From: <ssm...@us...> - 2006-08-24 16:02:22
Revision: 1992 Author: ssmalley Date: 2006-08-24 09:01:45 -0700 (Thu, 24 Aug 2006) ViewCVS: http://svn.sourceforge.net/selinux/?rev=1992&view=rev Log Message: ----------- Author: Caleb Case Email: cc...@tr... Subject: make indent target update Date: Thu, 17 Aug 2006 16:43:22 -0400 The current make indent invokes the distclean target which removes generated files. This approach instead pushes the decision of which files to indent down into the respective makefiles and does not force a distclean. Tests are not indented. Acked-by: Stephen Smalley <sd...@ty...> Acked-by: Karl MacMillan <kma...@me...> Modified Paths: -------------- trunk/Makefile trunk/checkpolicy/Makefile trunk/libselinux/Makefile trunk/libselinux/include/Makefile trunk/libselinux/src/Makefile trunk/libselinux/utils/Makefile trunk/libsemanage/Makefile trunk/libsemanage/include/Makefile trunk/libsemanage/src/Makefile trunk/libsepol/Makefile trunk/libsepol/include/Makefile trunk/libsepol/src/Makefile trunk/libsepol/utils/Makefile trunk/policycoreutils/Makefile trunk/policycoreutils/audit2allow/Makefile trunk/policycoreutils/audit2why/Makefile trunk/policycoreutils/load_policy/Makefile trunk/policycoreutils/newrole/Makefile trunk/policycoreutils/po/Makefile trunk/policycoreutils/restorecon/Makefile trunk/policycoreutils/restorecond/Makefile trunk/policycoreutils/run_init/Makefile trunk/policycoreutils/scripts/Makefile trunk/policycoreutils/secon/Makefile trunk/policycoreutils/semanage/Makefile trunk/policycoreutils/semodule/Makefile trunk/policycoreutils/semodule_deps/Makefile trunk/policycoreutils/semodule_expand/Makefile trunk/policycoreutils/semodule_link/Makefile trunk/policycoreutils/semodule_package/Makefile trunk/policycoreutils/sestatus/Makefile trunk/policycoreutils/setfiles/Makefile trunk/policycoreutils/setsebool/Makefile Modified: trunk/Makefile =================================================================== --- trunk/Makefile 2006-08-24 15:57:08 UTC (rev 1991) +++ trunk/Makefile 
2006-08-24 16:01:45 UTC (rev 1992) @@ -31,5 +31,7 @@ (cd $$subdir && $(MAKE) $@) || exit 1; \ done -indent: distclean # do not indent the generated files - find . -name "*.[ch]" -exec sh ./Lindent {} \; +indent: + @for subdir in $(SUBDIRS); do \ + (cd $$subdir && $(MAKE) $@) || exit 1; \ + done Modified: trunk/checkpolicy/Makefile =================================================================== --- trunk/checkpolicy/Makefile 2006-08-24 15:57:08 UTC (rev 1991) +++ trunk/checkpolicy/Makefile 2006-08-24 16:01:45 UTC (rev 1992) @@ -18,6 +18,8 @@ LDLIBS=$(LIBDIR)/libsepol.a -lfl +GENERATED=lex.yy.c y.tab.c y.tab.h + all: $(TARGETS) $(MAKE) -C test @@ -55,3 +57,5 @@ -rm -f $(TARGETS) $(CHECKPOLOBJS) $(CHECKMODOBJS) y.tab.c y.tab.h lex.yy.c $(MAKE) -C test clean +indent: + ../Lindent $(filter-out $(GENERATED),$(wildcard *.[ch])) Modified: trunk/libselinux/Makefile =================================================================== --- trunk/libselinux/Makefile 2006-08-24 15:57:08 UTC (rev 1991) +++ trunk/libselinux/Makefile 2006-08-24 16:01:45 UTC (rev 1992) @@ -21,4 +21,9 @@ $(MAKE) -C src $@ $(MAKE) -C utils clean -test: \ No newline at end of file +indent: + $(MAKE) -C src $@ + $(MAKE) -C utils $@ + $(MAKE) -C include $@ + +test: Modified: trunk/libselinux/include/Makefile =================================================================== --- trunk/libselinux/include/Makefile 2006-08-24 15:57:08 UTC (rev 1991) +++ trunk/libselinux/include/Makefile 2006-08-24 16:01:45 UTC (rev 1992) @@ -5,3 +5,7 @@ install: test -d $(INCDIR) || install -m 755 -d $(INCDIR) install -m 644 $(wildcard selinux/*.h) $(INCDIR) + +indent: + ../../Lindent $(wildcard selinux/*.h) + Modified: trunk/libselinux/src/Makefile =================================================================== --- trunk/libselinux/src/Makefile 2006-08-24 15:57:08 UTC (rev 1991) +++ trunk/libselinux/src/Makefile 2006-08-24 16:01:45 UTC (rev 1992) 
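Review bot: The new `GENERATED=lex.yy.c y.tab.c y.tab.h` list in checkpolicy/Makefile duplicates the names that `clean` already removes by hand just above the new indent target, so the two lists will drift the next time a generated file is added. Have clean consume the variable instead: `-rm -f $(TARGETS) $(CHECKPOLOBJS) $(CHECKMODOBJS) $(GENERATED)`. The indent target also deliberately does not recurse into `test/` the way `all` and `clean` do; that matches the log message but deserves a comment on the target, e.g. `# tests are intentionally not indented`.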
@@ -31,6 +31,8 @@ SWIG = swig -Wall -python -o $(SWIGCOUT) -outdir ./ +GENERATED=$(SWIGCOUT) + all: $(LIBA) $(LIBSO) pywrap: all $(SWIGSO) @@ -80,3 +82,7 @@ distclean: clean rm -f $(SWIGCOUT) $(SWIGFILES) + +indent: + ../../Lindent $(filter-out $(GENERATED),$(wildcard *.[ch])) + Modified: trunk/libselinux/utils/Makefile =================================================================== --- trunk/libselinux/utils/Makefile 2006-08-24 15:57:08 UTC (rev 1991) +++ trunk/libselinux/utils/Makefile 2006-08-24 16:01:45 UTC (rev 1992) @@ -18,5 +18,8 @@ clean: rm -f $(TARGETS) *.o +indent: + ../../Lindent $(wildcard *.[ch]) + relabel: Modified: trunk/libsemanage/Makefile =================================================================== --- trunk/libsemanage/Makefile 2006-08-24 15:57:08 UTC (rev 1991) +++ trunk/libsemanage/Makefile 2006-08-24 16:01:45 UTC (rev 1992) @@ -19,4 +19,8 @@ $(MAKE) -C src $@ $(MAKE) -C tests $@ +indent: + $(MAKE) -C src $@ + $(MAKE) -C include $@ + test: Modified: trunk/libsemanage/include/Makefile =================================================================== --- trunk/libsemanage/include/Makefile 2006-08-24 15:57:08 UTC (rev 1991) +++ trunk/libsemanage/include/Makefile 2006-08-24 16:01:45 UTC (rev 1992) @@ -5,3 +5,6 @@ install: test -d $(INCDIR) || install -m 755 -d $(INCDIR) install -m 644 $(wildcard semanage/*.h) $(INCDIR) + +indent: + ../../Lindent $(wildcard semanage/*.h) Modified: trunk/libsemanage/src/Makefile =================================================================== --- trunk/libsemanage/src/Makefile 2006-08-24 15:57:08 UTC (rev 1991) +++ trunk/libsemanage/src/Makefile 2006-08-24 16:01:45 UTC (rev 1992) @@ -37,6 +37,8 @@ SWIG = swig -Wall -python -o $(SWIGCOUT) -outdir ./ +GENERATED=$(SWIGCOUT) $(wildcard conf-*.[ch]) + all: $(LIBA) $(LIBSO) pywrap: all $(SWIGLOBJ) $(SWIGSO) 
@@ -96,4 +98,7 @@ distclean: clean rm -f $(SWIGCOUT) $(SWIGFILES) +indent: + ../../Lindent $(filter-out $(GENERATED),$(wildcard *.[ch])) + .PHONY: all clean pywrap swigify install install-pywrap distclean Modified: trunk/libsepol/Makefile =================================================================== --- trunk/libsepol/Makefile 2006-08-24 15:57:08 UTC (rev 1991) +++ trunk/libsepol/Makefile 2006-08-24 16:01:45 UTC (rev 1992) @@ -16,6 +16,11 @@ $(MAKE) -C utils clean $(MAKE) -C tests clean +indent: + $(MAKE) -C src $@ + $(MAKE) -C include $@ + $(MAKE) -C utils $@ + test: $(MAKE) -C tests test Modified: trunk/libsepol/include/Makefile =================================================================== --- trunk/libsepol/include/Makefile 2006-08-24 15:57:08 UTC (rev 1991) +++ trunk/libsepol/include/Makefile 2006-08-24 16:01:45 UTC (rev 1992) @@ -7,3 +7,6 @@ test -d $(INCDIR)/policydb || install -m 755 -d $(INCDIR)/policydb install -m 644 $(wildcard sepol/*.h) $(INCDIR) install -m 644 $(wildcard sepol/policydb/*.h) $(INCDIR)/policydb + +indent: + ../../Lindent $(wildcard sepol/*.h) Modified: trunk/libsepol/src/Makefile =================================================================== --- trunk/libsepol/src/Makefile 2006-08-24 15:57:08 UTC (rev 1991) +++ trunk/libsepol/src/Makefile 2006-08-24 16:01:45 UTC (rev 1992) @@ -42,3 +42,6 @@ clean: -rm -f $(OBJS) $(LOBJS) $(LIBA) $(LIBSO) $(TARGET) +indent: + ../../Lindent $(wildcard *.[ch]) + Modified: trunk/libsepol/utils/Makefile =================================================================== --- trunk/libsepol/utils/Makefile 2006-08-24 15:57:08 UTC (rev 1991) +++ trunk/libsepol/utils/Makefile 2006-08-24 16:01:45 UTC (rev 1992) 
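Review bot: `indent` is added to libsemanage/src/Makefile directly above a `.PHONY` line that is not updated, so a stray file named `indent` in that directory would make the target report up to date and the recipe never run; extend it to `.PHONY: all clean pywrap swigify install install-pywrap distclean indent`. The recipe itself is fine: `$(filter-out $(GENERATED),…)` keeps the swig output and the `conf-*` lexer/parser sources away from Lindent.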
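Review bot: The new indent recipe in libsepol/include/Makefile only hands `$(wildcard sepol/*.h)` to Lindent, while the `install` rule directly above it also ships `sepol/policydb/*.h`, so the policydb headers are silently never re-indented. Change the recipe to `../../Lindent $(wildcard sepol/*.h) $(wildcard sepol/policydb/*.h)`, or define one `HEADERS` variable and use it in both rules so they cannot drift apart again.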
@@ -17,5 +17,8 @@ clean: -rm -f $(TARGETS) *.o +indent: + ../../Lindent $(wildcard *.[ch]) + relabel: Modified: trunk/policycoreutils/Makefile =================================================================== --- trunk/policycoreutils/Makefile 2006-08-24 15:57:08 UTC (rev 1991) +++ trunk/policycoreutils/Makefile 2006-08-24 16:01:45 UTC (rev 1992) @@ -1,6 +1,6 @@ SUBDIRS=setfiles semanage load_policy newrole run_init restorecon restorecond secon audit2allow audit2why scripts sestatus semodule_package semodule semodule_link semodule_expand semodule_deps setsebool po -all install relabel clean: +all install relabel clean indent: @for subdir in $(SUBDIRS); do \ (cd $$subdir && $(MAKE) $@) || exit 1; \ done Modified: trunk/policycoreutils/audit2allow/Makefile =================================================================== --- trunk/policycoreutils/audit2allow/Makefile 2006-08-24 15:57:08 UTC (rev 1991) +++ trunk/policycoreutils/audit2allow/Makefile 2006-08-24 16:01:45 UTC (rev 1992) @@ -21,4 +21,6 @@ clean: +indent: + relabel: Modified: trunk/policycoreutils/audit2why/Makefile =================================================================== --- trunk/policycoreutils/audit2why/Makefile 2006-08-24 15:57:08 UTC (rev 1991) +++ trunk/policycoreutils/audit2why/Makefile 2006-08-24 16:01:45 UTC (rev 1992) @@ -24,4 +24,7 @@ clean: -rm -f $(TARGETS) *.o +indent: + ../../Lindent $(wildcard *.[ch]) + relabel: Modified: trunk/policycoreutils/load_policy/Makefile =================================================================== --- trunk/policycoreutils/load_policy/Makefile 2006-08-24 15:57:08 UTC (rev 1991) +++ trunk/policycoreutils/load_policy/Makefile 2006-08-24 16:01:45 UTC (rev 1992) 
@@ -21,5 +21,8 @@ clean: -rm -f $(TARGETS) *.o +indent: + ../../Lindent $(wildcard *.[ch]) + relabel: /sbin/restorecon $(SBINDIR)/load_policy Modified: trunk/policycoreutils/newrole/Makefile =================================================================== --- trunk/policycoreutils/newrole/Makefile 2006-08-24 15:57:08 UTC (rev 1991) +++ trunk/policycoreutils/newrole/Makefile 2006-08-24 16:01:45 UTC (rev 1992) @@ -52,5 +52,8 @@ clean: rm -f $(TARGETS) *.o +indent: + ../../Lindent $(wildcard *.[ch]) + relabel: install /sbin/restorecon $(BINDIR)/newrole Modified: trunk/policycoreutils/po/Makefile =================================================================== --- trunk/policycoreutils/po/Makefile 2006-08-24 15:57:08 UTC (rev 1991) +++ trunk/policycoreutils/po/Makefile 2006-08-24 16:01:45 UTC (rev 1992) @@ -64,6 +64,8 @@ @rm -fv *mo *~ .depend @rm -rf tmp +indent: + install: $(MOFILES) @for n in $(MOFILES); do \ l=`basename $$n .mo`; \ Modified: trunk/policycoreutils/restorecon/Makefile =================================================================== --- trunk/policycoreutils/restorecon/Makefile 2006-08-24 15:57:08 UTC (rev 1991) +++ trunk/policycoreutils/restorecon/Makefile 2006-08-24 16:01:45 UTC (rev 1992) @@ -21,5 +21,8 @@ clean: -rm -f restorecon *.o +indent: + ../../Lindent $(wildcard *.[ch]) + relabel: install /sbin/restorecon $(SBINDIR)/restorecon Modified: trunk/policycoreutils/restorecond/Makefile =================================================================== --- trunk/policycoreutils/restorecond/Makefile 2006-08-24 15:57:08 UTC (rev 1991) +++ trunk/policycoreutils/restorecond/Makefile 2006-08-24 16:01:45 UTC (rev 1992) 
@@ -30,3 +30,6 @@ clean: -rm -f restorecond *.o *~ +indent: + ../../Lindent $(wildcard *.[ch]) + Modified: trunk/policycoreutils/run_init/Makefile =================================================================== --- trunk/policycoreutils/run_init/Makefile 2006-08-24 15:57:08 UTC (rev 1991) +++ trunk/policycoreutils/run_init/Makefile 2006-08-24 16:01:45 UTC (rev 1992) @@ -45,5 +45,8 @@ clean: -rm -f $(TARGETS) *.o +indent: + ../../Lindent $(wildcard *.[ch]) + relabel: install /sbin/restorecon $(SBINDIR)/run_init $(SBINDIR)/open_init_pty Modified: trunk/policycoreutils/scripts/Makefile =================================================================== --- trunk/policycoreutils/scripts/Makefile 2006-08-24 15:57:08 UTC (rev 1991) +++ trunk/policycoreutils/scripts/Makefile 2006-08-24 16:01:45 UTC (rev 1992) @@ -21,4 +21,6 @@ clean: +indent: + relabel: Modified: trunk/policycoreutils/secon/Makefile =================================================================== --- trunk/policycoreutils/secon/Makefile 2006-08-24 15:57:08 UTC (rev 1991) +++ trunk/policycoreutils/secon/Makefile 2006-08-24 16:01:45 UTC (rev 1992) @@ -29,6 +29,9 @@ clean: rm -f *.o core* secon *~ *.bak +indent: + ../../Lindent $(wildcard *.[ch]) + bare: clean .PHONY: clean bare Modified: trunk/policycoreutils/semanage/Makefile =================================================================== --- trunk/policycoreutils/semanage/Makefile 2006-08-24 15:57:08 UTC (rev 1991) +++ trunk/policycoreutils/semanage/Makefile 2006-08-24 16:01:45 UTC (rev 1992) @@ -20,4 +20,6 @@ clean: +indent: + relabel: Modified: trunk/policycoreutils/semodule/Makefile =================================================================== --- trunk/policycoreutils/semodule/Makefile 2006-08-24 15:57:08 UTC (rev 1991) +++ trunk/policycoreutils/semodule/Makefile 2006-08-24 16:01:45 UTC (rev 1992) 
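Review bot: secon/Makefile gains an `indent` target but the existing `.PHONY: clean bare` declaration two lines below it is left untouched, so the new target can be shadowed by a file of the same name; change it to `.PHONY: clean bare indent`. This is the only Makefile in this hunk's neighbourhood that declares phony targets at all, which is why the omission stands out here.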
@@ -23,4 +23,8 @@ relabel: clean: - -rm -f semodule *.o + -rm -f semodule *.o + +indent: + ../../Lindent $(wildcard *.[ch]) + Modified: trunk/policycoreutils/semodule_deps/Makefile =================================================================== --- trunk/policycoreutils/semodule_deps/Makefile 2006-08-24 15:57:08 UTC (rev 1991) +++ trunk/policycoreutils/semodule_deps/Makefile 2006-08-24 16:01:45 UTC (rev 1992) @@ -22,4 +22,8 @@ relabel: clean: - -rm -f semodule_deps *.o + -rm -f semodule_deps *.o + +indent: + ../../Lindent $(wildcard *.[ch]) + Modified: trunk/policycoreutils/semodule_expand/Makefile =================================================================== --- trunk/policycoreutils/semodule_expand/Makefile 2006-08-24 15:57:08 UTC (rev 1991) +++ trunk/policycoreutils/semodule_expand/Makefile 2006-08-24 16:01:45 UTC (rev 1992) @@ -22,4 +22,8 @@ relabel: clean: - -rm -f semodule_expand *.o + -rm -f semodule_expand *.o + +indent: + ../../Lindent $(wildcard *.[ch]) + Modified: trunk/policycoreutils/semodule_link/Makefile =================================================================== --- trunk/policycoreutils/semodule_link/Makefile 2006-08-24 15:57:08 UTC (rev 1991) +++ trunk/policycoreutils/semodule_link/Makefile 2006-08-24 16:01:45 UTC (rev 1992) @@ -22,4 +22,8 @@ relabel: clean: - -rm -f semodule_link *.o + -rm -f semodule_link *.o + +indent: + ../../Lindent $(wildcard *.[ch]) + Modified: trunk/policycoreutils/semodule_package/Makefile =================================================================== --- trunk/policycoreutils/semodule_package/Makefile 2006-08-24 15:57:08 UTC (rev 1991) +++ trunk/policycoreutils/semodule_package/Makefile 2006-08-24 16:01:45 UTC (rev 1992) 
@@ -22,4 +22,8 @@ relabel: clean: - -rm -f semodule_package *.o + -rm -f semodule_package *.o + +indent: + ../../Lindent $(wildcard *.[ch]) + Modified: trunk/policycoreutils/sestatus/Makefile =================================================================== --- trunk/policycoreutils/sestatus/Makefile 2006-08-24 15:57:08 UTC (rev 1991) +++ trunk/policycoreutils/sestatus/Makefile 2006-08-24 16:01:45 UTC (rev 1992) @@ -24,4 +24,7 @@ clean: rm -f sestatus *.o +indent: + ../../Lindent $(wildcard *.[ch]) + relabel: Modified: trunk/policycoreutils/setfiles/Makefile =================================================================== --- trunk/policycoreutils/setfiles/Makefile 2006-08-24 15:57:08 UTC (rev 1991) +++ trunk/policycoreutils/setfiles/Makefile 2006-08-24 16:01:45 UTC (rev 1992) @@ -28,5 +28,8 @@ clean: rm -f setfiles *.o +indent: + ../../Lindent $(wildcard *.[ch]) + relabel: install /sbin/restorecon $(SBINDIR)/setfiles Modified: trunk/policycoreutils/setsebool/Makefile =================================================================== --- trunk/policycoreutils/setsebool/Makefile 2006-08-24 15:57:08 UTC (rev 1991) +++ trunk/policycoreutils/setsebool/Makefile 2006-08-24 16:01:45 UTC (rev 1992) @@ -23,4 +23,8 @@ relabel: clean: - -rm -f setsebool *.o + -rm -f setsebool *.o + +indent: + ../../Lindent $(wildcard *.[ch]) + This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
From: <mad...@us...> - 2006-09-05 14:27:40
Revision: 2015 http://svn.sourceforge.net/selinux/?rev=2015&view=rev Author: madmethod Date: 2006-09-05 07:27:29 -0700 (Tue, 05 Sep 2006) Log Message: ----------- Author: Darrel Goeddel Email: dgo...@Tr... Subject: support for extended range_transitions Date: Mon, 28 Aug 2006 11:24:25 -0500 Introduce support for kernel policy format version 21, base policy format version 6, and policy module format 6. These new formats allow for the definition of range_transitions on security classes other than "process". The new module and base formats (both 6) also move expansion of the range_transition statements from compile time to the actual expansion phase. This change should allow for using range_transitions in policy modules (with a bit more work in the future) with another change in format. The current range_transition statements are of the form: range_transition <source types> <target types> <new range> These statements affect process transitions only. The new supported format is: range_transition <source types> <target types>:<target classes> <new range> With this format it is possible to specify a new range for operations such as file creation. The old style statements are still allowed and they implicitly refer to the "process" security class, thereby retaining the same behavior as before. The new kernel format now stores the security class on which the rule operates. When dealing with older kernel policy formats, the "process" security class is implicit. The new module and base formats now store a representation of the rule just (the new addition to the avrule_decl structure) and are expanded at the proper time. The previous implementation expanded the rules at compilation time and could produce an incomplete set of transitions if type attributes were used in the statement.
Here is how range_transition statements are handled for the various formats: for kernel policy version up to 18, there are no range_transition for kernel policy versions 19 and 20, a list of old-style (no class specified) range_trans structures are encoded for kernel policy versions 21 and up, a list of new-style (class specified) range_trans structures are encoded for base policy versions up to 5, there are no range_transitions for base policy version 5, a compile-time generated list of old-style (no class specified) range_trans structures are encoded as they are in kernel formats 19 and 20 for base policy versions 6 and up, an expressive rule stating the intention of the statement is stored - that will be properly linked and expanded for further usage for module policy versions up to 6, there are no range_transitions for base policy versions 6 and up, an expressive rule stating the intention of the statement is stored jut like in base policy version 6 (of course we still need more work to get them in there, but the format is supportive). Signed-off-by: Darrel Goeddel <dgo...@tr...> Acked-by: Stephen Smalley <sd...@ty...> Modified Paths: -------------- trunk/checkpolicy/module_compiler.c trunk/checkpolicy/module_compiler.h trunk/checkpolicy/policy_parse.y trunk/libsepol/include/sepol/policydb/context.h trunk/libsepol/include/sepol/policydb/mls_types.h trunk/libsepol/include/sepol/policydb/policydb.h trunk/libsepol/src/avrule_block.c trunk/libsepol/src/expand.c trunk/libsepol/src/mls.c trunk/libsepol/src/policydb.c trunk/libsepol/src/write.c Modified: trunk/checkpolicy/module_compiler.c =================================================================== --- trunk/checkpolicy/module_compiler.c 2006-09-01 19:28:23 UTC (rev 2014) +++ trunk/checkpolicy/module_compiler.c 2006-09-05 14:27:29 UTC (rev 2015) 
@@ -1100,6 +1100,18 @@ decl->role_allow_rules = role_allow_rules; } +/* this doesn't actually append, but really prepends it */ +void append_range_trans(range_trans_rule_t * range_tr_rules) +{ + avrule_decl_t *decl = stack_top->decl; + + /* range transitions are not allowed within conditionals */ + assert(stack_top->type == 1); + + range_tr_rules->next = decl->range_tr_rules; + decl->range_tr_rules = range_tr_rules; +} + int begin_optional(int pass) { avrule_block_t *block = NULL; Modified: trunk/checkpolicy/module_compiler.h =================================================================== --- trunk/checkpolicy/module_compiler.h 2006-09-01 19:28:23 UTC (rev 2014) +++ trunk/checkpolicy/module_compiler.h 2006-09-05 14:27:29 UTC (rev 2015) @@ -77,6 +77,7 @@ void append_avrule(avrule_t * avrule); void append_role_trans(role_trans_rule_t * role_tr_rules); void append_role_allow(role_allow_rule_t * role_allow_rules); +void append_range_trans(range_trans_rule_t * range_tr_rules); /* Create a new optional block and add it to the global policy. * During the second pass resolve the block's requirements. Return 0 Modified: trunk/checkpolicy/policy_parse.y =================================================================== --- trunk/checkpolicy/policy_parse.y 2006-09-01 19:28:23 UTC (rev 2014) +++ trunk/checkpolicy/policy_parse.y 2006-09-05 14:27:29 UTC (rev 2015) @@ -101,7 +101,7 @@ static role_datum_t *merge_roles_dom(role_datum_t *r1,role_datum_t *r2); static role_datum_t *define_role_dom(role_datum_t *r); static int define_role_trans(void); -static int define_range_trans(void); +static int define_range_trans(int class_specified); static int define_role_allow(void); static int define_constraint(constraint_expr_t *expr); static int define_validatetrans(constraint_expr_t *expr); 
@@ -436,7 +436,9 @@ {if (define_compute_type(AVRULE_CHANGE)) return -1;} ; range_trans_def : RANGE_TRANSITION names names mls_range_def ';' - { if (define_range_trans()) return -1; } + { if (define_range_trans(0)) return -1; } + | RANGE_TRANSITION names names ':' names mls_range_def ';' + { if (define_range_trans(1)) return -1; } ; te_avtab_def : allow_def | auditallow_def @@ -4472,15 +4474,12 @@ return define_genfs_context_helper(queue_remove(id_queue), has_type); } -static int define_range_trans(void) +static int define_range_trans(int class_specified) { char *id; level_datum_t *levdatum = 0; - mls_range_t range; - type_set_t doms, types; - ebitmap_node_t *snode, *tnode; - range_trans_t *rt = 0; - unsigned int i, j; + class_datum_t *cladatum; + range_trans_rule_t *rule; int l, add = 1; if (!mlspol) { @@ -4493,6 +4492,9 @@ free(id); while ((id = queue_remove(id_queue))) free(id); + if (class_specified) + while ((id = queue_remove(id_queue))) + free(id); id = queue_remove(id_queue); free(id); for (l = 0; l < 2; l++) { 
@@ -4507,43 +4509,78 @@ return 0; } - type_set_init(&doms); - type_set_init(&types); + rule = malloc(sizeof(struct range_trans_rule)); + if (!rule) { + yyerror("out of memory"); + return -1; + } + range_trans_rule_init(rule); while ((id = queue_remove(id_queue))) { - if (set_types(&doms, id, &add, 0)) - return -1; + if (set_types(&rule->stypes, id, &add, 0)) + goto out; } add = 1; while ((id = queue_remove(id_queue))) { - if (set_types(&types, id, &add, 0)) - return -1; + if (set_types(&rule->ttypes, id, &add, 0)) + goto out; } + if (class_specified) { + while ((id = queue_remove(id_queue))) { + if (!is_id_in_scope(SYM_CLASSES, id)) { + yyerror2("class %s is not within scope", id); + free(id); + goto out; + } + cladatum = hashtab_search(policydbp->p_classes.table, + id); + if (!cladatum) { + sprintf(errormsg, "unknown class %s", id); + yyerror(errormsg); + goto out; + } + + ebitmap_set_bit(&rule->tclasses, cladatum->s.value, + TRUE); + free(id); + } + } else { + cladatum = hashtab_search(policydbp->p_classes.table, + "process"); + if (!cladatum) { + sprintf(errormsg, "could not find process class for " + "legacy range_transition statement\n"); + yyerror(errormsg); + goto out; + } + + ebitmap_set_bit(&rule->tclasses, cladatum->s.value, TRUE); + } + id = (char *)queue_remove(id_queue); if (!id) { yyerror("no range in range_transition definition?"); - return -1; + goto out; } for (l = 0; l < 2; l++) { levdatum = hashtab_search(policydbp->p_levels.table, id); if (!levdatum) { sprintf(errormsg, - "unknown level %s used in range_transition definition", - id); + "unknown level %s used in range_transition " + "definition", id); yyerror(errormsg); free(id); - return -1; + goto out; } free(id); - range.level[l].sens = levdatum->level->sens; + rule->trange.level[l].sens = levdatum->level->sens; - ebitmap_init(&range.level[l].cat); - while ((id = queue_remove(id_queue))) { - if (parse_categories(id, levdatum, &range.level[l].cat)) { + if (parse_categories(id, levdatum, + 
&rule->trange.level[l].cat)) { free(id); - return -1; + goto out; } free(id); } 
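Review bot: In the new `class_specified` loop the `!cladatum` branch reports `unknown class %s` and jumps to `out` without releasing `id`, whereas the `is_id_in_scope` branch just above it does `free(id)` first; add `free(id);` before that `goto out`. Both new messages are also formatted with `sprintf` into the shared `errormsg` buffer from an identifier taken straight from the policy text; since these lines are new, prefer a bounded form such as `snprintf(errormsg, sizeof(errormsg), "unknown class %s", id)` (assuming errormsg is the file's fixed-size array — its declaration is not in this hunk). The legacy-`process` message additionally ends in `\n`, which none of the neighbouring yyerror strings do. define_range_trans continues into the next hunk.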
@@ -4553,73 +4590,24 @@ break; } if (l == 0) { - range.level[1].sens = range.level[0].sens; - if (ebitmap_cpy(&range.level[1].cat, &range.level[0].cat)) { + if (mls_level_cpy(&rule->trange.level[1], + &rule->trange.level[0])) { yyerror("out of memory"); - return -1; + goto out; } } - - if (!mls_level_dom(&range.level[1], &range.level[0])) { - yyerror - ("range_transition high level does not dominate low level"); - return -1; + if (!mls_level_dom(&rule->trange.level[1], &rule->trange.level[0])) { + yyerror("range_transition high level does not dominate " + "low level"); + goto out; } - /* FIXME: this expands type_sets at compile time which is inappropriate, the type_sets - * should be stored which is a format change */ - ebitmap_for_each_bit(&doms.types, snode, i) { - if (!ebitmap_node_get_bit(snode, i)) - continue; - ebitmap_for_each_bit(&types.types, tnode, j) { - if (!ebitmap_node_get_bit(tnode, j)) - continue; - - for (rt = policydbp->range_tr; rt; rt = rt->next) { - if (rt->dom == (i + 1) && rt->type == (j + 1)) { - sprintf(errormsg, - "duplicate range_transition defined for (%s,%s)", - policydbp-> - p_type_val_to_name[i], - policydbp-> - p_type_val_to_name[j]); - yyerror(errormsg); - return -1; - } - } - - rt = malloc(sizeof(range_trans_t)); - if (!rt) { - yyerror("out of memory"); - return -1; - } - memset(rt, 0, sizeof(range_trans_t)); - rt->dom = i + 1; - rt->type = j + 1; - rt->range.level[0].sens = range.level[0].sens; - if (ebitmap_cpy(&rt->range.level[0].cat, - &range.level[0].cat)) { - yyerror("out of memory"); - free(rt); - return -1; - } - rt->range.level[1].sens = range.level[1].sens; - if (ebitmap_cpy(&rt->range.level[1].cat, - &range.level[1].cat)) { - yyerror("out of memory"); - free(rt); - return -1; - } - rt->next = policydbp->range_tr; - policydbp->range_tr = rt; - } - } - - type_set_destroy(&doms); - type_set_destroy(&types); - ebitmap_destroy(&range.level[0].cat); - ebitmap_destroy(&range.level[1].cat); + append_range_trans(rule); return 0; 
+ +out: + range_trans_rule_destroy(rule); + return -1; } Modified: trunk/libsepol/include/sepol/policydb/context.h =================================================================== --- trunk/libsepol/include/sepol/policydb/context.h 2006-09-01 19:28:23 UTC (rev 2014) +++ trunk/libsepol/include/sepol/policydb/context.h 2006-09-05 14:27:29 UTC (rev 2015) @@ -36,8 +36,7 @@ static inline void mls_context_init(context_struct_t * c) { - mls_level_init(&c->range.level[0]); - mls_level_init(&c->range.level[1]); + mls_range_init(&c->range); } static inline int mls_context_cpy(context_struct_t * dst, @@ -62,8 +61,7 @@ if (c == NULL) return; - mls_level_destroy(&c->range.level[0]); - mls_level_destroy(&c->range.level[1]); + mls_range_destroy(&c->range); mls_context_init(c); } Modified: trunk/libsepol/include/sepol/policydb/mls_types.h =================================================================== --- trunk/libsepol/include/sepol/policydb/mls_types.h 2006-09-01 19:28:23 UTC (rev 2014) +++ trunk/libsepol/include/sepol/policydb/mls_types.h 2006-09-05 14:27:29 UTC (rev 2015) @@ -107,4 +107,22 @@ return -1; } +static inline void mls_range_init(struct mls_range *r) +{ + mls_level_init(&r->level[0]); + mls_level_init(&r->level[1]); +} + +static inline void mls_range_destroy(struct mls_range *r) +{ + mls_level_destroy(&r->level[0]); + mls_level_destroy(&r->level[1]); +} + +static inline int mls_range_eq(struct mls_range *r1, struct mls_range *r2) +{ + return (mls_level_eq(&r1->level[0], &r2->level[0]) && + mls_level_eq(&r1->level[1], &r2->level[1])); +} + #endif Modified: trunk/libsepol/include/sepol/policydb/policydb.h =================================================================== --- trunk/libsepol/include/sepol/policydb/policydb.h 2006-09-01 19:28:23 UTC (rev 2014) +++ trunk/libsepol/include/sepol/policydb/policydb.h 2006-09-05 14:27:29 UTC (rev 2015) 
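Review bot: The new `out:` path calls `range_trans_rule_destroy(rule)` but never frees the `rule` pointer that this function obtained from `malloc` earlier; if that destroy routine, like `role_trans_rule_destroy`, releases only the members (its definition lives in policydb.c, outside this chunk), every parse error inside a range_transition leaks the rule. Either append `free(rule);` after the destroy call or confirm that range_trans_rule_destroy frees its argument, and record the ownership in a comment either way, e.g. `/* destroy releases members only; the rule itself is ours */`. The start of define_range_trans is in the previous hunk.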
@@ -168,9 +168,10 @@ } cat_datum_t; typedef struct range_trans { - uint32_t dom; /* current process domain */ - uint32_t type; /* program executable type */ - mls_range_t range; /* new range */ + uint32_t source_type; + uint32_t target_type; + uint32_t target_class; + mls_range_t target_range; struct range_trans *next; } range_trans_t; @@ -228,6 +229,14 @@ struct role_allow_rule *next; } role_allow_rule_t; +typedef struct range_trans_rule { + type_set_t stypes; + type_set_t ttypes; + ebitmap_t tclasses; + mls_range_t trange; + struct range_trans_rule *next; +} range_trans_rule_t; + /* * The configuration data includes security contexts for * initial SIDs, unlabeled file systems, TCP and UDP port numbers, @@ -325,6 +334,7 @@ avrule_t *avrules; role_trans_rule_t *role_tr_rules; role_allow_rule_t *role_allow_rules; + range_trans_rule_t *range_tr_rules; scope_index_t required; /* symbols needed to activate this block */ scope_index_t declared; /* symbols declared within this block */ @@ -513,6 +523,9 @@ extern void role_allow_rule_init(role_allow_rule_t * x); extern void role_allow_rule_destroy(role_allow_rule_t * x); extern void role_allow_rule_list_destroy(role_allow_rule_t * x); +extern void range_trans_rule_init(range_trans_rule_t *x); +extern void range_trans_rule_destroy(range_trans_rule_t *x); +extern void range_trans_rule_list_destroy(range_trans_rule_t *x); extern void type_datum_init(type_datum_t * x); extern void type_datum_destroy(type_datum_t * x); extern void user_datum_init(user_datum_t * x); 
@@ -562,18 +575,20 @@ #define POLICYDB_VERSION_VALIDATETRANS 19 #define POLICYDB_VERSION_MLS 19 #define POLICYDB_VERSION_AVTAB 20 +#define POLICYDB_VERSION_RANGETRANS 21 /* Range of policy versions we understand*/ #define POLICYDB_VERSION_MIN POLICYDB_VERSION_BASE -#define POLICYDB_VERSION_MAX POLICYDB_VERSION_AVTAB +#define POLICYDB_VERSION_MAX POLICYDB_VERSION_RANGETRANS /* Module versions and specific changes*/ #define MOD_POLICYDB_VERSION_BASE 4 #define MOD_POLICYDB_VERSION_VALIDATETRANS 5 #define MOD_POLICYDB_VERSION_MLS 5 +#define MOD_POLICYDB_VERSION_RANGETRANS 6 #define MOD_POLICYDB_VERSION_MIN MOD_POLICYDB_VERSION_BASE -#define MOD_POLICYDB_VERSION_MAX MOD_POLICYDB_VERSION_MLS +#define MOD_POLICYDB_VERSION_MAX MOD_POLICYDB_VERSION_RANGETRANS #define POLICYDB_CONFIG_MLS 1 Modified: trunk/libsepol/src/avrule_block.c =================================================================== --- trunk/libsepol/src/avrule_block.c 2006-09-01 19:28:23 UTC (rev 2014) +++ trunk/libsepol/src/avrule_block.c 2006-09-05 14:27:29 UTC (rev 2015) @@ -99,6 +99,7 @@ avrule_list_destroy(x->avrules); role_trans_rule_list_destroy(x->role_tr_rules); role_allow_rule_list_destroy(x->role_allow_rules); + range_trans_rule_list_destroy(x->range_tr_rules); scope_index_destroy(&x->required); scope_index_destroy(&x->declared); symtabs_destroy(x->symtab); Modified: trunk/libsepol/src/expand.c =================================================================== --- trunk/libsepol/src/expand.c 2006-09-01 19:28:23 UTC (rev 2014) +++ trunk/libsepol/src/expand.c 2006-09-05 14:27:29 UTC (rev 2015) 
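Review bot: `avrule_decl_destroy` now unconditionally walks `x->range_tr_rules`, so every path that creates an `avrule_decl_t` (the create helper and the module read path, neither of which is in this chunk) must leave the new pointer NULL before the first destroy. Please confirm they zero the whole struct, or add `decl->range_tr_rules = NULL;` explicitly; otherwise an early error exit hands `range_trans_rule_list_destroy` an uninitialised pointer.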
@@ -964,6 +964,113 @@ return 0; } +static int exp_rangetr_helper(uint32_t stype, uint32_t ttype, uint32_t tclass, + mls_range_t * trange, expand_state_t * state) +{ + range_trans_t *rt, *check_rt = state->out->range_tr; + + /* check for duplicates/conflicts */ + while (check_rt) { + if ((check_rt->source_type == stype) && + (check_rt->target_type == ttype) && + (check_rt->target_class == tclass)) { + if (mls_range_eq(&check_rt->target_range, trange)) { + /* duplicate */ + break; + } else { + /* conflict */ + ERR(state->handle, + "Conflicting range trans rule %s %s : %s", + state->out->p_type_val_to_name[stype - 1], + state->out->p_type_val_to_name[ttype - 1], + state->out->p_class_val_to_name[tclass]); + return -1; + } + } + check_rt = check_rt->next; + } + if (check_rt) /* this is a dup - skip */ + return 0; + + rt = (range_trans_t *) calloc(1, sizeof(range_trans_t)); + if (!rt) { + ERR(state->handle, "Out of memory!"); + return -1; + } + + rt->next = state->out->range_tr; + state->out->range_tr = rt; + + rt->source_type = stype; + rt->target_type = ttype; + rt->target_class = tclass; + if (mls_range_cpy(&rt->target_range, trange)) { + ERR(state->handle, "Out of memory!"); + return -1; + } + + return 0; +} + +static int expand_range_trans(expand_state_t * state, + range_trans_rule_t * rules) +{ + unsigned int i, j, k; + range_trans_rule_t *rule; + + ebitmap_t stypes, ttypes; + ebitmap_node_t *snode, *tnode, *cnode; + + for (rule = rules; rule; rule = rule->next) { + ebitmap_init(&stypes); + ebitmap_init(&ttypes); + + /* expand the type sets */ + if (expand_convert_type_set(state->out, state->typemap, + &rule->stypes, &stypes, 1)) { + ERR(state->handle, "Out of memory!"); + return -1; + } + if (expand_convert_type_set(state->out, state->typemap, + &rule->ttypes, &ttypes, 1)) { + ebitmap_destroy(&stypes); + ERR(state->handle, "Out of memory!"); + return -1; + } + + /* loop on source type */ + ebitmap_for_each_bit(&stypes, snode, i) { + if 
(!ebitmap_node_get_bit(snode, i)) + continue; + /* loop on target type */ + ebitmap_for_each_bit(&ttypes, tnode, j) { + if (!ebitmap_node_get_bit(tnode, j)) + continue; + /* loop on target class */ + ebitmap_for_each_bit(&rule->tclasses, cnode, k) { + if (!ebitmap_node_get_bit(cnode, k)) + continue; + + if (exp_rangetr_helper(i + 1, + j + 1, + k, + &rule->trange, + state)) { + ebitmap_destroy(&stypes); + ebitmap_destroy(&ttypes); + return -1; + } + } + } + } + + ebitmap_destroy(&stypes); + ebitmap_destroy(&ttypes); + } + + return 0; +} + /* Search for an AV tab node within a hash table with the given key. * If the node does not exist, create it and return it; otherwise * return the pre-existing one. @@ -1522,14 +1629,17 @@ goto out_of_mem; } memset(new_range, 0, sizeof(*new_range)); - new_range->dom = state->typemap[range->dom - 1]; - new_range->type = state->typemap[range->type - 1]; - if (mls_level_clone - (&new_range->range.level[0], &range->range.level[0]) == -1 - || mls_level_clone(&new_range->range.level[1], - &range->range.level[1])) { + new_range->source_type = state->typemap[range->source_type - 1]; + new_range->target_type = state->typemap[range->target_type - 1]; + new_range->target_class = range->target_class; + if (mls_level_clone(&new_range->target_range.level[0], + &range->target_range.level[0])) { goto out_of_mem; } + if (mls_level_clone(&new_range->target_range.level[1], + &range->target_range.level[1])) { + goto out_of_mem; + } new_range->next = NULL; if (last_new_range == NULL) { state->out->range_tr = last_new_range = new_range; @@ -1544,8 +1654,8 @@ out_of_mem: ERR(state->handle, "Out of memory!"); if (new_range) { - ebitmap_destroy(&new_range->range.level[0].cat); - ebitmap_destroy(&new_range->range.level[1].cat); + ebitmap_destroy(&new_range->target_range.level[0].cat); + ebitmap_destroy(&new_range->target_range.level[1].cat); free(new_range); } return -1; 
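Review bot: The class index handed to exp_rangetr_helper does not follow the convention used for the types: the innermost loop passes the raw tclasses bit `k` while the types are passed as `i + 1` and `j + 1`, and the conflict message then indexes `p_class_val_to_name[tclass]` rather than `[tclass - 1]`, which names the wrong class and reads one slot past the table for the highest class value. From the parser diff further down this page the tclasses bits appear to be set at `s.value` (1-based) at this revision, so `k` is a class value and the name lookup should be `p_class_val_to_name[tclass - 1]`; a comment at the call site stating which base tclasses uses would make the asymmetry with `i + 1` deliberate rather than suspicious. The follow-up commit on this page moves tclasses to 0-based bits and passes `k + 1`, which removes the mismatch.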
@@ -1933,6 +2043,11 @@ goto cleanup; } + /* expand the range transition rules */ + if ((base->policyvers >= MOD_POLICYDB_VERSION_RANGETRANS) && + expand_range_trans(state, decl->range_tr_rules)) + goto cleanup; + /* copy rules */ cur_avrule = decl->avrules; while (cur_avrule != NULL) { @@ -2146,7 +2261,8 @@ if (genfs_copy(&state)) goto cleanup; - if (range_trans_clone(&state) == -1) { + if ((base->policyvers < MOD_POLICYDB_VERSION_RANGETRANS) && + range_trans_clone(&state) == -1) { goto cleanup; } Modified: trunk/libsepol/src/mls.c =================================================================== --- trunk/libsepol/src/mls.c 2006-09-01 19:28:23 UTC (rev 2014) +++ trunk/libsepol/src/mls.c 2006-09-05 14:27:29 UTC (rev 2015) @@ -608,23 +608,20 @@ sepol_security_class_t tclass, uint32_t specified, context_struct_t * newcontext) { + range_trans_t *rtr; if (!policydb->mls) return 0; switch (specified) { case AVTAB_TRANSITION: - if (tclass == SECCLASS_PROCESS) { - range_trans_t *rangetr; - - /* Look for a range transition rule. */ - for (rangetr = policydb->range_tr; rangetr; - rangetr = rangetr->next) { - if (rangetr->dom == scontext->type && - rangetr->type == tcontext->type) { - /* Set the range from the rule */ - return mls_range_set(newcontext, - &rangetr->range); - } + /* Look for a range transition rule. */ + for (rtr = policydb->range_tr; rtr; rtr = rtr->next) { + if (rtr->source_type == scontext->type && + rtr->target_type == tcontext->type && + rtr->target_class == tclass) { + /* Set the range from the rule */ + return mls_range_set(newcontext, + &rtr->target_range); } } /* Fallthrough */ Modified: trunk/libsepol/src/policydb.c =================================================================== --- trunk/libsepol/src/policydb.c 2006-09-01 19:28:23 UTC (rev 2014) +++ trunk/libsepol/src/policydb.c 2006-09-05 14:27:29 UTC (rev 2015) 
@@ -48,6 +48,7 @@ #include <sepol/policydb/conditional.h> #include <sepol/policydb/avrule_block.h> #include <sepol/policydb/util.h> +#include <sepol/policydb/flask.h> #include "private.h" #include "debug.h" @@ -92,6 +93,12 @@ .ocon_num = OCON_NODE6 + 1, }, { + .type = POLICY_KERN, + .version = POLICYDB_VERSION_RANGETRANS, + .sym_num = SYM_NUM, + .ocon_num = OCON_NODE6 + 1, + }, + { .type = POLICY_BASE, .version = MOD_POLICYDB_VERSION_BASE, .sym_num = SYM_NUM, @@ -104,6 +111,12 @@ .ocon_num = OCON_NODE6 + 1, }, { + .type = POLICY_BASE, + .version = MOD_POLICYDB_VERSION_RANGETRANS, + .sym_num = SYM_NUM, + .ocon_num = OCON_NODE6 + 1, + }, + { .type = POLICY_MOD, .version = MOD_POLICYDB_VERSION_BASE, .sym_num = SYM_NUM, @@ -114,7 +127,12 @@ .version = MOD_POLICYDB_VERSION_MLS, .sym_num = SYM_NUM, .ocon_num = 0, - } + }, + { + .type = POLICY_MOD, + .version = MOD_POLICYDB_VERSION_RANGETRANS, + .sym_num = SYM_NUM, + .ocon_num = 0}, }; #if 0 @@ -307,6 +325,32 @@ } } +void range_trans_rule_init(range_trans_rule_t * x) +{ + type_set_init(&x->stypes); + type_set_init(&x->ttypes); + ebitmap_init(&x->tclasses); + mls_range_init(&x->trange); +} + +void range_trans_rule_destroy(range_trans_rule_t * x) +{ + type_set_destroy(&x->stypes); + type_set_destroy(&x->ttypes); + ebitmap_destroy(&x->tclasses); + mls_range_destroy(&x->trange); +} + +void range_trans_rule_list_destroy(range_trans_rule_t * x) +{ + while (x != NULL) { + range_trans_rule_t *next = x->next; + range_trans_rule_destroy(x); + free(x); + x = next; + } +} + void avrule_list_destroy(avrule_t * x) { avrule_t *next, *cur; 
@@ -954,15 +998,15 @@ for (rt = p->range_tr; rt; rt = rt->next) { if (lrt) { - ebitmap_destroy(&lrt->range.level[0].cat); - ebitmap_destroy(&lrt->range.level[1].cat); + ebitmap_destroy(&lrt->target_range.level[0].cat); + ebitmap_destroy(&lrt->target_range.level[1].cat); free(lrt); } lrt = rt; } if (lrt) { - ebitmap_destroy(&lrt->range.level[0].cat); - ebitmap_destroy(&lrt->range.level[1].cat); + ebitmap_destroy(&lrt->target_range.level[0].cat); + ebitmap_destroy(&lrt->target_range.level[1].cat); free(lrt); } @@ -2260,6 +2304,8 @@ uint32_t *buf, nel; range_trans_t *rt, *lrt; unsigned int i; + int new_rangetr = (p->policy_type == POLICY_KERN && + p->policyvers >= POLICYDB_VERSION_RANGETRANS); buf = next_entry(fp, sizeof(uint32_t)); if (!buf) @@ -2277,9 +2323,16 @@ buf = next_entry(fp, (sizeof(uint32_t) * 2)); if (!buf) return -1; - rt->dom = le32_to_cpu(buf[0]); - rt->type = le32_to_cpu(buf[1]); - if (mls_read_range_helper(&rt->range, fp)) + rt->source_type = le32_to_cpu(buf[0]); + rt->target_type = le32_to_cpu(buf[1]); + if (new_rangetr) { + buf = next_entry(fp, (sizeof(uint32_t))); + if (!buf) + return -1; + rt->target_class = le32_to_cpu(buf[0]); + } else + rt->target_class = SECCLASS_PROCESS; + if (mls_read_range_helper(&rt->target_range, fp)) return -1; lrt = rt; } 
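Review bot: In the `@@ -2277` hunk `rt->target_class` is read from the policy file without any range check, whereas the old-format branch assigns the known-good `SECCLASS_PROCESS`. A value of 0 or greater than `p->p_classes.nprim` would merely never match in mls_compute_context_transition, but the expand.c conflict message indexes `p_class_val_to_name` with it, so rejecting it at read time is cheaper than guarding every consumer: `if (!rt->target_class || rt->target_class > p->p_classes.nprim) return -1;` after the le32_to_cpu. source_type and target_type predate this change and have the same gap.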
@@ -2393,6 +2446,47 @@ return 0; } +static int range_trans_rule_read(range_trans_rule_t ** r, + struct policy_file *fp) +{ + uint32_t *buf, nel; + unsigned int i; + range_trans_rule_t *rt, *lrt = NULL; + + buf = next_entry(fp, sizeof(uint32_t)); + if (!buf) + return -1; + nel = le32_to_cpu(buf[0]); + for (i = 0; i < nel; i++) { + rt = malloc(sizeof(range_trans_rule_t)); + if (!rt) { + return -1; + } + range_trans_rule_init(rt); + + if (lrt) + lrt->next = rt; + else + *r = rt; + + if (type_set_read(&rt->stypes, fp)) + return -1; + + if (type_set_read(&rt->ttypes, fp)) + return -1; + + if (ebitmap_read(&rt->tclasses, fp)) + return -1; + + if (mls_read_range_helper(&rt->trange, fp)) + return -1; + + lrt = rt; + } + + return 0; +} + static int scope_index_read(scope_index_t * scope_index, unsigned int num_scope_syms, struct policy_file *fp) { @@ -2440,6 +2534,10 @@ role_allow_rule_read(&decl->role_allow_rules, fp) == -1) { return -1; } + if (p->policyvers >= MOD_POLICYDB_VERSION_RANGETRANS && + range_trans_rule_read(&decl->range_tr_rules, fp) == -1) { + return -1; + } if (scope_index_read(&decl->required, num_scope_syms, fp) == -1 || scope_index_read(&decl->declared, num_scope_syms, fp) == -1) { return -1; @@ -2835,7 +2933,8 @@ if ((p->policy_type == POLICY_KERN && p->policyvers >= POLICYDB_VERSION_MLS) || (p->policy_type == POLICY_BASE - && p->policyvers >= MOD_POLICYDB_VERSION_MLS)) { + && p->policyvers >= MOD_POLICYDB_VERSION_MLS + && p->policyvers < MOD_POLICYDB_VERSION_RANGETRANS)) { if (range_read(p, fp)) { goto bad; } Modified: trunk/libsepol/src/write.c =================================================================== --- trunk/libsepol/src/write.c 2006-09-01 19:28:23 UTC (rev 2014) +++ trunk/libsepol/src/write.c 2006-09-05 14:27:29 UTC (rev 2015) @@ -39,6 +39,7 @@ #include <sepol/policydb/policydb.h> #include <sepol/policydb/conditional.h> #include <sepol/policydb/expand.h> +#include <sepol/policydb/flask.h> #include "debug.h" #include "private.h" 
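Review bot: range_trans_rule_read allocates each rule with `malloc`, and `range_trans_rule_init` (policydb.c hunk above) does not touch `next`, so the last rule of a successfully read list — and every rule linked in before one of the early `return -1`s — carries an uninitialised `next` pointer that range_trans_rule_list_destroy will dereference. Set `rt->next = NULL;` immediately after `range_trans_rule_init(rt);`, or have the init function clear it (the follow-up commit on this page does the latter). The early returns also leave a half-read rule attached to `*r`; that is only safe because its members are presumably zeroed by the init call before the reads, which is worth a comment, and `nel` is trusted from the file without an upper bound.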
@@ -1124,21 +1125,44 @@ { size_t nel, items; struct range_trans *rt; - uint32_t buf[32]; + uint32_t buf[2]; + int new_rangetr = (p->policy_type == POLICY_KERN && + p->policyvers >= POLICYDB_VERSION_RANGETRANS); + int warning_issued = 0; + nel = 0; - for (rt = p->range_tr; rt; rt = rt->next) - nel++; + for (rt = p->range_tr; rt; rt = rt->next) { + /* all range_transitions are written for the new format, only + process related range_transitions are written for the old + format, so count accordingly */ + if (new_rangetr || rt->target_class == SECCLASS_PROCESS) + nel++; + } buf[0] = cpu_to_le32(nel); items = put_entry(buf, sizeof(uint32_t), 1, fp); if (items != 1) return POLICYDB_ERROR; for (rt = p->range_tr; rt; rt = rt->next) { - buf[0] = cpu_to_le32(rt->dom); - buf[1] = cpu_to_le32(rt->type); + if (!new_rangetr && rt->target_class != SECCLASS_PROCESS) { + if (!warning_issued) + WARN(fp->handle, "Discarding range_transition " + "rules for security classes other than " + "\"process\""); + warning_issued = 1; + continue; + } + buf[0] = cpu_to_le32(rt->source_type); + buf[1] = cpu_to_le32(rt->target_type); items = put_entry(buf, sizeof(uint32_t), 2, fp); if (items != 2) return POLICYDB_ERROR; - if (mls_write_range_helper(&rt->range, fp)) + if (new_rangetr) { + buf[0] = cpu_to_le32(rt->target_class); + items = put_entry(buf, sizeof(uint32_t), 1, fp); + if (items != 1) + return POLICYDB_ERROR; + } + if (mls_write_range_helper(&rt->target_range, fp)) return POLICYDB_ERROR; } return POLICYDB_SUCCESS; 
@@ -1264,6 +1288,33 @@ return POLICYDB_SUCCESS; } +static int range_trans_rule_write(range_trans_rule_t * t, + struct policy_file *fp) +{ + int nel = 0; + size_t items; + uint32_t buf[1]; + range_trans_rule_t *rt; + + for (rt = t; rt; rt = rt->next) + nel++; + buf[0] = cpu_to_le32(nel); + items = put_entry(buf, sizeof(uint32_t), 1, fp); + if (items != 1) + return POLICYDB_ERROR; + for (rt = t; rt; rt = rt->next) { + if (type_set_write(&rt->stypes, fp)) + return POLICYDB_ERROR; + if (type_set_write(&rt->ttypes, fp)) + return POLICYDB_ERROR; + if (ebitmap_write(&rt->tclasses, fp)) + return POLICYDB_ERROR; + if (mls_write_range_helper(&rt->trange, fp)) + return POLICYDB_ERROR; + } + return POLICYDB_SUCCESS; +} + static int scope_index_write(scope_index_t * scope_index, unsigned int num_scope_syms, struct policy_file *fp) @@ -1304,6 +1355,10 @@ role_allow_rule_write(decl->role_allow_rules, fp) == -1) { return POLICYDB_ERROR; } + if (p->policyvers >= MOD_POLICYDB_VERSION_RANGETRANS && + range_trans_rule_write(decl->range_tr_rules, fp) == -1) { + return POLICYDB_ERROR; + } if (scope_index_write(&decl->required, num_scope_syms, fp) == -1 || scope_index_write(&decl->declared, num_scope_syms, fp) == -1) { return POLICYDB_ERROR; @@ -1528,6 +1583,7 @@ if ((p->policyvers >= POLICYDB_VERSION_MLS && p->policy_type == POLICY_KERN) || (p->policyvers >= MOD_POLICYDB_VERSION_MLS + && p->policyvers < MOD_POLICYDB_VERSION_MLS && p->policy_type == POLICY_BASE)) { if (range_write(p, fp)) { return POLICYDB_ERROR; This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
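Review bot: The version window added in the last hunk (`@@ -1528`) is empty: `p->policyvers >= MOD_POLICYDB_VERSION_MLS && p->policyvers < MOD_POLICYDB_VERSION_MLS` can never hold, so range_write is skipped for every POLICY_BASE file, including version-5 base policies for which the read side in policydb.c (`>= MOD_POLICYDB_VERSION_MLS && < MOD_POLICYDB_VERSION_RANGETRANS`) still expects a range_tr section. The upper bound should be `&& p->policyvers < MOD_POLICYDB_VERSION_RANGETRANS`, mirroring the reader; as written, a version-5 base policy written by this code is misparsed when read back. A write/read round-trip test per supported base version would keep the two gates from drifting apart, since they now live in two files.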
From: <mad...@us...> - 2006-09-05 14:28:15
Revision: 2016 http://svn.sourceforge.net/selinux/?rev=2016&view=rev Author: madmethod Date: 2006-09-05 07:27:55 -0700 (Tue, 05 Sep 2006) Log Message: ----------- Author: Darrel Goeddel Email: dgo...@Tr... Subject: semantic MLS representation for range_trans_rules Date: Thu, 31 Aug 2006 08:42:35 -0500 Here is a second take on the previous patch. The changes are: - create functions to initialize and destroy mls_semantic_cat structs - move the definitions of the semantic_cat related functions to mls.c and just declare the functions in mls_types.h - fix a problem with compiling non-MLS policies (do not attempt expansion of mls_semantic_cat structs because the MLS symbols will not be available) --- Introduce a semantic representation for MLS levels and ranges to be used in modular policy formats. This will allow expansion of levels such as "s0:c1.c5" to happen at module expansion time. The range_trans_rules were updated to use this new semantic format. All range_transitions are now represented as range_trans_rules when in a modular format (old range_trans structs are converted when the policy is read). The semantic rules are expanded along with other rules when the module is expanded. The ebitmap used for classes in the range_trans_rules has also been fixed to use the standard "value - 1" indexing. 
Signed-off-by: Darrel Goeddel <dgo...@tr...> Acked-By: Joshua Brindle <jbr...@tr...> Acked-by: Stephen Smalley <sd...@ty...> Modified Paths: -------------- trunk/checkpolicy/policy_parse.y trunk/libsepol/include/sepol/policydb/expand.h trunk/libsepol/include/sepol/policydb/mls_types.h trunk/libsepol/include/sepol/policydb/policydb.h trunk/libsepol/src/expand.c trunk/libsepol/src/mls.c trunk/libsepol/src/policydb.c trunk/libsepol/src/write.c Modified: trunk/checkpolicy/policy_parse.y =================================================================== --- trunk/checkpolicy/policy_parse.y 2006-09-05 14:27:29 UTC (rev 2015) +++ trunk/checkpolicy/policy_parse.y 2006-09-05 14:27:55 UTC (rev 2016) 
@@ -3616,6 +3616,65 @@ return 0; } +static int +parse_semantic_categories(char *id, level_datum_t * levdatum, + mls_semantic_cat_t ** cats) +{ + cat_datum_t *cdatum; + mls_semantic_cat_t *newcat; + unsigned int range_start, range_end; + + if (id_has_dot(id)) { + char *id_start = id; + char *id_end = strchr(id, '.'); + + *(id_end++) = '\0'; + + cdatum = (cat_datum_t *) hashtab_search(policydbp->p_cats.table, + (hashtab_key_t) + id_start); + if (!cdatum) { + sprintf(errormsg, "unknown category %s", id_start); + yyerror(errormsg); + return -1; + } + range_start = cdatum->s.value; + + cdatum = (cat_datum_t *) hashtab_search(policydbp->p_cats.table, + (hashtab_key_t) id_end); + if (!cdatum) { + sprintf(errormsg, "unknown category %s", id_end); + yyerror(errormsg); + return -1; + } + range_end = cdatum->s.value; + } else { + cdatum = (cat_datum_t *) hashtab_search(policydbp->p_cats.table, + (hashtab_key_t) id); + if (!cdatum) { + sprintf(errormsg, "unknown category %s", id); + yyerror(errormsg); + return -1; + } + range_start = range_end = cdatum->s.value; + } + + newcat = (mls_semantic_cat_t *) malloc(sizeof(mls_semantic_cat_t)); + if (!newcat) { + yyerror("out of memory"); + return -1; + } + + mls_semantic_cat_init(newcat); + newcat->next = *cats; + newcat->low = range_start; + newcat->high = range_end; + + *cats = newcat; + + return 0; +} + static int define_user(void) { char *id; @@ -4541,7 +4600,7 @@ goto out; } - ebitmap_set_bit(&rule->tclasses, cladatum->s.value, + ebitmap_set_bit(&rule->tclasses, cladatum->s.value - 1, TRUE); free(id); } @@ -4555,7 +4614,7 @@ goto out; } - ebitmap_set_bit(&rule->tclasses, cladatum->s.value, TRUE); + ebitmap_set_bit(&rule->tclasses, cladatum->s.value - 1, TRUE); } id = (char *)queue_remove(id_queue); 
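Review bot: parse_semantic_categories formats caller-supplied identifiers into the fixed `errormsg` buffer with `sprintf(errormsg, "unknown category %s", ...)` in three places with no bound on the length of `id`; use `snprintf(errormsg, sizeof(errormsg), ...)` (or the buffer's declared length) so an overlong identifier in the policy source truncates the message rather than overrunning the buffer, even if the older parse_categories uses the same pattern. The `levdatum` parameter is unused in this function and could be marked `__attribute__ ((unused))` as done elsewhere in this tree, or dropped together with its callers. The function never checks `range_start <= range_end`; if that is deliberately deferred to mls_semantic_level_expand, say so in a comment above the `newcat->low`/`high` assignments.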
@@ -4574,11 +4633,12 @@ goto out; } free(id); + rule->trange.level[l].sens = levdatum->level->sens; while ((id = queue_remove(id_queue))) { - if (parse_categories(id, levdatum, - &rule->trange.level[l].cat)) { + if (parse_semantic_categories(id, levdatum, + &rule->trange.level[l].cat)) { free(id); goto out; } @@ -4590,17 +4650,12 @@ break; } if (l == 0) { - if (mls_level_cpy(&rule->trange.level[1], - &rule->trange.level[0])) { + if (mls_semantic_level_cpy(&rule->trange.level[1], + &rule->trange.level[0])) { yyerror("out of memory"); goto out; } } - if (!mls_level_dom(&rule->trange.level[1], &rule->trange.level[0])) { - yyerror("range_transition high level does not dominate " - "low level"); - goto out; - } append_range_trans(rule); return 0; Modified: trunk/libsepol/include/sepol/policydb/expand.h =================================================================== --- trunk/libsepol/include/sepol/policydb/expand.h 2006-09-05 14:27:29 UTC (rev 2015) +++ trunk/libsepol/include/sepol/policydb/expand.h 2006-09-05 14:27:55 UTC (rev 2016) @@ -58,6 +58,10 @@ extern int type_set_expand(type_set_t * set, ebitmap_t * t, policydb_t * p, unsigned char alwaysexpand); extern int role_set_expand(role_set_t * x, ebitmap_t * r, policydb_t * p); +extern int mls_semantic_level_expand(mls_semantic_level_t *sl, mls_level_t *l, + policydb_t *p, sepol_handle_t *h); +extern int mls_semantic_range_expand(mls_semantic_range_t *sr, mls_range_t *r, + policydb_t *p, sepol_handle_t *h); extern int expand_rule(sepol_handle_t * handle, policydb_t * source_pol, avrule_t * source_rule, avtab_t * dest_avtab, Modified: trunk/libsepol/include/sepol/policydb/mls_types.h =================================================================== --- trunk/libsepol/include/sepol/policydb/mls_types.h 2006-09-05 14:27:29 UTC (rev 2015) +++ trunk/libsepol/include/sepol/policydb/mls_types.h 2006-09-05 14:27:55 UTC (rev 2016) 
@@ -32,6 +32,7 @@ #define _SEPOL_POLICYDB_MLS_TYPES_H_ #include <stdint.h> +#include <stdlib.h> #include <sepol/policydb/ebitmap.h> #include <sepol/policydb/flask_types.h> @@ -125,4 +126,28 @@ mls_level_eq(&r1->level[1], &r2->level[1])); } +typedef struct mls_semantic_cat { + uint32_t low; /* first bit this struct represents */ + uint32_t high; /* last bit represented - equals low for a single cat */ + struct mls_semantic_cat *next; +} mls_semantic_cat_t; + +typedef struct mls_semantic_level { + uint32_t sens; + mls_semantic_cat_t *cat; +} mls_semantic_level_t; + +typedef struct mls_semantic_range { + mls_semantic_level_t level[2]; +} mls_semantic_range_t; + +extern void mls_semantic_cat_init(mls_semantic_cat_t *c); +extern void mls_semantic_cat_destroy(mls_semantic_cat_t *c); +extern void mls_semantic_level_init(mls_semantic_level_t *l); +extern void mls_semantic_level_destroy(mls_semantic_level_t *l); +extern int mls_semantic_level_cpy(mls_semantic_level_t *dst, mls_semantic_level_t *src); +extern void mls_semantic_range_init(mls_semantic_range_t *r); +extern void mls_semantic_range_destroy(mls_semantic_range_t *r); +extern int mls_semantic_range_cpy(mls_semantic_range_t *dst, mls_semantic_range_t *src); + #endif Modified: trunk/libsepol/include/sepol/policydb/policydb.h =================================================================== --- trunk/libsepol/include/sepol/policydb/policydb.h 2006-09-05 14:27:29 UTC (rev 2015) +++ trunk/libsepol/include/sepol/policydb/policydb.h 2006-09-05 14:27:55 UTC (rev 2016) @@ -233,7 +233,7 @@ type_set_t stypes; type_set_t ttypes; ebitmap_t tclasses; - mls_range_t trange; + mls_semantic_range_t trange; struct range_trans_rule *next; } range_trans_rule_t; Modified: trunk/libsepol/src/expand.c =================================================================== --- trunk/libsepol/src/expand.c 2006-09-05 14:27:29 UTC (rev 2015) +++ trunk/libsepol/src/expand.c 2006-09-05 14:27:55 UTC (rev 2016) 
@@ -580,12 +580,64 @@ return 0; } -static int mls_level_clone(mls_level_t * dst, mls_level_t * src) +int mls_semantic_level_expand(mls_semantic_level_t * sl, mls_level_t * l, + policydb_t * p, sepol_handle_t * h) { - dst->sens = src->sens; - if (ebitmap_cpy(&dst->cat, &src->cat)) { + mls_semantic_cat_t *cat; + level_datum_t *levdatum; + unsigned int i; + + mls_level_init(l); + + if (!p->mls) + return 0; + + l->sens = sl->sens; + levdatum = (level_datum_t *) hashtab_search(p->p_levels.table, + p->p_sens_val_to_name[l-> + sens - + 1]); + for (cat = sl->cat; cat; cat = cat->next) { + if (cat->low > cat->high) { + ERR(h, "Category range is not valid %s.%s", + p->p_cat_val_to_name[cat->low - 1], + p->p_cat_val_to_name[cat->high - 1]); + return -1; + } + for (i = cat->low - 1; i < cat->high; i++) { + if (!ebitmap_get_bit(&levdatum->level->cat, i)) { + ERR(h, "Category %s can not be associate with " + "level %s", + p->p_cat_val_to_name[i], + p->p_sens_val_to_name[l->sens - 1]); + } + if (ebitmap_set_bit(&l->cat, i, 1)) { + ERR(h, "Out of memory!"); + return -1; + } + } + } + + return 0; +} + +int mls_semantic_range_expand(mls_semantic_range_t * sr, mls_range_t * r, + policydb_t * p, sepol_handle_t * h) +{ + if (mls_semantic_level_expand(&sr->level[0], &r->level[0], p, h) < 0) return -1; + + if (mls_semantic_level_expand(&sr->level[1], &r->level[1], p, h) < 0) { + mls_semantic_level_destroy(&sr->level[0]); + return -1; } + + if (!mls_level_dom(&r->level[1], &r->level[0])) { + mls_range_destroy(r); + ERR(h, "MLS range high level does not dominate low level"); + return -1; + } + return 0; } 
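Review bot: In mls_semantic_level_expand the check that a category belongs to the level only logs: `if (!ebitmap_get_bit(&levdatum->level->cat, i)) { ERR(...); }` falls through and the bit is still set, so a rule naming a category outside the level's allowed set is accepted with an error message but no failure; add `return -1;` after the ERR call if the message is meant as an error. The same function indexes `p_sens_val_to_name[l->sens - 1]` and `p_cat_val_to_name[cat->low - 1]` directly from the semantic structure and dereferences the hashtab_search result without a NULL check, so an out-of-range sens or category value (which the module reader further down this page does not validate) reads past those tables; a bound against `p->p_levels.nprim` and `p->p_cats.nprim` is needed here or at read time. In mls_semantic_range_expand the failure path for level[1] destroys `sr->level[0]`, the caller-owned semantic input, rather than the freshly expanded `r->level[0]`; presumably `mls_level_destroy(&r->level[0])` was intended, since the dominance failure just below destroys `r`. The message text "can not be associate with" should read "cannot be associated with".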
@@ -641,12 +693,9 @@ } /* clone MLS stuff */ - if (mls_level_clone - (&new_user->range.level[0], &user->range.level[0]) == -1 - || mls_level_clone(&new_user->range.level[1], - &user->range.level[1]) == -1 - || mls_level_clone(&new_user->dfltlevel, - &user->dfltlevel) == -1) { + if (mls_range_cpy(&new_user->range, &user->range) == -1 + || mls_level_cpy(&new_user->dfltlevel, + &user->dfltlevel) == -1) { ERR(state->handle, "Out of memory!"); return -1; } @@ -749,7 +798,7 @@ goto out_of_mem; } - if (mls_level_clone(new_level->level, level->level)) { + if (mls_level_cpy(new_level->level, level->level)) { goto out_of_mem; } new_level->isalias = level->isalias; @@ -965,16 +1014,23 @@ } static int exp_rangetr_helper(uint32_t stype, uint32_t ttype, uint32_t tclass, - mls_range_t * trange, expand_state_t * state) + mls_semantic_range_t * trange, + expand_state_t * state) { range_trans_t *rt, *check_rt = state->out->range_tr; + mls_range_t exp_range; + int rc = -1; + if (mls_semantic_range_expand(trange, &exp_range, state->out, + state->handle)) + goto out; + /* check for duplicates/conflicts */ while (check_rt) { if ((check_rt->source_type == stype) && (check_rt->target_type == ttype) && (check_rt->target_class == tclass)) { - if (mls_range_eq(&check_rt->target_range, trange)) { + if (mls_range_eq(&check_rt->target_range, &exp_range)) { /* duplicate */ break; } else { @@ -983,19 +1039,23 @@ "Conflicting range trans rule %s %s : %s", state->out->p_type_val_to_name[stype - 1], state->out->p_type_val_to_name[ttype - 1], - state->out->p_class_val_to_name[tclass]); - return -1; + state->out->p_class_val_to_name[tclass - + 1]); + goto out; } } check_rt = check_rt->next; } - if (check_rt) /* this is a dup - skip */ - return 0; + if (check_rt) { + /* this is a dup - skip */ + rc = 0; + goto out; + } rt = (range_trans_t *) calloc(1, sizeof(range_trans_t)); if (!rt) { ERR(state->handle, "Out of memory!"); - return -1; + goto out; } rt->next = state->out->range_tr; 
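Review bot: `exp_range` in exp_rangetr_helper is declared but never initialised before `mls_semantic_range_expand` is called, yet every failure now jumps to `out:` (in the following `@@ -1004` hunk) where `mls_range_destroy(&exp_range)` runs; if expansion fails while processing level[0], `exp_range.level[1].cat` is still stack garbage when ebitmap_destroy walks it. Add `mls_range_init(&exp_range);` before the expand call, or return -1 directly from that first failure instead of going through `out`. The dominance failure inside mls_semantic_range_expand already destroys the range, so the `out:` destroy is a second destroy on that path — harmless only if ebitmap_destroy leaves the bitmap in a reusable state, which deserves a one-line comment at the label.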
@@ -1004,12 +1064,16 @@ rt->source_type = stype; rt->target_type = ttype; rt->target_class = tclass; - if (mls_range_cpy(&rt->target_range, trange)) { + if (mls_range_cpy(&rt->target_range, &exp_range)) { ERR(state->handle, "Out of memory!"); - return -1; + goto out; } - return 0; + rc = 0; + + out: + mls_range_destroy(&exp_range); + return rc; } static int expand_range_trans(expand_state_t * state, @@ -1021,6 +1085,9 @@ ebitmap_t stypes, ttypes; ebitmap_node_t *snode, *tnode, *cnode; + if (state->verbose) + INFO(state->handle, "expanding range transitions"); + for (rule = rules; rule; rule = rule->next) { ebitmap_init(&stypes); ebitmap_init(&ttypes); @@ -1053,7 +1120,7 @@ if (exp_rangetr_helper(i + 1, j + 1, - k, + k + 1, &rule->trange, state)) { ebitmap_destroy(&stypes); 
@@ -1615,52 +1682,6 @@ return 0; } -static int range_trans_clone(expand_state_t * state) -{ - range_trans_t *range = state->base->range_tr, *last_new_range = NULL, - *new_range = NULL; - state->out->range_tr = NULL; - - if (state->verbose) - INFO(state->handle, "copying range transitions"); - - while (range != NULL) { - if ((new_range = malloc(sizeof(*new_range))) == NULL) { - goto out_of_mem; - } - memset(new_range, 0, sizeof(*new_range)); - new_range->source_type = state->typemap[range->source_type - 1]; - new_range->target_type = state->typemap[range->target_type - 1]; - new_range->target_class = range->target_class; - if (mls_level_clone(&new_range->target_range.level[0], - &range->target_range.level[0])) { - goto out_of_mem; - } - if (mls_level_clone(&new_range->target_range.level[1], - &range->target_range.level[1])) { - goto out_of_mem; - } - new_range->next = NULL; - if (last_new_range == NULL) { - state->out->range_tr = last_new_range = new_range; - } else { - last_new_range->next = new_range; - last_new_range = new_range; - } - range = range->next; - } - return 0; - - out_of_mem: - ERR(state->handle, "Out of memory!"); - if (new_range) { - ebitmap_destroy(&new_range->target_range.level[0].cat); - ebitmap_destroy(&new_range->target_range.level[1].cat); - free(new_range); - } - return -1; -} - static int type_attr_map(hashtab_key_t key __attribute__ ((unused)), hashtab_datum_t datum, void *ptr) @@ -2044,8 +2065,7 @@ } /* expand the range transition rules */ - if ((base->policyvers >= MOD_POLICYDB_VERSION_RANGETRANS) && - expand_range_trans(state, decl->range_tr_rules)) + if (expand_range_trans(state, decl->range_tr_rules)) goto cleanup; /* copy rules */ 
@@ -2261,11 +2281,6 @@ if (genfs_copy(&state)) goto cleanup; - if ((base->policyvers < MOD_POLICYDB_VERSION_RANGETRANS) && - range_trans_clone(&state) == -1) { - goto cleanup; - } - /* Build the type<->attribute maps and remove attributes. */ state.out->attr_type_map = malloc(state.out->p_types.nprim * sizeof(ebitmap_t)); Modified: trunk/libsepol/src/mls.c =================================================================== --- trunk/libsepol/src/mls.c 2006-09-05 14:27:29 UTC (rev 2015) +++ trunk/libsepol/src/mls.c 2006-09-05 14:27:55 UTC (rev 2016) 
@@ -705,3 +705,94 @@ free(con); return ret; } + +void mls_semantic_cat_init(mls_semantic_cat_t * c) +{ + memset(c, 0, sizeof(mls_semantic_cat_t)); +} + +void mls_semantic_cat_destroy(mls_semantic_cat_t * c __attribute__ ((unused))) +{ + /* it's currently a simple struct - really nothing to destroy */ + return; +} + +void mls_semantic_level_init(mls_semantic_level_t * l) +{ + memset(l, 0, sizeof(mls_semantic_level_t)); +} + +void mls_semantic_level_destroy(mls_semantic_level_t * l) +{ + mls_semantic_cat_t *cur, *next; + + if (l == NULL) + return; + + next = l->cat; + while (next) { + cur = next; + next = cur->next; + mls_semantic_cat_destroy(cur); + free(cur); + } +} + +int mls_semantic_level_cpy(mls_semantic_level_t * dst, + mls_semantic_level_t * src) +{ + mls_semantic_cat_t *cat, *newcat, *lnewcat = NULL; + + mls_semantic_level_init(dst); + dst->sens = src->sens; + cat = src->cat; + while (cat) { + newcat = + (mls_semantic_cat_t *) malloc(sizeof(mls_semantic_cat_t)); + if (!newcat) + goto err; + + mls_semantic_cat_init(newcat); + if (lnewcat) + lnewcat->next = newcat; + else + dst->cat = newcat; + + newcat->low = cat->low; + newcat->high = cat->high; + + lnewcat = newcat; + cat = cat->next; + } + return 0; + + err: + mls_semantic_level_destroy(dst); + return -1; +} + +void mls_semantic_range_init(mls_semantic_range_t * r) +{ + mls_semantic_level_init(&r->level[0]); + mls_semantic_level_init(&r->level[1]); +} + +void mls_semantic_range_destroy(mls_semantic_range_t * r) +{ + mls_semantic_level_destroy(&r->level[0]); + mls_semantic_level_destroy(&r->level[1]); +} + +int mls_semantic_range_cpy(mls_semantic_range_t * dst, + mls_semantic_range_t * src) +{ + if (mls_semantic_level_cpy(&dst->level[0], &src->level[0]) < 0) + return -1; + + if (mls_semantic_level_cpy(&dst->level[1], &src->level[1]) < 0) { + mls_semantic_level_destroy(&dst->level[0]); + return -1; + } + + return 0; +} Modified: trunk/libsepol/src/policydb.c 
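Review bot: mls_semantic_level_destroy frees the category list but leaves `l->cat` pointing at freed memory; callers such as the level[1] failure path in mls_semantic_range_expand (expand.c hunk above) destroy a level that the owning range_trans_rule will destroy again later, and with a dangling pointer that second call becomes a double free. Set `l->cat = NULL;` after the loop so a repeated destroy is a no-op. mls_semantic_level_cpy's `err:` path goes through the same function and benefits from the same change.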
=================================================================== --- trunk/libsepol/src/policydb.c 2006-09-05 14:27:29 UTC (rev 2015) +++ trunk/libsepol/src/policydb.c 2006-09-05 14:27:55 UTC (rev 2016) @@ -233,6 +233,8 @@ { memset(x, 0, sizeof(user_datum_t)); role_set_init(&x->roles); + mls_range_init(&x->range); + mls_level_init(&x->dfltlevel); ebitmap_init(&x->cache); } @@ -240,9 +242,8 @@ { if (x != NULL) { role_set_destroy(&x->roles); - ebitmap_destroy(&x->range.level[0].cat); - ebitmap_destroy(&x->range.level[1].cat); - ebitmap_destroy(&x->dfltlevel.cat); + mls_range_destroy(&x->range); + mls_level_destroy(&x->dfltlevel); ebitmap_destroy(&x->cache); } } @@ -330,7 +331,8 @@ type_set_init(&x->stypes); type_set_init(&x->ttypes); ebitmap_init(&x->tclasses); - mls_range_init(&x->trange); + mls_semantic_range_init(&x->trange); + x->next = NULL; } void range_trans_rule_destroy(range_trans_rule_t * x) @@ -338,7 +340,7 @@ type_set_destroy(&x->stypes); type_set_destroy(&x->ttypes); ebitmap_destroy(&x->tclasses); - mls_range_destroy(&x->trange); + mls_semantic_range_destroy(&x->trange); } void range_trans_rule_list_destroy(range_trans_rule_t * x) 
@@ -1348,6 +1350,116 @@ } /* + * Read a semantic MLS level structure from a policydb binary + * representation file. + */ +static int mls_read_semantic_level_helper(mls_semantic_level_t * l, + struct policy_file *fp) +{ + uint32_t *buf, ncat; + unsigned int i; + mls_semantic_cat_t *cat; + + mls_semantic_level_init(l); + + buf = next_entry(fp, sizeof(uint32_t) * 2); + if (!buf) { + ERR(fp->handle, "truncated level"); + goto bad; + } + l->sens = le32_to_cpu(buf[0]); + + ncat = le32_to_cpu(buf[1]); + for (i = 0; i < ncat; i++) { + cat = (mls_semantic_cat_t *) malloc(sizeof(mls_semantic_cat_t)); + if (!cat) { + ERR(fp->handle, "out of memory"); + goto bad; + } + + mls_semantic_cat_init(cat); + cat->next = l->cat; + l->cat = cat; + + buf = next_entry(fp, sizeof(uint32_t) * 2); + if (!buf) { + ERR(fp->handle, "error reading level categories"); + goto bad; + } + cat->low = le32_to_cpu(buf[0]); + cat->high = le32_to_cpu(buf[1]); + } + + return 0; + + bad: + return -EINVAL; +} + +/* + * Read a semantic MLS range structure from a policydb binary + * representation file. 
+ */ +static int mls_read_semantic_range_helper(mls_semantic_range_t * r, + struct policy_file *fp) +{ + int rc; + + rc = mls_read_semantic_level_helper(&r->level[0], fp); + if (rc) + return rc; + + rc = mls_read_semantic_level_helper(&r->level[1], fp); + + return rc; +} + +static int mls_level_to_semantic(mls_level_t * l, mls_semantic_level_t * sl) +{ + unsigned int i; + ebitmap_node_t *cnode; + mls_semantic_cat_t *open_cat = NULL; + + mls_semantic_level_init(sl); + sl->sens = l->sens; + ebitmap_for_each_bit(&l->cat, cnode, i) { + if (ebitmap_node_get_bit(cnode, i)) { + if (open_cat) + continue; + open_cat = (mls_semantic_cat_t *) + malloc(sizeof(mls_semantic_cat_t)); + if (!open_cat) + return -1; + + mls_semantic_cat_init(open_cat); + open_cat->low = i + 1; + open_cat->next = sl->cat; + sl->cat = open_cat; + } else { + if (!open_cat) + continue; + open_cat->high = i; + open_cat = NULL; + } + } + if (open_cat) + open_cat->high = i; + + return 0; +} + +static int mls_range_to_semantic(mls_range_t * r, mls_semantic_range_t * sr) +{ + if (mls_level_to_semantic(&r->level[0], &sr->level[0])) + return -1; + + if (mls_level_to_semantic(&r->level[1], &sr->level[1])) + return -1; + + return 0; +} + +/* * Read and validate a security context structure * from a policydb binary representation file. */ @@ -2303,6 +2415,7 @@ { uint32_t *buf, nel; range_trans_t *rt, *lrt; + range_trans_rule_t *rtr, *lrtr = NULL; unsigned int i; int new_rangetr = (p->policy_type == POLICY_KERN && p->policyvers >= POLICYDB_VERSION_RANGETRANS); 
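Review bot: `mls_read_semantic_level_helper` stores `cat->low` and `cat->high` straight from the policy file without any check, and the partially built list is leaked on the `bad` path. Those values are later used as 1-based indices (`map[SYM_CATS][src_cat->low - 1]` in the link.c hunk further down this page), so a zero or an inverted pair from a corrupt or untrusted file turns into an out-of-bounds access instead of a parse error. I would add `if (cat->low == 0 || cat->low > cat->high) { ERR(fp->handle, "invalid category range in level"); goto bad; }` after the two assignments, and change the label to `bad: mls_semantic_level_destroy(l); return -EINVAL;` so the caller always receives a clean structure. A bound against the number of defined categories presumably needs the symbol tables to be read first, so that check may belong wherever the level is validated afterwards.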
@@ -2336,6 +2449,58 @@ return -1; lrt = rt; } + + /* if this is a kernel policy, we are done - otherwise we need to + * convert these structs to range_trans_rule_ts */ + if (p->policy_type == POLICY_KERN) + return 0; + + /* create range_trans_rules_ts that correspond to the range_trans_ts + * that were just read in from an older policy */ + for (rt = p->range_tr; rt; rt = rt->next) { + rtr = malloc(sizeof(range_trans_rule_t)); + if (!rtr) { + return -1; + } + range_trans_rule_init(rtr); + + if (lrtr) + lrtr->next = rtr; + else + p->global->enabled->range_tr_rules = rtr; + + if (ebitmap_set_bit(&rtr->stypes.types, rt->source_type - 1, 1)) + return -1; + + if (ebitmap_set_bit(&rtr->ttypes.types, rt->target_type - 1, 1)) + return -1; + + if (ebitmap_set_bit(&rtr->tclasses, rt->target_class - 1, 1)) + return -1; + + if (mls_range_to_semantic(&rt->target_range, &rtr->trange)) + return -1; + + lrtr = rtr; + } + + /* now destroy the range_trans_ts */ + lrt = NULL; + for (rt = p->range_tr; rt; rt = rt->next) { + if (lrt) { + ebitmap_destroy(&lrt->target_range.level[0].cat); + ebitmap_destroy(&lrt->target_range.level[1].cat); + free(lrt); + } + lrt = rt; + } + if (lrt) { + ebitmap_destroy(&lrt->target_range.level[0].cat); + ebitmap_destroy(&lrt->target_range.level[1].cat); + free(lrt); + } + p->range_tr = NULL; + return 0; } @@ -2478,7 +2643,7 @@ if (ebitmap_read(&rt->tclasses, fp)) return -1; - if (mls_read_range_helper(&rt->trange, fp)) + if (mls_read_semantic_range_helper(&rt->trange, fp)) return -1; lrt = rt; Modified: trunk/libsepol/src/write.c =================================================================== --- trunk/libsepol/src/write.c 2006-09-05 14:27:29 UTC (rev 2015) +++ trunk/libsepol/src/write.c 2006-09-05 14:27:55 UTC (rev 2016) 
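Review bot: The teardown of the old `range_trans_t` list at the end of the hunk duplicates the destroy/free sequence inside and after the loop, and still spells out the two `ebitmap_destroy` calls that this same commit replaces with `mls_range_destroy` in `user_datum_destroy` (policydb.c hunk at -240 above). A single loop that unlinks from `p->range_tr` as it goes is shorter, uses the new helper, and leaves `p->range_tr` consistent even if the function is ever interrupted mid-way. The early `return -1` paths in the conversion loop leave a half-populated `range_tr_rules` list behind; that is presumably cleaned up when the policydb is destroyed, but worth confirming. The enclosing function starts outside the hunk.
```c
	/* … unchanged: conversion loop building range_tr_rules … */

	/* now destroy the range_trans_ts, unlinking as we go */
	while (p->range_tr) {
		rt = p->range_tr;
		p->range_tr = rt->next;
		mls_range_destroy(&rt->target_range);
		free(rt);
	}
	return 0;
```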
@@ -308,6 +308,55 @@ } /* + * Write a semantic MLS level structure to a policydb binary + * representation file. + */ +static int mls_write_semantic_level_helper(mls_semantic_level_t * l, + struct policy_file *fp) +{ + uint32_t buf[2], ncat = 0; + size_t items; + mls_semantic_cat_t *cat; + + for (cat = l->cat; cat; cat = cat->next) + ncat++; + + buf[0] = cpu_to_le32(l->sens); + buf[1] = cpu_to_le32(ncat); + items = put_entry(buf, sizeof(uint32_t), 2, fp); + if (items != 2) + return POLICYDB_ERROR; + + for (cat = l->cat; cat; cat = cat->next) { + buf[0] = cpu_to_le32(cat->low); + buf[1] = cpu_to_le32(cat->high); + items = put_entry(buf, sizeof(uint32_t), 2, fp); + if (items != 2) + return POLICYDB_ERROR; + } + + return POLICYDB_SUCCESS; +} + +/* + * Read a semantic MLS range structure to a policydb binary + * representation file. + */ +static int mls_write_semantic_range_helper(mls_semantic_range_t * r, + struct policy_file *fp) +{ + int rc; + + rc = mls_write_semantic_level_helper(&r->level[0], fp); + if (rc) + return rc; + + rc = mls_write_semantic_level_helper(&r->level[1], fp); + + return rc; +} + +/* * Write a MLS level structure to a policydb binary * representation file. */ @@ -1309,7 +1358,7 @@ return POLICYDB_ERROR; if (ebitmap_write(&rt->tclasses, fp)) return POLICYDB_ERROR; - if (mls_write_range_helper(&rt->trange, fp)) + if (mls_write_semantic_range_helper(&rt->trange, fp)) return POLICYDB_ERROR; } return POLICYDB_SUCCESS; This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
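Review bot: The header comment on `mls_write_semantic_range_helper` was copied from the reader and says "Read a semantic MLS range structure to a policydb binary representation file"; it should read `Write a semantic MLS range structure to a policydb binary representation file.` The level writer's comment above it is correct. Both helpers otherwise mirror their read counterparts and return `POLICYDB_ERROR`/`POLICYDB_SUCCESS` consistently with the surrounding write.c code.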
From: <mad...@us...> - 2006-09-05 14:28:52
Revision: 2017 http://svn.sourceforge.net/selinux/?rev=2017&view=rev Author: madmethod Date: 2006-09-05 07:28:31 -0700 (Tue, 05 Sep 2006) Log Message: ----------- Author: Darrel Goeddel Email: dgo...@Tr... Subject: semantic MLS representation for users Date: Thu, 31 Aug 2006 17:21:21 -0500 Here is a second take on the previous patch. The changes are: - no longer create semantic representation of user MLS fields when reading in a kernel format policy - no longer copy the semantic representation of user MLS fields when expanding users - no longer attempt to expand the semantic MLS components when caching user information if the policy is already in kernel format (the semantic info is no longer there) --- Use the semantic representation for user_datums in modular policy formats. All user_datums in a modular format use the semantic representation of the MLS range and dfltlevel. There is also the possibility of having an expanded version of that data also present in the user_datum. This is used much like the role cache in the user_datum. When the users are indexed, the MLS info is expanded. This info may be used to check the validity of context. This expansion is not used when writing out a kernel format policy - the expansion is performed again to ensure that the data is present and in sync with the rest of the policy. Like the range_trans structs, user_datums from older modular formats will have their MLS data converted to the new semantic structs. 
Signed-off-by: Darrel Goeddel <dgo...@tr...> Acked-By: Joshua Brindle <jbr...@tr...> Modified Paths: -------------- trunk/checkpolicy/policy_parse.y trunk/libsepol/include/sepol/policydb/policydb.h trunk/libsepol/src/expand.c trunk/libsepol/src/mls.c trunk/libsepol/src/policydb.c trunk/libsepol/src/users.c trunk/libsepol/src/write.c Modified: trunk/checkpolicy/policy_parse.y =================================================================== --- trunk/checkpolicy/policy_parse.y 2006-09-05 14:27:55 UTC (rev 2016) +++ trunk/checkpolicy/policy_parse.y 2006-09-05 14:28:31 UTC (rev 2017) @@ -3737,11 +3737,10 @@ free(id); usrdatum->dfltlevel.sens = levdatum->level->sens; - ebitmap_init(&usrdatum->dfltlevel.cat); while ((id = queue_remove(id_queue))) { - if (parse_categories(id, levdatum, - &usrdatum->dfltlevel.cat)) { + if (parse_semantic_categories(id, levdatum, + &usrdatum->dfltlevel.cat)) { free(id); return -1; } @@ -3763,13 +3762,12 @@ return -1; } free(id); + usrdatum->range.level[l].sens = levdatum->level->sens; - ebitmap_init(&usrdatum->range.level[l].cat); while ((id = queue_remove(id_queue))) { - if (parse_categories(id, levdatum, - &usrdatum->range.level[l]. - cat)) { + if (parse_semantic_categories(id, levdatum, + &usrdatum->range.level[l].cat)) { free(id); return -1; } 
@@ -3782,33 +3780,14 @@ } if (l == 0) { - usrdatum->range.level[1].sens = - usrdatum->range.level[0].sens; - if (ebitmap_cpy(&usrdatum->range.level[1].cat, - &usrdatum->range.level[0].cat)) { + if (mls_semantic_level_cpy(&usrdatum->range.level[1], + &usrdatum->range.level[0])) { yyerror("out of memory"); - goto out; + return -1; } } - if (!mls_level_dom(&usrdatum->range.level[1], - &usrdatum->range.level[0])) { - yyerror("high level does not dominate low level"); - goto out; - } - if (!mls_level_between(&usrdatum->dfltlevel, - &usrdatum->range.level[0], - &usrdatum->range.level[1])) { - yyerror("default level not within user range"); - goto out; - } } return 0; - - out: - ebitmap_destroy(&usrdatum->dfltlevel.cat); - ebitmap_destroy(&usrdatum->range.level[0].cat); - ebitmap_destroy(&usrdatum->range.level[1].cat); - return -1; } static int parse_security_context(context_struct_t * c) Modified: trunk/libsepol/include/sepol/policydb/policydb.h =================================================================== --- trunk/libsepol/include/sepol/policydb/policydb.h 2006-09-05 14:27:55 UTC (rev 2016) +++ trunk/libsepol/include/sepol/policydb/policydb.h 2006-09-05 14:28:31 UTC (rev 2017) @@ -149,9 +149,11 @@ typedef struct user_datum { symtab_datum_t s; role_set_t roles; /* set of authorized roles for user */ - mls_range_t range; /* MLS range (min. - max.) for user */ - mls_level_t dfltlevel; /* default login MLS level for user */ + mls_semantic_range_t range; /* MLS range (min. - max.) for user */ + mls_semantic_level_t dfltlevel; /* default login MLS level for user */ ebitmap_t cache; /* This is an expanded set used for context validation during parsing */ + mls_range_t exp_range; /* expanded range used for validation */ + mls_level_t exp_dfltlevel; /* expanded range used for validation */ } user_datum_t; /* Sensitivity attributes */ 
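Review bot: The removed block took two parse-time checks with it: "high level does not dominate low level" (`mls_level_dom`) and "default level not within user range" (`mls_level_between`). The second reappears in the expand.c hunk of this commit, but I see no replacement for the dominance check on this page; if `mls_semantic_range_expand` does not enforce it, a user declared with an inverted range would now be accepted at compile time and only surface later, if at all. A comment at the `if (l == 0)` site saying where the validation now happens, e.g. `/* range validation (dominance, default within range) is deferred to expansion */`, would make the intent explicit. The enclosing function starts outside the hunk.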
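Review bot: The new field comment on `exp_dfltlevel` in `user_datum` is a copy of the one above it and is wrong: it says "expanded range used for validation" for a level. It should read `mls_level_t exp_dfltlevel; /* expanded default level used for validation */`. Given that the commit message describes these as a cache that is rebuilt on indexing, it would also help readers to say so on `exp_range`, e.g. `/* expanded range used for validation; rebuilt when users are indexed */`.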
@@ -586,9 +588,10 @@ #define MOD_POLICYDB_VERSION_VALIDATETRANS 5 #define MOD_POLICYDB_VERSION_MLS 5 #define MOD_POLICYDB_VERSION_RANGETRANS 6 +#define MOD_POLICYDB_VERSION_MLS_USERS 6 #define MOD_POLICYDB_VERSION_MIN MOD_POLICYDB_VERSION_BASE -#define MOD_POLICYDB_VERSION_MAX MOD_POLICYDB_VERSION_RANGETRANS +#define MOD_POLICYDB_VERSION_MAX MOD_POLICYDB_VERSION_MLS_USERS #define POLICYDB_CONFIG_MLS 1 Modified: trunk/libsepol/src/expand.c =================================================================== --- trunk/libsepol/src/expand.c 2006-09-05 14:27:55 UTC (rev 2016) +++ trunk/libsepol/src/expand.c 2006-09-05 14:28:31 UTC (rev 2017) @@ -692,13 +692,46 @@ return -1; } - /* clone MLS stuff */ - if (mls_range_cpy(&new_user->range, &user->range) == -1 - || mls_level_cpy(&new_user->dfltlevel, - &user->dfltlevel) == -1) { - ERR(state->handle, "Out of memory!"); + /* expand the semantic MLS info */ + if (mls_semantic_range_expand(&user->range, + &new_user->exp_range, + state->out, state->handle)) { return -1; } + if (mls_semantic_level_expand(&user->dfltlevel, + &new_user->exp_dfltlevel, + state->out, state->handle)) { + return -1; + } + if (!mls_level_between(&new_user->exp_dfltlevel, + &new_user->exp_range.level[0], + &new_user->exp_range.level[1])) { + ERR(state->handle, "default level not within user " + "range"); + return -1; + } + } else { + /* require that the MLS info match */ + mls_range_t tmp_range; + mls_level_t tmp_level; + + if (mls_semantic_range_expand(&user->range, &tmp_range, + state->out, state->handle)) { + return -1; + } + if (mls_semantic_level_expand(&user->dfltlevel, &tmp_level, + state->out, state->handle)) { + mls_range_destroy(&tmp_range); + return -1; + } + if (!mls_range_eq(&new_user->exp_range, &tmp_range) || + !mls_level_eq(&new_user->exp_dfltlevel, &tmp_level)) { + mls_range_destroy(&tmp_range); + mls_level_destroy(&tmp_level); + return -1; + } + mls_range_destroy(&tmp_range); + mls_level_destroy(&tmp_level); } ebitmap_init(&tmp_union); 
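Review bot: In the `else` branch of the expand.c hunk, the mismatch case (`!mls_range_eq(...) || !mls_level_eq(...)`) returns -1 without logging, whereas every other failure in this function goes through `ERR(state->handle, ...)`. A user whose MLS range or default level differs between two modules would therefore fail expansion with no diagnostic naming the user or the reason. Add `ERR(state->handle, "MLS range or default level for user does not match previous declaration");` before the two destroys, including the user name if the hashtab key is in scope in this callback. The enclosing function starts outside the hunk.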
@@ -788,7 +821,7 @@ } if (state->verbose) - INFO(state->handle, "copying senitivity level %s", id); + INFO(state->handle, "copying sensitivity level %s", id); if ((new_level = (level_datum_t *) calloc(1, sizeof(*new_level))) == NULL @@ -2207,6 +2240,17 @@ if (hashtab_map(state.base->p_roles.table, role_copy_callback, &state)) goto cleanup; + /* copy MLS's sensitivity level and categories - this needs to be done + * before expanding users (they need to be indexed too) */ + if (hashtab_map(state.base->p_levels.table, sens_copy_callback, &state)) + goto cleanup; + if (hashtab_map(state.base->p_cats.table, cats_copy_callback, &state)) + goto cleanup; + if (policydb_index_others(handle, out, verbose)) { + ERR(handle, "Error while indexing out symbols"); + goto cleanup; + } + /* copy users */ if (hashtab_map(state.base->p_users.table, user_copy_callback, &state)) goto cleanup; @@ -2215,13 +2259,6 @@ if (hashtab_map(state.base->p_bools.table, bool_copy_callback, &state)) goto cleanup; - /* now copy MLS's sensitivity level and categories */ - if (hashtab_map(state.base->p_levels.table, sens_copy_callback, &state) - || hashtab_map(state.base->p_cats.table, cats_copy_callback, - &state)) { - goto cleanup; - } - if (policydb_index_classes(out)) { ERR(handle, "Error while indexing out classes"); goto cleanup; Modified: trunk/libsepol/src/mls.c =================================================================== --- trunk/libsepol/src/mls.c 2006-09-05 14:27:55 UTC (rev 2016) +++ trunk/libsepol/src/mls.c 2006-09-05 14:28:31 UTC (rev 2017) @@ -310,7 +310,7 @@ if (!c->user || c->user > p->p_users.nprim) return 0; usrdatum = p->user_val_to_struct[c->user - 1]; - if (!mls_range_contains(usrdatum->range, c->range)) + if (!mls_range_contains(usrdatum->exp_range, c->range)) return 0; /* user may not be associated with range */ return 1; 
@@ -512,9 +512,9 @@ if (mls) { mls_level_t *fromcon_sen = &(fromcon->range.level[0]); mls_level_t *fromcon_clr = &(fromcon->range.level[1]); - mls_level_t *user_low = &(user->range.level[0]); - mls_level_t *user_clr = &(user->range.level[1]); - mls_level_t *user_def = &(user->dfltlevel); + mls_level_t *user_low = &(user->exp_range.level[0]); + mls_level_t *user_clr = &(user->exp_range.level[1]); + mls_level_t *user_def = &(user->exp_dfltlevel); mls_level_t *usercon_sen = &(usercon->range.level[0]); mls_level_t *usercon_clr = &(usercon->range.level[1]); Modified: trunk/libsepol/src/policydb.c =================================================================== --- trunk/libsepol/src/policydb.c 2006-09-05 14:27:55 UTC (rev 2016) +++ trunk/libsepol/src/policydb.c 2006-09-05 14:28:31 UTC (rev 2017) @@ -112,7 +112,7 @@ }, { .type = POLICY_BASE, - .version = MOD_POLICYDB_VERSION_RANGETRANS, + .version = MOD_POLICYDB_VERSION_MLS_USERS, .sym_num = SYM_NUM, .ocon_num = OCON_NODE6 + 1, }, @@ -130,7 +130,7 @@ }, { .type = POLICY_MOD, - .version = MOD_POLICYDB_VERSION_RANGETRANS, + .version = MOD_POLICYDB_VERSION_MLS_USERS, .sym_num = SYM_NUM, .ocon_num = 0}, }; @@ -233,18 +233,22 @@ { memset(x, 0, sizeof(user_datum_t)); role_set_init(&x->roles); - mls_range_init(&x->range); - mls_level_init(&x->dfltlevel); + mls_semantic_range_init(&x->range); + mls_semantic_level_init(&x->dfltlevel); ebitmap_init(&x->cache); + mls_range_init(&x->exp_range); + mls_level_init(&x->exp_dfltlevel); } void user_datum_destroy(user_datum_t * x) { if (x != NULL) { role_set_destroy(&x->roles); - mls_range_destroy(&x->range); - mls_level_destroy(&x->dfltlevel); + mls_semantic_range_destroy(&x->range); + mls_semantic_level_destroy(&x->dfltlevel); ebitmap_destroy(&x->cache); + mls_range_destroy(&x->exp_range); + mls_level_destroy(&x->exp_dfltlevel); } } 
@@ -498,6 +502,20 @@ return -1; } + if (p->policy_type != POLICY_KERN) { + mls_range_destroy(&user->exp_range); + if (mls_semantic_range_expand(&user->range, + &user->exp_range, p, NULL)) { + return -1; + } + + mls_level_destroy(&user->exp_dfltlevel); + if (mls_semantic_level_expand(&user->dfltlevel, + &user->exp_dfltlevel, p, NULL)) { + return -1; + } + } + return 0; } 
@@ -2235,18 +2253,38 @@ goto bad; } - /* users aren't allowed in mls modules but they can be required, the mls fields will be empty, - * user declarations in non-mls modules will also have empty mls fields */ + /* users were not allowed in mls modules before version + * MOD_POLICYDB_VERSION_MLS_USERS, but they could have been + * required - the mls fields will be empty. user declarations in + * non-mls modules will also have empty mls fields */ if ((p->policy_type == POLICY_KERN && p->policyvers >= POLICYDB_VERSION_MLS) || (p->policy_type == POLICY_MOD - && p->policyvers >= MOD_POLICYDB_VERSION_MLS) + && p->policyvers >= MOD_POLICYDB_VERSION_MLS + && p->policyvers < MOD_POLICYDB_VERSION_MLS_USERS) || (p->policy_type == POLICY_BASE - && p->policyvers >= MOD_POLICYDB_VERSION_MLS)) { - if (mls_read_range_helper(&usrdatum->range, fp)) + && p->policyvers >= MOD_POLICYDB_VERSION_MLS + && p->policyvers < MOD_POLICYDB_VERSION_MLS_USERS)) { + if (mls_read_range_helper(&usrdatum->exp_range, fp)) goto bad; - if (mls_read_level(&usrdatum->dfltlevel, fp)) + if (mls_read_level(&usrdatum->exp_dfltlevel, fp)) goto bad; + if (p->policy_type != POLICY_KERN) { + if (mls_range_to_semantic(&usrdatum->exp_range, + &usrdatum->range)) + goto bad; + if (mls_level_to_semantic(&usrdatum->exp_dfltlevel, + &usrdatum->dfltlevel)) + goto bad; + } + } else if ((p->policy_type == POLICY_MOD + && p->policyvers >= MOD_POLICYDB_VERSION_MLS_USERS) + || (p->policy_type == POLICY_BASE + && p->policyvers >= MOD_POLICYDB_VERSION_MLS_USERS)) { + if (mls_read_semantic_range_helper(&usrdatum->range, fp)) + goto bad; + if (mls_read_semantic_level_helper(&usrdatum->dfltlevel, fp)) + goto bad; } if (hashtab_insert(h, key, usrdatum)) Modified: trunk/libsepol/src/users.c =================================================================== --- trunk/libsepol/src/users.c 2006-09-05 14:27:55 UTC (rev 2016) +++ trunk/libsepol/src/users.c 2006-09-05 14:28:31 UTC (rev 2017) 
@@ -47,13 +47,13 @@ context_init(&context); if (mls_level_cpy(&context.range.level[0], - &usrdatum->dfltlevel) < 0) { + &usrdatum->exp_dfltlevel) < 0) { ERR(handle, "could not copy MLS level"); context_destroy(&context); goto err; } if (mls_level_cpy(&context.range.level[1], - &usrdatum->dfltlevel) < 0) { + &usrdatum->exp_dfltlevel) < 0) { ERR(handle, "could not copy MLS level"); context_destroy(&context); goto err; @@ -71,7 +71,7 @@ free(str); context_init(&context); - if (mls_range_cpy(&context.range, &usrdatum->range) < 0) { + if (mls_range_cpy(&context.range, &usrdatum->exp_range) < 0) { ERR(handle, "could not copy MLS range"); context_destroy(&context); goto err; @@ -191,8 +191,8 @@ context_destroy(&context); goto err; } - if (mls_level_cpy(&usrdatum->dfltlevel, &context.range.level[0]) - < 0) { + if (mls_level_cpy(&usrdatum->exp_dfltlevel, + &context.range.level[0]) < 0) { ERR(handle, "could not copy MLS level %s", cmls_level); context_destroy(&context); goto err; @@ -211,13 +211,12 @@ context_destroy(&context); goto err; } - if (mls_range_cpy(&usrdatum->range, &context.range) < 0) { + if (mls_range_cpy(&usrdatum->exp_range, &context.range) < 0) { ERR(handle, "could not copy MLS range %s", cmls_range); context_destroy(&context); goto err; } context_destroy(&context); - } else if (cmls_level != NULL || cmls_range != NULL) { ERR(handle, "MLS is disabled, but MLS level/range " "was found for user %s", cname); Modified: trunk/libsepol/src/write.c =================================================================== --- trunk/libsepol/src/write.c 2006-09-05 14:27:55 UTC (rev 2016) +++ trunk/libsepol/src/write.c 2006-09-05 14:28:31 UTC (rev 2017) 
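Review bot: The users.c hunks switch the public user API to read and write only `exp_range` and `exp_dfltlevel`, never the semantic `range`/`dfltlevel`. For a kernel policy that is the right pair, but if these routines are ever used on a modular or base policy the MLS data they store is in the field that the write path of this commit does not serialise (write.c now emits `usrdatum->range`/`dfltlevel` for `MOD_POLICYDB_VERSION_MLS_USERS`), and the indexing hunk in policydb.c destroys and rebuilds `exp_range` from the semantic form. A short comment at the top of these functions stating that they operate on the expanded representation and are valid for kernel-format policies only, or a `POLICY_KERN` check, would pin that down; I cannot see from the hunk whether such a restriction already exists. The enclosing functions start outside the hunks.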
@@ -1005,18 +1005,27 @@ if (role_set_write(&usrdatum->roles, fp)) return POLICYDB_ERROR; } - /* Users are allowed in non-mls modules, so the empty field will be present - in modules with users >= MOD_POLICYDB_VERSION_MLS */ + if ((p->policyvers >= POLICYDB_VERSION_MLS && p->policy_type == POLICY_KERN) || (p->policyvers >= MOD_POLICYDB_VERSION_MLS + && p->policyvers < MOD_POLICYDB_VERSION_MLS_USERS && p->policy_type == POLICY_MOD) || (p->policyvers >= MOD_POLICYDB_VERSION_MLS + && p->policyvers < MOD_POLICYDB_VERSION_MLS_USERS && p->policy_type == POLICY_BASE)) { - if (mls_write_range_helper(&usrdatum->range, fp)) + if (mls_write_range_helper(&usrdatum->exp_range, fp)) return POLICYDB_ERROR; - if (mls_write_level(&usrdatum->dfltlevel, fp)) + if (mls_write_level(&usrdatum->exp_dfltlevel, fp)) return POLICYDB_ERROR; + } else if ((p->policyvers >= MOD_POLICYDB_VERSION_MLS_USERS + && p->policy_type == POLICY_MOD) + || (p->policyvers >= MOD_POLICYDB_VERSION_MLS_USERS + && p->policy_type == POLICY_BASE)) { + if (mls_write_semantic_range_helper(&usrdatum->range, fp)) + return -1; + if (mls_write_semantic_level_helper(&usrdatum->dfltlevel, fp)) + return -1; } return POLICYDB_SUCCESS; This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
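Review bot: The new `else if` branch returns `-1` when `mls_write_semantic_range_helper` or `mls_write_semantic_level_helper` fails, while every other failure in this function and in the helpers themselves returns `POLICYDB_ERROR`. Callers that compare against the `POLICYDB_*` constants will treat the two inconsistently; change both to `return POLICYDB_ERROR;`. The comment that was deleted ("Users are allowed in non-mls modules, so the empty field will be present ...") was the only explanation of why the version tests are structured this way, and a one-line replacement on the new branch would help, e.g. `/* MLS_USERS and later store the semantic (unexpanded) MLS fields */`. The enclosing function starts outside the hunk.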
From: <mad...@us...> - 2006-09-28 12:12:15
Revision: 2033 http://svn.sourceforge.net/selinux/?rev=2033&view=rev Author: madmethod Date: 2006-09-28 05:11:42 -0700 (Thu, 28 Sep 2006) Log Message: ----------- Author: Darrel Goeddel Email: dgo...@Tr... Subject: allow range_transitions and MLS users in modules Date: Tue, 26 Sep 2006 12:49:15 -0500 - Add the ability to require MLS sensitivities and categories in policy modules. - Remove the restrictions on defining users in MLS-enabled modules. - Handle range_trans_rules in modules. - Cleanup some uses of calloc/memset This all allows range_transition statements to be used in policy modules and allows definition of users in MLS policy modules. Signed-Off-By: Darrel Goeddel <dgo...@Tr...> Acked-By: Joshua Brindle <jbr...@tr...> Modified Paths: -------------- trunk/checkpolicy/module_compiler.c trunk/checkpolicy/module_compiler.h trunk/checkpolicy/policy_parse.y trunk/libsepol/include/sepol/policydb/policydb.h trunk/libsepol/src/expand.c trunk/libsepol/src/link.c trunk/libsepol/src/policydb.c Modified: trunk/checkpolicy/module_compiler.c =================================================================== --- trunk/checkpolicy/module_compiler.c 2006-09-18 19:13:13 UTC (rev 2032) +++ trunk/checkpolicy/module_compiler.c 2006-09-28 12:11:42 UTC (rev 2033) 
@@ -937,6 +937,122 @@ } } +int require_sens(int pass) +{ + char *id = queue_remove(id_queue); + level_datum_t *level = NULL; + int retval; + if (pass == 2) { + free(id); + return 0; + } + if (!id) { + yyerror("no sensitivity name"); + return -1; + } + level = malloc(sizeof(level_datum_t)); + if (!level) { + free(id); + yyerror("Out of memory!"); + return -1; + } + level_datum_init(level); + level->level = malloc(sizeof(mls_level_t)); + if (!level->level) { + free(id); + level_datum_destroy(level); + free(level); + yyerror("Out of memory!"); + return -1; + } + mls_level_init(level->level); + retval = require_symbol(SYM_LEVELS, id, (hashtab_datum_t *) level, + &level->level->sens, &level->level->sens); + if (retval != 0) { + free(id); + mls_level_destroy(level->level); + free(level->level); + level_datum_destroy(level); + free(level); + } + switch (retval) { + case -3:{ + yyerror("Out of memory!"); + return -1; + } + case -2:{ + yyerror("duplicate declaration of sensitivity"); + return -1; + } + case -1:{ + yyerror("could not require sensitivity here"); + return -1; + } + case 0:{ + return 0; + } + case 1:{ + return 0; /* sensitivity already required */ + } + default:{ + assert(0); /* should never get here */ + } + } +} + +int require_cat(int pass) +{ + char *id = queue_remove(id_queue); + cat_datum_t *cat = NULL; + int retval; + if (pass == 2) { + free(id); + return 0; + } + if (!id) { + yyerror("no category name"); + return -1; + } + cat = malloc(sizeof(cat_datum_t)); + if (!cat) { + free(id); + yyerror("Out of memory!"); + return -1; + } + cat_datum_init(cat); + + retval = require_symbol(SYM_CATS, id, (hashtab_datum_t *) cat, + &cat->s.value, &cat->s.value); + if (retval != 0) { + free(id); + cat_datum_destroy(cat); + free(cat); + } + switch (retval) { + case -3:{ + yyerror("Out of memory!"); + return -1; + } + case -2:{ + yyerror("duplicate declaration of category"); + return -1; + } + case -1:{ + yyerror("could not require category here"); + return -1; + } + 
case 0:{ + return 0; + } + case 1:{ + return 0; /* category already required */ + } + default:{ + assert(0); /* should never get here */ + } + } +} + static int is_scope_in_stack(scope_datum_t * scope, scope_stack_t * stack) { int i; Modified: trunk/checkpolicy/module_compiler.h =================================================================== --- trunk/checkpolicy/module_compiler.h 2006-09-18 19:13:13 UTC (rev 2032) +++ trunk/checkpolicy/module_compiler.h 2006-09-28 12:11:42 UTC (rev 2033) @@ -56,6 +56,8 @@ int require_attribute(int pass); int require_user(int pass); int require_bool(int pass); +int require_sens(int pass); +int require_cat(int pass); /* Check if an identifier is within the scope of the current * declaration or any of its parents. Return 1 if it is, 0 if not. Modified: trunk/checkpolicy/policy_parse.y =================================================================== --- trunk/checkpolicy/policy_parse.y 2006-09-18 19:13:13 UTC (rev 2032) +++ trunk/checkpolicy/policy_parse.y 2006-09-28 12:11:42 UTC (rev 2033) @@ -834,10 +834,8 @@ | ATTRIBUTE { $$ = require_attribute; } | USER { $$ = require_user; } | BOOL { $$ = require_bool; } -/* MLS-enabled modules are not implemented at this time. | SENSITIVITY { $$ = require_sens; } | CATEGORY { $$ = require_cat; } -*/ ; require_id_list : identifier { if ($<require_func>0 (pass)) return -1; } @@ -1301,7 +1299,7 @@ yyerror("out of memory"); goto bad; } - memset(level, 0, sizeof(mls_level_t)); + mls_level_init(level); level->sens = 0; /* actual value set in define_dominance */ ebitmap_init(&level->cat); /* actual value set in define_level */ @@ -1310,7 +1308,7 @@ yyerror("out of memory"); goto bad; } - memset(datum, 0, sizeof(level_datum_t)); + level_datum_init(datum); datum->isalias = FALSE; datum->level = level; 
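Review bot: Both `require_sens` and `require_cat` end their `switch (retval)` with `default: assert(0);` and then fall off the end of a non-void function; with `NDEBUG` defined the assert disappears and the caller receives an indeterminate return value. Add `return -1;` after the `assert(0);` in each default case. The cleanup on `retval != 0` in `require_sens` calls `mls_level_destroy`/`free` on `level->level` and then `level_datum_destroy(level)`; whether that double-handles `level->level` depends on what `level_datum_destroy` does, which is declared but not defined on this page, so worth a quick check.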
@@ -1347,7 +1345,7 @@ yyerror("out of memory"); goto bad_alias; } - memset(aliasdatum, 0, sizeof(level_datum_t)); + level_datum_init(aliasdatum); aliasdatum->isalias = TRUE; aliasdatum->level = level; @@ -1384,15 +1382,19 @@ free(id); if (level) free(level); - if (datum) + if (datum) { + level_datum_destroy(datum); free(datum); + } return -1; bad_alias: if (id) free(id); - if (aliasdatum) + if (aliasdatum) { + level_datum_destroy(aliasdatum); free(aliasdatum); + } return -1; } @@ -1480,7 +1482,7 @@ yyerror("out of memory"); goto bad; } - memset(datum, 0, sizeof(cat_datum_t)); + cat_datum_init(datum); datum->isalias = FALSE; ret = declare_symbol(SYM_CATS, id, datum, &value, &value); @@ -1517,7 +1519,7 @@ yyerror("out of memory"); goto bad_alias; } - memset(aliasdatum, 0, sizeof(cat_datum_t)); + cat_datum_init(aliasdatum); aliasdatum->isalias = TRUE; aliasdatum->s.value = datum->s.value; @@ -1554,15 +1556,19 @@ bad: if (id) free(id); - if (datum) + if (datum) { + cat_datum_destroy(datum); free(datum); + } return -1; bad_alias: if (id) free(id); - if (aliasdatum) + if (aliasdatum) { + cat_datum_destroy(aliasdatum); free(aliasdatum); + } return -1; } @@ -3682,11 +3688,6 @@ level_datum_t *levdatum; int l; - if (policydbp->policy_type == POLICY_MOD && mlspol) { - yyerror("Users cannot be declared in MLS modules"); - return -1; - } - if (pass == 1) { while ((id = queue_remove(id_queue))) free(id); Modified: trunk/libsepol/include/sepol/policydb/policydb.h =================================================================== --- trunk/libsepol/include/sepol/policydb/policydb.h 2006-09-18 19:13:13 UTC (rev 2032) +++ trunk/libsepol/include/sepol/policydb/policydb.h 2006-09-28 12:11:42 UTC (rev 2033) 
@@ -532,6 +532,10 @@ extern void type_datum_destroy(type_datum_t * x); extern void user_datum_init(user_datum_t * x); extern void user_datum_destroy(user_datum_t * x); +extern void level_datum_init(level_datum_t * x); +extern void level_datum_destroy(level_datum_t * x); +extern void cat_datum_init(cat_datum_t * x); +extern void cat_datum_destroy(cat_datum_t * x); extern int check_assertions(sepol_handle_t * handle, policydb_t * p, avrule_t * avrules); Modified: trunk/libsepol/src/expand.c =================================================================== --- trunk/libsepol/src/expand.c 2006-09-18 19:13:13 UTC (rev 2032) +++ trunk/libsepol/src/expand.c 2006-09-28 12:11:42 UTC (rev 2033) @@ -823,13 +823,17 @@ if (state->verbose) INFO(state->handle, "copying sensitivity level %s", id); - if ((new_level = - (level_datum_t *) calloc(1, sizeof(*new_level))) == NULL - || (new_level->level = - (mls_level_t *) calloc(1, sizeof(mls_level_t))) == NULL - || (new_id = strdup(id)) == NULL) { + new_level = (level_datum_t *) malloc(sizeof(level_datum_t)); + if (!new_level) goto out_of_mem; - } + level_datum_init(new_level); + new_level->level = (mls_level_t *) malloc(sizeof(mls_level_t)); + if (!new_level->level) + goto out_of_mem; + mls_level_init(new_level->level); + new_id = strdup(id); + if (!new_id) + goto out_of_mem; if (mls_level_cpy(new_level->level, level->level)) { goto out_of_mem; @@ -847,9 +851,10 @@ out_of_mem: ERR(state->handle, "Out of memory!"); if (new_level != NULL && new_level->level != NULL) { - ebitmap_destroy(&new_level->level->cat); + mls_level_destroy(new_level->level); free(new_level->level); } + level_datum_destroy(new_level); free(new_level); free(new_id); return -1; 
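Review bot: In the expand.c `out_of_mem` path, `level_datum_destroy(new_level)` is now called unconditionally, including when the very first `malloc` failed and `new_level` is NULL; the same pattern appears with `cat_datum_destroy(new_cat)` in the next hunk (-887). The policy_parse.y hunks in this commit guard the same calls with `if (datum) { ... }`, which suggests the destroy routines are not NULL-safe, though their bodies are not on this page. Guarding here too, `if (new_level) level_datum_destroy(new_level);` (and likewise for `new_cat`), keeps the allocation-failure path from turning into a NULL dereference. The enclosing functions start outside the hunks.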
@@ -870,10 +875,13 @@ if (state->verbose) INFO(state->handle, "copying category attribute %s", id); - if ((new_cat = (cat_datum_t *) calloc(1, sizeof(*new_cat))) == NULL || - (new_id = strdup(id)) == NULL) { + new_cat = (cat_datum_t *) malloc(sizeof(cat_datum_t)); + if (!new_cat) goto out_of_mem; - } + cat_datum_init(new_cat); + new_id = strdup(id); + if (!new_id) + goto out_of_mem; new_cat->s.value = cat->s.value; new_cat->isalias = cat->isalias; @@ -887,6 +895,7 @@ out_of_mem: ERR(state->handle, "Out of memory!"); + cat_datum_destroy(new_cat); free(new_cat); free(new_id); return -1; Modified: trunk/libsepol/src/link.c =================================================================== --- trunk/libsepol/src/link.c 2006-09-18 19:13:13 UTC (rev 2032) +++ trunk/libsepol/src/link.c 2006-09-28 12:11:42 UTC (rev 2033) @@ -468,25 +468,8 @@ char *id = key, *new_id = NULL; user_datum_t *user, *base_user, *new_user = NULL; link_state_t *state = (link_state_t *) data; - scope_datum_t *scope; user = (user_datum_t *) datum; - if (state->base->mls) { - scope = - hashtab_search(state->cur->policy->p_users_scope.table, id); - if (!scope) { - ERR(state->handle, - "No scope information for user %s in module %s\n", - id, state->cur_mod_name); - return -1; - } - if (scope->scope == SCOPE_DECL) { - ERR(state->handle, - "Users cannot be declared in MLS modules"); - return -1; - } - /* required users fall through */ - } base_user = hashtab_search(state->base->p_users.table, id); if (base_user == NULL) { @@ -502,9 +485,8 @@ goto cleanup; } user_datum_init(new_user); - /* new_users's roles field will be copied during - fix_user_callback(). the MLS fields are currently - unimplemented */ + /* new_users's roles and MLS fields will be copied during + user_fix_callback(). */ new_user->s.value = state->base->p_users.nprim + 1; 
@@ -592,10 +574,72 @@ return -1; } +static int sens_copy_callback(hashtab_key_t key, hashtab_datum_t datum, + void *data) +{ + char *id = key; + level_datum_t *level, *base_level; + link_state_t *state = (link_state_t *) data; + scope_datum_t *scope; + + level = (level_datum_t *) datum; + + base_level = hashtab_search(state->base->p_levels.table, id); + if (!base_level) { + scope = + hashtab_search(state->cur->policy->p_sens_scope.table, id); + if (!scope) + return -SEPOL_LINK_ERROR; + if (scope->scope == SCOPE_DECL) { + /* disallow declarations in modules */ + ERR(state->handle, + "%s: Modules may not declare new sensitivities.", + state->cur_mod_name); + return -SEPOL_LINK_NOTSUP; + } + } + + state->cur->map[SYM_LEVELS][level->level->sens - 1] = + base_level->level->sens; + + return 0; +} + +static int cat_copy_callback(hashtab_key_t key, hashtab_datum_t datum, + void *data) +{ + char *id = key; + cat_datum_t *cat, *base_cat; + link_state_t *state = (link_state_t *) data; + scope_datum_t *scope; + + cat = (cat_datum_t *) datum; + + base_cat = hashtab_search(state->base->p_cats.table, id); + if (!base_cat) { + scope = + hashtab_search(state->cur->policy->p_cat_scope.table, id); + if (!scope) + return -SEPOL_LINK_ERROR; + if (scope->scope == SCOPE_DECL) { + /* disallow declarations in modules */ + ERR(state->handle, + "%s: Modules may not declare new categories.", + state->cur_mod_name); + return -SEPOL_LINK_NOTSUP; + } + } + + state->cur->map[SYM_CATS][cat->s.value - 1] = base_cat->s.value; + + return 0; +} + static int (*copy_callback_f[SYM_NUM]) (hashtab_key_t key, hashtab_datum_t datum, void *datap) = { NULL, class_copy_callback, role_copy_callback, type_copy_callback, - user_copy_callback, bool_copy_callback, NULL, NULL}; + user_copy_callback, bool_copy_callback, sens_copy_callback, + cat_copy_callback}; /* The aliases have to be copied after the types and attributes to be * certain that the base symbol table will have the type that the 
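Review bot: sens_copy_callback dereferences `base_level` after the `if (!base_level)` block even though that block only returns when the scope lookup fails or the scope is SCOPE_DECL; a sensitivity the module merely requires but the base policy does not define falls through to `base_level->level->sens` with a NULL pointer. cat_copy_callback in the same hunk has the identical gap at `base_cat->s.value`. Closing the block with an explicit failure fixes both, e.g. `ERR(state->handle, "%s: sensitivity %s is required but not declared in base", state->cur_mod_name, id); return -SEPOL_LINK_ERROR;` and the category counterpart. The `if (!scope) return -SEPOL_LINK_ERROR;` branch also fails silently, unlike the SCOPE_DECL branch; an ERR there would make that link failure diagnosable.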
@@ -783,6 +827,43 @@ return -1; } +static int mls_level_convert(mls_semantic_level_t * src, + mls_semantic_level_t * dst, policy_module_t * mod) +{ + mls_semantic_cat_t *src_cat, *new_cat; + + assert(mod->map[SYM_LEVELS][src->sens - 1]); + dst->sens = mod->map[SYM_LEVELS][src->sens - 1]; + + for (src_cat = src->cat; src_cat; src_cat = src_cat->next) { + new_cat = + (mls_semantic_cat_t *) malloc(sizeof(mls_semantic_cat_t)); + if (!new_cat) + return -1; + mls_semantic_cat_init(new_cat); + + new_cat->next = dst->cat; + dst->cat = new_cat; + + assert(mod->map[SYM_CATS][src_cat->low - 1]); + dst->cat->low = mod->map[SYM_CATS][src_cat->low - 1]; + assert(mod->map[SYM_CATS][src_cat->high - 1]); + dst->cat->high = mod->map[SYM_CATS][src_cat->high - 1]; + } + + return 0; +} + +static int mls_range_convert(mls_semantic_range_t * src, + mls_semantic_range_t * dst, policy_module_t * mod) +{ + if (mls_level_convert(&src->level[0], &dst->level[0], mod)) + return -1; + if (mls_level_convert(&src->level[1], &dst->level[1], mod)) + return -1; + return 0; +} + static int role_fix_callback(hashtab_key_t key, hashtab_datum_t datum, void *data) { @@ -893,13 +974,16 @@ user_datum_t *user, *new_user = NULL; link_state_t *state = (link_state_t *) data; policy_module_t *mod = state->cur; + symtab_t *usertab; user = (user_datum_t *) datum; if (state->dest_decl == NULL) - return 0; + usertab = &state->base->p_users; + else + usertab = &state->dest_decl->p_users; - new_user = hashtab_search(state->dest_decl->p_users.table, id); + new_user = hashtab_search(usertab->table, id); assert(new_user != NULL); if (state->verbose) { @@ -910,6 +994,12 @@ goto cleanup; } + if (mls_range_convert(&user->range, &new_user->range, mod)) + goto cleanup; + + if (mls_level_convert(&user->dfltlevel, &new_user->dfltlevel, mod)) + goto cleanup; + return 0; cleanup: 
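Review bot: user_fix_callback (hunk `@@ -910,6 +994,12 @@`) now calls mls_range_convert and mls_level_convert for every user, but mls_level_convert indexes `mod->map[SYM_LEVELS][src->sens - 1]` with no check that `src->sens` is non-zero, so a user from a module that carries no MLS information (where the semantic level is presumably left zeroed) indexes before the start of the map; the libsepol ChangeLog entry for 1.15.2 later on this page records a segfault when linking non-MLS modules with users in them, which looks like this path. Gate the two calls on the base policy's MLS flag, which the old user_copy_callback consulted as `state->base->mls`: `if (state->base->mls) { if (mls_range_convert(&user->range, &new_user->range, mod)) goto cleanup; if (mls_level_convert(&user->dfltlevel, &new_user->dfltlevel, mod)) goto cleanup; }`. The asserts on map entries in mls_level_convert compile out under NDEBUG and then silently store 0, so a runtime check with an ERR would be the safer shape for a library that reads policy files. user_fix_callback's cleanup label lies outside the hunk.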
@@ -1096,6 +1186,55 @@ return -1; } +static int copy_range_trans_list(range_trans_rule_t * rules, + range_trans_rule_t ** dst, + policy_module_t * mod, link_state_t * state) +{ + range_trans_rule_t *rule, *new_rule = NULL; + unsigned int i; + ebitmap_node_t *cnode; + + for (rule = rules; rule; rule = rule->next) { + new_rule = + (range_trans_rule_t *) malloc(sizeof(range_trans_rule_t)); + if (!new_rule) + goto cleanup; + + range_trans_rule_init(new_rule); + + new_rule->next = *dst; + *dst = new_rule; + + if (type_set_convert(&rule->stypes, &new_rule->stypes, + mod, state)) + goto cleanup; + + if (type_set_convert(&rule->ttypes, &new_rule->ttypes, + mod, state)) + goto cleanup; + + ebitmap_for_each_bit(&rule->tclasses, cnode, i) { + if (ebitmap_node_get_bit(cnode, i)) { + assert(mod->map[SYM_CLASSES][i]); + if (ebitmap_set_bit + (&new_rule->tclasses, + mod->map[SYM_CLASSES][i] - 1, 1)) { + goto cleanup; + } + } + } + + if (mls_range_convert(&rule->trange, &new_rule->trange, mod)) + goto cleanup; + } + return 0; + + cleanup: + ERR(state->handle, "Out of memory!"); + range_trans_rule_list_destroy(new_rule); + return -1; +} + static int copy_cond_list(cond_node_t * list, cond_node_t ** dst, policy_module_t * module, link_state_t * state) { @@ -1278,6 +1417,10 @@ return -1; } + if (copy_range_trans_list(src_decl->range_tr_rules, + &dest_decl->range_tr_rules, module, state)) + return -1; + /* finally copy any identifiers local to this declaration */ ret = copy_identifiers(state, src_decl->symtab, dest_decl); if (ret < 0) { Modified: trunk/libsepol/src/policydb.c =================================================================== --- trunk/libsepol/src/policydb.c 2006-09-18 19:13:13 UTC (rev 2032) +++ trunk/libsepol/src/policydb.c 2006-09-28 12:11:42 UTC (rev 2033) 
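Review bot: The cleanup label in copy_range_trans_list destroys `new_rule` after it has already been pushed onto the head of `*dst`, so if range_trans_rule_list_destroy walks `next` as its name suggests, a failure in type_set_convert, ebitmap_set_bit or mls_range_convert frees every rule copied so far plus whatever `*dst` held on entry, while `*dst` keeps pointing at the freed head; the caller at `@@ -1278,6 +1417,10 @@` then returns -1 with `dest_decl->range_tr_rules` dangling. The message is also "Out of memory!" for every failure, although the bitmap and conversion failures need not be one. Unlink the partial rule before destroying it and leave the rest of the list to its owner's normal teardown.
```c
      cleanup:
	ERR(state->handle, "Out of memory!");
	if (new_rule) {
		/* new_rule is already the head of *dst: unlink it so the
		 * list the caller owns stays valid, then free only it */
		*dst = new_rule->next;
		new_rule->next = NULL;
		range_trans_rule_list_destroy(new_rule);
	}
	return -1;
```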
@@ -252,6 +252,29 @@ } } +void level_datum_init(level_datum_t * x) +{ + memset(x, 0, sizeof(level_datum_t)); +} + +void level_datum_destroy(level_datum_t * x __attribute__ ((unused))) +{ + /* the mls_level_t referenced by the level_datum is managed + * separately for now, so there is nothing to destroy */ + return; +} + +void cat_datum_init(cat_datum_t * x) +{ + memset(x, 0, sizeof(cat_datum_t)); +} + +void cat_datum_destroy(cat_datum_t * x __attribute__ ((unused))) +{ + /* it's currently a simple struct - really nothing to destroy */ + return; +} + void class_perm_node_init(class_perm_node_t * x) { memset(x, 0, sizeof(class_perm_node_t)); @@ -502,7 +525,11 @@ return -1; } - if (p->policy_type != POLICY_KERN) { + /* we do not expand user's MLS info in kernel policies because the + * semantic representation is not present and we do not expand user's + * MLS info in module policies because all of the necessary mls + * information is not present */ + if (p->policy_type != POLICY_KERN && p->policy_type != POLICY_MOD) { mls_range_destroy(&user->exp_range); if (mls_semantic_range_expand(&user->range, &user->exp_range, p, NULL)) { @@ -907,9 +934,10 @@ if (key) free(key); levdatum = (level_datum_t *) datum; - ebitmap_destroy(&levdatum->level->cat); + mls_level_destroy(levdatum->level); free(levdatum->level); - free(datum); + level_datum_destroy(levdatum); + free(levdatum); return 0; } @@ -918,6 +946,7 @@ { if (key) free(key); + cat_datum_destroy((cat_datum_t *) datum); free(datum); return 0; } @@ -2199,7 +2228,7 @@ { uint32_t *buf; - memset(lp, 0, sizeof(mls_level_t)); + mls_level_init(lp); buf = next_entry(fp, sizeof(uint32_t)); if (!buf) { @@ -2305,9 +2334,10 @@ level_datum_t *levdatum; uint32_t *buf, len; - levdatum = calloc(1, sizeof(level_datum_t)); + levdatum = malloc(sizeof(level_datum_t)); if (!levdatum) return -1; + level_datum_init(levdatum); buf = next_entry(fp, (sizeof(uint32_t) * 2)); if (!buf) 
@@ -2347,9 +2377,10 @@ cat_datum_t *catdatum; uint32_t *buf, len; - catdatum = calloc(1, sizeof(cat_datum_t)); + catdatum = malloc(sizeof(cat_datum_t)); if (!catdatum) return -1; + cat_datum_init(catdatum); buf = next_entry(fp, (sizeof(uint32_t) * 3)); if (!buf) This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
From: <mad...@us...> - 2006-09-28 12:14:42
Revision: 2034 http://svn.sourceforge.net/selinux/?rev=2034&view=rev Author: madmethod Date: 2006-09-28 05:14:22 -0700 (Thu, 28 Sep 2006) Log Message: ----------- version bumps and changelog additions Modified Paths: -------------- trunk/checkpolicy/ChangeLog trunk/checkpolicy/VERSION trunk/libsepol/ChangeLog trunk/libsepol/VERSION Modified: trunk/checkpolicy/ChangeLog =================================================================== --- trunk/checkpolicy/ChangeLog 2006-09-28 12:11:42 UTC (rev 2033) +++ trunk/checkpolicy/ChangeLog 2006-09-28 12:14:22 UTC (rev 2034) @@ -1,3 +1,7 @@ +1.30.12 2006-09-28 + * Merged user and range_transition support for modules from + Darrel Goeddel + 1.30.11 2006-09-05 * merged range_transition enhancements and user module format changes from Darrel Goeddel Modified: trunk/checkpolicy/VERSION =================================================================== --- trunk/checkpolicy/VERSION 2006-09-28 12:11:42 UTC (rev 2033) +++ trunk/checkpolicy/VERSION 2006-09-28 12:14:22 UTC (rev 2034) @@ -1 +1 @@ -1.30.11 +1.30.12 Modified: trunk/libsepol/ChangeLog =================================================================== --- trunk/libsepol/ChangeLog 2006-09-28 12:11:42 UTC (rev 2033) +++ trunk/libsepol/ChangeLog 2006-09-28 12:14:22 UTC (rev 2034) @@ -1,3 +1,7 @@ +1.12.27 2006-09-28 + * Merged mls user and range_transition support in modules + from Darrel Goeddel + 1.12.26 2006-09-05 * Merged range transition enhancements and user format changes Darrel Goeddel Modified: trunk/libsepol/VERSION =================================================================== --- trunk/libsepol/VERSION 2006-09-28 12:11:42 UTC (rev 2033) +++ trunk/libsepol/VERSION 2006-09-28 12:14:22 UTC (rev 2034) @@ -1 +1 @@ -1.12.26 +1.12.27 This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
From: <ssm...@us...> - 2006-09-29 15:35:01
Revision: 2045 http://svn.sourceforge.net/selinux/?rev=2045&view=rev Author: ssmalley Date: 2006-09-29 08:34:57 -0700 (Fri, 29 Sep 2006) Log Message: ----------- make indent Modified Paths: -------------- trunk/libselinux/src/setrans_client.c trunk/policycoreutils/newrole/newrole.c Modified: trunk/libselinux/src/setrans_client.c =================================================================== --- trunk/libselinux/src/setrans_client.c 2006-09-29 15:33:28 UTC (rev 2044) +++ trunk/libselinux/src/setrans_client.c 2006-09-29 15:34:57 UTC (rev 2045) @@ -88,13 +88,14 @@ iov[4].iov_len = data2_size; memset(&msgh, 0, sizeof(msgh)); msgh.msg_iov = iov; - msgh.msg_iovlen = sizeof(iov)/sizeof(iov[0]); + msgh.msg_iovlen = sizeof(iov) / sizeof(iov[0]); expected = 0; - for (i = 0; i < sizeof(iov)/sizeof(iov[0]); i++) + for (i = 0; i < sizeof(iov) / sizeof(iov[0]); i++) expected += iov[i].iov_len; - while (((count = sendmsg(fd, &msgh, MSG_NOSIGNAL)) < 0) && (errno == EINTR)) ; + while (((count = sendmsg(fd, &msgh, MSG_NOSIGNAL)) < 0) + && (errno == EINTR)) ; if (count < 0 || count != expected) return -1; Modified: trunk/policycoreutils/newrole/newrole.c =================================================================== --- trunk/policycoreutils/newrole/newrole.c 2006-09-29 15:33:28 UTC (rev 2044) +++ trunk/policycoreutils/newrole/newrole.c 2006-09-29 15:34:57 UTC (rev 2045) 
@@ -411,31 +411,33 @@ return -1; } if (asprintf(&msg, "newrole: old-context=%s new-context=%s", - old_context ? old_context : "?", - new_context ? new_context : "?") < 0) { + old_context ? old_context : "?", + new_context ? new_context : "?") < 0) { fprintf(stderr, _("Error allocating memory.\n")); rc = -1; goto out; } rc = audit_log_user_message(audit_fd, AUDIT_USER_ROLE_CHANGE, - msg, NULL, NULL, ttyn, success); + msg, NULL, NULL, ttyn, success); if (rc <= 0) { fprintf(stderr, _("Error sending audit message.\n")); rc = -1; goto out; } rc = 0; -out: + out: free(msg); close(audit_fd); return rc; } #else static inline -int send_audit_message(int success __attribute__((unused)), - security_context_t old_context __attribute__((unused)), - security_context_t new_context __attribute__((unused)), - const char *ttyn __attribute__((unused))) + int send_audit_message(int success __attribute__ ((unused)), + security_context_t old_context + __attribute__ ((unused)), + security_context_t new_context + __attribute__ ((unused)), const char *ttyn + __attribute__ ((unused))) { return 0; } This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
From: <ssm...@us...> - 2006-09-29 15:37:52
Revision: 2046 http://svn.sourceforge.net/selinux/?rev=2046&view=rev Author: ssmalley Date: 2006-09-29 08:37:44 -0700 (Fri, 29 Sep 2006) Log Message: ----------- Bump versions Modified Paths: -------------- trunk/libselinux/ChangeLog trunk/libselinux/VERSION trunk/libsemanage/ChangeLog trunk/libsemanage/VERSION trunk/policycoreutils/ChangeLog trunk/policycoreutils/VERSION Modified: trunk/libselinux/ChangeLog =================================================================== --- trunk/libselinux/ChangeLog 2006-09-29 15:34:57 UTC (rev 2045) +++ trunk/libselinux/ChangeLog 2006-09-29 15:37:44 UTC (rev 2046) @@ -1,3 +1,4 @@ +1.30.29 2006-09-29 * Merged av_permissions.h update from Steve Grubb, adding setsockcreate and polmatch definitions. Modified: trunk/libselinux/VERSION =================================================================== --- trunk/libselinux/VERSION 2006-09-29 15:34:57 UTC (rev 2045) +++ trunk/libselinux/VERSION 2006-09-29 15:37:44 UTC (rev 2046) @@ -1 +1 @@ -1.30.28 +1.30.29 Modified: trunk/libsemanage/ChangeLog =================================================================== --- trunk/libsemanage/ChangeLog 2006-09-29 15:34:57 UTC (rev 2045) +++ trunk/libsemanage/ChangeLog 2006-09-29 15:37:44 UTC (rev 2046) @@ -1,3 +1,4 @@ +1.6.17 2006-09-29 * Merged patch to skip reload if no active store exists and the store path doesn't match the active store path from Dan Walsh. * Merged patch to not destroy sepol handle on error path of Modified: trunk/libsemanage/VERSION =================================================================== --- trunk/libsemanage/VERSION 2006-09-29 15:34:57 UTC (rev 2045) +++ trunk/libsemanage/VERSION 2006-09-29 15:37:44 UTC (rev 2046) @@ -1 +1 @@ -1.6.16 +1.6.17 Modified: trunk/policycoreutils/ChangeLog =================================================================== --- trunk/policycoreutils/ChangeLog 2006-09-29 15:34:57 UTC (rev 2045) +++ trunk/policycoreutils/ChangeLog 2006-09-29 15:37:44 UTC (rev 2046) 
@@ -1,3 +1,4 @@ +1.30.30 2006-09-29 * Merged newrole auditing of failures due to user actions from Michael Thompson. Modified: trunk/policycoreutils/VERSION =================================================================== --- trunk/policycoreutils/VERSION 2006-09-29 15:34:57 UTC (rev 2045) +++ trunk/policycoreutils/VERSION 2006-09-29 15:37:44 UTC (rev 2046) @@ -1 +1 @@ -1.30.29 +1.30.30 This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
From: <ssm...@us...> - 2006-10-17 15:59:49
Revision: 2060 http://svn.sourceforge.net/selinux/?rev=2060&view=rev Author: ssmalley Date: 2006-10-17 08:59:33 -0700 (Tue, 17 Oct 2006) Log Message: ----------- Bump versions to next even for stable release. Modified Paths: -------------- trunk/checkpolicy/ChangeLog trunk/checkpolicy/VERSION trunk/libselinux/ChangeLog trunk/libselinux/VERSION trunk/libsemanage/ChangeLog trunk/libsemanage/VERSION trunk/libsepol/ChangeLog trunk/libsepol/VERSION trunk/policycoreutils/ChangeLog trunk/policycoreutils/VERSION Modified: trunk/checkpolicy/ChangeLog =================================================================== --- trunk/checkpolicy/ChangeLog 2006-10-17 15:44:41 UTC (rev 2059) +++ trunk/checkpolicy/ChangeLog 2006-10-17 15:59:33 UTC (rev 2060) @@ -1,3 +1,6 @@ +1.32 2006-10-17 + * Updated version for release. + 1.30.12 2006-09-28 * Merged user and range_transition support for modules from Darrel Goeddel Modified: trunk/checkpolicy/VERSION =================================================================== --- trunk/checkpolicy/VERSION 2006-10-17 15:44:41 UTC (rev 2059) +++ trunk/checkpolicy/VERSION 2006-10-17 15:59:33 UTC (rev 2060) @@ -1 +1 @@ -1.30.12 +1.32 Modified: trunk/libselinux/ChangeLog =================================================================== --- trunk/libselinux/ChangeLog 2006-10-17 15:44:41 UTC (rev 2059) +++ trunk/libselinux/ChangeLog 2006-10-17 15:59:33 UTC (rev 2060) @@ -1,3 +1,6 @@ +1.32 2006-10-17 + * Updated version for release. + 1.30.30 2006-10-05 * Merged patch from Darrel Goeddel to always use untranslated contexts in the userspace AVC. Modified: trunk/libselinux/VERSION =================================================================== --- trunk/libselinux/VERSION 2006-10-17 15:44:41 UTC (rev 2059) +++ trunk/libselinux/VERSION 2006-10-17 15:59:33 UTC (rev 2060) 
@@ -1 +1 @@ -1.30.30 +1.32 Modified: trunk/libsemanage/ChangeLog =================================================================== --- trunk/libsemanage/ChangeLog 2006-10-17 15:44:41 UTC (rev 2059) +++ trunk/libsemanage/ChangeLog 2006-10-17 15:59:33 UTC (rev 2060) @@ -1,3 +1,6 @@ +1.8 2006-10-17 + * Updated version for release. + 1.6.17 2006-09-29 * Merged patch to skip reload if no active store exists and the store path doesn't match the active store path from Dan Walsh. Modified: trunk/libsemanage/VERSION =================================================================== --- trunk/libsemanage/VERSION 2006-10-17 15:44:41 UTC (rev 2059) +++ trunk/libsemanage/VERSION 2006-10-17 15:59:33 UTC (rev 2060) @@ -1 +1 @@ -1.6.17 +1.8 Modified: trunk/libsepol/ChangeLog =================================================================== --- trunk/libsepol/ChangeLog 2006-10-17 15:44:41 UTC (rev 2059) +++ trunk/libsepol/ChangeLog 2006-10-17 15:59:33 UTC (rev 2060) @@ -1,3 +1,6 @@ +1.14 2006-10-17 + * Updated version for release. + 1.12.28 2006-09-28 * Build libsepol's static object files with -fpic Modified: trunk/libsepol/VERSION =================================================================== --- trunk/libsepol/VERSION 2006-10-17 15:44:41 UTC (rev 2059) +++ trunk/libsepol/VERSION 2006-10-17 15:59:33 UTC (rev 2060) @@ -1 +1 @@ -1.12.28 +1.14 Modified: trunk/policycoreutils/ChangeLog =================================================================== --- trunk/policycoreutils/ChangeLog 2006-10-17 15:44:41 UTC (rev 2059) +++ trunk/policycoreutils/ChangeLog 2006-10-17 15:59:33 UTC (rev 2060) 
@@ -1,3 +1,6 @@
+1.32 2006-10-17
+ * Updated version for release.
+
 1.30.31 2006-10-17
 * Merged audit2allow -l fix from Yuichi Nakamura.
 * Merged restorecon -i and -o - support from Karl MacMillan.
Modified: trunk/policycoreutils/VERSION
===================================================================
--- trunk/policycoreutils/VERSION 2006-10-17 15:44:41 UTC (rev 2059)
+++ trunk/policycoreutils/VERSION 2006-10-17 15:59:33 UTC (rev 2060)
@@ -1 +1 @@
-1.30.31
+1.32
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
From: <kma...@us...> - 2006-11-27 19:04:35
Revision: 2101 http://svn.sourceforge.net/selinux/?rev=2101&view=rev Author: kmacmillan Date: 2006-11-27 11:04:31 -0800 (Mon, 27 Nov 2006) Log Message: ----------- Author: Manoj Srivastava Email: man...@st... Subject: Compiling libsepol with -fPIC instead of -fpic Date: Wed, 15 Nov 2006 00:45:25 -0600 Hi, I've had reports of packages failing to compile on SPARC hardware when linked with libsepol1 which was compiled with -fpic. We seem to be hitting the global offset table size limit; ,----[ GCC manual ] | `-fpic' | Generate position-independent code (PIC) suitable for use in a | shared library, if supported for the target machine. Such code | accesses all constant addresses through a global offset table | (GOT). The dynamic loader resolves the GOT entries when the | program starts (the dynamic loader is not part of GCC; it is part | of the operating system). If the GOT size for the linked | executable exceeds a machine-specific maximum size, you get an | error message from the linker indicating that `-fpic' does not | work; in that case, recompile with `-fPIC' instead. (These | maximums are 8k on the SPARC and 32k on the m68k and RS/6000. The | 386 has no such limit.) `---- Simply recompiling with -fPIC corrects the problem. manoj Acked-by: Stephen Smalley <sd...@ty...> Acked-by: Karl MacMillan <kma...@me...> Modified Paths: -------------- trunk/libselinux/ChangeLog trunk/libselinux/src/Makefile trunk/libsemanage/ChangeLog trunk/libsemanage/src/Makefile trunk/libsepol/ChangeLog trunk/libsepol/src/Makefile Modified: trunk/libselinux/ChangeLog =================================================================== --- trunk/libselinux/ChangeLog 2006-11-21 21:20:44 UTC (rev 2100) +++ trunk/libselinux/ChangeLog 2006-11-27 19:04:31 UTC (rev 2101) 
@@ -1,3 +1,8 @@ +1.33.2 2006-11-27 + * Merged patch to compile wit -fPIC instead of -fpic from + Manoj Srivastava to prevent hitting the global offest table + limit. Patch changed to include libselinux and libsemanage in + addition to libselinux. 1.33.1 2006-10-19 * Merged updated flask definitions from Darrel Goeddel. This adds the context security class, and also adds Modified: trunk/libselinux/src/Makefile =================================================================== --- trunk/libselinux/src/Makefile 2006-11-21 21:20:44 UTC (rev 2100) +++ trunk/libselinux/src/Makefile 2006-11-27 19:04:31 UTC (rev 2101) @@ -42,7 +42,7 @@ $(RANLIB) $@ $(SWIGLOBJ): $(SWIGCOUT) - $(CC) $(CFLAGS) -I$(PYINC) -fpic -DSHARED -c -o $@ $< + $(CC) $(CFLAGS) -I$(PYINC) -fPIC -DSHARED -c -o $@ $< $(SWIGSO): $(SWIGLOBJ) $(CC) $(LDFLAGS) -shared -o $@ $< -L. -lselinux -L$(LIBDIR) -Wl,-soname,$@ @@ -55,7 +55,7 @@ $(CC) $(CFLAGS) $(TLSFLAGS) -c -o $@ $< %.lo: %.c policy.h - $(CC) $(CFLAGS) -fpic -DSHARED -c -o $@ $< + $(CC) $(CFLAGS) -fPIC -DSHARED -c -o $@ $< $(SWIGCOUT): $(SWIGIF) $(SWIG) $^ Modified: trunk/libsemanage/ChangeLog =================================================================== --- trunk/libsemanage/ChangeLog 2006-11-21 21:20:44 UTC (rev 2100) +++ trunk/libsemanage/ChangeLog 2006-11-27 19:04:31 UTC (rev 2101) @@ -1,3 +1,8 @@ +1.8.1 2006-11-27 + * Merged patch to compile wit -fPIC instead of -fpic from + Manoj Srivastava to prevent hitting the global offest table + limit. Patch changed to include libselinux and libsemanage in + addition to libselinux. 1.8 2006-10-17 * Updated version for release. Modified: trunk/libsemanage/src/Makefile =================================================================== --- trunk/libsemanage/src/Makefile 2006-11-21 21:20:44 UTC (rev 2100) +++ trunk/libsemanage/src/Makefile 2006-11-27 19:04:31 UTC (rev 2101) 
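Review bot: `-fPIC` is now a bare literal inside both recipes of this file (`$(SWIGLOBJ)` and `%.lo`) and the same literal recurs in the libsemanage and libsepol src/Makefile hunks on this page, five recipes across three files that all had to be edited together for this one flag change; a single knob per Makefile, `PICFLAGS := -fPIC` near the top and `$(CC) $(CFLAGS) $(PICFLAGS) -DSHARED -c -o $@ $<` in the recipes, would make the next such change a one-line edit and let a packager override it from the command line. The ChangeLog entries in the same commit read "compile wit -fPIC", "global offest table" and "include libselinux and libsemanage in addition to libselinux", where the last presumably means libsepol; worth correcting while the commit is fresh. Note also that in the libsepol hunk the `%.o: %.c` rule feeding the static archive gets `-fPIC` too, which matches the 1.12.28 ChangeLog entry on this page and is intended rather than a slip.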
@@ -44,7 +44,7 @@ pywrap: all $(SWIGLOBJ) $(SWIGSO) $(SWIGLOBJ): $(SWIGCOUT) - $(CC) $(CFLAGS) -I$(PYINC) -fpic -DSHARED -c -o $@ $< + $(CC) $(CFLAGS) -I$(PYINC) -fPIC -DSHARED -c -o $@ $< $(SWIGSO): $(SWIGLOBJ) $(CC) $(LDFLAGS) -shared -o $@ $< -L. -lsemanage -l$(PYLIBVER) -L$(LIBDIR) -Wl,-soname,$@,-z,defs @@ -69,7 +69,7 @@ $(CC) $(CFLAGS) -c -o $@ $< %.lo: %.c - $(CC) $(CFLAGS) -fpic -DSHARED -c -o $@ $< + $(CC) $(CFLAGS) -fPIC -DSHARED -c -o $@ $< $(SWIGCOUT): $(SWIGIF) $(SWIG) $^ Modified: trunk/libsepol/ChangeLog =================================================================== --- trunk/libsepol/ChangeLog 2006-11-21 21:20:44 UTC (rev 2100) +++ trunk/libsepol/ChangeLog 2006-11-27 19:04:31 UTC (rev 2101) @@ -1,3 +1,8 @@ +1.15.3 2006-11-27 + * Merged patch to compile wit -fPIC instead of -fpic from + Manoj Srivastava to prevent hitting the global offest table + limit. Patch changed to include libselinux and libsemanage in + addition to libselinux. 1.15.2 2006-10-31 * Merged fix from Karl MacMillan for a segfault when linking non-MLS modules with users in them. Modified: trunk/libsepol/src/Makefile =================================================================== --- trunk/libsepol/src/Makefile 2006-11-21 21:20:44 UTC (rev 2100) +++ trunk/libsepol/src/Makefile 2006-11-27 19:04:31 UTC (rev 2101) @@ -24,10 +24,10 @@ ln -sf $@ $(TARGET) %.o: %.c - $(CC) $(CFLAGS) -fpic -c -o $@ $< + $(CC) $(CFLAGS) -fPIC -c -o $@ $< %.lo: %.c - $(CC) $(CFLAGS) -fpic -DSHARED -c -o $@ $< + $(CC) $(CFLAGS) -fPIC -DSHARED -c -o $@ $< install: all test -d $(LIBDIR) || install -m 755 -d $(LIBDIR) This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
From: <kma...@us...> - 2006-11-27 19:08:35
Revision: 2102 http://svn.sourceforge.net/selinux/?rev=2102&view=rev Author: kmacmillan Date: 2006-11-27 11:08:33 -0800 (Mon, 27 Nov 2006) Log Message: ----------- libsepol 1.15.3 libsemanage 1.8.1 libselinux 1.33.2 Modified Paths: -------------- trunk/libselinux/VERSION trunk/libsemanage/VERSION trunk/libsepol/VERSION
Modified: trunk/libselinux/VERSION
===================================================================
--- trunk/libselinux/VERSION 2006-11-27 19:04:31 UTC (rev 2101)
+++ trunk/libselinux/VERSION 2006-11-27 19:08:33 UTC (rev 2102)
@@ -1 +1 @@
-1.33.1
+1.33.2
Modified: trunk/libsemanage/VERSION
===================================================================
--- trunk/libsemanage/VERSION 2006-11-27 19:04:31 UTC (rev 2101)
+++ trunk/libsemanage/VERSION 2006-11-27 19:08:33 UTC (rev 2102)
@@ -1 +1 @@
-1.8
+1.8.1
Modified: trunk/libsepol/VERSION
===================================================================
--- trunk/libsepol/VERSION 2006-11-27 19:04:31 UTC (rev 2101)
+++ trunk/libsepol/VERSION 2006-11-27 19:08:33 UTC (rev 2102)
@@ -1 +1 @@
-1.15.2
+1.15.3
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
From: <ssm...@us...> - 2007-01-17 16:11:54
Revision: 2186 http://svn.sourceforge.net/selinux/?rev=2186&view=rev Author: ssmalley Date: 2007-01-17 07:59:39 -0800 (Wed, 17 Jan 2007) Log Message: ----------- Author: Daniel J Walsh Email: dw...@re... Subject: Patch to make man -k selinux return all man pages. Date: Tue, 16 Jan 2007 17:35:20 -0500 Modified Paths: -------------- trunk/libselinux/ChangeLog trunk/libselinux/VERSION trunk/libselinux/man/man3/avc_add_callback.3 trunk/libselinux/man/man3/avc_cache_stats.3 trunk/libselinux/man/man3/avc_context_to_sid.3 trunk/libselinux/man/man3/avc_has_perm.3 trunk/libselinux/man/man3/avc_init.3 trunk/libselinux/man/man3/context_new.3 trunk/libselinux/man/man3/freecon.3 trunk/libselinux/man/man3/get_ordered_context_list.3 trunk/libselinux/man/man3/getcon.3 trunk/libselinux/man/man3/getexeccon.3 trunk/libselinux/man/man3/getfilecon.3 trunk/libselinux/man/man3/getfscreatecon.3 trunk/libselinux/man/man3/getseuserbyname.3 trunk/libselinux/man/man3/is_context_customizable.3 trunk/libselinux/man/man3/is_selinux_enabled.3 trunk/libselinux/man/man3/matchmediacon.3 trunk/libselinux/man/man3/matchpathcon.3 trunk/libselinux/man/man3/security_check_context.3 trunk/libselinux/man/man3/security_compute_av.3 trunk/libselinux/man/man3/security_getenforce.3 trunk/libselinux/man/man3/security_load_booleans.3 trunk/libselinux/man/man3/security_load_policy.3 trunk/libselinux/man/man3/security_policyvers.3 trunk/libselinux/man/man3/selinux_binary_policy_path.3 trunk/libselinux/man/man3/selinux_check_securetty_context.3 trunk/libselinux/man/man3/selinux_getenforcemode.3 trunk/libselinux/man/man3/selinux_policy_root.3 trunk/libselinux/man/man3/setfilecon.3 trunk/libselinux/man/man8/avcstat.8 trunk/libselinux/man/man8/getenforce.8 trunk/libselinux/man/man8/getsebool.8 trunk/libselinux/man/man8/matchpathcon.8 trunk/libselinux/man/man8/selinuxenabled.8 trunk/libselinux/man/man8/setenforce.8 trunk/libselinux/man/man8/togglesebool.8 trunk/policycoreutils/ChangeLog trunk/policycoreutils/VERSION 
trunk/policycoreutils/audit2allow/audit2allow.1 trunk/policycoreutils/load_policy/load_policy.8 trunk/policycoreutils/newrole/newrole.1 trunk/policycoreutils/restorecon/restorecon.8 trunk/policycoreutils/restorecond/restorecond.8 trunk/policycoreutils/run_init/run_init.8 trunk/policycoreutils/scripts/chcat.8 trunk/policycoreutils/scripts/fixfiles.8 trunk/policycoreutils/scripts/genhomedircon.8 trunk/policycoreutils/secon/secon.1 trunk/policycoreutils/semodule_deps/semodule_deps.8 trunk/policycoreutils/setfiles/setfiles.8 Modified: trunk/libselinux/ChangeLog =================================================================== --- trunk/libselinux/ChangeLog 2007-01-17 15:54:23 UTC (rev 2185) +++ trunk/libselinux/ChangeLog 2007-01-17 15:59:39 UTC (rev 2186) @@ -1,3 +1,6 @@ +1.33.6 2006-01-17 + * Merged man page updates to make "apropos selinux" work from Dan Walsh. + 1.33.5 2006-01-16 * Merged getdefaultcon utility from Dan Walsh. Modified: trunk/libselinux/VERSION =================================================================== --- trunk/libselinux/VERSION 2007-01-17 15:54:23 UTC (rev 2185) +++ trunk/libselinux/VERSION 2007-01-17 15:59:39 UTC (rev 2186) @@ -1 +1 @@ -1.33.5 +1.33.6 Modified: trunk/libselinux/man/man3/avc_add_callback.3 =================================================================== --- trunk/libselinux/man/man3/avc_add_callback.3 2007-01-17 15:54:23 UTC (rev 2185) +++ trunk/libselinux/man/man3/avc_add_callback.3 2007-01-17 15:59:39 UTC (rev 2186) @@ -3,7 +3,7 @@ .\" Author: Eamon Walsh (ew...@ep...) 2004 .TH "avc_add_callback" "3" "9 June 2004" "" "SE Linux API documentation" .SH "NAME" -avc_add_callback \- additional event notification for userspace object managers. +avc_add_callback \- additional event notification for SELinux userspace object managers. .SH "SYNOPSIS" .B #include <selinux/selinux.h> .br 
@@ -181,3 +181,4 @@
 .BR avc_context_to_sid (3),
 .BR avc_cache_stats (3),
 .BR security_compute_av (3)
+.BR selinux (8)
Modified: trunk/libselinux/man/man3/avc_cache_stats.3
===================================================================
--- trunk/libselinux/man/man3/avc_cache_stats.3 2007-01-17 15:54:23 UTC (rev 2185)
+++ trunk/libselinux/man/man3/avc_cache_stats.3 2007-01-17 15:59:39 UTC (rev 2186)
@@ -3,7 +3,7 @@
 .\" Author: Eamon Walsh (ew...@ep...) 2004
 .TH "avc_cache_stats" "3" "27 May 2004" "" "SE Linux API documentation"
 .SH "NAME"
-avc_cache_stats, avc_av_stats, avc_sid_stats \- obtain userspace AVC statistics.
+avc_cache_stats, avc_av_stats, avc_sid_stats \- obtain userspace SELinux AVC statistics.
 .SH "SYNOPSIS"
 .B #include <selinux/selinux.h>
 .br
@@ -96,3 +96,4 @@
 .BR avc_has_perm (3),
 .BR avc_context_to_sid (3),
 .BR avc_add_callback (3)
+.BR selinux (8)
Modified: trunk/libselinux/man/man3/avc_context_to_sid.3
===================================================================
--- trunk/libselinux/man/man3/avc_context_to_sid.3 2007-01-17 15:54:23 UTC (rev 2185)
+++ trunk/libselinux/man/man3/avc_context_to_sid.3 2007-01-17 15:59:39 UTC (rev 2186)
@@ -3,7 +3,7 @@
 .\" Author: Eamon Walsh (ew...@ep...) 2004
 .TH "avc_context_to_sid" "3" "27 May 2004" "" "SE Linux API documentation"
 .SH "NAME"
-avc_context_to_sid, avc_sid_to_context, sidput, sidget \- obtain and manipulate security ID's.
+avc_context_to_sid, avc_sid_to_context, sidput, sidget \- obtain and manipulate SELinux security ID's.
 .SH "SYNOPSIS"
 .B #include <selinux/selinux.h>
 .br
@@ -88,3 +88,4 @@
 .BR avc_add_callback (3),
 .BR getcon (3),
 .BR freecon (3)
+.BR selinux (8)
Modified: trunk/libselinux/man/man3/avc_has_perm.3
===================================================================
--- trunk/libselinux/man/man3/avc_has_perm.3 2007-01-17 15:54:23 UTC (rev 2185)
+++ trunk/libselinux/man/man3/avc_has_perm.3 2007-01-17 15:59:39 UTC (rev 2186)
@@ -152,3 +152,4 @@ .BR avc_cache_stats (3), .BR avc_add_callback (3), .BR security_compute_av (3) +.BR selinux(8) Modified: trunk/libselinux/man/man3/avc_init.3 =================================================================== --- trunk/libselinux/man/man3/avc_init.3 2007-01-17 15:54:23 UTC (rev 2185) +++ trunk/libselinux/man/man3/avc_init.3 2007-01-17 15:59:39 UTC (rev 2186) @@ -3,7 +3,7 @@ .\" Author: Eamon Walsh (ew...@ep...) 2004 .TH "avc_init" "3" "27 May 2004" "" "SE Linux API documentation" .SH "NAME" -avc_init, avc_destroy, avc_reset, avc_cleanup \- userspace AVC setup and teardown. +avc_init, avc_destroy, avc_reset, avc_cleanup \- userspace SELinux AVC setup and teardown. .SH "SYNOPSIS" .B #include <selinux/selinux.h> .br @@ -209,3 +209,5 @@ .BR avc_cache_stats (3), .BR avc_add_callback (3), .BR security_compute_av (3) +.BR selinux (8) + Modified: trunk/libselinux/man/man3/context_new.3 =================================================================== --- trunk/libselinux/man/man3/context_new.3 2007-01-17 15:54:23 UTC (rev 2185) +++ trunk/libselinux/man/man3/context_new.3 2007-01-17 15:59:39 UTC (rev 2186) @@ -56,3 +56,6 @@ On success, zero is returned. On failure, -1 is returned and errno is set appropriately. +.SH "SEE ALSO" +.BR selinux "(8)" + Modified: trunk/libselinux/man/man3/freecon.3 =================================================================== --- trunk/libselinux/man/man3/freecon.3 2007-01-17 15:54:23 UTC (rev 2185) +++ trunk/libselinux/man/man3/freecon.3 2007-01-17 15:59:39 UTC (rev 2186) @@ -1,6 +1,6 @@ .TH "freecon" "3" "1 January 2004" "ru...@co..." "SE Linux API documentation" .SH "NAME" -freecon, freeconary \- free memory associated with SE Linux security contexts. +freecon, freeconary \- free memory associated with SELinux security contexts. .SH "SYNOPSIS" .B #include <selinux/selinux.h> .sp 
@@ -14,3 +14,7 @@ .B freeconary frees the memory allocated for a context array. + +.SH "SEE ALSO" +.BR selinux "(8)" + Modified: trunk/libselinux/man/man3/get_ordered_context_list.3 =================================================================== --- trunk/libselinux/man/man3/get_ordered_context_list.3 2007-01-17 15:54:23 UTC (rev 2185) +++ trunk/libselinux/man/man3/get_ordered_context_list.3 2007-01-17 15:59:39 UTC (rev 2186) @@ -1,6 +1,6 @@ .TH "get_ordered_context_list" "3" "1 January 2004" "ru...@co..." "SE Linux" .SH "NAME" -get_ordered_context_list, get_ordered_context_list_with_level, get_default_context, get_default_context_with_level, get_default_context_with_role, get_default_context_with_rolelevel, query_user_context, manual_user_enter_context, get_default_role \- determine context(s) for user sessions +get_ordered_context_list, get_ordered_context_list_with_level, get_default_context, get_default_context_with_level, get_default_context_with_role, get_default_context_with_rolelevel, query_user_context, manual_user_enter_context, get_default_role \- determine SELinux context(s) for user sessions .SH "SYNOPSIS" .B #include <selinux/selinux.h> @@ -77,4 +77,4 @@ The other functions return 0 for success or -1 for errors. .SH "SEE ALSO" -.BR freeconary "(3), " freecon "(3), " security_compute_av "(3)", getseuserbyname"(3)" +.BR selinux "(8), " freeconary "(3), " freecon "(3), " security_compute_av "(3)", getseuserbyname"(3)" Modified: trunk/libselinux/man/man3/getcon.3 =================================================================== --- trunk/libselinux/man/man3/getcon.3 2007-01-17 15:54:23 UTC (rev 2185) +++ trunk/libselinux/man/man3/getcon.3 2007-01-17 15:59:39 UTC (rev 2186) 
@@ -1,6 +1,6 @@ .TH "getcon" "3" "1 January 2004" "ru...@co..." "SE Linux API documentation" .SH "NAME" -getcon, getprevcon, getpidcon \- get SE Linux security context of a process. +getcon, getprevcon, getpidcon \- get SELinux security context of a process. .br getpeercon - get security context of a peer socket. .br @@ -59,4 +59,4 @@ On error -1 is returned. On success 0 is returned. .SH "SEE ALSO" -.BR freecon "(3), " setexeccon "(3)" +.BR selinux "(8), " freecon "(3), " setexeccon "(3)" Modified: trunk/libselinux/man/man3/getexeccon.3 =================================================================== --- trunk/libselinux/man/man3/getexeccon.3 2007-01-17 15:54:23 UTC (rev 2185) +++ trunk/libselinux/man/man3/getexeccon.3 2007-01-17 15:59:39 UTC (rev 2186) @@ -1,6 +1,6 @@ .TH "getexeccon" "3" "1 January 2004" "ru...@co..." "SE Linux API documentation" .SH "NAME" -getexeccon, setexeccon \- get or set the SE Linux security context used for executing a new process. +getexeccon, setexeccon \- get or set the SELinux security context used for executing a new process. .br rpm_execcon \- run a helper for rpm in an appropriate security context @@ -55,6 +55,6 @@ rpm_execcon only returns upon errors, as it calls execve(2). .SH "SEE ALSO" -.BR freecon "(3), " getcon "(3)" +.BR selinux "(8), " freecon "(3), " getcon "(3)" Modified: trunk/libselinux/man/man3/getfilecon.3 =================================================================== --- trunk/libselinux/man/man3/getfilecon.3 2007-01-17 15:54:23 UTC (rev 2185) +++ trunk/libselinux/man/man3/getfilecon.3 2007-01-17 15:59:39 UTC (rev 2186) @@ -1,6 +1,6 @@ .TH "getfilecon" "3" "1 January 2004" "ru...@co..." "SE Linux API documentation" .SH "NAME" -getfilecon, fgetfilecon, lgetfilecon \- get SE Linux security context of a file +getfilecon, fgetfilecon, lgetfilecon \- get SELinux security context of a file .SH "SYNOPSIS" .B #include <selinux/selinux.h> .sp 
@@ -40,4 +40,4 @@ here. .SH "SEE ALSO" -.BR freecon "(3), " setfilecon "(3), " setfscreatecon "(3)" +.BR selinux "(8), " freecon "(3), " setfilecon "(3), " setfscreatecon "(3)" Modified: trunk/libselinux/man/man3/getfscreatecon.3 =================================================================== --- trunk/libselinux/man/man3/getfscreatecon.3 2007-01-17 15:54:23 UTC (rev 2185) +++ trunk/libselinux/man/man3/getfscreatecon.3 2007-01-17 15:59:39 UTC (rev 2186) @@ -1,6 +1,6 @@ .TH "getfscreatecon" "3" "1 January 2004" "ru...@co..." "SE Linux API documentation" .SH "NAME" -getfscreatecon, setfscreatecon \- get or set the SE Linux security context used for creating a new file system object. +getfscreatecon, setfscreatecon \- get or set the SELinux security context used for creating a new file system object. .SH "SYNOPSIS" .B #include <selinux/selinux.h> @@ -35,4 +35,4 @@ On success 0 is returned. .SH "SEE ALSO" -.BR freecon "(3), " getcon "(3), " getexeccon "(3)" +.BR selinux "(8), " freecon "(3), " getcon "(3), " getexeccon "(3)" Modified: trunk/libselinux/man/man3/getseuserbyname.3 =================================================================== --- trunk/libselinux/man/man3/getseuserbyname.3 2007-01-17 15:54:23 UTC (rev 2185) +++ trunk/libselinux/man/man3/getseuserbyname.3 2007-01-17 15:59:39 UTC (rev 2186) @@ -23,3 +23,6 @@ The errors documented for the stat(2) system call are also applicable here. +.SH "SEE ALSO" +.BR selinux "(8)" + Modified: trunk/libselinux/man/man3/is_context_customizable.3 =================================================================== --- trunk/libselinux/man/man3/is_context_customizable.3 2007-01-17 15:54:23 UTC (rev 2185) +++ trunk/libselinux/man/man3/is_context_customizable.3 2007-01-17 15:59:39 UTC (rev 2186) 
@@ -1,6 +1,6 @@ .TH "is_context_customizable" "3" "10 January 2005" "dw...@re..." "SELinux API documentation" .SH "NAME" -is_context_customizable \- check whether context type is customizable by the administrator. +is_context_customizable \- check whether SELinux context type is customizable by the administrator. .SH "SYNOPSIS" .B #include <selinux/selinux.h> .sp @@ -20,3 +20,6 @@ .SH "FILE" /etc/selinux/SELINUXTYPE/context/customizable_types +.SH "SEE ALSO" +.BR selinux "(8)" + Modified: trunk/libselinux/man/man3/is_selinux_enabled.3 =================================================================== --- trunk/libselinux/man/man3/is_selinux_enabled.3 2007-01-17 15:54:23 UTC (rev 2185) +++ trunk/libselinux/man/man3/is_selinux_enabled.3 2007-01-17 15:59:39 UTC (rev 2186) @@ -1,6 +1,6 @@ .TH "is_selinux_enabled" "3" "1 January 2004" "ru...@co..." "SE Linux API documentation" .SH "NAME" -is_selinux_enabled \- check whether SE Linux is enabled +is_selinux_enabled \- check whether SELinux is enabled .SH "SYNOPSIS" .B #include <selinux/selinux.h> .sp @@ -9,3 +9,7 @@ .SH "DESCRIPTION" .B is_selinux_enabled returns 1 if SE Linux is running or 0 if it is not. May change soon. + +.SH "SEE ALSO" +.BR selinux "(8)" + Modified: trunk/libselinux/man/man3/matchmediacon.3 =================================================================== --- trunk/libselinux/man/man3/matchmediacon.3 2007-01-17 15:54:23 UTC (rev 2185) +++ trunk/libselinux/man/man3/matchmediacon.3 2007-01-17 15:59:39 UTC (rev 2186) @@ -1,6 +1,6 @@ .TH "matchmediacon" "3" "15 November 2004" "dw...@re..." "SE Linux API documentation" .SH "NAME" -matchmediacon \- get the default security context for the specified mediatype from the policy. +matchmediacon \- get the default SELinux security context for the specified mediatype from the policy. .SH "SYNOPSIS" .B #include <selinux/selinux.h> 
@@ -23,4 +23,4 @@ /etc/selinux/POLICYTYPE/contexts/files/media .SH "SEE ALSO" -.BR freecon "(3) +.BR selinux "(8), " freecon "(3) Modified: trunk/libselinux/man/man3/matchpathcon.3 =================================================================== --- trunk/libselinux/man/man3/matchpathcon.3 2007-01-17 15:54:23 UTC (rev 2185) +++ trunk/libselinux/man/man3/matchpathcon.3 2007-01-17 15:59:39 UTC (rev 2186) @@ -1,6 +1,6 @@ .TH "matchpathcon" "3" "16 March 2005" "sd...@ty..." "SE Linux API documentation" .SH "NAME" -matchpathcon \- get the default security context for the specified path from the file contexts configuration. +matchpathcon \- get the default SELinux security context for the specified path from the file contexts configuration. .SH "SYNOPSIS" .B #include <selinux/selinux.h> @@ -117,4 +117,4 @@ Returns 0 on success or -1 otherwise. .SH "SEE ALSO" -.BR freecon "(3), " setfilecon "(3), " setfscreatecon "(3)" +.BR selinux "(8), " freecon "(3), " setfilecon "(3), " setfscreatecon "(3)" Modified: trunk/libselinux/man/man3/security_check_context.3 =================================================================== --- trunk/libselinux/man/man3/security_check_context.3 2007-01-17 15:54:23 UTC (rev 2185) +++ trunk/libselinux/man/man3/security_check_context.3 2007-01-17 15:59:39 UTC (rev 2186) @@ -1,6 +1,6 @@ .TH "security_check_context" "3" "1 January 2004" "ru...@co..." "SE Linux API documentation" .SH "NAME" -security_check_context \- check the validity of a context +security_check_context \- check the validity of a SELinux context .SH "SYNOPSIS" .B #include <selinux/selinux.h> .sp 
@@ -10,3 +10,7 @@ .B security_check_context returns 0 if SE Linux is running and the context is valid, otherwise it returns -1. + +.SH "SEE ALSO" +.BR selinux "(8)" + Modified: trunk/libselinux/man/man3/security_compute_av.3 =================================================================== --- trunk/libselinux/man/man3/security_compute_av.3 2007-01-17 15:54:23 UTC (rev 2185) +++ trunk/libselinux/man/man3/security_compute_av.3 2007-01-17 15:59:39 UTC (rev 2186) @@ -1,7 +1,7 @@ .TH "security_compute_av" "3" "1 January 2004" "ru...@co..." "SE Linux API documentation" .SH "NAME" security_compute_av, security_compute_create, security_compute_relabel, security_compute_user \- query -the SE Linux policy database in the kernel. +the SELinux policy database in the kernel. .SH "SYNOPSIS" .B #include <selinux/selinux.h> @@ -51,4 +51,4 @@ 0 for success and on error -1 is returned. .SH "SEE ALSO" -.BR getcon "(3), " getfilecon "(3), " get_ordered_context_list "(3)" +.BR selinux "(8), " getcon "(3), " getfilecon "(3), " get_ordered_context_list "(3)" Modified: trunk/libselinux/man/man3/security_getenforce.3 =================================================================== --- trunk/libselinux/man/man3/security_getenforce.3 2007-01-17 15:54:23 UTC (rev 2185) +++ trunk/libselinux/man/man3/security_getenforce.3 2007-01-17 15:59:39 UTC (rev 2186) @@ -1,6 +1,6 @@ .TH "security_getenforce" "3" "1 January 2004" "ru...@co..." "SE Linux API documentation" .SH "NAME" -security_getenforce, security_setenforce \- get or set the enforcing state of SE Linux +security_getenforce, security_setenforce \- get or set the enforcing state of SELinux .SH "SYNOPSIS" .B #include <selinux/selinux.h> .sp 
@@ -17,3 +17,7 @@ sets SE Linux to enforcing mode if the value 1 is passed in, and sets it to permissive mode if 0 is passed in. On success 0 is returned, on error -1 is returned. + +.SH "SEE ALSO" +.BR selinux "(8)" + Modified: trunk/libselinux/man/man3/security_load_booleans.3 =================================================================== --- trunk/libselinux/man/man3/security_load_booleans.3 2007-01-17 15:54:23 UTC (rev 2185) +++ trunk/libselinux/man/man3/security_load_booleans.3 2007-01-17 15:59:39 UTC (rev 2186) @@ -56,4 +56,4 @@ This manual page was written by Dan Walsh <dw...@re...>. .SH "SEE ALSO" -getsebool(8), booleans(8), togglesebool(8) +selinux(8), getsebool(8), booleans(8), togglesebool(8) Modified: trunk/libselinux/man/man3/security_load_policy.3 =================================================================== --- trunk/libselinux/man/man3/security_load_policy.3 2007-01-17 15:54:23 UTC (rev 2185) +++ trunk/libselinux/man/man3/security_load_policy.3 2007-01-17 15:59:39 UTC (rev 2186) @@ -1,6 +1,6 @@ .TH "security_load_policy" "3" "1 January 2004" "ru...@co..." "SE Linux API documentation" .SH "NAME" -security_load_policy \- load a new policy +security_load_policy \- load a new SELinux policy .SH "SYNOPSIS" .B #include <selinux/selinux.h> .sp @@ -9,3 +9,7 @@ .SH "DESCRIPTION" .B security_load_policy loads a new policy, returns 0 for success and -1 for error. + +.SH "SEE ALSO" +.BR selinux "(8)" + Modified: trunk/libselinux/man/man3/security_policyvers.3 =================================================================== --- trunk/libselinux/man/man3/security_policyvers.3 2007-01-17 15:54:23 UTC (rev 2185) +++ trunk/libselinux/man/man3/security_policyvers.3 2007-01-17 15:59:39 UTC (rev 2186) 
@@ -1,6 +1,6 @@ .TH "security_policyvers" "3" "1 January 2004" "ru...@co..." "SE Linux API documentation" .SH "NAME" -security_policyvers \- get the version of the SE Linux policy +security_policyvers \- get the version of the SELinux policy .SH "SYNOPSIS" .B #include <selinux/selinux.h> .sp @@ -10,3 +10,7 @@ .B security_policyvers returns the version of the policy (a positive integer) on success, or -1 on error. + +.SH "SEE ALSO" +.BR selinux "(8)" + Modified: trunk/libselinux/man/man3/selinux_binary_policy_path.3 =================================================================== --- trunk/libselinux/man/man3/selinux_binary_policy_path.3 2007-01-17 15:54:23 UTC (rev 2185) +++ trunk/libselinux/man/man3/selinux_binary_policy_path.3 2007-01-17 15:59:39 UTC (rev 2186) @@ -4,7 +4,7 @@ selinux_failsafe_context_path, selinux_removable_context_path, selinux_default_context_path, selinux_user_contexts_path, selinux_file_context_path, selinux_media_context_path, -selinux_contexts_path, selinux_booleans_path \- These functions return the paths to the active policy configuration +selinux_contexts_path, selinux_booleans_path \- These functions return the paths to the active SELinux policy configuration directories and files. .SH "SYNOPSIS" @@ -65,3 +65,6 @@ .SH AUTHOR This manual page was written by Dan Walsh <dw...@re...>. +.SH "SEE ALSO" +.BR selinux "(8)" + Modified: trunk/libselinux/man/man3/selinux_check_securetty_context.3 =================================================================== --- trunk/libselinux/man/man3/selinux_check_securetty_context.3 2007-01-17 15:54:23 UTC (rev 2185) +++ trunk/libselinux/man/man3/selinux_check_securetty_context.3 2007-01-17 15:59:39 UTC (rev 2186) 
@@ -1,6 +1,6 @@ .TH "selinux_check_securetty_context" "3" "1 January 2007" "dw...@re..." "SE Linux API documentation" .SH "NAME" -selinux_check_securetty_context \- check whether a tty security context is defined as a securetty context +selinux_check_securetty_context \- check whether a SELinux tty security context is defined as a securetty context .SH "SYNOPSIS" .B #include <selinux/selinux.h> .sp @@ -10,3 +10,7 @@ .B selinux_check_securetty_context returns 0 if tty_context is a securetty context returns < 0 otherwise. + +.SH "SEE ALSO" +.BR selinux "(8)" + Modified: trunk/libselinux/man/man3/selinux_getenforcemode.3 =================================================================== --- trunk/libselinux/man/man3/selinux_getenforcemode.3 2007-01-17 15:54:23 UTC (rev 2185) +++ trunk/libselinux/man/man3/selinux_getenforcemode.3 2007-01-17 15:59:39 UTC (rev 2186) @@ -1,6 +1,6 @@ .TH "selinux_getenforcemode" "3" "25 May 2004" "dw...@re..." "SE Linux API documentation" .SH "NAME" -selinux_getenforcemode \- get the enforcing state of SE Linux +selinux_getenforcemode \- get the enforcing state of SELinux .SH "SYNOPSIS" .B #include <selinux/selinux.h> .sp @@ -19,4 +19,7 @@ On success, zero is returned. On failure, -1 is returned. +.SH "SEE ALSO" +.BR selinux "(8)" + Modified: trunk/libselinux/man/man3/selinux_policy_root.3 =================================================================== --- trunk/libselinux/man/man3/selinux_policy_root.3 2007-01-17 15:54:23 UTC (rev 2185) +++ trunk/libselinux/man/man3/selinux_policy_root.3 2007-01-17 15:59:39 UTC (rev 2186) 
@@ -14,4 +14,7 @@ On success, returns a directory path containing the SELinux policy files. On failure, NULL is returned. +.SH "SEE ALSO" +.BR selinux "(8)" + Modified: trunk/libselinux/man/man3/setfilecon.3 =================================================================== --- trunk/libselinux/man/man3/setfilecon.3 2007-01-17 15:54:23 UTC (rev 2185) +++ trunk/libselinux/man/man3/setfilecon.3 2007-01-17 15:59:39 UTC (rev 2186) @@ -1,6 +1,6 @@ .TH "setfilecon" "3" "1 January 2004" "ru...@co..." "SE Linux API documentation" .SH "NAME" -setfilecon, fsetfilecon, lsetfilecon \- set SE Linux security context of a file +setfilecon, fsetfilecon, lsetfilecon \- set SELinux security context of a file .SH "SYNOPSIS" .B #include <selinux/selinux.h> @@ -38,4 +38,4 @@ here. .SH "SEE ALSO" -.BR freecon "(3), " getfilecon "(3), " setfscreatecon "(3)" +.BR selinux "(3), " freecon "(3), " getfilecon "(3), " setfscreatecon "(3)" Modified: trunk/libselinux/man/man8/avcstat.8 =================================================================== --- trunk/libselinux/man/man8/avcstat.8 2007-01-17 15:54:23 UTC (rev 2185) +++ trunk/libselinux/man/man8/avcstat.8 2007-01-17 15:59:39 UTC (rev 2186) @@ -22,6 +22,9 @@ .B \-f Specifies the location of the AVC statistics file, defaulting to '/selinux/avc/cache_stats'. +.SH "SEE ALSO" +selinux(8) + .SH AUTHOR This manual page was written by Dan Walsh <dw...@re...>. The program was written by James Morris <jm...@re...>. Modified: trunk/libselinux/man/man8/getenforce.8 =================================================================== --- trunk/libselinux/man/man8/getenforce.8 2007-01-17 15:54:23 UTC (rev 2185) +++ trunk/libselinux/man/man8/getenforce.8 2007-01-17 15:59:39 UTC (rev 2186) 
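Review bot: In the setfilecon.3 SEE ALSO hunk the new entry is `.BR selinux "(3), "`, which points at manual section 3, while every other hunk in this commit (getfilecon.3, matchpathcon.3, getfscreatecon.3, the section-8 tools) references the overview page as selinux(8), and the stated purpose of the change is to make that section-8 page reachable from `apropos selinux`. Nothing in the commit adds a selinux(3) page, so `man 3 selinux` is unlikely to resolve and the reference is inconsistent with the rest of the patch. The line should be `.BR selinux "(8), " freecon "(3), " getfilecon "(3), " setfscreatecon "(3)"`.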
@@ -12,4 +12,4 @@ Dan Walsh, <dw...@re...> .SH "SEE ALSO" -setenforce(8), selinuxenabled(8) +selinux(8), setenforce(8), selinuxenabled(8) Modified: trunk/libselinux/man/man8/getsebool.8 =================================================================== --- trunk/libselinux/man/man8/getsebool.8 2007-01-17 15:54:23 UTC (rev 2185) +++ trunk/libselinux/man/man8/getsebool.8 2007-01-17 15:59:39 UTC (rev 2186) @@ -26,9 +26,10 @@ .B \-a Show all SELinux booleans. +.SH "SEE ALSO" +selinux(8), setsebool(8), booleans(8) + .SH AUTHOR This manual page was written by Dan Walsh <dw...@re...>. The program was written by Tresys Technology. -.SH "SEE ALSO" -setsebool(8), booleans(8) Modified: trunk/libselinux/man/man8/matchpathcon.8 =================================================================== --- trunk/libselinux/man/man8/matchpathcon.8 2007-01-17 15:54:23 UTC (rev 2185) +++ trunk/libselinux/man/man8/matchpathcon.8 2007-01-17 15:59:39 UTC (rev 2186) @@ -1,6 +1,6 @@ .TH "matchpathcon" "8" "21 April 2005" "dw...@re..." "SE Linux Command Line documentation" .SH "NAME" -matchpathcon \- get the default security context for the specified path from the file contexts configuration. +matchpathcon \- get the default SELinux security context for the specified path from the file contexts configuration. .SH "SYNOPSIS" .B matchpathcon [-V] [-N] [-n] [-f file_contexts_file ] [-p prefix ] filepath... @@ -27,4 +27,5 @@ This manual page was written by Dan Walsh <dw...@re...>. .SH "SEE ALSO" +.BR selinux "(8), " .BR mathpathcon "(3), " Modified: trunk/libselinux/man/man8/selinuxenabled.8 =================================================================== --- trunk/libselinux/man/man8/selinuxenabled.8 2007-01-17 15:54:23 UTC (rev 2185) +++ trunk/libselinux/man/man8/selinuxenabled.8 2007-01-17 15:59:39 UTC (rev 2186) 
@@ -13,4 +13,4 @@ Dan Walsh, <dw...@re...> .SH "SEE ALSO" -setenforce(8), getenforce(8) +selinux(8), setenforce(8), getenforce(8) Modified: trunk/libselinux/man/man8/setenforce.8 =================================================================== --- trunk/libselinux/man/man8/setenforce.8 2007-01-17 15:54:23 UTC (rev 2185) +++ trunk/libselinux/man/man8/setenforce.8 2007-01-17 15:59:39 UTC (rev 2186) @@ -17,7 +17,7 @@ Dan Walsh, <dw...@re...> .SH "SEE ALSO" -getenforce(8), selinuxenabled(8) +selinux(8), getenforce(8), selinuxenabled(8) .SH FILES /etc/grub.conf, /etc/selinux/config Modified: trunk/libselinux/man/man8/togglesebool.8 =================================================================== --- trunk/libselinux/man/man8/togglesebool.8 2007-01-17 15:54:23 UTC (rev 2185) +++ trunk/libselinux/man/man8/togglesebool.8 2007-01-17 15:59:39 UTC (rev 2186) @@ -1,6 +1,6 @@ .TH "togglesebool" "1" "26 Oct 2004" "sg...@re..." "SELinux Command Line documentation" .SH "NAME" -togglesebool \- flip the current value of a boolean +togglesebool \- flip the current value of a SELinux boolean .SH "SYNOPSIS" .B togglesebool boolean... @@ -14,4 +14,4 @@ This man page was written by Steve Grubb <sg...@re...> .SH "SEE ALSO" -booleans(8), getsebool(8), setsebool(8) +selinux(8), booleans(8), getsebool(8), setsebool(8) Modified: trunk/policycoreutils/ChangeLog =================================================================== --- trunk/policycoreutils/ChangeLog 2007-01-17 15:54:23 UTC (rev 2185) +++ trunk/policycoreutils/ChangeLog 2007-01-17 15:59:39 UTC (rev 2186) 
@@ -1,3 +1,7 @@ +1.33.15 2007-01-17 + * Merged unicode-to-string fix for seobject audit from Dan Walsh. + * Merged man page updates to make "apropos selinux" work from Dan Walsh. + 1.33.14 2007-01-16 * Merged newrole man page patch from Michael Thompson. Modified: trunk/policycoreutils/VERSION =================================================================== --- trunk/policycoreutils/VERSION 2007-01-17 15:54:23 UTC (rev 2185) +++ trunk/policycoreutils/VERSION 2007-01-17 15:59:39 UTC (rev 2186) @@ -1 +1 @@ -1.33.14 +1.33.15 Modified: trunk/policycoreutils/audit2allow/audit2allow.1 =================================================================== --- trunk/policycoreutils/audit2allow/audit2allow.1 2007-01-17 15:54:23 UTC (rev 2185) +++ trunk/policycoreutils/audit2allow/audit2allow.1 2007-01-17 15:59:39 UTC (rev 2186) @@ -24,7 +24,7 @@ .\" .TH AUDIT2ALLOW "1" "January 2005" "Security Enhanced Linux" NSA .SH NAME -audit2allow \- generate policy allow rules from logs of denied operations +audit2allow \- generate SELinux policy allow rules from logs of denied operations .SH SYNOPSIS .B audit2allow .RI [ options "] " Modified: trunk/policycoreutils/load_policy/load_policy.8 =================================================================== --- trunk/policycoreutils/load_policy/load_policy.8 2007-01-17 15:54:23 UTC (rev 2185) +++ trunk/policycoreutils/load_policy/load_policy.8 2007-01-17 15:59:39 UTC (rev 2186) @@ -1,6 +1,6 @@ .TH LOAD_POLICY "8" "May 2003" "Security Enhanced Linux" NSA .SH NAME -load_policy \- load a new policy into the kernel +load_policy \- load a new SELinux policy into the kernel .SH SYNOPSIS .B load_policy Modified: trunk/policycoreutils/newrole/newrole.1 =================================================================== --- trunk/policycoreutils/newrole/newrole.1 2007-01-17 15:54:23 UTC (rev 2185) +++ trunk/policycoreutils/newrole/newrole.1 2007-01-17 15:59:39 UTC (rev 2186) 
@@ -1,6 +1,6 @@ .TH NEWROLE "1" "October 2000" "Security Enhanced Linux" NSA .SH NAME -newrole \- run a shell with a new role +newrole \- run a shell with a new SELinux role .SH SYNOPSIS .B newrole [\fB-r\fR|\fB--role\fR] Modified: trunk/policycoreutils/restorecon/restorecon.8 =================================================================== --- trunk/policycoreutils/restorecon/restorecon.8 2007-01-17 15:54:23 UTC (rev 2185) +++ trunk/policycoreutils/restorecon/restorecon.8 2007-01-17 15:59:39 UTC (rev 2186) @@ -1,6 +1,6 @@ .TH "restorecon" "8" "2002031409" "" "" .SH "NAME" -restorecon \- set file security contexts. +restorecon \- restore file(s) default SELinux security contexts. .SH "SYNOPSIS" .B restorecon Modified: trunk/policycoreutils/restorecond/restorecond.8 =================================================================== --- trunk/policycoreutils/restorecond/restorecond.8 2007-01-17 15:54:23 UTC (rev 2185) +++ trunk/policycoreutils/restorecond/restorecond.8 2007-01-17 15:59:39 UTC (rev 2186) @@ -1,6 +1,6 @@ .TH "restorecond" "8" "2002031409" "" "" .SH "NAME" -restorecond \- daemon that watches for file creation and then corrects file context +restorecond \- daemon that watches for file creation and then sets the default SELinux file context .SH "SYNOPSIS" .B restorecond [\-d] Modified: trunk/policycoreutils/run_init/run_init.8 =================================================================== --- trunk/policycoreutils/run_init/run_init.8 2007-01-17 15:54:23 UTC (rev 2185) +++ trunk/policycoreutils/run_init/run_init.8 2007-01-17 15:59:39 UTC (rev 2186) 
@@ -1,6 +1,6 @@ .TH RUN_INIT "8" "May 2003" "Security Enhanced Linux" NSA .SH NAME -run_init \- run an init script in the proper context +run_init \- run an init script in the proper SELinux context .SH SYNOPSIS .B run_init \fISCRIPT\fR [[\fIARGS\fR]...] Modified: trunk/policycoreutils/scripts/chcat.8 =================================================================== --- trunk/policycoreutils/scripts/chcat.8 2007-01-17 15:54:23 UTC (rev 2185) +++ trunk/policycoreutils/scripts/chcat.8 2007-01-17 15:59:39 UTC (rev 2186) @@ -1,6 +1,6 @@ .TH CHCAT "8" "September 2005" "chcat" "User Commands" .SH NAME -chcat \- change file security category +chcat \- change file SELinux security category .SH SYNOPSIS .B chcat \fICATEGORY FILE\fR... Modified: trunk/policycoreutils/scripts/fixfiles.8 =================================================================== --- trunk/policycoreutils/scripts/fixfiles.8 2007-01-17 15:54:23 UTC (rev 2185) +++ trunk/policycoreutils/scripts/fixfiles.8 2007-01-17 15:59:39 UTC (rev 2186) @@ -1,6 +1,6 @@ .TH "fixfiles" "8" "2002031409" "" "" .SH "NAME" -fixfiles \- fix file security contexts. +fixfiles \- fix file SELinux security contexts. .SH "SYNOPSIS" .B fixfiles [-F] [ -R rpmpackagename[,rpmpackagename...] ] [ -C PREVIOUS_FILECONTEXT ] [-l logfile ] [-o outputfile ] { check | restore | [-F] relabel | verify }" Modified: trunk/policycoreutils/scripts/genhomedircon.8 =================================================================== --- trunk/policycoreutils/scripts/genhomedircon.8 2007-01-17 15:54:23 UTC (rev 2185) +++ trunk/policycoreutils/scripts/genhomedircon.8 2007-01-17 15:59:39 UTC (rev 2186) 
@@ -24,7 +24,7 @@ .\" .TH GENHOMEDIRCON "8" "January 2005" "Security Enhanced Linux" "" .SH NAME -genhomedircon \- generate file context configuration entries for user home directories +genhomedircon \- generate SELinux file context configuration entries for user home directories .SH SYNOPSIS .B genhomedircon [ -d selinuxdir ] [-n | --nopasswd] [-t selinuxtype ] [-h] Modified: trunk/policycoreutils/secon/secon.1 =================================================================== --- trunk/policycoreutils/secon/secon.1 2007-01-17 15:54:23 UTC (rev 2185) +++ trunk/policycoreutils/secon/secon.1 2007-01-17 15:59:39 UTC (rev 2186) @@ -1,6 +1,6 @@ .TH SECON "1" "April 2006" "Security Enhanced Linux" NSA .SH NAME -secon \- See a context, from a file, program or user input. +secon \- See an SELinux context, from a file, program or user input. .SH SYNOPSIS .B secon [\fB-hVurtscmPRfLp\fR] Modified: trunk/policycoreutils/semodule_deps/semodule_deps.8 =================================================================== --- trunk/policycoreutils/semodule_deps/semodule_deps.8 2007-01-17 15:54:23 UTC (rev 2185) +++ trunk/policycoreutils/semodule_deps/semodule_deps.8 2007-01-17 15:59:39 UTC (rev 2186) @@ -1,6 +1,6 @@ .TH SEMODULE_DEPS "8" "June 2006" "Security Enhanced Linux" NSA .SH NAME -semodule_deps \- show the dependencies between policy packages. +semodule_deps \- show the dependencies between SELinux policy packages. .SH SYNOPSIS .B semodule_deps [-v -g -b] basemodpkg modpkg1 [modpkg2 ... ] Modified: trunk/policycoreutils/setfiles/setfiles.8 =================================================================== --- trunk/policycoreutils/setfiles/setfiles.8 2007-01-17 15:54:23 UTC (rev 2185) +++ trunk/policycoreutils/setfiles/setfiles.8 2007-01-17 15:59:39 UTC (rev 2186) 
@@ -1,6 +1,6 @@ .TH "setfiles" "8" "2002031409" "" "" .SH "NAME" -setfiles \- set file security contexts. +setfiles \- set file SELinux security contexts. .SH "SYNOPSIS" .B setfiles This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
From: <ssm...@us...> - 2007-01-18 15:07:40
Revision: 2197 http://svn.sourceforge.net/selinux/?rev=2197&view=rev Author: ssmalley Date: 2007-01-18 07:07:38 -0800 (Thu, 18 Jan 2007) Log Message: ----------- Update versions for stable branch Modified Paths: -------------- trunk/checkpolicy/ChangeLog trunk/checkpolicy/VERSION trunk/libselinux/ChangeLog trunk/libselinux/VERSION trunk/libsemanage/ChangeLog trunk/libsemanage/VERSION trunk/libsepol/ChangeLog trunk/libsepol/VERSION trunk/policycoreutils/ChangeLog trunk/policycoreutils/VERSION Modified: trunk/checkpolicy/ChangeLog =================================================================== --- trunk/checkpolicy/ChangeLog 2007-01-18 14:59:20 UTC (rev 2196) +++ trunk/checkpolicy/ChangeLog 2007-01-18 15:07:38 UTC (rev 2197) @@ -1,3 +1,6 @@ +1.34.0 2007-01-18 + * Updated version for stable branch. + 1.33.1 2006-11-13 * Collapse user identifiers and identifiers together. Modified: trunk/checkpolicy/VERSION =================================================================== --- trunk/checkpolicy/VERSION 2007-01-18 14:59:20 UTC (rev 2196) +++ trunk/checkpolicy/VERSION 2007-01-18 15:07:38 UTC (rev 2197) @@ -1 +1 @@ -1.33.1 +1.34.0 Modified: trunk/libselinux/ChangeLog =================================================================== --- trunk/libselinux/ChangeLog 2007-01-18 14:59:20 UTC (rev 2196) +++ trunk/libselinux/ChangeLog 2007-01-18 15:07:38 UTC (rev 2197) 
@@ -1,10 +1,13 @@ -1.33.6 2006-01-17 +1.34.0 2007-01-18 + * Updated version for stable branch. + +1.33.6 2007-01-17 * Merged man page updates to make "apropos selinux" work from Dan Walsh. -1.33.5 2006-01-16 +1.33.5 2007-01-16 * Merged getdefaultcon utility from Dan Walsh. -1.33.4 2006-01-11 +1.33.4 2007-01-11 * Merged selinux_check_securetty_context() and support from Dan Walsh. 1.33.3 2007-01-04 Modified: trunk/libselinux/VERSION =================================================================== --- trunk/libselinux/VERSION 2007-01-18 14:59:20 UTC (rev 2196) +++ trunk/libselinux/VERSION 2007-01-18 15:07:38 UTC (rev 2197) @@ -1 +1 @@ -1.33.6 +1.34.0 Modified: trunk/libsemanage/ChangeLog =================================================================== --- trunk/libsemanage/ChangeLog 2007-01-18 14:59:20 UTC (rev 2196) +++ trunk/libsemanage/ChangeLog 2007-01-18 15:07:38 UTC (rev 2197) @@ -1,3 +1,6 @@ +1.10.0 2007-01-18 + * Updated version for stable branch. + 1.9.2 2007-01-08 * Merged patch to optionally reduce disk usage by removing the backup module store and linked policy from Karl MacMillan Modified: trunk/libsemanage/VERSION =================================================================== --- trunk/libsemanage/VERSION 2007-01-18 14:59:20 UTC (rev 2196) +++ trunk/libsemanage/VERSION 2007-01-18 15:07:38 UTC (rev 2197) @@ -1 +1 @@ -1.9.2 +1.10.0 Modified: trunk/libsepol/ChangeLog =================================================================== --- trunk/libsepol/ChangeLog 2007-01-18 14:59:20 UTC (rev 2196) +++ trunk/libsepol/ChangeLog 2007-01-18 15:07:38 UTC (rev 2197) 
@@ -1,3 +1,6 @@ +1.16.0 2007-01-18 + * Updated version for stable branch. + 1.15.3 2006-11-27 * Merged patch to compile wit -fPIC instead of -fpic from Manoj Srivastava to prevent hitting the global offest table Modified: trunk/libsepol/VERSION =================================================================== --- trunk/libsepol/VERSION 2007-01-18 14:59:20 UTC (rev 2196) +++ trunk/libsepol/VERSION 2007-01-18 15:07:38 UTC (rev 2197) @@ -1 +1 @@ -1.15.3 +1.16.0 Modified: trunk/policycoreutils/ChangeLog =================================================================== --- trunk/policycoreutils/ChangeLog 2007-01-18 14:59:20 UTC (rev 2196) +++ trunk/policycoreutils/ChangeLog 2007-01-18 15:07:38 UTC (rev 2197) @@ -1,3 +1,6 @@ +1.34.0 2007-01-18 + * Updated version for stable branch. + 1.33.16 2007-01-18 * Merged po file updates from Dan Walsh. * Removed update-po from all target in po/Makefile. Modified: trunk/policycoreutils/VERSION =================================================================== --- trunk/policycoreutils/VERSION 2007-01-18 14:59:20 UTC (rev 2196) +++ trunk/policycoreutils/VERSION 2007-01-18 15:07:38 UTC (rev 2197) @@ -1 +1 @@ -1.33.16 +1.34.0 This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
From: <ssm...@us...> - 2007-01-26 20:55:56
Revision: 2207 http://svn.sourceforge.net/selinux/?rev=2207&view=rev Author: ssmalley Date: 2007-01-26 12:55:38 -0800 (Fri, 26 Jan 2007) Log Message: ----------- Author: Daniel J Walsh Email: dw...@re... Subject: libselinux python binding segfault patch Date: Wed, 24 Jan 2007 12:25:34 -0500 This patch fixes a segfault in the python binding when getfilecon is called with a non-existent file. Modified Paths: -------------- trunk/libselinux/ChangeLog trunk/libselinux/VERSION trunk/libselinux/src/selinuxswig.i trunk/libselinux/src/selinuxswig_wrap.c trunk/libsemanage/ChangeLog trunk/libsemanage/VERSION trunk/libsemanage/src/semanageswig_python.i trunk/libsemanage/src/semanageswig_wrap.c Modified: trunk/libselinux/ChangeLog =================================================================== --- trunk/libselinux/ChangeLog 2007-01-25 12:13:58 UTC (rev 2206) +++ trunk/libselinux/ChangeLog 2007-01-26 20:55:38 UTC (rev 2207) @@ -1,3 +1,6 @@ +1.34.1 2007-01-26 + * Merged python binding fixes from Dan Walsh. + 1.34.0 2007-01-18 * Updated version for stable branch. Modified: trunk/libselinux/VERSION =================================================================== --- trunk/libselinux/VERSION 2007-01-25 12:13:58 UTC (rev 2206) +++ trunk/libselinux/VERSION 2007-01-26 20:55:38 UTC (rev 2207) @@ -1 +1 @@ -1.34.0 +1.34.1 Modified: trunk/libselinux/src/selinuxswig.i =================================================================== --- trunk/libselinux/src/selinuxswig.i 2007-01-25 12:13:58 UTC (rev 2206) +++ trunk/libselinux/src/selinuxswig.i 2007-01-26 20:55:38 UTC (rev 2207) 
@@ -25,7 +25,7 @@ %apply int *OUTPUT { int * }; %apply int *OUTPUT { size_t * }; -%typemap(in, numinputs=0) security_context_t *(security_context_t temp) { +%typemap(in, numinputs=0) security_context_t *(security_context_t temp=NULL) { $1 = &temp; } %typemap(argout) security_context_t * (char *temp) { Modified: trunk/libselinux/src/selinuxswig_wrap.c =================================================================== --- trunk/libselinux/src/selinuxswig_wrap.c 2007-01-25 12:13:58 UTC (rev 2206) +++ trunk/libselinux/src/selinuxswig_wrap.c 2007-01-26 20:55:38 UTC (rev 2207) @@ -2831,7 +2831,7 @@ PyObject *resultobj = 0; security_context_t *arg1 = (security_context_t *) 0 ; int result; - security_context_t temp1 ; + security_context_t temp1 = NULL ; char *temp10 ; { @@ -2878,7 +2878,7 @@ int result; int val1 ; int ecode1 = 0 ; - security_context_t temp2 ; + security_context_t temp2 = NULL ; char *temp20 ; PyObject * obj0 = 0 ; @@ -2910,7 +2910,7 @@ PyObject *resultobj = 0; security_context_t *arg1 = (security_context_t *) 0 ; int result; - security_context_t temp1 ; + security_context_t temp1 = NULL ; char *temp10 ; { @@ -2936,7 +2936,7 @@ PyObject *resultobj = 0; security_context_t *arg1 = (security_context_t *) 0 ; int result; - security_context_t temp1 ; + security_context_t temp1 = NULL ; char *temp10 ; { @@ -2980,7 +2980,7 @@ PyObject *resultobj = 0; security_context_t *arg1 = (security_context_t *) 0 ; int result; - security_context_t temp1 ; + security_context_t temp1 = NULL ; char *temp10 ; { @@ -3024,7 +3024,7 @@ PyObject *resultobj = 0; security_context_t *arg1 = (security_context_t *) 0 ; int result; - security_context_t temp1 ; + security_context_t temp1 = NULL ; char *temp10 ; { @@ -3068,7 +3068,7 @@ PyObject *resultobj = 0; security_context_t *arg1 = (security_context_t *) 0 ; int result; - security_context_t temp1 ; + security_context_t temp1 = NULL ; char *temp10 ; { 
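Review bot: Initialising `temp` to NULL only removes the crash if the argout typemap that consumes it tolerates a NULL context; that typemap (`%typemap(argout) security_context_t * (char *temp)`) opens on the hunk's last context line and its body lies outside the hunk, so it should be confirmed to test `*$1` before converting or freeing it, e.g. `if (*$1) { ... }`. Presumably the wrapped libselinux calls leave the output parameter untouched on failure (the getfilecon case named in the log message), which is what made the indeterminate stack value reachable, and nothing in the hunk records that; a one-line comment on the typemap, `/* NULL so argout can tell "never set" from a valid context when the call fails */`, would document why the initialiser is load-bearing. The matching edits to selinuxswig_wrap.c are SWIG output and are best produced by re-running SWIG rather than maintained by hand.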
@@ -3116,7 +3116,7 @@ int res1 ; char *buf1 = 0 ; int alloc1 = 0 ; - security_context_t temp2 ; + security_context_t temp2 = NULL ; char *temp20 ; PyObject * obj0 = 0 ; @@ -3154,7 +3154,7 @@ int res1 ; char *buf1 = 0 ; int alloc1 = 0 ; - security_context_t temp2 ; + security_context_t temp2 = NULL ; char *temp20 ; PyObject * obj0 = 0 ; @@ -3191,7 +3191,7 @@ int result; int val1 ; int ecode1 = 0 ; - security_context_t temp2 ; + security_context_t temp2 = NULL ; char *temp20 ; PyObject * obj0 = 0 ; @@ -3313,7 +3313,7 @@ int result; int val1 ; int ecode1 = 0 ; - security_context_t temp2 ; + security_context_t temp2 = NULL ; char *temp20 ; PyObject * obj0 = 0 ; @@ -3474,7 +3474,7 @@ security_context_t arg1 ; security_context_t *arg2 = (security_context_t *) 0 ; int result; - security_context_t temp2 ; + security_context_t temp2 = NULL ; char *temp20 ; PyObject * obj0 = 0 ; @@ -3734,7 +3734,7 @@ int alloc1 = 0 ; unsigned int val2 ; int ecode2 = 0 ; - security_context_t temp3 ; + security_context_t temp3 = NULL ; char *temp30 ; PyObject * obj0 = 0 ; PyObject * obj1 = 0 ; @@ -3778,7 +3778,7 @@ int res1 ; char *buf1 = 0 ; int alloc1 = 0 ; - security_context_t temp2 ; + security_context_t temp2 = NULL ; char *temp20 ; PyObject * obj0 = 0 ; @@ -4212,7 +4212,7 @@ int res1 ; char *buf1 = 0 ; int alloc1 = 0 ; - security_context_t temp2 ; + security_context_t temp2 = NULL ; char *temp20 ; PyObject * obj0 = 0 ; @@ -4250,7 +4250,7 @@ int res1 ; char *buf1 = 0 ; int alloc1 = 0 ; - security_context_t temp2 ; + security_context_t temp2 = NULL ; char *temp20 ; PyObject * obj0 = 0 ; Modified: trunk/libsemanage/ChangeLog =================================================================== --- trunk/libsemanage/ChangeLog 2007-01-25 12:13:58 UTC (rev 2206) +++ trunk/libsemanage/ChangeLog 2007-01-26 20:55:38 UTC (rev 2207) 
@@ -1,3 +1,6 @@ +1.10.1 2007-01-26 + * Merged python binding fix from Dan Walsh. + 1.10.0 2007-01-18 * Updated version for stable branch. Modified: trunk/libsemanage/VERSION =================================================================== --- trunk/libsemanage/VERSION 2007-01-25 12:13:58 UTC (rev 2206) +++ trunk/libsemanage/VERSION 2007-01-26 20:55:38 UTC (rev 2207) @@ -1 +1 @@ -1.10.0 +1.10.1 Modified: trunk/libsemanage/src/semanageswig_python.i =================================================================== --- trunk/libsemanage/src/semanageswig_python.i 2007-01-25 12:13:58 UTC (rev 2206) +++ trunk/libsemanage/src/semanageswig_python.i 2007-01-26 20:55:38 UTC (rev 2207) @@ -99,7 +99,7 @@ %apply int *OUTPUT { size_t * }; %apply int *OUTPUT { unsigned int * }; -%typemap(in, numinputs=0) char **(char *temp) { +%typemap(in, numinputs=0) char **(char *temp=NULL) { $1 = &temp; } @@ -108,7 +108,7 @@ free(*$1); } -%typemap(in, numinputs=0) char ***(char **temp) { +%typemap(in, numinputs=0) char ***(char **temp=NULL) { $1 = &temp; } @@ -136,7 +136,7 @@ /* the wrapper will setup this parameter for passing... the resulting python functions will not take the semanage_module_info_t ** parameter */ -%typemap(in, numinputs=0) semanage_module_info_t **(semanage_module_info_t *temp) { +%typemap(in, numinputs=0) semanage_module_info_t **(semanage_module_info_t *temp=NULL) { $1 = &temp; } @@ -148,7 +148,7 @@ /* the wrapper will setup this parameter for passing... the resulting python functions will not take the semanage_context_t ** parameter */ -%typemap(in, numinputs=0) semanage_context_t **(semanage_context_t *temp) { +%typemap(in, numinputs=0) semanage_context_t **(semanage_context_t *temp=NULL) { $1 = &temp; } 
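Review bot: The `temp=NULL` initialiser is applied to every output typemap here and in the hunks on the following four lines, but the list-returning typemaps (`char ***` and the `semanage_*_t ***` family) pair the pointer with a separate count output that this patch leaves uninitialised; the generated wrapper hunks show `semanage_bool_t **temp2 = NULL ; unsigned int temp3 ;` side by side. If the corresponding argout loop reads the count before checking `*$1` for NULL, a failed call still iterates over an indeterminate count, so those argout bodies (outside these hunks) should be checked and the count given an initialiser too. A short comment above the first typemap, `/* outputs start NULL so argout/freearg can distinguish "never set" on an error return */`, would explain the pattern once instead of leaving ~20 identical edits undocumented. Since the text is repeated verbatim, a SWIG `%define` macro would also keep it in one place.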
@@ -160,7 +160,7 @@ /* the wrapper will setup this parameter for passing... the resulting python functions will not take the semanage_bool_t *** parameter */ -%typemap(in, numinputs=0) semanage_bool_t ***(semanage_bool_t **temp) { +%typemap(in, numinputs=0) semanage_bool_t ***(semanage_bool_t **temp=NULL) { $1 = &temp; } @@ -183,7 +183,7 @@ } } -%typemap(in, numinputs=0) semanage_bool_t **(semanage_bool_t *temp) { +%typemap(in, numinputs=0) semanage_bool_t **(semanage_bool_t *temp=NULL) { $1 = &temp; } @@ -195,7 +195,7 @@ $result = SWIG_Python_AppendOutput($result, SWIG_NewPointerObj(*$1, $*1_descriptor, 0)); } -%typemap(in, numinputs=0) semanage_bool_key_t **(semanage_bool_key_t *temp) { +%typemap(in, numinputs=0) semanage_bool_key_t **(semanage_bool_key_t *temp=NULL) { $1 = &temp; } @@ -203,7 +203,7 @@ /* the wrapper will setup this parameter for passing... the resulting python functions will not take the semanage_fcontext_t *** parameter */ -%typemap(in, numinputs=0) semanage_fcontext_t ***(semanage_fcontext_t **temp) { +%typemap(in, numinputs=0) semanage_fcontext_t ***(semanage_fcontext_t **temp=NULL) { $1 = &temp; } @@ -226,7 +226,7 @@ } } -%typemap(in, numinputs=0) semanage_fcontext_t **(semanage_fcontext_t *temp) { +%typemap(in, numinputs=0) semanage_fcontext_t **(semanage_fcontext_t *temp=NULL) { $1 = &temp; } @@ -238,7 +238,7 @@ $result = SWIG_Python_AppendOutput($result, SWIG_NewPointerObj(*$1, $*1_descriptor, 0)); } -%typemap(in, numinputs=0) semanage_fcontext_key_t **(semanage_fcontext_key_t *temp) { +%typemap(in, numinputs=0) semanage_fcontext_key_t **(semanage_fcontext_key_t *temp=NULL) { $1 = &temp; } @@ -246,7 +246,7 @@ /* the wrapper will setup this parameter for passing... the resulting python functions will not take the semanage_iface_t *** parameter */ -%typemap(in, numinputs=0) semanage_iface_t ***(semanage_iface_t **temp) { +%typemap(in, numinputs=0) semanage_iface_t ***(semanage_iface_t **temp=NULL) { $1 = &temp; } 
@@ -270,7 +270,7 @@ } } -%typemap(in, numinputs=0) semanage_iface_t **(semanage_iface_t *temp) { +%typemap(in, numinputs=0) semanage_iface_t **(semanage_iface_t *temp=NULL) { $1 = &temp; } @@ -282,7 +282,7 @@ $result = SWIG_Python_AppendOutput($result, SWIG_NewPointerObj(*$1, $*1_descriptor, 0)); } -%typemap(in, numinputs=0) semanage_iface_key_t **(semanage_iface_key_t *temp) { +%typemap(in, numinputs=0) semanage_iface_key_t **(semanage_iface_key_t *temp=NULL) { $1 = &temp; } @@ -290,7 +290,7 @@ /* the wrapper will setup this parameter for passing... the resulting python functions will not take the semanage_seuser_t *** parameter */ -%typemap(in, numinputs=0) semanage_seuser_t ***(semanage_seuser_t **temp) { +%typemap(in, numinputs=0) semanage_seuser_t ***(semanage_seuser_t **temp=NULL) { $1 = &temp; } @@ -314,7 +314,7 @@ } } -%typemap(in, numinputs=0) semanage_seuser_t **(semanage_seuser_t *temp) { +%typemap(in, numinputs=0) semanage_seuser_t **(semanage_seuser_t *temp=NULL) { $1 = &temp; } @@ -326,7 +326,7 @@ $result = SWIG_Python_AppendOutput($result, SWIG_NewPointerObj(*$1, $*1_descriptor, 0)); } -%typemap(in, numinputs=0) semanage_seuser_key_t **(semanage_seuser_key_t *temp) { +%typemap(in, numinputs=0) semanage_seuser_key_t **(semanage_seuser_key_t *temp=NULL) { $1 = &temp; } @@ -334,7 +334,7 @@ /* the wrapper will setup this parameter for passing... the resulting python functions will not take the semanage_user_t *** parameter */ -%typemap(in, numinputs=0) semanage_user_t ***(semanage_user_t **temp) { +%typemap(in, numinputs=0) semanage_user_t ***(semanage_user_t **temp=NULL) { $1 = &temp; } @@ -357,7 +357,7 @@ } } -%typemap(in, numinputs=0) semanage_user_t **(semanage_user_t *temp) { +%typemap(in, numinputs=0) semanage_user_t **(semanage_user_t *temp=NULL) { $1 = &temp; } 
@@ -369,7 +369,7 @@ $result = SWIG_Python_AppendOutput($result, SWIG_NewPointerObj(*$1, $*1_descriptor, 0)); } -%typemap(in, numinputs=0) semanage_user_key_t **(semanage_user_key_t *temp) { +%typemap(in, numinputs=0) semanage_user_key_t **(semanage_user_key_t *temp=NULL) { $1 = &temp; } @@ -377,7 +377,7 @@ /* the wrapper will setup this parameter for passing... the resulting python functions will not take the semanage_port_t *** parameter */ -%typemap(in, numinputs=0) semanage_port_t ***(semanage_port_t **temp) { +%typemap(in, numinputs=0) semanage_port_t ***(semanage_port_t **temp=NULL) { $1 = &temp; } @@ -400,7 +400,7 @@ } } -%typemap(in, numinputs=0) semanage_port_t **(semanage_port_t *temp) { +%typemap(in, numinputs=0) semanage_port_t **(semanage_port_t *temp=NULL) { $1 = &temp; } @@ -412,7 +412,7 @@ $result = SWIG_Python_AppendOutput($result, SWIG_NewPointerObj(*$1, $*1_descriptor, 0)); } -%typemap(in, numinputs=0) semanage_port_key_t **(semanage_port_key_t *temp) { +%typemap(in, numinputs=0) semanage_port_key_t **(semanage_port_key_t *temp=NULL) { $1 = &temp; } @@ -420,7 +420,7 @@ /* the wrapper will setup this parameter for passing... the resulting python functions will not take the semanage_node_t *** parameter */ -%typemap(in, numinputs=0) semanage_node_t ***(semanage_node_t **temp) { +%typemap(in, numinputs=0) semanage_node_t ***(semanage_node_t **temp=NULL) { $1 = &temp; } @@ -443,7 +443,7 @@ } } -%typemap(in, numinputs=0) semanage_node_t **(semanage_node_t *temp) { +%typemap(in, numinputs=0) semanage_node_t **(semanage_node_t *temp=NULL) { $1 = &temp; } 
@@ -456,7 +456,7 @@ $result = SWIG_Python_AppendOutput($result, SWIG_NewPointerObj(*$1, $*1_descriptor, 0)); } -%typemap(in, numinputs=0) semanage_node_key_t **(semanage_node_key_t *temp) { +%typemap(in, numinputs=0) semanage_node_key_t **(semanage_node_key_t *temp=NULL) { $1 = &temp; } Modified: trunk/libsemanage/src/semanageswig_wrap.c =================================================================== --- trunk/libsemanage/src/semanageswig_wrap.c 2007-01-25 12:13:58 UTC (rev 2206) +++ trunk/libsemanage/src/semanageswig_wrap.c 2007-01-26 20:55:38 UTC (rev 2207) @@ -3528,7 +3528,7 @@ int result; void *argp1 = 0 ; int res1 = 0 ; - semanage_module_info_t *temp2 ; + semanage_module_info_t *temp2 = NULL ; int temp3 ; int res3 = SWIG_TMPOBJ ; PyObject * obj0 = 0 ; @@ -3923,7 +3923,7 @@ int result; void *argp1 = 0 ; int res1 = 0 ; - semanage_context_t *temp2 ; + semanage_context_t *temp2 = NULL ; PyObject * obj0 = 0 ; { @@ -3956,7 +3956,7 @@ int res1 = 0 ; void *argp2 = 0 ; int res2 = 0 ; - semanage_context_t *temp3 ; + semanage_context_t *temp3 = NULL ; PyObject * obj0 = 0 ; PyObject * obj1 = 0 ; @@ -4017,7 +4017,7 @@ int res2 ; char *buf2 = 0 ; int alloc2 = 0 ; - semanage_context_t *temp3 ; + semanage_context_t *temp3 = NULL ; PyObject * obj0 = 0 ; PyObject * obj1 = 0 ; @@ -4058,7 +4058,7 @@ int res1 = 0 ; void *argp2 = 0 ; int res2 = 0 ; - char *temp3 ; + char *temp3 = NULL ; PyObject * obj0 = 0 ; PyObject * obj1 = 0 ; @@ -4099,7 +4099,7 @@ int res2 ; char *buf2 = 0 ; int alloc2 = 0 ; - semanage_bool_key_t *temp3 ; + semanage_bool_key_t *temp3 = NULL ; PyObject * obj0 = 0 ; PyObject * obj1 = 0 ; @@ -4140,7 +4140,7 @@ int res1 = 0 ; void *argp2 = 0 ; int res2 = 0 ; - semanage_bool_key_t *temp3 ; + semanage_bool_key_t *temp3 = NULL ; PyObject * obj0 = 0 ; PyObject * obj1 = 0 ; @@ -4376,7 +4376,7 @@ int result; void *argp1 = 0 ; int res1 = 0 ; - semanage_bool_t *temp2 ; + semanage_bool_t *temp2 = NULL ; PyObject * obj0 = 0 ; { 
@@ -4409,7 +4409,7 @@ int res1 = 0 ; void *argp2 = 0 ; int res2 = 0 ; - semanage_bool_t *temp3 ; + semanage_bool_t *temp3 = NULL ; PyObject * obj0 = 0 ; PyObject * obj1 = 0 ; @@ -4469,7 +4469,7 @@ int res1 = 0 ; void *argp2 = 0 ; int res2 = 0 ; - semanage_bool_t *temp3 ; + semanage_bool_t *temp3 = NULL ; PyObject * obj0 = 0 ; PyObject * obj1 = 0 ; @@ -4616,7 +4616,7 @@ int result; void *argp1 = 0 ; int res1 = 0 ; - semanage_bool_t **temp2 ; + semanage_bool_t **temp2 = NULL ; unsigned int temp3 ; int res3 = SWIG_TMPOBJ ; PyObject * obj0 = 0 ; @@ -4734,7 +4734,7 @@ int res1 = 0 ; void *argp2 = 0 ; int res2 = 0 ; - semanage_bool_t *temp3 ; + semanage_bool_t *temp3 = NULL ; PyObject * obj0 = 0 ; PyObject * obj1 = 0 ; @@ -4881,7 +4881,7 @@ int result; void *argp1 = 0 ; int res1 = 0 ; - semanage_bool_t **temp2 ; + semanage_bool_t **temp2 = NULL ; unsigned int temp3 ; int res3 = SWIG_TMPOBJ ; PyObject * obj0 = 0 ; @@ -4968,7 +4968,7 @@ int res1 = 0 ; void *argp2 = 0 ; int res2 = 0 ; - semanage_bool_t *temp3 ; + semanage_bool_t *temp3 = NULL ; PyObject * obj0 = 0 ; PyObject * obj1 = 0 ; @@ -5115,7 +5115,7 @@ int result; void *argp1 = 0 ; int res1 = 0 ; - semanage_bool_t **temp2 ; + semanage_bool_t **temp2 = NULL ; unsigned int temp3 ; int res3 = SWIG_TMPOBJ ; PyObject * obj0 = 0 ; @@ -5225,7 +5225,7 @@ int res2 ; char *buf2 = 0 ; int alloc2 = 0 ; - semanage_iface_key_t *temp3 ; + semanage_iface_key_t *temp3 = NULL ; PyObject * obj0 = 0 ; PyObject * obj1 = 0 ; @@ -5266,7 +5266,7 @@ int res1 = 0 ; void *argp2 = 0 ; int res2 = 0 ; - semanage_iface_key_t *temp3 ; + semanage_iface_key_t *temp3 = NULL ; PyObject * obj0 = 0 ; PyObject * obj1 = 0 ; @@ -5512,7 +5512,7 @@ int result; void *argp1 = 0 ; int res1 = 0 ; - semanage_iface_t *temp2 ; + semanage_iface_t *temp2 = NULL ; PyObject * obj0 = 0 ; { @@ -5545,7 +5545,7 @@ int res1 = 0 ; void *argp2 = 0 ; int res2 = 0 ; - semanage_iface_t *temp3 ; + semanage_iface_t *temp3 = NULL ; PyObject * obj0 = 0 ; PyObject * obj1 = 0 ; 
@@ -5676,7 +5676,7 @@ int res1 = 0 ; void *argp2 = 0 ; int res2 = 0 ; - semanage_iface_t *temp3 ; + semanage_iface_t *temp3 = NULL ; PyObject * obj0 = 0 ; PyObject * obj1 = 0 ; @@ -5823,7 +5823,7 @@ int result; void *argp1 = 0 ; int res1 = 0 ; - semanage_iface_t **temp2 ; + semanage_iface_t **temp2 = NULL ; unsigned int temp3 ; int res3 = SWIG_TMPOBJ ; PyObject * obj0 = 0 ; @@ -5870,7 +5870,7 @@ int res1 = 0 ; void *argp2 = 0 ; int res2 = 0 ; - semanage_iface_t *temp3 ; + semanage_iface_t *temp3 = NULL ; PyObject * obj0 = 0 ; PyObject * obj1 = 0 ; @@ -6017,7 +6017,7 @@ int result; void *argp1 = 0 ; int res1 = 0 ; - semanage_iface_t **temp2 ; + semanage_iface_t **temp2 = NULL ; unsigned int temp3 ; int res3 = SWIG_TMPOBJ ; PyObject * obj0 = 0 ; @@ -6065,7 +6065,7 @@ int res2 ; char *buf2 = 0 ; int alloc2 = 0 ; - semanage_user_key_t *temp3 ; + semanage_user_key_t *temp3 = NULL ; PyObject * obj0 = 0 ; PyObject * obj1 = 0 ; @@ -6106,7 +6106,7 @@ int res1 = 0 ; void *argp2 = 0 ; int res2 = 0 ; - semanage_user_key_t *temp3 ; + semanage_user_key_t *temp3 = NULL ; PyObject * obj0 = 0 ; PyObject * obj1 = 0 ; @@ -6621,7 +6621,7 @@ int res1 = 0 ; void *argp2 = 0 ; int res2 = 0 ; - char **temp3 ; + char **temp3 = NULL ; unsigned int temp4 ; int res4 = SWIG_TMPOBJ ; PyObject * obj0 = 0 ; @@ -6675,7 +6675,7 @@ int res1 = 0 ; void *argp2 = 0 ; int res2 = 0 ; - char *temp3 ; + char *temp3 = NULL ; unsigned int val4 ; int ecode4 = 0 ; PyObject * obj0 = 0 ; @@ -6720,7 +6720,7 @@ int result; void *argp1 = 0 ; int res1 = 0 ; - semanage_user_t *temp2 ; + semanage_user_t *temp2 = NULL ; PyObject * obj0 = 0 ; { @@ -6753,7 +6753,7 @@ int res1 = 0 ; void *argp2 = 0 ; int res2 = 0 ; - semanage_user_t *temp3 ; + semanage_user_t *temp3 = NULL ; PyObject * obj0 = 0 ; PyObject * obj1 = 0 ; @@ -6884,7 +6884,7 @@ int res1 = 0 ; void *argp2 = 0 ; int res2 = 0 ; - semanage_user_t *temp3 ; + semanage_user_t *temp3 = NULL ; PyObject * obj0 = 0 ; PyObject * obj1 = 0 ; 
@@ -7031,7 +7031,7 @@ int result; void *argp1 = 0 ; int res1 = 0 ; - semanage_user_t **temp2 ; + semanage_user_t **temp2 = NULL ; unsigned int temp3 ; int res3 = SWIG_TMPOBJ ; PyObject * obj0 = 0 ; @@ -7078,7 +7078,7 @@ int res1 = 0 ; void *argp2 = 0 ; int res2 = 0 ; - semanage_user_t *temp3 ; + semanage_user_t *temp3 = NULL ; PyObject * obj0 = 0 ; PyObject * obj1 = 0 ; @@ -7225,7 +7225,7 @@ int result; void *argp1 = 0 ; int res1 = 0 ; - semanage_user_t **temp2 ; + semanage_user_t **temp2 = NULL ; unsigned int temp3 ; int res3 = SWIG_TMPOBJ ; PyObject * obj0 = 0 ; @@ -7340,7 +7340,7 @@ int ecode3 = 0 ; int val4 ; int ecode4 = 0 ; - semanage_port_key_t *temp5 ; + semanage_port_key_t *temp5 = NULL ; PyObject * obj0 = 0 ; PyObject * obj1 = 0 ; PyObject * obj2 = 0 ; @@ -7391,7 +7391,7 @@ int res1 = 0 ; void *argp2 = 0 ; int res2 = 0 ; - semanage_port_key_t *temp3 ; + semanage_port_key_t *temp3 = NULL ; PyObject * obj0 = 0 ; PyObject * obj1 = 0 ; @@ -7697,7 +7697,7 @@ int result; void *argp1 = 0 ; int res1 = 0 ; - semanage_port_t *temp2 ; + semanage_port_t *temp2 = NULL ; PyObject * obj0 = 0 ; { @@ -7730,7 +7730,7 @@ int res1 = 0 ; void *argp2 = 0 ; int res2 = 0 ; - semanage_port_t *temp3 ; + semanage_port_t *temp3 = NULL ; PyObject * obj0 = 0 ; PyObject * obj1 = 0 ; @@ -7861,7 +7861,7 @@ int res1 = 0 ; void *argp2 = 0 ; int res2 = 0 ; - semanage_port_t *temp3 ; + semanage_port_t *temp3 = NULL ; PyObject * obj0 = 0 ; PyObject * obj1 = 0 ; @@ -8008,7 +8008,7 @@ int result; void *argp1 = 0 ; int res1 = 0 ; - semanage_port_t **temp2 ; + semanage_port_t **temp2 = NULL ; unsigned int temp3 ; int res3 = SWIG_TMPOBJ ; PyObject * obj0 = 0 ; @@ -8055,7 +8055,7 @@ int res1 = 0 ; void *argp2 = 0 ; int res2 = 0 ; - semanage_port_t *temp3 ; + semanage_port_t *temp3 = NULL ; PyObject * obj0 = 0 ; PyObject * obj1 = 0 ; 
@@ -8202,7 +8202,7 @@ int result; void *argp1 = 0 ; int res1 = 0 ; - semanage_port_t **temp2 ; + semanage_port_t **temp2 = NULL ; unsigned int temp3 ; int res3 = SWIG_TMPOBJ ; PyObject * obj0 = 0 ; @@ -8315,7 +8315,7 @@ int alloc2 = 0 ; int val3 ; int ecode3 = 0 ; - semanage_fcontext_key_t *temp4 ; + semanage_fcontext_key_t *temp4 = NULL ; PyObject * obj0 = 0 ; PyObject * obj1 = 0 ; PyObject * obj2 = 0 ; @@ -8362,7 +8362,7 @@ int res1 = 0 ; void *argp2 = 0 ; int res2 = 0 ; - semanage_fcontext_key_t *temp3 ; + semanage_fcontext_key_t *temp3 = NULL ; PyObject * obj0 = 0 ; PyObject * obj1 = 0 ; @@ -8620,7 +8620,7 @@ int result; void *argp1 = 0 ; int res1 = 0 ; - semanage_fcontext_t *temp2 ; + semanage_fcontext_t *temp2 = NULL ; PyObject * obj0 = 0 ; { @@ -8653,7 +8653,7 @@ int res1 = 0 ; void *argp2 = 0 ; int res2 = 0 ; - semanage_fcontext_t *temp3 ; + semanage_fcontext_t *temp3 = NULL ; PyObject * obj0 = 0 ; PyObject * obj1 = 0 ; @@ -8784,7 +8784,7 @@ int res1 = 0 ; void *argp2 = 0 ; int res2 = 0 ; - semanage_fcontext_t *temp3 ; + semanage_fcontext_t *temp3 = NULL ; PyObject * obj0 = 0 ; PyObject * obj1 = 0 ; @@ -8931,7 +8931,7 @@ int result; void *argp1 = 0 ; int res1 = 0 ; - semanage_fcontext_t **temp2 ; + semanage_fcontext_t **temp2 = NULL ; unsigned int temp3 ; int res3 = SWIG_TMPOBJ ; PyObject * obj0 = 0 ; @@ -8978,7 +8978,7 @@ int res1 = 0 ; void *argp2 = 0 ; int res2 = 0 ; - semanage_fcontext_t *temp3 ; + semanage_fcontext_t *temp3 = NULL ; PyObject * obj0 = 0 ; PyObject * obj1 = 0 ; @@ -9125,7 +9125,7 @@ int result; void *argp1 = 0 ; int res1 = 0 ; - semanage_fcontext_t **temp2 ; + semanage_fcontext_t **temp2 = NULL ; unsigned int temp3 ; int res3 = SWIG_TMPOBJ ; PyObject * obj0 = 0 ; @@ -9173,7 +9173,7 @@ int res2 ; char *buf2 = 0 ; int alloc2 = 0 ; - semanage_seuser_key_t *temp3 ; + semanage_seuser_key_t *temp3 = NULL ; PyObject * obj0 = 0 ; PyObject * obj1 = 0 ; 
@@ -9214,7 +9214,7 @@ int res1 = 0 ; void *argp2 = 0 ; int res2 = 0 ; - semanage_seuser_key_t *temp3 ; + semanage_seuser_key_t *temp3 = NULL ; PyObject * obj0 = 0 ; PyObject * obj1 = 0 ; @@ -9528,7 +9528,7 @@ int result; void *argp1 = 0 ; int res1 = 0 ; - semanage_seuser_t *temp2 ; + semanage_seuser_t *temp2 = NULL ; PyObject * obj0 = 0 ; { @@ -9561,7 +9561,7 @@ int res1 = 0 ; void *argp2 = 0 ; int res2 = 0 ; - semanage_seuser_t *temp3 ; + semanage_seuser_t *temp3 = NULL ; PyObject * obj0 = 0 ; PyObject * obj1 = 0 ; @@ -9692,7 +9692,7 @@ int res1 = 0 ; void *argp2 = 0 ; int res2 = 0 ; - semanage_seuser_t *temp3 ; + semanage_seuser_t *temp3 = NULL ; PyObject * obj0 = 0 ; PyObject * obj1 = 0 ; @@ -9839,7 +9839,7 @@ int result; void *argp1 = 0 ; int res1 = 0 ; - semanage_seuser_t **temp2 ; + semanage_seuser_t **temp2 = NULL ; unsigned int temp3 ; int res3 = SWIG_TMPOBJ ; PyObject * obj0 = 0 ; @@ -9886,7 +9886,7 @@ int res1 = 0 ; void *argp2 = 0 ; int res2 = 0 ; - semanage_seuser_t *temp3 ; + semanage_seuser_t *temp3 = NULL ; PyObject * obj0 = 0 ; PyObject * obj1 = 0 ; @@ -10033,7 +10033,7 @@ int result; void *argp1 = 0 ; int res1 = 0 ; - semanage_seuser_t **temp2 ; + semanage_seuser_t **temp2 = NULL ; unsigned int temp3 ; int res3 = SWIG_TMPOBJ ; PyObject * obj0 = 0 ; @@ -10150,7 +10150,7 @@ int alloc3 = 0 ; int val4 ; int ecode4 = 0 ; - semanage_node_key_t *temp5 ; + semanage_node_key_t *temp5 = NULL ; PyObject * obj0 = 0 ; PyObject * obj1 = 0 ; PyObject * obj2 = 0 ; @@ -10205,7 +10205,7 @@ int res1 = 0 ; void *argp2 = 0 ; int res2 = 0 ; - semanage_node_key_t *temp3 ; + semanage_node_key_t *temp3 = NULL ; PyObject * obj0 = 0 ; PyObject * obj1 = 0 ; @@ -10265,7 +10265,7 @@ int res1 = 0 ; void *argp2 = 0 ; int res2 = 0 ; - char *temp3 ; + char *temp3 = NULL ; PyObject * obj0 = 0 ; PyObject * obj1 = 0 ; 
@@ -10306,7 +10306,7 @@ int res1 = 0 ; void *argp2 = 0 ; int res2 = 0 ; - char *temp3 ; + char *temp3 = NULL ; size_t temp4 ; int res4 = SWIG_TMPOBJ ; PyObject * obj0 = 0 ; @@ -10459,7 +10459,7 @@ int res1 = 0 ; void *argp2 = 0 ; int res2 = 0 ; - char *temp3 ; + char *temp3 = NULL ; PyObject * obj0 = 0 ; PyObject * obj1 = 0 ; @@ -10500,7 +10500,7 @@ int res1 = 0 ; void *argp2 = 0 ; int res2 = 0 ; - char *temp3 ; + char *temp3 = NULL ; size_t temp4 ; int res4 = SWIG_TMPOBJ ; PyObject * obj0 = 0 ; @@ -10786,7 +10786,7 @@ int result; void *argp1 = 0 ; int res1 = 0 ; - semanage_node_t *temp2 ; + semanage_node_t *temp2 = NULL ; PyObject * obj0 = 0 ; { @@ -10819,7 +10819,7 @@ int res1 = 0 ; void *argp2 = 0 ; int res2 = 0 ; - semanage_node_t *temp3 ; + semanage_node_t *temp3 = NULL ; PyObject * obj0 = 0 ; PyObject * obj1 = 0 ; @@ -10950,7 +10950,7 @@ int res1 = 0 ; void *argp2 = 0 ; int res2 = 0 ; - semanage_node_t *temp3 ; + semanage_node_t *temp3 = NULL ; PyObject * obj0 = 0 ; PyObject * obj1 = 0 ; @@ -11097,7 +11097,7 @@ int result; void *argp1 = 0 ; int res1 = 0 ; - semanage_node_t **temp2 ; + semanage_node_t **temp2 = NULL ; unsigned int temp3 ; int res3 = SWIG_TMPOBJ ; PyObject * obj0 = 0 ; @@ -11144,7 +11144,7 @@ int res1 = 0 ; void *argp2 = 0 ; int res2 = 0 ; - semanage_node_t *temp3 ; + semanage_node_t *temp3 = NULL ; PyObject * obj0 = 0 ; PyObject * obj1 = 0 ; @@ -11291,7 +11291,7 @@ int result; void *argp1 = 0 ; int res1 = 0 ; - semanage_node_t **temp2 ; + semanage_node_t **temp2 = NULL ; unsigned int temp3 ; int res3 = SWIG_TMPOBJ ; PyObject * obj0 = 0 ; This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
From: <kma...@us...> - 2007-02-01 21:29:34
Revision: 2217 http://svn.sourceforge.net/selinux/?rev=2217&view=rev Author: kmacmillan Date: 2007-02-01 13:29:28 -0800 (Thu, 01 Feb 2007) Log Message: ----------- Author: Stephen Smalley Email: sd...@ty... Subject: add central errno.h to libsepol Date: Thu, 18 Jan 2007 10:31:45 -0500 On Tue, 2007-01-16 at 09:59 -0500, Karl MacMillan wrote: > Stephen Smalley wrote: > > On Mon, 2007-01-15 at 17:57 -0500, Karl MacMillan wrote: > >> The attached patch adds a central errno.h to libsepol and converts > >> several existing error numbers. This will unify the error numbers, > >> remove duplication, and prevent overlapping error numbers (a source of > >> potential bugs). Existing return values from functions exposed as part > >> of the binary interface are not changed. > > > > I'm not enthusiastic about diverging the errno values from the system > > values for e.g. ENOMEM and friends. I'd prefer to keep them the same, > > and use some other part of the value space for any custom error values > > defined by libsepol. > > I think that practically we are going to end up diverging from system > errno values to some extent. For example, -EPERM is -1 and I think that > trying to change every function that returns -1 for general error is > going to be hard. > > The updated patch aligns them more closely, however. > > Also, I'm not sure about referring to this as > > errno.h, as libsepol is _not_ setting errno to these values; it uses > > these values as internal return values for conveying error information. > > Changed to errcodes.h. > > > The functions that do happen to explicitly set errno are using > > traditional errno values. > > I explicitly did not change those return values. > > In addition to the changes noted above, I removed the license statements > from the header files, which I took as the consensus from the other > discussion in this thread. Updated patch attached. 
> > The attached patch adds a central header for error and return codes > (errcodes.h) to libsepol and converts several existing error numbers. > This will unify the error numbers, remove duplication, and prevent > overlapping error numbers (a source of potential bugs). Existing return > values from functions exposed as part of the binary interface are not > changed. > > Signed-off-by: Karl MacMillan <kma...@me...> > > checkpolicy/policy_parse.y | 15 ++--- > libsepol/include/sepol/errcodes.h | 25 ++++++++ > libsepol/include/sepol/policydb/hashtab.h | 23 +++----- > libsepol/include/sepol/policydb/link.h | 29 +--------- > libsepol/src/avtab.c | 18 +++--- > libsepol/src/expand.c | 7 +- > libsepol/src/hashtab.c | 45 +++++++++++----- > libsepol/src/link.c | 33 ++++++----- > libsepol/src/policydb.c | 6 +- > libsepol/src/private.h | 4 + > policycoreutils/semodule_deps/semodule_deps.c | 9 +-- > 11 files changed, 122 insertions(+), 92 deletions(-) Acked-by: Stephen Smalley <sd...@ty...> (for trunk only, not stable) -- Stephen Smalley National Security Agency Modified Paths: -------------- trunk/checkpolicy/policy_parse.y trunk/libsepol/ChangeLog trunk/libsepol/include/sepol/policydb/hashtab.h trunk/libsepol/include/sepol/policydb/link.h trunk/libsepol/src/avtab.c trunk/libsepol/src/expand.c trunk/libsepol/src/hashtab.c trunk/libsepol/src/link.c trunk/libsepol/src/policydb.c trunk/libsepol/src/private.h trunk/policycoreutils/semodule_deps/semodule_deps.c Added Paths: ----------- trunk/libsepol/include/sepol/errcodes.h Modified: trunk/checkpolicy/policy_parse.y =================================================================== --- trunk/checkpolicy/policy_parse.y 2007-02-01 21:21:17 UTC (rev 2216) +++ trunk/checkpolicy/policy_parse.y 2007-02-01 21:29:28 UTC (rev 2217) 
@@ -13,13 +13,14 @@ * Added conditional policy language extensions * * Updated: Joshua Brindle <jbr...@tr...> - * Karl MacMillan <kma...@tr...> + * Karl MacMillan <kma...@me...> * Jason Tang <jt...@tr...> * * Added support for binary policy modules * * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc. * Copyright (C) 2003 - 2005 Tresys Technology, LLC + * Copyright (C) 2007 Red Hat Inc. * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation, version 2. @@ -1059,11 +1060,11 @@ ret = hashtab_insert(policydbp->p_commons.table, (hashtab_key_t) id, (hashtab_datum_t) comdatum); - if (ret == HASHTAB_PRESENT) { + if (ret == SEPOL_EEXIST) { yyerror("duplicate common definition"); goto bad; } - if (ret == HASHTAB_OVERFLOW) { + if (ret == SEPOL_ENOMEM) { yyerror("hash table overflow"); goto bad; } @@ -1091,14 +1092,14 @@ (hashtab_key_t) perm, (hashtab_datum_t) perdatum); - if (ret == HASHTAB_PRESENT) { + if (ret == SEPOL_EEXIST) { sprintf(errormsg, "duplicate permission %s in common %s", perm, id); yyerror(errormsg); goto bad_perm; } - if (ret == HASHTAB_OVERFLOW) { + if (ret == SEPOL_ENOMEM) { yyerror("hash table overflow"); goto bad_perm; } @@ -1220,12 +1221,12 @@ (hashtab_key_t) id, (hashtab_datum_t) perdatum); - if (ret == HASHTAB_PRESENT) { + if (ret == SEPOL_EEXIST) { sprintf(errormsg, "duplicate permission %s", id); yyerror(errormsg); goto bad; } - if (ret == HASHTAB_OVERFLOW) { + if (ret == SEPOL_ENOMEM) { yyerror("hash table overflow"); goto bad; } Modified: trunk/libsepol/ChangeLog =================================================================== --- trunk/libsepol/ChangeLog 2007-02-01 21:21:17 UTC (rev 2216) +++ trunk/libsepol/ChangeLog 2007-02-01 21:29:28 UTC (rev 2217) 
@@ -1,3 +1,5 @@ + * Merged patch to add errcodes.h to libsepol by Karl MacMillan. + 1.16.0 2007-01-18 * Updated version for stable branch. Added: trunk/libsepol/include/sepol/errcodes.h =================================================================== --- trunk/libsepol/include/sepol/errcodes.h (rev 0) +++ trunk/libsepol/include/sepol/errcodes.h 2007-02-01 21:29:28 UTC (rev 2217) @@ -0,0 +1,25 @@ +/* Author: Karl MacMillan <kma...@me...> */ + +#ifndef __sepol_errno_h__ +#define __sepol_errno_h__ + +#include <errno.h> + +#define SEPOL_OK 0 + +/* These first error codes are defined for compatibility with + * previous version of libsepol. In the future, custome error + * codes that don't map to system error codes should be defined + * outside of the range of system error codes. + */ +#define SEPOL_ERR -1 +#define SEPOL_ENOTSUP -2 /* feature not supported in module language */ +#define SEPOL_EREQ -3 /* requirements not met */ + +/* Error codes that map to system error codes */ +#define SEPOL_ENOMEM -ENOMEM +#define SEPOL_ERANGE -ERANGE +#define SEPOL_EEXIST -EEXIST +#define SEPOL_ENOENT -ENOENT + +#endif Modified: trunk/libsepol/include/sepol/policydb/hashtab.h =================================================================== --- trunk/libsepol/include/sepol/policydb/hashtab.h 2007-02-01 21:21:17 UTC (rev 2216) +++ trunk/libsepol/include/sepol/policydb/hashtab.h 2007-02-01 21:29:28 UTC (rev 2217) @@ -14,8 +14,9 @@ #ifndef _SEPOL_POLICYDB_HASHTAB_H_ #define _SEPOL_POLICYDB_HASHTAB_H_ +#include <sepol/errcodes.h> + #include <stdint.h> -#include <errno.h> #include <stdio.h> typedef char *hashtab_key_t; /* generic key type */ @@ -39,12 +40,6 @@ typedef hashtab_val_t *hashtab_t; -/* Define status codes for hash table functions */ -#define HASHTAB_SUCCESS 0 -#define HASHTAB_OVERFLOW -ENOMEM -#define HASHTAB_PRESENT -EEXIST -#define HASHTAB_MISSING -ENOENT - /* Creates a new hash table with the specified characteristics. 
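Review bot: The compatibility values at the top of the new errcodes.h collide with the errno-derived ones defined a few lines below: with Linux errno numbering `SEPOL_ENOTSUP` (-2) is the same value as `SEPOL_ENOENT` (-ENOENT), and `SEPOL_ERR` (-1) and `SEPOL_EREQ` (-3) equal -EPERM and -ESRCH, so any code that maps return values to messages cannot tell a "feature not supported" result from a "not found" one, which is exactly the overlap the header is meant to remove. The block comment already says custom codes should eventually move outside the system range, and the commit message says exposed values are unchanged, so the header should at least state the collision explicitly, e.g. `/* NOTE: SEPOL_ENOTSUP == SEPOL_ENOENT (-2) on Linux; callers must not rely on telling them apart */`. The include guard `__sepol_errno_h__` does not match the file name and uses a reserved double-underscore identifier; `_SEPOL_ERRCODES_H_` would follow the `_SEPOL_POLICYDB_HASHTAB_H_` convention of the neighbouring header. The comment also misspells "custom" as `custome`.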
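Review bot: The second hashtab.h hunk deletes `HASHTAB_SUCCESS`, `HASHTAB_OVERFLOW`, `HASHTAB_PRESENT` and `HASHTAB_MISSING` from an installed public header, which is a source-level API break for out-of-tree code that used them even though the numeric values are unchanged; semodule_deps.c is updated in this commit, but nothing else can be. Keeping deprecated aliases, e.g. `#define HASHTAB_SUCCESS SEPOL_OK` and likewise for the other three, would let existing callers compile while the tree moves to the SEPOL_* names. The same consideration applies to the `SEPOL_LINK_*` macros removed from link.h in the next file section, which were also installed under include/sepol.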
@@ -61,9 +56,9 @@ /* Inserts the specified (key, datum) pair into the specified hash table. - Returns HASHTAB_OVERFLOW if insufficient space is available or - HASHTAB_PRESENT if there is already an entry with the same key or - HASHTAB_SUCCESS otherwise. + Returns SEPOL_ENOMEM if insufficient space is available or + SEPOL_EEXIST if there is already an entry with the same key or + SEPOL_OK otherwise. */ extern int hashtab_insert(hashtab_t h, hashtab_key_t k, hashtab_datum_t d); @@ -72,8 +67,8 @@ Applies the specified destroy function to (key,datum,args) for the entry. - Returns HASHTAB_MISSING if no entry has the specified key or - HASHTAB_SUCCESS otherwise. + Returns SEPOL_ENOENT if no entry has the specified key or + SEPOL_OK otherwise. */ extern int hashtab_remove(hashtab_t h, hashtab_key_t k, void (*destroy) (hashtab_key_t k, @@ -86,8 +81,8 @@ then the specified destroy function is applied to (key,datum,args) for the entry prior to replacing the entry's contents. - Returns HASHTAB_OVERFLOW if insufficient space is available or - HASHTAB_SUCCESS otherwise. + Returns SEPOL_ENOMEM if insufficient space is available or + SEPOL_OK otherwise. */ extern int hashtab_replace(hashtab_t h, hashtab_key_t k, hashtab_datum_t d, void (*destroy) (hashtab_key_t k, Modified: trunk/libsepol/include/sepol/policydb/link.h =================================================================== --- trunk/libsepol/include/sepol/policydb/link.h 2007-02-01 21:21:17 UTC (rev 2216) +++ trunk/libsepol/include/sepol/policydb/link.h 2007-02-01 21:29:28 UTC (rev 2217) 
@@ -1,39 +1,18 @@ /* Authors: Jason Tang <jt...@tr...> * Joshua Brindle <jbr...@tr...> - * Karl MacMillan <kma...@tr...> - * - * A set of utility functions that aid policy decision when dealing - * with hierarchal items. - * - * Copyright (C) 2005 Tresys Technology, LLC - * - * This library is free software; you can redistribute it and/or - * modify it under the terms of the GNU Lesser General Public - * License as published by the Free Software Foundation; either - * version 2.1 of the License, or (at your option) any later version. - * - * This library is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - * Lesser General Public License for more details. - * - * You should have received a copy of the GNU Lesser General Public - * License along with this library; if not, write to the Free Software - * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA + * Karl MacMillan <kma...@me...> */ #ifndef _SEPOL_POLICYDB_LINK_H #define _SEPOL_POLICYDB_LINK_H #include <sepol/handle.h> +#include <sepol/errcodes.h> #include <sepol/policydb/policydb.h> -#include <stddef.h> -/* error codes */ -#define SEPOL_LINK_ERROR 1 /* general error */ -#define SEPOL_LINK_NOTSUP 2 /* feature not supported in module language */ -#define SEPOL_LINK_REQNOTMET 3 /* requirements not met */ +#include <stddef.h> + extern int link_modules(sepol_handle_t * handle, policydb_t * b, policydb_t ** mods, int len, int verbose); Modified: trunk/libsepol/src/avtab.c =================================================================== --- trunk/libsepol/src/avtab.c 2007-02-01 21:21:17 UTC (rev 2216) +++ trunk/libsepol/src/avtab.c 2007-02-01 21:29:28 UTC (rev 2217) 
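Review bot: The link.h hunk removes the Tresys copyright line and the entire LGPL notice from the header, leaving only the author list; nothing in the commit message says this was intended, and the other files touched here (avtab.c, hashtab.c) add license text rather than drop it. If the removal is deliberate it should be stated in the description, otherwise the copyright and license paragraph should be restored alongside the corrected author e-mail. The dropped `SEPOL_LINK_*` macros are value-neutral as far as the diff shows, since `-SEPOL_LINK_ERROR`, `-SEPOL_LINK_NOTSUP` and `-SEPOL_LINK_REQNOTMET` were -1, -2 and -3, the same as the new `SEPOL_ERR`, `SEPOL_ENOTSUP` and `SEPOL_EREQ`.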
@@ -1,7 +1,8 @@ /* Author : Stephen Smalley, <sd...@ep...> */ -/* Updated: Frank Mayer <ma...@tr...> and Karl MacMillan <kma...@tr...> +/* Updated: Frank Mayer <ma...@tr...> + * and Karl MacMillan <kma...@me...> * * Added conditional policy language extensions * @@ -9,8 +10,10 @@ * * Code cleanup * + * Updated: Karl MacMillan <kma...@me...> + * * Copyright (C) 2003 Tresys Technology, LLC - * Copyright (C) 2003 Red Hat, Inc. + * Copyright (C) 2003,2007 Red Hat, Inc. * * This library is free software; you can redistribute it and/or * modify it under the terms of the GNU Lesser General Public @@ -36,6 +39,7 @@ #include <stdlib.h> #include <sepol/policydb/avtab.h> #include <sepol/policydb/policydb.h> +#include <sepol/errcodes.h> #include "debug.h" #include "private.h" @@ -77,7 +81,7 @@ key->specified & ~(AVTAB_ENABLED | AVTAB_ENABLED_OLD); if (!h) - return -ENOMEM; + return SEPOL_ENOMEM; hvalue = AVTAB_HASH(key); for (prev = NULL, cur = h->htable[hvalue]; @@ -86,7 +90,7 @@ key->target_type == cur->key.target_type && key->target_class == cur->key.target_class && (specified & cur->key.specified)) - return -EEXIST; + return SEPOL_EEXIST; if (key->source_type < cur->key.source_type) break; if (key->source_type == cur->key.source_type && @@ -100,7 +104,7 @@ newnode = avtab_insert_node(h, hvalue, prev, key, datum); if (!newnode) - return -ENOMEM; + return SEPOL_ENOMEM; return 0; } @@ -470,9 +474,9 @@ for (i = 0; i < nel; i++) { rc = avtab_read_item(fp, vers, a, avtab_insertf, NULL); if (rc) { - if (rc == -ENOMEM) + if (rc == SEPOL_ENOMEM) ERR(fp->handle, "out of memory"); - if (rc == -EEXIST) + if (rc == SEPOL_EEXIST) ERR(fp->handle, "duplicate entry"); ERR(fp->handle, "failed on entry %d of %u", i, nel); goto bad; Modified: trunk/libsepol/src/expand.c =================================================================== --- trunk/libsepol/src/expand.c 2007-02-01 21:21:17 UTC (rev 2216) +++ trunk/libsepol/src/expand.c 2007-02-01 21:29:28 UTC (rev 2217) 
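Review bot: In the avtab_insert hunk at @@ -100 the success path still ends with `return 0;` while the error paths in the hunks above were changed to `SEPOL_ENOMEM` and `SEPOL_EEXIST`; `return SEPOL_OK;` keeps the function consistent with the new header, as hashtab.c does elsewhere in this commit. The `if (!h) return SEPOL_ENOMEM;` branch at @@ -77 reports a NULL table as an allocation failure, which the new name makes more misleading than the old `-ENOMEM` did; because the value is part of the existing return contract, a comment such as `/* NULL table reported as ENOMEM for compatibility with older callers */` is the minimal fix, and hashtab_insert and hashtab_replace in hashtab.c have the same shape. The enclosing function starts outside the hunks.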
@@ -1,8 +1,9 @@ -/* Authors: Karl MacMillan <kma...@tr...> +/* Authors: Karl MacMillan <kma...@me...> * Jason Tang <jt...@tr...> * Joshua Brindle <jbr...@tr...> * * Copyright (C) 2004-2005 Tresys Technology, LLC + * Copyright (C) 2007 Red Hat, Inc. * * This library is free software; you can redistribute it and/or * modify it under the terms of the GNU Lesser General Public @@ -84,7 +85,7 @@ if (!new_type) { ERR(state->handle, "Out of memory!"); free(new_id); - return -ENOMEM; + return SEPOL_ENOMEM; } memset(new_type, 0, sizeof(type_datum_t)); @@ -467,7 +468,7 @@ if (!new_alias) { ERR(state->handle, "Out of memory!"); free(new_id); - return -ENOMEM; + return SEPOL_ENOMEM; } memset(new_alias, 0, sizeof(type_datum_t)); if (alias->flavor == TYPE_TYPE) Modified: trunk/libsepol/src/hashtab.c =================================================================== --- trunk/libsepol/src/hashtab.c 2007-02-01 21:21:17 UTC (rev 2216) +++ trunk/libsepol/src/hashtab.c 2007-02-01 21:29:28 UTC (rev 2217) @@ -1,6 +1,27 @@ /* Author : Stephen Smalley, <sd...@ep...> */ +/* + * Updated : Karl MacMillan <kma...@me...> + * + * Copyright (C) 2007 Red Hat, Inc. + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA + */ + + /* FLASK */ /* 
@@ -48,7 +69,7 @@ hashtab_ptr_t prev, cur, newnode; if (!h) - return HASHTAB_OVERFLOW; + return SEPOL_ENOMEM; hvalue = h->hash_value(h, key); prev = NULL; @@ -59,11 +80,11 @@ } if (cur && (h->keycmp(h, key, cur->key) == 0)) - return HASHTAB_PRESENT; + return SEPOL_EEXIST; newnode = (hashtab_ptr_t) malloc(sizeof(hashtab_node_t)); if (newnode == NULL) - return HASHTAB_OVERFLOW; + return SEPOL_ENOMEM; memset(newnode, 0, sizeof(struct hashtab_node)); newnode->key = key; newnode->datum = datum; @@ -76,7 +97,7 @@ } h->nel++; - return HASHTAB_SUCCESS; + return SEPOL_OK; } int hashtab_remove(hashtab_t h, hashtab_key_t key, @@ -87,7 +108,7 @@ hashtab_ptr_t cur, last; if (!h) - return HASHTAB_MISSING; + return SEPOL_ENOENT; hvalue = h->hash_value(h, key); last = NULL; @@ -98,7 +119,7 @@ } if (cur == NULL || (h->keycmp(h, key, cur->key) != 0)) - return HASHTAB_MISSING; + return SEPOL_ENOENT; if (last == NULL) h->htable[hvalue] = cur->next; @@ -109,7 +130,7 @@ destroy(cur->key, cur->datum, args); free(cur); h->nel--; - return HASHTAB_SUCCESS; + return SEPOL_OK; } int hashtab_replace(hashtab_t h, hashtab_key_t key, hashtab_datum_t datum, @@ -120,7 +141,7 @@ hashtab_ptr_t prev, cur, newnode; if (!h) - return HASHTAB_OVERFLOW; + return SEPOL_ENOMEM; hvalue = h->hash_value(h, key); prev = NULL; @@ -138,7 +159,7 @@ } else { newnode = (hashtab_ptr_t) malloc(sizeof(hashtab_node_t)); if (newnode == NULL) - return HASHTAB_OVERFLOW; + return SEPOL_ENOMEM; memset(newnode, 0, sizeof(struct hashtab_node)); newnode->key = key; newnode->datum = datum; @@ -151,7 +172,7 @@ } } - return HASHTAB_SUCCESS; + return SEPOL_OK; } hashtab_datum_t hashtab_search(hashtab_t h, const hashtab_key_t key) @@ -206,7 +227,7 @@ hashtab_ptr_t cur; if (!h) - return HASHTAB_SUCCESS; + return SEPOL_OK; for (i = 0; i < h->size; i++) { cur = h->htable[i]; 
@@ -217,7 +238,7 @@ cur = cur->next; } } - return HASHTAB_SUCCESS; + return SEPOL_OK; } void hashtab_map_remove_on_error(hashtab_t h, Modified: trunk/libsepol/src/link.c =================================================================== --- trunk/libsepol/src/link.c 2007-02-01 21:21:17 UTC (rev 2216) +++ trunk/libsepol/src/link.c 2007-02-01 21:29:28 UTC (rev 2217) @@ -1,8 +1,9 @@ -/* Authors: Karl MacMillan <kma...@tr...> +/* Authors: Karl MacMillan <kma...@me...> * Joshua Brindle <jbr...@tr...> * Jason Tang <jt...@tr...> * * Copyright (C) 2004-2005 Tresys Technology, LLC + * Copyright (C) 2007 Red Hat, Inc. * * This library is free software; you can redistribute it and/or * modify it under the terms of the GNU Lesser General Public @@ -148,14 +149,14 @@ new_id = strdup(perm_id); if (new_id == NULL) { ERR(state->handle, "Memory error"); - ret = -SEPOL_LINK_ERROR; + ret = SEPOL_ERR; goto err; } new_perm = (perm_datum_t *) calloc(1, sizeof(perm_datum_t)); if (new_perm == NULL) { ERR(state->handle, "Memory error"); - ret = -SEPOL_LINK_ERROR; + ret = SEPOL_ERR; goto err; } ret = hashtab_insert(dest_class->permissions.table, @@ -174,7 +175,7 @@ "Module %s depends on permission %s in class %s, not satisfied", state->cur_mod_name, perm_id, state->dest_class_name); - return -SEPOL_LINK_REQNOTMET; + return SEPOL_EREQ; } } @@ -227,7 +228,7 @@ hashtab_search(state->cur->policy->p_classes_scope.table, id); if (scope == NULL) { - ret = -SEPOL_LINK_ERROR; + ret = SEPOL_ERR; goto err; } if (scope->scope == SCOPE_DECL) { @@ -235,7 +236,7 @@ ERR(state->handle, "%s: Modules may not yet declare new classes.", state->cur_mod_name); - ret = -SEPOL_LINK_NOTSUP; + ret = SEPOL_ENOTSUP; goto err; } else { /* It would be nice to error early here because the requirement is 
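Review bot: In the link.c hunk at @@ -148 both `Memory error` paths now set `ret = SEPOL_ERR` although the new header provides `SEPOL_ENOMEM`, and avtab.c and expand.c in this commit use that code for the same condition; presumably the value is kept at -1 to preserve link_modules' existing return values, but that reasoning is not recorded anywhere. A short comment at the first occurrence, `/* SEPOL_ERR kept (not SEPOL_ENOMEM) to preserve link_modules' return values */`, would stop the next cleanup from changing it silently; the same pattern appears in the later link.c hunks at @@ -252 and @@ -1916. The enclosing functions start and end outside these hunks.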
@@ -252,18 +253,18 @@ (class_datum_t *) calloc(1, sizeof(class_datum_t)); if (new_class == NULL) { ERR(state->handle, "Memory error\n"); - ret = -SEPOL_LINK_ERROR; + ret = SEPOL_ERR; goto err; } if (symtab_init (&new_class->permissions, PERM_SYMTAB_SIZE)) { - ret = -SEPOL_LINK_ERROR; + ret = SEPOL_ERR; goto err; } new_id = strdup(id); if (new_id == NULL) { ERR(state->handle, "Memory error\n"); - ret = -SEPOL_LINK_ERROR; + ret = SEPOL_ERR; goto err; } ret = hashtab_insert(state->base->p_classes.table, @@ -589,13 +590,13 @@ scope = hashtab_search(state->cur->policy->p_sens_scope.table, id); if (!scope) - return -SEPOL_LINK_ERROR; + return SEPOL_ERR; if (scope->scope == SCOPE_DECL) { /* disallow declarations in modules */ ERR(state->handle, "%s: Modules may not declare new sensitivities.", state->cur_mod_name); - return -SEPOL_LINK_NOTSUP; + return SEPOL_ENOTSUP; } } @@ -620,13 +621,13 @@ scope = hashtab_search(state->cur->policy->p_cat_scope.table, id); if (!scope) - return -SEPOL_LINK_ERROR; + return SEPOL_ERR; if (scope->scope == SCOPE_DECL) { /* disallow declarations in modules */ ERR(state->handle, "%s: Modules may not declare new categories.", state->cur_mod_name); - return -SEPOL_LINK_NOTSUP; + return SEPOL_ENOTSUP; } } @@ -1916,7 +1917,7 @@ } rc = is_decl_requires_met(state, decl, &req); if (rc < 0) { - ret = -SEPOL_LINK_ERROR; + ret = SEPOL_ERR; goto out; } else if (rc == 0) { decl->enabled = 0; @@ -1925,7 +1926,7 @@ if (!(block->flags & AVRULE_OPTIONAL)) { print_missing_requirements(state, block, &req); - ret = -SEPOL_LINK_REQNOTMET; + ret = SEPOL_EREQ; goto out; } } @@ -2209,7 +2210,7 @@ } if (enable_avrules(&state, state.base)) { - retval = -SEPOL_LINK_REQNOTMET; + retval = SEPOL_EREQ; goto cleanup; } Modified: trunk/libsepol/src/policydb.c =================================================================== --- trunk/libsepol/src/policydb.c 2007-02-01 21:21:17 UTC (rev 2216) +++ trunk/libsepol/src/policydb.c 2007-02-01 21:29:28 UTC (rev 2217) 
@@ -17,7 +17,7 @@ * * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc. * Copyright (C) 2003 - 2005 Tresys Technology, LLC - * Copyright (C) 2003 - 2004 Red Hat, Inc. + * Copyright (C) 2003 - 2007 Red Hat, Inc. * * This library is free software; you can redistribute it and/or * modify it under the terms of the GNU Lesser General Public @@ -1176,9 +1176,9 @@ * (i.e. aliases) */ if (value) *value = ++pol->symtab[sym].nprim; - } else if (rc == HASHTAB_PRESENT && scope == SCOPE_REQ) { + } else if (rc == SEPOL_EEXIST && scope == SCOPE_REQ) { retval = 1; /* symbol not added -- need to free() later */ - } else if (rc == HASHTAB_PRESENT && scope == SCOPE_DECL) { + } else if (rc == SEPOL_EEXIST && scope == SCOPE_DECL) { if (sym == SYM_ROLES || sym == SYM_USERS) { /* allow multiple declarations for these two */ retval = 1; Modified: trunk/libsepol/src/private.h =================================================================== --- trunk/libsepol/src/private.h 2007-02-01 21:21:17 UTC (rev 2216) +++ trunk/libsepol/src/private.h 2007-02-01 21:29:28 UTC (rev 2217) @@ -2,9 +2,11 @@ /* Endian conversion for reading and writing binary policies */ +#include <sepol/policydb/policydb.h> + #include <byteswap.h> #include <endian.h> -#include <sepol/policydb/policydb.h> +#include <errno.h> #if __BYTE_ORDER == __LITTLE_ENDIAN #define cpu_to_le16(x) (x) Modified: trunk/policycoreutils/semodule_deps/semodule_deps.c =================================================================== --- trunk/policycoreutils/semodule_deps/semodule_deps.c 2007-02-01 21:21:17 UTC (rev 2216) +++ trunk/policycoreutils/semodule_deps/semodule_deps.c 2007-02-01 21:29:28 UTC (rev 2217) @@ -1,7 +1,7 @@ /* Authors: Karl MacMillan <kma...@me...> * * Copyright (C) 2006 Tresys Technology, LLC - * Copyright (C) 2006 Red Hat, Inc. + * Copyright (C) 2006-2007 Red Hat, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by 
@@ -16,6 +16,7 @@ * of avrule_blocks - even in an ABI safe way - seems undesirable. */ #include <sepol/module.h> +#include <sepol/errno.h> #include <sepol/policydb/policydb.h> #include <getopt.h> @@ -201,15 +202,15 @@ hashtab_insert(mods, mod_name, reqs); - if (ret != HASHTAB_SUCCESS) + if (ret != SEPOL_OK) return ret; } ret = hashtab_insert(reqs, req_name, NULL); if (! - (ret == HASHTAB_PRESENT - || ret == HASHTAB_SUCCESS)) + (ret == SEPOL_EEXIST + || ret == SEPOL_OK)) return -1; } } This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
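Review bot: The semodule_deps.c hunk adds `#include <sepol/errno.h>`, but the header this commit adds is `sepol/errcodes.h` (see Added Paths) and no `sepol/errno.h` appears anywhere in the change, so this include presumably fails unless such a header already exists in the installed libsepol; it should read `#include <sepol/errcodes.h>`. In the second hunk the fall-through `return -1;` after the `SEPOL_EEXIST || SEPOL_OK` test could be `return SEPOL_ERR;` now that the name exists, which keeps the value and makes the intent explicit. The enclosing function starts and ends outside the hunk.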
From: <ssm...@us...> - 2007-02-05 18:12:28
Revision: 2219 http://svn.sourceforge.net/selinux/?rev=2219&view=rev Author: ssmalley Date: 2007-02-05 10:01:59 -0800 (Mon, 05 Feb 2007) Log Message: ----------- Fix Changelog dates. Modified Paths: -------------- trunk/libselinux/ChangeLog trunk/libsepol/ChangeLog Modified: trunk/libselinux/ChangeLog =================================================================== --- trunk/libselinux/ChangeLog 2007-02-01 21:30:18 UTC (rev 2218) +++ trunk/libselinux/ChangeLog 2007-02-05 18:01:59 UTC (rev 2219) @@ -1,4 +1,4 @@ -2.0.0 2007-01-01 +2.0.0 2007-02-01 * Merged patch from Todd Miller to remove sscanf in matchpathcon.c because of the use of the non-standard format %as. (original patch changed for style). Modified: trunk/libsepol/ChangeLog =================================================================== --- trunk/libsepol/ChangeLog 2007-02-01 21:30:18 UTC (rev 2218) +++ trunk/libsepol/ChangeLog 2007-02-05 18:01:59 UTC (rev 2219) @@ -1,4 +1,4 @@ -2.0.0 2007-01-01 +2.0.0 2007-02-01 * Merged patch to add errcodes.h to libsepol by Karl MacMillan. 1.16.0 2007-01-18 This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
From: <ssm...@us...> - 2007-02-05 19:01:33
Revision: 2220 http://svn.sourceforge.net/selinux/?rev=2220&view=rev Author: ssmalley Date: 2007-02-05 11:01:07 -0800 (Mon, 05 Feb 2007) Log Message: ----------- Author: Karl MacMillan Email: kma...@me... Subject: add sepolgen Date: Wed, 31 Jan 2007 11:43:14 -0500 The patch at [1] adds the sepolgen python library for policy generation and a new implementation of audit2allow based on this library. The library has facilities for: * parsing audit messages * parsing and representing policy (including refpolicy interfaces) * manipulating / transforming policy (e.g., adding require statements) * generating policy from access requests / audit messages (including calls to refpolicy interfaces) * outputting policy as text * compiling policy modules All of the requested updates from the previous review have been made. Notes for packaging: * This adds a new dependency between policycoreutils and sepolgen * The tool sepolgen-ifgen needs to be run to extract information from the reference policy headers for audit2allow to generate refpolicy. The rpm spec file at http://hg.et.redhat.com/selinux/madison?f=b26375c7641a;file=madison.spec shows how I did this. * Audit2allow currently has a few regressions from the old version. This will be fixed soon. [1] http://people.redhat.com/kmacmill/patches/selinux/sepolgen-initial-submission.patch.gz 
Signed-off-by: Karl MacMillan <kma...@me...> Modified Paths: -------------- trunk/Makefile trunk/policycoreutils/ChangeLog trunk/policycoreutils/VERSION trunk/policycoreutils/audit2allow/Makefile trunk/policycoreutils/audit2allow/audit2allow Added Paths: ----------- trunk/policycoreutils/audit2allow/sepolgen-ifgen trunk/sepolgen/ trunk/sepolgen/COPYING trunk/sepolgen/HACKING trunk/sepolgen/Makefile trunk/sepolgen/VERSION trunk/sepolgen/src/ trunk/sepolgen/src/Makefile trunk/sepolgen/src/sepolgen/ trunk/sepolgen/src/sepolgen/Makefile trunk/sepolgen/src/sepolgen/__init__.py trunk/sepolgen/src/sepolgen/access.py trunk/sepolgen/src/sepolgen/audit.py trunk/sepolgen/src/sepolgen/classperms.py trunk/sepolgen/src/sepolgen/defaults.py trunk/sepolgen/src/sepolgen/interfaces.py trunk/sepolgen/src/sepolgen/lex.py trunk/sepolgen/src/sepolgen/matching.py trunk/sepolgen/src/sepolgen/module.py trunk/sepolgen/src/sepolgen/objectmodel.py trunk/sepolgen/src/sepolgen/output.py trunk/sepolgen/src/sepolgen/policygen.py trunk/sepolgen/src/sepolgen/refparser.py trunk/sepolgen/src/sepolgen/refpolicy.py trunk/sepolgen/src/sepolgen/sepolgeni18n.py trunk/sepolgen/src/sepolgen/util.py trunk/sepolgen/src/sepolgen/yacc.py trunk/sepolgen/src/share/ trunk/sepolgen/src/share/Makefile trunk/sepolgen/src/share/perm_map trunk/sepolgen/tests/ trunk/sepolgen/tests/Makefile trunk/sepolgen/tests/audit.txt trunk/sepolgen/tests/module_compile_test.te trunk/sepolgen/tests/perm_map trunk/sepolgen/tests/run-tests.py trunk/sepolgen/tests/test_access.py trunk/sepolgen/tests/test_audit.py trunk/sepolgen/tests/test_data/ trunk/sepolgen/tests/test_data/audit.log trunk/sepolgen/tests/test_data/httpd.log trunk/sepolgen/tests/test_data/short.log trunk/sepolgen/tests/test_interfaces.py trunk/sepolgen/tests/test_matching.py trunk/sepolgen/tests/test_module.py trunk/sepolgen/tests/test_objectmodel.py trunk/sepolgen/tests/test_policygen.py trunk/sepolgen/tests/test_refparser.py trunk/sepolgen/tests/test_refpolicy.py 
Removed Paths: ------------- trunk/policycoreutils/audit2allow/avc.py Modified: trunk/Makefile =================================================================== --- trunk/Makefile 2007-02-05 18:01:59 UTC (rev 2219) +++ trunk/Makefile 2007-02-05 19:01:07 UTC (rev 2220) @@ -1,4 +1,4 @@ -SUBDIRS=libsepol libselinux libsemanage checkpolicy policycoreutils # policy +SUBDIRS=libsepol libselinux libsemanage sepolgen checkpolicy policycoreutils # policy PYSUBDIRS=libselinux libsemanage ifeq ($(DEBUG),1) Modified: trunk/policycoreutils/ChangeLog =================================================================== --- trunk/policycoreutils/ChangeLog 2007-02-05 18:01:59 UTC (rev 2219) +++ trunk/policycoreutils/ChangeLog 2007-02-05 19:01:07 UTC (rev 2220) @@ -1,3 +1,9 @@ +2.0.0 2007-02-05 + * Merged new audit2allow from Karl MacMillan. + This audit2allow depends on the new sepolgen python module. + Note that you must run the sepolgen-ifgen tool to generate + the data needed by audit2allow to generate refpolicy. + 1.34.1 2007-01-22 * Fixed newrole non-pam build. Modified: trunk/policycoreutils/VERSION =================================================================== --- trunk/policycoreutils/VERSION 2007-02-05 18:01:59 UTC (rev 2219) +++ trunk/policycoreutils/VERSION 2007-02-05 19:01:07 UTC (rev 2220) @@ -1 +1 @@ -1.34.1 +2.0.0 Modified: trunk/policycoreutils/audit2allow/Makefile =================================================================== --- trunk/policycoreutils/audit2allow/Makefile 2007-02-05 18:01:59 UTC (rev 2219) +++ trunk/policycoreutils/audit2allow/Makefile 2007-02-05 19:01:07 UTC (rev 2220) 
@@ -4,23 +4,19 @@ LIBDIR ?= $(PREFIX)/lib MANDIR ?= $(PREFIX)/share/man LOCALEDIR ?= /usr/share/locale -PYLIBVER ?= $(shell python -c 'import sys;print "python%d.%d" % sys.version_info[0:2]') -PYTHONLIBDIR ?= $(LIBDIR)/$(PYLIBVER) -TARGETS=audit2allow +all: ; -all: $(TARGETS) - install: all -mkdir -p $(BINDIR) - install -m 755 $(TARGETS) $(BINDIR) + install -m 755 audit2allow $(BINDIR) + install -m 755 sepolgen-ifgen $(BINDIR) -mkdir -p $(MANDIR)/man1 install -m 644 audit2allow.1 $(MANDIR)/man1/ - test -d $(PYTHONLIBDIR)/site-packages || install -m 755 -d $(PYTHONLIBDIR)/site-packages - install -m 755 avc.py $(PYTHONLIBDIR)/site-packages clean: + rm -f *~ -indent: +indent: ; -relabel: +relabel: ; Modified: trunk/policycoreutils/audit2allow/audit2allow =================================================================== --- trunk/policycoreutils/audit2allow/audit2allow 2007-02-05 18:01:59 UTC (rev 2219) +++ trunk/policycoreutils/audit2allow/audit2allow 2007-02-05 19:01:07 UTC (rev 2220) 
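Review bot: The install rule now copies `sepolgen-ifgen` into $(BINDIR) and keeps installing `audit2allow.1`, but the man page is not in the commit's Modified Paths although the rewritten script changes the option set (-A/--analyze, -t/--tefile and -f/--fcfile are gone; -e/--explain, --perm-map, --interface-info and --debug are new), and no manual page is installed for sepolgen-ifgen at all. The page should be updated in the same commit, or at least a sepolgen-ifgen.1 added and installed next to audit2allow.1. Separately, the old `avc.py` that the removed rule installed into site-packages is not removed by anything here, so an upgrade over an older install leaves a stale module behind; that is worth a line in the ChangeLog. The `-mkdir -p` prefix on the two mkdir lines hides a real failure (for example permission denied) that only surfaces at the following `install`; plain `mkdir -p $(BINDIR)` is enough since `-p` already tolerates an existing directory.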
@@ -1,226 +1,268 @@ #! /usr/bin/python -E -# Copyright (C) 2005 Red Hat +# Authors: Karl MacMillan <kma...@me...> +# +# Copyright (C) 2006 Red Hat # see file 'COPYING' for use and warranty information # -# Audit2allow is a rewrite of prior perl script. +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License as +# published by the Free Software Foundation; version 2 only # -# Based off original audit2allow perl script: which credits -# newrules.pl, Copyright (C) 2001 Justin R. Smith (js...@mc...) -# 2003 Oct 11: Add -l option by Yuichi Nakamura(yn...@us...) +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. # -# This program is free software; you can redistribute it and/or -# modify it under the terms of the GNU General Public License as -# published by the Free Software Foundation; either version 2 of -# the License, or (at your option) any later version. +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA # -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. 
-# -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA -# 02111-1307 USA -# -# -from avc import * -if __name__ == '__main__': - import commands, sys, os, getopt, selinux - import gettext - import re +import sys +import tempfile + +import sepolgen.audit as audit +import sepolgen.policygen as policygen +import sepolgen.interfaces as interfaces +import sepolgen.output as output +import sepolgen.objectmodel as objectmodel +import sepolgen.defaults as defaults +import sepolgen.module as module +from sepolgen.sepolgeni18n import _ + +class AuditToPolicy: + VERSION = "%prog .1" + SYSLOG = "/var/log/messages" + + def __init__(self): + self.__options = None + self.__parser = None + self.__avs = None + + def __parse_options(self): + from optparse import OptionParser + + parser = OptionParser(version=self.VERSION) + parser.add_option("-a", "--audit", action="store_true", dest="audit", default=False, + help="read input from audit log - conflicts with -i") + parser.add_option("-d", "--dmesg", action="store_true", dest="dmesg", default=False, + help="read input from dmesg - conflicts with --audit and --input") + parser.add_option("-i", "--input", dest="input", + help="read input from <input> - conflicts with -a") + parser.add_option("-l", "--lastreload", action="store_true", dest="lastreload", default=False, + help="read input only after the last reload") + parser.add_option("-r", "--requires", action="store_true", dest="requires", default=False, + help="generate require statements for rules") + parser.add_option("-m", "--module", dest="module", + help="set the module name - implies --requires") + parser.add_option("-M", "--module-package", dest="module_package", + help="generate a module package - conflicts with -o and -m") + parser.add_option("-o", "--output", dest="output", + help="append output to <filename>, conflicts with -M") + 
parser.add_option("-R", "--reference", action="store_true", dest="refpolicy", + default=False, help="generate refpolicy style output") + parser.add_option("-v", "--verbose", action="store_true", dest="verbose", + default=False, help="explain generated output") + parser.add_option("-e", "--explain", action="store_true", dest="explain_long", + default=False, help="fully explain generated output") + parser.add_option("-t", "--type", help="only process messages with a type that matches this regex", + dest="type") + parser.add_option("--perm-map", dest="perm_map", help="file name of perm map") + parser.add_option("--interface-info", dest="interface_info", help="file name of interface information") + parser.add_option("--debug", dest="debug", action="store_true", default=False, + help="leave generated modules for -M") + + options, args = parser.parse_args() + + # Make -d, -a, and -i conflict + if options.audit is True: + if options.input is not None: + sys.stderr.write("error: --audit conflicts with --input\n") + if options.dmesg is True: + sys.stderr.write("error: --audit conflicts with --dmesg\n") + if options.input is not None and options.dmesg is True: + sys.stderr.write("error: --input conflicts with --dmesg\n") + + # Turn on requires generation if a module name is given. Also verify + # the module name. 
+ if options.module: + name = options.module + else: + name = options.module_package + if name: + options.requires = True + if not module.is_valid_name(name): + sys.stderr.write("only letters and numbers allowed in module names\n") + sys.exit(2) + + + # Make -M and -o conflict + if options.module_package: + if options.output: + sys.stderr.write("error: --module-package conflicts with --output\n") + sys.exit(2) + if options.module: + sys.stderr.write("error: --module-package conflicts with --module\n") + sys.exit(2) + + self.__options = options + + def __read_input(self): + parser = audit.AuditParser(last_load_only=self.__options.lastreload) + + filename = None + messages = None + f = None + + # Figure out what input we want + if self.__options.input is not None: + filename = self.__options.input + elif self.__options.dmesg: + messages = audit.get_dmesg_msgs() + elif self.__options.audit: + try: + messages = audit.get_audit_msgs() + except OSError, e: + sys.stderr.write('could not run ausearch - "%s"\n' % str(e)) + sys.exit(1) + else: + # This is the default if no input is specified + f = sys.stdin + + # Get the input + if filename is not None: + try: + f = open(filename) + except IOError, e: + sys.stderr.write('could not open file %s - "%s"\n' % (filename, str(e))) + sys.exit(1) + + if f is not None: + parser.parse_file(f) + f.close() + + if messages is not None: + parser.parse_string(messages) + + self.__parser = parser + + def __process_input(self): + if self.__options.type: + filter = audit.TypeFilter(self.__options.type) + self.__avs = self.__parser.to_access(filter) + else: + self.__avs = self.__parser.to_access() + + def __load_interface_info(self): + # Load interface info file + if self.__options.interface_info: + fn = self.__options.interface_info + else: + fn = defaults.interface_info() try: - gettext.install('policycoreutils') + fd = open(fn) except: - pass - def get_mls_flag(): - if selinux.is_selinux_mls_enabled(): - return "-M" - else: - return "" + 
sys.stderr.write("could not open interface info [%s]\n" % fn) + sys.exit(1) - def usage(msg = ""): - print _('audit2allow [-adhilrv] [-t file ] [ -f fcfile ] [-i <inputfile> ] [[-m|-M] <modulename> ] [-o <outputfile>]\n\ - -a, --all read input from audit and message log, conflicts with -i\n\ - -d, --dmesg read input from output of /bin/dmesg\n\ - -h, --help display this message\n\ - -i, --input read input from <inputfile> conflicts with -a\n\ - -l, --lastreload read input only after last \"load_policy\"\n\ - -m, --module generate module/require output <modulename> \n\ - -M generate loadable module package, conflicts with -o\n\ - -o, --output append output to <outputfile>, conflicts with -M\n\ - -r, --requires generate require output \n\ - -t, --tefile Add input from Existing Type Enforcement file\n\ - -f, --fcfile Existing Type Enforcement file, requires -M\n\ - -v, --verbose verbose output\n\ - -A, --analyze Analyze output\n\ - ') - if msg != "": - print msg - sys.exit(1) - - def verify_module(module): - m = re.findall("[^a-zA-Z0-9]", module) - if len(m) != 0: - usage(_("Alphanumeric Charaters Only")) - - def errorExit(error): - sys.stderr.write("%s: " % sys.argv[0]) - sys.stderr.write("%s\n" % error) - sys.stderr.flush() - sys.exit(1) + ifs = interfaces.InterfaceSet() + ifs.from_file(fd) + fd.close() - # - # - # - try: - last_reload = 0 - inputfd = sys.stdin - output = sys.stdout - module = "" - requires = 0 - verbose = 0 - auditlogs = 0 - buildPP = 0 - input_ind = 0 - output_ind = 0 - ref_ind = False - analyze = False - te_inputs = [] + # Also load perm maps + if self.__options.perm_map: + fn = self.__options.perm_map + else: + fn = defaults.perm_map() + try: + fd = open(fn) + except: + sys.stderr.write("could not open perm map [%s]\n" % fn) + sys.exit(1) - fc_file = "" - gopts, cmds = getopt.getopt(sys.argv[1:], - 'Aadf:hi:lm:M:o:rt:vR', - ['all', - 'analyze', - 'dmesg', - 'fcfile=', - 'help', - 'input=', - 'lastreload', - 'module=', - 'output=', - 'requires', 
- 'reference', - 'tefile=', - 'verbose' - ]) - for o,a in gopts: - if o == "-a" or o == "--all": - if input_ind: - usage() - inputfd = open("/var/log/messages", "r") - auditlogs = 1 - if o == "-d" or o == "--dmesg": - inputfd = os.popen("/bin/dmesg", "r") - if o == "-f" or o == "--fcfile": - if a[0] == "-": - usage() - fc_file = a - if o == "-h" or o == "--help": - usage() - if o == "-i"or o == "--input": - if auditlogs or a[0] == "-": - usage() - input_ind = 1 - inputfd = open(a, "r") - if o == '--lastreload' or o == "-l": - last_reload = 1 - if o == "-m" or o == "--module": - if module != "" or a[0] == "-": - usage() - module = a - verify_module(module) - if o == "-M": - if module != "" or output_ind or a[0] == "-": - usage() - module = a - verify_module(module) - outfile = a+".te" - buildPP = 1 - if not os.path.exists("/usr/bin/checkmodule"): - errorExit("-M Requires the checkmodule command, you need to install the checkpolicy rpm package") - output = open(outfile, "w") - if o == "-r" or o == "--requires": - requires = 1 - if o == "-t" or o == "--tefile": - te_inputs.append(open(a, "r")) - - if o == "-R" or o == "--reference": - ref_ind = True - - if o == "-o" or o == "--output": - if module != "" or a[0] == "-": - usage() - output = open(a, "a") - output_ind = 1 - if o == "-v" or o == "--verbose": - verbose = 1 - - if o == "-A" or o == "--analyze": - analyze = True - - if len(cmds) != 0: - usage() + perm_maps = objectmodel.PermMappings() + perm_maps.from_file(fd) + + return (ifs, perm_maps) + + + def __output(self): + g = policygen.PolicyGenerator() + + if self.__options.module: + g.set_module_name(self.__options.module) + + # Interface generation + if self.__options.refpolicy: + ifs, perm_maps = self.__load_interface_info() + g.set_gen_refpol(ifs, perm_maps) - if fc_file != "" and not buildPP: - usage("Error %s: Option -fc requires -M" % sys.argv[0]) - - serules = SERules(last_reload, verbose) + # Explanation + if self.__options.verbose: + 
g.set_gen_explain(policygen.SHORT_EXPLANATION) + if self.__options.explain_long: + g.set_gen_explain(policygen.LONG_EXPLANATION) - for i in te_inputs: - te = TERules(serules) - te.load(i) + # Requires + if self.__options.requires: + g.set_gen_requires(True) - serules.load(inputfd) + # Generate the policy + g.add_access(self.__avs) + # Output + writer = output.ModuleWriter() - if ref_ind: - serules.gen_reference_policy() + # Module package + if self.__options.module_package: + g.set_module_name(self.__options.module_package) - if analyze: - serules.analyze() - sys.exit(0) + fd = tempfile.NamedTemporaryFile() + writer.write(g.get_module(), fd) + fd.flush() + + mc = module.ModuleCompiler() + if self.__options.debug: + clean = False + else: + clean = True - if auditlogs and os.path.exists("/var/log/audit/audit.log"): - inputfd = os.popen("ausearch -m avc,MAC_POLICY_LOAD") - serules.load(inputfd) + if self.__options.refpolicy: + mc.refpolicy = True + + try: + mc.create_module_package(fd.name, self.__options.module_package + ".pp", + cleanup=clean) + except RuntimeError, e: + print e + sys.exit(1) - if buildPP: - print (_("Generating type enforcment file: %s.te") % module) - output.write(serules.out(requires, module)) - output.flush() - if buildPP: - if ref_ind: - rc, type = selinux.selinux_getpolicytype() - cmd = "make -f /usr/share/selinux/%s/include/Makefile %s.pp" % (type, module) - print _("Compiling policy") - print cmd - rc = commands.getstatusoutput(cmd) - else: - cmd = "checkmodule %s -m -o %s.mod %s.te" % (get_mls_flag(), module, module) - print _("Compiling policy") - print cmd - rc = commands.getstatusoutput(cmd) - if rc[0] == 0: - cmd = "semodule_package -o %s.pp -m %s.mod" % (module, module) - if fc_file != "": - cmd = "%s -f %s" % (cmd, fc_file) - - print cmd - rc = commands.getstatusoutput(cmd) - if rc[0] == 0: - print _("\n******************** IMPORTANT ***********************\n") - print (_("In order to load this newly created policy package into the 
kernel,\nyou are required to execute \n\nsemodule -i %s.pp\n\n") % module) - else: - errorExit(rc[1]) + # This should unlink the temporary file + fd.close() + sys.stdout.write(_("******************** IMPORTANT ***********************\n")) + sys.stdout.write((_("To make this policy package active, execute:" +\ + "\n\nsemodule -i %s.pp\n\n") % self.__options.module_package)) + + else: + # File or stdout + if self.__options.module: + g.set_module_name(self.__options.module) - except getopt.error, error: - errorExit(_("Options Error: %s ") % error.msg) - except ValueError, error: - errorExit(error.args[0]) - except IOError, error: - errorExit(error) - except KeyboardInterrupt, error: - sys.exit(0) + if self.__options.output: + fd = open(self.__options.output, "w") + else: + fd = sys.stdout + writer.write(g.get_module(), fd) + + def main(self): + try: + self.__parse_options() + self.__read_input() + self.__process_input() + self.__output() + except KeyboardInterrupt: + sys.exit(0) + +if __name__ == "__main__": + app = AuditToPolicy() + app.main() Deleted: trunk/policycoreutils/audit2allow/avc.py =================================================================== --- trunk/policycoreutils/audit2allow/avc.py 2007-02-05 18:01:59 UTC (rev 2219) +++ trunk/policycoreutils/audit2allow/avc.py 2007-02-05 19:01:07 UTC (rev 2220) 
@@ -1,553 +0,0 @@ -#! /usr/bin/python -E -# Copyright (C) 2006 Red Hat -# see file 'COPYING' for use and warranty information -# -# avc.py is a plugin modules used by audit2allow and other objects to process -# avc messages from the log files -# -# Based off original audit2allow perl script: which credits -# newrules.pl, Copyright (C) 2001 Justin R. Smith (js...@mc...) -# 2003 Oct 11: Add -l option by Yuichi Nakamura(yn...@us...) -# -# This program is free software; you can redistribute it and/or -# modify it under the terms of the GNU General Public License as -# published by the Free Software Foundation; either version 2 of -# the License, or (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA -# 02111-1307 USA -# -# -import sys, os, pwd, string, re, selinux - -obj = "(\{[^\}]*\}|[^ \t:]*)" -allow_regexp = "(allow|dontaudit)[ \t]+%s[ \t]*%s[ \t]*:[ \t]*%s[ \t]*%s" % (obj, obj, obj, obj) -awk_script = '/^[[:blank:]]*interface[[:blank:]]*\(/ {\n\ - IFACEFILE=FILENAME\n\ - IFACENAME = gensub("^[[:blank:]]*interface[[:blank:]]*\\\\(\`?","","g",$0);\n\ - IFACENAME = gensub("\'?,.*$","","g",IFACENAME);\n\ -}\n\ -\n\ -/^[[:blank:]]*(allow|dontaudit)[[:blank:]]+.*;[[:blank:]]*$/ {\n\ -\n\ - if ((length(IFACENAME) > 0) && (IFACEFILE == FILENAME)){\n\ - ALLOW = gensub("^[[:blank:]]*","","g",$0)\n\ - ALLOW = gensub(";[[:blank:]]*$","","g",$0)\n\ - print FILENAME "\\t" IFACENAME "\\t" ALLOW;\n\ - }\n\ -}\ -' - -class context: - def __init__(self, scontext): - self.scontext = scontext - con=scontext.split(":") - self.user = con[0] - self.role = con[1] - 
self.type = con[2] - if len(con) > 3: - self.mls = con[3] - else: - self.mls = "s0" - - def __str__(self): - return self.scontext - -class accessTrans: - def __init__(self): - self.dict = {} - try: - fd = open("/usr/share/selinux/devel/include/support/obj_perm_sets.spt") - except IOError, error: - raise IOError("Reference policy generation requires the policy development package selinux-policy-devel.\n%s" % error) - records = fd.read().split("\n") - regexp = "^define *\(`([^']*)' *, *` *\{([^}]*)}'" - for r in records: - m = re.match(regexp,r) - if m != None: - self.dict[m.groups()[0]] = m.groups()[1].split() - fd.close() - def get(self, var): - l = [] - for v in var: - if v in self.dict.keys(): - l += self.dict[v] - else: - if v not in ("{", "}"): - l.append(v) - return l - -class interfaces: - def __init__(self): - self.dict = {} - trans = accessTrans() - (input, output) = os.popen2("awk -f - /usr/share/selinux/devel/include/*/*.if 2> /dev/null") - input.write(awk_script) - input.close() - records = output.read().split("\n") - input.close() - if len(records) > 0: - regexp = "([^ \t]*)[ \t]+([^ \t]*)[ \t]+%s" % allow_regexp - for r in records: - m = re.match(regexp,r) - if m == None: - continue - val = m.groups() - file = os.path.basename(val[0]).split(".")[0] - iface = val[1] - Scon = val[3].split() - Tcon = val[4].split() - Class = val[5].split() - Access = trans.get(val[6].split()) - for s in Scon: - for t in Tcon: - for c in Class: - if (s, t, c) not in self.dict.keys(): - self.dict[(s, t, c)] = [] - self.dict[(s, t, c)].append((Access, file, iface)) - def out(self): - keys = self.dict.keys() - keys.sort() - for k in keys: - print k - for i in self.dict[k]: - print "\t", i - - def match(self, Scon, Tcon, Class, Access): - keys = self.dict.keys() - ret = [] - if (Scon, Tcon, Class) in keys: - for i in self.dict[(Scon, Tcon, Class)]: - if Access in i[0]: - if i[2].find(Access) >= 0: - ret.insert(0, i) - else: - ret.append(i) - return ret - if ("$1", Tcon, Class) 
in keys: - for i in self.dict[("$1", Tcon, Class)]: - if Access in i[0]: - if i[2].find(Access) >= 0: - ret.insert(0, i) - else: - ret.append(i) - return ret - if (Scon, "$1", Class) in keys: - for i in self.dict[(Scon, "$1", Class)]: - if Access in i[0]: - if i[2].find(Access) >= 0: - ret.insert(0, i) - else: - ret.append(i) - return ret - else: - return ret - -import glob, imp -pluginPath = "/usr/share/selinux/plugins" -if not pluginPath in sys.path: - sys.path.append(pluginPath) - -class Analyze: - def __init__(self): - self.plugins = [] - for p in glob.glob("/usr/share/selinux/plugins/*.py"): - plugin = os.path.basename(p)[:-3] - self.plugins.append(imp.load_module(plugin, *imp.find_module(plugin))) - - def process(self, AVCS): - ret = [] - avcs = AVCS - for p in self.plugins: - if avcs == None: - break; - r = p.analyze(avcs) - if len(r) == 0: - continue - avcs = r[1] - if len(r[0]) > 0: - ret.append(r[0]) - return ret - -class serule: - def __init__(self, key): - self.type = key[0] - self.source = key[1] - self.target = key[2] - self.seclass = key[3] - self.access = [] - self.avcinfo = {} - self.iface = None - - def add(self, avc): - for a in avc[0]: - if a not in self.avcinfo.keys(): - self.avcinfo[a] = [] - self.access.append(a) - self.avcinfo[a].append(avc[1:]) - - def getAccess(self): - if len(self.access) == 1: - return self.access[0] - else: - self.access.sort() - return "{ " + string.join(self.access) +" }" - - def getName(self): - print self.avcinfo - - def out(self, verbose = 0): - ret = "" - ret = ret+"%s %s %s:%s %s;" % (self.type, self.source, self.gettarget(), self.seclass, self.getAccess()) - if verbose: - keys = self.avcinfo.keys() - keys.sort() - for i in keys: - for x in self.avcinfo[i]: - ret = ret+"\n\t#TYPE=AVC MSG=%s " % x[0] - if len(x[1]): - ret=ret+"COMM=%s " % x[1] - if len(x[2]): - ret=ret+"NAME=%s " % x[2] - ret = ret + " : " + i - return ret - - def gen_reference_policy(self, iface): - ret = "" - Scon = self.source - Tcon = 
self.gettarget() - Class = self.seclass - Access = self.getAccess() - m = iface.match(Scon,Tcon,Class,Access) - if len(m) == 0: - return self.out() - else: - file = m[0][1] - ret = "\n#%s\n"% self.out() - ret += "optional_policy(`\n" - first = True - for i in m: - if file != i[1]: - ret += "')\ngen_require(`%s', `\n" % i[1] - file = i[1] - first = True - if first: - ret += "\t%s(%s)\n" % (i[2], Scon) - first = False - else: - ret += "#\t%s(%s)\n" % (i[2], Scon) - ret += "');" - return ret - - def gettarget(self): - if self.source == self.target: - return "self" - else: - return self.target - -def warning(error): - sys.stderr.write("%s: " % sys.argv[0]) - sys.stderr.write("%s\n" % error) - sys.stderr.flush() - - -class TERules: - def __init__(self, serules): - self.VALID_CMDS = ("allow", "dontaudit", "auditallow") - self.serules = serules - - def load(self, input): - line = input.readline() - while line: - rec = line.split() - if len(rec) and rec[0] in self.VALID_CMDS: - self.add_terule(line) - line = input.readline() - - def add_terule(self, rule): - rc = rule.split(":") - rules = rc[0].split() - type = rules[0] - (sources, targets) = self.rules_split(rules[1:]) - rules = rc[1].split() - (classes, access) = self.rules_split(rules) - for scon in sources: - for tcon in targets: - for seclass in classes: - self.serules.add_rule(type, scon, tcon, seclass,access) - - def rules_split(self, rules): - (idx, target ) = self.get_target(0, rules) - (idx, subject) = self.get_target(idx, rules) - return (target, subject) - - def get_target(self, i, rule): - target = [] - if rule[i][0] == "{": - for t in rule[i].split("{"): - if len(t): - target.append(t) - i = i+1 - for s in rule[i:]: - if s.find("}") >= 0: - for s1 in s.split("}"): - if len(s1): - target.append(s1) - i = i+1 - return (i, target) - - target.append(s) - i = i+1 - else: - if rule[i].find(";") >= 0: - for s1 in rule[i].split(";"): - if len(s1): - target.append(s1) - else: - target.append(rule[i]) - - i = i+1 - 
return (i, target) - - -ALLOW = 0 -STYPE = 1 -TTYPE = 2 -CLASS = 3 -COMM = 1 -NAME = 3 - -class SERules: - def __init__(self, last_reload = 0, verbose = 0): - self.last_reload = last_reload - self.initialize() - self.gen_ref_policy = False - self.verbose = verbose - self.AVCS = [] - self.INVALID_SIDS = {} - - def initialize(self): - self.seRules = {} - self.classes = {} - self.types = [] - self.roles = [] - - def load(self, input): - dict = [] - found = 0 - line = input.readline() - while line: - rec = line.split() - for i in rec: - if i == "avc:" or i == "message=avc:" or i == "msg='avc:": - found = 1 - else: - if i == "security_compute_sid:": - self.security_compute_sid(rec) - found = 1 - elif i == "type=MAC_POLICY_LOAD" and self.last_reload: - self.initialize() - break - else: - dict.append(i) - - if not found: - regexp = "audit\(\d+\.\d+:\d+\): policy loaded" - m = re.match(regexp, line) - if m !=None: - found =1 - dict.append("load_policy") - dict.append("granted") - - if found: - self.translate(dict) - found = 0 - dict = [] - line = input.readline() - - - def translate(self,dict): - AVC = {} - AVC["access"] = [] - if "load_policy" in dict and self.last_reload: - self.initialize() - - if "granted" in dict: - return - try: - for i in range (0, len(dict)): - if dict[i] == "{": - i = i+1 - while i<len(dict) and dict[i] != "}": - AVC["access"].append(dict[i]) - i = i+1 - continue - - t = dict[i].split('=') - if len(t) < 2: - continue - AVC[t[0]] = t[1] - - for i in ("scontext", "tcontext", "tclass"): - if i not in AVC.keys(): - return - if len(AVC["access"]) == 0: - return - - except IndexError, e: - warning("Bad AVC Line: %s" % avc) - return - - self.add_allow(AVC) - - def security_compute_sid(self, rec): - dict={} - for i in rec: - t = i.split('=') - if len(t) < 2: - continue - dict[t[0]]=t[1] - try: - r = context(dict["scontext"]).role - t = context(dict["tcontext"]).type - self.add_type(t) - self.add_role(r) - self.INVALID_SIDS[(r,t)]=rec - except: - return - 
- def add_avc(self, AVC): - for a in self.AVCS: - if a["tclass"] == AVC["tclass"] and a["access"] == AVC["access"] and a["tcontext"] == AVC["tcontext"] and a["scontext"] == AVC["scontext"] and a["comm"] == AVC["comm"] and a["name"] == AVC["name"]: - return - self.AVCS.append(AVC) - - def add_rule(self, rule_type, scon, tcon, tclass, access, msg = "", comm = "", name = ""): - AVC = {} - AVC["tclass"] = tclass - AVC["access"] = access - AVC["tcon"] = tcon - AVC["scon"] = scon - AVC["comm"] = comm - AVC["name"] = name - self.add_avc(AVC) - - self.add_class(tclass, access) - self.add_type(tcon) - self.add_type(scon) - key = (rule_type, scon, tcon, seclass) - if key not in self.seRules.keys(): - self.seRules[key] = serule(key) - self.seRules[key].add((access, msg, comm, name )) - - def add_allow(self, AVC): - self.add_class(AVC["tclass"], AVC["access"]) - tcontext = context(AVC["tcontext"]) - scontext = context(AVC["scontext"]) - - self.add_type(tcontext.type) - self.add_type(scontext.type) - - self.add_role(scontext.role) - - key = ("allow", scontext.type, tcontext.type, AVC["tclass"]) - if key not in self.seRules.keys(): - self.seRules[key] = serule(key) - - avckeys = AVC.keys() - for i in ( "name", "comm", "msg" ): - if i not in avckeys: - AVC[i] = "" - - self.add_avc(AVC) - self.seRules[key].add((AVC["access"], AVC["msg"], AVC["comm"], AVC["name"])) - - def add_class(self,seclass, access): - if seclass not in self.classes.keys(): - self.classes[seclass] = [] - for a in access: - if a not in self.classes[seclass]: - self.classes[seclass].append(a) - - def add_role(self,role): - if role not in self.roles: - self.roles.append(role) - - def add_type(self,type): - if type not in self.types: - self.types.append(type) - - def gen_reference_policy(self): - self.gen_ref_policy = True - self.iface = interfaces() - - def gen_module(self, module): - if self.gen_ref_policy: - return "policy_module(%s, 1.0);" % module - else: - return "module %s 1.0;" % module - - def 
gen_requires(self): - self.roles.sort() - self.types.sort() - keys = self.classes.keys() - keys.sort() - rec = "\n\nrequire {\n" - if not self.gen_ref_policy: - for i in keys: - access = self.classes[i] - if len(access) > 1: - access.sort() - rec += "\tclass %s {" % i - for a in access: - rec += " %s" % a - rec += " }; \n" - else: - rec += "\tclass %s %s;\n" % (i, access[0]) - - for i in self.types: - rec += "\ttype %s; \n" % i - - if not self.gen_ref_policy: - for i in self.roles: - rec += "\trole %s; \n" % i - - rec += "};\n\n" - return rec - - def analyze(self): - a = Analyze() - for i in a.process(self.AVCS): - print i[0][0] - print "" - - def out(self, require = 0, module = ""): - rec = "" - if len(self.seRules.keys()) == 0 and len(self.INVALID_SIDS) == 0: - raise(ValueError("No AVC messages found.")) - if module != "": - rec += self.gen_module(module) - rec += self.gen_requires() - else: - if require: - rec+=self.gen_requires() - - for i in self.INVALID_SIDS.keys(): - rec += "role %s types %s;\n" % i - - keys = self.seRules.keys() - keys.sort() - for i in keys: - if self.gen_ref_policy: - rec += self.seRules[i].gen_reference_policy(self.iface)+"\n" - else: - rec += self.seRules[i].out(self.verbose)+"\n" - return rec - Added: trunk/policycoreutils/audit2allow/sepolgen-ifgen =================================================================== --- trunk/policycoreutils/audit2allow/sepolgen-ifgen (rev 0) +++ trunk/policycoreutils/audit2allow/sepolgen-ifgen 2007-02-05 19:01:07 UTC (rev 2220) 
@@ -0,0 +1,84 @@
+#! /usr/bin/python -E
+#
+# Authors: Karl MacMillan <kma...@me...>
+#
+# Copyright (C) 2006 Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation; version 2 only
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+#
+
+# Parse interfaces and output extracted information about them
+# suitable for policy generation. By default writes the output
+# to the default location (obtained from sepolgen.defaults), but
+# will output to another file provided as an argument:
+# sepolgen-ifgen [headers] [output-filename]
+
+
+import sys
+import os
+
+import sepolgen.refparser as refparser
+import sepolgen.defaults as defaults
+import sepolgen.interfaces as interfaces
+
+
+VERSION = "%prog .1"
+
+def parse_options():
+ from optparse import OptionParser
+
+ parser = OptionParser(version=VERSION)
+ parser.add_option("-o", "--output", dest="output", default=defaults.interface_info(),
+ help="filename to store output")
+ parser.add_option("-i", "--interfaces", dest="headers", default=defaults.headers(),
+ help="location of the interface header files")
+ parser.add_option("-v", "--verbose", action="store_true", default=False,
+ help="print debuging output")
+ options, args = parser.parse_args()
+
+ return options
+
+
+def main():
+ options = parse_options()
+
+ # Open the output first to generate errors before parsing
+ try:
+ f = open(options.output, "w")
+ except IOError, e:
+ sys.stderr.write("could not open output file [%s]\n" % options.output)
+ return 1
+
+ if options.verbose:
+ log = sys.stdout
+ else:
+ log = None
+
+ try:
+ headers = refparser.parse_headers(options.headers, output=log)
+ except ValueError, e:
+ print "error parsing headers"
+ print str(e)
+ return 1
+
+ if_set = interfaces.InterfaceSet(output=log)
+ if_set.add_headers(headers)
+ if_set.to_file(f)
+ f.close()
+
+ return 0
+
+if __name__ == "__main__":
+ sys.exit(main())
Added: trunk/sepolgen/COPYING
===================================================================
--- trunk/sepolgen/COPYING (rev 0)
+++ trunk/sepolgen/COPYING 2007-02-05 19:01:07 UTC (rev 2220)
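Review bot: The output file is truncated by `open(options.output, "w")` before the headers are parsed, so when `refparser.parse_headers` raises ValueError `main` returns 1 with an open, empty file left at `options.output` — by default `defaults.interface_info()`, which the audit2allow hunk above reads back with `ifs.from_file(fd)`, so a failed regeneration presumably leaves audit2allow with an empty interface set in place of the previous good one. Keeping the early open-for-errors check, the fix is to write to a sibling temp file and `os.rename` it over `options.output` only after `to_file` succeeds, removing the temp file on the parse-error path (rewrite below). Separately, the header comment documents positional `[headers] [output-filename]` arguments but `parse_options` discards `args`, so either map them onto `options.headers`/`options.output` or reject them with `parser.error("unexpected arguments")`; and the IOError message drops `e`, which `"could not open output file [%s]: %s\n" % (options.output, e)` would fix.
```python
def main():
    options = parse_options()

    # Build the result in a sibling temp file and rename it into place only
    # after a successful parse, so a failure never leaves a truncated
    # interface-info file at options.output. Opening it first still surfaces
    # permission errors before the (slow) header parse.
    tmp = options.output + ".tmp"
    try:
        f = open(tmp, "w")
    except IOError, e:
        sys.stderr.write("could not open output file [%s]: %s\n" % (tmp, e))
        return 1

    # ... unchanged: log selection ...

    try:
        headers = refparser.parse_headers(options.headers, output=log)
    except ValueError, e:
        print "error parsing headers"
        print str(e)
        f.close()
        os.unlink(tmp)
        return 1

    if_set = interfaces.InterfaceSet(output=log)
    if_set.add_headers(headers)
    if_set.to_file(f)
    f.close()
    os.rename(tmp, options.output)

    return 0
```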
@@ -0,0 +1,340 @@ + GNU GENERAL PUBLIC LICENSE + Version 2, June 1991 + + Copyright (C) 1989, 1991 Free Software Foundation, Inc. + 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + Everyone is permitted to copy and distribute verbatim copies + of this license document, but changing it is not allowed. + + Preamble + + The licenses for most software are designed to take away your +freedom to share and change it. By contrast, the GNU General Public +License is intended to guarantee your freedom to share and change free +software--to make sure the software is free for all its users. This +General Public License applies to most of the Free Software +Foundation's software and to any other program whose authors commit to +using it. (Some other Free Software Foundation software is covered by +the GNU Library General Public License instead.) You can apply it to +your programs, too. + + When we speak of free software, we are referring to freedom, not +price. Our General Public Licenses are designed to make sure that you +have the freedom to distribute copies of free software (and charge for +this service if you wish), that you receive source code or can get it +if you want it, that you can change the software or use pieces of it +in new free programs; and that you know you can do these things. + + To protect your rights, we need to make restrictions that forbid +anyone to deny you these rights or to ask you to surrender the rights. +These restrictions translate to certain responsibilities for you if you +distribute copies of the software, or if you modify it. + + For example, if you distribute copies of such a program, whether +gratis or for a fee, you must give the recipients all the rights that +you have. You must make sure that they, too, receive or can get the +source code. And you must show them these terms so they know their +rights. 
+ + We protect your rights with two steps: (1) copyright the software, and +(2) offer you this license which gives you legal permission to copy, +distribute and/or modify the software. + + Also, for each author's protection and ours, we want to make certain +that everyone understands that there is no warranty for this free +software. If the software is modified by someone else and passed on, we +want its recipients to know that what they have is not the original, so +that any problems introduced by others will not reflect on the original +authors' reputations. + + Finally, any free program is threatened constantly by software +patents. We wish to avoid the danger that redistributors of a free +program will individually obtain patent licenses, in effect making the +program proprietary. To prevent this, we have made it clear that any +patent must be licensed for everyone's free use or not licensed at all. + + The precise terms and conditions for copying, distribution and +modification follow. + + GNU GENERAL PUBLIC LICENSE + TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION + + 0. This License applies to any program or other work which contains +a notice placed by the copyright holder saying it may be distributed +under the terms of this General Public License. The "Program", below, +refers to any such program or work, and a "work based on the Program" +means either the Program or any derivative work under copyright law: +that is to say, a work containing the Program or a portion of it, +either verbatim or with modifications and/or translated into another +language. (Hereinafter, translation is included without limitation in +the term "modification".) Each licensee is addressed as "you". + +Activities other than copying, distribution and modification are not +covered by this License; they are outside its scope. 
The act of +running the Program is not restricted, and the output from the Program +is covered only if its contents constitute a work based on the +Program (independent of having been made by running the Program). +Whether that is true depends on what the Program does. + + 1. You may copy and distribute verbatim copies of the Program's +source code as you receive it, in any medium, provided that you +conspicuously and appropriately publish on each copy an appropriate +copyright notice and disclaimer of warranty; keep intact all the +notices that refer to this License and to the absence of any warranty; +and give any other recipients of the Program a copy of this License +along with the Program. + +You may charge a fee for the physical act of transferring a copy, and +you may at your option offer warranty protection in exchange for a fee. + + 2. You may modify your copy or copies of the Program or any portion +of it, thus forming a work based on the Program, and copy and +distribute such modifications or work under the terms of Section 1 +above, provided that you also meet all of these conditions: + + a) You must cause the modified files to carry prominent notices + stating that you changed the files and the date of any change. + + b) You must cause any work that you distribute or publish, that in + whole or in part contains or is derived from the Program or any + part thereof, to be licensed as a whole at no charge to all third + parties under the terms of this License. + + c) If the modified program normally reads commands interactively + when run, you must cause it, when started running for such + interactive use in the most ordinary way, to print or display an + announcement including an appropriate copyright notice and a + notice that there is no warranty (or else, saying that you provide + a warranty) and that users may redistribute the program under + these conditions, and telling the user how to view a copy of this + License. 
(Exception: if the Program itself is interactive but + does not normally print such an announcement, your work based on + the Program is not required to print an announcement.) + +These requirements apply to the modified work as a whole. If +identifiable sections of that work are not derived from the Program, +and can be reasonably considered independent and separate works in +themselves, then this License, and its terms, do not apply to those +sections when you distribute them as separate works. But when you +distribute the same sections as part of a whole which is a work based +on the Program, the distribution of the whole must be on the terms of +this License, whose permissions for other licensees extend to the +entire whole, and thus to each and every part regardless of who wrote it. + +Thus, it is not the intent of this section to claim rights or contest +your rights to work written entirely by you; rather, the intent is to +exercise the right to control the distribution of derivative or +collective works based on the Program. + +In addition, mere aggregation of another work not based on the Program +with the Program (or with a work based on the Program) on a volume of +a storage or distribution medium does not bring the other work under +the scope of this License. + + 3. 
You may copy and distribute the Program (or a work based on it, +under Section 2) in object code or executable form under the terms of +Sections 1 and 2 above provided that you also do one of the following: + + a) Accompany it with the complete corresponding machine-readable + source code, which must be distributed under the terms of Sections + 1 and 2 above on a medium customarily used for software interchange; or, + + b) Accompany it with a written offer, valid for at least three + years, to give any third party, for a charge no more than your + cost of physically performing source distribution, a complete + machine-readable copy of the corresponding source code, to be + distributed under the terms of Sections 1 and 2 above on a medium + customarily used for software interchange; or, + + c) Accompany it with the information you received as to the offer + to distribute corresponding source code. (This alternative is + allowed only for noncommercial distribution and only if you + received the program in object code or executable form with such + an offer, in accord with Subsection b above.) + +The source code for a work means the preferred form of the work for +making modifications to it. For an executable work, complete source +code means all the source code for all modules it contains, plus any +associated interface definition files, plus the scripts used to +control compilation and installation of the executable. However, as a +special exception, the source code distributed need not include +anything that is normally distributed (in either source or binary +form) with the major components (compiler, kernel, and so on) of the +operating system on which the executable runs, unless that component +itself accompanies the executable. 
+ +If distribution of executable or object code is made by offering +access to copy from a designated place, then offering equivalent +access to copy the source code from the same place counts as +distribution of the source code, even though third parties are not +compelled to copy the source along with the object code. + + 4. You may not copy, modify, sublicense, or distribute the Program +except as expressly provided under this License. Any attempt +otherwise to copy, modify, sublicense or distribute the Program is +void, and will automatically terminate your rights under this License. +However, parties who have received copies, or rights, from you under +this License will not have their licenses terminated so long as such +parties remain in full compliance. + + 5. You are not required to accept this License, since you have not +signed it. However, nothing else grants you permission to modify or +distribute the Program or its derivative works. These actions are +prohibited by law if you do not accept this License. Therefore, by +modifying or distributing the Program (or any work based on the +Program), you indicate your acceptance of this License to do so, and +all its terms and conditions for copying, distributing or modifying +the Program or works based on it. + + 6. Each time you redistribute the Program (or any work based on the +Program), the recipient automatically receives a license from the +original licensor to copy, distribute or modify the Program subject to +these terms and conditions. You may not impose any further +restrictions on the recipients' exercise of the rights granted herein. +You are not responsible for enforcing compliance by third parties to +this License. + + 7. 
If, as a consequence of a court judgment or allegation of patent +infringement or for any other reason (not limited to patent issues), +conditions are imposed on you (whether by court order, agreement or +otherwise) that contradict the conditions of this License, they do not +excuse you from the conditions of this License. If you cannot +distribute so as to satisfy simultaneously your obligations under this +License and any other pertinent obligations, then as a consequence you +may not distribute the Program at all. For example, if a patent +license would not permit royalty-free redistribution of the Program by +all those who receive copies directly or indirectly through you, then +the only way you could satisfy both it and this License would be to +refrain entirely from distribution of the Program. + +If any portion of this section is held invalid or unenforceable under +any particular circumstance, the balance of the section is intended to +apply and the section as a whole is intended to apply in other +circumstances. + +It is not the purpose of this section to induce you to infringe any +patents or other property right claims or to contest validity of any +such claims; this section has the sole purpose of protecting the +integrity of the free software distribution system, which is +implemented by public license practices. Many people have made +generous contributions to the wide range of software distributed +through that system in reliance on consistent application of that +system; it is up to the author/donor to decide if he or she is willing +to distribute software through any other system and a licensee cannot +impose that choice. + +This section is intended to make thoroughly clear what is believed to +be a consequence of the rest of this License. + + 8. 
If the distribution and/or use of the Program is restricted in +certain countries either by patents or by copyrighted interfaces, the +original copyright holder who places the Program under this License +may add an explicit geographical distribution limitation excluding +those countries, so that distribution is permitted only in or among +countries not thus excluded. In such case, this License incorporates +the limitation as if written in the body of this License. + + 9. The Free Software Foundation may publish revised and/or new versions +of the General Public License from time to time. Such new versions will +be similar in spirit to the present version, but may differ in detail to +address new problems or concerns. + +Each version is given a distinguishing version number. If the Program +specifies a version number of this License which applies to it and "any +later version", you have the option of following the terms and conditions +either of that version or of any later version published by the Free +Software Foundation. If the Program does not specify a version number of +this License, you may choose any version ever published by the Free Software +Foundation. + + 10. If you wish to incorporate parts of the Program into other free +programs whose distribution conditions are different, write to the author +to ask for permission. For software which is copyrighted by the Free +Software Foundation, write to the Free Software Foundation; we sometimes +make exceptions for this. Our decision will be guided by the two goals +of preserving the free status of all derivatives of our free software and +of promoting the sharing and reuse of software generally. + + NO WARRANTY + + 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY +FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. 
EXCEPT WHEN +OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES +PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED +OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS +TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE +PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, +REPAIR OR CORRECTION. + + 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING +WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR +REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, +INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING +OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED +TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY +YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER +PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE +POSSIBILITY OF SUCH DAMAGES. + + END OF TERMS AND CONDITIONS + + How to Apply These Terms to Your New Programs + + If you develop a new program, and you want it to be of the greatest +possible use to the public, the best way to achieve this is to make it +free software which everyone can redistribute and change under these terms. + + To do so, attach the following notices to the program. It is safest +to attach them to the start of each source file to most effectively +convey the exclusion of warranty; and each file should have at least +the "copyright" line and a pointer to where the full notice is found. 
+ + <one line to give the program's name and a brief idea of what it does.> + Copyright (C) <year> <name of author> + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free So... [truncated message content] |
From: <kma...@us...> - 2007-02-08 14:59:22
|
Revision: 2229 http://svn.sourceforge.net/selinux/?rev=2229&view=rev Author: kmacmillan Date: 2007-02-08 06:59:08 -0800 (Thu, 08 Feb 2007) Log Message: ----------- Author: Daniel J Walsh Email: dw...@re... Subject: Small patch to allow semodule_deps to build Date: Wed, 07 Feb 2007 16:52:14 -0500 Acked-by: Karl MacMillan <kma...@me...> Modified Paths: -------------- trunk/libselinux/src/matchpathcon.c trunk/policycoreutils/semodule_deps/semodule_deps.c Modified: trunk/libselinux/src/matchpathcon.c =================================================================== --- trunk/libselinux/src/matchpathcon.c 2007-02-06 16:42:56 UTC (rev 2228) +++ trunk/libselinux/src/matchpathcon.c 2007-02-08 14:59:08 UTC (rev 2229) @@ -443,7 +443,7 @@ static int process_line(const char *path, const char *prefix, char *line_buf, int pass, unsigned lineno) { - int items, len, regerr, ret; + int len, regerr, ret; char *buf_p, *ptr; char *regex, *type, *context; const char *reg_buf; 
@@ -460,42 +460,42 @@ if (*buf_p == '#' || *buf_p == 0) return 0; - items = 0; regex = strtok_r(buf_p, " \t", &ptr); - if (regex) - items += 1; - type = strtok_r(NULL, " \t", &ptr); - if (type) - items += 1; - context = strtok_r(NULL, " \t", &ptr); - if (context) - items += 1; - - if (items < 2) { + if (!regex) { myprintf("%s: line %d is missing fields, skipping\n", path, lineno); - return 0; - } else if (items == 2) { - /* The type field is optional. */ - context = type; - type = NULL; + return 0; + } else { + regex = strdup(regex); + if (!regex) { + return -1; + } } - regex = strdup(regex); - if (!regex) { - return -1; - } - if (type) { + type = strtok_r(NULL, " \t", &ptr); + if (!type) { + myprintf("%s: line %d is missing fields, skipping\n", path, + lineno); + return 0; + } else { type = strdup(type); if (!type) { ret = -1; goto finish; } } - context = strdup(context); + + context = strtok_r(NULL, " \t", &ptr); if (!context) { - ret = -1; - goto finish; + /* The type field is optional. */ + context = type; + type = NULL; + } else { + context = strdup(context); + if (!context) { + ret = -1; + goto finish; + } } reg_buf = regex; Modified: trunk/policycoreutils/semodule_deps/semodule_deps.c =================================================================== --- trunk/policycoreutils/semodule_deps/semodule_deps.c 2007-02-06 16:42:56 UTC (rev 2228) +++ trunk/policycoreutils/semodule_deps/semodule_deps.c 2007-02-08 14:59:08 UTC (rev 2229) @@ -16,7 +16,7 @@ * of avrule_blocks - even in an ABI safe way - seems undesirable. */ #include <sepol/module.h> -#include <sepol/errno.h> +#include <sepol/errcodes.h> #include <sepol/policydb/policydb.h> #include <getopt.h> This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
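Review bot: The new `process_line` leaks the copied regex when a line has only one field: `regex = strdup(regex)` now runs before `type = strtok_r(NULL, " \t", &ptr)`, and the `if (!type)` branch does `myprintf(...); return 0;` without releasing it, whereas the later failure paths `goto finish`. Free it before skipping, `free(regex); return 0;`, or defer the `strdup` until all three tokens have been read, as the previous ordering did. The `finish:` label and the remainder of `process_line` are outside the hunk. Note that r2230 in the next message reverts this commit as accidental, so the leak is short-lived in trunk.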
From: <kma...@us...> - 2007-02-08 15:33:29
|
Revision: 2230 http://svn.sourceforge.net/selinux/?rev=2230&view=rev Author: kmacmillan Date: 2007-02-08 07:13:49 -0800 (Thu, 08 Feb 2007) Log Message: ----------- rollback previous accidental commit Modified Paths: -------------- trunk/libselinux/src/matchpathcon.c trunk/policycoreutils/semodule_deps/semodule_deps.c Modified: trunk/libselinux/src/matchpathcon.c =================================================================== --- trunk/libselinux/src/matchpathcon.c 2007-02-08 14:59:08 UTC (rev 2229) +++ trunk/libselinux/src/matchpathcon.c 2007-02-08 15:13:49 UTC (rev 2230) @@ -443,7 +443,7 @@ static int process_line(const char *path, const char *prefix, char *line_buf, int pass, unsigned lineno) { - int len, regerr, ret; + int items, len, regerr, ret; char *buf_p, *ptr; char *regex, *type, *context; const char *reg_buf; 
@@ -460,42 +460,42 @@ if (*buf_p == '#' || *buf_p == 0) return 0; + items = 0; regex = strtok_r(buf_p, " \t", &ptr); - if (!regex) { + if (regex) + items += 1; + type = strtok_r(NULL, " \t", &ptr); + if (type) + items += 1; + context = strtok_r(NULL, " \t", &ptr); + if (context) + items += 1; + + if (items < 2) { myprintf("%s: line %d is missing fields, skipping\n", path, lineno); - return 0; - } else { - regex = strdup(regex); - if (!regex) { - return -1; - } + return 0; + } else if (items == 2) { + /* The type field is optional. */ + context = type; + type = NULL; } - type = strtok_r(NULL, " \t", &ptr); - if (!type) { - myprintf("%s: line %d is missing fields, skipping\n", path, - lineno); - return 0; - } else { + regex = strdup(regex); + if (!regex) { + return -1; + } + if (type) { type = strdup(type); if (!type) { ret = -1; goto finish; } } - - context = strtok_r(NULL, " \t", &ptr); + context = strdup(context); if (!context) { - /* The type field is optional. */ - context = type; - type = NULL; - } else { - context = strdup(context); - if (!context) { - ret = -1; - goto finish; - } + ret = -1; + goto finish; } reg_buf = regex; Modified: trunk/policycoreutils/semodule_deps/semodule_deps.c =================================================================== --- trunk/policycoreutils/semodule_deps/semodule_deps.c 2007-02-08 14:59:08 UTC (rev 2229) +++ trunk/policycoreutils/semodule_deps/semodule_deps.c 2007-02-08 15:13:49 UTC (rev 2230) @@ -16,7 +16,7 @@ * of avrule_blocks - even in an ABI safe way - seems undesirable. */ #include <sepol/module.h> -#include <sepol/errcodes.h> +#include <sepol/errno.h> #include <sepol/policydb/policydb.h> #include <getopt.h> This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
From: <ssm...@us...> - 2007-02-20 14:03:18
|
Revision: 2241 http://svn.sourceforge.net/selinux/?rev=2241&view=rev Author: ssmalley Date: 2007-02-20 06:03:10 -0800 (Tue, 20 Feb 2007) Log Message: ----------- Update ChangeLogs and VERSIONs. Modified Paths: -------------- trunk/checkpolicy/ChangeLog trunk/checkpolicy/VERSION trunk/libselinux/ChangeLog trunk/libselinux/VERSION trunk/libsemanage/ChangeLog trunk/libsemanage/VERSION trunk/policycoreutils/ChangeLog trunk/policycoreutils/VERSION Modified: trunk/checkpolicy/ChangeLog =================================================================== --- trunk/checkpolicy/ChangeLog 2007-02-20 13:53:16 UTC (rev 2240) +++ trunk/checkpolicy/ChangeLog 2007-02-20 14:03:10 UTC (rev 2241) @@ -1,3 +1,6 @@ +2.0.1 2007-02-20 + * Merged patch to allow dots in class identifiers from Caleb Case. + 2.0.0 2007-02-01 * Merged patch to use new libsepol error codes by Karl MacMillan. Modified: trunk/checkpolicy/VERSION =================================================================== --- trunk/checkpolicy/VERSION 2007-02-20 13:53:16 UTC (rev 2240) +++ trunk/checkpolicy/VERSION 2007-02-20 14:03:10 UTC (rev 2241) @@ -1 +1 @@ -2.0.0 +2.0.1 Modified: trunk/libselinux/ChangeLog =================================================================== --- trunk/libselinux/ChangeLog 2007-02-20 13:53:16 UTC (rev 2240) +++ trunk/libselinux/ChangeLog 2007-02-20 14:03:10 UTC (rev 2241) @@ -1,3 +1,6 @@ +2.0.1 2007-02-20 + * Merged patch from Todd Miller to convert int types over to C99 style. + 2.0.0 2007-02-01 * Merged patch from Todd Miller to remove sscanf in matchpathcon.c because of the use of the non-standard format %as. (original patch changed Modified: trunk/libselinux/VERSION =================================================================== --- trunk/libselinux/VERSION 2007-02-20 13:53:16 UTC (rev 2240) +++ trunk/libselinux/VERSION 2007-02-20 14:03:10 UTC (rev 2241) 
@@ -1 +1 @@ -2.0.0 +2.0.1 Modified: trunk/libsemanage/ChangeLog =================================================================== --- trunk/libsemanage/ChangeLog 2007-02-20 13:53:16 UTC (rev 2240) +++ trunk/libsemanage/ChangeLog 2007-02-20 14:03:10 UTC (rev 2241) @@ -1,3 +1,8 @@ +2.0.0 2007-02-20 + * Merged Makefile test target patch from Caleb Case. + * Merged get_commit_number function rename patch from Caleb Case. + * Merged strnlen -> strlen patch from Todd Miller. + 1.10.1 2007-01-26 * Merged python binding fix from Dan Walsh. Modified: trunk/libsemanage/VERSION =================================================================== --- trunk/libsemanage/VERSION 2007-02-20 13:53:16 UTC (rev 2240) +++ trunk/libsemanage/VERSION 2007-02-20 14:03:10 UTC (rev 2241) @@ -1 +1 @@ -1.10.1 +2.0.0 Modified: trunk/policycoreutils/ChangeLog =================================================================== --- trunk/policycoreutils/ChangeLog 2007-02-20 13:53:16 UTC (rev 2240) +++ trunk/policycoreutils/ChangeLog 2007-02-20 14:03:10 UTC (rev 2241) @@ -1,3 +1,7 @@ +2.0.2 2007-02-20 + * Merged seobject exception handler fix from Caleb Case. + * Merged setfiles memory leak patch from Todd Miller. + 2.0.1 2007-02-08 * Merged small fix to correct include of errcodes.h in semodule_deps from Dan Walsh. Modified: trunk/policycoreutils/VERSION =================================================================== --- trunk/policycoreutils/VERSION 2007-02-20 13:53:16 UTC (rev 2240) +++ trunk/policycoreutils/VERSION 2007-02-20 14:03:10 UTC (rev 2241) @@ -1 +1 @@ -2.0.1 +2.0.2 This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
From: <ssm...@us...> - 2007-02-21 17:19:32
|
Revision: 2249 http://svn.sourceforge.net/selinux/?rev=2249&view=rev Author: ssmalley Date: 2007-02-21 09:19:31 -0800 (Wed, 21 Feb 2007) Log Message: ----------- Updated ChangeLogs and VERSIONs. Modified Paths: -------------- trunk/libselinux/ChangeLog trunk/libselinux/VERSION trunk/policycoreutils/ChangeLog trunk/policycoreutils/VERSION Modified: trunk/libselinux/ChangeLog =================================================================== --- trunk/libselinux/ChangeLog 2007-02-21 17:16:09 UTC (rev 2248) +++ trunk/libselinux/ChangeLog 2007-02-21 17:19:31 UTC (rev 2249) @@ -1,3 +1,6 @@ +2.0.2 2007-02-21 + * Merged more swig initializers from Dan Walsh. + 2.0.1 2007-02-20 * Merged patch from Todd Miller to convert int types over to C99 style. Modified: trunk/libselinux/VERSION =================================================================== --- trunk/libselinux/VERSION 2007-02-21 17:16:09 UTC (rev 2248) +++ trunk/libselinux/VERSION 2007-02-21 17:19:31 UTC (rev 2249) @@ -1 +1 @@ -2.0.1 +2.0.2 Modified: trunk/policycoreutils/ChangeLog =================================================================== --- trunk/policycoreutils/ChangeLog 2007-02-21 17:16:09 UTC (rev 2248) +++ trunk/policycoreutils/ChangeLog 2007-02-21 17:19:31 UTC (rev 2249) @@ -1,3 +1,9 @@ +2.0.3 2007-02-21 + * Merged translations update from Dan Walsh. + * Merged chcat fixes from Dan Walsh. + * Merged man page fixes from Dan Walsh. + * Merged seobject prefix validity checking from Dan Walsh. + 2.0.2 2007-02-20 * Merged seobject exception handler fix from Caleb Case. * Merged setfiles memory leak patch from Todd Miller. Modified: trunk/policycoreutils/VERSION =================================================================== --- trunk/policycoreutils/VERSION 2007-02-21 17:16:09 UTC (rev 2248) +++ trunk/policycoreutils/VERSION 2007-02-21 17:19:31 UTC (rev 2249) 
@@ -1 +1 @@ -2.0.2 +2.0.3 This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
From: <ssm...@us...> - 2007-02-22 13:54:48
|
Revision: 2256 http://svn.sourceforge.net/selinux/?rev=2256&view=rev Author: ssmalley Date: 2007-02-22 05:54:45 -0800 (Thu, 22 Feb 2007) Log Message: ----------- Updated VERSIONs and ChangeLogs. Modified Paths: -------------- trunk/libselinux/ChangeLog trunk/libselinux/VERSION trunk/policycoreutils/ChangeLog trunk/policycoreutils/VERSION Modified: trunk/libselinux/ChangeLog =================================================================== --- trunk/libselinux/ChangeLog 2007-02-22 13:50:09 UTC (rev 2255) +++ trunk/libselinux/ChangeLog 2007-02-22 13:54:45 UTC (rev 2256) @@ -1,3 +1,6 @@ +2.0.3 2007-02-22 + * Merged matchpathcon memory leak fix from Steve Grubb. + 2.0.2 2007-02-21 * Merged more swig initializers from Dan Walsh. Modified: trunk/libselinux/VERSION =================================================================== --- trunk/libselinux/VERSION 2007-02-22 13:50:09 UTC (rev 2255) +++ trunk/libselinux/VERSION 2007-02-22 13:54:45 UTC (rev 2256) @@ -1 +1 @@ -2.0.2 +2.0.3 Modified: trunk/policycoreutils/ChangeLog =================================================================== --- trunk/policycoreutils/ChangeLog 2007-02-22 13:50:09 UTC (rev 2255) +++ trunk/policycoreutils/ChangeLog 2007-02-22 13:54:45 UTC (rev 2256) @@ -1,3 +1,6 @@ +2.0.4 2007-02-22 + * Merged restorecond memory leak fix from Steve Grubb. + 2.0.3 2007-02-21 * Merged translations update from Dan Walsh. * Merged chcat fixes from Dan Walsh. Modified: trunk/policycoreutils/VERSION =================================================================== --- trunk/policycoreutils/VERSION 2007-02-22 13:50:09 UTC (rev 2255) +++ trunk/policycoreutils/VERSION 2007-02-22 13:54:45 UTC (rev 2256) @@ -1 +1 @@ -2.0.3 +2.0.4 This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
From: <ssm...@us...> - 2007-02-22 14:36:10
|
Revision: 2259 http://svn.sourceforge.net/selinux/?rev=2259&view=rev Author: ssmalley Date: 2007-02-22 06:36:04 -0800 (Thu, 22 Feb 2007) Log Message: ----------- Author: Karl MacMillan Email: kma...@me... Subject: sepolgen: leave generated files in current directory Date: Wed, 21 Feb 2007 13:02:04 -0500 This patch changes sepolgen so that the generated te files are left in the current directory when generating policy modules (with -M). This matches the behavior of the old audit2allow and allows review of the te file before inserting the module. Signed-off-by: Karl MacMillan <kma...@me...> Modified Paths: -------------- trunk/policycoreutils/audit2allow/audit2allow trunk/sepolgen/src/sepolgen/module.py trunk/sepolgen/tests/test_module.py Modified: trunk/policycoreutils/audit2allow/audit2allow =================================================================== --- trunk/policycoreutils/audit2allow/audit2allow 2007-02-22 14:03:31 UTC (rev 2258) +++ trunk/policycoreutils/audit2allow/audit2allow 2007-02-22 14:36:04 UTC (rev 2259) @@ -1,7 +1,7 @@ #! /usr/bin/python -E # Authors: Karl MacMillan <kma...@me...> # -# Copyright (C) 2006 Red Hat +# Copyright (C) 2006-2007 Red Hat # see file 'COPYING' for use and warranty information # # This program is free software; you can redistribute it and/or @@ -94,7 +94,6 @@ if not module.is_valid_name(name): sys.stderr.write("only letters and numbers allowed in module names\n") sys.exit(2) - # Make -M and -o conflict if options.module_package: @@ -136,14 +135,14 @@ except IOError, e: sys.stderr.write('could not open file %s - "%s"\n' % (filename, str(e))) sys.exit(1) - + if f is not None: parser.parse_file(f) f.close() if messages is not None: parser.parse_string(messages) - + self.__parser = parser def __process_input(self): 
@@ -182,16 +181,41 @@ perm_maps = objectmodel.PermMappings() perm_maps.from_file(fd) - + return (ifs, perm_maps) - - + + def __output_modulepackage(self, writer, generator): + generator.set_module_name(self.__options.module_package) + filename = self.__options.module_package + ".te" + packagename = self.__options.module_package + ".pp" + + try: + fd = open(filename, "w") + except IOError, e: + sys.stderr.write("could not write output file: %s\n", str(e)) + sys.exit(1) + + writer.write(generator.get_module(), fd) + fd.close() + + mc = module.ModuleCompiler() + + try: + mc.create_module_package(filename, self.__options.refpolicy) + except RuntimeError, e: + print e + sys.exit(1) + + sys.stdout.write(_("******************** IMPORTANT ***********************\n")) + sys.stdout.write((_("To make this policy package active, execute:" +\ + "\n\nsemodule -i %s\n\n") % packagename)) + def __output(self): g = policygen.PolicyGenerator() - + if self.__options.module: g.set_module_name(self.__options.module) - + # Interface generation if self.__options.refpolicy: ifs, perm_maps = self.__load_interface_info() @@ -215,34 +239,7 @@ # Module package if self.__options.module_package: - g.set_module_name(self.__options.module_package) - - fd = tempfile.NamedTemporaryFile() - writer.write(g.get_module(), fd) - fd.flush() - - mc = module.ModuleCompiler() - if self.__options.debug: - clean = False - else: - clean = True - - if self.__options.refpolicy: - mc.refpolicy = True - - try: - mc.create_module_package(fd.name, self.__options.module_package + ".pp", - cleanup=clean) - except RuntimeError, e: - print e - sys.exit(1) - - # This should unlink the temporary file - fd.close() - sys.stdout.write(_("******************** IMPORTANT ***********************\n")) - sys.stdout.write((_("To make this policy package active, execute:" +\ - "\n\nsemodule -i %s.pp\n\n") % self.__options.module_package)) - + self.__output_modulepackage(writer, g) else: # File or stdout if self.__options.module: 
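Review bot: `sys.stderr.write("could not write output file: %s\n", str(e))` in the new `__output_modulepackage` passes two arguments to `write`, so the error path raises `TypeError` instead of printing; it should read `sys.stderr.write("could not write output file: %s\n" % str(e))`. The helper also opens `<module>.te` in the current directory with mode `"w"`, silently truncating any existing file of that name, where the code replaced in the following hunk wrote to a `tempfile.NamedTemporaryFile`; since the printed `semodule -i` step implies the tool is presumably run with privileges, a check that `filename` does not already exist (or at least a warning before overwriting) would be prudent. The `--debug`-controlled `cleanup` behaviour of the removed block has no replacement in the helper, which deserves a line in the commit message. `__output` continues past the hunk.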
@@ -253,7 +250,7 @@ else: fd = sys.stdout writer.write(g.get_module(), fd) - + def main(self): try: self.__parse_options() Modified: trunk/sepolgen/src/sepolgen/module.py =================================================================== --- trunk/sepolgen/src/sepolgen/module.py 2007-02-22 14:03:31 UTC (rev 2258) +++ trunk/sepolgen/src/sepolgen/module.py 2007-02-22 14:36:04 UTC (rev 2259) @@ -92,7 +92,8 @@ module compiler (checkmodule) and module packager (semodule_package). You are likely interested in the create_module_package method. - Several options are controlled via paramaters: + Several options are controlled via paramaters (only effects the + non-refpol builds): .mls [boolean] Generate an MLS module (by passed -M to checkmodule). True to generate an MLS module, false @@ -119,8 +120,8 @@ self.semodule_package = "/usr/bin/semodule_package" self.output = output self.last_output = "" + self.refpol_makefile = "/usr/share/selinux/devel/Makefile" self.make = "/usr/bin/make" - self.refpolicy = False def o(self, str): if self.output: @@ -133,8 +134,25 @@ self.o(output) return rc + + def gen_filenames(self, sourcename): + """Generate the module and policy package filenames from + a source file name. The source file must be in the form + of "foo.te". This will generate "foo.mod" and "foo.pp". + + Returns a tuple with (modname, policypackage). + """ + splitname = sourcename.split(".") + if len(splitname) < 2: + raise RuntimeError("invalid sourcefile name %s (must end in .te)", sourcename) + # Handle other periods in the filename correctly + basename = ".".join(splitname[0:-1]) + modname = basename + ".mod" + packagename = basename + ".pp" + + return (modname, packagename) - def create_module_package(self, sourcename, packagename, cleanup=True): + def create_module_package(self, sourcename, refpolicy=True): """Create a module package saved in a packagename from a sourcename. 
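Review bot: `gen_filenames` raises `RuntimeError("invalid sourcefile name %s (must end in .te)", sourcename)` with a comma where `%` is needed, so the message is never formatted, and `len(splitname) < 2` only checks for a dot — `foo.c` passes and yields `foo.mod`/`foo.pp`, contradicting the docstring. Replace the check with `if not sourcename.endswith(".te"): raise RuntimeError("invalid sourcefile name %s (must end in .te)" % sourcename)` and derive the stem with `basename = sourcename[:-3]`, which handles other periods without the split/join. The docstring should also say the generated names are relative to the caller's current directory, since that is where `create_module_package` now writes them.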
@@ -150,47 +168,23 @@ On error a RuntimeError will be raised with a descriptive error message. """ - if self.refpolicy: - self.refpol_build(sourcename, packagename, cleanup) + if refpolicy: + self.refpol_build(sourcename) else: - modfile = tempfile.NamedTemporaryFile() - self.compile(sourcename, modfile.name) - self.package(modfile.name, packagename) - modfile.close() - - def refpol_build(self, sourcename, packagename, cleanup): - # Create a fake directory tree - parent = tempfile.mkdtemp() - modname = modname_from_sourcename(packagename) - tree = ModuleTree(modname) - tree.create(parent) - - # Copy the source - tefd = open(tree.te_name(), "w") - sourcefd = open(sourcename) - tefd.write(sourcefd.read()) - tefd.close() - + modname, packagename = self.gen_filenames(sourcename) + self.compile(sourcename, modname) + self.package(modname, packagename) + os.unlink(modname) + + def refpol_build(self, sourcename): # Compile - p = subprocess.Popen(self.make, stdout=subprocess.PIPE, - stderr=subprocess.PIPE, cwd=tree.dir_name()) - self.o("\n".join(p.communicate())) + command = self.make + " -f " + self.refpol_makefile + rc = self.run(command) - # Copy the package - if p.returncode == 0: - shutil.copyfile(tree.package_name(), packagename) - - # Remove the tree - if cleanup: - shutil.rmtree(parent) - else: - print "generated module at %s\n" % parent - # Raise an error if the process failed - if p.returncode != 0: + if rc != 0: raise RuntimeError("compilation failed:\n%s" % self.last_output) - def compile(self, sourcename, modname): s = [self.checkmodule] if self.mls: Modified: trunk/sepolgen/tests/test_module.py =================================================================== --- trunk/sepolgen/tests/test_module.py 2007-02-22 14:03:31 UTC (rev 2258) +++ trunk/sepolgen/tests/test_module.py 2007-02-22 14:36:04 UTC (rev 2259) 
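Review bot: `refpol_build(self, sourcename)` never uses `sourcename`: the new body runs `make -f /usr/share/selinux/devel/Makefile` in the process's current directory with no goal, so whatever `.te` files happen to be there get built, and an unrelated or broken one in the cwd fails (or is packaged alongside) the module the caller asked for. The replaced code isolated the build in a `tempfile.mkdtemp()` tree; if building in place is the intent, name the goal, e.g. `modname, packagename = self.gen_filenames(sourcename)` followed by `command = self.make + " -f " + self.refpol_makefile + " " + packagename` (the devel Makefile accepts a `.pp` goal in my experience — confirm), and document that the cwd is the build directory. In the non-refpolicy branch `os.unlink(modname)` is skipped when `self.package` raises, leaving the `.mod` behind; a `try`/`finally` keeps the cleanup. `create_module_package`'s signature and docstring begin before the hunk.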
@@ -25,11 +25,11 @@ def test(self): package = "module_compile_test.pp" mc = module.ModuleCompiler() - mc.create_module_package("module_compile_test.te", package) + mc.create_module_package("module_compile_test.te", refpolicy=True) os.stat(package) os.unlink(package) mc.refpolicy = True - mc.create_module_package("module_compile_test.te", "module_compile_test.pp") + mc.create_module_package("module_compile_test.te", refpolicy=False) os.stat(package) - #os.unlink(package) + os.unlink(package) This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
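Review bot: `mc.refpolicy = True` between the two `create_module_package` calls sets an attribute this commit removes from `ModuleCompiler.__init__` and that `create_module_package` no longer reads (it takes `refpolicy` as a parameter now), so the line is dead and misleading; drop it. The test is also environment-dependent in a way it was not before: the first call uses the default `refpolicy=True`, which needs `/usr/share/selinux/devel/Makefile` and builds in the cwd, so a short comment, or an early `return` when `module.ModuleCompiler().refpol_makefile` does not exist, would make the failure mode clear.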
From: <ssm...@us...> - 2007-02-22 14:56:32
|
Revision: 2263 http://svn.sourceforge.net/selinux/?rev=2263&view=rev Author: ssmalley Date: 2007-02-22 06:56:16 -0800 (Thu, 22 Feb 2007) Log Message: ----------- Updated ChangeLogs and VERSIONs. Modified Paths: -------------- trunk/policycoreutils/ChangeLog trunk/policycoreutils/VERSION trunk/sepolgen/ChangeLog trunk/sepolgen/VERSION Modified: trunk/policycoreutils/ChangeLog =================================================================== --- trunk/policycoreutils/ChangeLog 2007-02-22 14:41:32 UTC (rev 2262) +++ trunk/policycoreutils/ChangeLog 2007-02-22 14:56:16 UTC (rev 2263) @@ -1,3 +1,7 @@ +2.0.5 2007-02-22 + * Merged sepolgen and audit2allow patches to leave generated files + in the current directory from Karl MacMillan. + 2.0.4 2007-02-22 * Merged restorecond memory leak fix from Steve Grubb. Modified: trunk/policycoreutils/VERSION =================================================================== --- trunk/policycoreutils/VERSION 2007-02-22 14:41:32 UTC (rev 2262) +++ trunk/policycoreutils/VERSION 2007-02-22 14:56:16 UTC (rev 2263) @@ -1 +1 @@ -2.0.4 +2.0.5 Modified: trunk/sepolgen/ChangeLog =================================================================== --- trunk/sepolgen/ChangeLog 2007-02-22 14:41:32 UTC (rev 2262) +++ trunk/sepolgen/ChangeLog 2007-02-22 14:56:16 UTC (rev 2263) @@ -1,3 +1,9 @@ +1.0.2 2007-02-22 + * Merged patch to leave generated files (e.g. local.te) in current directory from Karl MacMillan. + * Merged patch to make run-tests.py use unittest.main from Karl MacMillan. + * Merged patch to update PLY from Karl MacMillan. + * Merged patch to update the sepolgen parser to handle the latest reference policy from Karl MacMillan. + 1.0.1 2007-02-21 * Merged Makefile and refparser.py patch from Dan Walsh. Fixes PYTHONLIBDIR definition and error handling on interface files. 
@@ -3,4 +9,4 @@ 1.0.0 2007-02-05 - * Initial commit. + * Initial merge from Karl MacMillan. Modified: trunk/sepolgen/VERSION =================================================================== --- trunk/sepolgen/VERSION 2007-02-22 14:41:32 UTC (rev 2262) +++ trunk/sepolgen/VERSION 2007-02-22 14:56:16 UTC (rev 2263) @@ -1 +1 @@ -1.0.1 +1.0.2 This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
From: <ssm...@us...> - 2007-04-09 18:03:43
|
Revision: 2325 http://svn.sourceforge.net/selinux/?rev=2325&view=rev Author: ssmalley Date: 2007-04-09 11:02:21 -0700 (Mon, 09 Apr 2007) Log Message: ----------- Author: James Carter Email: jw...@ty... Subject: libselinux: add support for getting contexts for kernel initial SIDs from selinuxfs Date: Fri, 06 Apr 2007 15:37:20 -0400 Adds support to libselinux to get the context for a kernel initial security identifier specified by name from the selinuxfs interface. Signed-off-by: James Carter <jw...@ty...> Modified Paths: -------------- trunk/libselinux/include/selinux/selinux.h trunk/libselinux/man/man3/security_compute_av.3 trunk/libselinux/src/Makefile trunk/libselinux/src/load_policy.c trunk/libselinux/src/selinux_internal.h trunk/libsepol/src/Makefile Added Paths: ----------- trunk/libselinux/man/man3/security_get_initial_context.3 Modified: trunk/libselinux/include/selinux/selinux.h =================================================================== --- trunk/libselinux/include/selinux/selinux.h 2007-04-05 20:03:56 UTC (rev 2324) +++ trunk/libselinux/include/selinux/selinux.h 2007-04-09 18:02:21 UTC (rev 2325) @@ -189,6 +189,13 @@ /* Load a policy configuration. */ extern int security_load_policy(void *data, size_t len); +/* Get the context of an initial kernel security identifier by name. + Caller must free via freecon */ + extern int security_get_initial_context(const char * name, + security_context_t * con); + extern int security_get_initial_context_raw(const char * name, + security_context_t * con); + /* * Make a policy image and load it. * This function provides a higher level interface for loading policy Modified: trunk/libselinux/man/man3/security_compute_av.3 =================================================================== --- trunk/libselinux/man/man3/security_compute_av.3 2007-04-05 20:03:56 UTC (rev 2324) +++ trunk/libselinux/man/man3/security_compute_av.3 2007-04-09 18:02:21 UTC (rev 2325) 
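Review bot: The `security_get_initial_context` / `security_get_initial_context_raw` prototypes and the matching `hidden_proto` lines are the only initial-SID changes in this revision — no `.c` implementing them appears under Modified or Added Paths, while most of the diff is `EMBEDDED`/`DISABLE_SEPOL` build work the log message does not mention. Until the implementation lands (presumably in a file this message does not show), any caller picking up the new prototype gets an unresolved symbol; either it belongs in this commit or the log message should describe what was actually committed. The header comment would also be more useful if it named the source of the data, e.g. `/* Look up the context of a kernel initial SID by name via selinuxfs. Caller must free via freecon. */`.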
@@ -1,6 +1,7 @@ .TH "security_compute_av" "3" "1 January 2004" "ru...@co..." "SE Linux API documentation" .SH "NAME" -security_compute_av, security_compute_create, security_compute_relabel, security_compute_user \- query +security_compute_av, security_compute_create, security_compute_relabel, +security_compute_user, security_get_initial_context \- query the SELinux policy database in the kernel. .SH "SYNOPSIS" @@ -16,6 +17,9 @@ .sp .BI "int security_compute_user(security_context_t "scon ", const char *" username ", security_context_t **" con ); .sp +.BI "int security_get_initial_context(const char *" name ", security_context_t +"con ); +.sp .BI "int checkPasswdAccess(access_vector_t " requested ); .SH "DESCRIPTION" @@ -44,6 +48,9 @@ source context. Is mainly used by .B get_ordered_context_list. +.B security_get_initial_context +is used to get the context of an initial kernel security identifier by name. + .B checkPasswdAccess This functions is a helper functions that allows you to check for a permission in the passwd class. checkPasswdAccess uses getprevcon() for the source and target security contexts. Added: trunk/libselinux/man/man3/security_get_initial_context.3 =================================================================== --- trunk/libselinux/man/man3/security_get_initial_context.3 (rev 0) +++ trunk/libselinux/man/man3/security_get_initial_context.3 2007-04-09 18:02:21 UTC (rev 2325) @@ -0,0 +1 @@ +.so man3/security_compute_av.3 Modified: trunk/libselinux/src/Makefile =================================================================== --- trunk/libselinux/src/Makefile 2007-04-05 20:03:56 UTC (rev 2324) +++ trunk/libselinux/src/Makefile 2007-04-09 18:02:21 UTC (rev 2325) 
@@ -18,10 +18,27 @@ SWIGSO=_selinux.so SWIGFILES=$(SWIGSO) selinux.py LIBSO=$(TARGET).$(LIBVERSION) -OBJS= $(patsubst %.c,%.o,$(filter-out $(SWIGCOUT),$(wildcard *.c))) -LOBJS= $(patsubst %.c,%.lo,$(filter-out $(SWIGCOUT),$(wildcard *.c))) + +LSEPOL=-lsepol +SRCS=$(filter-out $(SWIGCOUT),$(wildcard *.c)) +ifeq ($(EMBEDDED),1) +UNUSED_SRCS=avc.c avc_internal.c avc_sidtab.c +SRCS= $(filter-out $(UNUSED_SRCS), $(filter-out $(SWIGCOUT),$(wildcard *.c))) +endif +ifeq ($(DISABLE_SEPOL),1) +UNUSED_SRCS+=booleans.c +LSEPOL= +SRCS= $(filter-out $(UNUSED_SRCS), $(filter-out $(SWIGCOUT),$(wildcard *.c))) +endif + +OBJS= $(patsubst %.c,%.o,$(SRCS)) +LOBJS= $(patsubst %.c,%.lo,$(SRCS)) CFLAGS ?= -Wall -W -Wundef -Wmissing-noreturn -Wmissing-format-attribute override CFLAGS += -I../include -I$(INCLUDEDIR) -D_GNU_SOURCE -D_FILE_OFFSET_BITS=64 +ifeq ($(DISABLE_SEPOL),1) +override CFLAGS += -DDISABLE_SEPOL +endif + RANLIB=ranlib ARCH := $(patsubst i%86,i386,$(shell uname -m)) @@ -48,7 +65,7 @@ $(CC) $(LDFLAGS) -shared -o $@ $< -L. -lselinux -L$(LIBDIR) -Wl,-soname,$@ $(LIBSO): $(LOBJS) - $(CC) $(LDFLAGS) -shared -o $@ $^ -ldl -lsepol -L$(LIBDIR) -Wl,-soname,$(LIBSO),-z,defs,-z,relro + $(CC) $(LDFLAGS) -shared -o $@ $^ -ldl $(LSEPOL) -L$(LIBDIR) -Wl,-soname,$(LIBSO),-z,defs,-z,relro ln -sf $@ $(TARGET) %.o: %.c policy.h Modified: trunk/libselinux/src/load_policy.c =================================================================== --- trunk/libselinux/src/load_policy.c 2007-04-05 20:03:56 UTC (rev 2324) +++ trunk/libselinux/src/load_policy.c 2007-04-09 18:02:21 UTC (rev 2325) 
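Review bot: `SRCS` is computed three times with the same nested `$(filter-out …)`, and the `DISABLE_SEPOL` block relies on `UNUSED_SRCS` being empty when `EMBEDDED` is not set; collecting the exclusions first and filtering once is clearer and cannot drift: `UNUSED_SRCS :=` at the top, `UNUSED_SRCS += …` inside each conditional, then `SRCS := $(filter-out $(SWIGCOUT) $(UNUSED_SRCS),$(wildcard *.c))` after the `endif`s, with `:=` so the `$(wildcard)` is not re-evaluated on every expansion. The existing `-z,defs` on the `$(LIBSO)` link is a useful safety net here — with `LSEPOL` empty, any libsepol reference left in the kept sources fails at link time rather than at load time — so it should stay. A comment naming what each knob drops (`EMBEDDED`: the AVC; `DISABLE_SEPOL`: boolean support) would help the next reader.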
@@ -41,7 +41,56 @@
 
 int load_setlocaldefs hidden = 1;
 
-int selinux_mkload_policy(int preservebools)
+/*
+ This function is used only if DISABLE_SEPOL is defined.
+ Size of libsepol is big, so you may want to disable libsepol for embedded devices.
+ This function is selinux_mkload_policy with limitations.
+ Limitations:
+ - Binary policy file name is assumed as "policy.<value in /selinux/policyvers>".
+ - Preserve boolean is not supported, so it is recommended not to use boolean,
+ if you want to disable sepol.
+ - system.users and local.users are not supported.
+*/
+static int selinux_mkload_policy_nosepol(int preservebools) {
+	int rc = -1;
+	char path[PATH_MAX];
+	size_t size;
+	void *data;
+	int fd;
+	struct stat sb;
+
+	if (preservebools) {
+		return -1;
+	}
+
+	snprintf(path, sizeof(path), "%s", selinux_binary_policy_path());
+
+	fd = open(path, O_RDONLY);
+	if (fd < 0)
+		return -1;
+
+	if (fstat(fd, &sb) < 0)
+		goto close;
+
+	size = sb.st_size;
+	data = mmap(NULL, size, PROT_READ, MAP_PRIVATE, fd, 0);
+	if (data == MAP_FAILED)
+		goto close;
+
+	rc = security_load_policy(data, size);
+
+      close:
+	close(fd);
+	return rc;
+
+}
+
+#ifndef DISABLE_SEPOL
+/*
+ selinux_mkload_policy with full features.
+ This is used usually(when DISABLE_SEPOL is not defined).
+*/
+static int selinux_mkload_policy_sepol(int preservebools)
 {
 	int vers = sepol_policy_kern_vers_max();
 	int kernvers = security_policyvers();
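Review bot: `selinux_mkload_policy_nosepol` is compiled in every build but only called under `#ifdef DISABLE_SEPOL` (the wrapper in the next hunk), so a normal build carries a `static` function that is never referenced and, with the `-Wall` this directory's Makefile sets, an unused-function warning; wrap its definition in `#ifdef DISABLE_SEPOL` … `#endif` the way the sepol variant is wrapped in `#ifndef`. Inside the function the mapping is never released: add `munmap(data, size);` directly after the `security_load_policy(data, size)` call so the read-only mapping of the policy file does not outlive the load. The header comment states the file name is assumed to be `policy.<value in /selinux/policyvers>`, but the code opens `selinux_binary_policy_path()` with nothing appended, so either the comment or the path construction is wrong — presumably the latter, since no version number is read or appended anywhere in the function. The label `close:` reuses the name of the `close()` call on the line below it, which is legal but reads oddly; `out:` is the usual choice. The body of `selinux_mkload_policy_sepol` continues outside the hunk.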
@@ -154,7 +203,16 @@
 	close(fd);
 	return rc;
 }
+#endif /*ifndef DISABLE_SEPOL*/
 
+int selinux_mkload_policy(int preservebools) {
+#ifdef DISABLE_SEPOL
+	return selinux_mkload_policy_nosepol(preservebools);
+#else
+	return selinux_mkload_policy_sepol(preservebools);
+#endif
+}
+
 hidden_def(selinux_mkload_policy)
 
 /*
Modified: trunk/libselinux/src/selinux_internal.h
===================================================================
--- trunk/libselinux/src/selinux_internal.h	2007-04-05 20:03:56 UTC (rev 2324)
+++ trunk/libselinux/src/selinux_internal.h	2007-04-09 18:02:21 UTC (rev 2325)
@@ -76,6 +76,8 @@
 hidden_proto(selinux_getpolicytype);
 hidden_proto(selinux_raw_to_trans_context);
 hidden_proto(selinux_trans_to_raw_context);
+hidden_proto(security_get_initial_context);
+hidden_proto(security_get_initial_context_raw);
 extern int load_setlocaldefs hidden;
 extern int require_seusers hidden;
 
Modified: trunk/libsepol/src/Makefile
===================================================================
--- trunk/libsepol/src/Makefile	2007-04-05 20:03:56 UTC (rev 2324)
+++ trunk/libsepol/src/Makefile	2007-04-09 18:02:21 UTC (rev 2325)
@@ -8,11 +8,18 @@
 LIBA=libsepol.a
 TARGET=libsepol.so
 LIBSO=$(TARGET).$(LIBVERSION)
-OBJS= $(patsubst %.c,%.o,$(wildcard *.c))
-LOBJS= $(patsubst %.c,%.lo,$(wildcard *.c))
+
+SRCS=$(wildcard *.c)
+ifeq ($(EMBEDDED),1)
+UNUSED_SRCS=link.c nodes.c roles.c iface_record.c module.c port_record.c user_record.c interfaces.c node_record.c ports.c users.c
+SRCS= $(filter-out $(UNUSED_SRCS), $(wildcard *.c))
+endif
+OBJS= $(patsubst %.c,%.o,$(SRCS))
+LOBJS= $(patsubst %.c,%.lo,$(SRCS))
 CFLAGS ?= -Wall -W -Wundef -Wmissing-noreturn -Wmissing-format-attribute
 override CFLAGS += -I. -I../include -D_GNU_SOURCE
+
 
 all: $(LIBA) $(LIBSO)
 
 $(LIBA): $(OBJS)
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
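Review bot: Nothing in the libsepol/src/Makefile hunk records what `EMBEDDED=1` removes from the library, and the eleven sources dropped via `UNUSED_SRCS` are, judging by their names, the module-linking and policy-record APIs; the installed headers and the exported symbol list (neither is in this hunk) presumably still advertise them, so a consumer only finds out at its own link step. A comment above the `ifeq ($(EMBEDDED),1)` such as `# EMBEDDED=1 omits the module linking and policy record sources; programs using those APIs will not link against this build` would tell integrators what they are giving up. The rest of this Makefile, including the `$(LIBSO)` link rule, is outside the hunk.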
