!15 backport upstream bugfix

From: @zcfsite 
Reviewed-by: @HuaxinLuGitee 
Signed-off-by: @HuaxinLuGitee

0002-checkpolicy-destroy-the-class-datum-if-it-fails-to-initialize.patch

@@ -1,29 +0,0 @@
-From daa00b28998af811f92aa821090f0ac2dd71f2bc Mon Sep 17 00:00:00 2001
-From: Nicolas Iooss <nicolas.iooss@m4x.org>
-Date: Sat, 26 May 2018 18:15:07 +0200
-Subject: [PATCH] checkpolicy: destroy the class datum if it fails to
- initialize
-
-require_class() allocate memory for its variable "class_datum_t *datum"
-and calls symtab_init(&datum->permissions, PERM_SYMTAB_SIZE). If this
-second call fails, datum is not freed.
-
-Fix this memory leak.
-
-Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
----
- module_compiler.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/module_compiler.c b/module_compiler.c
-index 155702f2..ada7cb2a 100644
---- a/module_compiler.c
-+++ b/module_compiler.c
-@@ -802,6 +802,7 @@ int require_class(int pass)
- 	if ((datum = calloc(1, sizeof(*datum))) == NULL ||
- 	    symtab_init(&datum->permissions, PERM_SYMTAB_SIZE)) {
- 		yyerror("Out of memory!");
-+		class_datum_destroy(datum);
- 		return -1;
- 	}
- 	ret =

backport-checkpolicy-Improve-error-message-for-type-bounds.patch

@@ -0,0 +1,32 @@
+From 1d33c911f514449bbc8cab71332752c22561b911 Mon Sep 17 00:00:00 2001
+From: Vit Mojzis <vmojzis@redhat.com>
+Date: Thu, 24 Nov 2022 17:31:52 +0100
+Subject: [PATCH] checkpolicy: Improve error message for type bounds
+
+Make the error message consistent with other occurrences of the
+same issue:
+https://github.com/SELinuxProject/selinux/blob/master/checkpolicy/module_compiler.c#L243
+https://github.com/SELinuxProject/selinux/blob/master/checkpolicy/module_compiler.c#L488
+
+Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
+Acked-by: James Carter <jwcart2@gmail.com>
+---
+ policy_define.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/policy_define.c b/policy_define.c
+index 41e44631..86d57017 100644
+--- a/policy_define.c
++++ b/policy_define.c
+@@ -1416,7 +1416,7 @@ static int define_typebounds_helper(char *bounds_id, char *type_id)
+ 	if (!type->bounds)
+ 		type->bounds = bounds->s.value;
+ 	else if (type->bounds != bounds->s.value) {
+-		yyerror2("type %s has inconsistent master {%s,%s}",
++		yyerror2("type %s has inconsistent bounds %s/%s",
+ 			 type_id,
+ 			 policydbp->p_type_val_to_name[type->bounds - 1],
+ 			 policydbp->p_type_val_to_name[bounds->s.value - 1]);
+-- 
+2.39.2.windows.1
+

