Auto sync2gitlab import of libselinux-2.9-5.el8.src.rpm

.gitignore

@@ -0,0 +1 @@
+/libselinux-2.9.tar.gz

0001-Fix-selinux-man-page-to-refer-seinfo-and-sesearch-to.patch

@@ -0,0 +1,31 @@
+From f71fc47524bef3c4cd8a412e43d13daebd1c418b Mon Sep 17 00:00:00 2001
+From: Miroslav Grepl <mgrepl@redhat.com>
+Date: Wed, 16 Jul 2014 08:28:03 +0200
+Subject: [PATCH] Fix selinux man page to refer seinfo and sesearch tools.
+
+---
+ libselinux/man/man8/selinux.8 | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/libselinux/man/man8/selinux.8 b/libselinux/man/man8/selinux.8
+index e37aee68..bf23b655 100644
+--- a/libselinux/man/man8/selinux.8
++++ b/libselinux/man/man8/selinux.8
+@@ -91,11 +91,13 @@ This manual page was written by Dan Walsh <dwalsh@redhat.com>.
+ .BR sepolicy (8),
+ .BR system-config-selinux (8),
+ .BR togglesebool (8),
+-.BR restorecon (8),
+ .BR fixfiles (8),
++.BR restorecon (8),
+ .BR setfiles (8),
+ .BR semanage (8),
+ .BR sepolicy (8)
++.BR seinfo (8),
++.BR sesearch (8)
+ 
+ Every confined service on the system has a man page in the following format:
+ .br
+-- 
+2.21.0
+

0002-Verify-context-input-to-funtions-to-make-sure-the-co.patch

@@ -0,0 +1,214 @@
+From ad3d3a0bf819f5895a6884357c2d0e18ea1ef314 Mon Sep 17 00:00:00 2001
+From: Dan Walsh <dwalsh@redhat.com>
+Date: Mon, 23 Dec 2013 09:50:54 -0500
+Subject: [PATCH] Verify context input to funtions to make sure the context
+ field is not null.
+
+Return errno EINVAL, to prevent segfault.
+
+Rejected by upstream https://marc.info/?l=selinux&m=145036088424584&w=2
+
+FIXME: use __attribute__(nonnull (arg-index, ...))
+---
+ libselinux/src/avc_sidtab.c           | 5 +++++
+ libselinux/src/canonicalize_context.c | 5 +++++
+ libselinux/src/check_context.c        | 5 +++++
+ libselinux/src/compute_av.c           | 5 +++++
+ libselinux/src/compute_create.c       | 5 +++++
+ libselinux/src/compute_member.c       | 5 +++++
+ libselinux/src/compute_relabel.c      | 5 +++++
+ libselinux/src/compute_user.c         | 5 +++++
+ libselinux/src/fsetfilecon.c          | 8 ++++++--
+ libselinux/src/lsetfilecon.c          | 9 +++++++--
+ libselinux/src/setfilecon.c           | 8 ++++++--
+ 11 files changed, 59 insertions(+), 6 deletions(-)
+
+diff --git a/libselinux/src/avc_sidtab.c b/libselinux/src/avc_sidtab.c
+index 9669264d..c7754305 100644
+--- a/libselinux/src/avc_sidtab.c
++++ b/libselinux/src/avc_sidtab.c
+@@ -81,6 +81,11 @@ sidtab_context_to_sid(struct sidtab *s,
+ 	int hvalue, rc = 0;
+ 	struct sidtab_node *cur;
+ 
++	if (! ctx) {
++		errno=EINVAL;
++		return -1;
++	}
++
+ 	*sid = NULL;
+ 	hvalue = sidtab_hash(ctx);
+ 
+diff --git a/libselinux/src/canonicalize_context.c b/libselinux/src/canonicalize_context.c
+index ba4c9a2c..c8158725 100644
+--- a/libselinux/src/canonicalize_context.c
++++ b/libselinux/src/canonicalize_context.c
+@@ -17,6 +17,11 @@ int security_canonicalize_context_raw(const char * con,
+ 	size_t size;
+ 	int fd, ret;
+ 
++	if (! con) {
++		errno=EINVAL;
++		return -1;
++	}
++
+ 	if (!selinux_mnt) {
+ 		errno = ENOENT;
+ 		return -1;
+diff --git a/libselinux/src/check_context.c b/libselinux/src/check_context.c
+index 8a7997f0..5be84348 100644
+--- a/libselinux/src/check_context.c
++++ b/libselinux/src/check_context.c
+@@ -14,6 +14,11 @@ int security_check_context_raw(const char * con)
+ 	char path[PATH_MAX];
+ 	int fd, ret;
+ 
++	if (! con) {
++		errno=EINVAL;
++		return -1;
++	}
++
+ 	if (!selinux_mnt) {
+ 		errno = ENOENT;
+ 		return -1;
+diff --git a/libselinux/src/compute_av.c b/libselinux/src/compute_av.c
+index a47cffe9..6d285a2e 100644
+--- a/libselinux/src/compute_av.c
++++ b/libselinux/src/compute_av.c
+@@ -27,6 +27,11 @@ int security_compute_av_flags_raw(const char * scon,
+ 		return -1;
+ 	}
+ 
++	if ((! scon) || (! tcon)) {
++		errno=EINVAL;
++		return -1;
++	}
++
+ 	snprintf(path, sizeof path, "%s/access", selinux_mnt);
+ 	fd = open(path, O_RDWR | O_CLOEXEC);
+ 	if (fd < 0)
+diff --git a/libselinux/src/compute_create.c b/libselinux/src/compute_create.c
+index 0975aeac..3e6a48c1 100644
+--- a/libselinux/src/compute_create.c
++++ b/libselinux/src/compute_create.c
+@@ -64,6 +64,11 @@ int security_compute_create_name_raw(const char * scon,
+ 		return -1;
+ 	}
+ 
++	if ((! scon) || (! tcon)) {
++		errno=EINVAL;
++		return -1;
++	}
++
+ 	snprintf(path, sizeof path, "%s/create", selinux_mnt);
+ 	fd = open(path, O_RDWR | O_CLOEXEC);
+ 	if (fd < 0)
+diff --git a/libselinux/src/compute_member.c b/libselinux/src/compute_member.c
+index 4e2d221e..d1dd9772 100644
+--- a/libselinux/src/compute_member.c
++++ b/libselinux/src/compute_member.c
+@@ -25,6 +25,11 @@ int security_compute_member_raw(const char * scon,
+ 		return -1;
+ 	}
+ 
++	if ((! scon) || (! tcon)) {
++		errno=EINVAL;
++		return -1;
++	}
++
+ 	snprintf(path, sizeof path, "%s/member", selinux_mnt);
+ 	fd = open(path, O_RDWR | O_CLOEXEC);
+ 	if (fd < 0)
+diff --git a/libselinux/src/compute_relabel.c b/libselinux/src/compute_relabel.c
+index 49f77ef3..c3db7c0a 100644
+--- a/libselinux/src/compute_relabel.c
++++ b/libselinux/src/compute_relabel.c
+@@ -25,6 +25,11 @@ int security_compute_relabel_raw(const char * scon,
+ 		return -1;
+ 	}
+ 
++	if ((! scon) || (! tcon)) {
++		errno=EINVAL;
++		return -1;
++	}
++
+ 	snprintf(path, sizeof path, "%s/relabel", selinux_mnt);
+ 	fd = open(path, O_RDWR | O_CLOEXEC);
+ 	if (fd < 0)
+diff --git a/libselinux/src/compute_user.c b/libselinux/src/compute_user.c
+index 7b881215..401fd107 100644
+--- a/libselinux/src/compute_user.c
++++ b/libselinux/src/compute_user.c
+@@ -24,6 +24,11 @@ int security_compute_user_raw(const char * scon,
+ 		return -1;
+ 	}
+ 
++	if (! scon) {
++		errno=EINVAL;
++		return -1;
++	}
++
+ 	snprintf(path, sizeof path, "%s/user", selinux_mnt);
+ 	fd = open(path, O_RDWR | O_CLOEXEC);
+ 	if (fd < 0)
+diff --git a/libselinux/src/fsetfilecon.c b/libselinux/src/fsetfilecon.c
+index 52707d05..0cbe12d8 100644
+--- a/libselinux/src/fsetfilecon.c
++++ b/libselinux/src/fsetfilecon.c
+@@ -9,8 +9,12 @@
+ 
+ int fsetfilecon_raw(int fd, const char * context)
+ {
+-	int rc = fsetxattr(fd, XATTR_NAME_SELINUX, context, strlen(context) + 1,
+-			 0);
++	int rc;
++	if (! context) {
++		errno=EINVAL;
++		return -1;
++	}
++	rc = fsetxattr(fd, XATTR_NAME_SELINUX, context, strlen(context) + 1, 0);
+ 	if (rc < 0 && errno == ENOTSUP) {
+ 		char * ccontext = NULL;
+ 		int err = errno;
+diff --git a/libselinux/src/lsetfilecon.c b/libselinux/src/lsetfilecon.c
+index 1d3b28a1..ea6d70b7 100644
+--- a/libselinux/src/lsetfilecon.c
++++ b/libselinux/src/lsetfilecon.c
+@@ -9,8 +9,13 @@
+ 
+ int lsetfilecon_raw(const char *path, const char * context)
+ {
+-	int rc = lsetxattr(path, XATTR_NAME_SELINUX, context, strlen(context) + 1,
+-			 0);
++	int rc;
++	if (! context) {
++		errno=EINVAL;
++		return -1;
++	}
++
++	rc = lsetxattr(path, XATTR_NAME_SELINUX, context, strlen(context) + 1, 0);
+ 	if (rc < 0 && errno == ENOTSUP) {
+ 		char * ccontext = NULL;
+ 		int err = errno;
+diff --git a/libselinux/src/setfilecon.c b/libselinux/src/setfilecon.c
+index d05969c6..3f0200e8 100644
+--- a/libselinux/src/setfilecon.c
++++ b/libselinux/src/setfilecon.c
+@@ -9,8 +9,12 @@
+ 
+ int setfilecon_raw(const char *path, const char * context)
+ {
+-	int rc = setxattr(path, XATTR_NAME_SELINUX, context, strlen(context) + 1,
+-			0);
++	int rc;
++	if (! context) {
++		errno=EINVAL;
++		return -1;
++	}
++	rc = setxattr(path, XATTR_NAME_SELINUX, context, strlen(context) + 1, 0);
+ 	if (rc < 0 && errno == ENOTSUP) {
+ 		char * ccontext = NULL;
+ 		int err = errno;
+-- 
+2.21.0
+

