Merged update from upstream sources

This is an automated DistroBaker update from upstream sources.
If you do not know what this is about or would like to opt out,
contact the OSCI team.

Source: https://src.fedoraproject.org/rpms/policycoreutils.git#b47cf5c7c221d52f659303fe41a406239a74d8d3

0001-python-audit2allow-add-include-limits.h-to-sepolgen-.patch

@@ -0,0 +1,34 @@
+From ccd973f721c48945fc706d8fef6b396580853a9f Mon Sep 17 00:00:00 2001
+From: "W. Michael Petullo" <mike@flyn.org>
+Date: Thu, 16 Jul 2020 15:29:20 -0500
+Subject: [PATCH] python/audit2allow: add #include <limits.h> to
+ sepolgen-ifgen-attr-helper.c
+
+I found that building on OpenWrt/musl failed with:
+
+  sepolgen-ifgen-attr-helper.c:152:16: error: 'PATH_MAX' undeclared ...
+
+Musl is less "generous" than glibc in recursively including header
+files, and I suspect this is the reason for this error. Explicitly
+including limits.h fixes the problem.
+
+Signed-off-by: W. Michael Petullo <mike@flyn.org>
+---
+ python/audit2allow/sepolgen-ifgen-attr-helper.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/python/audit2allow/sepolgen-ifgen-attr-helper.c b/python/audit2allow/sepolgen-ifgen-attr-helper.c
+index 53f20818722a..f010c9584c1f 100644
+--- a/python/audit2allow/sepolgen-ifgen-attr-helper.c
++++ b/python/audit2allow/sepolgen-ifgen-attr-helper.c
+@@ -28,6 +28,7 @@
+ 
+ #include <selinux/selinux.h>
+ 
++#include <limits.h>
+ #include <stdio.h>
+ #include <sys/types.h>
+ #include <sys/stat.h>
+-- 
+2.29.0
+

0002-restorecond-Set-X-GNOME-HiddenUnderSystemd-true-in-r.patch

@@ -0,0 +1,26 @@
+From 9e2b8c61bfd275d0f007a736721c557755edf4a0 Mon Sep 17 00:00:00 2001
+From: Laurent Bigonville <bigon@bigon.be>
+Date: Thu, 16 Jul 2020 14:22:13 +0200
+Subject: [PATCH] restorecond: Set X-GNOME-HiddenUnderSystemd=true in
+ restorecond.desktop file
+
+This completely inactivate the .desktop file incase the user session is
+managed by systemd as restorecond also provide a service file
+
+Signed-off-by: Laurent Bigonville <bigon@bigon.be>
+---
+ restorecond/restorecond.desktop | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/restorecond/restorecond.desktop b/restorecond/restorecond.desktop
+index af7286801c24..7df854727a3f 100644
+--- a/restorecond/restorecond.desktop
++++ b/restorecond/restorecond.desktop
+@@ -5,3 +5,4 @@ Comment=Fix file context in owned by the user
+ Type=Application
+ StartupNotify=false
+ X-GNOME-Autostart-enabled=false
++X-GNOME-HiddenUnderSystemd=true
+-- 
+2.29.0
+

