- Add audit2why python bindings

2008-01-10 19:01:20 +00:00 · 2008-01-10 19:01:20 +00:00 · 831e63b413
commit 831e63b413
parent d189708d7a
2 changed files with 561 additions and 59 deletions
--- a/libselinux-rhat.patch
+++ b/libselinux-rhat.patch
@ -1,6 +1,6 @@
 diff --exclude-from=exclude -N -u -r nsalibselinux/include/selinux/av_permissions.h libselinux-2.0.46/include/selinux/av_permissions.h
 --- nsalibselinux/include/selinux/av_permissions.h	2007-11-15 15:52:46.000000000 -0500
-+++ libselinux-2.0.46/include/selinux/av_permissions.h	2008-01-03 15:23:31.000000000 -0500
+++ libselinux-2.0.46/include/selinux/av_permissions.h	2008-01-10 13:25:57.000000000 -0500
@@ -900,6 +900,8 @@
 #define PACKET__SEND                              0x00000001UL
 #define PACKET__RECV                              0x00000002UL
@ -10,10 +10,515 @@ diff --exclude-from=exclude -N -u -r nsalibselinux/include/selinux/av_permission
 #define KEY__VIEW                                 0x00000001UL
 #define KEY__READ                                 0x00000002UL
 #define KEY__WRITE                                0x00000004UL
 diff --exclude-from=exclude -N -u -r nsalibselinux/src/audit2why.c libselinux-2.0.46/src/audit2why.c
 --- nsalibselinux/src/audit2why.c	1969-12-31 19:00:00.000000000 -0500
 +++ libselinux-2.0.46/src/audit2why.c	2008-01-10 13:31:17.000000000 -0500
@@ -0,0 +1,462 @@
 +#include <unistd.h>
 +#include <stdlib.h>
 +#include <ctype.h>
 +#include <errno.h>
 +#include <getopt.h>
 +#include <limits.h>
 +#include <sepol/sepol.h>
 +#include <sepol/policydb/services.h>
 +#include <Python.h>
 +#include <selinux/selinux.h>
 +
 +#define UNKNOWN -1
 +#define BADSCON -2
 +#define BADTCON -3
 +#define BADTCLASS -4
 +#define BADPERM -5
 +#define BADCOMPUTE -6
 +#define NOPOLICY -7
 +#define ALLOW 0
 +#define DONTAUDIT 1
 +#define TERULE 2
 +#define BOOLEAN 3
 +#define CONSTRAINT 4
 +#define RBAC 5
 +
 +struct boolean_t {
 +	char *name;
 +	int active;
 +};
 +
 +static struct boolean_t **boollist = NULL;
 +static int boolcnt = 0;
 +
 +struct avc_t {
 +	sepol_handle_t *handle;
 +	policydb_t policydb;
 +	sepol_security_id_t ssid;
 +	sepol_security_id_t tsid;
 +	sepol_security_class_t tclass;
 +	sepol_access_vector_t av;
 +};
 +
 +static struct avc_t *avc = NULL;
 +
 +static sidtab_t sidtab;
 +
 +static int load_booleans(const sepol_bool_t * boolean,
 +			 void *arg __attribute__ ((__unused__)))
 +{
 +	boollist[boolcnt] =
 +	    (struct boolean_t *)malloc(sizeof(struct boolean_t));
 +	boollist[boolcnt]->name = strdup(sepol_bool_get_name(boolean));
 +	boollist[boolcnt]->active = sepol_bool_get_value(boolean);
 +	boolcnt++;
 +	return 0;
 +}
 +
 +static int check_booleans(struct avc_t *avc, struct boolean_t ***bools)
 +{
 +	char errormsg[PATH_MAX];
 +	struct sepol_av_decision avd;
 +	unsigned int reason;
 +	int rc;
 +	int i;
 +	sepol_bool_key_t *key = NULL;
 +	sepol_bool_t *boolean = NULL;
 +	int fcnt = 0;
 +	int *foundlist = calloc(boolcnt, sizeof(int));
 +	if (!foundlist) {
 +		PyErr_SetString( PyExc_MemoryError, "Out of memory\n");
 +		return fcnt;
 +	}
 +	for (i = 0; i < boolcnt; i++) {
 +		char *name = boollist[i]->name;
 +		int active = boollist[i]->active;
 +		rc = sepol_bool_key_create(avc->handle, name, &key);
