diff --git a/SOURCES/0014-Add-support-for-DCCP-and-SCTP-protocols.patch b/SOURCES/0014-Add-support-for-DCCP-and-SCTP-protocols.patch
new file mode 100644
index 0000000..94679d1
--- /dev/null
+++ b/SOURCES/0014-Add-support-for-DCCP-and-SCTP-protocols.patch
@@ -0,0 +1,235 @@
+From 78260f2d8fdeb05a9d53727ea64bf5b2d08d3349 Mon Sep 17 00:00:00 2001
+From: Vit Mojzis
+Date: Fri, 20 Jul 2018 17:33:22 +0200
+Subject: [PATCH] Add support for DCCP and SCTP protocols
+
+Resolves: rhbz#1607273
+---
+ libapol/include/apol/util.h | 12 ++++++------
+ libapol/src/util.c | 17 +++++++++++++++++
+ libapol/swig/apol.i | 3 +++
+ libqpol/include/qpol/portcon_query.h | 13 +++++++++++--
+ libqpol/src/policy_define.c | 10 ++++++++++
+ libqpol/src/policy_parse.y | 7 +++++++
+ libqpol/swig/qpol.i | 3 +++
+ python/setools/seinfo.c | 4 +++-
+ secmds/seinfo.c | 4 ++++
+ 9 files changed, 64 insertions(+), 9 deletions(-)
+
+diff --git a/libapol/include/apol/util.h b/libapol/include/apol/util.h
+index 99db1685..3e370332 100644
+--- a/libapol/include/apol/util.h
++++ b/libapol/include/apol/util.h
+@@ -48,8 +48,8 @@ extern "C"
+ * Given a portcon protocol, return a read-only string that describes
+ * that protocol.
+ *
+- * @param protocol Portcon protocol, one of IPPROTO_TCP or IPPROTO_UDP
+- * from netinet/in.h.
++ * @param protocol Portcon protocol, one of IPPROTO_TCP, IPPROTO_UDP,
++ * IPPROTO_DCCP or IPPROTO_SCTP from netinet/in.h.
+ *
+ * @return A string that describes the protocol, or NULL if the
+ * protocol is invalid. Do not free() this string.
+@@ -59,10 +59,10 @@ extern "C"
+ /**
+ * Given the name of a portcon protocol, return its numeric value.
+ *
+- * @param protocol_str Portcon protocol, one of "tcp", "TCP", "udp", or "UDP".
+- *
+- * @return Numeric value for the protocol, one of IPPROTO_TCP or IPPROTO_UDP
+- * from netinet/in.h. Upon error return 0.
++ * @param protocol_str Portcon protocol, one of "tcp", "TCP", "udp", "UDP",
++ * "dccp", "DCCP", "sctp" or "SCTP".
++ * @return Numeric value for the protocol, one of IPPROTO_TCP, IPPROTO_UDP,
++ * IPPROTO_DCCP or IPPROTO_SCTP from netinet/in.h. Upon error return 0.
+ */
+ extern uint8_t apol_str_to_protocol(const char *protocol_str);
+
+diff --git a/libapol/src/util.c b/libapol/src/util.c
+index dd6d300d..fc38d9d5 100644
+--- a/libapol/src/util.c
++++ b/libapol/src/util.c
+@@ -42,6 +42,13 @@
+ #include
+ #include /* needed for portcon's protocol */
+
++#ifndef IPPROTO_DCCP
++#define IPPROTO_DCCP 33
++#endif
++#ifndef IPPROTO_SCTP
++#define IPPROTO_SCTP 132
++#endif
++
+ /* use 8k line size */
+ #define APOL_LINE_SZ 8192
+ #define APOL_ENVIRON_VAR_NAME "APOL_INSTALL_DIR"
+@@ -173,6 +180,10 @@ const char *apol_protocol_to_str(uint8_t protocol)
+ return "tcp";
+ case IPPROTO_UDP:
+ return "udp";
++ case IPPROTO_DCCP:
++ return "dccp";
++ case IPPROTO_SCTP:
++ return "sctp";
+ default:
+ errno = EPROTONOSUPPORT;
+ return NULL;
+@@ -191,6 +202,12 @@ uint8_t apol_str_to_protocol(const char *protocol_str)
+ if (strcmp(protocol_str, "udp") == 0 || strcmp(protocol_str, "UDP") == 0) {
+ return IPPROTO_UDP;
+ }
++ if (strcmp(protocol_str, "dccp") == 0 || strcmp(protocol_str, "DCCP") == 0) {
++ return IPPROTO_DCCP;
++ }
++ if (strcmp(protocol_str, "sctp") == 0 || strcmp(protocol_str, "SCTP") == 0) {
++ return IPPROTO_SCTP;
++ }
+ errno = EPROTONOSUPPORT;
+ return 0;
+ }
+diff --git a/libapol/swig/apol.i b/libapol/swig/apol.i
+index 8a4a195f..6a650315 100644
+--- a/libapol/swig/apol.i
++++ b/libapol/swig/apol.i
+@@ -227,6 +227,9 @@ const char *libapol_get_version(void);
+ /* defines from netinet/in.h for ip protocols */
+ #define IPPROTO_TCP 6
+ #define IPPROTO_UDP 17
++#define IPPROTO_DCCP 33
++#define IPPROTO_SCTP 132
++
+ const char *apol_protocol_to_str(uint8_t protocol);
+ uint8_t apol_str_to_protocol(const char *protocol_str);
+ %newobject wrap_apol_str_to_internal_ip(char*);
+diff --git a/libqpol/include/qpol/portcon_query.h b/libqpol/include/qpol/portcon_query.h
+index 63210feb..72e8ce9e 100644
+--- a/libqpol/include/qpol/portcon_query.h
++++ b/libqpol/include/qpol/portcon_query.h
+@@ -37,6 +37,13 @@ extern "C"
+ #include
+ #include
+
++#ifndef IPPROTO_DCCP
++#define IPPROTO_DCCP 33
++#endif
++#ifndef IPPROTO_SCTP
++#define IPPROTO_SCTP 132
++#endif
++
+ typedef struct qpol_portcon qpol_portcon_t;
+
+ /**
+@@ -46,7 +53,8 @@ extern "C"
+ * @param high The high port of the range of ports; if searching for a
+ * single port, set high equal to low.
+ * @param protocol The protocol used in the portcon statement.
+- * Value should be one of IPPROTO_TCP or IPPROTO_UDP from netinet/in.h
++ * Value should be one of IPPROTO_TCP, IPPROTO_UDP, IPPROTO_DCCP or
++ * IPPROTO_SCTP from netinet/in.h
+ * @param ocon Pointer in which to store the statement returned.
+ * The caller should not free this pointer.
+ * @return 0 on success and < 0 on failure; if the call fails,
+@@ -73,7 +81,8 @@ extern "C"
+ * @param policy The policy associated with the portcon statement.
+ * @param ocon The portcon statement from which to get the protocol.
+ * @param protocol Pointer to set to the value of protocol.
+- * Value will be one of IPPROTO_TCP or IPPROTO_UDP from netinet/in.h
++ * Value will be one of IPPROTO_TCP, IPPROTO_UDP, IPPROTO_DCCP or
++ * IPPROTO_SCTP from netinet/in.h
+ * @return 0 on success and < 0 on failure; if the call fails,
+ * errno will be set and *protocol will be 0;
+ */
+diff --git a/libqpol/src/policy_define.c b/libqpol/src/policy_define.c
+index 15f70ba3..2c5d488b 100644
+--- a/libqpol/src/policy_define.c
++++ b/libqpol/src/policy_define.c
+@@ -63,6 +63,12 @@
+ #ifdef HAVE_SEPOL_ERRCODES
+ #include
+ #endif
++#ifndef IPPROTO_DCCP
++#define IPPROTO_DCCP 33
++#endif
++#ifndef IPPROTO_SCTP
++#define IPPROTO_SCTP 132
++#endif
+
+ #include "queue.h"
+ /* Required for SETools libqpol - Removed #include "checkpolicy.h"*/
+@@ -4350,6 +4356,10 @@ int define_port_context(unsigned int low, unsigned int high)
+ protocol = IPPROTO_TCP;
+ } else if ((strcmp(id, "udp") == 0) || (strcmp(id, "UDP") == 0)) {
+ protocol = IPPROTO_UDP;
++ } else if ((strcmp(id, "dccp") == 0) || (strcmp(id, "DCCP") == 0)) {
++ protocol = IPPROTO_DCCP;
++ } else if ((strcmp(id, "sctp") == 0) || (strcmp(id, "SCTP") == 0)) {
++ protocol = IPPROTO_SCTP;
+ } else {
+ yyerror2("unrecognized protocol %s", id);
+ free(newc);
+diff --git a/libqpol/src/policy_parse.y b/libqpol/src/policy_parse.y
+index 357f3d8f..e07ff52c 100644
+--- a/libqpol/src/policy_parse.y
++++ b/libqpol/src/policy_parse.y
+@@ -52,6 +52,13 @@
+ #include
+ #include
+
++#ifndef IPPROTO_DCCP
++#define IPPROTO_DCCP 33
++#endif
++#ifndef IPPROTO_SCTP
++#define IPPROTO_SCTP 132
++#endif
++
+ #include
+ #include
+ #include
+diff --git a/libqpol/swig/qpol.i b/libqpol/swig/qpol.i
+index b604488a..9fbb8286 100644
+--- a/libqpol/swig/qpol.i
++++ b/libqpol/swig/qpol.i
+@@ -2005,6 +2005,9 @@ typedef struct qpol_nodecon {} qpol_nodecon_t;
+ /* from netinet/in.h */
+ #define IPPROTO_TCP 6
+ #define IPPROTO_UDP 17
++#define IPPROTO_DCCP 33
++#define IPPROTO_SCTP 132
++
+ typedef struct qpol_portcon {} qpol_portcon_t;
+ %extend qpol_portcon_t {
+ qpol_portcon(qpol_policy_t *p, uint16_t low, uint16_t high, uint8_t protocol) {
+diff --git a/python/setools/seinfo.c b/python/setools/seinfo.c
+index 211930a3..7c22f9e7 100644
+--- a/python/setools/seinfo.c
++++ b/python/setools/seinfo.c
+@@ -512,7 +512,9 @@ static PyObject* get_ports(const char *num, const apol_policy_t * policydb)
+ }
+
+ if ((ocon_proto != IPPROTO_TCP) &&
+- (ocon_proto != IPPROTO_UDP))
++ (ocon_proto != IPPROTO_UDP) &&
++ (ocon_proto != IPPROTO_DCCP) &&
++ (ocon_proto != IPPROTO_SCTP))
+ goto cleanup;
+
+ if (qpol_portcon_get_context(q, portcon, &ctxt)) {
+diff --git a/secmds/seinfo.c b/secmds/seinfo.c
+index a9708907..3c71af57 100644
+--- a/secmds/seinfo.c
++++ b/secmds/seinfo.c
+@@ -1155,6 +1155,10 @@ static int print_portcon(FILE * fp, const char *num, const char *protocol, const
+ proto = IPPROTO_TCP;
+ else if (!strcmp(protocol, "udp"))
+ proto = IPPROTO_UDP;
++ else if (!strcmp(protocol, "dccp"))
++ proto = IPPROTO_DCCP;
++ else if (!strcmp(protocol, "sctp"))
++ proto = IPPROTO_SCTP;
+ else {
+ ERR(policydb, "Unable to get portcon by protocol: bad protocol %s.", protocol);
+ goto cleanup;
+--
+2.14.3
+
diff --git a/SPECS/setools.spec b/SPECS/setools.spec
index 68d830b..615abc6 100644
--- a/SPECS/setools.spec
+++ b/SPECS/setools.spec
@@ -4,7 +4,7 @@ Name: setools Version: %{setools_maj_ver}.%{setools_min_ver} -Release: 2%{?dist} +Release: 4%{?dist} License: GPLv2 URL: http://oss.tresys.com/projects/setools BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
@@ -28,6 +28,7 @@ Patch9: 0009-Fix-help-message-on-sesearch-D.patch Patch11: 0011-Fix-Wformat-security-issues.patch # Patch12: 0012-Fix-configure.ac-to-use-SWIG-3.0.0.patch Patch13: 0013-libqpol-Skip-types-when-building-type-attribute-map.patch +Patch14: 0014-Add-support-for-DCCP-and-SCTP-protocols.patch Summary: Policy analysis tools for SELinux Group: System Environment/Base
@@ -37,8 +38,8 @@ Requires: setools-libs = %{version}-%{release} setools-libs-tcl = %{version}-%{r %define autoconf_ver 2.59 %define bwidget_ver 1.8 %define gtk_ver 2.8 -%define sepol_ver 2.5-8 -%define selinux_ver 2.5-12 +%define sepol_ver 2.5-10 +%define selinux_ver 2.5-14.1 %define sqlite_ver 3.2.0 %define swig_ver 2.0.7-3 %define tcltk_ver 8.4.9
@@ -166,6 +167,7 @@ This package includes the following graphical tools: %patch11 -p 1 -b .Wformat-security # %patch12 -p 1 -b .version %patch13 -p 1 -b .libqpol +%patch14 -p 1 -b .dccpsctp %ifarch sparc sparcv9 sparc64 s390 s390x for file in `find . -name Makefile.am`; do
@@ -291,6 +293,12 @@ rm -rf ${RPM_BUILD_ROOT} %postun libs-tcl -p /sbin/ldconfig %changelog +* Wed Jul 25 2018 Vit Mojzis - 3.3.8-4 +- Add support for DCCP and SCTP protocols (#1607273, #1601958) + +* Fri May 04 2018 Vit Mojzis - 3.3.8-3 +- Rebuild to incorporate support for extended_socket_class from libsepol (#1573925) + * Thu Oct 19 2017 Vit Mojzis - 3.3.8-2 - libqpol: Do not fail on neverallow rule query
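Review bot: The new `dccp`/`sctp` branches in secmds/seinfo.c print_portcon accept only the lowercase spelling, while apol_str_to_protocol in the same patch also accepts `DCCP`/`SCTP`, so the command-line tool and the library now disagree on which protocol names are valid. print_portcon appears to already hold an apol policy handle (`ERR(policydb, …)`), so the whole strcmp chain could be replaced by `proto = apol_str_to_protocol(protocol);` followed by `if (proto == 0) {` leading into the existing ERR/goto cleanup, which keeps the accepted-name set defined in one place. The `#ifndef IPPROTO_DCCP` / `#ifndef IPPROTO_SCTP` fallback is also repeated verbatim in util.c, portcon_query.h, policy_define.c and policy_parse.y; since portcon_query.h is the public header that documents these protocol values, the other three could presumably take the fallback from it rather than redefining it, if they include it. print_portcon's body begins and continues outside the hunk.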