0003-fixfiles-correctly-restore-context-of-mountpoints.patch

@@ -0,0 +1,136 @@
+From ba2d6c10635a021d2b1a5fc2123fde13b04295a5 Mon Sep 17 00:00:00 2001
+From: bauen1 <j2468h@googlemail.com>
+Date: Thu, 6 Aug 2020 16:48:36 +0200
+Subject: [PATCH] fixfiles: correctly restore context of mountpoints
+
+By bind mounting every filesystem we want to relabel we can access all
+files without anything hidden due to active mounts.
+
+This comes at the cost of user experience, because setfiles only
+displays the percentage if no path is given or the path is /
+
+Signed-off-by: Jonathan Hettwer <j2468h@gmail.com>
+Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
+---
+ policycoreutils/scripts/fixfiles   | 29 +++++++++++++++++++++++++----
+ policycoreutils/scripts/fixfiles.8 |  8 ++++++--
+ 2 files changed, 31 insertions(+), 6 deletions(-)
+
+diff --git a/policycoreutils/scripts/fixfiles b/policycoreutils/scripts/fixfiles
+index 5d7770348349..30dadb4f4cb6 100755
+--- a/policycoreutils/scripts/fixfiles
++++ b/policycoreutils/scripts/fixfiles
+@@ -112,6 +112,7 @@ FORCEFLAG=""
+ RPMFILES=""
+ PREFC=""
+ RESTORE_MODE=""
++BIND_MOUNT_FILESYSTEMS=""
+ SETFILES=/sbin/setfiles
+ RESTORECON=/sbin/restorecon
+ FILESYSTEMSRW=`get_rw_labeled_mounts`
+@@ -243,7 +244,23 @@ case "$RESTORE_MODE" in
+ 	if [ -n "${FILESYSTEMSRW}" ]; then
+ 	    LogReadOnly
+ 	    echo "${OPTION}ing `echo ${FILESYSTEMSRW}`"
+-	    ${SETFILES} ${VERBOSE} ${EXCLUDEDIRS} ${FORCEFLAG} $* -q ${FC} ${FILESYSTEMSRW}
++
++	    if [ -z "$BIND_MOUNT_FILESYSTEMS" ]; then
++	        ${SETFILES} ${VERBOSE} ${EXCLUDEDIRS} ${FORCEFLAG} $* -q ${FC} ${FILESYSTEMSRW}
++	    else
++	        # we bind mount so we can fix the labels of files that have already been
++	        # mounted over
++	        for m in `echo $FILESYSTEMSRW`; do
++	            TMP_MOUNT="$(mktemp -d)"
++	            test -z ${TMP_MOUNT+x} && echo "Unable to find temporary directory!" && exit 1
++
++	            mkdir -p "${TMP_MOUNT}${m}" || exit 1
++	            mount --bind "${m}" "${TMP_MOUNT}${m}" || exit 1
++	            ${SETFILES} ${VERBOSE} ${EXCLUDEDIRS} ${FORCEFLAG} $* -q ${FC} -r "${TMP_MOUNT}" "${TMP_MOUNT}${m}"
++	            umount "${TMP_MOUNT}${m}" || exit 1
++	            rm -rf "${TMP_MOUNT}" || echo "Error cleaning up."
++	        done;
++	    fi
+ 	else
+ 	    echo >&2 "fixfiles: No suitable file systems found"
+ 	fi
+@@ -313,6 +330,7 @@ case "$1" in
+ 	> /.autorelabel || exit $?
+ 	[ -z "$FORCEFLAG" ] || echo -n "$FORCEFLAG " >> /.autorelabel
+ 	[ -z "$BOOTTIME" ] || echo -N $BOOTTIME >> /.autorelabel
++	[ -z "$BIND_MOUNT_FILESYSTEMS" ] || echo "-M" >> /.autorelabel
+ 	# Force full relabel if SELinux is not enabled
+ 	selinuxenabled || echo -F > /.autorelabel
+ 	echo "System will relabel on next boot"
+@@ -324,7 +342,7 @@ esac
+ }
+ usage() {
+ 	echo $"""
+-Usage: $0 [-v] [-F] [-f] relabel
++Usage: $0 [-v] [-F] [-M] [-f] relabel
+ or
+ Usage: $0 [-v] [-F] [-B | -N time ] { check | restore | verify }
+ or
+@@ -334,7 +352,7 @@ Usage: $0 [-v] [-F] -R rpmpackage[,rpmpackage...] { check | restore | verify }
+ or
+ Usage: $0 [-v] [-F] -C PREVIOUS_FILECONTEXT { check | restore | verify }
+ or
+-Usage: $0 [-F] [-B] onboot
++Usage: $0 [-F] [-M] [-B] onboot
+ """
+ }
+ 
+@@ -353,7 +371,7 @@ set_restore_mode() {
+ }
+ 
+ # See how we were called.
+-while getopts "N:BC:FfR:l:v" i; do
++while getopts "N:BC:FfR:l:vM" i; do
+     case "$i" in
+ 	B)
+ 		BOOTTIME=`/bin/who -b | awk '{print $3}'`
+@@ -379,6 +397,9 @@ while getopts "N:BC:FfR:l:v" i; do
+ 		echo "Redirecting output to $OPTARG"
+ 		exec >>"$OPTARG" 2>&1
+ 		;;
++	M)
++		BIND_MOUNT_FILESYSTEMS="-M"
++		;;
+ 	F)
+ 		FORCEFLAG="-F"
+ 		;;
+diff --git a/policycoreutils/scripts/fixfiles.8 b/policycoreutils/scripts/fixfiles.8
+index 9f447f03d444..123425308416 100644
+--- a/policycoreutils/scripts/fixfiles.8
++++ b/policycoreutils/scripts/fixfiles.8
+@@ -6,7 +6,7 @@ fixfiles \- fix file SELinux security contexts.
+ .na
+ 
+ .B fixfiles
+-.I [\-v] [\-F] [\-f] relabel
++.I [\-v] [\-F] [-M] [\-f] relabel
+ 
+ .B fixfiles
+ .I [\-v] [\-F] { check | restore | verify } dir/file ...
+@@ -21,7 +21,7 @@ fixfiles \- fix file SELinux security contexts.
+ .I [\-v] [\-F] \-C PREVIOUS_FILECONTEXT  { check | restore | verify }
+ 
+ .B fixfiles
+-.I [-F] [-B] onboot
++.I [-F] [-M] [-B] onboot
+ 
+ .ad
+ 
+@@ -68,6 +68,10 @@ Run a diff on  the PREVIOUS_FILECONTEXT file to the currently installed one, and
+ Only act on files created after the specified date.  Date must be specified in
+ "YYYY\-MM\-DD HH:MM" format.  Date field will be passed to find \-\-newermt command.
+ 
++.TP
++.B \-M
++Bind mount filesystems before relabeling them, this allows fixing the context of files or directories that have been mounted over.
++
+ .TP
+ .B -v
+ Modify verbosity from progress to verbose. (Run restorecon with \-v instead of \-p)
+-- 
+2.29.0
+

