diff --git a/SOURCES/libsepol-rhel.patch b/SOURCES/libsepol-rhel.patch
index 4e5b8fa..e575601 100644
--- a/SOURCES/libsepol-rhel.patch
+++ b/SOURCES/libsepol-rhel.patch
@@ -44,18 +44,19 @@ index ace3d54..c7cc464 100644
  	* Fix unused variable annotations, from Nicolas Iooss.
  	* Fix uninitialized variable in CIL, from Nicolas Iooss.
 diff --git libsepol-2.5/cil/src/cil.c libsepol-2.5/cil/src/cil.c
-index afdc240..9b2c45b 100644
+index afdc240..3e99b24 100644
 --- libsepol-2.5/cil/src/cil.c
 +++ libsepol-2.5/cil/src/cil.c
-@@ -108,6 +108,7 @@ static void cil_init_keys(void)
+@@ -108,6 +108,8 @@ static void cil_init_keys(void)
  	CIL_KEY_STAR = cil_strpool_add("*");
  	CIL_KEY_UDP = cil_strpool_add("udp");
  	CIL_KEY_TCP = cil_strpool_add("tcp");
 +	CIL_KEY_DCCP = cil_strpool_add("dccp");
++	CIL_KEY_SCTP = cil_strpool_add("sctp");
  	CIL_KEY_AUDITALLOW = cil_strpool_add("auditallow");
  	CIL_KEY_TUNABLEIF = cil_strpool_add("tunableif");
  	CIL_KEY_ALLOW = cil_strpool_add("allow");
-@@ -186,6 +187,8 @@ static void cil_init_keys(void)
+@@ -186,6 +188,8 @@ static void cil_init_keys(void)
  	CIL_KEY_MLSVALIDATETRANS = cil_strpool_add("mlsvalidatetrans");
  	CIL_KEY_CONTEXT = cil_strpool_add("context");
  	CIL_KEY_FILECON = cil_strpool_add("filecon");
@@ -64,7 +65,7 @@ index afdc240..9b2c45b 100644
  	CIL_KEY_PORTCON = cil_strpool_add("portcon");
  	CIL_KEY_NODECON = cil_strpool_add("nodecon");
  	CIL_KEY_GENFSCON = cil_strpool_add("genfscon");
-@@ -232,6 +235,9 @@ static void cil_init_keys(void)
+@@ -232,6 +236,9 @@ static void cil_init_keys(void)
  	CIL_KEY_PERMISSIONX = cil_strpool_add("permissionx");
  	CIL_KEY_IOCTL = cil_strpool_add("ioctl");
  	CIL_KEY_UNORDERED = cil_strpool_add("unordered");
@@ -74,7 +75,7 @@ index afdc240..9b2c45b 100644
  }
  
  void cil_db_init(struct cil_db **db)
-@@ -252,6 +258,8 @@ void cil_db_init(struct cil_db **db)
+@@ -252,6 +259,8 @@ void cil_db_init(struct cil_db **db)
  	cil_sort_init(&(*db)->genfscon);
  	cil_sort_init(&(*db)->filecon);
  	cil_sort_init(&(*db)->nodecon);
@@ -83,7 +84,7 @@ index afdc240..9b2c45b 100644
  	cil_sort_init(&(*db)->portcon);
  	cil_sort_init(&(*db)->pirqcon);
  	cil_sort_init(&(*db)->iomemcon);
-@@ -301,6 +309,8 @@ void cil_db_destroy(struct cil_db **db)
+@@ -301,6 +310,8 @@ void cil_db_destroy(struct cil_db **db)
  	cil_sort_destroy(&(*db)->genfscon);
  	cil_sort_destroy(&(*db)->filecon);
  	cil_sort_destroy(&(*db)->nodecon);
@@ -92,7 +93,7 @@ index afdc240..9b2c45b 100644
  	cil_sort_destroy(&(*db)->portcon);
  	cil_sort_destroy(&(*db)->pirqcon);
  	cil_sort_destroy(&(*db)->iomemcon);
-@@ -712,9 +722,15 @@ void cil_destroy_data(void **data, enum cil_flavor flavor)
+@@ -712,9 +723,15 @@ void cil_destroy_data(void **data, enum cil_flavor flavor)
  	case CIL_FILECON:
  		cil_destroy_filecon(*data);
  		break;
@@ -108,7 +109,7 @@ index afdc240..9b2c45b 100644
  	case CIL_NODECON:
  		cil_destroy_nodecon(*data);
  		break;
-@@ -756,6 +772,9 @@ void cil_destroy_data(void **data, enum cil_flavor flavor)
+@@ -756,6 +773,9 @@ void cil_destroy_data(void **data, enum cil_flavor flavor)
  	case CIL_MLS:
  		cil_destroy_mls(*data);
  		break;
@@ -118,7 +119,7 @@ index afdc240..9b2c45b 100644
  	case CIL_OP:
  	case CIL_CONS_OPERAND:
  		break;
-@@ -763,8 +782,8 @@ void cil_destroy_data(void **data, enum cil_flavor flavor)
+@@ -763,8 +783,8 @@ void cil_destroy_data(void **data, enum cil_flavor flavor)
  		cil_log(CIL_INFO, "Unknown data flavor: %d\n", flavor);
  		break;
  	}
@@ -129,7 +130,7 @@ index afdc240..9b2c45b 100644
  }
  
  int cil_flavor_to_symtab_index(enum cil_flavor flavor, enum cil_sym_index *sym_index)
-@@ -1076,6 +1095,10 @@ const char * cil_node_to_string(struct cil_tree_node *node)
+@@ -1076,6 +1096,10 @@ const char * cil_node_to_string(struct cil_tree_node *node)
  		return CIL_KEY_FSUSE;
  	case CIL_FILECON:
  		return CIL_KEY_FILECON;
@@ -140,7 +141,7 @@ index afdc240..9b2c45b 100644
  	case CIL_PORTCON:
  		return CIL_KEY_PORTCON;
  	case CIL_NODECON:
-@@ -1108,6 +1131,8 @@ const char * cil_node_to_string(struct cil_tree_node *node)
+@@ -1108,6 +1132,8 @@ const char * cil_node_to_string(struct cil_tree_node *node)
  		return CIL_KEY_HANDLEUNKNOWN;
  	case CIL_MLS:
  		return CIL_KEY_MLS;
@@ -149,7 +150,7 @@ index afdc240..9b2c45b 100644
  	case CIL_ALL:
  		return CIL_KEY_ALL;
  	case CIL_RANGE:
-@@ -1755,8 +1780,7 @@ int cil_get_symtab(struct cil_tree_node *ast_node, symtab_t **symtab, enum cil_s
+@@ -1755,8 +1781,7 @@ int cil_get_symtab(struct cil_tree_node *ast_node, symtab_t **symtab, enum cil_s
  	return SEPOL_OK;
  
  exit:
@@ -159,7 +160,7 @@ index afdc240..9b2c45b 100644
  	return SEPOL_ERR;	
  }
  
-@@ -1796,6 +1820,16 @@ void cil_netifcon_init(struct cil_netifcon **netifcon)
+@@ -1796,6 +1821,16 @@ void cil_netifcon_init(struct cil_netifcon **netifcon)
  	(*netifcon)->context_str = NULL;
  }
  
@@ -176,7 +177,7 @@ index afdc240..9b2c45b 100644
  void cil_context_init(struct cil_context **context)
  {
  	*context = cil_malloc(sizeof(**context));
-@@ -2212,6 +2246,17 @@ void cil_filecon_init(struct cil_filecon **filecon)
+@@ -2212,6 +2247,17 @@ void cil_filecon_init(struct cil_filecon **filecon)
  	(*filecon)->context = NULL;
  }
  
@@ -194,7 +195,7 @@ index afdc240..9b2c45b 100644
  void cil_portcon_init(struct cil_portcon **portcon)
  {
  	*portcon = cil_malloc(sizeof(**portcon));
-@@ -2553,3 +2598,10 @@ void cil_mls_init(struct cil_mls **mls)
+@@ -2553,3 +2599,10 @@ void cil_mls_init(struct cil_mls **mls)
  	*mls = cil_malloc(sizeof(**mls));
  	(*mls)->value = 0;
  }
@@ -206,20 +207,23 @@ index afdc240..9b2c45b 100644
 +	(*info)->path = NULL;
 +}
 diff --git libsepol-2.5/cil/src/cil_binary.c libsepol-2.5/cil/src/cil_binary.c
-index f749e53..c507124 100644
+index f749e53..9e71691 100644
 --- libsepol-2.5/cil/src/cil_binary.c
 +++ libsepol-2.5/cil/src/cil_binary.c
-@@ -31,6 +31,9 @@
+@@ -31,6 +31,12 @@
  #include <stdio.h>
  #include <assert.h>
  #include <netinet/in.h>
 +#ifndef IPPROTO_DCCP
 +#define IPPROTO_DCCP 33
 +#endif
++#ifndef IPPROTO_SCTP
++#define IPPROTO_SCTP 132
++#endif
  
  #include <sepol/policydb/policydb.h>
  #include <sepol/policydb/polcaps.h>
-@@ -606,9 +609,11 @@ int __cil_typeattr_bitmap_init(policydb_t *pdb)
+@@ -606,9 +612,11 @@ int __cil_typeattr_bitmap_init(policydb_t *pdb)
  			rc = SEPOL_ERR;
  			goto exit;
  		}
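Review bot: The fallback `#define IPPROTO_SCTP 132` (like the `IPPROTO_DCCP 33` guard above it) puts a bare protocol number into this file with nothing saying where the value comes from or when the fallback applies. The same macro is what cil_portcon_to_policydb stores in `new_ocon->u.port.protocol`, so a value that diverged from the system headers would presumably label port contexts under the wrong protocol without any build error. A comment above the guards would cover it, for example `/* Fallbacks for libc headers that lack these; values are the IANA-assigned IP protocol numbers. */`.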
@@ -234,7 +238,7 @@ index f749e53..c507124 100644
  		}
  
  	}
-@@ -749,6 +754,12 @@ int cil_userrole_to_policydb(policydb_t *pdb, const struct cil_db *db, struct ci
+@@ -749,6 +757,12 @@ int cil_userrole_to_policydb(policydb_t *pdb, const struct cil_db *db, struct ci
  				goto exit;
  			}
  
@@ -247,7 +251,7 @@ index f749e53..c507124 100644
  			if (ebitmap_set_bit(&sepol_user->roles.roles, sepol_role->s.value - 1, 1)) {
  				cil_log(CIL_INFO, "Failed to set role bit for user\n");
  				rc = SEPOL_ERR;
-@@ -1770,13 +1781,12 @@ int __cil_cond_to_policydb_helper(struct cil_tree_node *node, __attribute__((unu
+@@ -1770,13 +1784,12 @@ int __cil_cond_to_policydb_helper(struct cil_tree_node *node, __attribute__((unu
  		cil_typetrans = (struct cil_nametypetransition*)node->data;
  		if (DATUM(cil_typetrans->name)->fqn != CIL_KEY_STAR) {
  			cil_log(CIL_ERR, "typetransition with file name not allowed within a booleanif block.\n");
@@ -263,7 +267,7 @@ index f749e53..c507124 100644
  			goto exit;
  		}
  		break;
-@@ -1784,7 +1794,7 @@ int __cil_cond_to_policydb_helper(struct cil_tree_node *node, __attribute__((unu
+@@ -1784,7 +1797,7 @@ int __cil_cond_to_policydb_helper(struct cil_tree_node *node, __attribute__((unu
  		cil_type_rule = node->data;
  		rc = __cil_type_rule_to_avtab(pdb, db, cil_type_rule, cond_node, cond_flavor);
  		if (rc != SEPOL_OK) {
@@ -272,7 +276,7 @@ index f749e53..c507124 100644
  			goto exit;
  		}
  		break;
-@@ -1792,7 +1802,7 @@ int __cil_cond_to_policydb_helper(struct cil_tree_node *node, __attribute__((unu
+@@ -1792,7 +1805,7 @@ int __cil_cond_to_policydb_helper(struct cil_tree_node *node, __attribute__((unu
  		cil_avrule = node->data;
  		rc = __cil_avrule_to_avtab(pdb, db, cil_avrule, cond_node, cond_flavor);
  		if (rc != SEPOL_OK) {
@@ -281,7 +285,7 @@ index f749e53..c507124 100644
  			goto exit;
  		}
  		break;
-@@ -1800,8 +1810,7 @@ int __cil_cond_to_policydb_helper(struct cil_tree_node *node, __attribute__((unu
+@@ -1800,8 +1813,7 @@ int __cil_cond_to_policydb_helper(struct cil_tree_node *node, __attribute__((unu
  	case CIL_TUNABLEIF:
  		break;
  	default:
@@ -291,7 +295,7 @@ index f749e53..c507124 100644
  		goto exit;
  	}
  
-@@ -2060,14 +2069,13 @@ int cil_booleanif_to_policydb(policydb_t *pdb, const struct cil_db *db, struct c
+@@ -2060,14 +2072,13 @@ int cil_booleanif_to_policydb(policydb_t *pdb, const struct cil_db *db, struct c
  	tmp_cond = cond_node_create(pdb, NULL);
  	if (tmp_cond == NULL) {
  		rc = SEPOL_ERR;
@@ -308,7 +312,7 @@ index f749e53..c507124 100644
  		goto exit;
  	}
  
-@@ -2123,7 +2131,7 @@ int cil_booleanif_to_policydb(policydb_t *pdb, const struct cil_db *db, struct c
+@@ -2123,7 +2134,7 @@ int cil_booleanif_to_policydb(policydb_t *pdb, const struct cil_db *db, struct c
  		bool_args.cond_flavor = CIL_CONDTRUE;
  		rc = cil_tree_walk(true_node, __cil_cond_to_policydb_helper, NULL, NULL, &bool_args);
  		if (rc != SEPOL_OK) {
@@ -317,7 +321,7 @@ index f749e53..c507124 100644
  			goto exit;
  		}
  	}
-@@ -2132,7 +2140,7 @@ int cil_booleanif_to_policydb(policydb_t *pdb, const struct cil_db *db, struct c
+@@ -2132,7 +2143,7 @@ int cil_booleanif_to_policydb(policydb_t *pdb, const struct cil_db *db, struct c
  		bool_args.cond_flavor = CIL_CONDFALSE;
  		rc = cil_tree_walk(false_node, __cil_cond_to_policydb_helper, NULL, NULL, &bool_args);
  		if (rc != SEPOL_OK) {
@@ -326,7 +330,7 @@ index f749e53..c507124 100644
  			goto exit;
  		}
  	}
-@@ -3018,6 +3026,40 @@ exit:
+@@ -3018,6 +3029,40 @@ exit:
  	return rc;
  }
  
@@ -367,17 +371,20 @@ index f749e53..c507124 100644
  int cil_portcon_to_policydb(policydb_t *pdb, struct cil_sort *portcons)
  {
  	int rc = SEPOL_ERR;
-@@ -3035,6 +3077,9 @@ int cil_portcon_to_policydb(policydb_t *pdb, struct cil_sort *portcons)
+@@ -3035,6 +3080,12 @@ int cil_portcon_to_policydb(policydb_t *pdb, struct cil_sort *portcons)
  		case CIL_PROTOCOL_TCP:
  			new_ocon->u.port.protocol = IPPROTO_TCP;
  			break;
 +		case CIL_PROTOCOL_DCCP:
 +			new_ocon->u.port.protocol = IPPROTO_DCCP;
 +			break;
++		case CIL_PROTOCOL_SCTP:
++			new_ocon->u.port.protocol = IPPROTO_SCTP;
++			break;
  		default:
  			/* should not get here */
  			rc = SEPOL_ERR;
-@@ -3086,6 +3131,30 @@ exit:
+@@ -3086,6 +3137,30 @@ exit:
  	return rc;
  }
  
@@ -408,7 +415,7 @@ index f749e53..c507124 100644
  int cil_nodecon_to_policydb(policydb_t *pdb, struct cil_sort *nodecons)
  {
  	int rc = SEPOL_ERR;
-@@ -3583,7 +3652,7 @@ int __cil_node_to_policydb(struct cil_tree_node *node, void *extra_args)
+@@ -3583,7 +3658,7 @@ int __cil_node_to_policydb(struct cil_tree_node *node, void *extra_args)
  
  exit:
  	if (rc != SEPOL_OK) {
@@ -417,7 +424,7 @@ index f749e53..c507124 100644
  	}
  	return rc;
  }
-@@ -3645,6 +3714,16 @@ int __cil_contexts_to_policydb(policydb_t *pdb, const struct cil_db *db)
+@@ -3645,6 +3720,16 @@ int __cil_contexts_to_policydb(policydb_t *pdb, const struct cil_db *db)
  		goto exit;
  	}
  
@@ -434,7 +441,7 @@ index f749e53..c507124 100644
  	if (db->target_platform == SEPOL_TARGET_XEN) {
  		rc = cil_pirqcon_to_policydb(pdb, db->pirqcon);
  		if (rc != SEPOL_OK) {
-@@ -4227,6 +4306,9 @@ exit:
+@@ -4227,6 +4312,9 @@ exit:
  static avrule_t *__cil_init_sepol_avrule(uint32_t kind, struct cil_tree_node *node)
  {
  	avrule_t *avrule;
@@ -444,7 +451,7 @@ index f749e53..c507124 100644
  
  	avrule = cil_malloc(sizeof(avrule_t));
  	avrule->specified = kind;
-@@ -4235,8 +4317,17 @@ static avrule_t *__cil_init_sepol_avrule(uint32_t kind, struct cil_tree_node *no
+@@ -4235,8 +4323,17 @@ static avrule_t *__cil_init_sepol_avrule(uint32_t kind, struct cil_tree_node *no
  	__cil_init_sepol_type_set(&avrule->ttypes);
  	avrule->perms = NULL;
  	avrule->line = node->line;
@@ -463,7 +470,7 @@ index f749e53..c507124 100644
  	avrule->next = NULL;
  	return avrule;
  }
-@@ -4263,10 +4354,8 @@ static void __cil_print_parents(const char *pad, struct cil_tree_node *n)
+@@ -4263,10 +4360,8 @@ static void __cil_print_parents(const char *pad, struct cil_tree_node *n)
  
  	__cil_print_parents(pad, n->parent);
  
@@ -476,7 +483,7 @@ index f749e53..c507124 100644
  	}
  }
  
-@@ -4357,7 +4446,7 @@ static int __cil_print_neverallow_failure(const struct cil_db *db, struct cil_tr
+@@ -4357,7 +4452,7 @@ static int __cil_print_neverallow_failure(const struct cil_db *db, struct cil_tr
  		allow_str = CIL_KEY_ALLOWX;
  		avrule_flavor = CIL_AVRULEX;
  	}
@@ -485,7 +492,7 @@ index f749e53..c507124 100644
  	__cil_print_rule("  ", neverallow_str, cil_rule);
  	cil_list_init(&matching, CIL_NODE);
  	rc = cil_find_matching_avrule_in_ast(db->ast->root, avrule_flavor, &target, matching, CIL_FALSE);
-@@ -4380,10 +4469,9 @@ exit:
+@@ -4380,10 +4475,9 @@ exit:
  	return rc;
  }
  
@@ -498,7 +505,7 @@ index f749e53..c507124 100644
  	struct cil_avrule *cil_rule = node->data;
  	struct cil_symtab_datum *tgt = cil_rule->tgt;
  	uint32_t kind;
-@@ -4422,11 +4510,11 @@ static int cil_check_neverallow(const struct cil_db *db, policydb_t *pdb, struct
+@@ -4422,11 +4516,11 @@ static int cil_check_neverallow(const struct cil_db *db, policydb_t *pdb, struct
  
  		rc = check_assertion(pdb, rule);
  		if (rc == CIL_TRUE) {
@@ -511,7 +518,7 @@ index f749e53..c507124 100644
  		}
  
  	} else {
-@@ -4444,12 +4532,11 @@ static int cil_check_neverallow(const struct cil_db *db, policydb_t *pdb, struct
+@@ -4444,12 +4538,11 @@ static int cil_check_neverallow(const struct cil_db *db, policydb_t *pdb, struct
  			rule->xperms = item->data;
  			rc = check_assertion(pdb, rule);
  			if (rc == CIL_TRUE) {
@@ -525,7 +532,7 @@ index f749e53..c507124 100644
  			}
  		}
  	}
-@@ -4466,34 +4553,23 @@ exit:
+@@ -4466,34 +4559,23 @@ exit:
  	rule->xperms = NULL;
  	__cil_destroy_sepol_avrules(rule);
  
@@ -565,7 +572,7 @@ index f749e53..c507124 100644
  }
  
  static struct cil_list *cil_classperms_from_sepol(policydb_t *pdb, uint16_t class, uint32_t data, struct cil_class *class_value_to_cil[], struct cil_perm **perm_value_to_cil[])
-@@ -4548,7 +4624,7 @@ exit:
+@@ -4548,7 +4630,7 @@ exit:
  	return rc;
  }
  
@@ -574,7 +581,7 @@ index f749e53..c507124 100644
  {
  	int rc = SEPOL_OK;
  	int i;
-@@ -4574,6 +4650,9 @@ static int cil_check_type_bounds(const struct cil_db *db, policydb_t *pdb, void
+@@ -4574,6 +4656,9 @@ static int cil_check_type_bounds(const struct cil_db *db, policydb_t *pdb, void
  		if (bad) {
  			avtab_ptr_t cur;
  			struct cil_avrule target;
@@ -584,7 +591,7 @@ index f749e53..c507124 100644
  
                          target.is_extended = 0;
  			target.rule_kind = CIL_AVRULE_ALLOWED;
-@@ -4585,7 +4664,6 @@ static int cil_check_type_bounds(const struct cil_db *db, policydb_t *pdb, void
+@@ -4585,7 +4670,6 @@ static int cil_check_type_bounds(const struct cil_db *db, policydb_t *pdb, void
  			for (cur = bad; cur; cur = cur->next) {
  				struct cil_list_item *i2;
  				struct cil_list *matching;
@@ -592,7 +599,7 @@ index f749e53..c507124 100644
  
  				rc = cil_avrule_from_sepol(pdb, cur, &target, type_value_to_cil, class_value_to_cil, perm_value_to_cil);
  				if (rc != SEPOL_OK) {
-@@ -4594,7 +4672,7 @@ static int cil_check_type_bounds(const struct cil_db *db, policydb_t *pdb, void
+@@ -4594,7 +4678,7 @@ static int cil_check_type_bounds(const struct cil_db *db, policydb_t *pdb, void
  				}
  				__cil_print_rule("  ", "allow", &target);
  				cil_list_init(&matching, CIL_NODE);
@@ -601,7 +608,7 @@ index f749e53..c507124 100644
  				if (rc) {
  					cil_log(CIL_ERR, "Error occurred while checking type bounds\n");
  					cil_list_destroy(&matching, CIL_FALSE);
-@@ -4602,14 +4680,17 @@ static int cil_check_type_bounds(const struct cil_db *db, policydb_t *pdb, void
+@@ -4602,14 +4686,17 @@ static int cil_check_type_bounds(const struct cil_db *db, policydb_t *pdb, void
  					bounds_destroy_bad(bad);
  					goto exit;
  				}
@@ -625,7 +632,7 @@ index f749e53..c507124 100644
  				cil_list_destroy(&matching, CIL_FALSE);
  				cil_list_destroy(&target.perms.classperms, CIL_TRUE);
  			}
-@@ -4753,20 +4834,32 @@ int cil_binary_create_allocated_pdb(const struct cil_db *db, sepol_policydb_t *p
+@@ -4753,20 +4840,32 @@ int cil_binary_create_allocated_pdb(const struct cil_db *db, sepol_policydb_t *p
  	__cil_set_conditional_state_and_flags(pdb);
  
  	if (db->disable_neverallow != CIL_TRUE) {
@@ -666,10 +673,11 @@ diff --git libsepol-2.5/cil/src/cil_binary.h libsepol-2.5/cil/src/cil_binary.h
 index c59b1e3..5367feb 100644
 --- libsepol-2.5/cil/src/cil_binary.h
 +++ libsepol-2.5/cil/src/cil_binary.h
-@@ -330,6 +330,30 @@ int cil_sepol_level_define(policydb_t *pdb, struct cil_sens *cil_sens);
+@@ -329,6 +329,30 @@ int cil_sepol_level_define(policydb_t *pdb, struct cil_sens *cil_sens);
+  */
  int cil_rangetransition_to_policydb(policydb_t *pdb, const struct cil_db *db, struct cil_rangetransition *rangetrans, hashtab_t range_trans_table);
  
- /**
++/**
 + * Insert cil ibpkeycon structure into sepol policydb.
 + * The function is given a structure containing the sorted ibpkeycons and
 + * loops over this structure inserting them into the policy database.
@@ -693,12 +701,11 @@ index c59b1e3..5367feb 100644
 + */
 +int cil_ibendportcon_to_policydb(policydb_t *pdb, struct cil_sort *pkeycons);
 +
-+/**
+ /**
   * Insert cil portcon structure into sepol policydb.
   * The function is given a structure containing the sorted portcons and
-  * loops over this structure inserting them into the policy database.
 diff --git libsepol-2.5/cil/src/cil_build_ast.c libsepol-2.5/cil/src/cil_build_ast.c
-index 1135e06..855e2b4 100644
+index 1135e06..916e8cf 100644
 --- libsepol-2.5/cil/src/cil_build_ast.c
 +++ libsepol-2.5/cil/src/cil_build_ast.c
 @@ -108,8 +108,7 @@ int cil_gen_node(__attribute__((unused)) struct cil_db *db, struct cil_tree_node
@@ -1419,16 +1426,18 @@ index 1135e06..855e2b4 100644
  int cil_gen_portcon(struct cil_db *db, struct cil_tree_node *parse_current, struct cil_tree_node *ast_node)
  {
  	enum cil_syntax syntax[] = {
-@@ -4261,6 +4282,8 @@ int cil_gen_portcon(struct cil_db *db, struct cil_tree_node *parse_current, stru
+@@ -4261,6 +4282,10 @@ int cil_gen_portcon(struct cil_db *db, struct cil_tree_node *parse_current, stru
  		portcon->proto = CIL_PROTOCOL_UDP;
  	} else if (proto == CIL_KEY_TCP) {
  		portcon->proto = CIL_PROTOCOL_TCP;
 +	} else if (proto == CIL_KEY_DCCP) {
 +		portcon->proto = CIL_PROTOCOL_DCCP;
++	} else if (proto == CIL_KEY_SCTP) {
++		portcon->proto = CIL_PROTOCOL_SCTP;
  	} else {
  		cil_log(CIL_ERR, "Invalid protocol\n");
  		rc = SEPOL_ERR;
-@@ -4311,8 +4334,7 @@ int cil_gen_portcon(struct cil_db *db, struct cil_tree_node *parse_current, stru
+@@ -4311,8 +4336,7 @@ int cil_gen_portcon(struct cil_db *db, struct cil_tree_node *parse_current, stru
  	return SEPOL_OK;
  
  exit:
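Review bot: The `else` branch after the new `proto == CIL_KEY_SCTP` test still logs only `Invalid protocol`, so a policy author who mistypes the keyword is told neither which token was rejected nor that four keywords are now accepted. Consider `cil_log(CIL_ERR, "Invalid protocol %s (expected udp, tcp, dccp or sctp)\n", proto);`, assuming `proto` is the `char *` token it appears to be from the pointer comparisons. Those comparisons appear to rely on `CIL_KEY_SCTP` being interned by `cil_strpool_add("sctp")` in cil_init_keys, which this commit does add; a one-line comment such as `/* keywords are interned, so pointer equality is a string match */` above the chain would make that dependency explicit. cil_gen_portcon starts and ends outside the hunk.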
@@ -1438,7 +1447,7 @@ index 1135e06..855e2b4 100644
  	cil_destroy_portcon(portcon);
  	return rc;
  }
-@@ -4393,8 +4415,7 @@ int cil_gen_nodecon(struct cil_db *db, struct cil_tree_node *parse_current, stru
+@@ -4393,8 +4417,7 @@ int cil_gen_nodecon(struct cil_db *db, struct cil_tree_node *parse_current, stru
  	return SEPOL_OK;
  
  exit:
@@ -1448,7 +1457,7 @@ index 1135e06..855e2b4 100644
  	cil_destroy_nodecon(nodecon);
  	return rc;
  }
-@@ -4464,8 +4485,7 @@ int cil_gen_genfscon(struct cil_db *db, struct cil_tree_node *parse_current, str
+@@ -4464,8 +4487,7 @@ int cil_gen_genfscon(struct cil_db *db, struct cil_tree_node *parse_current, str
  	return SEPOL_OK;
  
  exit:
@@ -1458,7 +1467,7 @@ index 1135e06..855e2b4 100644
  	cil_destroy_genfscon(genfscon);
  	return SEPOL_ERR;
  }
-@@ -4538,8 +4558,7 @@ int cil_gen_netifcon(struct cil_db *db, struct cil_tree_node *parse_current, str
+@@ -4538,8 +4560,7 @@ int cil_gen_netifcon(struct cil_db *db, struct cil_tree_node *parse_current, str
  	return SEPOL_OK;
  
  exit:
@@ -1468,7 +1477,7 @@ index 1135e06..855e2b4 100644
  	cil_destroy_netifcon(netifcon);
  	return SEPOL_ERR;
  }
-@@ -4561,6 +4580,68 @@ void cil_destroy_netifcon(struct cil_netifcon *netifcon)
+@@ -4561,6 +4582,68 @@ void cil_destroy_netifcon(struct cil_netifcon *netifcon)
  	free(netifcon);
  }
  
@@ -1537,7 +1546,7 @@ index 1135e06..855e2b4 100644
  int cil_gen_pirqcon(struct cil_db *db, struct cil_tree_node *parse_current, struct cil_tree_node *ast_node)
  {
  	enum cil_syntax syntax[] = {
-@@ -4606,8 +4687,7 @@ int cil_gen_pirqcon(struct cil_db *db, struct cil_tree_node *parse_current, stru
+@@ -4606,8 +4689,7 @@ int cil_gen_pirqcon(struct cil_db *db, struct cil_tree_node *parse_current, stru
  	return SEPOL_OK;
  
  exit:
@@ -1547,7 +1556,7 @@ index 1135e06..855e2b4 100644
  	cil_destroy_pirqcon(pirqcon);
  	return rc;
  }
-@@ -4692,8 +4772,7 @@ int cil_gen_iomemcon(struct cil_db *db, struct cil_tree_node *parse_current, str
+@@ -4692,8 +4774,7 @@ int cil_gen_iomemcon(struct cil_db *db, struct cil_tree_node *parse_current, str
  	return SEPOL_OK;
  
  exit:
@@ -1557,7 +1566,7 @@ index 1135e06..855e2b4 100644
  	cil_destroy_iomemcon(iomemcon);
  	return rc;
  }
-@@ -4778,8 +4857,7 @@ int cil_gen_ioportcon(struct cil_db *db, struct cil_tree_node *parse_current, st
+@@ -4778,8 +4859,7 @@ int cil_gen_ioportcon(struct cil_db *db, struct cil_tree_node *parse_current, st
  	return SEPOL_OK;
  
  exit:
@@ -1567,7 +1576,7 @@ index 1135e06..855e2b4 100644
  	cil_destroy_ioportcon(ioportcon);
  	return rc;
  }
-@@ -4842,8 +4920,7 @@ int cil_gen_pcidevicecon(struct cil_db *db, struct cil_tree_node *parse_current,
+@@ -4842,8 +4922,7 @@ int cil_gen_pcidevicecon(struct cil_db *db, struct cil_tree_node *parse_current,
  	return SEPOL_OK;
  
  exit:
@@ -1577,7 +1586,7 @@ index 1135e06..855e2b4 100644
  	cil_destroy_pcidevicecon(pcidevicecon);
  	return rc;
  }
-@@ -4903,8 +4980,7 @@ int cil_gen_devicetreecon(struct cil_db *db, struct cil_tree_node *parse_current
+@@ -4903,8 +4982,7 @@ int cil_gen_devicetreecon(struct cil_db *db, struct cil_tree_node *parse_current
  	return SEPOL_OK;
  
  exit:
@@ -1587,7 +1596,7 @@ index 1135e06..855e2b4 100644
  	cil_destroy_devicetreecon(devicetreecon);
  	return rc;
  }
-@@ -4979,8 +5055,7 @@ int cil_gen_fsuse(struct cil_db *db, struct cil_tree_node *parse_current, struct
+@@ -4979,8 +5057,7 @@ int cil_gen_fsuse(struct cil_db *db, struct cil_tree_node *parse_current, struct
  	return SEPOL_OK;
  
  exit:
@@ -1597,7 +1606,7 @@ index 1135e06..855e2b4 100644
  	cil_destroy_fsuse(fsuse);
  	return SEPOL_ERR;
  }
-@@ -5137,8 +5212,7 @@ int cil_gen_macro(struct cil_db *db, struct cil_tree_node *parse_current, struct
+@@ -5137,8 +5214,7 @@ int cil_gen_macro(struct cil_db *db, struct cil_tree_node *parse_current, struct
  	return SEPOL_OK;
  
  exit:
@@ -1607,7 +1616,7 @@ index 1135e06..855e2b4 100644
  	cil_destroy_macro(macro);
  	cil_clear_node(ast_node);
  	return SEPOL_ERR;
-@@ -5196,8 +5270,7 @@ int cil_gen_call(struct cil_db *db, struct cil_tree_node *parse_current, struct
+@@ -5196,8 +5272,7 @@ int cil_gen_call(struct cil_db *db, struct cil_tree_node *parse_current, struct
  	return SEPOL_OK;
  
  exit:
@@ -1617,7 +1626,7 @@ index 1135e06..855e2b4 100644
  	cil_destroy_call(call);
  	return rc;
  }
-@@ -5299,8 +5372,7 @@ int cil_gen_optional(struct cil_db *db, struct cil_tree_node *parse_current, str
+@@ -5299,8 +5374,7 @@ int cil_gen_optional(struct cil_db *db, struct cil_tree_node *parse_current, str
  	return SEPOL_OK;
  
  exit:
@@ -1627,7 +1636,7 @@ index 1135e06..855e2b4 100644
  	cil_destroy_optional(optional);
  	cil_clear_node(ast_node);
  	return rc;
-@@ -5348,8 +5420,7 @@ int cil_gen_policycap(struct cil_db *db, struct cil_tree_node *parse_current, st
+@@ -5348,8 +5422,7 @@ int cil_gen_policycap(struct cil_db *db, struct cil_tree_node *parse_current, st
  	return SEPOL_OK;
  
  exit:
@@ -1637,7 +1646,7 @@ index 1135e06..855e2b4 100644
  	cil_destroy_policycap(polcap);
  	cil_clear_node(ast_node);
  	return rc;
-@@ -5404,8 +5475,7 @@ int cil_gen_ipaddr(struct cil_db *db, struct cil_tree_node *parse_current, struc
+@@ -5404,8 +5477,7 @@ int cil_gen_ipaddr(struct cil_db *db, struct cil_tree_node *parse_current, struc
  	return SEPOL_OK;
  
  exit:
@@ -1647,7 +1656,7 @@ index 1135e06..855e2b4 100644
  	cil_destroy_ipaddr(ipaddr);
  	cil_clear_node(ast_node);
  	return rc;
-@@ -5609,8 +5679,7 @@ int cil_gen_bounds(struct cil_db *db, struct cil_tree_node *parse_current, struc
+@@ -5609,8 +5681,7 @@ int cil_gen_bounds(struct cil_db *db, struct cil_tree_node *parse_current, struc
  	return SEPOL_OK;
  
  exit:
@@ -1657,7 +1666,7 @@ index 1135e06..855e2b4 100644
  	cil_destroy_bounds(bounds);
  	return rc;
  }
-@@ -5671,8 +5740,7 @@ int cil_gen_default(struct cil_tree_node *parse_current, struct cil_tree_node *a
+@@ -5671,8 +5742,7 @@ int cil_gen_default(struct cil_tree_node *parse_current, struct cil_tree_node *a
  	return SEPOL_OK;
  
  exit:
@@ -1667,7 +1676,7 @@ index 1135e06..855e2b4 100644
  	cil_destroy_default(def);
  	return rc;
  }
-@@ -5758,8 +5826,7 @@ int cil_gen_defaultrange(struct cil_tree_node *parse_current, struct cil_tree_no
+@@ -5758,8 +5828,7 @@ int cil_gen_defaultrange(struct cil_tree_node *parse_current, struct cil_tree_no
  	return SEPOL_OK;
  
  exit:
@@ -1677,7 +1686,7 @@ index 1135e06..855e2b4 100644
  	cil_destroy_defaultrange(def);
  	return rc;
  }
-@@ -5819,8 +5886,7 @@ int cil_gen_handleunknown(struct cil_tree_node *parse_current, struct cil_tree_n
+@@ -5819,8 +5888,7 @@ int cil_gen_handleunknown(struct cil_tree_node *parse_current, struct cil_tree_n
  	return SEPOL_OK;
  
  exit:
@@ -1687,7 +1696,7 @@ index 1135e06..855e2b4 100644
  	cil_destroy_handleunknown(unknown);
  	return rc;
  }
-@@ -5868,8 +5934,7 @@ int cil_gen_mls(struct cil_tree_node *parse_current, struct cil_tree_node *ast_n
+@@ -5868,8 +5936,7 @@ int cil_gen_mls(struct cil_tree_node *parse_current, struct cil_tree_node *ast_n
  	return SEPOL_OK;
  
  exit:
@@ -1697,7 +1706,7 @@ index 1135e06..855e2b4 100644
  	cil_destroy_mls(mls);
  	return rc;
  }
-@@ -5879,6 +5944,27 @@ void cil_destroy_mls(struct cil_mls *mls)
+@@ -5879,6 +5946,27 @@ void cil_destroy_mls(struct cil_mls *mls)
  	free(mls);
  }
  
@@ -1725,7 +1734,7 @@ index 1135e06..855e2b4 100644
  int __cil_build_ast_node_helper(struct cil_tree_node *parse_current, uint32_t *finished, void *extra_args)
  {
  	struct cil_args_build *args = NULL;
-@@ -5913,7 +5999,7 @@ int __cil_build_ast_node_helper(struct cil_tree_node *parse_current, uint32_t *f
+@@ -5913,7 +6001,7 @@ int __cil_build_ast_node_helper(struct cil_tree_node *parse_current, uint32_t *f
  		if (parse_current->parent->parent == NULL) {
  			rc = SEPOL_OK;
  		} else {
@@ -1734,7 +1743,7 @@ index 1135e06..855e2b4 100644
  		}
  		goto exit;
  	}
-@@ -5926,7 +6012,7 @@ int __cil_build_ast_node_helper(struct cil_tree_node *parse_current, uint32_t *f
+@@ -5926,7 +6014,7 @@ int __cil_build_ast_node_helper(struct cil_tree_node *parse_current, uint32_t *f
  			parse_current->data == CIL_KEY_BLOCKINHERIT ||
  			parse_current->data == CIL_KEY_BLOCKABSTRACT) {
  			rc = SEPOL_ERR;
@@ -1743,7 +1752,7 @@ index 1135e06..855e2b4 100644
  			goto exit;
  		}
  	}
-@@ -5942,8 +6028,7 @@ int __cil_build_ast_node_helper(struct cil_tree_node *parse_current, uint32_t *f
+@@ -5942,8 +6030,7 @@ int __cil_build_ast_node_helper(struct cil_tree_node *parse_current, uint32_t *f
  			parse_current->data != CIL_KEY_TYPECHANGE &&
  			parse_current->data != CIL_KEY_CALL) {
  			rc = SEPOL_ERR;
@@ -1753,7 +1762,7 @@ index 1135e06..855e2b4 100644
  			if (((struct cil_booleanif*)boolif->data)->preserved_tunable) {
  				cil_log(CIL_ERR, "%s cannot be defined within tunableif statement (treated as a booleanif due to preserve-tunables)\n",
  						(char*)parse_current->data);
-@@ -5958,8 +6043,7 @@ int __cil_build_ast_node_helper(struct cil_tree_node *parse_current, uint32_t *f
+@@ -5958,8 +6045,7 @@ int __cil_build_ast_node_helper(struct cil_tree_node *parse_current, uint32_t *f
  	if (tunif != NULL) {
  		if (parse_current->data == CIL_KEY_TUNABLE) {
  			rc = SEPOL_ERR;
@@ -1763,7 +1772,7 @@ index 1135e06..855e2b4 100644
  			cil_log(CIL_ERR, "Tunables cannot be defined within tunableif statement\n");
  			goto exit;
  		}
-@@ -5968,8 +6052,7 @@ int __cil_build_ast_node_helper(struct cil_tree_node *parse_current, uint32_t *f
+@@ -5968,8 +6054,7 @@ int __cil_build_ast_node_helper(struct cil_tree_node *parse_current, uint32_t *f
  	if (in != NULL) {
  		if (parse_current->data == CIL_KEY_IN) {
  			rc = SEPOL_ERR;
@@ -1773,7 +1782,7 @@ index 1135e06..855e2b4 100644
  			cil_log(CIL_ERR, "in-statements cannot be defined within in-statements\n");
  			goto exit;
  		}
-@@ -5979,7 +6062,7 @@ int __cil_build_ast_node_helper(struct cil_tree_node *parse_current, uint32_t *f
+@@ -5979,7 +6064,7 @@ int __cil_build_ast_node_helper(struct cil_tree_node *parse_current, uint32_t *f
  
  	ast_node->parent = ast_current;
  	ast_node->line = parse_current->line;
@@ -1782,7 +1791,7 @@ index 1135e06..855e2b4 100644
  
  	if (parse_current->data == CIL_KEY_BLOCK) {
  		rc = cil_gen_block(db, parse_current, ast_node, 0);
-@@ -6182,6 +6265,12 @@ int __cil_build_ast_node_helper(struct cil_tree_node *parse_current, uint32_t *f
+@@ -6182,6 +6267,12 @@ int __cil_build_ast_node_helper(struct cil_tree_node *parse_current, uint32_t *f
  	} else if (parse_current->data == CIL_KEY_FILECON) {
  		rc = cil_gen_filecon(db, parse_current, ast_node);
  		*finished = CIL_TREE_SKIP_NEXT;
@@ -1795,7 +1804,7 @@ index 1135e06..855e2b4 100644
  	} else if (parse_current->data == CIL_KEY_PORTCON) {
  		rc = cil_gen_portcon(db, parse_current, ast_node);
  		*finished = CIL_TREE_SKIP_NEXT;
-@@ -6242,8 +6331,10 @@ int __cil_build_ast_node_helper(struct cil_tree_node *parse_current, uint32_t *f
+@@ -6242,8 +6333,10 @@ int __cil_build_ast_node_helper(struct cil_tree_node *parse_current, uint32_t *f
  	} else if (parse_current->data == CIL_KEY_MLS) {
  		rc = cil_gen_mls(parse_current, ast_node);
  		*finished = CIL_TREE_SKIP_NEXT;
@@ -1807,7 +1816,7 @@ index 1135e06..855e2b4 100644
  		rc = SEPOL_ERR;
  	}
  
-@@ -6264,7 +6355,7 @@ int __cil_build_ast_node_helper(struct cil_tree_node *parse_current, uint32_t *f
+@@ -6264,7 +6357,7 @@ int __cil_build_ast_node_helper(struct cil_tree_node *parse_current, uint32_t *f
  			if (ast_current->flavor == CIL_IN) {
  				args->in = ast_current;
  			}
@@ -2027,18 +2036,19 @@ index 865bd7d..dad1347 100644
  
  	return rc;
 diff --git libsepol-2.5/cil/src/cil_internal.h libsepol-2.5/cil/src/cil_internal.h
-index a0a5480..dcc2111 100644
+index a0a5480..9f0aeb6 100644
 --- libsepol-2.5/cil/src/cil_internal.h
 +++ libsepol-2.5/cil/src/cil_internal.h
-@@ -101,6 +101,7 @@ char *CIL_KEY_OBJECT_R;
+@@ -101,6 +101,8 @@ char *CIL_KEY_OBJECT_R;
  char *CIL_KEY_STAR;
  char *CIL_KEY_TCP;
  char *CIL_KEY_UDP;
 +char *CIL_KEY_DCCP;
++char *CIL_KEY_SCTP;
  char *CIL_KEY_AUDITALLOW;
  char *CIL_KEY_TUNABLEIF;
  char *CIL_KEY_ALLOW;
-@@ -200,6 +201,8 @@ char *CIL_KEY_VALIDATETRANS;
+@@ -200,6 +202,8 @@ char *CIL_KEY_VALIDATETRANS;
  char *CIL_KEY_MLSVALIDATETRANS;
  char *CIL_KEY_CONTEXT;
  char *CIL_KEY_FILECON;
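Review bot: `char *CIL_KEY_SCTP;` is a definition placed in a header, not a declaration, so every translation unit that includes cil_internal.h gets its own tentative definition. The neighbouring keys are written the same way, so the new line follows the file's existing pattern, but it links only where the toolchain merges common symbols and fails with duplicate-definition errors under `-fno-common`. The portable form is `extern char *CIL_KEY_SCTP;` here with a single `char *CIL_KEY_SCTP;` in cil.c; no such definition is visible in this diff, so the change would have to cover the whole key list and not just this line.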
@@ -2047,7 +2057,7 @@ index a0a5480..dcc2111 100644
  char *CIL_KEY_PORTCON;
  char *CIL_KEY_NODECON;
  char *CIL_KEY_GENFSCON;
-@@ -225,6 +228,9 @@ char *CIL_KEY_NEVERALLOWX;
+@@ -225,6 +229,9 @@ char *CIL_KEY_NEVERALLOWX;
  char *CIL_KEY_PERMISSIONX;
  char *CIL_KEY_IOCTL;
  char *CIL_KEY_UNORDERED;
@@ -2057,7 +2067,7 @@ index a0a5480..dcc2111 100644
  
  /*
  	Symbol Table Array Indices
-@@ -279,6 +285,8 @@ struct cil_db {
+@@ -279,6 +286,8 @@ struct cil_db {
  	struct cil_sort *genfscon;
  	struct cil_sort *filecon;
  	struct cil_sort *nodecon;
@@ -2066,13 +2076,14 @@ index a0a5480..dcc2111 100644
  	struct cil_sort *portcon;
  	struct cil_sort *pirqcon;
  	struct cil_sort *iomemcon;
-@@ -713,7 +721,16 @@ struct cil_filecon {
+@@ -713,7 +722,17 @@ struct cil_filecon {
  
  enum cil_protocol {
  	CIL_PROTOCOL_UDP = 1,
 -	CIL_PROTOCOL_TCP	
 +	CIL_PROTOCOL_TCP,
-+	CIL_PROTOCOL_DCCP
++	CIL_PROTOCOL_DCCP,
++	CIL_PROTOCOL_SCTP
 +};
 +
 +struct cil_ibpkeycon {
@@ -2084,7 +2095,7 @@ index a0a5480..dcc2111 100644
  };
  
  struct cil_portcon {
-@@ -758,6 +775,12 @@ struct cil_netifcon {
+@@ -758,6 +777,12 @@ struct cil_netifcon {
  	char *context_str;
  };
  
@@ -2097,7 +2108,7 @@ index a0a5480..dcc2111 100644
  struct cil_pirqcon {
  	uint32_t pirq;
  	char *context_str;
-@@ -915,6 +938,11 @@ struct cil_mls {
+@@ -915,6 +940,11 @@ struct cil_mls {
  	int value;
  };
  
@@ -2109,7 +2120,7 @@ index a0a5480..dcc2111 100644
  void cil_db_init(struct cil_db **db);
  void cil_db_destroy(struct cil_db **db);
  
-@@ -938,6 +966,7 @@ int cil_get_symtab(struct cil_tree_node *ast_node, symtab_t **symtab, enum cil_s
+@@ -938,6 +968,7 @@ int cil_get_symtab(struct cil_tree_node *ast_node, symtab_t **symtab, enum cil_s
  void cil_sort_init(struct cil_sort **sort);
  void cil_sort_destroy(struct cil_sort **sort);
  void cil_netifcon_init(struct cil_netifcon **netifcon);
@@ -2117,7 +2128,7 @@ index a0a5480..dcc2111 100644
  void cil_context_init(struct cil_context **context);
  void cil_level_init(struct cil_level **level);
  void cil_levelrange_init(struct cil_levelrange **lvlrange);
-@@ -980,6 +1009,7 @@ void cil_catset_init(struct cil_catset **catset);
+@@ -980,6 +1011,7 @@ void cil_catset_init(struct cil_catset **catset);
  void cil_cats_init(struct cil_cats **cats);
  void cil_senscat_init(struct cil_senscat **senscat);
  void cil_filecon_init(struct cil_filecon **filecon);
@@ -2125,7 +2136,7 @@ index a0a5480..dcc2111 100644
  void cil_portcon_init(struct cil_portcon **portcon);
  void cil_nodecon_init(struct cil_nodecon **nodecon);
  void cil_genfscon_init(struct cil_genfscon **genfscon);
-@@ -1017,6 +1047,7 @@ void cil_default_init(struct cil_default **def);
+@@ -1017,6 +1049,7 @@ void cil_default_init(struct cil_default **def);
  void cil_defaultrange_init(struct cil_defaultrange **def);
  void cil_handleunknown_init(struct cil_handleunknown **unk);
  void cil_mls_init(struct cil_mls **mls);
@@ -2518,19 +2529,21 @@ index d0e108c..101520c 100644
 +	return SEPOL_ERR;
  }
 diff --git libsepol-2.5/cil/src/cil_policy.c libsepol-2.5/cil/src/cil_policy.c
-index 2c9b158..7a57583 100644
+index 2c9b158..6bc3f09 100644
 --- libsepol-2.5/cil/src/cil_policy.c
 +++ libsepol-2.5/cil/src/cil_policy.c
-@@ -123,6 +123,8 @@ int cil_portcon_to_policy(FILE **file_arr, struct cil_sort *sort)
+@@ -123,6 +123,10 @@ int cil_portcon_to_policy(FILE **file_arr, struct cil_sort *sort)
  			fprintf(file_arr[NETIFCONS], "udp ");
  		} else if (portcon->proto == CIL_PROTOCOL_TCP) {
  			fprintf(file_arr[NETIFCONS], "tcp ");
 +		} else if (portcon->proto == CIL_PROTOCOL_DCCP) {
 +			fprintf(file_arr[NETIFCONS], "dccp ");
++		} else if (portcon->proto == CIL_PROTOCOL_SCTP) {
++			fprintf(file_arr[NETIFCONS], "sctp ");
  		}
  		fprintf(file_arr[NETIFCONS], "%d ", portcon->port_low);
  		fprintf(file_arr[NETIFCONS], "%d ", portcon->port_high);
-@@ -148,6 +150,39 @@ int cil_genfscon_to_policy(FILE **file_arr, struct cil_sort *sort)
+@@ -148,6 +152,39 @@ int cil_genfscon_to_policy(FILE **file_arr, struct cil_sort *sort)
  	return SEPOL_OK;
  }
  
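Review bot: The protocol chain in `cil_portcon_to_policy` still has no final `else` after the new SCTP branch, so a `portcon->proto` value outside the four handled ones writes a portcon line with the port range and no protocol keyword. If `proto` is validated when the AST is built this cannot happen, but that check is not visible in this hunk. Now that the enum has grown twice, I would close the chain with `} else { cil_log(CIL_ERR, "Unknown portcon protocol\n"); return SEPOL_ERR; }`. The same if/else-if shape appears in `cil_tree_print_node` in cil_tree.c, where it only affects logging. The function body starts and ends outside the hunk.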
@@ -2570,7 +2583,7 @@ index 2c9b158..7a57583 100644
  int cil_netifcon_to_policy(FILE **file_arr, struct cil_sort *sort)
  {
  	uint32_t i = 0;
-@@ -1321,6 +1356,18 @@ int cil_gen_policy(struct cil_db *db)
+@@ -1321,6 +1358,18 @@ int cil_gen_policy(struct cil_db *db)
  		cil_log(CIL_ERR, "Error creating policy.conf\n");
  		return rc;
  	}
@@ -3095,7 +3108,7 @@ index 1175f97..82c8ea3 100644
  int cil_resolve_genfscon(struct cil_tree_node *current, void *extra_args);
  int cil_resolve_nodecon(struct cil_tree_node *current, void *extra_args);
 diff --git libsepol-2.5/cil/src/cil_tree.c libsepol-2.5/cil/src/cil_tree.c
-index 1c23efc..599f756 100644
+index 1c23efc..aadedb4 100644
 --- libsepol-2.5/cil/src/cil_tree.c
 +++ libsepol-2.5/cil/src/cil_tree.c
 @@ -1,6 +1,6 @@
@@ -3258,16 +3271,18 @@ index 1c23efc..599f756 100644
  		case CIL_PORTCON: {
  			struct cil_portcon *portcon = node->data;
  			cil_log(CIL_INFO, "PORTCON:");
-@@ -1319,6 +1419,8 @@ void cil_tree_print_node(struct cil_tree_node *node)
+@@ -1319,6 +1419,10 @@ void cil_tree_print_node(struct cil_tree_node *node)
  				cil_log(CIL_INFO, " udp");
  			} else if (portcon->proto == CIL_PROTOCOL_TCP) {
  				cil_log(CIL_INFO, " tcp");
 +			} else if (portcon->proto == CIL_PROTOCOL_DCCP) {
 +				cil_log(CIL_INFO, " dccp");
++			} else if (portcon->proto == CIL_PROTOCOL_SCTP) {
++				cil_log(CIL_INFO, " sctp");
  			}
  			cil_log(CIL_INFO, " (%d %d)", portcon->port_low, portcon->port_high);
  
-@@ -1393,6 +1495,19 @@ void cil_tree_print_node(struct cil_tree_node *node)
+@@ -1393,6 +1497,19 @@ void cil_tree_print_node(struct cil_tree_node *node)
  			cil_log(CIL_INFO, "\n");
  			return;
  		}
@@ -3944,12 +3959,15 @@ index 0000000..4ab0a8a
 +__END_DECLS
 +#endif
 diff --git libsepol-2.5/include/sepol/policydb/polcaps.h libsepol-2.5/include/sepol/policydb/polcaps.h
-index 74b7c9e..2018083 100644
+index 74b7c9e..278af82 100644
 --- libsepol-2.5/include/sepol/policydb/polcaps.h
 +++ libsepol-2.5/include/sepol/policydb/polcaps.h
-@@ -11,6 +11,8 @@ enum {
+@@ -9,8 +9,10 @@ __BEGIN_DECLS
+ enum {
+ 	POLICYDB_CAPABILITY_NETPEER,
  	POLICYDB_CAPABILITY_OPENPERM,
- 	POLICYDB_CAPABILITY_REDHAT1, /* reserved for RH testing of ptrace_child */
+-	POLICYDB_CAPABILITY_REDHAT1, /* reserved for RH testing of ptrace_child */
++	POLICYDB_CAPABILITY_EXTSOCKCLASS,
  	POLICYDB_CAPABILITY_ALWAYSNETWORK,
 +	POLICYDB_CAPABILITY_CGROUPSECLABEL,
 +	POLICYDB_CAPABILITY_NNP_NOSUID_TRANSITION,
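Review bot: Replacing `POLICYDB_CAPABILITY_REDHAT1` with `POLICYDB_CAPABILITY_EXTSOCKCLASS` in the same enum position reuses that capability index. A policy built against the earlier headers with the reserved `redhat1` bit set would presumably now be read as declaring `extended_socket_class`. The matching `polcap_names[]` entry in src/polcaps.c is swapped the same way, so the two stay aligned, but nothing records that the slot changed meaning. I would add a comment on the new enumerator, for example `/* slot formerly POLICYDB_CAPABILITY_REDHAT1 (RH ptrace_child testing); order must match polcap_names[] */`, and confirm that no shipped policy sets the old bit. The enum continues outside the hunk.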
@@ -4056,10 +4074,11 @@ diff --git libsepol-2.5/include/sepol/policydb/services.h libsepol-2.5/include/s
 index 8a5dc9a..ea2fa2e 100644
 --- libsepol-2.5/include/sepol/policydb/services.h
 +++ libsepol-2.5/include/sepol/policydb/services.h
-@@ -186,6 +186,22 @@ extern int sepol_port_sid(uint16_t domain,
+@@ -185,6 +185,22 @@ extern int sepol_port_sid(uint16_t domain,
+ 			  uint8_t protocol,
  			  uint16_t port, sepol_security_id_t * out_sid);
  
- /*
++/*
 + * Return the SID of the ibpkey specified by
 + * `subnet prefix', and `pkey'.
 + */
@@ -4075,19 +4094,19 @@ index 8a5dc9a..ea2fa2e 100644
 +			       uint8_t port,
 +			       sepol_security_id_t *out_sid);
 +
-+/*
+ /*
   * Return the SIDs to use for a network interface
   * with the name `name'.  The `if_sid' SID is returned for 
-  * the interface and the `msg_sid' SID is returned as
 diff --git libsepol-2.5/include/sepol/port_record.h libsepol-2.5/include/sepol/port_record.h
-index 697cea4..c07d1fa 100644
+index 697cea4..4b45ebe 100644
 --- libsepol-2.5/include/sepol/port_record.h
 +++ libsepol-2.5/include/sepol/port_record.h
-@@ -14,6 +14,7 @@ typedef struct sepol_port_key sepol_port_key_t;
+@@ -14,6 +14,8 @@ typedef struct sepol_port_key sepol_port_key_t;
  
  #define SEPOL_PROTO_UDP 0
  #define SEPOL_PROTO_TCP 1
 +#define SEPOL_PROTO_DCCP 2
++#define SEPOL_PROTO_SCTP 3
  
  /* Key */
  extern int sepol_port_compare(const sepol_port_t * port,
@@ -5968,7 +5987,7 @@ index f211164..cd4cc86 100644
  		     (policy_module_t *) calloc(1,
  						sizeof(policy_module_t))) ==
 diff --git libsepol-2.5/src/module_to_cil.c libsepol-2.5/src/module_to_cil.c
-index 18ec6b9..26b1ee3 100644
+index 18ec6b9..fbded42 100644
 --- libsepol-2.5/src/module_to_cil.c
 +++ libsepol-2.5/src/module_to_cil.c
 @@ -3,6 +3,7 @@
@@ -5979,17 +5998,20 @@ index 18ec6b9..26b1ee3 100644
   *
   *  This library is free software; you can redistribute it and/or
   *  modify it under the terms of the GNU Lesser General Public
-@@ -26,6 +27,9 @@
+@@ -26,6 +27,12 @@
  #include <getopt.h>
  #include <libgen.h>
  #include <netinet/in.h>
 +#ifndef IPPROTO_DCCP
 +#define IPPROTO_DCCP 33
 +#endif
++#ifndef IPPROTO_SCTP
++#define IPPROTO_SCTP 132
++#endif
  #include <signal.h>
  #include <stdarg.h>
  #include <stdio.h>
-@@ -602,6 +606,103 @@ exit:
+@@ -602,6 +609,103 @@ exit:
  	return rc;
  }
  
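Review bot: The `#ifndef IPPROTO_SCTP` / `#define IPPROTO_SCTP 132` fallback added here is repeated verbatim in src/ports.c, next to the existing DCCP fallback. Those are two places to keep in sync for a value that ends up in the policy's port contexts. I would define both fallbacks once in a private header that both files include. Failing that, each copy should carry a comment such as `/* IANA protocol number; fallback for a <netinet/in.h> that lacks it */` so the bare numbers are explained.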
@@ -6093,7 +6115,7 @@ index 18ec6b9..26b1ee3 100644
  static int num_digits(int n)
  {
  	int num = 1;
-@@ -1070,6 +1171,11 @@ static int avrule_list_to_cil(int indent, struct policydb *pdb, struct avrule *a
+@@ -1070,6 +1174,11 @@ static int avrule_list_to_cil(int indent, struct policydb *pdb, struct avrule *a
  	struct type_set *ts;
  
  	for (avrule = avrule_list; avrule != NULL; avrule = avrule->next) {
@@ -6105,7 +6127,7 @@ index 18ec6b9..26b1ee3 100644
  		ts = &avrule->stypes;
  		rc = process_typeset(indent, pdb, ts, attr_list, &snames, &num_snames);
  		if (rc != 0) {
-@@ -1084,14 +1190,22 @@ static int avrule_list_to_cil(int indent, struct policydb *pdb, struct avrule *a
+@@ -1084,14 +1193,22 @@ static int avrule_list_to_cil(int indent, struct policydb *pdb, struct avrule *a
  
  		for (s = 0; s < num_snames; s++) {
  			for (t = 0; t < num_tnames; t++) {
@@ -6130,7 +6152,7 @@ index 18ec6b9..26b1ee3 100644
  				if (rc != 0) {
  					goto exit;
  				}
-@@ -1100,6 +1214,11 @@ static int avrule_list_to_cil(int indent, struct policydb *pdb, struct avrule *a
+@@ -1100,6 +1217,11 @@ static int avrule_list_to_cil(int indent, struct policydb *pdb, struct avrule *a
  
  		names_destroy(&snames, &num_snames);
  		names_destroy(&tnames, &num_tnames);
@@ -6142,7 +6164,7 @@ index 18ec6b9..26b1ee3 100644
  	}
  
  	return 0;
-@@ -1292,7 +1411,7 @@ static int cond_list_to_cil(int indent, struct policydb *pdb, struct cond_node *
+@@ -1292,7 +1414,7 @@ static int cond_list_to_cil(int indent, struct policydb *pdb, struct cond_node *
  {
  	int rc = -1;
  	struct cond_node *cond;
@@ -6151,15 +6173,16 @@ index 18ec6b9..26b1ee3 100644
  
  	rc = list_init(&attr_list);
  	if (rc != 0) {
-@@ -2537,6 +2656,7 @@ static int ocontext_selinux_port_to_cil(struct policydb *pdb, struct ocontext *p
+@@ -2537,6 +2659,8 @@ static int ocontext_selinux_port_to_cil(struct policydb *pdb, struct ocontext *p
  		switch (portcon->u.port.protocol) {
  		case IPPROTO_TCP: protocol = "tcp"; break;
  		case IPPROTO_UDP: protocol = "udp"; break;
 +		case IPPROTO_DCCP: protocol = "dccp"; break;
++		case IPPROTO_SCTP: protocol = "sctp"; break;
  		default:
  			log_err("Unknown portcon protocol: %i", portcon->u.port.protocol);
  			rc = -1;
-@@ -2562,6 +2682,45 @@ exit:
+@@ -2562,6 +2686,45 @@ exit:
  	return rc;
  }
  
@@ -6205,7 +6228,7 @@ index 18ec6b9..26b1ee3 100644
  static int ocontext_selinux_netif_to_cil(struct policydb *pdb, struct ocontext *netifs)
  {
  	struct ocontext *netif;
-@@ -2642,6 +2801,19 @@ exit:
+@@ -2642,6 +2805,19 @@ exit:
  	return rc;
  }
  
@@ -6225,7 +6248,7 @@ index 18ec6b9..26b1ee3 100644
  
  static int ocontext_selinux_fsuse_to_cil(struct policydb *pdb, struct ocontext *fsuses)
  {
-@@ -2795,6 +2967,8 @@ static int ocontexts_to_cil(struct policydb *pdb)
+@@ -2795,6 +2971,8 @@ static int ocontexts_to_cil(struct policydb *pdb)
  		ocontext_selinux_node_to_cil,
  		ocontext_selinux_fsuse_to_cil,
  		ocontext_selinux_node6_to_cil,
@@ -6234,7 +6257,7 @@ index 18ec6b9..26b1ee3 100644
  	};
  	static int (*ocon_xen_funcs[OCON_NUM])(struct policydb *pdb, struct ocontext *ocon) = {
  		ocontext_xen_isid_to_cil,
-@@ -3470,7 +3644,7 @@ static int block_to_cil(struct policydb *pdb, struct avrule_block *block, struct
+@@ -3470,7 +3648,7 @@ static int block_to_cil(struct policydb *pdb, struct avrule_block *block, struct
  {
  	int rc = -1;
  	struct avrule_decl *decl;
@@ -6243,7 +6266,7 @@ index 18ec6b9..26b1ee3 100644
  
  	decl = block->branch_list;
  
-@@ -3619,7 +3793,7 @@ static int blocks_to_cil(struct policydb *pdb)
+@@ -3619,7 +3797,7 @@ static int blocks_to_cil(struct policydb *pdb)
  	int rc = -1;
  	struct avrule_block *block;
  	int indent = 0;
@@ -6252,7 +6275,7 @@ index 18ec6b9..26b1ee3 100644
  
  	rc = stack_init(&stack);
  	if (rc != 0) {
-@@ -3687,7 +3861,7 @@ static int linked_blocks_to_cil(struct policydb *pdb)
+@@ -3687,7 +3865,7 @@ static int linked_blocks_to_cil(struct policydb *pdb)
  	// Since it is linked, all optional blocks have been resolved
  	int rc = -1;
  	struct avrule_block *block;
@@ -6296,12 +6319,15 @@ index 50cf21d..820346d 100644
  			}
  			break;
 diff --git libsepol-2.5/src/polcaps.c libsepol-2.5/src/polcaps.c
-index 43a71a7..0c6f2af 100644
+index 43a71a7..0581b85 100644
 --- libsepol-2.5/src/polcaps.c
 +++ libsepol-2.5/src/polcaps.c
-@@ -10,6 +10,8 @@ static const char *polcap_names[] = {
+@@ -8,8 +8,10 @@
+ static const char *polcap_names[] = {
+ 	"network_peer_controls",	/* POLICYDB_CAPABILITY_NETPEER */
  	"open_perms",			/* POLICYDB_CAPABILITY_OPENPERM */
- 	"redhat1",			/* POLICYDB_CAPABILITY_REDHAT1, aka ptrace_child */
+-	"redhat1",			/* POLICYDB_CAPABILITY_REDHAT1, aka ptrace_child */
++	"extended_socket_class",	/* POLICYDB_CAPABILITY_EXTSOCKCLASS */
  	"always_check_network",		/* POLICYDB_CAPABILITY_ALWAYSNETWORK */
 +	"cgroup_seclabel",		/* POLICYDB_CAPABILITY_SECLABEL */
 +	"nnp_nosuid_transition",	/* POLICYDB_CAPABILITY_NNP_NOSUID_TRANSITION */
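Review bot: The comment on the `"cgroup_seclabel"` entry names `POLICYDB_CAPABILITY_SECLABEL`, but the enumerator declared in polcaps.h is `POLICYDB_CAPABILITY_CGROUPSECLABEL`. These trailing comments are the only visible link between `polcap_names[]` and the enum order, and this change rewrites the neighbouring slot. The line is worth correcting to `"cgroup_seclabel",		/* POLICYDB_CAPABILITY_CGROUPSECLABEL */`. The array continues outside the hunk.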
@@ -6320,24 +6346,25 @@ index 6a80f94..98fb9c8 100644
   *
   *  This library is free software; you can redistribute it and/or
   *  modify it under the terms of the GNU Lesser General Public
-@@ -186,6 +187,13 @@ static struct policydb_compat_info policydb_compat[] = {
+@@ -185,6 +186,13 @@ static struct policydb_compat_info policydb_compat[] = {
+ 	 .ocon_num = OCON_NODE6 + 1,
  	 .target_platform = SEPOL_TARGET_SELINUX,
  	},
- 	{
++	{
 +	 .type = POLICY_KERN,
 +	 .version = POLICYDB_VERSION_INFINIBAND,
 +	 .sym_num = SYM_NUM,
 +	 .ocon_num = OCON_IBENDPORT + 1,
 +	 .target_platform = SEPOL_TARGET_SELINUX,
 +	},
-+	{
+ 	{
  	 .type = POLICY_BASE,
  	 .version = MOD_POLICYDB_VERSION_BASE,
- 	 .sym_num = SYM_NUM,
-@@ -284,6 +292,20 @@ static struct policydb_compat_info policydb_compat[] = {
+@@ -283,6 +291,20 @@ static struct policydb_compat_info policydb_compat[] = {
+ 	 .ocon_num = OCON_NODE6 + 1,
  	 .target_platform = SEPOL_TARGET_SELINUX,
  	},
- 	{
++	{
 +	 .type = POLICY_BASE,
 +	 .version = MOD_POLICYDB_VERSION_XPERMS_IOCTL,
 +	 .sym_num = SYM_NUM,
@@ -6351,10 +6378,9 @@ index 6a80f94..98fb9c8 100644
 +	 .ocon_num = OCON_IBENDPORT + 1,
 +	 .target_platform = SEPOL_TARGET_SELINUX,
 +	},
-+	{
+ 	{
  	 .type = POLICY_MOD,
  	 .version = MOD_POLICYDB_VERSION_BASE,
- 	 .sym_num = SYM_NUM,
 @@ -381,6 +403,20 @@ static struct policydb_compat_info policydb_compat[] = {
  	 .ocon_num = 0,
  	 .target_platform = SEPOL_TARGET_SELINUX,
@@ -6520,45 +6546,54 @@ index 6a80f94..98fb9c8 100644
        bad:
  	if (avrule) {
 diff --git libsepol-2.5/src/port_record.c libsepol-2.5/src/port_record.c
-index 6a33d93..ed9093b 100644
+index 6a33d93..15fb198 100644
 --- libsepol-2.5/src/port_record.c
 +++ libsepol-2.5/src/port_record.c
-@@ -184,6 +184,8 @@ const char *sepol_port_get_proto_str(int proto)
+@@ -184,6 +184,10 @@ const char *sepol_port_get_proto_str(int proto)
  		return "udp";
  	case SEPOL_PROTO_TCP:
  		return "tcp";
 +	case SEPOL_PROTO_DCCP:
 +		return "dccp";
++	case SEPOL_PROTO_SCTP:
++		return "sctp";
  	default:
  		return "???";
  	}
 diff --git libsepol-2.5/src/ports.c libsepol-2.5/src/ports.c
-index 607a629..62ec602 100644
+index 607a629..cc55863 100644
 --- libsepol-2.5/src/ports.c
 +++ libsepol-2.5/src/ports.c
-@@ -1,4 +1,7 @@
+@@ -1,4 +1,10 @@
  #include <netinet/in.h>
 +#ifndef IPPROTO_DCCP
 +#define IPPROTO_DCCP 33
 +#endif
++#ifndef IPPROTO_SCTP
++#define IPPROTO_SCTP 132
++#endif
  #include <stdlib.h>
  
  #include "debug.h"
-@@ -16,6 +19,8 @@ static inline int sepol2ipproto(sepol_handle_t * handle, int proto)
+@@ -16,6 +22,10 @@ static inline int sepol2ipproto(sepol_handle_t * handle, int proto)
  		return IPPROTO_TCP;
  	case SEPOL_PROTO_UDP:
  		return IPPROTO_UDP;
 +	case SEPOL_PROTO_DCCP:
 +		return IPPROTO_DCCP;
++	case SEPOL_PROTO_SCTP:
++		return IPPROTO_SCTP;
  	default:
  		ERR(handle, "unsupported protocol %u", proto);
  		return STATUS_ERR;
-@@ -30,6 +35,8 @@ static inline int ipproto2sepol(sepol_handle_t * handle, int proto)
+@@ -30,6 +40,10 @@ static inline int ipproto2sepol(sepol_handle_t * handle, int proto)
  		return SEPOL_PROTO_TCP;
  	case IPPROTO_UDP:
  		return SEPOL_PROTO_UDP;
 +	case IPPROTO_DCCP:
 +		return SEPOL_PROTO_DCCP;
++	case IPPROTO_SCTP:
++		return SEPOL_PROTO_SCTP;
  	default:
  		ERR(handle, "invalid protocol %u " "found in policy", proto);
  		return STATUS_ERR;
@@ -6626,10 +6661,11 @@ index d64a8e8..ea8453b 100644
  }
  
  /*
-@@ -1811,6 +1808,79 @@ int hidden sepol_fs_sid(char *name,
+@@ -1810,6 +1807,79 @@ int hidden sepol_fs_sid(char *name,
+ 	return rc;
  }
  
- /*
++/*
 + * Return the SID of the ibpkey specified by
 + * `subnet prefix', and `pkey number'.
 + */
@@ -6702,10 +6738,9 @@ index d64a8e8..ea8453b 100644
 +}
 +
 +
-+/*
+ /*
   * Return the SID of the port specified by
   * `domain', `type', `protocol', and `port'.
-  */
 diff --git libsepol-2.5/src/write.c libsepol-2.5/src/write.c
 index d87ea61..620baa9 100644
 --- libsepol-2.5/src/write.c
diff --git a/SPECS/libsepol.spec b/SPECS/libsepol.spec
index b3ab8bf..cf12bc7 100644
--- a/SPECS/libsepol.spec
+++ b/SPECS/libsepol.spec
@@ -1,11 +1,11 @@
 Summary: SELinux binary policy manipulation library 
 Name: libsepol
 Version: 2.5
-Release: 8.1%{?dist}
+Release: 10%{?dist}
 License: LGPLv2+
 Group: System Environment/Libraries
 Source: https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20160223/libsepol-2.5.tar.gz
-# HEAD f4aca6b867715e9f93537d116e6ff2268c3f3394
+# HEAD bfaa258580f74440ca92d68828ac31f58656f5ef
 Patch1: libsepol-rhel.patch
 URL: https://github.com/SELinuxProject/selinux/wiki
 BuildRequires: flex
@@ -104,6 +104,12 @@ exit 0
 %{_libdir}/libsepol.so.1
 
 %changelog
+* Wed Jul 25 2018 Vit Mojzis <vmojzis@redhat.com> - 2.5-10
+- Add support for the SCTP portcon keyword (rhbz#1603571)
+
+* Mon Apr 30 2018 Vit Mojzis <vmojzis@redhat.com> - 2.5-9
+- Define extended_socket_class policy capability (rhbz#1564775)
+
 * Thu Oct 12 2017 Vit Mojzis <vmojzis@redhat.com> - 2.5-8.1
 - Define nnp_nosuid_transition policy capability (rhbz#1480519)
 - use IN6ADDR_ANY_INIT to initialize IPv6 addresses