* Wed Jul 30 2014 Miroslav Grepl <mgrepl@fedoraproject.org> - 2.3-5

- Skip policy module re-link when only setting booleans.
    * patch from Stephen Smalley

libsemanage-rhat.patch

@@ -1,39 +1,89 @@
-diff --git a/libsemanage/src/genhomedircon.c b/libsemanage/src/genhomedircon.c
+diff --git a/src/direct_api.c b/src/direct_api.c
-index f3b9b5c..1aea839 100644
+index 64dc7d9..5b94725 100644
---- a/libsemanage/src/genhomedircon.c
+--- a/src/direct_api.c
-+++ b/libsemanage/src/genhomedircon.c
++++ b/src/direct_api.c
-@@ -1070,8 +1070,10 @@ int semanage_genhomedircon(semanage_handle_t * sh,
+@@ -690,7 +690,7 @@ static int semanage_direct_commit(semanage_handle_t * sh)
- 	s.fallback_user = strdup(FALLBACK_USER);
+ 	/* Declare some variables */
- 	s.fallback_user_prefix = strdup(FALLBACK_USER_PREFIX);
+ 	int modified = 0, fcontexts_modified, ports_modified,
- 	s.fallback_user_level = strdup(FALLBACK_USER_LEVEL);
+ 	    seusers_modified, users_extra_modified, dontaudit_modified,
--	if (s.fallback_user == NULL || s.fallback_user_prefix == NULL || s.fallback_user_level == NULL)
+-	    preserve_tunables_modified;
--		return STATUS_ERR;
++	    preserve_tunables_modified, bools_modified;
-+	if (s.fallback_user == NULL || s.fallback_user_prefix == NULL || s.fallback_user_level == NULL) {
+ 	dbase_config_t *users = semanage_user_dbase_local(sh);
-+		retval = STATUS_ERR;
+ 	dbase_config_t *users_base = semanage_user_base_dbase_local(sh);
-+		goto done;
+ 	dbase_config_t *pusers_base = semanage_user_base_dbase_policy(sh);
+@@ -771,11 +771,11 @@ static int semanage_direct_commit(semanage_handle_t * sh)
+ 	users_extra_modified =
+ 	    users_extra->dtable->is_modified(users_extra->dbase);
+ 	ports_modified = ports->dtable->is_modified(ports->dbase);
++	bools_modified = bools->dtable->is_modified(bools->dbase);
+ 
+ 	modified = sh->modules_modified;
+ 	modified |= ports_modified;
+ 	modified |= users->dtable->is_modified(users_base->dbase);
+-	modified |= bools->dtable->is_modified(bools->dbase);
+ 	modified |= ifaces->dtable->is_modified(ifaces->dbase);
+ 	modified |= nodes->dtable->is_modified(nodes->dbase);
+ 	modified |= dontaudit_modified;
+@@ -891,15 +891,26 @@ static int semanage_direct_commit(semanage_handle_t * sh)
+ 
+ 		/* ==================== Policydb-backed ================ */
+ 
+-		/* Create new policy object, then attach to policy databases
+-		 * that work with a policydb */
++		/* Create new policy object */
+ 		retval = semanage_expand_sandbox(sh, base, &out);
+ 		if (retval < 0)
+ 			goto cleanup;
+ 	
+ 		sepol_module_package_free(base);
+ 		base = NULL;
++	} else {
++		/* Load already linked policy */
++		retval = sepol_policydb_create(&out);
++		if (retval < 0)
++			goto cleanup;
++
++		retval = semanage_read_policydb(sh, out);
++		if (retval < 0)
++			goto cleanup;
 +	}
  
- 	if (ignoredirs) ignore_setup(ignoredirs);
++	if (sh->do_rebuild || modified || bools_modified) {
++		/* Attach to policy databases that work with a policydb. */
+ 		dbase_policydb_attach((dbase_policydb_t *) pusers_base->dbase,
+ 				      out);
+ 		dbase_policydb_attach((dbase_policydb_t *) pports->dbase, out);
+@@ -921,14 +932,7 @@ static int semanage_direct_commit(semanage_handle_t * sh)
+ 		if (retval < 0)
+ 			goto cleanup;
+ 	} else {
+-		retval = sepol_policydb_create(&out);
+-		if (retval < 0)
+-			goto cleanup;
+-
+-		retval = semanage_read_policydb(sh, out);
+-		if (retval < 0)
+-			goto cleanup;
+-		
++		/* Changes to non-kernel policy configurations only. */
+ 		if (seusers_modified || users_extra_modified) {
+ 			retval = semanage_link_base(sh, &base);
+ 			if (retval < 0)
+@@ -1007,7 +1011,7 @@ static int semanage_direct_commit(semanage_handle_t * sh)
+ 	sepol_policydb_free(out);
+ 	out = NULL;
  
-@@ -1082,15 +1084,19 @@ int semanage_genhomedircon(semanage_handle_t * sh,
+-	if (sh->do_rebuild || modified || 
- 	if (!(out = fopen(s.fcfilepath, "w"))) {
++	if (sh->do_rebuild || modified || bools_modified ||
- 		/* couldn't open output file */
+ 	    seusers_modified || fcontexts_modified || users_extra_modified) {
- 		ERR(sh, "Could not open the file_context file for writing");
+ 		retval = semanage_install_sandbox(sh);
--		return STATUS_ERR;
+ 	}
-+		retval = STATUS_ERR;
+@@ -1017,7 +1021,7 @@ static int semanage_direct_commit(semanage_handle_t * sh)
-+		goto done;
+ 		free(mod_filenames[i]);
  	}
  
- 	retval = write_context_file(&s, out);
+-	if (modified) {
- 
++	if (modified || bools_modified) {
--	fclose(out);
+ 		/* Detach from policydb, so it can be freed */
-+done:
+ 		dbase_policydb_detach((dbase_policydb_t *) pusers_base->dbase);
-+	if (out != NULL)
+ 		dbase_policydb_detach((dbase_policydb_t *) pports->dbase);
-+		fclose(out);
- 
- 	free(s.fallback_user);
- 	free(s.fallback_user_prefix);
-+	free(s.fallback_user_level);
- 	ignore_free();
- 
- 	return retval;

libsemanage.spec

@@ -7,11 +7,11 @@
 Summary: SELinux binary policy manipulation library 
 Name: libsemanage
 Version: 2.3
-Release: 4%{?dist}
+Release: 5%{?dist}
 License: LGPLv2+
 Group: System Environment/Libraries
 Source: libsemanage-%{version}.tgz
-#Patch: libsemanage-rhat.patch
+Patch: libsemanage-rhat.patch
 URL: http://oss.tresys.com/git/selinux.git
 Source1: semanage.conf
 
@@ -83,7 +83,7 @@ SELinux management applications.
 
 %prep
 %setup -q
-#%patch -p2 -b .rhat
+%patch -p1 -b .rhat
 
 %build
 # To support building the Python wrapper against multiple Python runtimes
@@ -181,6 +181,10 @@ rm -rf ${RPM_BUILD_ROOT}
 %endif # if with_python3
 
 %changelog
+* Wed Jul 30 2014 Miroslav Grepl <mgrepl@fedoraproject.org> - 2.3-5
+- Skip policy module re-link when only setting booleans.
+    * patch from Stephen Smalley
+
 * Fri Jul 18 2014 Tom Callaway <spot@fedoraproject.org> - 2.3-4
 - fix license handling