 +		if (rc < 0) {
 +			PyErr_SetString( PyExc_RuntimeError, 
 +					 "Could not create boolean key.\n");
 +			break;
 +		}
 +		rc = sepol_bool_query(avc->handle,
 +				      (sepol_policydb_t *) & avc->policydb,
 +				      key, &boolean);
 +
 +		if (rc < 0) {
 +			snprintf(errormsg, sizeof(errormsg), 
 +				 "Could not find boolean %s.\n", name);
 +			PyErr_SetString( PyExc_RuntimeError, errormsg);
 +			break;
 +		}
 +
 +		sepol_bool_set_value(boolean, !active);
 +
 +		rc = sepol_bool_set(avc->handle,
 +				    (sepol_policydb_t *) & avc->policydb,
 +				    key, boolean);
 +		if (rc < 0) {
 +			snprintf(errormsg, sizeof(errormsg), 
 +				 "Could not set boolean data %s.\n", name);
 +			PyErr_SetString( PyExc_RuntimeError, errormsg);
 +			break;
 +		}
 +
 +		/* Reproduce the computation. */
 +		rc = sepol_compute_av_reason(avc->ssid, avc->tsid, avc->tclass,
 +					     avc->av, &avd, &reason);
 +		if (rc < 0) {
 +			snprintf(errormsg, sizeof(errormsg), 
 +				 "Error during access vector computation, skipping...");
 +			PyErr_SetString( PyExc_RuntimeError, errormsg);
 +
 +			sepol_bool_free(boolean);
 +			break;
 +		} else {
 +			if (!reason) {
 +				foundlist[fcnt] = i;
 +				fcnt++;
 +			}
 +			sepol_bool_set_value((sepol_bool_t *) boolean, active);
 +			rc = sepol_bool_set(avc->handle,
 +					    (sepol_policydb_t *) & avc->
 +					    policydb, key,
 +					    (sepol_bool_t *) boolean);
 +			if (rc < 0) {
 +				snprintf(errormsg, sizeof(errormsg), 
 +					 "Could not set boolean data %s.\n",
 +					 name);
 +			
 +				PyErr_SetString( PyExc_RuntimeError, errormsg);
 +				break;
 +			}
 +		}
 +		sepol_bool_free(boolean);
 +		sepol_bool_key_free(key);
 +		key = NULL;
 +		boolean = NULL;
 +	}
 +	if (key)
 +		sepol_bool_key_free(key);
 +
 +	if (boolean)
 +		sepol_bool_free(boolean);
 +
 +	if (fcnt > 0) {
 +		*bools = (struct boolean_t **)
 +			calloc(sizeof(struct boolean_t), fcnt + 1);
 +		struct boolean_t *b = (struct boolean_t *) *bools;
 +		for (i = 0; i < fcnt; i++) {
 +			int ctr = foundlist[i];
 +			b[i].name = strdup(boollist[ctr]->name);
 +			b[i].active = !boollist[ctr]->active;
 +		}
 +	}
 +	free(foundlist);
 +	return fcnt;
 +}
 +
 +static PyObject *finish(PyObject *self __attribute__((unused)), PyObject *args) {
 +	PyObject *result = 0;
 +  
 +	if (PyArg_ParseTuple(args,(char *)":finish")) {
 +		int i = 0;
 +		for (i = 0; i < boolcnt; i++) {
 +			free(boollist[i]->name);
 +			free(boollist[i]);
 +		}
 +		free(boollist);
 +		sepol_sidtab_shutdown(&sidtab);
 +		sepol_sidtab_destroy(&sidtab);
 +		policydb_destroy(&avc->policydb);
 +		sepol_handle_destroy(avc->handle);
 +		free(avc);
 +		avc = NULL;
 +		boollist = NULL;
 +		boolcnt = 0;
 +	  
 +		/* Boilerplate to return "None" */
 +		Py_RETURN_NONE;
 +	}
 +	return result;
 +}
 +
 +
 +static int __policy_init(const char *init_path)
 +{
 +	FILE *fp;
 +	int vers = 0;
 +	char path[PATH_MAX];
 +	char errormsg[PATH_MAX];
 +	struct policy_file pf;
 +	int rc;
 +	unsigned int cnt;
 +
 +	if (init_path) {
 +		strncpy(path, init_path, PATH_MAX);
 +		fp = fopen(path, "r");
 +		if (!fp) {
 +			snprintf(errormsg, sizeof(errormsg), 
 +				 "unable to open %s:  %s\n",
 +				 path, strerror(errno));
 +			PyErr_SetString( PyExc_ValueError, errormsg);