0003-libselinux-Allow-to-override-OVERRIDE_GETTID-from-co.patch

@@ -0,0 +1,39 @@
+From a6e839be2c5a77c22a8c72cad001e3f87eaedf2e Mon Sep 17 00:00:00 2001
+From: Petr Lautrbach <plautrba@redhat.com>
+Date: Mon, 11 Mar 2019 15:26:43 +0100
+Subject: [PATCH] libselinux: Allow to override OVERRIDE_GETTID from command
+ line
+
+$ make CFLAGS="$CFLAGS -DOVERRIDE_GETTID=0" ...
+
+Drop this as soon as glibc-2.30 will become real 2.30 version, see
+https://bugzilla.redhat.com/show_bug.cgi?id=1685594
+
+Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
+---
+ libselinux/src/procattr.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/libselinux/src/procattr.c b/libselinux/src/procattr.c
+index c6799ef2..cbb6824e 100644
+--- a/libselinux/src/procattr.c
++++ b/libselinux/src/procattr.c
+@@ -24,6 +24,7 @@ static __thread char destructor_initialized;
+ 
+ /* Bionic and glibc >= 2.30 declare gettid() system call wrapper in unistd.h and
+  * has a definition for it */
++#ifndef OVERRIDE_GETTID
+ #ifdef __BIONIC__
+   #define OVERRIDE_GETTID 0
+ #elif !defined(__GLIBC_PREREQ)
+@@ -33,6 +34,7 @@ static __thread char destructor_initialized;
+ #else
+   #define OVERRIDE_GETTID 0
+ #endif
++#endif
+ 
+ #if OVERRIDE_GETTID
+ static pid_t gettid(void)
+-- 
+2.21.0
+

0004-Bring-some-old-permission-and-flask-constants-back-t.patch

@@ -0,0 +1,55 @@
+From be420729fbf4adc8b32ca3722fa6ca46bb51413d Mon Sep 17 00:00:00 2001
+From: Petr Lautrbach <plautrba@redhat.com>
+Date: Wed, 27 Feb 2019 09:37:17 +0100
+Subject: [PATCH] Bring some old permission and flask constants back to Python
+ bindings
+
+---
+ libselinux/src/selinuxswig.i        | 4 ++++
+ libselinux/src/selinuxswig_python.i | 3 ++-
+ 2 files changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/libselinux/src/selinuxswig.i b/libselinux/src/selinuxswig.i
+index dbdb4c3d..9c5b9263 100644
+--- a/libselinux/src/selinuxswig.i
++++ b/libselinux/src/selinuxswig.i
+@@ -5,7 +5,9 @@
+ %module selinux
+ %{
+ 	#include "../include/selinux/avc.h"
++	#include "../include/selinux/av_permissions.h"
+ 	#include "../include/selinux/context.h"
++	#include "../include/selinux/flask.h"
+ 	#include "../include/selinux/get_context_list.h"
+ 	#include "../include/selinux/get_default_type.h"
+ 	#include "../include/selinux/label.h"
+@@ -58,7 +60,9 @@
+ %ignore avc_netlink_check_nb;
+ 
+ %include "../include/selinux/avc.h"
++%include "../include/selinux/av_permissions.h"
+ %include "../include/selinux/context.h"
++%include "../include/selinux/flask.h"
+ %include "../include/selinux/get_context_list.h"
+ %include "../include/selinux/get_default_type.h"
+ %include "../include/selinux/label.h"
+diff --git a/libselinux/src/selinuxswig_python.i b/libselinux/src/selinuxswig_python.i
+index 4c73bf92..6eaab081 100644
+--- a/libselinux/src/selinuxswig_python.i
++++ b/libselinux/src/selinuxswig_python.i
+@@ -1,10 +1,11 @@
+ /* Author: James Athey
+  */
+ 
+-/* Never build rpm_execcon interface */
++/* Never build rpm_execcon interface unless you need to have ACG compatibility
+ #ifndef DISABLE_RPM
+ #define DISABLE_RPM
+ #endif
++*/
+ 
+ %module selinux
+ %{
+-- 
+2.21.0
+

0005-libselinux-add-missing-av_permission-values.patch

@@ -0,0 +1,32 @@
+From 903c54bf62ffba3c95e22e74c9c43838cd3935a0 Mon Sep 17 00:00:00 2001
+From: Vit Mojzis <vmojzis@redhat.com>
+Date: Tue, 28 Feb 2017 16:12:43 +0100
+Subject: [PATCH] libselinux: add missing av_permission values
+
+Add missing av_permission values to av_permissions.h for the sake of
+completeness (this interface is obsolete - these values are now
+obtained at runtime).
+
+Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1025931
+
+Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
+---
+ libselinux/include/selinux/av_permissions.h | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/libselinux/include/selinux/av_permissions.h b/libselinux/include/selinux/av_permissions.h
+index c1269af9..631f0276 100644
+--- a/libselinux/include/selinux/av_permissions.h
++++ b/libselinux/include/selinux/av_permissions.h
+@@ -876,6 +876,8 @@
+ #define NSCD__SHMEMHOST                           0x00000080UL
+ #define NSCD__GETSERV                             0x00000100UL
+ #define NSCD__SHMEMSERV                           0x00000200UL
++#define NSCD__GETNETGRP                           0x00000400UL
++#define NSCD__SHMEMNETGRP                         0x00000800UL
+ #define ASSOCIATION__SENDTO                       0x00000001UL
+ #define ASSOCIATION__RECVFROM                     0x00000002UL
+ #define ASSOCIATION__SETCONTEXT                   0x00000004UL
+-- 
+2.21.0
+

0006-libselinux-Use-Python-distutils-to-install-SELinux-p.patch

@@ -0,0 +1,177 @@
+From 67d490a38a319126f371eaf66a5fc922d7005b1f Mon Sep 17 00:00:00 2001
+From: Petr Lautrbach <plautrba@redhat.com>
+Date: Thu, 16 May 2019 15:01:59 +0200
+Subject: [PATCH] libselinux: Use Python distutils to install SELinux python
+ bindings
+
+SWIG-4.0 changed its behavior so that it uses: from . import _selinux  which
+looks for _selinux module in the same directory as where __init__.py is -
+$(PYLIBDIR)/site-packages/selinux. But _selinux module is installed into
+$(PYLIBDIR)/site-packages/ since a9604c30a5e2f ("libselinux: Change the location
+of _selinux.so").
+
+In order to prevent such breakage in future use Python's distutils instead of
+building and installing python bindings manually in Makefile.
+
+Fixes:
+>>> import selinux
+Traceback (most recent call last):
+  File "<stdin>", line 1, in <module>
+  File "/usr/lib64/python3.7/site-packages/selinux/__init__.py", line 13, in <module>
+    from . import _selinux
+ImportError: cannot import name '_selinux' from 'selinux' (/usr/lib64/python3.7/site-packages/selinux/__init__.py)
+>>>
+
+Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
+---
+ libselinux/src/.gitignore |  2 +-
+ libselinux/src/Makefile   | 37 ++++++++-----------------------------
+ libselinux/src/setup.py   | 24 ++++++++++++++++++++++++
+ 3 files changed, 33 insertions(+), 30 deletions(-)
+ create mode 100644 libselinux/src/setup.py
+
+diff --git a/libselinux/src/.gitignore b/libselinux/src/.gitignore
+index 4dcc3b3b..428afe5a 100644
+--- a/libselinux/src/.gitignore
++++ b/libselinux/src/.gitignore
+@@ -1,4 +1,4 @@
+ selinux.py
+-selinuxswig_wrap.c
++selinuxswig_python_wrap.c
+ selinuxswig_python_exception.i
+ selinuxswig_ruby_wrap.c
+diff --git a/libselinux/src/Makefile b/libselinux/src/Makefile
+index e9ed0383..826c830c 100644
+--- a/libselinux/src/Makefile
++++ b/libselinux/src/Makefile
+@@ -36,7 +36,7 @@ TARGET=libselinux.so
+ LIBPC=libselinux.pc
+ SWIGIF= selinuxswig_python.i selinuxswig_python_exception.i
+ SWIGRUBYIF= selinuxswig_ruby.i
+-SWIGCOUT= selinuxswig_wrap.c
++SWIGCOUT= selinuxswig_python_wrap.c
+ SWIGPYOUT= selinux.py
+ SWIGRUBYCOUT= selinuxswig_ruby_wrap.c
+ SWIGLOBJ:= $(patsubst %.c,$(PYPREFIX)%.lo,$(SWIGCOUT))
+@@ -55,7 +55,7 @@ ifeq ($(LIBSEPOLA),)
+         LDLIBS_LIBSEPOLA := -l:libsepol.a
+ endif
+ 
+-GENERATED=$(SWIGCOUT) $(SWIGRUBYCOUT) selinuxswig_python_exception.i
++GENERATED=$(SWIGCOUT) $(SWIGRUBYCOUT) $(SWIGCOUT) selinuxswig_python_exception.i
+ SRCS= $(filter-out $(GENERATED) audit2why.c, $(sort $(wildcard *.c)))
+ 
+ MAX_STACK_SIZE=32768
+@@ -125,25 +125,18 @@ DISABLE_FLAGS+= -DNO_ANDROID_BACKEND
+ SRCS:= $(filter-out label_backends_android.c, $(SRCS))
+ endif
+ 
+-SWIG = swig -Wall -python -o $(SWIGCOUT) -outdir ./ $(DISABLE_FLAGS)
+-
+ SWIGRUBY = swig -Wall -ruby -o $(SWIGRUBYCOUT) -outdir ./ $(DISABLE_FLAGS)
+ 
+ all: $(LIBA) $(LIBSO) $(LIBPC)
+ 
+-pywrap: all $(SWIGFILES) $(AUDIT2WHYSO)
++pywrap: all selinuxswig_python_exception.i
++	CFLAGS="$(SWIG_CFLAGS)" $(PYTHON) setup.py build_ext -I $(DESTDIR)$(INCLUDEDIR) -L $(DESTDIR)$(LIBDIR)
+ 
+ rubywrap: all $(SWIGRUBYSO)
+ 
+-$(SWIGLOBJ): $(SWIGCOUT)
+-	$(CC) $(CFLAGS) $(SWIG_CFLAGS) $(PYINC) -fPIC -DSHARED -c -o $@ $<
+-
+ $(SWIGRUBYLOBJ): $(SWIGRUBYCOUT)
+ 	$(CC) $(CFLAGS) $(SWIG_CFLAGS) $(RUBYINC) -fPIC -DSHARED -c -o $@ $<
+ 
+-$(SWIGSO): $(SWIGLOBJ)
+-	$(CC) $(CFLAGS) $(LDFLAGS) -L. -shared -o $@ $< -lselinux $(PYLIBS)
+-
+ $(SWIGRUBYSO): $(SWIGRUBYLOBJ)
+ 	$(CC) $(CFLAGS) $(LDFLAGS) -L. -shared -o $@ $^ -lselinux $(RUBYLIBS)
+ 
+@@ -161,29 +154,15 @@ $(LIBPC): $(LIBPC).in ../VERSION
+ selinuxswig_python_exception.i: ../include/selinux/selinux.h
+ 	bash -e exception.sh > $@ || (rm -f $@ ; false)
+ 
+-$(AUDIT2WHYLOBJ): audit2why.c
+-	$(CC) $(filter-out -Werror, $(CFLAGS)) $(PYINC) -fPIC -DSHARED -c -o $@ $<
+-
+-$(AUDIT2WHYSO): $(AUDIT2WHYLOBJ) $(LIBSEPOLA)
+-	$(CC) $(CFLAGS) $(LDFLAGS) -L. -shared -o $@ $^ -lselinux $(LDLIBS_LIBSEPOLA) $(PYLIBS) -Wl,-soname,audit2why.so,--version-script=audit2why.map,-z,defs
+-
+ %.o:  %.c policy.h
+ 	$(CC) $(CFLAGS) $(TLSFLAGS) -c -o $@ $<
+ 
+ %.lo:  %.c policy.h
+ 	$(CC) $(CFLAGS) -fPIC -DSHARED -c -o $@ $<
+ 
+-$(SWIGCOUT): $(SWIGIF)
+-	$(SWIG) $<
+-
+-$(SWIGPYOUT): $(SWIGCOUT)
+-
+ $(SWIGRUBYCOUT): $(SWIGRUBYIF)
+ 	$(SWIGRUBY) $<
+ 
+-swigify: $(SWIGIF)
+-	$(SWIG) $<
+-
+ install: all 
+ 	test -d $(DESTDIR)$(LIBDIR) || install -m 755 -d $(DESTDIR)$(LIBDIR)
+ 	install -m 644 $(LIBA) $(DESTDIR)$(LIBDIR)
+@@ -194,10 +173,8 @@ install: all
+ 	ln -sf --relative $(DESTDIR)$(SHLIBDIR)/$(LIBSO) $(DESTDIR)$(LIBDIR)/$(TARGET)
+ 
+ install-pywrap: pywrap
+-	test -d $(DESTDIR)$(PYTHONLIBDIR)/selinux || install -m 755 -d $(DESTDIR)$(PYTHONLIBDIR)/selinux
+-	install -m 755 $(SWIGSO) $(DESTDIR)$(PYTHONLIBDIR)/_selinux$(PYCEXT)
+-	install -m 755 $(AUDIT2WHYSO) $(DESTDIR)$(PYTHONLIBDIR)/selinux/audit2why$(PYCEXT)
+-	install -m 644 $(SWIGPYOUT) $(DESTDIR)$(PYTHONLIBDIR)/selinux/__init__.py
++	$(PYTHON) setup.py install --prefix=$(PREFIX) `test -n "$(DESTDIR)" && echo --root $(DESTDIR)`
++	install -m 644 selinux.py $(DESTDIR)$(PYTHONLIBDIR)/selinux/__init__.py
+ 
+ install-rubywrap: rubywrap
+ 	test -d $(DESTDIR)$(RUBYINSTALL) || install -m 755 -d $(DESTDIR)$(RUBYINSTALL) 
+@@ -208,6 +185,8 @@ relabel:
+ 
+ clean-pywrap:
+ 	-rm -f $(SWIGLOBJ) $(SWIGSO) $(AUDIT2WHYLOBJ) $(AUDIT2WHYSO)
++	$(PYTHON) setup.py clean
++	-rm -rf build *~ \#* *pyc .#*
+ 
+ clean-rubywrap:
+ 	-rm -f $(SWIGRUBYLOBJ) $(SWIGRUBYSO)
+diff --git a/libselinux/src/setup.py b/libselinux/src/setup.py
+new file mode 100644
+index 00000000..b12e7869
+--- /dev/null
++++ b/libselinux/src/setup.py
+@@ -0,0 +1,24 @@
++#!/usr/bin/python3
++
++from distutils.core import Extension, setup
++
++setup(
++    name="selinux",
++    version="2.9",
++    description="SELinux python 3 bindings",
++    author="SELinux Project",
++    author_email="selinux@vger.kernel.org",
++    ext_modules=[
++        Extension('selinux._selinux',
++                  sources=['selinuxswig_python.i'],
++                  include_dirs=['../include'],
++                  library_dirs=['.'],
++                  libraries=['selinux']),
++        Extension('selinux.audit2why',
++                  sources=['audit2why.c'],
++                  include_dirs=['../include'],
++                  library_dirs=['.'],
++                  libraries=['selinux'],
++                  extra_link_args=['-l:libsepol.a'])
++    ],
++)
+-- 
+2.21.0
+

0007-libselinux-Do-not-use-SWIG_CFLAGS-when-Python-bindin.patch

@@ -0,0 +1,44 @@
+From 6ec8116ee64a25a0c5eb543f0b12ed25f1348c45 Mon Sep 17 00:00:00 2001
+From: Petr Lautrbach <plautrba@redhat.com>
+Date: Thu, 27 Jun 2019 11:17:13 +0200
+Subject: [PATCH] libselinux: Do not use SWIG_CFLAGS when Python bindings are
+ built
+
+Fixes:
+https://rpmdiff.engineering.redhat.com/run/410372/7/
+
+Detecting usr/lib64/python3.6/site-packages/selinux/audit2why.cpython-36m-x86_64-linux-gnu.so with not-hardened warnings '
+Hardened: audit2why.cpython-36m-x86_64-linux-gnu.so: FAIL: Gaps were detected in the annobin coverage.  Run with -v to list.
+' on x86_64
+
+Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
+---
+ libselinux/src/Makefile | 5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+diff --git a/libselinux/src/Makefile b/libselinux/src/Makefile
+index 826c830c..f64f23a8 100644
+--- a/libselinux/src/Makefile
++++ b/libselinux/src/Makefile
+@@ -104,9 +104,6 @@ FTS_LDLIBS ?=
+ 
+ override CFLAGS += -I../include -D_GNU_SOURCE $(DISABLE_FLAGS) $(PCRE_CFLAGS)
+ 
+-SWIG_CFLAGS += -Wno-error -Wno-unused-variable -Wno-unused-but-set-variable -Wno-unused-parameter \
+-		-Wno-shadow -Wno-uninitialized -Wno-missing-prototypes -Wno-missing-declarations
+-
+ RANLIB ?= ranlib
+ 
+ ARCH := $(patsubst i%86,i386,$(shell uname -m))
+@@ -130,7 +127,7 @@ SWIGRUBY = swig -Wall -ruby -o $(SWIGRUBYCOUT) -outdir ./ $(DISABLE_FLAGS)
+ all: $(LIBA) $(LIBSO) $(LIBPC)
+ 
+ pywrap: all selinuxswig_python_exception.i
+-	CFLAGS="$(SWIG_CFLAGS)" $(PYTHON) setup.py build_ext -I $(DESTDIR)$(INCLUDEDIR) -L $(DESTDIR)$(LIBDIR)
++	$(PYTHON) setup.py build_ext -I $(DESTDIR)$(INCLUDEDIR) -L $(DESTDIR)$(LIBDIR)
+ 
+ rubywrap: all $(SWIGRUBYSO)
+ 
+-- 
+2.21.0
+

0008-Fix-mcstrans-secolor-examples.patch

@@ -0,0 +1,66 @@
+From 90a4f2b9a5194a2d1ab4c45b7a90bbb6c8099a68 Mon Sep 17 00:00:00 2001
+From: Vit Mojzis <vmojzis@redhat.com>
+Date: Tue, 2 Jul 2019 14:09:05 +0200
+Subject: [PATCH] Fix mcstrans secolor examples
+
+According to "check_dominance" function:
+Range defined as "s15:c0.c1023" does not dominate any other range than
+ "s15:c0.c1023" (does not dominate "s15", "s15:c0.c200", etc.).
+While range defined as "s15-s15:c0.c1023" dominates all of the above.
+
+This is either a bug, or "s15:c0.c1023" should not be used in the
+examples.
+
+Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
+---
+ libselinux/man/man5/secolor.conf.5    | 4 ++--
+ libselinux/man/ru/man5/secolor.conf.5 | 4 ++--
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/libselinux/man/man5/secolor.conf.5 b/libselinux/man/man5/secolor.conf.5
+index b834577a..a3bf2da1 100644
+--- a/libselinux/man/man5/secolor.conf.5
++++ b/libselinux/man/man5/secolor.conf.5
+@@ -123,7 +123,7 @@ range s7\-s7:c0.c1023 = black red
+ .br
+ range s9\-s9:c0.c1023 = black orange
+ .br
+-range s15:c0.c1023   = black yellow
++range s15\-s15:c0.c1023   = black yellow
+ .RE
+ 
+ .sp
+@@ -165,7 +165,7 @@ type xguest_t     = black green
+ .br
+ user sysadm_u     = white black
+ .br
+-range s0:c0.c1023 = black white
++range s0-s0:c0.c1023 = black white
+ .br
+ user *            = black white
+ .br
+diff --git a/libselinux/man/ru/man5/secolor.conf.5 b/libselinux/man/ru/man5/secolor.conf.5
+index 4c1236ae..bcae80c1 100644
+--- a/libselinux/man/ru/man5/secolor.conf.5
++++ b/libselinux/man/ru/man5/secolor.conf.5
+@@ -121,7 +121,7 @@ range s7\-s7:c0.c1023 = black red
+ .br
+ range s9\-s9:c0.c1023 = black orange
+ .br
+-range s15:c0.c1023   = black yellow
++range s15\-s15:c0.c1023   = black yellow
+ .RE
+ 
+ .sp
+@@ -163,7 +163,7 @@ type xguest_t     = black green
+ .br
+ user sysadm_u     = white black
+ .br
+-range s0:c0.c1023 = black white
++range s0\-s0:c0.c1023 = black white
+ .br
+ user *            = black white
+ .br
+-- 
+2.21.0
+

0009-libselinux-Eliminate-use-of-security_compute_user.patch

@@ -0,0 +1,354 @@
+From bfee1a3131580a7b9d8a7366764b8e78d99a9f1b Mon Sep 17 00:00:00 2001
+From: Petr Lautrbach <plautrba@redhat.com>
+Date: Mon, 17 Feb 2020 21:47:35 +0100
+Subject: [PATCH] libselinux: Eliminate use of security_compute_user()
+
+get_ordered_context_list() code used to ask the kernel to compute the complete
+set of reachable contexts using /sys/fs/selinux/user aka
+security_compute_user(). This set can be so huge so that it doesn't fit into a
+kernel page and security_compute_user() fails. Even if it doesn't fail,
+get_ordered_context_list() throws away the vast majority of the returned
+contexts because they don't match anything in
+/etc/selinux/targeted/contexts/default_contexts or
+/etc/selinux/targeted/contexts/users/
+
+get_ordered_context_list() is rewritten to compute set of contexts based on
+/etc/selinux/targeted/contexts/users/ and
+/etc/selinux/targeted/contexts/default_contexts files and to return only valid
+contexts, using security_check_context(), from this set.
+
+Fixes: https://github.com/SELinuxProject/selinux/issues/28
+
+Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
+---
+ libselinux/src/get_context_list.c | 212 +++++++++++++-----------------
+ 1 file changed, 93 insertions(+), 119 deletions(-)
+
+diff --git a/libselinux/src/get_context_list.c b/libselinux/src/get_context_list.c
+index 689e4658..26d7b3b9 100644
+--- a/libselinux/src/get_context_list.c
++++ b/libselinux/src/get_context_list.c
+@@ -2,6 +2,7 @@
+ #include <errno.h>
+ #include <stdio.h>
+ #include <stdio_ext.h>
++#include <stdint.h>
+ #include <stdlib.h>
+ #include <string.h>
+ #include <ctype.h>
+@@ -114,64 +115,41 @@ int get_default_context(const char *user,
+ 	return 0;
+ }
+ 
+-static int find_partialcon(char ** list,
+-			   unsigned int nreach, char *part)
++static int is_in_reachable(char **reachable, const char *usercon_str)
+ {
+-	const char *conrole, *contype;
+-	char *partrole, *parttype, *ptr;
+-	context_t con;
+-	unsigned int i;
++	if (!reachable)
++		return 0;
+ 
+-	partrole = part;
+-	ptr = part;
+-	while (*ptr && !isspace(*ptr) && *ptr != ':')
+-		ptr++;
+-	if (*ptr != ':')
+-		return -1;
+-	*ptr++ = 0;
+-	parttype = ptr;
+-	while (*ptr && !isspace(*ptr) && *ptr != ':')
+-		ptr++;
+-	*ptr = 0;
+-
+-	for (i = 0; i < nreach; i++) {
+-		con = context_new(list[i]);
+-		if (!con)
+-			return -1;
+-		conrole = context_role_get(con);
+-		contype = context_type_get(con);
+-		if (!conrole || !contype) {
+-			context_free(con);
+-			return -1;
+-		}
+-		if (!strcmp(conrole, partrole) && !strcmp(contype, parttype)) {
+-			context_free(con);
+-			return i;
++	for (; *reachable != NULL; reachable++) {
++		if (strcmp(*reachable, usercon_str) == 0) {
++			return 1;
+ 		}
+-		context_free(con);
+ 	}
+-
+-	return -1;
++	return 0;
+ }
+ 
+-static int get_context_order(FILE * fp,
++static int get_context_user(FILE * fp,
+ 			     char * fromcon,
+-			     char ** reachable,
+-			     unsigned int nreach,
+-			     unsigned int *ordering, unsigned int *nordered)
++			     const char * user,
++			     char ***reachable,
++			     unsigned int *nreachable)
+ {
+ 	char *start, *end = NULL;
+ 	char *line = NULL;
+-	size_t line_len = 0;
++	size_t line_len = 0, usercon_len;
++	size_t user_len = strlen(user);
+ 	ssize_t len;
+ 	int found = 0;
+-	const char *fromrole, *fromtype;
++	const char *fromrole, *fromtype, *fromlevel;
+ 	char *linerole, *linetype;
+-	unsigned int i;
++	char **new_reachable = NULL;
++	char *usercon_str;
+ 	context_t con;
++	context_t usercon;
++
+ 	int rc;
+ 
+-	errno = -EINVAL;
++	errno = EINVAL;
+ 
+ 	/* Extract the role and type of the fromcon for matching.
+ 	   User identity and MLS range can be variable. */
+@@ -180,6 +158,7 @@ static int get_context_order(FILE * fp,
+ 		return -1;
+ 	fromrole = context_role_get(con);
+ 	fromtype = context_type_get(con);
++	fromlevel = context_range_get(con);
+ 	if (!fromrole || !fromtype) {
+ 		context_free(con);
+ 		return -1;
+@@ -243,23 +222,75 @@ static int get_context_order(FILE * fp,
+ 		if (*end)
+ 			*end++ = 0;
+ 
+-		/* Check for a match in the reachable list. */
+-		rc = find_partialcon(reachable, nreach, start);
+-		if (rc < 0) {
+-			/* No match, skip it. */
++		/* Check whether a new context is valid */
++		if (SIZE_MAX - user_len < strlen(start) + 2) {
++			fprintf(stderr, "%s: one of partial contexts is too big\n", __FUNCTION__);
++			errno = EINVAL;
++			rc = -1;
++			goto out;
++		}
++		usercon_len = user_len + strlen(start) + 2;
++		usercon_str = malloc(usercon_len);
++		if (!usercon_str) {
++			rc = -1;
++			goto out;
++		}
++
++		/* set range from fromcon in the new usercon */
++		snprintf(usercon_str, usercon_len, "%s:%s", user, start);
++		usercon = context_new(usercon_str);
++		if (!usercon) {
++			if (errno != EINVAL) {
++				free(usercon_str);
++				rc = -1;
++				goto out;
++			}
++			fprintf(stderr,
++				"%s: can't create a context from %s, skipping\n",
++				__FUNCTION__, usercon_str);
++			free(usercon_str);
+ 			start = end;
+ 			continue;
+ 		}
++		free(usercon_str);
++		if (context_range_set(usercon, fromlevel) != 0) {
++			context_free(usercon);
++			rc = -1;
++			goto out;
++		}
++		usercon_str = context_str(usercon);
++		if (!usercon_str) {
++			context_free(usercon);
++			rc = -1;
++			goto out;
++		}
+ 
+-		/* If a match is found and the entry is not already ordered
+-		   (e.g. due to prior match in prior config file), then set
+-		   the ordering for it. */
+-		i = rc;
+-		if (ordering[i] == nreach)
+-			ordering[i] = (*nordered)++;
++		/* check whether usercon is already in reachable */
++		if (is_in_reachable(*reachable, usercon_str)) {
++			context_free(usercon);
++			start = end;
++			continue;
++		}
++		if (security_check_context(usercon_str) == 0) {
++			new_reachable = realloc(*reachable, (*nreachable + 2) * sizeof(char *));
++			if (!new_reachable) {
++				context_free(usercon);
++				rc = -1;
++				goto out;
++			}
++			*reachable = new_reachable;
++			new_reachable[*nreachable] = strdup(usercon_str);
++			if (new_reachable[*nreachable] == NULL) {
++				context_free(usercon);
++				rc = -1;
++				goto out;
++			}
++			new_reachable[*nreachable + 1] = 0;
++			*nreachable += 1;
++		}
++		context_free(usercon);
+ 		start = end;
+ 	}
+-
+ 	rc = 0;
+ 
+       out:
+@@ -313,21 +344,6 @@ static int get_failsafe_context(const char *user, char ** newcon)
+ 	return 0;
+ }
+ 
+-struct context_order {
+-	char * con;
+-	unsigned int order;
+-};
+-
+-static int order_compare(const void *A, const void *B)
+-{
+-	const struct context_order *c1 = A, *c2 = B;
+-	if (c1->order < c2->order)
+-		return -1;
+-	else if (c1->order > c2->order)
+-		return 1;
+-	return strcmp(c1->con, c2->con);
+-}
+-
+ int get_ordered_context_list_with_level(const char *user,
+ 					const char *level,
+ 					char * fromcon,
+@@ -395,11 +411,8 @@ int get_ordered_context_list(const char *user,
+ 			     char *** list)
+ {
+ 	char **reachable = NULL;
+-	unsigned int *ordering = NULL;
+-	struct context_order *co = NULL;
+-	char **ptr;
+ 	int rc = 0;
+-	unsigned int nreach = 0, nordered = 0, freefrom = 0, i;
++	unsigned nreachable = 0, freefrom = 0;
+ 	FILE *fp;
+ 	char *fname = NULL;
+ 	size_t fname_len;
+@@ -413,23 +426,6 @@ int get_ordered_context_list(const char *user,
+ 		freefrom = 1;
+ 	}
+ 
+-	/* Determine the set of reachable contexts for the user. */
+-	rc = security_compute_user(fromcon, user, &reachable);
+-	if (rc < 0)
+-		goto failsafe;
+-	nreach = 0;
+-	for (ptr = reachable; *ptr; ptr++)
+-		nreach++;
+-	if (!nreach)
+-		goto failsafe;
+-
+-	/* Initialize ordering array. */
+-	ordering = malloc(nreach * sizeof(unsigned int));
+-	if (!ordering)
+-		goto failsafe;
+-	for (i = 0; i < nreach; i++)
+-		ordering[i] = nreach;
+-
+ 	/* Determine the ordering to apply from the optional per-user config
+ 	   and from the global config. */
+ 	fname_len = strlen(user_contexts_path) + strlen(user) + 2;
+@@ -440,8 +436,8 @@ int get_ordered_context_list(const char *user,
+ 	fp = fopen(fname, "re");
+ 	if (fp) {
+ 		__fsetlocking(fp, FSETLOCKING_BYCALLER);
+-		rc = get_context_order(fp, fromcon, reachable, nreach, ordering,
+-				       &nordered);
++		rc = get_context_user(fp, fromcon, user, &reachable, &nreachable);
++
+ 		fclose(fp);
+ 		if (rc < 0 && errno != ENOENT) {
+ 			fprintf(stderr,
+@@ -454,8 +450,7 @@ int get_ordered_context_list(const char *user,
+ 	fp = fopen(selinux_default_context_path(), "re");
+ 	if (fp) {
+ 		__fsetlocking(fp, FSETLOCKING_BYCALLER);
+-		rc = get_context_order(fp, fromcon, reachable, nreach, ordering,
+-				       &nordered);
++		rc = get_context_user(fp, fromcon, user, &reachable, &nreachable);
+ 		fclose(fp);
+ 		if (rc < 0 && errno != ENOENT) {
+ 			fprintf(stderr,
+@@ -463,40 +458,19 @@ int get_ordered_context_list(const char *user,
+ 				__FUNCTION__, selinux_default_context_path());
+ 			/* Fall through */
+ 		}
+-		rc = 0;
+ 	}
+ 
+-	if (!nordered)
++	if (!nreachable)
+ 		goto failsafe;
+ 
+-	/* Apply the ordering. */
+-	co = malloc(nreach * sizeof(struct context_order));
+-	if (!co)
+-		goto failsafe;
+-	for (i = 0; i < nreach; i++) {
+-		co[i].con = reachable[i];
+-		co[i].order = ordering[i];
+-	}
+-	qsort(co, nreach, sizeof(struct context_order), order_compare);
+-	for (i = 0; i < nreach; i++)
+-		reachable[i] = co[i].con;
+-	free(co);
+-
+-	/* Only report the ordered entries to the caller. */
+-	if (nordered <= nreach) {
+-		for (i = nordered; i < nreach; i++)
+-			free(reachable[i]);
+-		reachable[nordered] = NULL;
+-		rc = nordered;
+-	}
+-
+       out:
+-	if (rc > 0)
++	if (nreachable > 0) {
+ 		*list = reachable;
++		rc = nreachable;
++	}
+ 	else
+ 		freeconary(reachable);
+ 
+-	free(ordering);
+ 	if (freefrom)
+ 		freecon(fromcon);
+ 
+@@ -519,7 +493,7 @@ int get_ordered_context_list(const char *user,
+ 		reachable = NULL;
+ 		goto out;
+ 	}
+-	rc = 1;			/* one context in the list */
++	nreachable = 1;			/* one context in the list */
+ 	goto out;
+ }
+ 
+-- 
+2.25.4
+

0010-libselinux-deprecate-security_compute_user-update-ma.patch

@@ -0,0 +1,168 @@
+From d4c22fcd5943fe35db648dee971f631d40b3eb94 Mon Sep 17 00:00:00 2001
+From: Stephen Smalley <sds@tycho.nsa.gov>
+Date: Thu, 20 Feb 2020 10:40:19 -0500
+Subject: [PATCH] libselinux: deprecate security_compute_user(), update man
+ pages
+
+commit 1f89c4e7879fcf6da5d8d1b025dcc03371f30fc9 ("libselinux: Eliminate
+use of security_compute_user()") eliminated the use of
+security_compute_user() by get_ordered_context_list().  Deprecate
+all use of security_compute_user() by updating the headers and man
+pages and logging a warning message on any calls to it.  Remove
+the example utility that called the interface. While here, also
+fix the documentation of correct usage of the user argument to these
+interfaces.
+
+Fixes: https://github.com/SELinuxProject/selinux/issues/70
+Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
+Acked-by: Petr Lautrbach <plautrba@redhat.com>
+---
+ libselinux/include/selinux/selinux.h          |  8 +++-
+ .../man/man3/get_ordered_context_list.3       | 24 +++++++++---
+ libselinux/man/man3/security_compute_av.3     |  5 ++-
+ libselinux/src/compute_user.c                 |  3 ++
+ libselinux/utils/compute_user.c               | 38 -------------------
+ 5 files changed, 31 insertions(+), 47 deletions(-)
+ delete mode 100644 libselinux/utils/compute_user.c
+
+diff --git a/libselinux/include/selinux/selinux.h b/libselinux/include/selinux/selinux.h
+index a34d54fc..a5ada324 100644
+--- a/libselinux/include/selinux/selinux.h
++++ b/libselinux/include/selinux/selinux.h
+@@ -246,8 +246,12 @@ extern int security_compute_member_raw(const char * scon,
+ 				       security_class_t tclass,
+ 				       char ** newcon);
+ 
+-/* Compute the set of reachable user contexts and set *con to refer to 
+-   the NULL-terminated array of contexts.  Caller must free via freeconary. */
++/*
++ * Compute the set of reachable user contexts and set *con to refer to
++ * the NULL-terminated array of contexts.  Caller must free via freeconary.
++ * These interfaces are deprecated.  Use get_ordered_context_list() or
++ * one of its variant interfaces instead.
++ */
+ extern int security_compute_user(const char * scon,
+ 				 const char *username,
+ 				 char *** con);
+diff --git a/libselinux/man/man3/get_ordered_context_list.3 b/libselinux/man/man3/get_ordered_context_list.3
+index e084da40..3ed14a96 100644
+--- a/libselinux/man/man3/get_ordered_context_list.3
++++ b/libselinux/man/man3/get_ordered_context_list.3
+@@ -26,14 +26,28 @@ get_ordered_context_list, get_ordered_context_list_with_level, get_default_conte
+ .BI "int get_default_type(const char *" role ", char **" type );
+ .
+ .SH "DESCRIPTION"
++
++This family of functions can be used to obtain either a prioritized list of
++all reachable security contexts for a given SELinux user or a single default
++(highest priority) context for a given SELinux user for use by login-like
++programs.  These functions takes a SELinux user identity that must
++be defined in the SELinux policy as their input, not a Linux username.
++Most callers should typically first call
++.BR getseuserbyname(3)
++to look up the SELinux user identity and level for a given
++Linux username and then invoke one of
++.BR get_ordered_context_list_with_level ()
++or
++.BR get_default_context_with_level ()
++with the returned SELinux user and level as inputs.
++
+ .BR get_ordered_context_list ()
+-invokes the 
+-.BR security_compute_user (3)
+-function to obtain the list of contexts for the specified
++obtains the list of contexts for the specified
++SELinux
+ .I user
+-that are reachable from the specified
++identity that are reachable from the specified
+ .I fromcon
+-context.  The function then orders the resulting list based on the global
++context based on the global
+ .I \%/etc/selinux/{SELINUXTYPE}/contexts/default_contexts
+ file and the per-user
+ .I \%/etc/selinux/{SELINUXTYPE}/contexts/users/<username>
+diff --git a/libselinux/man/man3/security_compute_av.3 b/libselinux/man/man3/security_compute_av.3
+index 2aade5fe..8e1f746a 100644
+--- a/libselinux/man/man3/security_compute_av.3
++++ b/libselinux/man/man3/security_compute_av.3
+@@ -97,8 +97,9 @@ instance.
+ 
+ .BR security_compute_user ()
+ is used to determine the set of user contexts that can be reached from a
+-source context. It is mainly used by
+-.BR get_ordered_context_list ().
++source context. This function is deprecated; use
++.BR get_ordered_context_list (3)
++instead.
+ 
+ .BR security_get_initial_context ()
+ is used to get the context of a kernel initial security identifier specified by 
+diff --git a/libselinux/src/compute_user.c b/libselinux/src/compute_user.c
+index 401fd107..0f55de84 100644
+--- a/libselinux/src/compute_user.c
++++ b/libselinux/src/compute_user.c
+@@ -8,6 +8,7 @@
+ #include "selinux_internal.h"
+ #include "policy.h"
+ #include <limits.h>
++#include "callbacks.h"
+ 
+ int security_compute_user_raw(const char * scon,
+ 			      const char *user, char *** con)
+@@ -24,6 +25,8 @@ int security_compute_user_raw(const char * scon,
+ 		return -1;
+ 	}
+ 
++	selinux_log(SELINUX_WARNING, "Direct use of security_compute_user() is deprecated, switch to get_ordered_context_list()\n");
++
+ 	if (! scon) {
+ 		errno=EINVAL;
+ 		return -1;
+diff --git a/libselinux/utils/compute_user.c b/libselinux/utils/compute_user.c
+deleted file mode 100644
+index cae62b26..00000000
+--- a/libselinux/utils/compute_user.c
++++ /dev/null
+@@ -1,38 +0,0 @@
+-#include <unistd.h>
+-#include <sys/types.h>
+-#include <fcntl.h>
+-#include <stdio.h>
+-#include <stdlib.h>
+-#include <errno.h>
+-#include <string.h>
+-#include <ctype.h>
+-#include <selinux/selinux.h>
+-
+-int main(int argc, char **argv)
+-{
+-	char **buf, **ptr;
+-	int ret;
+-
+-	if (argc != 3) {
+-		fprintf(stderr, "usage:  %s context user\n", argv[0]);
+-		exit(1);
+-	}
+-
+-	ret = security_compute_user(argv[1], argv[2], &buf);
+-	if (ret < 0) {
+-		fprintf(stderr, "%s:  security_compute_user(%s,%s) failed\n",
+-			argv[0], argv[1], argv[2]);
+-		exit(2);
+-	}
+-
+-	if (!buf[0]) {
+-		printf("none\n");
+-		exit(0);
+-	}
+-
+-	for (ptr = buf; *ptr; ptr++) {
+-		printf("%s\n", *ptr);
+-	}
+-	freeconary(buf);
+-	exit(0);
+-}
+-- 
+2.25.4
+

EMPTY

@@ -1 +0,0 @@
- 

selinuxconlist.8

@@ -0,0 +1,18 @@
+.TH "selinuxconlist" "1" "7 May 2008" "dwalsh@redhat.com" "SELinux Command Line documentation"
+.SH "NAME"
+selinuxconlist \- list all SELinux context reachable for user
+.SH "SYNOPSIS"
+.B selinuxconlist [-l level] user [context]
+
+.SH "DESCRIPTION"
+.B selinuxconlist
+reports the list of context reachable for user from the current context or specified context
+
+.B \-l level
+mcs/mls level
+
+.SH AUTHOR	
+This manual page was written by Dan Walsh <dwalsh@redhat.com>.
+
+.SH "SEE ALSO"
+secon(8), selinuxdefcon(8)

selinuxdefcon.8

@@ -0,0 +1,24 @@
+.TH "selinuxdefcon" "1" "7 May 2008" "dwalsh@redhat.com" "SELinux Command Line documentation"
+.SH "NAME"
+selinuxdefcon \- report default SELinux context for user 
+
+.SH "SYNOPSIS"
+.B selinuxdefcon [-l level] user fromcon
+
+.SH "DESCRIPTION"
+.B selinuxdefcon
+reports the default context for the specified user from the specified context
+
+.B \-l level
+mcs/mls level
+
+.SH EXAMPLE
+# selinuxdefcon jsmith system_u:system_r:sshd_t:s0
+.br
+unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
+
+.SH AUTHOR	
+This manual page was written by Dan Walsh <dwalsh@redhat.com>.
+
+.SH "SEE ALSO"
+secon(8), selinuxconlist(8)

sources

@@ -0,0 +1 @@
+SHA512 (libselinux-2.9.tar.gz) = 727b211d09f374d45aa3fa4dec7fd5463dfdcf5aaa47f7fcaccee51fb74896c3aa1a6f0bac9cdd47ebe4929effff13f66f5f70447b27b783dca5f7b1576d30d0