>> entries, and also for an empty file_contexts configuration. - * Removed some trivial utils that were not useful or redundant. - * Changed BINDIR default to /usr/sbin to match change in Fedora. - * Added security_compute_member. - * Added man page for setcon. - * Merged more man pages from Dan Walsh. - * Merged avcstat from James Morris. - * Merged build fix for mips from Manoj Srivastava. - * Merged C++ support from John Ramsdell of MITRE. - * Merged setcon() function from Darrel Goeddel of TCS. - * Merged setsebool/togglesebool enhancement from Steve Grubb. - * Merged cleanup patches from Steve Grubb. - -1.18 2004-11-01 - * Merged cleanup patches from Steve Grubb. - * Added rpm_execcon. - * Merged setenforce and removable context patch from Dan Walsh. - * Merged build fix for alpha from Ulrich Drepper. - * Removed copyright/license from selinux_netlink.h - definitions only. - * Merged matchmediacon from Dan Walsh. - * Regenerated headers for new nscd permissions. - * Added get_default_context_with_role. - * Added set_matchpathcon_printf. - * Reworked av_inherit.h to allow easier re-use by kernel. - * Changed avc_has_perm_noaudit to not fail on netlink errors. - * Changed avc netlink code to check pid based on patch by Steve Grubb. - * Merged second optimization patch from Ulrich Drepper. - * Changed matchpathcon to skip invalid file_contexts entries. - * Made string tables private to libselinux. - * Merged strcat->stpcpy patch from Ulrich Drepper. - * Merged matchpathcon man page from Dan Walsh. - * Merged patch to eliminate PLTs for local syms from Ulrich Drepper. - * Autobind netlink socket. 
- * Dropped compatibility code from security_compute_user. - * Merged fix for context_range_set from Chad Hanson. - * Merged allocation failure checking patch from Chad Hanson. - * Merged avc netlink error message patch from Colin Walters. - -1.16 2004-08-19 - * Regenerated headers for nscd class. - * Merged man pages from Dan Walsh. - * Merged context_new bug fix for MLS ranges from Chad Hanson. - * Merged toggle_bool from Chris PeBenito, renamed to togglesebool. - * Renamed change_bool and show_bools to setsebool and getsebool. - * Merged security_load_booleans() function from Dan Walsh. - * Added selinux_booleans_path() function. - * Changed avc_init function prototype to use const. - * Regenerated headers for crontab permission. - * Added checkAccess from Dan Walsh. - * Merged getenforce patch from Dan Walsh. - * Regenerated headers for dbus classes. - -1.14 2004-06-16 - * Regenerated headers for fine-grained netlink classes. - * Merged selinux_config bug fix from Dan Walsh. - * Added userspace AVC man pages. - * Added man links for API calls to existing man pages documenting them. - * Replaced $HOME/.default_contexts support with /etc/selinux/contexts/users/$USER support. - * Merged patch to determine config file paths at runtime to support - reorganized layout. - * Regenerated flask headers with stable ordering. - * Merged patch for man pages from Russell Coker. - -1.12 2004-05-10 - * Updated flask files to include new SE-X security classes. - * Added security_disable function for runtime disable of SELinux prior - to initial policy load (for /sbin/init). - * Changed get_ordered_context_list to omit any reachable contexts - that are not explicitly listed in default_contexts, unless there - are no matches. - * Merged man pages from Russell Coker and Dan Walsh. - * Merged memory leak fixes from Dan Walsh. - * Merged policyvers errno patch from Chris PeBenito. - -1.10 2004-04-05 - * Merged getenforce patch from Dan Walsh. 
- * Fixed init_selinuxmnt to correctly handle use of "selinuxfs" as - the device specification, i.e. mount selinuxfs /selinux -t selinuxfs. - Based on a patch by Russell Coker. - * Merged matchpathcon buffer size fix from Dan Walsh. - -1.8 2004-03-09 - * Merged is_selinux_mls_enabled() from Chad Hanson of TCS. - * Added matchpathcon function. - * Updated userspace AVC to handle netlink selinux notifications. - -1.6 2004-02-18 - * Merged conditional policy extensions from Tresys Technology. - * Added userspace avc and SID table implementation. - * Fixed type on size in getpeercon per Thorsten Kukuk's advice. - * Fixed use of getpwnam_r per Thorsten Kukuk's advice. - * Changed to use getpwnam_r rather than getpwnam internally to - avoid clobbering any existing pwd struct obtained by the caller. - * Added getpeercon function to encapsulate getsockopt SO_PEERSEC - and handle allocation ala getfilecon. - * Changed is_selinux_enabled to return -1 on errors. - * Changed to discover selinuxfs mount point via /proc/mounts - so that the mount point can be changed without rebuilding. - -1.4 2003-12-01 - * Merged another cleanup patch from Bastian Blank and Joerg Hoh. - * Regenerate headers for new permissions. - * Merged static lib build patch from Bastian Blank and Joerg Hoh. - * Export SELINUXMNT definition, add SELINUXPOLICY definition. - * Add functions to provide access to enforce and policyvers. - * Changed is_selinux_enabled to check /proc/filesystems for selinuxfs. - * Fixed type for 'size' in *getfilecon. - * Dropped -lattr and changed #include's to <sys/xattr.h> - * Merged patch to move shared library to /lib from Dan Walsh. - * Changed get_ordered_context_list to support a failsafe context. - * Added selinuxenabled utility. - * Merged const patch from Thorsten Kukuk. - -1.2 2003-09-30 - * Change is_selinux_enabled to fail if policy isn't loaded. - * Changed Makefiles to allow non-root rpm builds. - * Added -lattr for libselinux.so to ensure proper binding. 
- -1.1 2003-08-13 - * Ensure that context strings are padded with a null byte - in case the kernel didn't include one. - * Regenerate headers, update helpers.c for code cleanup. - * Pass soname flag to linker (Colin Walters). - * Fixes for various items: add const as appropriate, handle missed OOM condition, clean up compile warnings (Colin Walters). - -1.0 2003-07-11 - * Initial public release. Copied: tags/libselinux_1_30_28/libselinux/ChangeLog (from rev 2028, trunk/libselinux/ChangeLog) =================================================================== --- tags/libselinux_1_30_28/libselinux/ChangeLog (rev 0) +++ tags/libselinux_1_30_28/libselinux/ChangeLog 2006-09-13 15:14:00 UTC (rev 2029) 
@@ -0,0 +1,553 @@ +1.30.28 2006-09-13 + * Merged patch from Steve Smalley to fix SIGPIPE in setrans_client + +1.30.27 2006-08-24 + * Merged patch to not log avc stats upon a reset from Steve Grubb. + * Applied patch to revert compat_net setting upon policy load. + +1.30.26 2006-08-11 + * Merged file context homedir and local path functions from + Chris PeBenito. + +1.30.25 2006-08-11 + * Rework functions that access /proc/pid/attr to access the + per-thread nodes, and unify the code to simplify maintenance. + +1.30.24 2006-08-10 + * Merged return value fix for *getfilecon() from Dan Walsh. + +1.30.23 2006-08-10 + * Merged sockcreate interfaces from Eric Paris. + +1.30.22 2006-08-03 + * Merged no-tls-direct-seg-refs patch from Jeremy Katz. + +1.30.21 2006-08-03 + * Merged netfilter_contexts support patch from Chris PeBenito. + +1.30.20 2006-08-01 + * Merged context_*_set errno patch from Jim Meyering. + +1.30.19 2006-06-29 + * Lindent. + +1.30.18 2006-06-27 + * Merged {get,set}procattrcon patch set from Eric Paris. + * Merged re-base of keycreate patch originally by Michael LeMay from Eric Paris. + +1.30.17 2006-06-27 + * Regenerated Flask headers from refpolicy. + +1.30.16 2006-06-26 + * Merged patch from Dan Walsh with: + - Added selinux_file_context_{cmp,verify}. + - Added selinux_lsetfilecon_default. + - Delay translation of contexts in matchpathcon. + +1.30.15 2006-06-16 + * Merged patch from Dan Walsh with: + * Added selinux_getpolicytype() function. + * Modified setrans code to skip processing if !mls_enabled. + +1.30.14 2006-06-16 + * Set errno in the !selinux_mnt case. + +1.30.13 2006-06-02 + * Allocate large buffers from the heap, not on stack. + Affects is_context_customizable, selinux_init_load_policy, + and selinux_getenforcemode. + +1.30.12 2006-06-02 + * Merged !selinux_mnt checks from Ian Kent. + +1.30.11 2006-05-24 + * Merged matchmediacon and trans_to_raw_context fixes from + Serge Hallyn. 
+ +1.30.10 2006-05-22 + * Merged simple setrans client cache from Dan Walsh. + Merged avcstat patch from Russell Coker. + +1.30.9 2006-05-22 + * Modified selinux_mkload_policy() to also set /selinux/compat_net + appropriately for the loaded policy. + +1.30.8 2006-05-17 + * Added matchpathcon_fini() function to free memory allocated by + matchpathcon_init(). + +1.30.7 2006-05-16 + * Merged setrans client cleanup patch from Steve Grubb. + +1.30.6 2006-05-08 + * Merged getfscreatecon man page fix from Dan Walsh. + * Updated booleans(8) man page to drop references to the old + booleans file and to note that setsebool can be used to set + the boot-time defaults via -P. + +1.30.5 2006-05-05 + * Merged fix warnings patch from Karl MacMillan. + +1.30.4 2006-05-05 + * Merged setrans client support from Dan Walsh. + This removes use of libsetrans. + * Merged patch to eliminate use of PAGE_SIZE constant from Dan Walsh. + * Merged swig typemap fixes from Glauber de Oliveira Costa. + +1.30.3 2006-04-12 + * Added distclean target to Makefile. + * Regenerated swig files. + +1.30.2 2006-04-11 + * Changed matchpathcon_init to verify that the spec file is + a regular file. + * Merged python binding t_output_helper removal patch from Dan Walsh. + +1.30.1 2006-03-20 + * Merged Makefile PYLIBVER definition patch from Dan Walsh. + +1.30 2006-03-14 + * Updated version for release. + +1.29.8 2006-02-27 + * Altered rpm_execcon fallback logic for permissive mode to also + handle case where /selinux/enforce is not available. + +1.29.7 2006-01-20 + * Merged install-pywrap Makefile patch from Joshua Brindle. + +1.29.6 2006-01-18 + * Merged pywrap Makefile patch from Dan Walsh. + +1.29.5 2006-01-11 + * Added getseuser test program. + +1.29.4 2006-01-06 + * Added format attribute to myprintf in matchpathcon.c and + removed obsoleted rootlen variable in init_selinux_config(). 
+ +1.29.3 2006-01-04 + * Merged several fixes and improvements from Ulrich Drepper + (Red Hat), including: + - corrected use of getline + - further calls to __fsetlocking for local files + - use of strdupa and asprintf + - proper handling of dirent in booleans code + - use of -z relro + - several other optimizations + * Merged getpidcon python wrapper from Dan Walsh (Red Hat). + +1.29.2 2005-12-14 + * Merged call to finish_context_translations from Dan Walsh. + This eliminates a memory leak from failing to release memory + allocated by libsetrans. + +1.29.1 2005-12-08 + * Merged patch for swig interfaces from Dan Walsh. + +1.28 2005-12-07 + * Updated version for release. + +1.27.28 2005-12-01 + * Added MATCHPATHCON_VALIDATE flag for set_matchpathcon_flags() and + modified matchpathcon implementation to make context validation/ + canonicalization optional at matchpathcon_init time, deferring it + to a successful matchpathcon by default unless the new flag is set + by the caller. + +1.27.27 2005-12-01 + * Added matchpathcon_init_prefix() interface, and + reworked matchpathcon implementation to support selective + loading of file contexts entries based on prefix matching + between the pathname regex stems and the specified path + prefix (stem must be a prefix of the specified path prefix). + +1.27.26 2005-11-29 + * Merged getsebool patch from Dan Walsh. + +1.27.25 2005-11-29 + * Added -f file_contexts option to matchpathcon util. + Fixed warning message in matchpathcon_init(). + +1.27.24 2005-11-29 + * Merged Makefile python definitions patch from Dan Walsh. + +1.27.23 2005-11-28 + * Merged swigify patch from Dan Walsh. + +1.27.22 2005-11-15 + * Merged make failure in rpm_execcon non-fatal in permissive mode + patch from Ivan Gyurdiev. + +1.27.21 2005-11-08 + * Added MATCHPATHCON_NOTRANS flag for set_matchpathcon_flags() + and modified matchpathcon_init() to skip context translation + if it is set by the caller. 
+ +1.27.20 2005-11-07 + * Added security_canonicalize_context() interface and + set_matchpathcon_canoncon() interface for obtaining + canonical contexts. Changed matchpathcon internals + to obtain canonical contexts by default. Provided + fallback for kernels that lack extended selinuxfs context + interface. + +1.27.19 2005-11-04 + * Merged seusers parser changes from Ivan Gyurdiev. + * Merged setsebool to libsemanage patch from Ivan Gyurdiev. + * Changed seusers parser to reject empty fields. + +1.27.18 2005-11-03 + * Merged seusers empty level handling patch from Jonathan Kim (TCS). + +1.27.17 2005-10-27 + * Changed default entry for seusers to use __default__ to avoid + ambiguity with users named "default". + +1.27.16 2005-10-27 + * Fixed init_selinux_config() handling of missing /etc/selinux/config + or missing SELINUXTYPE= definition. + * Merged selinux_translations_path() patch from Dan Walsh. + +1.27.15 2005-10-25 + * Added hidden_proto/def for get_default_context_with_role. + +1.27.14 2005-10-25 + * Merged selinux_path() and selinux_homedir_context_path() + functions from Joshua Brindle. + +1.27.13 2005-10-19 + * Merged fixes for make DESTDIR= builds from Joshua Brindle. + +1.27.12 2005-10-18 + * Merged get_default_context_with_rolelevel and man pages from + Dan Walsh (Red Hat). + +1.27.11 2005-10-18 + * Updated call to sepol_policydb_to_image for sepol changes. + +1.27.10 2005-10-17 + * Changed getseuserbyname to ignore empty lines and to handle + no matching entry in the same manner as no seusers file. + +1.27.9 2005-10-13 + * Changed selinux_mkload_policy to try downgrading the + latest policy version available to the kernel-supported version. + +1.27.8 2005-10-11 + * Changed selinux_mkload_policy to fall back to the maximum + policy version supported by libsepol if the kernel policy version + falls outside of the supported range. 
+ +1.27.7 2005-10-06 + * Changed getseuserbyname to fall back to the Linux username and + NULL level if seusers config file doesn't exist unless + REQUIRESEUSERS=1 is set in /etc/selinux/config. + * Moved seusers.conf under $SELINUXTYPE and renamed to seusers. + +1.27.6 2005-10-06 + * Added selinux_init_load_policy() function as an even higher level + interface for the initial policy load by /sbin/init. This obsoletes + the load_policy() function in the sysvinit-selinux.patch. + +1.27.5 2005-10-06 + * Added selinux_mkload_policy() function as a higher level interface + for loading policy than the security_load_policy() interface. + +1.27.4 2005-10-05 + * Merged fix for matchpathcon (regcomp error checking) from Johan + Fischer. Also added use of regerror to obtain the error string + for inclusion in the error message. + +1.27.3 2005-10-03 + * Changed getseuserbyname to not require (and ignore if present) + the MLS level in seusers.conf if MLS is disabled, setting *level + to NULL in this case. + +1.27.2 2005-09-30 + * Merged getseuserbyname patch from Dan Walsh. + +1.27.1 2005-09-19 + * Merged STRIP_LEVEL patch for matchpathcon from Dan Walsh. + This allows file_contexts with MLS fields to be processed on + non-MLS-enabled systems with policies that are otherwise + identical (e.g. same type definitions). + * Merged get_ordered_context_list_with_level() function from + Dan Walsh, and added get_default_context_with_level(). + This allows MLS level selection for users other than the + default level. + +1.26 2005-09-06 + * Updated version for release. + +1.25.7 2005-09-01 + * Merged modified form of patch to avoid dlopen/dlclose by + the static libselinux from Dan Walsh. Users of the static libselinux + will not have any context translation by default. + +1.25.6 2005-08-31 + * Added public functions to export context translation to + users of libselinux (selinux_trans_to_raw_context, + selinux_raw_to_trans_context). 
+ +1.25.5 2005-08-26 + * Remove special definition for context_range_set; use + common code. + +1.25.4 2005-08-25 + * Hid translation-related symbols entirely and ensured that + raw functions have hidden definitions for internal use. + * Allowed setting NULL via context_set* functions. + * Allowed whitespace in MLS component of context. + * Changed rpm_execcon to use translated functions to workaround + lack of MLS level on upgraded systems. + +1.25.3 2005-08-23 + * Merged context translation patch, originally by TCS, + with modifications by Dan Walsh (Red Hat). + +1.25.2 2005-08-11 + * Merged several fixes for error handling paths in the + AVC sidtab, matchpathcon, booleans, context, and get_context_list + code from Serge Hallyn (IBM). Bugs found by Coverity. + +1.25.1 2005-08-10 + * Removed setupns; migrated to pam. + * Merged patches to rename checkPasswdAccess() from Joshua Brindle. + Original symbol is temporarily retained for compatibility until + all callers are updated. + +1.24 2005-06-20 + * Updated version for release. + +1.23.12 2005-06-13 + * Merged security_setupns() from Chad Sellers. + +1.23.11 2005-05-19 + * Merged avcstat and selinux man page from Dan Walsh. + * Changed security_load_booleans to process booleans.local + even if booleans file doesn't exist. + +1.23.10 2005-04-29 + * Merged set_selinuxmnt patch from Bill Nottingham (Red Hat). + +1.23.9 2005-04-26 + * Rewrote get_ordered_context_list and helpers, including + changing logic to allow variable MLS fields. + +1.23.8 2005-04-25 + * Merged matchpathcon and man page patch from Dan Walsh. + +1.23.7 2005-04-12 + * Changed boolean functions to return -1 with errno ENOENT + rather than assert on a NULL selinux_mnt (i.e. selinuxfs not + mounted). + +1.23.6 2005-04-08 + * Fixed bug in matchpathcon_filespec_destroy. + +1.23.5 2005-04-05 + * Fixed bug in rpm_execcon error handling path. + +1.23.4 2005-04-04 + * Merged fix for set_matchpathcon* functions from Andreas Steinmetz. 
+ * Merged fix for getconlist utility from Andreas Steinmetz. + +1.23.3 2005-03-29 + * Merged security_set_boolean_list patch from Dan Walsh. + This introduces booleans.local support for setsebool. + +1.23.2 2005-03-17 + * Merged destructors patch from Tomas Mraz. + +1.23.1 2005-03-16 + * Added set_matchpathcon_flags() function for setting flags + controlling operation of matchpathcon. MATCHPATHCON_BASEONLY + means only process the base file_contexts file, not + file_contexts.homedirs or file_contexts.local, and is for use by + setfiles -c. + * Updated matchpathcon.3 man page. + +1.22 2005-03-09 + * Updated version for release. + +1.21.13 2005-03-08 + * Fixed bug in matchpathcon_filespec_add() - failure to clear fl_head. + +1.21.12 2005-03-01 + * Changed matchpathcon_common to ignore any non-format bits in the mode. + +1.21.11 2005-02-22 + * Merged several fixes from Ulrich Drepper. + +1.21.10 2005-02-17 + * Merged matchpathcon patch for file_contexts.homedir from Dan Walsh. + * Added selinux_users_path() for path to directory containing + system.users and local.users. + +1.21.9 2005-02-09 + * Changed relabel Makefile target to use restorecon. + +1.21.8 2005-02-07 + * Regenerated av_permissions.h. + +1.21.7 2005-02-01 + * Modified avc_dump_av to explicitly check for any permissions that + cannot be mapped to string names and display them as a hex value. + +1.21.6 2005-01-31 + * Regenerated av_permissions.h. + +1.21.5 2005-01-28 + * Generalized matchpathcon internals, exported more interfaces, + and moved additional code from setfiles into libselinux so that + setfiles can directly use matchpathcon. + +1.21.4 2005-01-27 + * Prevent overflow of spec array in matchpathcon. + +1.21.3 2005-01-26 + * Fixed several uses of internal functions to avoid relocations. + * Changed rpm_execcon to check is_selinux_enabled() and fallback to + a regular execve if not enabled (or unable to determine due to a lack + of /proc, e.g. chroot'd environment). 
+ + +1.21.2 2005-01-24 + * Merged minor fix for avcstat from Dan Walsh. + +1.21.1 2005-01-19 + * Merged patch from Dan Walsh, including: + - new is_context_customizable function + - changed matchpathcon to also use file_contexts.local if present + - man page cleanups + +1.20 2005-01-04 + * Changed matchpathcon to return -1 with errno ENOENT for + <<none>> entries, and also for an empty file_contexts configuration. + * Removed some trivial utils that were not useful or redundant. + * Changed BINDIR default to /usr/sbin to match change in Fedora. + * Added security_compute_member. + * Added man page for setcon. + * Merged more man pages from Dan Walsh. + * Merged avcstat from James Morris. + * Merged build fix for mips from Manoj Srivastava. + * Merged C++ support from John Ramsdell of MITRE. + * Merged setcon() function from Darrel Goeddel of TCS. + * Merged setsebool/togglesebool enhancement from Steve Grubb. + * Merged cleanup patches from Steve Grubb. + +1.18 2004-11-01 + * Merged cleanup patches from Steve Grubb. + * Added rpm_execcon. + * Merged setenforce and removable context patch from Dan Walsh. + * Merged build fix for alpha from Ulrich Drepper. + * Removed copyright/license from selinux_netlink.h - definitions only. + * Merged matchmediacon from Dan Walsh. + * Regenerated headers for new nscd permissions. + * Added get_default_context_with_role. + * Added set_matchpathcon_printf. + * Reworked av_inherit.h to allow easier re-use by kernel. + * Changed avc_has_perm_noaudit to not fail on netlink errors. + * Changed avc netlink code to check pid based on patch by Steve Grubb. + * Merged second optimization patch from Ulrich Drepper. + * Changed matchpathcon to skip invalid file_contexts entries. + * Made string tables private to libselinux. + * Merged strcat->stpcpy patch from Ulrich Drepper. + * Merged matchpathcon man page from Dan Walsh. + * Merged patch to eliminate PLTs for local syms from Ulrich Drepper. + * Autobind netlink socket. 
+ * Dropped compatibility code from security_compute_user. + * Merged fix for context_range_set from Chad Hanson. + * Merged allocation failure checking patch from Chad Hanson. + * Merged avc netlink error message patch from Colin Walters. + +1.16 2004-08-19 + * Regenerated headers for nscd class. + * Merged man pages from Dan Walsh. + * Merged context_new bug fix for MLS ranges from Chad Hanson. + * Merged toggle_bool from Chris PeBenito, renamed to togglesebool. + * Renamed change_bool and show_bools to setsebool and getsebool. + * Merged security_load_booleans() function from Dan Walsh. + * Added selinux_booleans_path() function. + * Changed avc_init function prototype to use const. + * Regenerated headers for crontab permission. + * Added checkAccess from Dan Walsh. + * Merged getenforce patch from Dan Walsh. + * Regenerated headers for dbus classes. + +1.14 2004-06-16 + * Regenerated headers for fine-grained netlink classes. + * Merged selinux_config bug fix from Dan Walsh. + * Added userspace AVC man pages. + * Added man links for API calls to existing man pages documenting them. + * Replaced $HOME/.default_contexts support with /etc/selinux/contexts/users/$USER support. + * Merged patch to determine config file paths at runtime to support + reorganized layout. + * Regenerated flask headers with stable ordering. + * Merged patch for man pages from Russell Coker. + +1.12 2004-05-10 + * Updated flask files to include new SE-X security classes. + * Added security_disable function for runtime disable of SELinux prior + to initial policy load (for /sbin/init). + * Changed get_ordered_context_list to omit any reachable contexts + that are not explicitly listed in default_contexts, unless there + are no matches. + * Merged man pages from Russell Coker and Dan Walsh. + * Merged memory leak fixes from Dan Walsh. + * Merged policyvers errno patch from Chris PeBenito. + +1.10 2004-04-05 + * Merged getenforce patch from Dan Walsh. 
+ * Fixed init_selinuxmnt to correctly handle use of "selinuxfs" as + the device specification, i.e. mount selinuxfs /selinux -t selinuxfs. + Based on a patch by Russell Coker. + * Merged matchpathcon buffer size fix from Dan Walsh. + +1.8 2004-03-09 + * Merged is_selinux_mls_enabled() from Chad Hanson of TCS. + * Added matchpathcon function. + * Updated userspace AVC to handle netlink selinux notifications. + +1.6 2004-02-18 + * Merged conditional policy extensions from Tresys Technology. + * Added userspace avc and SID table implementation. + * Fixed type on size in getpeercon per Thorsten Kukuk's advice. + * Fixed use of getpwnam_r per Thorsten Kukuk's advice. + * Changed to use getpwnam_r rather than getpwnam internally to + avoid clobbering any existing pwd struct obtained by the caller. + * Added getpeercon function to encapsulate getsockopt SO_PEERSEC + and handle allocation ala getfilecon. + * Changed is_selinux_enabled to return -1 on errors. + * Changed to discover selinuxfs mount point via /proc/mounts + so that the mount point can be changed without rebuilding. + +1.4 2003-12-01 + * Merged another cleanup patch from Bastian Blank and Joerg Hoh. + * Regenerate headers for new permissions. + * Merged static lib build patch from Bastian Blank and Joerg Hoh. + * Export SELINUXMNT definition, add SELINUXPOLICY definition. + * Add functions to provide access to enforce and policyvers. + * Changed is_selinux_enabled to check /proc/filesystems for selinuxfs. + * Fixed type for 'size' in *getfilecon. + * Dropped -lattr and changed #include's to <sys/xattr.h> + * Merged patch to move shared library to /lib from Dan Walsh. + * Changed get_ordered_context_list to support a failsafe context. + * Added selinuxenabled utility. + * Merged const patch from Thorsten Kukuk. + +1.2 2003-09-30 + * Change is_selinux_enabled to fail if policy isn't loaded. + * Changed Makefiles to allow non-root rpm builds. + * Added -lattr for libselinux.so to ensure proper binding. 
+ +1.1 2003-08-13 + * Ensure that context strings are padded with a null byte + in case the kernel didn't include one. + * Regenerate headers, update helpers.c for code cleanup. + * Pass soname flag to linker (Colin Walters). + * Fixes for various items: add const as appropriate, handle missed OOM condition, clean up compile warnings (Colin Walters). + +1.0 2003-07-11 + * Initial public release. Deleted: tags/libselinux_1_30_28/libselinux/VERSION =================================================================== --- trunk/libselinux/VERSION 2006-09-05 14:57:13 UTC (rev 2026) +++ tags/libselinux_1_30_28/libselinux/VERSION 2006-09-13 15:14:00 UTC (rev 2029) @@ -1 +0,0 @@ -1.30.27 Copied: tags/libselinux_1_30_28/libselinux/VERSION (from rev 2028, trunk/libselinux/VERSION) =================================================================== --- tags/libselinux_1_30_28/libselinux/VERSION (rev 0) +++ tags/libselinux_1_30_28/libselinux/VERSION 2006-09-13 15:14:00 UTC (rev 2029) @@ -0,0 +1 @@ +1.30.28 Deleted: tags/libselinux_1_30_28/libselinux/src/setrans_client.c =================================================================== --- trunk/libselinux/src/setrans_client.c 2006-09-05 14:57:13 UTC (rev 2026) +++ tags/libselinux_1_30_28/libselinux/src/setrans_client.c 2006-09-13 15:14:00 UTC (rev 2029) 
@@ -1,322 +0,0 @@ -/* Copyright (c) 2006 Trusted Computer Solutions, Inc. */ - -#include <sys/types.h> -#include <sys/socket.h> -#include <sys/un.h> - -#include <errno.h> -#include <stdlib.h> -#include <netdb.h> - -#include <stdio.h> -#include <string.h> -#include <ctype.h> -#include <unistd.h> -#include "dso.h" -#include "selinux_internal.h" -#include "setrans_internal.h" - -static int mls_enabled = -1; - -// Simple cache -static __thread security_context_t prev_t2r_trans = NULL; -static __thread security_context_t prev_t2r_raw = NULL; -static __thread security_context_t prev_r2t_trans = NULL; -static __thread security_context_t prev_r2t_raw = NULL; - -int cache_trans hidden = 1; - -/* - * setransd_open - * - * This function opens a socket to the setransd. - * Returns: on success, a file descriptor ( >= 0 ) to the socket - * on error, a negative value - */ -static int setransd_open(void) -{ - struct sockaddr_un addr; - int fd; - - fd = socket(PF_UNIX, SOCK_STREAM, 0); - if (fd < 0) { - return -1; - } - - memset(&addr, 0, sizeof(addr)); - addr.sun_family = AF_UNIX; - strncpy(addr.sun_path, SETRANS_UNIX_SOCKET, sizeof(addr.sun_path)); - if (connect(fd, (struct sockaddr *)&addr, sizeof(addr)) < 0) { - close(fd); - return -1; - } - - return fd; -} - -/* Returns: 0 on success, <0 on failure */ -static int -send_request(int fd, uint32_t function, const char *data1, const char *data2) -{ - struct iovec req_hdr[3]; - uint32_t data1_size; - uint32_t data2_size; - struct iovec req_data[2]; - ssize_t count; - - if (fd < 0) - return -1; - - if (!data1) - data1 = ""; - if (!data2) - data2 = ""; - - data1_size = strlen(data1) + 1; - data2_size = strlen(data2) + 1; - - req_hdr[0].iov_base = &function; - req_hdr[0].iov_len = sizeof(function); - req_hdr[1].iov_base = &data1_size; - req_hdr[1].iov_len = sizeof(data1_size); - req_hdr[2].iov_base = &data2_size; - req_hdr[2].iov_len = sizeof(data2_size); - - while (((count = writev(fd, req_hdr, 3)) < 0) && (errno == EINTR)) ; - if 
(count != (sizeof(function) + sizeof(data1_size) + - sizeof(data2_size))) { - return -1; - } - - req_data[0].iov_base = (char *)data1; - req_data[0].iov_len = data1_size; - req_data[1].iov_base = (char *)data2; - req_data[1].iov_len = data2_size; - - while (((count = writev(fd, req_data, 2)) < 0) && (errno == EINTR)) ; - if (count < 0 || (uint32_t) count != (data1_size + data2_size)) { - return -1; - } - - return 0; -} - -/* Returns: 0 on success, <0 on failure */ -static int -receive_response(int fd, uint32_t function, char **outdata, int32_t * ret_val) -{ - struct iovec resp_hdr[3]; - uint32_t func; - uint32_t data_size; - char *data; - struct iovec resp_data; - ssize_t count; - - if (fd < 0) - return -1; - - resp_hdr[0].iov_base = &func; - resp_hdr[0].iov_len = sizeof(func); - resp_hdr[1].iov_base = &data_size; - resp_hdr[1].iov_len = sizeof(data_size); - resp_hdr[2].iov_base = ret_val; - resp_hdr[2].iov_len = sizeof(*ret_val); - - while (((count = readv(fd, resp_hdr, 3)) < 0) && (errno == EINTR)) ; - if (count != (sizeof(func) + sizeof(data_size) + sizeof(*ret_val))) { - return -1; - } - - if (func != function || !data_size || data_size > MAX_DATA_BUF) { - return -1; - } - - data = malloc(data_size); - if (!data) { - return -1; - } - - resp_data.iov_base = data; - resp_data.iov_len = data_size; - - while (((count = readv(fd, &resp_data, 1))) < 0 && (errno == EINTR)) ; - if (count < 0 || (uint32_t) count != data_size || - data[data_size - 1] != '\0') { - free(data); - return -1; - } - *outdata = data; - return 0; -} - -static int raw_to_trans_context(char *raw, char **transp) -{ - int ret; - int32_t ret_val; - int fd; - - *transp = NULL; - - fd = setransd_open(); - if (fd < 0) - return fd; - - ret = send_request(fd, RAW_TO_TRANS_CONTEXT, raw, NULL); - if (ret) - goto out; - - ret = receive_response(fd, RAW_TO_TRANS_CONTEXT, transp, &ret_val); - if (ret) - goto out; - - ret = ret_val; - out: - close(fd); - return ret; -} - -static int trans_to_raw_context(char 
*trans, char **rawp) -{ - int ret; - int32_t ret_val; - int fd; - - *rawp = NULL; - - fd = setransd_open(); - if (fd < 0) - return fd; - ret = send_request(fd, TRANS_TO_RAW_CONTEXT, trans, NULL); - if (ret) - goto out; - - ret = receive_response(fd, TRANS_TO_RAW_CONTEXT, rawp, &ret_val); - if (ret) - goto out; - - ret = ret_val; - out: - close(fd); - return ret; -} - -hidden void fini_context_translations(void) -{ - if (cache_trans) { - free(prev_r2t_trans); - free(prev_r2t_raw); - free(prev_t2r_trans); - free(prev_t2r_raw); - } -} - -hidden int init_context_translations(void) -{ - int ret, fd; - int32_t ret_val; - char *out = NULL; - - mls_enabled = is_selinux_mls_enabled(); - if (!mls_enabled) - return 0; - - fd = setransd_open(); - if (fd < 0) - return fd; - - ret = send_request(fd, SETRANS_INIT, NULL, NULL); - if (ret) - goto out; - - ret = receive_response(fd, SETRANS_INIT, &out, &ret_val); - free(out); - if (!ret) - ret = ret_val; - out: - close(fd); - return ret; -} - -int selinux_trans_to_raw_context(security_context_t trans, - security_context_t * rawp) -{ - if (!trans) { - *rawp = NULL; - return 0; - } - - if (!mls_enabled) { - *rawp = strdup(trans); - goto out; - } - - if (cache_trans) { - if (prev_t2r_trans && strcmp(prev_t2r_trans, trans) == 0) { - *rawp = strdup(prev_t2r_raw); - } else { - free(prev_t2r_trans); - prev_t2r_trans = NULL; - free(prev_t2r_raw); - prev_t2r_raw = NULL; - if (trans_to_raw_context(trans, rawp)) - *rawp = strdup(trans); - if (*rawp) { - prev_t2r_trans = strdup(trans); - if (!prev_t2r_trans) - goto out; - prev_t2r_raw = strdup(*rawp); - if (!prev_t2r_raw) { - free(prev_t2r_trans); - prev_t2r_trans = NULL; - } - } - } - } else if (trans_to_raw_context(trans, rawp)) - *rawp = strdup(trans); - out: - return *rawp ? 
0 : -1; -} - -hidden_def(selinux_trans_to_raw_context) - -int selinux_raw_to_trans_context(security_context_t raw, - security_context_t * transp) -{ - if (!raw) { - *transp = NULL; - return 0; - } - - if (!mls_enabled) { - *transp = strdup(raw); - goto out; - } - - if (cache_trans) { - if (prev_r2t_raw && strcmp(prev_r2t_raw, raw) == 0) { - *transp = strdup(prev_r2t_trans); - } else { - free(prev_r2t_raw); - prev_r2t_raw = NULL; - free(prev_r2t_trans); - prev_r2t_trans = NULL; - if (raw_to_trans_context(raw, transp)) - *transp = strdup(raw); - if (*transp) { - prev_r2t_raw = strdup(raw); - if (!prev_r2t_raw) - goto out; - prev_r2t_trans = strdup(*transp); - if (!prev_r2t_trans) { - free(prev_r2t_raw); - prev_r2t_raw = NULL; - } - } - } - } else if (raw_to_trans_context(raw, transp)) - *transp = strdup(raw); - out: - return *transp ? 0 : -1; -} - -hidden_def(selinux_raw_to_trans_context) Copied: tags/libselinux_1_30_28/libselinux/src/setrans_client.c (from rev 2027, trunk/libselinux/src/setrans_client.c) =================================================================== --- tags/libselinux_1_30_28/libselinux/src/setrans_client.c (rev 0) +++ tags/libselinux_1_30_28/libselinux/src/setrans_client.c 2006-09-13 15:14:00 UTC (rev 2029) 
@@ -0,0 +1,322 @@ +/* Copyright (c) 2006 Trusted Computer Solutions, Inc. */ + +#include <sys/types.h> +#include <sys/socket.h> +#include <sys/un.h> + +#include <errno.h> +#include <stdlib.h> +#include <netdb.h> + +#include <stdio.h> +#include <string.h> +#include <ctype.h> +#include <unistd.h> +#include "dso.h" +#include "selinux_internal.h" +#include "setrans_internal.h" + +static int mls_enabled = -1; + +// Simple cache +static __thread security_context_t prev_t2r_trans = NULL; +static __thread security_context_t prev_t2r_raw = NULL; +static __thread security_context_t prev_r2t_trans = NULL; +static __thread security_context_t prev_r2t_raw = NULL; + +int cache_trans hidden = 1; + +/* + * setransd_open + * + * This function opens a socket to the setransd. + * Returns: on success, a file descriptor ( >= 0 ) to the socket + * on error, a negative value + */ +static int setransd_open(void) +{ + struct sockaddr_un addr; + int fd; + + fd = socket(PF_UNIX, SOCK_STREAM, 0); + if (fd < 0) { + return -1; + } + + memset(&addr, 0, sizeof(addr)); + addr.sun_family = AF_UNIX; + strncpy(addr.sun_path, SETRANS_UNIX_SOCKET, sizeof(addr.sun_path)); + if (connect(fd, (struct sockaddr *)&addr, sizeof(addr)) < 0) { + close(fd); + return -1; + } + + return fd; +} + +/* Returns: 0 on success, <0 on failure */ +static int +send_request(int fd, uint32_t function, const char *data1, const char *data2) +{ + struct msghdr msgh; + struct iovec iov[5]; + uint32_t data1_size; + uint32_t data2_size; + ssize_t count, expected; + unsigned int i; + + if (fd < 0) + return -1; + + if (!data1) + data1 = ""; + if (!data2) + data2 = ""; + + data1_size = strlen(data1) + 1; + data2_size = strlen(data2) + 1; + + iov[0].iov_base = &function; + iov[0].iov_len = sizeof(function); + iov[1].iov_base = &data1_size; + iov[1].iov_len = sizeof(data1_size); + iov[2].iov_base = &data2_size; + iov[2].iov_len = sizeof(data2_size); + iov[3].iov_base = (char *)data1; + iov[3].iov_len = data1_size; + iov[4].iov_base = 
(char *)data2; + iov[4].iov_len = data2_size; + memset(&msgh, 0, sizeof(msgh)); + msgh.msg_iov = iov; + msgh.msg_iovlen = sizeof(iov)/sizeof(iov[0]); + + expected = 0; + for (i = 0; i < sizeof(iov)/sizeof(iov[0]); i++) + expected += iov[i].iov_len; + + while (((count = sendmsg(fd, &msgh, MSG_NOSIGNAL)) < 0) && (errno == EINTR)) ; + if (count < 0 || count != expected) + return -1; + + return 0; +} + +/* Returns: 0 on success, <0 on failure */ +static int +receive_response(int fd, uint32_t function, char **outdata, int32_t * ret_val) +{ + struct iovec resp_hdr[3]; + uint32_t func; + uint32_t data_size; + char *data; + struct iovec resp_data; + ssize_t count; + + if (fd < 0) + return -1; + + resp_hdr[0].iov_base = &func; + resp_hdr[0].iov_len = sizeof(func); + resp_hdr[1].iov_base = &data_size; + resp_hdr[1].iov_len = sizeof(data_size); + resp_hdr[2].iov_base = ret_val; + resp_hdr[2].iov_len = sizeof(*ret_val); + + while (((count = readv(fd, resp_hdr, 3)) < 0) && (errno == EINTR)) ; + if (count != (sizeof(func) + sizeof(data_size) + sizeof(*ret_val))) { + return -1; + } + + if (func != function || !data_size || data_size > MAX_DATA_BUF) { + return -1; + } + + data = malloc(data_size); + if (!data) { + return -1; + } + + resp_data.iov_base = data; + resp_data.iov_len = data_size; + + while (((count = readv(fd, &resp_data, 1))) < 0 && (errno == EINTR)) ; + if (count < 0 || (uint32_t) count != data_size || + data[data_size - 1] != '\0') { + free(data); + return -1; + } + *outdata = data; + return 0; +} + +static int raw_to_trans_context(char *raw, char **transp) +{ + int ret; + int32_t ret_val; + int fd; + + *transp = NULL; + + fd = setransd_open(); + if (fd < 0) + return fd; + + ret = send_request(fd, RAW_TO_TRANS_CONTEXT, raw, NULL); + if (ret) + goto out; + + ret = receive_response(fd, RAW_TO_TRANS_CONTEXT, transp, &ret_val); + if (ret) + goto out; + + ret = ret_val; + out: + close(fd); + return ret; +} + +static int trans_to_raw_context(char *trans, char **rawp) +{ + 
int ret; + int32_t ret_val; + int fd; + + *rawp = NULL; + + fd = setransd_open(); + if (fd < 0) + return fd; + ret = send_request(fd, TRANS_TO_RAW_CONTEXT, trans, NULL); + if (ret) + goto out; + + ret = receive_response(fd, TRANS_TO_RAW_CONTEXT, rawp, &ret_val); + if (ret) + goto out; + + ret = ret_val; + out: + close(fd); + return ret; +} + +hidden void fini_context_translations(void) +{ + if (cache_trans) { + free(prev_r2t_trans); + free(prev_r2t_raw); + free(prev_t2r_trans); + free(prev_t2r_raw); + } +} + +hidden int init_context_translations(void) +{ + int ret, fd; + int32_t ret_val; + char *out = NULL; + + mls_enabled = is_selinux_mls_enabled(); + if (!mls_enabled) + return 0; + + fd = setransd_open(); + if (fd < 0) + return fd; + + ret = send_request(fd, SETRANS_INIT, NULL, NULL); + if (ret) + goto out; + + ret = receive_response(fd, SETRANS_INIT, &out, &ret_val); + free(out); + if (!ret) + ret = ret_val; + out: + close(fd); + return ret; +} + +int selinux_trans_to_raw_context(security_context_t trans, + security_context_t * rawp) +{ + if (!trans) { + *rawp = NULL; + return 0; + } + + if (!mls_enabled) { + *rawp = strdup(trans); + goto out; + } + + if (cache_trans) { + if (prev_t2r_trans && strcmp(prev_t2r_trans, trans) == 0) { + *rawp = strdup(prev_t2r_raw); + } else { + free(prev_t2r_trans); + prev_t2r_trans = NULL; + free(prev_t2r_raw); + prev_t2r_raw = NULL; + if (trans_to_raw_context(trans, rawp)) + *rawp = strdup(trans); + if (*rawp) { + prev_t2r_trans = strdup(trans); + if (!prev_t2r_trans) + goto out; + prev_t2r_raw = strdup(*rawp); + if (!prev_t2r_raw) { + free(prev_t2r_trans); + prev_t2r_trans = NULL; + } + } + } + } else if (trans_to_raw_context(trans, rawp)) + *rawp = strdup(trans); + out: + return *rawp ? 
0 : -1; +} + +hidden_def(selinux_trans_to_raw_context) + +int selinux_raw_to_trans_context(security_context_t raw, + security_context_t * transp) +{ + if (!raw) { + *transp = NULL; + return 0; + } + + if (!mls_enabled) { + *transp = strdup(raw); + goto out; + } + + if (cache_trans) { + if (prev_r2t_raw && strcmp(prev_r2t_raw, raw) == 0) { + *transp = strdup(prev_r2t_trans); + } else { + free(prev_r2t_raw); + prev_r2t_raw = NULL; + free(prev_r2t_trans); + prev_r2t_trans = NULL; + if (raw_to_trans_context(raw, transp)) + *transp = strdup(raw); + if (*transp) { + prev_r2t_raw = strdup(raw); + if (!prev_r2t_raw) + goto out; + prev_r2t_trans = strdup(*transp); + if (!prev_r2t_trans) { + free(prev_r2t_raw); + prev_r2t_raw = NULL; + } + } + } + } else if (raw_to_trans_context(raw, transp)) + *transp = strdup(raw); + out: + return *transp ? 0 : -1; +} + +hidden_def(selinux_raw_to_trans_context) This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
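Review bot: in receive_response of the copied setrans_client.c, both readv calls treat a short read as a hard failure (`if (count != (sizeof(func) + sizeof(data_size) + sizeof(*ret_val)))` and `(uint32_t) count != data_size`), but readv on a SOCK_STREAM socket may legitimately return fewer bytes than requested, and when that happens selinux_trans_to_raw_context and selinux_raw_to_trans_context drop into the `*rawp = strdup(trans)` / `*transp = strdup(raw)` fallback and return 0, so the caller receives the untranslated label as if it were the translation. Loop until the requested length has been read or EOF/error is reached, and test `count < 0` before the unsigned comparison the way the reworked send_request now does (`if (count < 0 || count != expected)`), so that a -1 is not silently converted to size_t. The same silent fallback also applies when setransd_open fails or the daemon answers with a different function code, which means callers cannot distinguish a real translation from a pass-through; that behaviour deserves a sentence in the man page or ChangeLog. On the defensive side, the `data_size > MAX_DATA_BUF` bound and the `data[data_size - 1] != '\0'` termination check are the right guards: a malformed reply from the daemon cannot drive an unbounded malloc or place an unterminated string into the thread-local cache. Gathering all five iovecs into one sendmsg with MSG_NOSIGNAL is also an improvement over the two writev calls in the deleted version, since a peer that has already closed the socket now yields an error return instead of SIGPIPE in the caller.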
From: <mad...@us...> - 2006-09-13 21:31:40
Revision: 2031
http://svn.sourceforge.net/selinux/?rev=2031&view=rev
Author: madmethod
Date: 2006-09-13 14:31:24 -0700 (Wed, 13 Sep 2006)

Log Message:
-----------
tag for policycoreutils 1.30.29

Added Paths:
-----------
tags/policycoreutils_1_30_29/
tags/policycoreutils_1_30_29/policycoreutils/
tags/policycoreutils_1_30_29/policycoreutils/ChangeLog
tags/policycoreutils_1_30_29/policycoreutils/VERSION
tags/policycoreutils_1_30_29/policycoreutils/audit2allow/audit2allow
tags/policycoreutils_1_30_29/policycoreutils/audit2allow/avc.py
tags/policycoreutils_1_30_29/policycoreutils/restorecond/restorecond.init
tags/policycoreutils_1_30_29/policycoreutils/scripts/chcat
tags/policycoreutils_1_30_29/policycoreutils/scripts/genhomedircon
tags/policycoreutils_1_30_29/policycoreutils/secon/Makefile
tags/policycoreutils_1_30_29/policycoreutils/semanage/semanage
tags/policycoreutils_1_30_29/policycoreutils/semanage/semanage.8
tags/policycoreutils_1_30_29/policycoreutils/semanage/seobject.py
tags/policycoreutils_1_30_29/policycoreutils/semodule_link/semodule_link.8
tags/policycoreutils_1_30_29/policycoreutils/semodule_package/semodule_package.8

Removed Paths:
-------------
tags/policycoreutils_1_30_29/policycoreutils/ChangeLog
tags/policycoreutils_1_30_29/policycoreutils/VERSION
tags/policycoreutils_1_30_29/policycoreutils/audit2allow/audit2allow
tags/policycoreutils_1_30_29/policycoreutils/audit2allow/avc.py
tags/policycoreutils_1_30_29/policycoreutils/restorecond/restorecond.init
tags/policycoreutils_1_30_29/policycoreutils/scripts/chcat
tags/policycoreutils_1_30_29/policycoreutils/scripts/genhomedircon
tags/policycoreutils_1_30_29/policycoreutils/secon/Makefile
tags/policycoreutils_1_30_29/policycoreutils/semanage/semanage
tags/policycoreutils_1_30_29/policycoreutils/semanage/semanage.8
tags/policycoreutils_1_30_29/policycoreutils/semanage/seobject.py
tags/policycoreutils_1_30_29/policycoreutils/semodule_link/semodule_link.8
tags/policycoreutils_1_30_29/policycoreutils/semodule_package/semodule_package.8 Copied: tags/policycoreutils_1_30_29/policycoreutils (from rev 2026, trunk/policycoreutils) Deleted: tags/policycoreutils_1_30_29/policycoreutils/ChangeLog =================================================================== --- trunk/policycoreutils/ChangeLog 2006-09-05 14:57:13 UTC (rev 2026) +++ tags/policycoreutils_1_30_29/policycoreutils/ChangeLog 2006-09-13 21:31:24 UTC (rev 2031) 
@@ -1,643 +0,0 @@ -1.30.28 2006-09-01 - * Merged fix for restorecon // handling from Erich Schubert. - * Merged translations update and fixfiles fix from Dan Walsh. - -1.30.27 2006-08-24 - * Merged fix for restorecon symlink handling from Erich Schubert. - -1.30.26 2006-08-11 - * Merged semanage local file contexts patch from Chris PeBenito. - -1.30.25 2006-08-03 - * Merged patch from Dan Walsh with: - * audit2allow: process MAC_POLICY_LOAD events - * newrole: run shell with - prefix to start a login shell - * po: po file updates - * restorecond: bail if SELinux not enabled - * fixfiles: omit -q - * genhomedircon: fix exit code if non-root - * semodule_deps: install man page - -1.30.24 2006-08-03 - * Merged secon Makefile fix from Joshua Brindle. - -1.30.23 2006-08-03 - * Merged netfilter contexts support patch from Chris PeBenito. - -1.30.22 2006-07-28 - * Merged restorecond size_t fix from Joshua Brindle. - -1.30.21 2006-07-28 - * Merged secon keycreate patch from Michael LeMay. - -1.30.20 2006-07-26 - * Merged restorecond fixes from Dan Walsh. - Merged updated po files from Dan Walsh. - -1.30.19 2006-07-26 - * Merged python gettext patch from Stephen Bennett. - -1.30.18 2006-07-25 - * Merged semodule_deps from Karl MacMillan. - -1.30.17 2006-06-29 - * Lindent. - -1.30.16 2006-06-26 - * Merged patch from Dan Walsh with: - * -p option (progress) for setfiles and restorecon. - * disable context translation for setfiles and restorecon. - * on/off values for setsebool. - -1.30.15 2006-06-26 - * Merged setfiles and semodule_link fixes from Joshua Brindle. - -1.30.14 2006-06-16 - * Merged fix for setsebool error path from Serge Hallyn. - -1.30.13 2006-06-16 - * Merged patch from Dan Walsh with: - * Updated po files. - * Fixes for genhomedircon and seobject. - * Audit message for mass relabel by setfiles. - -1.30.12 2006-06-02 - * Updated fixfiles script for new setfiles location in /sbin. - -1.30.11 2006-05-26 - * Merged more translations from Dan Walsh. 
- * Merged patch to relocate setfiles to /sbin for early relabel - when /usr might not be mounted from Dan Walsh. - * Merged semanage/seobject patch to preserve fcontext ordering in list. - * Merged secon patch from James Antill. - -1.30.10 2006-05-22 - * Merged patch with updates to audit2allow, secon, genhomedircon, - and semanage from Dan Walsh. - -1.30.9 2006-05-08 - * Fixed audit2allow and po Makefiles for DESTDIR= builds. - * Merged .po file patch from Dan Walsh. - * Merged bug fix for genhomedircon. - -1.30.8 2006-05-08 - * Merged patch from Dan Walsh. - This includes audit2allow changes for analysis plugins, - internationalization support for several additional programs - and added po files, some fixes for semanage, and several cleanups. - It also adds a new secon utility. - -1.30.7 2006-05-05 - * Merged fix warnings patch from Karl MacMillan. - -1.30.6 2006-04-14 - * Merged semanage prefix support from Russell Coker. - -1.30.5 2006-04-11 - * Added a test to setfiles to check that the spec file is - a regular file. - -1.30.4 2006-03-29 - * Merged audit2allow fixes for refpolicy from Dan Walsh. - * Merged fixfiles patch from Dan Walsh. - * Merged restorecond daemon from Dan Walsh. - -1.30.3 2006-03-29 - * Merged semanage non-MLS fixes from Chris PeBenito. - -1.30.2 2006-03-29 - * Merged semanage and semodule man page examples from Thomas Bleher. - -1.30.1 2006-03-20 - * Merged semanage labeling prefix patch from Ivan Gyurdiev. - -1.30 2006-03-14 - * Updated version for release. - -1.29.28 2006-03-13 - * Merged German translations (de.po) by Debian translation team from Manoj Srivastava. - -1.29.27 2006-03-08 - * Merged audit2allow -R support, chcat fix, semanage MLS checks - and semanage audit calls from Dan Walsh. - -1.29.26 2006-02-15 - * Merged semanage bug fix patch from Ivan Gyurdiev. - -1.29.25 2006-02-14 - * Merged improve bindings patch from Ivan Gyurdiev. - -1.29.24 2006-02-14 - * Merged semanage usage patch from Ivan Gyurdiev. 
- * Merged use PyList patch from Ivan Gyurdiev. - -1.29.23 2006-02-13 - * Merged newrole -V/--version support from Glauber de Oliveira Costa. - -1.29.22 2006-02-13 - * Merged genhomedircon prefix patch from Dan Walsh. - -1.29.21 2006-02-13 - * Merged optionals in base patch from Joshua Brindle. - -1.29.20 2006-02-07 - * Merged seuser/user_extra support patch to semodule_package - from Joshua Brindle. - -1.29.19 2006-02-06 - * Merged getopt type fix for semodule_link/expand and sestatus - from Chris PeBenito. - -1.29.18 2006-02-02 - * Merged clone record on set_con patch from Ivan Gyurdiev. - -1.29.17 2006-01-30 - * Merged genhomedircon fix from Dan Walsh. - -1.29.16 2006-01-30 - * Merged seusers.system patch from Ivan Gyurdiev. - * Merged improve port/fcontext API patch from Ivan Gyurdiev. - * Merged genhomedircon patch from Dan Walsh. - -1.29.15 2006-01-27 - * Merged newrole audit patch from Steve Grubb. - -1.29.14 2006-01-27 - * Merged seuser -> seuser local rename patch from Ivan Gyurdiev. - -1.29.13 2006-01-27 - * Merged semanage and semodule access check patches from Joshua Brindle. - -1.29.12 2006-01-26 - * Merged restorecon, chcat, and semanage patches from Dan Walsh. - -1.29.11 2006-01-25 - * Modified newrole and run_init to use the loginuid when - supported to obtain the Linux user identity to re-authenticate, - and to fall back to real uid. Dropped the use of the SELinux - user identity, as Linux users are now mapped to SELinux users - via seusers and the SELinux user identity space is separate. - -1.29.10 2006-01-20 - * Merged semanage bug fixes from Ivan Gyurdiev. - * Merged semanage fixes from Russell Coker. - * Merged chcat.8 and genhomedircon patches from Dan Walsh. - -1.29.9 2006-01-19 - * Merged chcat, semanage, and setsebool patches from Dan Walsh. - -1.29.8 2006-01-18 - * Merged semanage fixes from Ivan Gyurdiev. - * Merged semanage fixes from Russell Coker. - * Merged chcat, genhomedircon, and semanage diffs from Dan Walsh. 
- -1.29.7 2006-01-13 - * Merged newrole cleanup patch from Steve Grubb. - * Merged setfiles/restorecon performance patch from Russell Coker. - * Merged genhomedircon and semanage patches from Dan Walsh. - -1.29.6 2006-01-12 - * Merged remove add_local/set_local patch from Ivan Gyurdiev. - -1.29.5 2006-01-05 - * Added filename to semodule error reporting. - -1.29.4 2006-01-05 - * Merged genhomedircon and semanage patch from Dan Walsh. - * Changed semodule error reporting to include argv[0]. - -1.29.3 2006-01-04 - * Merged semanage getpwnam bug fix from Serge Hallyn (IBM). - * Merged patch series from Ivan Gyurdiev. - This includes patches to: - - cleanup setsebool - - update setsebool to apply active booleans through libsemanage - - update semodule to use the new semanage_set_rebuild() interface - - fix various bugs in semanage - * Merged patch from Dan Walsh (Red Hat). - This includes fixes for restorecon, chcat, fixfiles, genhomedircon, - and semanage. - -1.29.2 2005-12-14 - * Merged patch for chcat script from Dan Walsh. - -1.29.1 2005-12-08 - * Merged fix for audit2allow long option list from Dan Walsh. - * Merged -r option for restorecon (alias for -R) from Dan Walsh. - * Merged chcat script and man page from Dan Walsh. - -1.28 2005-12-07 - * Updated version for release. - -1.27.37 2005-12-07 - * Clarified the genhomedircon warning message. - -1.27.36 2005-12-05 - * Changed genhomedircon to warn on use of ROLE in homedir_template - if using managed policy, as libsemanage does not yet support it. - -1.27.35 2005-12-02 - * Merged genhomedircon bug fix from Dan Walsh. - -1.27.34 2005-12-02 - * Revised semodule* man pages to refer to checkmodule and - to include example sections. - -1.27.33 2005-12-01 - * Merged audit2allow --tefile and --fcfile support from Dan Walsh. - * Merged genhomedircon fix from Dan Walsh. - * Merged semodule* man pages from Dan Walsh, and edited them. 
- -1.27.32 2005-12-01 - * Changed setfiles to set the MATCHPATHCON_VALIDATE flag to - retain validation/canonicalization of contexts during init. - -1.27.31 2005-11-29 - * Changed genhomedircon to always use user_r for the role in the - managed case since user_get_defrole is broken. - -1.27.30 2005-11-29 - * Merged sestatus, audit2allow, and semanage patch from Dan Walsh. - * Fixed semodule -v option. - -1.27.29 2005-11-28 - * Merged audit2allow python script from Dan Walsh. - (old script moved to audit2allow.perl, will be removed later). - * Merged genhomedircon fixes from Dan Walsh. - * Merged semodule quieting patch from Dan Walsh - (inverts default, use -v to restore original behavior). - -1.27.28 2005-11-15 - * Merged genhomedircon rewrite from Dan Walsh. - -1.27.27 2005-11-09 - * Merged setsebool cleanup patch from Ivan Gyurdiev. - -1.27.26 2005-11-09 - * Added -B (--build) option to semodule to force a rebuild. - -1.27.25 2005-11-08 - * Reverted setsebool patch to call semanage_set_reload_bools(). - * Changed setsebool to disable policy reload and to call - security_set_boolean_list to update the runtime booleans. - -1.27.24 2005-11-08 - * Changed setfiles -c to use new flag to set_matchpathcon_flags() - to disable context translation by matchpathcon_init(). - -1.27.23 2005-11-07 - * Changed setfiles for the context canonicalization support. - -1.27.22 2005-11-07 - * Changed setsebool to call semanage_is_managed() interface - and fall back to security_set_boolean_list() if policy is - not managed. - -1.27.21 2005-11-07 - * Merged setsebool memory leak fix from Ivan Gyurdiev. - * Merged setsebool patch to call semanage_set_reload_bools() - interface from Ivan Gyurdiev. - -1.27.20 2005-11-04 - * Merged setsebool patch from Ivan Gyurdiev. - This moves setsebool from libselinux/utils to policycoreutils, - and rewrites it to use libsemanage for permanent boolean changes. 
- -1.27.19 2005-10-25 - * Merged semodule support for reload, noreload, and store options - from Joshua Brindle. - * Merged semodule_package rewrite from Joshua Brindle. - -1.27.18 2005-10-20 - * Cleaned up usage and error messages and releasing of memory by - semodule_* utilities. - -1.27.17 2005-10-20 - * Corrected error reporting by semodule. - -1.27.16 2005-10-19 - * Updated semodule_expand for change to sepol interface. - -1.27.15 2005-10-19 - * Merged fixes for make DESTDIR= builds from Joshua Brindle. - -1.27.14 2005-10-18 - * Updated semodule_package for sepol interface changes. - -1.27.13 2005-10-17 - * Updated semodule_expand/link for sepol interface changes. - -1.27.12 2005-10-14 - * Merged non-PAM Makefile support for newrole and run_init from Timothy Wood. - -1.27.11 2005-10-13 - * Updated semodule_expand to use get interfaces for hidden sepol_module_package type. - -1.27.10 2005-10-13 - * Merged newrole and run_init pam config patches from Dan Walsh (Red Hat). - -1.27.9 2005-10-13 - * Merged fixfiles patch from Dan Walsh (Red Hat). - -1.27.8 2005-10-13 - * Updated semodule for removal of semanage_strerror. - -1.27.7 2005-10-11 - * Updated semodule_link and semodule_expand to use shared libsepol. - Fixed audit2why to call policydb_init prior to policydb_read (still - uses the static libsepol). - -1.27.6 2005-10-07 - * Updated for changes to libsepol. - Changed semodule and semodule_package to use the shared libsepol. - Disabled build of semodule_link and semodule_expand for now. - Updated audit2why for relocated policydb internal headers, - still needs to be converted to a shared lib interface. - -1.27.5 2005-10-06 - * Fixed warnings in load_policy. - -1.27.4 2005-10-06 - * Rewrote load_policy to use the new selinux_mkload_policy() - interface provided by libselinux. - -1.27.3 2005-09-28 - * Merged patch to update semodule to the new libsemanage API - and improve the user interface from Karl MacMillan (Tresys). 
- * Modified semodule for the create/connect API split. - -1.27.2 2005-09-20 - * Merged run_init open_init_pty bug fix from Manoj Srivastava - (unblock SIGCHLD). Bug reported by Erich Schubert. - -1.27.1 2005-09-20 - * Merged error shadowing bug fix for restorecon from Dan Walsh. - * Merged setfiles usage/man page update for -r option from Dan Walsh. - * Merged fixfiles -C patch to ignore :s0 addition on update - to a MCS/MLS policy from Dan Walsh. - -1.26 2005-09-06 - * Updated version for release. - -1.25.9 2005-08-31 - * Changed setfiles -c to translate the context to raw format - prior to calling libsepol. - -1.25.8 2005-08-31 - * Changed semodule to report errors even without -v, - to detect extraneous arguments, and corrected usage message. - -1.25.7 2005-08-25 - * Merged patch for fixfiles -C from Dan Walsh. - -1.25.6 2005-08-22 - * Merged fixes for semodule_link and sestatus from Serge Hallyn (IBM). - Bugs found by Coverity. - -1.25.5 2005-08-02 - * Merged patch to move module read/write code from libsemanage - to libsepol from Jason Tang (Tresys). - -1.25.4 2005-07-27 - * Changed semodule* to link with libsemanage. - -1.25.3 2005-07-26 - * Merged restorecon patch from Ivan Gyurdiev. - -1.25.2 2005-07-11 - * Merged load_policy, newrole, and genhomedircon patches from Red Hat. - -1.25.1 2005-07-06 - * Merged loadable module support from Tresys Technology. - -1.24 2005-06-20 - * Updated version for release. - -1.23.11 2005-05-19 - * Merged fixfiles and newrole patch from Dan Walsh. - * Merged audit2why man page from Dan Walsh. - -1.23.10 2005-05-16 - * Extended audit2why to incorporate booleans and local user - settings when analyzing audit messages. - -1.23.9 2005-05-13 - * Updated audit2why for sepol_ prefixes on Flask types to - avoid namespace collision with libselinux, and to - include <selinux/selinux.h> now. - -1.23.8 2005-05-13 - * Added audit2why utility. - -1.23.7 2005-04-29 - * Merged patch for fixfiles from Dan Walsh. 
- Allow passing -F to force reset of customizable contexts. - -1.23.6 2005-04-13 - * Fixed signed/unsigned pointer bug in load_policy. - * Reverted context validation patch for genhomedircon. - -1.23.5 2005-04-12 - * Reverted load_policy is_selinux_enabled patch from Dan Walsh. - Otherwise, an initial policy load cannot be performed using - load_policy, e.g. for anaconda. - -1.23.4 2005-04-08 - * Merged load_policy is_selinux_enabled patch from Dan Walsh. - * Merged restorecon verbose output patch from Dan Walsh. - * Merged setfiles altroot patch from Chris PeBenito. - -1.23.3 2005-03-17 - * Merged context validation patch for genhomedircon from Eric Paris. - -1.23.2 2005-03-16 - * Changed setfiles -c to call set_matchpathcon_flags(3) to - turn off processing of .homedirs and .local. - -1.23.1 2005-03-14 - * Merged rewrite of genhomedircon by Eric Paris. - * Changed fixfiles to relabel jfs since it now supports security xattrs - (as of 2.6.11). Removed reiserfs until 2.6.12 is released with - fixed support for reiserfs and selinux. - -1.22 2005-03-09 - * Updated version for release. - -1.21.22 2005-03-07 - * Merged restorecon and genhomedircon patch from Dan Walsh. - -1.21.21 2005-02-28 - * Merged load_policy and genhomedircon patch from Dan Walsh. - -1.21.20 2005-02-24 - * Merged fixfiles and genhomedircon patch from Dan Walsh. - -1.21.19 2005-02-22 - * Merged several fixes from Ulrich Drepper. - -1.21.18 2005-02-18 - * Changed load_policy to fall back to the original policy upon - an error from sepol_genusers(). - -1.21.17 2005-02-17 - * Merged new genhomedircon script from Dan Walsh. - -1.21.16 2005-02-17 - * Changed load_policy to call sepol_genusers(). - -1.21.15 2005-02-09 - * Changed relabel Makefile target to use restorecon. - -1.21.14 2005-02-08 - * Merged restorecon patch from Dan Walsh. - -1.21.13 2005-02-07 - * Merged sestatus patch from Dan Walsh. - * Merged further change to fixfiles -C from Dan Walsh. 
- -1.21.12 2005-02-02 - * Merged further patches for restorecon/setfiles -e and fixfiles -C. - -1.21.11 2005-02-02 - * Merged patch for fixfiles -C option from Dan Walsh. - * Merged patch -e support for restorecon from Dan Walsh. - * Merged updated -e support for setfiles from Dan Walsh. - -1.21.10 2005-01-31 - * Merged patch for open_init_pty from Manoj Srivastava. - -1.21.9 2005-01-28 - * Merged updated fixfiles script from Dan Walsh. - * Merged updated man page for fixfiles from Dan Walsh and re-added unzipped. - * Reverted fixfiles patch for file_contexts.local; - obsoleted by setfiles rewrite. - * Merged error handling patch for restorecon from Dan Walsh. - * Merged semi raw mode for open_init_pty helper from Manoj Srivastava. - -1.21.8 2005-01-28 - * Rewrote setfiles to use matchpathcon and the new interfaces - exported by libselinux (>= 1.21.5). - -1.21.7 2005-01-27 - * Prevent overflow of spec array in setfiles. - -1.21.6 2005-01-27 - * Merged genhomedircon STARTING_UID bug fix from Dan Walsh. - -1.21.5 2005-01-26 - * Merged newrole -l support from Darrel Goeddel (TCS). - -1.21.4 2005-01-25 - * Merged fixfiles patch for file_contexts.local from Dan Walsh. - -1.21.3 2005-01-21 - * Fixed restorecon to not treat errors from is_context_customizable() - as a customizable context. - * Merged setfiles/restorecon patch to not reset user field unless - -F option is specified from Dan Walsh. - -1.21.2 2005-01-21 - * Merged open_init_pty helper for run_init from Manoj Srivastava. - * Merged audit2allow and genhomedircon man pages from Manoj Srivastava. - -1.21.1 2005-01-19 - * Merged customizable contexts patch for restorecon/setfiles from Dan Walsh. - -1.20 2005-01-06 - * Merged fixfiles rewrite from Dan Walsh. - * Merged restorecon patch from Dan Walsh. - * Merged fixfiles and restorecon patches from Dan Walsh. - * Changed restorecon to ignore ENOENT errors from matchpathcon. - * Merged nonls patch from Chris PeBenito. - * Removed fixfiles.cron. 
- * Merged run_init.8 patch from Dan Walsh. - -1.18 2004-11-01 - * Merged audit2allow patch from Thomas Bleher, with mods by Dan Walsh. - * Merged sestatus patch from Steve Grubb. - * Merged fixfiles patch from Dan Walsh. - * Added -l option to setfiles to log changes via syslog. - * Merged -e option to setfiles to exclude directories. - * Merged -R option to restorecon for recursive descent. - * Merged sestatus patch from Steve Grubb via Dan Walsh. - * Merged load_policy and fixfiles.cron patches from Dan Walsh. - * Merged fix for setfiles context validation patch from Colin Walters. - * Merged setfiles context validation patch from Colin Walters. - * Merged genhomedircon patch from Russell Coker. - * Merged restorecon patch from Russell Coker. - -1.16 2004-08-13 - * Merged audit2allow fix from Tom London. - * Merged load_policy man page from Dan Walsh. - * Merged newrole bug fix from Chad Hanson. - * Changed load_policy to preserve booleans by default. - * Changed load_policy to invoke sepol_genbools() instead. - * Changed load_policy to also invoke security_load_booleans(). - * Merged genhomedircon fixes from Dan Walsh. - * Changed restorecon to use realpath. - * Merged fixfiles patch from Dan Walsh. - * Merged genhomedircon patch from Russell Coker and Dan Walsh. - * Merged fixfiles patch and fixfiles.cron script from Dan Walsh. - * Merged stat fix for setfiles -s from Russell Coker. - -1.14 2004-06-25 - * Merged fix for fixfiles. - * Merged enhancements to setfiles, fixfiles and restorecon from Dan Walsh. - * Merged updated genhomedircon script from Russell Coker. - * Merged run_init patch to find initrc_context from Dan Walsh. - * Merged fixfiles patch for /etc/selinux from Dan Walsh. - * Merged restorecon patch from Dan Walsh. - * Merged fixfiles patch from Dan Walsh. - -1.12 2004-05-10 - * Merged newrole patch from Colin Walters. - * Merged fixfiles from Dan Walsh. - -1.10 2004-04-05 - * Changed setfiles to not abort upon lsetfilecon failures. 
- * Merged sestatus from Chris PeBenito. - * Merged fixes for restorecon. - * Merged setfiles verbosity patch from Dan Walsh and Stephen Tweedie. - * Merged restorecon patch from Dan Walsh. - * Revert add_assoc change from setfiles. - * Moved restorecon to /sbin. - * Disable add_assoc in setfiles by default, use -a to enable. - * Merged genhomedircon patch from Dan Walsh. - * Merged restorecon patch from Dan Walsh. - * Merged setfiles buffer size change from Dan Walsh. - * Merged genhomedircon fix from Karl MacMillan of Tresys. - This generates separate lines for each prefix. - -1.8 2004-03-09 - * Merged genhomedircon patch from Karl MacMillan of Tresys. - * Removed checkcon script (obsoleted by restorecon -nv). - * Replaced restorecon script with C program from Dan Walsh. - Uses the new matchpathcon function from libselinux. - -1.6 2004-02-18 - * Fixed setfiles sorting problem reported by Colin Walters. - * Merged setfiles patch from Robert Bihlmeyer, amended by Russell Coker. - * Added scripts (checkcon, restorecon, genhomedircon) from Dan Walsh. - * Quiet warning about duplicate same specifications if -q is used. - * Fixed usage message of audit2allow. - -1.4 2003-12-01 - * Merged patch from Russell Coker. - * Added audit2allow (formerly newrules.pl from policy). - * Dropped -lattr from Makefiles. - * Merged setfiles check type first patch by Russell Coker. - -1.2 2003-09-30 - * Merged run_init close file patch from Chris PeBenito. - * Merged setfiles stem compression patch by Russell Coker. - * Merged setfiles usage/getopt/err patch by Russell Coker. - * Merged setfiles altroot patch by Hardened Gentoo team. - * Merged i18n patch by Dan Walsh. - * Changed Makefiles to allow non-root rpm builds. - -1.1 2003-08-13 - * Dropped obsolete psid code from setfiles. - -1.0 2003-07-11 - * Initial public release. 
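Review bot: this removal hunk should be reconciled against the copy that follows rather than read line by line: its header drops 643 lines, running from 1.30.28 back to "1.0 2003-07-11 * Initial public release.", and the file is re-added below from rev 2030 of trunk/policycoreutils/ChangeLog with 648 lines; the difference of five is exactly the new 1.30.29 entry plus its separating blank line, so the tag move loses no history. One thing worth fixing in trunk while the file is being touched, not in the tag: several older entries carry no author or version detail ("Merged fixes for restorecon.", "Merged fix for fixfiles.", "Merged bug fix for genhomedircon."), which makes later provenance checks against this log harder than the "Merged ... from <author>." entries around them.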
- Copied: tags/policycoreutils_1_30_29/policycoreutils/ChangeLog (from rev 2030, trunk/policycoreutils/ChangeLog) =================================================================== --- tags/policycoreutils_1_30_29/policycoreutils/ChangeLog (rev 0) +++ tags/policycoreutils_1_30_29/policycoreutils/ChangeLog 2006-09-13 21:31:24 UTC (rev 2031) 
@@ -0,0 +1,648 @@ +1.30.29 2006-09-13 + * Man page corrections from Dan Walsh + * Change all python invocations to /usr/bin/python -E + * Add missing getopt flags to genhomedircon + +1.30.28 2006-09-01 + * Merged fix for restorecon // handling from Erich Schubert. + * Merged translations update and fixfiles fix from Dan Walsh. + +1.30.27 2006-08-24 + * Merged fix for restorecon symlink handling from Erich Schubert. + +1.30.26 2006-08-11 + * Merged semanage local file contexts patch from Chris PeBenito. + +1.30.25 2006-08-03 + * Merged patch from Dan Walsh with: + * audit2allow: process MAC_POLICY_LOAD events + * newrole: run shell with - prefix to start a login shell + * po: po file updates + * restorecond: bail if SELinux not enabled + * fixfiles: omit -q + * genhomedircon: fix exit code if non-root + * semodule_deps: install man page + +1.30.24 2006-08-03 + * Merged secon Makefile fix from Joshua Brindle. + +1.30.23 2006-08-03 + * Merged netfilter contexts support patch from Chris PeBenito. + +1.30.22 2006-07-28 + * Merged restorecond size_t fix from Joshua Brindle. + +1.30.21 2006-07-28 + * Merged secon keycreate patch from Michael LeMay. + +1.30.20 2006-07-26 + * Merged restorecond fixes from Dan Walsh. + Merged updated po files from Dan Walsh. + +1.30.19 2006-07-26 + * Merged python gettext patch from Stephen Bennett. + +1.30.18 2006-07-25 + * Merged semodule_deps from Karl MacMillan. + +1.30.17 2006-06-29 + * Lindent. + +1.30.16 2006-06-26 + * Merged patch from Dan Walsh with: + * -p option (progress) for setfiles and restorecon. + * disable context translation for setfiles and restorecon. + * on/off values for setsebool. + +1.30.15 2006-06-26 + * Merged setfiles and semodule_link fixes from Joshua Brindle. + +1.30.14 2006-06-16 + * Merged fix for setsebool error path from Serge Hallyn. + +1.30.13 2006-06-16 + * Merged patch from Dan Walsh with: + * Updated po files. + * Fixes for genhomedircon and seobject. + * Audit message for mass relabel by setfiles. 
+ +1.30.12 2006-06-02 + * Updated fixfiles script for new setfiles location in /sbin. + +1.30.11 2006-05-26 + * Merged more translations from Dan Walsh. + * Merged patch to relocate setfiles to /sbin for early relabel + when /usr might not be mounted from Dan Walsh. + * Merged semanage/seobject patch to preserve fcontext ordering in list. + * Merged secon patch from James Antill. + +1.30.10 2006-05-22 + * Merged patch with updates to audit2allow, secon, genhomedircon, + and semanage from Dan Walsh. + +1.30.9 2006-05-08 + * Fixed audit2allow and po Makefiles for DESTDIR= builds. + * Merged .po file patch from Dan Walsh. + * Merged bug fix for genhomedircon. + +1.30.8 2006-05-08 + * Merged patch from Dan Walsh. + This includes audit2allow changes for analysis plugins, + internationalization support for several additional programs + and added po files, some fixes for semanage, and several cleanups. + It also adds a new secon utility. + +1.30.7 2006-05-05 + * Merged fix warnings patch from Karl MacMillan. + +1.30.6 2006-04-14 + * Merged semanage prefix support from Russell Coker. + +1.30.5 2006-04-11 + * Added a test to setfiles to check that the spec file is + a regular file. + +1.30.4 2006-03-29 + * Merged audit2allow fixes for refpolicy from Dan Walsh. + * Merged fixfiles patch from Dan Walsh. + * Merged restorecond daemon from Dan Walsh. + +1.30.3 2006-03-29 + * Merged semanage non-MLS fixes from Chris PeBenito. + +1.30.2 2006-03-29 + * Merged semanage and semodule man page examples from Thomas Bleher. + +1.30.1 2006-03-20 + * Merged semanage labeling prefix patch from Ivan Gyurdiev. + +1.30 2006-03-14 + * Updated version for release. + +1.29.28 2006-03-13 + * Merged German translations (de.po) by Debian translation team from Manoj Srivastava. + +1.29.27 2006-03-08 + * Merged audit2allow -R support, chcat fix, semanage MLS checks + and semanage audit calls from Dan Walsh. + +1.29.26 2006-02-15 + * Merged semanage bug fix patch from Ivan Gyurdiev. 
+ +1.29.25 2006-02-14 + * Merged improve bindings patch from Ivan Gyurdiev. + +1.29.24 2006-02-14 + * Merged semanage usage patch from Ivan Gyurdiev. + * Merged use PyList patch from Ivan Gyurdiev. + +1.29.23 2006-02-13 + * Merged newrole -V/--version support from Glauber de Oliveira Costa. + +1.29.22 2006-02-13 + * Merged genhomedircon prefix patch from Dan Walsh. + +1.29.21 2006-02-13 + * Merged optionals in base patch from Joshua Brindle. + +1.29.20 2006-02-07 + * Merged seuser/user_extra support patch to semodule_package + from Joshua Brindle. + +1.29.19 2006-02-06 + * Merged getopt type fix for semodule_link/expand and sestatus + from Chris PeBenito. + +1.29.18 2006-02-02 + * Merged clone record on set_con patch from Ivan Gyurdiev. + +1.29.17 2006-01-30 + * Merged genhomedircon fix from Dan Walsh. + +1.29.16 2006-01-30 + * Merged seusers.system patch from Ivan Gyurdiev. + * Merged improve port/fcontext API patch from Ivan Gyurdiev. + * Merged genhomedircon patch from Dan Walsh. + +1.29.15 2006-01-27 + * Merged newrole audit patch from Steve Grubb. + +1.29.14 2006-01-27 + * Merged seuser -> seuser local rename patch from Ivan Gyurdiev. + +1.29.13 2006-01-27 + * Merged semanage and semodule access check patches from Joshua Brindle. + +1.29.12 2006-01-26 + * Merged restorecon, chcat, and semanage patches from Dan Walsh. + +1.29.11 2006-01-25 + * Modified newrole and run_init to use the loginuid when + supported to obtain the Linux user identity to re-authenticate, + and to fall back to real uid. Dropped the use of the SELinux + user identity, as Linux users are now mapped to SELinux users + via seusers and the SELinux user identity space is separate. + +1.29.10 2006-01-20 + * Merged semanage bug fixes from Ivan Gyurdiev. + * Merged semanage fixes from Russell Coker. + * Merged chcat.8 and genhomedircon patches from Dan Walsh. + +1.29.9 2006-01-19 + * Merged chcat, semanage, and setsebool patches from Dan Walsh. 
+ +1.29.8 2006-01-18 + * Merged semanage fixes from Ivan Gyurdiev. + * Merged semanage fixes from Russell Coker. + * Merged chcat, genhomedircon, and semanage diffs from Dan Walsh. + +1.29.7 2006-01-13 + * Merged newrole cleanup patch from Steve Grubb. + * Merged setfiles/restorecon performance patch from Russell Coker. + * Merged genhomedircon and semanage patches from Dan Walsh. + +1.29.6 2006-01-12 + * Merged remove add_local/set_local patch from Ivan Gyurdiev. + +1.29.5 2006-01-05 + * Added filename to semodule error reporting. + +1.29.4 2006-01-05 + * Merged genhomedircon and semanage patch from Dan Walsh. + * Changed semodule error reporting to include argv[0]. + +1.29.3 2006-01-04 + * Merged semanage getpwnam bug fix from Serge Hallyn (IBM). + * Merged patch series from Ivan Gyurdiev. + This includes patches to: + - cleanup setsebool + - update setsebool to apply active booleans through libsemanage + - update semodule to use the new semanage_set_rebuild() interface + - fix various bugs in semanage + * Merged patch from Dan Walsh (Red Hat). + This includes fixes for restorecon, chcat, fixfiles, genhomedircon, + and semanage. + +1.29.2 2005-12-14 + * Merged patch for chcat script from Dan Walsh. + +1.29.1 2005-12-08 + * Merged fix for audit2allow long option list from Dan Walsh. + * Merged -r option for restorecon (alias for -R) from Dan Walsh. + * Merged chcat script and man page from Dan Walsh. + +1.28 2005-12-07 + * Updated version for release. + +1.27.37 2005-12-07 + * Clarified the genhomedircon warning message. + +1.27.36 2005-12-05 + * Changed genhomedircon to warn on use of ROLE in homedir_template + if using managed policy, as libsemanage does not yet support it. + +1.27.35 2005-12-02 + * Merged genhomedircon bug fix from Dan Walsh. + +1.27.34 2005-12-02 + * Revised semodule* man pages to refer to checkmodule and + to include example sections. + +1.27.33 2005-12-01 + * Merged audit2allow --tefile and --fcfile support from Dan Walsh. 
+ * Merged genhomedircon fix from Dan Walsh. + * Merged semodule* man pages from Dan Walsh, and edited them. + +1.27.32 2005-12-01 + * Changed setfiles to set the MATCHPATHCON_VALIDATE flag to + retain validation/canonicalization of contexts during init. + +1.27.31 2005-11-29 + * Changed genhomedircon to always use user_r for the role in the + managed case since user_get_defrole is broken. + +1.27.30 2005-11-29 + * Merged sestatus, audit2allow, and semanage patch from Dan Walsh. + * Fixed semodule -v option. + +1.27.29 2005-11-28 + * Merged audit2allow python script from Dan Walsh. + (old script moved to audit2allow.perl, will be removed later). + * Merged genhomedircon fixes from Dan Walsh. + * Merged semodule quieting patch from Dan Walsh + (inverts default, use -v to restore original behavior). + +1.27.28 2005-11-15 + * Merged genhomedircon rewrite from Dan Walsh. + +1.27.27 2005-11-09 + * Merged setsebool cleanup patch from Ivan Gyurdiev. + +1.27.26 2005-11-09 + * Added -B (--build) option to semodule to force a rebuild. + +1.27.25 2005-11-08 + * Reverted setsebool patch to call semanage_set_reload_bools(). + * Changed setsebool to disable policy reload and to call + security_set_boolean_list to update the runtime booleans. + +1.27.24 2005-11-08 + * Changed setfiles -c to use new flag to set_matchpathcon_flags() + to disable context translation by matchpathcon_init(). + +1.27.23 2005-11-07 + * Changed setfiles for the context canonicalization support. + +1.27.22 2005-11-07 + * Changed setsebool to call semanage_is_managed() interface + and fall back to security_set_boolean_list() if policy is + not managed. + +1.27.21 2005-11-07 + * Merged setsebool memory leak fix from Ivan Gyurdiev. + * Merged setsebool patch to call semanage_set_reload_bools() + interface from Ivan Gyurdiev. + +1.27.20 2005-11-04 + * Merged setsebool patch from Ivan Gyurdiev. 
+ This moves setsebool from libselinux/utils to policycoreutils, + and rewrites it to use libsemanage for permanent boolean changes. + +1.27.19 2005-10-25 + * Merged semodule support for reload, noreload, and store options + from Joshua Brindle. + * Merged semodule_package rewrite from Joshua Brindle. + +1.27.18 2005-10-20 + * Cleaned up usage and error messages and releasing of memory by + semodule_* utilities. + +1.27.17 2005-10-20 + * Corrected error reporting by semodule. + +1.27.16 2005-10-19 + * Updated semodule_expand for change to sepol interface. + +1.27.15 2005-10-19 + * Merged fixes for make DESTDIR= builds from Joshua Brindle. + +1.27.14 2005-10-18 + * Updated semodule_package for sepol interface changes. + +1.27.13 2005-10-17 + * Updated semodule_expand/link for sepol interface changes. + +1.27.12 2005-10-14 + * Merged non-PAM Makefile support for newrole and run_init from Timothy Wood. + +1.27.11 2005-10-13 + * Updated semodule_expand to use get interfaces for hidden sepol_module_package type. + +1.27.10 2005-10-13 + * Merged newrole and run_init pam config patches from Dan Walsh (Red Hat). + +1.27.9 2005-10-13 + * Merged fixfiles patch from Dan Walsh (Red Hat). + +1.27.8 2005-10-13 + * Updated semodule for removal of semanage_strerror. + +1.27.7 2005-10-11 + * Updated semodule_link and semodule_expand to use shared libsepol. + Fixed audit2why to call policydb_init prior to policydb_read (still + uses the static libsepol). + +1.27.6 2005-10-07 + * Updated for changes to libsepol. + Changed semodule and semodule_package to use the shared libsepol. + Disabled build of semodule_link and semodule_expand for now. + Updated audit2why for relocated policydb internal headers, + still needs to be converted to a shared lib interface. + +1.27.5 2005-10-06 + * Fixed warnings in load_policy. + +1.27.4 2005-10-06 + * Rewrote load_policy to use the new selinux_mkload_policy() + interface provided by libselinux. 
+ +1.27.3 2005-09-28 + * Merged patch to update semodule to the new libsemanage API + and improve the user interface from Karl MacMillan (Tresys). + * Modified semodule for the create/connect API split. + +1.27.2 2005-09-20 + * Merged run_init open_init_pty bug fix from Manoj Srivastava + (unblock SIGCHLD). Bug reported by Erich Schubert. + +1.27.1 2005-09-20 + * Merged error shadowing bug fix for restorecon from Dan Walsh. + * Merged setfiles usage/man page update for -r option from Dan Walsh. + * Merged fixfiles -C patch to ignore :s0 addition on update + to a MCS/MLS policy from Dan Walsh. + +1.26 2005-09-06 + * Updated version for release. + +1.25.9 2005-08-31 + * Changed setfiles -c to translate the context to raw format + prior to calling libsepol. + +1.25.8 2005-08-31 + * Changed semodule to report errors even without -v, + to detect extraneous arguments, and corrected usage message. + +1.25.7 2005-08-25 + * Merged patch for fixfiles -C from Dan Walsh. + +1.25.6 2005-08-22 + * Merged fixes for semodule_link and sestatus from Serge Hallyn (IBM). + Bugs found by Coverity. + +1.25.5 2005-08-02 + * Merged patch to move module read/write code from libsemanage + to libsepol from Jason Tang (Tresys). + +1.25.4 2005-07-27 + * Changed semodule* to link with libsemanage. + +1.25.3 2005-07-26 + * Merged restorecon patch from Ivan Gyurdiev. + +1.25.2 2005-07-11 + * Merged load_policy, newrole, and genhomedircon patches from Red Hat. + +1.25.1 2005-07-06 + * Merged loadable module support from Tresys Technology. + +1.24 2005-06-20 + * Updated version for release. + +1.23.11 2005-05-19 + * Merged fixfiles and newrole patch from Dan Walsh. + * Merged audit2why man page from Dan Walsh. + +1.23.10 2005-05-16 + * Extended audit2why to incorporate booleans and local user + settings when analyzing audit messages. + +1.23.9 2005-05-13 + * Updated audit2why for sepol_ prefixes on Flask types to + avoid namespace collision with libselinux, and to + include <selinux/selinux.h> now. 
+ +1.23.8 2005-05-13 + * Added audit2why utility. + +1.23.7 2005-04-29 + * Merged patch for fixfiles from Dan Walsh. + Allow passing -F to force reset of customizable contexts. + +1.23.6 2005-04-13 + * Fixed signed/unsigned pointer bug in load_policy. + * Reverted context validation patch for genhomedircon. + +1.23.5 2005-04-12 + * Reverted load_policy is_selinux_enabled patch from Dan Walsh. + Otherwise, an initial policy load cannot be performed using + load_policy, e.g. for anaconda. + +1.23.4 2005-04-08 + * Merged load_policy is_selinux_enabled patch from Dan Walsh. + * Merged restorecon verbose output patch from Dan Walsh. + * Merged setfiles altroot patch from Chris PeBenito. + +1.23.3 2005-03-17 + * Merged context validation patch for genhomedircon from Eric Paris. + +1.23.2 2005-03-16 + * Changed setfiles -c to call set_matchpathcon_flags(3) to + turn off processing of .homedirs and .local. + +1.23.1 2005-03-14 + * Merged rewrite of genhomedircon by Eric Paris. + * Changed fixfiles to relabel jfs since it now supports security xattrs + (as of 2.6.11). Removed reiserfs until 2.6.12 is released with + fixed support for reiserfs and selinux. + +1.22 2005-03-09 + * Updated version for release. + +1.21.22 2005-03-07 + * Merged restorecon and genhomedircon patch from Dan Walsh. + +1.21.21 2005-02-28 + * Merged load_policy and genhomedircon patch from Dan Walsh. + +1.21.20 2005-02-24 + * Merged fixfiles and genhomedircon patch from Dan Walsh. + +1.21.19 2005-02-22 + * Merged several fixes from Ulrich Drepper. + +1.21.18 2005-02-18 + * Changed load_policy to fall back to the original policy upon + an error from sepol_genusers(). + +1.21.17 2005-02-17 + * Merged new genhomedircon script from Dan Walsh. + +1.21.16 2005-02-17 + * Changed load_policy to call sepol_genusers(). + +1.21.15 2005-02-09 + * Changed relabel Makefile target to use restorecon. + +1.21.14 2005-02-08 + * Merged restorecon patch from Dan Walsh. 
+ +1.21.13 2005-02-07 + * Merged sestatus patch from Dan Walsh. + * Merged further change to fixfiles -C from Dan Walsh. + +1.21.12 2005-02-02 + * Merged further patches for restorecon/setfiles -e and fixfiles -C. + +1.21.11 2005-02-02 + * Merged patch for fixfiles -C option from Dan Walsh. + * Merged patch -e support for restorecon from Dan Walsh. + * Merged updated -e support for setfiles from Dan Walsh. + +1.21.10 2005-01-31 + * Merged patch for open_init_pty from Manoj Srivastava. + +1.21.9 2005-01-28 + * Merged updated fixfiles script from Dan Walsh. + * Merged updated man page for fixfiles from Dan Walsh and re-added unzipped. + * Reverted fixfiles patch for file_contexts.local; + obsoleted by setfiles rewrite. + * Merged error handling patch for restorecon from Dan Walsh. + * Merged semi raw mode for open_init_pty helper from Manoj Srivastava. + +1.21.8 2005-01-28 + * Rewrote setfiles to use matchpathcon and the new interfaces + exported by libselinux (>= 1.21.5). + +1.21.7 2005-01-27 + * Prevent overflow of spec array in setfiles. + +1.21.6 2005-01-27 + * Merged genhomedircon STARTING_UID bug fix from Dan Walsh. + +1.21.5 2005-01-26 + * Merged newrole -l support from Darrel Goeddel (TCS). + +1.21.4 2005-01-25 + * Merged fixfiles patch for file_contexts.local from Dan Walsh. + +1.21.3 2005-01-21 + * Fixed restorecon to not treat errors from is_context_customizable() + as a customizable context. + * Merged setfiles/restorecon patch to not reset user field unless + -F option is specified from Dan Walsh. + +1.21.2 2005-01-21 + * Merged open_init_pty helper for run_init from Manoj Srivastava. + * Merged audit2allow and genhomedircon man pages from Manoj Srivastava. + +1.21.1 2005-01-19 + * Merged customizable contexts patch for restorecon/setfiles from Dan Walsh. + +1.20 2005-01-06 + * Merged fixfiles rewrite from Dan Walsh. + * Merged restorecon patch from Dan Walsh. + * Merged fixfiles and restorecon patches from Dan Walsh. 
+ * Changed restorecon to ignore ENOENT errors from matchpathcon. + * Merged nonls patch from Chris PeBenito. + * Removed fixfiles.cron. + * Merged run_init.8 patch from Dan Walsh. + +1.18 2004-11-01 + * Merged audit2allow patch from Thomas Bleher, with mods by Dan Walsh. + * Merged sestatus patch from Steve Grubb. + * Merged fixfiles patch from Dan Walsh. + * Added -l option to setfiles to log changes via syslog. + * Merged -e option to setfiles to exclude directories. + * Merged -R option to restorecon for recursive descent. + * Merged sestatus patch from Steve Grubb via Dan Walsh. + * Merged load_policy and fixfiles.cron patches from Dan Walsh. + * Merged fix for setfiles context validation patch from Colin Walters. + * Merged setfiles context validation patch from Colin Walters. + * Merged genhomedircon patch from Russell Coker. + * Merged restorecon patch from Russell Coker. + +1.16 2004-08-13 + * Merged audit2allow fix from Tom London. + * Merged load_policy man page from Dan Walsh. + * Merged newrole bug fix from Chad Hanson. + * Changed load_policy to preserve booleans by default. + * Changed load_policy to invoke sepol_genbools() instead. + * Changed load_policy to also invoke security_load_booleans(). + * Merged genhomedircon fixes from Dan Walsh. + * Changed restorecon to use realpath. + * Merged fixfiles patch from Dan Walsh. + * Merged genhomedircon patch from Russell Coker and Dan Walsh. + * Merged fixfiles patch and fixfiles.cron script from Dan Walsh. + * Merged stat fix for setfiles -s from Russell Coker. + +1.14 2004-06-25 + * Merged fix for fixfiles. + * Merged enhancements to setfiles, fixfiles and restorecon from Dan Walsh. + * Merged updated genhomedircon script from Russell Coker. + * Merged run_init patch to find initrc_context from Dan Walsh. + * Merged fixfiles patch for /etc/selinux from Dan Walsh. + * Merged restorecon patch from Dan Walsh. + * Merged fixfiles patch from Dan Walsh. 
+ +1.12 2004-05-10 + * Merged newrole patch from Colin Walters. + * Merged fixfiles from Dan Walsh. + +1.10 2004-04-05 + * Changed setfiles to not abort upon lsetfilecon failures. + * Merged sestatus from Chris PeBenito. + * Merged fixes for restorecon. + * Merged setfiles verbosity patch from Dan Walsh and Stephen Tweedie. + * Merged restorecon patch from Dan Walsh. + * Revert add_assoc change from setfiles. + * Moved restorecon to /sbin. + * Disable add_assoc in setfiles by default, use -a to enable. + * Merged genhomedircon patch from Dan Walsh. + * Merged restorecon patch from Dan Walsh. + * Merged setfiles buffer size change from Dan Walsh. + * Merged genhomedircon fix from Karl MacMillan of Tresys. + This generates separate lines for each prefix. + +1.8 2004-03-09 + * Merged genhomedircon patch from Karl MacMillan of Tresys. + * Removed checkcon script (obsoleted by restorecon -nv). + * Replaced restorecon script with C program from Dan Walsh. + Uses the new matchpathcon function from libselinux. + +1.6 2004-02-18 + * Fixed setfiles sorting problem reported by Colin Walters. + * Merged setfiles patch from Robert Bihlmeyer, amended by Russell Coker. + * Added scripts (checkcon, restorecon, genhomedircon) from Dan Walsh. + * Quiet warning about duplicate same specifications if -q is used. + * Fixed usage message of audit2allow. + +1.4 2003-12-01 + * Merged patch from Russell Coker. + * Added audit2allow (formerly newrules.pl from policy). + * Dropped -lattr from Makefiles. + * Merged setfiles check type first patch by Russell Coker. + +1.2 2003-09-30 + * Merged run_init close file patch from Chris PeBenito. + * Merged setfiles stem compression patch by Russell Coker. + * Merged setfiles usage/getopt/err patch by Russell Coker. + * Merged setfiles altroot patch by Hardened Gentoo team. + * Merged i18n patch by Dan Walsh. + * Changed Makefiles to allow non-root rpm builds. + +1.1 2003-08-13 + * Dropped obsolete psid code from setfiles. 
+ +1.0 2003-07-11 + * Initial public release. + Deleted: tags/policycoreutils_1_30_29/policycoreutils/VERSION =================================================================== --- trunk/policycoreutils/VERSION 2006-09-05 14:57:13 UTC (rev 2026) +++ tags/policycoreutils_1_30_29/policycoreutils/VERSION 2006-09-13 21:31:24 UTC (rev 2031) @@ -1 +0,0 @@ -1.30.28 Copied: tags/policycoreutils_1_30_29/policycoreutils/VERSION (from rev 2030, trunk/policycoreutils/VERSION) =================================================================== --- tags/policycoreutils_1_30_29/policycoreutils/VERSION (rev 0) +++ tags/policycoreutils_1_30_29/policycoreutils/VERSION 2006-09-13 21:31:24 UTC (rev 2031) @@ -0,0 +1 @@ +1.30.29 Deleted: tags/policycoreutils_1_30_29/policycoreutils/audit2allow/audit2allow =================================================================== --- trunk/policycoreutils/audit2allow/audit2allow 2006-09-05 14:57:13 UTC (rev 2026) +++ tags/policycoreutils_1_30_29/policycoreutils/audit2allow/audit2allow 2006-09-13 21:31:24 UTC (rev 2031) 
@@ -1,213 +0,0 @@ -#! /usr/bin/env python -# Copyright (C) 2005 Red Hat -# see file 'COPYING' for use and warranty information -# -# Audit2allow is a rewrite of prior perl script. -# -# Based off original audit2allow perl script: which credits -# newrules.pl, Copyright (C) 2001 Justin R. Smith (js...@mc...) -# 2003 Oct 11: Add -l option by Yuichi Nakamura(yn...@us...) -# -# This program is free software; you can redistribute it and/or -# modify it under the terms of the GNU General Public License as -# published by the Free Software Foundation; either version 2 of -# the License, or (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA -# 02111-1307 USA -# -# -from avc import * - -if __name__ == '__main__': - import commands, sys, os, getopt, selinux - import gettext - try: - gettext.install('policycoreutils') - except: - pass - def get_mls_flag(): - if selinux.is_selinux_mls_enabled(): - return "-M" - else: - return "" - - def usage(msg = ""): - print _('audit2allow [-adhilrv] [-t file ] [ -f fcfile ] [-i <inputfile> ] [[-m|-M] <modulename> ] [-o <outputfile>]\n\ - -a, --all read input from audit and message log, conflicts with -i\n\ - -d, --dmesg read input from output of /bin/dmesg\n\ - -h, --help display this message\n\ - -i, --input read input from <inputfile> conflicts with -a\n\ - -l, --lastreload read input only after last \"load_policy\"\n\ - -m, --module generate module/require output <modulename> \n\ - -M generate loadable module package, conflicts with -o\n\ - -o, --output append output to <outputfile>, conflicts with -M\n\ - -r, 
--requires generate require output \n\ - -t, --tefile Add input from Existing Type Enforcement file\n\ - -f, --fcfile Existing Type Enforcement file, requires -M\n\ - -v, --verbose verbose output\n\ - -A, --analyze Analyze output\n\ - ') - if msg != "": - print msg - sys.exit(1) - - def errorExit(error): - sys.stderr.write("%s: " % sys.argv[0]) - sys.stderr.write("%s\n" % error) - sys.stderr.flush() - sys.exit(1) - - # - # - # - try: - last_reload = 0 - inputfd = sys.stdin - output = sys.stdout - module = "" - requires = 0 - verbose = 0 - auditlogs = 0 - buildPP = 0 - input_ind = 0 - output_ind = 0 - ref_ind = False - analyze = False - te_inputs = [] - - fc_file = "" - gopts, cmds = getopt.getopt(sys.argv[1:], - 'Aadf:hi:lm:M:o:rt:vR', - ['all', - 'analyze', - 'dmesg', - 'fcfile=', - 'help', - 'input=', - 'lastreload', - 'module=', - 'output=', - 'requires', - 'reference', - 'tefile=', - 'verbose' - ]) - for o,a in gopts: - if o == "-a" or o == "--all": - if input_ind: - usage() - inputfd = open("/var/log/messages", "r") - auditlogs = 1 - if o == "-d" or o == "--dmesg": - inputfd = os.popen("/bin/dmesg", "r") - if o == "-f" or o == "--fcfile": - if a[0] == "-": - usage() - fc_file = a - if o == "-h" or o == "--help": - usage() - if o == "-i"or o == "--input": - if auditlogs or a[0] == "-": - usage() - input_ind = 1 - inputfd = open(a, "r") - if o == '--lastreload' or o == "-l": - last_reload = 1 - if o == "-m" or o == "--module": - if module != "" or a[0] == "-": - usage() - module = a - if o == "-M": - if module != "" or output_ind or a[0] == "-": - usage() - module = a - outfile = a+".te" - buildPP = 1 - if not os.path.exists("/usr/bin/checkmodule"): - errorExit("-M Requires the checkmodule command, you need to install the checkpolicy rpm package") - output = open(outfile, "w") - if o == "-r" or o == "--requires": - requires = 1 - if o == "-t" or o == "--tefile": - te_inputs.append(open(a, "r")) - - if o == "-R" or o == "--reference": - ref_ind = True - - if o == 
"-o" or o == "--output": - if module != "" or a[0] == "-": - usage() - output = open(a, "a") - output_ind = 1 - if o == "-v" or o == "--verbose": - verbose = 1 - - if o == "-A" or o == "--analyze": - analyze = True - - if len(cmds) != 0: - usage() - - if fc_file != "" and not buildPP: - usage("Error %s: Option -fc requires -M" % sys.argv[0]) - - serules = SERules(last_reload, verbose) - - for i in te_inputs: - te = TERules(serules) - te.load(i) - - serules.load(inputfd) - - - if ref_ind: - serules.gen_reference_policy() - - if analyze: - serules.analyze() - sys.exit(0) - - if auditlogs and os.path.exists("/var/log/audit/audit.log"): - inputfd = os.popen("ausearch -m avc,MAC_POLICY_LOAD") - serules.load(inputfd) - - if buildPP: - print (_("Generating type enforcment file: %s.te") % module) - output.write(serules.out(requires, module)) - output.flush() - if buildPP: - cmd = "checkmodule %s -m -o %s.mod %s.te" % (get_mls_flag(), module, module) - print _("Compiling policy") - print cmd - rc = commands.getstatusoutput(cmd) - if rc[0] == 0: - cmd = "semodule_package -o %s.pp -m %s.mod" % (module, module) - if fc_file != "": - cmd = "%s -f %s" % (cmd, fc_file) - - print cmd - rc = commands.getstatusoutput(cmd) - if rc[0] == 0: - print _("\n******************** IMPORTANT ***********************\n") - print (_("In order to load this newly created policy package into the kernel,\nyou are required to execute \n\nsemodule -i %s.pp\n\n") % module) - else: - errorExit(rc[1]) - else: - errorExit(rc[1]) - - except getopt.error, error: - errorExit(_("Options Error: %s ") % error.msg) - except ValueError, error: - errorExit(error.args[0]) - except IOError, error: - errorExit(error) - except KeyboardInterrupt, error: - sys.exit(0) Copied: tags/policycoreutils_1_30_29/policycoreutils/audit2allow/audit2allow (from rev 2030, trunk/policycoreutils/audit2allow/audit2allow) =================================================================== --- 
tags/policycoreutils_1_30_29/policycoreutils/audit2allow/audit2allow (rev 0) +++ tags/policycoreutils_1_30_29/policycoreutils/audit2allow/audit2allow 2006-09-13 21:31:24 UTC (rev 2031) 
@@ -0,0 +1,213 @@ +#! /usr/bin/python -E +# Copyright (C) 2005 Red Hat +# see file 'COPYING' for use and warranty information +# +# Audit2allow is a rewrite of prior perl script. +# +# Based off original audit2allow perl script: which credits +# newrules.pl, Copyright (C) 2001 Justin R. Smith (js...@mc...) +# 2003 Oct 11: Add -l option by Yuichi Nakamura(yn...@us...) +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License as +# published by the Free Software Foundation; either version 2 of +# the License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA +# 02111-1307 USA +# +# +from avc import * + +if __name__ == '__main__': + import commands, sys, os, getopt, selinux + import gettext + try: + gettext.install('policycoreutils') + except: + pass + def get_mls_flag(): + if selinux.is_selinux_mls_enabled(): + return "-M" + else: + return "" + + def usage(msg = ""): + print _('audit2allow [-adhilrv] [-t file ] [ -f fcfile ] [-i <inputfile> ] [[-m|-M] <modulename> ] [-o <outputfile>]\n\ + -a, --all read input from audit and message log, conflicts with -i\n\ + -d, --dmesg read input from output of /bin/dmesg\n\ + -h, --help display this message\n\ + -i, --input read input from <inputfile> conflicts with -a\n\ + -l, --lastreload read input only after last \"load_policy\"\n\ + -m, --module generate module/require output <modulename> \n\ + -M generate loadable module package, conflicts with -o\n\ + -o, --output append output to <outputfile>, conflicts with -M\n\ + -r, 
--requires generate require output \n\ + -t, --tefile Add input from Existing Type Enforcement file\n\ + -f, --fcfile Existing Type Enforcement file, requires -M\n\ + -v, --verbose verbose output\n\ + -A, --analyze Analyze output\n\ + ') + if msg != "": + print msg + sys.exit(1) + + def errorExit(error): + sys.stderr.write("%s: " % sys.argv[0]) + sys.stderr.write("%s\n" % error) + sys.stderr.flush() + sys.exit(1) + + # + # + # + try: + last_reload = 0 + inputfd = sys.stdin + output = sys.stdout + module = "" + requires = 0 + verbose = 0 + auditlogs = 0 + buildPP = 0 + input_ind = 0 + output_ind = 0 + ref_ind = False + analyze = False + te_inputs = [] + + fc_file = "" + gopts, cmds = getopt.getopt(sys.argv[1:], + 'Aadf:hi:lm:M:o:rt:vR', + ['all', + 'analyze', + 'dmesg', + 'fcfile=', + 'help', + 'input=', + 'lastreload', + 'module=', + 'output=', + 'requires', + 'reference', + 'tefile=', + 'verbose' + ]) + for o,a in gopts: + if o == "-a" or o == "--all": + if input_ind: + usage() + inputfd = open("/var/log/messages", "r") + auditlogs = 1 + if o == "-d" or o == "--dmesg": + inputfd = os.popen("/bin/dmesg", "r") + if o == "-f" or o == "--fcfile": + if a[0] == "-": + usage() + fc_file = a + if o == "-h" or o == "--help": + usage() + if o == "-i"or o == "--input": + if auditlogs or a[0] == "-": + usage() + input_ind = 1 + inputfd = open(a, "r") + if o == '--lastreload' or o == "-l": + last_reload = 1 + if o == "-m" or o == "--module": + if module != "" or a[0] == "-": + usage() + module = a + if o == "-M": + if module != "" or output_ind or a[0] == "-": + usage() + module = a + outfile = a+".te" + buildPP = 1 + if not os.path.exists("/usr/bin/checkmodule"): + errorExit("-M Requires the checkmodule command, you need to install the checkpolicy rpm package") + output = open(outfile, "w") + if o == "-r" or o == "--requires": + requires = 1 + if o == "-t" or o == "--tefile": + te_inputs.append(open(a, "r")) + + if o == "-R" or o == "--reference": + ref_ind = True + + if o == 
"-o" or o == "--output": + if module != "" or a[0] == "-": + usage() + output = open(a, "a") + output_ind = 1 + if o == "-v" or o == "--verbose": + verbose = 1 + + if o == "-A" or o == "--analyze": + analyze = True + + if len(cmds) != 0: + usage() + + if fc_file != "" and not buildPP: + usage("Error %s: Option -fc requires -M" % sys.argv[0]) + + serules = SERules(last_reload, verbose) + + for i in te_inputs: + te = TERules(serules) + te.load(i) + + serules.load(inputfd) + + + if ref_ind: + serules.gen_reference_policy() + + if analyze: + serules.analyze() + sys.exit(0) + + if auditlogs and os.path.exists("/var/log/audit/audit.log"): + inputfd = os.popen("ausearch -m avc,MAC_POLICY_LOAD") + serules.load(inputfd) + + if buildPP: + print (_("Generating type enforcment file: %s.te") % module) + output.write(serules.out(requires, module)) + output.flush() + if buildPP: + cmd = "checkmodule %s -m -o %s.mod %s.te" % (get_mls_flag(), module, module) + print _("Compiling policy") + print cmd + rc = commands.getstatusoutput(cmd) + if rc[0] == 0: + cmd = "semodule_package -o %s.pp -m %s.mod" % (module, module) + if fc_file != "": + cmd = "%s -f %s" % (cmd, fc_file) + + print cmd + rc = commands.getstatusoutput(cmd) + if rc[0] == 0: + print _("\n******************** IMPORTANT ***********************\n") + print (_("In order to load this newly created policy package into the kernel,\nyou are required to execute \n\nsemodule -i %s.pp\n\n") % module) + else: + errorExit(rc[1]) + ... [truncated message content] |
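Review bot: in the copied audit2allow hunk, the `-M` path builds the checkmodule and semodule_package command lines by string interpolation (`cmd = "checkmodule %s -m -o %s.mod %s.te" % (get_mls_flag(), module, module)` and `cmd = "%s -f %s" % (cmd, fc_file)`) and runs them through `commands.getstatusoutput`, which hands the string to a shell; the only validation that `module` and `fc_file` receive is the `a[0] == "-"` check in option parsing, so a name containing whitespace or shell metacharacters is interpreted by the shell instead of being passed literally. Since this tool is typically run as root, pass an argument list to `subprocess.call` (available since Python 2.4) or, at minimum, reject module names that are not plain identifiers before `open(outfile, "w")`. Also, `gettext.install('policycoreutils')` is wrapped in a bare `except: pass`, but `_` is only defined when that call succeeds, so on failure the first `usage()` or `print _(...)` call raises NameError; fall back to `_ = lambda s: s` in the except branch. The one visible difference from the deleted copy is the shebang, `#! /usr/bin/env python` becoming `#! /usr/bin/python -E`, which is the right direction for a privileged tool because `-E` makes the interpreter ignore PYTHONPATH and the other PYTHON* environment variables.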
From: <mad...@us...> - 2006-09-28 12:17:30
Revision: 2035 http://svn.sourceforge.net/selinux/?rev=2035&view=rev Author: madmethod Date: 2006-09-28 05:16:58 -0700 (Thu, 28 Sep 2006) Log Message: ----------- tag for checkpolicy 1.30.12 Added Paths: ----------- tags/checkpolicy_1_30_12/ tags/checkpolicy_1_30_12/checkpolicy/ tags/checkpolicy_1_30_12/checkpolicy/ChangeLog tags/checkpolicy_1_30_12/checkpolicy/VERSION tags/checkpolicy_1_30_12/checkpolicy/module_compiler.c tags/checkpolicy_1_30_12/checkpolicy/module_compiler.h tags/checkpolicy_1_30_12/checkpolicy/policy_parse.y Removed Paths: ------------- tags/checkpolicy_1_30_12/checkpolicy/ChangeLog tags/checkpolicy_1_30_12/checkpolicy/VERSION tags/checkpolicy_1_30_12/checkpolicy/module_compiler.c tags/checkpolicy_1_30_12/checkpolicy/module_compiler.h tags/checkpolicy_1_30_12/checkpolicy/policy_parse.y Copied: tags/checkpolicy_1_30_12/checkpolicy (from rev 2032, trunk/checkpolicy) Deleted: tags/checkpolicy_1_30_12/checkpolicy/ChangeLog =================================================================== --- trunk/checkpolicy/ChangeLog 2006-09-18 19:13:13 UTC (rev 2032) +++ tags/checkpolicy_1_30_12/checkpolicy/ChangeLog 2006-09-28 12:16:58 UTC (rev 2035) 
@@ -1,285 +0,0 @@ -1.30.11 2006-09-05 - * merged range_transition enhancements and user module format - changes from Darrel Goeddel - -1.30.10 2006-08-03 - * Merged symtab datum patch from Karl MacMillan. - -1.30.9 2006-06-29 - * Lindent. - -1.30.8 2006-06-29 - * Merged patch to remove TE rule conflict checking from the parser - from Joshua Brindle. This can only be done properly by the - expander. - -1.30.7 2006-06-27 - * Merged patch to make checkpolicy/checkmodule handling of - duplicate/conflicting TE rules the same as the expander - from Joshua Brindle. - -1.30.6 2006-06-26 - * Merged optionals in base take 2 patch set from Joshua Brindle. - -1.30.5 2006-05-05 - * Merged compiler cleanup patch from Karl MacMillan. - * Merged fix warnings patch from Karl MacMillan. - -1.30.4 2006-04-05 - * Changed require_class to reject permissions that have not been - declared if building a base module. - -1.30.3 2006-03-28 - * Fixed checkmodule to call link_modules prior to expand_module - to handle optionals. - -1.30.2 2006-03-28 - * Fixed require_class to avoid shadowing permissions already defined - in an inherited common definition. - -1.30.1 2006-03-22 - * Moved processing of role and user require statements to 2nd pass. - -1.30 2006-03-14 - * Updated version for release. - -1.29.5 2006-03-09 - * Fixed bug in role dominance (define_role_dom). - -1.29.4 2006-02-14 - * Added a check for failure to declare each sensitivity in - a level definition. - -1.29.3 2006-02-13 - * Changed to clone level data for aliased sensitivities to - avoid double free upon sens_destroy. Bug reported by Kevin - Carr of Tresys Technology. - -1.29.2 2006-02-13 - * Merged optionals in base patch from Joshua Brindle. - -1.29.1 2006-02-01 - * Merged sepol_av_to_string patch from Joshua Brindle. - -1.28 2005-12-07 - * Updated version for release. - -1.27.20 2005-12-02 - * Merged checkmodule man page from Dan Walsh, and edited it. 
- -1.27.19 2005-12-01 - * Added error checking of all ebitmap_set_bit calls for out of - memory conditions. - -1.27.18 2005-12-01 - * Merged removal of compatibility handling of netlink classes - (requirement that policies with newer versions include the - netlink class definitions, remapping of fine-grained netlink - classes in newer source policies to single netlink class when - generating older policies) from George Coker. - -1.27.17 2005-10-25 - * Merged dismod fix from Joshua Brindle. - -1.27.16 2005-10-20 - * Removed obsolete cond_check_type_rules() function and call and - cond_optimize_lists() call from checkpolicy.c; these are handled - during parsing and expansion now. - -1.27.15 2005-10-19 - * Updated calls to expand_module for interface change. - -1.27.14 2005-10-19 - * Changed checkmodule to verify that expand_module succeeds - when building base modules. - -1.27.13 2005-10-19 - * Merged module compiler fixes from Joshua Brindle. - -1.27.12 2005-10-19 - * Removed direct calls to hierarchy_check_constraints() and - check_assertions() from checkpolicy since they are now called - internally by expand_module(). - -1.27.11 2005-10-18 - * Updated for changes to sepol policydb_index_others interface. - -1.27.10 2005-10-17 - * Updated for changes to sepol expand_module and link_modules interfaces. - -1.27.9 2005-10-13 - * Merged support for require blocks inside conditionals from - Joshua Brindle (Tresys). - -1.27.8 2005-10-06 - * Updated for changes to libsepol. - -1.27.7 2005-10-05 - * Merged several bug fixes from Joshua Brindle (Tresys). - -1.27.6 2005-10-03 - * Merged MLS in modules patch from Joshua Brindle (Tresys). - -1.27.5 2005-09-28 - * Merged error handling improvement in checkmodule from Karl MacMillan (Tresys). - -1.27.4 2005-09-26 - * Merged bugfix for dup role transition error messages from - Karl MacMillan (Tresys). - -1.27.3 2005-09-23 - * Merged policyver/modulever patches from Joshua Brindle (Tresys). 
- -1.27.2 2005-09-20 - * Fixed parse_categories handling of undefined category. - -1.27.1 2005-09-16 - * Merged bug fix for role dominance handling from Darrel Goeddel (TCS). - -1.26 2005-09-06 - * Updated version for release. - -1.25.12 2005-08-22 - * Fixed handling of validatetrans constraint expressions. - Bug reported by Dan Walsh for checkpolicy -M. - -1.25.11 2005-08-18 - * Merged use-after-free fix from Serge Hallyn (IBM). - Bug found by Coverity. - -1.25.10 2005-08-15 - * Fixed further memory leaks found by valgrind. - -1.25.9 2005-08-15 - * Changed checkpolicy to destroy the policydbs prior to exit - to allow leak detection. - * Fixed several memory leaks found by valgrind. - -1.25.8 2005-08-11 - * Updated checkpolicy and dispol for the new avtab format. - Converted users of ebitmaps to new inline operators. - Note: The binary policy format version has been incremented to - version 20 as a result of these changes. To build a policy - for a kernel that does not yet include these changes, use - the -c 19 option to checkpolicy. - -1.25.7 2005-08-11 - * Merged patch to prohibit use of "self" as a type name from Jason Tang (Tresys). - -1.25.6 2005-08-10 - * Merged patch to fix dismod compilation from Joshua Brindle (Tresys). - -1.25.5 2005-08-09 - * Fixed call to hierarchy checking code to pass the right policydb. - -1.25.4 2005-08-02 - * Merged patch to update dismod for the relocation of the - module read/write code from libsemanage to libsepol, and - to enable build of test subdirectory from Jason Tang (Tresys). - -1.25.3 2005-07-18 - * Merged hierarchy check fix from Joshua Brindle (Tresys). - -1.25.2 2005-07-06 - * Merged loadable module support from Tresys Technology. - -1.25.1 2005-06-24 - * Merged patch to prohibit the use of * and ~ in type sets - (other than in neverallow statements) and in role sets - from Joshua Brindle (Tresys). - -1.24 2005-06-20 - * Updated version for release. - -1.23.4 2005-05-19 - * Merged cleanup patch from Dan Walsh. 
- -1.23.3 2005-05-13 - * Added sepol_ prefix to Flask types to avoid namespace - collision with libselinux. - -1.23.2 2005-04-29 - * Merged identifier fix from Joshua Brindle (Tresys). - -1.23.1 2005-04-13 - * Merged hierarchical type/role patch from Tresys Technology. - * Merged MLS fixes from Darrel Goeddel of TCS. - -1.22 2005-03-09 - * Updated version for release. - -1.21.4 2005-02-17 - * Moved genpolusers utility to libsepol. - * Merged range_transition support from Darrel Goeddel (TCS). - -1.21.3 2005-02-16 - * Merged define_user() cleanup patch from Darrel Goeddel (TCS). - -1.21.2 2005-02-09 - * Changed relabel Makefile target to use restorecon. - -1.21.1 2005-01-26 - * Merged enhanced MLS support from Darrel Goeddel (TCS). - -1.20 2005-01-04 - * Merged typeattribute statement patch from Darrel Goeddel of TCS. - * Changed genpolusers to handle multiple user config files. - * Merged nodecon ordering patch from Chad Hanson of TCS. - -1.18 2004-10-07 - * MLS build fix. - * Fixed Makefile dependencies (Chris PeBenito). - * Merged fix for role dominance ordering issue from Chad Hanson of TCS. - * Preserve portcon ordering and apply more checking. - -1.16 2004-08-13 - * Allow empty conditional clauses. - * Moved genpolbools utility to libsepol. - * Updated for libsepol set functions. - * Changed to link with libsepol.a. - * Moved core functionality into libsepol. - * Merged bug fix for conditional self handling from Karl MacMillan, Dave Caplan, and Joshua Brindle of Tresys. - * Added genpolusers program. - * Fixed bug in checkpolicy conditional code. - -1.14 2004-06-28 - * Merged fix for MLS logic from Daniel Thayer of TCS. - * Require semicolon terminator for typealias statement. - -1.12 2004-06-16 - * Merged fine-grained netlink class support. - -1.10 2004-04-07 - * Merged ipv6 support from James Morris of RedHat. - * Fixed compute_av bug discovered by Chad Hanson of TCS. - -1.8 2004-03-09 - * Merged policydb MLS patch from Chad Hanson of TCS. 
- * Fixed mmap of policy file. - -1.6 2004-02-18 - * Merged conditional policy extensions from Tresys Technology. - * Added typealias declaration support per Russell Coker's request. - * Added support for excluding types from type sets based on - a patch by David Caplan, but reimplemented as a change to the - policy grammar. - * Merged patch from Colin Walters to report source file name and line - number for errors when available. - * Un-deprecated role transitions. - -1.4 2003-12-01 - * Regenerated headers. - * Merged patches from Bastian Blank and Joerg Hoh. - -1.2 2003-09-30 - * Merged MLS build patch from Karl MacMillan of Tresys. - * Merged checkpolicy man page from Magosanyi Arpad. - -1.1 2003-08-13 - * Fixed endian bug in policydb_write for behavior value. - * License -> GPL. - * Merged coding style cleanups from James Morris. - -1.0 2003-07-11 - * Initial public release. - Copied: tags/checkpolicy_1_30_12/checkpolicy/ChangeLog (from rev 2034, trunk/checkpolicy/ChangeLog) =================================================================== --- tags/checkpolicy_1_30_12/checkpolicy/ChangeLog (rev 0) +++ tags/checkpolicy_1_30_12/checkpolicy/ChangeLog 2006-09-28 12:16:58 UTC (rev 2035) 
@@ -0,0 +1,289 @@ +1.30.12 2006-09-28 + * Merged user and range_transition support for modules from + Darrel Goeddel + +1.30.11 2006-09-05 + * merged range_transition enhancements and user module format + changes from Darrel Goeddel + +1.30.10 2006-08-03 + * Merged symtab datum patch from Karl MacMillan. + +1.30.9 2006-06-29 + * Lindent. + +1.30.8 2006-06-29 + * Merged patch to remove TE rule conflict checking from the parser + from Joshua Brindle. This can only be done properly by the + expander. + +1.30.7 2006-06-27 + * Merged patch to make checkpolicy/checkmodule handling of + duplicate/conflicting TE rules the same as the expander + from Joshua Brindle. + +1.30.6 2006-06-26 + * Merged optionals in base take 2 patch set from Joshua Brindle. + +1.30.5 2006-05-05 + * Merged compiler cleanup patch from Karl MacMillan. + * Merged fix warnings patch from Karl MacMillan. + +1.30.4 2006-04-05 + * Changed require_class to reject permissions that have not been + declared if building a base module. + +1.30.3 2006-03-28 + * Fixed checkmodule to call link_modules prior to expand_module + to handle optionals. + +1.30.2 2006-03-28 + * Fixed require_class to avoid shadowing permissions already defined + in an inherited common definition. + +1.30.1 2006-03-22 + * Moved processing of role and user require statements to 2nd pass. + +1.30 2006-03-14 + * Updated version for release. + +1.29.5 2006-03-09 + * Fixed bug in role dominance (define_role_dom). + +1.29.4 2006-02-14 + * Added a check for failure to declare each sensitivity in + a level definition. + +1.29.3 2006-02-13 + * Changed to clone level data for aliased sensitivities to + avoid double free upon sens_destroy. Bug reported by Kevin + Carr of Tresys Technology. + +1.29.2 2006-02-13 + * Merged optionals in base patch from Joshua Brindle. + +1.29.1 2006-02-01 + * Merged sepol_av_to_string patch from Joshua Brindle. + +1.28 2005-12-07 + * Updated version for release. 
+ +1.27.20 2005-12-02 + * Merged checkmodule man page from Dan Walsh, and edited it. + +1.27.19 2005-12-01 + * Added error checking of all ebitmap_set_bit calls for out of + memory conditions. + +1.27.18 2005-12-01 + * Merged removal of compatibility handling of netlink classes + (requirement that policies with newer versions include the + netlink class definitions, remapping of fine-grained netlink + classes in newer source policies to single netlink class when + generating older policies) from George Coker. + +1.27.17 2005-10-25 + * Merged dismod fix from Joshua Brindle. + +1.27.16 2005-10-20 + * Removed obsolete cond_check_type_rules() function and call and + cond_optimize_lists() call from checkpolicy.c; these are handled + during parsing and expansion now. + +1.27.15 2005-10-19 + * Updated calls to expand_module for interface change. + +1.27.14 2005-10-19 + * Changed checkmodule to verify that expand_module succeeds + when building base modules. + +1.27.13 2005-10-19 + * Merged module compiler fixes from Joshua Brindle. + +1.27.12 2005-10-19 + * Removed direct calls to hierarchy_check_constraints() and + check_assertions() from checkpolicy since they are now called + internally by expand_module(). + +1.27.11 2005-10-18 + * Updated for changes to sepol policydb_index_others interface. + +1.27.10 2005-10-17 + * Updated for changes to sepol expand_module and link_modules interfaces. + +1.27.9 2005-10-13 + * Merged support for require blocks inside conditionals from + Joshua Brindle (Tresys). + +1.27.8 2005-10-06 + * Updated for changes to libsepol. + +1.27.7 2005-10-05 + * Merged several bug fixes from Joshua Brindle (Tresys). + +1.27.6 2005-10-03 + * Merged MLS in modules patch from Joshua Brindle (Tresys). + +1.27.5 2005-09-28 + * Merged error handling improvement in checkmodule from Karl MacMillan (Tresys). + +1.27.4 2005-09-26 + * Merged bugfix for dup role transition error messages from + Karl MacMillan (Tresys). 
+ +1.27.3 2005-09-23 + * Merged policyver/modulever patches from Joshua Brindle (Tresys). + +1.27.2 2005-09-20 + * Fixed parse_categories handling of undefined category. + +1.27.1 2005-09-16 + * Merged bug fix for role dominance handling from Darrel Goeddel (TCS). + +1.26 2005-09-06 + * Updated version for release. + +1.25.12 2005-08-22 + * Fixed handling of validatetrans constraint expressions. + Bug reported by Dan Walsh for checkpolicy -M. + +1.25.11 2005-08-18 + * Merged use-after-free fix from Serge Hallyn (IBM). + Bug found by Coverity. + +1.25.10 2005-08-15 + * Fixed further memory leaks found by valgrind. + +1.25.9 2005-08-15 + * Changed checkpolicy to destroy the policydbs prior to exit + to allow leak detection. + * Fixed several memory leaks found by valgrind. + +1.25.8 2005-08-11 + * Updated checkpolicy and dispol for the new avtab format. + Converted users of ebitmaps to new inline operators. + Note: The binary policy format version has been incremented to + version 20 as a result of these changes. To build a policy + for a kernel that does not yet include these changes, use + the -c 19 option to checkpolicy. + +1.25.7 2005-08-11 + * Merged patch to prohibit use of "self" as a type name from Jason Tang (Tresys). + +1.25.6 2005-08-10 + * Merged patch to fix dismod compilation from Joshua Brindle (Tresys). + +1.25.5 2005-08-09 + * Fixed call to hierarchy checking code to pass the right policydb. + +1.25.4 2005-08-02 + * Merged patch to update dismod for the relocation of the + module read/write code from libsemanage to libsepol, and + to enable build of test subdirectory from Jason Tang (Tresys). + +1.25.3 2005-07-18 + * Merged hierarchy check fix from Joshua Brindle (Tresys). + +1.25.2 2005-07-06 + * Merged loadable module support from Tresys Technology. + +1.25.1 2005-06-24 + * Merged patch to prohibit the use of * and ~ in type sets + (other than in neverallow statements) and in role sets + from Joshua Brindle (Tresys). 
+ +1.24 2005-06-20 + * Updated version for release. + +1.23.4 2005-05-19 + * Merged cleanup patch from Dan Walsh. + +1.23.3 2005-05-13 + * Added sepol_ prefix to Flask types to avoid namespace + collision with libselinux. + +1.23.2 2005-04-29 + * Merged identifier fix from Joshua Brindle (Tresys). + +1.23.1 2005-04-13 + * Merged hierarchical type/role patch from Tresys Technology. + * Merged MLS fixes from Darrel Goeddel of TCS. + +1.22 2005-03-09 + * Updated version for release. + +1.21.4 2005-02-17 + * Moved genpolusers utility to libsepol. + * Merged range_transition support from Darrel Goeddel (TCS). + +1.21.3 2005-02-16 + * Merged define_user() cleanup patch from Darrel Goeddel (TCS). + +1.21.2 2005-02-09 + * Changed relabel Makefile target to use restorecon. + +1.21.1 2005-01-26 + * Merged enhanced MLS support from Darrel Goeddel (TCS). + +1.20 2005-01-04 + * Merged typeattribute statement patch from Darrel Goeddel of TCS. + * Changed genpolusers to handle multiple user config files. + * Merged nodecon ordering patch from Chad Hanson of TCS. + +1.18 2004-10-07 + * MLS build fix. + * Fixed Makefile dependencies (Chris PeBenito). + * Merged fix for role dominance ordering issue from Chad Hanson of TCS. + * Preserve portcon ordering and apply more checking. + +1.16 2004-08-13 + * Allow empty conditional clauses. + * Moved genpolbools utility to libsepol. + * Updated for libsepol set functions. + * Changed to link with libsepol.a. + * Moved core functionality into libsepol. + * Merged bug fix for conditional self handling from Karl MacMillan, Dave Caplan, and Joshua Brindle of Tresys. + * Added genpolusers program. + * Fixed bug in checkpolicy conditional code. + +1.14 2004-06-28 + * Merged fix for MLS logic from Daniel Thayer of TCS. + * Require semicolon terminator for typealias statement. + +1.12 2004-06-16 + * Merged fine-grained netlink class support. + +1.10 2004-04-07 + * Merged ipv6 support from James Morris of RedHat. 
+ * Fixed compute_av bug discovered by Chad Hanson of TCS. + +1.8 2004-03-09 + * Merged policydb MLS patch from Chad Hanson of TCS. + * Fixed mmap of policy file. + +1.6 2004-02-18 + * Merged conditional policy extensions from Tresys Technology. + * Added typealias declaration support per Russell Coker's request. + * Added support for excluding types from type sets based on + a patch by David Caplan, but reimplemented as a change to the + policy grammar. + * Merged patch from Colin Walters to report source file name and line + number for errors when available. + * Un-deprecated role transitions. + +1.4 2003-12-01 + * Regenerated headers. + * Merged patches from Bastian Blank and Joerg Hoh. + +1.2 2003-09-30 + * Merged MLS build patch from Karl MacMillan of Tresys. + * Merged checkpolicy man page from Magosanyi Arpad. + +1.1 2003-08-13 + * Fixed endian bug in policydb_write for behavior value. + * License -> GPL. + * Merged coding style cleanups from James Morris. + +1.0 2003-07-11 + * Initial public release. + Deleted: tags/checkpolicy_1_30_12/checkpolicy/VERSION =================================================================== --- trunk/checkpolicy/VERSION 2006-09-18 19:13:13 UTC (rev 2032) +++ tags/checkpolicy_1_30_12/checkpolicy/VERSION 2006-09-28 12:16:58 UTC (rev 2035) @@ -1 +0,0 @@ -1.30.11 Copied: tags/checkpolicy_1_30_12/checkpolicy/VERSION (from rev 2034, trunk/checkpolicy/VERSION) =================================================================== --- tags/checkpolicy_1_30_12/checkpolicy/VERSION (rev 0) +++ tags/checkpolicy_1_30_12/checkpolicy/VERSION 2006-09-28 12:16:58 UTC (rev 2035) @@ -0,0 +1 @@ +1.30.12 Deleted: tags/checkpolicy_1_30_12/checkpolicy/module_compiler.c =================================================================== --- trunk/checkpolicy/module_compiler.c 2006-09-18 19:13:13 UTC (rev 2032) +++ tags/checkpolicy_1_30_12/checkpolicy/module_compiler.c 2006-09-28 12:16:58 UTC (rev 2035) 
@@ -1,1304 +0,0 @@ -/* Author : Joshua Brindle <jbr...@tr...> - * Karl MacMillan <kma...@tr...> - * Jason Tang <jt...@tr...> - * Added support for binary policy modules - * - * Copyright (C) 2004 - 2005 Tresys Technology, LLC - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation, version 2. - */ - -#include <assert.h> -#include <stdarg.h> -#include <stdlib.h> -#include <string.h> - -#include <sepol/policydb/policydb.h> -#include <sepol/policydb/avrule_block.h> -#include <sepol/policydb/conditional.h> - -#include "queue.h" -#include "module_compiler.h" - -union stack_item_u { - avrule_block_t *avrule; - cond_list_t *cond_list; -}; - -typedef struct scope_stack { - union stack_item_u u; - int type; /* for above union: 1 = avrule block, 2 = conditional */ - avrule_decl_t *decl; /* if in an avrule block, which - * declaration is current */ - avrule_t *last_avrule; - int in_else; /* if in an avrule block, within ELSE branch */ - int require_given; /* 1 if this block had at least one require */ - struct scope_stack *parent, *child; -} scope_stack_t; - -extern policydb_t *policydbp; -extern queue_t id_queue; -extern int yyerror(char *msg); -extern void yyerror2(char *fmt, ...); - -static int push_stack(int stack_type, ...); -static void pop_stack(void); - -/* keep track of the last item added to the stack */ -static scope_stack_t *stack_top = NULL; -static avrule_block_t *last_block; -static uint32_t next_decl_id = 1; - -int define_policy(int pass, int module_header_given) -{ - char *id; - - if (module_header_given) { - if (policydbp->policy_type != POLICY_MOD) { - yyerror - ("Module specification found while not building a policy module.\n"); - return -1; - } - - if (pass == 2) { - while ((id = queue_remove(id_queue)) != NULL) - free(id); - } else { - id = (char *)queue_remove(id_queue); - if (!id) { - yyerror("no module name"); - return -1; - } - 
policydbp->name = id; - if ((policydbp->version = - queue_remove(id_queue)) == NULL) { - yyerror - ("Expected a module version but none was found."); - return -1; - } - } - } else { - if (policydbp->policy_type == POLICY_MOD) { - yyerror - ("Building a policy module, but no module specification found.\n"); - return -1; - } - } - /* the first declaration within the global avrule - block will always have an id of 1 */ - next_decl_id = 2; - - /* reset the scoping stack */ - while (stack_top != NULL) { - pop_stack(); - } - if (push_stack(1, policydbp->global, policydbp->global->branch_list) == - -1) { - return -1; - } - last_block = policydbp->global; - return 0; -} - -/* Given the current parse stack, returns 1 if a declaration would be - * allowed here or 0 if not. For example, declarations are not - * allowed in conditionals, so if there are any conditionals in the - * current scope stack then this would return a 0. - */ -static int is_declaration_allowed(void) -{ - if (stack_top->type != 1 || stack_top->in_else) { - return 0; - } - return 1; -} - -/* Attempt to declare a symbol within the current declaration. If - * currently within a non-conditional and in a non-else branch then - * insert the symbol, return 0 on success if symbol was undeclared. - * For roles and users, it is legal to have multiple declarations; as - * such return 1 to indicate that caller must free() the datum because - * it was not added. If symbols may not be declared here return -1. - * For duplicate declarations return -2. For all else, including out - * of memory, return -3. Note that dest_value and datum_value might - * not be restricted pointers. 
*/ -int declare_symbol(uint32_t symbol_type, - hashtab_key_t key, hashtab_datum_t datum, - uint32_t * dest_value, uint32_t * datum_value) -{ - avrule_decl_t *decl = stack_top->decl; - int retval; - - /* first check that symbols may be declared here */ - if (!is_declaration_allowed()) { - return -1; - } - retval = symtab_insert(policydbp, symbol_type, key, datum, - SCOPE_DECL, decl->decl_id, dest_value); - if (retval == 1) { - symtab_datum_t *s = - (symtab_datum_t *) hashtab_search(policydbp-> - symtab[symbol_type].table, - key); - assert(s != NULL); - *dest_value = s->value; - } else if (retval == -2) { - return -2; - } else if (retval < 0) { - return -3; - } else { /* fall through possible if retval is 0 */ - } - if (datum_value != NULL) { - if (ebitmap_set_bit(decl->declared.scope + symbol_type, - *datum_value - 1, 1)) { - return -3; - } - } - return retval; -} - -role_datum_t *declare_role(void) -{ - char *id = queue_remove(id_queue), *dest_id = NULL; - role_datum_t *role = NULL, *dest_role = NULL; - int retval; - uint32_t value; - - if (id == NULL) { - yyerror("no role name"); - return NULL; - } - if ((role = (role_datum_t *) malloc(sizeof(*role))) == NULL) { - yyerror("Out of memory!"); - free(id); - return NULL; - } - role_datum_init(role); - - retval = - declare_symbol(SYM_ROLES, id, (hashtab_datum_t *) role, &value, - &value); - if (retval == 0) { - role->s.value = value; - if ((dest_id = strdup(id)) == NULL) { - yyerror("Out of memory!"); - return NULL; - } - } else { - /* this role was already declared in this module, or error */ - dest_id = id; - role_datum_destroy(role); - free(role); - } - if (retval == 0 || retval == 1) { - /* create a new role_datum_t for this decl, if necessary */ - hashtab_t roles_tab; - assert(stack_top->type == 1); - if (stack_top->parent == NULL) { - /* in parent, so use global symbol table */ - roles_tab = policydbp->p_roles.table; - } else { - roles_tab = stack_top->decl->p_roles.table; - } - dest_role = (role_datum_t *) 
hashtab_search(roles_tab, dest_id); - if (dest_role == NULL) { - if ((dest_role = - (role_datum_t *) malloc(sizeof(*dest_role))) == - NULL) { - yyerror("Out of memory!"); - free(dest_id); - return NULL; - } - role_datum_init(dest_role); - dest_role->s.value = value; - if (hashtab_insert(roles_tab, dest_id, dest_role)) { - yyerror("Out of memory!"); - free(dest_id); - role_datum_destroy(dest_role); - free(dest_role); - return NULL; - } - } else { - free(dest_id); - } - } else { - free(dest_id); - } - switch (retval) { - case -3:{ - yyerror("Out of memory!"); - return NULL; - } - case -2:{ - yyerror("duplicate declaration of role"); - return NULL; - } - case -1:{ - yyerror("could not declare role here"); - return NULL; - } - case 0:{ - if (ebitmap_set_bit - (&dest_role->dominates, role->s.value - 1, 1)) { - yyerror("out of memory"); - return NULL; - } - return dest_role; - } - case 1:{ - return dest_role; /* role already declared for this block */ - } - default:{ - assert(0); /* should never get here */ - } - } -} - -type_datum_t *declare_type(unsigned char primary, unsigned char isattr) -{ - char *id; - type_datum_t *typdatum; - int retval; - uint32_t value = 0; - - id = (char *)queue_remove(id_queue); - if (!id) { - yyerror("no type/attribute name?"); - return NULL; - } - if (strcmp(id, "self") == 0) { - yyerror - ("'self' is a reserved type name and may not be declared."); - free(id); - return NULL; - } - - typdatum = (type_datum_t *) malloc(sizeof(type_datum_t)); - if (!typdatum) { - yyerror("Out of memory!"); - free(id); - return NULL; - } - type_datum_init(typdatum); - typdatum->primary = primary; - typdatum->flavor = isattr ? 
TYPE_ATTRIB : TYPE_TYPE; - - retval = declare_symbol(SYM_TYPES, id, typdatum, &value, &value); - if (retval == 0 || retval == 1) { - if (typdatum->primary) { - typdatum->s.value = value; - } - } else { - /* error occurred (can't have duplicate type declarations) */ - free(id); - type_datum_destroy(typdatum); - free(typdatum); - } - switch (retval) { - case -3:{ - yyerror("Out of memory!"); - return NULL; - } - case -2:{ - yyerror2("duplicate declaration of type/attribute"); - return NULL; - } - case -1:{ - yyerror("could not declare type/attribute here"); - return NULL; - } - case 0: - case 1:{ - return typdatum; - } - default:{ - assert(0); /* should never get here */ - } - } -} - -user_datum_t *declare_user(void) -{ - char *id = queue_remove(id_queue), *dest_id = NULL; - user_datum_t *user = NULL, *dest_user = NULL; - int retval; - uint32_t value = 0; - - if (id == NULL) { - yyerror("no user name"); - return NULL; - } - if ((user = (user_datum_t *) malloc(sizeof(*user))) == NULL) { - yyerror("Out of memory!"); - free(id); - return NULL; - } - user_datum_init(user); - - retval = - declare_symbol(SYM_USERS, id, (hashtab_datum_t *) user, &value, - &value); - - if (retval == 0) { - user->s.value = value; - if ((dest_id = strdup(id)) == NULL) { - yyerror("Out of memory!"); - return NULL; - } - } else { - /* this user was already declared in this module, or error */ - dest_id = id; - user_datum_destroy(user); - free(user); - } - if (retval == 0 || retval == 1) { - /* create a new user_datum_t for this decl, if necessary */ - hashtab_t users_tab; - assert(stack_top->type == 1); - if (stack_top->parent == NULL) { - /* in parent, so use global symbol table */ - users_tab = policydbp->p_users.table; - } else { - users_tab = stack_top->decl->p_users.table; - } - dest_user = (user_datum_t *) hashtab_search(users_tab, dest_id); - if (dest_user == NULL) { - if ((dest_user = - (user_datum_t *) malloc(sizeof(*dest_user))) == - NULL) { - yyerror("Out of memory!"); - 
free(dest_id); - return NULL; - } - user_datum_init(dest_user); - dest_user->s.value = value; - if (hashtab_insert(users_tab, dest_id, dest_user)) { - yyerror("Out of memory!"); - free(dest_id); - user_datum_destroy(dest_user); - free(dest_user); - return NULL; - } - } else { - free(dest_id); - } - } else { - free(dest_id); - } - switch (retval) { - case -3:{ - yyerror("Out of memory!"); - return NULL; - } - case -2:{ - yyerror("duplicate declaration of user"); - return NULL; - } - case -1:{ - yyerror("could not declare user here"); - return NULL; - } - case 0:{ - return dest_user; - } - case 1:{ - return dest_user; /* user already declared for this block */ - } - default:{ - assert(0); /* should never get here */ - } - } -} - -/* Return a type_datum_t for the local avrule_decl with the given ID. - * If it does not exist, create one with the same value as 'value'. - * This function assumes that the ID is within scope. c.f., - * is_id_in_scope(). - * - * NOTE: this function usurps ownership of id afterwards. The caller - * shall not reference it nor free() it afterwards. - */ -type_datum_t *get_local_type(char *id, uint32_t value, unsigned char isattr) -{ - type_datum_t *dest_typdatum; - hashtab_t types_tab; - assert(stack_top->type == 1); - if (stack_top->parent == NULL) { - /* in global, so use global symbol table */ - types_tab = policydbp->p_types.table; - } else { - types_tab = stack_top->decl->p_types.table; - } - dest_typdatum = hashtab_search(types_tab, id); - if (!dest_typdatum) { - dest_typdatum = (type_datum_t *) malloc(sizeof(type_datum_t)); - if (dest_typdatum == NULL) { - free(id); - return NULL; - } - type_datum_init(dest_typdatum); - dest_typdatum->s.value = value; - dest_typdatum->flavor = isattr ? 
TYPE_ATTRIB : TYPE_TYPE; - dest_typdatum->primary = 1; - if (hashtab_insert(types_tab, id, dest_typdatum)) { - free(id); - type_datum_destroy(dest_typdatum); - free(dest_typdatum); - return NULL; - } - - } else { - free(id); - if (dest_typdatum->flavor != isattr ? TYPE_ATTRIB : TYPE_TYPE) { - return NULL; - } - } - return dest_typdatum; -} - -/* Given the current parse stack, returns 1 if a requirement would be - * allowed here or 0 if not. For example, the ELSE branch may never - * have its own requirements. - */ -static int is_require_allowed(void) -{ - if (stack_top->type == 1 && !stack_top->in_else) { - return 1; - } - return 0; -} - -/* Attempt to require a symbol within the current scope. If currently - * within an optional (and not its else branch), add the symbol to the - * required list. Return 0 on success, 1 if caller needs to free() - * datum. If symbols may not be declared here return -1. For duplicate - * declarations return -2. For all else, including out of memory, - * return -3.. Note that dest_value and datum_value might not be - * restricted pointers. 
- */ -int require_symbol(uint32_t symbol_type, - hashtab_key_t key, hashtab_datum_t datum, - uint32_t * dest_value, uint32_t * datum_value) -{ - avrule_decl_t *decl = stack_top->decl; - int retval; - - /* first check that symbols may be required here */ - if (!is_require_allowed()) { - return -1; - } - retval = symtab_insert(policydbp, symbol_type, key, datum, - SCOPE_REQ, decl->decl_id, dest_value); - if (retval == 1) { - symtab_datum_t *s = - (symtab_datum_t *) hashtab_search(policydbp-> - symtab[symbol_type].table, - key); - assert(s != NULL); - *dest_value = s->value; - } else if (retval == -2) { - /* ignore require statements if that symbol was - * previously declared and is in current scope */ - int prev_declaration_ok = 0; - if (is_id_in_scope(symbol_type, key)) { - if (symbol_type == SYM_TYPES) { - /* check that previous symbol has same - * type/attribute-ness */ - unsigned char new_isattr = - ((type_datum_t *) datum)->flavor; - type_datum_t *old_datum = - (type_datum_t *) hashtab_search(policydbp-> - symtab - [SYM_TYPES]. - table, key); - assert(old_datum != NULL); - unsigned char old_isattr = old_datum->flavor; - prev_declaration_ok = - (old_isattr == new_isattr ? 
1 : 0); - } else { - prev_declaration_ok = 1; - } - } - if (prev_declaration_ok) { - /* ignore this require statement because it - * was already declared within my scope */ - stack_top->require_given = 1; - return 1; - } else { - /* previous declaration was not in scope or - * had a mismatched type/attribute, so - * generate an error */ - return -2; - } - } else if (retval < 0) { - return -3; - } else { /* fall through possible if retval is 0 or 1 */ - } - if (datum_value != NULL) { - if (ebitmap_set_bit(decl->required.scope + symbol_type, - *datum_value - 1, 1)) { - return -3; - } - } - stack_top->require_given = 1; - return retval; -} - -int add_perm_to_class(uint32_t perm_value, uint32_t class_value) -{ - avrule_decl_t *decl = stack_top->decl; - scope_index_t *scope; - - assert(perm_value >= 1); - assert(class_value >= 1); - scope = &decl->required; - if (class_value > scope->class_perms_len) { - int i; - ebitmap_t *new_map = realloc(scope->class_perms_map, - class_value * sizeof(*new_map)); - if (new_map == NULL) { - return -1; - } - scope->class_perms_map = new_map; - for (i = scope->class_perms_len; i < class_value; i++) { - ebitmap_init(scope->class_perms_map + i); - } - scope->class_perms_len = class_value; - } - if (ebitmap_set_bit(scope->class_perms_map + class_value - 1, - perm_value - 1, 1)) { - return -1; - } - return 0; -} - -static int perm_destroy(hashtab_key_t key, hashtab_datum_t datum, void *p - __attribute__ ((unused))) -{ - if (key) - free(key); - free(datum); - return 0; -} - -static void class_datum_destroy(class_datum_t * cladatum) -{ - if (cladatum != NULL) { - hashtab_map(cladatum->permissions.table, perm_destroy, NULL); - hashtab_destroy(cladatum->permissions.table); - free(cladatum); - } -} - -int require_class(int pass) -{ - char *class_id = queue_remove(id_queue); - char *perm_id = NULL; - class_datum_t *datum = NULL; - perm_datum_t *perm = NULL; - int ret; - - if (pass == 2) { - free(class_id); - while ((perm_id = 
queue_remove(id_queue)) != NULL) - free(perm_id); - return 0; - } - - /* first add the class if it is not already there */ - if (class_id == NULL) { - yyerror("no class name for class definition?"); - return -1; - } - - if ((datum = calloc(1, sizeof(*datum))) == NULL || - symtab_init(&datum->permissions, PERM_SYMTAB_SIZE)) { - yyerror("Out of memory!"); - goto cleanup; - } - ret = - require_symbol(SYM_CLASSES, class_id, datum, &datum->s.value, - &datum->s.value); - switch (ret) { - case -3:{ - yyerror("Out of memory!"); - free(class_id); - class_datum_destroy(datum); - goto cleanup; - } - case -2:{ - yyerror("duplicate declaration of class"); - free(class_id); - class_datum_destroy(datum); - goto cleanup; - } - case -1:{ - yyerror("could not require class here"); - free(class_id); - class_datum_destroy(datum); - goto cleanup; - } - case 0:{ - /* a new class was added; reindex everything */ - if (policydb_index_classes(policydbp)) { - yyerror("Out of memory!"); - goto cleanup; - } - break; - } - case 1:{ - class_datum_destroy(datum); - datum = - hashtab_search(policydbp->p_classes.table, - class_id); - assert(datum); /* the class datum should have existed */ - free(class_id); - break; - } - default:{ - assert(0); /* should never get here */ - } - } - - /* now add each of the permissions to this class's requirements */ - while ((perm_id = queue_remove(id_queue)) != NULL) { - int allocated = 0; - - /* Is the permission already in the table? */ - perm = hashtab_search(datum->permissions.table, perm_id); - if (!perm && datum->comdatum) - perm = - hashtab_search(datum->comdatum->permissions.table, - perm_id); - if (perm) { - /* Yes, drop the name. */ - free(perm_id); - } else { - /* No - allocate and insert an entry for it. 
*/ - if (policydbp->policy_type == POLICY_BASE) { - yyerror2 - ("Base policy - require of permission %s without prior declaration.", - perm_id); - free(perm_id); - goto cleanup; - } - allocated = 1; - if ((perm = malloc(sizeof(*perm))) == NULL) { - yyerror("Out of memory!"); - free(perm_id); - goto cleanup; - } - memset(perm, 0, sizeof(*perm)); - ret = - hashtab_insert(datum->permissions.table, perm_id, - perm); - if (ret) { - yyerror("Out of memory!"); - free(perm_id); - free(perm); - goto cleanup; - } - perm->s.value = datum->permissions.nprim + 1; - } - - if (add_perm_to_class(perm->s.value, datum->s.value) == -1) { - yyerror("Out of memory!"); - goto cleanup; - } - - /* Update number of primitives if we allocated one. */ - if (allocated) - datum->permissions.nprim++; - } - return 0; - cleanup: - return -1; -} - -int require_role(int pass) -{ - char *id = queue_remove(id_queue); - role_datum_t *role = NULL; - int retval; - if (pass == 2) { - free(id); - return 0; - } - if (id == NULL) { - yyerror("no role name"); - return -1; - } - if ((role = malloc(sizeof(*role))) == NULL) { - free(id); - yyerror("Out of memory!"); - return -1; - } - role_datum_init(role); - retval = - require_symbol(SYM_ROLES, id, (hashtab_datum_t *) role, - &role->s.value, &role->s.value); - if (retval != 0) { - free(id); - role_datum_destroy(role); - free(role); - } - switch (retval) { - case -3:{ - yyerror("Out of memory!"); - return -1; - } - case -2:{ - yyerror("duplicate declaration of role"); - return -1; - } - case -1:{ - yyerror("could not require role here"); - return -1; - } - case 0:{ - /* all roles dominate themselves */ - if (ebitmap_set_bit - (&role->dominates, role->s.value - 1, 1)) { - yyerror("Out of memory"); - return -1; - } - return 0; - } - case 1:{ - return 0; /* role already required */ - } - default:{ - assert(0); /* should never get here */ - } - } -} - -static int require_type_or_attribute(int pass, unsigned char isattr) -{ - char *id = queue_remove(id_queue); - 
type_datum_t *type = NULL; - int retval; - if (pass == 2) { - free(id); - return 0; - } - if (id == NULL) { - yyerror("no type name"); - return -1; - } - if ((type = malloc(sizeof(*type))) == NULL) { - free(id); - yyerror("Out of memory!"); - return -1; - } - type_datum_init(type); - type->primary = 1; - type->flavor = isattr ? TYPE_ATTRIB : TYPE_TYPE; - retval = - require_symbol(SYM_TYPES, id, (hashtab_datum_t *) type, - &type->s.value, &type->s.value); - if (retval != 0) { - free(id); - free(type); - } - switch (retval) { - case -3:{ - yyerror("Out of memory!"); - return -1; - } - case -2:{ - yyerror("duplicate declaration of type/attribute"); - return -1; - } - case -1:{ - yyerror("could not require type/attribute here"); - return -1; - } - case 0:{ - return 0; - } - case 1:{ - return 0; /* type already required */ - } - default:{ - assert(0); /* should never get here */ - } - } -} - -int require_type(int pass) -{ - return require_type_or_attribute(pass, 0); -} - -int require_attribute(int pass) -{ - return require_type_or_attribute(pass, 1); -} - -int require_user(int pass) -{ - char *id = queue_remove(id_queue); - user_datum_t *user = NULL; - int retval; - if (pass == 1) { - free(id); - return 0; - } - if (id == NULL) { - yyerror("no user name"); - return -1; - } - if ((user = malloc(sizeof(*user))) == NULL) { - free(id); - yyerror("Out of memory!"); - return -1; - } - user_datum_init(user); - retval = - require_symbol(SYM_USERS, id, (hashtab_datum_t *) user, - &user->s.value, &user->s.value); - if (retval != 0) { - free(id); - user_datum_destroy(user); - } - switch (retval) { - case -3:{ - yyerror("Out of memory!"); - return -1; - } - case -2:{ - yyerror("duplicate declaration of user"); - return -1; - } - case -1:{ - yyerror("could not require user here"); - return -1; - } - case 0:{ - return 0; - } - case 1:{ - return 0; /* user already required */ - } - default:{ - assert(0); /* should never get here */ - } - } -} - -int require_bool(int pass) -{ - char 
*id = queue_remove(id_queue); - cond_bool_datum_t *booldatum = NULL; - int retval; - if (pass == 2) { - free(id); - return 0; - } - if (id == NULL) { - yyerror("no boolean name"); - return -1; - } - if ((booldatum = calloc(1, sizeof(*booldatum))) == NULL) { - cond_destroy_bool(id, booldatum, NULL); - yyerror("Out of memory!"); - return -1; - } - retval = - require_symbol(SYM_BOOLS, id, (hashtab_datum_t *) booldatum, - &booldatum->s.value, &booldatum->s.value); - if (retval != 0) { - cond_destroy_bool(id, booldatum, NULL); - } - switch (retval) { - case -3:{ - yyerror("Out of memory!"); - return -1; - } - case -2:{ - yyerror("duplicate declaration of boolean"); - return -1; - } - case -1:{ - yyerror("could not require boolean here"); - return -1; - } - case 0:{ - return 0; - } - case 1:{ - return 0; /* boolean already required */ - } - default:{ - assert(0); /* should never get here */ - } - } -} - -static int is_scope_in_stack(scope_datum_t * scope, scope_stack_t * stack) -{ - int i; - if (stack == NULL) { - return 0; /* no matching scope found */ - } - if (stack->type == 1) { - avrule_decl_t *decl = stack->decl; - for (i = 0; i < scope->decl_ids_len; i++) { - if (scope->decl_ids[i] == decl->decl_id) { - return 1; - } - } - } else { - /* note that conditionals can't declare or require - * symbols, so skip this level */ - } - - /* not within scope of this stack, so try its parent */ - return is_scope_in_stack(scope, stack->parent); -} - -int is_id_in_scope(uint32_t symbol_type, hashtab_key_t id) -{ - scope_datum_t *scope = - (scope_datum_t *) hashtab_search(policydbp->scope[symbol_type]. 
- table, id); - if (scope == NULL) { - return 1; /* id is not known, so return success */ - } - return is_scope_in_stack(scope, stack_top); -} - -static int is_perm_in_scope_index(uint32_t perm_value, uint32_t class_value, - scope_index_t * scope) -{ - if (class_value > scope->class_perms_len) { - return 1; - } - if (ebitmap_get_bit(scope->class_perms_map + class_value - 1, - perm_value - 1)) { - return 1; - } - return 0; -} - -static int is_perm_in_stack(uint32_t perm_value, uint32_t class_value, - scope_stack_t * stack) -{ - if (stack == NULL) { - return 0; /* no matching scope found */ - } - if (stack->type == 1) { - avrule_decl_t *decl = stack->decl; - if (is_perm_in_scope_index - (perm_value, class_value, &decl->required) - || is_perm_in_scope_index(perm_value, class_value, - &decl->declared)) { - return 1; - } - } else { - /* note that conditionals can't declare or require - * symbols, so skip this level */ - } - - /* not within scope of this stack, so try its parent */ - return is_perm_in_stack(perm_value, class_value, stack->parent); -} - -int is_perm_in_scope(hashtab_key_t perm_id, hashtab_key_t class_id) -{ - class_datum_t *cladatum = - (class_datum_t *) hashtab_search(policydbp->p_classes.table, - class_id); - perm_datum_t *perdatum; - if (cladatum == NULL) { - return 1; - } - perdatum = (perm_datum_t *) hashtab_search(cladatum->permissions.table, - perm_id); - if (perdatum == NULL) { - return 1; - } - return is_perm_in_stack(perdatum->s.value, cladatum->s.value, - stack_top); -} - -cond_list_t *get_current_cond_list(cond_list_t * cond) -{ - /* FIX ME: do something different here if in a nested - * conditional? */ - avrule_decl_t *decl = stack_top->decl; - return get_decl_cond_list(policydbp, decl, cond); -} - -/* Append the new conditional node to the existing ones. During - * expansion the list will be reversed -- i.e., the last AV rule will - * be the first one listed in the policy. This matches the behavior - * of the upstream compiler. 
*/ -void append_cond_list(cond_list_t * cond) -{ - cond_list_t *old_cond = get_current_cond_list(cond); - avrule_t *tmp; - assert(old_cond != NULL); /* probably out of memory */ - if (old_cond->avtrue_list == NULL) { - old_cond->avtrue_list = cond->avtrue_list; - } else { - for (tmp = old_cond->avtrue_list; tmp->next != NULL; - tmp = tmp->next) ; - tmp->next = cond->avtrue_list; - } - if (old_cond->avfalse_list == NULL) { - old_cond->avfalse_list = cond->avfalse_list; - } else { - for (tmp = old_cond->avfalse_list; tmp->next != NULL; - tmp = tmp->next) ; - tmp->next = cond->avfalse_list; - } -} - -void append_avrule(avrule_t * avrule) -{ - avrule_decl_t *decl = stack_top->decl; - - /* currently avrules follow a completely different code path - * for handling avrules and compute types - * (define_cond_avrule_te_avtab, define_cond_compute_type); - * therefore there ought never be a conditional on top of the - * scope stack */ - assert(stack_top->type == 1); - - if (stack_top->last_avrule == NULL) { - decl->avrules = avrule; - } else { - stack_top->last_avrule->next = avrule; - } - stack_top->last_avrule = avrule; -} - -/* this doesn't actually append, but really prepends it */ -void append_role_trans(role_trans_rule_t * role_tr_rules) -{ - avrule_decl_t *decl = stack_top->decl; - - /* role transitions are not allowed within conditionals */ - assert(stack_top->type == 1); - - role_tr_rules->next = decl->role_tr_rules; - decl->role_tr_rules = role_tr_rules; -} - -/* this doesn't actually append, but really prepends it */ -void append_role_allow(role_allow_rule_t * role_allow_rules) -{ - avrule_decl_t *decl = stack_top->decl; - - /* role allows are not allowed within conditionals */ - assert(stack_top->type == 1); - - role_allow_rules->next = decl->role_allow_rules; - decl->role_allow_rules = role_allow_rules; -} - -/* this doesn't actually append, but really prepends it */ -void append_range_trans(range_trans_rule_t * range_tr_rules) -{ - avrule_decl_t *decl = 
stack_top->decl; - - /* range transitions are not allowed within conditionals */ - assert(stack_top->type == 1); - - range_tr_rules->next = decl->range_tr_rules; - decl->range_tr_rules = range_tr_rules; -} - -int begin_optional(int pass) -{ - avrule_block_t *block = NULL; - avrule_decl_t *decl; - if (pass == 1) { - /* allocate a new avrule block for this optional block */ - if ((block = avrule_block_create()) == NULL || - (decl = avrule_decl_create(next_decl_id)) == NULL) { - goto cleanup; - } - block->flags |= AVRULE_OPTIONAL; - block->branch_list = decl; - last_block->next = block; - } else { - /* select the next block from the chain built during pass 1 */ - block = last_block->next; - assert(block != NULL && - block->branch_list != NULL && - block->branch_list->decl_id == next_decl_id); - decl = block->branch_list; - } - if (push_stack(1, block, decl) == -1) { - goto cleanup; - } - stack_top->last_avrule = NULL; - last_block = block; - next_decl_id++; - return 0; - cleanup: - yyerror("Out of memory!"); - avrule_block_destroy(block); - return -1; -} - -int end_optional(int pass) -{ - /* once nested conditionals are allowed, do the stack unfolding here */ - pop_stack(); - return 0; -} - -int begin_optional_else(int pass) -{ - avrule_decl_t *decl; - assert(stack_top->type == 1 && stack_top->in_else == 0); - if (pass == 1) { - /* allocate a new declaration and add it to the - * current chain */ - if ((decl = avrule_decl_create(next_decl_id)) == NULL) { - yyerror("Out of memory!"); - return -1; - } - stack_top->decl->next = decl; - } else { - /* pick the (hopefully last) declaration of this - avrule block, built from pass 1 */ - decl = stack_top->decl->next; - assert(decl != NULL && - decl->next == NULL && decl->decl_id == next_decl_id); - } - stack_top->in_else = 1; - stack_top->decl = decl; - stack_top->last_avrule = NULL; - stack_top->require_given = 0; - next_decl_id++; - return 0; -} - -static int copy_requirements(avrule_decl_t * dest, scope_stack_t * stack) -{ 
- int i; - if (stack == NULL) { - return 0; - } - if (stack->type == 1) { - scope_index_t *src_scope = &stack->decl->required; - scope_index_t *dest_scope = &dest->required; - for (i = 0; i < SYM_NUM; i++) { - ebitmap_t *src_bitmap = &src_scope->scope[i]; - ebitmap_t *dest_bitmap = &dest_scope->scope[i]; - if (ebitmap_union(dest_bitmap, src_bitmap)) { - yyerror("Out of memory!"); - return -1; - } - } - /* now copy class permissions */ - if (src_scope->class_perms_len > dest_scope->class_perms_len) { - ebitmap_t *new_map = - realloc(dest_scope->class_perms_map, - src_scope->class_perms_len * - sizeof(*new_map)); - if (new_map == NULL) { - yyerror("Out of memory!"); - return -1; - } - dest_scope->class_perms_map = new_map; - for (i = dest_scope->class_perms_len; - i < src_scope->class_perms_len; i++) { - ebitmap_init(dest_scope->class_perms_map + i); - } - dest_scope->class_perms_len = - src_scope->class_perms_len; - } - for (i = 0; i < src_scope->class_perms_len; i++) { - ebitmap_t *src_bitmap = &src_scope->class_perms_map[i]; - ebitmap_t *dest_bitmap = - &dest_scope->class_perms_map[i]; - if (ebitmap_union(dest_bitmap, src_bitmap)) { - yyerror("Out of memory!"); - return -1; - } - } - } - return copy_requirements(dest, stack->parent); -} - -/* During pass 1, check that at least one thing was required within - * this block, for those places where a REQUIRED is necessary. During - * pass 2, have this block inherit its parents' requirements. Return - * 0 on success, -1 on failure. 
*/ -int end_avrule_block(int pass) -{ - avrule_decl_t *decl = stack_top->decl; - assert(stack_top->type == 1); - if (pass == 2) { - /* this avrule_decl inherits all of its parents' - * requirements */ - if (copy_requirements(decl, stack_top->parent) == -1) { - return -1; - } - return 0; - } - if (!stack_top->in_else && !stack_top->require_given) { - if (policydbp->policy_type == POLICY_BASE - && stack_top->parent != NULL) { - /* if this is base no require should be in the global block */ - return 0; - } else { - /* non-ELSE branches must have at least one thing required */ - yyerror("This block has no require section."); - return -1; - } - } - return 0; -} - -/* Push a new scope on to the stack and update the 'last' pointer. - * Return 0 on success, -1 if out * of memory. */ -static int push_stack(int stack_type, ...) -{ - scope_stack_t *s = calloc(1, sizeof(*s)); - va_list ap; - if (s == NULL) { - return -1; - } - va_start(ap, stack_type); - switch (s->type = stack_type) { - case 1:{ - s->u.avrule = va_arg(ap, avrule_block_t *); - s->decl = va_arg(ap, avrule_decl_t *); - break; - } - case 2:{ - s->u.cond_list = va_arg(ap, cond_list_t *); - break; - } - default: - /* invalid stack type given */ - assert(0); - } - va_end(ap); - s->parent = stack_top; - s->child = NULL; - stack_top = s; - return 0; -} - -/* Pop off the most recently added from the stack. Update the 'last' - * pointer. */ -static void pop_stack(void) -{ - scope_stack_t *parent; - assert(stack_top != NULL); - parent = stack_top->parent; - if (parent != NULL) { - parent->child = NULL; - } - free(stack_top); - stack_top = parent; -} Copied: tags/checkpolicy_1_30_12/checkpolicy/module_compiler.c (from rev 2033, trunk/checkpolicy/module_compiler.c) =================================================================== --- tags/checkpolicy_1_30_12/checkpolicy/module_compiler.c (rev 0) +++ tags/checkpolicy_1_30_12/checkpolicy/module_compiler.c 2006-09-28 12:16:58 UTC (rev 2035) 
@@ -0,0 +1,1420 @@ +/* Author : Joshua Brindle <jbr...@tr...> + * Karl MacMillan <kma...@tr...> + * Jason Tang <jt...@tr...> + * Added support for binary policy modules + * + * Copyright (C) 2004 - 2005 Tresys Technology, LLC + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation, version 2. + */ + +#include <assert.h> +#include <stdarg.h> +#include <stdlib.h> +#include <string.h> + +#include <sepol/policydb/policydb.h> +#include <sepol/policydb/avrule_block.h> +#include <sepol/policydb/conditional.h> + +#include "queue.h" +#include "module_compiler.h" + +union stack_item_u { + avrule_block_t *avrule; + cond_list_t *cond_list; +}; + +typedef struct scope_stack { + union stack_item_u u; + int type; /* for above union: 1 = avrule block, 2 = conditional */ + avrule_decl_t *decl; /* if in an avrule block, which + * declaration is current */ + avrule_t *last_avrule; + int in_else; /* if in an avrule block, within ELSE branch */ + int require_given; /* 1 if this block had at least one require */ + struct scope_stack *parent, *child; +} scope_stack_t; + +extern policydb_t *policydbp; +extern queue_t id_queue; +extern int yyerror(char *msg); +extern void yyerror2(char *fmt, ...); + +static int push_stack(int stack_type, ...); +static void pop_stack(void); + +/* keep track of the last item added to the stack */ +static scope_stack_t *stack_top = NULL; +static avrule_block_t *last_block; +static uint32_t next_decl_id = 1; + +int define_policy(int pass, int module_header_given) +{ + char *id; + + if (module_header_given) { + if (policydbp->policy_type != POLICY_MOD) { + yyerror + ("Module specification found while not building a policy module.\n"); + return -1; + } + + if (pass == 2) { + while ((id = queue_remove(id_queue)) != NULL) + free(id); + } else { + id = (char *)queue_remove(id_queue); + if (!id) { + yyerror("no module name"); + return -1; + } + 
policydbp->name = id; + if ((policydbp->version = + queue_remove(id_queue)) == NULL) { + yyerror + ("Expected a module version but none was found."); + return -1; + } + } + } else { + if (policydbp->policy_type == POLICY_MOD) { + yyerror + ("Building a policy module, but no module specification found.\n"); + return -1; + } + } + /* the first declaration within the global avrule + block will always have an id of 1 */ + next_decl_id = 2; + + /* reset the scoping stack */ + while (stack_top != NULL) { + pop_stack(); + } + if (push_stack(1, policydbp->global, policydbp->global->branch_list) == + -1) { + return -1; + } + last_block = policydbp->global; + return 0; +} + +/* Given the current parse stack, returns 1 if a declaration would be + * allowed here or 0 if not. For example, declarations are not + * allowed in conditionals, so if there are any conditionals in the + * current scope stack then this would return a 0. + */ +static int is_declaration_allowed(void) +{ + if (stack_top->type != 1 || stack_top->in_else) { + return 0; + } + return 1; +} + +/* Attempt to declare a symbol within the current declaration. If + * currently within a non-conditional and in a non-else branch then + * insert the symbol, return 0 on success if symbol was undeclared. + * For roles and users, it is legal to have multiple declarations; as + * such return 1 to indicate that caller must free() the datum because + * it was not added. If symbols may not be declared here return -1. + * For duplicate declarations return -2. For all else, including out + * of memory, return -3. Note that dest_value and datum_value might + * not be restricted pointers. 
*/ +int declare_symbol(uint32_t symbol_type, + hashtab_key_t key, hashtab_datum_t datum, + uint32_t * dest_value, uint32_t * datum_value) +{ + avrule_decl_t *decl = stack_top->decl; + int retval; + + /* first check that symbols may be declared here */ + if (!is_declaration_allowed()) { + return -1; + } + retval = symtab_insert(policydbp, symbol_type, key, datum, + SCOPE_DECL, decl->decl_id, dest_value); + if (retval == 1) { + symtab_datum_t *s = + (symtab_datum_t *) hashtab_search(policydbp-> + symtab[symbol_type].table, + key); + assert(s != NULL); + *dest_value = s->value; + } else if (retval == -2) { + return -2; + } else if (retval < 0) { + return -3; + } else { /* fall through possible if retval is 0 */ + } + if (datum_value != NULL) { + if (ebitmap_set_bit(decl->declared.scope + symbol_type, + *datum_value - 1, 1)) { + return -3; + } + } + return retval; +} + +role_datum_t *declare_role(void) +{ + char *id = queue_remove(id_queue), *dest_id = NULL; + role_datum_t *role = NULL, *dest_role = NULL; + int retval; + uint32_t value; + + if (id == NULL) { + yyerror("no role name"); + return NULL; + } + if ((role = (role_datum_t *) malloc(sizeof(*role))) == NULL) { + yyerror("Out of memory!"); + free(id); + return NULL; + } + role_datum_init(role); + + retval = + declare_symbol(SYM_ROLES, id, (hashtab_datum_t *) role, &value, + &value); + if (retval == 0) { + role->s.value = value; + if ((dest_id = strdup(id)) == NULL) { + yyerror("Out of memory!"); + return NULL; + } + } else { + /* this role was already declared in this module, or error */ + dest_id = id; + role_datum_destroy(role); + free(role); + } + if (retval == 0 || retval == 1) { + /* create a new role_datum_t for this decl, if necessary */ + hashtab_t roles_tab; + assert(stack_top->type == 1); + if (stack_top->parent == NULL) { + /* in parent, so use global symbol table */ + roles_tab = policydbp->p_roles.table; + } else { + roles_tab = stack_top->decl->p_roles.table; + } + dest_role = (role_datum_t *) 
hashtab_search(roles_tab, dest_id); + if (dest_role == NULL) { + if ((dest_role = + (role_datum_t *) malloc(sizeof(*dest_role))) == + NULL) { + yyerror("Out of memory!"); + free(dest_id); + return NULL; + } + role_datum_init(dest_role); + dest_role->s.value = value; + if (hashtab_insert(roles_tab, dest_id, dest_role)) { + yyerror("Out of memory!"); + free(dest_id); + role_datum_destroy(dest_role); + free(dest_role); + return NULL; + } + } else { + free(dest_id); + } + } else { + free(dest_id); + } + switch (retval) { + case -3:{ + yyerror("Out of memory!"); + return NULL; + } + case -2:{ + yyerror("duplicate declaration of role"); + return NULL; + } + case -1:{ + yyerror("could not declare role here"); + return NULL; + } + case 0:{ + if (ebitmap_set_bit + (&dest_role->dominates, role->s.value - 1, 1)) { + yyer... [truncated message content] |
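Review bot: In the removed begin_optional() of the checkpolicy module_compiler.c deletion hunk, the cleanup: label calls avrule_block_destroy(block) on a block that is still reachable from the block chain: in pass 1 the line "last_block->next = block;" runs before push_stack() is attempted, and in pass 2 the block is taken from "block = last_block->next;" (built during pass 1), so a failing push_stack() frees a block that last_block->next still points to. Suggest linking the new block into the chain only after push_stack() succeeds, and on the pass 2 path returning -1 without destroying anything. Since the tag is re-copied from trunk at rev 2033, the copied file deserves the same check before 1.30.12 is cut.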
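Review bot: In the copied module_compiler.c hunk, the comment above is_declaration_allowed() says a declaration is rejected "if there are any conditionals in the current scope stack", but the function only looks at stack_top (type != 1 or in_else) and never walks ->parent. Either walk the stack to the root as the comment describes, or reword the comment to say that only the innermost scope is consulted (sufficient only as long as an optional block can never be opened inside a conditional). Two smaller points in the same hunk: yyerror() is declared as taking char *msg yet every call passes a string literal, so const char * would be the correct prototype; and the two messages in define_policy() end in "\n" while the other yyerror() messages in the file do not.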
From: <mad...@us...> - 2006-09-28 12:19:13
Revision: 2036 http://svn.sourceforge.net/selinux/?rev=2036&view=rev Author: madmethod Date: 2006-09-28 05:18:30 -0700 (Thu, 28 Sep 2006) Log Message: ----------- tag for libsepol 1.12.27 Added Paths: ----------- tags/libsepol_1_12_27/ tags/libsepol_1_12_27/libsepol/ tags/libsepol_1_12_27/libsepol/ChangeLog tags/libsepol_1_12_27/libsepol/VERSION tags/libsepol_1_12_27/libsepol/include/sepol/policydb/policydb.h tags/libsepol_1_12_27/libsepol/src/expand.c tags/libsepol_1_12_27/libsepol/src/link.c tags/libsepol_1_12_27/libsepol/src/policydb.c Removed Paths: ------------- tags/libsepol_1_12_27/libsepol/ChangeLog tags/libsepol_1_12_27/libsepol/VERSION tags/libsepol_1_12_27/libsepol/include/sepol/policydb/policydb.h tags/libsepol_1_12_27/libsepol/src/expand.c tags/libsepol_1_12_27/libsepol/src/link.c tags/libsepol_1_12_27/libsepol/src/policydb.c Copied: tags/libsepol_1_12_27/libsepol (from rev 2032, trunk/libsepol) Deleted: tags/libsepol_1_12_27/libsepol/ChangeLog =================================================================== --- trunk/libsepol/ChangeLog 2006-09-18 19:13:13 UTC (rev 2032) +++ tags/libsepol_1_12_27/libsepol/ChangeLog 2006-09-28 12:18:30 UTC (rev 2036) 
@@ -1,566 +0,0 @@ -1.12.26 2006-09-05 - * Merged range transition enhancements and user format changes - Darrel Goeddel - -1.12.25 2006-08-24 - * Merged conditionally expand neverallows patch from Jeremy Mowery. - * Merged refactor expander patch from Jeremy Mowery. - -1.12.24 2006-08-03 - * Merged libsepol unit tests from Joshua Brindle. - -1.12.23 2006-08-03 - * Merged symtab datum patch from Karl MacMillan. - -1.12.22 2006-08-03 - * Merged netfilter contexts support from Chris PeBenito. - -1.12.21 2006-07-28 - * Merged helpful hierarchy check errors patch from Joshua Brindle. - -1.12.20 2006-07-25 - * Merged semodule_deps patch from Karl MacMillan. - This adds source module names to the avrule decls. - -1.12.19 2006-06-29 - * Lindent. - -1.12.18 2006-06-26 - * Merged optionals in base take 2 patch set from Joshua Brindle. - -1.12.17 2006-05-30 - * Revert 1.12.16. - -1.12.16 2006-05-30 - * Merged cleaner fix for bool_ids overflow from Karl MacMillan, - replacing the prior patch. - -1.12.15 2006-05-30 - * Merged fixes for several memory leaks in the error paths during - policy read from Serge Hallyn. - -1.12.14 2006-05-25 - * Fixed bool_ids overflow bug in cond_node_find and cond_copy_list, - based on bug report and suggested fix by Cedric Roux. - -1.12.13 2006-05-24 - * Merged sens_copy_callback, check_role_hierarchy_callback, - and node_from_record fixes from Serge Hallyn. - -1.12.12 2006-05-22 - * Added sepol_policydb_compat_net() interface for testing whether - a policy requires the compatibility support for network checks - to be enabled in the kernel. - -1.12.11 2006-05-17 - * Merged patch to initialize sym_val_to_name arrays from Kevin Carr. - Reworked to use calloc in the first place, and converted some other - malloc/memset pairs to calloc calls. - -1.12.10 2006-05-08 - * Merged patch to revert role/user decl upgrade from Karl MacMillan. - -1.12.9 2006-05-08 - * Dropped tests from all Makefile target. 
- -1.12.8 2006-05-05 - * Merged fix warnings patch from Karl MacMillan. - -1.12.7 2006-05-05 - * Merged libsepol test framework patch from Karl MacMillan. - -1.12.6 2006-04-28 - * Fixed cond_normalize to traverse the entire cond list at link time. - -1.12.5 2006-04-03 - * Merged fix for leak of optional package sections from Ivan Gyurdiev. - -1.12.4 2006-03-29 - * Generalize test for bitmap overflow in ebitmap_set_bit. - -1.12.3 2006-03-27 - * Fixed attr_convert_callback and expand_convert_type_set - typemap bug. - -1.12.2 2006-03-24 - * Fixed avrule_block_write num_decls endian bug. - -1.12.1 2006-03-20 - * Fixed sepol_module_package_write buffer overflow bug. - -1.12 2006-03-14 - * Updated version for release. - -1.11.20 2006-03-08 - * Merged cond_evaluate_expr fix from Serge Hallyn (IBM). - * Fixed bug in copy_avrule_list reported by Ivan Gyurdiev. - -1.11.19 2006-02-21 - * Merged sepol_policydb_mls_enabled interface and error handling - changes from Ivan Gyurdiev. - -1.11.18 2006-02-16 - * Merged node_expand_addr bugfix and node_compare* change from - Ivan Gyurdiev. - -1.11.17 2006-02-15 - * Merged nodes, ports: always prepend patch from Ivan Gyurdiev. - * Merged bug fix patch from Ivan Gyurdiev. - -1.11.16 2006-02-14 - * Added a defined flag to level_datum_t for use by checkpolicy. - -1.11.15 2006-02-14 - * Merged nodecon support patch from Ivan Gyurdiev. - * Merged cleanups patch from Ivan Gyurdiev. - -1.11.14 2006-02-13 - * Merged optionals in base patch from Joshua Brindle. - -1.11.13 2006-02-07 - * Merged seuser/user_extra support patch from Joshua Brindle. - * Merged fix patch from Ivan Gyurdiev. - -1.11.12 2006-02-02 - * Merged clone record on set_con patch from Ivan Gyurdiev. - -1.11.11 2006-02-01 - * Merged assertion copying bugfix from Joshua Brindle. - * Merged sepol_av_to_string patch from Joshua Brindle. - -1.11.10 2006-01-30 - * Merged cond_expr mapping and package section count bug fixes - from Joshua Brindle. 
- * Merged improve port/fcontext API patch from Ivan Gyurdiev. - * Merged fixes for overflow bugs on 64-bit from Ivan Gyurdiev. - -1.11.9 2006-01-12 - * Merged size_t -> unsigned int patch from Ivan Gyurdiev. - -1.11.8 2006-01-09 - * Merged 2nd const in APIs patch from Ivan Gyurdiev. - -1.11.7 2006-01-06 - * Merged const in APIs patch from Ivan Gyurdiev. - * Merged compare2 function patch from Ivan Gyurdiev. - -1.11.6 2006-01-06 - * Fixed hierarchy checker to only check allow rules. - -1.11.5 2006-01-05 - * Merged further fixes from Russell Coker, specifically: - - av_to_string overflow checking - - sepol_context_to_string error handling - - hierarchy checking memory leak fixes and optimizations - - avrule_block_read variable initialization - * Marked deprecated code in genbools and genusers. - -1.11.4 2006-01-05 - * Merged bugfix for sepol_port_modify from Russell Coker. - -1.11.3 2006-01-05 - * Fixed bug in sepol_iface_modify error path noted by Ivan Gyurdiev. - * Merged port ordering patch from Ivan Gyurdiev. - -1.11.2 2006-01-04 - * Merged patch series from Ivan Gyurdiev. - This includes patches to: - - support ordering of records in compare function - - enable port interfaces - - add interfaces for context validity and range checks - - add include guards - -1.11.1 2005-12-16 - * Fixed mls_range_cpy bug. - -1.10 2005-12-07 - * Updated version for release. - -1.9.42 2005-12-05 - * Dropped handle from user_del_role interface. - -1.9.41 2005-11-28 - * Merged remove defrole from sepol patch from Ivan Gyurdiev. - -1.9.40 2005-11-15 - * Merged module function and map file cleanup from Ivan Gyurdiev. - * Merged MLS and genusers cleanups from Ivan Gyurdiev. - -1.9.39 2005-11-09 - Prepare for removal of booleans* and *.users files. - * Cleaned up sepol_genbools to not regenerate the image if - there were no changes in the boolean values, including the - degenerate case where there are no booleans or booleans.local - files. 
- * Cleaned up sepol_genusers to not warn on missing local.users. - -1.9.38 2005-11-08 - * Removed sepol_port_* from libsepol.map, as the port interfaces - are not yet stable. - -1.9.37 2005-11-04 - * Merged context destroy cleanup patch from Ivan Gyurdiev. - -1.9.36 2005-11-03 - * Merged context_to_string interface change patch from Ivan Gyurdiev. - -1.9.35 2005-11-01 - * Added src/dso.h and src/*_internal.h. - Added hidden_def for exported symbols used within libsepol. - Added hidden for symbols that should not be exported by - the wildcards in libsepol.map. - -1.9.34 2005-10-31 - * Merged record interface, record bugfix, and set_roles patches - from Ivan Gyurdiev. - -1.9.33 2005-10-27 - * Merged count specification change from Ivan Gyurdiev. - -1.9.32 2005-10-26 - * Added further checking and error reporting to - sepol_module_package_read and _info. - -1.9.31 2005-10-26 - * Merged sepol handle passing, DEBUG conversion, and memory leak - fix patches from Ivan Gyurdiev. - -1.9.30 2005-10-25 - * Removed processing of system.users from sepol_genusers and - dropped delusers logic. - -1.9.29 2005-10-25 - * Removed policydb_destroy from error path of policydb_read, - since create/init/destroy/free of policydb is handled by the - caller now. - * Fixed sepol_module_package_read to handle a failed policydb_read - properly. - -1.9.28 2005-10-25 - * Merged query/exists and count patches from Ivan Gyurdiev. - -1.9.27 2005-10-25 - * Merged fix for pruned types in expand code from Joshua Brindle. - * Merged new module package format code from Joshua Brindle. - -1.9.26 2005-10-24 - * Merged context interface cleanup, record conversion code, - key passing, and bug fix patches from Ivan Gyurdiev. - -1.9.25 2005-10-21 - * Merged users cleanup patch from Ivan Gyurdiev. - -1.9.24 2005-10-21 - * Merged user record memory leak fix from Ivan Gyurdiev. - * Merged reorganize users patch from Ivan Gyurdiev. 
- -1.9.23 2005-10-19 - * Added check flag to expand_module() to control assertion - and hierarchy checking on expansion. - -1.9.22 2005-10-19 - * Reworked check_assertions() and hierarchy_check_constraints() - to take handles and use callback-based error reporting. - * Changed expand_module() to call check_assertions() and - hierarchy_check_constraints() prior to returning the expanded - policy. - -1.9.21 2005-10-18 - * Changed sepol_module_package_set_file_contexts to copy the - file contexts data since it is internally managed. - -1.9.20 2005-10-18 - * Added sepol_policy_file_set_handle interface to associate - a handle with a policy file. - * Added handle argument to policydb_from_image/to_image. - * Added sepol_module_package_set_file_contexts interface. - * Dropped sepol_module_package_create_file interface. - * Reworked policydb_read/write, policydb_from_image/to_image, - and sepol_module_package_read/write to use callback-based error - reporting system rather than DEBUG. - -1.9.19 2005-10-17 - * Reworked link_packages, link_modules, and expand_module to use - callback-based error reporting system rather than error buffering. - -1.9.18 2005-10-14 - * Merged conditional expression mapping fix in the module linking - code from Joshua Brindle. - -1.9.17 2005-10-13 - * Hid sepol_module_package type definition, and added get interfaces. - -1.9.16 2005-10-13 - * Merged new callback-based error reporting system from Ivan - Gyurdiev. - -1.9.15 2005-10-13 - * Merged support for require blocks inside conditionals from - Joshua Brindle (Tresys). - -1.9.14 2005-10-07 - * Fixed use of policydb_from_image/to_image to ensure proper - init of policydb. - -1.9.13 2005-10-07 - * Isolated policydb internal headers under <sepol/policydb/*.h>. - These headers should only be used by users of the static libsepol. - Created new <sepol/policydb.h> with new public types and interfaces - for shared libsepol. 
- Created new <sepol/module.h> with public types and interfaces moved - or wrapped from old module.h, link.h, and expand.h, adjusted for - new public types for policydb and policy_file. - Added public interfaces to libsepol.map. - Some implementation changes visible to users of the static libsepol: - 1) policydb_read no longer calls policydb_init. - Caller must do so first. - 2) policydb_init no longer takes policy_type argument. - Caller must set policy_type separately. - 3) expand_module automatically enables the global branch. - Caller no longer needs to do so. - 4) policydb_write uses the policy_type and policyvers from the - policydb itself, and sepol_set_policyvers() has been removed. - -1.9.12 2005-10-06 - * Merged function renaming and static cleanup from Ivan Gyurdiev. - -1.9.11 2005-10-05 - * Merged bug fix for check_assertions handling of no assertions - from Joshua Brindle (Tresys). - -1.9.10 2005-10-04 - * Merged iterate patch from Ivan Gyurdiev. - -1.9.9 2005-10-03 - * Merged MLS in modules patch from Joshua Brindle (Tresys). - -1.9.8 2005-09-30 - * Merged pointer typedef elimination patch from Ivan Gyurdiev. - * Merged user list function, new mls functions, and bugfix patch - from Ivan Gyurdiev. - -1.9.7 2005-09-28 - * Merged sepol_get_num_roles fix from Karl MacMillan (Tresys). - -1.9.6 2005-09-23 - * Merged bug fix patches from Joshua Brindle (Tresys). - -1.9.5 2005-09-21 - * Merged boolean record and memory leak fix patches from Ivan - Gyurdiev. - -1.9.4 2005-09-19 - * Merged interface record patch from Ivan Gyurdiev. - -1.9.3 2005-09-14 - * Merged fix for sepol_enable/disable_debug from Ivan - Gyurdiev. - -1.9.2 2005-09-14 - * Merged stddef.h patch and debug conversion patch from - Ivan Gyurdiev. - -1.9.1 2005-09-09 - * Fixed expand_avtab and expand_cond_av_list to keep separate - entries with identical keys but different enabled flags. - -1.8 2005-09-06 - * Updated version for release. 
- -1.7.24 2005-08-31 - * Fixed symtab_insert return value for duplicate declarations. - -1.7.23 2005-08-31 - * Merged fix for memory error in policy_module_destroy from - Jason Tang (Tresys). - -1.7.22 2005-08-26 - * Merged fix for memory leak in sepol_context_to_sid from - Jason Tang (Tresys). - -1.7.21 2005-08-25 - * Merged fixes for resource leaks on error paths and - change to scope_destroy from Joshua Brindle (Tresys). - -1.7.20 2005-08-23 - * Merged more fixes for resource leaks on error paths - from Serge Hallyn (IBM). Bugs found by Coverity. - -1.7.19 2005-08-19 - * Changed to treat all type conflicts as fatal errors. - -1.7.18 2005-08-18 - * Merged several error handling fixes from - Serge Hallyn (IBM). Bugs found by Coverity. - -1.7.17 2005-08-15 - * Fixed further memory leaks found by valgrind. - -1.7.16 2005-08-15 - * Fixed several memory leaks found by valgrind. - -1.7.15 2005-08-12 - * Fixed empty list test in cond_write_av_list. Bug found by - Coverity, reported by Serge Hallyn (IBM). - * Merged patch to policydb_write to check errors - when writing the type->attribute reverse map from - Serge Hallyn (IBM). Bug found by Coverity. - * Fixed policydb_destroy to properly handle NULL type_attr_map - or attr_type_map. - -1.7.14 2005-08-12 - * Fixed use of uninitialized data by expand_avtab_node by - clearing type_val_to_struct in policydb_index_others. - -1.7.13 2005-08-11 - * Improved memory use by SELinux by both reducing the avtab - node size and reducing the number of avtab nodes (by not - expanding attributes in TE rules when possible). Added - expand_avtab and expand_cond_av_list functions for use by - assertion checker, hierarchy checker, compatibility code, - and dispol. Added new inline ebitmap operators and converted - existing users of ebitmaps to the new operators for greater - efficiency. - Note: The binary policy format version has been incremented to - version 20 as a result of these changes. 
- -1.7.12 2005-08-10 - * Fixed bug in constraint_node_clone handling of name sets. - -1.7.11 2005-08-08 - * Fix range_trans_clone to map the type values properly. - -1.7.10 2005-08-02 - * Merged patch to move module read/write code from libsemanage - to libsepol from Jason Tang (Tresys). - -1.7.9 2005-08-02 - * Enabled further compiler warning flags and fixed them. - -1.7.8 2005-08-02 - * Merged user, context, port records patch from Ivan Gyurdiev. - * Merged key extract function patch from Ivan Gyurdiev. - -1.7.7 2005-07-27 - * Merged mls_context_to_sid bugfix from Ivan Gyurdiev. - -1.7.6 2005-07-26 - * Merged context reorganization, memory leak fixes, - port and interface loading, replacements for genusers and - genbools, debug traceback, and bugfix patches from Ivan Gyurdiev. - * Merged uninitialized variable bugfix from Dan Walsh. - -1.7.5 2005-07-18 - * Merged debug support, policydb conversion functions from Ivan Gyurdiev (Red Hat). - * Removed genpolbools and genpolusers utilities. - -1.7.4 2005-07-18 - * Merged hierarchy check fix from Joshua Brindle (Tresys). - -1.7.3 2005-07-13 - * Merged header file cleanup and memory leak fix from Ivan Gyurdiev (Red Hat). - -1.7.2 2005-07-11 - * Merged genbools debugging message cleanup from Red Hat. - -1.7.1 2005-07-06 - * Merged loadable module support from Tresys Technology. - -1.6 2005-06-20 - * Updated version for release. - -1.5.10 2005-05-19 - * License changed to LGPL v2.1, see COPYING. - -1.5.9 2005-05-16 - * Added sepol_genbools_policydb and sepol_genusers_policydb for - audit2why. - -1.5.8 2005-05-13 - * Added sepol_ prefix to Flask types to avoid - namespace collision with libselinux. - -1.5.7 2005-05-13 - * Added sepol_compute_av_reason() for audit2why. - -1.5.6 2005-04-25 - * Fixed bug in role hierarchy checker. - -1.5.5 2005-04-13 - * Merged hierarchical type/role patch from Tresys Technology. - * Merged MLS fixes from Darrel Goeddel of TCS. 
- -1.5.4 2005-04-13 - * Changed sepol_genusers to not delete users by default, - and added a sepol_set_delusers function to enable deletion. - Also, removed special case handling of system_u and user_u. - -1.5.3 2005-03-29 - * Merged booleans.local patch from Dan Walsh. - -1.5.2 2005-03-16 - * Added man page for sepol_check_context. - -1.5.1 2005-03-15 - * Added man page for sepol_genusers function. - * Merged man pages for genpolusers and chkcon from Manoj Srivastava. - -1.4 2005-03-09 - * Updated version for release. - -1.3.8 2005-03-08 - * Cleaned up error handling in sepol_genusers and sepol_genbools. - -1.3.7 2005-02-28 - * Merged sepol_debug and fclose patch from Dan Walsh. - -1.3.6 2005-02-22 - * Changed sepol_genusers to also use getline and correctly handle - EOL. - -1.3.5 2005-02-17 - * Merged range_transition support from Darrel Goeddel (TCS). - -1.3.4 2005-02-16 - * Added sepol_genusers function. - -1.3.3 2005-02-14 - * Merged endianness and compute_av patches from Darrel Goeddel (TCS). - -1.3.2 2005-02-09 - * Changed relabel Makefile target to use restorecon. - -1.3.1 2005-01-26 - * Merged enhanced MLS support from Darrel Goeddel (TCS). - -1.2.1 2005-01-19 - * Merged build fix patch from Manoj Srivastava. - -1.2 2004-10-07 - * MLS build fixes. - * Added sepol_set_policydb_from_file and sepol_check_context for setfiles. - -1.0 2004-08-19 - * Initial public release. - -0.4 2004-08-13 - * Merged patch from Dan Walsh to ignore case on booleans. - * Changed sepol_genbools* to preserve the original policy version. - * Replaced exported global variables with set functions. - * Moved genpolbools utility from checkpolicy to libsepol. - * Added man pages for sepol_genbools* and genpolbools. - -0.3 2004-08-10 - * Added ChangeLog, COPYING, spec file. - * Added sepol_genbools_array() for load_policy. - * Created libsepol.map to limit exported symbols in shared library. - -0.2 2004-08-09 - * Exported other functions for checkpolicy and friends. 
- * Renamed service and sidtab functions to avoid libselinux conflict. - * Removed original code from checkpolicy, which now uses libsepol. - * Code cleanup: kill legacy references to kernel types/functions. - -0.1 2004-08-06 - * Moved checkpolicy core logic into a library. - * Exported sepol_genbools() for load_policy. Copied: tags/libsepol_1_12_27/libsepol/ChangeLog (from rev 2034, trunk/libsepol/ChangeLog) =================================================================== --- tags/libsepol_1_12_27/libsepol/ChangeLog (rev 0) +++ tags/libsepol_1_12_27/libsepol/ChangeLog 2006-09-28 12:18:30 UTC (rev 2036) 
@@ -0,0 +1,570 @@ +1.12.27 2006-09-28 + * Merged mls user and range_transition support in modules + from Darrel Goeddel + +1.12.26 2006-09-05 + * Merged range transition enhancements and user format changes + Darrel Goeddel + +1.12.25 2006-08-24 + * Merged conditionally expand neverallows patch from Jeremy Mowery. + * Merged refactor expander patch from Jeremy Mowery. + +1.12.24 2006-08-03 + * Merged libsepol unit tests from Joshua Brindle. + +1.12.23 2006-08-03 + * Merged symtab datum patch from Karl MacMillan. + +1.12.22 2006-08-03 + * Merged netfilter contexts support from Chris PeBenito. + +1.12.21 2006-07-28 + * Merged helpful hierarchy check errors patch from Joshua Brindle. + +1.12.20 2006-07-25 + * Merged semodule_deps patch from Karl MacMillan. + This adds source module names to the avrule decls. + +1.12.19 2006-06-29 + * Lindent. + +1.12.18 2006-06-26 + * Merged optionals in base take 2 patch set from Joshua Brindle. + +1.12.17 2006-05-30 + * Revert 1.12.16. + +1.12.16 2006-05-30 + * Merged cleaner fix for bool_ids overflow from Karl MacMillan, + replacing the prior patch. + +1.12.15 2006-05-30 + * Merged fixes for several memory leaks in the error paths during + policy read from Serge Hallyn. + +1.12.14 2006-05-25 + * Fixed bool_ids overflow bug in cond_node_find and cond_copy_list, + based on bug report and suggested fix by Cedric Roux. + +1.12.13 2006-05-24 + * Merged sens_copy_callback, check_role_hierarchy_callback, + and node_from_record fixes from Serge Hallyn. + +1.12.12 2006-05-22 + * Added sepol_policydb_compat_net() interface for testing whether + a policy requires the compatibility support for network checks + to be enabled in the kernel. + +1.12.11 2006-05-17 + * Merged patch to initialize sym_val_to_name arrays from Kevin Carr. + Reworked to use calloc in the first place, and converted some other + malloc/memset pairs to calloc calls. + +1.12.10 2006-05-08 + * Merged patch to revert role/user decl upgrade from Karl MacMillan. 
+ +1.12.9 2006-05-08 + * Dropped tests from all Makefile target. + +1.12.8 2006-05-05 + * Merged fix warnings patch from Karl MacMillan. + +1.12.7 2006-05-05 + * Merged libsepol test framework patch from Karl MacMillan. + +1.12.6 2006-04-28 + * Fixed cond_normalize to traverse the entire cond list at link time. + +1.12.5 2006-04-03 + * Merged fix for leak of optional package sections from Ivan Gyurdiev. + +1.12.4 2006-03-29 + * Generalize test for bitmap overflow in ebitmap_set_bit. + +1.12.3 2006-03-27 + * Fixed attr_convert_callback and expand_convert_type_set + typemap bug. + +1.12.2 2006-03-24 + * Fixed avrule_block_write num_decls endian bug. + +1.12.1 2006-03-20 + * Fixed sepol_module_package_write buffer overflow bug. + +1.12 2006-03-14 + * Updated version for release. + +1.11.20 2006-03-08 + * Merged cond_evaluate_expr fix from Serge Hallyn (IBM). + * Fixed bug in copy_avrule_list reported by Ivan Gyurdiev. + +1.11.19 2006-02-21 + * Merged sepol_policydb_mls_enabled interface and error handling + changes from Ivan Gyurdiev. + +1.11.18 2006-02-16 + * Merged node_expand_addr bugfix and node_compare* change from + Ivan Gyurdiev. + +1.11.17 2006-02-15 + * Merged nodes, ports: always prepend patch from Ivan Gyurdiev. + * Merged bug fix patch from Ivan Gyurdiev. + +1.11.16 2006-02-14 + * Added a defined flag to level_datum_t for use by checkpolicy. + +1.11.15 2006-02-14 + * Merged nodecon support patch from Ivan Gyurdiev. + * Merged cleanups patch from Ivan Gyurdiev. + +1.11.14 2006-02-13 + * Merged optionals in base patch from Joshua Brindle. + +1.11.13 2006-02-07 + * Merged seuser/user_extra support patch from Joshua Brindle. + * Merged fix patch from Ivan Gyurdiev. + +1.11.12 2006-02-02 + * Merged clone record on set_con patch from Ivan Gyurdiev. + +1.11.11 2006-02-01 + * Merged assertion copying bugfix from Joshua Brindle. + * Merged sepol_av_to_string patch from Joshua Brindle. 
+ +1.11.10 2006-01-30 + * Merged cond_expr mapping and package section count bug fixes + from Joshua Brindle. + * Merged improve port/fcontext API patch from Ivan Gyurdiev. + * Merged fixes for overflow bugs on 64-bit from Ivan Gyurdiev. + +1.11.9 2006-01-12 + * Merged size_t -> unsigned int patch from Ivan Gyurdiev. + +1.11.8 2006-01-09 + * Merged 2nd const in APIs patch from Ivan Gyurdiev. + +1.11.7 2006-01-06 + * Merged const in APIs patch from Ivan Gyurdiev. + * Merged compare2 function patch from Ivan Gyurdiev. + +1.11.6 2006-01-06 + * Fixed hierarchy checker to only check allow rules. + +1.11.5 2006-01-05 + * Merged further fixes from Russell Coker, specifically: + - av_to_string overflow checking + - sepol_context_to_string error handling + - hierarchy checking memory leak fixes and optimizations + - avrule_block_read variable initialization + * Marked deprecated code in genbools and genusers. + +1.11.4 2006-01-05 + * Merged bugfix for sepol_port_modify from Russell Coker. + +1.11.3 2006-01-05 + * Fixed bug in sepol_iface_modify error path noted by Ivan Gyurdiev. + * Merged port ordering patch from Ivan Gyurdiev. + +1.11.2 2006-01-04 + * Merged patch series from Ivan Gyurdiev. + This includes patches to: + - support ordering of records in compare function + - enable port interfaces + - add interfaces for context validity and range checks + - add include guards + +1.11.1 2005-12-16 + * Fixed mls_range_cpy bug. + +1.10 2005-12-07 + * Updated version for release. + +1.9.42 2005-12-05 + * Dropped handle from user_del_role interface. + +1.9.41 2005-11-28 + * Merged remove defrole from sepol patch from Ivan Gyurdiev. + +1.9.40 2005-11-15 + * Merged module function and map file cleanup from Ivan Gyurdiev. + * Merged MLS and genusers cleanups from Ivan Gyurdiev. + +1.9.39 2005-11-09 + Prepare for removal of booleans* and *.users files. 
+ * Cleaned up sepol_genbools to not regenerate the image if + there were no changes in the boolean values, including the + degenerate case where there are no booleans or booleans.local + files. + * Cleaned up sepol_genusers to not warn on missing local.users. + +1.9.38 2005-11-08 + * Removed sepol_port_* from libsepol.map, as the port interfaces + are not yet stable. + +1.9.37 2005-11-04 + * Merged context destroy cleanup patch from Ivan Gyurdiev. + +1.9.36 2005-11-03 + * Merged context_to_string interface change patch from Ivan Gyurdiev. + +1.9.35 2005-11-01 + * Added src/dso.h and src/*_internal.h. + Added hidden_def for exported symbols used within libsepol. + Added hidden for symbols that should not be exported by + the wildcards in libsepol.map. + +1.9.34 2005-10-31 + * Merged record interface, record bugfix, and set_roles patches + from Ivan Gyurdiev. + +1.9.33 2005-10-27 + * Merged count specification change from Ivan Gyurdiev. + +1.9.32 2005-10-26 + * Added further checking and error reporting to + sepol_module_package_read and _info. + +1.9.31 2005-10-26 + * Merged sepol handle passing, DEBUG conversion, and memory leak + fix patches from Ivan Gyurdiev. + +1.9.30 2005-10-25 + * Removed processing of system.users from sepol_genusers and + dropped delusers logic. + +1.9.29 2005-10-25 + * Removed policydb_destroy from error path of policydb_read, + since create/init/destroy/free of policydb is handled by the + caller now. + * Fixed sepol_module_package_read to handle a failed policydb_read + properly. + +1.9.28 2005-10-25 + * Merged query/exists and count patches from Ivan Gyurdiev. + +1.9.27 2005-10-25 + * Merged fix for pruned types in expand code from Joshua Brindle. + * Merged new module package format code from Joshua Brindle. + +1.9.26 2005-10-24 + * Merged context interface cleanup, record conversion code, + key passing, and bug fix patches from Ivan Gyurdiev. + +1.9.25 2005-10-21 + * Merged users cleanup patch from Ivan Gyurdiev. 
+ +1.9.24 2005-10-21 + * Merged user record memory leak fix from Ivan Gyurdiev. + * Merged reorganize users patch from Ivan Gyurdiev. + +1.9.23 2005-10-19 + * Added check flag to expand_module() to control assertion + and hierarchy checking on expansion. + +1.9.22 2005-10-19 + * Reworked check_assertions() and hierarchy_check_constraints() + to take handles and use callback-based error reporting. + * Changed expand_module() to call check_assertions() and + hierarchy_check_constraints() prior to returning the expanded + policy. + +1.9.21 2005-10-18 + * Changed sepol_module_package_set_file_contexts to copy the + file contexts data since it is internally managed. + +1.9.20 2005-10-18 + * Added sepol_policy_file_set_handle interface to associate + a handle with a policy file. + * Added handle argument to policydb_from_image/to_image. + * Added sepol_module_package_set_file_contexts interface. + * Dropped sepol_module_package_create_file interface. + * Reworked policydb_read/write, policydb_from_image/to_image, + and sepol_module_package_read/write to use callback-based error + reporting system rather than DEBUG. + +1.9.19 2005-10-17 + * Reworked link_packages, link_modules, and expand_module to use + callback-based error reporting system rather than error buffering. + +1.9.18 2005-10-14 + * Merged conditional expression mapping fix in the module linking + code from Joshua Brindle. + +1.9.17 2005-10-13 + * Hid sepol_module_package type definition, and added get interfaces. + +1.9.16 2005-10-13 + * Merged new callback-based error reporting system from Ivan + Gyurdiev. + +1.9.15 2005-10-13 + * Merged support for require blocks inside conditionals from + Joshua Brindle (Tresys). + +1.9.14 2005-10-07 + * Fixed use of policydb_from_image/to_image to ensure proper + init of policydb. + +1.9.13 2005-10-07 + * Isolated policydb internal headers under <sepol/policydb/*.h>. + These headers should only be used by users of the static libsepol. 
+ Created new <sepol/policydb.h> with new public types and interfaces + for shared libsepol. + Created new <sepol/module.h> with public types and interfaces moved + or wrapped from old module.h, link.h, and expand.h, adjusted for + new public types for policydb and policy_file. + Added public interfaces to libsepol.map. + Some implementation changes visible to users of the static libsepol: + 1) policydb_read no longer calls policydb_init. + Caller must do so first. + 2) policydb_init no longer takes policy_type argument. + Caller must set policy_type separately. + 3) expand_module automatically enables the global branch. + Caller no longer needs to do so. + 4) policydb_write uses the policy_type and policyvers from the + policydb itself, and sepol_set_policyvers() has been removed. + +1.9.12 2005-10-06 + * Merged function renaming and static cleanup from Ivan Gyurdiev. + +1.9.11 2005-10-05 + * Merged bug fix for check_assertions handling of no assertions + from Joshua Brindle (Tresys). + +1.9.10 2005-10-04 + * Merged iterate patch from Ivan Gyurdiev. + +1.9.9 2005-10-03 + * Merged MLS in modules patch from Joshua Brindle (Tresys). + +1.9.8 2005-09-30 + * Merged pointer typedef elimination patch from Ivan Gyurdiev. + * Merged user list function, new mls functions, and bugfix patch + from Ivan Gyurdiev. + +1.9.7 2005-09-28 + * Merged sepol_get_num_roles fix from Karl MacMillan (Tresys). + +1.9.6 2005-09-23 + * Merged bug fix patches from Joshua Brindle (Tresys). + +1.9.5 2005-09-21 + * Merged boolean record and memory leak fix patches from Ivan + Gyurdiev. + +1.9.4 2005-09-19 + * Merged interface record patch from Ivan Gyurdiev. + +1.9.3 2005-09-14 + * Merged fix for sepol_enable/disable_debug from Ivan + Gyurdiev. + +1.9.2 2005-09-14 + * Merged stddef.h patch and debug conversion patch from + Ivan Gyurdiev. + +1.9.1 2005-09-09 + * Fixed expand_avtab and expand_cond_av_list to keep separate + entries with identical keys but different enabled flags. 
+ +1.8 2005-09-06 + * Updated version for release. + +1.7.24 2005-08-31 + * Fixed symtab_insert return value for duplicate declarations. + +1.7.23 2005-08-31 + * Merged fix for memory error in policy_module_destroy from + Jason Tang (Tresys). + +1.7.22 2005-08-26 + * Merged fix for memory leak in sepol_context_to_sid from + Jason Tang (Tresys). + +1.7.21 2005-08-25 + * Merged fixes for resource leaks on error paths and + change to scope_destroy from Joshua Brindle (Tresys). + +1.7.20 2005-08-23 + * Merged more fixes for resource leaks on error paths + from Serge Hallyn (IBM). Bugs found by Coverity. + +1.7.19 2005-08-19 + * Changed to treat all type conflicts as fatal errors. + +1.7.18 2005-08-18 + * Merged several error handling fixes from + Serge Hallyn (IBM). Bugs found by Coverity. + +1.7.17 2005-08-15 + * Fixed further memory leaks found by valgrind. + +1.7.16 2005-08-15 + * Fixed several memory leaks found by valgrind. + +1.7.15 2005-08-12 + * Fixed empty list test in cond_write_av_list. Bug found by + Coverity, reported by Serge Hallyn (IBM). + * Merged patch to policydb_write to check errors + when writing the type->attribute reverse map from + Serge Hallyn (IBM). Bug found by Coverity. + * Fixed policydb_destroy to properly handle NULL type_attr_map + or attr_type_map. + +1.7.14 2005-08-12 + * Fixed use of uninitialized data by expand_avtab_node by + clearing type_val_to_struct in policydb_index_others. + +1.7.13 2005-08-11 + * Improved memory use by SELinux by both reducing the avtab + node size and reducing the number of avtab nodes (by not + expanding attributes in TE rules when possible). Added + expand_avtab and expand_cond_av_list functions for use by + assertion checker, hierarchy checker, compatibility code, + and dispol. Added new inline ebitmap operators and converted + existing users of ebitmaps to the new operators for greater + efficiency. 
+ Note: The binary policy format version has been incremented to + version 20 as a result of these changes. + +1.7.12 2005-08-10 + * Fixed bug in constraint_node_clone handling of name sets. + +1.7.11 2005-08-08 + * Fix range_trans_clone to map the type values properly. + +1.7.10 2005-08-02 + * Merged patch to move module read/write code from libsemanage + to libsepol from Jason Tang (Tresys). + +1.7.9 2005-08-02 + * Enabled further compiler warning flags and fixed them. + +1.7.8 2005-08-02 + * Merged user, context, port records patch from Ivan Gyurdiev. + * Merged key extract function patch from Ivan Gyurdiev. + +1.7.7 2005-07-27 + * Merged mls_context_to_sid bugfix from Ivan Gyurdiev. + +1.7.6 2005-07-26 + * Merged context reorganization, memory leak fixes, + port and interface loading, replacements for genusers and + genbools, debug traceback, and bugfix patches from Ivan Gyurdiev. + * Merged uninitialized variable bugfix from Dan Walsh. + +1.7.5 2005-07-18 + * Merged debug support, policydb conversion functions from Ivan Gyurdiev (Red Hat). + * Removed genpolbools and genpolusers utilities. + +1.7.4 2005-07-18 + * Merged hierarchy check fix from Joshua Brindle (Tresys). + +1.7.3 2005-07-13 + * Merged header file cleanup and memory leak fix from Ivan Gyurdiev (Red Hat). + +1.7.2 2005-07-11 + * Merged genbools debugging message cleanup from Red Hat. + +1.7.1 2005-07-06 + * Merged loadable module support from Tresys Technology. + +1.6 2005-06-20 + * Updated version for release. + +1.5.10 2005-05-19 + * License changed to LGPL v2.1, see COPYING. + +1.5.9 2005-05-16 + * Added sepol_genbools_policydb and sepol_genusers_policydb for + audit2why. + +1.5.8 2005-05-13 + * Added sepol_ prefix to Flask types to avoid + namespace collision with libselinux. + +1.5.7 2005-05-13 + * Added sepol_compute_av_reason() for audit2why. + +1.5.6 2005-04-25 + * Fixed bug in role hierarchy checker. + +1.5.5 2005-04-13 + * Merged hierarchical type/role patch from Tresys Technology. 
+ * Merged MLS fixes from Darrel Goeddel of TCS. + +1.5.4 2005-04-13 + * Changed sepol_genusers to not delete users by default, + and added a sepol_set_delusers function to enable deletion. + Also, removed special case handling of system_u and user_u. + +1.5.3 2005-03-29 + * Merged booleans.local patch from Dan Walsh. + +1.5.2 2005-03-16 + * Added man page for sepol_check_context. + +1.5.1 2005-03-15 + * Added man page for sepol_genusers function. + * Merged man pages for genpolusers and chkcon from Manoj Srivastava. + +1.4 2005-03-09 + * Updated version for release. + +1.3.8 2005-03-08 + * Cleaned up error handling in sepol_genusers and sepol_genbools. + +1.3.7 2005-02-28 + * Merged sepol_debug and fclose patch from Dan Walsh. + +1.3.6 2005-02-22 + * Changed sepol_genusers to also use getline and correctly handle + EOL. + +1.3.5 2005-02-17 + * Merged range_transition support from Darrel Goeddel (TCS). + +1.3.4 2005-02-16 + * Added sepol_genusers function. + +1.3.3 2005-02-14 + * Merged endianness and compute_av patches from Darrel Goeddel (TCS). + +1.3.2 2005-02-09 + * Changed relabel Makefile target to use restorecon. + +1.3.1 2005-01-26 + * Merged enhanced MLS support from Darrel Goeddel (TCS). + +1.2.1 2005-01-19 + * Merged build fix patch from Manoj Srivastava. + +1.2 2004-10-07 + * MLS build fixes. + * Added sepol_set_policydb_from_file and sepol_check_context for setfiles. + +1.0 2004-08-19 + * Initial public release. + +0.4 2004-08-13 + * Merged patch from Dan Walsh to ignore case on booleans. + * Changed sepol_genbools* to preserve the original policy version. + * Replaced exported global variables with set functions. + * Moved genpolbools utility from checkpolicy to libsepol. + * Added man pages for sepol_genbools* and genpolbools. + +0.3 2004-08-10 + * Added ChangeLog, COPYING, spec file. + * Added sepol_genbools_array() for load_policy. + * Created libsepol.map to limit exported symbols in shared library. 
+ +0.2 2004-08-09 + * Exported other functions for checkpolicy and friends. + * Renamed service and sidtab functions to avoid libselinux conflict. + * Removed original code from checkpolicy, which now uses libsepol. + * Code cleanup: kill legacy references to kernel types/functions. + +0.1 2004-08-06 + * Moved checkpolicy core logic into a library. + * Exported sepol_genbools() for load_policy. Deleted: tags/libsepol_1_12_27/libsepol/VERSION =================================================================== --- trunk/libsepol/VERSION 2006-09-18 19:13:13 UTC (rev 2032) +++ tags/libsepol_1_12_27/libsepol/VERSION 2006-09-28 12:18:30 UTC (rev 2036) @@ -1 +0,0 @@ -1.12.26 Copied: tags/libsepol_1_12_27/libsepol/VERSION (from rev 2034, trunk/libsepol/VERSION) =================================================================== --- tags/libsepol_1_12_27/libsepol/VERSION (rev 0) +++ tags/libsepol_1_12_27/libsepol/VERSION 2006-09-28 12:18:30 UTC (rev 2036) @@ -0,0 +1 @@ +1.12.27 Deleted: tags/libsepol_1_12_27/libsepol/include/sepol/policydb/policydb.h =================================================================== --- trunk/libsepol/include/sepol/policydb/policydb.h 2006-09-18 19:13:13 UTC (rev 2032) +++ tags/libsepol_1_12_27/libsepol/include/sepol/policydb/policydb.h 2006-09-28 12:18:30 UTC (rev 2036) 
@@ -1,608 +0,0 @@ - -/* Author : Stephen Smalley, <sd...@ep...> */ - -/* - * Updated: Joshua Brindle <jbr...@tr...> - * Karl MacMillan <kma...@tr...> - * Jason Tang <jt...@tr...> - * - * Module support - * - * Updated: Trusted Computer Solutions, Inc. <dgo...@tr...> - * - * Support for enhanced MLS infrastructure. - * - * Updated: Frank Mayer <ma...@tr...> and Karl MacMillan <kma...@tr...> - * - * Added conditional policy language extensions - * - * Updated: Red Hat, Inc. James Morris <jm...@re...> - * - * Fine-grained netlink support - * IPv6 support - * Code cleanup - * - * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc. - * Copyright (C) 2003 - 2004 Tresys Technology, LLC - * Copyright (C) 2003 - 2004 Red Hat, Inc. - * - * This library is free software; you can redistribute it and/or - * modify it under the terms of the GNU Lesser General Public - * License as published by the Free Software Foundation; either - * version 2.1 of the License, or (at your option) any later version. - * - * This library is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - * Lesser General Public License for more details. - * - * You should have received a copy of the GNU Lesser General Public - * License along with this library; if not, write to the Free Software - * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA - */ - -/* FLASK */ - -/* - * A policy database (policydb) specifies the - * configuration data for the security policy. 
- */ - -#ifndef _SEPOL_POLICYDB_POLICYDB_H_ -#define _SEPOL_POLICYDB_POLICYDB_H_ - -#include <stdio.h> -#include <stddef.h> - -#include <sepol/policydb.h> - -#include <sepol/policydb/flask_types.h> -#include <sepol/policydb/symtab.h> -#include <sepol/policydb/avtab.h> -#include <sepol/policydb/context.h> -#include <sepol/policydb/constraint.h> -#include <sepol/policydb/sidtab.h> - -#define ERRMSG_LEN 1024 - -#define POLICYDB_SUCCESS 0 -#define POLICYDB_ERROR -1 -#define POLICYDB_UNSUPPORTED -2 - -/* - * A datum type is defined for each kind of symbol - * in the configuration data: individual permissions, - * common prefixes for access vectors, classes, - * users, roles, types, sensitivities, categories, etc. - */ - -/* type set preserves data needed by modules such as *, ~ and attributes */ -typedef struct type_set { - ebitmap_t types; - ebitmap_t negset; -#define TYPE_STAR 1 -#define TYPE_COMP 2 - uint32_t flags; -} type_set_t; - -typedef struct role_set { - ebitmap_t roles; -#define ROLE_STAR 1 -#define ROLE_COMP 2 - uint32_t flags; -} role_set_t; - -/* Permission attributes */ -typedef struct perm_datum { - symtab_datum_t s; -} perm_datum_t; - -/* Attributes of a common prefix for access vectors */ -typedef struct common_datum { - symtab_datum_t s; - symtab_t permissions; /* common permissions */ -} common_datum_t; - -/* Class attributes */ -typedef struct class_datum { - symtab_datum_t s; - char *comkey; /* common name */ - common_datum_t *comdatum; /* common datum */ - symtab_t permissions; /* class-specific permission symbol table */ - constraint_node_t *constraints; /* constraints on class permissions */ - constraint_node_t *validatetrans; /* special transition rules */ -} class_datum_t; - -/* Role attributes */ -typedef struct role_datum { - symtab_datum_t s; - ebitmap_t dominates; /* set of roles dominated by this role */ - type_set_t types; /* set of authorized types for role */ - ebitmap_t cache; /* This is an expanded set used for context validation 
during parsing */ -} role_datum_t; - -typedef struct role_trans { - uint32_t role; /* current role */ - uint32_t type; /* program executable type */ - uint32_t new_role; /* new role */ - struct role_trans *next; -} role_trans_t; - -typedef struct role_allow { - uint32_t role; /* current role */ - uint32_t new_role; /* new role */ - struct role_allow *next; -} role_allow_t; - -/* Type attributes */ -typedef struct type_datum { - symtab_datum_t s; - uint32_t primary; /* primary name? can be set to primary value if below is TYPE_ */ -#define TYPE_TYPE 0 /* regular type or alias in kernel policies */ -#define TYPE_ATTRIB 1 /* attribute */ -#define TYPE_ALIAS 2 /* alias in modular policy */ - uint32_t flavor; - ebitmap_t types; /* types with this attribute */ -} type_datum_t; - -/* User attributes */ -typedef struct user_datum { - symtab_datum_t s; - role_set_t roles; /* set of authorized roles for user */ - mls_semantic_range_t range; /* MLS range (min. - max.) for user */ - mls_semantic_level_t dfltlevel; /* default login MLS level for user */ - ebitmap_t cache; /* This is an expanded set used for context validation during parsing */ - mls_range_t exp_range; /* expanded range used for validation */ - mls_level_t exp_dfltlevel; /* expanded range used for validation */ -} user_datum_t; - -/* Sensitivity attributes */ -typedef struct level_datum { - mls_level_t *level; /* sensitivity and associated categories */ - unsigned char isalias; /* is this sensitivity an alias for another? */ - unsigned char defined; -} level_datum_t; - -/* Category attributes */ -typedef struct cat_datum { - symtab_datum_t s; - unsigned char isalias; /* is this category an alias for another? 
*/ -} cat_datum_t; - -typedef struct range_trans { - uint32_t source_type; - uint32_t target_type; - uint32_t target_class; - mls_range_t target_range; - struct range_trans *next; -} range_trans_t; - -/* Boolean data type */ -typedef struct cond_bool_datum { - symtab_datum_t s; - int state; -} cond_bool_datum_t; - -struct cond_node; - -typedef struct cond_node cond_list_t; -struct cond_av_list; - -typedef struct class_perm_node { - uint32_t class; - uint32_t data; /* permissions or new type */ - struct class_perm_node *next; -} class_perm_node_t; - -typedef struct avrule { -/* these typedefs are almost exactly the same as those in avtab.h - they are - * here because of the need to include neverallow and dontaudit messages */ -#define AVRULE_ALLOWED 1 -#define AVRULE_AUDITALLOW 2 -#define AVRULE_AUDITDENY 4 -#define AVRULE_DONTAUDIT 8 -#define AVRULE_NEVERALLOW 128 -#define AVRULE_AV (AVRULE_ALLOWED | AVRULE_AUDITALLOW | AVRULE_AUDITDENY | AVRULE_DONTAUDIT | AVRULE_NEVERALLOW) -#define AVRULE_TRANSITION 16 -#define AVRULE_MEMBER 32 -#define AVRULE_CHANGE 64 -#define AVRULE_TYPE (AVRULE_TRANSITION | AVRULE_MEMBER | AVRULE_CHANGE) - uint32_t specified; -#define RULE_SELF 1 - uint32_t flags; - type_set_t stypes; - type_set_t ttypes; - class_perm_node_t *perms; - unsigned long line; /* line number from policy.conf where - * this rule originated */ - struct avrule *next; -} avrule_t; - -typedef struct role_trans_rule { - role_set_t roles; /* current role */ - type_set_t types; /* program executable type */ - uint32_t new_role; /* new role */ - struct role_trans_rule *next; -} role_trans_rule_t; - -typedef struct role_allow_rule { - role_set_t roles; /* current role */ - role_set_t new_roles; /* new roles */ - struct role_allow_rule *next; -} role_allow_rule_t; - -typedef struct range_trans_rule { - type_set_t stypes; - type_set_t ttypes; - ebitmap_t tclasses; - mls_semantic_range_t trange; - struct range_trans_rule *next; -} range_trans_rule_t; - -/* - * The 
configuration data includes security contexts for - * initial SIDs, unlabeled file systems, TCP and UDP port numbers, - * network interfaces, and nodes. This structure stores the - * relevant data for one such entry. Entries of the same kind - * (e.g. all initial SIDs) are linked together into a list. - */ -typedef struct ocontext { - union { - char *name; /* name of initial SID, fs, netif, fstype, path */ - struct { - uint8_t protocol; - uint16_t low_port; - uint16_t high_port; - } port; /* TCP or UDP port information */ - struct { - uint32_t addr; - uint32_t mask; - } node; /* node information */ - struct { - uint32_t addr[4]; - uint32_t mask[4]; - } node6; /* IPv6 node information */ - } u; - union { - uint32_t sclass; /* security class for genfs */ - uint32_t behavior; /* labeling behavior for fs_use */ - } v; - context_struct_t context[2]; /* security context(s) */ - sepol_security_id_t sid[2]; /* SID(s) */ - struct ocontext *next; -} ocontext_t; - -typedef struct genfs { - char *fstype; - struct ocontext *head; - struct genfs *next; -} genfs_t; - -/* symbol table array indices */ -#define SYM_COMMONS 0 -#define SYM_CLASSES 1 -#define SYM_ROLES 2 -#define SYM_TYPES 3 -#define SYM_USERS 4 -#define SYM_BOOLS 5 -#define SYM_LEVELS 6 -#define SYM_CATS 7 -#define SYM_NUM 8 - -/* object context array indices */ -#define OCON_ISID 0 /* initial SIDs */ -#define OCON_FS 1 /* unlabeled file systems */ -#define OCON_PORT 2 /* TCP and UDP port numbers */ -#define OCON_NETIF 3 /* network interfaces */ -#define OCON_NODE 4 /* nodes */ -#define OCON_FSUSE 5 /* fs_use */ -#define OCON_NODE6 6 /* IPv6 nodes */ -#define OCON_NUM 7 - -/* section: module information */ - -/* scope_index_t holds all of the symbols that are in scope in a - * particular situation. The bitmaps are indices (and thus must - * subtract one) into the global policydb->scope array. 
*/ -typedef struct scope_index { - ebitmap_t scope[SYM_NUM]; -#define p_classes_scope scope[SYM_CLASSES] -#define p_roles_scope scope[SYM_ROLES] -#define p_types_scope scope[SYM_TYPES] -#define p_users_scope scope[SYM_USERS] -#define p_bools_scope scope[SYM_BOOLS] -#define p_sens_scope scope[SYM_LEVELS] -#define p_cat_scope scope[SYM_CATS] - - /* this array maps from class->value to the permissions within - * scope. if bit (perm->value - 1) is set in map - * class_perms_map[class->value - 1] then that permission is - * enabled for this class within this decl. */ - ebitmap_t *class_perms_map; - /* total number of classes in class_perms_map array */ - uint32_t class_perms_len; -} scope_index_t; - -/* a list of declarations for a particular avrule_decl */ - -/* These two structs declare a block of policy that has TE and RBAC - * statements and declarations. The root block (the global policy) - * can never have an ELSE branch. */ -typedef struct avrule_decl { - uint32_t decl_id; - uint32_t enabled; /* whether this block is enabled */ - - cond_list_t *cond_list; - avrule_t *avrules; - role_trans_rule_t *role_tr_rules; - role_allow_rule_t *role_allow_rules; - range_trans_rule_t *range_tr_rules; - scope_index_t required; /* symbols needed to activate this block */ - scope_index_t declared; /* symbols declared within this block */ - - /* for additive statements (type attribute, roles, and users) */ - symtab_t symtab[SYM_NUM]; - - /* In a linked module this will contain the name of the module - * from which this avrule_decl originated. */ - char *module_name; - - struct avrule_decl *next; -} avrule_decl_t; - -typedef struct avrule_block { - avrule_decl_t *branch_list; - avrule_decl_t *enabled; /* pointer to which branch is enabled. 
this is - used in linking and never written to disk */ -#define AVRULE_OPTIONAL 1 - uint32_t flags; /* any flags for this block, currently just optional */ - struct avrule_block *next; -} avrule_block_t; - -/* Every identifier has its own scope datum. The datum describes if - * the item is to be included into the final policy during - * expansion. */ -typedef struct scope_datum { -/* Required for this decl */ -#define SCOPE_REQ 1 -/* Declared in this decl */ -#define SCOPE_DECL 2 - uint32_t scope; - uint32_t *decl_ids; - uint32_t decl_ids_len; - /* decl_ids is a list of avrule_decl's that declare/require - * this symbol. If scope==SCOPE_DECL then this is a list of - * declarations. If the symbol may only be declared once - * (types, bools) then decl_ids_len will be exactly 1. For - * implicitly declared things (roles, users) then decl_ids_len - * will be at least 1. */ -} scope_datum_t; - -/* The policy database */ -typedef struct policydb { -#define POLICY_KERN SEPOL_POLICY_KERN -#define POLICY_BASE SEPOL_POLICY_BASE -#define POLICY_MOD SEPOL_POLICY_MOD - uint32_t policy_type; - char *name; - char *version; - - /* Set when the policydb is modified such that writing is unsupported */ - int unsupported_format; - - /* Whether this policydb is mls, should always be set */ - int mls; - - /* symbol tables */ - symtab_t symtab[SYM_NUM]; -#define p_commons symtab[SYM_COMMONS] -#define p_classes symtab[SYM_CLASSES] -#define p_roles symtab[SYM_ROLES] -#define p_types symtab[SYM_TYPES] -#define p_users symtab[SYM_USERS] -#define p_bools symtab[SYM_BOOLS] -#define p_levels symtab[SYM_LEVELS] -#define p_cats symtab[SYM_CATS] - - /* symbol names indexed by (value - 1) */ - char **sym_val_to_name[SYM_NUM]; -#define p_common_val_to_name sym_val_to_name[SYM_COMMONS] -#define p_class_val_to_name sym_val_to_name[SYM_CLASSES] -#define p_role_val_to_name sym_val_to_name[SYM_ROLES] -#define p_type_val_to_name sym_val_to_name[SYM_TYPES] -#define p_user_val_to_name 
sym_val_to_name[SYM_USERS] -#define p_bool_val_to_name sym_val_to_name[SYM_BOOLS] -#define p_sens_val_to_name sym_val_to_name[SYM_LEVELS] -#define p_cat_val_to_name sym_val_to_name[SYM_CATS] - - /* class, role, and user attributes indexed by (value - 1) */ - class_datum_t **class_val_to_struct; - role_datum_t **role_val_to_struct; - user_datum_t **user_val_to_struct; - type_datum_t **type_val_to_struct; - - /* module stuff section -- used in parsing and for modules */ - - /* keep track of the scope for every identifier. these are - * hash tables, where the key is the identifier name and value - * a scope_datum_t. as a convenience, one may use the - * p_*_macros (cf. struct scope_index_t declaration). */ - symtab_t scope[SYM_NUM]; - - /* module rule storage */ - avrule_block_t *global; - /* avrule_decl index used for link/expand */ - avrule_decl_t **decl_val_to_struct; - - /* compiled storage of rules - use for the kernel policy */ - - /* type enforcement access vectors and transitions */ - avtab_t te_avtab; - - /* bools indexed by (value - 1) */ - cond_bool_datum_t **bool_val_to_struct; - /* type enforcement conditional access vectors and transitions */ - avtab_t te_cond_avtab; - /* linked list indexing te_cond_avtab by conditional */ - cond_list_t *cond_list; - - /* role transitions */ - role_trans_t *role_tr; - - /* role allows */ - role_allow_t *role_allow; - - /* security contexts of initial SIDs, unlabeled file systems, - TCP or UDP port numbers, network interfaces and nodes */ - ocontext_t *ocontexts[OCON_NUM]; - - /* security contexts for files in filesystems that cannot support - a persistent label mapping or use another - fixed labeling behavior. 
*/ - genfs_t *genfs; - - /* range transitions */ - range_trans_t *range_tr; - - ebitmap_t *type_attr_map; - - ebitmap_t *attr_type_map; /* not saved in the binary policy */ - - unsigned policyvers; -} policydb_t; - -struct sepol_policydb { - struct policydb p; -}; - -extern int policydb_init(policydb_t * p); - -extern int policydb_from_image(sepol_handle_t * handle, - void *data, size_t len, policydb_t * policydb); - -extern int policydb_to_image(sepol_handle_t * handle, - policydb_t * policydb, void **newdata, - size_t * newlen); - -extern int policydb_index_classes(policydb_t * p); - -extern int policydb_index_bools(policydb_t * p); - -extern int policydb_index_others(sepol_handle_t * handle, policydb_t * p, - unsigned int verbose); - -extern int policydb_reindex_users(policydb_t * p); - -extern void policydb_destroy(policydb_t * p); - -extern int policydb_load_isids(policydb_t * p, sidtab_t * s); - -/* Deprecated */ -extern int policydb_context_isvalid(const policydb_t * p, - const context_struct_t * c); - -extern void symtabs_destroy(symtab_t * symtab); -extern int scope_destroy(hashtab_key_t key, hashtab_datum_t datum, void *p); -typedef void (*hashtab_destroy_func_t) (hashtab_key_t k, hashtab_datum_t d, - void *args); -extern hashtab_destroy_func_t get_symtab_destroy_func(int sym_num); - -extern void class_perm_node_init(class_perm_node_t * x); -extern void type_set_init(type_set_t * x); -extern void type_set_destroy(type_set_t * x); -extern int type_set_cpy(type_set_t * dst, type_set_t * src); -extern int type_set_or_eq(type_set_t * dst, type_set_t * other); -extern void role_set_init(role_set_t * x); -extern void role_set_destroy(role_set_t * x); -extern void avrule_init(avrule_t * x); -extern void avrule_destroy(avrule_t * x); -extern void avrule_list_destroy(avrule_t * x); -extern void role_trans_rule_init(role_trans_rule_t * x); -extern void role_trans_rule_list_destroy(role_trans_rule_t * x); - -extern void role_datum_init(role_datum_t * x); -extern 
void role_datum_destroy(role_datum_t * x); -extern void role_allow_rule_init(role_allow_rule_t * x); -extern void role_allow_rule_destroy(role_allow_rule_t * x); -extern void role_allow_rule_list_destroy(role_allow_rule_t * x); -extern void range_trans_rule_init(range_trans_rule_t *x); -extern void range_trans_rule_destroy(range_trans_rule_t *x); -extern void range_trans_rule_list_destroy(range_trans_rule_t *x); -extern void type_datum_init(type_datum_t * x); -extern void type_datum_destroy(type_datum_t * x); -extern void user_datum_init(user_datum_t * x); -extern void user_datum_destroy(user_datum_t * x); - -extern int check_assertions(sepol_handle_t * handle, - policydb_t * p, avrule_t * avrules); - -extern int symtab_insert(policydb_t * x, uint32_t sym, - hashtab_key_t key, hashtab_datum_t datum, - uint32_t scope, uint32_t avrule_decl_id, - uint32_t * value); - -/* A policy "file" may be a memory region referenced by a (data, len) pair - or a file referenced by a FILE pointer. */ -typedef struct policy_file { -#define PF_USE_MEMORY 0 -#define PF_USE_STDIO 1 -#define PF_LEN 2 /* total up length in len field */ - unsigned type; - char *data; - size_t len; - size_t size; - FILE *fp; - struct sepol_handle *handle; - unsigned char buffer[BUFSIZ]; -} policy_file_t; - -struct sepol_policy_file { - struct policy_file pf; -}; - -extern int policydb_read(policydb_t * p, struct policy_file *fp, - unsigned int verbose); -extern int avrule_read_list(policydb_t * p, avrule_t ** avrules, - struct policy_file *fp); - -extern int policydb_write(struct policydb *p, struct policy_file *pf); - -#define PERM_SYMTAB_SIZE 32 - -/* Identify specific policy version changes */ -#define POLICYDB_VERSION_BASE 15 -#define POLICYDB_VERSION_BOOL 16 -#define POLICYDB_VERSION_IPV6 17 -#define POLICYDB_VERSION_NLCLASS 18 -#define POLICYDB_VERSION_VALIDATETRANS 19 -#define POLICYDB_VERSION_MLS 19 -#define POLICYDB_VERSION_AVTAB 20 -#define POLICYDB_VERSION_RANGETRANS 21 - -/* Range of policy 
versions we understand*/ -#define POLICYDB_VERSION_MIN POLICYDB_VERSION_BASE -#define POLICYDB_VERSION_MAX POLICYDB_VERSION_RANGETRANS - -/* Module versions and specific changes*/ -#define MOD_POLICYDB_VERSION_BASE 4 -#define MOD_POLICYDB_VERSION_VALIDATETRANS 5 -#define MOD_POLICYDB_VERSION_MLS 5 -#define MOD_POLICYDB_VERSION_RANGETRANS 6 -#define MOD_POLICYDB_VERSION_MLS_USERS 6 - -#define MOD_POLICYDB_VERSION_MIN MOD_POLICYDB_VERSION_BASE -#define MOD_POLICYDB_VERSION_MAX MOD_POLICYDB_VERSION_MLS_USERS - -#define POLICYDB_CONFIG_MLS 1 - -#define OBJECT_R "object_r" -#define OBJECT_R_VAL 1 - -#define POLICYDB_MAGIC SELINUX_MAGIC -#define POLICYDB_STRING "SE Linux" -#define POLICYDB_MOD_MAGIC SELINUX_MOD_MAGIC -#define POLICYDB_MOD_STRING "SE Linux Module" - -#endif /* _POLICYDB_H_ */ - -/* FLASK */ Copied: tags/libsepol_1_12_27/libsepol/include/sepol/policydb/policydb.h (from rev 2033, trunk/libsepol/include/sepol/policydb/policydb.h) =================================================================== --- tags/libsepol_1_12_27/libsepol/include/sepol/policydb/policydb.h (rev 0) +++ tags/libsepol_1_12_27/libsepol/include/sepol/policydb/policydb.h 2006-09-28 12:18:30 UTC (rev 2036) 
@@ -0,0 +1,612 @@ + +/* Author : Stephen Smalley, <sd...@ep...> */ + +/* + * Updated: Joshua Brindle <jbr...@tr...> + * Karl MacMillan <kma...@tr...> + * Jason Tang <jt...@tr...> + * + * Module support + * + * Updated: Trusted Computer Solutions, Inc. <dgo...@tr...> + * + * Support for enhanced MLS infrastructure. + * + * Updated: Frank Mayer <ma...@tr...> and Karl MacMillan <kma...@tr...> + * + * Added conditional policy language extensions + * + * Updated: Red Hat, Inc. James Morris <jm...@re...> + * + * Fine-grained netlink support + * IPv6 support + * Code cleanup + * + * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc. + * Copyright (C) 2003 - 2004 Tresys Technology, LLC + * Copyright (C) 2003 - 2004 Red Hat, Inc. + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA + */ + +/* FLASK */ + +/* + * A policy database (policydb) specifies the + * configuration data for the security policy. + */ + +#ifndef _SEPOL_POLICYDB_POLICYDB_H_ +#define _SEPOL_POLICYDB_POLICYDB_H_ + +#include <stdio.h> +#include <stddef.h> + +#include <sepol/policydb.h> + +#include <sepol/policydb... [truncated message content] |
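Review bot: the re-added policydb.h hunk (@@ -0,0 +1,612 @@) is cut off in this notification right after the `#include <sepol/policydb...` line, so none of the struct, prototype or version-macro differences between the deleted copy and the rev 2033 trunk copy can be checked from this message. The deleted copy already has `#define MOD_POLICYDB_VERSION_MAX MOD_POLICYDB_VERSION_MLS_USERS` (6) and `#define POLICYDB_VERSION_MAX POLICYDB_VERSION_RANGETRANS` (21), so before the tag is relied on, diff tags/libsepol_1_12_27/libsepol/include/sepol/policydb/policydb.h against trunk at rev 2033 out of band and confirm the tagged header still carries the module-format version defines that the MLS-user and range_transition module support depends on.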
From: <mad...@us...> - 2006-09-28 18:29:13
Revision: 2039
http://svn.sourceforge.net/selinux/?rev=2039&view=rev
Author: madmethod
Date: 2006-09-28 11:28:44 -0700 (Thu, 28 Sep 2006)

Log Message:
-----------
tag for libsepol 1.12.28

Added Paths:
-----------
    tags/libsepol_1_12_28/
    tags/libsepol_1_12_28/libsepol/
    tags/libsepol_1_12_28/libsepol/ChangeLog
    tags/libsepol_1_12_28/libsepol/VERSION
    tags/libsepol_1_12_28/libsepol/include/sepol/policydb/policydb.h
    tags/libsepol_1_12_28/libsepol/src/Makefile
    tags/libsepol_1_12_28/libsepol/src/expand.c
    tags/libsepol_1_12_28/libsepol/src/link.c
    tags/libsepol_1_12_28/libsepol/src/policydb.c

Removed Paths:
-------------
    tags/libsepol_1_12_28/libsepol/ChangeLog
    tags/libsepol_1_12_28/libsepol/VERSION
    tags/libsepol_1_12_28/libsepol/include/sepol/policydb/policydb.h
    tags/libsepol_1_12_28/libsepol/src/Makefile
    tags/libsepol_1_12_28/libsepol/src/expand.c
    tags/libsepol_1_12_28/libsepol/src/link.c
    tags/libsepol_1_12_28/libsepol/src/policydb.c

Copied: tags/libsepol_1_12_28/libsepol (from rev 2032, trunk/libsepol)

Deleted: tags/libsepol_1_12_28/libsepol/ChangeLog
===================================================================
--- trunk/libsepol/ChangeLog	2006-09-18 19:13:13 UTC (rev 2032)
+++ tags/libsepol_1_12_28/libsepol/ChangeLog	2006-09-28 18:28:44 UTC (rev 2039)
@@ -1,566 +0,0 @@ -1.12.26 2006-09-05 - * Merged range transition enhancements and user format changes - Darrel Goeddel - -1.12.25 2006-08-24 - * Merged conditionally expand neverallows patch from Jeremy Mowery. - * Merged refactor expander patch from Jeremy Mowery. - -1.12.24 2006-08-03 - * Merged libsepol unit tests from Joshua Brindle. - -1.12.23 2006-08-03 - * Merged symtab datum patch from Karl MacMillan. - -1.12.22 2006-08-03 - * Merged netfilter contexts support from Chris PeBenito. - -1.12.21 2006-07-28 - * Merged helpful hierarchy check errors patch from Joshua Brindle. - -1.12.20 2006-07-25 - * Merged semodule_deps patch from Karl MacMillan. - This adds source module names to the avrule decls. - -1.12.19 2006-06-29 - * Lindent. - -1.12.18 2006-06-26 - * Merged optionals in base take 2 patch set from Joshua Brindle. - -1.12.17 2006-05-30 - * Revert 1.12.16. - -1.12.16 2006-05-30 - * Merged cleaner fix for bool_ids overflow from Karl MacMillan, - replacing the prior patch. - -1.12.15 2006-05-30 - * Merged fixes for several memory leaks in the error paths during - policy read from Serge Hallyn. - -1.12.14 2006-05-25 - * Fixed bool_ids overflow bug in cond_node_find and cond_copy_list, - based on bug report and suggested fix by Cedric Roux. - -1.12.13 2006-05-24 - * Merged sens_copy_callback, check_role_hierarchy_callback, - and node_from_record fixes from Serge Hallyn. - -1.12.12 2006-05-22 - * Added sepol_policydb_compat_net() interface for testing whether - a policy requires the compatibility support for network checks - to be enabled in the kernel. - -1.12.11 2006-05-17 - * Merged patch to initialize sym_val_to_name arrays from Kevin Carr. - Reworked to use calloc in the first place, and converted some other - malloc/memset pairs to calloc calls. - -1.12.10 2006-05-08 - * Merged patch to revert role/user decl upgrade from Karl MacMillan. - -1.12.9 2006-05-08 - * Dropped tests from all Makefile target. 
- -1.12.8 2006-05-05 - * Merged fix warnings patch from Karl MacMillan. - -1.12.7 2006-05-05 - * Merged libsepol test framework patch from Karl MacMillan. - -1.12.6 2006-04-28 - * Fixed cond_normalize to traverse the entire cond list at link time. - -1.12.5 2006-04-03 - * Merged fix for leak of optional package sections from Ivan Gyurdiev. - -1.12.4 2006-03-29 - * Generalize test for bitmap overflow in ebitmap_set_bit. - -1.12.3 2006-03-27 - * Fixed attr_convert_callback and expand_convert_type_set - typemap bug. - -1.12.2 2006-03-24 - * Fixed avrule_block_write num_decls endian bug. - -1.12.1 2006-03-20 - * Fixed sepol_module_package_write buffer overflow bug. - -1.12 2006-03-14 - * Updated version for release. - -1.11.20 2006-03-08 - * Merged cond_evaluate_expr fix from Serge Hallyn (IBM). - * Fixed bug in copy_avrule_list reported by Ivan Gyurdiev. - -1.11.19 2006-02-21 - * Merged sepol_policydb_mls_enabled interface and error handling - changes from Ivan Gyurdiev. - -1.11.18 2006-02-16 - * Merged node_expand_addr bugfix and node_compare* change from - Ivan Gyurdiev. - -1.11.17 2006-02-15 - * Merged nodes, ports: always prepend patch from Ivan Gyurdiev. - * Merged bug fix patch from Ivan Gyurdiev. - -1.11.16 2006-02-14 - * Added a defined flag to level_datum_t for use by checkpolicy. - -1.11.15 2006-02-14 - * Merged nodecon support patch from Ivan Gyurdiev. - * Merged cleanups patch from Ivan Gyurdiev. - -1.11.14 2006-02-13 - * Merged optionals in base patch from Joshua Brindle. - -1.11.13 2006-02-07 - * Merged seuser/user_extra support patch from Joshua Brindle. - * Merged fix patch from Ivan Gyurdiev. - -1.11.12 2006-02-02 - * Merged clone record on set_con patch from Ivan Gyurdiev. - -1.11.11 2006-02-01 - * Merged assertion copying bugfix from Joshua Brindle. - * Merged sepol_av_to_string patch from Joshua Brindle. - -1.11.10 2006-01-30 - * Merged cond_expr mapping and package section count bug fixes - from Joshua Brindle. 
- * Merged improve port/fcontext API patch from Ivan Gyurdiev. - * Merged fixes for overflow bugs on 64-bit from Ivan Gyurdiev. - -1.11.9 2006-01-12 - * Merged size_t -> unsigned int patch from Ivan Gyurdiev. - -1.11.8 2006-01-09 - * Merged 2nd const in APIs patch from Ivan Gyurdiev. - -1.11.7 2006-01-06 - * Merged const in APIs patch from Ivan Gyurdiev. - * Merged compare2 function patch from Ivan Gyurdiev. - -1.11.6 2006-01-06 - * Fixed hierarchy checker to only check allow rules. - -1.11.5 2006-01-05 - * Merged further fixes from Russell Coker, specifically: - - av_to_string overflow checking - - sepol_context_to_string error handling - - hierarchy checking memory leak fixes and optimizations - - avrule_block_read variable initialization - * Marked deprecated code in genbools and genusers. - -1.11.4 2006-01-05 - * Merged bugfix for sepol_port_modify from Russell Coker. - -1.11.3 2006-01-05 - * Fixed bug in sepol_iface_modify error path noted by Ivan Gyurdiev. - * Merged port ordering patch from Ivan Gyurdiev. - -1.11.2 2006-01-04 - * Merged patch series from Ivan Gyurdiev. - This includes patches to: - - support ordering of records in compare function - - enable port interfaces - - add interfaces for context validity and range checks - - add include guards - -1.11.1 2005-12-16 - * Fixed mls_range_cpy bug. - -1.10 2005-12-07 - * Updated version for release. - -1.9.42 2005-12-05 - * Dropped handle from user_del_role interface. - -1.9.41 2005-11-28 - * Merged remove defrole from sepol patch from Ivan Gyurdiev. - -1.9.40 2005-11-15 - * Merged module function and map file cleanup from Ivan Gyurdiev. - * Merged MLS and genusers cleanups from Ivan Gyurdiev. - -1.9.39 2005-11-09 - Prepare for removal of booleans* and *.users files. - * Cleaned up sepol_genbools to not regenerate the image if - there were no changes in the boolean values, including the - degenerate case where there are no booleans or booleans.local - files. 
- * Cleaned up sepol_genusers to not warn on missing local.users. - -1.9.38 2005-11-08 - * Removed sepol_port_* from libsepol.map, as the port interfaces - are not yet stable. - -1.9.37 2005-11-04 - * Merged context destroy cleanup patch from Ivan Gyurdiev. - -1.9.36 2005-11-03 - * Merged context_to_string interface change patch from Ivan Gyurdiev. - -1.9.35 2005-11-01 - * Added src/dso.h and src/*_internal.h. - Added hidden_def for exported symbols used within libsepol. - Added hidden for symbols that should not be exported by - the wildcards in libsepol.map. - -1.9.34 2005-10-31 - * Merged record interface, record bugfix, and set_roles patches - from Ivan Gyurdiev. - -1.9.33 2005-10-27 - * Merged count specification change from Ivan Gyurdiev. - -1.9.32 2005-10-26 - * Added further checking and error reporting to - sepol_module_package_read and _info. - -1.9.31 2005-10-26 - * Merged sepol handle passing, DEBUG conversion, and memory leak - fix patches from Ivan Gyurdiev. - -1.9.30 2005-10-25 - * Removed processing of system.users from sepol_genusers and - dropped delusers logic. - -1.9.29 2005-10-25 - * Removed policydb_destroy from error path of policydb_read, - since create/init/destroy/free of policydb is handled by the - caller now. - * Fixed sepol_module_package_read to handle a failed policydb_read - properly. - -1.9.28 2005-10-25 - * Merged query/exists and count patches from Ivan Gyurdiev. - -1.9.27 2005-10-25 - * Merged fix for pruned types in expand code from Joshua Brindle. - * Merged new module package format code from Joshua Brindle. - -1.9.26 2005-10-24 - * Merged context interface cleanup, record conversion code, - key passing, and bug fix patches from Ivan Gyurdiev. - -1.9.25 2005-10-21 - * Merged users cleanup patch from Ivan Gyurdiev. - -1.9.24 2005-10-21 - * Merged user record memory leak fix from Ivan Gyurdiev. - * Merged reorganize users patch from Ivan Gyurdiev. 
- -1.9.23 2005-10-19 - * Added check flag to expand_module() to control assertion - and hierarchy checking on expansion. - -1.9.22 2005-10-19 - * Reworked check_assertions() and hierarchy_check_constraints() - to take handles and use callback-based error reporting. - * Changed expand_module() to call check_assertions() and - hierarchy_check_constraints() prior to returning the expanded - policy. - -1.9.21 2005-10-18 - * Changed sepol_module_package_set_file_contexts to copy the - file contexts data since it is internally managed. - -1.9.20 2005-10-18 - * Added sepol_policy_file_set_handle interface to associate - a handle with a policy file. - * Added handle argument to policydb_from_image/to_image. - * Added sepol_module_package_set_file_contexts interface. - * Dropped sepol_module_package_create_file interface. - * Reworked policydb_read/write, policydb_from_image/to_image, - and sepol_module_package_read/write to use callback-based error - reporting system rather than DEBUG. - -1.9.19 2005-10-17 - * Reworked link_packages, link_modules, and expand_module to use - callback-based error reporting system rather than error buffering. - -1.9.18 2005-10-14 - * Merged conditional expression mapping fix in the module linking - code from Joshua Brindle. - -1.9.17 2005-10-13 - * Hid sepol_module_package type definition, and added get interfaces. - -1.9.16 2005-10-13 - * Merged new callback-based error reporting system from Ivan - Gyurdiev. - -1.9.15 2005-10-13 - * Merged support for require blocks inside conditionals from - Joshua Brindle (Tresys). - -1.9.14 2005-10-07 - * Fixed use of policydb_from_image/to_image to ensure proper - init of policydb. - -1.9.13 2005-10-07 - * Isolated policydb internal headers under <sepol/policydb/*.h>. - These headers should only be used by users of the static libsepol. - Created new <sepol/policydb.h> with new public types and interfaces - for shared libsepol. 
- Created new <sepol/module.h> with public types and interfaces moved - or wrapped from old module.h, link.h, and expand.h, adjusted for - new public types for policydb and policy_file. - Added public interfaces to libsepol.map. - Some implementation changes visible to users of the static libsepol: - 1) policydb_read no longer calls policydb_init. - Caller must do so first. - 2) policydb_init no longer takes policy_type argument. - Caller must set policy_type separately. - 3) expand_module automatically enables the global branch. - Caller no longer needs to do so. - 4) policydb_write uses the policy_type and policyvers from the - policydb itself, and sepol_set_policyvers() has been removed. - -1.9.12 2005-10-06 - * Merged function renaming and static cleanup from Ivan Gyurdiev. - -1.9.11 2005-10-05 - * Merged bug fix for check_assertions handling of no assertions - from Joshua Brindle (Tresys). - -1.9.10 2005-10-04 - * Merged iterate patch from Ivan Gyurdiev. - -1.9.9 2005-10-03 - * Merged MLS in modules patch from Joshua Brindle (Tresys). - -1.9.8 2005-09-30 - * Merged pointer typedef elimination patch from Ivan Gyurdiev. - * Merged user list function, new mls functions, and bugfix patch - from Ivan Gyurdiev. - -1.9.7 2005-09-28 - * Merged sepol_get_num_roles fix from Karl MacMillan (Tresys). - -1.9.6 2005-09-23 - * Merged bug fix patches from Joshua Brindle (Tresys). - -1.9.5 2005-09-21 - * Merged boolean record and memory leak fix patches from Ivan - Gyurdiev. - -1.9.4 2005-09-19 - * Merged interface record patch from Ivan Gyurdiev. - -1.9.3 2005-09-14 - * Merged fix for sepol_enable/disable_debug from Ivan - Gyurdiev. - -1.9.2 2005-09-14 - * Merged stddef.h patch and debug conversion patch from - Ivan Gyurdiev. - -1.9.1 2005-09-09 - * Fixed expand_avtab and expand_cond_av_list to keep separate - entries with identical keys but different enabled flags. - -1.8 2005-09-06 - * Updated version for release. 
- -1.7.24 2005-08-31 - * Fixed symtab_insert return value for duplicate declarations. - -1.7.23 2005-08-31 - * Merged fix for memory error in policy_module_destroy from - Jason Tang (Tresys). - -1.7.22 2005-08-26 - * Merged fix for memory leak in sepol_context_to_sid from - Jason Tang (Tresys). - -1.7.21 2005-08-25 - * Merged fixes for resource leaks on error paths and - change to scope_destroy from Joshua Brindle (Tresys). - -1.7.20 2005-08-23 - * Merged more fixes for resource leaks on error paths - from Serge Hallyn (IBM). Bugs found by Coverity. - -1.7.19 2005-08-19 - * Changed to treat all type conflicts as fatal errors. - -1.7.18 2005-08-18 - * Merged several error handling fixes from - Serge Hallyn (IBM). Bugs found by Coverity. - -1.7.17 2005-08-15 - * Fixed further memory leaks found by valgrind. - -1.7.16 2005-08-15 - * Fixed several memory leaks found by valgrind. - -1.7.15 2005-08-12 - * Fixed empty list test in cond_write_av_list. Bug found by - Coverity, reported by Serge Hallyn (IBM). - * Merged patch to policydb_write to check errors - when writing the type->attribute reverse map from - Serge Hallyn (IBM). Bug found by Coverity. - * Fixed policydb_destroy to properly handle NULL type_attr_map - or attr_type_map. - -1.7.14 2005-08-12 - * Fixed use of uninitialized data by expand_avtab_node by - clearing type_val_to_struct in policydb_index_others. - -1.7.13 2005-08-11 - * Improved memory use by SELinux by both reducing the avtab - node size and reducing the number of avtab nodes (by not - expanding attributes in TE rules when possible). Added - expand_avtab and expand_cond_av_list functions for use by - assertion checker, hierarchy checker, compatibility code, - and dispol. Added new inline ebitmap operators and converted - existing users of ebitmaps to the new operators for greater - efficiency. - Note: The binary policy format version has been incremented to - version 20 as a result of these changes. 
- -1.7.12 2005-08-10 - * Fixed bug in constraint_node_clone handling of name sets. - -1.7.11 2005-08-08 - * Fix range_trans_clone to map the type values properly. - -1.7.10 2005-08-02 - * Merged patch to move module read/write code from libsemanage - to libsepol from Jason Tang (Tresys). - -1.7.9 2005-08-02 - * Enabled further compiler warning flags and fixed them. - -1.7.8 2005-08-02 - * Merged user, context, port records patch from Ivan Gyurdiev. - * Merged key extract function patch from Ivan Gyurdiev. - -1.7.7 2005-07-27 - * Merged mls_context_to_sid bugfix from Ivan Gyurdiev. - -1.7.6 2005-07-26 - * Merged context reorganization, memory leak fixes, - port and interface loading, replacements for genusers and - genbools, debug traceback, and bugfix patches from Ivan Gyurdiev. - * Merged uninitialized variable bugfix from Dan Walsh. - -1.7.5 2005-07-18 - * Merged debug support, policydb conversion functions from Ivan Gyurdiev (Red Hat). - * Removed genpolbools and genpolusers utilities. - -1.7.4 2005-07-18 - * Merged hierarchy check fix from Joshua Brindle (Tresys). - -1.7.3 2005-07-13 - * Merged header file cleanup and memory leak fix from Ivan Gyurdiev (Red Hat). - -1.7.2 2005-07-11 - * Merged genbools debugging message cleanup from Red Hat. - -1.7.1 2005-07-06 - * Merged loadable module support from Tresys Technology. - -1.6 2005-06-20 - * Updated version for release. - -1.5.10 2005-05-19 - * License changed to LGPL v2.1, see COPYING. - -1.5.9 2005-05-16 - * Added sepol_genbools_policydb and sepol_genusers_policydb for - audit2why. - -1.5.8 2005-05-13 - * Added sepol_ prefix to Flask types to avoid - namespace collision with libselinux. - -1.5.7 2005-05-13 - * Added sepol_compute_av_reason() for audit2why. - -1.5.6 2005-04-25 - * Fixed bug in role hierarchy checker. - -1.5.5 2005-04-13 - * Merged hierarchical type/role patch from Tresys Technology. - * Merged MLS fixes from Darrel Goeddel of TCS. 
- -1.5.4 2005-04-13 - * Changed sepol_genusers to not delete users by default, - and added a sepol_set_delusers function to enable deletion. - Also, removed special case handling of system_u and user_u. - -1.5.3 2005-03-29 - * Merged booleans.local patch from Dan Walsh. - -1.5.2 2005-03-16 - * Added man page for sepol_check_context. - -1.5.1 2005-03-15 - * Added man page for sepol_genusers function. - * Merged man pages for genpolusers and chkcon from Manoj Srivastava. - -1.4 2005-03-09 - * Updated version for release. - -1.3.8 2005-03-08 - * Cleaned up error handling in sepol_genusers and sepol_genbools. - -1.3.7 2005-02-28 - * Merged sepol_debug and fclose patch from Dan Walsh. - -1.3.6 2005-02-22 - * Changed sepol_genusers to also use getline and correctly handle - EOL. - -1.3.5 2005-02-17 - * Merged range_transition support from Darrel Goeddel (TCS). - -1.3.4 2005-02-16 - * Added sepol_genusers function. - -1.3.3 2005-02-14 - * Merged endianness and compute_av patches from Darrel Goeddel (TCS). - -1.3.2 2005-02-09 - * Changed relabel Makefile target to use restorecon. - -1.3.1 2005-01-26 - * Merged enhanced MLS support from Darrel Goeddel (TCS). - -1.2.1 2005-01-19 - * Merged build fix patch from Manoj Srivastava. - -1.2 2004-10-07 - * MLS build fixes. - * Added sepol_set_policydb_from_file and sepol_check_context for setfiles. - -1.0 2004-08-19 - * Initial public release. - -0.4 2004-08-13 - * Merged patch from Dan Walsh to ignore case on booleans. - * Changed sepol_genbools* to preserve the original policy version. - * Replaced exported global variables with set functions. - * Moved genpolbools utility from checkpolicy to libsepol. - * Added man pages for sepol_genbools* and genpolbools. - -0.3 2004-08-10 - * Added ChangeLog, COPYING, spec file. - * Added sepol_genbools_array() for load_policy. - * Created libsepol.map to limit exported symbols in shared library. - -0.2 2004-08-09 - * Exported other functions for checkpolicy and friends. 
- * Renamed service and sidtab functions to avoid libselinux conflict. - * Removed original code from checkpolicy, which now uses libsepol. - * Code cleanup: kill legacy references to kernel types/functions. - -0.1 2004-08-06 - * Moved checkpolicy core logic into a library. - * Exported sepol_genbools() for load_policy. Copied: tags/libsepol_1_12_28/libsepol/ChangeLog (from rev 2038, trunk/libsepol/ChangeLog) =================================================================== --- tags/libsepol_1_12_28/libsepol/ChangeLog (rev 0) +++ tags/libsepol_1_12_28/libsepol/ChangeLog 2006-09-28 18:28:44 UTC (rev 2039) 
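Review bot: the tagged tree is assembled from two different trunk revisions rather than one snapshot: tags/libsepol_1_12_28/libsepol is copied from trunk at rev 2032 (whose ChangeLog, deleted in this hunk, ends at 1.12.26), and only ChangeLog, VERSION, policydb.h, Makefile, expand.c, link.c and policydb.c are then deleted and re-copied from rev 2038. Any other file that changed on trunk between r2032 and r2038 stays at its r2032 state in the tag, so the tag need not match any trunk state that was actually built and tested as 1.12.28. Copying trunk wholesale at the release revision (`svn copy -r 2038 trunk/libsepol tags/libsepol_1_12_28/libsepol`) gives a reproducible snapshot and avoids the delete-plus-recopy churn listed under Removed Paths.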
@@ -0,0 +1,573 @@ +1.12.28 2006-09-28 + * Build libsepol's static object files with -fpic + +1.12.27 2006-09-28 + * Merged mls user and range_transition support in modules + from Darrel Goeddel + +1.12.26 2006-09-05 + * Merged range transition enhancements and user format changes + Darrel Goeddel + +1.12.25 2006-08-24 + * Merged conditionally expand neverallows patch from Jeremy Mowery. + * Merged refactor expander patch from Jeremy Mowery. + +1.12.24 2006-08-03 + * Merged libsepol unit tests from Joshua Brindle. + +1.12.23 2006-08-03 + * Merged symtab datum patch from Karl MacMillan. + +1.12.22 2006-08-03 + * Merged netfilter contexts support from Chris PeBenito. + +1.12.21 2006-07-28 + * Merged helpful hierarchy check errors patch from Joshua Brindle. + +1.12.20 2006-07-25 + * Merged semodule_deps patch from Karl MacMillan. + This adds source module names to the avrule decls. + +1.12.19 2006-06-29 + * Lindent. + +1.12.18 2006-06-26 + * Merged optionals in base take 2 patch set from Joshua Brindle. + +1.12.17 2006-05-30 + * Revert 1.12.16. + +1.12.16 2006-05-30 + * Merged cleaner fix for bool_ids overflow from Karl MacMillan, + replacing the prior patch. + +1.12.15 2006-05-30 + * Merged fixes for several memory leaks in the error paths during + policy read from Serge Hallyn. + +1.12.14 2006-05-25 + * Fixed bool_ids overflow bug in cond_node_find and cond_copy_list, + based on bug report and suggested fix by Cedric Roux. + +1.12.13 2006-05-24 + * Merged sens_copy_callback, check_role_hierarchy_callback, + and node_from_record fixes from Serge Hallyn. + +1.12.12 2006-05-22 + * Added sepol_policydb_compat_net() interface for testing whether + a policy requires the compatibility support for network checks + to be enabled in the kernel. + +1.12.11 2006-05-17 + * Merged patch to initialize sym_val_to_name arrays from Kevin Carr. + Reworked to use calloc in the first place, and converted some other + malloc/memset pairs to calloc calls. 
+ +1.12.10 2006-05-08 + * Merged patch to revert role/user decl upgrade from Karl MacMillan. + +1.12.9 2006-05-08 + * Dropped tests from all Makefile target. + +1.12.8 2006-05-05 + * Merged fix warnings patch from Karl MacMillan. + +1.12.7 2006-05-05 + * Merged libsepol test framework patch from Karl MacMillan. + +1.12.6 2006-04-28 + * Fixed cond_normalize to traverse the entire cond list at link time. + +1.12.5 2006-04-03 + * Merged fix for leak of optional package sections from Ivan Gyurdiev. + +1.12.4 2006-03-29 + * Generalize test for bitmap overflow in ebitmap_set_bit. + +1.12.3 2006-03-27 + * Fixed attr_convert_callback and expand_convert_type_set + typemap bug. + +1.12.2 2006-03-24 + * Fixed avrule_block_write num_decls endian bug. + +1.12.1 2006-03-20 + * Fixed sepol_module_package_write buffer overflow bug. + +1.12 2006-03-14 + * Updated version for release. + +1.11.20 2006-03-08 + * Merged cond_evaluate_expr fix from Serge Hallyn (IBM). + * Fixed bug in copy_avrule_list reported by Ivan Gyurdiev. + +1.11.19 2006-02-21 + * Merged sepol_policydb_mls_enabled interface and error handling + changes from Ivan Gyurdiev. + +1.11.18 2006-02-16 + * Merged node_expand_addr bugfix and node_compare* change from + Ivan Gyurdiev. + +1.11.17 2006-02-15 + * Merged nodes, ports: always prepend patch from Ivan Gyurdiev. + * Merged bug fix patch from Ivan Gyurdiev. + +1.11.16 2006-02-14 + * Added a defined flag to level_datum_t for use by checkpolicy. + +1.11.15 2006-02-14 + * Merged nodecon support patch from Ivan Gyurdiev. + * Merged cleanups patch from Ivan Gyurdiev. + +1.11.14 2006-02-13 + * Merged optionals in base patch from Joshua Brindle. + +1.11.13 2006-02-07 + * Merged seuser/user_extra support patch from Joshua Brindle. + * Merged fix patch from Ivan Gyurdiev. + +1.11.12 2006-02-02 + * Merged clone record on set_con patch from Ivan Gyurdiev. + +1.11.11 2006-02-01 + * Merged assertion copying bugfix from Joshua Brindle. 
+ * Merged sepol_av_to_string patch from Joshua Brindle. + +1.11.10 2006-01-30 + * Merged cond_expr mapping and package section count bug fixes + from Joshua Brindle. + * Merged improve port/fcontext API patch from Ivan Gyurdiev. + * Merged fixes for overflow bugs on 64-bit from Ivan Gyurdiev. + +1.11.9 2006-01-12 + * Merged size_t -> unsigned int patch from Ivan Gyurdiev. + +1.11.8 2006-01-09 + * Merged 2nd const in APIs patch from Ivan Gyurdiev. + +1.11.7 2006-01-06 + * Merged const in APIs patch from Ivan Gyurdiev. + * Merged compare2 function patch from Ivan Gyurdiev. + +1.11.6 2006-01-06 + * Fixed hierarchy checker to only check allow rules. + +1.11.5 2006-01-05 + * Merged further fixes from Russell Coker, specifically: + - av_to_string overflow checking + - sepol_context_to_string error handling + - hierarchy checking memory leak fixes and optimizations + - avrule_block_read variable initialization + * Marked deprecated code in genbools and genusers. + +1.11.4 2006-01-05 + * Merged bugfix for sepol_port_modify from Russell Coker. + +1.11.3 2006-01-05 + * Fixed bug in sepol_iface_modify error path noted by Ivan Gyurdiev. + * Merged port ordering patch from Ivan Gyurdiev. + +1.11.2 2006-01-04 + * Merged patch series from Ivan Gyurdiev. + This includes patches to: + - support ordering of records in compare function + - enable port interfaces + - add interfaces for context validity and range checks + - add include guards + +1.11.1 2005-12-16 + * Fixed mls_range_cpy bug. + +1.10 2005-12-07 + * Updated version for release. + +1.9.42 2005-12-05 + * Dropped handle from user_del_role interface. + +1.9.41 2005-11-28 + * Merged remove defrole from sepol patch from Ivan Gyurdiev. + +1.9.40 2005-11-15 + * Merged module function and map file cleanup from Ivan Gyurdiev. + * Merged MLS and genusers cleanups from Ivan Gyurdiev. + +1.9.39 2005-11-09 + Prepare for removal of booleans* and *.users files. 
+ * Cleaned up sepol_genbools to not regenerate the image if + there were no changes in the boolean values, including the + degenerate case where there are no booleans or booleans.local + files. + * Cleaned up sepol_genusers to not warn on missing local.users. + +1.9.38 2005-11-08 + * Removed sepol_port_* from libsepol.map, as the port interfaces + are not yet stable. + +1.9.37 2005-11-04 + * Merged context destroy cleanup patch from Ivan Gyurdiev. + +1.9.36 2005-11-03 + * Merged context_to_string interface change patch from Ivan Gyurdiev. + +1.9.35 2005-11-01 + * Added src/dso.h and src/*_internal.h. + Added hidden_def for exported symbols used within libsepol. + Added hidden for symbols that should not be exported by + the wildcards in libsepol.map. + +1.9.34 2005-10-31 + * Merged record interface, record bugfix, and set_roles patches + from Ivan Gyurdiev. + +1.9.33 2005-10-27 + * Merged count specification change from Ivan Gyurdiev. + +1.9.32 2005-10-26 + * Added further checking and error reporting to + sepol_module_package_read and _info. + +1.9.31 2005-10-26 + * Merged sepol handle passing, DEBUG conversion, and memory leak + fix patches from Ivan Gyurdiev. + +1.9.30 2005-10-25 + * Removed processing of system.users from sepol_genusers and + dropped delusers logic. + +1.9.29 2005-10-25 + * Removed policydb_destroy from error path of policydb_read, + since create/init/destroy/free of policydb is handled by the + caller now. + * Fixed sepol_module_package_read to handle a failed policydb_read + properly. + +1.9.28 2005-10-25 + * Merged query/exists and count patches from Ivan Gyurdiev. + +1.9.27 2005-10-25 + * Merged fix for pruned types in expand code from Joshua Brindle. + * Merged new module package format code from Joshua Brindle. + +1.9.26 2005-10-24 + * Merged context interface cleanup, record conversion code, + key passing, and bug fix patches from Ivan Gyurdiev. + +1.9.25 2005-10-21 + * Merged users cleanup patch from Ivan Gyurdiev. 
+ +1.9.24 2005-10-21 + * Merged user record memory leak fix from Ivan Gyurdiev. + * Merged reorganize users patch from Ivan Gyurdiev. + +1.9.23 2005-10-19 + * Added check flag to expand_module() to control assertion + and hierarchy checking on expansion. + +1.9.22 2005-10-19 + * Reworked check_assertions() and hierarchy_check_constraints() + to take handles and use callback-based error reporting. + * Changed expand_module() to call check_assertions() and + hierarchy_check_constraints() prior to returning the expanded + policy. + +1.9.21 2005-10-18 + * Changed sepol_module_package_set_file_contexts to copy the + file contexts data since it is internally managed. + +1.9.20 2005-10-18 + * Added sepol_policy_file_set_handle interface to associate + a handle with a policy file. + * Added handle argument to policydb_from_image/to_image. + * Added sepol_module_package_set_file_contexts interface. + * Dropped sepol_module_package_create_file interface. + * Reworked policydb_read/write, policydb_from_image/to_image, + and sepol_module_package_read/write to use callback-based error + reporting system rather than DEBUG. + +1.9.19 2005-10-17 + * Reworked link_packages, link_modules, and expand_module to use + callback-based error reporting system rather than error buffering. + +1.9.18 2005-10-14 + * Merged conditional expression mapping fix in the module linking + code from Joshua Brindle. + +1.9.17 2005-10-13 + * Hid sepol_module_package type definition, and added get interfaces. + +1.9.16 2005-10-13 + * Merged new callback-based error reporting system from Ivan + Gyurdiev. + +1.9.15 2005-10-13 + * Merged support for require blocks inside conditionals from + Joshua Brindle (Tresys). + +1.9.14 2005-10-07 + * Fixed use of policydb_from_image/to_image to ensure proper + init of policydb. + +1.9.13 2005-10-07 + * Isolated policydb internal headers under <sepol/policydb/*.h>. + These headers should only be used by users of the static libsepol. 
+ Created new <sepol/policydb.h> with new public types and interfaces + for shared libsepol. + Created new <sepol/module.h> with public types and interfaces moved + or wrapped from old module.h, link.h, and expand.h, adjusted for + new public types for policydb and policy_file. + Added public interfaces to libsepol.map. + Some implementation changes visible to users of the static libsepol: + 1) policydb_read no longer calls policydb_init. + Caller must do so first. + 2) policydb_init no longer takes policy_type argument. + Caller must set policy_type separately. + 3) expand_module automatically enables the global branch. + Caller no longer needs to do so. + 4) policydb_write uses the policy_type and policyvers from the + policydb itself, and sepol_set_policyvers() has been removed. + +1.9.12 2005-10-06 + * Merged function renaming and static cleanup from Ivan Gyurdiev. + +1.9.11 2005-10-05 + * Merged bug fix for check_assertions handling of no assertions + from Joshua Brindle (Tresys). + +1.9.10 2005-10-04 + * Merged iterate patch from Ivan Gyurdiev. + +1.9.9 2005-10-03 + * Merged MLS in modules patch from Joshua Brindle (Tresys). + +1.9.8 2005-09-30 + * Merged pointer typedef elimination patch from Ivan Gyurdiev. + * Merged user list function, new mls functions, and bugfix patch + from Ivan Gyurdiev. + +1.9.7 2005-09-28 + * Merged sepol_get_num_roles fix from Karl MacMillan (Tresys). + +1.9.6 2005-09-23 + * Merged bug fix patches from Joshua Brindle (Tresys). + +1.9.5 2005-09-21 + * Merged boolean record and memory leak fix patches from Ivan + Gyurdiev. + +1.9.4 2005-09-19 + * Merged interface record patch from Ivan Gyurdiev. + +1.9.3 2005-09-14 + * Merged fix for sepol_enable/disable_debug from Ivan + Gyurdiev. + +1.9.2 2005-09-14 + * Merged stddef.h patch and debug conversion patch from + Ivan Gyurdiev. + +1.9.1 2005-09-09 + * Fixed expand_avtab and expand_cond_av_list to keep separate + entries with identical keys but different enabled flags. 
+ +1.8 2005-09-06 + * Updated version for release. + +1.7.24 2005-08-31 + * Fixed symtab_insert return value for duplicate declarations. + +1.7.23 2005-08-31 + * Merged fix for memory error in policy_module_destroy from + Jason Tang (Tresys). + +1.7.22 2005-08-26 + * Merged fix for memory leak in sepol_context_to_sid from + Jason Tang (Tresys). + +1.7.21 2005-08-25 + * Merged fixes for resource leaks on error paths and + change to scope_destroy from Joshua Brindle (Tresys). + +1.7.20 2005-08-23 + * Merged more fixes for resource leaks on error paths + from Serge Hallyn (IBM). Bugs found by Coverity. + +1.7.19 2005-08-19 + * Changed to treat all type conflicts as fatal errors. + +1.7.18 2005-08-18 + * Merged several error handling fixes from + Serge Hallyn (IBM). Bugs found by Coverity. + +1.7.17 2005-08-15 + * Fixed further memory leaks found by valgrind. + +1.7.16 2005-08-15 + * Fixed several memory leaks found by valgrind. + +1.7.15 2005-08-12 + * Fixed empty list test in cond_write_av_list. Bug found by + Coverity, reported by Serge Hallyn (IBM). + * Merged patch to policydb_write to check errors + when writing the type->attribute reverse map from + Serge Hallyn (IBM). Bug found by Coverity. + * Fixed policydb_destroy to properly handle NULL type_attr_map + or attr_type_map. + +1.7.14 2005-08-12 + * Fixed use of uninitialized data by expand_avtab_node by + clearing type_val_to_struct in policydb_index_others. + +1.7.13 2005-08-11 + * Improved memory use by SELinux by both reducing the avtab + node size and reducing the number of avtab nodes (by not + expanding attributes in TE rules when possible). Added + expand_avtab and expand_cond_av_list functions for use by + assertion checker, hierarchy checker, compatibility code, + and dispol. Added new inline ebitmap operators and converted + existing users of ebitmaps to the new operators for greater + efficiency. 
+ Note: The binary policy format version has been incremented to + version 20 as a result of these changes. + +1.7.12 2005-08-10 + * Fixed bug in constraint_node_clone handling of name sets. + +1.7.11 2005-08-08 + * Fix range_trans_clone to map the type values properly. + +1.7.10 2005-08-02 + * Merged patch to move module read/write code from libsemanage + to libsepol from Jason Tang (Tresys). + +1.7.9 2005-08-02 + * Enabled further compiler warning flags and fixed them. + +1.7.8 2005-08-02 + * Merged user, context, port records patch from Ivan Gyurdiev. + * Merged key extract function patch from Ivan Gyurdiev. + +1.7.7 2005-07-27 + * Merged mls_context_to_sid bugfix from Ivan Gyurdiev. + +1.7.6 2005-07-26 + * Merged context reorganization, memory leak fixes, + port and interface loading, replacements for genusers and + genbools, debug traceback, and bugfix patches from Ivan Gyurdiev. + * Merged uninitialized variable bugfix from Dan Walsh. + +1.7.5 2005-07-18 + * Merged debug support, policydb conversion functions from Ivan Gyurdiev (Red Hat). + * Removed genpolbools and genpolusers utilities. + +1.7.4 2005-07-18 + * Merged hierarchy check fix from Joshua Brindle (Tresys). + +1.7.3 2005-07-13 + * Merged header file cleanup and memory leak fix from Ivan Gyurdiev (Red Hat). + +1.7.2 2005-07-11 + * Merged genbools debugging message cleanup from Red Hat. + +1.7.1 2005-07-06 + * Merged loadable module support from Tresys Technology. + +1.6 2005-06-20 + * Updated version for release. + +1.5.10 2005-05-19 + * License changed to LGPL v2.1, see COPYING. + +1.5.9 2005-05-16 + * Added sepol_genbools_policydb and sepol_genusers_policydb for + audit2why. + +1.5.8 2005-05-13 + * Added sepol_ prefix to Flask types to avoid + namespace collision with libselinux. + +1.5.7 2005-05-13 + * Added sepol_compute_av_reason() for audit2why. + +1.5.6 2005-04-25 + * Fixed bug in role hierarchy checker. + +1.5.5 2005-04-13 + * Merged hierarchical type/role patch from Tresys Technology. 
+ * Merged MLS fixes from Darrel Goeddel of TCS. + +1.5.4 2005-04-13 + * Changed sepol_genusers to not delete users by default, + and added a sepol_set_delusers function to enable deletion. + Also, removed special case handling of system_u and user_u. + +1.5.3 2005-03-29 + * Merged booleans.local patch from Dan Walsh. + +1.5.2 2005-03-16 + * Added man page for sepol_check_context. + +1.5.1 2005-03-15 + * Added man page for sepol_genusers function. + * Merged man pages for genpolusers and chkcon from Manoj Srivastava. + +1.4 2005-03-09 + * Updated version for release. + +1.3.8 2005-03-08 + * Cleaned up error handling in sepol_genusers and sepol_genbools. + +1.3.7 2005-02-28 + * Merged sepol_debug and fclose patch from Dan Walsh. + +1.3.6 2005-02-22 + * Changed sepol_genusers to also use getline and correctly handle + EOL. + +1.3.5 2005-02-17 + * Merged range_transition support from Darrel Goeddel (TCS). + +1.3.4 2005-02-16 + * Added sepol_genusers function. + +1.3.3 2005-02-14 + * Merged endianness and compute_av patches from Darrel Goeddel (TCS). + +1.3.2 2005-02-09 + * Changed relabel Makefile target to use restorecon. + +1.3.1 2005-01-26 + * Merged enhanced MLS support from Darrel Goeddel (TCS). + +1.2.1 2005-01-19 + * Merged build fix patch from Manoj Srivastava. + +1.2 2004-10-07 + * MLS build fixes. + * Added sepol_set_policydb_from_file and sepol_check_context for setfiles. + +1.0 2004-08-19 + * Initial public release. + +0.4 2004-08-13 + * Merged patch from Dan Walsh to ignore case on booleans. + * Changed sepol_genbools* to preserve the original policy version. + * Replaced exported global variables with set functions. + * Moved genpolbools utility from checkpolicy to libsepol. + * Added man pages for sepol_genbools* and genpolbools. + +0.3 2004-08-10 + * Added ChangeLog, COPYING, spec file. + * Added sepol_genbools_array() for load_policy. + * Created libsepol.map to limit exported symbols in shared library. 
+ +0.2 2004-08-09 + * Exported other functions for checkpolicy and friends. + * Renamed service and sidtab functions to avoid libselinux conflict. + * Removed original code from checkpolicy, which now uses libsepol. + * Code cleanup: kill legacy references to kernel types/functions. + +0.1 2004-08-06 + * Moved checkpolicy core logic into a library. + * Exported sepol_genbools() for load_policy. Deleted: tags/libsepol_1_12_28/libsepol/VERSION =================================================================== --- trunk/libsepol/VERSION 2006-09-18 19:13:13 UTC (rev 2032) +++ tags/libsepol_1_12_28/libsepol/VERSION 2006-09-28 18:28:44 UTC (rev 2039) @@ -1 +0,0 @@ -1.12.26 Copied: tags/libsepol_1_12_28/libsepol/VERSION (from rev 2038, trunk/libsepol/VERSION) =================================================================== --- tags/libsepol_1_12_28/libsepol/VERSION (rev 0) +++ tags/libsepol_1_12_28/libsepol/VERSION 2006-09-28 18:28:44 UTC (rev 2039) @@ -0,0 +1 @@ +1.12.28 Deleted: tags/libsepol_1_12_28/libsepol/include/sepol/policydb/policydb.h =================================================================== --- trunk/libsepol/include/sepol/policydb/policydb.h 2006-09-18 19:13:13 UTC (rev 2032) +++ tags/libsepol_1_12_28/libsepol/include/sepol/policydb/policydb.h 2006-09-28 18:28:44 UTC (rev 2039) 
@@ -1,608 +0,0 @@ - -/* Author : Stephen Smalley, <sd...@ep...> */ - -/* - * Updated: Joshua Brindle <jbr...@tr...> - * Karl MacMillan <kma...@tr...> - * Jason Tang <jt...@tr...> - * - * Module support - * - * Updated: Trusted Computer Solutions, Inc. <dgo...@tr...> - * - * Support for enhanced MLS infrastructure. - * - * Updated: Frank Mayer <ma...@tr...> and Karl MacMillan <kma...@tr...> - * - * Added conditional policy language extensions - * - * Updated: Red Hat, Inc. James Morris <jm...@re...> - * - * Fine-grained netlink support - * IPv6 support - * Code cleanup - * - * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc. - * Copyright (C) 2003 - 2004 Tresys Technology, LLC - * Copyright (C) 2003 - 2004 Red Hat, Inc. - * - * This library is free software; you can redistribute it and/or - * modify it under the terms of the GNU Lesser General Public - * License as published by the Free Software Foundation; either - * version 2.1 of the License, or (at your option) any later version. - * - * This library is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - * Lesser General Public License for more details. - * - * You should have received a copy of the GNU Lesser General Public - * License along with this library; if not, write to the Free Software - * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA - */ - -/* FLASK */ - -/* - * A policy database (policydb) specifies the - * configuration data for the security policy. 
- */ - -#ifndef _SEPOL_POLICYDB_POLICYDB_H_ -#define _SEPOL_POLICYDB_POLICYDB_H_ - -#include <stdio.h> -#include <stddef.h> - -#include <sepol/policydb.h> - -#include <sepol/policydb/flask_types.h> -#include <sepol/policydb/symtab.h> -#include <sepol/policydb/avtab.h> -#include <sepol/policydb/context.h> -#include <sepol/policydb/constraint.h> -#include <sepol/policydb/sidtab.h> - -#define ERRMSG_LEN 1024 - -#define POLICYDB_SUCCESS 0 -#define POLICYDB_ERROR -1 -#define POLICYDB_UNSUPPORTED -2 - -/* - * A datum type is defined for each kind of symbol - * in the configuration data: individual permissions, - * common prefixes for access vectors, classes, - * users, roles, types, sensitivities, categories, etc. - */ - -/* type set preserves data needed by modules such as *, ~ and attributes */ -typedef struct type_set { - ebitmap_t types; - ebitmap_t negset; -#define TYPE_STAR 1 -#define TYPE_COMP 2 - uint32_t flags; -} type_set_t; - -typedef struct role_set { - ebitmap_t roles; -#define ROLE_STAR 1 -#define ROLE_COMP 2 - uint32_t flags; -} role_set_t; - -/* Permission attributes */ -typedef struct perm_datum { - symtab_datum_t s; -} perm_datum_t; - -/* Attributes of a common prefix for access vectors */ -typedef struct common_datum { - symtab_datum_t s; - symtab_t permissions; /* common permissions */ -} common_datum_t; - -/* Class attributes */ -typedef struct class_datum { - symtab_datum_t s; - char *comkey; /* common name */ - common_datum_t *comdatum; /* common datum */ - symtab_t permissions; /* class-specific permission symbol table */ - constraint_node_t *constraints; /* constraints on class permissions */ - constraint_node_t *validatetrans; /* special transition rules */ -} class_datum_t; - -/* Role attributes */ -typedef struct role_datum { - symtab_datum_t s; - ebitmap_t dominates; /* set of roles dominated by this role */ - type_set_t types; /* set of authorized types for role */ - ebitmap_t cache; /* This is an expanded set used for context validation 
during parsing */ -} role_datum_t; - -typedef struct role_trans { - uint32_t role; /* current role */ - uint32_t type; /* program executable type */ - uint32_t new_role; /* new role */ - struct role_trans *next; -} role_trans_t; - -typedef struct role_allow { - uint32_t role; /* current role */ - uint32_t new_role; /* new role */ - struct role_allow *next; -} role_allow_t; - -/* Type attributes */ -typedef struct type_datum { - symtab_datum_t s; - uint32_t primary; /* primary name? can be set to primary value if below is TYPE_ */ -#define TYPE_TYPE 0 /* regular type or alias in kernel policies */ -#define TYPE_ATTRIB 1 /* attribute */ -#define TYPE_ALIAS 2 /* alias in modular policy */ - uint32_t flavor; - ebitmap_t types; /* types with this attribute */ -} type_datum_t; - -/* User attributes */ -typedef struct user_datum { - symtab_datum_t s; - role_set_t roles; /* set of authorized roles for user */ - mls_semantic_range_t range; /* MLS range (min. - max.) for user */ - mls_semantic_level_t dfltlevel; /* default login MLS level for user */ - ebitmap_t cache; /* This is an expanded set used for context validation during parsing */ - mls_range_t exp_range; /* expanded range used for validation */ - mls_level_t exp_dfltlevel; /* expanded range used for validation */ -} user_datum_t; - -/* Sensitivity attributes */ -typedef struct level_datum { - mls_level_t *level; /* sensitivity and associated categories */ - unsigned char isalias; /* is this sensitivity an alias for another? */ - unsigned char defined; -} level_datum_t; - -/* Category attributes */ -typedef struct cat_datum { - symtab_datum_t s; - unsigned char isalias; /* is this category an alias for another? 
*/ -} cat_datum_t; - -typedef struct range_trans { - uint32_t source_type; - uint32_t target_type; - uint32_t target_class; - mls_range_t target_range; - struct range_trans *next; -} range_trans_t; - -/* Boolean data type */ -typedef struct cond_bool_datum { - symtab_datum_t s; - int state; -} cond_bool_datum_t; - -struct cond_node; - -typedef struct cond_node cond_list_t; -struct cond_av_list; - -typedef struct class_perm_node { - uint32_t class; - uint32_t data; /* permissions or new type */ - struct class_perm_node *next; -} class_perm_node_t; - -typedef struct avrule { -/* these typedefs are almost exactly the same as those in avtab.h - they are - * here because of the need to include neverallow and dontaudit messages */ -#define AVRULE_ALLOWED 1 -#define AVRULE_AUDITALLOW 2 -#define AVRULE_AUDITDENY 4 -#define AVRULE_DONTAUDIT 8 -#define AVRULE_NEVERALLOW 128 -#define AVRULE_AV (AVRULE_ALLOWED | AVRULE_AUDITALLOW | AVRULE_AUDITDENY | AVRULE_DONTAUDIT | AVRULE_NEVERALLOW) -#define AVRULE_TRANSITION 16 -#define AVRULE_MEMBER 32 -#define AVRULE_CHANGE 64 -#define AVRULE_TYPE (AVRULE_TRANSITION | AVRULE_MEMBER | AVRULE_CHANGE) - uint32_t specified; -#define RULE_SELF 1 - uint32_t flags; - type_set_t stypes; - type_set_t ttypes; - class_perm_node_t *perms; - unsigned long line; /* line number from policy.conf where - * this rule originated */ - struct avrule *next; -} avrule_t; - -typedef struct role_trans_rule { - role_set_t roles; /* current role */ - type_set_t types; /* program executable type */ - uint32_t new_role; /* new role */ - struct role_trans_rule *next; -} role_trans_rule_t; - -typedef struct role_allow_rule { - role_set_t roles; /* current role */ - role_set_t new_roles; /* new roles */ - struct role_allow_rule *next; -} role_allow_rule_t; - -typedef struct range_trans_rule { - type_set_t stypes; - type_set_t ttypes; - ebitmap_t tclasses; - mls_semantic_range_t trange; - struct range_trans_rule *next; -} range_trans_rule_t; - -/* - * The 
configuration data includes security contexts for - * initial SIDs, unlabeled file systems, TCP and UDP port numbers, - * network interfaces, and nodes. This structure stores the - * relevant data for one such entry. Entries of the same kind - * (e.g. all initial SIDs) are linked together into a list. - */ -typedef struct ocontext { - union { - char *name; /* name of initial SID, fs, netif, fstype, path */ - struct { - uint8_t protocol; - uint16_t low_port; - uint16_t high_port; - } port; /* TCP or UDP port information */ - struct { - uint32_t addr; - uint32_t mask; - } node; /* node information */ - struct { - uint32_t addr[4]; - uint32_t mask[4]; - } node6; /* IPv6 node information */ - } u; - union { - uint32_t sclass; /* security class for genfs */ - uint32_t behavior; /* labeling behavior for fs_use */ - } v; - context_struct_t context[2]; /* security context(s) */ - sepol_security_id_t sid[2]; /* SID(s) */ - struct ocontext *next; -} ocontext_t; - -typedef struct genfs { - char *fstype; - struct ocontext *head; - struct genfs *next; -} genfs_t; - -/* symbol table array indices */ -#define SYM_COMMONS 0 -#define SYM_CLASSES 1 -#define SYM_ROLES 2 -#define SYM_TYPES 3 -#define SYM_USERS 4 -#define SYM_BOOLS 5 -#define SYM_LEVELS 6 -#define SYM_CATS 7 -#define SYM_NUM 8 - -/* object context array indices */ -#define OCON_ISID 0 /* initial SIDs */ -#define OCON_FS 1 /* unlabeled file systems */ -#define OCON_PORT 2 /* TCP and UDP port numbers */ -#define OCON_NETIF 3 /* network interfaces */ -#define OCON_NODE 4 /* nodes */ -#define OCON_FSUSE 5 /* fs_use */ -#define OCON_NODE6 6 /* IPv6 nodes */ -#define OCON_NUM 7 - -/* section: module information */ - -/* scope_index_t holds all of the symbols that are in scope in a - * particular situation. The bitmaps are indices (and thus must - * subtract one) into the global policydb->scope array. 
*/ -typedef struct scope_index { - ebitmap_t scope[SYM_NUM]; -#define p_classes_scope scope[SYM_CLASSES] -#define p_roles_scope scope[SYM_ROLES] -#define p_types_scope scope[SYM_TYPES] -#define p_users_scope scope[SYM_USERS] -#define p_bools_scope scope[SYM_BOOLS] -#define p_sens_scope scope[SYM_LEVELS] -#define p_cat_scope scope[SYM_CATS] - - /* this array maps from class->value to the permissions within - * scope. if bit (perm->value - 1) is set in map - * class_perms_map[class->value - 1] then that permission is - * enabled for this class within this decl. */ - ebitmap_t *class_perms_map; - /* total number of classes in class_perms_map array */ - uint32_t class_perms_len; -} scope_index_t; - -/* a list of declarations for a particular avrule_decl */ - -/* These two structs declare a block of policy that has TE and RBAC - * statements and declarations. The root block (the global policy) - * can never have an ELSE branch. */ -typedef struct avrule_decl { - uint32_t decl_id; - uint32_t enabled; /* whether this block is enabled */ - - cond_list_t *cond_list; - avrule_t *avrules; - role_trans_rule_t *role_tr_rules; - role_allow_rule_t *role_allow_rules; - range_trans_rule_t *range_tr_rules; - scope_index_t required; /* symbols needed to activate this block */ - scope_index_t declared; /* symbols declared within this block */ - - /* for additive statements (type attribute, roles, and users) */ - symtab_t symtab[SYM_NUM]; - - /* In a linked module this will contain the name of the module - * from which this avrule_decl originated. */ - char *module_name; - - struct avrule_decl *next; -} avrule_decl_t; - -typedef struct avrule_block { - avrule_decl_t *branch_list; - avrule_decl_t *enabled; /* pointer to which branch is enabled. 
this is - used in linking and never written to disk */ -#define AVRULE_OPTIONAL 1 - uint32_t flags; /* any flags for this block, currently just optional */ - struct avrule_block *next; -} avrule_block_t; - -/* Every identifier has its own scope datum. The datum describes if - * the item is to be included into the final policy during - * expansion. */ -typedef struct scope_datum { -/* Required for this decl */ -#define SCOPE_REQ 1 -/* Declared in this decl */ -#define SCOPE_DECL 2 - uint32_t scope; - uint32_t *decl_ids; - uint32_t decl_ids_len; - /* decl_ids is a list of avrule_decl's that declare/require - * this symbol. If scope==SCOPE_DECL then this is a list of - * declarations. If the symbol may only be declared once - * (types, bools) then decl_ids_len will be exactly 1. For - * implicitly declared things (roles, users) then decl_ids_len - * will be at least 1. */ -} scope_datum_t; - -/* The policy database */ -typedef struct policydb { -#define POLICY_KERN SEPOL_POLICY_KERN -#define POLICY_BASE SEPOL_POLICY_BASE -#define POLICY_MOD SEPOL_POLICY_MOD - uint32_t policy_type; - char *name; - char *version; - - /* Set when the policydb is modified such that writing is unsupported */ - int unsupported_format; - - /* Whether this policydb is mls, should always be set */ - int mls; - - /* symbol tables */ - symtab_t symtab[SYM_NUM]; -#define p_commons symtab[SYM_COMMONS] -#define p_classes symtab[SYM_CLASSES] -#define p_roles symtab[SYM_ROLES] -#define p_types symtab[SYM_TYPES] -#define p_users symtab[SYM_USERS] -#define p_bools symtab[SYM_BOOLS] -#define p_levels symtab[SYM_LEVELS] -#define p_cats symtab[SYM_CATS] - - /* symbol names indexed by (value - 1) */ - char **sym_val_to_name[SYM_NUM]; -#define p_common_val_to_name sym_val_to_name[SYM_COMMONS] -#define p_class_val_to_name sym_val_to_name[SYM_CLASSES] -#define p_role_val_to_name sym_val_to_name[SYM_ROLES] -#define p_type_val_to_name sym_val_to_name[SYM_TYPES] -#define p_user_val_to_name 
sym_val_to_name[SYM_USERS] -#define p_bool_val_to_name sym_val_to_name[SYM_BOOLS] -#define p_sens_val_to_name sym_val_to_name[SYM_LEVELS] -#define p_cat_val_to_name sym_val_to_name[SYM_CATS] - - /* class, role, and user attributes indexed by (value - 1) */ - class_datum_t **class_val_to_struct; - role_datum_t **role_val_to_struct; - user_datum_t **user_val_to_struct; - type_datum_t **type_val_to_struct; - - /* module stuff section -- used in parsing and for modules */ - - /* keep track of the scope for every identifier. these are - * hash tables, where the key is the identifier name and value - * a scope_datum_t. as a convenience, one may use the - * p_*_macros (cf. struct scope_index_t declaration). */ - symtab_t scope[SYM_NUM]; - - /* module rule storage */ - avrule_block_t *global; - /* avrule_decl index used for link/expand */ - avrule_decl_t **decl_val_to_struct; - - /* compiled storage of rules - use for the kernel policy */ - - /* type enforcement access vectors and transitions */ - avtab_t te_avtab; - - /* bools indexed by (value - 1) */ - cond_bool_datum_t **bool_val_to_struct; - /* type enforcement conditional access vectors and transitions */ - avtab_t te_cond_avtab; - /* linked list indexing te_cond_avtab by conditional */ - cond_list_t *cond_list; - - /* role transitions */ - role_trans_t *role_tr; - - /* role allows */ - role_allow_t *role_allow; - - /* security contexts of initial SIDs, unlabeled file systems, - TCP or UDP port numbers, network interfaces and nodes */ - ocontext_t *ocontexts[OCON_NUM]; - - /* security contexts for files in filesystems that cannot support - a persistent label mapping or use another - fixed labeling behavior. 
*/ - genfs_t *genfs; - - /* range transitions */ - range_trans_t *range_tr; - - ebitmap_t *type_attr_map; - - ebitmap_t *attr_type_map; /* not saved in the binary policy */ - - unsigned policyvers; -} policydb_t; - -struct sepol_policydb { - struct policydb p; -}; - -extern int policydb_init(policydb_t * p); - -extern int policydb_from_image(sepol_handle_t * handle, - void *data, size_t len, policydb_t * policydb); - -extern int policydb_to_image(sepol_handle_t * handle, - policydb_t * policydb, void **newdata, - size_t * newlen); - -extern int policydb_index_classes(policydb_t * p); - -extern int policydb_index_bools(policydb_t * p); - -extern int policydb_index_others(sepol_handle_t * handle, policydb_t * p, - unsigned int verbose); - -extern int policydb_reindex_users(policydb_t * p); - -extern void policydb_destroy(policydb_t * p); - -extern int policydb_load_isids(policydb_t * p, sidtab_t * s); - -/* Deprecated */ -extern int policydb_context_isvalid(const policydb_t * p, - const context_struct_t * c); - -extern void symtabs_destroy(symtab_t * symtab); -extern int scope_destroy(hashtab_key_t key, hashtab_datum_t datum, void *p); -typedef void (*hashtab_destroy_func_t) (hashtab_key_t k, hashtab_datum_t d, - void *args); -extern hashtab_destroy_func_t get_symtab_destroy_func(int sym_num); - -extern void class_perm_node_init(class_perm_node_t * x); -extern void type_set_init(type_set_t * x); -extern void type_set_destroy(type_set_t * x); -extern int type_set_cpy(type_set_t * dst, type_set_t * src); -extern int type_set_or_eq(type_set_t * dst, type_set_t * other); -extern void role_set_init(role_set_t * x); -extern void role_set_destroy(role_set_t * x); -extern void avrule_init(avrule_t * x); -extern void avrule_destroy(avrule_t * x); -extern void avrule_list_destroy(avrule_t * x); -extern void role_trans_rule_init(role_trans_rule_t * x); -extern void role_trans_rule_list_destroy(role_trans_rule_t * x); - -extern void role_datum_init(role_datum_t * x); -extern 
void role_datum_destroy(role_datum_t * x); -extern void role_allow_rule_init(role_allow_rule_t * x); -extern void role_allow_rule_destroy(role_allow_rule_t * x); -extern void role_allow_rule_list_destroy(role_allow_rule_t * x); -extern void range_trans_rule_init(range_trans_rule_t *x); -extern void range_trans_rule_destroy(range_trans_rule_t *x); -extern void range_trans_rule_list_destroy(range_trans_rule_t *x); -extern void type_datum_init(type_datum_t * x); -extern void type_datum_destroy(type_datum_t * x); -extern void user_datum_init(user_datum_t * x); -extern void user_datum_destroy(user_datum_t * x); - -extern int check_assertions(sepol_handle_t * handle, - policydb_t * p, avrule_t * avrules); - -extern int symtab_insert(policydb_t * x, uint32_t sym, - hashtab_key_t key, hashtab_datum_t datum, - uint32_t scope, uint32_t avrule_decl_id, - uint32_t * value); - -/* A policy "file" may be a memory region referenced by a (data, len) pair - or a file referenced by a FILE pointer. */ -typedef struct policy_file { -#define PF_USE_MEMORY 0 -#define PF_USE_STDIO 1 -#define PF_LEN 2 /* total up length in len field */ - unsigned type; - char *data; - size_t len; - size_t size; - FILE *fp; - struct sepol_handle *handle; - unsigned char buffer[BUFSIZ]; -} policy_file_t; - -struct sepol_policy_file { - struct policy_file pf; -}; - -extern int policydb_read(policydb_t * p, struct policy_file *fp, - unsigned int verbose); -extern int avrule_read_list(policydb_t * p, avrule_t ** avrules, - struct policy_file *fp); - -extern int policydb_write(struct policydb *p, struct policy_file *pf); - -#define PERM_SYMTAB_SIZE 32 - -/* Identify specific policy version changes */ -#define POLICYDB_VERSION_BASE 15 -#define POLICYDB_VERSION_BOOL 16 -#define POLICYDB_VERSION_IPV6 17 -#define POLICYDB_VERSION_NLCLASS 18 -#define POLICYDB_VERSION_VALIDATETRANS 19 -#define POLICYDB_VERSION_MLS 19 -#define POLICYDB_VERSION_AVTAB 20 -#define POLICYDB_VERSION_RANGETRANS 21 - -/* Range of policy 
versions we understand*/ -#define POLICYDB_VERSION_MIN POLICYDB_VERSION_BASE -#define POLICYDB_VERSION_MAX POLICYDB_VERSION_RANGETRANS - -/* Module versions and specific changes*/ -#define MOD_POLICYDB_VERSION_BASE 4 -#define MOD_POLICYDB_VERSION_VALIDATETRANS 5 -#define MOD_POLICYDB_VERSION_MLS 5 -#define MOD_POLICYDB_VERSION_RANGETRANS 6 -#define MOD_POLICYDB_VERSION_MLS_USERS 6 - -#define MOD_POLICYDB_VERSION_MIN MOD_POLICYDB_VERSION_BASE -#define MOD_POLICYDB_VERSION_MAX MOD_POLICYDB_VERSION_MLS_USERS - -#define POLICYDB_CONFIG_MLS 1 - -#define OBJECT_R "object_r" -#define OBJECT_R_VAL 1 - -#define POLICYDB_MAGIC SELINUX_MAGIC -#define POLICYDB_STRING "SE Linux" -#define POLICYDB_MOD_MAGIC SELINUX_MOD_MAGIC -#define POLICYDB_MOD_STRING "SE Linux Module" - -#endif /* _POLICYDB_H_ */ - -/* FLASK */ Copied: tags/libsepol_1_12_28/libsepol/include/sepol/policydb/policydb.h (from rev 2033, trunk/libsepol/include/sepol/policydb/policydb.h) =================================================================== --- tags/libsepol_1_12_28/libsepol/include/sepol/policydb/policydb.h (rev 0) +++ tags/libsepol_1_12_28/libsepol/include/sepol/policydb/policydb.h 2006-09-28 18:28:44 UTC (rev 2039) 
@@ -0,0 +1,612 @@ + +/* Author : Stephen Smalley, <sd...@ep...> */ + +/* + * Updated: Joshua Brindle <jbr...@tr...> + * Karl MacMillan <kma...@tr...> + * Jason Tang <jt...@tr...> + * + * Module support + * + * Updated: Trusted Computer Solutions, Inc. <dgo...@tr...> + * + * Support for enhanced MLS infrastructure. + * + * Updated: Frank Mayer <ma...@tr...> and Karl MacMillan <kma...@tr...> + * + * Added conditional policy language extensions + * + * Updated: Red Hat, Inc. James Morris <jm...@re...> + * + * Fine-grained netlink support + * IPv6 support + * Code cleanup + * + * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc. + * Copyright (C) 2003 - 2004 Tresys Technology, LLC + * Copyright (C) 2003 - 2004 Red Hat, Inc. + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA + */ + +/* FLASK */ + +/* + * A policy database (policydb) specifies the + * configuration data for the security policy. + */ + +#ifn... [truncated message content] |
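Review bot: in the libsepol ChangeLog hunk, the 1.9.39 entry "Prepare for removal of booleans* and *.users files." is the only entry in the file written without the leading " * " bullet that every other entry uses (compare the 1.9.38 and 1.9.40 entries around it); suggest " * Prepare for removal of booleans* and *.users files." so the entry parses like the rest of the log.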
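Review bot: in the policydb.h hunk, the closing guard comment `#endif /* _POLICYDB_H_ */` does not name the macro the header actually defines at the top, `#ifndef _SEPOL_POLICYDB_POLICYDB_H_` / `#define _SEPOL_POLICYDB_POLICYDB_H_`; suggest `#endif /* _SEPOL_POLICYDB_POLICYDB_H_ */` so the two ends of the guard can be matched by eye. The `/* Deprecated */` marker above `policydb_context_isvalid` also names no replacement interface; a one-line pointer to what callers should use instead would make the deprecation actionable. Since the tag is a copy of trunk at rev 2033, the delete-and-copy pair here is Subversion's record of replacing the tagged file, not a removal of the header from the tree.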
From: <ssm...@us...> - 2006-09-29 15:44:17
|
Revision: 2047 http://svn.sourceforge.net/selinux/?rev=2047&view=rev Author: ssmalley Date: 2006-09-29 08:44:05 -0700 (Fri, 29 Sep 2006) Log Message: ----------- Tag new versions Added Paths: ----------- tags/libselinux_1_30_29/ tags/libselinux_1_30_29/libselinux/ tags/libselinux_1_30_29/libselinux/ChangeLog tags/libselinux_1_30_29/libselinux/VERSION tags/libselinux_1_30_29/libselinux/src/setrans_client.c tags/libsemanage_1_6_17/ tags/libsemanage_1_6_17/libsemanage/ tags/libsemanage_1_6_17/libsemanage/ChangeLog tags/libsemanage_1_6_17/libsemanage/VERSION tags/policycoreutils_1_30_30/ tags/policycoreutils_1_30_30/policycoreutils/ tags/policycoreutils_1_30_30/policycoreutils/ChangeLog tags/policycoreutils_1_30_30/policycoreutils/VERSION tags/policycoreutils_1_30_30/policycoreutils/newrole/newrole.c Removed Paths: ------------- tags/libselinux_1_30_29/libselinux/ChangeLog tags/libselinux_1_30_29/libselinux/VERSION tags/libselinux_1_30_29/libselinux/src/setrans_client.c tags/libsemanage_1_6_17/libsemanage/ChangeLog tags/libsemanage_1_6_17/libsemanage/VERSION tags/policycoreutils_1_30_30/policycoreutils/ChangeLog tags/policycoreutils_1_30_30/policycoreutils/VERSION tags/policycoreutils_1_30_30/policycoreutils/newrole/newrole.c Copied: tags/libselinux_1_30_29/libselinux (from rev 2044, trunk/libselinux) Deleted: tags/libselinux_1_30_29/libselinux/ChangeLog =================================================================== --- trunk/libselinux/ChangeLog 2006-09-29 15:33:28 UTC (rev 2044) +++ tags/libselinux_1_30_29/libselinux/ChangeLog 2006-09-29 15:44:05 UTC (rev 2047) 
@@ -1,557 +0,0 @@ - * Merged av_permissions.h update from Steve Grubb, - adding setsockcreate and polmatch definitions. - -1.30.28 2006-09-13 - * Merged patch from Steve Smalley to fix SIGPIPE in setrans_client - * Merged c++ class identifier fix from Joe Nall. - -1.30.27 2006-08-24 - * Merged patch to not log avc stats upon a reset from Steve Grubb. - * Applied patch to revert compat_net setting upon policy load. - -1.30.26 2006-08-11 - * Merged file context homedir and local path functions from - Chris PeBenito. - -1.30.25 2006-08-11 - * Rework functions that access /proc/pid/attr to access the - per-thread nodes, and unify the code to simplify maintenance. - -1.30.24 2006-08-10 - * Merged return value fix for *getfilecon() from Dan Walsh. - -1.30.23 2006-08-10 - * Merged sockcreate interfaces from Eric Paris. - -1.30.22 2006-08-03 - * Merged no-tls-direct-seg-refs patch from Jeremy Katz. - -1.30.21 2006-08-03 - * Merged netfilter_contexts support patch from Chris PeBenito. - -1.30.20 2006-08-01 - * Merged context_*_set errno patch from Jim Meyering. - -1.30.19 2006-06-29 - * Lindent. - -1.30.18 2006-06-27 - * Merged {get,set}procattrcon patch set from Eric Paris. - * Merged re-base of keycreate patch originally by Michael LeMay from Eric Paris. - -1.30.17 2006-06-27 - * Regenerated Flask headers from refpolicy. - -1.30.16 2006-06-26 - * Merged patch from Dan Walsh with: - - Added selinux_file_context_{cmp,verify}. - - Added selinux_lsetfilecon_default. - - Delay translation of contexts in matchpathcon. - -1.30.15 2006-06-16 - * Merged patch from Dan Walsh with: - * Added selinux_getpolicytype() function. - * Modified setrans code to skip processing if !mls_enabled. - -1.30.14 2006-06-16 - * Set errno in the !selinux_mnt case. - -1.30.13 2006-06-02 - * Allocate large buffers from the heap, not on stack. - Affects is_context_customizable, selinux_init_load_policy, - and selinux_getenforcemode. - -1.30.12 2006-06-02 - * Merged !selinux_mnt checks from Ian Kent. 
- -1.30.11 2006-05-24 - * Merged matchmediacon and trans_to_raw_context fixes from - Serge Hallyn. - -1.30.10 2006-05-22 - * Merged simple setrans client cache from Dan Walsh. - Merged avcstat patch from Russell Coker. - -1.30.9 2006-05-22 - * Modified selinux_mkload_policy() to also set /selinux/compat_net - appropriately for the loaded policy. - -1.30.8 2006-05-17 - * Added matchpathcon_fini() function to free memory allocated by - matchpathcon_init(). - -1.30.7 2006-05-16 - * Merged setrans client cleanup patch from Steve Grubb. - -1.30.6 2006-05-08 - * Merged getfscreatecon man page fix from Dan Walsh. - * Updated booleans(8) man page to drop references to the old - booleans file and to note that setsebool can be used to set - the boot-time defaults via -P. - -1.30.5 2006-05-05 - * Merged fix warnings patch from Karl MacMillan. - -1.30.4 2006-05-05 - * Merged setrans client support from Dan Walsh. - This removes use of libsetrans. - * Merged patch to eliminate use of PAGE_SIZE constant from Dan Walsh. - * Merged swig typemap fixes from Glauber de Oliveira Costa. - -1.30.3 2006-04-12 - * Added distclean target to Makefile. - * Regenerated swig files. - -1.30.2 2006-04-11 - * Changed matchpathcon_init to verify that the spec file is - a regular file. - * Merged python binding t_output_helper removal patch from Dan Walsh. - -1.30.1 2006-03-20 - * Merged Makefile PYLIBVER definition patch from Dan Walsh. - -1.30 2006-03-14 - * Updated version for release. - -1.29.8 2006-02-27 - * Altered rpm_execcon fallback logic for permissive mode to also - handle case where /selinux/enforce is not available. - -1.29.7 2006-01-20 - * Merged install-pywrap Makefile patch from Joshua Brindle. - -1.29.6 2006-01-18 - * Merged pywrap Makefile patch from Dan Walsh. - -1.29.5 2006-01-11 - * Added getseuser test program. - -1.29.4 2006-01-06 - * Added format attribute to myprintf in matchpathcon.c and - removed obsoleted rootlen variable in init_selinux_config(). 
- -1.29.3 2006-01-04 - * Merged several fixes and improvements from Ulrich Drepper - (Red Hat), including: - - corrected use of getline - - further calls to __fsetlocking for local files - - use of strdupa and asprintf - - proper handling of dirent in booleans code - - use of -z relro - - several other optimizations - * Merged getpidcon python wrapper from Dan Walsh (Red Hat). - -1.29.2 2005-12-14 - * Merged call to finish_context_translations from Dan Walsh. - This eliminates a memory leak from failing to release memory - allocated by libsetrans. - -1.29.1 2005-12-08 - * Merged patch for swig interfaces from Dan Walsh. - -1.28 2005-12-07 - * Updated version for release. - -1.27.28 2005-12-01 - * Added MATCHPATHCON_VALIDATE flag for set_matchpathcon_flags() and - modified matchpathcon implementation to make context validation/ - canonicalization optional at matchpathcon_init time, deferring it - to a successful matchpathcon by default unless the new flag is set - by the caller. - -1.27.27 2005-12-01 - * Added matchpathcon_init_prefix() interface, and - reworked matchpathcon implementation to support selective - loading of file contexts entries based on prefix matching - between the pathname regex stems and the specified path - prefix (stem must be a prefix of the specified path prefix). - -1.27.26 2005-11-29 - * Merged getsebool patch from Dan Walsh. - -1.27.25 2005-11-29 - * Added -f file_contexts option to matchpathcon util. - Fixed warning message in matchpathcon_init(). - -1.27.24 2005-11-29 - * Merged Makefile python definitions patch from Dan Walsh. - -1.27.23 2005-11-28 - * Merged swigify patch from Dan Walsh. - -1.27.22 2005-11-15 - * Merged make failure in rpm_execcon non-fatal in permissive mode - patch from Ivan Gyurdiev. - -1.27.21 2005-11-08 - * Added MATCHPATHCON_NOTRANS flag for set_matchpathcon_flags() - and modified matchpathcon_init() to skip context translation - if it is set by the caller. 
- -1.27.20 2005-11-07 - * Added security_canonicalize_context() interface and - set_matchpathcon_canoncon() interface for obtaining - canonical contexts. Changed matchpathcon internals - to obtain canonical contexts by default. Provided - fallback for kernels that lack extended selinuxfs context - interface. - -1.27.19 2005-11-04 - * Merged seusers parser changes from Ivan Gyurdiev. - * Merged setsebool to libsemanage patch from Ivan Gyurdiev. - * Changed seusers parser to reject empty fields. - -1.27.18 2005-11-03 - * Merged seusers empty level handling patch from Jonathan Kim (TCS). - -1.27.17 2005-10-27 - * Changed default entry for seusers to use __default__ to avoid - ambiguity with users named "default". - -1.27.16 2005-10-27 - * Fixed init_selinux_config() handling of missing /etc/selinux/config - or missing SELINUXTYPE= definition. - * Merged selinux_translations_path() patch from Dan Walsh. - -1.27.15 2005-10-25 - * Added hidden_proto/def for get_default_context_with_role. - -1.27.14 2005-10-25 - * Merged selinux_path() and selinux_homedir_context_path() - functions from Joshua Brindle. - -1.27.13 2005-10-19 - * Merged fixes for make DESTDIR= builds from Joshua Brindle. - -1.27.12 2005-10-18 - * Merged get_default_context_with_rolelevel and man pages from - Dan Walsh (Red Hat). - -1.27.11 2005-10-18 - * Updated call to sepol_policydb_to_image for sepol changes. - -1.27.10 2005-10-17 - * Changed getseuserbyname to ignore empty lines and to handle - no matching entry in the same manner as no seusers file. - -1.27.9 2005-10-13 - * Changed selinux_mkload_policy to try downgrading the - latest policy version available to the kernel-supported version. - -1.27.8 2005-10-11 - * Changed selinux_mkload_policy to fall back to the maximum - policy version supported by libsepol if the kernel policy version - falls outside of the supported range. 
- -1.27.7 2005-10-06 - * Changed getseuserbyname to fall back to the Linux username and - NULL level if seusers config file doesn't exist unless - REQUIRESEUSERS=1 is set in /etc/selinux/config. - * Moved seusers.conf under $SELINUXTYPE and renamed to seusers. - -1.27.6 2005-10-06 - * Added selinux_init_load_policy() function as an even higher level - interface for the initial policy load by /sbin/init. This obsoletes - the load_policy() function in the sysvinit-selinux.patch. - -1.27.5 2005-10-06 - * Added selinux_mkload_policy() function as a higher level interface - for loading policy than the security_load_policy() interface. - -1.27.4 2005-10-05 - * Merged fix for matchpathcon (regcomp error checking) from Johan - Fischer. Also added use of regerror to obtain the error string - for inclusion in the error message. - -1.27.3 2005-10-03 - * Changed getseuserbyname to not require (and ignore if present) - the MLS level in seusers.conf if MLS is disabled, setting *level - to NULL in this case. - -1.27.2 2005-09-30 - * Merged getseuserbyname patch from Dan Walsh. - -1.27.1 2005-09-19 - * Merged STRIP_LEVEL patch for matchpathcon from Dan Walsh. - This allows file_contexts with MLS fields to be processed on - non-MLS-enabled systems with policies that are otherwise - identical (e.g. same type definitions). - * Merged get_ordered_context_list_with_level() function from - Dan Walsh, and added get_default_context_with_level(). - This allows MLS level selection for users other than the - default level. - -1.26 2005-09-06 - * Updated version for release. - -1.25.7 2005-09-01 - * Merged modified form of patch to avoid dlopen/dlclose by - the static libselinux from Dan Walsh. Users of the static libselinux - will not have any context translation by default. - -1.25.6 2005-08-31 - * Added public functions to export context translation to - users of libselinux (selinux_trans_to_raw_context, - selinux_raw_to_trans_context). 
- -1.25.5 2005-08-26 - * Remove special definition for context_range_set; use - common code. - -1.25.4 2005-08-25 - * Hid translation-related symbols entirely and ensured that - raw functions have hidden definitions for internal use. - * Allowed setting NULL via context_set* functions. - * Allowed whitespace in MLS component of context. - * Changed rpm_execcon to use translated functions to workaround - lack of MLS level on upgraded systems. - -1.25.3 2005-08-23 - * Merged context translation patch, originally by TCS, - with modifications by Dan Walsh (Red Hat). - -1.25.2 2005-08-11 - * Merged several fixes for error handling paths in the - AVC sidtab, matchpathcon, booleans, context, and get_context_list - code from Serge Hallyn (IBM). Bugs found by Coverity. - -1.25.1 2005-08-10 - * Removed setupns; migrated to pam. - * Merged patches to rename checkPasswdAccess() from Joshua Brindle. - Original symbol is temporarily retained for compatibility until - all callers are updated. - -1.24 2005-06-20 - * Updated version for release. - -1.23.12 2005-06-13 - * Merged security_setupns() from Chad Sellers. - -1.23.11 2005-05-19 - * Merged avcstat and selinux man page from Dan Walsh. - * Changed security_load_booleans to process booleans.local - even if booleans file doesn't exist. - -1.23.10 2005-04-29 - * Merged set_selinuxmnt patch from Bill Nottingham (Red Hat). - -1.23.9 2005-04-26 - * Rewrote get_ordered_context_list and helpers, including - changing logic to allow variable MLS fields. - -1.23.8 2005-04-25 - * Merged matchpathcon and man page patch from Dan Walsh. - -1.23.7 2005-04-12 - * Changed boolean functions to return -1 with errno ENOENT - rather than assert on a NULL selinux_mnt (i.e. selinuxfs not - mounted). - -1.23.6 2005-04-08 - * Fixed bug in matchpathcon_filespec_destroy. - -1.23.5 2005-04-05 - * Fixed bug in rpm_execcon error handling path. - -1.23.4 2005-04-04 - * Merged fix for set_matchpathcon* functions from Andreas Steinmetz. 
- * Merged fix for getconlist utility from Andreas Steinmetz. - -1.23.3 2005-03-29 - * Merged security_set_boolean_list patch from Dan Walsh. - This introduces booleans.local support for setsebool. - -1.23.2 2005-03-17 - * Merged destructors patch from Tomas Mraz. - -1.23.1 2005-03-16 - * Added set_matchpathcon_flags() function for setting flags - controlling operation of matchpathcon. MATCHPATHCON_BASEONLY - means only process the base file_contexts file, not - file_contexts.homedirs or file_contexts.local, and is for use by - setfiles -c. - * Updated matchpathcon.3 man page. - -1.22 2005-03-09 - * Updated version for release. - -1.21.13 2005-03-08 - * Fixed bug in matchpathcon_filespec_add() - failure to clear fl_head. - -1.21.12 2005-03-01 - * Changed matchpathcon_common to ignore any non-format bits in the mode. - -1.21.11 2005-02-22 - * Merged several fixes from Ulrich Drepper. - -1.21.10 2005-02-17 - * Merged matchpathcon patch for file_contexts.homedir from Dan Walsh. - * Added selinux_users_path() for path to directory containing - system.users and local.users. - -1.21.9 2005-02-09 - * Changed relabel Makefile target to use restorecon. - -1.21.8 2005-02-07 - * Regenerated av_permissions.h. - -1.21.7 2005-02-01 - * Modified avc_dump_av to explicitly check for any permissions that - cannot be mapped to string names and display them as a hex value. - -1.21.6 2005-01-31 - * Regenerated av_permissions.h. - -1.21.5 2005-01-28 - * Generalized matchpathcon internals, exported more interfaces, - and moved additional code from setfiles into libselinux so that - setfiles can directly use matchpathcon. - -1.21.4 2005-01-27 - * Prevent overflow of spec array in matchpathcon. - -1.21.3 2005-01-26 - * Fixed several uses of internal functions to avoid relocations. - * Changed rpm_execcon to check is_selinux_enabled() and fallback to - a regular execve if not enabled (or unable to determine due to a lack - of /proc, e.g. chroot'd environment). 
- - -1.21.2 2005-01-24 - * Merged minor fix for avcstat from Dan Walsh. - -1.21.1 2005-01-19 - * Merged patch from Dan Walsh, including: - - new is_context_customizable function - - changed matchpathcon to also use file_contexts.local if present - - man page cleanups - -1.20 2005-01-04 - * Changed matchpathcon to return -1 with errno ENOENT for - <<none>> entries, and also for an empty file_contexts configuration. - * Removed some trivial utils that were not useful or redundant. - * Changed BINDIR default to /usr/sbin to match change in Fedora. - * Added security_compute_member. - * Added man page for setcon. - * Merged more man pages from Dan Walsh. - * Merged avcstat from James Morris. - * Merged build fix for mips from Manoj Srivastava. - * Merged C++ support from John Ramsdell of MITRE. - * Merged setcon() function from Darrel Goeddel of TCS. - * Merged setsebool/togglesebool enhancement from Steve Grubb. - * Merged cleanup patches from Steve Grubb. - -1.18 2004-11-01 - * Merged cleanup patches from Steve Grubb. - * Added rpm_execcon. - * Merged setenforce and removable context patch from Dan Walsh. - * Merged build fix for alpha from Ulrich Drepper. - * Removed copyright/license from selinux_netlink.h - definitions only. - * Merged matchmediacon from Dan Walsh. - * Regenerated headers for new nscd permissions. - * Added get_default_context_with_role. - * Added set_matchpathcon_printf. - * Reworked av_inherit.h to allow easier re-use by kernel. - * Changed avc_has_perm_noaudit to not fail on netlink errors. - * Changed avc netlink code to check pid based on patch by Steve Grubb. - * Merged second optimization patch from Ulrich Drepper. - * Changed matchpathcon to skip invalid file_contexts entries. - * Made string tables private to libselinux. - * Merged strcat->stpcpy patch from Ulrich Drepper. - * Merged matchpathcon man page from Dan Walsh. - * Merged patch to eliminate PLTs for local syms from Ulrich Drepper. - * Autobind netlink socket. 
- * Dropped compatibility code from security_compute_user. - * Merged fix for context_range_set from Chad Hanson. - * Merged allocation failure checking patch from Chad Hanson. - * Merged avc netlink error message patch from Colin Walters. - -1.16 2004-08-19 - * Regenerated headers for nscd class. - * Merged man pages from Dan Walsh. - * Merged context_new bug fix for MLS ranges from Chad Hanson. - * Merged toggle_bool from Chris PeBenito, renamed to togglesebool. - * Renamed change_bool and show_bools to setsebool and getsebool. - * Merged security_load_booleans() function from Dan Walsh. - * Added selinux_booleans_path() function. - * Changed avc_init function prototype to use const. - * Regenerated headers for crontab permission. - * Added checkAccess from Dan Walsh. - * Merged getenforce patch from Dan Walsh. - * Regenerated headers for dbus classes. - -1.14 2004-06-16 - * Regenerated headers for fine-grained netlink classes. - * Merged selinux_config bug fix from Dan Walsh. - * Added userspace AVC man pages. - * Added man links for API calls to existing man pages documenting them. - * Replaced $HOME/.default_contexts support with /etc/selinux/contexts/users/$USER support. - * Merged patch to determine config file paths at runtime to support - reorganized layout. - * Regenerated flask headers with stable ordering. - * Merged patch for man pages from Russell Coker. - -1.12 2004-05-10 - * Updated flask files to include new SE-X security classes. - * Added security_disable function for runtime disable of SELinux prior - to initial policy load (for /sbin/init). - * Changed get_ordered_context_list to omit any reachable contexts - that are not explicitly listed in default_contexts, unless there - are no matches. - * Merged man pages from Russell Coker and Dan Walsh. - * Merged memory leak fixes from Dan Walsh. - * Merged policyvers errno patch from Chris PeBenito. - -1.10 2004-04-05 - * Merged getenforce patch from Dan Walsh. 
- * Fixed init_selinuxmnt to correctly handle use of "selinuxfs" as - the device specification, i.e. mount selinuxfs /selinux -t selinuxfs. - Based on a patch by Russell Coker. - * Merged matchpathcon buffer size fix from Dan Walsh. - -1.8 2004-03-09 - * Merged is_selinux_mls_enabled() from Chad Hanson of TCS. - * Added matchpathcon function. - * Updated userspace AVC to handle netlink selinux notifications. - -1.6 2004-02-18 - * Merged conditional policy extensions from Tresys Technology. - * Added userspace avc and SID table implementation. - * Fixed type on size in getpeercon per Thorsten Kukuk's advice. - * Fixed use of getpwnam_r per Thorsten Kukuk's advice. - * Changed to use getpwnam_r rather than getpwnam internally to - avoid clobbering any existing pwd struct obtained by the caller. - * Added getpeercon function to encapsulate getsockopt SO_PEERSEC - and handle allocation ala getfilecon. - * Changed is_selinux_enabled to return -1 on errors. - * Changed to discover selinuxfs mount point via /proc/mounts - so that the mount point can be changed without rebuilding. - -1.4 2003-12-01 - * Merged another cleanup patch from Bastian Blank and Joerg Hoh. - * Regenerate headers for new permissions. - * Merged static lib build patch from Bastian Blank and Joerg Hoh. - * Export SELINUXMNT definition, add SELINUXPOLICY definition. - * Add functions to provide access to enforce and policyvers. - * Changed is_selinux_enabled to check /proc/filesystems for selinuxfs. - * Fixed type for 'size' in *getfilecon. - * Dropped -lattr and changed #include's to <sys/xattr.h> - * Merged patch to move shared library to /lib from Dan Walsh. - * Changed get_ordered_context_list to support a failsafe context. - * Added selinuxenabled utility. - * Merged const patch from Thorsten Kukuk. - -1.2 2003-09-30 - * Change is_selinux_enabled to fail if policy isn't loaded. - * Changed Makefiles to allow non-root rpm builds. - * Added -lattr for libselinux.so to ensure proper binding. 
- -1.1 2003-08-13 - * Ensure that context strings are padded with a null byte - in case the kernel didn't include one. - * Regenerate headers, update helpers.c for code cleanup. - * Pass soname flag to linker (Colin Walters). - * Fixes for various items: add const as appropriate, handle missed OOM condition, clean up compile warnings (Colin Walters). - -1.0 2003-07-11 - * Initial public release. Copied: tags/libselinux_1_30_29/libselinux/ChangeLog (from rev 2046, trunk/libselinux/ChangeLog) =================================================================== --- tags/libselinux_1_30_29/libselinux/ChangeLog (rev 0) +++ tags/libselinux_1_30_29/libselinux/ChangeLog 2006-09-29 15:44:05 UTC (rev 2047) 
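Review bot: the removed ChangeLog in the hunk above begins with an orphaned entry ("* Merged av_permissions.h update from Steve Grubb, adding setsockcreate and polmatch definitions.") with no "1.30.29 2006-09-29" heading before it, because tags/libselinux_1_30_29/libselinux was copied from trunk at rev 2044 and ChangeLog is then re-copied from rev 2046; tagging directly from rev 2046 would avoid assembling the tag from two revisions. The Added/Removed Paths list shows VERSION and src/setrans_client.c replaced the same way, so it is worth confirming that every file in the tag, not only those three, matches the rev 2046 trunk state and that the 558-line re-copied ChangeLog differs from the 557-line removed one only by the added heading line.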
@@ -0,0 +1,558 @@ +1.30.29 2006-09-29 + * Merged av_permissions.h update from Steve Grubb, + adding setsockcreate and polmatch definitions. + +1.30.28 2006-09-13 + * Merged patch from Steve Smalley to fix SIGPIPE in setrans_client + * Merged c++ class identifier fix from Joe Nall. + +1.30.27 2006-08-24 + * Merged patch to not log avc stats upon a reset from Steve Grubb. + * Applied patch to revert compat_net setting upon policy load. + +1.30.26 2006-08-11 + * Merged file context homedir and local path functions from + Chris PeBenito. + +1.30.25 2006-08-11 + * Rework functions that access /proc/pid/attr to access the + per-thread nodes, and unify the code to simplify maintenance. + +1.30.24 2006-08-10 + * Merged return value fix for *getfilecon() from Dan Walsh. + +1.30.23 2006-08-10 + * Merged sockcreate interfaces from Eric Paris. + +1.30.22 2006-08-03 + * Merged no-tls-direct-seg-refs patch from Jeremy Katz. + +1.30.21 2006-08-03 + * Merged netfilter_contexts support patch from Chris PeBenito. + +1.30.20 2006-08-01 + * Merged context_*_set errno patch from Jim Meyering. + +1.30.19 2006-06-29 + * Lindent. + +1.30.18 2006-06-27 + * Merged {get,set}procattrcon patch set from Eric Paris. + * Merged re-base of keycreate patch originally by Michael LeMay from Eric Paris. + +1.30.17 2006-06-27 + * Regenerated Flask headers from refpolicy. + +1.30.16 2006-06-26 + * Merged patch from Dan Walsh with: + - Added selinux_file_context_{cmp,verify}. + - Added selinux_lsetfilecon_default. + - Delay translation of contexts in matchpathcon. + +1.30.15 2006-06-16 + * Merged patch from Dan Walsh with: + * Added selinux_getpolicytype() function. + * Modified setrans code to skip processing if !mls_enabled. + +1.30.14 2006-06-16 + * Set errno in the !selinux_mnt case. + +1.30.13 2006-06-02 + * Allocate large buffers from the heap, not on stack. + Affects is_context_customizable, selinux_init_load_policy, + and selinux_getenforcemode. 
+ +1.30.12 2006-06-02 + * Merged !selinux_mnt checks from Ian Kent. + +1.30.11 2006-05-24 + * Merged matchmediacon and trans_to_raw_context fixes from + Serge Hallyn. + +1.30.10 2006-05-22 + * Merged simple setrans client cache from Dan Walsh. + Merged avcstat patch from Russell Coker. + +1.30.9 2006-05-22 + * Modified selinux_mkload_policy() to also set /selinux/compat_net + appropriately for the loaded policy. + +1.30.8 2006-05-17 + * Added matchpathcon_fini() function to free memory allocated by + matchpathcon_init(). + +1.30.7 2006-05-16 + * Merged setrans client cleanup patch from Steve Grubb. + +1.30.6 2006-05-08 + * Merged getfscreatecon man page fix from Dan Walsh. + * Updated booleans(8) man page to drop references to the old + booleans file and to note that setsebool can be used to set + the boot-time defaults via -P. + +1.30.5 2006-05-05 + * Merged fix warnings patch from Karl MacMillan. + +1.30.4 2006-05-05 + * Merged setrans client support from Dan Walsh. + This removes use of libsetrans. + * Merged patch to eliminate use of PAGE_SIZE constant from Dan Walsh. + * Merged swig typemap fixes from Glauber de Oliveira Costa. + +1.30.3 2006-04-12 + * Added distclean target to Makefile. + * Regenerated swig files. + +1.30.2 2006-04-11 + * Changed matchpathcon_init to verify that the spec file is + a regular file. + * Merged python binding t_output_helper removal patch from Dan Walsh. + +1.30.1 2006-03-20 + * Merged Makefile PYLIBVER definition patch from Dan Walsh. + +1.30 2006-03-14 + * Updated version for release. + +1.29.8 2006-02-27 + * Altered rpm_execcon fallback logic for permissive mode to also + handle case where /selinux/enforce is not available. + +1.29.7 2006-01-20 + * Merged install-pywrap Makefile patch from Joshua Brindle. + +1.29.6 2006-01-18 + * Merged pywrap Makefile patch from Dan Walsh. + +1.29.5 2006-01-11 + * Added getseuser test program. 
+ +1.29.4 2006-01-06 + * Added format attribute to myprintf in matchpathcon.c and + removed obsoleted rootlen variable in init_selinux_config(). + +1.29.3 2006-01-04 + * Merged several fixes and improvements from Ulrich Drepper + (Red Hat), including: + - corrected use of getline + - further calls to __fsetlocking for local files + - use of strdupa and asprintf + - proper handling of dirent in booleans code + - use of -z relro + - several other optimizations + * Merged getpidcon python wrapper from Dan Walsh (Red Hat). + +1.29.2 2005-12-14 + * Merged call to finish_context_translations from Dan Walsh. + This eliminates a memory leak from failing to release memory + allocated by libsetrans. + +1.29.1 2005-12-08 + * Merged patch for swig interfaces from Dan Walsh. + +1.28 2005-12-07 + * Updated version for release. + +1.27.28 2005-12-01 + * Added MATCHPATHCON_VALIDATE flag for set_matchpathcon_flags() and + modified matchpathcon implementation to make context validation/ + canonicalization optional at matchpathcon_init time, deferring it + to a successful matchpathcon by default unless the new flag is set + by the caller. + +1.27.27 2005-12-01 + * Added matchpathcon_init_prefix() interface, and + reworked matchpathcon implementation to support selective + loading of file contexts entries based on prefix matching + between the pathname regex stems and the specified path + prefix (stem must be a prefix of the specified path prefix). + +1.27.26 2005-11-29 + * Merged getsebool patch from Dan Walsh. + +1.27.25 2005-11-29 + * Added -f file_contexts option to matchpathcon util. + Fixed warning message in matchpathcon_init(). + +1.27.24 2005-11-29 + * Merged Makefile python definitions patch from Dan Walsh. + +1.27.23 2005-11-28 + * Merged swigify patch from Dan Walsh. + +1.27.22 2005-11-15 + * Merged make failure in rpm_execcon non-fatal in permissive mode + patch from Ivan Gyurdiev. 
+ +1.27.21 2005-11-08 + * Added MATCHPATHCON_NOTRANS flag for set_matchpathcon_flags() + and modified matchpathcon_init() to skip context translation + if it is set by the caller. + +1.27.20 2005-11-07 + * Added security_canonicalize_context() interface and + set_matchpathcon_canoncon() interface for obtaining + canonical contexts. Changed matchpathcon internals + to obtain canonical contexts by default. Provided + fallback for kernels that lack extended selinuxfs context + interface. + +1.27.19 2005-11-04 + * Merged seusers parser changes from Ivan Gyurdiev. + * Merged setsebool to libsemanage patch from Ivan Gyurdiev. + * Changed seusers parser to reject empty fields. + +1.27.18 2005-11-03 + * Merged seusers empty level handling patch from Jonathan Kim (TCS). + +1.27.17 2005-10-27 + * Changed default entry for seusers to use __default__ to avoid + ambiguity with users named "default". + +1.27.16 2005-10-27 + * Fixed init_selinux_config() handling of missing /etc/selinux/config + or missing SELINUXTYPE= definition. + * Merged selinux_translations_path() patch from Dan Walsh. + +1.27.15 2005-10-25 + * Added hidden_proto/def for get_default_context_with_role. + +1.27.14 2005-10-25 + * Merged selinux_path() and selinux_homedir_context_path() + functions from Joshua Brindle. + +1.27.13 2005-10-19 + * Merged fixes for make DESTDIR= builds from Joshua Brindle. + +1.27.12 2005-10-18 + * Merged get_default_context_with_rolelevel and man pages from + Dan Walsh (Red Hat). + +1.27.11 2005-10-18 + * Updated call to sepol_policydb_to_image for sepol changes. + +1.27.10 2005-10-17 + * Changed getseuserbyname to ignore empty lines and to handle + no matching entry in the same manner as no seusers file. + +1.27.9 2005-10-13 + * Changed selinux_mkload_policy to try downgrading the + latest policy version available to the kernel-supported version. 
+ +1.27.8 2005-10-11 + * Changed selinux_mkload_policy to fall back to the maximum + policy version supported by libsepol if the kernel policy version + falls outside of the supported range. + +1.27.7 2005-10-06 + * Changed getseuserbyname to fall back to the Linux username and + NULL level if seusers config file doesn't exist unless + REQUIRESEUSERS=1 is set in /etc/selinux/config. + * Moved seusers.conf under $SELINUXTYPE and renamed to seusers. + +1.27.6 2005-10-06 + * Added selinux_init_load_policy() function as an even higher level + interface for the initial policy load by /sbin/init. This obsoletes + the load_policy() function in the sysvinit-selinux.patch. + +1.27.5 2005-10-06 + * Added selinux_mkload_policy() function as a higher level interface + for loading policy than the security_load_policy() interface. + +1.27.4 2005-10-05 + * Merged fix for matchpathcon (regcomp error checking) from Johan + Fischer. Also added use of regerror to obtain the error string + for inclusion in the error message. + +1.27.3 2005-10-03 + * Changed getseuserbyname to not require (and ignore if present) + the MLS level in seusers.conf if MLS is disabled, setting *level + to NULL in this case. + +1.27.2 2005-09-30 + * Merged getseuserbyname patch from Dan Walsh. + +1.27.1 2005-09-19 + * Merged STRIP_LEVEL patch for matchpathcon from Dan Walsh. + This allows file_contexts with MLS fields to be processed on + non-MLS-enabled systems with policies that are otherwise + identical (e.g. same type definitions). + * Merged get_ordered_context_list_with_level() function from + Dan Walsh, and added get_default_context_with_level(). + This allows MLS level selection for users other than the + default level. + +1.26 2005-09-06 + * Updated version for release. + +1.25.7 2005-09-01 + * Merged modified form of patch to avoid dlopen/dlclose by + the static libselinux from Dan Walsh. Users of the static libselinux + will not have any context translation by default. 
+ +1.25.6 2005-08-31 + * Added public functions to export context translation to + users of libselinux (selinux_trans_to_raw_context, + selinux_raw_to_trans_context). + +1.25.5 2005-08-26 + * Remove special definition for context_range_set; use + common code. + +1.25.4 2005-08-25 + * Hid translation-related symbols entirely and ensured that + raw functions have hidden definitions for internal use. + * Allowed setting NULL via context_set* functions. + * Allowed whitespace in MLS component of context. + * Changed rpm_execcon to use translated functions to workaround + lack of MLS level on upgraded systems. + +1.25.3 2005-08-23 + * Merged context translation patch, originally by TCS, + with modifications by Dan Walsh (Red Hat). + +1.25.2 2005-08-11 + * Merged several fixes for error handling paths in the + AVC sidtab, matchpathcon, booleans, context, and get_context_list + code from Serge Hallyn (IBM). Bugs found by Coverity. + +1.25.1 2005-08-10 + * Removed setupns; migrated to pam. + * Merged patches to rename checkPasswdAccess() from Joshua Brindle. + Original symbol is temporarily retained for compatibility until + all callers are updated. + +1.24 2005-06-20 + * Updated version for release. + +1.23.12 2005-06-13 + * Merged security_setupns() from Chad Sellers. + +1.23.11 2005-05-19 + * Merged avcstat and selinux man page from Dan Walsh. + * Changed security_load_booleans to process booleans.local + even if booleans file doesn't exist. + +1.23.10 2005-04-29 + * Merged set_selinuxmnt patch from Bill Nottingham (Red Hat). + +1.23.9 2005-04-26 + * Rewrote get_ordered_context_list and helpers, including + changing logic to allow variable MLS fields. + +1.23.8 2005-04-25 + * Merged matchpathcon and man page patch from Dan Walsh. + +1.23.7 2005-04-12 + * Changed boolean functions to return -1 with errno ENOENT + rather than assert on a NULL selinux_mnt (i.e. selinuxfs not + mounted). + +1.23.6 2005-04-08 + * Fixed bug in matchpathcon_filespec_destroy. 
+ +1.23.5 2005-04-05 + * Fixed bug in rpm_execcon error handling path. + +1.23.4 2005-04-04 + * Merged fix for set_matchpathcon* functions from Andreas Steinmetz. + * Merged fix for getconlist utility from Andreas Steinmetz. + +1.23.3 2005-03-29 + * Merged security_set_boolean_list patch from Dan Walsh. + This introduces booleans.local support for setsebool. + +1.23.2 2005-03-17 + * Merged destructors patch from Tomas Mraz. + +1.23.1 2005-03-16 + * Added set_matchpathcon_flags() function for setting flags + controlling operation of matchpathcon. MATCHPATHCON_BASEONLY + means only process the base file_contexts file, not + file_contexts.homedirs or file_contexts.local, and is for use by + setfiles -c. + * Updated matchpathcon.3 man page. + +1.22 2005-03-09 + * Updated version for release. + +1.21.13 2005-03-08 + * Fixed bug in matchpathcon_filespec_add() - failure to clear fl_head. + +1.21.12 2005-03-01 + * Changed matchpathcon_common to ignore any non-format bits in the mode. + +1.21.11 2005-02-22 + * Merged several fixes from Ulrich Drepper. + +1.21.10 2005-02-17 + * Merged matchpathcon patch for file_contexts.homedir from Dan Walsh. + * Added selinux_users_path() for path to directory containing + system.users and local.users. + +1.21.9 2005-02-09 + * Changed relabel Makefile target to use restorecon. + +1.21.8 2005-02-07 + * Regenerated av_permissions.h. + +1.21.7 2005-02-01 + * Modified avc_dump_av to explicitly check for any permissions that + cannot be mapped to string names and display them as a hex value. + +1.21.6 2005-01-31 + * Regenerated av_permissions.h. + +1.21.5 2005-01-28 + * Generalized matchpathcon internals, exported more interfaces, + and moved additional code from setfiles into libselinux so that + setfiles can directly use matchpathcon. + +1.21.4 2005-01-27 + * Prevent overflow of spec array in matchpathcon. + +1.21.3 2005-01-26 + * Fixed several uses of internal functions to avoid relocations. 
+ * Changed rpm_execcon to check is_selinux_enabled() and fallback to + a regular execve if not enabled (or unable to determine due to a lack + of /proc, e.g. chroot'd environment). + + +1.21.2 2005-01-24 + * Merged minor fix for avcstat from Dan Walsh. + +1.21.1 2005-01-19 + * Merged patch from Dan Walsh, including: + - new is_context_customizable function + - changed matchpathcon to also use file_contexts.local if present + - man page cleanups + +1.20 2005-01-04 + * Changed matchpathcon to return -1 with errno ENOENT for + <<none>> entries, and also for an empty file_contexts configuration. + * Removed some trivial utils that were not useful or redundant. + * Changed BINDIR default to /usr/sbin to match change in Fedora. + * Added security_compute_member. + * Added man page for setcon. + * Merged more man pages from Dan Walsh. + * Merged avcstat from James Morris. + * Merged build fix for mips from Manoj Srivastava. + * Merged C++ support from John Ramsdell of MITRE. + * Merged setcon() function from Darrel Goeddel of TCS. + * Merged setsebool/togglesebool enhancement from Steve Grubb. + * Merged cleanup patches from Steve Grubb. + +1.18 2004-11-01 + * Merged cleanup patches from Steve Grubb. + * Added rpm_execcon. + * Merged setenforce and removable context patch from Dan Walsh. + * Merged build fix for alpha from Ulrich Drepper. + * Removed copyright/license from selinux_netlink.h - definitions only. + * Merged matchmediacon from Dan Walsh. + * Regenerated headers for new nscd permissions. + * Added get_default_context_with_role. + * Added set_matchpathcon_printf. + * Reworked av_inherit.h to allow easier re-use by kernel. + * Changed avc_has_perm_noaudit to not fail on netlink errors. + * Changed avc netlink code to check pid based on patch by Steve Grubb. + * Merged second optimization patch from Ulrich Drepper. + * Changed matchpathcon to skip invalid file_contexts entries. + * Made string tables private to libselinux. 
+ * Merged strcat->stpcpy patch from Ulrich Drepper. + * Merged matchpathcon man page from Dan Walsh. + * Merged patch to eliminate PLTs for local syms from Ulrich Drepper. + * Autobind netlink socket. + * Dropped compatibility code from security_compute_user. + * Merged fix for context_range_set from Chad Hanson. + * Merged allocation failure checking patch from Chad Hanson. + * Merged avc netlink error message patch from Colin Walters. + +1.16 2004-08-19 + * Regenerated headers for nscd class. + * Merged man pages from Dan Walsh. + * Merged context_new bug fix for MLS ranges from Chad Hanson. + * Merged toggle_bool from Chris PeBenito, renamed to togglesebool. + * Renamed change_bool and show_bools to setsebool and getsebool. + * Merged security_load_booleans() function from Dan Walsh. + * Added selinux_booleans_path() function. + * Changed avc_init function prototype to use const. + * Regenerated headers for crontab permission. + * Added checkAccess from Dan Walsh. + * Merged getenforce patch from Dan Walsh. + * Regenerated headers for dbus classes. + +1.14 2004-06-16 + * Regenerated headers for fine-grained netlink classes. + * Merged selinux_config bug fix from Dan Walsh. + * Added userspace AVC man pages. + * Added man links for API calls to existing man pages documenting them. + * Replaced $HOME/.default_contexts support with /etc/selinux/contexts/users/$USER support. + * Merged patch to determine config file paths at runtime to support + reorganized layout. + * Regenerated flask headers with stable ordering. + * Merged patch for man pages from Russell Coker. + +1.12 2004-05-10 + * Updated flask files to include new SE-X security classes. + * Added security_disable function for runtime disable of SELinux prior + to initial policy load (for /sbin/init). + * Changed get_ordered_context_list to omit any reachable contexts + that are not explicitly listed in default_contexts, unless there + are no matches. + * Merged man pages from Russell Coker and Dan Walsh. 
+ * Merged memory leak fixes from Dan Walsh. + * Merged policyvers errno patch from Chris PeBenito. + +1.10 2004-04-05 + * Merged getenforce patch from Dan Walsh. + * Fixed init_selinuxmnt to correctly handle use of "selinuxfs" as + the device specification, i.e. mount selinuxfs /selinux -t selinuxfs. + Based on a patch by Russell Coker. + * Merged matchpathcon buffer size fix from Dan Walsh. + +1.8 2004-03-09 + * Merged is_selinux_mls_enabled() from Chad Hanson of TCS. + * Added matchpathcon function. + * Updated userspace AVC to handle netlink selinux notifications. + +1.6 2004-02-18 + * Merged conditional policy extensions from Tresys Technology. + * Added userspace avc and SID table implementation. + * Fixed type on size in getpeercon per Thorsten Kukuk's advice. + * Fixed use of getpwnam_r per Thorsten Kukuk's advice. + * Changed to use getpwnam_r rather than getpwnam internally to + avoid clobbering any existing pwd struct obtained by the caller. + * Added getpeercon function to encapsulate getsockopt SO_PEERSEC + and handle allocation ala getfilecon. + * Changed is_selinux_enabled to return -1 on errors. + * Changed to discover selinuxfs mount point via /proc/mounts + so that the mount point can be changed without rebuilding. + +1.4 2003-12-01 + * Merged another cleanup patch from Bastian Blank and Joerg Hoh. + * Regenerate headers for new permissions. + * Merged static lib build patch from Bastian Blank and Joerg Hoh. + * Export SELINUXMNT definition, add SELINUXPOLICY definition. + * Add functions to provide access to enforce and policyvers. + * Changed is_selinux_enabled to check /proc/filesystems for selinuxfs. + * Fixed type for 'size' in *getfilecon. + * Dropped -lattr and changed #include's to <sys/xattr.h> + * Merged patch to move shared library to /lib from Dan Walsh. + * Changed get_ordered_context_list to support a failsafe context. + * Added selinuxenabled utility. + * Merged const patch from Thorsten Kukuk. 
+ +1.2 2003-09-30 + * Change is_selinux_enabled to fail if policy isn't loaded. + * Changed Makefiles to allow non-root rpm builds. + * Added -lattr for libselinux.so to ensure proper binding. + +1.1 2003-08-13 + * Ensure that context strings are padded with a null byte + in case the kernel didn't include one. + * Regenerate headers, update helpers.c for code cleanup. + * Pass soname flag to linker (Colin Walters). + * Fixes for various items: add const as appropriate, handle missed OOM condition, clean up compile warnings (Colin Walters). + +1.0 2003-07-11 + * Initial public release. Deleted: tags/libselinux_1_30_29/libselinux/VERSION =================================================================== --- trunk/libselinux/VERSION 2006-09-29 15:33:28 UTC (rev 2044) +++ tags/libselinux_1_30_29/libselinux/VERSION 2006-09-29 15:44:05 UTC (rev 2047) @@ -1 +0,0 @@ -1.30.28 Copied: tags/libselinux_1_30_29/libselinux/VERSION (from rev 2046, trunk/libselinux/VERSION) =================================================================== --- tags/libselinux_1_30_29/libselinux/VERSION (rev 0) +++ tags/libselinux_1_30_29/libselinux/VERSION 2006-09-29 15:44:05 UTC (rev 2047) @@ -0,0 +1 @@ +1.30.29 Deleted: tags/libselinux_1_30_29/libselinux/src/setrans_client.c =================================================================== --- trunk/libselinux/src/setrans_client.c 2006-09-29 15:33:28 UTC (rev 2044) +++ tags/libselinux_1_30_29/libselinux/src/setrans_client.c 2006-09-29 15:44:05 UTC (rev 2047) 
@@ -1,322 +0,0 @@ -/* Copyright (c) 2006 Trusted Computer Solutions, Inc. */ - -#include <sys/types.h> -#include <sys/socket.h> -#include <sys/un.h> - -#include <errno.h> -#include <stdlib.h> -#include <netdb.h> - -#include <stdio.h> -#include <string.h> -#include <ctype.h> -#include <unistd.h> -#include "dso.h" -#include "selinux_internal.h" -#include "setrans_internal.h" - -static int mls_enabled = -1; - -// Simple cache -static __thread security_context_t prev_t2r_trans = NULL; -static __thread security_context_t prev_t2r_raw = NULL; -static __thread security_context_t prev_r2t_trans = NULL; -static __thread security_context_t prev_r2t_raw = NULL; - -int cache_trans hidden = 1; - -/* - * setransd_open - * - * This function opens a socket to the setransd. - * Returns: on success, a file descriptor ( >= 0 ) to the socket - * on error, a negative value - */ -static int setransd_open(void) -{ - struct sockaddr_un addr; - int fd; - - fd = socket(PF_UNIX, SOCK_STREAM, 0); - if (fd < 0) { - return -1; - } - - memset(&addr, 0, sizeof(addr)); - addr.sun_family = AF_UNIX; - strncpy(addr.sun_path, SETRANS_UNIX_SOCKET, sizeof(addr.sun_path)); - if (connect(fd, (struct sockaddr *)&addr, sizeof(addr)) < 0) { - close(fd); - return -1; - } - - return fd; -} - -/* Returns: 0 on success, <0 on failure */ -static int -send_request(int fd, uint32_t function, const char *data1, const char *data2) -{ - struct msghdr msgh; - struct iovec iov[5]; - uint32_t data1_size; - uint32_t data2_size; - ssize_t count, expected; - unsigned int i; - - if (fd < 0) - return -1; - - if (!data1) - data1 = ""; - if (!data2) - data2 = ""; - - data1_size = strlen(data1) + 1; - data2_size = strlen(data2) + 1; - - iov[0].iov_base = &function; - iov[0].iov_len = sizeof(function); - iov[1].iov_base = &data1_size; - iov[1].iov_len = sizeof(data1_size); - iov[2].iov_base = &data2_size; - iov[2].iov_len = sizeof(data2_size); - iov[3].iov_base = (char *)data1; - iov[3].iov_len = data1_size; - iov[4].iov_base = 
(char *)data2; - iov[4].iov_len = data2_size; - memset(&msgh, 0, sizeof(msgh)); - msgh.msg_iov = iov; - msgh.msg_iovlen = sizeof(iov)/sizeof(iov[0]); - - expected = 0; - for (i = 0; i < sizeof(iov)/sizeof(iov[0]); i++) - expected += iov[i].iov_len; - - while (((count = sendmsg(fd, &msgh, MSG_NOSIGNAL)) < 0) && (errno == EINTR)) ; - if (count < 0 || count != expected) - return -1; - - return 0; -} - -/* Returns: 0 on success, <0 on failure */ -static int -receive_response(int fd, uint32_t function, char **outdata, int32_t * ret_val) -{ - struct iovec resp_hdr[3]; - uint32_t func; - uint32_t data_size; - char *data; - struct iovec resp_data; - ssize_t count; - - if (fd < 0) - return -1; - - resp_hdr[0].iov_base = &func; - resp_hdr[0].iov_len = sizeof(func); - resp_hdr[1].iov_base = &data_size; - resp_hdr[1].iov_len = sizeof(data_size); - resp_hdr[2].iov_base = ret_val; - resp_hdr[2].iov_len = sizeof(*ret_val); - - while (((count = readv(fd, resp_hdr, 3)) < 0) && (errno == EINTR)) ; - if (count != (sizeof(func) + sizeof(data_size) + sizeof(*ret_val))) { - return -1; - } - - if (func != function || !data_size || data_size > MAX_DATA_BUF) { - return -1; - } - - data = malloc(data_size); - if (!data) { - return -1; - } - - resp_data.iov_base = data; - resp_data.iov_len = data_size; - - while (((count = readv(fd, &resp_data, 1))) < 0 && (errno == EINTR)) ; - if (count < 0 || (uint32_t) count != data_size || - data[data_size - 1] != '\0') { - free(data); - return -1; - } - *outdata = data; - return 0; -} - -static int raw_to_trans_context(char *raw, char **transp) -{ - int ret; - int32_t ret_val; - int fd; - - *transp = NULL; - - fd = setransd_open(); - if (fd < 0) - return fd; - - ret = send_request(fd, RAW_TO_TRANS_CONTEXT, raw, NULL); - if (ret) - goto out; - - ret = receive_response(fd, RAW_TO_TRANS_CONTEXT, transp, &ret_val); - if (ret) - goto out; - - ret = ret_val; - out: - close(fd); - return ret; -} - -static int trans_to_raw_context(char *trans, char **rawp) -{ - 
int ret; - int32_t ret_val; - int fd; - - *rawp = NULL; - - fd = setransd_open(); - if (fd < 0) - return fd; - ret = send_request(fd, TRANS_TO_RAW_CONTEXT, trans, NULL); - if (ret) - goto out; - - ret = receive_response(fd, TRANS_TO_RAW_CONTEXT, rawp, &ret_val); - if (ret) - goto out; - - ret = ret_val; - out: - close(fd); - return ret; -} - -hidden void fini_context_translations(void) -{ - if (cache_trans) { - free(prev_r2t_trans); - free(prev_r2t_raw); - free(prev_t2r_trans); - free(prev_t2r_raw); - } -} - -hidden int init_context_translations(void) -{ - int ret, fd; - int32_t ret_val; - char *out = NULL; - - mls_enabled = is_selinux_mls_enabled(); - if (!mls_enabled) - return 0; - - fd = setransd_open(); - if (fd < 0) - return fd; - - ret = send_request(fd, SETRANS_INIT, NULL, NULL); - if (ret) - goto out; - - ret = receive_response(fd, SETRANS_INIT, &out, &ret_val); - free(out); - if (!ret) - ret = ret_val; - out: - close(fd); - return ret; -} - -int selinux_trans_to_raw_context(security_context_t trans, - security_context_t * rawp) -{ - if (!trans) { - *rawp = NULL; - return 0; - } - - if (!mls_enabled) { - *rawp = strdup(trans); - goto out; - } - - if (cache_trans) { - if (prev_t2r_trans && strcmp(prev_t2r_trans, trans) == 0) { - *rawp = strdup(prev_t2r_raw); - } else { - free(prev_t2r_trans); - prev_t2r_trans = NULL; - free(prev_t2r_raw); - prev_t2r_raw = NULL; - if (trans_to_raw_context(trans, rawp)) - *rawp = strdup(trans); - if (*rawp) { - prev_t2r_trans = strdup(trans); - if (!prev_t2r_trans) - goto out; - prev_t2r_raw = strdup(*rawp); - if (!prev_t2r_raw) { - free(prev_t2r_trans); - prev_t2r_trans = NULL; - } - } - } - } else if (trans_to_raw_context(trans, rawp)) - *rawp = strdup(trans); - out: - return *rawp ? 
0 : -1; -} - -hidden_def(selinux_trans_to_raw_context) - -int selinux_raw_to_trans_context(security_context_t raw, - security_context_t * transp) -{ - if (!raw) { - *transp = NULL; - return 0; - } - - if (!mls_enabled) { - *transp = strdup(raw); - goto out; - } - - if (cache_trans) { - if (prev_r2t_raw && strcmp(prev_r2t_raw, raw) == 0) { - *transp = strdup(prev_r2t_trans); - } else { - free(prev_r2t_raw); - prev_r2t_raw = NULL; - free(prev_r2t_trans); - prev_r2t_trans = NULL; - if (raw_to_trans_context(raw, transp)) - *transp = strdup(raw); - if (*transp) { - prev_r2t_raw = strdup(raw); - if (!prev_r2t_raw) - goto out; - prev_r2t_trans = strdup(*transp); - if (!prev_r2t_trans) { - free(prev_r2t_raw); - prev_r2t_raw = NULL; - } - } - } - } else if (raw_to_trans_context(raw, transp)) - *transp = strdup(raw); - out: - return *transp ? 0 : -1; -} - -hidden_def(selinux_raw_to_trans_context) Copied: tags/libselinux_1_30_29/libselinux/src/setrans_client.c (from rev 2045, trunk/libselinux/src/setrans_client.c) =================================================================== --- tags/libselinux_1_30_29/libselinux/src/setrans_client.c (rev 0) +++ tags/libselinux_1_30_29/libselinux/src/setrans_client.c 2006-09-29 15:44:05 UTC (rev 2047) 
@@ -0,0 +1,323 @@ +/* Copyright (c) 2006 Trusted Computer Solutions, Inc. */ + +#include <sys/types.h> +#include <sys/socket.h> +#include <sys/un.h> + +#include <errno.h> +#include <stdlib.h> +#include <netdb.h> + +#include <stdio.h> +#include <string.h> +#include <ctype.h> +#include <unistd.h> +#include "dso.h" +#include "selinux_internal.h" +#include "setrans_internal.h" + +static int mls_enabled = -1; + +// Simple cache +static __thread security_context_t prev_t2r_trans = NULL; +static __thread security_context_t prev_t2r_raw = NULL; +static __thread security_context_t prev_r2t_trans = NULL; +static __thread security_context_t prev_r2t_raw = NULL; + +int cache_trans hidden = 1; + +/* + * setransd_open + * + * This function opens a socket to the setransd. + * Returns: on success, a file descriptor ( >= 0 ) to the socket + * on error, a negative value + */ +static int setransd_open(void) +{ + struct sockaddr_un addr; + int fd; + + fd = socket(PF_UNIX, SOCK_STREAM, 0); + if (fd < 0) { + return -1; + } + + memset(&addr, 0, sizeof(addr)); + addr.sun_family = AF_UNIX; + strncpy(addr.sun_path, SETRANS_UNIX_SOCKET, sizeof(addr.sun_path)); + if (connect(fd, (struct sockaddr *)&addr, sizeof(addr)) < 0) { + close(fd); + return -1; + } + + return fd; +} + +/* Returns: 0 on success, <0 on failure */ +static int +send_request(int fd, uint32_t function, const char *data1, const char *data2) +{ + struct msghdr msgh; + struct iovec iov[5]; + uint32_t data1_size; + uint32_t data2_size; + ssize_t count, expected; + unsigned int i; + + if (fd < 0) + return -1; + + if (!data1) + data1 = ""; + if (!data2) + data2 = ""; + + data1_size = strlen(data1) + 1; + data2_size = strlen(data2) + 1; + + iov[0].iov_base = &function; + iov[0].iov_len = sizeof(function); + iov[1].iov_base = &data1_size; + iov[1].iov_len = sizeof(data1_size); + iov[2].iov_base = &data2_size; + iov[2].iov_len = sizeof(data2_size); + iov[3].iov_base = (char *)data1; + iov[3].iov_len = data1_size; + iov[4].iov_base = 
(char *)data2; + iov[4].iov_len = data2_size; + memset(&msgh, 0, sizeof(msgh)); + msgh.msg_iov = iov; + msgh.msg_iovlen = sizeof(iov) / sizeof(iov[0]); + + expected = 0; + for (i = 0; i < sizeof(iov) / sizeof(iov[0]); i++) + expected += iov[i].iov_len; + + while (((count = sendmsg(fd, &msgh, MSG_NOSIGNAL)) < 0) + && (errno == EINTR)) ; + if (count < 0 || count != expected) + return -1; + + return 0; +} + +/* Returns: 0 on success, <0 on failure */ +static int +receive_response(int fd, uint32_t function, char **outdata, int32_t * ret_val) +{ + struct iovec resp_hdr[3]; + uint32_t func; + uint32_t data_size; + char *data; + struct iovec resp_data; + ssize_t count; + + if (fd < 0) + return -1; + + resp_hdr[0].iov_base = &func; + resp_hdr[0].iov_len = sizeof(func); + resp_hdr[1].iov_base = &data_size; + resp_hdr[1].iov_len = sizeof(data_size); + resp_hdr[2].iov_base = ret_val; + resp_hdr[2].iov_len = sizeof(*ret_val); + + while (((count = readv(fd, resp_hdr, 3)) < 0) && (errno == EINTR)) ; + if (count != (sizeof(func) + sizeof(data_size) + sizeof(*ret_val))) { + return -1; + } + + if (func != function || !data_size || data_size > MAX_DATA_BUF) { + return -1; + } + + data = malloc(data_size); + if (!data) { + return -1; + } + + resp_data.iov_base = data; + resp_data.iov_len = data_size; + + while (((count = readv(fd, &resp_data, 1))) < 0 && (errno == EINTR)) ; + if (count < 0 || (uint32_t) count != data_size || + data[data_size - 1] != '\0') { + free(data); + return -1; + } + *outdata = data; + return 0; +} + +static int raw_to_trans_context(char *raw, char **transp) +{ + int ret; + int32_t ret_val; + int fd; + + *transp = NULL; + + fd = setransd_open(); + if (fd < 0) + return fd; + + ret = send_request(fd, RAW_TO_TRANS_CONTEXT, raw, NULL); + if (ret) + goto out; + + ret = receive_response(fd, RAW_TO_TRANS_CONTEXT, transp, &ret_val); + if (ret) + goto out; + + ret = ret_val; + out: + close(fd); + return ret; +} + +static int trans_to_raw_context(char *trans, char 
**rawp) +{ + int ret; + int32_t ret_val; + int fd; + + *rawp = NULL; + + fd = setransd_open(); + if (fd < 0) + return fd; + ret = send_request(fd, TRANS_TO_RAW_CONTEXT, trans, NULL); + if (ret) + goto out; + + ret = receive_response(fd, TRANS_TO_RAW_CONTEXT, rawp, &ret_val); + if (ret) + goto out; + + ret = ret_val; + out: + close(fd); + return ret; +} + +hidden void fini_context_translations(void) +{ + if (cache_trans) { + free(prev_r2t_trans); + free(prev_r2t_raw); + free(prev_t2r_trans); + free(prev_t2r_raw); + } +} + +hidden int init_context_translations(void) +{ + int ret, fd; + int32_t ret_val; + char *out = NULL; + + mls_enabled = is_selinux_mls_enabled(); + if (!mls_enabled) + return 0; + + fd = setransd_open(); + if (fd < 0) + return fd; + + ret = send_request(fd, SETRANS_INIT, NULL, NULL); + if (ret) + goto out; + + ret = receive_response(fd, SETRANS_INIT, &out, &ret_val); + free(out); + if (!ret) + ret = ret_val; + out: + close(fd); + return ret; +} + +int selinux_trans_to_raw_context(security_context_t trans, + security_context_t * rawp) +{ + if (!trans) { + *rawp = NULL; + return 0; + } + + if (!mls_enabled) { + *rawp = strdup(trans); + goto out; + } + + if (cache_trans) { + if (prev_t2r_trans && strcmp(prev_t2r_trans, trans) == 0) { + *rawp = strdup(prev_t2r_raw); + } else { + free(prev_t2r_trans); + prev_t2r_trans = NULL; + free(prev_t2r_raw); + prev_t2r_raw = NULL; + if (trans_to_raw_context(trans, rawp)) + *rawp = strdup(trans); + if (*rawp) { + prev_t2r_trans = strdup(trans); + if (!prev_t2r_trans) + goto out; + prev_t2r_raw = strdup(*rawp); + if (!prev_t2r_raw) { + free(prev_t2r_trans); + prev_t2r_trans = NULL; + } + } + } + } else if (trans_to_raw_context(trans, rawp)) + *rawp = strdup(trans); + out: + return *rawp ? 
0 : -1; +} + +hidden_def(selinux_trans_to_raw_context) + +int selinux_raw_to_trans_context(security_context_t raw, + security_context_t * transp) +{ + if (!raw) { + *transp = NULL; + return 0; + } + + if (!mls_enabled) { + *transp = strdup(raw); + goto out; + } + + if (cache_trans) { + if (prev_r2t_raw && strcmp(prev_r2t_raw, raw) == 0) { + *transp = strdup(prev_r2t_trans); + } else { + free(prev_r2t_raw); + prev_r2t_raw = NULL; + free(prev_r2t_trans); + prev_r2t_trans = NULL; + if (raw_to_trans_context(raw, transp)) + *transp = strdup(raw); + if (*transp) { + prev_r2t_raw = strdup(raw); + if (!prev_r2t_raw) + goto out; + prev_r2t_trans = strdup(*transp); + if (!prev_r2t_trans) { + free(prev_r2t_raw); + prev_r2t_raw = NULL; + } + } + } + } else if (raw_to_trans_context(raw, transp)) + *transp = strdup(raw); + out: + return *transp ? 0 : -1; +} + +hidden_def(selinux_raw_to_trans_context) Copied: tags/libsemanage_1_6_17/libsemanage (from rev 2044, trunk/libsemanage) Deleted: tags/libsemanage_1_6_17/libsemanage/ChangeLog =================================================================== --- trunk/libsemanage/ChangeLog 2006-09-29 15:33:28 UTC (rev 2044) +++ tags/libsemanage_1_6_17/libsemanage/ChangeLog 2006-09-29 15:44:05 UTC (rev 2047) 
@@ -1,526 +0,0 @@ - * Merged patch to skip reload if no active store exists and - the store path doesn't match the active store path from Dan Walsh. - * Merged patch to not destroy sepol handle on error path of - connect from James Athey. - * Merged patch to add genhomedircon path to semanage.conf from - James Athey. - -1.6.16 2006-08-14 - * Make most copy errors fatal, but allow exceptions for - file_contexts.local, seusers, and netfilter_contexts if - the source file does not exist in the store. - -1.6.15 2006-08-11 - * Merged separate local file contexts patch from Chris PeBenito. - -1.6.14 2006-08-11 - * Merged patch to make most copy errors non-fatal from Dan Walsh. - -1.6.13 2006-08-03 - * Merged netfilter contexts support from Chris PeBenito. - -1.6.12 2006-07-11 - * Merged support for read operations on read-only fs from - Caleb Case (Tresys Technology). - -1.6.11 2006-06-29 - * Lindent. - -1.6.10 2006-06-26 - * Merged setfiles location check patch from Dan Walsh. - -1.6.9 2006-06-16 - * Merged several fixes from Serge Hallyn: - dbase_file_cache: deref of uninit data on error path. - dbase_policydb_cache: clear fp to avoid double fclose - semanage_fc_sort: destroy temp on error paths - -1.6.8 2006-06-02 - * Updated default location for setfiles to /sbin to - match policycoreutils. This can also be adjusted via - semanage.conf using the syntax: - [setfiles] - path = /path/to/setfiles - args = -q -c $@ $< - [end] - -1.6.7 2006-05-05 - * Merged fix warnings patch from Karl MacMillan. - -1.6.6 2006-04-14 - * Merged updated file context sorting patch from Christopher - Ashworth, with bug fix for escaped character flag. - -1.6.5 2006-04-13 - * Merged file context sorting code from Christopher Ashworth - (Tresys Technology), based on fc_sort.c code in refpolicy. - -1.6.4 2006-04-12 - * Merged python binding t_output_helper removal patch from Dan Walsh. - * Regenerated swig files. - -1.6.3 2006-03-30 - * Merged corrected fix for descriptor leak from Dan Walsh. 
- -1.6.2 2006-03-20 - * Merged Makefile PYLIBVER definition patch from Dan Walsh. - -1.6.1 2006-03-20 - * Merged man page reorganization from Ivan Gyurdiev. - -1.6 2006-03-14 - * Updated version for release. - -1.5.31 2006-03-09 - * Merged abort early on merge errors patch from Ivan Gyurdiev. - -1.5.30 2006-03-08 - * Cleaned up error handling in semanage_split_fc based on a patch - by Serge Hallyn (IBM) and suggestions by Ivan Gyurdiev. - -1.5.29 2006-02-21 - * Merged MLS handling fixes from Ivan Gyurdiev. - -1.5.28 2006-02-16 - * Merged bug fix for fcontext validate handler from Ivan Gyurdiev. - -1.5.27 2006-02-16 - * Merged base_merge_components changes from Ivan Gyurdiev. - -1.5.26 2006-02-15 - * Merged paths array patch from Ivan Gyurdiev. - * Merg... [truncated message content] |
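Review bot: in the setrans_client.c hunk copied from rev 2045, raw_to_trans_context() and trans_to_raw_context() leak the daemon's reply whenever it reports an error: receive_response() stores a malloc'd buffer in *transp (or *rawp) and returns 0, the wrapper then does `ret = ret_val;` and returns that nonzero value, and the callers selinux_raw_to_trans_context() / selinux_trans_to_raw_context() overwrite the pointer with `*transp = strdup(raw);` (resp. `*rawp = strdup(trans);`) without freeing it. Free and NULL the output pointer before returning a nonzero ret_val, as init_context_translations() already does with `free(out);`. Two smaller points in the same hunk: receive_response() treats a short readv() on the stream socket as a failure (`count != (sizeof(func) + sizeof(data_size) + sizeof(*ret_val))` and `(uint32_t) count != data_size`) instead of looping until the header and payload are complete, so a daemon that writes its reply in pieces silently makes the caller fall back to the untranslated context; and `strncpy(addr.sun_path, SETRANS_UNIX_SOCKET, sizeof(addr.sun_path));` relies on the preceding memset() for NUL termination, so a socket path as long as sun_path would be unterminated; `sizeof(addr.sun_path) - 1` guarantees termination. Relative to the rev 2044 copy deleted in the preceding hunk, the file differs only in whitespace (`sizeof(iov) / sizeof(iov[0])` and the sendmsg() loop condition wrapped onto two lines), so this delete/copy pair changes no behaviour.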
From: <mad...@us...> - 2006-10-06 00:17:54
Revision: 2050 http://svn.sourceforge.net/selinux/?rev=2050&view=rev
Author: madmethod
Date: 2006-10-05 17:17:46 -0700 (Thu, 05 Oct 2006)
Log Message:
-----------
tag for libselinux 1.30.30
Added Paths:
-----------
tags/libselinux_1_30_30/
tags/libselinux_1_30_30/libselinux/
tags/libselinux_1_30_30/libselinux/ChangeLog
tags/libselinux_1_30_30/libselinux/VERSION
tags/libselinux_1_30_30/libselinux/include/selinux/avc.h
tags/libselinux_1_30_30/libselinux/src/avc.c
Removed Paths:
-------------
tags/libselinux_1_30_30/libselinux/ChangeLog
tags/libselinux_1_30_30/libselinux/VERSION
tags/libselinux_1_30_30/libselinux/include/selinux/avc.h
tags/libselinux_1_30_30/libselinux/src/avc.c
Copied: tags/libselinux_1_30_30/libselinux (from rev 2047, trunk/libselinux)
Deleted: tags/libselinux_1_30_30/libselinux/ChangeLog
===================================================================
--- trunk/libselinux/ChangeLog 2006-09-29 15:44:05 UTC (rev 2047)
+++ tags/libselinux_1_30_30/libselinux/ChangeLog 2006-10-06 00:17:46 UTC (rev 2050)
@@ -1,558 +0,0 @@ -1.30.29 2006-09-29 - * Merged av_permissions.h update from Steve Grubb, - adding setsockcreate and polmatch definitions. - -1.30.28 2006-09-13 - * Merged patch from Steve Smalley to fix SIGPIPE in setrans_client - * Merged c++ class identifier fix from Joe Nall. - -1.30.27 2006-08-24 - * Merged patch to not log avc stats upon a reset from Steve Grubb. - * Applied patch to revert compat_net setting upon policy load. - -1.30.26 2006-08-11 - * Merged file context homedir and local path functions from - Chris PeBenito. - -1.30.25 2006-08-11 - * Rework functions that access /proc/pid/attr to access the - per-thread nodes, and unify the code to simplify maintenance. - -1.30.24 2006-08-10 - * Merged return value fix for *getfilecon() from Dan Walsh. - -1.30.23 2006-08-10 - * Merged sockcreate interfaces from Eric Paris. - -1.30.22 2006-08-03 - * Merged no-tls-direct-seg-refs patch from Jeremy Katz. - -1.30.21 2006-08-03 - * Merged netfilter_contexts support patch from Chris PeBenito. - -1.30.20 2006-08-01 - * Merged context_*_set errno patch from Jim Meyering. - -1.30.19 2006-06-29 - * Lindent. - -1.30.18 2006-06-27 - * Merged {get,set}procattrcon patch set from Eric Paris. - * Merged re-base of keycreate patch originally by Michael LeMay from Eric Paris. - -1.30.17 2006-06-27 - * Regenerated Flask headers from refpolicy. - -1.30.16 2006-06-26 - * Merged patch from Dan Walsh with: - - Added selinux_file_context_{cmp,verify}. - - Added selinux_lsetfilecon_default. - - Delay translation of contexts in matchpathcon. - -1.30.15 2006-06-16 - * Merged patch from Dan Walsh with: - * Added selinux_getpolicytype() function. - * Modified setrans code to skip processing if !mls_enabled. - -1.30.14 2006-06-16 - * Set errno in the !selinux_mnt case. - -1.30.13 2006-06-02 - * Allocate large buffers from the heap, not on stack. - Affects is_context_customizable, selinux_init_load_policy, - and selinux_getenforcemode. 
- -1.30.12 2006-06-02 - * Merged !selinux_mnt checks from Ian Kent. - -1.30.11 2006-05-24 - * Merged matchmediacon and trans_to_raw_context fixes from - Serge Hallyn. - -1.30.10 2006-05-22 - * Merged simple setrans client cache from Dan Walsh. - Merged avcstat patch from Russell Coker. - -1.30.9 2006-05-22 - * Modified selinux_mkload_policy() to also set /selinux/compat_net - appropriately for the loaded policy. - -1.30.8 2006-05-17 - * Added matchpathcon_fini() function to free memory allocated by - matchpathcon_init(). - -1.30.7 2006-05-16 - * Merged setrans client cleanup patch from Steve Grubb. - -1.30.6 2006-05-08 - * Merged getfscreatecon man page fix from Dan Walsh. - * Updated booleans(8) man page to drop references to the old - booleans file and to note that setsebool can be used to set - the boot-time defaults via -P. - -1.30.5 2006-05-05 - * Merged fix warnings patch from Karl MacMillan. - -1.30.4 2006-05-05 - * Merged setrans client support from Dan Walsh. - This removes use of libsetrans. - * Merged patch to eliminate use of PAGE_SIZE constant from Dan Walsh. - * Merged swig typemap fixes from Glauber de Oliveira Costa. - -1.30.3 2006-04-12 - * Added distclean target to Makefile. - * Regenerated swig files. - -1.30.2 2006-04-11 - * Changed matchpathcon_init to verify that the spec file is - a regular file. - * Merged python binding t_output_helper removal patch from Dan Walsh. - -1.30.1 2006-03-20 - * Merged Makefile PYLIBVER definition patch from Dan Walsh. - -1.30 2006-03-14 - * Updated version for release. - -1.29.8 2006-02-27 - * Altered rpm_execcon fallback logic for permissive mode to also - handle case where /selinux/enforce is not available. - -1.29.7 2006-01-20 - * Merged install-pywrap Makefile patch from Joshua Brindle. - -1.29.6 2006-01-18 - * Merged pywrap Makefile patch from Dan Walsh. - -1.29.5 2006-01-11 - * Added getseuser test program. 
- -1.29.4 2006-01-06 - * Added format attribute to myprintf in matchpathcon.c and - removed obsoleted rootlen variable in init_selinux_config(). - -1.29.3 2006-01-04 - * Merged several fixes and improvements from Ulrich Drepper - (Red Hat), including: - - corrected use of getline - - further calls to __fsetlocking for local files - - use of strdupa and asprintf - - proper handling of dirent in booleans code - - use of -z relro - - several other optimizations - * Merged getpidcon python wrapper from Dan Walsh (Red Hat). - -1.29.2 2005-12-14 - * Merged call to finish_context_translations from Dan Walsh. - This eliminates a memory leak from failing to release memory - allocated by libsetrans. - -1.29.1 2005-12-08 - * Merged patch for swig interfaces from Dan Walsh. - -1.28 2005-12-07 - * Updated version for release. - -1.27.28 2005-12-01 - * Added MATCHPATHCON_VALIDATE flag for set_matchpathcon_flags() and - modified matchpathcon implementation to make context validation/ - canonicalization optional at matchpathcon_init time, deferring it - to a successful matchpathcon by default unless the new flag is set - by the caller. - -1.27.27 2005-12-01 - * Added matchpathcon_init_prefix() interface, and - reworked matchpathcon implementation to support selective - loading of file contexts entries based on prefix matching - between the pathname regex stems and the specified path - prefix (stem must be a prefix of the specified path prefix). - -1.27.26 2005-11-29 - * Merged getsebool patch from Dan Walsh. - -1.27.25 2005-11-29 - * Added -f file_contexts option to matchpathcon util. - Fixed warning message in matchpathcon_init(). - -1.27.24 2005-11-29 - * Merged Makefile python definitions patch from Dan Walsh. - -1.27.23 2005-11-28 - * Merged swigify patch from Dan Walsh. - -1.27.22 2005-11-15 - * Merged make failure in rpm_execcon non-fatal in permissive mode - patch from Ivan Gyurdiev. 
- -1.27.21 2005-11-08 - * Added MATCHPATHCON_NOTRANS flag for set_matchpathcon_flags() - and modified matchpathcon_init() to skip context translation - if it is set by the caller. - -1.27.20 2005-11-07 - * Added security_canonicalize_context() interface and - set_matchpathcon_canoncon() interface for obtaining - canonical contexts. Changed matchpathcon internals - to obtain canonical contexts by default. Provided - fallback for kernels that lack extended selinuxfs context - interface. - -1.27.19 2005-11-04 - * Merged seusers parser changes from Ivan Gyurdiev. - * Merged setsebool to libsemanage patch from Ivan Gyurdiev. - * Changed seusers parser to reject empty fields. - -1.27.18 2005-11-03 - * Merged seusers empty level handling patch from Jonathan Kim (TCS). - -1.27.17 2005-10-27 - * Changed default entry for seusers to use __default__ to avoid - ambiguity with users named "default". - -1.27.16 2005-10-27 - * Fixed init_selinux_config() handling of missing /etc/selinux/config - or missing SELINUXTYPE= definition. - * Merged selinux_translations_path() patch from Dan Walsh. - -1.27.15 2005-10-25 - * Added hidden_proto/def for get_default_context_with_role. - -1.27.14 2005-10-25 - * Merged selinux_path() and selinux_homedir_context_path() - functions from Joshua Brindle. - -1.27.13 2005-10-19 - * Merged fixes for make DESTDIR= builds from Joshua Brindle. - -1.27.12 2005-10-18 - * Merged get_default_context_with_rolelevel and man pages from - Dan Walsh (Red Hat). - -1.27.11 2005-10-18 - * Updated call to sepol_policydb_to_image for sepol changes. - -1.27.10 2005-10-17 - * Changed getseuserbyname to ignore empty lines and to handle - no matching entry in the same manner as no seusers file. - -1.27.9 2005-10-13 - * Changed selinux_mkload_policy to try downgrading the - latest policy version available to the kernel-supported version. 
- -1.27.8 2005-10-11 - * Changed selinux_mkload_policy to fall back to the maximum - policy version supported by libsepol if the kernel policy version - falls outside of the supported range. - -1.27.7 2005-10-06 - * Changed getseuserbyname to fall back to the Linux username and - NULL level if seusers config file doesn't exist unless - REQUIRESEUSERS=1 is set in /etc/selinux/config. - * Moved seusers.conf under $SELINUXTYPE and renamed to seusers. - -1.27.6 2005-10-06 - * Added selinux_init_load_policy() function as an even higher level - interface for the initial policy load by /sbin/init. This obsoletes - the load_policy() function in the sysvinit-selinux.patch. - -1.27.5 2005-10-06 - * Added selinux_mkload_policy() function as a higher level interface - for loading policy than the security_load_policy() interface. - -1.27.4 2005-10-05 - * Merged fix for matchpathcon (regcomp error checking) from Johan - Fischer. Also added use of regerror to obtain the error string - for inclusion in the error message. - -1.27.3 2005-10-03 - * Changed getseuserbyname to not require (and ignore if present) - the MLS level in seusers.conf if MLS is disabled, setting *level - to NULL in this case. - -1.27.2 2005-09-30 - * Merged getseuserbyname patch from Dan Walsh. - -1.27.1 2005-09-19 - * Merged STRIP_LEVEL patch for matchpathcon from Dan Walsh. - This allows file_contexts with MLS fields to be processed on - non-MLS-enabled systems with policies that are otherwise - identical (e.g. same type definitions). - * Merged get_ordered_context_list_with_level() function from - Dan Walsh, and added get_default_context_with_level(). - This allows MLS level selection for users other than the - default level. - -1.26 2005-09-06 - * Updated version for release. - -1.25.7 2005-09-01 - * Merged modified form of patch to avoid dlopen/dlclose by - the static libselinux from Dan Walsh. Users of the static libselinux - will not have any context translation by default. 
- -1.25.6 2005-08-31 - * Added public functions to export context translation to - users of libselinux (selinux_trans_to_raw_context, - selinux_raw_to_trans_context). - -1.25.5 2005-08-26 - * Remove special definition for context_range_set; use - common code. - -1.25.4 2005-08-25 - * Hid translation-related symbols entirely and ensured that - raw functions have hidden definitions for internal use. - * Allowed setting NULL via context_set* functions. - * Allowed whitespace in MLS component of context. - * Changed rpm_execcon to use translated functions to workaround - lack of MLS level on upgraded systems. - -1.25.3 2005-08-23 - * Merged context translation patch, originally by TCS, - with modifications by Dan Walsh (Red Hat). - -1.25.2 2005-08-11 - * Merged several fixes for error handling paths in the - AVC sidtab, matchpathcon, booleans, context, and get_context_list - code from Serge Hallyn (IBM). Bugs found by Coverity. - -1.25.1 2005-08-10 - * Removed setupns; migrated to pam. - * Merged patches to rename checkPasswdAccess() from Joshua Brindle. - Original symbol is temporarily retained for compatibility until - all callers are updated. - -1.24 2005-06-20 - * Updated version for release. - -1.23.12 2005-06-13 - * Merged security_setupns() from Chad Sellers. - -1.23.11 2005-05-19 - * Merged avcstat and selinux man page from Dan Walsh. - * Changed security_load_booleans to process booleans.local - even if booleans file doesn't exist. - -1.23.10 2005-04-29 - * Merged set_selinuxmnt patch from Bill Nottingham (Red Hat). - -1.23.9 2005-04-26 - * Rewrote get_ordered_context_list and helpers, including - changing logic to allow variable MLS fields. - -1.23.8 2005-04-25 - * Merged matchpathcon and man page patch from Dan Walsh. - -1.23.7 2005-04-12 - * Changed boolean functions to return -1 with errno ENOENT - rather than assert on a NULL selinux_mnt (i.e. selinuxfs not - mounted). - -1.23.6 2005-04-08 - * Fixed bug in matchpathcon_filespec_destroy. 
- -1.23.5 2005-04-05 - * Fixed bug in rpm_execcon error handling path. - -1.23.4 2005-04-04 - * Merged fix for set_matchpathcon* functions from Andreas Steinmetz. - * Merged fix for getconlist utility from Andreas Steinmetz. - -1.23.3 2005-03-29 - * Merged security_set_boolean_list patch from Dan Walsh. - This introduces booleans.local support for setsebool. - -1.23.2 2005-03-17 - * Merged destructors patch from Tomas Mraz. - -1.23.1 2005-03-16 - * Added set_matchpathcon_flags() function for setting flags - controlling operation of matchpathcon. MATCHPATHCON_BASEONLY - means only process the base file_contexts file, not - file_contexts.homedirs or file_contexts.local, and is for use by - setfiles -c. - * Updated matchpathcon.3 man page. - -1.22 2005-03-09 - * Updated version for release. - -1.21.13 2005-03-08 - * Fixed bug in matchpathcon_filespec_add() - failure to clear fl_head. - -1.21.12 2005-03-01 - * Changed matchpathcon_common to ignore any non-format bits in the mode. - -1.21.11 2005-02-22 - * Merged several fixes from Ulrich Drepper. - -1.21.10 2005-02-17 - * Merged matchpathcon patch for file_contexts.homedir from Dan Walsh. - * Added selinux_users_path() for path to directory containing - system.users and local.users. - -1.21.9 2005-02-09 - * Changed relabel Makefile target to use restorecon. - -1.21.8 2005-02-07 - * Regenerated av_permissions.h. - -1.21.7 2005-02-01 - * Modified avc_dump_av to explicitly check for any permissions that - cannot be mapped to string names and display them as a hex value. - -1.21.6 2005-01-31 - * Regenerated av_permissions.h. - -1.21.5 2005-01-28 - * Generalized matchpathcon internals, exported more interfaces, - and moved additional code from setfiles into libselinux so that - setfiles can directly use matchpathcon. - -1.21.4 2005-01-27 - * Prevent overflow of spec array in matchpathcon. - -1.21.3 2005-01-26 - * Fixed several uses of internal functions to avoid relocations. 
- * Changed rpm_execcon to check is_selinux_enabled() and fallback to - a regular execve if not enabled (or unable to determine due to a lack - of /proc, e.g. chroot'd environment). - - -1.21.2 2005-01-24 - * Merged minor fix for avcstat from Dan Walsh. - -1.21.1 2005-01-19 - * Merged patch from Dan Walsh, including: - - new is_context_customizable function - - changed matchpathcon to also use file_contexts.local if present - - man page cleanups - -1.20 2005-01-04 - * Changed matchpathcon to return -1 with errno ENOENT for - <<none>> entries, and also for an empty file_contexts configuration. - * Removed some trivial utils that were not useful or redundant. - * Changed BINDIR default to /usr/sbin to match change in Fedora. - * Added security_compute_member. - * Added man page for setcon. - * Merged more man pages from Dan Walsh. - * Merged avcstat from James Morris. - * Merged build fix for mips from Manoj Srivastava. - * Merged C++ support from John Ramsdell of MITRE. - * Merged setcon() function from Darrel Goeddel of TCS. - * Merged setsebool/togglesebool enhancement from Steve Grubb. - * Merged cleanup patches from Steve Grubb. - -1.18 2004-11-01 - * Merged cleanup patches from Steve Grubb. - * Added rpm_execcon. - * Merged setenforce and removable context patch from Dan Walsh. - * Merged build fix for alpha from Ulrich Drepper. - * Removed copyright/license from selinux_netlink.h - definitions only. - * Merged matchmediacon from Dan Walsh. - * Regenerated headers for new nscd permissions. - * Added get_default_context_with_role. - * Added set_matchpathcon_printf. - * Reworked av_inherit.h to allow easier re-use by kernel. - * Changed avc_has_perm_noaudit to not fail on netlink errors. - * Changed avc netlink code to check pid based on patch by Steve Grubb. - * Merged second optimization patch from Ulrich Drepper. - * Changed matchpathcon to skip invalid file_contexts entries. - * Made string tables private to libselinux. 
- * Merged strcat->stpcpy patch from Ulrich Drepper. - * Merged matchpathcon man page from Dan Walsh. - * Merged patch to eliminate PLTs for local syms from Ulrich Drepper. - * Autobind netlink socket. - * Dropped compatibility code from security_compute_user. - * Merged fix for context_range_set from Chad Hanson. - * Merged allocation failure checking patch from Chad Hanson. - * Merged avc netlink error message patch from Colin Walters. - -1.16 2004-08-19 - * Regenerated headers for nscd class. - * Merged man pages from Dan Walsh. - * Merged context_new bug fix for MLS ranges from Chad Hanson. - * Merged toggle_bool from Chris PeBenito, renamed to togglesebool. - * Renamed change_bool and show_bools to setsebool and getsebool. - * Merged security_load_booleans() function from Dan Walsh. - * Added selinux_booleans_path() function. - * Changed avc_init function prototype to use const. - * Regenerated headers for crontab permission. - * Added checkAccess from Dan Walsh. - * Merged getenforce patch from Dan Walsh. - * Regenerated headers for dbus classes. - -1.14 2004-06-16 - * Regenerated headers for fine-grained netlink classes. - * Merged selinux_config bug fix from Dan Walsh. - * Added userspace AVC man pages. - * Added man links for API calls to existing man pages documenting them. - * Replaced $HOME/.default_contexts support with /etc/selinux/contexts/users/$USER support. - * Merged patch to determine config file paths at runtime to support - reorganized layout. - * Regenerated flask headers with stable ordering. - * Merged patch for man pages from Russell Coker. - -1.12 2004-05-10 - * Updated flask files to include new SE-X security classes. - * Added security_disable function for runtime disable of SELinux prior - to initial policy load (for /sbin/init). - * Changed get_ordered_context_list to omit any reachable contexts - that are not explicitly listed in default_contexts, unless there - are no matches. - * Merged man pages from Russell Coker and Dan Walsh. 
- * Merged memory leak fixes from Dan Walsh. - * Merged policyvers errno patch from Chris PeBenito. - -1.10 2004-04-05 - * Merged getenforce patch from Dan Walsh. - * Fixed init_selinuxmnt to correctly handle use of "selinuxfs" as - the device specification, i.e. mount selinuxfs /selinux -t selinuxfs. - Based on a patch by Russell Coker. - * Merged matchpathcon buffer size fix from Dan Walsh. - -1.8 2004-03-09 - * Merged is_selinux_mls_enabled() from Chad Hanson of TCS. - * Added matchpathcon function. - * Updated userspace AVC to handle netlink selinux notifications. - -1.6 2004-02-18 - * Merged conditional policy extensions from Tresys Technology. - * Added userspace avc and SID table implementation. - * Fixed type on size in getpeercon per Thorsten Kukuk's advice. - * Fixed use of getpwnam_r per Thorsten Kukuk's advice. - * Changed to use getpwnam_r rather than getpwnam internally to - avoid clobbering any existing pwd struct obtained by the caller. - * Added getpeercon function to encapsulate getsockopt SO_PEERSEC - and handle allocation ala getfilecon. - * Changed is_selinux_enabled to return -1 on errors. - * Changed to discover selinuxfs mount point via /proc/mounts - so that the mount point can be changed without rebuilding. - -1.4 2003-12-01 - * Merged another cleanup patch from Bastian Blank and Joerg Hoh. - * Regenerate headers for new permissions. - * Merged static lib build patch from Bastian Blank and Joerg Hoh. - * Export SELINUXMNT definition, add SELINUXPOLICY definition. - * Add functions to provide access to enforce and policyvers. - * Changed is_selinux_enabled to check /proc/filesystems for selinuxfs. - * Fixed type for 'size' in *getfilecon. - * Dropped -lattr and changed #include's to <sys/xattr.h> - * Merged patch to move shared library to /lib from Dan Walsh. - * Changed get_ordered_context_list to support a failsafe context. - * Added selinuxenabled utility. - * Merged const patch from Thorsten Kukuk. 
- -1.2 2003-09-30 - * Change is_selinux_enabled to fail if policy isn't loaded. - * Changed Makefiles to allow non-root rpm builds. - * Added -lattr for libselinux.so to ensure proper binding. - -1.1 2003-08-13 - * Ensure that context strings are padded with a null byte - in case the kernel didn't include one. - * Regenerate headers, update helpers.c for code cleanup. - * Pass soname flag to linker (Colin Walters). - * Fixes for various items: add const as appropriate, handle missed OOM condition, clean up compile warnings (Colin Walters). - -1.0 2003-07-11 - * Initial public release. Copied: tags/libselinux_1_30_30/libselinux/ChangeLog (from rev 2049, trunk/libselinux/ChangeLog) =================================================================== --- tags/libselinux_1_30_30/libselinux/ChangeLog (rev 0) +++ tags/libselinux_1_30_30/libselinux/ChangeLog 2006-10-06 00:17:46 UTC (rev 2050) 
@@ -0,0 +1,562 @@ +1.30.30 2006-10-05 + * Merged patch from Darrel Goeddel to always use untranslated + contexts in the userspace AVC. + +1.30.29 2006-09-29 + * Merged av_permissions.h update from Steve Grubb, + adding setsockcreate and polmatch definitions. + +1.30.28 2006-09-13 + * Merged patch from Steve Smalley to fix SIGPIPE in setrans_client + * Merged c++ class identifier fix from Joe Nall. + +1.30.27 2006-08-24 + * Merged patch to not log avc stats upon a reset from Steve Grubb. + * Applied patch to revert compat_net setting upon policy load. + +1.30.26 2006-08-11 + * Merged file context homedir and local path functions from + Chris PeBenito. + +1.30.25 2006-08-11 + * Rework functions that access /proc/pid/attr to access the + per-thread nodes, and unify the code to simplify maintenance. + +1.30.24 2006-08-10 + * Merged return value fix for *getfilecon() from Dan Walsh. + +1.30.23 2006-08-10 + * Merged sockcreate interfaces from Eric Paris. + +1.30.22 2006-08-03 + * Merged no-tls-direct-seg-refs patch from Jeremy Katz. + +1.30.21 2006-08-03 + * Merged netfilter_contexts support patch from Chris PeBenito. + +1.30.20 2006-08-01 + * Merged context_*_set errno patch from Jim Meyering. + +1.30.19 2006-06-29 + * Lindent. + +1.30.18 2006-06-27 + * Merged {get,set}procattrcon patch set from Eric Paris. + * Merged re-base of keycreate patch originally by Michael LeMay from Eric Paris. + +1.30.17 2006-06-27 + * Regenerated Flask headers from refpolicy. + +1.30.16 2006-06-26 + * Merged patch from Dan Walsh with: + - Added selinux_file_context_{cmp,verify}. + - Added selinux_lsetfilecon_default. + - Delay translation of contexts in matchpathcon. + +1.30.15 2006-06-16 + * Merged patch from Dan Walsh with: + * Added selinux_getpolicytype() function. + * Modified setrans code to skip processing if !mls_enabled. + +1.30.14 2006-06-16 + * Set errno in the !selinux_mnt case. + +1.30.13 2006-06-02 + * Allocate large buffers from the heap, not on stack. 
+ Affects is_context_customizable, selinux_init_load_policy, + and selinux_getenforcemode. + +1.30.12 2006-06-02 + * Merged !selinux_mnt checks from Ian Kent. + +1.30.11 2006-05-24 + * Merged matchmediacon and trans_to_raw_context fixes from + Serge Hallyn. + +1.30.10 2006-05-22 + * Merged simple setrans client cache from Dan Walsh. + Merged avcstat patch from Russell Coker. + +1.30.9 2006-05-22 + * Modified selinux_mkload_policy() to also set /selinux/compat_net + appropriately for the loaded policy. + +1.30.8 2006-05-17 + * Added matchpathcon_fini() function to free memory allocated by + matchpathcon_init(). + +1.30.7 2006-05-16 + * Merged setrans client cleanup patch from Steve Grubb. + +1.30.6 2006-05-08 + * Merged getfscreatecon man page fix from Dan Walsh. + * Updated booleans(8) man page to drop references to the old + booleans file and to note that setsebool can be used to set + the boot-time defaults via -P. + +1.30.5 2006-05-05 + * Merged fix warnings patch from Karl MacMillan. + +1.30.4 2006-05-05 + * Merged setrans client support from Dan Walsh. + This removes use of libsetrans. + * Merged patch to eliminate use of PAGE_SIZE constant from Dan Walsh. + * Merged swig typemap fixes from Glauber de Oliveira Costa. + +1.30.3 2006-04-12 + * Added distclean target to Makefile. + * Regenerated swig files. + +1.30.2 2006-04-11 + * Changed matchpathcon_init to verify that the spec file is + a regular file. + * Merged python binding t_output_helper removal patch from Dan Walsh. + +1.30.1 2006-03-20 + * Merged Makefile PYLIBVER definition patch from Dan Walsh. + +1.30 2006-03-14 + * Updated version for release. + +1.29.8 2006-02-27 + * Altered rpm_execcon fallback logic for permissive mode to also + handle case where /selinux/enforce is not available. + +1.29.7 2006-01-20 + * Merged install-pywrap Makefile patch from Joshua Brindle. + +1.29.6 2006-01-18 + * Merged pywrap Makefile patch from Dan Walsh. + +1.29.5 2006-01-11 + * Added getseuser test program. 
+ +1.29.4 2006-01-06 + * Added format attribute to myprintf in matchpathcon.c and + removed obsoleted rootlen variable in init_selinux_config(). + +1.29.3 2006-01-04 + * Merged several fixes and improvements from Ulrich Drepper + (Red Hat), including: + - corrected use of getline + - further calls to __fsetlocking for local files + - use of strdupa and asprintf + - proper handling of dirent in booleans code + - use of -z relro + - several other optimizations + * Merged getpidcon python wrapper from Dan Walsh (Red Hat). + +1.29.2 2005-12-14 + * Merged call to finish_context_translations from Dan Walsh. + This eliminates a memory leak from failing to release memory + allocated by libsetrans. + +1.29.1 2005-12-08 + * Merged patch for swig interfaces from Dan Walsh. + +1.28 2005-12-07 + * Updated version for release. + +1.27.28 2005-12-01 + * Added MATCHPATHCON_VALIDATE flag for set_matchpathcon_flags() and + modified matchpathcon implementation to make context validation/ + canonicalization optional at matchpathcon_init time, deferring it + to a successful matchpathcon by default unless the new flag is set + by the caller. + +1.27.27 2005-12-01 + * Added matchpathcon_init_prefix() interface, and + reworked matchpathcon implementation to support selective + loading of file contexts entries based on prefix matching + between the pathname regex stems and the specified path + prefix (stem must be a prefix of the specified path prefix). + +1.27.26 2005-11-29 + * Merged getsebool patch from Dan Walsh. + +1.27.25 2005-11-29 + * Added -f file_contexts option to matchpathcon util. + Fixed warning message in matchpathcon_init(). + +1.27.24 2005-11-29 + * Merged Makefile python definitions patch from Dan Walsh. + +1.27.23 2005-11-28 + * Merged swigify patch from Dan Walsh. + +1.27.22 2005-11-15 + * Merged make failure in rpm_execcon non-fatal in permissive mode + patch from Ivan Gyurdiev. 
+ +1.27.21 2005-11-08 + * Added MATCHPATHCON_NOTRANS flag for set_matchpathcon_flags() + and modified matchpathcon_init() to skip context translation + if it is set by the caller. + +1.27.20 2005-11-07 + * Added security_canonicalize_context() interface and + set_matchpathcon_canoncon() interface for obtaining + canonical contexts. Changed matchpathcon internals + to obtain canonical contexts by default. Provided + fallback for kernels that lack extended selinuxfs context + interface. + +1.27.19 2005-11-04 + * Merged seusers parser changes from Ivan Gyurdiev. + * Merged setsebool to libsemanage patch from Ivan Gyurdiev. + * Changed seusers parser to reject empty fields. + +1.27.18 2005-11-03 + * Merged seusers empty level handling patch from Jonathan Kim (TCS). + +1.27.17 2005-10-27 + * Changed default entry for seusers to use __default__ to avoid + ambiguity with users named "default". + +1.27.16 2005-10-27 + * Fixed init_selinux_config() handling of missing /etc/selinux/config + or missing SELINUXTYPE= definition. + * Merged selinux_translations_path() patch from Dan Walsh. + +1.27.15 2005-10-25 + * Added hidden_proto/def for get_default_context_with_role. + +1.27.14 2005-10-25 + * Merged selinux_path() and selinux_homedir_context_path() + functions from Joshua Brindle. + +1.27.13 2005-10-19 + * Merged fixes for make DESTDIR= builds from Joshua Brindle. + +1.27.12 2005-10-18 + * Merged get_default_context_with_rolelevel and man pages from + Dan Walsh (Red Hat). + +1.27.11 2005-10-18 + * Updated call to sepol_policydb_to_image for sepol changes. + +1.27.10 2005-10-17 + * Changed getseuserbyname to ignore empty lines and to handle + no matching entry in the same manner as no seusers file. + +1.27.9 2005-10-13 + * Changed selinux_mkload_policy to try downgrading the + latest policy version available to the kernel-supported version. 
+ +1.27.8 2005-10-11 + * Changed selinux_mkload_policy to fall back to the maximum + policy version supported by libsepol if the kernel policy version + falls outside of the supported range. + +1.27.7 2005-10-06 + * Changed getseuserbyname to fall back to the Linux username and + NULL level if seusers config file doesn't exist unless + REQUIRESEUSERS=1 is set in /etc/selinux/config. + * Moved seusers.conf under $SELINUXTYPE and renamed to seusers. + +1.27.6 2005-10-06 + * Added selinux_init_load_policy() function as an even higher level + interface for the initial policy load by /sbin/init. This obsoletes + the load_policy() function in the sysvinit-selinux.patch. + +1.27.5 2005-10-06 + * Added selinux_mkload_policy() function as a higher level interface + for loading policy than the security_load_policy() interface. + +1.27.4 2005-10-05 + * Merged fix for matchpathcon (regcomp error checking) from Johan + Fischer. Also added use of regerror to obtain the error string + for inclusion in the error message. + +1.27.3 2005-10-03 + * Changed getseuserbyname to not require (and ignore if present) + the MLS level in seusers.conf if MLS is disabled, setting *level + to NULL in this case. + +1.27.2 2005-09-30 + * Merged getseuserbyname patch from Dan Walsh. + +1.27.1 2005-09-19 + * Merged STRIP_LEVEL patch for matchpathcon from Dan Walsh. + This allows file_contexts with MLS fields to be processed on + non-MLS-enabled systems with policies that are otherwise + identical (e.g. same type definitions). + * Merged get_ordered_context_list_with_level() function from + Dan Walsh, and added get_default_context_with_level(). + This allows MLS level selection for users other than the + default level. + +1.26 2005-09-06 + * Updated version for release. + +1.25.7 2005-09-01 + * Merged modified form of patch to avoid dlopen/dlclose by + the static libselinux from Dan Walsh. Users of the static libselinux + will not have any context translation by default. 
+ +1.25.6 2005-08-31 + * Added public functions to export context translation to + users of libselinux (selinux_trans_to_raw_context, + selinux_raw_to_trans_context). + +1.25.5 2005-08-26 + * Remove special definition for context_range_set; use + common code. + +1.25.4 2005-08-25 + * Hid translation-related symbols entirely and ensured that + raw functions have hidden definitions for internal use. + * Allowed setting NULL via context_set* functions. + * Allowed whitespace in MLS component of context. + * Changed rpm_execcon to use translated functions to workaround + lack of MLS level on upgraded systems. + +1.25.3 2005-08-23 + * Merged context translation patch, originally by TCS, + with modifications by Dan Walsh (Red Hat). + +1.25.2 2005-08-11 + * Merged several fixes for error handling paths in the + AVC sidtab, matchpathcon, booleans, context, and get_context_list + code from Serge Hallyn (IBM). Bugs found by Coverity. + +1.25.1 2005-08-10 + * Removed setupns; migrated to pam. + * Merged patches to rename checkPasswdAccess() from Joshua Brindle. + Original symbol is temporarily retained for compatibility until + all callers are updated. + +1.24 2005-06-20 + * Updated version for release. + +1.23.12 2005-06-13 + * Merged security_setupns() from Chad Sellers. + +1.23.11 2005-05-19 + * Merged avcstat and selinux man page from Dan Walsh. + * Changed security_load_booleans to process booleans.local + even if booleans file doesn't exist. + +1.23.10 2005-04-29 + * Merged set_selinuxmnt patch from Bill Nottingham (Red Hat). + +1.23.9 2005-04-26 + * Rewrote get_ordered_context_list and helpers, including + changing logic to allow variable MLS fields. + +1.23.8 2005-04-25 + * Merged matchpathcon and man page patch from Dan Walsh. + +1.23.7 2005-04-12 + * Changed boolean functions to return -1 with errno ENOENT + rather than assert on a NULL selinux_mnt (i.e. selinuxfs not + mounted). + +1.23.6 2005-04-08 + * Fixed bug in matchpathcon_filespec_destroy. 
+ +1.23.5 2005-04-05 + * Fixed bug in rpm_execcon error handling path. + +1.23.4 2005-04-04 + * Merged fix for set_matchpathcon* functions from Andreas Steinmetz. + * Merged fix for getconlist utility from Andreas Steinmetz. + +1.23.3 2005-03-29 + * Merged security_set_boolean_list patch from Dan Walsh. + This introduces booleans.local support for setsebool. + +1.23.2 2005-03-17 + * Merged destructors patch from Tomas Mraz. + +1.23.1 2005-03-16 + * Added set_matchpathcon_flags() function for setting flags + controlling operation of matchpathcon. MATCHPATHCON_BASEONLY + means only process the base file_contexts file, not + file_contexts.homedirs or file_contexts.local, and is for use by + setfiles -c. + * Updated matchpathcon.3 man page. + +1.22 2005-03-09 + * Updated version for release. + +1.21.13 2005-03-08 + * Fixed bug in matchpathcon_filespec_add() - failure to clear fl_head. + +1.21.12 2005-03-01 + * Changed matchpathcon_common to ignore any non-format bits in the mode. + +1.21.11 2005-02-22 + * Merged several fixes from Ulrich Drepper. + +1.21.10 2005-02-17 + * Merged matchpathcon patch for file_contexts.homedir from Dan Walsh. + * Added selinux_users_path() for path to directory containing + system.users and local.users. + +1.21.9 2005-02-09 + * Changed relabel Makefile target to use restorecon. + +1.21.8 2005-02-07 + * Regenerated av_permissions.h. + +1.21.7 2005-02-01 + * Modified avc_dump_av to explicitly check for any permissions that + cannot be mapped to string names and display them as a hex value. + +1.21.6 2005-01-31 + * Regenerated av_permissions.h. + +1.21.5 2005-01-28 + * Generalized matchpathcon internals, exported more interfaces, + and moved additional code from setfiles into libselinux so that + setfiles can directly use matchpathcon. + +1.21.4 2005-01-27 + * Prevent overflow of spec array in matchpathcon. + +1.21.3 2005-01-26 + * Fixed several uses of internal functions to avoid relocations. 
+ * Changed rpm_execcon to check is_selinux_enabled() and fallback to + a regular execve if not enabled (or unable to determine due to a lack + of /proc, e.g. chroot'd environment). + + +1.21.2 2005-01-24 + * Merged minor fix for avcstat from Dan Walsh. + +1.21.1 2005-01-19 + * Merged patch from Dan Walsh, including: + - new is_context_customizable function + - changed matchpathcon to also use file_contexts.local if present + - man page cleanups + +1.20 2005-01-04 + * Changed matchpathcon to return -1 with errno ENOENT for + <<none>> entries, and also for an empty file_contexts configuration. + * Removed some trivial utils that were not useful or redundant. + * Changed BINDIR default to /usr/sbin to match change in Fedora. + * Added security_compute_member. + * Added man page for setcon. + * Merged more man pages from Dan Walsh. + * Merged avcstat from James Morris. + * Merged build fix for mips from Manoj Srivastava. + * Merged C++ support from John Ramsdell of MITRE. + * Merged setcon() function from Darrel Goeddel of TCS. + * Merged setsebool/togglesebool enhancement from Steve Grubb. + * Merged cleanup patches from Steve Grubb. + +1.18 2004-11-01 + * Merged cleanup patches from Steve Grubb. + * Added rpm_execcon. + * Merged setenforce and removable context patch from Dan Walsh. + * Merged build fix for alpha from Ulrich Drepper. + * Removed copyright/license from selinux_netlink.h - definitions only. + * Merged matchmediacon from Dan Walsh. + * Regenerated headers for new nscd permissions. + * Added get_default_context_with_role. + * Added set_matchpathcon_printf. + * Reworked av_inherit.h to allow easier re-use by kernel. + * Changed avc_has_perm_noaudit to not fail on netlink errors. + * Changed avc netlink code to check pid based on patch by Steve Grubb. + * Merged second optimization patch from Ulrich Drepper. + * Changed matchpathcon to skip invalid file_contexts entries. + * Made string tables private to libselinux. 
+ * Merged strcat->stpcpy patch from Ulrich Drepper. + * Merged matchpathcon man page from Dan Walsh. + * Merged patch to eliminate PLTs for local syms from Ulrich Drepper. + * Autobind netlink socket. + * Dropped compatibility code from security_compute_user. + * Merged fix for context_range_set from Chad Hanson. + * Merged allocation failure checking patch from Chad Hanson. + * Merged avc netlink error message patch from Colin Walters. + +1.16 2004-08-19 + * Regenerated headers for nscd class. + * Merged man pages from Dan Walsh. + * Merged context_new bug fix for MLS ranges from Chad Hanson. + * Merged toggle_bool from Chris PeBenito, renamed to togglesebool. + * Renamed change_bool and show_bools to setsebool and getsebool. + * Merged security_load_booleans() function from Dan Walsh. + * Added selinux_booleans_path() function. + * Changed avc_init function prototype to use const. + * Regenerated headers for crontab permission. + * Added checkAccess from Dan Walsh. + * Merged getenforce patch from Dan Walsh. + * Regenerated headers for dbus classes. + +1.14 2004-06-16 + * Regenerated headers for fine-grained netlink classes. + * Merged selinux_config bug fix from Dan Walsh. + * Added userspace AVC man pages. + * Added man links for API calls to existing man pages documenting them. + * Replaced $HOME/.default_contexts support with /etc/selinux/contexts/users/$USER support. + * Merged patch to determine config file paths at runtime to support + reorganized layout. + * Regenerated flask headers with stable ordering. + * Merged patch for man pages from Russell Coker. + +1.12 2004-05-10 + * Updated flask files to include new SE-X security classes. + * Added security_disable function for runtime disable of SELinux prior + to initial policy load (for /sbin/init). + * Changed get_ordered_context_list to omit any reachable contexts + that are not explicitly listed in default_contexts, unless there + are no matches. + * Merged man pages from Russell Coker and Dan Walsh. 
+ * Merged memory leak fixes from Dan Walsh. + * Merged policyvers errno patch from Chris PeBenito. + +1.10 2004-04-05 + * Merged getenforce patch from Dan Walsh. + * Fixed init_selinuxmnt to correctly handle use of "selinuxfs" as + the device specification, i.e. mount selinuxfs /selinux -t selinuxfs. + Based on a patch by Russell Coker. + * Merged matchpathcon buffer size fix from Dan Walsh. + +1.8 2004-03-09 + * Merged is_selinux_mls_enabled() from Chad Hanson of TCS. + * Added matchpathcon function. + * Updated userspace AVC to handle netlink selinux notifications. + +1.6 2004-02-18 + * Merged conditional policy extensions from Tresys Technology. + * Added userspace avc and SID table implementation. + * Fixed type on size in getpeercon per Thorsten Kukuk's advice. + * Fixed use of getpwnam_r per Thorsten Kukuk's advice. + * Changed to use getpwnam_r rather than getpwnam internally to + avoid clobbering any existing pwd struct obtained by the caller. + * Added getpeercon function to encapsulate getsockopt SO_PEERSEC + and handle allocation ala getfilecon. + * Changed is_selinux_enabled to return -1 on errors. + * Changed to discover selinuxfs mount point via /proc/mounts + so that the mount point can be changed without rebuilding. + +1.4 2003-12-01 + * Merged another cleanup patch from Bastian Blank and Joerg Hoh. + * Regenerate headers for new permissions. + * Merged static lib build patch from Bastian Blank and Joerg Hoh. + * Export SELINUXMNT definition, add SELINUXPOLICY definition. + * Add functions to provide access to enforce and policyvers. + * Changed is_selinux_enabled to check /proc/filesystems for selinuxfs. + * Fixed type for 'size' in *getfilecon. + * Dropped -lattr and changed #include's to <sys/xattr.h> + * Merged patch to move shared library to /lib from Dan Walsh. + * Changed get_ordered_context_list to support a failsafe context. + * Added selinuxenabled utility. + * Merged const patch from Thorsten Kukuk. 
+ +1.2 2003-09-30 + * Change is_selinux_enabled to fail if policy isn't loaded. + * Changed Makefiles to allow non-root rpm builds. + * Added -lattr for libselinux.so to ensure proper binding. + +1.1 2003-08-13 + * Ensure that context strings are padded with a null byte + in case the kernel didn't include one. + * Regenerate headers, update helpers.c for code cleanup. + * Pass soname flag to linker (Colin Walters). + * Fixes for various items: add const as appropriate, handle missed OOM condition, clean up compile warnings (Colin Walters). + +1.0 2003-07-11 + * Initial public release. Deleted: tags/libselinux_1_30_30/libselinux/VERSION =================================================================== --- trunk/libselinux/VERSION 2006-09-29 15:44:05 UTC (rev 2047) +++ tags/libselinux_1_30_30/libselinux/VERSION 2006-10-06 00:17:46 UTC (rev 2050) @@ -1 +0,0 @@ -1.30.29 Copied: tags/libselinux_1_30_30/libselinux/VERSION (from rev 2049, trunk/libselinux/VERSION) =================================================================== --- tags/libselinux_1_30_30/libselinux/VERSION (rev 0) +++ tags/libselinux_1_30_30/libselinux/VERSION 2006-10-06 00:17:46 UTC (rev 2050) @@ -0,0 +1 @@ +1.30.30 Deleted: tags/libselinux_1_30_30/libselinux/include/selinux/avc.h =================================================================== --- trunk/libselinux/include/selinux/avc.h 2006-09-29 15:44:05 UTC (rev 2047) +++ tags/libselinux_1_30_30/libselinux/include/selinux/avc.h 2006-10-06 00:17:46 UTC (rev 2050) 
@@ -1,365 +0,0 @@ -/* - * Access vector cache interface for object managers. - * - * Author : Eamon Walsh <ew...@ep...> - */ -#ifndef _SELINUX_AVC_H_ -#define _SELINUX_AVC_H_ - -#include <sys/types.h> -#include <errno.h> -#include <stdlib.h> -#include <selinux/selinux.h> - -#ifdef __cplusplus -extern "C" { -#endif - -/* - * SID format and operations - */ - struct security_id { - security_context_t ctx; - unsigned int refcnt; - }; - typedef struct security_id *security_id_t; - -#define SECSID_WILD (security_id_t)NULL /* unspecified SID */ - -/** - * avc_sid_to_context - get copy of context corresponding to SID. - * @sid: input SID - * @ctx: pointer to context reference - * - * Return a copy of the security context corresponding to the input - * @sid in the memory referenced by @ctx. The caller is expected to - * free the context with freecon(). Return %0 on success, -%1 on - * failure, with @errno set to %ENOMEM if insufficient memory was - * available to make the copy, or %EINVAL if the input SID is invalid. - */ - int avc_sid_to_context(security_id_t sid, security_context_t * ctx); - -/** - * avc_context_to_sid - get SID for context. - * @ctx: input security context - * @sid: pointer to SID reference - * - * Look up security context @ctx in SID table, making - * a new entry if @ctx is not found. Increment the - * reference counter for the SID. Store a pointer - * to the SID structure into the memory referenced by @sid, - * returning %0 on success or -%1 on error with @errno set. - */ - int avc_context_to_sid(security_context_t ctx, security_id_t * sid); - -/** - * sidget - increment SID reference counter. - * @sid: SID reference - * - * Increment the reference counter for @sid, indicating that - * @sid is in use by an (additional) object. Return the - * new reference count, or zero if @sid is invalid (has zero - * reference count). Note that avc_context_to_sid() also - * increments reference counts. 
- */ - int sidget(security_id_t sid); - -/** - * sidput - decrement SID reference counter. - * @sid: SID reference - * - * Decrement the reference counter for @sid, indicating that - * a reference to @sid is no longer in use. Return the - * new reference count. When the reference count reaches - * zero, the SID is invalid, and avc_context_to_sid() must - * be called to obtain a new SID for the security context. - */ - int sidput(security_id_t sid); - -/* - * AVC entry - */ - struct avc_entry; - struct avc_entry_ref { - struct avc_entry *ae; - }; - -/** - * avc_entry_ref_init - initialize an AVC entry reference. - * @aeref: pointer to avc entry reference structure - * - * Use this macro to initialize an avc entry reference structure - * before first use. These structures are passed to avc_has_perm(), - * which stores cache entry references in them. They can increase - * performance on repeated queries. - */ -#define avc_entry_ref_init(aeref) ((aeref)->ae = NULL) - -/* - * User-provided callbacks for memory, auditing, and locking - */ - -/* These structures are passed by reference to avc_init(). Passing - * a NULL reference will cause the AVC to use a default. The default - * memory callbacks are malloc() and free(). The default logging method - * is to print on stderr. If no thread callbacks are passed, a separate - * listening thread won't be started for kernel policy change messages. - * If no locking callbacks are passed, no locking will take place. - */ - struct avc_memory_callback { - /* malloc() equivalent. */ - void *(*func_malloc) (size_t size); - /* free() equivalent. */ - void (*func_free) (void *ptr); - /* Note that these functions should set errno on failure. - If not, some avc routines may return -1 without errno set. */ - }; - - struct avc_log_callback { - /* log the printf-style format and arguments. */ - void (*func_log) (const char *fmt, ...); - /* store a string representation of auditdata (corresponding - to the given security class) into msgbuf. 
*/ - void (*func_audit) (void *auditdata, security_class_t cls, - char *msgbuf, size_t msgbufsize); - }; - - struct avc_thread_callback { - /* create and start a thread, returning an opaque pointer to it; - the thread should run the given function. */ - void *(*func_create_thread) (void (*run) (void)); - /* cancel a given thread and free its resources. */ - void (*func_stop_thread) (void *thread); - }; - - struct avc_lock_callback { - /* create a lock and return an opaque pointer to it. */ - void *(*func_alloc_lock) (void); - /* obtain a given lock, blocking if necessary. */ - void (*func_get_lock) (void *lock); - /* release a given lock. */ - void (*func_release_lock) (void *lock); - /* destroy a given lock (free memory, etc.) */ - void (*func_free_lock) (void *lock); - }; - -/* - * AVC operations - */ - -/** - * avc_init - Initialize the AVC. - * @msgprefix: prefix for log messages - * @mem_callbacks: user-supplied memory callbacks - * @log_callbacks: user-supplied logging callbacks - * @thread_callbacks: user-supplied threading callbacks - * @lock_callbacks: user-supplied locking callbacks - * - * Initialize the access vector cache. Return %0 on - * success or -%1 with @errno set on failure. - * If @msgprefix is NULL, use "uavc". If any callback - * structure references are NULL, use default methods - * for those callbacks (see the definition of the callback - * structures above). - */ - int avc_init(const char *msgprefix, - const struct avc_memory_callback *mem_callbacks, - const struct avc_log_callback *log_callbacks, - const struct avc_thread_callback *thread_callbacks, - const struct avc_lock_callback *lock_callbacks); - -/** - * avc_cleanup - Remove unused SIDs and AVC entries. - * - * Search the SID table for SID structures with zero - * reference counts, and remove them along with all - * AVC entries that reference them. This can be used - * to return memory to the system. 
- */ - void avc_cleanup(void); - -/** - * avc_reset - Flush the cache and reset statistics. - * - * Remove all entries from the cache and reset all access - * statistics (as returned by avc_cache_stats()) to zero. - * The SID mapping is not affected. Return %0 on success, - * -%1 with @errno set on error. - */ - int avc_reset(void); - -/** - * avc_destroy - Free all AVC structures. - * - * Destroy all AVC structures and free all allocated - * memory. User-supplied locking, memory, and audit - * callbacks will be retained, but security-event - * callbacks will not. All SID's will be invalidated. - * User must call avc_init() if further use of AVC is desired. - */ - void avc_destroy(void); - -/** - * avc_has_perm_noaudit - Check permissions but perform no auditing. - * @ssid: source security identifier - * @tsid: target security identifier - * @tclass: target security class - * @requested: requested permissions, interpreted based on @tclass - * @aeref: AVC entry reference - * @avd: access vector decisions - * - * Check the AVC to determine whether the @requested permissions are granted - * for the SID pair (@ssid, @tsid), interpreting the permissions - * based on @tclass, and call the security server on a cache miss to obtain - * a new decision and add it to the cache. Update @aeref to refer to an AVC - * entry with the resulting decisions, and return a copy of the decisions - * in @avd. Return %0 if all @requested permissions are granted, -%1 with - * @errno set to %EACCES if any permissions are denied, or to another value - * upon other errors. This function is typically called by avc_has_perm(), - * but may also be called directly to separate permission checking from - * auditing, e.g. in cases where a lock must be held for the check but - * should be released for the auditing. 
- */ - int avc_has_perm_noaudit(security_id_t ssid, - security_id_t tsid, - security_class_t tclass, - access_vector_t requested, - struct avc_entry_ref *aeref, - struct av_decision *avd); - -/** - * avc_has_perm - Check permissions and perform any appropriate auditing. - * @ssid: source security identifier - * @tsid: target security identifier - * @tclass: target security class - * @requested: requested permissions, interpreted based on @tclass - * @aeref: AVC entry reference - * @auditdata: auxiliary audit data - * - * Check the AVC to determine whether the @requested permissions are granted - * for the SID pair (@ssid, @tsid), interpreting the permissions - * based on @tclass, and call the security server on a cache miss to obtain - * a new decision and add it to the cache. Update @aeref to refer to an AVC - * entry with the resulting decisions. Audit the granting or denial of - * permissions in accordance with the policy. Return %0 if all @requested - * permissions are granted, -%1 with @errno set to %EACCES if any permissions - * are denied or to another value upon other errors. - */ - int avc_has_perm(security_id_t ssid, security_id_t tsid, - security_class_t tclass, access_vector_t requested, - struct avc_entry_ref *aeref, void *auditdata); - -/** - * avc_audit - Audit the granting or denial of permissions. - * @ssid: source security identifier - * @tsid: target security identifier - * @tclass: target security class - * @requested: requested permissions - * @avd: access vector decisions - * @result: result from avc_has_perm_noaudit - * @auditdata: auxiliary audit data - * - * Audit the granting or denial of permissions in accordance - * with the policy. This function is typically called by - * avc_has_perm() after a permission check, but can also be - * called directly by callers who use avc_has_perm_noaudit() - * in order to separate the permission check from the auditing. 
- * For example, this separation is useful when the permission check must - * be performed under a lock, to allow the lock to be released - * before calling the auditing code. - */ - void avc_audit(security_id_t ssid, security_id_t tsid, - security_class_t tclass, access_vector_t requested, - struct av_decision *avd, int result, void *auditdata); - -/* - * security event callback facility - */ - -/* security events */ -#define AVC_CALLBACK_GRANT 1 -#define AVC_CALLBACK_TRY_REVOKE 2 -#define AVC_CALLBACK_REVOKE 4 -#define AVC_CALLBACK_RESET 8 -#define AVC_CALLBACK_AUDITALLOW_ENABLE 16 -#define AVC_CALLBACK_AUDITALLOW_DISABLE 32 -#define AVC_CALLBACK_AUDITDENY_ENABLE 64 -#define AVC_CALLBACK_AUDITDENY_DISABLE 128 - -/** - * avc_add_callback - Register a callback for security events. - * @callback: callback function - * @events: bitwise OR of desired security events - * @ssid: source security identifier or %SECSID_WILD - * @tsid: target security identifier or %SECSID_WILD - * @tclass: target security class - * @perms: permissions - * - * Register a callback function for events in the set @events - * related to the SID pair (@ssid, @tsid) and - * and the permissions @perms, interpreting - * @perms based on @tclass. Returns %0 on success or - * -%1 if insufficient memory exists to add the callback. - */ - int avc_add_callback(int (*callback) - (u_int32_t event, security_id_t ssid, - security_id_t tsid, security_class_t tclass, - access_vector_t perms, - access_vector_t * out_retained), - u_int32_t events, security_id_t ssid, - security_id_t tsid, security_class_t tclass, - access_vector_t perms); - -/* - * AVC statistics - */ - -/* If set, cache statistics are tracked. This may - * become a compile-time option in the future. 
- */ -#define AVC_CACHE_STATS 1 - - struct avc_cache_stats { - unsigned entry_lookups; - unsigned entry_hits; - unsigned entry_misses; - unsigned entry_discards; - unsigned cav_lookups; - unsigned cav_hits; - unsigned cav_probes; - unsigned cav_misses; - }; - -/** - * avc_cache_stats - get cache access statistics. - * @stats: reference to statistics structure - * - * Fill the supplied structure with information about AVC - * activity since the last call to avc_init() or - * avc_reset(). See the structure definition for - * details. - */ - void avc_cache_stats(struct avc_cache_stats *stats); - -/** - * avc_av_stats - log av table statistics. - * - * Log a message with information about the size and - * distribution of the access vector table. The audit - * callback is used to print the message. - */ - void avc_av_stats(void); - -/** - * avc_sid_stats - log SID table statistics. - * - * Log a message with information about the size and - * distribution of the SID table. The audit callback - * is used to print the message. - */ - void avc_sid_stats(void); - -#ifdef __cplusplus -} -#endif -#endif /* _SELINUX_AVC_H_ */ Copied: tags/libselinux_1_30_30/libselinux/include/selinux/avc.h (from rev 2048, trunk/libselinux/include/selinux/avc.h) =================================================================== --- tags/libselinux_1_30_30/libselinux/include/selinux/avc.h (rev 0) +++ tags/libselinux_1_30_30/libselinux/include/selinux/avc.h 2006-10-06 00:17:46 UTC (rev 2050) 
@@ -0,0 +1,367 @@ +/* + * Access vector cache interface for object managers. + * + * Author : Eamon Walsh <ew...@ep...> + */ +#ifndef _SELINUX_AVC_H_ +#define _SELINUX_AVC_H_ + +#include <sys/types.h> +#include <errno.h> +#include <stdlib.h> +#include <selinux/selinux.h> + +#ifdef __cplusplus +extern "C" { +#endif + +/* + * SID format and operations + */ + struct security_id { + security_context_t ctx; + unsigned int refcnt; + }; + typedef struct security_id *security_id_t; + +#define SECSID_WILD (security_id_t)NULL /* unspecified SID */ + +/** + * avc_sid_to_context - get copy of context corresponding to SID. + * @sid: input SID + * @ctx: pointer to context reference + * + * Return a copy of the security context corresponding to the input + * @sid in the memory referenced by @ctx. The caller is expected to + * free the context with freecon(). Return %0 on success, -%1 on + * failure, with @errno set to %ENOMEM if insufficient memory was + * available to make the copy, or %EINVAL if the input SID is invalid. + */ + int avc_sid_to_context(security_id_t sid, security_context_t * ctx); + int avc_sid_to_context_raw(security_id_t sid, security_context_t * ctx); + +/** + * avc_context_to_sid - get SID for context. + * @ctx: input security context + * @sid: pointer to SID reference + * + * Look up security context @ctx in SID table, making + * a new entry if @ctx is not found. Increment the + * reference counter for the SID. Store a pointer + * to the SID structure into the memory referenced by @sid, + * returning %0 on success or -%1 on error with @errno set. + */ + int avc_context_to_sid(security_context_t ctx, security_id_t * sid); + int avc_context_to_sid_raw(security_context_t ctx, security_id_t * sid); + +/** + * sidget - increment SID reference counter. + * @sid: SID reference + * + * Increment the reference counter for @sid, indicating that + * @sid is in use by an (additional) object. 
Return the + * new reference count, or zero if @sid is invalid (has zero + * reference count). Note that avc_context_to_sid() also + * increments reference counts. + */ + int sidget(security_id_t sid); + +/** + * sidput - decrement SID reference counter. + * @sid: SID reference + * + * Decrement the reference counter for @sid, indicating that + * a reference to @sid is no longer in use. Return the + * new reference count. When the reference count reaches + * zero, the SID is invalid, and avc_context_to_sid() must + * be called to obtain a new SID for the security context. + */ + int sidput(security_id_t sid); + +/* + * AVC entry + */ + struct avc_entry; + struct avc_entry_ref { + struct avc_entry *ae; + }; + +/** + * avc_entry_ref_init - initialize an AVC entry reference. + * @aeref: pointer to avc entry reference structure + * + * Use this macro to initialize an avc entry reference structure + * before first use. These structures are passed to avc_has_perm(), + * which stores cache entry references in them. They can increase + * performance on repeated queries. + */ +#define avc_entry_ref_init(aeref) ((aeref)->ae = NULL) + +/* + * User-provided callbacks for memory, auditing, and locking + */ + +/* These structures are passed by reference to avc_init(). Passing + * a NULL reference will cause the AVC to use a default. The default + * memory callbacks are malloc() and free(). The default logging method + * is to print on stderr. If no thread callbacks are passed, a separate + * listening thread won't be started for kernel policy change messages. + * If no locking callbacks are passed, no locking will take place. + */ + struct avc_memory_callback { + /* malloc() equivalent. */ + void *(*func_malloc) (size_t size); + /* free() equivalent. */ + void (*func_free) (void *ptr); + /* Note that these functions should set errno on failure. + If not, some avc routines may return -1 without errno set. 
*/ + }; + + struct avc_log_callback { + /* log the printf-style format and arguments. */ + void (*func_log) (const char *fmt, ...); + /* store a string representation of auditdata (corresponding + to the given security class) into msgbuf. */ + void (*func_audit) (void *auditdata, security_class_t cls, + char *msgbuf, size_t msgbufsize); + }; + + struct avc_thread_callback { + /* create and start a thread, returning an opaque pointer to it; + the thread should run the given function. */ + void *(*func_create_thread) (void (*run) (void)); + /* cancel a given thread and free its resources. */ + void (*func_stop_thread) (void *thread); + }; + + struct avc_lock_callback { + /* create a lock and re... [truncated message content] |
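Review bot: the rpm_execcon entry at the top of the copied ChangeLog hunk records a fail-open choice that the entry itself does not call out: rpm_execcon falls back to a plain execve not only when is_selinux_enabled() says SELinux is off but also when it is "unable to determine due to a lack of /proc, e.g. chroot'd environment", so in a chroot without /proc the scriptlet runs with no context transition at all. The ChangeLog line (and the rpm_execcon man page) should state plainly that an indeterminate result is treated as "not enabled", so that anyone relying on the transition for confinement knows to mount /proc in the chroot or check is_selinux_enabled() themselves before calling it.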
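Review bot: the VERSION hunks show the tag being stitched together from more than one trunk revision: the deleted copy is `-1.30.29` from `trunk/libselinux/VERSION 2006-09-29 15:44:05 UTC (rev 2047)`, the replacement is `Copied: tags/libselinux_1_30_30/libselinux/VERSION (from rev 2049, ...)`, while avc.h below is `Copied: ... (from rev 2048, trunk/libselinux/include/selinux/avc.h)`. A release tag assembled file by file from different revisions cannot be audited against a single trunk state; prefer tagging with one `svn copy` of trunk at the revision that carries the 1.30.30 VERSION bump, so that tags/libselinux_1_30_30 corresponds to exactly one revision.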
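Review bot: in the removed avc.h, avc_has_perm() and avc_has_perm_noaudit() report a denial as `-1 with @errno set to %EACCES` and other failures as -1 with another errno, but the avc_memory_callback comment concedes that user-supplied allocators "should set errno on failure. If not, some avc routines may return -1 without errno set." An object manager that distinguishes "denied" from "could not decide" by testing errno == EACCES after a -1 can then misread an allocation failure as a policy decision, or a stale EACCES from an earlier call as a fresh denial. The AVC should set errno itself (ENOMEM) whenever func_malloc returns NULL without setting it, and the doc blocks should tell callers to treat any -1 as a denial unless they have positively identified a different errno.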
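Review bot: avc_sid_to_context_raw() and avc_context_to_sid_raw() are added directly under the kernel-doc blocks for avc_sid_to_context() and avc_context_to_sid() with no comment of their own, so the header never says what "raw" means for the context string, whether the result of the _raw getter is still freed with freecon(), or which variant an object manager should use when the context is going to be compared against kernel-supplied labels. Give each new declaration its own doc block in the same `/** ... */` style as the rest of the header.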
From: <mad...@us...> - 2006-10-31 18:39:33
Revision: 2076 http://svn.sourceforge.net/selinux/?rev=2076&view=rev Author: madmethod Date: 2006-10-31 10:39:13 -0800 (Tue, 31 Oct 2006) Log Message: ----------- branch for libsepol 1.15.2 Added Paths: ----------- tags/libsepol_1_15_2/ tags/libsepol_1_15_2/libsepol/ tags/libsepol_1_15_2/libsepol/ChangeLog tags/libsepol_1_15_2/libsepol/VERSION tags/libsepol_1_15_2/libsepol/src/link.c Removed Paths: ------------- tags/libsepol_1_15_2/libsepol/ChangeLog tags/libsepol_1_15_2/libsepol/VERSION tags/libsepol_1_15_2/libsepol/src/link.c Copied: tags/libsepol_1_15_2/libsepol (from rev 2074, trunk/libsepol) Deleted: tags/libsepol_1_15_2/libsepol/ChangeLog =================================================================== --- trunk/libsepol/ChangeLog 2006-10-24 16:09:54 UTC (rev 2074) +++ tags/libsepol_1_15_2/libsepol/ChangeLog 2006-10-31 18:39:13 UTC (rev 2076) 
@@ -1,581 +0,0 @@ -1.15.1 2006-10-24 - * Merged fix for version comparison that was preventing range - transition rules from being written for a version 5 base policy - from Darrel Goeddel. - -1.14 2006-10-17 - * Updated version for release. - -1.12.28 2006-09-28 - * Build libsepol's static object files with -fpic - -1.12.27 2006-09-28 - * Merged mls user and range_transition support in modules - from Darrel Goeddel - -1.12.26 2006-09-05 - * Merged range transition enhancements and user format changes - Darrel Goeddel - -1.12.25 2006-08-24 - * Merged conditionally expand neverallows patch from Jeremy Mowery. - * Merged refactor expander patch from Jeremy Mowery. - -1.12.24 2006-08-03 - * Merged libsepol unit tests from Joshua Brindle. - -1.12.23 2006-08-03 - * Merged symtab datum patch from Karl MacMillan. - -1.12.22 2006-08-03 - * Merged netfilter contexts support from Chris PeBenito. - -1.12.21 2006-07-28 - * Merged helpful hierarchy check errors patch from Joshua Brindle. - -1.12.20 2006-07-25 - * Merged semodule_deps patch from Karl MacMillan. - This adds source module names to the avrule decls. - -1.12.19 2006-06-29 - * Lindent. - -1.12.18 2006-06-26 - * Merged optionals in base take 2 patch set from Joshua Brindle. - -1.12.17 2006-05-30 - * Revert 1.12.16. - -1.12.16 2006-05-30 - * Merged cleaner fix for bool_ids overflow from Karl MacMillan, - replacing the prior patch. - -1.12.15 2006-05-30 - * Merged fixes for several memory leaks in the error paths during - policy read from Serge Hallyn. - -1.12.14 2006-05-25 - * Fixed bool_ids overflow bug in cond_node_find and cond_copy_list, - based on bug report and suggested fix by Cedric Roux. - -1.12.13 2006-05-24 - * Merged sens_copy_callback, check_role_hierarchy_callback, - and node_from_record fixes from Serge Hallyn. - -1.12.12 2006-05-22 - * Added sepol_policydb_compat_net() interface for testing whether - a policy requires the compatibility support for network checks - to be enabled in the kernel. 
- -1.12.11 2006-05-17 - * Merged patch to initialize sym_val_to_name arrays from Kevin Carr. - Reworked to use calloc in the first place, and converted some other - malloc/memset pairs to calloc calls. - -1.12.10 2006-05-08 - * Merged patch to revert role/user decl upgrade from Karl MacMillan. - -1.12.9 2006-05-08 - * Dropped tests from all Makefile target. - -1.12.8 2006-05-05 - * Merged fix warnings patch from Karl MacMillan. - -1.12.7 2006-05-05 - * Merged libsepol test framework patch from Karl MacMillan. - -1.12.6 2006-04-28 - * Fixed cond_normalize to traverse the entire cond list at link time. - -1.12.5 2006-04-03 - * Merged fix for leak of optional package sections from Ivan Gyurdiev. - -1.12.4 2006-03-29 - * Generalize test for bitmap overflow in ebitmap_set_bit. - -1.12.3 2006-03-27 - * Fixed attr_convert_callback and expand_convert_type_set - typemap bug. - -1.12.2 2006-03-24 - * Fixed avrule_block_write num_decls endian bug. - -1.12.1 2006-03-20 - * Fixed sepol_module_package_write buffer overflow bug. - -1.12 2006-03-14 - * Updated version for release. - -1.11.20 2006-03-08 - * Merged cond_evaluate_expr fix from Serge Hallyn (IBM). - * Fixed bug in copy_avrule_list reported by Ivan Gyurdiev. - -1.11.19 2006-02-21 - * Merged sepol_policydb_mls_enabled interface and error handling - changes from Ivan Gyurdiev. - -1.11.18 2006-02-16 - * Merged node_expand_addr bugfix and node_compare* change from - Ivan Gyurdiev. - -1.11.17 2006-02-15 - * Merged nodes, ports: always prepend patch from Ivan Gyurdiev. - * Merged bug fix patch from Ivan Gyurdiev. - -1.11.16 2006-02-14 - * Added a defined flag to level_datum_t for use by checkpolicy. - -1.11.15 2006-02-14 - * Merged nodecon support patch from Ivan Gyurdiev. - * Merged cleanups patch from Ivan Gyurdiev. - -1.11.14 2006-02-13 - * Merged optionals in base patch from Joshua Brindle. - -1.11.13 2006-02-07 - * Merged seuser/user_extra support patch from Joshua Brindle. - * Merged fix patch from Ivan Gyurdiev. 
- -1.11.12 2006-02-02 - * Merged clone record on set_con patch from Ivan Gyurdiev. - -1.11.11 2006-02-01 - * Merged assertion copying bugfix from Joshua Brindle. - * Merged sepol_av_to_string patch from Joshua Brindle. - -1.11.10 2006-01-30 - * Merged cond_expr mapping and package section count bug fixes - from Joshua Brindle. - * Merged improve port/fcontext API patch from Ivan Gyurdiev. - * Merged fixes for overflow bugs on 64-bit from Ivan Gyurdiev. - -1.11.9 2006-01-12 - * Merged size_t -> unsigned int patch from Ivan Gyurdiev. - -1.11.8 2006-01-09 - * Merged 2nd const in APIs patch from Ivan Gyurdiev. - -1.11.7 2006-01-06 - * Merged const in APIs patch from Ivan Gyurdiev. - * Merged compare2 function patch from Ivan Gyurdiev. - -1.11.6 2006-01-06 - * Fixed hierarchy checker to only check allow rules. - -1.11.5 2006-01-05 - * Merged further fixes from Russell Coker, specifically: - - av_to_string overflow checking - - sepol_context_to_string error handling - - hierarchy checking memory leak fixes and optimizations - - avrule_block_read variable initialization - * Marked deprecated code in genbools and genusers. - -1.11.4 2006-01-05 - * Merged bugfix for sepol_port_modify from Russell Coker. - -1.11.3 2006-01-05 - * Fixed bug in sepol_iface_modify error path noted by Ivan Gyurdiev. - * Merged port ordering patch from Ivan Gyurdiev. - -1.11.2 2006-01-04 - * Merged patch series from Ivan Gyurdiev. - This includes patches to: - - support ordering of records in compare function - - enable port interfaces - - add interfaces for context validity and range checks - - add include guards - -1.11.1 2005-12-16 - * Fixed mls_range_cpy bug. - -1.10 2005-12-07 - * Updated version for release. - -1.9.42 2005-12-05 - * Dropped handle from user_del_role interface. - -1.9.41 2005-11-28 - * Merged remove defrole from sepol patch from Ivan Gyurdiev. - -1.9.40 2005-11-15 - * Merged module function and map file cleanup from Ivan Gyurdiev. 
- * Merged MLS and genusers cleanups from Ivan Gyurdiev. - -1.9.39 2005-11-09 - Prepare for removal of booleans* and *.users files. - * Cleaned up sepol_genbools to not regenerate the image if - there were no changes in the boolean values, including the - degenerate case where there are no booleans or booleans.local - files. - * Cleaned up sepol_genusers to not warn on missing local.users. - -1.9.38 2005-11-08 - * Removed sepol_port_* from libsepol.map, as the port interfaces - are not yet stable. - -1.9.37 2005-11-04 - * Merged context destroy cleanup patch from Ivan Gyurdiev. - -1.9.36 2005-11-03 - * Merged context_to_string interface change patch from Ivan Gyurdiev. - -1.9.35 2005-11-01 - * Added src/dso.h and src/*_internal.h. - Added hidden_def for exported symbols used within libsepol. - Added hidden for symbols that should not be exported by - the wildcards in libsepol.map. - -1.9.34 2005-10-31 - * Merged record interface, record bugfix, and set_roles patches - from Ivan Gyurdiev. - -1.9.33 2005-10-27 - * Merged count specification change from Ivan Gyurdiev. - -1.9.32 2005-10-26 - * Added further checking and error reporting to - sepol_module_package_read and _info. - -1.9.31 2005-10-26 - * Merged sepol handle passing, DEBUG conversion, and memory leak - fix patches from Ivan Gyurdiev. - -1.9.30 2005-10-25 - * Removed processing of system.users from sepol_genusers and - dropped delusers logic. - -1.9.29 2005-10-25 - * Removed policydb_destroy from error path of policydb_read, - since create/init/destroy/free of policydb is handled by the - caller now. - * Fixed sepol_module_package_read to handle a failed policydb_read - properly. - -1.9.28 2005-10-25 - * Merged query/exists and count patches from Ivan Gyurdiev. - -1.9.27 2005-10-25 - * Merged fix for pruned types in expand code from Joshua Brindle. - * Merged new module package format code from Joshua Brindle. 
- -1.9.26 2005-10-24 - * Merged context interface cleanup, record conversion code, - key passing, and bug fix patches from Ivan Gyurdiev. - -1.9.25 2005-10-21 - * Merged users cleanup patch from Ivan Gyurdiev. - -1.9.24 2005-10-21 - * Merged user record memory leak fix from Ivan Gyurdiev. - * Merged reorganize users patch from Ivan Gyurdiev. - -1.9.23 2005-10-19 - * Added check flag to expand_module() to control assertion - and hierarchy checking on expansion. - -1.9.22 2005-10-19 - * Reworked check_assertions() and hierarchy_check_constraints() - to take handles and use callback-based error reporting. - * Changed expand_module() to call check_assertions() and - hierarchy_check_constraints() prior to returning the expanded - policy. - -1.9.21 2005-10-18 - * Changed sepol_module_package_set_file_contexts to copy the - file contexts data since it is internally managed. - -1.9.20 2005-10-18 - * Added sepol_policy_file_set_handle interface to associate - a handle with a policy file. - * Added handle argument to policydb_from_image/to_image. - * Added sepol_module_package_set_file_contexts interface. - * Dropped sepol_module_package_create_file interface. - * Reworked policydb_read/write, policydb_from_image/to_image, - and sepol_module_package_read/write to use callback-based error - reporting system rather than DEBUG. - -1.9.19 2005-10-17 - * Reworked link_packages, link_modules, and expand_module to use - callback-based error reporting system rather than error buffering. - -1.9.18 2005-10-14 - * Merged conditional expression mapping fix in the module linking - code from Joshua Brindle. - -1.9.17 2005-10-13 - * Hid sepol_module_package type definition, and added get interfaces. - -1.9.16 2005-10-13 - * Merged new callback-based error reporting system from Ivan - Gyurdiev. - -1.9.15 2005-10-13 - * Merged support for require blocks inside conditionals from - Joshua Brindle (Tresys). 
- -1.9.14 2005-10-07 - * Fixed use of policydb_from_image/to_image to ensure proper - init of policydb. - -1.9.13 2005-10-07 - * Isolated policydb internal headers under <sepol/policydb/*.h>. - These headers should only be used by users of the static libsepol. - Created new <sepol/policydb.h> with new public types and interfaces - for shared libsepol. - Created new <sepol/module.h> with public types and interfaces moved - or wrapped from old module.h, link.h, and expand.h, adjusted for - new public types for policydb and policy_file. - Added public interfaces to libsepol.map. - Some implementation changes visible to users of the static libsepol: - 1) policydb_read no longer calls policydb_init. - Caller must do so first. - 2) policydb_init no longer takes policy_type argument. - Caller must set policy_type separately. - 3) expand_module automatically enables the global branch. - Caller no longer needs to do so. - 4) policydb_write uses the policy_type and policyvers from the - policydb itself, and sepol_set_policyvers() has been removed. - -1.9.12 2005-10-06 - * Merged function renaming and static cleanup from Ivan Gyurdiev. - -1.9.11 2005-10-05 - * Merged bug fix for check_assertions handling of no assertions - from Joshua Brindle (Tresys). - -1.9.10 2005-10-04 - * Merged iterate patch from Ivan Gyurdiev. - -1.9.9 2005-10-03 - * Merged MLS in modules patch from Joshua Brindle (Tresys). - -1.9.8 2005-09-30 - * Merged pointer typedef elimination patch from Ivan Gyurdiev. - * Merged user list function, new mls functions, and bugfix patch - from Ivan Gyurdiev. - -1.9.7 2005-09-28 - * Merged sepol_get_num_roles fix from Karl MacMillan (Tresys). - -1.9.6 2005-09-23 - * Merged bug fix patches from Joshua Brindle (Tresys). - -1.9.5 2005-09-21 - * Merged boolean record and memory leak fix patches from Ivan - Gyurdiev. - -1.9.4 2005-09-19 - * Merged interface record patch from Ivan Gyurdiev. 
- -1.9.3 2005-09-14 - * Merged fix for sepol_enable/disable_debug from Ivan - Gyurdiev. - -1.9.2 2005-09-14 - * Merged stddef.h patch and debug conversion patch from - Ivan Gyurdiev. - -1.9.1 2005-09-09 - * Fixed expand_avtab and expand_cond_av_list to keep separate - entries with identical keys but different enabled flags. - -1.8 2005-09-06 - * Updated version for release. - -1.7.24 2005-08-31 - * Fixed symtab_insert return value for duplicate declarations. - -1.7.23 2005-08-31 - * Merged fix for memory error in policy_module_destroy from - Jason Tang (Tresys). - -1.7.22 2005-08-26 - * Merged fix for memory leak in sepol_context_to_sid from - Jason Tang (Tresys). - -1.7.21 2005-08-25 - * Merged fixes for resource leaks on error paths and - change to scope_destroy from Joshua Brindle (Tresys). - -1.7.20 2005-08-23 - * Merged more fixes for resource leaks on error paths - from Serge Hallyn (IBM). Bugs found by Coverity. - -1.7.19 2005-08-19 - * Changed to treat all type conflicts as fatal errors. - -1.7.18 2005-08-18 - * Merged several error handling fixes from - Serge Hallyn (IBM). Bugs found by Coverity. - -1.7.17 2005-08-15 - * Fixed further memory leaks found by valgrind. - -1.7.16 2005-08-15 - * Fixed several memory leaks found by valgrind. - -1.7.15 2005-08-12 - * Fixed empty list test in cond_write_av_list. Bug found by - Coverity, reported by Serge Hallyn (IBM). - * Merged patch to policydb_write to check errors - when writing the type->attribute reverse map from - Serge Hallyn (IBM). Bug found by Coverity. - * Fixed policydb_destroy to properly handle NULL type_attr_map - or attr_type_map. - -1.7.14 2005-08-12 - * Fixed use of uninitialized data by expand_avtab_node by - clearing type_val_to_struct in policydb_index_others. - -1.7.13 2005-08-11 - * Improved memory use by SELinux by both reducing the avtab - node size and reducing the number of avtab nodes (by not - expanding attributes in TE rules when possible). 
Added - expand_avtab and expand_cond_av_list functions for use by - assertion checker, hierarchy checker, compatibility code, - and dispol. Added new inline ebitmap operators and converted - existing users of ebitmaps to the new operators for greater - efficiency. - Note: The binary policy format version has been incremented to - version 20 as a result of these changes. - -1.7.12 2005-08-10 - * Fixed bug in constraint_node_clone handling of name sets. - -1.7.11 2005-08-08 - * Fix range_trans_clone to map the type values properly. - -1.7.10 2005-08-02 - * Merged patch to move module read/write code from libsemanage - to libsepol from Jason Tang (Tresys). - -1.7.9 2005-08-02 - * Enabled further compiler warning flags and fixed them. - -1.7.8 2005-08-02 - * Merged user, context, port records patch from Ivan Gyurdiev. - * Merged key extract function patch from Ivan Gyurdiev. - -1.7.7 2005-07-27 - * Merged mls_context_to_sid bugfix from Ivan Gyurdiev. - -1.7.6 2005-07-26 - * Merged context reorganization, memory leak fixes, - port and interface loading, replacements for genusers and - genbools, debug traceback, and bugfix patches from Ivan Gyurdiev. - * Merged uninitialized variable bugfix from Dan Walsh. - -1.7.5 2005-07-18 - * Merged debug support, policydb conversion functions from Ivan Gyurdiev (Red Hat). - * Removed genpolbools and genpolusers utilities. - -1.7.4 2005-07-18 - * Merged hierarchy check fix from Joshua Brindle (Tresys). - -1.7.3 2005-07-13 - * Merged header file cleanup and memory leak fix from Ivan Gyurdiev (Red Hat). - -1.7.2 2005-07-11 - * Merged genbools debugging message cleanup from Red Hat. - -1.7.1 2005-07-06 - * Merged loadable module support from Tresys Technology. - -1.6 2005-06-20 - * Updated version for release. - -1.5.10 2005-05-19 - * License changed to LGPL v2.1, see COPYING. - -1.5.9 2005-05-16 - * Added sepol_genbools_policydb and sepol_genusers_policydb for - audit2why. 
- -1.5.8 2005-05-13 - * Added sepol_ prefix to Flask types to avoid - namespace collision with libselinux. - -1.5.7 2005-05-13 - * Added sepol_compute_av_reason() for audit2why. - -1.5.6 2005-04-25 - * Fixed bug in role hierarchy checker. - -1.5.5 2005-04-13 - * Merged hierarchical type/role patch from Tresys Technology. - * Merged MLS fixes from Darrel Goeddel of TCS. - -1.5.4 2005-04-13 - * Changed sepol_genusers to not delete users by default, - and added a sepol_set_delusers function to enable deletion. - Also, removed special case handling of system_u and user_u. - -1.5.3 2005-03-29 - * Merged booleans.local patch from Dan Walsh. - -1.5.2 2005-03-16 - * Added man page for sepol_check_context. - -1.5.1 2005-03-15 - * Added man page for sepol_genusers function. - * Merged man pages for genpolusers and chkcon from Manoj Srivastava. - -1.4 2005-03-09 - * Updated version for release. - -1.3.8 2005-03-08 - * Cleaned up error handling in sepol_genusers and sepol_genbools. - -1.3.7 2005-02-28 - * Merged sepol_debug and fclose patch from Dan Walsh. - -1.3.6 2005-02-22 - * Changed sepol_genusers to also use getline and correctly handle - EOL. - -1.3.5 2005-02-17 - * Merged range_transition support from Darrel Goeddel (TCS). - -1.3.4 2005-02-16 - * Added sepol_genusers function. - -1.3.3 2005-02-14 - * Merged endianness and compute_av patches from Darrel Goeddel (TCS). - -1.3.2 2005-02-09 - * Changed relabel Makefile target to use restorecon. - -1.3.1 2005-01-26 - * Merged enhanced MLS support from Darrel Goeddel (TCS). - -1.2.1 2005-01-19 - * Merged build fix patch from Manoj Srivastava. - -1.2 2004-10-07 - * MLS build fixes. - * Added sepol_set_policydb_from_file and sepol_check_context for setfiles. - -1.0 2004-08-19 - * Initial public release. - -0.4 2004-08-13 - * Merged patch from Dan Walsh to ignore case on booleans. - * Changed sepol_genbools* to preserve the original policy version. - * Replaced exported global variables with set functions. 
- * Moved genpolbools utility from checkpolicy to libsepol. - * Added man pages for sepol_genbools* and genpolbools. - -0.3 2004-08-10 - * Added ChangeLog, COPYING, spec file. - * Added sepol_genbools_array() for load_policy. - * Created libsepol.map to limit exported symbols in shared library. - -0.2 2004-08-09 - * Exported other functions for checkpolicy and friends. - * Renamed service and sidtab functions to avoid libselinux conflict. - * Removed original code from checkpolicy, which now uses libsepol. - * Code cleanup: kill legacy references to kernel types/functions. - -0.1 2004-08-06 - * Moved checkpolicy core logic into a library. - * Exported sepol_genbools() for load_policy. Copied: tags/libsepol_1_15_2/libsepol/ChangeLog (from rev 2075, trunk/libsepol/ChangeLog) =================================================================== --- tags/libsepol_1_15_2/libsepol/ChangeLog (rev 0) +++ tags/libsepol_1_15_2/libsepol/ChangeLog 2006-10-31 18:39:13 UTC (rev 2076) 
@@ -0,0 +1,585 @@ +1.15.2 2006-10-31 + * Merged fix from Karl MacMillan for a segfault when linking + non-MLS modules with users in them. + +1.15.1 2006-10-24 + * Merged fix for version comparison that was preventing range + transition rules from being written for a version 5 base policy + from Darrel Goeddel. + +1.14 2006-10-17 + * Updated version for release. + +1.12.28 2006-09-28 + * Build libsepol's static object files with -fpic + +1.12.27 2006-09-28 + * Merged mls user and range_transition support in modules + from Darrel Goeddel + +1.12.26 2006-09-05 + * Merged range transition enhancements and user format changes + Darrel Goeddel + +1.12.25 2006-08-24 + * Merged conditionally expand neverallows patch from Jeremy Mowery. + * Merged refactor expander patch from Jeremy Mowery. + +1.12.24 2006-08-03 + * Merged libsepol unit tests from Joshua Brindle. + +1.12.23 2006-08-03 + * Merged symtab datum patch from Karl MacMillan. + +1.12.22 2006-08-03 + * Merged netfilter contexts support from Chris PeBenito. + +1.12.21 2006-07-28 + * Merged helpful hierarchy check errors patch from Joshua Brindle. + +1.12.20 2006-07-25 + * Merged semodule_deps patch from Karl MacMillan. + This adds source module names to the avrule decls. + +1.12.19 2006-06-29 + * Lindent. + +1.12.18 2006-06-26 + * Merged optionals in base take 2 patch set from Joshua Brindle. + +1.12.17 2006-05-30 + * Revert 1.12.16. + +1.12.16 2006-05-30 + * Merged cleaner fix for bool_ids overflow from Karl MacMillan, + replacing the prior patch. + +1.12.15 2006-05-30 + * Merged fixes for several memory leaks in the error paths during + policy read from Serge Hallyn. + +1.12.14 2006-05-25 + * Fixed bool_ids overflow bug in cond_node_find and cond_copy_list, + based on bug report and suggested fix by Cedric Roux. + +1.12.13 2006-05-24 + * Merged sens_copy_callback, check_role_hierarchy_callback, + and node_from_record fixes from Serge Hallyn. 
+ +1.12.12 2006-05-22 + * Added sepol_policydb_compat_net() interface for testing whether + a policy requires the compatibility support for network checks + to be enabled in the kernel. + +1.12.11 2006-05-17 + * Merged patch to initialize sym_val_to_name arrays from Kevin Carr. + Reworked to use calloc in the first place, and converted some other + malloc/memset pairs to calloc calls. + +1.12.10 2006-05-08 + * Merged patch to revert role/user decl upgrade from Karl MacMillan. + +1.12.9 2006-05-08 + * Dropped tests from all Makefile target. + +1.12.8 2006-05-05 + * Merged fix warnings patch from Karl MacMillan. + +1.12.7 2006-05-05 + * Merged libsepol test framework patch from Karl MacMillan. + +1.12.6 2006-04-28 + * Fixed cond_normalize to traverse the entire cond list at link time. + +1.12.5 2006-04-03 + * Merged fix for leak of optional package sections from Ivan Gyurdiev. + +1.12.4 2006-03-29 + * Generalize test for bitmap overflow in ebitmap_set_bit. + +1.12.3 2006-03-27 + * Fixed attr_convert_callback and expand_convert_type_set + typemap bug. + +1.12.2 2006-03-24 + * Fixed avrule_block_write num_decls endian bug. + +1.12.1 2006-03-20 + * Fixed sepol_module_package_write buffer overflow bug. + +1.12 2006-03-14 + * Updated version for release. + +1.11.20 2006-03-08 + * Merged cond_evaluate_expr fix from Serge Hallyn (IBM). + * Fixed bug in copy_avrule_list reported by Ivan Gyurdiev. + +1.11.19 2006-02-21 + * Merged sepol_policydb_mls_enabled interface and error handling + changes from Ivan Gyurdiev. + +1.11.18 2006-02-16 + * Merged node_expand_addr bugfix and node_compare* change from + Ivan Gyurdiev. + +1.11.17 2006-02-15 + * Merged nodes, ports: always prepend patch from Ivan Gyurdiev. + * Merged bug fix patch from Ivan Gyurdiev. + +1.11.16 2006-02-14 + * Added a defined flag to level_datum_t for use by checkpolicy. + +1.11.15 2006-02-14 + * Merged nodecon support patch from Ivan Gyurdiev. + * Merged cleanups patch from Ivan Gyurdiev. 
+ +1.11.14 2006-02-13 + * Merged optionals in base patch from Joshua Brindle. + +1.11.13 2006-02-07 + * Merged seuser/user_extra support patch from Joshua Brindle. + * Merged fix patch from Ivan Gyurdiev. + +1.11.12 2006-02-02 + * Merged clone record on set_con patch from Ivan Gyurdiev. + +1.11.11 2006-02-01 + * Merged assertion copying bugfix from Joshua Brindle. + * Merged sepol_av_to_string patch from Joshua Brindle. + +1.11.10 2006-01-30 + * Merged cond_expr mapping and package section count bug fixes + from Joshua Brindle. + * Merged improve port/fcontext API patch from Ivan Gyurdiev. + * Merged fixes for overflow bugs on 64-bit from Ivan Gyurdiev. + +1.11.9 2006-01-12 + * Merged size_t -> unsigned int patch from Ivan Gyurdiev. + +1.11.8 2006-01-09 + * Merged 2nd const in APIs patch from Ivan Gyurdiev. + +1.11.7 2006-01-06 + * Merged const in APIs patch from Ivan Gyurdiev. + * Merged compare2 function patch from Ivan Gyurdiev. + +1.11.6 2006-01-06 + * Fixed hierarchy checker to only check allow rules. + +1.11.5 2006-01-05 + * Merged further fixes from Russell Coker, specifically: + - av_to_string overflow checking + - sepol_context_to_string error handling + - hierarchy checking memory leak fixes and optimizations + - avrule_block_read variable initialization + * Marked deprecated code in genbools and genusers. + +1.11.4 2006-01-05 + * Merged bugfix for sepol_port_modify from Russell Coker. + +1.11.3 2006-01-05 + * Fixed bug in sepol_iface_modify error path noted by Ivan Gyurdiev. + * Merged port ordering patch from Ivan Gyurdiev. + +1.11.2 2006-01-04 + * Merged patch series from Ivan Gyurdiev. + This includes patches to: + - support ordering of records in compare function + - enable port interfaces + - add interfaces for context validity and range checks + - add include guards + +1.11.1 2005-12-16 + * Fixed mls_range_cpy bug. + +1.10 2005-12-07 + * Updated version for release. + +1.9.42 2005-12-05 + * Dropped handle from user_del_role interface. 
+ +1.9.41 2005-11-28 + * Merged remove defrole from sepol patch from Ivan Gyurdiev. + +1.9.40 2005-11-15 + * Merged module function and map file cleanup from Ivan Gyurdiev. + * Merged MLS and genusers cleanups from Ivan Gyurdiev. + +1.9.39 2005-11-09 + Prepare for removal of booleans* and *.users files. + * Cleaned up sepol_genbools to not regenerate the image if + there were no changes in the boolean values, including the + degenerate case where there are no booleans or booleans.local + files. + * Cleaned up sepol_genusers to not warn on missing local.users. + +1.9.38 2005-11-08 + * Removed sepol_port_* from libsepol.map, as the port interfaces + are not yet stable. + +1.9.37 2005-11-04 + * Merged context destroy cleanup patch from Ivan Gyurdiev. + +1.9.36 2005-11-03 + * Merged context_to_string interface change patch from Ivan Gyurdiev. + +1.9.35 2005-11-01 + * Added src/dso.h and src/*_internal.h. + Added hidden_def for exported symbols used within libsepol. + Added hidden for symbols that should not be exported by + the wildcards in libsepol.map. + +1.9.34 2005-10-31 + * Merged record interface, record bugfix, and set_roles patches + from Ivan Gyurdiev. + +1.9.33 2005-10-27 + * Merged count specification change from Ivan Gyurdiev. + +1.9.32 2005-10-26 + * Added further checking and error reporting to + sepol_module_package_read and _info. + +1.9.31 2005-10-26 + * Merged sepol handle passing, DEBUG conversion, and memory leak + fix patches from Ivan Gyurdiev. + +1.9.30 2005-10-25 + * Removed processing of system.users from sepol_genusers and + dropped delusers logic. + +1.9.29 2005-10-25 + * Removed policydb_destroy from error path of policydb_read, + since create/init/destroy/free of policydb is handled by the + caller now. + * Fixed sepol_module_package_read to handle a failed policydb_read + properly. + +1.9.28 2005-10-25 + * Merged query/exists and count patches from Ivan Gyurdiev. 
+ +1.9.27 2005-10-25 + * Merged fix for pruned types in expand code from Joshua Brindle. + * Merged new module package format code from Joshua Brindle. + +1.9.26 2005-10-24 + * Merged context interface cleanup, record conversion code, + key passing, and bug fix patches from Ivan Gyurdiev. + +1.9.25 2005-10-21 + * Merged users cleanup patch from Ivan Gyurdiev. + +1.9.24 2005-10-21 + * Merged user record memory leak fix from Ivan Gyurdiev. + * Merged reorganize users patch from Ivan Gyurdiev. + +1.9.23 2005-10-19 + * Added check flag to expand_module() to control assertion + and hierarchy checking on expansion. + +1.9.22 2005-10-19 + * Reworked check_assertions() and hierarchy_check_constraints() + to take handles and use callback-based error reporting. + * Changed expand_module() to call check_assertions() and + hierarchy_check_constraints() prior to returning the expanded + policy. + +1.9.21 2005-10-18 + * Changed sepol_module_package_set_file_contexts to copy the + file contexts data since it is internally managed. + +1.9.20 2005-10-18 + * Added sepol_policy_file_set_handle interface to associate + a handle with a policy file. + * Added handle argument to policydb_from_image/to_image. + * Added sepol_module_package_set_file_contexts interface. + * Dropped sepol_module_package_create_file interface. + * Reworked policydb_read/write, policydb_from_image/to_image, + and sepol_module_package_read/write to use callback-based error + reporting system rather than DEBUG. + +1.9.19 2005-10-17 + * Reworked link_packages, link_modules, and expand_module to use + callback-based error reporting system rather than error buffering. + +1.9.18 2005-10-14 + * Merged conditional expression mapping fix in the module linking + code from Joshua Brindle. + +1.9.17 2005-10-13 + * Hid sepol_module_package type definition, and added get interfaces. + +1.9.16 2005-10-13 + * Merged new callback-based error reporting system from Ivan + Gyurdiev. 
+ +1.9.15 2005-10-13 + * Merged support for require blocks inside conditionals from + Joshua Brindle (Tresys). + +1.9.14 2005-10-07 + * Fixed use of policydb_from_image/to_image to ensure proper + init of policydb. + +1.9.13 2005-10-07 + * Isolated policydb internal headers under <sepol/policydb/*.h>. + These headers should only be used by users of the static libsepol. + Created new <sepol/policydb.h> with new public types and interfaces + for shared libsepol. + Created new <sepol/module.h> with public types and interfaces moved + or wrapped from old module.h, link.h, and expand.h, adjusted for + new public types for policydb and policy_file. + Added public interfaces to libsepol.map. + Some implementation changes visible to users of the static libsepol: + 1) policydb_read no longer calls policydb_init. + Caller must do so first. + 2) policydb_init no longer takes policy_type argument. + Caller must set policy_type separately. + 3) expand_module automatically enables the global branch. + Caller no longer needs to do so. + 4) policydb_write uses the policy_type and policyvers from the + policydb itself, and sepol_set_policyvers() has been removed. + +1.9.12 2005-10-06 + * Merged function renaming and static cleanup from Ivan Gyurdiev. + +1.9.11 2005-10-05 + * Merged bug fix for check_assertions handling of no assertions + from Joshua Brindle (Tresys). + +1.9.10 2005-10-04 + * Merged iterate patch from Ivan Gyurdiev. + +1.9.9 2005-10-03 + * Merged MLS in modules patch from Joshua Brindle (Tresys). + +1.9.8 2005-09-30 + * Merged pointer typedef elimination patch from Ivan Gyurdiev. + * Merged user list function, new mls functions, and bugfix patch + from Ivan Gyurdiev. + +1.9.7 2005-09-28 + * Merged sepol_get_num_roles fix from Karl MacMillan (Tresys). + +1.9.6 2005-09-23 + * Merged bug fix patches from Joshua Brindle (Tresys). + +1.9.5 2005-09-21 + * Merged boolean record and memory leak fix patches from Ivan + Gyurdiev. 
+ +1.9.4 2005-09-19 + * Merged interface record patch from Ivan Gyurdiev. + +1.9.3 2005-09-14 + * Merged fix for sepol_enable/disable_debug from Ivan + Gyurdiev. + +1.9.2 2005-09-14 + * Merged stddef.h patch and debug conversion patch from + Ivan Gyurdiev. + +1.9.1 2005-09-09 + * Fixed expand_avtab and expand_cond_av_list to keep separate + entries with identical keys but different enabled flags. + +1.8 2005-09-06 + * Updated version for release. + +1.7.24 2005-08-31 + * Fixed symtab_insert return value for duplicate declarations. + +1.7.23 2005-08-31 + * Merged fix for memory error in policy_module_destroy from + Jason Tang (Tresys). + +1.7.22 2005-08-26 + * Merged fix for memory leak in sepol_context_to_sid from + Jason Tang (Tresys). + +1.7.21 2005-08-25 + * Merged fixes for resource leaks on error paths and + change to scope_destroy from Joshua Brindle (Tresys). + +1.7.20 2005-08-23 + * Merged more fixes for resource leaks on error paths + from Serge Hallyn (IBM). Bugs found by Coverity. + +1.7.19 2005-08-19 + * Changed to treat all type conflicts as fatal errors. + +1.7.18 2005-08-18 + * Merged several error handling fixes from + Serge Hallyn (IBM). Bugs found by Coverity. + +1.7.17 2005-08-15 + * Fixed further memory leaks found by valgrind. + +1.7.16 2005-08-15 + * Fixed several memory leaks found by valgrind. + +1.7.15 2005-08-12 + * Fixed empty list test in cond_write_av_list. Bug found by + Coverity, reported by Serge Hallyn (IBM). + * Merged patch to policydb_write to check errors + when writing the type->attribute reverse map from + Serge Hallyn (IBM). Bug found by Coverity. + * Fixed policydb_destroy to properly handle NULL type_attr_map + or attr_type_map. + +1.7.14 2005-08-12 + * Fixed use of uninitialized data by expand_avtab_node by + clearing type_val_to_struct in policydb_index_others. 
+ +1.7.13 2005-08-11 + * Improved memory use by SELinux by both reducing the avtab + node size and reducing the number of avtab nodes (by not + expanding attributes in TE rules when possible). Added + expand_avtab and expand_cond_av_list functions for use by + assertion checker, hierarchy checker, compatibility code, + and dispol. Added new inline ebitmap operators and converted + existing users of ebitmaps to the new operators for greater + efficiency. + Note: The binary policy format version has been incremented to + version 20 as a result of these changes. + +1.7.12 2005-08-10 + * Fixed bug in constraint_node_clone handling of name sets. + +1.7.11 2005-08-08 + * Fix range_trans_clone to map the type values properly. + +1.7.10 2005-08-02 + * Merged patch to move module read/write code from libsemanage + to libsepol from Jason Tang (Tresys). + +1.7.9 2005-08-02 + * Enabled further compiler warning flags and fixed them. + +1.7.8 2005-08-02 + * Merged user, context, port records patch from Ivan Gyurdiev. + * Merged key extract function patch from Ivan Gyurdiev. + +1.7.7 2005-07-27 + * Merged mls_context_to_sid bugfix from Ivan Gyurdiev. + +1.7.6 2005-07-26 + * Merged context reorganization, memory leak fixes, + port and interface loading, replacements for genusers and + genbools, debug traceback, and bugfix patches from Ivan Gyurdiev. + * Merged uninitialized variable bugfix from Dan Walsh. + +1.7.5 2005-07-18 + * Merged debug support, policydb conversion functions from Ivan Gyurdiev (Red Hat). + * Removed genpolbools and genpolusers utilities. + +1.7.4 2005-07-18 + * Merged hierarchy check fix from Joshua Brindle (Tresys). + +1.7.3 2005-07-13 + * Merged header file cleanup and memory leak fix from Ivan Gyurdiev (Red Hat). + +1.7.2 2005-07-11 + * Merged genbools debugging message cleanup from Red Hat. + +1.7.1 2005-07-06 + * Merged loadable module support from Tresys Technology. + +1.6 2005-06-20 + * Updated version for release. 
+ +1.5.10 2005-05-19 + * License changed to LGPL v2.1, see COPYING. + +1.5.9 2005-05-16 + * Added sepol_genbools_policydb and sepol_genusers_policydb for + audit2why. + +1.5.8 2005-05-13 + * Added sepol_ prefix to Flask types to avoid + namespace collision with libselinux. + +1.5.7 2005-05-13 + * Added sepol_compute_av_reason() for audit2why. + +1.5.6 2005-04-25 + * Fixed bug in role hierarchy checker. + +1.5.5 2005-04-13 + * Merged hierarchical type/role patch from Tresys Technology. + * Merged MLS fixes from Darrel Goeddel of TCS. + +1.5.4 2005-04-13 + * Changed sepol_genusers to not delete users by default, + and added a sepol_set_delusers function to enable deletion. + Also, removed special case handling of system_u and user_u. + +1.5.3 2005-03-29 + * Merged booleans.local patch from Dan Walsh. + +1.5.2 2005-03-16 + * Added man page for sepol_check_context. + +1.5.1 2005-03-15 + * Added man page for sepol_genusers function. + * Merged man pages for genpolusers and chkcon from Manoj Srivastava. + +1.4 2005-03-09 + * Updated version for release. + +1.3.8 2005-03-08 + * Cleaned up error handling in sepol_genusers and sepol_genbools. + +1.3.7 2005-02-28 + * Merged sepol_debug and fclose patch from Dan Walsh. + +1.3.6 2005-02-22 + * Changed sepol_genusers to also use getline and correctly handle + EOL. + +1.3.5 2005-02-17 + * Merged range_transition support from Darrel Goeddel (TCS). + +1.3.4 2005-02-16 + * Added sepol_genusers function. + +1.3.3 2005-02-14 + * Merged endianness and compute_av patches from Darrel Goeddel (TCS). + +1.3.2 2005-02-09 + * Changed relabel Makefile target to use restorecon. + +1.3.1 2005-01-26 + * Merged enhanced MLS support from Darrel Goeddel (TCS). + +1.2.1 2005-01-19 + * Merged build fix patch from Manoj Srivastava. + +1.2 2004-10-07 + * MLS build fixes. + * Added sepol_set_policydb_from_file and sepol_check_context for setfiles. + +1.0 2004-08-19 + * Initial public release. 
+ +0.4 2004-08-13 + * Merged patch from Dan Walsh to ignore case on booleans. + * Changed sepol_genbools* to preserve the original policy version. + * Replaced exported global variables with set functions. + * Moved genpolbools utility from checkpolicy to libsepol. + * Added man pages for sepol_genbools* and genpolbools. + +0.3 2004-08-10 + * Added ChangeLog, COPYING, spec file. + * Added sepol_genbools_array() for load_policy. + * Created libsepol.map to limit exported symbols in shared library. + +0.2 2004-08-09 + * Exported other functions for checkpolicy and friends. + * Renamed service and sidtab functions to avoid libselinux conflict. + * Removed original code from checkpolicy, which now uses libsepol. + * Code cleanup: kill legacy references to kernel types/functions. + +0.1 2004-08-06 + * Moved checkpolicy core logic into a library. + * Exported sepol_genbools() for load_policy. Deleted: tags/libsepol_1_15_2/libsepol/VERSION =================================================================== --- trunk/libsepol/VERSION 2006-10-24 16:09:54 UTC (rev 2074) +++ tags/libsepol_1_15_2/libsepol/VERSION 2006-10-31 18:39:13 UTC (rev 2076) @@ -1 +0,0 @@ -1.15.1 Copied: tags/libsepol_1_15_2/libsepol/VERSION (from rev 2075, trunk/libsepol/VERSION) =================================================================== --- tags/libsepol_1_15_2/libsepol/VERSION (rev 0) +++ tags/libsepol_1_15_2/libsepol/VERSION 2006-10-31 18:39:13 UTC (rev 2076) @@ -0,0 +1 @@ +1.15.2 Deleted: tags/libsepol_1_15_2/libsepol/src/link.c =================================================================== --- trunk/libsepol/src/link.c 2006-10-24 16:09:54 UTC (rev 2074) +++ tags/libsepol_1_15_2/libsepol/src/link.c 2006-10-31 18:39:13 UTC (rev 2076) 
@@ -1,2216 +0,0 @@ -/* Authors: Karl MacMillan <kma...@tr...> - * Joshua Brindle <jbr...@tr...> - * Jason Tang <jt...@tr...> - * - * Copyright (C) 2004-2005 Tresys Technology, LLC - * - * This library is free software; you can redistribute it and/or - * modify it under the terms of the GNU Lesser General Public - * License as published by the Free Software Foundation; either - * version 2.1 of the License, or (at your option) any later version. - * - * This library is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - * Lesser General Public License for more details. - * - * You should have received a copy of the GNU Lesser General Public - * License along with this library; if not, write to the Free Software - * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA - */ - -#include <sepol/policydb/policydb.h> -#include <sepol/policydb/conditional.h> -#include <sepol/policydb/hashtab.h> -#include <sepol/policydb/avrule_block.h> -#include <sepol/policydb/link.h> -#include <sepol/policydb/util.h> - -#include <stdlib.h> -#include <stdarg.h> -#include <stdio.h> -#include <string.h> -#include <assert.h> - -#include "debug.h" - -#undef min -#define min(a,b) (((a) < (b)) ? 
(a) : (b)) - -typedef struct policy_module { - policydb_t *policy; - uint32_t num_decls; - uint32_t *map[SYM_NUM]; - uint32_t *avdecl_map; - uint32_t **perm_map; - uint32_t *perm_map_len; - - /* a pointer to within the base module's avrule_block chain to - * where this module's global now resides */ - avrule_block_t *base_global; -} policy_module_t; - -typedef struct link_state { - int verbose; - policydb_t *base; - avrule_block_t *last_avrule_block, *last_base_avrule_block; - uint32_t next_decl_id, current_decl_id; - - /* temporary variables, used during hashtab_map() calls */ - policy_module_t *cur; - char *cur_mod_name; - avrule_decl_t *dest_decl; - class_datum_t *src_class, *dest_class; - char *dest_class_name; - char dest_class_req; /* flag indicating the class was not declared */ - uint32_t symbol_num; - /* used to report the name of the module if dependancy error occurs */ - policydb_t **decl_to_mod; - - /* error reporting fields */ - sepol_handle_t *handle; -} link_state_t; - -typedef struct missing_requirement { - uint32_t symbol_type; - uint32_t symbol_value; - uint32_t perm_value; -} missing_requirement_t; - -static const char *symtab_names[SYM_NUM] = { - "common", "class", "role", "type/attribute", "user", - "bool", "level", "category" -}; - -/* Deallocates all elements within a module, but NOT the policydb_t - * structure within, as well as the pointer itself. */ -static void policy_module_destroy(policy_module_t * mod) -{ - unsigned int i; - if (mod == NULL) { - return; - } - for (i = 0; i < SYM_NUM; i++) { - free(mod->map[i]); - } - for (i = 0; mod->perm_map != NULL && i < mod->policy->p_classes.nprim; - i++) { - free(mod->perm_map[i]); - } - free(mod->perm_map); - free(mod->perm_map_len); - free(mod->avdecl_map); - free(mod); -} - -/***** functions that copy identifiers from a module to base *****/ - -/* Note: there is currently no scoping for permissions, which causes some - * strange side-effects. 
The current approach is this: - * - * a) perm is required and the class _and_ perm are declared in base: only add a mapping. - * b) perm is required and the class and perm are _not_ declared in base: simply add the permissions - * to the object class. This means that the requirements for the decl are the union of the permissions - * required for all decls, but who cares. - * c) perm is required, the class is declared in base, but the perm is not present. Nothing we can do - * here because we can't mark a single permission as required, so we bail with a requirement error - * _even_ if we are in an optional. - * - * A is correct behavior, b is wrong but not too bad, c is totall wrong for optionals. Fixing this requires - * a format change. - */ -static int permission_copy_callback(hashtab_key_t key, hashtab_datum_t datum, - void *data) -{ - char *perm_id = key, *new_id = NULL; - perm_datum_t *perm, *new_perm = NULL, *dest_perm; - link_state_t *state = (link_state_t *) data; - - class_datum_t *src_class = state->src_class; - class_datum_t *dest_class = state->dest_class; - policy_module_t *mod = state->cur; - uint32_t sclassi = src_class->s.value - 1; - int ret; - - perm = (perm_datum_t *) datum; - dest_perm = hashtab_search(dest_class->permissions.table, perm_id); - if (dest_perm == NULL && dest_class->comdatum != NULL) { - dest_perm = - hashtab_search(dest_class->comdatum->permissions.table, - perm_id); - } - - if (dest_perm == NULL) { - /* If the object class was not declared in the base, add the perm - * to the object class. 
*/ - if (state->dest_class_req) { - /* If the class was required (not declared), insert the new permission */ - new_id = strdup(perm_id); - if (new_id == NULL) { - ERR(state->handle, "Memory error"); - ret = -SEPOL_LINK_ERROR; - goto err; - } - new_perm = - (perm_datum_t *) calloc(1, sizeof(perm_datum_t)); - if (new_perm == NULL) { - ERR(state->handle, "Memory error"); - ret = -SEPOL_LINK_ERROR; - goto err; - } - ret = hashtab_insert(dest_class->permissions.table, - (hashtab_key_t) new_id, - (hashtab_datum_t) new_perm); - if (ret) { - ERR(state->handle, - "could not insert permission into class\n"); - goto err; - } - new_perm->s.value = dest_class->permissions.nprim + 1; - dest_perm = new_perm; - } else { - /* this is case c from above */ - ERR(state->handle, - "Module %s depends on permission %s in class %s, not satisfied", - state->cur_mod_name, perm_id, - state->dest_class_name); - return -SEPOL_LINK_REQNOTMET; - } - } - - /* build the mapping for permissions encompassing this class. - * unlike symbols, the permission map translates between - * module permission bit to target permission bit. 
that bit - * may have originated from the class -or- it could be from - * the class's common parent.*/ - if (perm->s.value > mod->perm_map_len[sclassi]) { - uint32_t *newmap = calloc(perm->s.value, sizeof(*newmap)); - if (newmap == NULL) { - ERR(state->handle, "Out of memory!"); - return -1; - } - memcpy(newmap, mod->perm_map[sclassi], - mod->perm_map_len[sclassi] * sizeof(*newmap)); - free(mod->perm_map[sclassi]); - mod->perm_map[sclassi] = newmap; - mod->perm_map_len[sclassi] = perm->s.value; - } - mod->perm_map[sclassi][perm->s.value - 1] = dest_perm->s.value; - - return 0; - err: - free(new_id); - free(new_perm); - return ret; -} - -static int class_copy_callback(hashtab_key_t key, hashtab_datum_t datum, - void *data) -{ - char *id = key, *new_id = NULL; - class_datum_t *cladatum, *new_class = NULL; - link_state_t *state = (link_state_t *) data; - scope_datum_t *scope = NULL; - int ret; - - cladatum = (class_datum_t *) datum; - state->dest_class_req = 0; - - new_class = hashtab_search(state->base->p_classes.table, id); - /* If there is not an object class already in the base symtab that means - * that either a) a module is trying to declare a new object class (which - * the compiler should prevent) or b) an object class was required that is - * not in the base. - */ - if (new_class == NULL) { - scope = - hashtab_search(state->cur->policy->p_classes_scope.table, - id); - if (scope == NULL) { - ret = -SEPOL_LINK_ERROR; - goto err; - } - if (scope->scope == SCOPE_DECL) { - /* disallow declarations in modules */ - ERR(state->handle, - "%s: Modules may not yet declare new classes.", - state->cur_mod_name); - ret = -SEPOL_LINK_NOTSUP; - goto err; - } else { - /* It would be nice to error early here because the requirement is - * not met, but we cannot because the decl might be optional (in which - * case we should record the requirement so that it is just turned - * off). 
Note: this will break horribly if modules can declare object - * classes because the class numbers will be all wrong (i.e., they - * might be assigned in the order they were required rather than the - * current scheme which ensures correct numbering by ordering the - * declarations properly). This can't be fixed until some infrastructure - * for querying the object class numbers is in place. */ - state->dest_class_req = 1; - new_class = - (class_datum_t *) calloc(1, sizeof(class_datum_t)); - if (new_class == NULL) { - ERR(state->handle, "Memory error\n"); - ret = -SEPOL_LINK_ERROR; - goto err; - } - if (symtab_init - (&new_class->permissions, PERM_SYMTAB_SIZE)) { - ret = -SEPOL_LINK_ERROR; - goto err; - } - new_id = strdup(id); - if (new_id == NULL) { - ERR(state->handle, "Memory error\n"); - ret = -SEPOL_LINK_ERROR; - goto err; - } - ret = hashtab_insert(state->base->p_classes.table, - (hashtab_key_t) new_id, - (hashtab_datum_t) new_class); - if (ret) { - ERR(state->handle, - "could not insert new class into symtab"); - goto err; - } - new_class->s.value = ++(state->base->p_classes.nprim); - } - } - - state->cur->map[SYM_CLASSES][cladatum->s.value - 1] = - new_class->s.value; - - /* copy permissions */ - state->src_class = cladatum; - state->dest_class = new_class; - state->dest_class_name = (char *)key; - - ret = - hashtab_map(cladatum->permissions.table, permission_copy_callback, - state); - if (ret != 0) { - return ret; - } - - return 0; - err: - free(new_class); - free(new_id); - return ret; -} - -static int role_copy_callback(hashtab_key_t key, hashtab_datum_t datum, - void *data) -{ - int ret; - char *id = key, *new_id = NULL; - role_datum_t *role, *base_role, *new_role = NULL; - link_state_t *state = (link_state_t *) data; - - role = (role_datum_t *) datum; - - base_role = hashtab_search(state->base->p_roles.table, id); - if (base_role == NULL) { - if (state->verbose) - INFO(state->handle, "copying role %s", id); - - if ((new_id = strdup(id)) == NULL) { - 
goto cleanup; - } - - if ((new_role = - (role_datum_t *) malloc(sizeof(*new_role))) == NULL) { - goto cleanup; - } - role_datum_init(new_role); - - /* new_role's dominates and types field will be copied - * during role_fix_callback() */ - new_role->s.value = state->base->p_roles.nprim + 1; - - ret = hashtab_insert(state->base->p_roles.table, - (hashtab_key_t) new_id, - (hashtab_datum_t) new_role); - if (ret) { - goto cleanup; - } - state->base->p_roles.nprim++; - base_role = new_role; - } - - if (state->dest_decl) { - new_id = NULL; - if ((new_role = malloc(sizeof(*new_role))) == NULL) { - goto cleanup; - } - role_datum_init(new_role); - new_role->s.value = base_role->s.value; - if ((new_id = strdup(id)) == NULL) { - goto cleanup; - } - if (hashtab_insert - (state->dest_decl->p_roles.table, new_id, new_role)) { - goto cleanup; - } - state->dest_decl->p_roles.nprim++; - } - - state->cur->map[SYM_ROLES][role->s.value - 1] = base_role->s.value; - return 0; - - cleanup: - ERR(state->handle, "Out of memory!"); - role_datum_destroy(new_role); - free(new_id); - free(new_role); - return -1; -} - -/* Copy types and attributes from a module into the base module. The - * attributes are copied, but the types that make up this attribute - * are delayed type_fix_callback(). */ -static int type_copy_callback(hashtab_key_t key, hashtab_datum_t datum, - void *data) -{ - int ret; - char *id = key, *new_id = NULL; - type_datum_t *type, *base_type, *new_type = NULL; - link_state_t *state = (link_state_t *) data; - - type = (type_datum_t *) datum; - if ((type->flavor == TYPE_TYPE && !type->primary) - || type->flavor == TYPE_ALIAS) { - /* aliases are handled later, in alias_copy_callback() */ - return 0; - } - - base_type = hashtab_search(state->base->p_types.table, id); - if (base_type != NULL) { - /* type already exists. check that it is what this - * module expected. duplicate declarations (e.g., two - * modules both declare type foo_t) is checked during - * scope_copy_callback(). 
*/ - if (type->flavor == TYPE_ATTRIB - && base_type->flavor != TYPE_ATTRIB) { - ERR(state->handle, - "%s: Expected %s to be an attribute, but it was already declared as a type.", - state->cur_mod_name, id); - return -1; - } else if (type->flavor != TYPE_ATTRIB - && base_type->flavor == TYPE_ATTRIB) { - ERR(state->handle, - "%s: Expected %s to be a type, but it was already declared as an attribute.", - state->cur_mod_name, id); - return -1; - } - } else { - if (state->verbose) - INFO(state->handle, "copying type %s", id); - - if ((new_id = strdup(id)) == NULL) { - goto cleanup; - } - - if ((new_type = - (type_datum_t *) calloc(1, sizeof(*new_type))) == NULL) { - goto cleanup; - } - new_type->primary = type->primary; - new_type->flavor = type->flavor; - /* for attributes, the writing of new_type->types is - done in type_fix_callback() */ - - new_type->s.value = state->base->p_types.nprim + 1; - - ret = hashtab_insert(state->base->p_types.table, - (hashtab_key_t) new_id, - (hashtab_datum_t) new_type); - if (ret) { - goto cleanup; - } - state->base->p_types.nprim++; - base_type = new_type; - } - - if (state->dest_decl) { - new_id = NULL; - if ((new_type = calloc(1, sizeof(*new_type))) == NULL) { - goto cleanup; - } - new_type->primary = type->primary; - new_type->flavor = type->flavor; - new_type->s.value = base_type->s.value; - if ((new_id = strdup(id)) == NULL) { - goto cleanup; - } - if (hashtab_insert - (state->dest_decl->p_types.table, new_id, new_type)) { - goto cleanup; - } - state->dest_decl->p_types.nprim++; - } - - state->cur->map[SYM_TYPES][type->s.value - 1] = base_type->s.value; - return 0; - - cleanup: - ERR(state->handle, "Out of memory!"); - free(new_id); - free(new_type); - return -1; -} - -static int user_copy_callback(hashtab_key_t key, hashtab_datum_t datum, - void *data) -{ - int ret; - char *id = key, *new_id = NULL; - user_datum_t *user, *base_user, *new_user = NULL; - link_state_t *state = (link_state_t *) data; - - user = (user_datum_t *) 
datum; - - base_user = hashtab_search(state->base->p_users.table, id); - if (base_user == NULL) { - if (state->verbose) - INFO(state->handle, "copying user %s", id); - - if ((new_id = strdup(id)) == NULL) { - goto cleanup; - } - - if ((new_user = - (user_datum_t *) malloc(sizeof(*new_user))) == NULL) { - goto cleanup; - } - user_datum_init(new_user); - /* new_users's roles and MLS fields will be copied during - user_fix_callback(). */ - - new_user->s.value = state->base->p_users.nprim + 1; - - ret = hashtab_insert(state->base->p_users.table, - (hashtab_key_t) new_id, - (hashtab_datum_t) new_user); - if (ret) { - goto cleanup; - } - state->base->p_users.nprim++; - base_user = new_user; - } - - if (state->dest_decl) { - new_id = NULL; - if ((new_user = malloc(sizeof(*new_user))) == NULL) { - goto cleanup; - } - user_datum_init(new_user); - new_user->s.value = base_user->s.value; - if ((new_id = strdup(id)) == NULL) { - goto cleanup; - } - if (hashtab_insert - (state->dest_decl->p_users.table, new_id, new_user)) { - goto cleanup; - } - state->dest_decl->p_users.nprim++; - } - - state->cur->map[SYM_USERS][user->s.value - 1] = base_user->s.value; - return 0; - - cleanup: - ERR(state->handle, "Out of memory!"); - user_datum_destroy(new_user); - free(new_id); - free(new_user); - return -1; -} - -static int bool_copy_callback(hashtab_key_t key, hashtab_datum_t datum, - void *data) -{ - int ret; - char *id = key, *new_id = NULL; - cond_bool_datum_t *booldatum, *base_bool, *new_bool = NULL; - link_state_t *state = (link_state_t *) data; - - booldatum = (cond_bool_datum_t *) datum; - - base_bool = hashtab_search(state->base->p_bools.table, id); - if (base_bool == NULL) { - if (state->verbose) - INFO(state->handle, "copying boolean %s", id); - - if ((new_id = strdup(id)) == NULL) { - goto cleanup; - } - - if ((new_bool = - (cond_bool_datum_t *) malloc(sizeof(*new_bool))) == NULL) { - goto cleanup; - } - new_bool->state = booldatum->state; - new_bool->s.value = 
state->base->p_bools.nprim + 1; - - ret = hashtab_insert(state->base->p_bools.table, - (hashtab_key_t) new_id, - (hashtab_datum_t) new_bool); - if (ret) { - goto cleanup; - } - state->base->p_bools.nprim++; - base_bool = new_bool; - - } - - state->cur->map[SYM_BOOLS][booldatum->s.value - 1] = base_bool->s.value; - return 0; - - cleanup: - ERR(state->handle, "Out of memory!"); - cond_destroy_bool(new_id, new_bool, NULL); - return -1; -} - -static int sens_copy_callback(hashtab_key_t key, hashtab_datum_t datum, - void *data) -{ - char *id = key; - level_datum_t *level, *base_level; - link_state_t *state = (link_state_t *) data; - scope_datum_t *scope; - - level = (level_datum_t *) datum; - - base_level = hashtab_search(state->base->p_levels.table, id); - if (!base_level) { - scope = - hashtab_search(state->cur->policy->p_sens_scope.table, id); - if (!scope) - return -SEPOL_LINK_ERROR; - if (scope->scope == SCOPE_DECL) { - /* disallow declarations in modules */ - ERR(state->handle, - "%s: Modules may not declare new sensitivities.", - state->cur_mod_name); - return -SEPOL_LINK_NOTSUP; - } - } - - state->cur->map[SYM_LEVELS][level->level->sens - 1] = - base_level->level->sens; - - return 0; -} - -static int cat_copy_callback(hashtab_key_t key, hashtab_datum_t datum, - void *data) -{ - char *id = key; - cat_datum_t *cat, *base_cat; - link_state_t *state = (link_state_t *) data; - scope_datum_t *scope; - - cat = (cat_datum_t *) datum; - - base_cat = hashtab_search(state->base->p_cats.table, id); - if (!base_cat) { - scope = - hashtab_search(state->cur->policy->p_cat_scope.table, id); - if (!scope) - return -SEPOL_LINK_ERROR; - if (scope->scope == SCOPE_DECL) { - /* disallow declarations in modules */ - ERR(state->handle, - "%s: Modules may not declare new categories.", - state->cur_mod_name); - return -SEPOL_LINK_NOTSUP; - } - } - - state->cur->map[SYM_CATS][cat->s.value - 1] = base_cat->s.value; - - return 0; -} - -static int (*copy_callback_f[SYM_NUM]) (hashtab_key_t 
key, - hashtab_datum_t datum, void *datap) = { -NULL, class_copy_callback, role_copy_callback, type_copy_callback, - user_copy_callback, bool_copy_callback, sens_copy_callback, - cat_copy_callback}; - -/* The aliases have to be copied after the types and attributes to be - * certain that the base symbol table will have the type that the - * alias refers. Otherwise, we won't be able to find the type value - * for the alias. We can't depend on the declaration ordering because - * of the hash table. - */ -static int alias_copy_callback(hashtab_key_t key, hashtab_datum_t datum, - void *data) -{ - char *id = key, *new_id = NULL, *target_id; - type_datum_t *type, *base_type, *new_type = NULL, *target_type; - link_state_t *state = (link_state_t *) data; - policy_module_t *mod = state->cur; - int primval; - - type = (type_datum_t *) datum; - /* there are 2 kinds of aliases. Ones with their own value (TYPE_ALIAS) - * and ones with the value of their primary (TYPE_TYPE && type->primary = 0) - */ - if (! 
- (type->flavor == TYPE_ALIAS - || (type->flavor == TYPE_TYPE && !type->primary))) { - /* ignore types and attributes -- they were handled in - * type_copy_callback() */ - return 0; - } - - if (type->flavor == TYPE_ALIAS) - primval = type->primary; - else - primval = type->s.value; - - target_id = mod->policy->p_type_val_to_name[primval - 1]; - target_type = hashtab_search(state->base->p_types.table, target_id); - if (target_type == NULL) { - ERR(state->handle, "%s: Could not find type %s for alias %s.", - state->cur_mod_name, target_id, id); - return -1; - } - - base_type = hashtab_search(state->base->p_types.table, id); - if (base_type == NULL) { - if (state->verbose) - INFO(state->handle, "copying alias %s", id); - - if ((new_type = - (type_datum_t *) calloc(1, sizeof(*new_type))) == NULL) { - goto cleanup; - } - /* the linked copy always has TYPE_ALIAS style aliases */ - new_type->primary = target_type->s.value; - new_type->flavor = TYPE_ALIAS; - new_type->s.value = state->base->p_types.nprim + 1; - if ((new_id = strdup(id)) == NULL) { - goto cleanup; - } - if (hashtab_insert - (state->base->p_types.table, new_id, new_type)) { - goto cleanup; - } - state->base->p_types.nprim++; - base_type = new_type; - } else { - - /* if this already exists and isn't an alias it was required by another module (or base) - * and inserted into the hashtable as a type, fix it up now */ - - if (base_type->flavor == TYPE_ALIAS) { - /* error checking */ - assert(base_type->primary == target_type->s.value); - assert(base_type->primary == - mod->map[SYM_TYPES][primval - 1]); - assert(mod->map[SYM_TYPES][type->s.value - 1] == - base_type->primary); - return 0; - } - - if (base_type->flavor == TYPE_ATTRIB) { - ERR(state->handle, - "%s is an alias of an attribute, not allowed", id); - return -1; - } - - base_type->fla... [truncated message content] |
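Review bot: in the removed copy of permission_copy_callback, the path that handles a required-but-undeclared permission sets `new_perm->s.value = dest_class->permissions.nprim + 1;` right after the `hashtab_insert` into `dest_class->permissions.table`, but nothing in the hunk increments `dest_class->permissions.nprim`, so a second undeclared permission required in the same class would be assigned the same value. class_copy_callback handles the analogous case with `new_class->s.value = ++(state->base->p_classes.nprim);`; using the same form here (or an explicit `dest_class->permissions.nprim++;` after the insert) would keep the two callbacks consistent. Minor, same function: the perm_map growth path calls `memcpy(newmap, mod->perm_map[sclassi], mod->perm_map_len[sclassi] * sizeof(*newmap));` unconditionally; if `mod->perm_map[sclassi]` can be NULL with a length of 0 for a class not yet seen, guard the copy so a NULL source pointer is never passed to memcpy.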
From: <ssm...@us...> - 2007-01-05 13:30:22

Revision: 2129
          http://svn.sourceforge.net/selinux/?rev=2129&view=rev
Author:   ssmalley
Date:     2007-01-05 05:30:20 -0800 (Fri, 05 Jan 2007)

Log Message:
-----------
Move aside so we can move it under its own subdir.

Added Paths:
-----------
    tags/libselinux_1_33_2x/

Removed Paths:
-------------
    tags/libselinux_1_33_2/

Copied: tags/libselinux_1_33_2x (from rev 2128, tags/libselinux_1_33_2)

This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site.
From: <ssm...@us...> - 2007-01-05 13:31:50

Revision: 2131
          http://svn.sourceforge.net/selinux/?rev=2131&view=rev
Author:   ssmalley
Date:     2007-01-05 05:31:46 -0800 (Fri, 05 Jan 2007)

Log Message:
-----------
Move under a libselinux/ subdir to match the other tags.

Added Paths:
-----------
    tags/libselinux_1_33_2/libselinux/

Removed Paths:
-------------
    tags/libselinux_1_33_2x/

Copied: tags/libselinux_1_33_2/libselinux (from rev 2130, tags/libselinux_1_33_2x)
From: <ssm...@us...> - 2007-01-05 13:37:33

Revision: 2132
          http://svn.sourceforge.net/selinux/?rev=2132&view=rev
Author:   ssmalley
Date:     2007-01-05 05:37:30 -0800 (Fri, 05 Jan 2007)

Log Message:
-----------
Move aside so we can re-create as a subdir.

Added Paths:
-----------
    tags/libsemanage_1_9_1x/

Removed Paths:
-------------
    tags/libsemanage_1_9_1/

Copied: tags/libsemanage_1_9_1x (from rev 2131, tags/libsemanage_1_9_1)
From: <ssm...@us...> - 2007-01-05 13:38:08

Revision: 2134
          http://svn.sourceforge.net/selinux/?rev=2134&view=rev
Author:   ssmalley
Date:     2007-01-05 05:38:07 -0800 (Fri, 05 Jan 2007)

Log Message:
-----------
Move to a libsemanage/ subdir to match other tags.

Added Paths:
-----------
    tags/libsemanage_1_9_1/libsemanage/

Removed Paths:
-------------
    tags/libsemanage_1_9_1x/

Copied: tags/libsemanage_1_9_1/libsemanage (from rev 2133, tags/libsemanage_1_9_1x)
From: <ssm...@us...> - 2007-01-05 13:39:59

Revision: 2135
          http://svn.sourceforge.net/selinux/?rev=2135&view=rev
Author:   ssmalley
Date:     2007-01-05 05:39:55 -0800 (Fri, 05 Jan 2007)

Log Message:
-----------
Move aside so we can fix to use a subdir.

Added Paths:
-----------
    tags/libsepol_1_15_3x/

Removed Paths:
-------------
    tags/libsepol_1_15_3/

Copied: tags/libsepol_1_15_3x (from rev 2134, tags/libsepol_1_15_3)
From: <ssm...@us...> - 2007-01-05 13:40:52

Revision: 2137
          http://svn.sourceforge.net/selinux/?rev=2137&view=rev
Author:   ssmalley
Date:     2007-01-05 05:40:51 -0800 (Fri, 05 Jan 2007)

Log Message:
-----------
Move to libsepol/ subdir

Added Paths:
-----------
    tags/libsepol_1_15_3/libsepol/

Removed Paths:
-------------
    tags/libsepol_1_15_3x/

Copied: tags/libsepol_1_15_3/libsepol (from rev 2136, tags/libsepol_1_15_3x)
From: <ssm...@us...> - 2007-01-05 14:14:33

Revision: 2138
          http://svn.sourceforge.net/selinux/?rev=2138&view=rev
Author:   ssmalley
Date:     2007-01-05 06:14:31 -0800 (Fri, 05 Jan 2007)

Log Message:
-----------
Move aside.

Added Paths:
-----------
    tags/policycoreutils_1_33_2x/

Removed Paths:
-------------
    tags/policycoreutils_1_33_2/

Copied: tags/policycoreutils_1_33_2x (from rev 2137, tags/policycoreutils_1_33_2)
From: <ssm...@us...> - 2007-01-05 14:14:39

Revision: 2140
          http://svn.sourceforge.net/selinux/?rev=2140&view=rev
Author:   ssmalley
Date:     2007-01-05 06:14:37 -0800 (Fri, 05 Jan 2007)

Log Message:
-----------
Move into place.

Added Paths:
-----------
    tags/policycoreutils_1_33_2/policycoreutils/

Removed Paths:
-------------
    tags/policycoreutils_1_33_2x/

Copied: tags/policycoreutils_1_33_2/policycoreutils (from rev 2139, tags/policycoreutils_1_33_2x)
From: <ssm...@us...> - 2007-01-05 14:14:44

Revision: 2141
          http://svn.sourceforge.net/selinux/?rev=2141&view=rev
Author:   ssmalley
Date:     2007-01-05 06:14:42 -0800 (Fri, 05 Jan 2007)

Log Message:
-----------
Move aside.

Added Paths:
-----------
    tags/policycoreutils_1_33_5x/

Removed Paths:
-------------
    tags/policycoreutils_1_33_5/

Copied: tags/policycoreutils_1_33_5x (from rev 2140, tags/policycoreutils_1_33_5)