backport-checkpolicy-delete-invalid-spaces.patch

@@ -0,0 +1,60 @@
+From 27e1c7c8e90b98da53bfcce291b03d8f2f0f0b4d Mon Sep 17 00:00:00 2001
+From: lujiev <572084868@qq.com>
+Date: Thu, 27 Oct 2022 16:02:18 +0800
+Subject: [PATCH] checkpolicy: delete invalid spaces
+
+Closes: https://github.com/SELinuxProject/selinux/pull/372
+Signed-off-by: lujiev <572084868@qq.com>
+Acked-by: Jason Zaman <jason@perfinion.com>
+---
+ policy_define.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/policy_define.c b/policy_define.c
+index 86d57017..c2ae7fe5 100644
+--- a/policy_define.c
++++ b/policy_define.c
+@@ -2208,7 +2208,7 @@ static int avrule_ioctl_partialdriver(struct av_ioctl_range_list *rangelist,
+ 	xperms = calloc(1, sizeof(av_extended_perms_t));
+ 	if (!xperms) {
+ 		yyerror("out of memory");
+-		return - 1;
++		return -1;
+ 	}
+ 
+ 	r = rangelist;
+@@ -2245,7 +2245,7 @@ static int avrule_ioctl_completedriver(struct av_ioctl_range_list *rangelist,
+ 	xperms = calloc(1, sizeof(av_extended_perms_t));
+ 	if (!xperms) {
+ 		yyerror("out of memory");
+-		return - 1;
++		return -1;
+ 	}
+ 
+ 	r = rangelist;
+@@ -2289,7 +2289,7 @@ static int avrule_ioctl_func(struct av_ioctl_range_list *rangelist,
+ 	xperms = calloc(1, sizeof(av_extended_perms_t));
+ 	if (!xperms) {
+ 		yyerror("out of memory");
+-		return - 1;
++		return -1;
+ 	}
+ 
+ 	r = rangelist;
+@@ -2352,11 +2352,11 @@ static int avrule_cpy(avrule_t *dest, const avrule_t *src)
+ 	dest->flags = src->flags;
+ 	if (type_set_cpy(&dest->stypes, &src->stypes)) {
+ 		yyerror("out of memory");
+-		return - 1;
++		return -1;
+ 	}
+ 	if (type_set_cpy(&dest->ttypes, &src->ttypes)) {
+ 		yyerror("out of memory");
+-		return - 1;
++		return -1;
+ 	}
+ 	dest->line = src->line;
+ 	dest->source_filename = strdup(source_file);
+-- 
+2.39.2.windows.1
+

checkpolicy.spec

@@ -1,14 +1,16 @@
 Name:          checkpolicy
-Version:       2.8
-Release:       6
+Version:       3.3
+Release:       3
 Summary:       SELinux policy compiler
 License:       GPLv2
 URL:           https://github.com/SELinuxProject/selinux
-Source0:       https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20180524/checkpolicy-2.8.tar.gz
+Source0:       https://github.com/SELinuxProject/selinux/releases/download/3.3/checkpolicy-3.3.tar.gz
 
-Patch6000:    0002-checkpolicy-destroy-the-class-datum-if-it-fails-to-initialize.patch
+Patch0:        backport-checkpolicy-Improve-error-message-for-type-bounds.patch
+Patch1:        backport-checkpolicy-delete-invalid-spaces.patch
+
+BuildRequires: gcc byacc bison flex flex-static libsepol-static >= %{version} libselinux-devel >= %{version} git
 
-BuildRequires: gcc byacc bison flex flex-static libsepol-static >= 2.8-1 libselinux-devel >= 2.8-1 git
 Conflicts: selinux-policy-base < 3.13.1-138
 
 %description
@@ -55,6 +57,18 @@ install test/dispol %{buildroot}%{_bindir}/sedispol
 %{_mandir}/*/*
 
 %changelog
+* Sat Mar 11 2023 zhangchenfeng <zhangchenfeng1@huawei.com> - 3.3-3
+- backport upstrem bugfix
+
+* Sat Dec 17 2022 fangxiuning <fangxiuning@huawei.com> - 3.3-2
+- change changelog
+
+* Mon Dec 13 2021 yixiangzhike <yixiangzhike007@163.com> - 3.3-1
+- update to checkpolicy 3.3
+
+* Fri Jul 17 2019 openEuler Buildteam <buildteam@openeuler.org> - 3.1-1
+- update to checkpolicy 3.1
+
 * Sat Sep 21 2019 openEuler Buildteam <buildteam@openeuler.org> - 2.8-6
 - Type:enhancement
 - ID:NA

checkpolicy.yaml

@@ -0,0 +1,4 @@
+version_control: github
+src_repo: SELinuxProject/selinux
+tag_prefix:
+seperator: