diff --git a/.setools.metadata b/.setools.metadata new file mode 100644 index 0000000..af47a1e --- /dev/null +++ b/.setools.metadata @@ -0,0 +1 @@ +5117f4ffb7eb34dcb08760fae89c6d5a5d3bfd3b SOURCES/setools-3.3.7.tar.bz2 diff --git a/README.md b/README.md deleted file mode 100644 index 0e7897f..0000000 --- a/README.md +++ /dev/null @@ -1,5 +0,0 @@ -The master branch has no content - -Look at the c7 branch if you are working with CentOS-7, or the c4/c5/c6 branch for CentOS-4, 5 or 6 - -If you find this file in a distro specific branch, it means that no content has been checked in yet diff --git a/SOURCES/0002-setools-should-exit-with-an-error-status-if-it-gets-.patch b/SOURCES/0002-setools-should-exit-with-an-error-status-if-it-gets-.patch new file mode 100644 index 0000000..62a8050 --- /dev/null +++ b/SOURCES/0002-setools-should-exit-with-an-error-status-if-it-gets-.patch @@ -0,0 +1,133 @@ +From 667fe9187c203ffcba855e821dff11c8f71ef000 Mon Sep 17 00:00:00 2001 +From: Dan Walsh +Date: Tue, 20 Sep 2011 15:39:51 -0400 +Subject: [PATCH 2/6] setools-should-exit-with-an-error-status-if-it-gets-an + error + +--- + secmds/seinfo.c | 51 +++++++++++++++++++++++++++------------------------ + 1 files changed, 27 insertions(+), 24 deletions(-) + +diff --git a/secmds/seinfo.c b/secmds/seinfo.c +index fdf23e9..3088f88 100644 +--- a/secmds/seinfo.c ++++ b/secmds/seinfo.c +@@ -827,7 +827,7 @@ static int print_sens(FILE * fp, const char *name, int expand, const apol_policy + */ + static int print_cats(FILE * fp, const char *name, int expand, const apol_policy_t * policydb) + { +- int retval = 0; ++ int retval = -1; + apol_cat_query_t *query = NULL; + apol_vector_t *v = NULL; + const qpol_cat_t *cat_datum = NULL; +@@ -911,9 +911,10 @@ static int print_fsuse(FILE * fp, const char *type, const apol_policy_t * policy + fprintf(fp, " %s\n", tmp); + free(tmp); + } +- if (type && !apol_vector_get_size(v)) ++ if (type && !apol_vector_get_size(v)) { + ERR(policydb, "No fs_use statement for filesystem of type %s.", type); +- ++ goto cleanup; ++ } + retval = 0; + cleanup: + apol_fs_use_query_destroy(&query); +@@ -949,7 +950,6 @@ static int print_genfscon(FILE * fp, const char *type, const apol_policy_t * pol + ERR(policydb, "%s", strerror(ENOMEM)); + goto cleanup; + } +- + if (apol_genfscon_query_set_filesystem(policydb, query, type)) + goto cleanup; + if (apol_genfscon_get_by_query(policydb, query, &v)) +@@ -967,8 +967,10 @@ static int print_genfscon(FILE * fp, const char *type, const apol_policy_t * pol + free(tmp); + } + +- if (type && !apol_vector_get_size(v)) ++ if (type && !apol_vector_get_size(v)) { + ERR(policydb, "No genfscon statement for filesystem of type %s.", type); ++ goto cleanup; ++ } + + retval = 0; + cleanup: +@@ -1646,6 +1648,7 @@ cleanup: // close and destroy iterators etc. + + int main(int argc, char **argv) + { ++ int rc = 0; + int classes, types, attribs, roles, users, all, expand, stats, rt, optc, isids, bools, sens, cats, fsuse, genfs, netif, + node, port, permissives, polcaps, constrain, linebreaks; + apol_policy_t *policydb = NULL; +@@ -1851,46 +1854,46 @@ int main(int argc, char **argv) + + /* display requested info */ + if (stats || all) +- print_stats(stdout, policydb); ++ rc = print_stats(stdout, policydb); + if (classes || all) +- print_classes(stdout, class_name, expand, policydb); ++ rc = print_classes(stdout, class_name, expand, policydb); + if (types || all) +- print_types(stdout, type_name, expand, policydb); ++ rc = print_types(stdout, type_name, expand, policydb); + if (attribs || all) +- print_attribs(stdout, attrib_name, expand, policydb); ++ rc = print_attribs(stdout, attrib_name, expand, policydb); + if (roles || all) +- print_roles(stdout, role_name, expand, policydb); ++ rc = print_roles(stdout, role_name, expand, policydb); + if (users || all) +- print_users(stdout, user_name, expand, policydb); ++ rc = print_users(stdout, user_name, expand, policydb); + if (bools || all) +- print_booleans(stdout, bool_name, expand, policydb); ++ rc = print_booleans(stdout, bool_name, expand, policydb); + if (sens || all) +- print_sens(stdout, sens_name, expand, policydb); ++ rc = print_sens(stdout, sens_name, expand, policydb); + if (cats || all) +- print_cats(stdout, cat_name, expand, policydb); ++ rc = print_cats(stdout, cat_name, expand, policydb); + if (fsuse || all) +- print_fsuse(stdout, fsuse_type, policydb); ++ rc = print_fsuse(stdout, fsuse_type, policydb); + if (genfs || all) +- print_genfscon(stdout, genfs_type, policydb); ++ rc = print_genfscon(stdout, genfs_type, policydb); + if (netif || all) +- print_netifcon(stdout, netif_name, policydb); ++ rc = print_netifcon(stdout, netif_name, policydb); + if (node || all) +- print_nodecon(stdout, node_addr, policydb); ++ rc = print_nodecon(stdout, node_addr, policydb); + if (port || all) +- print_portcon(stdout, port_num, protocol, policydb); ++ rc = print_portcon(stdout, port_num, protocol, policydb); + if (isids || all) +- print_isids(stdout, isid_name, expand, policydb); ++ rc = print_isids(stdout, isid_name, expand, policydb); + if (permissives || all) +- print_permissives(stdout, permissive_name, expand, policydb); ++ rc = print_permissives(stdout, permissive_name, expand, policydb); + if (polcaps || all) +- print_polcaps(stdout, polcap_name, expand, policydb); ++ rc = print_polcaps(stdout, polcap_name, expand, policydb); + if (constrain || all) +- print_constraints(stdout, expand, policydb, linebreaks); ++ rc = print_constraints(stdout, expand, policydb, linebreaks); + + apol_policy_destroy(&policydb); + apol_policy_path_destroy(&pol_path); + free(policy_file); +- exit(0); ++ exit(rc); + } + + /** +-- +1.7.6.2 + diff --git a/SOURCES/0003-Since-we-do-not-ship-neverallow-rules-all-always-fai.patch b/SOURCES/0003-Since-we-do-not-ship-neverallow-rules-all-always-fai.patch new file mode 100644 index 0000000..ae30696 --- /dev/null +++ b/SOURCES/0003-Since-we-do-not-ship-neverallow-rules-all-always-fai.patch @@ -0,0 +1,28 @@ +From 252b7c8bf311d615164a20f4f402767e5859d972 Mon Sep 17 00:00:00 2001 +From: Dan Walsh +Date: Tue, 20 Sep 2011 15:40:28 -0400 +Subject: [PATCH 3/6] Since-we-do-not-ship-neverallow-rules-all-always-fail + +--- + libqpol/src/avrule_query.c | 5 +++-- + 1 files changed, 3 insertions(+), 2 deletions(-) + +diff --git a/libqpol/src/avrule_query.c b/libqpol/src/avrule_query.c +index 749565b..76dcaa3 100644 +--- a/libqpol/src/avrule_query.c ++++ b/libqpol/src/avrule_query.c +@@ -57,8 +57,9 @@ int qpol_policy_get_avrule_iter(const qpol_policy_t * policy, uint32_t rule_type + + if ((rule_type_mask & QPOL_RULE_NEVERALLOW) && !qpol_policy_has_capability(policy, QPOL_CAP_NEVERALLOW)) { + ERR(policy, "%s", "Cannot get avrules: Neverallow rules requested but not available"); +- errno = ENOTSUP; +- return STATUS_ERR; ++/* errno = ENOTSUP; ++ return STATUS_ERR; */ ++ return STATUS_SUCCESS; + } + + db = &policy->p->p; +-- +1.7.6.2 + diff --git a/SOURCES/0004-Fix-man-pages-and-getoptions.patch b/SOURCES/0004-Fix-man-pages-and-getoptions.patch new file mode 100644 index 0000000..c06270e --- /dev/null +++ b/SOURCES/0004-Fix-man-pages-and-getoptions.patch @@ -0,0 +1,78 @@ +From b3c8ef5822dbf3e3272fc29627ddac7e20e936d5 Mon Sep 17 00:00:00 2001 +From: Dan Walsh +Date: Tue, 20 Sep 2011 15:41:12 -0400 +Subject: [PATCH 4/6] Fix-man-pages-and-getoptions + +--- + man/replcon.1 | 2 ++ + man/seinfo.1 | 6 +++++- + seaudit/seaudit-report.c | 2 +- + sediff/sediff.c | 2 +- + 4 files changed, 9 insertions(+), 3 deletions(-) + +diff --git a/man/replcon.1 b/man/replcon.1 +index 8aca08a..478dc51 100644 +--- a/man/replcon.1 ++++ b/man/replcon.1 +@@ -44,6 +44,8 @@ Search for files which include PATH. + .IP "-c CLASS, --class=CLASS" + Search only files of object class CLASS. + .SH OPTIONS ++.IP "-R, --regex" ++Enable regular expressions + .IP "-v, --verbose" + Display context info during replacement. + .IP "-h, --help" +diff --git a/man/seinfo.1 b/man/seinfo.1 +index 8612119..6bc17db 100644 +--- a/man/seinfo.1 ++++ b/man/seinfo.1 +@@ -76,6 +76,10 @@ There is no expanded information for this component. + .IP "--nodecon[=ADDR]" + Print a list of node contexts or, if ADDR is provided, print the statement for the node with address ADDR. + There is no expanded information for this component. ++.IP "--polcap" ++Print policy capabilities. ++.IP "--permissive" ++Print permissive types. + .IP "--portcon[=PORT]" + Print a list of port contexts or, if PORT is provided, print the statement for port PORT. + There is no expanded information for this component. +@@ -93,7 +97,7 @@ These details include the types assigned to an attribute or role and the permiss + This option is not available for all component types; see the description of each component for the details this option will provide. + .IP "--stats" + Print policy statistics including policy type and version information and counts of all components and rules. +-.IP "-l" ++.IP "-l, --line-breaks" + Print line breaks when displaying constraint statements. + .IP "-h, --help" + Print help information and exit. +diff --git a/seaudit/seaudit-report.c b/seaudit/seaudit-report.c +index af3c6fb..d436c18 100644 +--- a/seaudit/seaudit-report.c ++++ b/seaudit/seaudit-report.c +@@ -100,7 +100,7 @@ static void seaudit_report_info_usage(const char *program_name, int brief) + printf(" -s, --stdin read log data from standard input\n"); + printf(" -m, --malformed include malformed log messages\n"); + printf(" -o FILE, --output=FILE output to FILE\n"); +- printf(" --config=FILE read configuration from FILE\n"); ++ printf(" -c FILE, --config=FILE read configuration from FILE\n"); + printf(" --html set output format to HTML\n"); + printf(" --stylesheet=FILE HTML style sheet for formatting HTML report\n"); + printf(" (ignored if --html is not given)\n"); +diff --git a/sediff/sediff.c b/sediff/sediff.c +index 6022775..341c650 100644 +--- a/sediff/sediff.c ++++ b/sediff/sediff.c +@@ -420,7 +420,7 @@ int main(int argc, char **argv) + poldiff_t *diff = NULL; + size_t total = 0; + +- while ((optc = getopt_long(argc, argv, "ctarubANDLMCRqhV", longopts, NULL)) != -1) { ++ while ((optc = getopt_long(argc, argv, "ctarubAqhV", longopts, NULL)) != -1) { + switch (optc) { + case 0: + break; +-- +1.7.6.2 + diff --git a/SOURCES/0005-Fix-sepol-calls-to-work-with-latest-libsepol.patch b/SOURCES/0005-Fix-sepol-calls-to-work-with-latest-libsepol.patch new file mode 100644 index 0000000..01f545d --- /dev/null +++ b/SOURCES/0005-Fix-sepol-calls-to-work-with-latest-libsepol.patch @@ -0,0 +1,34 @@ +From 2b58d92add64b53b16cbb438e7b69e85d046afd1 Mon Sep 17 00:00:00 2001 +From: Dan Walsh +Date: Tue, 20 Sep 2011 15:46:38 -0400 +Subject: [PATCH 5/6] Fix sepol calls to work with latest libsepol + +--- + configure.ac | 4 ++-- + 1 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/configure.ac b/configure.ac +index e837e03..3c11e23 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -505,7 +505,7 @@ AC_COMPILE_IFELSE( + [AC_LANG_SOURCE([ + #include + int main () { +- return role_set_expand(NULL, NULL, NULL, NULL); ++ return role_set_expand(NULL, NULL, NULL, NULL, NULL); + }])], + sepol_new_user_role_mapping="yes", + sepol_new_user_role_mapping="no") +@@ -541,7 +541,7 @@ if test ${sepol_check_boolmap} = "yes"; then + [AC_LANG_SOURCE([ + #include + int main () { +- return expand_module_avrules(NULL, NULL, NULL, NULL, NULL, 0, 0); ++ return expand_module_avrules(NULL, NULL, NULL, NULL, NULL, 0, 0, 0, 0); + }])], + AC_MSG_RESULT([yes]), + AC_MSG_ERROR([this version of libsepol is incompatible with SETools])) +-- +1.7.6.2 + diff --git a/SOURCES/0006-Changes-to-support-named-file_trans-rules.patch b/SOURCES/0006-Changes-to-support-named-file_trans-rules.patch new file mode 100644 index 0000000..3cd7127 --- /dev/null +++ b/SOURCES/0006-Changes-to-support-named-file_trans-rules.patch @@ -0,0 +1,1505 @@ +From 287f507657e162bc09b5c186bbd580901fbc942a Mon Sep 17 00:00:00 2001 +From: Dan Walsh +Date: Tue, 20 Sep 2011 15:47:28 -0400 +Subject: [PATCH 6/6] Changes to support named file_trans rules + +--- + libapol/include/apol/ftrule-query.h | 198 +++++++++++++++++++ + libapol/include/apol/policy-query.h | 1 + + libapol/src/Makefile.am | 1 + + libapol/src/ftrule-query.c | 363 +++++++++++++++++++++++++++++++++++ + libapol/src/libapol.map | 1 + + libqpol/include/qpol/ftrule_query.h | 116 +++++++++++ + libqpol/include/qpol/policy.h | 1 + + libqpol/src/Makefile.am | 1 + + libqpol/src/ftrule_query.c | 277 ++++++++++++++++++++++++++ + libqpol/src/libqpol.map | 1 + + libqpol/src/module_compiler.c | 12 ++ + libqpol/src/policy_define.c | 186 ++++++++++++++++++- + libqpol/src/policy_parse.y | 13 +- + libqpol/src/policy_scan.l | 1 + + secmds/sesearch.c | 101 ++++++++++ + 15 files changed, 1270 insertions(+), 3 deletions(-) + create mode 100644 libapol/include/apol/ftrule-query.h + create mode 100644 libapol/src/ftrule-query.c + create mode 100644 libqpol/include/qpol/ftrule_query.h + create mode 100644 libqpol/src/ftrule_query.c + +diff --git a/libapol/include/apol/ftrule-query.h b/libapol/include/apol/ftrule-query.h +new file mode 100644 +index 0000000..119c52f +--- /dev/null ++++ b/libapol/include/apol/ftrule-query.h +@@ -0,0 +1,198 @@ ++/** ++ * @file ++ * ++ * Routines to query filename_transition rules of a ++ * policy. ++ * ++ * @author Jeremy A. Mowery jmowery@tresys.com ++ * @author Jason Tang jtang@tresys.com ++ * ++ * Copyright (C) 2006-2007 Tresys Technology, LLC ++ * ++ * This library is free software; you can redistribute it and/or ++ * modify it under the terms of the GNU Lesser General Public ++ * License as published by the Free Software Foundation; either ++ * version 2.1 of the License, or (at your option) any later version. ++ * ++ * This library is distributed in the hope that it will be useful, ++ * but WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ * Lesser General Public License for more details. ++ * ++ * You should have received a copy of the GNU Lesser General Public ++ * License along with this library; if not, write to the Free Software ++ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA ++ */ ++ ++#ifndef APOL_FILENAMERULE_QUERY_H ++#define APOL_FILENAMERULE_QUERY_H ++ ++#ifdef __cplusplus ++extern "C" ++{ ++#endif ++ ++#include "policy.h" ++#include "vector.h" ++#include ++ ++ typedef struct apol_filename_trans_query apol_filename_trans_query_t; ++ ++ ++/******************** filename_transition queries ********************/ ++ ++/** ++ * Execute a query against all filename_transition rules within the ++ * policy. ++ * ++ * @param p Policy within which to look up filename_transition rules. ++ * @param r Structure containing parameters for query. If this is ++ * NULL then return all filename_transition rules. ++ * @param v Reference to a vector of qpol_filename_trans_t. The vector ++ * will be allocated by this function. The caller must call ++ * apol_vector_destroy() afterwards. This will be set to NULL upon no ++ * results or upon error. ++ * ++ * @return 0 on success (including none found), negative on error. ++ */ ++ extern int apol_filename_trans_get_by_query(const apol_policy_t * p, const apol_filename_trans_query_t * r, apol_vector_t ** v); ++ ++/** ++ * Allocate and return a new filename trans query structure. All fields ++ * are initialized, such that running this blank query results in ++ * returning all filename_transitions within the policy. The caller must ++ * call apol_filename_trans_query_destroy() upon the return value ++ * afterwards. ++ * ++ * @return An initialized filename trans query structure, or NULL upon ++ * error. ++ */ ++ extern apol_filename_trans_query_t *apol_filename_trans_query_create(void); ++ ++/** ++ * Deallocate all memory associated with the referenced filename trans ++ * query, and then set it to NULL. This function does nothing if the ++ * query is already NULL. ++ * ++ * @param r Reference to a filename trans query structure to destroy. ++ */ ++ extern void apol_filename_trans_query_destroy(apol_filename_trans_query_t ** r); ++ ++/** ++ * Set a filename_trans query to return rules whose source symbol matches ++ * symbol. Symbol may be a type or attribute; if it is an alias then ++ * the query will convert it to its primary prior to searching. If ++ * is_indirect is non-zero then the search will be done indirectly. ++ * If the symbol is a type, then the query matches rules with one of ++ * the type's attributes. If the symbol is an attribute, then it ++ * matches rule with any of the attribute's types. ++ * ++ * @param p Policy handler, to report errors. ++ * @param t TE rule query to set. ++ * @param symbol Limit query to rules with this symbol as their ++ * source, or NULL to unset this field. ++ * @param is_indirect If non-zero, perform indirect matching. ++ * ++ * @return 0 on success, negative on error. ++ */ ++ extern int apol_filename_trans_query_set_source(const apol_policy_t * p, apol_filename_trans_query_t * t, const char *symbol, ++ int is_indirect); ++ ++/** ++ * Set a filename trans query to return rules with a particular target ++ * symbol. Symbol may be a type or attribute; if it is an alias then ++ * the query will convert it to its primary prior to searching. If ++ * is_indirect is non-zero then the search will be done indirectly. ++ * If the symbol is a type, then the query matches rules with one of ++ * the type's attributes. If the symbol is an attribute, then it ++ * matches rule with any of the attribute's types. ++ * ++ * @param p Policy handler, to report errors. ++ * @param r Role trans query to set. ++ * @param symbol Limit query to rules with this type or attribute as ++ * their target, or NULL to unset this field. ++ * @param is_indirect If non-zero, perform indirect matching. ++ * ++ * @return 0 on success, negative on error. ++ */ ++ extern int apol_filename_trans_query_set_target(const apol_policy_t * p, apol_filename_trans_query_t * r, const char *symbol, ++ int is_indirect); ++ ++/** ++ * Set a filename trans query to return rules with a particular default ++ * filename. This field is ignored if ++ * apol_filename_trans_query_set_source_any() is set to non-zero. ++ * ++ * @param p Policy handler, to report errors. ++ * @param r Role trans query to set. ++ * @param filename Limit query to rules with this filename as their default, or ++ * NULL to unset this field. ++ * ++ * @return 0 on success, negative on error. ++ */ ++ extern int apol_filename_trans_query_set_default(const apol_policy_t * p, apol_filename_trans_query_t * r, const char *filename); ++ ++/** ++ * Set at filename_trans query to return rules with this object (non-common) ++ * class. If more than one class are appended to the query, the ++ * rule's class must be one of those appended. (I.e., the rule's ++ * class must be a member of the query's classes.) Pass a NULL to ++ * clear all classes. Note that this performs straight string ++ * comparison, ignoring the regex flag. ++ ++ * ++ * @param p Policy handler, to report errors. ++ * @param t TE rule query to set. ++ * @param obj_class Name of object class to add to search set. ++ * ++ * @return 0 on success, negative on error. ++ */ ++ extern int apol_filename_trans_query_append_class(const apol_policy_t * p, apol_filename_trans_query_t * t, const char *obj_class); ++ ++/** ++ * Set a filename trans query to treat the source filename as any. That is, ++ * use the same symbol for either source or default of a ++ * filename_transition rule. This flag does nothing if the source filename is ++ * not set. Note that a filename_transition's target is a type, so thus ++ * this flag does not affect its searching. ++ * ++ * @param p Policy handler, to report errors. ++ * @param r Role trans query to set. ++ * @param is_any Non-zero to use source symbol for source or default ++ * field, 0 to keep source as only source. ++ * ++ * @return Always 0. ++ */ ++ extern int