0004-sepolgen-print-extended-permissions-in-hexadecimal.patch

@@ -0,0 +1,112 @@
+From 9e239e55692b578ba546b4dff2b07604a2ca6baa Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
+Date: Wed, 19 Aug 2020 17:05:33 +0200
+Subject: [PATCH] sepolgen: print extended permissions in hexadecimal
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+All tools like ausearch(8) or sesearch(1) and online documentation[1]
+use hexadecimal values for extended permissions.
+Hence use them, e.g. for audit2allow output, as well.
+
+[1]: https://github.com/strace/strace/blob/master/linux/64/ioctls_inc.h
+
+Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
+Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
+---
+ python/sepolgen/src/sepolgen/refpolicy.py |  5 ++---
+ python/sepolgen/tests/test_access.py      | 10 +++++-----
+ python/sepolgen/tests/test_refpolicy.py   | 12 ++++++------
+ 3 files changed, 13 insertions(+), 14 deletions(-)
+
+diff --git a/python/sepolgen/src/sepolgen/refpolicy.py b/python/sepolgen/src/sepolgen/refpolicy.py
+index 43cecfc77385..747636875ef7 100644
+--- a/python/sepolgen/src/sepolgen/refpolicy.py
++++ b/python/sepolgen/src/sepolgen/refpolicy.py
+@@ -407,10 +407,9 @@ class XpermSet():
+ 
+         # print single value without braces
+         if len(self.ranges) == 1 and self.ranges[0][0] == self.ranges[0][1]:
+-            return compl + str(self.ranges[0][0])
++            return compl + hex(self.ranges[0][0])
+ 
+-        vals = map(lambda x: str(x[0]) if x[0] == x[1] else "%s-%s" % x,
+-                   self.ranges)
++        vals = map(lambda x: hex(x[0]) if x[0] == x[1] else "%s-%s" % (hex(x[0]), hex(x[1]), ), self.ranges)
+ 
+         return "%s{ %s }" % (compl, " ".join(vals))
+ 
+diff --git a/python/sepolgen/tests/test_access.py b/python/sepolgen/tests/test_access.py
+index 73a5407df617..623588e09aeb 100644
+--- a/python/sepolgen/tests/test_access.py
++++ b/python/sepolgen/tests/test_access.py
+@@ -171,7 +171,7 @@ class TestAccessVector(unittest.TestCase):
+         a.merge(b)
+         self.assertEqual(sorted(list(a.perms)), ["append", "read", "write"])
+         self.assertEqual(list(a.xperms.keys()), ["ioctl"])
+-        self.assertEqual(a.xperms["ioctl"].to_string(), "{ 42 12345 }")
++        self.assertEqual(a.xperms["ioctl"].to_string(), "{ 0x2a 0x3039 }")
+ 
+     def text_merge_xperm2(self):
+         """Test merging AV that does not contain xperms with AV that does"""
+@@ -185,7 +185,7 @@ class TestAccessVector(unittest.TestCase):
+         a.merge(b)
+         self.assertEqual(sorted(list(a.perms)), ["append", "read", "write"])
+         self.assertEqual(list(a.xperms.keys()), ["ioctl"])
+-        self.assertEqual(a.xperms["ioctl"].to_string(), "{ 42 12345 }")
++        self.assertEqual(a.xperms["ioctl"].to_string(), "{ 0x2a 0x3039 }")
+ 
+     def test_merge_xperm_diff_op(self):
+         """Test merging two AVs that contain xperms with different operation"""
+@@ -203,8 +203,8 @@ class TestAccessVector(unittest.TestCase):
+         a.merge(b)
+         self.assertEqual(list(a.perms), ["read"])
+         self.assertEqual(sorted(list(a.xperms.keys())), ["asdf", "ioctl"])
+-        self.assertEqual(a.xperms["asdf"].to_string(), "23")
+-        self.assertEqual(a.xperms["ioctl"].to_string(), "{ 42 12345 }")
++        self.assertEqual(a.xperms["asdf"].to_string(), "0x17")
++        self.assertEqual(a.xperms["ioctl"].to_string(), "{ 0x2a 0x3039 }")
+                          
+     def test_merge_xperm_same_op(self):
+         """Test merging two AVs that contain xperms with same operation"""
+@@ -222,7 +222,7 @@ class TestAccessVector(unittest.TestCase):
+         a.merge(b)
+         self.assertEqual(list(a.perms), ["read"])
+         self.assertEqual(list(a.xperms.keys()), ["ioctl"])
+-        self.assertEqual(a.xperms["ioctl"].to_string(), "{ 23 42 12345 }")
++        self.assertEqual(a.xperms["ioctl"].to_string(), "{ 0x17 0x2a 0x3039 }")
+ 
+ class TestUtilFunctions(unittest.TestCase):
+     def test_is_idparam(self):
+diff --git a/python/sepolgen/tests/test_refpolicy.py b/python/sepolgen/tests/test_refpolicy.py
+index 4b50c8aada96..c7219fd568e9 100644
+--- a/python/sepolgen/tests/test_refpolicy.py
++++ b/python/sepolgen/tests/test_refpolicy.py
+@@ -90,17 +90,17 @@ class TestXpermSet(unittest.TestCase):
+         a.complement = True
+         self.assertEqual(a.to_string(), "")
+         a.add(1234)
+-        self.assertEqual(a.to_string(), "~ 1234")
++        self.assertEqual(a.to_string(), "~ 0x4d2")
+         a.complement = False
+-        self.assertEqual(a.to_string(), "1234")
++        self.assertEqual(a.to_string(), "0x4d2")
+         a.add(2345)
+-        self.assertEqual(a.to_string(), "{ 1234 2345 }")
++        self.assertEqual(a.to_string(), "{ 0x4d2 0x929 }")
+         a.complement = True
+-        self.assertEqual(a.to_string(), "~ { 1234 2345 }")
++        self.assertEqual(a.to_string(), "~ { 0x4d2 0x929 }")
+         a.add(42,64)
+-        self.assertEqual(a.to_string(), "~ { 42-64 1234 2345 }")
++        self.assertEqual(a.to_string(), "~ { 0x2a-0x40 0x4d2 0x929 }")
+         a.complement = False
+-        self.assertEqual(a.to_string(), "{ 42-64 1234 2345 }")
++        self.assertEqual(a.to_string(), "{ 0x2a-0x40 0x4d2 0x929 }")
+ 
+ class TestSecurityContext(unittest.TestCase):
+     def test_init(self):
+-- 
+2.29.0
+

0005-sepolgen-sort-extended-rules-like-normal-ones.patch

@@ -0,0 +1,109 @@
+From 2a60de8eca6bd91e276b60441a5dc72d85c6eda3 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
+Date: Wed, 19 Aug 2020 17:05:34 +0200
+Subject: [PATCH] sepolgen: sort extended rules like normal ones
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Currently:
+
+    #============= sshd_t ==============
+
+    #!!!! This avc is allowed in the current policy
+    #!!!! This av rule may have been overridden by an extended permission av rule
+    allow sshd_t ptmx_t:chr_file ioctl;
+
+    #!!!! This avc is allowed in the current policy
+    #!!!! This av rule may have been overridden by an extended permission av rule
+    allow sshd_t sshd_devpts_t:chr_file ioctl;
+
+    #!!!! This avc is allowed in the current policy
+    #!!!! This av rule may have been overridden by an extended permission av rule
+    allow sshd_t user_devpts_t:chr_file ioctl;
+
+    #============= user_t ==============
+
+    #!!!! This avc is allowed in the current policy
+    #!!!! This av rule may have been overridden by an extended permission av rule
+    allow user_t devtty_t:chr_file ioctl;
+
+    #!!!! This avc is allowed in the current policy
+    #!!!! This av rule may have been overridden by an extended permission av rule
+    allow user_t user_devpts_t:chr_file ioctl;
+    allowxperm sshd_t ptmx_t:chr_file ioctl { 0x5430-0x5431 0x5441 };
+    allowxperm sshd_t sshd_devpts_t:chr_file ioctl 0x5401;
+    allowxperm sshd_t user_devpts_t:chr_file ioctl { 0x5401-0x5402 0x540e };
+    allowxperm user_t user_devpts_t:chr_file ioctl { 0x4b33 0x5401 0x5403 0x540a 0x540f-0x5410 0x5413-0x5414 };
+    allowxperm user_t devtty_t:chr_file ioctl 0x4b33;
+
+Changed:
+
+    #============= sshd_t ==============
+
+    #!!!! This avc is allowed in the current policy
+    #!!!! This av rule may have been overridden by an extended permission av rule
+    allow sshd_t ptmx_t:chr_file ioctl;
+    allowxperm sshd_t ptmx_t:chr_file ioctl { 0x5430-0x5431 0x5441 };
+
+    #!!!! This avc is allowed in the current policy
+    #!!!! This av rule may have been overridden by an extended permission av rule
+    allow sshd_t sshd_devpts_t:chr_file ioctl;
+    allowxperm sshd_t sshd_devpts_t:chr_file ioctl 0x5401;
+
+    #!!!! This avc is allowed in the current policy
+    #!!!! This av rule may have been overridden by an extended permission av rule
+    allow sshd_t user_devpts_t:chr_file ioctl;
+    allowxperm sshd_t user_devpts_t:chr_file ioctl { 0x5401-0x5402 0x540e };
+
+    #============= user_t ==============
+
+    #!!!! This avc is allowed in the current policy
+    #!!!! This av rule may have been overridden by an extended permission av rule
+    allow user_t devtty_t:chr_file ioctl;
+    allowxperm user_t devtty_t:chr_file ioctl 0x4b33;
+
+    #!!!! This avc is allowed in the current policy
+    #!!!! This av rule may have been overridden by an extended permission av rule
+    allow user_t user_devpts_t:chr_file ioctl;
+    allowxperm user_t user_devpts_t:chr_file ioctl { 0x4b33 0x5401 0x5403 0x540a 0x540f-0x5410 0x5413-0x5414 };
+
+Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
+Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
+---
+ python/sepolgen/src/sepolgen/output.py | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/python/sepolgen/src/sepolgen/output.py b/python/sepolgen/src/sepolgen/output.py
+index 3a21b64c19f7..aeeaafc889e7 100644
+--- a/python/sepolgen/src/sepolgen/output.py
++++ b/python/sepolgen/src/sepolgen/output.py
+@@ -84,7 +84,7 @@ def avrule_cmp(a, b):
+         return ret
+ 
+     # At this point, who cares - just return something
+-    return cmp(len(a.perms), len(b.perms))
++    return 0
+ 
+ # Compare two interface calls
+ def ifcall_cmp(a, b):
+@@ -100,7 +100,7 @@ def rule_cmp(a, b):
+         else:
+             return id_set_cmp([a.args[0]], b.src_types)
+     else:
+-        if isinstance(b, refpolicy.AVRule):
++        if isinstance(b, refpolicy.AVRule) or isinstance(b, refpolicy.AVExtRule):
+             return avrule_cmp(a,b)
+         else:
+             return id_set_cmp(a.src_types, [b.args[0]])
+@@ -130,6 +130,7 @@ def sort_filter(module):
+         # we assume is the first argument for interfaces).
+         rules = []
+         rules.extend(node.avrules())
++        rules.extend(node.avextrules())
+         rules.extend(node.interface_calls())
+         rules.sort(key=util.cmp_to_key(rule_cmp))
+ 
+-- 
+2.29.0
+

0006-newrole-support-cross-compilation-with-PAM-and-audit.patch

@@ -0,0 +1,32 @@
+From 8bc865e1fe8f6f734b7306441ccbeec3b7c37f97 Mon Sep 17 00:00:00 2001
+From: Dominick Grift <dominick.grift@defensec.nl>
+Date: Tue, 1 Sep 2020 18:16:41 +0200
+Subject: [PATCH] newrole: support cross-compilation with PAM and audit
+
+Compilation of newrole with PAM and audit support currently requires that you have the respective headers installed on the host. Instead make the header location customizable to accomodate cross-compilation.
+
+Signed-off-by: Dominick Grift <dominick.grift@defensec.nl>
+Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
+---
+ policycoreutils/newrole/Makefile | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/policycoreutils/newrole/Makefile b/policycoreutils/newrole/Makefile
+index 73ebd413da85..0e7ebce3dd56 100644
+--- a/policycoreutils/newrole/Makefile
++++ b/policycoreutils/newrole/Makefile
+@@ -5,8 +5,9 @@ BINDIR ?= $(PREFIX)/bin
+ MANDIR ?= $(PREFIX)/share/man
+ ETCDIR ?= /etc
+ LOCALEDIR = $(DESTDIR)$(PREFIX)/share/locale
+-PAMH ?= $(shell test -f /usr/include/security/pam_appl.h && echo y)
+-AUDITH ?= $(shell test -f /usr/include/libaudit.h && echo y)
++INCLUDEDIR ?= $(PREFIX)/include
++PAMH ?= $(shell test -f $(INCLUDEDIR)/security/pam_appl.h && echo y)
++AUDITH ?= $(shell test -f $(INCLUDEDIR)/libaudit.h && echo y)
+ # Enable capabilities to permit newrole to generate audit records.
+ # This will make newrole a setuid root program.
+ # The capabilities used are: CAP_AUDIT_WRITE.
+-- 
+2.29.0
+

0007-sandbox-add-reset-to-Xephyr-as-it-works-better-with-.patch

@@ -1,4 +1,4 @@
-From 269d3c64978af8053a84ecc54ab2adb7ee481d10 Mon Sep 17 00:00:00 2001
+From ea624dcc70d93867f23b94c368b8cf102269c13b Mon Sep 17 00:00:00 2001
 From: Petr Lautrbach <plautrba@redhat.com>
 Date: Thu, 20 Aug 2015 12:58:41 +0200
 Subject: [PATCH] sandbox: add -reset to Xephyr as it works better with it in
@@ -22,5 +22,5 @@ index eaa500d08143..4774528027ef 100644
      cat > ~/seremote << __EOF
  #!/bin/sh
 -- 
-2.23.0
+2.29.0
 