 +			return 0;    // trigger exception
 +		}
 +	} else {
 +		vers = security_policyvers();
 +		if (vers < 0) {
 +			snprintf(errormsg, sizeof(errormsg), 
 +				 "Could not get policy version:  %s\n",
 +				 strerror(errno));
 +			PyErr_SetString( PyExc_ValueError, errormsg);
 +			return 1;
 +		}
 +		snprintf(path, PATH_MAX, "%s.%d",
 +			 selinux_binary_policy_path(), vers);
 +		fp = fopen(path, "r");
 +		while (!fp && errno == ENOENT && --vers) {
 +			snprintf(path, PATH_MAX, "%s.%d",
 +				 selinux_binary_policy_path(), vers);
 +			fp = fopen(path, "r");
 +		}
 +		if (!fp) {
 +			snprintf(errormsg, sizeof(errormsg), 
 +				 "unable to open %s.%d:  %s\n",
 +				 selinux_binary_policy_path(),
 +				 security_policyvers(), strerror(errno));
 +			PyErr_SetString( PyExc_ValueError, errormsg);
 +			return 1;
 +		}
 +	}
 +
 +	avc = calloc(sizeof(struct avc_t), 1);
 +	if (!avc) {
 +		PyErr_SetString( PyExc_MemoryError, "Out of memory\n");
 +		return 1;
 +	}
 +
 +	/* Set up a policydb directly so that we can mutate it later
 +	   for booleans and user settings.  Otherwise we would just use
 +	   sepol_set_policydb_from_file() here. */
 +	pf.fp = fp;
 +	pf.type = PF_USE_STDIO;
 +	if (policydb_init(&avc->policydb)) {
 +		snprintf(errormsg, sizeof(errormsg), 
 +			 "policydb_init failed: %s\n", strerror(errno));
 +		PyErr_SetString( PyExc_RuntimeError, errormsg);
 +		fclose(fp);
 +		return 1;
 +	}
 +	if (policydb_read(&avc->policydb, &pf, 0)) {
 +		snprintf(errormsg, sizeof(errormsg), 
 +			 "invalid binary policy %s\n", path);
 +		PyErr_SetString( PyExc_ValueError, errormsg);
 +		fclose(fp);
 +		return 1;
 +	}
 +	fclose(fp);
 +	sepol_set_policydb(&avc->policydb);
 +	if (!init_path) {
 +		/* If they didn't specify a full path of a binary policy file,
 +		   then also try loading any boolean settings and user
 +		   definitions from the active locations.  Otherwise,
 +		   they can use genpolbools and genpolusers to build a
 +		   binary policy file that includes any desired settings
 +		   and then apply audit2why -p to the resulting file. 
 +		   Errors are non-fatal as such settings are optional. */
 +		sepol_debug(0);
 +		(void)sepol_genbools_policydb(&avc->policydb,
 +					      selinux_booleans_path());
 +		(void)sepol_genusers_policydb(&avc->policydb,
 +					      selinux_users_path());
 +	}
 +	avc->handle = sepol_handle_create();
 +
 +	rc = sepol_bool_count(avc->handle,
 +			      (sepol_policydb_t *) & avc->policydb, &cnt);
 +	if (rc < 0) {
 +		PyErr_SetString( PyExc_RuntimeError, "unable to get bool count\n");
 +		return 1;
 +	}
 +
 +	boollist = calloc(cnt, sizeof(struct boolean_t));
 +	if (!boollist) {
 +		PyErr_SetString( PyExc_MemoryError, "Out of memory\n");
 +		return 1;
 +	}
 +
 +	sepol_bool_iterate(avc->handle,
 +			   (const sepol_policydb_t *)&avc->policydb,
 +			   load_booleans, (void *)NULL);
 +
 +	/* Initialize the sidtab for subsequent use by sepol_context_to_sid
 +	   and sepol_compute_av_reason. */
 +	rc = sepol_sidtab_init(&sidtab);
 +	if (rc < 0) {
 +		PyErr_SetString( PyExc_RuntimeError, "unable to init sidtab\n");
 +		free(boollist);
 +		return 1;
 +	}
 +	sepol_set_sidtab(&sidtab);
 +	return 0;
 +}
 +
 +static PyObject *init(PyObject *self __attribute__((unused)), PyObject *args) {
 +  int result;
 +  char *init_path=NULL;
 +  if (PyArg_ParseTuple(args,(char *)"|s:policy_init",&init_path)) 
 +	  result = __policy_init(init_path);
 +  return Py_BuildValue("i", result);
 +}
 +
 +#define RETURN(X) \
 +	PyList_SetItem(result, 0, Py_BuildValue("i", X));	\
 +	return result;						
 +
 +static PyObject *analyze(PyObject *self __attribute__((unused)) , PyObject *args) {
 +	security_context_t scon; 
 +	security_context_t tcon;
 +	char *tclassstr; 
 +	PyObject *listObj;
 +	PyObject *strObj;
 +	int numlines;
 +	struct boolean_t **bools;
 +	unsigned int reason;
 +	sepol_security_id_t ssid, tsid;
 +	sepol_security_class_t tclass;
 +	sepol_access_vector_t perm, av;
 +	struct sepol_av_decision avd;
 +	int rc;
 +	int i=0;
 +	PyObject *result = PyList_New(2);
 +	if (!result) return NULL;
 +	Py_INCREF(Py_None);
 +	PyList_SetItem(result, 1, Py_None);
 +
 +	if (!PyArg_ParseTuple(args,(char *)"sssO!:audit2why",&scon,&tcon,&tclassstr,&PyList_Type, &listObj)) 
 +		return NULL;
 +  
 +	/* get the number of lines passed to us */
 +	numlines = PyList_Size(listObj);
 +
 +	/* should raise an error here. */
 +	if (numlines < 0)	return NULL; /* Not a list */
 +
 +	if (!avc) {
 +		RETURN(NOPOLICY)
 +	}
 +
 +	rc = sepol_context_to_sid(scon, strlen(scon) + 1, &ssid);
 +	if (rc < 0) {
 +		RETURN(BADSCON)
 +	}
 +	rc = sepol_context_to_sid(tcon, strlen(tcon) + 1, &tsid);
 +	if (rc < 0) {
 +		RETURN(BADTCON)
 +	}
 +	tclass = string_to_security_class(tclassstr);
 +	if (!tclass) {
 +		RETURN(BADTCLASS)
 +	}
 +	/* Convert the permission list to an AV. */
 +	av = 0;
 +
 +	/* iterate over items of the list, grabbing strings, and parsing
 +	   for numbers */
 +	for (i=0; i<numlines; i++){
 +		char *permstr;
 +
 +		/* grab the string object from the next element of the list */
 +		strObj = PyList_GetItem(listObj, i); /* Can't fail */
 +		
 +		/* make it a string */
 +		permstr = PyString_AsString( strObj );
 +		
 +		perm = string_to_av_perm(tclass, permstr);
 +		if (!perm) {
 +			RETURN(BADPERM)
 +		}
 +		av |= perm;
 +	}
 +
 +	/* Reproduce the computation. */
 +	rc = sepol_compute_av_reason(ssid, tsid, tclass, av, &avd, &reason);
 +	if (rc < 0) {
 +		RETURN(BADCOMPUTE)
 +	}
 +
 +	if (!reason) {
 +		RETURN(ALLOW)
 +	}
 +	if (reason & SEPOL_COMPUTEAV_TE) {
 +		avc->ssid = ssid;
 +		avc->tsid = tsid;
 +		avc->tclass = tclass;
 +		avc->av = av;
 +		if (check_booleans(avc, &bools) == 0) {
 +			if (av & ~avd.auditdeny) {
 +				RETURN(DONTAUDIT)
 +			} else {
 +				RETURN(TERULE)
 +			}
 +		} else {
 +			PyList_SetItem(result, 0, Py_BuildValue("i", BOOLEAN));
 +			struct boolean_t *b=(struct boolean_t *) bools;
 +			int len=0;
 +			while (b->name) {
 +				len++; b++;
 +			}
 +			b = (struct boolean_t *) bools;
 +			PyObject *boollist = PyList_New(len);
 +			len=0;
 +			while(b->name) {
 +				PyObject *bool = PyList_New(2);
 +				PyList_SetItem(bool, 0, PyString_FromString(b->name));
 +				PyList_SetItem(bool, 1, Py_BuildValue("i", b->active));
 +				PyList_SetItem(boollist, len++, bool);
 +				b++;
 +			}
 +			free(bools);
 +			PyList_SetItem(result, 1, boollist);
 +			return result;
 +		}
 +	}
 +
 +	if (reason & SEPOL_COMPUTEAV_CONS) {
 +		RETURN(CONSTRAINT);
 +	}
 +
 +	if (reason & SEPOL_COMPUTEAV_RBAC) {
 +		RETURN(RBAC)
 +	}
 +        RETURN(BADCOMPUTE)
 +}
 +
 +static PyMethodDef audit2whyMethods[] = {
 +    {"init",  init, METH_VARARGS,
 +     "Initialize policy database."},
 +    {"analyze",  analyze, METH_VARARGS,
 +     "Analyze AVC."},
 +    {"finish",  finish, METH_VARARGS,
 +     "Finish using policy, free memory."},
 +    {NULL, NULL, 0, NULL}        /* Sentinel */
 +};
 +
 +PyMODINIT_FUNC
 +initaudit2why(void)
 +{
 +	PyObject *m = Py_InitModule("audit2why", audit2whyMethods);
 +	PyModule_AddIntConstant(m,"UNKNOWN", UNKNOWN);
 +	PyModule_AddIntConstant(m,"BADSCON", BADSCON);
 +	PyModule_AddIntConstant(m,"BADTCON", BADTCON);
 +	PyModule_AddIntConstant(m,"BADTCLASS", BADTCLASS);
 +	PyModule_AddIntConstant(m,"BADPERM", BADPERM);
 +	PyModule_AddIntConstant(m,"BADCOMPUTE", BADCOMPUTE);
 +	PyModule_AddIntConstant(m,"NOPOLICY", NOPOLICY);
 +	PyModule_AddIntConstant(m,"ALLOW", ALLOW);
 +	PyModule_AddIntConstant(m,"DONTAUDIT", DONTAUDIT);
 +	PyModule_AddIntConstant(m,"TERULE", TERULE);
 +	PyModule_AddIntConstant(m,"BOOLEAN", BOOLEAN);
 +	PyModule_AddIntConstant(m,"CONSTRAINT", CONSTRAINT);
 +	PyModule_AddIntConstant(m,"RBAC", RBAC);
 +}
 diff --exclude-from=exclude -N -u -r nsalibselinux/src/Makefile libselinux-2.0.46/src/Makefile
 --- nsalibselinux/src/Makefile	2007-09-26 19:37:45.000000000 -0400
-+++ libselinux-2.0.46/src/Makefile	2008-01-05 08:19:27.000000000 -0500
+++ libselinux-2.0.46/src/Makefile	2008-01-10 13:25:57.000000000 -0500
-@@ -77,14 +77,14 @@
+@@ -18,6 +18,7 @@
 SWIGSO=_selinux.so
 SWIGFILES=$(SWIGSO) selinux.py 
 LIBSO=$(TARGET).$(LIBVERSION)
 +AUDIT2WHYSO=audit2why.so
 ifeq ($(DISABLE_AVC),y)
 	UNUSED_SRCS+=avc.c avc_internal.c avc_sidtab.c mapping.c stringrep.c checkAccess.c
@@ -28,7 +29,7 @@
 ifeq ($(DISABLE_RPM),y)
 	UNUSED_SRCS+=rpm.c
 endif
 -SRCS= $(filter-out $(UNUSED_SRCS), $(filter-out $(SWIGCOUT),$(wildcard *.c)))
 +SRCS= $(filter-out $(UNUSED_SRCS), $(filter-out audit2why.c $(SWIGCOUT),$(wildcard *.c)))
 OBJS= $(patsubst %.c,%.o,$(SRCS))
 LOBJS= $(patsubst %.c,%.lo,$(SRCS))
@@ -47,7 +48,7 @@
 all: $(LIBA) $(LIBSO) 
 -pywrap: all $(SWIGSO)
 +pywrap: all $(SWIGSO) $(AUDIT2WHYSO)
 $(LIBA):  $(OBJS)
 	$(AR) rcs $@ $^
@@ -63,6 +64,12 @@
 	$(CC) $(CFLAGS) $(LDFLAGS) -shared -o $@ $^ -ldl -L$(LIBDIR) -Wl,-soname,$(LIBSO),-z,defs,-z,relro
 	ln -sf $@ $(TARGET) 
 +audit2why.lo: audit2why.c
 +	$(CC) $(CFLAGS) -I$(PYINC) -fPIC -DSHARED -c -o $@ $<
 +
 +$(AUDIT2WHYSO): audit2why.lo
 +	$(CC) $(CFLAGS) $(LDFLAGS) -shared -o $@ $^ -L. -lselinux ${LIBDIR}/libsepol.a -L$(LIBDIR) -Wl,-soname,$@
 +
 %.o:  %.c policy.h
 	$(CC) $(CFLAGS) $(TLSFLAGS) -c -o $@ $<
@@ -77,20 +84,21 @@
 install: all 
 	test -d $(LIBDIR) || install -m 755 -d $(LIBDIR)
@ -23,16 +528,25 @@ diff --exclude-from=exclude -N -u -r nsalibselinux/src/Makefile libselinux-2.0.4
 	cd $(LIBDIR) && ln -sf ../../`basename $(SHLIBDIR)`/$(LIBSO) $(TARGET)
 install-pywrap: pywrap
- 	test -d $(PYTHONLIBDIR)/site-packages || install -m 755 -d $(PYTHONLIBDIR)/site-packages
+-	test -d $(PYTHONLIBDIR)/site-packages || install -m 755 -d $(PYTHONLIBDIR)/site-packages
 -	install -m 755 $(SWIGFILES) $(PYTHONLIBDIR)/site-packages
-+	install -m 755 $(SWIGSO) $(PYTHONLIBDIR)/site-packages
+	test -d $(PYTHONLIBDIR)/site-packages || install -m 755 -d $(PYTHONLIBDIR)/site-packages/selinux
-+	install -m 644  selinux.py $(PYTHONLIBDIR)/site-packages
+	install -m 755 $(SWIGSO) $(PYTHONLIBDIR)/site-packages/selinux
 +	install -m 755 $(AUDIT2WHYSO) $(PYTHONLIBDIR)/site-packages/selinux
 +	install -m 644  selinux.py $(PYTHONLIBDIR)/site-packages/selinux/__init_.py
 relabel:
 	/sbin/restorecon $(SHLIBDIR)/$(LIBSO)
 clean: 
 -	-rm -f $(OBJS) $(LOBJS) $(LIBA) $(LIBSO) $(SWIGLOBJ) $(SWIGSO) $(TARGET) 
 +	-rm -f $(OBJS) $(LOBJS) $(LIBA) $(LIBSO) $(SWIGLOBJ) $(SWIGSO) $(TARGET) $(AUDIT2WHYSO) *.o *.lo *~
 distclean: clean
 	rm -f $(SWIGCOUT) $(SWIGFILES)
 diff --exclude-from=exclude -N -u -r nsalibselinux/src/matchpathcon.c libselinux-2.0.46/src/matchpathcon.c
 --- nsalibselinux/src/matchpathcon.c	2007-09-28 09:48:58.000000000 -0400
-+++ libselinux-2.0.46/src/matchpathcon.c	2008-01-03 15:23:32.000000000 -0500
+++ libselinux-2.0.46/src/matchpathcon.c	2008-01-10 13:25:57.000000000 -0500
@@ -2,6 +2,7 @@
 #include <string.h>
 #include <errno.h>
@ -52,7 +566,7 @@ diff --exclude-from=exclude -N -u -r nsalibselinux/src/matchpathcon.c libselinux
 diff --exclude-from=exclude -N -u -r nsalibselinux/src/selinux.py libselinux-2.0.46/src/selinux.py
 --- nsalibselinux/src/selinux.py	2007-10-05 13:09:54.000000000 -0400
-+++ libselinux-2.0.46/src/selinux.py	2008-01-08 05:00:39.000000000 -0500
+++ libselinux-2.0.46/src/selinux.py	2008-01-10 13:26:25.000000000 -0500
@@ -1,5 +1,5 @@
 # This file was automatically generated by SWIG (http://www.swig.org).
 -# Version 1.3.31
@ -60,21 +574,29 @@ diff --exclude-from=exclude -N -u -r nsalibselinux/src/selinux.py libselinux-2.0
 #
 # Don't modify this file, modify the SWIG interface instead.
 # This file is compatible with both classic and new-style classes.
 Binary files nsalibselinux/src/selinux.pyc and libselinux-2.0.46/src/selinux.pyc differ
 diff --exclude-from=exclude -N -u -r nsalibselinux/src/selinuxswig.i libselinux-2.0.46/src/selinuxswig.i
 --- nsalibselinux/src/selinuxswig.i	2007-10-01 09:54:35.000000000 -0400
-+++ libselinux-2.0.46/src/selinuxswig.i	2008-01-08 05:00:22.000000000 -0500
+++ libselinux-2.0.46/src/selinuxswig.i	2008-01-10 13:25:57.000000000 -0500
-@@ -10,6 +10,7 @@
+@@ -5,11 +5,16 @@
 %module selinux
 %{
 	#include "selinux/selinux.h"
 +	#include "../include/selinux/selinux.h"
 +	#include "../include/selinux/get_default_type.h"
 +	#include "../include/selinux/get_context_list.h"
 %}
 %apply int *OUTPUT { int *enforce };
 %apply int *OUTPUT { size_t * };
 %typedef unsigned mode_t;
 +%typedef unsigned pid_t;
 +%typedef char * security_contextx_t;
 %typemap(in, numinputs=0) (char ***names, int *len) (char **temp1, int temp2) {
 	$1 = &temp1;
 diff --exclude-from=exclude -N -u -r nsalibselinux/src/selinuxswig_wrap.c libselinux-2.0.46/src/selinuxswig_wrap.c
 --- nsalibselinux/src/selinuxswig_wrap.c	2007-10-05 13:09:54.000000000 -0400
-+++ libselinux-2.0.46/src/selinuxswig_wrap.c	2008-01-08 05:00:39.000000000 -0500
+++ libselinux-2.0.46/src/selinuxswig_wrap.c	2008-01-10 13:26:25.000000000 -0500
@@ -1,6 +1,6 @@
 /* ----------------------------------------------------------------------------
  * This file was automatically generated by SWIG (http://www.swig.org).
@ -208,7 +730,17 @@ diff --exclude-from=exclude -N -u -r nsalibselinux/src/selinuxswig_wrap.c libsel
 #define SWIG_VERSION SWIGVERSION
-@@ -2577,14 +2584,12 @@
+@@ -2496,6 +2503,9 @@
 	#include "selinux/selinux.h"
 +	#include "../include/selinux/selinux.h"
 +	#include "../include/selinux/get_default_type.h"
 +	#include "../include/selinux/get_context_list.h"
   #define SWIG_From_long   PyInt_FromLong 
@@ -2577,14 +2587,12 @@
 #include <limits.h>
@ -229,7 +761,7 @@ diff --exclude-from=exclude -N -u -r nsalibselinux/src/selinuxswig_wrap.c libsel
 #endif
-@@ -2669,13 +2674,18 @@
+@@ -2669,13 +2677,18 @@
 SWIGINTERN int
@ -252,7 +784,7 @@ diff --exclude-from=exclude -N -u -r nsalibselinux/src/selinuxswig_wrap.c libsel
     if (!PyErr_Occurred()) {
       if (val) *val = v;
       return SWIG_OK;
-@@ -2686,7 +2696,7 @@
+@@ -2686,7 +2699,7 @@
 #ifdef SWIG_PYTHON_CAST_MODE
   {
     int dispatch = 0;
@ -261,7 +793,7 @@ diff --exclude-from=exclude -N -u -r nsalibselinux/src/selinuxswig_wrap.c libsel
     if (!PyErr_Occurred()) {
       if (val) *val = v;
       return SWIG_AddCast(SWIG_OK);
-@@ -2696,8 +2706,8 @@
+@@ -2696,8 +2709,8 @@
     if (!dispatch) {
       double d;
       int res = SWIG_AddCast(SWIG_AsVal_double (obj,&d));
@ -272,7 +804,7 @@ diff --exclude-from=exclude -N -u -r nsalibselinux/src/selinuxswig_wrap.c libsel
 	return res;
       }
     }
-@@ -2708,15 +2718,15 @@
+@@ -2708,15 +2721,15 @@
 SWIGINTERN int
@ -293,7 +825,7 @@ diff --exclude-from=exclude -N -u -r nsalibselinux/src/selinuxswig_wrap.c libsel
     }
   }  
   return res;
-@@ -2724,18 +2734,13 @@
+@@ -2724,18 +2737,13 @@
 SWIGINTERN int
@ -316,7 +848,7 @@ diff --exclude-from=exclude -N -u -r nsalibselinux/src/selinuxswig_wrap.c libsel
     if (!PyErr_Occurred()) {
       if (val) *val = v;
       return SWIG_OK;
-@@ -2746,7 +2751,7 @@
+@@ -2746,7 +2754,7 @@
 #ifdef SWIG_PYTHON_CAST_MODE
   {
     int dispatch = 0;
@ -325,7 +857,7 @@ diff --exclude-from=exclude -N -u -r nsalibselinux/src/selinuxswig_wrap.c libsel
     if (!PyErr_Occurred()) {
       if (val) *val = v;
       return SWIG_AddCast(SWIG_OK);
-@@ -2756,8 +2761,8 @@
+@@ -2756,8 +2764,8 @@
     if (!dispatch) {
       double d;
       int res = SWIG_AddCast(SWIG_AsVal_double (obj,&d));
@ -336,7 +868,7 @@ diff --exclude-from=exclude -N -u -r nsalibselinux/src/selinuxswig_wrap.c libsel
 	return res;
       }
     }
-@@ -2768,15 +2773,15 @@
+@@ -2768,15 +2776,15 @@
 SWIGINTERN int
@ -357,7 +889,7 @@ diff --exclude-from=exclude -N -u -r nsalibselinux/src/selinuxswig_wrap.c libsel
     }
   }  
   return res;
-@@ -2986,24 +2991,18 @@
+@@ -2986,24 +2994,18 @@
   pid_t arg1 ;
   security_context_t *arg2 = (security_context_t *) 0 ;
   int result;
@ -389,7 +921,7 @@ diff --exclude-from=exclude -N -u -r nsalibselinux/src/selinuxswig_wrap.c libsel
   result = (int)getpidcon(arg1,arg2);
   resultobj = SWIG_From_int((int)(result));
   if (*arg2) {
-@@ -3025,24 +3024,18 @@
+@@ -3025,24 +3027,18 @@
   pid_t arg1 ;
   security_context_t *arg2 = (security_context_t *) 0 ;
   int result;
@ -421,7 +953,7 @@ diff --exclude-from=exclude -N -u -r nsalibselinux/src/selinuxswig_wrap.c libsel
   result = (int)getpidcon_raw(arg1,arg2);
   resultobj = SWIG_From_int((int)(result));
   if (*arg2) {
-@@ -8149,7 +8142,7 @@
+@@ -8149,7 +8145,7 @@
 /* -------- TYPE CONVERSION AND EQUIVALENCE RULES (BEGIN) -------- */
 static swig_type_info _swigt__p_SELboolean = {"_p_SELboolean", "SELboolean *", 0, 0, (void*)0, 0};
@ -430,7 +962,7 @@ diff --exclude-from=exclude -N -u -r nsalibselinux/src/selinuxswig_wrap.c libsel
 static swig_type_info _swigt__p_char = {"_p_char", "char *", 0, 0, (void*)0, 0};
 static swig_type_info _swigt__p_f_int_p_q_const__char_v_______int = {"_p_f_int_p_q_const__char_v_______int", "int (*)(int,char const *,...)", 0, 0, (void*)0, 0};
 static swig_type_info _swigt__p_f_p_p_char__int = {"_p_f_p_p_char__int", "int (*)(char **)|int (*)(security_context_t *)", 0, 0, (void*)0, 0};
-@@ -8158,12 +8151,11 @@
+@@ -8158,12 +8154,11 @@
 static swig_type_info _swigt__p_int = {"_p_int", "int *", 0, 0, (void*)0, 0};
 static swig_type_info _swigt__p_p_char = {"_p_p_char", "char **|security_context_t *", 0, 0, (void*)0, 0};
 static swig_type_info _swigt__p_p_p_char = {"_p_p_p_char", "char ***|security_context_t **", 0, 0, (void*)0, 0};
@ -448,7 +980,7 @@ diff --exclude-from=exclude -N -u -r nsalibselinux/src/selinuxswig_wrap.c libsel
 static swig_type_info *swig_type_initial[] = {
   &_swigt__p_SELboolean,
-@@ -8176,7 +8168,6 @@
+@@ -8176,7 +8171,6 @@
   &_swigt__p_int,
   &_swigt__p_p_char,
   &_swigt__p_p_p_char,
@ -456,7 +988,7 @@ diff --exclude-from=exclude -N -u -r nsalibselinux/src/selinuxswig_wrap.c libsel
   &_swigt__p_security_class_mapping,
   &_swigt__p_selinux_callback,
   &_swigt__p_selinux_opt,
-@@ -8194,7 +8185,6 @@
+@@ -8194,7 +8188,6 @@
 static swig_cast_info _swigc__p_int[] = {  {&_swigt__p_int, 0, 0, 0},{0, 0, 0, 0}};
 static swig_cast_info _swigc__p_p_char[] = {  {&_swigt__p_p_char, 0, 0, 0},{0, 0, 0, 0}};
 static swig_cast_info _swigc__p_p_p_char[] = {  {&_swigt__p_p_p_char, 0, 0, 0},{0, 0, 0, 0}};
@ -464,7 +996,7 @@ diff --exclude-from=exclude -N -u -r nsalibselinux/src/selinuxswig_wrap.c libsel
 static swig_cast_info _swigc__p_security_class_mapping[] = {  {&_swigt__p_security_class_mapping, 0, 0, 0},{0, 0, 0, 0}};
 static swig_cast_info _swigc__p_selinux_callback[] = {  {&_swigt__p_selinux_callback, 0, 0, 0},{0, 0, 0, 0}};
 static swig_cast_info _swigc__p_selinux_opt[] = {  {&_swigt__p_selinux_opt, 0, 0, 0},{0, 0, 0, 0}};
-@@ -8212,7 +8202,6 @@
+@@ -8212,7 +8205,6 @@
   _swigc__p_int,
   _swigc__p_p_char,
   _swigc__p_p_p_char,
@ -472,32 +1004,3 @@ diff --exclude-from=exclude -N -u -r nsalibselinux/src/selinuxswig_wrap.c libsel
   _swigc__p_security_class_mapping,
   _swigc__p_selinux_callback,
   _swigc__p_selinux_opt,
 diff --exclude-from=exclude -N -u -r nsalibselinux/utils/matchpathcon.c libselinux-2.0.46/utils/matchpathcon.c
 --- nsalibselinux/utils/matchpathcon.c	2007-07-16 14:20:45.000000000 -0400
 +++ libselinux-2.0.46/utils/matchpathcon.c	2008-01-03 15:23:32.000000000 -0500
@@ -17,10 +17,24 @@
 	exit(1);
 }
 +static void
 +#ifdef __GNUC__
 +    __attribute__ ((format(printf, 1, 2)))
 +#endif
 +    myprintf(const char *fmt, ...)
 +{
 +	va_list ap;
 +	va_start(ap, fmt);
 +	vfprintf(stderr, fmt, ap);
 +	va_end(ap);
 +}
 +
 int printmatchpathcon(char *path, int header, int mode)
 {
 	char *buf;
 -	int rc = matchpathcon(path, mode, &buf);
 +	int rc;
 +	set_matchpathcon_printf(myprintf);
 +	rc = matchpathcon(path, mode, &buf);
 	if (rc < 0) {
 		fprintf(stderr, "matchpathcon(%s) failed: %s\n", path,
 			strerror(errno));
--- a/libselinux.spec
+++ b/libselinux.spec
@ -9,7 +9,7 @@ Source: http://www.nsa.gov/selinux/archives/%{name}-%{version}.tgz
 Patch: libselinux-rhat.patch
 URL: http://www.nsa.gov/selinux
-BuildRequires: libsepol-devel >= %{libsepolver} swig
+BuildRequires: python-devel libsepol-devel >= %{libsepolver} swig
 Requires: libsepol >= %{libsepolver}
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@ -32,7 +32,6 @@ decisions.  Required for any applications that use the SELinux API.
 Summary: SELinux python bindings for libselinux
 Group: Development/Libraries
 Requires: libselinux = %{version}-%{release} 
 BuildRequires: python-devel libsepol-devel  >= %{libsepolver}
 %description python
 The libselinux-python package contains the python bindings for developing