From 076ffc0b0a6c2d16fc7e38ac137b7bce3ac45143 Mon Sep 17 00:00:00 2001 From: Dan Walsh <dwalsh@redhat.com> Date: Tue, 6 Dec 2011 19:30:28 -0500 Subject: [PATCH] Upgrade to upstream * sandbox: move sandbox.conf.5 to just sandbox.5 * po: Makefile use -p to preserve times to allow multilib simultatious installs * of po files * sandbox: Allow user to specify the DPI value for X in a sandbox * sandbox: make sure the domain launching sandbox has at least 100 categories * sandbox: do not try forever to find available category set * sandbox: only complain if sandbox unable to launch * sandbox: init script run twice is still successful * semanage: print local and dristo equiv rules * semanage: check file equivalence rules for conflict * semanage: Make sure semanage fcontext -l -C prints even if local keys * are not defined * semanage: change src,dst to target,substitute for equivalency * sestatus: Updated sestatus and man pages. * Added SELinux config file man page. * add clean target to man Makefile --- policycoreutils-rhat.patch | 1001 +++++++++++++++++--------------- policycoreutils-sepolgen.patch | 26 - policycoreutils.spec | 39 +- sources | 4 +- 4 files changed, 555 insertions(+), 515 deletions(-) diff --git a/policycoreutils-rhat.patch b/policycoreutils-rhat.patch index 5c2038c..c75272a 100644 --- a/policycoreutils-rhat.patch +++ b/policycoreutils-rhat.patch @@ -1,10 +1,10 @@ diff --git a/policycoreutils/Makefile b/policycoreutils/Makefile -index 7244a36..3e95698 100644 +index 9cfe3bc..e31f7d3 100644 --- a/policycoreutils/Makefile +++ b/policycoreutils/Makefile 
@@ -1,4 +1,4 @@ --SUBDIRS = setfiles semanage load_policy newrole run_init sandbox secon audit2allow audit2why scripts sestatus semodule_package semodule semodule_link semodule_expand semodule_deps sepolgen-ifgen setsebool po -+SUBDIRS = setfiles semanage semanage/default_encoding load_policy newrole run_init sandbox secon audit2allow audit2why scripts sestatus semodule_package semodule semodule_link semodule_expand semodule_deps sepolgen-ifgen setsebool po +-SUBDIRS = setfiles semanage load_policy newrole run_init sandbox secon audit2allow audit2why scripts sestatus semodule_package semodule semodule_link semodule_expand semodule_deps sepolgen-ifgen setsebool po man ++SUBDIRS = setfiles semanage semanage/default_encoding load_policy newrole run_init sandbox secon audit2allow audit2why scripts sestatus semodule_package semodule semodule_link semodule_expand semodule_deps sepolgen-ifgen setsebool po man INOTIFYH = $(shell ls /usr/include/sys/inotify.h 2>/dev/null) @@ -42,19 +42,6 @@ index 99d0ed7..19e20a8 100644 if (set_signal_handles()) return -1; -diff --git a/policycoreutils/po/Makefile b/policycoreutils/po/Makefile -index 554262a..a52e4b0 100644 ---- a/policycoreutils/po/Makefile -+++ b/policycoreutils/po/Makefile -@@ -7,7 +7,7 @@ TOP = ../.. - # What is this package? - NLSPACKAGE = policycoreutils - POTFILE = $(NLSPACKAGE).pot --INSTALL = /usr/bin/install -c -+INSTALL = /usr/bin/install -c -p - INSTALL_DATA = $(INSTALL) -m 644 - INSTALL_DIR = /usr/bin/install -d - diff --git a/policycoreutils/restorecond/restorecond.c b/policycoreutils/restorecond/restorecond.c index 89f5d97..dfd9629 100644 --- a/policycoreutils/restorecond/restorecond.c @@ -98,241 +85,29 @@ index 9db766c..068e24c 100644 } /* main() */ diff --git a/policycoreutils/sandbox/Makefile b/policycoreutils/sandbox/Makefile -index 1c458f1..96c6795 100644 +index 7789d23..b817364 100644 --- a/policycoreutils/sandbox/Makefile 
+++ b/policycoreutils/sandbox/Makefile -@@ -23,7 +23,7 @@ install: all - install -m 644 sandbox.8 $(MANDIR)/man8/ - install -m 644 seunshare.8 $(MANDIR)/man8/ - -mkdir -p $(MANDIR)/man5 -- install -m 644 sandbox.conf.5 $(MANDIR)/man5/ -+ install -m 644 sandbox.5 $(MANDIR)/man5/sandbox.5 - -mkdir -p $(SBINDIR) - install -m 4755 seunshare $(SBINDIR)/ - -mkdir -p $(SHAREDIR) -diff --git a/policycoreutils/sandbox/sandbox b/policycoreutils/sandbox/sandbox -index 486cd4e..15a3ea3 100644 ---- a/policycoreutils/sandbox/sandbox -+++ b/policycoreutils/sandbox/sandbox -@@ -118,10 +118,30 @@ def reserve(level): - sock.bind("\0%s" % level) - fcntl.fcntl(sock.fileno(), fcntl.F_SETFD, fcntl.FD_CLOEXEC) +@@ -8,13 +8,13 @@ SBINDIR ?= $(PREFIX)/sbin + MANDIR ?= $(PREFIX)/share/man + LOCALEDIR ?= /usr/share/locale + SHAREDIR ?= $(PREFIX)/share/sandbox +-override CFLAGS += $(LDFLAGS) -I$(PREFIX)/include -DPACKAGE="\"policycoreutils\"" -Wall -Werror -Wextra +-LDLIBS += -lcgroup -lselinux -lcap-ng ++override CFLAGS += $(LDFLAGS) -I$(PREFIX)/include -DPACKAGE="\"policycoreutils\"" -Wall -Werror -Wextra -W ++LDLIBS += -lcgroup -lselinux -lcap-ng -L$(LIBDIR) ++SEUNSHARE_OBJS = seunshare.o -+def get_range(): -+ try: -+ level =selinux.getcon_raw()[1].split(":")[4] -+ lowc,highc = level.split(".") -+ low = int(lowc[1:]) -+ high = int(highc[1:])+1 -+ if high - low < 100: -+ raise IndexError -+ -+ return low,high -+ except IndexError: -+ raise ValueError(_("User account must be setup with an MCS Range with more then 100 categories")) -+ - def gen_mcs(): -- while True: -- i1 = random.randrange(0, 1024) -- i2 = random.randrange(0, 1024) -+ low, high = get_range() -+ -+ level = None -+ ctr = 0 -+ total = high-low -+ total = (total * total)/2 - total -+ while ctr < total: -+ ctr += 1 -+ i1 = random.randrange(low, high) -+ i2 = random.randrange(low, high) - if i1 == i2: - continue - if i1 > i2: -@@ -134,7 +154,10 @@ def gen_mcs(): - except socket.error: - continue - break -- return level -+ if 
level: -+ return level -+ raise ValueError(_("Failed to find any unused categories")) -+ + all: sandbox seunshare sandboxX.sh start - def fullpath(cmd): - for i in [ "/", "./", "../" ]: -@@ -160,7 +183,7 @@ class Sandbox: - self.__level = None - self.__homedir = None - self.__tmpdir = None -- -+ - def __validate_mount(self): - if self.__options.level: - if not self.__options.homedir or not self.__options.tmpdir: -@@ -278,6 +301,10 @@ sandbox [-h] [-c] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile - action="callback", callback=self.__mount_callback, - help=_("mount new home and/or tmp directory")) +-seunshare: seunshare.o $(EXTRA_OBJS) +- $(CC) $(LDFLAGS) -o $@ $^ $(LDLIBS) -L$(LIBDIR) ++seunshare: $(SEUNSHARE_OBJS) -+ parser.add_option("-d", "--dpi", -+ dest="dpi", action="store", -+ help=_("dots per inch for X display")) -+ - parser.add_option("-S", "--session", action="store_true", dest="session", - default=False, help=_("run complete desktop session within sandbox")) - -@@ -322,7 +349,7 @@ sandbox [-h] [-c] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile - - if self.__options.X_ind: - self.setype = DEFAULT_X_TYPE -- self.dpi=commands.getoutput("xrdb -query | grep dpi | /bin/cut -f 2") -+ - if self.__options.setype: - self.setype = self.__options.setype - -@@ -401,6 +428,12 @@ sandbox [-h] [-c] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile - cmds += [ "-t", self.__tmpdir, "-h", self.__homedir ] - - if self.__options.X_ind: -+ if self.__options.dpi: -+ dpi = self.__options.dpi -+ else: -+ import gtk -+ dpi = str(gtk.settings_get_default().props.gtk_xft_dpi/1024) -+ - xmodmapfile = self.__homedir + "/.xmodmap" - xd = open(xmodmapfile,"w") - subprocess.Popen(["/usr/bin/xmodmap","-pke"],stdout=xd).wait() -@@ -408,7 +441,7 @@ sandbox [-h] [-c] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile - - self.__setup_sandboxrc(self.__options.wm) - -- cmds += [ "--", SANDBOXSH, self.__options.windowsize, self.dpi ] 
-+ cmds += [ "--", SANDBOXSH, self.__options.windowsize, dpi ] - else: - cmds += [ "--" ] + self.__paths - return subprocess.Popen(cmds).wait() -diff --git a/policycoreutils/sandbox/sandbox.5 b/policycoreutils/sandbox/sandbox.5 -new file mode 100644 -index 0000000..b3ee67d ---- /dev/null -+++ b/policycoreutils/sandbox/sandbox.5 -@@ -0,0 +1,40 @@ -+.TH sandbox.conf "5" "June 2010" "sandbox.conf" "Linux System Administration" -+.SH NAME -+sandbox.conf \- user config file for the SELinux sandbox -+.SH DESCRIPTION -+.PP -+When running sandbox with the -C argument, it will be confined using control groups and a system administrator can specify how the sandbox is confined. -+ -+.PP -+Everything after "#" is ignored, as are empty lines. All arguments should be separated by and equals sign ("="). -+ -+.PP -+These keywords are allowed. -+ -+.RS -+.TP -+.B NAME -+The name of the sandbox control group. Default is "sandbox". -+ -+.TP -+.B CPUAFFINITY -+Which cpus to assign sandbox to. The default is ALL, but users can specify a comma-separated list with dashes ("-") to represent ranges. Ex: 0-2,5 -+ -+.TP -+.B MEMUSAGE -+How much memory to allow sandbox to use. The default is 80%. Users can specify either a percentage or a value in the form of a number followed by one of the suffixes K, M, G to denote kilobytes, megabytes or gigabytes respectively. Ex: 50% or 100M -+ -+.TP -+.B CPUUSAGE -+Percentage of cpu sandbox should be allowed to use. The default is 80%. Specify a value followed by a percent sign ("%"). 
Ex: 50% -+ -+ -+ -+.SH "SEE ALSO" -+.TP -+sandbox(8) -+.PP -+ -+.SH AUTHOR -+This manual page was written by -+.I Thomas Liu <tliu@fedoraproject.org> -diff --git a/policycoreutils/sandbox/sandbox.8 b/policycoreutils/sandbox/sandbox.8 -index 2b37e63..3f05c79 100644 ---- a/policycoreutils/sandbox/sandbox.8 -+++ b/policycoreutils/sandbox/sandbox.8 -@@ -3,11 +3,11 @@ - sandbox \- Run cmd under an SELinux sandbox - .SH SYNOPSIS - .B sandbox --[-C] [-c] [-l level ] [[-M | -X] -H homedir -T tempdir ] [-I includefile ] [ -W windowmanager ] [ -w windowsize ] [[-i file ]...] [ -t type ] cmd -+[-C] [-c] [ -d DPI ] [-l level ] [[-M | -X] -H homedir -T tempdir ] [-I includefile ] [ -W windowmanager ] [ -w windowsize ] [[-i file ]...] [ -t type ] cmd - - .br - .B sandbox --[-C] [-c] [-l level ] [[-M | -X] -H homedir -T tempdir ] [-I includefile ] [ -W windowmanager ] [ -w windowsize ] [[-i file ]...] [ -t type ] -S -+[-C] [-c] [ -d DPI ] [-l level ] [[-M | -X] -H homedir -T tempdir ] [-I includefile ] [ -W windowmanager ] [ -w windowsize ] [[-i file ]...] [ -t type ] -S - .br - .SH DESCRIPTION - .PP -@@ -60,6 +60,9 @@ Default to /usr/bin/matchbox-window-manager. - Create an X based Sandbox for gui apps, temporary files for - $HOME and /tmp, secondary Xserver, defaults to sandbox_x_t - .TP -+\fB\-d\fR -+Set the DPI value for the sanbox X Server. Defaults to the current X Sever DPI. -+.TP - \fB\-c\fR - Use control groups to control this copy of sandbox. Specify parameters in /etc/sysconfig/sandbox. Max memory usage and cpu usage are to be specified in percent. You can specify which CPUs to use by numbering them 0,1,2... etc. 
- .TP -diff --git a/policycoreutils/sandbox/sandbox.conf.5 b/policycoreutils/sandbox/sandbox.conf.5 -deleted file mode 100644 -index b3ee67d..0000000 ---- a/policycoreutils/sandbox/sandbox.conf.5 -+++ /dev/null -@@ -1,40 +0,0 @@ --.TH sandbox.conf "5" "June 2010" "sandbox.conf" "Linux System Administration" --.SH NAME --sandbox.conf \- user config file for the SELinux sandbox --.SH DESCRIPTION --.PP --When running sandbox with the -C argument, it will be confined using control groups and a system administrator can specify how the sandbox is confined. -- --.PP --Everything after "#" is ignored, as are empty lines. All arguments should be separated by and equals sign ("="). -- --.PP --These keywords are allowed. -- --.RS --.TP --.B NAME --The name of the sandbox control group. Default is "sandbox". -- --.TP --.B CPUAFFINITY --Which cpus to assign sandbox to. The default is ALL, but users can specify a comma-separated list with dashes ("-") to represent ranges. Ex: 0-2,5 -- --.TP --.B MEMUSAGE --How much memory to allow sandbox to use. The default is 80%. Users can specify either a percentage or a value in the form of a number followed by one of the suffixes K, M, G to denote kilobytes, megabytes or gigabytes respectively. Ex: 50% or 100M -- --.TP --.B CPUUSAGE --Percentage of cpu sandbox should be allowed to use. The default is 80%. Specify a value followed by a percent sign ("%"). Ex: 50% -- -- -- --.SH "SEE ALSO" --.TP --sandbox(8) --.PP -- --.SH AUTHOR --This manual page was written by --.I Thomas Liu <tliu@fedoraproject.org> + install: all + -mkdir -p $(BINDIR) diff --git a/policycoreutils/sandbox/sandbox.init b/policycoreutils/sandbox/sandbox.init -index d1ccdc2..b3979bf 100644 +index 8aed876..b3979bf 100644 --- a/policycoreutils/sandbox/sandbox.init +++ b/policycoreutils/sandbox/sandbox.init @@ -19,6 +19,7 @@ 
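Review bot: The `seunshare` helper that the install rule visible in the surrounding context installs setuid root (`install -m 4755 seunshare $(SBINDIR)/`) is now linked purely by make's implicit rule from `seunshare: $(SEUNSHARE_OBJS)`, and nothing in the new hunk passes PIE, RELRO or `_FORTIFY_SOURCE` for it, so unless the spec's build flags reach both `CFLAGS` and `LDFLAGS` (not visible here) the privileged binary is built without hardening. A target-local guard that does not depend on the packaging environment would be `seunshare: CFLAGS += -fPIE` and `seunshare: LDFLAGS += -pie -Wl,-z,relro,-z,now` next to the rule; `-L$(LIBDIR)` moving into `LDLIBS` is harmless, since GCC applies every `-L` to all `-l` options regardless of order. The `-W` appended to `override CFLAGS` is the legacy spelling of `-Wextra`, which the same line already passes, so it adds no warnings and can be dropped. The inner hunk's `install:` recipe continues outside this view.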
@@ -343,15 +118,6 @@ index d1ccdc2..b3979bf 100644 LOCKFILE=/var/lock/subsys/sandbox -@@ -27,7 +28,7 @@ base=${0##*/} - start() { - echo -n "Starting sandbox" - -- [ -f "$LOCKFILE" ] && return 1 -+ [ -f "$LOCKFILE" ] && return 0 - - touch $LOCKFILE - mount --make-rshared / || return $? diff --git a/policycoreutils/scripts/genhomedircon b/policycoreutils/scripts/genhomedircon index ab696a7..58b19cd 100644 --- a/policycoreutils/scripts/genhomedircon @@ -505,116 +271,495 @@ index 0000000..e2befdb + packages=["policycoreutils"], +) diff --git a/policycoreutils/semanage/semanage b/policycoreutils/semanage/semanage -index 48d7baa..2c0cfdd 100644 +index 48d7baa..f601720 100644 --- a/policycoreutils/semanage/semanage 
+++ b/policycoreutils/semanage/semanage -@@ -20,6 +20,7 @@ - # 02111-1307 USA - # - # -+import policycoreutils.default_encoding_utf8 - import sys, getopt, re - import seobject - import selinux -@@ -32,7 +33,7 @@ gettext.textdomain(PROGNAME) - try: - gettext.install(PROGNAME, - localedir="/usr/share/locale", -- unicode=False, -+ unicode=True, - codeset = 'utf-8') - except IOError: - import __builtin__ -@@ -283,11 +284,14 @@ Object-specific Options (see above): - equal = a +@@ -39,29 +39,21 @@ except IOError: + __builtin__.__dict__['_'] = unicode - if o == "--enable": -- set_action(o) -+ if disable: -+ raise ValueError(_("You can't disable and enable at the same time")) + if __name__ == '__main__': +- manageditems=[ "boolean", "login", "user", "port", "interface", "node", "fcontext"] +- action = False +- def set_action(option): +- global action +- if action: +- raise ValueError(_("%s bad option") % option) +- action = True + + def usage(message = ""): + text = _(""" + semanage [ -S store ] -i [ input_file | - ] +-semanage [ -S store ] -o [ output_file | - ] +- +-semanage login -{a|d|m|l|D|E} [-nsr] login_name | %groupname +-semanage user -{a|d|m|l|D|E} [-LnrRP] selinux_name +-semanage port -{a|d|m|l|D|E} [-ntr] [ -p proto ] port | port_range +-semanage interface -{a|d|m|l|D|E} [-ntr] interface_spec +-semanage module -{a|d|m} [--enable|--disable] module +-semanage node -{a|d|m|l|D|E} [-ntr] [ -p protocol ] [-M netmask] addr +-semanage fcontext -{a|d|m|l|D|E} [-efnrst] file_spec + - enable = True ++semanage {boolean|login|user|port|interface|node|fcontext|translation} -{l|D} [-n] ++semanage login -{a|d|m} [-sr] login_name | %groupname ++semanage user -{a|d|m} [-LrRP] selinux_name ++semanage port -{a|d|m} [-tr] [ -p proto ] port | port_range ++semanage interface -{a|d|m} [-tr] interface_spec ++semanage node -{a|d|m} [-tr] [ -p protocol ] [-M netmask] addr ++semanage fcontext -{a|d|m} [-frst] file_spec ++semanage translation -{a|d|m} [-T] level + semanage boolean -{d|m} 
[--on|--off|-1|-0] -F boolean | boolean_file +-semanage permissive -{d|a|l} [-n] type +-semanage dontaudit [ on | off ] ++semanage permissive -{d|a} type - if o == "--disable": + Primary Options: + +@@ -69,9 +61,7 @@ Primary Options: + -d, --delete Delete a OBJECT record NAME + -m, --modify Modify a OBJECT record NAME + -i, --input Input multiple semange commands in a transaction +- -o, --output Output current customizations as semange commands + -l, --list List the OBJECTS +- -E, --extract extract customizable commands + -C, --locallist List OBJECTS local customizations + -D, --deleteall Remove all OBJECTS local customizations + +@@ -94,15 +84,14 @@ Object-specific Options (see above): + -F, --file Treat target as an input file for command, change multiple settings + -p, --proto Port protocol (tcp or udp) or internet protocol version of node (ipv4 or ipv6) + -M, --mask Netmask +- -e, --equal Substitue source path for dest path when labeling + -P, --prefix Prefix for home directory labeling + -L, --level Default SELinux Level (MLS/MCS Systems only) + -R, --roles SELinux Roles (ex: "sysadm_r staff_r") ++ -T, --trans SELinux Level Translation (MLS/MCS Systems only) ++ + -s, --seuser SELinux User Name + -t, --type SELinux Type for the object + -r, --range MLS/MCS Security Range (MLS/MCS Systems only) +- --enable Enable a module +- --disable Disable a module + """) + raise ValueError("%s\n%s" % (text, message)) + +@@ -114,25 +103,23 @@ Object-specific Options (see above): + + def get_options(): + valid_option={} +- valid_everyone=[ '-a', '--add', '-d', '--delete', '-m', '--modify', '-l', '--list', '-h', '--help', '-n', '--noheading', '-S', '--store' ] +- valid_local=[ '-E', '--extract', '-C', '--locallist', '-D', '--deleteall'] ++ valid_everyone=[ '-a', '--add', '-d', '--delete', '-m', '--modify', '-l', '--list', '-h', '--help', '-n', '--noheading', '-C', '--locallist', '-D', '--deleteall', '-S', '--store' ] + valid_option["login"] = [] +- valid_option["login"] += 
valid_everyone + valid_local + [ '-s', '--seuser', '-r', '--range'] ++ valid_option["login"] += valid_everyone + [ '-s', '--seuser', '-r', '--range'] + valid_option["user"] = [] +- valid_option["user"] += valid_everyone + valid_local + [ '-L', '--level', '-r', '--range', '-R', '--roles', '-P', '--prefix' ] ++ valid_option["user"] += valid_everyone + [ '-L', '--level', '-r', '--range', '-R', '--roles', '-P', '--prefix' ] + valid_option["port"] = [] +- valid_option["port"] += valid_everyone + valid_local + [ '-t', '--type', '-r', '--range', '-p', '--proto' ] ++ valid_option["port"] += valid_everyone + [ '-t', '--type', '-r', '--range', '-p', '--proto' ] + valid_option["interface"] = [] +- valid_option["interface"] += valid_everyone + valid_local + [ '-t', '--type', '-r', '--range'] ++ valid_option["interface"] += valid_everyone + [ '-t', '--type', '-r', '--range'] + valid_option["node"] = [] +- valid_option["node"] += valid_everyone + valid_local + [ '-M', '--mask', '-t', '--type', '-r', '--range', '-p', '--protocol'] +- valid_option["module"] = [] +- valid_option["module"] += valid_everyone + [ '--enable', '--disable'] ++ valid_option["node"] += valid_everyone + [ '-M', '--mask', '-t', '--type', '-r', '--range', '-p', '--protocol'] + valid_option["fcontext"] = [] +- valid_option["fcontext"] += valid_everyone + valid_local + [ '-e', '--equal', '-f', '--ftype', '-s', '--seuser', '-t', '--type', '-r', '--range'] +- valid_option["dontaudit"] = [ '-S', '--store' ] ++ valid_option["fcontext"] += valid_everyone + [ '-f', '--ftype', '-s', '--seuser', '-t', '--type', '-r', '--range'] ++ valid_option["translation"] = [] ++ valid_option["translation"] += valid_everyone + [ '-T', '--trans' ] + valid_option["boolean"] = [] +- valid_option["boolean"] += valid_everyone + valid_local + [ '--on', "--off", "-1", "-0", "-F", "--file"] ++ valid_option["boolean"] += valid_everyone + [ '--on', "--off", "-1", "-0", "-F", "--file"] + valid_option["permissive"] = [] + 
valid_option["permissive"] += [ '-a', '--add', '-d', '--delete', '-l', '--list', '-h', '--help', '-n', '--noheading', '-D', '--deleteall' ] + return valid_option +@@ -184,8 +171,6 @@ Object-specific Options (see above): + return ret + + def process_args(argv): +- global action +- action = False + serange = "" + port = "" + proto = "" +@@ -193,6 +178,7 @@ Object-specific Options (see above): + selevel = "" + setype = "" + ftype = "" ++ setrans = "" + roles = "" + seuser = "" + prefix = "user" +@@ -202,17 +188,11 @@ Object-specific Options (see above): + modify = False + delete = False + deleteall = False +- enable = False +- extract = False +- disable = False + list = False + locallist = False + use_file = False + store = "" +- equal = "" +- +- if len(argv) == 0: +- return ++ + object = argv[0] + option_dict=get_options() + if object not in option_dict.keys(): +@@ -220,81 +200,59 @@ Object-specific Options (see above): + + args = argv[1:] + +- try: +- gopts, cmds = getopt.getopt(args, +- '01adEe:f:i:lhmnp:s:FCDR:L:r:t:P:S:M:', +- ['add', +- 'delete', +- 'deleteall', +- 'enable', +- 'equal=', +- 'extract', +- 'disable', +- 'ftype=', +- 'file', +- 'help', +- 'input=', +- 'list', +- 'modify', +- 'noheading', +- 'localist', +- 'off', +- 'on', +- 'proto=', +- 'seuser=', +- 'store=', +- 'range=', +- 'locallist=', +- 'level=', +- 'roles=', +- 'type=', +- 'prefix=', +- 'mask=' +- ]) +- except getopt.error, error: +- usage(_("Options Error %s ") % error.msg) +- ++ gopts, cmds = getopt.getopt(args, ++ '01adf:i:lhmnp:s:FCDR:L:r:t:T:P:S:M:', ++ ['add', ++ 'delete', ++ 'deleteall', ++ 'ftype=', ++ 'file', ++ 'help', ++ 'input=', ++ 'list', ++ 'modify', ++ 'noheading', ++ 'localist', ++ 'off', ++ 'on', ++ 'proto=', ++ 'seuser=', ++ 'store=', ++ 'range=', ++ 'locallist=', ++ 'level=', ++ 'roles=', ++ 'type=', ++ 'trans=', ++ 'prefix=', ++ 'mask=' ++ ]) + for o, a in gopts: + if o not in option_dict[object]: + sys.stderr.write(_("%s not valid for %s objects\n") % ( o, object) ); +- 
return + + for o,a in gopts: + if o == "-a" or o == "--add": - set_action(o) -+ if enable: -+ raise ValueError(_("You can't disable and enable at the same time")) - disable = True ++ if modify or delete: ++ raise ValueError(_("%s bad option") % o) + add = True + + if o == "-d" or o == "--delete": +- set_action(o) ++ if modify or add: ++ raise ValueError(_("%s bad option") % o) + delete = True +- + if o == "-D" or o == "--deleteall": +- set_action(o) ++ if modify: ++ raise ValueError(_("%s bad option") % o) + deleteall = True +- +- if o == "-E" or o == "--extract": +- set_action(o) +- extract = True +- + if o == "-f" or o == "--ftype": + ftype=a +- if o == "-e" or o == "--equal": +- equal = a +- +- if o == "--enable": +- set_action(o) +- enable = True +- +- if o == "--disable": +- set_action(o) +- disable = True +- if o == "-F" or o == "--file": -@@ -504,31 +508,36 @@ Object-specific Options (see above): - if len(sys.argv) < 3: + use_file = True + + if o == "-h" or o == "--help": +- raise usage() ++ raise ValueError(_("%s bad option") % o) + + if o == "-n" or o == "--noheading": + heading = False +@@ -303,7 +261,8 @@ Object-specific Options (see above): + locallist = True + + if o == "-m"or o == "--modify": +- set_action(o) ++ if delete or add: ++ raise ValueError(_("%s bad option") % o) + modify = True + + if o == "-S" or o == '--store': +@@ -336,13 +295,13 @@ Object-specific Options (see above): + if o == "-t" or o == "--type": + setype = a + +- if o == "--on" or o == "-1": +- value = "on" +- modify = True ++ if o == "-T" or o == "--trans": ++ setrans = a + +- if o == "--off" or o == "-0": +- value = "off" +- modify = True ++ if o == "--on" or o == "-1": ++ value = "on" ++ if o == "--off" or o == "-0": ++ value = "off" + + if object == "login": + OBJECT = seobject.loginRecords(store) +@@ -364,12 +323,10 @@ Object-specific Options (see above): + + if object == "boolean": + OBJECT = seobject.booleanRecords(store) +- if use_file: +- modify = True +- +- if object == 
"module": +- OBJECT = seobject.moduleRecords(store) +- ++ ++ if object == "translation": ++ OBJECT = seobject.setransRecords() ++ + if object == "permissive": + OBJECT = seobject.permissiveRecords(store) + +@@ -384,98 +341,64 @@ Object-specific Options (see above): + OBJECT.deleteall() + return + +- if extract: +- for i in OBJECT.customized(): +- print "%s %s" % (object, str(i)) +- return +- + if len(cmds) != 1: +- raise ValueError(_("bad option")) ++ raise ValueError(_("%s bad option") % o) + + target = cmds[0] + +- if object == "dontaudit": +- OBJECT = seobject.dontauditClass(store) +- OBJECT.toggle(target) +- return +- + if add: + if object == "login": + OBJECT.add(target, seuser, serange) +- return ++ ++ if object == "translation": ++ OBJECT.add(target, setrans) + + if object == "user": + OBJECT.add(target, roles.split(), selevel, serange, prefix) +- return + + if object == "port": + OBJECT.add(target, proto, serange, setype) +- return + + if object == "interface": + OBJECT.add(target, serange, setype) +- return +- +- if object == "module": +- OBJECT.add(target) +- return + + if object == "node": + OBJECT.add(target, mask, proto, serange, setype) +- return + + if object == "fcontext": +- if equal == "": +- OBJECT.add(target, setype, ftype, serange, seuser) +- else: +- OBJECT.add_equal(target, equal) +- return +- ++ OBJECT.add(target, setype, ftype, serange, seuser) + if object == "permissive": + OBJECT.add(target) +- return + ++ return ++ + if modify: + if object == "boolean": +- OBJECT.modify(target, value, use_file) +- return ++ OBJECT.modify(target, value, use_file) + + if object == "login": + OBJECT.modify(target, seuser, serange) +- return ++ ++ if object == "translation": ++ OBJECT.modify(target, setrans) + + if object == "user": + rlist = roles.split() + OBJECT.modify(target, rlist, selevel, serange, prefix) +- return +- +- if object == "module": +- if enable: +- OBJECT.enable(target) +- elif disable: +- OBJECT.disable(target) +- else: +- 
OBJECT.modify(target) +- return + + if object == "port": + OBJECT.modify(target, proto, serange, setype) +- return + + if object == "interface": + OBJECT.modify(target, serange, setype) +- return + + if object == "node": + OBJECT.modify(target, mask, proto, serange, setype) +- return + + if object == "fcontext": +- if equal == "": +- OBJECT.modify(target, setype, ftype, serange, seuser) +- else: +- OBJECT.modify_equal(target, equal) +- return ++ OBJECT.modify(target, setype, ftype, serange, seuser) ++ ++ return + + if delete: + if object == "port": +@@ -489,15 +412,15 @@ Object-specific Options (see above): + + else: + OBJECT.delete(target) ++ + return + +- raise ValueError(_("Invalid command: semanage %s") % " ".join(argv)) ++ raise ValueError(_("Invalid command") % " ".join(argv)) + + # + # + # + try: +- output = None + input = None + store = "" + +@@ -505,7 +428,7 @@ Object-specific Options (see above): usage(_("Requires 2 or more arguments")) -- gopts, cmds = getopt.getopt(sys.argv[1:], + gopts, cmds = getopt.getopt(sys.argv[1:], - '01adf:i:lhmno:p:s:FCDR:L:r:t:T:P:S:', -- ['add', -- 'delete', -- 'deleteall', -- 'ftype=', -- 'file', -- 'help', -- 'input=', -- 'list', -- 'modify', -- 'noheading', -- 'localist', -- 'off', -- 'on', ++ '01adf:i:lhmnp:s:FCDR:L:r:t:T:P:S:', + ['add', + 'delete', + 'deleteall', +@@ -519,7 +442,6 @@ Object-specific Options (see above): + 'localist', + 'off', + 'on', - 'output=', -- 'proto=', -- 'seuser=', -- 'store=', -- 'range=', -- 'level=', -- 'roles=', -- 'type=', -- 'prefix=' -- ]) -+ try: -+ gopts, cmds = getopt.getopt(sys.argv[1:], -+ '01adf:i:lhmno:p:s:FCDR:L:r:t:T:P:S:', -+ ['add', -+ 'delete', -+ 'deleteall', -+ 'ftype=', -+ 'file', -+ 'help', -+ 'input=', -+ 'list', -+ 'modify', -+ 'noheading', -+ 'localist', -+ 'off', -+ 'on', -+ 'output=', -+ 'proto=', -+ 'seuser=', -+ 'store=', -+ 'range=', -+ 'level=', -+ 'roles=', -+ 'type=', -+ 'trans=', -+ 'prefix=' -+ ]) -+ except getopt.error, error: -+ usage(_("Options Error %s ") 
% error.msg) -+ + 'proto=', + 'seuser=', + 'store=', +@@ -527,6 +449,7 @@ Object-specific Options (see above): + 'level=', + 'roles=', + 'type=', ++ 'trans=', + 'prefix=' + ]) for o, a in gopts: - if o == "-S" or o == '--store': +@@ -534,16 +457,6 @@ Object-specific Options (see above): store = a -@@ -558,8 +567,6 @@ Object-specific Options (see above): - else: - process_args(sys.argv[1:]) - -- except getopt.error, error: -- usage(_("Options Error %s ") % error.msg) - except ValueError, error: - errorExit(error.args[0]) - except KeyError, error: + if o == "-i" or o == '--input': + input = a +- if o == "-o" or o == '--output': +- output = a +- +- if output != None: +- if output != "-": +- sys.stdout = open(output, 'w') +- for i in manageditems: +- print "%s -D" % i +- process_args([i, "-E"]) +- sys.exit(0) + + if input != None: + if input == "-": +@@ -566,7 +479,3 @@ Object-specific Options (see above): + errorExit(_("Invalid value %s") % error.args[0]) + except IOError, error: + errorExit(error.args[1]) +- except OSError, error: +- errorExit(error.args[1]) +- except RuntimeError, error: +- errorExit(error.args[0]) diff --git a/policycoreutils/semanage/seobject.py b/policycoreutils/semanage/seobject.py -index a7008fc..9445b76 100644 +index 2628645..e5b6303 100644 --- a/policycoreutils/semanage/seobject.py +++ b/policycoreutils/semanage/seobject.py @@ -30,11 +30,10 @@ from IPy import IP 
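Review bot: The semanage hunk the rhat patch now carries looks reversed: its inner `-` lines strip `-o/--output`, `-E/--extract`, `-e/--equal`, the `module` and `dontaudit` objects and the `getopt.error`/`OSError`/`RuntimeError` handlers from upstream semanage, while its inner `+` lines reintroduce a `translation` object backed by `seobject.setransRecords()` — the opposite of the equivalence work the commit message lists, so presumably the diff was generated with old and new trees swapped. Two of the reintroduced lines are defects on their own: `raise ValueError(_("Invalid command") % " ".join(argv))` has no `%s` placeholder, so with any argv it raises `TypeError: not all arguments converted` instead of the intended ValueError, and `raise ValueError(_("%s bad option") % o)` after the `len(cmds) != 1` check reuses the option-loop variable `o`, which is unbound (NameError) whenever the command was given no options. If the reversal is confirmed, regenerate the patch from the right side; otherwise restore `raise ValueError(_("Invalid command: semanage %s") % " ".join(argv))` and `raise ValueError(_("bad option"))`, and keep the `try`/`except getopt.error` around `getopt.getopt(args, ...)` so a bad flag yields the usage text rather than a traceback. process_args starts and ends outside this hunk.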
@@ -633,23 +778,7 @@ index a7008fc..9445b76 100644 import syslog -@@ -166,6 +165,7 @@ class semanageRecords: - transaction = False - handle = None - store = None -+ - def __init__(self, store): - global handle - -@@ -333,6 +333,7 @@ class permissiveRecords(semanageRecords): - name = semanage_module_get_name(mod) - if name and name.startswith("permissive_"): - l.append(name.split("permissive_")[1]) -+ - return l - - def list(self, heading = 1, locallist = 0): -@@ -431,7 +432,9 @@ class loginRecords(semanageRecords): +@@ -431,7 +430,9 @@ class loginRecords(semanageRecords): if rc < 0: raise ValueError(_("Could not check if login mapping for %s is defined") % name) if exists: @@ -660,7 +789,7 @@ index a7008fc..9445b76 100644 if name[0] == '%': try: grp.getgrnam(name[1:]) -@@ -641,7 +644,8 @@ class seluserRecords(semanageRecords): +@@ -641,7 +642,8 @@ class seluserRecords(semanageRecords): if rc < 0: raise ValueError(_("Could not check if SELinux user %s is defined") % name) if exists: @@ -670,23 +799,15 @@ index a7008fc..9445b76 100644 (rc, u) = semanage_user_create(self.sh) if rc < 0: -@@ -881,6 +885,7 @@ class portRecords(semanageRecords): - return ( k, proto_d, low, high ) +@@ -1136,7 +1138,6 @@ class nodeRecords(semanageRecords): + return newaddr, newmask, newprotocol - def __add(self, port, proto, serange, type): -+ - if is_mls_enabled == 1: - if serange == "": - serange = "s0" -@@ -943,6 +948,7 @@ class portRecords(semanageRecords): - self.commit() + def __add(self, addr, mask, proto, serange, ctype): +- + addr, mask, proto = self.validate(addr, mask, proto) - def __modify(self, port, proto, serange, setype): -+ - if serange == "" and setype == "": - if is_mls_enabled == 1: - raise ValueError(_("Requires setype or serange")) -@@ -1156,7 +1162,8 @@ class nodeRecords(semanageRecords): + if is_mls_enabled == 1: +@@ -1156,7 +1157,8 @@ class nodeRecords(semanageRecords): (rc, exists) = semanage_node_exists(self.sh, k) if exists: 
@@ -696,7 +817,7 @@ index a7008fc..9445b76 100644 (rc, node) = semanage_node_create(self.sh) if rc < 0: -@@ -1172,7 +1179,6 @@ class nodeRecords(semanageRecords): +@@ -1172,7 +1174,6 @@ class nodeRecords(semanageRecords): if rc < 0: raise ValueError(_("Could not set mask for %s") % addr) @@ -704,13 +825,15 @@ index a7008fc..9445b76 100644 rc = semanage_context_set_user(self.sh, con, "system_u") if rc < 0: raise ValueError(_("Could not set user in addr context for %s") % addr) -@@ -1224,12 +1230,11 @@ class nodeRecords(semanageRecords): - if not exists: - raise ValueError(_("Addr %s is not defined") % addr) +@@ -1208,7 +1209,6 @@ class nodeRecords(semanageRecords): + self.commit() -- (rc, node) = semanage_node_query(self.sh, k) -+ (rc, node) = semanage_node_query_local(self.sh, k) - if rc < 0: + def __modify(self, addr, mask, proto, serange, setype): +- + addr, mask, proto = self.validate(addr, mask, proto) + + if serange == "" and setype == "": +@@ -1229,7 +1229,6 @@ class nodeRecords(semanageRecords): raise ValueError(_("Could not query addr %s") % addr) con = semanage_node_get_con(node) @@ -718,7 +841,7 @@ index a7008fc..9445b76 100644 if serange != "": semanage_context_set_mls(self.sh, con, untranslate(serange)) if setype != "": -@@ -1357,7 +1362,8 @@ class interfaceRecords(semanageRecords): +@@ -1357,7 +1356,8 @@ class interfaceRecords(semanageRecords): if rc < 0: raise ValueError(_("Could not check if interface %s is defined") % interface) if exists: 
@@ -728,53 +851,7 @@ index a7008fc..9445b76 100644 (rc, iface) = semanage_iface_create(self.sh) if rc < 0: -@@ -1525,6 +1531,7 @@ class fcontextRecords(semanageRecords): - def __init__(self, store = ""): - semanageRecords.__init__(self, store) - self.equiv = {} -+ self.equiv_dist = {} - self.equal_ind = False - try: - fd = open(selinux.selinux_file_context_subs_path(), "r") -@@ -1534,6 +1541,14 @@ class fcontextRecords(semanageRecords): - fd.close() - except IOError: - pass -+ try: -+ fd = open(selinux.selinux_file_context_subs_dist_path(), "r") -+ for i in fd.readlines(): -+ src, dst = i.split() -+ self.equiv_dist[src] = dst -+ fd.close() -+ except IOError: -+ pass - - def commit(self): - if self.equal_ind: -@@ -1589,12 +1604,21 @@ class fcontextRecords(semanageRecords): - - return con - -+ def check_equiv(self, target, fdict): -+ for i in fdict: -+ if target.startswith(i+"/"): -+ t = re.sub(i, fdict[i], target) -+ raise ValueError(_("File spec %s conflicts with equivalency rule '%s %s'; Try adding '%s' instead") % (target, i, fdict[i], t)) -+ -+ - def validate(self, target): - if target == "" or target.find("\n") >= 0: - raise ValueError(_("Invalid file specification")) - if target.find(" ") != -1: - raise ValueError(_("File specification can not include spaces")) -- -+ self.check_equiv(target, self.equiv) -+ self.check_equiv(target, self.equiv_dist) -+ - def __add(self, target, type, ftype = "", serange = "", seuser = "system_u"): - self.validate(target) - -@@ -1618,7 +1642,8 @@ class fcontextRecords(semanageRecords): +@@ -1640,7 +1640,8 @@ class fcontextRecords(semanageRecords): raise ValueError(_("Could not check if file context for %s is defined") % target) if exists: 
@@ -784,50 +861,14 @@ index a7008fc..9445b76 100644 (rc, fcontext) = semanage_fcontext_create(self.sh) if rc < 0: -@@ -1811,23 +1836,28 @@ class fcontextRecords(semanageRecords): - def list(self, heading = 1, locallist = 0 ): - fcon_dict = self.get_all(locallist) - keys = fcon_dict.keys() -- if len(keys) == 0: -- return -- keys.sort() -- -- if heading: -- print "%-50s %-18s %s\n" % (_("SELinux fcontext"), _("type"), _("Context")) -- for k in keys: -- if fcon_dict[k]: -- if is_mls_enabled: -- print "%-50s %-18s %s:%s:%s:%s " % (k[0], k[1], fcon_dict[k][0], fcon_dict[k][1], fcon_dict[k][2], translate(fcon_dict[k][3],False)) -+ if len(keys) != 0: -+ keys.sort() -+ if heading: -+ print "%-50s %-18s %s\n" % (_("SELinux fcontext"), _("type"), _("Context")) -+ for k in keys: -+ if fcon_dict[k]: -+ if is_mls_enabled: -+ print "%-50s %-18s %s:%s:%s:%s " % (k[0], k[1], fcon_dict[k][0], fcon_dict[k][1], fcon_dict[k][2], translate(fcon_dict[k][3],False)) -+ else: -+ print "%-50s %-18s %s:%s:%s " % (k[0], k[1], fcon_dict[k][0], fcon_dict[k][1],fcon_dict[k][2]) - else: -- print "%-50s %-18s %s:%s:%s " % (k[0], k[1], fcon_dict[k][0], fcon_dict[k][1],fcon_dict[k][2]) -- else: -- print "%-50s %-18s <<None>>" % (k[0], k[1]) -- if len(self.equiv.keys()) > 0: -+ print "%-50s %-18s <<None>>" % (k[0], k[1]) -+ -+ if len(self.equiv_dist): -+ if not locallist: -+ if heading: -+ print _("\nSELinux Distribution fcontext Equivalence \n") -+ for src in self.equiv_dist.keys(): -+ print "%s = %s" % (src, self.equiv_dist[src]) -+ if len(self.equiv): - if heading: -- print _("\nSELinux fcontext Equivalence \n") -+ print _("\nSELinux Local fcontext Equivalence \n") +@@ -1734,7 +1735,6 @@ class fcontextRecords(semanageRecords): + self.begin() + self.__modify(target, setype, ftype, serange, seuser) + self.commit() +- - for src in self.equiv.keys(): - print "%s = %s" % (src, self.equiv[src]) + def deleteall(self): + (rc, flist) = semanage_fcontext_list_local(self.sh) 
diff --git a/policycoreutils/setfiles/restore.c b/policycoreutils/setfiles/restore.c index 9a7d315..e57d34f 100644 --- a/policycoreutils/setfiles/restore.c diff --git a/policycoreutils-sepolgen.patch b/policycoreutils-sepolgen.patch index 0482ee2..d71fa33 100644 --- a/policycoreutils-sepolgen.patch +++ b/policycoreutils-sepolgen.patch @@ -163,29 +163,3 @@ index 0e6b502..4882999 100644 self.module.children.append(rule) -diff --git a/sepolgen/src/sepolgen/refparser.py b/sepolgen/src/sepolgen/refparser.py -index 955784d..9a79340 100644 ---- a/sepolgen/src/sepolgen/refparser.py -+++ b/sepolgen/src/sepolgen/refparser.py -@@ -245,7 +245,7 @@ def t_refpolicywarn(t): - t.lexer.lineno += 1 - - def t_IDENTIFIER(t): -- r'[a-zA-Z_\$\"][a-zA-Z0-9_\-\.\$\*\"]*' -+ r'[a-zA-Z_\$\"][a-zA-Z0-9_\-\.\$\*\"~]*' - # Handle any keywords - t.type = reserved.get(t.value,'IDENTIFIER') - return t -diff --git a/sepolgen/src/sepolgen/yacc.py b/sepolgen/src/sepolgen/yacc.py -index 58332de..2f3c09d 100644 ---- a/sepolgen/src/sepolgen/yacc.py -+++ b/sepolgen/src/sepolgen/yacc.py -@@ -594,7 +594,7 @@ class MiniProduction: - pass - - # regex matching identifiers --_is_identifier = re.compile(r'^[a-zA-Z0-9_-]+$') -+_is_identifier = re.compile(r'^[a-zA-Z0-9_-~]+$') - - # ----------------------------------------------------------------------------- - # add_production() diff --git a/policycoreutils.spec b/policycoreutils.spec index 117d52a..0cfb00a 100644 --- a/policycoreutils.spec +++ b/policycoreutils.spec 
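Review bot: The only semanage.py edit that the rebased `@@ -784,50 +861,14 @@` hunk still carries is `+@@ -1734,7 +1735,6 @@`, which removes one of the two blank lines between `self.commit()` and `def deleteall(self):` in fcontextRecords; a pure whitespace hunk is not worth the rebase churn in policycoreutils-rhat.patch and should be dropped or pushed upstream. The deleted `list()`/`check_equiv` hunks go away consistently with the changelog entry "semanage: check file equivalence rules for conflict", so nothing else on the new side of this hunk remains to review. The trailing `diff --git a/policycoreutils/setfiles/restore.c` context opens a section whose hunks lie outside this view.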
@@ -1,13 +1,13 @@ %define libauditver 2.1.3-4 -%define libsepolver 2.1.3-2 -%define libsemanagever 2.1.4-3 -%define libselinuxver 2.1.7-1 -%define sepolgenver 1.1.3 +%define libsepolver 2.1.4-1 +%define libsemanagever 2.1.5-1 +%define libselinuxver 2.1.7-2 +%define sepolgenver 1.1.4 Summary: SELinux policy core utilities Name: policycoreutils -Version: 2.1.8 -Release: 7%{?dist} +Version: 2.1.9 +Release: 1%{?dist} License: GPLv2 Group: System Environment/Base # Based on git repository with tag 20101221 @@ -80,6 +80,7 @@ mkdir -p %{buildroot}%{_bindir} mkdir -p %{buildroot}%{_sbindir} mkdir -p %{buildroot}/sbin mkdir -p %{buildroot}%{_mandir}/man1 +mkdir -p %{buildroot}%{_mandir}/man5 mkdir -p %{buildroot}%{_mandir}/man8 mkdir -p %{buildroot}%{_sysconfdir}/pam.d mkdir -p %{buildroot}%{_sysconfdir}/security/console.apps @@ -183,7 +184,7 @@ The policycoreutils-sandbox package contains the scripts to create graphical san %defattr(-,root,root,-) %{_datadir}/sandbox/sandboxX.sh %{_datadir}/sandbox/start -%attr(0755,root,root) %caps(cap_setpcap,cap_setuid,cap_fowner,cap_dac_override,cap_sys_admin,cap_sys_nice=pe) %{_sbindir}/seunshare +%caps(cap_setpcap,cap_setuid,cap_fowner,cap_dac_override,cap_sys_admin,cap_sys_nice=pe) %{_sbindir}/seunshare %{_mandir}/man8/seunshare.8* %{_mandir}/man5/sandbox.5* @@ -278,6 +279,8 @@ rm -rf %{buildroot} %config(noreplace) %{_sysconfdir}/pam.d/run_init %config(noreplace) %{_sysconfdir}/sestatus.conf # selinux-policy Requires: policycoreutils, so we own this set of directories and our files within them +%{_mandir}/man5/selinux_config.5.gz +%{_mandir}/man5/sestatus.conf.5.gz %{_mandir}/man8/fixfiles.8* %{_mandir}/ru/man8/fixfiles.8* %{_mandir}/man8/load_policy.8* 
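Review bot: Dropping `%attr(0755,root,root)` from the seunshare entry leaves the binary's mode to whatever the sandbox Makefile installed, because the section's `%defattr(-,root,root,-)` pins only ownership and takes mode from the buildroot; seunshare is exactly the file where that matters, since it ships with `cap_sys_admin`, `cap_setuid` and `cap_dac_override` file capabilities. If the Makefile installs it 4755, the package would end up setuid-root and capability-bearing at once with no visible change in the spec, so either keep `%attr(0755,root,root) %caps(cap_setpcap,cap_setuid,cap_fowner,cap_dac_override,cap_sys_admin,cap_sys_nice=pe) %{_sbindir}/seunshare` or verify the installed mode with `rpm -qlv` on the built package. The sandbox Makefile hunk is not in this view, so whether 0755 is already enforced there is an assumption to confirm.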
@@ -352,6 +355,28 @@ fi
 /bin/systemctl try-restart restorecond.service >/dev/null 2>&1 || :
 
 %changelog
+* Tue Dec 6 2011 Dan Walsh <dwalsh@redhat.com> - 2.1.9-1
+- Upgrade to upstream
+ * sandbox: move sandbox.conf.5 to just sandbox.5
+ * po: Makefile use -p to preserve times to allow multilib simultatious installs
+ * of po files
+ * sandbox: Allow user to specify the DPI value for X in a sandbox
+ * sandbox: make sure the domain launching sandbox has at least 100 categories
+ * sandbox: do not try forever to find available category set
+ * sandbox: only complain if sandbox unable to launch
+ * sandbox: init script run twice is still successful
+ * semanage: print local and dristo equiv rules
+ * semanage: check file equivalence rules for conflict
+ * semanage: Make sure semanage fcontext -l -C prints even if local keys
+ * are not defined
+ * semanage: change src,dst to target,substitute for equivalency
+ * sestatus: Updated sestatus and man pages.
+ * Added SELinux config file man page.
+ * add clean target to man Makefile
+
+* Wed Nov 30 2011 Dan Walsh <dwalsh@redhat.com> - 2.1.8-8
+- Fix semange fcontext -a to check for more conflicts on equivalency
+
 * Tue Nov 29 2011 Dan Walsh <dwalsh@redhat.com> - 2.1.8-7
 - Fix dpi handling in sandbox
 - Make sure semanage fcontext -l -C prints if only local equiv have changed
diff --git a/sources
index b2af9b5..91b04fe 100644
--- a/sources
+++ b/sources
@@ -1,3 +1,3 @@
 59d33101d57378ce69889cc078addf90 policycoreutils_man_ru2.tar.bz2
-135674afd4eecd02ef441a9fd1d2c08a policycoreutils-2.1.8.tgz
-3bd4588bcf8608c6e8a18ad5a8b68971 sepolgen-1.1.3.tgz
+c7d17d1cb82dcb6f0dc15d3ce2203f27 policycoreutils-2.1.9.tgz
+fb184a69c16fd775527e0ca3176a422d sepolgen-1.1.4.tgz