diff -Naurp --exclude-from excludes old/libsemanage/src/policy_components.c new/libsemanage/src/policy_components.c
--- old/libsemanage/src/policy_components.c 2006-02-16 02:04:52.000000000 -0500
+++ new/libsemanage/src/policy_components.c 2006-02-16 01:06:13.000000000 -0500
@@ -7,25 +7,25 @@
 #include "modules.h"
 #include "debug.h"
+/* Powers of two only */
 #define MODE_SET 1
 #define MODE_MODIFY 2
+#define MODE_SORT 4
 static int clear_obsolete(
 semanage_handle_t* handle,
+ record_t** records,
+ unsigned int nrecords,
 dbase_config_t* src,
 dbase_config_t* dst) {
 record_key_t* key = NULL;
- record_t** records = NULL;
- unsigned int i, nrecords = 0;
+ unsigned int i;
 dbase_table_t* src_dtable = src->dtable;
 dbase_table_t* dst_dtable = dst->dtable;
 record_table_t* rtable = src_dtable->get_rtable(src->dbase);
- if (src_dtable->list(handle, src->dbase, &records, &nrecords) < 0)
- goto err;
-
 for (i = 0; i < nrecords; i++) {
 int exists;
@@ -39,6 +39,9 @@ static int clear_obsolete(
 if (src_dtable->del(handle, src->dbase, key) < 0)
 goto err;
+ rtable->free(records[i]);
+ records[i] = NULL;
+
 /* FIXME: notice to user */
 /* INFO(handle, "boolean %s is obsolete, unsetting configured value..."); */
 }
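Review bot: clear_obsolete now frees `records[i]` and NULLs the slot in the caller's array once the record has been deleted from `src`, which is an ownership contract the new signature in the first hunk does not state anywhere. A comment above `static int clear_obsolete(` such as `/* records: caller-owned array. Entries deleted from src are freed here and set to NULL; the caller must skip NULL entries and free the rest. */` would make it explicit. Any caller that walks `records` afterwards has to tolerate NULL entries; load_records does, but the contract should be visible at the function rather than inferred from one caller. The middle of the loop body, where `key` is extracted and `exists` is computed, lies between the two hunks and is not visible here.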
@@ -46,70 +49,60 @@ static int clear_obsolete(
 rtable->key_free(key);
 }
- for (i=0; i < nrecords; i++)
- rtable->free(records[i]);
- free(records);
 return STATUS_SUCCESS;
 err:
 /* FIXME: handle error */
- for (i=0; i < nrecords; i++)
- rtable->free(records[i]);
- free(records);
 rtable->key_free(key);
 return STATUS_ERR;
 }
-typedef struct load_handler_arg {
- semanage_handle_t* handle;
- dbase_config_t* dconfig;
- int mode;
-} load_handler_arg_t;
-
-static int load_handler(
- const record_t* record,
- void* varg) {
+static int load_records(
+ semanage_handle_t* handle,
+ dbase_config_t* dst,
+ record_t** records,
+ unsigned int nrecords,
+ int mode) {
+ unsigned int i;
 record_key_t* rkey = NULL;
- load_handler_arg_t* arg =
- (load_handler_arg_t*) varg;
- semanage_handle_t* handle = arg->handle;
- dbase_t* dbase = arg->dconfig->dbase;
- dbase_table_t* dtable = arg->dconfig->dtable;
+ dbase_t* dbase = dst->dbase;
+ dbase_table_t* dtable = dst->dtable;
 record_table_t* rtable = dtable->get_rtable(dbase);
- if (rtable->key_extract(handle, record, &rkey) < 0)
- goto err;
+ for (i = 0; i < nrecords; i++) {
+
+ /* Possibly obsoleted */
+ if (!records[i])
+ continue;
- switch (arg->mode) {
-
- case MODE_SET:
- if (dtable->set(handle, dbase, rkey, record) < 0)
- goto err;
- break;
+ if (rtable->key_extract(handle, records[i], &rkey) < 0)
+ goto err;
+
+ if (mode & MODE_SET &&
+ dtable->set(handle, dbase, rkey, records[i]) < 0)
+ goto err;
- default:
- case MODE_MODIFY:
- if (dtable->modify(handle, dbase, rkey, record) < 0)
- goto err;
- break;
+ else if (mode & MODE_MODIFY &&
+ dtable->modify(handle, dbase, rkey, records[i]) < 0)
+ goto err;
+ rtable->key_free(rkey);
 }
- rtable->key_free(rkey);
- return 0;
+ return STATUS_SUCCESS;
 err:
 /* FIXME: handle error */
 rtable->key_free(rkey);
- return -1;
+ return STATUS_ERR;
 }
 typedef struct load_table {
- dbase_config_t* from;
- dbase_config_t* to;
+ dbase_config_t* src;
+ dbase_config_t* dst;
 int mode;
 } load_table_t;
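Review bot: In load_records, `rkey` is freed at the end of every iteration but never reset, so if a later `rtable->key_extract` call fails without assigning `*rkey`, the `err:` path calls `rtable->key_free(rkey)` on a key that was already freed in the previous iteration; I cannot see key_extract's failure contract from this diff, so this depends on it. Resetting after the free, `rtable->key_free(rkey); rkey = NULL;`, removes the dependency on that contract entirely. Separately, the `if (mode & MODE_SET && ...) goto err;` followed by a blank line and then `else if (mode & MODE_MODIFY && ...)` reads as two statements at first glance; dropping the blank line or bracing both branches would make the single if/else chain obvious. Note also that when MODE_SET and MODE_MODIFY are both set the else branch is skipped and no `modify` happens, which is fine if the flags are meant to be exclusive, but the `/* Powers of two only */` comment in the first hunk does not say that.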
@@ -120,7 +113,8 @@ typedef struct load_table {
 int semanage_base_merge_components(
 semanage_handle_t* handle) {
- int i;
+ unsigned int i,j;
+ int rc = STATUS_SUCCESS;
 /* Order is important here - change things carefully.
 * System components first, local next. Verify runs with
@@ -149,39 +143,60 @@ int semanage_base_merge_components(
 semanage_seuser_dbase_policy(handle), MODE_MODIFY },
 { semanage_node_dbase_local(handle),
- semanage_node_dbase_policy(handle), MODE_MODIFY },
+ semanage_node_dbase_policy(handle), MODE_MODIFY | MODE_SORT },
 };
- const int CCOUNT = sizeof(components)/sizeof(components[0]);
-
- load_handler_arg_t load_arg;
- load_arg.handle = handle;
+ const unsigned int CCOUNT = sizeof(components)/sizeof(components[0]);
 /* Merge components into policy (and validate) */
 for (i = 0; i < CCOUNT; i++) {
- dbase_config_t* from = components[i].from;
- dbase_config_t* to = components[i].to;
- load_arg.dconfig = to;
- load_arg.mode = components[i].mode;
+
+ record_t** records = NULL;
+ unsigned int nrecords = 0;
+
+ dbase_config_t* src = components[i].src;
+ dbase_config_t* dst = components[i].dst;
+ int mode = components[i].mode;
+ record_table_t* rtable = src->dtable->get_rtable(src->dbase);
 /* Must invoke cache function first */
- if (from->dtable->cache(handle, from->dbase) < 0)
+ if (src->dtable->cache(handle, src->dbase) < 0)
 goto err;
-
- if (to->dtable->cache(handle, to->dbase) < 0)
+ if (dst->dtable->cache(handle, dst->dbase) < 0)
 goto err;
- /* Clear obsolete items for MODE_SET */
- if (components[i].mode == MODE_SET)
- if (clear_obsolete(handle, from, to) < 0)
- goto err;
-
- /* Now iterate */
- if (from->dtable->iterate(
- handle, from->dbase, load_handler, &load_arg) < 0)
+ /* List all records */
+ if (src->dtable->list(handle, src->dbase,
+ &records, &nrecords) < 0)
 goto err;
+
+ /* Sort records on MODE_SORT */
+ if (mode & MODE_SORT) {
+ qsort(records, nrecords, sizeof(record_t*),
+ (int (*) (const void*, const void*)) rtable->compare2_qsort);
+ }
+
+ /* Clear obsolete ones for MODE_SET */
+ if (mode & MODE_SET &&
+ clear_obsolete(handle, records, nrecords, src, dst) < 0) {
+ rc = STATUS_ERR;
+ goto dbase_exit;
+ }
+
+ /* Load records */
+ if (load_records(handle, dst, records, nrecords, mode) < 0) {
+
+ rc = STATUS_ERR;
+ goto dbase_exit;
+ }
+
+ /* Cleanup */
+ dbase_exit:
+ for (j = 0; j < nrecords; j++)
+ rtable->free(records[j]);
+ free(records);
 }
- return STATUS_SUCCESS;
+ return rc;
 err:
 ERR(handle, "could not merge local modifications into policy");
diff -Naurp --exclude-from excludes old/libsepol/include/sepol/policydb/policydb.h new/libsepol/include/sepol/policydb/policydb.h
--- old/libsepol/include/sepol/policydb/policydb.h 2006-02-16 02:04:52.000000000 -0500
+++ new/libsepol/include/sepol/policydb/policydb.h 2006-02-16 02:04:29.000000000 -0500
@@ -152,7 +152,6 @@ typedef struct user_datum {
 typedef struct level_datum {
 mls_level_t *level; /* sensitivity and associated categories */
 unsigned char isalias; /* is this sensitivity an alias for another? */
- unsigned char defined;
 } level_datum_t;
 /* Category attributes */
diff -Naurp --exclude-from excludes old/libsepol/src/node_record.c new/libsepol/src/node_record.c
--- old/libsepol/src/node_record.c 2006-02-16 02:04:52.000000000 -0500
+++ new/libsepol/src/node_record.c 2006-02-16 02:00:20.000000000 -0500
@@ -147,8 +147,8 @@ static int node_expand_addr(
 {
 struct in_addr addr;
 memset(&addr, 0, sizeof(struct in_addr));
- addr.s_addr = addr_bytes[0];
-
+ memcpy(&addr.s_addr, addr_bytes, 4);
+
 if (inet_ntop(AF_INET, &addr, addr_str, INET_ADDRSTRLEN) == NULL) {
@@ -337,7 +337,7 @@ int sepol_node_compare(
 rc1 = memcmp(node->addr, key->addr, node->addr_sz);
 rc2 = memcmp(node->mask, key->mask, node->mask_sz);
- return (rc1 != 0)? rc1: rc2;
+ return (rc2 != 0)? rc2: rc1;
 }
 int sepol_node_compare2(
@@ -357,7 +357,7 @@ int sepol_node_compare2(
 rc1 = memcmp(node->addr, node2->addr, node->addr_sz);
 rc2 = memcmp(node->mask, node2->mask, node->mask_sz);
- return (rc1 != 0)? rc1: rc2;
+ return (rc2 != 0)? rc2: rc1;
 }
 /* Addr */
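Review bot: After a failed clear_obsolete or load_records the loop body sets `rc = STATUS_ERR`, jumps to `dbase_exit`, frees the records and then falls through to the next iteration of the `for`, so the remaining components are still merged into policy and the function returns the error without the `ERR(handle, ...)` message that the `err:` path emits. If the intent is to stop at the first failure, add `if (rc != STATUS_SUCCESS) goto err;` after `free(records);`; if partial merging is intended, a comment at `dbase_exit:` saying so would spare the next reader the same question. The `qsort` call casts `rtable->compare2_qsort` to `int (*)(const void*, const void*)`; if that member is not already declared with exactly that type, calling it through the cast is undefined behaviour, so the cast is either redundant or hides a signature mismatch, and the declaration is not in this diff to check. A `dbase_exit:` label placed inside the loop body at statement indentation is also unusual enough to deserve a one-line comment on what it cleans up.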
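Review bot: `memcpy(&addr.s_addr, addr_bytes, 4)` hard-codes the destination size; `memcpy(&addr.s_addr, addr_bytes, sizeof(addr.s_addr))` ties the length to the field it fills and documents that exactly one IPv4 address is copied. node_expand_addr begins outside the hunk, so the guarantee that `addr_bytes` holds at least four bytes on this path is not visible here; if it rests on an earlier length or protocol check, a short comment at the copy would record that. With the whole field now written by the copy, the preceding `memset` of `addr` only matters if `struct in_addr` has members other than `s_addr` on some platform, which may be worth a comment rather than leaving the reader to wonder whether it is dead code.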
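Review bot: sepol_node_compare and sepol_node_compare2 now rank by mask before address, but neither function records why the precedence was reversed, and the ordering appears to drive the new MODE_SORT path in policy_components.c via `compare2_qsort` (inferred from this diff, so worth confirming). A comment above each `return (rc2 != 0)? rc2: rc1;` stating the reason the mask is the primary key, and that the address only breaks ties, would preserve the intent for the next maintainer; the same change appears in the sepol_node_compare2 hunk, so the comment belongs in both places. The memcmp lengths come from `node->addr_sz` and `node->mask_sz` alone and nothing in the hunk checks that the other operand has the same sizes; that is pre-existing, but the reversal touches exactly these lines, so confirming the caller guarantees equal sizes would be cheap now.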