apol_filename_trans_query_set_source_any(const apol_policy_t * p, apol_filename_trans_query_t * r, int is_any); ++ ++/** ++ * Set a filename trans query to use regular expression searching for ++ * source, target, and default fields. Strings will be treated as ++ * regexes instead of literals. For the target type, matching will ++ * occur against the type name or any of its aliases. ++ * ++ * @param p Policy handler, to report errors. ++ * @param r Role trans query to set. ++ * @param is_regex Non-zero to enable regex searching, 0 to disable. ++ * ++ * @return Always 0. ++ */ ++ extern int apol_filename_trans_query_set_regex(const apol_policy_t * p, apol_filename_trans_query_t * r, int is_regex); ++ ++/** ++ * Render a filename_transition rule to a string. ++ * ++ * @param policy Policy handler, to report errors. ++ * @param rule The rule to render. ++ * ++ * @return A newly malloc()'d string representation of the rule, or NULL on ++ * failure; if the call fails, errno will be set. The caller is responsible ++ * for calling free() on the returned string. ++ */ ++ extern char *apol_filename_trans_render(const apol_policy_t * policy, const qpol_filename_trans_t * rule); ++ ++#ifdef __cplusplus ++} ++#endif ++ ++#endif +diff --git a/libapol/include/apol/policy-query.h b/libapol/include/apol/policy-query.h +index 315f70e..665e4cb 100644 +--- a/libapol/include/apol/policy-query.h ++++ b/libapol/include/apol/policy-query.h +@@ -71,6 +71,7 @@ extern "C" + #include "terule-query.h" + #include "condrule-query.h" + #include "rbacrule-query.h" ++#include "ftrule-query.h" + #include "range_trans-query.h" + #include "constraint-query.h" + +diff --git a/libapol/src/Makefile.am b/libapol/src/Makefile.am +index 3fa4f06..baaa4f6 100644 +--- a/libapol/src/Makefile.am ++++ b/libapol/src/Makefile.am +@@ -40,6 +40,7 @@ libapol_a_SOURCES = \ + render.c \ + role-query.c \ + terule-query.c \ ++ ftrule-query.c \ + type-query.c \ + types-relation-analysis.c \ + user-query.c \ +diff --git a/libapol/src/ftrule-query.c b/libapol/src/ftrule-query.c +new file mode 100644 +index 0000000..dc248de +--- /dev/null ++++ b/libapol/src/ftrule-query.c +@@ -0,0 +1,363 @@ ++/** ++ * @file ++ * ++ * Provides a way for setools to make queries about type enforcement ++ * filename_transs within a policy. The caller obtains a query object, fills in ++ * its parameters, and then runs the query; it obtains a vector of ++ * results. Searches are conjunctive -- all fields of the search ++ * query must match for a datum to be added to the results query. ++ * ++ * @author Jeremy A. Mowery jmowery@tresys.com ++ * @author Jason Tang jtang@tresys.com ++ * ++ * Copyright (C) 2006-2007 Tresys Technology, LLC ++ * ++ * This library is free software; you can redistribute it and/or ++ * modify it under the terms of the GNU Lesser General Public ++ * License as published by the Free Software Foundation; either ++ * version 2.1 of the License, or (at your option) any later version. ++ * ++ * This library is distributed in the hope that it will be useful, ++ * but WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ * Lesser General Public License for more details. ++ * ++ * You should have received a copy of the GNU Lesser General Public ++ * License along with this library; if not, write to the Free Software ++ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA ++ */ ++ ++#include "policy-query-internal.h" ++ ++#include ++#include ++ ++struct apol_filename_trans_query ++{ ++ char *source, *target, *default_type, *name; ++ apol_vector_t *classes; ++ unsigned int flags; ++}; ++ ++ ++/******************** filename_transition queries ********************/ ++ ++int apol_filename_trans_get_by_query(const apol_policy_t * p, const apol_filename_trans_query_t * t, apol_vector_t ** v) ++{ ++ apol_vector_t *source_list = NULL, *target_list = NULL, *class_list = NULL, *default_list = NULL; ++ int retval = -1, source_as_any = 0, is_regex = 0, append_filename_trans; ++ char *bool_name = NULL; ++ *v = NULL; ++ unsigned int flags = 0; ++ qpol_iterator_t *iter = NULL, *type_iter = NULL; ++ ++ if (t != NULL) { ++ flags = t->flags; ++ is_regex = t->flags & APOL_QUERY_REGEX; ++ if (t->source != NULL && ++ (source_list = ++ apol_query_create_candidate_type_list(p, t->source, is_regex, ++ t->flags & APOL_QUERY_SOURCE_INDIRECT, ++ ((t->flags & (APOL_QUERY_SOURCE_TYPE | APOL_QUERY_SOURCE_ATTRIBUTE)) / ++ APOL_QUERY_SOURCE_TYPE))) == NULL) { ++ goto cleanup; ++ } ++ ++ if ((t->flags & APOL_QUERY_SOURCE_AS_ANY) && t->source != NULL) { ++ default_list = target_list = source_list; ++ source_as_any = 1; ++ } else { ++ if (t->target != NULL && ++ (target_list = ++ apol_query_create_candidate_type_list(p, t->target, is_regex, ++ t->flags & APOL_QUERY_TARGET_INDIRECT, ++ ((t-> ++ flags & (APOL_QUERY_TARGET_TYPE | APOL_QUERY_TARGET_ATTRIBUTE)) ++ / APOL_QUERY_TARGET_TYPE))) == NULL) { ++ goto cleanup; ++ } ++ if (t->default_type != NULL && ++ (default_list = ++ apol_query_create_candidate_type_list(p, t->default_type, is_regex, 0, ++ APOL_QUERY_SYMBOL_IS_TYPE)) == NULL) { ++ goto cleanup; ++ } ++ } ++ if (t->classes != NULL && ++ apol_vector_get_size(t->classes) > 0 && ++ (class_list = apol_query_create_candidate_class_list(p, t->classes)) == NULL) { ++ goto cleanup; ++ } ++ } ++ ++ if (qpol_policy_get_filename_trans_iter(p->p, &iter) < 0) { ++ return -1; ++ } ++ ++ if ((*v = apol_vector_create(NULL)) == NULL) { ++ ERR(p, "%s", strerror(errno)); ++ goto cleanup; ++ } ++ ++ for (; !qpol_iterator_end(iter); qpol_iterator_next(iter)) { ++ qpol_filename_trans_t *filename_trans; ++ if (qpol_iterator_get_item(iter, (void **)&filename_trans) < 0) { ++ goto cleanup; ++ } ++ int match_source = 0, match_target = 0, match_default = 0, match_bool = 0; ++ size_t i; ++ ++ if (source_list == NULL) { ++ match_source = 1; ++ } else { ++ const qpol_type_t *source_type; ++ if (qpol_filename_trans_get_source_type(p->p, filename_trans, &source_type) < 0) { ++ goto cleanup; ++ } ++ if (apol_vector_get_index(source_list, source_type, NULL, NULL, &i) == 0) { ++ match_source = 1; ++ } ++ } ++ ++ /* if source did not match, but treating source symbol ++ * as any field, then delay rejecting this filename_trans until ++ * the target and default have been checked */ ++ if (!source_as_any && !match_source) { ++ continue; ++ } ++ ++ if (target_list == NULL || (source_as_any && match_source)) { ++ match_target = 1; ++ } else { ++ const qpol_type_t *target_type; ++ if (qpol_filename_trans_get_target_type(p->p, filename_trans, &target_type) < 0) { ++ goto cleanup; ++ } ++ if (apol_vector_get_index(target_list, target_type, NULL, NULL, &i) == 0) { ++ match_target = 1; ++ } ++ } ++ ++ if (!source_as_any && !match_target) { ++ continue; ++ } ++ ++ if (default_list == NULL || (source_as_any && match_source) || (source_as_any && match_target)) { ++ match_default = 1; ++ } else { ++ const qpol_type_t *default_type; ++ if (qpol_filename_trans_get_default_type(p->p, filename_trans, &default_type) < 0) { ++ goto cleanup; ++ } ++ if (apol_vector_get_index(default_list, default_type, NULL, NULL, &i) == 0) { ++ match_default = 1; ++ } ++ } ++ ++ if (!source_as_any && !match_default) { ++ continue; ++ } ++ /* at least one thing must match if source_as_any was given */ ++ if (source_as_any && (!match_source && !match_target && !match_default)) { ++ continue; ++ } ++ ++ if (class_list != NULL) { ++ const qpol_class_t *obj_class; ++ if (qpol_filename_trans_get_object_class(p->p, filename_trans, &obj_class) < 0) { ++ goto cleanup; ++ } ++ if (apol_vector_get_index(class_list, obj_class, NULL, NULL, &i) < 0) { ++ continue; ++ } ++ } ++ ++ if (apol_vector_append(*v, filename_trans)) { ++ ERR(p, "%s", strerror(ENOMEM)); ++ goto cleanup; ++ } ++ } ++ ++ retval = 0; ++ cleanup: ++ if (retval != 0) { ++ apol_vector_destroy(v); ++ } ++ apol_vector_destroy(&source_list); ++ if (!source_as_any) { ++ apol_vector_destroy(&target_list); ++ apol_vector_destroy(&default_list); ++ } ++ apol_vector_destroy(&class_list); ++ return retval; ++} ++ ++apol_filename_trans_query_t *apol_filename_trans_query_create(void) ++{ ++ apol_filename_trans_query_t *t = calloc(1, sizeof(apol_filename_trans_query_t)); ++ if (t != NULL) { ++ t->flags = ++ (APOL_QUERY_SOURCE_TYPE | APOL_QUERY_SOURCE_ATTRIBUTE | APOL_QUERY_TARGET_TYPE | ++ APOL_QUERY_TARGET_ATTRIBUTE); ++ } ++ return t; ++} ++ ++void apol_filename_trans_query_destroy(apol_filename_trans_query_t ** r) ++{ ++ if (r != NULL && *r != NULL) { ++ free((*r)->source); ++ free((*r)->target); ++ free((*r)->default_type); ++ free((*r)->name); ++ free(*r); ++ *r = NULL; ++ } ++} ++ ++int apol_filename_trans_query_set_source(const apol_policy_t * p, apol_filename_trans_query_t * t, const char *filename, int is_indirect) ++{ ++ apol_query_set_flag(p, &t->flags, is_indirect, APOL_QUERY_TARGET_INDIRECT); ++ return apol_query_set(p, &t->source, NULL, filename); ++} ++ ++int apol_filename_trans_query_set_target(const apol_policy_t * p, apol_filename_trans_query_t * t, const char *type, int is_indirect) ++{ ++ apol_query_set_flag(p, &t->flags, is_indirect, APOL_QUERY_TARGET_INDIRECT); ++ return apol_query_set(p, &t->target, NULL, type); ++} ++ ++int apol_filename_trans_query_set_default(const apol_policy_t * p, apol_filename_trans_query_t * t, const char *symbol) ++{ ++ return apol_query_set(p, &t->default_type, NULL, symbol); ++} ++ ++int apol_filename_trans_query_append_class(const apol_policy_t * p, apol_filename_trans_query_t * t, const char *obj_class) ++{ ++ char *s = NULL; ++ if (obj_class == NULL) { ++ apol_vector_destroy(&t->classes); ++ } else if ((s = strdup(obj_class)) == NULL || (t->classes == NULL && (t->classes = apol_vector_create(free)) == NULL) ++ || apol_vector_append(t->classes, s) < 0) { ++ ERR(p, "%s", strerror(errno)); ++ free(s); ++ return -1; ++ } ++ return 0; ++} ++ ++int apol_filename_trans_query_set_name(const apol_policy_t * p, apol_filename_trans_query_t * t, const char *filename) ++{ ++ return apol_query_set(p, &t->name, NULL, filename); ++} ++ ++int apol_filename_trans_query_set_source_any(const apol_policy_t * p, apol_filename_trans_query_t * t, int is_any) ++{ ++ return apol_query_set_flag(p, &t->flags, is_any, APOL_QUERY_SOURCE_AS_ANY); ++} ++ ++int apol_filename_trans_query_set_regex(const apol_policy_t * p, apol_filename_trans_query_t * t, int is_regex) ++{ ++ return apol_query_set_regex(p, &t->flags, is_regex); ++} ++ ++char *apol_filename_trans_render(const apol_policy_t * policy, const qpol_filename_trans_t * filename_trans) ++{ ++ char *tmp = NULL; ++ const char *tmp_name = NULL; ++ const char *filename_trans_type_str; ++ int error = 0; ++ size_t tmp_sz = 0; ++ uint32_t filename_trans_type = 0; ++ const qpol_type_t *type = NULL; ++ const qpol_class_t *obj_class = NULL; ++ ++ if (!policy || !filename_trans) { ++ ERR(policy, "%s", strerror(EINVAL)); ++ errno = EINVAL; ++ return NULL; ++ } ++ ++ /* source type */ ++ if (qpol_filename_trans_get_source_type(policy->p, filename_trans, &type)) { ++ error = errno; ++ goto err; ++ } ++ if (qpol_type_get_name(policy->p, type, &tmp_name)) { ++ error = errno; ++ goto err; ++ } ++ if (apol_str_appendf(&tmp, &tmp_sz, "transition_type %s ", tmp_name)) { ++ error = errno; ++ ERR(policy, "%s", strerror(error)); ++ goto err; ++ } ++ ++ /* target type */ ++ if (qpol_filename_trans_get_target_type(policy->p, filename_trans, &type)) { ++ error = errno; ++ goto err; ++ } ++ if (qpol_type_get_name(policy->p, type, &tmp_name)) { ++ error = errno; ++ goto err; ++ } ++ if (apol_str_appendf(&tmp, &tmp_sz, "%s : ", tmp_name)) { ++ error = errno; ++ ERR(policy, "%s", strerror(error)); ++ goto err; ++ } ++ ++ /* object class */ ++ if (qpol_filename_trans_get_object_class(policy->p, filename_trans, &obj_class)) { ++ error = errno; ++ goto err; ++ } ++ if (qpol_class_get_name(policy->p, obj_class, &tmp_name)) { ++ error = errno; ++ goto err; ++ } ++ if (apol_str_appendf(&tmp, &tmp_sz, "%s ", tmp_name)) { ++ error = errno; ++ ERR(policy, "%s", strerror(error)); ++ goto err; ++ } ++ ++ /* default type */ ++ if (qpol_filename_trans_get_default_type(policy->p, filename_trans, &type)) { ++ error = errno; ++ goto err; ++ } ++ if (qpol_type_get_name(policy->p, type, &tmp_name)) { ++ error = errno; ++ goto err; ++ } ++ if (apol_str_appendf(&tmp, &tmp_sz, "%s", tmp_name)) { ++ error = errno; ++ ERR(policy, "%s", strerror(error)); ++ goto err; ++ } ++ ++ if (qpol_filename_trans_get_filename(policy->p, filename_trans, &tmp_name)) { ++ error = errno; ++ goto err; ++ } ++ ++ if (apol_str_appendf(&tmp, &tmp_sz, " %s", tmp_name)) { ++ error = errno; ++ ERR(policy, "%s", strerror(error)); ++ goto err; ++ } ++ ++ if (apol_str_appendf(&tmp, &tmp_sz, ";")) { ++ error = errno; ++ ERR(policy, "%s", strerror(error)); ++ goto err; ++ } ++ return tmp; ++ ++ err: ++ free(tmp); ++ errno = error; ++ return NULL; ++} +diff --git a/libapol/src/libapol.map b/libapol/src/libapol.map +index 4894374..7657a2d 100644 +--- a/libapol/src/libapol.map ++++ b/libapol/src/libapol.map +@@ -34,6 +34,7 @@ VERS_4.0{ + apol_protocol_to_str; + apol_qpol_context_render; + apol_range_trans_*; ++ apol_filename_trans_*; + apol_relabel_*; + apol_role_*; + apol_role_allow_*; +diff --git a/libqpol/include/qpol/ftrule_query.h b/libqpol/include/qpol/ftrule_query.h +new file mode 100644 +index 0000000..1f533a4 +--- /dev/null ++++ b/libqpol/include/qpol/ftrule_query.h +@@ -0,0 +1,116 @@ ++/** ++ * @file ++ * Defines public interface for iterating over FTRULE rules. ++ * ++ * @author Kevin Carr kcarr@tresys.com ++ * @author Jeremy A. Mowery jmowery@tresys.com ++ * @author Jason Tang jtang@tresys.com ++ * ++ * Copyright (C) 2006-2007 Tresys Technology, LLC ++ * ++ * This library is free software; you can redistribute it and/or ++ * modify it under the terms of the GNU Lesser General Public ++ * License as published by the Free Software Foundation; either ++ * version 2.1 of the License, or (at your option) any later version. ++ * ++ * This library is distributed in the hope that it will be useful, ++ * but WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ * Lesser General Public License for more details. ++ * ++ * You should have received a copy of the GNU Lesser General Public ++ * License along with this library; if not, write to the Free Software ++ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA ++ */ ++ ++#ifndef QPOL_FTRULERULE_QUERY ++#define QPOL_FTRULERULE_QUERY ++ ++#ifdef __cplusplus ++extern "C" ++{ ++#endif ++ ++#include ++#include ++ ++ typedef struct qpol_filename_trans qpol_filename_trans_t; ++ ++/** ++ * Get an iterator over all filename transition rules in the policy. ++ * @param policy Policy from which to create the iterator. ++ * @param iter Iterator over items of type qpol_filename_trans_t returned. ++ * The caller is responsible for calling qpol_iterator_destroy() ++ * to free memory used by this iterator. ++ * It is important to note that this iterator is only valid as long as ++ * the policy is unmodifed. ++ * @returm 0 on success and < 0 on failure; if the call fails, ++ * errno will be set and *iter will be NULL. ++ */ ++ extern int qpol_policy_get_filename_trans_iter(const qpol_policy_t * policy, qpol_iterator_t ** iter); ++ ++/** ++ * Get the source type from a filename transition rule. ++ * @param policy The policy from which the rule comes. ++ * @param rule The rule from which to get the source type. ++ * @param source Pointer in which to store the source type. ++ * The caller should not free this pointer. ++ * @return 0 on success and < 0 on failure; if the call fails, ++ * errno will be set and *source will be NULL. ++ */ ++ extern int qpol_filename_trans_get_source_type(const qpol_policy_t * policy, const qpol_filename_trans_t * rule, ++ const qpol_type_t ** source); ++ ++/** ++ * Get the target type from a filename transition rule. ++ * @param policy The policy from which the rule comes. ++ * @param rule The rule from which to get the target type. ++ * @param target Pointer in which to store the target type. ++ * The caller should not free this pointer. ++ * @return 0 on success and < 0 on failure; if the call fails, ++ * errno will be set and *target will be NULL. ++ */ ++ extern int qpol_filename_trans_get_target_type(const qpol_policy_t * policy, const qpol_filename_trans_t * rule, ++ const qpol_type_t ** target); ++ ++/** ++ * Get the default type from a type rule. ++ * @param policy Policy from which the rule comes. ++ * @param rule The rule from which to get the default type. ++ * @param dflt Pointer in which to store the default type. ++ * The caller should not free this pointer. ++ * @returm 0 on success and < 0 on failure; if the call fails, ++ * errno will be set and *dflt will be NULL. ++ */ ++ extern int qpol_filename_trans_get_default_type(const qpol_policy_t * policy, const qpol_filename_trans_t * rule, ++ const qpol_type_t ** dflt); ++ ++/** ++ * Get the object class from a type rule. ++ * @param policy Policy from which the rule comes. ++ * @param rule The rule from which to get the object class. ++ * @param obj_class Pointer in which to store the object class. ++ * The caller should not free this pointer. ++ * @returm 0 on success and < 0 on failure; if the call fails, ++ * errno will be set and *obj_class will be NULL. ++ */ ++ extern int qpol_filename_trans_get_object_class(const qpol_policy_t * policy, const qpol_filename_trans_t * rule, ++ const qpol_class_t ** obj_class); ++ ++/** ++ * Get the transition filename type from a type rule. ++ * @param policy Policy from which the rule comes. ++ * @param rule The rule from which to get the transition filename. ++ * @param target Pointer in which to store the transition filename. ++ * The caller should not free this pointer. ++ * @returm 0 on success and < 0 on failure; if the call fails, ++ * errno will be set and *target will be NULL. ++ */ ++ extern int qpol_filename_trans_get_filename(const qpol_policy_t * policy, const qpol_filename_trans_t * rule, ++ const char ** name); ++ ++#ifdef __cplusplus ++} ++#endif ++ ++#endif /* QPOL_FTRULERULE_QUERY */ +diff --git a/libqpol/include/qpol/policy.h b/libqpol/include/qpol/policy.h +index ae4ea08..bf85718 100644 +--- a/libqpol/include/qpol/policy.h ++++ b/libqpol/include/qpol/policy.h +@@ -55,6 +55,7 @@ extern "C" + #include + #include + #include ++#include + #include + #include + #include +diff --git a/libqpol/src/Makefile.am b/libqpol/src/Makefile.am +index 34d87a6..0889a61 100644 +--- a/libqpol/src/Makefile.am ++++ b/libqpol/src/Makefile.am +@@ -48,6 +48,7 @@ libqpol_a_SOURCES = \ + syn_rule_internal.h \ + syn_rule_query.c \ + terule_query.c \ ++ ftrule_query.c \ + type_query.c \ + user_query.c \ + util.c \ +diff --git a/libqpol/src/ftrule_query.c b/libqpol/src/ftrule_query.c +new file mode 100644 +index 0000000..d6db848 +--- /dev/null ++++ b/libqpol/src/ftrule_query.c +@@ -0,0 +1,277 @@ ++/** ++ * @file ++ * Defines public interface for iterating over RBAC rules. ++ * ++ * @author Jeremy A. Mowery jmowery@tresys.com ++ * @author Jason Tang jtang@tresys.com ++ * ++ * Copyright (C) 2006-2007 Tresys Technology, LLC ++ * ++ * This library is free software; you can redistribute it and/or ++ * modify it under the terms of the GNU Lesser General Public ++ * License as published by the Free Software Foundation; either ++ * version 2.1 of the License, or (at your option) any later version. ++ * ++ * This library is distributed in the hope that it will be useful, ++ * but WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ * Lesser General Public License for more details. ++ * ++ * You should have received a copy of the GNU Lesser General Public ++ * License along with this library; if not, write to the Free Software ++ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA ++ */ ++ ++#include ++#include ++#include ++#include ++#include "iterator_internal.h" ++#include "qpol_internal.h" ++#include ++ ++typedef struct filename_trans_state ++{ ++ filename_trans_t *head; ++ filename_trans_t *cur; ++} filename_trans_state_t; ++ ++static int filename_trans_state_end(const qpol_iterator_t * iter) ++{ ++ filename_trans_state_t *fts = NULL; ++ ++ if (!iter || !