Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package checkpolicy for openSUSE:Factory checked in at 2025-07-22 12:20:51 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/checkpolicy (Old) and /work/SRC/openSUSE:Factory/.checkpolicy.new.8875 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "checkpolicy" Tue Jul 22 12:20:51 2025 rev:41 rq:1295054 version:3.8.1 Changes: -------- --- /work/SRC/openSUSE:Factory/checkpolicy/checkpolicy.changes 2025-07-20 15:27:51.745066150 +0200 +++ /work/SRC/openSUSE:Factory/.checkpolicy.new.8875/checkpolicy.changes 2025-07-22 12:21:36.047375486 +0200 @@ -2,8 +1,0 @@ -Thu Jul 17 15:40:49 UTC 2025 - Johannes Segitz <jseg...@suse.com> - -- Update to version 3.9 - * Add support for wildcard netifcon names - * Abort on mismatched declarations - * Introduce neveraudit types - -------------------------------------------------------------------- Old: ---- checkpolicy-3.9.tar.gz checkpolicy-3.9.tar.gz.asc New: ---- checkpolicy-3.8.1.tar.gz checkpolicy-3.8.1.tar.gz.asc ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ checkpolicy.spec ++++++ --- /var/tmp/diff_new_pack.GlZyGr/_old 2025-07-22 12:21:36.563396906 +0200 +++ /var/tmp/diff_new_pack.GlZyGr/_new 2025-07-22 12:21:36.567397072 +0200 @@ -16,9 +16,9 @@ # -%define libsepol_ver 3.9 +%define libsepol_ver 3.8.1 Name: checkpolicy -Version: 3.9 +Version: 3.8.1 Release: 0 Summary: SELinux policy compiler License: GPL-2.0-or-later ++++++ checkpolicy-3.9.tar.gz -> checkpolicy-3.8.1.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/checkpolicy-3.9/VERSION new/checkpolicy-3.8.1/VERSION --- old/checkpolicy-3.9/VERSION 2025-07-16 12:55:13.000000000 +0200 +++ new/checkpolicy-3.8.1/VERSION 2025-03-05 19:59:06.000000000 +0100 @@ -1 +1 @@ -3.9 +3.8.1 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/checkpolicy-3.9/checkmodule.8 new/checkpolicy-3.8.1/checkmodule.8 --- old/checkpolicy-3.9/checkmodule.8 2025-07-16 12:55:13.000000000 +0200 +++ new/checkpolicy-3.8.1/checkmodule.8 2025-03-05 19:59:06.000000000 +0100 
@@ -3,7 +3,7 @@ checkmodule \- SELinux policy module compiler .SH SYNOPSIS .B checkmodule -.I "[\-h] [\-b] [\-c policy_version] [\-C] [\-E] [\-m] [\-M] [\-N] [\-L] [\-U handle_unknown] [\-V] [\-o output_file] [input_file]" +.I "[\-h] [\-b] [\-c policy_version] [\-C] [\-E] [\-m] [\-M] [\-N] [\-U handle_unknown] [\-V] [\-o output_file] [input_file]" .SH "DESCRIPTION" This manual page describes the .BR checkmodule @@ -46,11 +46,6 @@ .B \-N,\-\-disable-neverallow Do not check neverallow rules. .TP -.B \-L,\-\-line-marker-for-allow -Output line markers for allow rules, in addition to neverallow rules. This option increases the size -of the output CIL policy file, but the additional line markers helps debugging, especially -neverallow failure reports. Can only be used when writing a CIL policy file. -.TP .B \-V,\-\-version Show policy versions created by this program. .TP diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/checkpolicy-3.9/checkmodule.c new/checkpolicy-3.8.1/checkmodule.c --- old/checkpolicy-3.9/checkmodule.c 2025-07-16 12:55:13.000000000 +0200 +++ new/checkpolicy-3.8.1/checkmodule.c 2025-03-05 19:59:06.000000000 +0100 @@ -119,7 +119,7 @@ static __attribute__((__noreturn__)) void usage(const char *progname) { - printf("usage: %s [-h] [-V] [-b] [-C] [-E] [-U handle_unknown] [-m] [-M] [-N] [-L] [-o FILE] [-c VERSION] [INPUT]\n", progname); + printf("usage: %s [-h] [-V] [-b] [-C] [-E] [-U handle_unknown] [-m] [-M] [-N] [-o FILE] [-c VERSION] [INPUT]\n", progname); printf("Build base and policy modules.\n"); printf("Options:\n"); printf(" INPUT build module from INPUT (else read from \"%s\")\n", 
@@ -136,7 +136,6 @@ printf(" -m build a policy module instead of a base module\n"); printf(" -M enable MLS policy\n"); printf(" -N do not check neverallow rules\n"); - printf(" -L output line markers for allow rules\n"); printf(" -o FILE write module to FILE (else just check syntax)\n"); printf(" -c VERSION build a policy module targeting a modular policy version (%d-%d)\n", MOD_POLICYDB_VERSION_MIN, MOD_POLICYDB_VERSION_MAX); @@ -147,7 +146,6 @@ { const char *file = txtfile, *outfile = NULL; unsigned int binary = 0, cil = 0, disable_neverallow = 0; - unsigned int line_marker_for_allow = 0; unsigned int policy_type = POLICY_BASE; unsigned int policyvers = MOD_POLICYDB_VERSION_MAX; int ch; @@ -161,13 +159,12 @@ {"handle-unknown", required_argument, NULL, 'U'}, {"mls", no_argument, NULL, 'M'}, {"disable-neverallow", no_argument, NULL, 'N'}, - {"line-marker-for-allow", no_argument, NULL, 'L'}, {"cil", no_argument, NULL, 'C'}, {"werror", no_argument, NULL, 'E'}, {NULL, 0, NULL, 0} }; - while ((ch = getopt_long(argc, argv, "ho:bVEU:mMNCc:L", long_options, NULL)) != -1) { + while ((ch = getopt_long(argc, argv, "ho:bVEU:mMNCc:", long_options, NULL)) != -1) { switch (ch) { case 'h': usage(argv[0]); @@ -234,9 +231,6 @@ policyvers = n; break; } - case 'L': - line_marker_for_allow = 1; - break; default: usage(argv[0]); } @@ -258,11 +252,6 @@ exit(1); } - if (line_marker_for_allow && !cil) { - fprintf(stderr, "%s: -L must be used along with -C.\n", argv[0]); - exit(1); - } - if (optind != argc) { file = argv[optind++]; if (optind != argc) 
@@ -358,9 +347,6 @@ exit(1); } } else { - if (line_marker_for_allow) { - modpolicydb.line_marker_avrules |= AVRULE_ALLOWED | AVRULE_XPERMS_ALLOWED; - } if (sepol_module_policydb_to_cil(outfp, &modpolicydb, 0) != 0) { fprintf(stderr, "%s: error writing %s\n", argv[0], outfile); exit(1); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/checkpolicy-3.9/checkpolicy.8 new/checkpolicy-3.8.1/checkpolicy.8 --- old/checkpolicy-3.9/checkpolicy.8 2025-07-16 12:55:13.000000000 +0200 +++ new/checkpolicy-3.8.1/checkpolicy.8 2025-03-05 19:59:06.000000000 +0100 @@ -3,7 +3,7 @@ checkpolicy \- SELinux policy compiler .SH SYNOPSIS .B checkpolicy -.I "[\-b[F]] [\-C] [\-d] [\-U handle_unknown (allow,deny,reject)] [\-M] [\-N] [\-L] [\-c policyvers] [\-o output_file|\-] [\-S] [\-t target_platform (selinux,xen)] [\-O] [\-E] [\-V] [input_file]" +.I "[\-b[F]] [\-C] [\-d] [\-U handle_unknown (allow,deny,reject)] [\-M] [\-N] [\-c policyvers] [\-o output_file|\-] [\-S] [\-t target_platform (selinux,xen)] [\-O] [\-E] [\-V] [input_file]" .br .SH "DESCRIPTION" This manual page describes the @@ -41,11 +41,6 @@ .B \-N,\-\-disable-neverallow Do not check neverallow rules. .TP -.B \-L,\-\-line-marker-for-allow -Output line markers for allow rules, in addition to neverallow rules. This option increases the size -of the output CIL policy file, but the additional line markers helps debugging, especially -neverallow failure reports. Can only be used when writing a CIL policy file. -.TP .B \-c policyvers Specify the policy version, defaults to the latest. .TP diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/checkpolicy-3.9/checkpolicy.c new/checkpolicy-3.8.1/checkpolicy.c --- old/checkpolicy-3.9/checkpolicy.c 2025-07-16 12:55:13.000000000 +0200 +++ new/checkpolicy-3.8.1/checkpolicy.c 2025-03-05 19:59:06.000000000 +0100 
@@ -107,7 +107,7 @@ printf ("usage: %s [-b[F]] [-C] [-d] [-U handle_unknown (allow,deny,reject)] [-M] " "[-N] [-c policyvers (%d-%d)] [-o output_file|-] [-S] [-O] " - "[-t target_platform (selinux,xen)] [-E] [-V] [-L] [input_file]\n", + "[-t target_platform (selinux,xen)] [-E] [-V] [input_file]\n", progname, POLICYDB_VERSION_MIN, POLICYDB_VERSION_MAX); exit(1); } @@ -390,7 +390,6 @@ unsigned int i; unsigned int protocol, port; unsigned int binary = 0, debug = 0, sort = 0, cil = 0, conf = 0, optimize = 0, disable_neverallow = 0; - unsigned int line_marker_for_allow = 0; struct val_to_name v; int ret, ch, fd, target = SEPOL_TARGET_SELINUX; unsigned int policyvers = 0; @@ -419,12 +418,11 @@ {"sort", no_argument, NULL, 'S'}, {"optimize", no_argument, NULL, 'O'}, {"werror", no_argument, NULL, 'E'}, - {"line-marker-for-allow", no_argument, NULL, 'L'}, {"help", no_argument, NULL, 'h'}, {NULL, 0, NULL, 0} }; - while ((ch = getopt_long(argc, argv, "o:t:dbU:MNCFSVc:OELh", long_options, NULL)) != -1) { + while ((ch = getopt_long(argc, argv, "o:t:dbU:MNCFSVc:OEh", long_options, NULL)) != -1) { switch (ch) { case 'o': outfile = optarg; @@ -508,9 +506,6 @@ case 'E': werror = 1; break; - case 'L': - line_marker_for_allow = 1; - break; case 'h': default: usage(argv[0]); @@ -540,11 +535,6 @@ exit(1); } - if (line_marker_for_allow && !cil) { - fprintf(stderr, "Must convert to CIL for line markers to be printed\n"); - exit(1); - } - if (binary) { fd = open(file, O_RDONLY); if (fd < 0) { 
@@ -700,9 +690,6 @@ exit(1); } } else { - if (line_marker_for_allow) { - policydbp->line_marker_avrules |= AVRULE_ALLOWED | AVRULE_XPERMS_ALLOWED; - } if (binary) { ret = sepol_kernel_policydb_to_cil(outfp, policydbp); } else { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/checkpolicy-3.9/module_compiler.c new/checkpolicy-3.8.1/module_compiler.c --- old/checkpolicy-3.9/module_compiler.c 2025-07-16 12:55:13.000000000 +0200 +++ new/checkpolicy-3.8.1/module_compiler.c 2025-03-05 19:59:06.000000000 +0100 @@ -291,7 +291,6 @@ if (*role && (isattr != (*role)->flavor)) { yyerror2("Identifier %s used as both an attribute and a role", id); - *role = NULL; free(id); role_datum_destroy(datum); free(datum); @@ -429,7 +428,6 @@ if (*type && (isattr != (*type)->flavor)) { yyerror2("Identifier %s used as both an attribute and a type", id); - *type = NULL; free(id); return -1; } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/checkpolicy-3.9/policy_define.c new/checkpolicy-3.8.1/policy_define.c --- old/checkpolicy-3.9/policy_define.c 2025-07-16 12:55:13.000000000 +0200 +++ new/checkpolicy-3.8.1/policy_define.c 2025-03-05 19:59:06.000000000 +0100 
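Review bot: In both module_compiler.c hunks the flavor-mismatch branch (`isattr != (*role)->flavor`, and the same test on `*type`) now reports the error while the out-parameter still points at the existing datum of the other flavor, because `*role = NULL;` and `*type = NULL;` are gone on the new side. Whether any caller reads the pointer rather than the return value cannot be seen here, since both functions start and end outside the hunks. An error path that leaves a usable-looking pointer behind is easy to misuse in a policy compiler, so I would keep `*role = NULL;` ahead of `free(id);` in the role branch and `*type = NULL;` ahead of `free(id);` in the type branch.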
@@ -257,49 +257,6 @@ return rc; } -int define_neveraudit(void) -{ - char *type = NULL; - struct type_datum *t; - int rc = 0; - - type = queue_remove(id_queue); - - if (!type) { - yyerror2("forgot to include type in neveraudit definition?"); - rc = -1; - goto out; - } - - if (pass == 1) - goto out; - - if (!is_id_in_scope(SYM_TYPES, type)) { - yyerror2("type %s is not within scope", type); - rc = -1; - goto out; - } - - t = hashtab_search(policydbp->p_types.table, type); - if (!t) { - yyerror2("type is not defined: %s", type); - rc = -1; - goto out; - } - - if (t->flavor == TYPE_ATTRIB) { - yyerror2("attributes may not be neveraudit: %s", type); - rc = -1; - goto out; - } - - t->flags |= TYPE_FLAGS_NEVERAUDIT; - -out: - free(type); - return rc; -} - int define_polcap(void) { char *id = 0; @@ -1653,8 +1610,7 @@ /* Adds a type, given by its textual name, to a typeset. If *add is 0, then add the type to the negative set; otherwise if *add is 1 - then add it to the positive side. - The identifier `id` is always consumed. */ + then add it to the positive side. */ static int set_types(type_set_t * set, char *id, int *add, char starallowed) { type_datum_t *t; @@ -1743,8 +1699,6 @@ return -1; } - ebitmap_init(&tclasses); - while ((id = queue_remove(id_queue))) { if (set_types(&avrule->stypes, id, &add, 0)) goto bad; @@ -1764,6 +1718,7 @@ goto bad; } + ebitmap_init(&tclasses); if (read_classes(&tclasses)) goto bad; @@ -1804,7 +1759,6 @@ return 0; bad: - ebitmap_destroy(&tclasses); avrule_destroy(avrule); free(avrule); return -1; 
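Review bot: The `bad:` label in the @@ -1804 hunk no longer calls `ebitmap_destroy(&tclasses)`, so the `goto bad` taken when `read_classes(&tclasses)` fails in the @@ -1764 hunk drops whatever that call had already stored in the bitmap (read_classes itself is not on this page, so this is inferred). Restoring the destroy alone would not be safe, because the `set_types` failures in the @@ -1743 hunk jump to `bad:` before `ebitmap_init(&tclasses);` has run on the new side. The two belong together: `ebitmap_init(&tclasses);` ahead of the first `goto bad`, and `ebitmap_destroy(&tclasses);` as the first statement under `bad:`. The enclosing function starts and ends outside these hunks.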
@@ -2163,17 +2117,18 @@ { char *id; class_perm_node_t *perms, *tail = NULL, *cur_perms = NULL; - const class_datum_t *cladatum; - const perm_datum_t *perdatum; + class_datum_t *cladatum; + perm_datum_t *perdatum = NULL; ebitmap_t tclasses; ebitmap_node_t *node; avrule_t *avrule; unsigned int i; - int add = 1, ret; + int add = 1, ret = 0; avrule = (avrule_t *) malloc(sizeof(avrule_t)); if (!avrule) { yyerror("out of memory"); + ret = -1; goto out; } avrule_init(avrule); @@ -2184,13 +2139,14 @@ avrule->xperms = NULL; if (!avrule->source_filename) { yyerror("out of memory"); - goto out; + return -1; } while ((id = queue_remove(id_queue))) { if (set_types (&avrule->stypes, id, &add, which == AVRULE_XPERMS_NEVERALLOW ? 1 : 0)) { + ret = -1; goto out; } } @@ -2200,11 +2156,13 @@ free(id); if (add == 0 && which != AVRULE_XPERMS_NEVERALLOW) { yyerror("-self is only supported in neverallow and neverallowxperm rules"); + ret = -1; goto out; } avrule->flags |= (add ? RULE_SELF : RULE_NOTSELF); if ((avrule->flags & RULE_SELF) && (avrule->flags & RULE_NOTSELF)) { yyerror("self and -self are mutual exclusive"); + ret = -1; goto out; } continue; @@ -2212,6 +2170,7 @@ if (set_types (&avrule->ttypes, id, &add, which == AVRULE_XPERMS_NEVERALLOW ? 1 : 0)) { + ret = -1; goto out; } } @@ -2219,6 +2178,7 @@ if ((avrule->ttypes.flags & TYPE_COMP)) { if (avrule->flags & RULE_NOTSELF) { yyerror("-self is not supported in complements"); + ret = -1; goto out; } if (avrule->flags & RULE_SELF) { @@ -2230,7 +2190,7 @@ ebitmap_init(&tclasses); ret = read_classes(&tclasses); if (ret) - goto out2; + goto out; perms = NULL; id = queue_head(id_queue); @@ -2239,7 +2199,8 @@ (class_perm_node_t *) malloc(sizeof(class_perm_node_t)); if (!cur_perms) { yyerror("out of memory"); - goto out2; + ret = -1; + goto out; } class_perm_node_init(cur_perms); cur_perms->tclass = i + 1; 
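Review bot: Every failure branch in these hunks now sets `ret = -1` and jumps to `out:`, which in the @@ -2277 hunk is only `return ret;`, so the `avrule` allocated at the top, together with anything `set_types` stored in `avrule->stypes` and `avrule->ttypes`, is never released. The `return -1;` after the `source_filename` check loses it the same way, and the failures after `ebitmap_init(&tclasses);` also skip the bitmap's destroy. Cleanup on the failure side of the label would close this: `if (ret) { avrule_destroy(avrule); free(avrule); }` ahead of `return ret;`, with the `source_filename` branch changed to `ret = -1; goto out;` and `ebitmap_destroy(&tclasses);` added for the branches that run after the init. The first `malloc` failure reaches `out:` with `avrule == NULL`, so that branch should return directly unless `avrule_destroy` is confirmed to accept NULL.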
@@ -2277,14 +2238,9 @@ avrule->perms = perms; *rule = avrule; - return 0; -out2: - ebitmap_destroy(&tclasses); out: - avrule_destroy(avrule); - free(avrule); - return -1; + return ret; } /* index of the u32 containing the permission */ @@ -3226,10 +3182,10 @@ int define_role_trans(int class_specified) { char *id; - const role_datum_t *role; + role_datum_t *role; role_set_t roles; type_set_t types; - const class_datum_t *cladatum; + class_datum_t *cladatum; ebitmap_t e_types, e_roles, e_classes; ebitmap_node_t *tnode, *rnode, *cnode; struct role_trans *tr = NULL; @@ -3258,29 +3214,29 @@ while ((id = queue_remove(id_queue))) { if (set_roles(&roles, id)) - goto bad; + return -1; } add = 1; while ((id = queue_remove(id_queue))) { if (set_types(&types, id, &add, 0)) - goto bad; + return -1; } if (class_specified) { if (read_classes(&e_classes)) - goto bad; + return -1; } else { cladatum = hashtab_search(policydbp->p_classes.table, "process"); if (!cladatum) { yyerror2("could not find process class for " "legacy role_transition statement"); - goto bad; + return -1; } if (ebitmap_set_bit(&e_classes, cladatum->s.value - 1, TRUE)) { yyerror("out of memory"); - goto bad; + return -1; } } @@ -3336,7 +3292,7 @@ tr = malloc(sizeof(struct role_trans)); if (!tr) { yyerror("out of memory"); - goto bad; + return -1; } memset(tr, 0, sizeof(struct role_trans)); tr->role = i + 1; @@ -3352,7 +3308,7 @@ rule = malloc(sizeof(struct role_trans_rule)); if (!rule) { yyerror("out of memory"); - goto bad; + return -1; } memset(rule, 0, sizeof(struct role_trans_rule)); rule->roles = roles; @@ -3368,11 +3324,6 @@ return 0; bad: - role_set_destroy(&roles); - type_set_destroy(&types); - ebitmap_destroy(&e_roles); - ebitmap_destroy(&e_types); - ebitmap_destroy(&e_classes); return -1; } @@ -4251,7 +4202,6 @@ if (!e1 || e1->next) { yyerror ("illegal right side of conditional binary op expression"); - cond_expr_destroy(arg1); free(expr); return NULL; } 
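Review bot: define_role_trans now leaves through a bare `return -1;` on every failure in the @@ -3258, @@ -3336 and @@ -3352 hunks, and the `bad:` label in @@ -3368 has lost its `role_set_destroy`, `type_set_destroy` and `ebitmap_destroy` calls, so `roles`, `types`, `e_roles`, `e_types` and `e_classes` are dropped with whatever had been added to them. I would route those failures through `goto bad;` and keep the five destroy calls under the label. The @@ -4251 hunk has the same shape: the "illegal right side" branch frees `expr` but no longer calls `cond_expr_destroy(arg1);`. Who owns `arg1` at that point is outside the hunk, so that one needs confirming before the call is restored.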
@@ -6010,7 +5960,6 @@ char *type = NULL; const char *sclass; size_t len, len2; - int wildcard = ebitmap_get_bit(&policydbp->policycaps, POLICYDB_CAP_GENFS_SECLABEL_WILDCARD); if (policydbp->target_platform != SEPOL_TARGET_SELINUX) { yyerror("genfs not supported for target"); @@ -6061,19 +6010,6 @@ newc->u.name = (char *)queue_remove(id_queue); if (!newc->u.name) goto fail; - - if (wildcard) { - size_t name_len = strlen(newc->u.name); - newc->u.name = realloc(newc->u.name, name_len + 2); - if (newc->u.name == NULL) { - yyerror("out of memory"); - return -1; - } - - newc->u.name[name_len] = '*'; - newc->u.name[name_len + 1] = '\0'; - } - if (has_type) { type = (char *)queue_remove(id_queue); if (!type) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/checkpolicy-3.9/policy_define.h new/checkpolicy-3.8.1/policy_define.h --- old/checkpolicy-3.9/policy_define.h 2025-07-16 12:55:13.000000000 +0200 +++ new/checkpolicy-3.8.1/policy_define.h 2025-03-05 19:59:06.000000000 +0100 @@ -45,7 +45,6 @@ int define_level(void); int define_netif_context(void); int define_permissive(void); -int define_neveraudit(void); int define_polcap(void); int define_ibpkey_context(unsigned int low, unsigned int high); int define_ibendport_context(unsigned int port); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/checkpolicy-3.9/policy_parse.y new/checkpolicy-3.8.1/policy_parse.y --- old/checkpolicy-3.9/policy_parse.y 2025-07-16 12:55:13.000000000 +0200 +++ new/checkpolicy-3.8.1/policy_parse.y 2025-03-05 19:59:06.000000000 +0100 @@ -152,9 +152,7 @@ %token MODULE VERSION_IDENTIFIER REQUIRE OPTIONAL %token POLICYCAP %token PERMISSIVE -%token NEVERAUDIT %token FILESYSTEM -%token NETIFNAME %token DEFAULT_USER DEFAULT_ROLE DEFAULT_TYPE DEFAULT_RANGE %token LOW_HIGH LOW HIGH GLBLUB %token INVALID_CHAR 
@@ -332,7 +330,6 @@ | range_trans_def | te_avtab_def | permissive_def - | neveraudit_def ; attribute_def : ATTRIBUTE identifier ';' { if (define_attrib()) YYABORT;} @@ -751,7 +748,7 @@ netif_contexts : netif_context_def | netif_contexts netif_context_def ; -netif_context_def : NETIFCON netifname security_context_def security_context_def +netif_context_def : NETIFCON identifier security_context_def security_context_def {if (define_netif_context()) YYABORT;} ; opt_node_contexts : node_contexts @@ -904,13 +901,6 @@ filename : FILENAME { yytext[strlen(yytext) - 1] = '\0'; if (insert_id(yytext + 1,0)) YYABORT; } ; -netifname : NETIFNAME - { if (insert_id(yytext,0)) YYABORT; } - | IDENTIFIER - { if (insert_id(yytext,0)) YYABORT; } - | FILESYSTEM - { if (insert_id(yytext,0)) YYABORT; } - ; number : NUMBER { unsigned long x; errno = 0; @@ -944,8 +934,6 @@ ; permissive_def : PERMISSIVE identifier ';' {if (define_permissive()) YYABORT;} -neveraudit_def : NEVERAUDIT identifier ';' - {if (define_neveraudit()) YYABORT;} /*********** module grammar below ***********/ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/checkpolicy-3.9/policy_scan.l new/checkpolicy-3.8.1/policy_scan.l --- old/checkpolicy-3.9/policy_scan.l 2025-07-16 12:55:13.000000000 +0200 +++ new/checkpolicy-3.8.1/policy_scan.l 2025-03-05 19:59:06.000000000 +0100 @@ -57,7 +57,6 @@ #endif void set_source_file(const char *name); -static void set_source_line_and_file(const char *line); char source_file[PATH_MAX]; unsigned long source_lineno = 1; @@ -271,8 +270,6 @@ POLICYCAP { return(POLICYCAP); } permissive | PERMISSIVE { return(PERMISSIVE); } -neveraudit | -NEVERAUDIT { return(NEVERAUDIT); } default_user | DEFAULT_USER { return(DEFAULT_USER); } default_role | 
@@ -300,8 +297,7 @@ {hexval}{0,4}":"{hexval}{0,4}":"({hexval}|[:.])* { return(IPV6_ADDR); } {hexval}{0,4}":"{hexval}{0,4}":"({hexval}|[:.])*"/"{digit}{1,3} { return(IPV6_CIDR); } {digit}+(\.({alnum}|[_.])*)? { return(VERSION_IDENTIFIER); } -({alnum}({alnum}|[\*\?_]){0,15}|[\*\?]({alnum}|[\*\?_]){1,15}) { return(NETIFNAME); } -#line[ ]{digit}+[ ]\"[^\n]*\" { set_source_line_and_file(yytext+6); } +#line[ ]1[ ]\"[^\n]*\" { set_source_file(yytext+9); } #line[ ]{digit}+ { errno = 0; source_lineno = strtoul(yytext+6, NULL, 10) - 1; @@ -399,21 +395,3 @@ if (strlen(source_file) && source_file[strlen(source_file)-1] == '"') source_file[strlen(source_file)-1] = '\0'; } - -void set_source_line_and_file(const char *line) -{ - char *name; - unsigned long lineno; - errno = 0; - lineno = strtoul(line, &name, 10) - 1; - if (errno) { - yywarn("source line number too big"); - } - set_source_file(name + 2 /* skip a space and a quote */ ); - - /* - * set_source_file sets source_lineno to 1. - * Assign source_lineno after calling set_source_file. - */ - source_lineno = lineno; -} diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/checkpolicy-3.9/tests/policy_allonce.conf new/checkpolicy-3.8.1/tests/policy_allonce.conf --- old/checkpolicy-3.9/tests/policy_allonce.conf 2025-07-16 12:55:13.000000000 +0200 +++ new/checkpolicy-3.8.1/tests/policy_allonce.conf 2025-03-05 19:59:06.000000000 +0100 @@ -45,7 +45,6 @@ dontauditxperm TYPE1 TYPE2 : CLASS1 ioctl 0x3; neverallowxperm TYPE1 TYPE2 : CLASS1 ioctl 0x4; permissive TYPE1; -neveraudit TYPE1; attribute_role ROLE_ATTR1; role ROLE1; role ROLE3; 
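Review bot: The rule `#line[ ]1[ ]\"[^\n]*\"` recognises a file marker only when its line number is literally 1, and `yytext+9` silently depends on that prefix being exactly nine characters long. For a marker such as `#line 12 "file"` (constructed example) only the following `#line[ ]{digit}+` rule can match, and only the numeric part. What the scanner then does with the quoted remainder is outside the hunk, so the effect on reported file names needs checking. A comment on the rule would at least make the coupling explicit, e.g. `/* yytext+9 skips '#line 1 "'; markers carrying any other line number are not handled by this rule */`.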
@@ -75,11 +74,7 @@ genfscon proc "/path/to/file" USER1:ROLE1:TYPE1 portcon tcp 80 USER1:ROLE1:TYPE1 portcon udp 100-200 USER1:ROLE1:TYPE1 -netifcon net? USER1:ROLE1:TYPE1 USER1:ROLE1:TYPE1 -netifcon net* USER1:ROLE1:TYPE1 USER1:ROLE1:TYPE1 -netifcon netx* USER1:ROLE1:TYPE1 USER1:ROLE1:TYPE1 -netifcon net USER1:ROLE1:TYPE1 USER1:ROLE1:TYPE1 -netifcon 1o USER1:ROLE1:TYPE1 USER1:ROLE1:TYPE1 +netifcon lo USER1:ROLE1:TYPE1 USER1:ROLE1:TYPE1 nodecon 127.0.0.1 255.255.255.255 USER1:ROLE1:TYPE1 nodecon 192.168.42.0 255.255.0.0 USER1:ROLE1:TYPE1 nodecon 127.0.0.1/24 USER1:ROLE1:TYPE1 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/checkpolicy-3.9/tests/policy_allonce.expected.conf new/checkpolicy-3.8.1/tests/policy_allonce.expected.conf --- old/checkpolicy-3.9/tests/policy_allonce.expected.conf 2025-07-16 12:55:13.000000000 +0200 +++ new/checkpolicy-3.8.1/tests/policy_allonce.expected.conf 2025-03-05 19:59:06.000000000 +0100 @@ -31,7 +31,6 @@ typebounds TYPE4 TYPE3; typeattribute TYPE4 ATTR2; permissive TYPE1; -neveraudit TYPE1; allow TYPE1 self:CLASS1 { PERM1 }; allow TYPE1 self:CLASS2 { CPERM1 }; auditallow TYPE1 TYPE3:CLASS1 { PERM1 }; 
@@ -80,11 +79,7 @@ genfscon proc "/path/to/file" USER1:ROLE1:TYPE1 portcon tcp 80 USER1:ROLE1:TYPE1 portcon udp 100-200 USER1:ROLE1:TYPE1 -netifcon 1o USER1:ROLE1:TYPE1 USER1:ROLE1:TYPE1 -netifcon net USER1:ROLE1:TYPE1 USER1:ROLE1:TYPE1 -netifcon netx* USER1:ROLE1:TYPE1 USER1:ROLE1:TYPE1 -netifcon net? USER1:ROLE1:TYPE1 USER1:ROLE1:TYPE1 -netifcon net* USER1:ROLE1:TYPE1 USER1:ROLE1:TYPE1 +netifcon lo USER1:ROLE1:TYPE1 USER1:ROLE1:TYPE1 nodecon 127.0.0.1 255.255.255.255 USER1:ROLE1:TYPE1 nodecon 127.0.0.0 255.255.255.0 USER1:ROLE1:TYPE1 nodecon 192.168.0.0 255.255.0.0 USER1:ROLE1:TYPE1 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/checkpolicy-3.9/tests/policy_allonce.expected_opt.conf new/checkpolicy-3.8.1/tests/policy_allonce.expected_opt.conf --- old/checkpolicy-3.9/tests/policy_allonce.expected_opt.conf 2025-07-16 12:55:13.000000000 +0200 +++ new/checkpolicy-3.8.1/tests/policy_allonce.expected_opt.conf 2025-03-05 19:59:06.000000000 +0100 @@ -31,7 +31,6 @@ typebounds TYPE4 TYPE3; typeattribute TYPE4 ATTR2; permissive TYPE1; -neveraudit TYPE1; allow TYPE1 self:CLASS1 { PERM1 }; allow TYPE1 self:CLASS2 { CPERM1 }; auditallow TYPE1 TYPE3:CLASS1 { PERM1 }; 
@@ -80,11 +79,7 @@ genfscon proc "/path/to/file" USER1:ROLE1:TYPE1 portcon tcp 80 USER1:ROLE1:TYPE1 portcon udp 100-200 USER1:ROLE1:TYPE1 -netifcon 1o USER1:ROLE1:TYPE1 USER1:ROLE1:TYPE1 -netifcon net USER1:ROLE1:TYPE1 USER1:ROLE1:TYPE1 -netifcon netx* USER1:ROLE1:TYPE1 USER1:ROLE1:TYPE1 -netifcon net? USER1:ROLE1:TYPE1 USER1:ROLE1:TYPE1 -netifcon net* USER1:ROLE1:TYPE1 USER1:ROLE1:TYPE1 +netifcon lo USER1:ROLE1:TYPE1 USER1:ROLE1:TYPE1 nodecon 127.0.0.1 255.255.255.255 USER1:ROLE1:TYPE1 nodecon 127.0.0.0 255.255.255.0 USER1:ROLE1:TYPE1 nodecon 192.168.0.0 255.255.0.0 USER1:ROLE1:TYPE1 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/checkpolicy-3.9/tests/policy_allonce_mls.conf new/checkpolicy-3.8.1/tests/policy_allonce_mls.conf --- old/checkpolicy-3.9/tests/policy_allonce_mls.conf 2025-07-16 12:55:13.000000000 +0200 +++ new/checkpolicy-3.8.1/tests/policy_allonce_mls.conf 2025-03-05 19:59:06.000000000 +0100 @@ -53,7 +53,6 @@ dontauditxperm TYPE1 TYPE2 : CLASS1 ioctl 0x3; neverallowxperm TYPE1 TYPE2 : CLASS1 ioctl 0x4; permissive TYPE1; -neveraudit TYPE1; attribute_role ROLE_ATTR1; role ROLE1; role ROLE3; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/checkpolicy-3.9/tests/policy_allonce_mls.expected.conf new/checkpolicy-3.8.1/tests/policy_allonce_mls.expected.conf --- old/checkpolicy-3.9/tests/policy_allonce_mls.expected.conf 2025-07-16 12:55:13.000000000 +0200 +++ new/checkpolicy-3.8.1/tests/policy_allonce_mls.expected.conf 2025-03-05 19:59:06.000000000 +0100 
@@ -39,7 +39,6 @@ typebounds TYPE4 TYPE3; typeattribute TYPE4 ATTR2; permissive TYPE1; -neveraudit TYPE1; allow TYPE1 self:CLASS1 { PERM1 }; allow TYPE1 self:CLASS2 { CPERM1 }; auditallow TYPE1 TYPE3:CLASS1 { PERM1 }; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/checkpolicy-3.9/tests/policy_allonce_mls.expected_opt.conf new/checkpolicy-3.8.1/tests/policy_allonce_mls.expected_opt.conf --- old/checkpolicy-3.9/tests/policy_allonce_mls.expected_opt.conf 2025-07-16 12:55:13.000000000 +0200 +++ new/checkpolicy-3.8.1/tests/policy_allonce_mls.expected_opt.conf 2025-03-05 19:59:06.000000000 +0100 @@ -39,7 +39,6 @@ typebounds TYPE4 TYPE3; typeattribute TYPE4 ATTR2; permissive TYPE1; -neveraudit TYPE1; allow TYPE1 self:CLASS1 { PERM1 }; allow TYPE1 self:CLASS2 { CPERM1 }; auditallow TYPE1 TYPE3:CLASS1 { PERM1 };