0008-Fix-STANDARD_FILE_CONTEXT-section-in-man-pages.patch

@@ -1,4 +1,4 @@
-From f8714034d527c1eb6bd698abcfd8f02d1542f648 Mon Sep 17 00:00:00 2001
+From 932c1244bc98d3a05a238f3f0b333cf8c429113b Mon Sep 17 00:00:00 2001
 From: Dan Walsh <dwalsh@redhat.com>
 Date: Mon, 21 Apr 2014 13:54:40 -0400
 Subject: [PATCH] Fix STANDARD_FILE_CONTEXT section in man pages
@@ -9,7 +9,7 @@ Signed-off-by: Miroslav Grepl <mgrepl@redhat.com>
  1 file changed, 5 insertions(+), 2 deletions(-)
 
 diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py
-index 442608191cc8..2ee9e37fde9f 100755
+index 3e8a3be907e3..a1d70623cff0 100755
 --- a/python/sepolicy/sepolicy/manpage.py
 +++ b/python/sepolicy/sepolicy/manpage.py
 @@ -735,10 +735,13 @@ Default Defined Ports:""")
@@ -42,5 +42,5 @@ index 442608191cc8..2ee9e37fde9f 100755
          self.fd.write(r"""
  .I The following file types are defined for %(domainname)s:
 -- 
-2.23.0
+2.29.0
 

0009-If-there-is-no-executable-we-don-t-want-to-print-a-p.patch

@@ -1,4 +1,4 @@
-From 73cfd014130f4a37b1db29d5a7b840bf414e8f19 Mon Sep 17 00:00:00 2001
+From ae3780eb560fa5f00a3dd591c8233c2a9068a348 Mon Sep 17 00:00:00 2001
 From: Miroslav Grepl <mgrepl@redhat.com>
 Date: Mon, 12 May 2014 14:11:22 +0200
 Subject: [PATCH] If there is no executable we don't want to print a part of
@@ -9,7 +9,7 @@ Subject: [PATCH] If there is no executable we don't want to print a part of
  1 file changed, 2 insertions(+), 1 deletion(-)
 
 diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py
-index 2ee9e37fde9f..ec17fb145375 100755
+index a1d70623cff0..2d33eabb2536 100755
 --- a/python/sepolicy/sepolicy/manpage.py
 +++ b/python/sepolicy/sepolicy/manpage.py
 @@ -793,7 +793,8 @@ SELinux %(domainname)s policy is very flexible allowing users to setup their %(d
@@ -23,5 +23,5 @@ index 2ee9e37fde9f..ec17fb145375 100755
  .B STANDARD FILE CONTEXT
  
 -- 
-2.23.0
+2.29.0
 

0010-Simplication-of-sepolicy-manpage-web-functionality.-.patch

@@ -1,4 +1,4 @@
-From 66766a7298065ae60819355f2b515fe3fcc248e3 Mon Sep 17 00:00:00 2001
+From 7d21b9f41c4d00f1e0499a64089a5e13a8f636ab Mon Sep 17 00:00:00 2001
 From: Miroslav Grepl <mgrepl@redhat.com>
 Date: Thu, 19 Feb 2015 17:45:15 +0100
 Subject: [PATCH] Simplication of sepolicy-manpage web functionality.
@@ -49,7 +49,7 @@ index e4540977d042..ad718797ca68 100644
  
  def reinit():
 diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py
-index ec17fb145375..8c529ddb07cd 100755
+index 2d33eabb2536..acc77f368d95 100755
 --- a/python/sepolicy/sepolicy/manpage.py
 +++ b/python/sepolicy/sepolicy/manpage.py
 @@ -149,10 +149,6 @@ def prettyprint(f, trim):
@@ -165,5 +165,5 @@ index ec17fb145375..8c529ddb07cd 100755
              if len(self.manpage_roles[letter]):
                  fd.write("""
 -- 
-2.23.0
+2.29.0
 

0011-We-want-to-remove-the-trailing-newline-for-etc-syste.patch

@@ -1,4 +1,4 @@
-From 59d6989beb341fb17f87b270e4fc8d55351d3a51 Mon Sep 17 00:00:00 2001
+From f0f030495dddb2e633403f360fdaaf6951da11ad Mon Sep 17 00:00:00 2001
 From: Miroslav Grepl <mgrepl@redhat.com>
 Date: Fri, 20 Feb 2015 16:42:01 +0100
 Subject: [PATCH] We want to remove the trailing newline for
@@ -22,5 +22,5 @@ index ad718797ca68..ea05d892bf3b 100644
          system_release = "Misc"
  
 -- 
-2.23.0
+2.29.0
 

0012-Fix-title-in-manpage.py-to-not-contain-online.patch

@@ -1,4 +1,4 @@
-From 600fda8edf440acc3e5b32a31a044b16d65cbef9 Mon Sep 17 00:00:00 2001
+From 4a18939d21c06d036f1063cbfd2d0b5ae9d0010f Mon Sep 17 00:00:00 2001
 From: Miroslav Grepl <mgrepl@redhat.com>
 Date: Fri, 20 Feb 2015 16:42:53 +0100
 Subject: [PATCH] Fix title in manpage.py to not contain 'online'.
@@ -8,7 +8,7 @@ Subject: [PATCH] Fix title in manpage.py to not contain 'online'.
  1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py
-index 8c529ddb07cd..10e2c1745f8b 100755
+index acc77f368d95..4aeb3e2e51ba 100755
 --- a/python/sepolicy/sepolicy/manpage.py
 +++ b/python/sepolicy/sepolicy/manpage.py
 @@ -220,7 +220,7 @@ class HTMLManPages:
@@ -21,5 +21,5 @@ index 8c529ddb07cd..10e2c1745f8b 100755
  <body>
  <h1>SELinux man pages for %s</h1>
 -- 
-2.23.0
+2.29.0
 