(fts = qpol_iterator_state(iter))) { ++ errno = EINVAL; ++ return STATUS_ERR; ++ } ++ ++ return fts->cur ? 0 : 1; ++} ++ ++static void *filename_trans_state_get_cur(const qpol_iterator_t * iter) ++{ ++ filename_trans_state_t *fts = NULL; ++ const policydb_t *db = NULL; ++ ++ if (!iter || !(fts = qpol_iterator_state(iter)) || !(db = qpol_iterator_policy(iter)) || filename_trans_state_end(iter)) { ++ errno = EINVAL; ++ return NULL; ++ } ++ ++ return fts->cur; ++} ++ ++static int filename_trans_state_next(qpol_iterator_t * iter) ++{ ++ filename_trans_state_t *fts = NULL; ++ const policydb_t *db = NULL; ++ ++ if (!iter || !(fts = qpol_iterator_state(iter)) || !(db = qpol_iterator_policy(iter))) { ++ errno = EINVAL; ++ return STATUS_ERR; ++ } ++ ++ if (filename_trans_state_end(iter)) { ++ errno = ERANGE; ++ return STATUS_ERR; ++ } ++ ++ fts->cur = fts->cur->next; ++ ++ return STATUS_SUCCESS; ++} ++ ++static size_t filename_trans_state_size(const qpol_iterator_t * iter) ++{ ++ filename_trans_state_t *fts = NULL; ++ const policydb_t *db = NULL; ++ filename_trans_t *tmp = NULL; ++ size_t count = 0; ++ ++ if (!iter || !(fts = qpol_iterator_state(iter)) || !(db = qpol_iterator_policy(iter))) { ++ errno = EINVAL; ++ return STATUS_ERR; ++ } ++ ++ for (tmp = fts->head; tmp; tmp = tmp->next) ++ count++; ++ ++ return count; ++} ++ ++int qpol_policy_get_filename_trans_iter(const qpol_policy_t * policy, qpol_iterator_t ** iter) ++{ ++ policydb_t *db = NULL; ++ filename_trans_state_t *fts = NULL; ++ int error = 0; ++ ++ if (iter) ++ *iter = NULL; ++ ++ if (!policy || !iter) { ++ ERR(policy, "%s", strerror(EINVAL)); ++ errno = EINVAL; ++ return STATUS_ERR; ++ } ++ ++ db = &policy->p->p; ++ ++ fts = calloc(1, sizeof(filename_trans_state_t)); ++ if (!fts) { ++ /* errno set by calloc */ ++ ERR(policy, "%s", strerror(errno)); ++ return STATUS_ERR; ++ } ++ fts->head = fts->cur = db->filename_trans; ++ ++ if (qpol_iterator_create ++ (policy, (void *)fts, filename_trans_state_get_cur, filename_trans_state_next, filename_trans_state_end, filename_trans_state_size, ++ free, iter)) { ++ error = errno; ++ free(fts); ++ errno = error; ++ return STATUS_ERR; ++ } ++ ++ return STATUS_SUCCESS; ++} ++ ++int qpol_filename_trans_get_source_type(const qpol_policy_t * policy, const qpol_filename_trans_t * rule, const qpol_type_t ** source) ++{ ++ policydb_t *db = NULL; ++ filename_trans_t *ft = NULL; ++ ++ if (source) { ++ *source = NULL; ++ } ++ ++ if (!policy || !rule || !source) { ++ ERR(policy, "%s", strerror(EINVAL)); ++ errno = EINVAL; ++ return STATUS_ERR; ++ } ++ ++ db = &policy->p->p; ++ ft = (filename_trans_t *) rule; ++ ++ *source = (qpol_type_t *) db->type_val_to_struct[ft->stype - 1]; ++ ++ return STATUS_SUCCESS; ++} ++ ++int qpol_filename_trans_get_target_type(const qpol_policy_t * policy, const qpol_filename_trans_t * rule, const qpol_type_t ** target) ++{ ++ policydb_t *db = NULL; ++ filename_trans_t *ft = NULL; ++ ++ if (target) { ++ *target = NULL; ++ } ++ ++ if (!policy || !rule || !target) { ++ ERR(policy, "%s", strerror(EINVAL)); ++ errno = EINVAL; ++ return STATUS_ERR; ++ } ++ ++ db = &policy->p->p; ++ ft = (filename_trans_t *) rule; ++ ++ *target = (qpol_type_t *) db->type_val_to_struct[ft->ttype - 1]; ++ ++ return STATUS_SUCCESS; ++} ++ ++int qpol_filename_trans_get_object_class(const qpol_policy_t * policy, const qpol_filename_trans_t * rule, ++ const qpol_class_t ** obj_class) ++{ ++ policydb_t *db = NULL; ++ filename_trans_t *ft = NULL; ++ ++ if (obj_class) { ++ *obj_class = NULL; ++ } ++ ++ if (!policy || !rule || !obj_class) { ++ ERR(policy, "%s", strerror(EINVAL)); ++ errno = EINVAL; ++ return STATUS_ERR; ++ } ++ ++ db = &policy->p->p; ++ ft = (filename_trans_t *) rule; ++ ++ *obj_class = (qpol_class_t *) db->class_val_to_struct[ft->tclass - 1]; ++ ++ return STATUS_SUCCESS; ++} ++ ++int qpol_filename_trans_get_trans_type(const qpol_policy_t * policy, const qpol_filename_trans_t * rule, const qpol_type_t ** output_type) ++{ ++ policydb_t *db = NULL; ++ filename_trans_t *ft = NULL; ++ ++ if (output_type) { ++ *output_type = NULL; ++ } ++ ++ if (!policy || !rule || !output_type) { ++ ERR(policy, "%s", strerror(EINVAL)); ++ errno = EINVAL; ++ return STATUS_ERR; ++ } ++ ++ db = &policy->p->p; ++ ft = (filename_trans_t *) rule; ++ ++ *output_type = (qpol_type_t *) db->type_val_to_struct[ft->otype - 1]; ++ ++ return STATUS_SUCCESS; ++} ++ ++int qpol_filename_trans_get_default_type(const qpol_policy_t * policy, const qpol_filename_trans_t * rule, const qpol_type_t ** dflt) ++{ ++ policydb_t *db = NULL; ++ filename_trans_t *ft = NULL; ++ ++ if (dflt) { ++ *dflt = NULL; ++ } ++ ++ if (!policy || !rule || !dflt) { ++ ERR(policy, "%s", strerror(EINVAL)); ++ errno = EINVAL; ++ return STATUS_ERR; ++ } ++ ++ db = &policy->p->p; ++ ft = (filename_trans_t *) rule; ++ ++ *dflt = (qpol_type_t *) db->type_val_to_struct[ft->otype - 1]; ++ ++ return STATUS_SUCCESS; ++} ++ ++int qpol_filename_trans_get_filename(const qpol_policy_t * policy, const qpol_filename_trans_t * rule, const char ** name) ++{ ++ policydb_t *db = NULL; ++ filename_trans_t *ft = NULL; ++ ++ if (name) { ++ *name = NULL; ++ } ++ ++ if (!policy || !rule || !name) { ++ ERR(policy, "%s", strerror(EINVAL)); ++ errno = EINVAL; ++ return STATUS_ERR; ++ } ++ ++ db = &policy->p->p; ++ ft = (filename_trans_t *) rule; ++ ++ *name = ft->name; ++ ++ return STATUS_SUCCESS; ++} ++ +diff --git a/libqpol/src/libqpol.map b/libqpol/src/libqpol.map +index dd293bc..6973cca 100644 +--- a/libqpol/src/libqpol.map ++++ b/libqpol/src/libqpol.map +@@ -34,6 +34,7 @@ VERS_1.2 { + qpol_policy_reevaluate_conds; + qpol_portcon_*; + qpol_range_trans_*; ++ qpol_filename_trans_*; + qpol_role_*; + qpol_syn_avrule_*; + qpol_syn_terule_*; +diff --git a/libqpol/src/module_compiler.c b/libqpol/src/module_compiler.c +index dc19798..b06e285 100644 +--- a/libqpol/src/module_compiler.c ++++ b/libqpol/src/module_compiler.c +@@ -1247,6 +1247,18 @@ void append_role_allow(role_allow_rule_t * role_allow_rules) + } + + /* this doesn't actually append, but really prepends it */ ++void append_filename_trans(filename_trans_rule_t * filename_trans_rules) ++{ ++ avrule_decl_t *decl = stack_top->decl; ++ ++ /* filename transitions are not allowed within conditionals */ ++ assert(stack_top->type == 1); ++ ++ filename_trans_rules->next = decl->filename_trans_rules; ++ decl->filename_trans_rules = filename_trans_rules; ++} ++ ++/* this doesn't actually append, but really prepends it */ + void append_range_trans(range_trans_rule_t * range_tr_rules) + { + avrule_decl_t *decl = stack_top->decl; +diff --git a/libqpol/src/policy_define.c b/libqpol/src/policy_define.c +index c94f7aa..0f3a45a 100644 +--- a/libqpol/src/policy_define.c ++++ b/libqpol/src/policy_define.c +@@ -2133,7 +2133,7 @@ int define_role_trans(void) + + /* This ebitmap business is just to ensure that there are not conflicting role_trans rules */ + #ifdef HAVE_SEPOL_USER_ROLE_MAPPING +- if (role_set_expand(&roles, &e_roles, policydbp, NULL)) ++ if (role_set_expand(&roles, &e_roles, policydbp, NULL, NULL)) + #else + if (role_set_expand(&roles, &e_roles, policydbp)) + #endif +@@ -2226,6 +2226,190 @@ int define_role_allow(void) + return 0; + } + ++avrule_t *define_cond_filename_trans(void) ++{ ++ yyerror("type transitions with a filename not allowed inside " ++ "conditionals\n"); ++ return COND_ERR; ++} ++ ++int define_filename_trans(void) ++{ ++ char *id, *name = NULL; ++ type_set_t stypes, ttypes; ++ ebitmap_t e_stypes, e_ttypes; ++ ebitmap_t e_tclasses; ++ ebitmap_node_t *snode, *tnode, *cnode; ++ filename_trans_t *ft; ++ filename_trans_rule_t *ftr; ++ class_datum_t *cladatum; ++ type_datum_t *typdatum; ++ uint32_t otype; ++ unsigned int c, s, t; ++ int add; ++ ++ if (pass == 1) { ++ /* stype */ ++ while ((id = queue_remove(id_queue))) ++ free(id); ++ /* ttype */ ++ while ((id = queue_remove(id_queue))) ++ free(id); ++ /* tclass */ ++ while ((id = queue_remove(id_queue))) ++ free(id); ++ /* otype */ ++ id = queue_remove(id_queue); ++ free(id); ++ /* name */ ++ id = queue_remove(id_queue); ++ free(id); ++ return 0; ++ } ++ ++ ++ add = 1; ++ type_set_init(&stypes); ++ while ((id = queue_remove(id_queue))) { ++ if (set_types(&stypes, id, &add, 0)) ++ goto bad; ++ } ++ ++ add =1; ++ type_set_init(&ttypes); ++ while ((id = queue_remove(id_queue))) { ++ if (set_types(&ttypes, id, &add, 0)) ++ goto bad; ++ } ++ ++ ebitmap_init(&e_tclasses); ++ while ((id = queue_remove(id_queue))) { ++ if (!is_id_in_scope(SYM_CLASSES, id)) { ++ yyerror2("class %s is not within scope", id); ++ free(id); ++ goto bad; ++ } ++ cladatum = hashtab_search(policydbp->p_classes.table, id); ++ if (!cladatum) { ++ yyerror2("unknown class %s", id); ++ goto bad; ++ } ++ if (ebitmap_set_bit(&e_tclasses, cladatum->s.value - 1, TRUE)) { ++ yyerror("Out of memory"); ++ goto bad; ++ } ++ free(id); ++ } ++ ++ id = (char *)queue_remove(id_queue); ++ if (!id) { ++ yyerror("no otype in transition definition?"); ++ goto bad; ++ } ++ if (!is_id_in_scope(SYM_TYPES, id)) { ++ yyerror2("type %s is not within scope", id); ++ free(id); ++ goto bad; ++ } ++ typdatum = hashtab_search(policydbp->p_types.table, id); ++ if (!typdatum) { ++ yyerror2("unknown type %s used in transition definition", id); ++ goto bad; ++ } ++ free(id); ++ otype = typdatum->s.value; ++ ++ name = queue_remove(id_queue); ++ if (!name) { ++ yyerror("no pathname specified in filename_trans definition?"); ++ goto bad; ++ } ++ ++ /* We expand the class set into seperate rules. We expand the types ++ * just to make sure there are not duplicates. They will get turned ++ * into seperate rules later */ ++ ebitmap_init(&e_stypes); ++ if (type_set_expand(&stypes, &e_stypes, policydbp, 1)) ++ goto bad; ++ ++ ebitmap_init(&e_ttypes); ++ if (type_set_expand(&ttypes, &e_ttypes, policydbp, 1)) ++ goto bad; ++ ++ ebitmap_for_each_bit(&e_tclasses, cnode, c) { ++ if (!ebitmap_node_get_bit(cnode, c)) ++ continue; ++ ebitmap_for_each_bit(&e_stypes, snode, s) { ++ if (!ebitmap_node_get_bit(snode, s)) ++ continue; ++ ebitmap_for_each_bit(&e_ttypes, tnode, t) { ++ if (!ebitmap_node_get_bit(tnode, t)) ++ continue; ++ ++ for (ft = policydbp->filename_trans; ft; ft = ft->next) { ++ if (ft->stype == (s + 1) && ++ ft->ttype == (t + 1) && ++ ft->tclass == (c + 1) && ++ !strcmp(ft->name, name)) { ++ yyerror2("duplicate filename transition for: filename_trans %s %s %s:%s", ++ name, ++ policydbp->p_type_val_to_name[s], ++ policydbp->p_type_val_to_name[t], ++ policydbp->p_class_val_to_name[c]); ++ goto bad; ++ } ++ } ++ ++ ft = malloc(sizeof(*ft)); ++ if (!ft) { ++ yyerror("out of memory"); ++ goto bad; ++ } ++ memset(ft, 0, sizeof(*ft)); ++ ++ ft->next = policydbp->filename_trans; ++ policydbp->filename_trans = ft; ++ ++ ft->name = strdup(name); ++ if (!ft->name) { ++ yyerror("out of memory"); ++ goto bad; ++ } ++ ft->stype = s + 1; ++ ft->ttype = t + 1; ++ ft->tclass = c + 1; ++ ft->otype = otype; ++ } ++ } ++ ++ /* Now add the real rule since we didn't find any duplicates */ ++ ftr = malloc(sizeof(*ftr)); ++ if (!ftr) { ++ yyerror("out of memory"); ++ goto bad; ++ } ++ filename_trans_rule_init(ftr); ++ append_filename_trans(ftr); ++ ++ ftr->name = strdup(name); ++ ftr->stypes = stypes; ++ ftr->ttypes = ttypes; ++ ftr->tclass = c + 1; ++ ftr->otype = otype; ++ } ++ ++ free(name); ++ ebitmap_destroy(&e_stypes); ++ ebitmap_destroy(&e_ttypes); ++ ebitmap_destroy(&e_tclasses); ++ ++ return 0; ++ ++bad: ++ free(name); ++ return -1; ++} ++ + static constraint_expr_t *constraint_expr_clone(constraint_expr_t * expr) + { + constraint_expr_t *h = NULL, *l = NULL, *e, *newe; +diff --git a/libqpol/src/policy_parse.y b/libqpol/src/policy_parse.y +index 84f4114..dc16c6f 100644 +--- a/libqpol/src/policy_parse.y ++++ b/libqpol/src/policy_parse.y +@@ -98,6 +98,7 @@ extern char *qpol_src_inputlim;/* end of data */ + %type require_decl_def + + %token PATH ++%token FILENAME + %token CLONE + %token COMMON + %token CLASS +@@ -360,7 +361,10 @@ cond_rule_def : cond_transition_def + | require_block + { $$ = NULL; } + ; +-cond_transition_def : TYPE_TRANSITION names names ':' names identifier ';' ++cond_transition_def : TYPE_TRANSITION names names ':' names identifier filename ';' ++ { $$ = define_cond_filename_trans() ; ++ if ($$ == COND_ERR) return -1;} ++ | TYPE_TRANSITION names names ':' names identifier ';' + { $$ = define_cond_compute_type(AVRULE_TRANSITION) ; + if ($$ == COND_ERR) return -1;} + | TYPE_MEMBER names names ':' names identifier ';' +@@ -395,7 +399,9 @@ cond_dontaudit_def : DONTAUDIT names names ':' names names ';' + { $$ = define_cond_te_avtab(AVRULE_DONTAUDIT); + if ($$ == COND_ERR) return -1; } + ; +-transition_def : TYPE_TRANSITION names names ':' names identifier ';' ++transition_def : TYPE_TRANSITION names names ':' names identifier filename ';' ++ {if (define_filename_trans()) return -1; } ++ | TYPE_TRANSITION names names ':' names identifier ';' + {if (define_compute_type(AVRULE_TRANSITION)) return -1;} + | TYPE_MEMBER names names ':' names identifier ';' + {if (define_compute_type(AVRULE_MEMBER)) return -1;} +@@ -752,6 +758,9 @@ identifier : IDENTIFIER + path : PATH + { if (insert_id(yytext,0)) return -1; } + ; ++filename : FILENAME ++ { yytext[strlen(yytext) - 1] = '\0'; if (insert_id(yytext + 1,0)) return -1; } ++ ; + number : NUMBER + { $$ = strtoul(yytext,NULL,0); } + ; +diff --git a/libqpol/src/policy_scan.l b/libqpol/src/policy_scan.l +index 75485f3..30203cd 100644 +--- a/libqpol/src/policy_scan.l ++++ b/libqpol/src/policy_scan.l +@@ -235,6 +235,7 @@ POLICYCAP { return(POLICYCAP); } + permissive | + PERMISSIVE { return(PERMISSIVE); } + "/"({alnum}|[_\.\-/])* { return(PATH); } ++\"({alnum}|[_\.\-])+\" { return(FILENAME); } + {letter}({alnum}|[_\-])*([\.]?({alnum}|[_\-]))* { return(IDENTIFIER); } + {digit}+|0x{hexval}+ { return(NUMBER); } + {digit}{1,3}(\.{digit}{1,3}){3} { return(IPV4_ADDR); } +diff --git a/secmds/sesearch.c b/secmds/sesearch.c +index ec0315f..e44b3bc 100644 +--- a/secmds/sesearch.c ++++ b/secmds/sesearch.c +@@ -575,6 +575,95 @@ static void print_te_results(const apol_policy_t * policy, const options_t * opt + free(expr); + } + ++static int perform_ft_query(const apol_policy_t * policy, const options_t * opt, apol_vector_t ** v) ++{ ++ apol_filename_trans_query_t *ftq = NULL; ++ int error = 0; ++ ++ if (!policy || !opt || !v) { ++ ERR(policy, "%s", strerror(EINVAL)); ++ errno = EINVAL; ++ return -1; ++ } ++ ++ if (!opt->type == QPOL_RULE_TYPE_TRANS && !opt->all) { ++ *v = NULL; ++ return 0; /* no search to do */ ++ } ++ ++ ftq = apol_filename_trans_query_create(); ++ if (!ftq) { ++ ERR(policy, "%s", strerror(ENOMEM)); ++ errno = ENOMEM; ++ return -1; ++ } ++ ++ apol_filename_trans_query_set_regex(policy, ftq, opt->useregex); ++ if (opt->src_name) { ++ if (apol_filename_trans_query_set_source(policy, ftq, opt->src_name)) { ++ error = errno; ++ goto err; ++ } ++ } ++ if (opt->tgt_name) { ++ if (apol_filename_trans_query_set_target(policy, ftq, opt->tgt_name, opt->indirect)) { ++ error = errno; ++ goto err; ++ } ++ } ++ ++ if (apol_filename_trans_get_by_query(policy, ftq, v)) { ++ error = errno; ++ goto err; ++ } ++ ++ apol_filename_trans_query_destroy(&ftq); ++ return 0; ++ ++ err: ++ apol_vector_destroy(v); ++ apol_filename_trans_query_destroy(&ftq); ++ ERR(policy, "%s", strerror(error)); ++ errno = error; ++ return -1; ++} ++ ++static void print_ft_results(const apol_policy_t * policy, const options_t * opt, const apol_vector_t * v) ++{ ++ qpol_policy_t *q = apol_policy_get_qpol(policy); ++ size_t i, num_rules = 0; ++ const qpol_filename_trans_t *rule = NULL; ++ char *tmp = NULL, *rule_str = NULL, *expr = NULL; ++ char enable_char = ' ', branch_char = ' '; ++ qpol_iterator_t *iter = NULL; ++ const qpol_cond_t *cond = NULL; ++ uint32_t enabled = 0, list = 0; ++ ++ if (!(num_rules = apol_vector_get_size(v))) ++ goto cleanup; ++ ++ fprintf(stdout, "Found %zd named file transition rules:\n", num_rules); ++ ++ for (i = 0; i < num_rules; i++) { ++ enable_char = branch_char = ' '; ++ if (!(rule = apol_vector_get_element(v, i))) ++ goto cleanup; ++ ++ if (!(rule_str = apol_filename_trans_render(policy, rule))) ++ goto cleanup; ++ fprintf(stdout, "%s %s\n", rule_str, expr ? expr : ""); ++ free(rule_str); ++ rule_str = NULL; ++ free(expr); ++ expr = NULL; ++ } ++ ++ cleanup: ++ free(tmp); ++ free(rule_str); ++ free(expr); ++} ++ + static int perform_ra_query(const apol_policy_t * policy, const options_t * opt, apol_vector_t ** v) + { + apol_role_allow_query_t *raq = NULL; +@@ -1128,6 +1217,18 @@ int main(int argc, char **argv) + print_te_results(policy, &cmd_opts, v); + fprintf(stdout, "\n"); + } ++ ++ if (cmd_opts.all || cmd_opts.type == QPOL_RULE_TYPE_TRANS) { ++ apol_vector_destroy(&v); ++ if (perform_ft_query(policy, &cmd_opts, &v)) { ++ rt = 1; ++ goto cleanup; ++ } ++ ++ print_ft_results(policy, &cmd_opts, v); ++ fprintf(stdout, "\n"); ++ } ++ + apol_vector_destroy(&v); + if (perform_ra_query(policy, &cmd_opts, &v)) { + rt = 1; +-- +1.7.6.2 + +diff -up setools-3.3.7/libapol/include/apol/Makefile.am.filenametrans setools-3.3.7/libapol/include/apol/Makefile.am +--- setools-3.3.7/libapol/include/apol/Makefile.am.filenametrans 2009-07-14 14:03:27.000000000 -0400 ++++ setools-3.3.7/libapol/include/apol/Makefile.am 2011-10-26 16:24:59.948130442 -0400 +@@ -27,6 +27,7 @@ apol_HEADERS = \ + relabel-analysis.h \ + render.h \ + role-query.h \ ++ ftrule-query.h \ + terule-query.h \ + type-query.h \ + types-relation-analysis.h \ +diff -up setools-3.3.7/libqpol/include/qpol/Makefile.am.filenametrans setools-3.3.7/libqpol/include/qpol/Makefile.am +--- setools-3.3.7/libqpol/include/qpol/Makefile.am.filenametrans 2011-10-26 16:22:28.723523155 -0400 ++++ setools-3.3.7/libqpol/include/qpol/Makefile.am 2011-10-26 16:22:41.283493767 -0400 +@@ -25,6 +25,7 @@ qpol_HEADERS = \ + role_query.h \ + syn_rule_query.h \ + terule_query.h \ ++ ftrule_query.h \ + type_query.h \ + user_query.h \ + util.h diff --git a/SOURCES/0007-Remove-unused-variables.patch b/SOURCES/0007-Remove-unused-variables.patch new file mode 100644 index 0000000..dfa532c --- /dev/null +++ b/SOURCES/0007-Remove-unused-variables.patch @@ -0,0 +1,277 @@ +From e30036e358b8f1c3f56048b467e8646fa3bfffb6 Mon Sep 17 00:00:00 2001 +From: Dan Walsh +Date: Tue, 20 Sep 2011 16:40:26 -0400 +Subject: [PATCH 7/7] Remove unused variables + +--- + libapol/src/ftrule-query.c | 11 ++---- + libqpol/src/ftrule_query.c | 2 - + secmds/sesearch.c | 86 +++++++++++++++++++++++++++++++++----------- + 3 files changed, 68 insertions(+), 31 deletions(-) + +diff --git a/libapol/src/ftrule-query.c b/libapol/src/ftrule-query.c +index dc248de..9c7a23b 100644 +--- a/libapol/src/ftrule-query.c ++++ b/libapol/src/ftrule-query.c +@@ -45,14 +45,11 @@ struct apol_filename_trans_query + int apol_filename_trans_get_by_query(const apol_policy_t * p, const apol_filename_trans_query_t * t, apol_vector_t ** v) + { + apol_vector_t *source_list = NULL, *target_list = NULL, *class_list = NULL, *default_list = NULL; +- int retval = -1, source_as_any = 0, is_regex = 0, append_filename_trans; +- char *bool_name = NULL; ++ int retval = -1, source_as_any = 0, is_regex = 0; + *v = NULL; +- unsigned int flags = 0; +- qpol_iterator_t *iter = NULL, *type_iter = NULL; ++ qpol_iterator_t *iter = NULL; + + if (t != NULL) { +- flags = t->flags; + is_regex = t->flags & APOL_QUERY_REGEX; + if (t->source != NULL && + (source_list = +@@ -104,7 +101,7 @@ int apol_filename_trans_get_by_query(const apol_policy_t * p, const apol_filenam + if (qpol_iterator_get_item(iter, (void **)&filename_trans) < 0) { + goto cleanup; + } +- int match_source = 0, match_target = 0, match_default = 0, match_bool = 0; ++ int match_source = 0, match_target = 0, match_default = 0; + size_t i; + + if (source_list == NULL) { +@@ -265,10 +262,8 @@ char *apol_filename_trans_render(const apol_policy_t * policy, const qpol_filena + { + char *tmp = NULL; + const char *tmp_name = NULL; +- const char *filename_trans_type_str; + int error = 0; + size_t tmp_sz = 0; +- uint32_t filename_trans_type = 0; + const qpol_type_t *type = NULL; + const qpol_class_t *obj_class = NULL; + +diff --git a/libqpol/src/ftrule_query.c b/libqpol/src/ftrule_query.c +index d6db848..3148d30 100644 +--- a/libqpol/src/ftrule_query.c ++++ b/libqpol/src/ftrule_query.c +@@ -254,7 +254,6 @@ int qpol_filename_trans_get_default_type(const qpol_policy_t * policy, const qpo + + int qpol_filename_trans_get_filename(const qpol_policy_t * policy, const qpol_filename_trans_t * rule, const char ** name) + { +- policydb_t *db = NULL; + filename_trans_t *ft = NULL; + + if (name) { +@@ -267,7 +266,6 @@ int qpol_filename_trans_get_filename(const qpol_policy_t * policy, const qpol_fi + return STATUS_ERR; + } + +- db = &policy->p->p; + ft = (filename_trans_t *) rule; + + *name = ft->name; +diff --git a/secmds/sesearch.c b/secmds/sesearch.c +index e44b3bc..319ffe7 100644 +--- a/secmds/sesearch.c ++++ b/secmds/sesearch.c +@@ -72,6 +72,7 @@ static struct option const longopts[] = { + + {"source", required_argument, NULL, 's'}, + {"target", required_argument, NULL, 't'}, ++ {"default", required_argument, NULL, 'D'}, + {"role_source", required_argument, NULL, EXPR_ROLE_SOURCE}, + {"role_target", required_argument, NULL, EXPR_ROLE_TARGET}, + {"class", required_argument, NULL, 'c'}, +@@ -92,6 +93,7 @@ typedef struct options + { + char *src_name; + char *tgt_name; ++ char *default_name; + char *src_role_name; + char *tgt_role_name; + char *class_name; +@@ -293,7 +295,8 @@ static void print_syn_av_results(const apol_policy_t * policy, const options_t * + tmp = apol_cond_expr_render(policy, cond); + enable_char = (enabled ? 'E' : 'D'); + branch_char = ((is_true && enabled) || (!is_true && !enabled) ? 'T' : 'F'); +- asprintf(&expr, "[ %s ]", tmp); ++ if (asprintf(&expr, "[ %s ]", tmp) < 0) ++ goto cleanup; + free(tmp); + tmp = NULL; + if (!expr) +@@ -356,7 +359,8 @@ static void print_av_results(const apol_policy_t * policy, const options_t * opt + qpol_iterator_destroy(&iter); + enable_char = (enabled ? 'E' : 'D'); + branch_char = (list ? 'T' : 'F'); +- asprintf(&expr, "[ %s ]", tmp); ++ if (asprintf(&expr, "[ %s ]", tmp) < 0) ++ goto cleanup; + free(tmp); + tmp = NULL; + if (!expr) +@@ -488,7 +492,8 @@ static void print_syn_te_results(const apol_policy_t * policy, const options_t * + tmp = apol_cond_expr_render(policy, cond); + enable_char = (enabled ? 'E' : 'D'); + branch_char = ((is_true && enabled) || (!is_true && !enabled) ? 'T' : 'F'); +- asprintf(&expr, "[ %s ]", tmp); ++ if (asprintf(&expr, "[ %s ]", tmp) < 0) ++ goto cleanup; + free(tmp); + tmp = NULL; + if (!expr) +@@ -553,7 +558,8 @@ static void print_te_results(const apol_policy_t * policy, const options_t * opt + qpol_iterator_destroy(&iter); + enable_char = (enabled ? 'E' : 'D'); + branch_char = (list ? 'T' : 'F'); +- asprintf(&expr, "[ %s ]", tmp); ++ if (asprintf(&expr, "[ %s ]", tmp) < 0) ++ goto cleanup; + free(tmp); + tmp = NULL; + if (!expr) +@@ -586,7 +592,7 @@ static int perform_ft_query(const apol_policy_t * policy, const options_t * opt, + return -1; + } + +- if (!opt->type == QPOL_RULE_TYPE_TRANS && !opt->all) { ++ if (!opt->type && !opt->all) { + *v = NULL; + return 0; /* no search to do */ + } +@@ -600,17 +606,44 @@ static int perform_ft_query(const apol_policy_t * policy, const options_t * opt, + + apol_filename_trans_query_set_regex(policy, ftq, opt->useregex); + if (opt->src_name) { +- if (apol_filename_trans_query_set_source(policy, ftq, opt->src_name)) { ++ if (apol_filename_trans_query_set_source(policy, ftq, opt->src_name, opt->indirect)) { + error = errno; + goto err; + } + } ++ + if (opt->tgt_name) { + if (apol_filename_trans_query_set_target(policy, ftq, opt->tgt_name, opt->indirect)) { + error = errno; + goto err; + } + } ++ if (opt->default_name) { ++ if (apol_filename_trans_query_set_default(policy, ftq, opt->default_name)) { ++ error = errno; ++ goto err; ++ } ++ } ++ ++ if (opt->class_name) { ++ if (opt->class_vector == NULL) { ++ if (apol_filename_trans_query_append_class(policy, ftq, opt->class_name)) { ++ error = errno; ++ goto err; ++ } ++ } else { ++ for (size_t i = 0; i < apol_vector_get_size(opt->class_vector); ++i) { ++ char *class_name; ++ class_name = apol_vector_get_element(opt->class_vector, i); ++ if (!class_name) ++ continue; ++ if (apol_filename_trans_query_append_class(policy, ftq, class_name)) { ++ error = errno; ++ goto err; ++ } ++ } ++ } ++ } + + if (apol_filename_trans_get_by_query(policy, ftq, v)) { + error = errno; +@@ -630,37 +663,36 @@ static int perform_ft_query(const apol_policy_t * policy, const options_t * opt, + + static void print_ft_results(const apol_policy_t * policy, const options_t * opt, const apol_vector_t * v) + { +- qpol_policy_t *q = apol_policy_get_qpol(policy); +- size_t i, num_rules = 0; +- const qpol_filename_trans_t *rule = NULL; +- char *tmp = NULL, *rule_str = NULL, *expr = NULL; ++ size_t i, num_filename_trans = 0; ++ const qpol_filename_trans_t *filename_trans = NULL; ++ char *tmp = NULL, *filename_trans_str = NULL, *expr = NULL; + char enable_char = ' ', branch_char = ' '; + qpol_iterator_t *iter = NULL; + const qpol_cond_t *cond = NULL; + uint32_t enabled = 0, list = 0; + +- if (!(num_rules = apol_vector_get_size(v))) ++ if (!(num_filename_trans = apol_vector_get_size(v))) + goto cleanup; + +- fprintf(stdout, "Found %zd named file transition rules:\n", num_rules); ++ fprintf(stdout, "Found %zd named file transition filename_trans:\n", num_filename_trans); + +- for (i = 0; i < num_rules; i++) { ++ for (i = 0; i < num_filename_trans; i++) { + enable_char = branch_char = ' '; +- if (!(rule = apol_vector_get_element(v, i))) ++ if (!(filename_trans = apol_vector_get_element(v, i))) + goto cleanup; + +- if (!(rule_str = apol_filename_trans_render(policy, rule))) ++ if (!(filename_trans_str = apol_filename_trans_render(policy, filename_trans))) + goto cleanup; +- fprintf(stdout, "%s %s\n", rule_str, expr ? expr : ""); +- free(rule_str); +- rule_str = NULL; ++ fprintf(stdout, "%s %s\n", filename_trans_str, expr ? expr : ""); ++ free(filename_trans_str); ++ filename_trans_str = NULL; + free(expr); + expr = NULL; + } + + cleanup: + free(tmp); +- free(rule_str); ++ free(filename_trans_str); + free(expr); + } + +@@ -930,7 +962,7 @@ int main(int argc, char **argv) + + memset(&cmd_opts, 0, sizeof(cmd_opts)); + cmd_opts.indirect = true; +- while ((optc = getopt_long(argc, argv, "ATs:t:c:p:b:dRnSChV", longopts, NULL)) != -1) { ++ while ((optc = getopt_long(argc, argv, "ATs:t:c:p:b:dD:RnSChV", longopts, NULL)) != -1) { + switch (optc) { + case 0: + break; +@@ -946,6 +978,18 @@ int main(int argc, char **argv) + exit(1); + } + break; ++ case 'D': /* source */ ++ if (optarg == 0) { ++ usage(argv[0], 1); ++ printf("Missing source default type for -D (--default)\n"); ++ exit(1); ++ } ++ cmd_opts.default_name = strdup(optarg); ++ if (!cmd_opts.default_name) { ++ ++ exit(1); ++ } ++ break; + case 't': /* target */ + if (optarg == 0) { + usage(argv[0], 1); +@@ -1218,7 +1262,7 @@ int main(int argc, char **argv) + fprintf(stdout, "\n"); + } + +- if (cmd_opts.all || cmd_opts.type == QPOL_RULE_TYPE_TRANS) { ++ if (cmd_opts.all || cmd_opts.type) { + apol_vector_destroy(&v); + if (perform_ft_query(policy, &cmd_opts, &v)) { + rt = 1; +-- +1.7.6.2 + diff --git a/SOURCES/0008-Fix-output-to-match-policy-lines.patch b/SOURCES/0008-Fix-output-to-match-policy-lines.patch new file mode 100644 index 0000000..47c258e --- /dev/null +++ b/SOURCES/0008-Fix-output-to-match-policy-lines.patch @@ -0,0 +1,34 @@ +From 2f89d9acc12c0a7b50a94e4247b015242ce712c9 Mon Sep 17 00:00:00 2001 +From: Dan Walsh +Date: Wed, 21 Sep 2011 15:15:02 -0400 +Subject: [PATCH 8/8] Fix output to match policy lines + +--- + libapol/src/ftrule-query.c | 4 ++-- + 1 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/libapol/src/ftrule-query.c b/libapol/src/ftrule-query.c +index 9c7a23b..1d5f5c8 100644 +--- a/libapol/src/ftrule-query.c ++++ b/libapol/src/ftrule-query.c +@@ -282,7 +282,7 @@ char *apol_filename_trans_render(const apol_policy_t * policy, const qpol_filena + error = errno; + goto err; + } +- if (apol_str_appendf(&tmp, &tmp_sz, "transition_type %s ", tmp_name)) { ++ if (apol_str_appendf(&tmp, &tmp_sz, "type_transition %s ", tmp_name)) { + error = errno; + ERR(policy, "%s", strerror(error)); + goto err; +@@ -338,7 +338,7 @@ char *apol_filename_trans_render(const apol_policy_t * policy, const qpol_filena + goto err; + } + +- if (apol_str_appendf(&tmp, &tmp_sz, " %s", tmp_name)) { ++ if (apol_str_appendf(&tmp, &tmp_sz, " \"%s\"", tmp_name)) { + error = errno; + ERR(policy, "%s", strerror(error)); + goto err; +-- +1.7.6.2 + diff --git a/SOURCES/0009-Fix-swig-coding-style-for-structures.patch b/SOURCES/0009-Fix-swig-coding-style-for-structures.patch new file mode 100644 index 0000000..f05cd4a --- /dev/null +++ b/SOURCES/0009-Fix-swig-coding-style-for-structures.patch @@ -0,0 +1,583 @@ +#diff -Nur old_setools/libqpol/swig/qpol.i setools-3.3.7/libqpol/swig/qpol.i +diff -Nur setools-3.3.7/libqpol/swig/qpol.i.current setools-3.3.7/libqpol/swig/qpol.i +--- old_setools/libqpol/swig/qpol.i 2010-04-30 18:23:28.000000000 +0200 ++++ setools-3.3.7/libqpol/swig/qpol.i 2012-07-03 19:20:45.383016553 +0200 +@@ -228,7 +228,7 @@ + #define QPOL_MODULE_OTHER 2 + typedef struct qpol_module {} qpol_module_t; + %extend qpol_module_t { +- qpol_module_t(const char *path) { ++ qpol_module(const char *path) { + qpol_module_t *m; + BEGIN_EXCEPTION + if (qpol_module_create_from_file(path, &m)) { +@@ -239,7 +239,7 @@ + fail: + return NULL; + }; +- ~qpol_module_t() { ++ ~qpol_module() { + qpol_module_destroy(&self); + }; + const char *get_path() { +@@ -330,7 +330,7 @@ + } qpol_capability_e; + + %extend qpol_policy_t { +- qpol_policy_t(const char *path, const int options) { ++ qpol_policy(const char *path, const int options) { + qpol_policy_t *p; + BEGIN_EXCEPTION + if (qpol_policy_open_from_file(path, &p, qpol_swig_message_callback, qpol_swig_message_callback_arg, options) < 0) { +@@ -341,7 +341,7 @@ + fail: + return NULL; + } +- ~qpol_policy_t() { ++ ~qpol_policy() { + qpol_policy_destroy(&self); + }; + void reevaluate_conds() { +@@ -687,14 +687,14 @@ + typedef struct qpol_iterator {} qpol_iterator_t; + %extend qpol_iterator_t { + /* user never directly creates, but SWIG expects a constructor */ +- qpol_iterator_t() { ++ qpol_iterator() { + BEGIN_EXCEPTION + SWIG_exception(SWIG_TypeError, "User may not create iterators difectly"); + END_EXCEPTION + fail: + return NULL; + }; +- ~qpol_iterator_t() { ++ ~qpol_iterator() { + qpol_iterator_destroy(&self); + }; + void *get_item() { +@@ -736,7 +736,7 @@ + /* qpol type */ + typedef struct qpol_type {} qpol_type_t; + %extend qpol_type_t { +- qpol_type_t(qpol_policy_t *p, const char *name) { ++ qpol_type(qpol_policy_t *p, const char *name) { + BEGIN_EXCEPTION + const qpol_type_t *t; + if (qpol_policy_get_type_by_name(p, name, &t)) { +@@ -747,7 +747,7 @@ + fail: + return NULL; + }; +- ~qpol_type_t() { ++ ~qpol_type() { + /* no op */ + return; + }; +@@ -851,7 +851,7 @@ + /* qpol role */ + typedef struct qpol_role {} qpol_role_t; + %extend qpol_role_t { +- qpol_role_t(qpol_policy_t *p, const char *name) { ++ qpol_role(qpol_policy_t *p, const char *name) { + const qpol_role_t *r; + BEGIN_EXCEPTION + if (qpol_policy_get_role_by_name(p, name, &r)) { +@@ -862,7 +862,7 @@ + fail: + return NULL; + }; +- ~qpol_role_t() { ++ ~qpol_role() { + /* no op */ + return; + }; +@@ -919,7 +919,7 @@ + /* qpol level */ + typedef struct qpol_level {} qpol_level_t; + %extend qpol_level_t { +- qpol_level_t(qpol_policy_t *p, const char *name) { ++ qpol_level(qpol_policy_t *p, const char *name) { + const qpol_level_t *l; + BEGIN_EXCEPTION + if (qpol_policy_get_level_by_name(p, name, &l)) { +@@ -930,7 +930,7 @@ + fail: + return NULL; + }; +- ~qpol_level_t() { ++ ~qpol_level() { + /* no op */ + return; + }; +@@ -997,7 +997,7 @@ + /* qpol cat */ + typedef struct qpol_cat {} qpol_cat_t; + %extend qpol_cat_t { +- qpol_cat_t(qpol_policy_t *p, const char *name) { ++ qpol_cat(qpol_policy_t *p, const char *name) { + const qpol_cat_t *c; + BEGIN_EXCEPTION + if (qpol_policy_get_cat_by_name(p, name, &c)) { +@@ -1008,7 +1008,7 @@ + fail: + return NULL; + }; +- ~qpol_cat_t() { ++ ~qpol_cat() { + /* no op */ + return; + }; +@@ -1064,14 +1064,14 @@ + /* qpol mls range */ + typedef struct qpol_mls_range {} qpol_mls_range_t; + %extend qpol_mls_range_t { +- qpol_mls_range_t() { ++ qpol_mls_range() { + BEGIN_EXCEPTION + SWIG_exception(SWIG_RuntimeError, "Cannot directly create qpol_mls_range_t objects"); + END_EXCEPTION + fail: + return NULL; + } +- ~qpol_mls_range_t() { ++ ~qpol_mls_range() { + /* no op */ + return; + }; +@@ -1105,14 +1105,14 @@ + /* qpol mls level */ + typedef struct qpol_mls_level {} qpol_mls_level_t; + %extend qpol_mls_level_t { +- qpol_mls_level_t() { ++ qpol_mls_level() { + BEGIN_EXCEPTION + SWIG_exception(SWIG_RuntimeError, "Cannot directly create qpol_mls_level_t objects"); + END_EXCEPTION + fail: + return NULL; + } +- ~qpol_mls_level_t() { ++ ~qpol_mls_level() { + /* no op */ + return; + }; +@@ -1147,7 +1147,7 @@ + /* qpol user */ + typedef struct qpol_user {} qpol_user_t; + %extend qpol_user_t { +- qpol_user_t(qpol_policy_t *p, const char *name) { ++ qpol_user(qpol_policy_t *p, const char *name) { + const qpol_user_t *u; + BEGIN_EXCEPTION + if (qpol_policy_get_user_by_name(p, name, &u)) { +@@ -1158,7 +1158,7 @@ + fail: + return NULL; + }; +- ~qpol_user_t() { ++ ~qpol_user() { + /* no op */ + return; + }; +@@ -1223,7 +1223,7 @@ + /* qpol bool */ + typedef struct qpol_bool {} qpol_bool_t; + %extend qpol_bool_t { +- qpol_bool_t(qpol_policy_t *p, const char *name) { ++ qpol_bool(qpol_policy_t *p, const char *name) { + qpol_bool_t *b; + BEGIN_EXCEPTION + if (qpol_policy_get_bool_by_name(p, name, &b)) { +@@ -1233,7 +1233,7 @@ + fail: + return b; + }; +- ~qpol_bool_t() { ++ ~qpol_bool() { + /* no op */ + return; + }; +@@ -1295,14 +1295,14 @@ + /* qpol context */ + typedef struct qpol_context {} qpol_context_t; + %extend qpol_context_t { +- qpol_context_t() { ++ qpol_context() { + BEGIN_EXCEPTION + SWIG_exception(SWIG_RuntimeError, "Cannot directly create qpol_context_t objects"); + END_EXCEPTION + fail: + return NULL; + }; +- ~qpol_context_t() { ++ ~qpol_context() { + /* no op */ + return; + }; +@@ -1356,7 +1356,7 @@ + /* qpol class */ + typedef struct qpol_class {} qpol_class_t; + %extend qpol_class_t { +- qpol_class_t(qpol_policy_t *p, const char *name) { ++ qpol_class(qpol_policy_t *p, const char *name) { + const qpol_class_t *c; + BEGIN_EXCEPTION + if (qpol_policy_get_class_by_name(p, name, &c)) { +@@ -1366,7 +1366,7 @@ + fail: + return (qpol_class_t*)c; + }; +- ~qpol_class_t() { ++ ~qpol_class() { + /* no op */ + return; + }; +@@ -1443,7 +1443,7 @@ + /* qpol common */ + typedef struct qpol_common {} qpol_common_t; + %extend qpol_common_t { +- qpol_common_t(qpol_policy_t *p, const char *name) { ++ qpol_common(qpol_policy_t *p, const char *name) { + const qpol_common_t *c; + BEGIN_EXCEPTION + if (qpol_policy_get_common_by_name(p, name, &c)) { +@@ -1453,7 +1453,7 @@ + fail: + return (qpol_common_t*)c; + }; +- ~qpol_common_t() { ++ ~qpol_common() { + /* no op */ + return; + }; +@@ -1515,7 +1515,7 @@ + #define QPOL_FS_USE_PSID 6U + #endif + typedef struct qpol_fs_use {} qpol_fs_use_t; +-%extend qpol_fs_use_t { ++%extend qpol_fs_use { + qpol_fs_use_t(qpol_policy_t *p, const char *name) { + const qpol_fs_use_t *f; + BEGIN_EXCEPTION +@@ -1526,7 +1526,7 @@ + fail: + return (qpol_fs_use_t*)f; + }; +- ~qpol_fs_use_t() { ++ ~qpol_fs_use() { + /* no op */ + return; + }; +@@ -1594,7 +1594,7 @@ + #endif + typedef struct qpol_genfscon {} qpol_genfscon_t; + %extend qpol_genfscon_t { +- qpol_genfscon_t(qpol_policy_t *p, const char *name, const char *path) { ++ qpol_genfscon(qpol_policy_t *p, const char *name, const char *path) { + qpol_genfscon_t *g; + BEGIN_EXCEPTION + if (qpol_policy_get_genfscon_by_name(p, name, path, &g)) { +@@ -1604,7 +1604,7 @@ + fail: + return g; + }; +- ~qpol_genfscon_t() { ++ ~qpol_genfscon() { + free(self); + }; + const char *get_name(qpol_policy_t *p) { +@@ -1656,7 +1656,7 @@ + + /* qpol isid */ + typedef struct qpol_isid {} qpol_isid_t; +-%extend qpol_isid_t { ++%extend qpol_isid { + qpol_isid_t(qpol_policy_t *p, const char *name) { + const qpol_isid_t *i; + BEGIN_EXCEPTION +@@ -1667,7 +1667,7 @@ + fail: + return (qpol_isid_t*)i; + }; +- ~qpol_isid_t() { ++ ~qpol_isid() { + /* no op */ + return; + }; +@@ -1701,7 +1701,7 @@ + /* qpol netifcon */ + typedef struct qpol_netifcon {} qpol_netifcon_t; + %extend qpol_netifcon_t { +- qpol_netifcon_t(qpol_policy_t *p, const char *name) { ++ qpol_netifcon(qpol_policy_t *p, const char *name) { + const qpol_netifcon_t *n; + BEGIN_EXCEPTION + if (qpol_policy_get_netifcon_by_name(p, name, &n)) { +@@ -1711,7 +1711,7 @@ + fail: + return (qpol_netifcon_t*)n; + }; +- ~qpol_netifcon_t() { ++ ~qpol_netifcon() { + /* no op */ + return; + }; +@@ -1757,7 +1757,7 @@ + #define QPOL_IPV6 1 + typedef struct qpol_nodecon {} qpol_nodecon_t; + %extend qpol_nodecon_t { +- qpol_nodecon_t(qpol_policy_t *p, int addr[4], int mask[4], int protocol) { ++ qpol_nodecon(qpol_policy_t *p, int addr[4], int mask[4], int protocol) { + uint32_t a[4], m[4]; + qpol_nodecon_t *n; + BEGIN_EXCEPTION +@@ -1772,7 +1772,7 @@ + fail: + return n; + } +- ~qpol_nodecon_t() { ++ ~qpol_nodecon() { + free(self); + }; + uint32_t *get_addr(qpol_policy_t *p) { +@@ -1830,7 +1830,7 @@ + #define IPPROTO_UDP 17 + typedef struct qpol_portcon {} qpol_portcon_t; + %extend qpol_portcon_t { +- qpol_portcon_t(qpol_policy_t *p, uint16_t low, uint16_t high, uint8_t protocol) { ++ qpol_portcon(qpol_policy_t *p, uint16_t low, uint16_t high, uint8_t protocol) { + const qpol_portcon_t *qp; + BEGIN_EXCEPTION + if (qpol_policy_get_portcon_by_port(p, low, high, protocol, &qp)) { +@@ -1840,7 +1840,7 @@ + fail: + return (qpol_portcon_t*)qp; + }; +- ~qpol_portcon_t() { ++ ~qpol_portcon() { + /* no op */ + return; + }; +@@ -1893,7 +1893,7 @@ + + /* qpol constraint */ + typedef struct qpol_constraint {} qpol_constraint_t; +-%extend qpol_constraint_t { ++%extend qpol_constraint { + qpol_constraint_t() { + BEGIN_EXCEPTION + SWIG_exception(SWIG_RuntimeError, "Cannot directly create qpol_constraint_t objects"); +@@ -1901,7 +1901,7 @@ + fail: + return NULL; + }; +- ~qpol_constraint_t() { ++ ~qpol_constraint() { + free(self); + }; + const qpol_class_t *get_class(qpol_policy_t *p) { +@@ -1945,7 +1945,7 @@ + + /* qpol validatetrans */ + typedef struct qpol_validatetrans {} qpol_validatetrans_t; +-%extend qpol_validatetrans_t { ++%extend qpol_validatetrans { + qpol_validatetrans_t() { + BEGIN_EXCEPTION + SWIG_exception(SWIG_RuntimeError, "Cannot directly create qpol_validatetrans_t objects"); +@@ -1953,7 +1953,7 @@ + fail: + return NULL; + }; +- ~qpol_validatetrans_t() { ++ ~qpol_validatetrans() { + free(self); + }; + const qpol_class_t *get_class(qpol_policy_t *p) { +@@ -2011,14 +2011,14 @@ + #define QPOL_CEXPR_OP_INCOMP 5 + typedef struct qpol_constraint_expr_node {} qpol_constraint_expr_node_t; + %extend qpol_constraint_expr_node_t { +- qpol_constraint_expr_node_t() { ++ qpol_constraint_expr_node() { + BEGIN_EXCEPTION + SWIG_exception(SWIG_RuntimeError, "Cannot directly create qpol_constraint_expr_node_t objects"); + END_EXCEPTION + fail: + return NULL; + }; +- ~qpol_constraint_expr_node_t() { ++ ~qpol_constraint_expr_node() { + /* no op */ + return; + }; +@@ -2073,14 +2073,14 @@ + /* qpol role allow */ + typedef struct qpol_role_allow {} qpol_role_allow_t; + %extend qpol_role_allow_t { +- qpol_role_allow_t() { ++ qpol_role_allow() { + BEGIN_EXCEPTION + SWIG_exception(SWIG_RuntimeError, "Cannot directly create qpol_role_allow_t objects"); + END_EXCEPTION + fail: + return NULL; + }; +- ~qpol_role_allow_t() { ++ ~qpol_role_allow() { + /* no op */ + return; + }; +@@ -2114,14 +2114,14 @@ + /* qpol role trans */ + typedef struct qpol_role_trans {} qpol_role_trans_t; + %extend qpol_role_trans_t { +- qpol_role_trans_t() { ++ qpol_role_trans() { + BEGIN_EXCEPTION + SWIG_exception(SWIG_RuntimeError, "Cannot directly create qpol_role_trans_t objects"); + END_EXCEPTION + fail: + return NULL; + }; +- ~qpol_role_trans_t() { ++ ~qpol_role_trans() { + /* no op */ + return; + }; +@@ -2165,14 +2165,14 @@ + /* qpol range trans */ + typedef struct qpol_range_trans {} qpol_range_trans_t; + %extend qpol_range_trans_t { +- qpol_range_trans_t() { ++ qpol_range_trans() { + BEGIN_EXCEPTION + SWIG_exception(SWIG_RuntimeError, "Cannot directly create qpol_range_trans_t objects"); + END_EXCEPTION + fail: + return NULL; + }; +- ~qpol_range_trans_t() { ++ ~qpol_range_trans() { + /* no op */ + return; + }; +@@ -2228,14 +2228,14 @@ + #define QPOL_RULE_DONTAUDIT 4 + typedef struct qpol_avrule {} qpol_avrule_t; + %extend qpol_avrule_t { +- qpol_avrule_t() { ++ qpol_avrule() { + BEGIN_EXCEPTION + SWIG_exception(SWIG_RuntimeError, "Cannot directly create qpol_avrule_t objects"); + END_EXCEPTION + fail: + return NULL; + }; +- ~qpol_avrule_t() { ++ ~qpol_avrule() { + /* no op */ + return; + }; +@@ -2348,14 +2348,14 @@ + #define QPOL_RULE_TYPE_MEMBER 32 + typedef struct qpol_terule {} qpol_terule_t; + %extend qpol_terule_t { +- qpol_terule_t() { ++ qpol_terule() { + BEGIN_EXCEPTION + SWIG_exception(SWIG_RuntimeError, "Cannot directly create qpol_terule_t objects"); + END_EXCEPTION + fail: + return NULL; + }; +- ~qpol_terule_t() { ++ ~qpol_terule() { + /* no op */ + return; + }; +@@ -2464,14 +2464,14 @@ + /* qpol conditional */ + typedef struct qpol_cond {} qpol_cond_t; + %extend qpol_cond_t { +- qpol_cond_t() { ++ qpol_cond() { + BEGIN_EXCEPTION + SWIG_exception(SWIG_RuntimeError, "Cannot directly create qpol_cond_t objects"); + END_EXCEPTION + fail: + return NULL; + }; +- ~qpol_cond_t() { ++ ~qpol_cond() { + /* no op */ + return; + }; +@@ -2557,14 +2557,14 @@ + #define QPOL_COND_EXPR_NEQ 7 /* bool != bool */ + typedef struct qpol_cond_expr_node {} qpol_cond_expr_node_t; + %extend qpol_cond_expr_node_t { +- qpol_cond_expr_node_t() { ++ qpol_cond_expr_node() { + BEGIN_EXCEPTION + SWIG_exception(SWIG_RuntimeError, "Cannot directly create qpol_cond_expr_node_t objects"); + END_EXCEPTION + fail: + return NULL; + }; +- ~qpol_cond_expr_node_t() { ++ ~qpol_cond_expr_node() { + /* no op */ + return; + }; +@@ -2602,14 +2602,14 @@ + /* qpol type set */ + typedef struct qpol_type_set {} qpol_type_set_t; + %extend qpol_type_set_t { +- qpol_type_set_t() { ++ qpol_type_set() { + BEGIN_EXCEPTION + SWIG_exception(SWIG_RuntimeError, "Cannot directly create qpol_type_set_t objects"); + END_EXCEPTION + fail: + return NULL; + }; +- ~qpol_type_set_t() { ++ ~qpol_type_set() { + /* no op */ + return; + }; +@@ -2665,14 +2665,14 @@ + /* qpol syn av rule */ + typedef struct qpol_syn_avrule {} qpol_syn_avrule_t; + %extend qpol_syn_avrule_t { +- qpol_syn_avrule_t() { ++ qpol_syn_avrule() { + BEGIN_EXCEPTION + SWIG_exception(SWIG_RuntimeError, "Cannot directly create qpol_syn_avrule_t objects"); + END_EXCEPTION + fail: + return NULL; + }; +- ~qpol_syn_avrule_t() { ++ ~qpol_syn_avrule() { + /* no op */ + return; + }; +@@ -2778,14 +2778,14 @@ + /* qpol syn te rule */ + typedef struct qpol_syn_terule {} qpol_syn_terule_t; + %extend qpol_syn_terule_t { +- qpol_syn_terule_t() { ++ qpol_syn_terule() { + BEGIN_EXCEPTION + SWIG_exception(SWIG_RuntimeError, "Cannot directly create qpol_syn_terule_t objects"); + END_EXCEPTION + fail: + return NULL; + }; +- ~qpol_syn_terule_t() { ++ ~qpol_syn_terule() { + /* no op */ + return; + }; diff --git a/SOURCES/0010-selinux_current_policy_path.patch b/SOURCES/0010-selinux_current_policy_path.patch new file mode 100644 index 0000000..e9cc81d --- /dev/null +++ b/SOURCES/0010-selinux_current_policy_path.patch @@ -0,0 +1,84 @@ +diff -up setools-3.3.7/libqpol/src/util.c.current setools-3.3.7/libqpol/src/util.c +--- setools-3.3.7/libqpol/src/util.c.current 2010-04-23 12:22:08.000000000 -0400 ++++ setools-3.3.7/libqpol/src/util.c 2012-02-16 12:01:33.030434514 -0500 +@@ -84,75 +84,12 @@ static int get_binpol_version(const char + + static int search_policy_binary_file(char **path) + { +- const char *binary_path; +- if ((binary_path = selinux_binary_policy_path()) == NULL) { +- return -1; ++ const char *binary_path = selinux_current_policy_path(); ++ if (binary_path) { ++ *path = strdup(binary_path); ++ if (*path) return 0; + } +- +- int expected_version = -1, latest_version = -1; +-#ifdef LIBSELINUX +- /* if the system has SELinux enabled, prefer the policy whose +- name matches the current policy version */ +- if ((expected_version = security_policyvers()) < 0) { +- return -1; +- } +-#endif +- +- glob_t glob_buf; +- struct stat fs; +- int rt, error = 0, retval = -1; +- size_t i; +- char *pattern = NULL; +- if (asprintf(&pattern, "%s.*", binary_path) < 0) { +- return -1; +- } +- glob_buf.gl_offs = 1; +- glob_buf.gl_pathc = 0; +- rt = glob(pattern, GLOB_DOOFFS, NULL, &glob_buf); +- if (rt != 0 && rt != GLOB_NOMATCH) { +- errno = EIO; +- return -1; +- } +- +- for (i = 0; i < glob_buf.gl_pathc; i++) { +- char *p = glob_buf.gl_pathv[i + glob_buf.gl_offs]; +- if (stat(p, &fs) != 0) { +- error = errno; +- goto cleanup; +- } +- if (S_ISDIR(fs.st_mode)) +- continue; +- +- if ((rt = get_binpol_version(p)) < 0) { +- error = errno; +- goto cleanup; +- } +- +- if (rt > latest_version || rt == expected_version) { +- free(*path); +- if ((*path = strdup(p)) == NULL) { +- error = errno; +- goto cleanup; +- } +- if (rt == expected_version) { +- break; +- } +- latest_version = rt; +- } +- } +- +- if (*path == NULL) { +- retval = 1; +- } else { +- retval = 0; +- } +- cleanup: +- free(pattern); +- globfree(&glob_buf); +- if (retval == -1) { +- errno = error; +- } +- return retval; ++ return -1; + } + + int qpol_default_policy_find(char **path) diff --git a/SOURCES/0011-setools-noship.patch b/SOURCES/0011-setools-noship.patch new file mode 100644 index 0000000..b678d30 --- /dev/null +++ b/SOURCES/0011-setools-noship.patch @@ -0,0 +1,255 @@ +diff -up setools-3.3.7/Makefile.am.noship setools-3.3.7/Makefile.am +--- setools-3.3.7/Makefile.am.noship 2008-02-22 14:06:28.000000000 -0500 ++++ setools-3.3.7/Makefile.am 2013-01-30 09:18:59.775157146 -0500 +@@ -8,9 +8,8 @@ endif + if BUILD_GUI + MAYBE_GUI = seaudit + endif +-# sediffx is also built conditionally, from sediffx/Makefile.am + +-SUBDIRS = libqpol libapol libsefs libpoldiff libseaudit secmds sechecker sediff man packages debian $(MAYBE_APOL) $(MAYBE_GUI) ++SUBDIRS = libqpol libapol libsefs libpoldiff libseaudit secmds sediff man packages debian $(MAYBE_APOL) $(MAYBE_GUI) + + #old indent opts + #INDENT_OPTS = -npro -nbad -bap -sob -ss -l132 -di1 -nbc -br -nbbb -c40 -cd40 -ncdb -ce -cli0 -cp40 -ncs -d0 -nfc1 -nfca -i8 -ts8 -ci8 -lp -ip0 -npcs -npsl -sc +@@ -49,12 +48,6 @@ seaudit: libqpol libapol libseaudit + sediff: libqpol libapol libpoldiff + $(MAKE) -C $(top_srcdir)/sediff sediff + +-sediffx: libqpol libapol libpoldiff +- $(MAKE) -C $(top_srcdir)/sediff sediffx +- +-sechecker: libqpol libapol libsefs +- $(MAKE) -C $(top_srcdir)/sechecker +- + help: + @echo "Make targets for SETools:" + @echo " all: build everything, but do not install" +@@ -65,8 +58,6 @@ help: + @echo " secmds: build command line tools" + @echo " seaudit: build audit log analysis tools" + @echo " sediff: build semantic policy diff command line tool" +- @echo " sediffx: build semantic policy diff graphical tool" +- @echo " sechecker: build policy checking tool" + @echo "" + @echo " install-logwatch: install LogWatch config files for seaudit-report" + @echo " (requires LogWatch and root privileges)" +@@ -78,9 +69,9 @@ install-logwatch: + $(MAKE) -C $(top_srcdir)/seaudit install-logwatch + + .PHONY: libqpol libapol libpoldiff libsefs libseaudit \ +- apol secmds seaudit sediff sediffx sechecker \ ++ apol secmds seaudit sediff \ + install-logwatch help \ +- seinfo sesearch indexcon findcon replcon searchcon \ ++ seinfo sesearch \ + packages + + seinfo: libqpol libapol +@@ -89,18 +80,6 @@ seinfo: libqpol libapol + sesearch: libqpol libapol + $(MAKE) -C $(top_srcdir)/secmds sesearch + +-indexcon: libqpol libapol libsefs +- $(MAKE) -C $(top_srcdir)/secmds indexcon +- +-findcon: libqpol libapol libsefs +- $(MAKE) -C $(top_srcdir)/secmds findcon +- +-replcon: libqpol libapol libsefs +- $(MAKE) -C $(top_srcdir)/secmds replcon +- +-searchcon: libqpol libapol libsefs +- $(MAKE) -C $(top_srcdir)/secmds searchcon +- + packages: + $(MAKE) -C $(top_srcdir)/packages + +diff -up setools-3.3.7/man/Makefile.am.noship setools-3.3.7/man/Makefile.am +--- setools-3.3.7/man/Makefile.am.noship 2007-08-02 17:16:33.000000000 -0400 ++++ setools-3.3.7/man/Makefile.am 2013-01-30 09:16:13.696871566 -0500 +@@ -1,19 +1,10 @@ + if BUILD_GUI + MAYBEMANS = apol.1 \ +- seaudit.8 seaudit-report.8 \ +- sediffx.1 ++ seaudit.8 + endif + + EXTRA_DIST=$(man_MANS) apol.1 \ +- seaudit.8 seaudit-report.8.in \ +- sediffx.1 ++ seaudit.8 + +-man_MANS = findcon.1 indexcon.1 replcon.1 \ +- sechecker.1 \ +- sediff.1 \ ++man_MANS = sediff.1 \ + seinfo.1 sesearch.1 $(MAYBEMANS) +- +-seaudit-report.8: seaudit-report.8.in Makefile +- sed -e 's|\@setoolsdir\@|$(setoolsdir)|g' $< > $@ +- +-CLEANFILES = seaudit-report.8 +diff -up setools-3.3.7/seaudit/Makefile.am.noship setools-3.3.7/seaudit/Makefile.am +--- setools-3.3.7/seaudit/Makefile.am.noship 2008-02-22 14:06:28.000000000 -0500 ++++ setools-3.3.7/seaudit/Makefile.am 2013-01-30 09:16:13.697871568 -0500 +@@ -1,5 +1,4 @@ + setoolsdir = @setoolsdir@ +-bin_PROGRAMS = seaudit-report + sbin_PROGRAMS = seaudit + + AM_CFLAGS = @DEBUGCFLAGS@ @WARNCFLAGS@ @PROFILECFLAGS@ @SELINUX_CFLAGS@ \ +@@ -20,13 +19,10 @@ LDADD = @SELINUX_LIB_FLAG@ @SEAUDIT_LIB_ + dist_setools_DATA = \ + seaudit.glade \ + seaudit_help.txt \ +- seaudit-report.conf \ +- seaudit-report.css \ + seaudit.png seaudit-small.png + + nodist_setools_DATA = \ +- dot_seaudit \ +- seaudit-report-service ++ dot_seaudit + + seaudit_SOURCES = \ + filter_view.c filter_view.h \ +@@ -50,31 +46,12 @@ seaudit_DEPENDENCIES = $(top_builddir)/l + dot_seaudit: dot_seaudit.in Makefile + sed -e 's|\@setoolsdir\@|$(setoolsdir)|g' $< > $@ + +-seaudit_report_SOURCES = seaudit-report.c +-seaudit_report_DEPENDENCIES = $(top_builddir)/libseaudit/src/libseaudit.so \ +- $(top_builddir)/libapol/src/libapol.so \ +- $(top_builddir)/libqpol/src/libqpol.so +- + logwatch = $(DESTDIR)/etc/logwatch + LOGWATCH_GROUP = $(logwatch)/conf/logfiles + LOGWATCH_SERVICE = $(logwatch)/conf/services + LOGWATCH_FILTER = $(logwatch)/scripts/services + +-dist_noinst_DATA = dot_seaudit.in \ +- seaudit-report-group.conf \ +- seaudit-report-service.conf \ +- seaudit-report-service.in +- +-seaudit-report-service: seaudit-report-service.in Makefile +- sed -e 's|\@bindir\@|$(bindir)|g' $< > $@ +- +-install-logwatch: $(dist_noinst_DATA) seaudit-report-service +- mkdir -p -- $(LOGWATCH_GROUP) +- install -m 644 seaudit-report-group.conf $(LOGWATCH_GROUP) +- mkdir -p -- $(LOGWATCH_SERVICE) +- install -m 644 seaudit-report-service.conf $(LOGWATCH_SERVICE) +- mkdir -p -- $(LOGWATCH_FILTER) +- install -m 755 seaudit-report-service $(LOGWATCH_FILTER) ++dist_noinst_DATA = dot_seaudit.in + + $(top_builddir)/libapol/src/libapol.so: + $(MAKE) -C $(top_builddir)/libapol/src $(notdir $@) +@@ -85,6 +62,4 @@ $(top_builddir)/libqpol/src/libqpol.so: + $(top_builddir)/libsefs/src/libsefs.so: + $(MAKE) -C $(top_builddir)/libsefs/src $(notdir $@) + +-.PHONY: install-logwatch +- +-CLEANFILES = dot_seaudit seaudit-report-service ++CLEANFILES = dot_seaudit +diff -up setools-3.3.7/secmds/Makefile.am.noship setools-3.3.7/secmds/Makefile.am +--- setools-3.3.7/secmds/Makefile.am.noship 2007-08-02 17:16:33.000000000 -0400 ++++ setools-3.3.7/secmds/Makefile.am 2013-01-30 09:16:13.698871569 -0500 +@@ -1,6 +1,6 @@ + # various setools command line tools + +-bin_PROGRAMS = seinfo sesearch findcon replcon indexcon ++bin_PROGRAMS = seinfo sesearch + + # These are for indexcon so that it is usable on machines without setools + STATICLIBS = ../libsefs/src/libsefs.a ../libapol/src/libapol.a ../libqpol/src/libqpol.a -lsqlite3 +@@ -18,18 +18,6 @@ seinfo_SOURCES = seinfo.c + + sesearch_SOURCES = sesearch.c + +-indexcon_SOURCES = indexcon.cc +-indexcon_LDADD = @SELINUX_LIB_FLAG@ $(STATICLIBS) +-indexcon_DEPENDENCIES = $(DEPENDENCIES) $(top_builddir)/libsefs/src/libsefs.so +- +-findcon_SOURCES = findcon.cc +-findcon_LDADD = @SEFS_LIB_FLAG@ $(LDADD) +-findcon_DEPENDENCIES = $(DEPENDENCIES) $(top_builddir)/libsefs/src/libsefs.so +- +-replcon_SOURCES = replcon.cc +-replcon_LDADD = @SEFS_LIB_FLAG@ $(LDADD) +-replcon_DEPENDENCIES = $(DEPENDENCIES) $(top_builddir)/libsefs/src/libsefs.so +- + $(top_builddir)/libapol/src/libapol.so: + $(MAKE) -C $(top_builddir)/libapol/src $(notdir $@) + +diff -up setools-3.3.7/sediff/Makefile.am.noship setools-3.3.7/sediff/Makefile.am +--- setools-3.3.7/sediff/Makefile.am.noship 2007-04-25 15:20:20.000000000 -0400 ++++ setools-3.3.7/sediff/Makefile.am 2013-01-30 09:16:13.698871569 -0500 +@@ -1,13 +1,6 @@ + setoolsdir = @setoolsdir@ + +-dist_setools_DATA = sediff_help.txt sediffx.glade \ +- sediffx.png sediffx-small.png +- +-if BUILD_GUI +- MAYBE_SEDIFFX = sediffx +-endif +- +-bin_PROGRAMS = sediff $(MAYBE_SEDIFFX) ++bin_PROGRAMS = sediff + + AM_CFLAGS = @DEBUGCFLAGS@ @WARNCFLAGS@ @PROFILECFLAGS@ @SELINUX_CFLAGS@ \ + @QPOL_CFLAGS@ @APOL_CFLAGS@ @POLDIFF_CFLAGS@ +@@ -15,14 +8,7 @@ AM_LDFLAGS = @DEBUGLDFLAGS@ @WARNLDFLAGS + + LDADD = @SELINUX_LIB_FLAG@ @POLDIFF_LIB_FLAG@ @APOL_LIB_FLAG@ @QPOL_LIB_FLAG@ + +-sediff_CFLAGS = $(AM_CFLAGS) +-sediffx_CFLAGS = $(AM_CFLAGS) \ +- @GTK_CFLAGS@ @PIXBUF_CFLAGS@ @GLADE_CFLAGS@ @GTHREAD_CFLAGS@ +- +-# need the -rdynamic flag below - glade uses dlopen() upon sediffx callbacks +-sediffx_LDFLAGS = $(AM_LDFLAGS) \ +- @GTK_LIBS@ @PIXBUF_LIBS@ @GLADE_LIBS@ @GTHREAD_LIBS@ @XML_LIBS@ \ +- -rdynamic ++sediff_CFLAGS = $(AM_CFLAGS) + + DEPENDENCIES = $(top_builddir)/libpoldiff/src/libpoldiff.so \ + $(top_builddir)/libapol/src/libapol.so \ +@@ -30,20 +16,6 @@ DEPENDENCIES = $(top_builddir)/libpoldif + + sediff_SOURCES = sediff.c + +-sediffx_SOURCES = \ +- find_dialog.c find_dialog.h \ +- open_policies_dialog.c open_policies_dialog.h \ +- policy_view.c policy_view.h \ +- progress.c progress.h \ +- remap_types_dialog.c remap_types_dialog.h \ +- result_item.c result_item.h \ +- result_item_render.c result_item_render.h \ +- results.c results.h \ +- select_diff_dialog.c select_diff_dialog.h \ +- toplevel.c toplevel.h \ +- utilgui.c utilgui.h \ +- sediffx.c sediffx.h +- + $(top_builddir)/libpoldiff/src/libpoldiff.so: + $(MAKE) -C $(top_builddir)/libpoldiff/src $(notdir $@) + +diff -up setools-3.3.7/configure.ac~ setools-3.3.7/configure.ac +--- setools-3.3.7/configure.ac~ 2013-01-30 09:52:05.689136955 -0500 ++++ setools-3.3.7/configure.ac 2013-01-30 09:56:26.853722063 -0500 +@@ -63,7 +63,7 @@ if test ${ac_cv_prog_cc_c99} = "no"; the + fi + AC_PROG_CXX + AC_LANG([C]) +-AC_PROG_LIBTOOL ++AC_PROG_RANLIB + AC_PROG_LN_S + AC_PROG_LEX + AC_PROG_YACC diff --git a/SOURCES/0012-seaudit.patch b/SOURCES/0012-seaudit.patch new file mode 100644 index 0000000..78da66e --- /dev/null +++ b/SOURCES/0012-seaudit.patch @@ -0,0 +1,28 @@ +diff -up setools-3.3.7/libqpol/swig/java/Makefile.am.seaudit setools-3.3.7/libqpol/swig/java/Makefile.am +--- setools-3.3.7/libqpol/swig/java/Makefile.am.seaudit 2010-05-03 12:37:54.000000000 -0400 ++++ setools-3.3.7/libqpol/swig/java/Makefile.am 2012-09-28 10:15:56.408912525 -0400 +@@ -48,7 +48,6 @@ BUILT_SOURCES = qpol_wrap.c \ + qpol_type_t.java \ + qpol_user_t.java \ + qpol_validatetrans_t.java \ +- SWIGTYPE_p_int.java \ + SWIGTYPE_p_unsigned_int.java \ + SWIGTYPE_p_void.java + +diff -up setools-3.3.7/seaudit/progress.c.seaudit setools-3.3.7/seaudit/progress.c +--- setools-3.3.7/seaudit/progress.c.seaudit 2007-08-02 17:16:33.000000000 -0400 ++++ setools-3.3.7/seaudit/progress.c 2012-09-28 10:15:56.407912521 -0400 +@@ -99,10 +99,11 @@ void progress_hide(progress_t * progress + + int progress_wait(progress_t * progress) + { +- GTimeVal wait_time = { 0, 50000 }; ++ gint64 end_time; + g_mutex_lock(progress->mutex); + while (!progress->done) { +- g_cond_timed_wait(progress->cond, progress->mutex, &wait_time); ++ end_time = g_get_monotonic_time () + 50000; // need to be set before each wait ++ g_cond_wait_until(progress->cond, progress->mutex,end_time); + if (progress->s != NULL) { + gtk_label_set_text(GTK_LABEL(progress->label2), progress->s); + free(progress->s); diff --git a/SOURCES/0013-swig.patch b/SOURCES/0013-swig.patch new file mode 100644 index 0000000..56bbd40 --- /dev/null +++ b/SOURCES/0013-swig.patch @@ -0,0 +1,956 @@ +@@ -, +, @@ +--- + libapol/swig/apol.i | 218 ++++++++++++++++++++++++++-------------------------- + 1 file changed, 109 insertions(+), 109 deletions(-) +--- a/libapol/swig/apol.i ++++ a/libapol/swig/apol.i +@@ -256,7 +256,7 @@ uint8_t apol_str_to_protocol(const char *protocol_str); + } + %} + %extend apol_ip_t { +- apol_ip_t(const char *str) { ++ apol_ip(const char *str) { + apol_ip_t *ip = NULL; + BEGIN_EXCEPTION + ip = calloc(1, sizeof(*ip)); +@@ -274,7 +274,7 @@ uint8_t apol_str_to_protocol(const char *protocol_str); + fail: + return ip; + }; +- ~apol_ip_t() { ++ ~apol_ip() { + free(self); + }; + int get_protocol() { +@@ -303,16 +303,16 @@ char *apol_file_find_path(const char *file_name); + %} + typedef struct apol_vector {} apol_vector_t; + %extend apol_vector_t { +- apol_vector_t() { ++ apol_vector() { + return apol_vector_create(NULL); + }; +- apol_vector_t(qpol_iterator_t *iter) { ++ apol_vector(qpol_iterator_t *iter) { + return apol_vector_create_from_iter(iter, NULL); + }; +- apol_vector_t(apol_vector_t *v) { ++ apol_vector(apol_vector_t *v) { + return apol_vector_create_from_vector(v, NULL, NULL, NULL); + }; +- apol_vector_t(apol_vector_t *a, apol_vector_t *b) { ++ apol_vector(apol_vector_t *a, apol_vector_t *b) { + return apol_vector_create_from_intersection(a, b, NULL, NULL); + }; + size_t get_size() { +@@ -324,7 +324,7 @@ typedef struct apol_vector {} apol_vector_t; + void *get_element(size_t i) { + return apol_vector_get_element(self, i); + }; +- ~apol_vector_t() { ++ ~apol_vector() { + apol_vector_destroy(&self); + }; + void append(void *x) { +@@ -379,13 +379,13 @@ typedef struct apol_vector {} apol_vector_t; + %} + typedef struct apol_string_vector {} apol_string_vector_t; + %extend apol_string_vector_t { +- apol_string_vector_t() { ++ apol_string_vector() { + return (apol_string_vector_t*)apol_vector_create(free); + }; +- apol_string_vector_t(apol_string_vector_t *v) { ++ apol_string_vector(apol_string_vector_t *v) { + return (apol_string_vector_t*)apol_vector_create_from_vector((apol_vector_t*)v, apol_str_strdup, NULL, free); + }; +- apol_string_vector_t(apol_string_vector_t *a, apol_string_vector_t *b) { ++ apol_string_vector(apol_string_vector_t *a, apol_string_vector_t *b) { + return (apol_string_vector_t*)apol_vector_create_from_intersection((apol_vector_t*)a, (apol_vector_t*)b, apol_str_strcmp, NULL); + }; + size_t get_size() { +@@ -397,7 +397,7 @@ typedef struct apol_string_vector {} apol_string_vector_t; + char *get_element(size_t i) { + return (char*)apol_vector_get_element((apol_vector_t*)self, i); + }; +- ~apol_string_vector_t() { ++ ~apol_string_vector() { + apol_vector_destroy((apol_vector_t**)&self); + }; + size_t get_index(char *str) { +@@ -462,7 +462,7 @@ typedef struct apol_string_vector {} apol_string_vector_t; + } apol_policy_path_type_e; + typedef struct apol_policy_path {} apol_policy_path_t; + %extend apol_policy_path_t { +- apol_policy_path_t(apol_policy_path_type_e type, char * primary, apol_string_vector_t *modules = NULL) { ++ apol_policy_path(apol_policy_path_type_e type, char * primary, apol_string_vector_t *modules = NULL) { + apol_policy_path_t *p; + BEGIN_EXCEPTION + if ((p = apol_policy_path_create(type, primary, (apol_vector_t*)modules)) == NULL) { +@@ -472,7 +472,7 @@ typedef struct apol_policy_path {} apol_policy_path_t; + fail: + return p; + }; +- apol_policy_path_t(char *path) { ++ apol_policy_path(char *path) { + apol_policy_path_t *p; + BEGIN_EXCEPTION + if ((p = apol_policy_path_create_from_file(path)) == NULL) { +@@ -482,7 +482,7 @@ typedef struct apol_policy_path {} apol_policy_path_t; + fail: + return p; + }; +- apol_policy_path_t(char *str, int unused) { ++ apol_policy_path(char *str, int unused) { + apol_policy_path_t *p; + BEGIN_EXCEPTION + if ((p = apol_policy_path_create_from_string(str)) == NULL) { +@@ -492,7 +492,7 @@ typedef struct apol_policy_path {} apol_policy_path_t; + fail: + return p; + }; +- apol_policy_path_t(apol_policy_path_t *in) { ++ apol_policy_path(apol_policy_path_t *in) { + apol_policy_path_t *p; + BEGIN_EXCEPTION + if ((p = apol_policy_path_create_from_policy_path(in)) == NULL) { +@@ -502,7 +502,7 @@ typedef struct apol_policy_path {} apol_policy_path_t; + fail: + return p; + }; +- ~apol_policy_path_t() { ++ ~apol_policy_path() { + apol_policy_path_destroy(&self); + }; + apol_policy_path_type_e get_type() { +@@ -549,7 +549,7 @@ typedef struct apol_policy {} apol_policy_t; + #define APOL_PERMMAP_BOTH (APOL_PERMMAP_READ | APOL_PERMMAP_WRITE) + #define APOL_PERMMAP_NONE 0x10 + %extend apol_policy_t { +- apol_policy_t(apol_policy_path_t *path, int options = 0) { ++ apol_policy(apol_policy_path_t *path, int options = 0) { + apol_policy_t *p; + BEGIN_EXCEPTION + p = apol_policy_create_from_policy_path(path, options, apol_swig_message_callback, apol_swig_message_callback_arg); +@@ -564,7 +564,7 @@ typedef struct apol_policy {} apol_policy_t; + fail: + return p; + }; +- ~apol_policy_t() { ++ ~apol_policy() { + apol_policy_destroy(&self); + }; + int get_policy_type() { +@@ -652,7 +652,7 @@ typedef struct apol_policy {} apol_policy_t; + /* apol type query */ + typedef struct apol_type_query {} apol_type_query_t; + %extend apol_type_query_t { +- apol_type_query_t() { ++ apol_type_query() { + apol_type_query_t *tq; + BEGIN_EXCEPTION + tq = apol_type_query_create(); +@@ -663,7 +663,7 @@ typedef struct apol_type_query {} apol_type_query_t; + fail: + return tq; + }; +- ~apol_type_query_t() { ++ ~apol_type_query() { + apol_type_query_destroy(&self); + }; + %newobject run(apol_policy_t *); +@@ -694,7 +694,7 @@ typedef struct apol_type_query {} apol_type_query_t; + /* apol attribute query */ + typedef struct apol_attr_query {} apol_attr_query_t; + %extend apol_attr_query_t { +- apol_attr_query_t() { ++ apol_attr_query() { + apol_attr_query_t *aq; + BEGIN_EXCEPTION + aq = apol_attr_query_create(); +@@ -705,7 +705,7 @@ typedef struct apol_attr_query {} apol_attr_query_t; + fail: + return aq; + }; +- ~apol_attr_query_t() { ++ ~apol_attr_query() { + apol_attr_query_destroy(&self); + }; + %newobject run(apol_policy_t *); +@@ -736,7 +736,7 @@ typedef struct apol_attr_query {} apol_attr_query_t; + /* apol role query */ + typedef struct apol_role_query {} apol_role_query_t; + %extend apol_role_query_t { +- apol_role_query_t() { ++ apol_role_query() { + apol_role_query_t *rq; + BEGIN_EXCEPTION + rq = apol_role_query_create(); +@@ -747,7 +747,7 @@ typedef struct apol_role_query {} apol_role_query_t; + fail: + return rq; + }; +- ~apol_role_query_t() { ++ ~apol_role_query() { + apol_role_query_destroy(&self); + }; + %newobject run(apol_policy_t *); +@@ -788,7 +788,7 @@ int apol_role_has_type(apol_policy_t * p, qpol_role_t * r, qpol_type_t * t); + /* apol class query */ + typedef struct apol_class_query {} apol_class_query_t; + %extend apol_class_query_t { +- apol_class_query_t() { ++ apol_class_query() { + apol_class_query_t *cq; + BEGIN_EXCEPTION + cq = apol_class_query_create(); +@@ -799,7 +799,7 @@ typedef struct apol_class_query {} apol_class_query_t; + fail: + return cq; + }; +- ~apol_class_query_t() { ++ ~apol_class_query() { + apol_class_query_destroy(&self); + }; + %newobject run(apol_policy_t*); +@@ -839,7 +839,7 @@ typedef struct apol_class_query {} apol_class_query_t; + /* apol common query */ + typedef struct apol_common_query {} apol_common_query_t; + %extend apol_common_query_t { +- apol_common_query_t() { ++ apol_common_query() { + apol_common_query_t *cq; + BEGIN_EXCEPTION + cq = apol_common_query_create(); +@@ -850,7 +850,7 @@ typedef struct apol_common_query {} apol_common_query_t; + fail: + return cq; + }; +- ~apol_common_query_t() { ++ ~apol_common_query() { + apol_common_query_destroy(&self); + }; + %newobject run(apol_policy_t*); +@@ -881,7 +881,7 @@ typedef struct apol_common_query {} apol_common_query_t; + /* apol perm query */ + typedef struct apol_perm_query {} apol_perm_query_t; + %extend apol_perm_query_t { +- apol_perm_query_t() { ++ apol_perm_query() { + apol_perm_query_t *pq; + BEGIN_EXCEPTION + pq = apol_perm_query_create(); +@@ -892,7 +892,7 @@ typedef struct apol_perm_query {} apol_perm_query_t; + fail: + return pq; + }; +- ~apol_perm_query_t() { ++ ~apol_perm_query() { + apol_perm_query_destroy(&self); + }; + %newobject run(apol_policy_t*); +@@ -923,7 +923,7 @@ typedef struct apol_perm_query {} apol_perm_query_t; + /* apol bool query */ + typedef struct apol_bool_query {} apol_bool_query_t; + %extend apol_bool_query_t { +- apol_bool_query_t() { ++ apol_bool_query() { + apol_bool_query_t *bq; + BEGIN_EXCEPTION + bq = apol_bool_query_create(); +@@ -934,7 +934,7 @@ typedef struct apol_bool_query {} apol_bool_query_t; + fail: + return bq; + }; +- ~apol_bool_query_t() { ++ ~apol_bool_query() { + apol_bool_query_destroy(&self); + }; + %newobject run(apol_policy_t*); +@@ -965,7 +965,7 @@ typedef struct apol_bool_query {} apol_bool_query_t; + /* apol mls level */ + typedef struct apol_mls_level {} apol_mls_level_t; + %extend apol_mls_level_t { +- apol_mls_level_t() { ++ apol_mls_level() { + apol_mls_level_t *aml; + BEGIN_EXCEPTION + aml = apol_mls_level_create(); +@@ -976,7 +976,7 @@ typedef struct apol_mls_level {} apol_mls_level_t; + fail: + return aml; + }; +- apol_mls_level_t(apol_mls_level_t *in) { ++ apol_mls_level(apol_mls_level_t *in) { + apol_mls_level_t *aml; + BEGIN_EXCEPTION + aml = apol_mls_level_create_from_mls_level(in); +@@ -987,7 +987,7 @@ typedef struct apol_mls_level {} apol_mls_level_t; + fail: + return aml; + }; +- apol_mls_level_t(apol_policy_t *p, const char *str) { ++ apol_mls_level(apol_policy_t *p, const char *str) { + apol_mls_level_t *aml; + BEGIN_EXCEPTION + aml = apol_mls_level_create_from_string(p, str); +@@ -998,7 +998,7 @@ typedef struct apol_mls_level {} apol_mls_level_t; + fail: + return aml; + }; +- apol_mls_level_t(const char *str) { ++ apol_mls_level(const char *str) { + apol_mls_level_t *aml; + BEGIN_EXCEPTION + aml = apol_mls_level_create_from_literal(str); +@@ -1009,7 +1009,7 @@ typedef struct apol_mls_level {} apol_mls_level_t; + fail: + return aml; + }; +- apol_mls_level_t(apol_policy_t *p, qpol_mls_level_t *qml) { ++ apol_mls_level(apol_policy_t *p, qpol_mls_level_t *qml) { + apol_mls_level_t *aml; + BEGIN_EXCEPTION + aml = apol_mls_level_create_from_qpol_mls_level(p, qml); +@@ -1020,7 +1020,7 @@ typedef struct apol_mls_level {} apol_mls_level_t; + fail: + return aml; + }; +- apol_mls_level_t(apol_policy_t *p, qpol_level_t *ql) { ++ apol_mls_level(apol_policy_t *p, qpol_level_t *ql) { + apol_mls_level_t *aml; + BEGIN_EXCEPTION + aml = apol_mls_level_create_from_qpol_level_datum(p, ql); +@@ -1031,7 +1031,7 @@ typedef struct apol_mls_level {} apol_mls_level_t; + fail: + return aml; + }; +- ~apol_mls_level_t() { ++ ~apol_mls_level() { + apol_mls_level_destroy(&self); + }; + void set_sens(apol_policy_t *p, char *sens) { +@@ -1128,7 +1128,7 @@ int apol_mls_cats_compare(apol_policy_t * p, const char *cat1, const char *cat2) + #endif + typedef struct apol_mls_range {} apol_mls_range_t; + %extend apol_mls_range_t { +- apol_mls_range_t() { ++ apol_mls_range() { + apol_mls_range_t *amr; + BEGIN_EXCEPTION + amr = apol_mls_range_create(); +@@ -1139,7 +1139,7 @@ typedef struct apol_mls_range {} apol_mls_range_t; + fail: + return amr; + }; +- apol_mls_range_t(apol_mls_range_t *in) { ++ apol_mls_range(apol_mls_range_t *in) { + apol_mls_range_t *amr; + BEGIN_EXCEPTION + amr = apol_mls_range_create_from_mls_range(in); +@@ -1150,7 +1150,7 @@ typedef struct apol_mls_range {} apol_mls_range_t; + fail: + return amr; + }; +- apol_mls_range_t(apol_policy_t *p, const char *s) { ++ apol_mls_range(apol_policy_t *p, const char *s) { + apol_mls_range_t *amr; + BEGIN_EXCEPTION + amr = apol_mls_range_create_from_string(p, s); +@@ -1161,7 +1161,7 @@ typedef struct apol_mls_range {} apol_mls_range_t; + fail: + return amr; + }; +- apol_mls_range_t(const char *s) { ++ apol_mls_range(const char *s) { + apol_mls_range_t *amr; + BEGIN_EXCEPTION + amr = apol_mls_range_create_from_literal(s); +@@ -1172,7 +1172,7 @@ typedef struct apol_mls_range {} apol_mls_range_t; + fail: + return amr; + }; +- apol_mls_range_t(apol_policy_t *p, qpol_mls_range_t *in) { ++ apol_mls_range(apol_policy_t *p, qpol_mls_range_t *in) { + apol_mls_range_t *amr; + BEGIN_EXCEPTION + amr = apol_mls_range_create_from_qpol_mls_range(p, in); +@@ -1183,7 +1183,7 @@ typedef struct apol_mls_range {} apol_mls_range_t; + fail: + return amr; + }; +- ~apol_mls_range_t() { ++ ~apol_mls_range() { + apol_mls_range_destroy(&self); + }; + void set_low(apol_policy_t *p, apol_mls_level_t *lvl) { +@@ -1278,7 +1278,7 @@ int apol_mls_range_contain_subrange(apol_policy_t * p, const apol_mls_range_t * + /* apol level query */ + typedef struct apol_level_query {} apol_level_query_t; + %extend apol_level_query_t { +- apol_level_query_t() { ++ apol_level_query() { + apol_level_query_t * alq; + BEGIN_EXCEPTION + alq = apol_level_query_create(); +@@ -1289,7 +1289,7 @@ typedef struct apol_level_query {} apol_level_query_t; + fail: + return alq; + }; +- ~apol_level_query_t() { ++ ~apol_level_query() { + apol_level_query_destroy(&self); + }; + %newobject run(apol_policy_t*); +@@ -1329,7 +1329,7 @@ typedef struct apol_level_query {} apol_level_query_t; + /* apol cat query */ + typedef struct apol_cat_query {} apol_cat_query_t; + %extend apol_cat_query_t { +- apol_cat_query_t() { ++ apol_cat_query() { + apol_cat_query_t * acq; + BEGIN_EXCEPTION + acq = apol_cat_query_create(); +@@ -1340,7 +1340,7 @@ typedef struct apol_cat_query {} apol_cat_query_t; + fail: + return acq; + }; +- ~apol_cat_query_t() { ++ ~apol_cat_query() { + apol_cat_query_destroy(&self); + }; + %newobject run(apol_policy_t *); +@@ -1379,7 +1379,7 @@ typedef struct apol_cat_query {} apol_cat_query_t; + #endif + typedef struct apol_user_query {} apol_user_query_t; + %extend apol_user_query_t { +- apol_user_query_t() { ++ apol_user_query() { + apol_user_query_t *auq; + BEGIN_EXCEPTION + auq = apol_user_query_create(); +@@ -1390,7 +1390,7 @@ typedef struct apol_user_query {} apol_user_query_t; + fail: + return auq; + }; +- ~apol_user_query_t() { ++ ~apol_user_query() { + apol_user_query_destroy(&self); + }; + %newobject run(apol_policy_t*); +@@ -1448,7 +1448,7 @@ typedef struct apol_user_query {} apol_user_query_t; + /* apol context */ + typedef struct apol_context {} apol_context_t; + %extend apol_context_t { +- apol_context_t() { ++ apol_context() { + apol_context_t *ctx; + BEGIN_EXCEPTION + ctx = apol_context_create(); +@@ -1459,7 +1459,7 @@ typedef struct apol_context {} apol_context_t; + fail: + return ctx; + }; +- apol_context_t(apol_policy_t *p, qpol_context_t *in) { ++ apol_context(apol_policy_t *p, qpol_context_t *in) { + apol_context_t *ctx; + BEGIN_EXCEPTION + ctx = apol_context_create_from_qpol_context(p, in); +@@ -1470,7 +1470,7 @@ typedef struct apol_context {} apol_context_t; + fail: + return ctx; + }; +- apol_context_t(const char *str) { ++ apol_context(const char *str) { + apol_context_t *ctx; + BEGIN_EXCEPTION + ctx = apol_context_create_from_literal(str); +@@ -1481,7 +1481,7 @@ typedef struct apol_context {} apol_context_t; + fail: + return ctx; + }; +- ~apol_context_t() { ++ ~apol_context() { + apol_context_destroy(&self); + }; + void set_user(apol_policy_t *p, char *name) { +@@ -1583,7 +1583,7 @@ int apol_context_compare(apol_policy_t * p, apol_context_t * target, apol_contex + /* apol constraint query */ + typedef struct apol_constraint_query {} apol_constraint_query_t; + %extend apol_constraint_query_t { +- apol_constraint_query_t() { ++ apol_constraint_query() { + apol_constraint_query_t *acq; + BEGIN_EXCEPTION + acq = apol_constraint_query_create(); +@@ -1594,7 +1594,7 @@ typedef struct apol_constraint_query {} apol_constraint_query_t; + fail: + return acq; + }; +- ~apol_constraint_query_t() { ++ ~apol_constraint_query() { + apol_constraint_query_destroy(&self); + }; + %newobject run(apol_policy_t*); +@@ -1634,7 +1634,7 @@ typedef struct apol_constraint_query {} apol_constraint_query_t; + /* apol validatetrans query */ + typedef struct apol_validatetrans_query {} apol_validatetrans_query_t; + %extend apol_validatetrans_query_t { +- apol_validatetrans_query_t() { ++ apol_validatetrans_query() { + apol_validatetrans_query_t *avq; + BEGIN_EXCEPTION + avq = apol_validatetrans_query_create(); +@@ -1645,7 +1645,7 @@ typedef struct apol_validatetrans_query {} apol_validatetrans_query_t; + fail: + return avq; + }; +- ~apol_validatetrans_query_t() { ++ ~apol_validatetrans_query() { + apol_validatetrans_query_destroy(&self); + }; + %newobject run(apol_policy_t*); +@@ -1684,7 +1684,7 @@ typedef struct apol_validatetrans_query {} apol_validatetrans_query_t; + #endif + typedef struct apol_genfscon_query {} apol_genfscon_query_t; + %extend apol_genfscon_query_t { +- apol_genfscon_query_t() { ++ apol_genfscon_query() { + apol_genfscon_query_t *agq; + BEGIN_EXCEPTION + agq = apol_genfscon_query_create(); +@@ -1695,7 +1695,7 @@ typedef struct apol_genfscon_query {} apol_genfscon_query_t; + fail: + return agq; + }; +- ~apol_genfscon_query_t() { ++ ~apol_genfscon_query() { + apol_genfscon_query_destroy(&self); + }; + %newobject run(apol_policy_t*); +@@ -1746,7 +1746,7 @@ char *apol_genfscon_render(apol_policy_t * p, qpol_genfscon_t * genfscon); + /* apol fs_use query */ + typedef struct apol_fs_use_query {} apol_fs_use_query_t; + %extend apol_fs_use_query_t { +- apol_fs_use_query_t() { ++ apol_fs_use_query() { + apol_fs_use_query_t *afq; + BEGIN_EXCEPTION + afq = apol_fs_use_query_create(); +@@ -1757,7 +1757,7 @@ typedef struct apol_fs_use_query {} apol_fs_use_query_t; + fail: + return afq; + }; +- ~apol_fs_use_query_t() { ++ ~apol_fs_use_query() { + apol_fs_use_query_destroy(&self); + }; + %newobject run(apol_policy_t*); +@@ -1799,7 +1799,7 @@ char *apol_fs_use_render(apol_policy_t * p, qpol_fs_use_t * fsuse); + /* apol initial sid query */ + typedef struct apol_isid_query {} apol_isid_query_t; + %extend apol_isid_query_t { +- apol_isid_query_t() { ++ apol_isid_query() { + apol_isid_query_t *aiq; + BEGIN_EXCEPTION + aiq = apol_isid_query_create(); +@@ -1810,7 +1810,7 @@ typedef struct apol_isid_query {} apol_isid_query_t; + fail: + return aiq; + }; +- ~apol_isid_query_t() { ++ ~apol_isid_query() { + apol_isid_query_destroy(&self); + }; + %newobject run(apol_policy_t*); +@@ -1841,7 +1841,7 @@ typedef struct apol_isid_query {} apol_isid_query_t; + /* apol portcon query */ + typedef struct apol_portcon_query {} apol_portcon_query_t; + %extend apol_portcon_query_t { +- apol_portcon_query_t() { ++ apol_portcon_query() { + apol_portcon_query_t *apq; + BEGIN_EXCEPTION + apq = apol_portcon_query_create(); +@@ -1852,7 +1852,7 @@ typedef struct apol_portcon_query {} apol_portcon_query_t; + fail: + return apq; + }; +- ~apol_portcon_query_t() { ++ ~apol_portcon_query() { + apol_portcon_query_destroy(&self); + }; + %newobject run(apol_policy_t*); +@@ -1885,7 +1885,7 @@ char *apol_portcon_render(apol_policy_t * p, qpol_portcon_t * portcon); + /* apol netifcon query */ + typedef struct apol_netifcon_query {} apol_netifcon_query_t; + %extend apol_netifcon_query_t { +- apol_netifcon_query_t() { ++ apol_netifcon_query() { + apol_netifcon_query_t *anq; + BEGIN_EXCEPTION + anq = apol_netifcon_query_create(); +@@ -1896,7 +1896,7 @@ typedef struct apol_netifcon_query {} apol_netifcon_query_t; + fail: + return anq; + }; +- ~apol_netifcon_query_t() { ++ ~apol_netifcon_query() { + apol_netifcon_query_destroy(&self); + }; + %newobject run(apol_policy_t*); +@@ -1932,7 +1932,7 @@ char *apol_netifcon_render(apol_policy_t * p, qpol_netifcon_t * netifcon); + /* apol nodecon query */ + typedef struct apol_nodecon_query {} apol_nodecon_query_t; + %extend apol_nodecon_query_t { +- apol_nodecon_query_t() { ++ apol_nodecon_query() { + apol_nodecon_query_t *anq; + BEGIN_EXCEPTION + anq = apol_nodecon_query_create(); +@@ -1943,7 +1943,7 @@ typedef struct apol_nodecon_query {} apol_nodecon_query_t; + fail: + return anq; + }; +- ~apol_nodecon_query_t() { ++ ~apol_nodecon_query() { + apol_nodecon_query_destroy(&self); + }; + %newobject run(apol_policy_t*); +@@ -2012,7 +2012,7 @@ char *apol_nodecon_render(apol_policy_t * p, qpol_nodecon_t * nodecon); + /* apol avrule query */ + typedef struct apol_avrule_query {} apol_avrule_query_t; + %extend apol_avrule_query_t { +- apol_avrule_query_t() { ++ apol_avrule_query() { + apol_avrule_query_t *avq; + BEGIN_EXCEPTION + avq = apol_avrule_query_create(); +@@ -2023,7 +2023,7 @@ typedef struct apol_avrule_query {} apol_avrule_query_t; + fail: + return avq; + }; +- ~apol_avrule_query_t() { ++ ~apol_avrule_query() { + apol_avrule_query_destroy(&self); + }; + %newobject run(apol_policy_t*); +@@ -2163,7 +2163,7 @@ char *apol_syn_avrule_render(apol_policy_t * policy, qpol_syn_avrule_t * rule); + /* apol terule query */ + typedef struct apol_terule_query {} apol_terule_query_t; + %extend apol_terule_query_t { +- apol_terule_query_t() { ++ apol_terule_query() { + apol_terule_query_t *atq; + BEGIN_EXCEPTION + atq = apol_terule_query_create(); +@@ -2174,7 +2174,7 @@ typedef struct apol_terule_query {} apol_terule_query_t; + fail: + return atq; + }; +- ~apol_terule_query_t() { ++ ~apol_terule_query() { + apol_terule_query_destroy(&self); + }; + %newobject run(apol_policy_t*); +@@ -2287,7 +2287,7 @@ apol_vector_t *apol_terule_list_to_syn_terules(apol_policy_t * p, apol_vector_t + /* apol cond rule query */ + typedef struct apol_cond_query {} apol_cond_query_t; + %extend apol_cond_query_t { +- apol_cond_query_t() { ++ apol_cond_query() { + apol_cond_query_t *acq; + BEGIN_EXCEPTION + acq = apol_cond_query_create(); +@@ -2298,7 +2298,7 @@ typedef struct apol_cond_query {} apol_cond_query_t; + fail: + return acq; + }; +- ~apol_cond_query_t() { ++ ~apol_cond_query() { + apol_cond_query_destroy(&self); + }; + %newobject run(apol_policy_t*); +@@ -2331,7 +2331,7 @@ char *apol_cond_expr_render(apol_policy_t * p, qpol_cond_t * cond); + /* apol role allow query */ + typedef struct apol_role_allow_query {} apol_role_allow_query_t; + %extend apol_role_allow_query_t { +- apol_role_allow_query_t() { ++ apol_role_allow_query() { + apol_role_allow_query_t *arq; + BEGIN_EXCEPTION + arq = apol_role_allow_query_create(); +@@ -2342,7 +2342,7 @@ typedef struct apol_role_allow_query {} apol_role_allow_query_t; + fail: + return arq; + }; +- ~apol_role_allow_query_t() { ++ ~apol_role_allow_query() { + apol_role_allow_query_destroy(&self); + }; + %newobject run(apol_policy_t*); +@@ -2387,7 +2387,7 @@ char *apol_role_allow_render(apol_policy_t * policy, qpol_role_allow_t * rule); + /* apol role transition rule query */ + typedef struct apol_role_trans_query {} apol_role_trans_query_t; + %extend apol_role_trans_query_t { +- apol_role_trans_query_t() { ++ apol_role_trans_query() { + apol_role_trans_query_t *arq; + BEGIN_EXCEPTION + arq = apol_role_trans_query_create(); +@@ -2398,7 +2398,7 @@ typedef struct apol_role_trans_query {} apol_role_trans_query_t; + fail: + return arq; + }; +- ~apol_role_trans_query_t() { ++ ~apol_role_trans_query() { + apol_role_trans_query_destroy(&self); + }; + %newobject run(apol_policy_t*); +@@ -2452,7 +2452,7 @@ char *apol_role_trans_render(apol_policy_t * policy, qpol_role_trans_t * rule); + /* apol range transition rule query */ + typedef struct apol_range_trans_query {} apol_range_trans_query_t; + %extend apol_range_trans_query_t { +- apol_range_trans_query_t() { ++ apol_range_trans_query() { + apol_range_trans_query_t *arq; + BEGIN_EXCEPTION + arq = apol_range_trans_query_create(); +@@ -2463,7 +2463,7 @@ typedef struct apol_range_trans_query {} apol_range_trans_query_t; + fail: + return arq; + }; +- ~apol_range_trans_query_t() { ++ ~apol_range_trans_query() { + apol_range_trans_query_destroy(&self); + }; + %newobject run(apol_policy_t*); +@@ -2531,7 +2531,7 @@ char *apol_range_trans_render(apol_policy_t * policy, qpol_range_trans_t * rule) + #define APOL_DOMAIN_TRANS_SEARCH_BOTH (APOL_DOMAIN_TRANS_SEARCH_VALID|APOL_DOMAIN_TRANS_SEARCH_INVALID) + typedef struct apol_domain_trans_analysis {} apol_domain_trans_analysis_t; + %extend apol_domain_trans_analysis_t { +- apol_domain_trans_analysis_t() { ++ apol_domain_trans_analysis() { + apol_domain_trans_analysis_t *dta; + BEGIN_EXCEPTION + dta = apol_domain_trans_analysis_create(); +@@ -2542,7 +2542,7 @@ typedef struct apol_domain_trans_analysis {} apol_domain_trans_analysis_t; + fail: + return dta; + }; +- ~apol_domain_trans_analysis_t() { ++ ~apol_domain_trans_analysis() { + apol_domain_trans_analysis_destroy(&self); + }; + void set_direction(apol_policy_t *p, int direction) { +@@ -2622,7 +2622,7 @@ typedef struct apol_domain_trans_analysis {} apol_domain_trans_analysis_t; + }; + typedef struct apol_domain_trans_result {} apol_domain_trans_result_t; + %extend apol_domain_trans_result_t { +- apol_domain_trans_result_t(apol_domain_trans_result_t *in) { ++ apol_domain_trans_result(apol_domain_trans_result_t *in) { + apol_domain_trans_result_t *dtr; + BEGIN_EXCEPTION + dtr = apol_domain_trans_result_create_from_domain_trans_result(in); +@@ -2633,7 +2633,7 @@ typedef struct apol_domain_trans_result {} apol_domain_trans_result_t; + fail: + return dtr; + }; +- ~apol_domain_trans_result_t() { ++ ~apol_domain_trans_result() { + apol_domain_trans_result_destroy(&self); + }; + const qpol_type_t *get_start_type() { +@@ -2705,14 +2705,14 @@ int apol_domain_trans_table_verify_trans(apol_policy_t * policy, qpol_type_t * s + %} + typedef struct apol_infoflow {} apol_infoflow_t; + %extend apol_infoflow_t { +- apol_infoflow_t() { ++ apol_infoflow() { + BEGIN_EXCEPTION + SWIG_exception(SWIG_RuntimeError, "Cannot directly create apol_infoflow_t objects"); + END_EXCEPTION + fail: + return NULL; + }; +- ~apol_infoflow_t() { ++ ~apol_infoflow() { + apol_infoflow_destroy(&self); + }; + %newobject extract_graph(); +@@ -2730,7 +2730,7 @@ typedef struct apol_infoflow {} apol_infoflow_t; + }; + typedef struct apol_infoflow_analysis {} apol_infoflow_analysis_t; + %extend apol_infoflow_analysis_t { +- apol_infoflow_analysis_t() { ++ apol_infoflow_analysis() { + apol_infoflow_analysis_t *aia; + BEGIN_EXCEPTION + aia = apol_infoflow_analysis_create(); +@@ -2741,7 +2741,7 @@ typedef struct apol_infoflow_analysis {} apol_infoflow_analysis_t; + fail: + return aia; + }; +- ~apol_infoflow_analysis_t() { ++ ~apol_infoflow_analysis() { + apol_infoflow_analysis_destroy(&self); + }; + %newobject run(apol_policy_t*); +@@ -2823,14 +2823,14 @@ typedef struct apol_infoflow_analysis {} apol_infoflow_analysis_t; + }; + typedef struct apol_infoflow_graph {} apol_infoflow_graph_t; + %extend apol_infoflow_graph_t { +- apol_infoflow_graph_t() { ++ apol_infoflow_graph() { + BEGIN_EXCEPTION + SWIG_exception(SWIG_RuntimeError, "Cannot directly create apol_infoflow_graph_t objects"); + END_EXCEPTION + fail: + return NULL; + }; +- ~apol_infoflow_graph_t() { ++ ~apol_infoflow_graph() { + apol_infoflow_graph_destroy(&self); + }; + %newobject do_more(apol_policy_t*, char*); +@@ -2867,14 +2867,14 @@ typedef struct apol_infoflow_graph {} apol_infoflow_graph_t; + }; + typedef struct apol_infoflow_result {} apol_infoflow_result_t; + %extend apol_infoflow_result_t { +- apol_infoflow_result_t() { ++ apol_infoflow_result() { + BEGIN_EXCEPTION + SWIG_exception(SWIG_RuntimeError, "Cannot directly create apol_infoflow_result_t objects"); + END_EXCEPTION + fail: + return NULL; + }; +- ~apol_infoflow_result_t() { ++ ~apol_infoflow_result() { + /* no op - vector will destroy */ + return; + }; +@@ -2901,14 +2901,14 @@ typedef struct apol_infoflow_result {} apol_infoflow_result_t; + %} + typedef struct apol_infoflow_step {} apol_infoflow_step_t; + %extend apol_infoflow_step_t { +- apol_infoflow_step_t() { ++ apol_infoflow_step() { + BEGIN_EXCEPTION + SWIG_exception(SWIG_RuntimeError, "Cannot directly create apol_infoflow_step_t objects"); + END_EXCEPTION + fail: + return NULL; + }; +- ~apol_infoflow_step_t() { ++ ~apol_infoflow_step() { + /* no op */ + return; + }; +@@ -2938,7 +2938,7 @@ typedef struct apol_infoflow_step {} apol_infoflow_step_t; + #define APOL_RELABEL_DIR_SUBJECT 0x04 + typedef struct apol_relabel_analysis {} apol_relabel_analysis_t; + %extend apol_relabel_analysis_t { +- apol_relabel_analysis_t() { ++ apol_relabel_analysis() { + apol_relabel_analysis_t *ara; + BEGIN_EXCEPTION + ara = apol_relabel_analysis_create(); +@@ -2949,7 +2949,7 @@ typedef struct apol_relabel_analysis {} apol_relabel_analysis_t; + fail: + return ara; + }; +- ~apol_relabel_analysis_t() { ++ ~apol_relabel_analysis() { + apol_relabel_analysis_destroy(&self); + }; + %newobject run(apol_policy_t*); +@@ -3011,14 +3011,14 @@ typedef struct apol_relabel_analysis {} apol_relabel_analysis_t; + }; + typedef struct apol_relabel_result {} apol_relabel_result_t; + %extend apol_relabel_result_t { +- apol_relabel_result_t() { ++ apol_relabel_result() { + BEGIN_EXCEPTION + SWIG_exception(SWIG_RuntimeError, "Cannot directly create apol_relabel_result_t objects"); + END_EXCEPTION + fail: + return NULL; + }; +- ~apol_relabel_result_t() { ++ ~apol_relabel_result() { + /* no op - vector will destroy */ + return; + }; +@@ -3042,14 +3042,14 @@ typedef struct apol_relabel_result {} apol_relabel_result_t; + %} + typedef struct apol_relabel_result_pair {} apol_relabel_result_pair_t; + %extend apol_relabel_result_pair_t { +- apol_relabel_result_pair_t() { ++ apol_relabel_result_pair() { + BEGIN_EXCEPTION + SWIG_exception(SWIG_RuntimeError, "Cannot directly create apol_relabel_result_pair_t objects"); + END_EXCEPTION + fail: + return NULL; + }; +- ~apol_relabel_result_pair_t() { ++ ~apol_relabel_result_pair() { + /* no op - owned and free()'d by apol_relabel_result_t */ + return; + }; +@@ -3084,7 +3084,7 @@ typedef struct apol_relabel_result_pair {} apol_relabel_result_pair_t; + #define APOL_TYPES_RELATION_TRANS_FLOW_BA 0x8000 + typedef struct apol_types_relation_analysis {} apol_types_relation_analysis_t; + %extend apol_types_relation_analysis_t { +- apol_types_relation_analysis_t() { ++ apol_types_relation_analysis() { + apol_types_relation_analysis_t *atr; + BEGIN_EXCEPTION + atr = apol_types_relation_analysis_create(); +@@ -3095,7 +3095,7 @@ typedef struct apol_types_relation_analysis {} apol_types_relation_analysis_t; + fail: + return atr; + }; +- ~apol_types_relation_analysis_t() { ++ ~apol_types_relation_analysis() { + apol_types_relation_analysis_destroy(&self); + } + %newobject run(apol_policy_t*); +@@ -3139,14 +3139,14 @@ typedef struct apol_types_relation_analysis {} apol_types_relation_analysis_t; + }; + typedef struct apol_types_relation_result {} apol_types_relation_result_t; + %extend apol_types_relation_result_t { +- apol_types_relation_result_t() { ++ apol_types_relation_result() { + BEGIN_EXCEPTION + SWIG_exception(SWIG_RuntimeError, "Cannot directly create apol_types_relation_result_t objects"); + END_EXCEPTION + fail: + return NULL; + }; +- ~apol_types_relation_result_t() { ++ ~apol_types_relation_result() { + apol_types_relation_result_destroy(&self); + }; + const apol_vector_t *get_attributes() { +@@ -3194,14 +3194,14 @@ typedef struct apol_types_relation_result {} apol_types_relation_result_t; + }; + typedef struct apol_types_relation_access {} apol_types_relation_access_t; + %extend apol_types_relation_access_t { +- apol_types_relation_access_t() { ++ apol_types_relation_access() { + BEGIN_EXCEPTION + SWIG_exception(SWIG_RuntimeError, "Cannot directly create apol_types_relation_access_t objects"); + END_EXCEPTION + fail: + return NULL; + }; +- ~apol_types_relation_access_t() { ++ ~apol_types_relation_access() { + /* no op - vector will destroy */ + return; + }; +-- + diff --git a/SOURCES/0014-boolsub.patch b/SOURCES/0014-boolsub.patch new file mode 100644 index 0000000..2890628 --- /dev/null +++ b/SOURCES/0014-boolsub.patch @@ -0,0 +1,24 @@ +diff -up ./setools-3.3.7/secmds/seinfo.c~ ./setools-3.3.7/secmds/seinfo.c +--- ./setools-3.3.7/secmds/seinfo.c~ 2013-03-14 15:26:31.467121596 -0400 ++++ ./setools-3.3.7/secmds/seinfo.c 2013-03-14 15:35:20.154650517 -0400 +@@ -1705,7 +1705,7 @@ int main(int argc, char **argv) + case 'b': /* conditional booleans */ + bools = 1; + if (optarg != 0) +- bool_name = optarg; ++ bool_name = selinux_boolean_sub(optarg); + break; + case OPT_INITIALSID: + isids = 1; +diff -up ./setools-3.3.7/secmds/sesearch.c~ ./setools-3.3.7/secmds/sesearch.c +--- ./setools-3.3.7/secmds/sesearch.c~ 2013-03-14 15:26:31.539121944 -0400 ++++ ./setools-3.3.7/secmds/sesearch.c 2013-03-14 15:34:36.615445562 -0400 +@@ -1056,7 +1056,7 @@ int main(int argc, char **argv) + printf("Missing boolean for -b (--bool)\n"); + exit(1); + } +- cmd_opts.bool_name = strdup(optarg); ++ cmd_opts.bool_name = strdup(selinux_boolean_sub(optarg)); + if (!cmd_opts.bool_name) { + fprintf(stderr, "%s\n", strerror(errno)); + exit(1); diff --git a/SOURCES/0015-aliases.patch b/SOURCES/0015-aliases.patch new file mode 100644 index 0000000..355aff3 --- /dev/null +++ b/SOURCES/0015-aliases.patch @@ -0,0 +1,82 @@ +diff -up setools-3.3.7/libapol/src/policy-query.c~ setools-3.3.7/libapol/src/policy-query.c +diff -up setools-3.3.7/libqpol/include/qpol/type_query.h~ setools-3.3.7/libqpol/include/qpol/type_query.h +diff -up setools-3.3.7/libqpol/tests/iterators-tests.c~ setools-3.3.7/libqpol/tests/iterators-tests.c +diff -up setools-3.3.7/secmds/seinfo.c~ setools-3.3.7/secmds/seinfo.c +--- setools-3.3.7/secmds/seinfo.c~ 2013-03-25 11:30:23.161633059 -0400 ++++ setools-3.3.7/secmds/seinfo.c 2013-03-28 13:08:07.281751011 -0400 +@@ -46,6 +46,7 @@ + #include + #include + #include ++#include + + #define COPYRIGHT_INFO "Copyright (C) 2003-2007 Tresys Technology, LLC" + +@@ -54,6 +55,7 @@ + + static char *policy_file = NULL; + ++static void print_type_aliases(FILE * fp, const qpol_type_t * type_datum, const apol_policy_t * policydb); + static void print_type_attrs(FILE * fp, const qpol_type_t * type_datum, const apol_policy_t * policydb, const int expand); + static void print_attr_types(FILE * fp, const qpol_type_t * type_datum, const apol_policy_t * policydb, const int expand); + static void print_user_roles(FILE * fp, const qpol_user_t * user_datum, const apol_policy_t * policydb, const int expand); +@@ -511,6 +513,7 @@ static int print_types(FILE * fp, const + if (qpol_policy_get_type_by_name(q, name, &type_datum)) + goto cleanup; + print_type_attrs(fp, type_datum, policydb, expand); ++ print_type_aliases(fp, type_datum, policydb); + } else { + if (qpol_policy_get_type_iter(q, &iter)) + goto cleanup; +@@ -1897,6 +1900,51 @@ int main(int argc, char **argv) + } + + /** ++ * Prints the alias of a type. ++ * ++ * @param fp Reference to a file to which to print type information ++ * @param type_datum Reference to sepol type_datum ++ * @param policydb Reference to a policy ++ * attributes ++ */ ++static void print_type_aliases(FILE * fp, const qpol_type_t * type_datum, const apol_policy_t * policydb) ++{ ++ qpol_iterator_t *iter = NULL; ++ size_t alias_size; ++ unsigned char isattr, isalias; ++ const char *type_name = NULL; ++ const char *alias_name; ++ qpol_policy_t *q = apol_policy_get_qpol(policydb); ++ ++ if (qpol_type_get_name(q, type_datum, &type_name)) ++ goto cleanup; ++ if (qpol_type_get_isattr(q, type_datum, &isattr)) ++ goto cleanup; ++ if (qpol_type_get_isalias(q, type_datum, &isalias)) ++ goto cleanup; ++ ++ if (isalias) { ++ fprintf(fp, " TypeName %s\n", type_name); ++ } ++ if (qpol_type_get_alias_iter(q, type_datum, &iter)) ++ goto cleanup; ++ if (qpol_iterator_get_size(iter, &alias_size)) ++ goto cleanup; ++ if (alias_size > 0) { ++ fprintf(fp, " Aliases\n"); ++ for (; !qpol_iterator_end(iter); qpol_iterator_next(iter)) { ++ if (qpol_iterator_get_item(iter, (void **)&alias_name)) ++ goto cleanup; ++ fprintf(fp, " %s\n", alias_name); ++ } ++ } ++ ++ cleanup: ++ qpol_iterator_destroy(&iter); ++ return; ++} ++ ++/** + * Prints a textual representation of a type, and possibly + * all of that type's attributes. + * diff --git a/SOURCES/0016-cmdline.patch b/SOURCES/0016-cmdline.patch new file mode 100644 index 0000000..82b4825 --- /dev/null +++ b/SOURCES/0016-cmdline.patch @@ -0,0 +1,107 @@ +diff -up setools-3.3.7/man/sesearch.1.cmdline setools-3.3.7/man/sesearch.1 +--- setools-3.3.7/man/sesearch.1.cmdline 2008-02-22 14:06:28.000000000 -0500 ++++ setools-3.3.7/man/sesearch.1 2013-07-19 06:46:21.314068667 -0400 +@@ -43,7 +43,7 @@ Search for allow rules. + Search for neverallow rules. + .IP "--auditallow" + Search for auditallow rules. +-.IP "--dontaudit" ++.IP "-D, --dontaudit" + Search for dontaudit rules. + .IP "-T, --type" + Search for type_transition, type_member, and type_change rules. +diff -up setools-3.3.7/secmds/sesearch.c.cmdline setools-3.3.7/secmds/sesearch.c +--- setools-3.3.7/secmds/sesearch.c.cmdline 2013-07-19 06:46:21.291068510 -0400 ++++ setools-3.3.7/secmds/sesearch.c 2013-07-19 06:48:12.962830868 -0400 +@@ -24,6 +24,7 @@ + */ + + #include ++#include + + /* libapol */ + #include +@@ -61,9 +62,8 @@ enum opt_values + static struct option const longopts[] = { + {"allow", no_argument, NULL, 'A'}, + {"neverallow", no_argument, NULL, RULE_NEVERALLOW}, +- {"audit", no_argument, NULL, RULE_AUDIT}, + {"auditallow", no_argument, NULL, RULE_AUDITALLOW}, +- {"dontaudit", no_argument, NULL, RULE_DONTAUDIT}, ++ {"dontaudit", no_argument, NULL, 'D'}, + {"type", no_argument, NULL, 'T'}, + {"role_allow", no_argument, NULL, RULE_ROLE_ALLOW}, + {"role_trans", no_argument, NULL, RULE_ROLE_TRANS}, +@@ -72,7 +72,6 @@ static struct option const longopts[] = + + {"source", required_argument, NULL, 's'}, + {"target", required_argument, NULL, 't'}, +- {"default", required_argument, NULL, 'D'}, + {"role_source", required_argument, NULL, EXPR_ROLE_SOURCE}, + {"role_target", required_argument, NULL, EXPR_ROLE_TARGET}, + {"class", required_argument, NULL, 'c'}, +@@ -129,7 +128,7 @@ void usage(const char *program_name, int + printf(" -A, --allow allow rules\n"); + printf(" --neverallow neverallow rules\n"); + printf(" --auditallow auditallow rules\n"); +- printf(" --dontaudit dontaudit rules\n"); ++ printf(" -D, --dontaudit dontaudit rules\n"); + printf(" -T, --type type_trans, type_member, and type_change\n"); + printf(" --role_allow role allow rules\n"); + printf(" --role_trans role_transition rules\n"); +@@ -666,10 +665,6 @@ static void print_ft_results(const apol_ + size_t i, num_filename_trans = 0; + const qpol_filename_trans_t *filename_trans = NULL; + char *tmp = NULL, *filename_trans_str = NULL, *expr = NULL; +- char enable_char = ' ', branch_char = ' '; +- qpol_iterator_t *iter = NULL; +- const qpol_cond_t *cond = NULL; +- uint32_t enabled = 0, list = 0; + + if (!(num_filename_trans = apol_vector_get_size(v))) + goto cleanup; +@@ -677,7 +672,6 @@ static void print_ft_results(const apol_ + fprintf(stdout, "Found %zd named file transition filename_trans:\n", num_filename_trans); + + for (i = 0; i < num_filename_trans; i++) { +- enable_char = branch_char = ' '; + if (!(filename_trans = apol_vector_get_element(v, i))) + goto cleanup; + +@@ -962,7 +956,7 @@ int main(int argc, char **argv) + + memset(&cmd_opts, 0, sizeof(cmd_opts)); + cmd_opts.indirect = true; +- while ((optc = getopt_long(argc, argv, "ATs:t:c:p:b:dD:RnSChV", longopts, NULL)) != -1) { ++ while ((optc = getopt_long(argc, argv, "ATs:t:c:p:b:dDRnSChV", longopts, NULL)) != -1) { + switch (optc) { + case 0: + break; +@@ -978,18 +972,6 @@ int main(int argc, char **argv) + exit(1); + } + break; +- case 'D': /* source */ +- if (optarg == 0) { +- usage(argv[0], 1); +- printf("Missing source default type for -D (--default)\n"); +- exit(1); +- } +- cmd_opts.default_name = strdup(optarg); +- if (!cmd_opts.default_name) { +- +- exit(1); +- } +- break; + case 't': /* target */ + if (optarg == 0) { + usage(argv[0], 1); +@@ -1082,7 +1064,7 @@ int main(int argc, char **argv) + case RULE_AUDITALLOW: + cmd_opts.auditallow = true; + break; +- case RULE_DONTAUDIT: ++ case 'D': + cmd_opts.dontaudit = true; + break; + case 'T': /* type */ diff --git a/SOURCES/apol.desktop b/SOURCES/apol.desktop new file mode 100644 index 0000000..6cc82cc --- /dev/null +++ b/SOURCES/apol.desktop @@ -0,0 +1,12 @@ +[Desktop Entry] +Name=SELinux Policy Analysis +GenericName=SELinux Policy Analysis Tool +Comment=This tool can examine, search, and relate policy components and policy rules +Icon=apol.png +Exec=/usr/bin/apol +Type=Application +Terminal=false +Encoding=UTF-8 +Categories=System; +X-Desktop-File-Install-Version=0.2 +StartupNotify=true diff --git a/SOURCES/seaudit.desktop b/SOURCES/seaudit.desktop new file mode 100644 index 0000000..e07e62b --- /dev/null +++ b/SOURCES/seaudit.desktop @@ -0,0 +1,12 @@ +[Desktop Entry] +Name=SELinux Audit Log Analysis +GenericName=SELinux Audit Log Analysis Tool +Comment=The tool parses syslog files and extracts all policy , AVC and change of boolean messages. +Icon=seaudit.png +Exec=/usr/bin/seaudit +Type=Application +Terminal=false +Encoding=UTF-8 +Categories=System; +X-Desktop-File-Install-Version=0.2 +StartupNotify=true diff --git a/SOURCES/setools.pam b/SOURCES/setools.pam new file mode 100644 index 0000000..c7d67e3 --- /dev/null +++ b/SOURCES/setools.pam @@ -0,0 +1,4 @@ +#%PAM-1.0 +auth include config-util +account include config-util +session include config-util diff --git a/SPECS/setools.spec b/SPECS/setools.spec new file mode 100644 index 0000000..da53ce9 --- /dev/null +++ b/SPECS/setools.spec @@ -0,0 +1,715 @@ +%define setools_maj_ver 3.3 +%define setools_min_ver 7 + +Name: setools +Version: %{setools_maj_ver}.%{setools_min_ver} +Release: 40%{?dist} +License: GPLv2 +URL: http://oss.tresys.com/projects/setools +BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root +Source: http://oss.tresys.com/projects/setools/chrome/site/dists/setools-%{version}/setools-%{version}.tar.bz2 +Source1: setools.pam +Source2: apol.desktop +Source3: seaudit.desktop +Patch2: 0002-setools-should-exit-with-an-error-status-if-it-gets-.patch +Patch3: 0003-Since-we-do-not-ship-neverallow-rules-all-always-fai.patch +Patch4: 0004-Fix-man-pages-and-getoptions.patch +Patch5: 0005-Fix-sepol-calls-to-work-with-latest-libsepol.patch +Patch6: 0006-Changes-to-support-named-file_trans-rules.patch +Patch7: 0007-Remove-unused-variables.patch +Patch8: 0008-Fix-output-to-match-policy-lines.patch +Patch9: 0009-Fix-swig-coding-style-for-structures.patch +Patch10: 0010-selinux_current_policy_path.patch +Patch11: 0011-setools-noship.patch +Patch12: 0012-seaudit.patch +Patch13: 0013-swig.patch +Patch14: 0014-boolsub.patch +Patch15: 0015-aliases.patch +Patch16: 0016-cmdline.patch + +Summary: Policy analysis tools for SELinux +Group: System Environment/Base +Requires: setools-libs = %{version}-%{release} setools-libs-tcl = %{version}-%{release} setools-gui = %{version}-%{release} setools-console = %{version}-%{release} + +# external requirements +%define autoconf_ver 2.59 +%define bwidget_ver 1.8 +%define gtk_ver 2.8 +%define sepol_ver 2.1.8-5 +%define selinux_ver 2.1.12-10 +%define sqlite_ver 3.2.0 +%define swig_ver 2.0.7-3 +%define tcltk_ver 8.4.9 + +%description +SETools is a collection of graphical tools, command-line tools, and +libraries designed to facilitate SELinux policy analysis. + +This meta-package depends upon the main packages necessary to run +SETools. + +%package libs +License: LGPLv2 +Summary: Policy analysis support libraries for SELinux +Group: System Environment/Libraries +Requires: libselinux >= %{selinux_ver} libsepol >= %{sepol_ver} sqlite >= %{sqlite_ver} +Obsoletes: setools-libs-java +Obsoletes: setools-libs-python < 3.3.7-36 +BuildRequires: flex bison pkgconfig bzip2-devel +BuildRequires: glibc-devel libstdc++-devel gcc gcc-c++ +BuildRequires: libselinux-devel >= %{selinux_ver} libsepol-devel >= %{sepol_ver} +BuildRequires: libsepol-static >= %{sepol_ver} +BuildRequires: sqlite-devel >= %{sqlite_ver} libxml2-devel +BuildRequires: tcl-devel >= %{tcltk_ver} +BuildRequires: autoconf >= %{autoconf_ver} automake + +%description libs +SETools is a collection of graphical tools, command-line tools, and +libraries designed to facilitate SELinux policy analysis. + +This package includes the following run-time libraries: + + libapol policy analysis library + libpoldiff semantic policy difference library + libqpol library that abstracts policy internals + libseaudit parse and filter SELinux audit messages in log files + libsefs SELinux file contexts library + +%package libs-tcl +License: LGPLv2 +Summary: Tcl bindings for SELinux policy analysis +Group: Development/Languages +Requires: setools-libs = %{version}-%{release} tcl >= %{tcltk_ver} +BuildRequires: tcl-devel >= %{tcltk_ver} swig >= %{swig_ver} + +%description libs-tcl +SETools is a collection of graphical tools, command-line tools, and +libraries designed to facilitate SELinux policy analysis. + +This package includes Tcl bindings for the following libraries: + + libapol policy analysis library + libpoldiff semantic policy difference library + libqpol library that abstracts policy internals + libseaudit parse and filter SELinux audit messages in log files + libsefs SELinux file contexts library + +%package devel +License: LGPLv2 +Summary: Policy analysis development files for SELinux +Group: Development/Libraries +Requires: libselinux-devel >= %{selinux_ver} libsepol-devel >= %{sepol_ver} setools-libs = %{version}-%{release} +BuildRequires: sqlite-devel >= %{sqlite_ver} libxml2-devel + +%description devel +SETools is a collection of graphical tools, command-line tools, and +libraries designed to facilitate SELinux policy analysis. + +This package includes header files and archives for the following +libraries: + + libapol policy analysis library + libpoldiff semantic policy difference library + libqpol library that abstracts policy internals + libseaudit parse and filter SELinux audit messages in log files + libsefs SELinux file contexts library + +%package console +Summary: Policy analysis command-line tools for SELinux +Group: System Environment/Base +License: GPLv2 +Requires: setools-libs = %{version}-%{release} +Requires: libselinux >= %{selinux_ver} + +%description console +SETools is a collection of graphical tools, command-line tools, and +libraries designed to facilitate SELinux policy analysis. + +This package includes the following console tools: + + secmds command line tools: seinfo, sesearch + sediff semantic policy difference tool + +%package gui +Summary: Policy analysis graphical tools for SELinux +Group: System Environment/Base +Requires: tcl >= %{tcltk_ver} tk >= %{tcltk_ver} bwidget >= %{bwidget_ver} +Requires: setools-libs = %{version}-%{release} setools-libs-tcl = %{version}-%{release} +Requires: glib2 gtk2 >= %{gtk_ver} usermode +BuildRequires: gtk2-devel >= %{gtk_ver} libglade2-devel libxml2-devel tk-devel >= %{tcltk_ver} +BuildRequires: desktop-file-utils + +%description gui +SETools is a collection of graphical tools, command-line tools, and +libraries designed to facilitate SELinux policy analysis. + +This package includes the following graphical tools: + + apol policy analysis tool + seaudit audit log analysis tool + +%define setoolsdir %{_datadir}/setools-%{setools_maj_ver} +%define tcllibdir %{_libdir}/setools + +%prep +%setup -q +%patch2 -p 1 -b .exitstatus +%patch3 -p 1 -b .neverallow +%patch4 -p 1 -b .manpage +%patch5 -p 1 -b .libsepol +%patch6 -p 1 -b .filenametrans +%patch7 -p 1 -b .unused +%patch8 -p 1 -b .fixoutput +%patch9 -p 1 -b .fixswig +%patch10 -p 1 -b .current +%patch11 -p 1 -b .noship +%patch12 -p 1 -b .seaudit +%patch13 -p 1 -b .swig +%patch14 -p 2 -b .boolsub +%patch15 -p 1 -b .aliases +%patch16 -p 1 -b .cmdline +%ifarch sparc sparcv9 sparc64 s390 s390x + for file in `find . -name Makefile.am`; do + sed -i -e 's:-fpic:-fPIC:' $file; + done +%endif +# Fixup expected version of SWIG: +sed -i -e "s|AC_PROG_SWIG(1.3.28)|AC_PROG_SWIG(2.0.0)|g" configure.ac +# and rebuild the autotooled files: +aclocal +autoreconf -if + +%build +automake +%configure --libdir=%{_libdir} --disable-bwidget-check --disable-selinux-check \ + --enable-swig-tcl +# work around issue with gcc 4.3 + gnu99 + swig-generated code: +make %{?_smp_mflags} + +%install +rm -rf ${RPM_BUILD_ROOT} +make DESTDIR=${RPM_BUILD_ROOT} INSTALL="install -p" install +mkdir -p ${RPM_BUILD_ROOT}%{_datadir}/applications +mkdir -p ${RPM_BUILD_ROOT}%{_datadir}/pixmaps +install -d -m 755 ${RPM_BUILD_ROOT}%{_sysconfdir}/pam.d +install -p -m 644 %{SOURCE1} ${RPM_BUILD_ROOT}%{_sysconfdir}/pam.d/seaudit +install -d -m 755 ${RPM_BUILD_ROOT}%{_sysconfdir}/security/console.apps +install -p -m 644 packages/rpm/seaudit.console ${RPM_BUILD_ROOT}%{_sysconfdir}/security/console.apps/seaudit +install -d -m 755 ${RPM_BUILD_ROOT}%{_datadir}/applications +install -p -m 644 apol/apol.png ${RPM_BUILD_ROOT}%{_datadir}/pixmaps/apol.png +install -p -m 644 seaudit/seaudit.png ${RPM_BUILD_ROOT}%{_datadir}/pixmaps/seaudit.png +desktop-file-install --dir ${RPM_BUILD_ROOT}%{_datadir}/applications %{SOURCE2} +ln -sf consolehelper ${RPM_BUILD_ROOT}/%{_bindir}/seaudit +# remove static libs +rm -f ${RPM_BUILD_ROOT}/%{_libdir}/*.a +# ensure permissions are correct +chmod 0755 ${RPM_BUILD_ROOT}/%{_libdir}/*.so.* +chmod 0755 ${RPM_BUILD_ROOT}/%{_libdir}/%{name}/*/*.so.* +chmod 0644 ${RPM_BUILD_ROOT}/%{tcllibdir}/*/pkgIndex.tcl + +%clean +rm -rf ${RPM_BUILD_ROOT} + +%files +%defattr(-,root,root,-) + +%files libs +%defattr(-,root,root,-) +%doc AUTHORS ChangeLog COPYING COPYING.GPL COPYING.LGPL KNOWN-BUGS NEWS README +%{_libdir}/libqpol.so.* +%{_libdir}/libapol.so.* +%{_libdir}/libpoldiff.so.* +%{_libdir}/libsefs.so.* +%{_libdir}/libseaudit.so.* +%dir %{setoolsdir} + +%files libs-tcl +%defattr(-,root,root,-) +%dir %{tcllibdir} +%{tcllibdir}/qpol/ +%{tcllibdir}/apol/ +%{tcllibdir}/poldiff/ +%{tcllibdir}/seaudit/ +%{tcllibdir}/sefs/ + +%files devel +%defattr(-,root,root,-) +%{_libdir}/*.so +%{_libdir}/pkgconfig/* +%{_includedir}/qpol/ +%{_includedir}/apol/ +%{_includedir}/poldiff/ +%{_includedir}/seaudit/ +%{_includedir}/sefs/ + +%files console +%defattr(-,root,root,-) +%{_bindir}/seinfo +%{_bindir}/sesearch +%{_bindir}/sediff +%{_mandir}/man1/sediff.1.gz +%{_mandir}/man1/seinfo.1.gz +%{_mandir}/man1/sesearch.1.gz + +%files gui +%defattr(-,root,root,-) +%{_bindir}/seaudit +%{_bindir}/apol +%{tcllibdir}/apol_tcl/ +%{setoolsdir}/apol_help.txt +%{setoolsdir}/domaintrans_help.txt +%{setoolsdir}/file_relabel_help.txt +%{setoolsdir}/infoflow_help.txt +%{setoolsdir}/types_relation_help.txt +%{setoolsdir}/apol_perm_mapping_* +%{setoolsdir}/seaudit_help.txt +%{setoolsdir}/*.glade +%{setoolsdir}/*.png +%{setoolsdir}/apol.gif +%{setoolsdir}/dot_seaudit +%{_mandir}/man1/apol.1.gz +%{_mandir}/man8/seaudit.8.gz +%{_sbindir}/seaudit +%config(noreplace) %{_sysconfdir}/pam.d/seaudit +%config(noreplace) %{_sysconfdir}/security/console.apps/seaudit +%{_datadir}/applications/* +%attr(0644,root,root) %{_datadir}/pixmaps/*.png + +%post libs -p /sbin/ldconfig + +%postun libs -p /sbin/ldconfig + +%post libs-tcl -p /sbin/ldconfig + +%postun libs-tcl -p /sbin/ldconfig + +%changelog +* Fri Jul 19 2013 Dan Walsh - 3.3.7-40 +- Fix help message on sesearch -D + +* Thu May 16 2013 Dan Walsh - 3.3.7-39 +- Remove --default and --audit from sesearch +- Make -D == --dontaudit in sesearch + +* Thu Mar 28 2013 Dan Walsh - 3.3.7-38 +- Add alias support to seinfo -t + +* Wed Mar 27 2013 Kalev Lember - 3.3.7-37 +- Obsolete the removed setools-libs-python subpackage + +* Fri Mar 15 2013 Dan Walsh - 3.3.7-36 +- Drop support for python bindings + +* Thu Mar 14 2013 Dan Walsh - 3.3.7-35 +- Add support for substituting bools to sesearch and seinfo + +* Wed Jan 30 2013 Dan Walsh - 3.3.7-34 +- Rebuild using pristine source from Tresys + +* Tue Jan 29 2013 Dan Walsh - 3.3.7-33 +- Apply swig patch to make apol work again. + +* Mon Jan 7 2013 Dan Walsh - 3.3.7-32 +- Rebuild with new tool chain + +* Fri Sep 28 2012 Dan Walsh - 3.3.7-31 +- Add filename_trans to python/setools/sesearch bindings + +* Fri Sep 28 2012 Dan Walsh - 3.3.7-30 +- Apply Lars Jensen patch to fix seaudit +- Remove java bindings, not supported + +* Sun Sep 16 2012 Dan Walsh - 3.3.7-29 +- Remove tools that we do not want to support + +* Mon Aug 20 2012 Dan Horák - 3.3.7-28 +- use autoreconf to rebuild all autotooled files (FTBFS) + +* Sat Jul 21 2012 Fedora Release Engineering - 3.3.7-27 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild + +* Wed Jul 11 2012 Dan Walsh - 3.3.7-26 +- mgrepl patch to Fix swig coding style for structures related to SWIG changes + +* Wed Jul 4 2012 Dan Walsh - 3.3.7-25 +- Fix swig coding style for structures related to SWIG changes + +* Wed May 2 2012 Dan Walsh - 3.3.7-24 +- Revert setools current patch + +- Rebuild to get latest libsepol which fixes the file_name transition problems +- Use selinux_current_policy_path to read by default policy + +* Tue Feb 28 2012 Fedora Release Engineering - 3.3.7-22 +- Rebuilt for c++ ABI breakage + +* Sat Jan 14 2012 Fedora Release Engineering - 3.3.7-21 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild + +* Tue Dec 20 2011 Dan Walsh - 3.3.7-20 +- Rebuild to use latest libsepol + +* Wed Oct 26 2011 Dan Walsh - 3.3.7-19 +- Add ftrule*h in apol and qpol + +* Wed Sep 21 2011 Dan Walsh - 3.3.7-18 +- Fix output to match input in policy + +* Tue Sep 20 2011 Dan Walsh - 3.3.7-17 +- Fix to build with latest libsepol +- Show filename transition files + +* Thu Apr 21 2011 Dan Walsh - 3.3.7-16 +- Rebuild for new sepol + +* Fri Apr 15 2011 Dan Walsh - 3.3.7-15 +- Rebuild for new sepol + +* Sat Apr 9 2011 Dan Walsh - 3.3.7-14 +- Rebuild for new sepol + +* Sun Feb 27 2011 Dennis Gilmore - 3.3.7-13 +- switch in -fPIC in Makefile.am in prep stage + +* Wed Feb 09 2011 Fedora Release Engineering - 3.3.7-12 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild + +* Fri Nov 5 2010 Dan Walsh 3.3.6-10 +- Exit seinfo and sesearch with proper status + +* Fri Nov 5 2010 Dan Walsh 3.3.6-9 +- Rebuild for new libxml2 + +* Thu Oct 14 2010 Dan Walsh 3.3.6-8 +- Return None when no records match python setools.sesearch + +* Thu Aug 19 2010 Dan Walsh 3.3.6-7 +- Add range to ports in seinfo python + +* Tue Aug 3 2010 Dan Walsh 3.3.6-6 +- Return range with ports + +* Tue Aug 3 2010 Dan Walsh 3.3.6-5 +- Add port support to setools python + +* Mon Jul 26 2010 David Malcolm - 3.3.7-4 +- fixup configure.ac to expect SWIG 2.0.0; bump the python version to 2.7 in +patch 1 + +* Thu Jul 22 2010 David Malcolm - 3.3.7-3 +- Rebuilt for https://fedoraproject.org/wiki/Features/Python_2.7/MassRebuild + +* Wed May 12 2010 Chris PeBenito 3.3.7-2 +- Add missing bzip2 dependencies. + +* Wed May 12 2010 Chris PeBenito 3.3.7-1 +- New upstream release. + +* Tue Aug 11 2009 Dan Walsh 3.3.6-4 +- Add python bindings for sesearch and seinfo + +* Tue Jul 28 2009 Dan Walsh 3.3.6-3 +- Fix qpol install of include files + +* Sun Jul 26 2009 Fedora Release Engineering - 3.3.6-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild + +* Wed Jul 22 2009 Chris PeBenito 3.3.6-1 +- New upstream release. + +* Sun Apr 5 2009 Dan Horák - 3.3.5-8 +- don't expect that java-devel resolves as gcj + +* Sun Apr 5 2009 Dan Horák - 3.3.5-7 +- add support for s390x + +* Wed Feb 25 2009 Fedora Release Engineering - 3.3.5-6 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild + +* Thu Dec 04 2008 Ignacio Vazquez-Abrams - 3.3.5-5 +- Rebuild for Python 2.6 + +* Mon Dec 1 2008 Michael Schwendt - 3.3.5-4 +- Include %%tcllibdir directory in -libs-tcl package. + +* Sat Nov 29 2008 Ignacio Vazquez-Abrams - 3.3.5-3 +- Rebuild for Python 2.6 + +* Wed Sep 17 2008 Dennis Gilmore 3.3.5-2 +- fix building in sparc and s390 arches + +* Tue Aug 26 2008 Chris PeBenito 3.3.5-1 +- Update to upstream version 3.3.5. + +* Wed Feb 27 2008 Chris PeBenito 3.3.4-1 +- Fixes gcc 4.3, glibc 2.7, tcl 8.5, and libsepol 2.0.20 issues. +- Fix policy loading when policy on disk is higher version than the kernel. + +* Tue Feb 19 2008 Fedora Release Engineering - 3.3.2-3 +- Autorebuild for GCC 4.3 + +* Tue Jan 29 2008 Chris Pebenito 3.3.2-2.fc9 +- Bump to pick up new libsepol and policy 22. + +* Wed Nov 28 2007 Chris Pebenito 3.3.2-1.fc9 +- Update for 3.3.2. + +* Thu Oct 18 2007 Chris PeBenito 3.3.1-7.fc8 +- Rebuild to fix ppc64 issue. + +* Wed Oct 17 2007 Chris PeBenito 3.3.1-6.fc8 +- Update for 3.3.1. + +* Tue Aug 28 2007 Fedora Release Engineering - 3.2-4 +- Rebuild for selinux ppc32 issue. + +* Fri Jul 20 2007 Dan Walsh 3.2-3 +- Move to Tresys spec file + +* Wed Jun 13 2007 Dan Walsh 3.2-2 +- Bump for rebuild + +* Mon Apr 30 2007 Dan Walsh 3.2-1 +- Start shipping the rest of the setools command line apps + +* Wed Apr 25 2007 Jason Tang 3.2-0 +- update to SETools 3.2 release + +* Fri Feb 02 2007 Jason Tang 3.1-1 +- update to SETools 3.1 release + +* Mon Oct 30 2006 Dan Walsh 3.0-2.fc6 +- bump for fc6 + +* Thu Oct 26 2006 Dan Walsh 3.0-2 +- Build on rawhide + +* Sun Oct 15 2006 Dan Walsh 3.0-1 +- Update to upstream + +* Wed Jul 12 2006 Jesse Keating - sh: line 0: fg: no job control +- rebuild + +* Tue May 23 2006 Dan Walsh 2.4-2 +- Remove sqlite include directory + +* Wed May 3 2006 Dan Walsh 2.4-1 +- Update from upstream + +* Mon Apr 10 2006 Dan Walsh 2.3-3 +- Fix help +- Add icons + +* Tue Mar 21 2006 Dan Walsh 2.3-2 +- Remove console apps for sediff, sediffx and apol + +* Fri Feb 10 2006 Jesse Keating - 2.3-1.2 +- bump again for double-long bug on ppc(64) + +* Tue Feb 07 2006 Jesse Keating - 2.3-1.1 +- rebuilt for new gcc4.1 snapshot and glibc changes + +* Tue Jan 31 2006 Dan Walsh 2.3-1 +- Update from upstream + * apol: + added new MLS components tab for sensitivities, + levels, and categories. + Changed users tab to support ranges and default + levels. + added range transition tab for searching range + Transition rules. + added new tab for network context components. + added new tab for file system context components. + * libapol: + added binpol support for MLS, network contexts, + and file system contexts. + * seinfo: + added command line options for MLS components. + added command line options for network contexts + and file system contexts. + * sesearch: + added command line option for searching for rules + by conditional boolean name. + * seaudit: + added new column in the log view for the 'comm' + field found in auditd log files. + added filters for the 'comm' field and 'message' + field. + * manpages: + added manpages for all tools. + + + +* Fri Dec 16 2005 Jesse Keating +- rebuilt for new gcj + +* Wed Dec 14 2005 Dan Walsh 2.2-4 +- Fix dessktop files +- Apply fixes from bkyoung + +* Fri Dec 09 2005 Jesse Keating +- rebuilt + +* Thu Nov 3 2005 Dan Walsh 2.2-3 +- Move more gui files out of base into gui + +* Thu Nov 3 2005 Dan Walsh 2.2-2 +- Move sediff from gui to main package + +* Thu Nov 3 2005 Dan Walsh 2.2-1 +- Upgrade to upstream version + +* Thu Oct 13 2005 Dan Walsh 2.1.3-1 +- Upgrade to upstream version + +* Mon Oct 10 2005 Tomas Mraz 2.1.2-3 +- use include instead of pam_stack in pam config + +* Thu Sep 1 2005 Dan Walsh 2.1.2-2 +- Fix spec file + +* Thu Sep 1 2005 Dan Walsh 2.1.2-1 +- Upgrade to upstream version + +* Thu Aug 18 2005 Florian La Roche +- do not package debug files into the -devel package + +* Wed Aug 17 2005 Jeremy Katz - 2.1.1-3 +- rebuild against new cairo + +* Wed May 25 2005 Dan Walsh 2.1.1-0 +- Upgrade to upstream version + +* Mon May 23 2005 Bill Nottingham 2.1.0-5 +- put libraries in the right place (also puts debuginfo in the right + package) +- add %%defattr for -devel too + +* Thu May 12 2005 Dan Walsh 2.1.0-4 +- Move sepcut to gui apps. + +* Fri May 6 2005 Dan Walsh 2.1.0-3 +- Fix Missing return code. + +* Wed Apr 20 2005 Dan Walsh 2.1.0-2 +- Fix requires line + +* Tue Apr 19 2005 Dan Walsh 2.1.0-1 +- Update to latest from tresys + +* Tue Apr 5 2005 Dan Walsh 2.0.0-2 +- Fix buildrequires lines in spec file + +* Wed Mar 2 2005 Dan Walsh 2.0.0-1 +- Update to latest from tresys + +* Mon Nov 29 2004 Dan Walsh 1.5.1-6 +- add FALLBACK=true to /etc/security/console.apps/apol + +* Wed Nov 10 2004 Dan Walsh 1.5.1-3 +- Add badtcl patch from Tresys. + +* Mon Nov 8 2004 Dan Walsh 1.5.1-2 +- Apply malloc problem patch provided by Sami Farin + +* Mon Nov 1 2004 Dan Walsh 1.5.1-1 +- Update to latest from Upstream + +* Wed Oct 6 2004 Dan Walsh 1.4.1-5 +- Update tresys patch + +* Mon Oct 4 2004 Dan Walsh 1.4.1-4 +- Fix directory ownership + +* Thu Jul 8 2004 Dan Walsh 1.4.1-1 +- Latest from Tresys + +* Wed Jun 23 2004 Dan Walsh 1.4-5 +- Add build requires libselinux + +* Tue Jun 22 2004 Dan Walsh 1.4-4 +- Add support for policy.18 + +* Tue Jun 15 2004 Elliot Lee +- rebuilt + +* Thu Jun 10 2004 Dan Walsh 1.4-2 +- Fix install locations of policy_src_dir + +* Wed Jun 2 2004 Dan Walsh 1.4-1 +- Update to latest from TRESYS. + +* Tue Jun 1 2004 Dan Walsh 1.3-3 +- Make changes to work with targeted/strict policy +* Fri Apr 16 2004 Dan Walsh 1.3-2 +- Take out requirement for policy file + +* Fri Apr 16 2004 Dan Walsh 1.3-1 +- Fix doc location + +* Fri Apr 16 2004 Dan Walsh 1.3-1 +- Latest from TRESYS + +* Tue Apr 13 2004 Dan Walsh 1.2.1-8 +- fix location of policy.conf file + +* Tue Apr 6 2004 Dan Walsh 1.2.1-7 +- Obsolete setools-devel +* Tue Apr 6 2004 Dan Walsh 1.2.1-6 +- Fix location of +* Tue Apr 6 2004 Dan Walsh 1.2.1-5 +- Remove devel libraries +- Fix installdir for lib64 + +* Sat Apr 3 2004 Dan Walsh 1.2.1-4 +- Add usr_t file read to policy + +* Thu Mar 25 2004 Dan Walsh 1.2.1-3 +- Use tcl8.4 + +* Tue Mar 02 2004 Elliot Lee +- rebuilt + +* Fri Feb 13 2004 Elliot Lee +- rebuilt + +* Fri Feb 6 2004 Dan Walsh 1.2.1-1 +- New patch + +* Fri Feb 6 2004 Dan Walsh 1.2-1 +- Latest upstream version + +* Tue Dec 30 2003 Dan Walsh 1.1.1-1 +- New version from upstream +- Remove seuser.te. Now in policy file. + +* Tue Dec 30 2003 Dan Walsh 1.1-2 +- Add Defattr to devel +- move libs to base kit + +* Fri Dec 19 2003 Dan Walsh 1.1-1 +- Update to latest code from tresys +- Break into three separate packages for cmdline, devel and gui +- Incorporate the tcl patch + +* Mon Dec 15 2003 Jens Petersen - 1.0.1-3 +- apply setools-1.0.1-tcltk.patch to build against tcl/tk 8.4 +- buildrequire tk-devel + +* Thu Nov 20 2003 Dan Walsh 1.0.1-2 +- Add Bwidgets to this RPM + +* Tue Nov 4 2003 Dan Walsh 1.0.1-1 +- Upgrade to 1.0.1 + +* Wed Oct 15 2003 Dan Walsh 1.0-6 +- Clean up build + +* Tue Oct 14 2003 Dan Walsh 1.0-5 +- Update with correct seuser.te + +* Wed Oct 1 2003 Dan Walsh 1.0-4 +- Update with final release from Tresys + +* Mon Jun 2 2003 Dan Walsh 1.0-1 +- Initial version