0013-Don-t-be-verbose-if-you-are-not-on-a-tty.patch

@@ -1,4 +1,4 @@
-From b45d202d954bad6cd4e96fe22d35677717e5eff9 Mon Sep 17 00:00:00 2001
+From ffe429b49874175f5ec1156e9c89e75cc67a0ddd Mon Sep 17 00:00:00 2001
 From: Dan Walsh <dwalsh@redhat.com>
 Date: Fri, 14 Feb 2014 12:32:12 -0500
 Subject: [PATCH] Don't be verbose if you are not on a tty
@@ -8,7 +8,7 @@ Subject: [PATCH] Don't be verbose if you are not on a tty
  1 file changed, 1 insertion(+)
 
 diff --git a/policycoreutils/scripts/fixfiles b/policycoreutils/scripts/fixfiles
-index 5d7770348349..fd43aab0cb6a 100755
+index 30dadb4f4cb6..e73bb81c3336 100755
 --- a/policycoreutils/scripts/fixfiles
 +++ b/policycoreutils/scripts/fixfiles
 @@ -108,6 +108,7 @@ exclude_dirs_from_relabelling() {
@@ -20,5 +20,5 @@ index 5d7770348349..fd43aab0cb6a 100755
  RPMFILES=""
  PREFC=""
 -- 
-2.23.0
+2.29.0
 

0014-sepolicy-Drop-old-interface-file_type_is_executable-.patch

@@ -1,4 +1,4 @@
-From 61fcb9e5af82482d79c9e9edacb1a7f30686ee4a Mon Sep 17 00:00:00 2001
+From 4a337405da16857dc2a979e4b4963a6fd7b975c6 Mon Sep 17 00:00:00 2001
 From: Petr Lautrbach <plautrba@redhat.com>
 Date: Mon, 27 Feb 2017 17:12:39 +0100
 Subject: [PATCH] sepolicy: Drop old interface file_type_is_executable(f) and
@@ -11,7 +11,7 @@ Subject: [PATCH] sepolicy: Drop old interface file_type_is_executable(f) and
  1 file changed, 20 insertions(+), 2 deletions(-)
 
 diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py
-index 10e2c1745f8b..9a4b24743aca 100755
+index 4aeb3e2e51ba..330b055af214 100755
 --- a/python/sepolicy/sepolicy/manpage.py
 +++ b/python/sepolicy/sepolicy/manpage.py
 @@ -125,8 +125,24 @@ def gen_domains():
@@ -59,5 +59,5 @@ index 10e2c1745f8b..9a4b24743aca 100755
                  if f in self.fcdict:
                      mpaths = mpaths + self.fcdict[f]["regex"]
 -- 
-2.23.0
+2.29.0
 

0015-sepolicy-Another-small-optimization-for-mcs-types.patch

@@ -1,4 +1,4 @@
-From 15d2491e3c455f740a20eaf93f2c6a9b89e79d7a Mon Sep 17 00:00:00 2001
+From 7c315fff5e7ce74b0598b62d9aa0b21ca6b06b6d Mon Sep 17 00:00:00 2001
 From: Petr Lautrbach <plautrba@redhat.com>
 Date: Tue, 28 Feb 2017 21:29:46 +0100
 Subject: [PATCH] sepolicy: Another small optimization for mcs types
@@ -8,7 +8,7 @@ Subject: [PATCH] sepolicy: Another small optimization for mcs types
  1 file changed, 11 insertions(+), 5 deletions(-)
 
 diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py
-index 9a4b24743aca..736ae13b0524 100755
+index 330b055af214..f8584436960d 100755
 --- a/python/sepolicy/sepolicy/manpage.py
 +++ b/python/sepolicy/sepolicy/manpage.py
 @@ -142,6 +142,15 @@ def _gen_entry_types():
@@ -49,5 +49,5 @@ index 9a4b24743aca..736ae13b0524 100755
          self.fd.write ("""
  .SH "MCS Constrained"
 -- 
-2.23.0
+2.29.0
 

0016-Move-po-translation-files-into-the-right-sub-directo.patch

@@ -1,4 +1,4 @@
-From 8e02b757f90827f4e850b732ccea32c2897036a8 Mon Sep 17 00:00:00 2001
+From a07e9652785c6196d916dfca3d36c898959406b4 Mon Sep 17 00:00:00 2001
 From: Petr Lautrbach <plautrba@redhat.com>
 Date: Mon, 6 Aug 2018 13:23:00 +0200
 Subject: [PATCH] Move po/ translation files into the right sub-directories
@@ -511,5 +511,5 @@ index 000000000000..deff3f2f4656
 @@ -0,0 +1 @@
 +../sandbox
 -- 
-2.23.0
+2.29.0
 

0017-Use-correct-gettext-domains-in-python-gui-sandbox.patch

@@ -1,4 +1,4 @@
-From c19dde7c189cba536d79331baff24d987b3fae4d Mon Sep 17 00:00:00 2001
+From eab0fc05a38ab2cd47b3e0ff69981850cc7cd538 Mon Sep 17 00:00:00 2001
 From: Petr Lautrbach <plautrba@redhat.com>
 Date: Mon, 6 Aug 2018 13:37:07 +0200
 Subject: [PATCH] Use correct gettext domains in python/ gui/ sandbox/
@@ -302,5 +302,5 @@ index ca5f1e030a51..16c43b51eaaa 100644
      import gettext
      kwargs = {}
 -- 
-2.26.2
+2.29.0
 

0018-Initial-.pot-files-for-gui-python-sandbox.patch

@@ -1,4 +1,4 @@
-From 8384f31cdcf0afd2b13f93f4e8bc42254b4b7928 Mon Sep 17 00:00:00 2001
+From ffca591cb3055c4962cdc968662bd52bb876e640 Mon Sep 17 00:00:00 2001
 From: Petr Lautrbach <plautrba@redhat.com>
 Date: Mon, 6 Aug 2018 14:23:19 +0200
 Subject: [PATCH] Initial .pot files for gui/ python/ sandbox/
@@ -4528,5 +4528,5 @@ index 000000000000..328b4f0159d3
 +msgid "Invalid value %s"
 +msgstr ""
 -- 
-2.23.0
+2.29.0
 

0019-policycoreutils-setfiles-Improve-description-of-d-sw.patch

@@ -1,4 +1,4 @@
-From 38586b84c3bae778883e43d72700ef1491abae17 Mon Sep 17 00:00:00 2001
+From 4277ef04de699e1939c95c4813de6a78d1ea1656 Mon Sep 17 00:00:00 2001
 From: Vit Mojzis <vmojzis@redhat.com>
 Date: Wed, 21 Mar 2018 08:51:31 +0100
 Subject: [PATCH] policycoreutils/setfiles: Improve description of -d switch
@@ -26,5 +26,5 @@ index e328a5628682..02e0960289d3 100644
  .BI \-e \ directory
  directory to exclude (repeat option for more than one directory).
 -- 
-2.26.2
+2.29.0
 

0020-sepolicy-generate-Handle-more-reserved-port-types.patch

@@ -1,4 +1,4 @@
-From f2625885226a65df2b0d7f825bafe462a6454c49 Mon Sep 17 00:00:00 2001
+From fa94b0faf12a79158d971f363e8ec65227d67de3 Mon Sep 17 00:00:00 2001
 From: Masatake YAMATO <yamato@redhat.com>
 Date: Thu, 14 Dec 2017 15:57:58 +0900
 Subject: [PATCH] sepolicy-generate: Handle more reserved port types
@@ -52,7 +52,7 @@ https://lore.kernel.org/selinux/20150610.190635.1866127952891120915.yamato@redha
  1 file changed, 3 insertions(+), 1 deletion(-)
 
 diff --git a/python/sepolicy/sepolicy/generate.py b/python/sepolicy/sepolicy/generate.py
-index 744ee13f692d..a6309783e85e 100644
+index 43180ca6fda4..d60a08e1d72c 100644
 --- a/python/sepolicy/sepolicy/generate.py
 +++ b/python/sepolicy/sepolicy/generate.py
 @@ -99,7 +99,9 @@ def get_all_ports():
@@ -67,5 +67,5 @@ index 744ee13f692d..a6309783e85e 100644
          dict[(p['low'], p['high'], p['protocol'])] = (p['type'], p.get('range'))
      return dict
 -- 
-2.23.0
+2.29.0
 

0021-semodule-utils-Fix-RESOURCE_LEAK-coverity-scan-defec.patch

@@ -1,4 +1,4 @@
-From 6f510c03e54b0058b74fabae6489099f5369a957 Mon Sep 17 00:00:00 2001
+From 122e35c4d11b5b623e8bc463f81c6792385523cb Mon Sep 17 00:00:00 2001
 From: Petr Lautrbach <plautrba@redhat.com>
 Date: Thu, 8 Nov 2018 09:20:58 +0100
 Subject: [PATCH] semodule-utils: Fix RESOURCE_LEAK coverity scan defects
@@ -20,5 +20,5 @@ index 3515234e36de..7b75b3fd9bb4 100644
  	}
  
 -- 
-2.23.0
+2.29.0
 

0022-sandbox-Use-matchbox-window-manager-instead-of-openb.patch

@@ -1,4 +1,4 @@
-From 7afddf20e889731126fda14b2fa713a367d9dd84 Mon Sep 17 00:00:00 2001
+From e63814eb18bdbb48a7e6bf79b17d79d6a9ca56d6 Mon Sep 17 00:00:00 2001
 From: Petr Lautrbach <plautrba@redhat.com>
 Date: Wed, 18 Jul 2018 09:09:35 +0200
 Subject: [PATCH] sandbox: Use matchbox-window-manager instead of openbox
@@ -70,5 +70,5 @@ index 4774528027ef..c211ebc14549 100644
      export DISPLAY=:$D
      cat > ~/seremote << __EOF
 -- 
-2.23.0
+2.29.0
 

0023-sepolicy-Fix-flake8-warnings-in-Fedora-only-code.patch

@@ -0,0 +1,46 @@
+From b1f380c75f8a4ea7a4062d3735d190a1dcbc3aaa Mon Sep 17 00:00:00 2001
+From: Ondrej Mosnacek <omosnace@redhat.com>
+Date: Tue, 28 Jul 2020 14:37:13 +0200
+Subject: [PATCH] sepolicy: Fix flake8 warnings in Fedora-only code
+
+Fixes:
+$ PATH="$VIRTUAL_ENV/bin:$PATH" ./scripts/run-flake8
+Analyzing 187 Python scripts
+./installdir/usr/lib/python3.8/site-packages/sepolicy/manpage.py:720:20: E713 test for membership should be 'not in'
+./installdir/usr/lib/python3.8/site-packages/sepolicy/manpage.py:774:17: E117 over-indented
+./python/sepolicy/build/lib/sepolicy/manpage.py:720:20: E713 test for membership should be 'not in'
+./python/sepolicy/build/lib/sepolicy/manpage.py:774:17: E117 over-indented
+./python/sepolicy/sepolicy/manpage.py:720:20: E713 test for membership should be 'not in'
+./python/sepolicy/sepolicy/manpage.py:774:17: E117 over-indented
+The command "PATH="$VIRTUAL_ENV/bin:$PATH" ./scripts/run-flake8" exited with 1.
+
+Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
+---
+ python/sepolicy/sepolicy/manpage.py | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py
+index f8584436960d..6a3e08fca58c 100755
+--- a/python/sepolicy/sepolicy/manpage.py
++++ b/python/sepolicy/sepolicy/manpage.py
+@@ -717,7 +717,7 @@ Default Defined Ports:""")
+         for f in self.all_file_types:
+             if f.startswith(self.domainname):
+                 flist.append(f)
+-                if not f in self.exec_types or not f in self.entry_types:
++                if f not in self.exec_types or f not in self.entry_types:
+                     flist_non_exec.append(f)
+                 if f in self.fcdict:
+                     mpaths = mpaths + self.fcdict[f]["regex"]
+@@ -771,7 +771,7 @@ SELinux %(domainname)s policy is very flexible allowing users to setup their %(d
+ """ % {'domainname': self.domainname, 'equiv': e, 'alt': e.split('/')[-1]})
+ 
+         if flist_non_exec:
+-                self.fd.write(r"""
++            self.fd.write(r"""
+ .PP
+ .B STANDARD FILE CONTEXT
+ 
+-- 
+2.29.0
+

policycoreutils.spec

@@ -1,8 +1,8 @@
 %global libauditver     3.0
-%global libsepolver     3.1
-%global libsemanagever  3.1
-%global libselinuxver   3.1
-%global sepolgenver     3.1
+%global libsepolver     3.1-4
+%global libsemanagever  3.1-4
+%global libselinuxver   3.1-4
+%global sepolgenver     3.1-4
 
 %global generatorsdir %{_prefix}/lib/systemd/system-generators
 
@@ -12,7 +12,7 @@
 Summary: SELinux policy core utilities
 Name:    policycoreutils
 Version: 3.1
-Release: 4%{?dist}
+Release: 5%{?dist}
 License: GPLv2
 # https://github.com/SELinuxProject/selinux/wiki/Releases
 Source0: https://github.com/SELinuxProject/selinux/releases/download/20200710/policycoreutils-3.1.tar.gz
@@ -38,22 +38,29 @@ Source23: sandbox-po.tgz
 # $ git format-patch -N 20200710 -- policycoreutils python gui sandbox dbus semodule-utils restorecond
 # $ for j in [0-9]*.patch; do printf "Patch%s: %s\n" ${j/-*/} $j; done
 # Patch list start
-Patch0001: 0001-sandbox-add-reset-to-Xephyr-as-it-works-better-with-.patch
-Patch0002: 0002-Fix-STANDARD_FILE_CONTEXT-section-in-man-pages.patch
-Patch0003: 0003-If-there-is-no-executable-we-don-t-want-to-print-a-p.patch
-Patch0004: 0004-Simplication-of-sepolicy-manpage-web-functionality.-.patch
-Patch0005: 0005-We-want-to-remove-the-trailing-newline-for-etc-syste.patch
-Patch0006: 0006-Fix-title-in-manpage.py-to-not-contain-online.patch
-Patch0007: 0007-Don-t-be-verbose-if-you-are-not-on-a-tty.patch
-Patch0008: 0008-sepolicy-Drop-old-interface-file_type_is_executable-.patch
-Patch0009: 0009-sepolicy-Another-small-optimization-for-mcs-types.patch
-Patch0010: 0010-Move-po-translation-files-into-the-right-sub-directo.patch
-Patch0011: 0011-Use-correct-gettext-domains-in-python-gui-sandbox.patch
-Patch0012: 0012-Initial-.pot-files-for-gui-python-sandbox.patch
-Patch0013: 0013-policycoreutils-setfiles-Improve-description-of-d-sw.patch
-Patch0014: 0014-sepolicy-generate-Handle-more-reserved-port-types.patch
-Patch0015: 0015-semodule-utils-Fix-RESOURCE_LEAK-coverity-scan-defec.patch
-Patch0016: 0016-sandbox-Use-matchbox-window-manager-instead-of-openb.patch
+Patch0001: 0001-python-audit2allow-add-include-limits.h-to-sepolgen-.patch
+Patch0002: 0002-restorecond-Set-X-GNOME-HiddenUnderSystemd-true-in-r.patch
+Patch0003: 0003-fixfiles-correctly-restore-context-of-mountpoints.patch
+Patch0004: 0004-sepolgen-print-extended-permissions-in-hexadecimal.patch
+Patch0005: 0005-sepolgen-sort-extended-rules-like-normal-ones.patch
+Patch0006: 0006-newrole-support-cross-compilation-with-PAM-and-audit.patch
+Patch0007: 0007-sandbox-add-reset-to-Xephyr-as-it-works-better-with-.patch
+Patch0008: 0008-Fix-STANDARD_FILE_CONTEXT-section-in-man-pages.patch
+Patch0009: 0009-If-there-is-no-executable-we-don-t-want-to-print-a-p.patch
+Patch0010: 0010-Simplication-of-sepolicy-manpage-web-functionality.-.patch
+Patch0011: 0011-We-want-to-remove-the-trailing-newline-for-etc-syste.patch
+Patch0012: 0012-Fix-title-in-manpage.py-to-not-contain-online.patch
+Patch0013: 0013-Don-t-be-verbose-if-you-are-not-on-a-tty.patch
+Patch0014: 0014-sepolicy-Drop-old-interface-file_type_is_executable-.patch
+Patch0015: 0015-sepolicy-Another-small-optimization-for-mcs-types.patch
+Patch0016: 0016-Move-po-translation-files-into-the-right-sub-directo.patch
+Patch0017: 0017-Use-correct-gettext-domains-in-python-gui-sandbox.patch
+Patch0018: 0018-Initial-.pot-files-for-gui-python-sandbox.patch
+Patch0019: 0019-policycoreutils-setfiles-Improve-description-of-d-sw.patch
+Patch0020: 0020-sepolicy-generate-Handle-more-reserved-port-types.patch
+Patch0021: 0021-semodule-utils-Fix-RESOURCE_LEAK-coverity-scan-defec.patch
+Patch0022: 0022-sandbox-Use-matchbox-window-manager-instead-of-openb.patch
+Patch0023: 0023-sepolicy-Fix-flake8-warnings-in-Fedora-only-code.patch
 # Patch list end
 
 Obsoletes: policycoreutils < 2.0.61-2
@@ -68,7 +75,7 @@ BuildRequires: pam-devel libsepol-static >= %{libsepolver} libsemanage-static >=
 BuildRequires: desktop-file-utils dbus-devel dbus-glib-devel
 BuildRequires: python3-devel
 BuildRequires: systemd
-BuildRequires: git
+BuildRequires: git-core
 Requires: util-linux grep gawk diffutils rpm sed
 Requires: libsepol >= %{libsepolver} coreutils libselinux-utils >=  %{libselinuxver}
 
@@ -531,6 +538,12 @@ The policycoreutils-restorecond package contains the restorecond service.
 %systemd_postun_with_restart restorecond.service
 
 %changelog
+* Fri Oct 30 2020 Petr Lautrbach <plautrba@redhat.com> - 3.1-5
+- Build with libsepol.so.1 and libsemanage.so.2
+- Set X-GNOME-HiddenUnderSystemd=true in restorecond.desktop file
+- fixfiles: correctly restore context of mountpoints
+- sepolgen: print extended permissions in hexadecimal
+
 * Sat Aug 01 2020 Fedora Release Engineering <releng@fedoraproject.org> - 3.1-4
 - Second attempt - Rebuilt for
   https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild