* Thu May 27 2010 Dan Walsh <dwalsh@redhat.com> 2.0.82-24

- Man page fixes
- sandbox fixes
Resolves: #595796
- Move seunshare to base package
This commit is contained in:
Daniel J Walsh 2010-05-27 21:23:08 +00:00
parent be45950990
commit 829762e693
10 changed files with 80190 additions and 83772 deletions


@ -214,3 +214,9 @@ policycoreutils-2.0.77.tgz
policycoreutils-2.0.78.tgz policycoreutils-2.0.78.tgz
sepolgen-1.0.19.tgz sepolgen-1.0.19.tgz
policycoreutils-2.0.79.tgz policycoreutils-2.0.79.tgz
policycoreutils-2.0.80.tgz
policycoreutils-2.0.81.tgz
sepolgen-1.0.20.tgz
sepolgen-1.0.22.tgz
policycoreutils-2.0.82.tgz
sepolgen-1.0.23.tgz





@ -1,6 +1,6 @@
diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/access.py policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/access.py diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/access.py policycoreutils-2.0.82/sepolgen-1.0.23/src/sepolgen/access.py
--- nsasepolgen/src/sepolgen/access.py 2009-05-18 13:53:14.000000000 -0400 --- nsasepolgen/src/sepolgen/access.py 2010-05-19 14:45:51.000000000 -0400
+++ policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/access.py 2009-12-08 17:05:49.000000000 -0500 +++ policycoreutils-2.0.82/sepolgen-1.0.23/src/sepolgen/access.py 2010-04-28 17:12:20.000000000 -0400
@@ -32,6 +32,7 @@ @@ -32,6 +32,7 @@
""" """
@ -18,15 +18,6 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/access.py policyco
# The direction of the information flow represented by this # The direction of the information flow represented by this
# access vector - used for matching # access vector - used for matching
@@ -127,7 +130,7 @@
return self.to_string()
def to_string(self):
- return "allow %s %s : %s %s;" % (self.src_type, self.tgt_type,
+ return "allow %s %s:%s %s;" % (self.src_type, self.tgt_type,
self.obj_class, self.perms.to_space_str())
def __cmp__(self, other):
@@ -253,20 +256,22 @@ @@ -253,20 +256,22 @@
for av in l: for av in l:
self.add_av(AccessVector(av)) self.add_av(AccessVector(av))
@ -54,38 +45,10 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/access.py policyco
access.perms.update(perms) access.perms.update(perms)
if audit_msg: if audit_msg:
diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/audit.py policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/audit.py diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/audit.py policycoreutils-2.0.82/sepolgen-1.0.23/src/sepolgen/audit.py
--- nsasepolgen/src/sepolgen/audit.py 2009-12-01 15:46:50.000000000 -0500 --- nsasepolgen/src/sepolgen/audit.py 2010-05-19 14:45:51.000000000 -0400
+++ policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/audit.py 2010-01-06 09:52:35.000000000 -0500 +++ policycoreutils-2.0.82/sepolgen-1.0.23/src/sepolgen/audit.py 2010-04-28 17:12:20.000000000 -0400
@@ -23,6 +23,27 @@ @@ -68,6 +68,17 @@
# Convenience functions
+def get_audit_boot_msgs():
+ """Obtain all of the avc and policy load messages from the audit
+ log. This function uses ausearch and requires that the current
+ process have sufficient rights to run ausearch.
+
+ Returns:
+ string contain all of the audit messages returned by ausearch.
+ """
+ import subprocess
+ import time
+ fd=open("/proc/uptime", "r")
+ off=float(fd.read().split()[0])
+ fd.close
+ s = time.localtime(time.time() - off)
+ date = time.strftime("%D/%Y", s).split("/")
+ bootdate="%s/%s/%s" % (date[0], date[1], date[3])
+ boottime = time.strftime("%X", s)
+ output = subprocess.Popen(["/sbin/ausearch", "-m", "AVC,USER_AVC,MAC_POLICY_LOAD,DAEMON_START,SELINUX_ERR", "-ts", bootdate, boottime],
+ stdout=subprocess.PIPE).communicate()[0]
+ return output
+
def get_audit_msgs():
"""Obtain all of the avc and policy load messages from the audit
log. This function uses ausearch and requires that the current
@@ -47,6 +68,17 @@
stdout=subprocess.PIPE).communicate()[0] stdout=subprocess.PIPE).communicate()[0]
return output return output
@ -103,7 +66,7 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/audit.py policycor
# Classes representing audit messages # Classes representing audit messages
class AuditMessage: class AuditMessage:
@@ -106,6 +138,9 @@ @@ -127,6 +138,9 @@
if fields[0] == "path": if fields[0] == "path":
self.path = fields[1][1:-1] self.path = fields[1][1:-1]
return return
@ -113,7 +76,7 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/audit.py policycor
class AVCMessage(AuditMessage): class AVCMessage(AuditMessage):
"""AVC message representing an access denial or granted message. """AVC message representing an access denial or granted message.
@@ -146,6 +181,8 @@ @@ -167,6 +181,8 @@
self.path = "" self.path = ""
self.accesses = [] self.accesses = []
self.denial = True self.denial = True
@ -122,7 +85,7 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/audit.py policycor
def __parse_access(self, recs, start): def __parse_access(self, recs, start):
# This is kind of sucky - the access that is in a space separated # This is kind of sucky - the access that is in a space separated
@@ -205,7 +242,31 @@ @@ -226,7 +242,31 @@
if not found_src or not found_tgt or not found_class or not found_access: if not found_src or not found_tgt or not found_class or not found_access:
raise ValueError("AVC message in invalid format [%s]\n" % self.message) raise ValueError("AVC message in invalid format [%s]\n" % self.message)
@ -138,7 +101,7 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/audit.py policycor
+ else: + else:
+ self.type, self.bools = audit2why.analyze(scontext, tcontext, self.tclass, self.accesses); + self.type, self.bools = audit2why.analyze(scontext, tcontext, self.tclass, self.accesses);
+ if self.type == audit2why.NOPOLICY: + if self.type == audit2why.NOPOLICY:
+ raise ValueError("Must call policy_init first") + self.type = audit2why.TERULE
+ if self.type == audit2why.BADTCON: + if self.type == audit2why.BADTCON:
+ raise ValueError("Invalid Target Context %s\n" % tcontext) + raise ValueError("Invalid Target Context %s\n" % tcontext)
+ if self.type == audit2why.BADSCON: + if self.type == audit2why.BADSCON:
@ -149,39 +112,13 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/audit.py policycor
+ raise ValueError("Invalid permission %s\n" % " ".join(self.accesses)) + raise ValueError("Invalid permission %s\n" % " ".join(self.accesses))
+ if self.type == audit2why.BADCOMPUTE: + if self.type == audit2why.BADCOMPUTE:
+ raise ValueError("Error during access vector computation") + raise ValueError("Error during access vector computation")
+ +
+ avcdict[(scontext, tcontext, self.tclass, access_tuple)] = (self.type, self.bools) + avcdict[(scontext, tcontext, self.tclass, access_tuple)] = (self.type, self.bools)
+ +
class PolicyLoadMessage(AuditMessage): class PolicyLoadMessage(AuditMessage):
"""Audit message indicating that the policy was reloaded.""" """Audit message indicating that the policy was reloaded."""
def __init__(self, message): def __init__(self, message):
@@ -285,6 +346,9 @@ @@ -469,10 +509,10 @@
def __initialize(self):
self.avc_msgs = []
+ self.constraint_msgs = []
+ self.dontaudit_msgs = []
+ self.rbac_msgs = []
self.compute_sid_msgs = []
self.invalid_msgs = []
self.policy_load_msgs = []
@@ -314,7 +378,7 @@
elif i == "security_compute_sid:":
msg = ComputeSidMessage(line)
found = True
- elif i == "type=MAC_POLICY_LOAD" or i == "type=1403":
+ elif i == "type=MAC_POLICY_LOAD":
msg = PolicyLoadMessage(line)
found = True
elif i == "type=AVC_PATH":
@@ -442,16 +506,17 @@
audit logs parsed by this object.
"""
av_set = access.AccessVectorSet()
+
for avc in self.avc_msgs:
if avc.denial != True and only_denials:
continue
if avc_filter: if avc_filter:
if avc_filter.filter(avc): if avc_filter.filter(avc):
av_set.add(avc.scontext.type, avc.tcontext.type, avc.tclass, av_set.add(avc.scontext.type, avc.tcontext.type, avc.tclass,
@ -194,15 +131,171 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/audit.py policycor
return av_set return av_set
class AVCTypeFilter: class AVCTypeFilter:
@@ -477,5 +542,3 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/defaults.py policycoreutils-2.0.82/sepolgen-1.0.23/src/sepolgen/defaults.py
if self.regex.match(avc.tcontext.type): --- nsasepolgen/src/sepolgen/defaults.py 2010-05-19 14:45:51.000000000 -0400
return True +++ policycoreutils-2.0.82/sepolgen-1.0.23/src/sepolgen/defaults.py 2010-04-28 17:12:20.000000000 -0400
return False @@ -30,6 +30,9 @@
- def interface_info():
- return data_dir() + "/interface_info"
diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/policygen.py policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/policygen.py
--- nsasepolgen/src/sepolgen/policygen.py 2008-09-12 11:48:15.000000000 -0400 +def attribute_info():
+++ policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/policygen.py 2010-01-08 09:33:54.000000000 -0500 + return data_dir() + "/attribute_info"
+
def refpolicy_devel():
return "/usr/share/selinux/devel"
diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/interfaces.py policycoreutils-2.0.82/sepolgen-1.0.23/src/sepolgen/interfaces.py
--- nsasepolgen/src/sepolgen/interfaces.py 2010-05-19 14:45:51.000000000 -0400
+++ policycoreutils-2.0.82/sepolgen-1.0.23/src/sepolgen/interfaces.py 2010-05-03 09:33:11.000000000 -0400
@@ -29,6 +29,8 @@
from sepolgeni18n import _
+import copy
+
class Param:
"""
Object representing a paramater for an interface.
@@ -197,10 +199,48 @@
ret = 1
return ret
-
+
+class AttributeVector:
+ def __init__(self):
+ self.name = ""
+ self.access = access.AccessVectorSet()
+
+ def add_av(self, av):
+ self.access.add_av(av)
+
+class AttributeSet:
+ def __init__(self):
+ self.attributes = { }
+
+ def add_attr(self, attr):
+ self.attributes[attr.name] = attr
+
+ def from_file(self, fd):
+ def parse_attr(line):
+ fields = line[1:-1].split()
+ if len(fields) != 2 or fields[0] != "Attribute":
+ raise SyntaxError("Syntax error Attribute statement %s" % line)
+ a = AttributeVector()
+ a.name = fields[1]
+
+ return a
+
+ a = None
+ for line in fd:
+ line = line[:-1]
+ if line[0] == "[":
+ if a:
+ self.add_attr(a)
+ a = parse_attr(line)
+ elif a:
+ l = line.split(",")
+ av = access.AccessVector(l)
+ a.add_av(av)
+ if a:
+ self.add_attr(a)
class InterfaceVector:
- def __init__(self, interface=None):
+ def __init__(self, interface=None, attributes={}):
# Enabled is a loose concept currently - we are essentially
# not enabling interfaces that we can't handle currently.
# See InterfaceVector.add_ifv for more information.
@@ -214,10 +254,10 @@
# value: Param object).
self.params = { }
if interface:
- self.from_interface(interface)
+ self.from_interface(interface, attributes)
self.expanded = False
- def from_interface(self, interface):
+ def from_interface(self, interface, attributes={}):
self.name = interface.name
# Add allow rules
@@ -232,6 +272,23 @@
for av in avs:
self.add_av(av)
+ # Add typeattribute access
+ if attributes != None:
+ for typeattribute in interface.typeattributes():
+ for attr in typeattribute.attributes:
+ if not attributes.attributes.has_key(attr):
+ # print "missing attribute " + attr
+ continue
+ attr_vec = attributes.attributes[attr]
+ for a in attr_vec.access:
+ av = copy.copy(a)
+ if av.src_type == attr_vec.name:
+ av.src_type = typeattribute.type
+ if av.tgt_type == attr_vec.name:
+ av.tgt_type = typeattribute.type
+ self.add_av(av)
+
+
# Extract paramaters from roles
for role in interface.roles():
if role_extract_params(role, self.params):
@@ -346,13 +403,13 @@
l = self.tgt_type_map.setdefault(type, [])
l.append(ifv)
- def add(self, interface):
- ifv = InterfaceVector(interface)
+ def add(self, interface, attributes={}):
+ ifv = InterfaceVector(interface, attributes)
self.add_ifv(ifv)
- def add_headers(self, headers, output=None):
+ def add_headers(self, headers, output=None, attributes={}):
for i in itertools.chain(headers.interfaces(), headers.templates()):
- self.add(i)
+ self.add(i, attributes)
self.expand_ifcalls(headers)
self.index()
diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/matching.py policycoreutils-2.0.82/sepolgen-1.0.23/src/sepolgen/matching.py
--- nsasepolgen/src/sepolgen/matching.py 2010-05-19 14:45:51.000000000 -0400
+++ policycoreutils-2.0.82/sepolgen-1.0.23/src/sepolgen/matching.py 2010-04-28 17:12:20.000000000 -0400
@@ -50,7 +50,7 @@
return 1
class MatchList:
- DEFAULT_THRESHOLD = 120
+ DEFAULT_THRESHOLD = 150
def __init__(self):
# Match objects that pass the threshold
self.children = []
@@ -63,14 +63,15 @@
def best(self):
if len(self.children):
return self.children[0]
- else:
- return None
+ if len(self.bastards):
+ return self.bastards[0]
+ return None
def __len__(self):
# Only return the length of the matches so
# that this can be used to test if there is
# a match.
- return len(self.children)
+ return len(self.children) + len(self.bastards)
def __iter__(self):
return iter(self.children)
diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/policygen.py policycoreutils-2.0.82/sepolgen-1.0.23/src/sepolgen/policygen.py
--- nsasepolgen/src/sepolgen/policygen.py 2010-05-19 14:45:51.000000000 -0400
+++ policycoreutils-2.0.82/sepolgen-1.0.23/src/sepolgen/policygen.py 2010-05-21 10:36:31.000000000 -0400
@@ -29,6 +29,8 @@ @@ -29,6 +29,8 @@
import access import access
import interfaces import interfaces
@ -212,27 +305,22 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/policygen.py polic
# Constants for the level of explanation from the generation # Constants for the level of explanation from the generation
# routines # routines
@@ -74,7 +76,7 @@ @@ -77,6 +79,7 @@
self.moduel = module
else: self.dontaudit = False
self.module = refpolicy.Module()
-
+ self.domains = None + self.domains = None
def set_gen_refpol(self, if_set=None, perm_maps=None): def set_gen_refpol(self, if_set=None, perm_maps=None):
"""Set whether reference policy interfaces are generated. """Set whether reference policy interfaces are generated.
@@ -141,15 +143,42 @@ @@ -151,9 +154,41 @@
"""Return the generated module""" rule = refpolicy.AVRule(av)
return self.module if self.dontaudit:
rule.rule_type = rule.DONTAUDIT
- def __add_allow_rules(self, avs):
+ def __add_allow_rules(self, avs, dontaudit):
for av in avs:
- rule = refpolicy.AVRule(av)
+ rule = refpolicy.AVRule(av, dontaudit=dontaudit)
+ rule.comment = "" + rule.comment = ""
if self.explain: if self.explain:
rule.comment = refpolicy.Comment(explain_access(av, verbosity=self.explain)) rule.comment = refpolicy.Comment(explain_access(av, verbosity=self.explain))
- self.module.children.append(rule)
+ if av.type == audit2why.ALLOW: + if av.type == audit2why.ALLOW:
+ rule.comment += "#!!!! This avc is allowed in the current policy\n" + rule.comment += "#!!!! This avc is allowed in the current policy\n"
+ if av.type == audit2why.DONTAUDIT: + if av.type == audit2why.DONTAUDIT:
@ -245,88 +333,170 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/policygen.py polic
+ +
+ if av.type == audit2why.CONSTRAINT: + if av.type == audit2why.CONSTRAINT:
+ rule.comment += "#!!!! This avc is a constraint violation. You will need to add an attribute to either the source or target type to make it work.\n" + rule.comment += "#!!!! This avc is a constraint violation. You will need to add an attribute to either the source or target type to make it work.\n"
+ rule.comment += "#Contraint rule: "
+
+ if av.type == audit2why.TERULE: + if av.type == audit2why.TERULE:
+ if "write" in av.perms: + if "write" in av.perms:
+ if "dir" in av.obj_class or "open" in av.perms: + if "dir" in av.obj_class or "open" in av.perms:
+ if not self.domains: + if not self.domains:
+ self.domains = seinfo(ATTRIBUTE, name="domain")[0]["types"] + self.domains = seinfo(ATTRIBUTE, name="domain")[0]["types"]
+ types=[] + types=[]
+ for i in map(lambda x: x[TCONTEXT], sesearch([ALLOW], {SCONTEXT: av.src_type, CLASS: av.obj_class, PERMS: av.perms})): +
+ if i not in self.domains: + try:
+ types.append(i) + for i in map(lambda x: x[TCONTEXT], sesearch([ALLOW], {SCONTEXT: av.src_type, CLASS: av.obj_class, PERMS: av.perms})):
+ if len(types) == 1: + if i not in self.domains:
+ rule.comment += "#!!!! The source type '%s' can write to a '%s' of the following type:\n# %s\n" % ( av.src_type, av.obj_class, ", ".join(types)) + types.append(i)
+ elif len(types) >= 1: + if len(types) == 1:
+ rule.comment += "#!!!! The source type '%s' can write to a '%s' of the following types:\n# %s\n" % ( av.src_type, av.obj_class, ", ".join(types)) + rule.comment += "#!!!! The source type '%s' can write to a '%s' of the following type:\n# %s\n" % ( av.src_type, av.obj_class, ", ".join(types))
+ + elif len(types) >= 1:
self.module.children.append(rule) + rule.comment += "#!!!! The source type '%s' can write to a '%s' of the following types:\n# %s\n" % ( av.src_type, av.obj_class, ", ".join(types))
+ except:
+ pass
+ self.module.children.append(rule)
- def add_access(self, av_set): def add_access(self, av_set):
+ def add_access(self, av_set, dontaudit=False): diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/refparser.py policycoreutils-2.0.82/sepolgen-1.0.23/src/sepolgen/refparser.py
"""Add the access from the access vector set to this --- nsasepolgen/src/sepolgen/refparser.py 2010-05-19 14:45:51.000000000 -0400
module. +++ policycoreutils-2.0.82/sepolgen-1.0.23/src/sepolgen/refparser.py 2010-05-21 10:26:43.000000000 -0400
""" @@ -1044,7 +1044,7 @@
@@ -165,7 +194,7 @@ # of misc_macros. We are just going to pretend that this is an interface
raw_allow = av_set # to make the expansion work correctly.
can_exec = refpolicy.Interface("can_exec")
- av = access.AccessVector(["$1","$2","file","execute_no_trans","read",
+ av = access.AccessVector(["$1","$2","file","execute_no_trans","open", "read",
"getattr","lock","execute","ioctl"])
# Generate the raw allow rules from the filtered list can_exec.children.append(refpolicy.AVRule(av))
- self.__add_allow_rules(raw_allow) diff --exclude-from=exclude -N -u -r nsasepolgen/src/share/perm_map policycoreutils-2.0.82/sepolgen-1.0.23/src/share/perm_map
+ self.__add_allow_rules(raw_allow, dontaudit) --- nsasepolgen/src/share/perm_map 2010-05-19 14:45:51.000000000 -0400
+++ policycoreutils-2.0.82/sepolgen-1.0.23/src/share/perm_map 2010-04-28 17:12:20.000000000 -0400
@@ -124,7 +124,7 @@
quotamod w 1
quotaget r 1
def add_role_types(self, role_type_set): -class file 20
for role_type in role_type_set: +class file 21
diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/refparser.py policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/refparser.py execute_no_trans r 1
--- nsasepolgen/src/sepolgen/refparser.py 2009-10-29 15:21:39.000000000 -0400 entrypoint r 1
+++ policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/refparser.py 2009-12-08 17:05:49.000000000 -0500 execmod n 1
@@ -973,7 +973,7 @@ @@ -141,48 +141,50 @@
def list_headers(root): unlink w 1
modules = [] link w 1
support_macros = None rename w 5
- blacklist = ["init.if", "inetd.if", "uml.if", "thunderbird.if"] - execute r 100
+ blacklist = ["uml.if", "thunderbird.if", "unconfined.if"] + execute r 10
swapon b 1
quotaon b 1
mounton b 1
+ open r 1
for dirpath, dirnames, filenames in os.walk(root): -class dir 22
for name in filenames: - add_name w 5
diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/refpolicy.py policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/refpolicy.py +class dir 23
--- nsasepolgen/src/sepolgen/refpolicy.py 2009-10-29 15:21:39.000000000 -0400 + add_name w 1
+++ policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/refpolicy.py 2010-01-08 09:33:37.000000000 -0500 remove_name w 1
@@ -398,6 +398,7 @@ reparent w 1
return "attribute %s;" % self.name search r 1
rmdir b 1
ioctl n 1
- read r 10
- write w 10
+ read r 1
+ write w 1
create w 1
- getattr r 7
- setattr w 7
+ getattr r 1
+ setattr w 1
lock n 1
- relabelfrom r 10
- relabelto w 10
+ relabelfrom r 1
+ relabelto w 1
append w 1
unlink w 1
link w 1
- rename w 5
+ rename w 1
execute r 1
swapon b 1
quotaon b 1
mounton b 1
+ open r 1
# Classes representing rules class fd 1
+import selinux.audit2why as audit2why use b 1
class AVRule(Leaf): -class lnk_file 17
"""SELinux access vector (AV) rule. +class lnk_file 18
@@ -420,21 +421,26 @@ ioctl n 1
AUDITALLOW = 2 - read r 10
NEVERALLOW = 3 - write w 10
+ read r 1
+ write w 1
create w 1
- getattr r 7
- setattr w 7
+ getattr r 1
+ setattr w 1
lock n 1
- relabelfrom r 10
- relabelto w 10
+ relabelfrom r 1
+ relabelto w 1
append w 1
unlink w 1
link w 1
@@ -191,8 +193,9 @@
swapon b 1
quotaon b 1
mounton b 1
+ open r 1
- def __init__(self, av=None, parent=None): -class chr_file 20
+ def __init__(self, av=None, parent=None, dontaudit=False): +class chr_file 21
Leaf.__init__(self, parent) execute_no_trans r 1
self.src_types = IdSet() entrypoint r 1
self.tgt_types = IdSet() execmod n 1
self.obj_classes = IdSet() @@ -213,8 +216,9 @@
self.perms = IdSet() swapon b 1
- self.rule_type = self.ALLOW quotaon b 1
+ if dontaudit: mounton b 1
+ self.rule_type = audit2why.DONTAUDIT + open r 1
+ else:
+ self.rule_type = audit2why.TERULE
if av:
self.from_av(av)
def __rule_type_str(self): -class blk_file 17
- if self.rule_type == self.ALLOW: +class blk_file 18
+ if self.rule_type == audit2why.TERULE: ioctl n 1
return "allow" read r 10
- elif self.rule_type == self.DONTAUDIT: write w 10
+ elif self.rule_type == audit2why.DONTAUDIT: @@ -232,8 +236,9 @@
return "dontaudit" swapon b 1
+ elif self.rule_type == audit2why.CONSTRAINT: quotaon b 1
+ return "#constraint allow" mounton b 1
else: + open r 1
return "auditallow"
-class sock_file 17
+class sock_file 18
ioctl n 1
read r 10
write w 10
@@ -251,8 +256,9 @@
swapon b 1
quotaon b 1
mounton b 1
+ open r 1
-class fifo_file 17
+class fifo_file 18
ioctl n 1
read r 10
write w 10
@@ -270,6 +276,7 @@
swapon b 1
quotaon b 1
mounton b 1
+ open r 1
class socket 22
ioctl n 1
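Review bot: The new-side `try:` that now wraps the sesearch() loop in __add_allow_rules (policygen.py hunk) ends in a bare `except:` / `pass`, which silently drops any failure of seinfo()/sesearch() — including KeyboardInterrupt and SystemExit — so the generated rule just loses its "can write to" warning comment with no indication that the policy query failed. Narrow it to `except Exception:` at minimum and record the failure instead of `pass`, e.g. `rule.comment += "#!!!! Could not query the policy for writable target types\n"`. __add_allow_rules begins in the previous hunk, outside this one. Separately, in the interfaces.py hunk `def __init__(self, interface=None, attributes={})` and the matching `from_interface`, `add` and `add_headers` signatures default `attributes` to a dict, yet from_interface dereferences `attributes.attributes` whenever the interface has typeattributes, so a caller relying on the default gets an AttributeError rather than the intended skip; the default should be `None`, which the existing `if attributes != None` guard (better `is not None`) already handles.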


@ -1,13 +1,13 @@
%define libauditver 1.4.2-1 %define libauditver 1.4.2-1
%define libsepolver 2.0.41-1 %define libsepolver 2.0.41-3
%define libsemanagever 2.0.43-3 %define libsemanagever 2.0.43-4
%define libselinuxver 2.0.90-1 %define libselinuxver 2.0.90-3
%define sepolgenver 1.0.19 %define sepolgenver 1.0.23
Summary: SELinux policy core utilities Summary: SELinux policy core utilities
Name: policycoreutils Name: policycoreutils
Version: 2.0.79 Version: 2.0.82
Release: 1%{?dist} Release: 24%{?dist}
License: GPLv2+ License: GPLv2+
Group: System Environment/Base Group: System Environment/Base
Source: http://www.nsa.gov/selinux/archives/policycoreutils-%{version}.tgz Source: http://www.nsa.gov/selinux/archives/policycoreutils-%{version}.tgz
@ -20,7 +20,6 @@ Source5: system-config-selinux.console
Source6: selinux-polgengui.desktop Source6: selinux-polgengui.desktop
Source7: selinux-polgengui.console Source7: selinux-polgengui.console
Source8: policycoreutils_man_ru2.tar.bz2 Source8: policycoreutils_man_ru2.tar.bz2
Source9: sandbox.init
Patch: policycoreutils-rhat.patch Patch: policycoreutils-rhat.patch
Patch1: policycoreutils-po.patch Patch1: policycoreutils-po.patch
Patch3: policycoreutils-gui.patch Patch3: policycoreutils-gui.patch
@ -80,12 +79,14 @@ mkdir -p %{buildroot}%{_mandir}/man8
mkdir -p %{buildroot}%{_sysconfdir}/pam.d mkdir -p %{buildroot}%{_sysconfdir}/pam.d
mkdir -p %{buildroot}%{_sysconfdir}/security/console.apps mkdir -p %{buildroot}%{_sysconfdir}/security/console.apps
%{__mkdir} -p %{buildroot}/%{_sysconfdir}/rc.d/init.d %{__mkdir} -p %{buildroot}/%{_sysconfdir}/rc.d/init.d
install -m0755 %{SOURCE9} %{buildroot}/%{_sysconfdir}/rc.d/init.d/sandbox %{__mkdir} -p %{buildroot}%{_datadir}/icons/hicolor/24x24/apps
%{__mkdir} -p %{buildroot}%{_datadir}/pixmaps
make LSPP_PRIV=y DESTDIR="%{buildroot}" LIBDIR="%{buildroot}%{_libdir}" install make LSPP_PRIV=y DESTDIR="%{buildroot}" LIBDIR="%{buildroot}%{_libdir}" install
make -C sepolgen-%{sepolgenver} DESTDIR="%{buildroot}" LIBDIR="%{buildroot}%{_libdir}" install make -C sepolgen-%{sepolgenver} DESTDIR="%{buildroot}" LIBDIR="%{buildroot}%{_libdir}" install
install -m 644 %{SOURCE2} %{buildroot}%{_datadir}/system-config-selinux/ install -m 644 %{SOURCE2} %{buildroot}%{_datadir}/pixmaps
install -m 644 %{SOURCE2} %{buildroot}%{_datadir}/icons/hicolor/24x24/apps
install -m 644 %{SOURCE4} %{buildroot}%{_sysconfdir}/pam.d/system-config-selinux install -m 644 %{SOURCE4} %{buildroot}%{_sysconfdir}/pam.d/system-config-selinux
install -m 644 %{SOURCE4} %{buildroot}%{_sysconfdir}/pam.d/selinux-polgengui install -m 644 %{SOURCE4} %{buildroot}%{_sysconfdir}/pam.d/selinux-polgengui
install -m 644 %{SOURCE5} %{buildroot}%{_sysconfdir}/security/console.apps/system-config-selinux install -m 644 %{SOURCE5} %{buildroot}%{_sysconfdir}/security/console.apps/system-config-selinux
@ -127,11 +128,11 @@ The policycoreutils-python package contains the management tools use to manage a
%{_bindir}/chcat %{_bindir}/chcat
%{_bindir}/sandbox %{_bindir}/sandbox
%{_bindir}/sepolgen-ifgen %{_bindir}/sepolgen-ifgen
%{_bindir}/sepolgen-ifgen-attr-helper
%{python_sitelib}/seobject.py* %{python_sitelib}/seobject.py*
%{python_sitelib}/sepolgen %{python_sitelib}/sepolgen
%{python_sitelib}/%{name}
%{python_sitelib}/%{name}*.egg-info %{python_sitelib}/%{name}*.egg-info
%{pkgpythondir}/default_encoding_utf8.so %{pkgpythondir}
%dir /var/lib/sepolgen %dir /var/lib/sepolgen
%dir /var/lib/selinux %dir /var/lib/selinux
/var/lib/sepolgen/perm_map /var/lib/sepolgen/perm_map
@ -140,12 +141,13 @@ The policycoreutils-python package contains the management tools use to manage a
%{_mandir}/man1/audit2why.1* %{_mandir}/man1/audit2why.1*
%{_mandir}/man8/chcat.8* %{_mandir}/man8/chcat.8*
%{_mandir}/ru/man8/chcat.8* %{_mandir}/ru/man8/chcat.8*
%{_mandir}/man8/genhomedircon.8*
%{_mandir}/man8/sandbox.8* %{_mandir}/man8/sandbox.8*
%{_mandir}/man8/semanage.8* %{_mandir}/man8/semanage.8*
%{_mandir}/ru/man8/semanage.8* %{_mandir}/ru/man8/semanage.8*
%post python %post python
[ -f /usr/share/selinux/devel/include/build.conf ] && /usr/bin/sepolgen-ifgen selinuxenabled && [ -f /usr/share/selinux/devel/include/build.conf ] && /usr/bin/sepolgen-ifgen 2>/dev/null
exit 0 exit 0
%package sandbox %package sandbox
@ -162,12 +164,10 @@ The policycoreutils-python package contains the scripts to create graphical sand
%files sandbox %files sandbox
%defattr(-,root,root,-) %defattr(-,root,root,-)
%{_sysconfdir}/rc.d/init.d/sandbox
%{_sbindir}/seunshare
%{_datadir}/sandbox/sandboxX.sh %{_datadir}/sandbox/sandboxX.sh
%triggerin python -- selinux-policy %triggerin python -- selinux-policy
[ -f /usr/share/selinux/devel/include/build.conf ] && /usr/bin/sepolgen-ifgen selinuxenabled && [ -f /usr/share/selinux/devel/include/build.conf ] && /usr/bin/sepolgen-ifgen 2>/dev/null
exit 0 exit 0
%post sandbox %post sandbox
@ -214,11 +214,12 @@ system-config-selinux is a utility for managing the SELinux environment
%{_bindir}/sepolgen %{_bindir}/sepolgen
%{_datadir}/applications/fedora-system-config-selinux.desktop %{_datadir}/applications/fedora-system-config-selinux.desktop
%{_datadir}/applications/fedora-selinux-polgengui.desktop %{_datadir}/applications/fedora-selinux-polgengui.desktop
%{_datadir}/icons/hicolor/24x24/apps/system-config-selinux.png
%{_datadir}/pixmaps/system-config-selinux.png
%dir %{_datadir}/system-config-selinux %dir %{_datadir}/system-config-selinux
%dir %{_datadir}/system-config-selinux/templates %dir %{_datadir}/system-config-selinux/templates
%{_datadir}/system-config-selinux/*.py* %{_datadir}/system-config-selinux/*.py*
%{_datadir}/system-config-selinux/selinux.tbl %{_datadir}/system-config-selinux/selinux.tbl
%{_datadir}/system-config-selinux/*png
%{_datadir}/system-config-selinux/*.glade %{_datadir}/system-config-selinux/*.glade
%{_datadir}/system-config-selinux/templates/*.py* %{_datadir}/system-config-selinux/templates/*.py*
%config(noreplace) %{_sysconfdir}/pam.d/system-config-selinux %config(noreplace) %{_sysconfdir}/pam.d/system-config-selinux
@ -235,6 +236,7 @@ rm -rf %{buildroot}
/sbin/fixfiles /sbin/fixfiles
/sbin/setfiles /sbin/setfiles
/sbin/load_policy /sbin/load_policy
%{_sbindir}/seunshare
%{_sbindir}/genhomedircon %{_sbindir}/genhomedircon
%{_sbindir}/load_policy %{_sbindir}/load_policy
%{_sbindir}/restorecond %{_sbindir}/restorecond
@ -248,6 +250,8 @@ rm -rf %{buildroot}
%{_bindir}/semodule_expand %{_bindir}/semodule_expand
%{_bindir}/semodule_link %{_bindir}/semodule_link
%{_bindir}/semodule_package %{_bindir}/semodule_package
%{_sysconfdir}/rc.d/init.d/sandbox
%config(noreplace) %{_sysconfdir}/sysconfig/sandbox
%config(noreplace) %{_sysconfdir}/pam.d/newrole %config(noreplace) %{_sysconfdir}/pam.d/newrole
%config(noreplace) %{_sysconfdir}/pam.d/run_init %config(noreplace) %{_sysconfdir}/pam.d/run_init
%config(noreplace) %{_sysconfdir}/sestatus.conf %config(noreplace) %{_sysconfdir}/sestatus.conf
@ -287,6 +291,7 @@ rm -rf %{buildroot}
%{_mandir}/ru/man8/setsebool.8* %{_mandir}/ru/man8/setsebool.8*
%{_mandir}/man1/secon.1* %{_mandir}/man1/secon.1*
%{_mandir}/ru/man1/secon.1* %{_mandir}/ru/man1/secon.1*
%{_mandir}/man8/seunshare.8*
%preun %preun
if [ $1 -eq 0 ]; then if [ $1 -eq 0 ]; then
@ -306,7 +311,132 @@ fi
exit 0 exit 0
%changelog %changelog
* Thu Feb 16 2010 Dan Walsh <dwalsh@redhat.com> 2.0.79-1 * Thu May 27 2010 Dan Walsh <dwalsh@redhat.com> 2.0.82-24
- Man page fixes
- sandbox fixes
Resolves: #595796
- Move seunshare to base package
* Fri May 21 2010 Dan Walsh <dwalsh@redhat.com> 2.0.82-23
- Fix seunshare translations
- Fix seunshare to work on all arches
- Fix icon for system-config-selinux
Resolves: #595276
* Fri May 21 2010 Dan Walsh <dwalsh@redhat.com> 2.0.82-22
- Fix can_exec definition in sepolgen
* Fri May 21 2010 Dan Walsh <dwalsh@redhat.com> 2.0.82-21
- Add man page for seunshare and genhomedircon
Resolves: #594303
- Fix node management via semanage
Resolves: #591135
* Wed May 19 2010 Dan Walsh <dwalsh@redhat.com> 2.0.82-20
- Fixes from upstream for sandbox command
Resolves: #580938
* Thu May 13 2010 Dan Walsh <dwalsh@redhat.com> 2.0.82-18
- Fix sandbox error handling on copyfile
- Fix desktop files
* Tue May 11 2010 Dan Walsh <dwalsh@redhat.com> 2.0.82-17
- Fix policy tool to have correct name in menus
- Fix seunshare to handle /tmp being in ~/home
- Fix saving of altered files
- Update translations
* Tue May 4 2010 Dan Walsh <dwalsh@redhat.com> 2.0.82-15
- Allow audit2allow to specify alternative policy file for analysis
* Mon May 3 2010 Dan Walsh <dwalsh@redhat.com> 2.0.82-14
- Update po
- Fix sepolgen --no_attrs
Resolves: #588280
* Thu Apr 29 2010 Dan Walsh <dwalsh@redhat.com> 2.0.82-13
- Make semanage boolean work on disabled machines and during livecd xguest
- Fix homedir and tmpdir handling in sandbox
Resolves: #587263
* Wed Apr 28 2010 Dan Walsh <dwalsh@redhat.com> 2.0.82-11
- Make semanage boolean work on disabled machines
* Tue Apr 27 2010 Dan Walsh <dwalsh@redhat.com> 2.0.82-10
- Make sepolgen-ifgen be quiet
* Wed Apr 21 2010 Dan Walsh <dwalsh@redhat.com> 2.0.82-8
- Make sepolgen report on more interfaces
- Fix system-config-selinux display of modules
* Thu Apr 15 2010 Dan Walsh <dwalsh@redhat.com> 2.0.82-7
- Fix crash when args are empty
Resolves: #582542
- Fix semange to exit on bad options
- Fix semanage dontaudit man page section
Resolves: #582533
* Wed Apr 14 2010 Dan Walsh <dwalsh@redhat.com> 2.0.82-6
- Remove debug line from semanage
- Update po
* Tue Apr 13 2010 Dan Walsh <dwalsh@redhat.com> 2.0.82-5
- Fix sandbox comment on HOMEDIRS
- Fix sandbox to throw error on bad executable
* Tue Apr 6 2010 Dan Walsh <dwalsh@redhat.com> 2.0.82-4
- Fix spacing in templates
* Wed Mar 31 2010 Dan Walsh <dwalsh@redhat.com> 2.0.82-3
- Fix semanage return codes
* Tue Mar 30 2010 Dan Walsh <dwalsh@redhat.com> 2.0.82-2
- Fix sepolgen to confirm to the "Reference Policy Style Guide"
* Tue Mar 23 2010 Dan Walsh <dwalsh@redhat.com> 2.0.82-1
- Update to upstream
* Add avc's since boot from Dan Walsh.
* Fix unit tests from Dan Walsh.
* Tue Mar 23 2010 Dan Walsh <dwalsh@redhat.com> 2.0.81-4
- Update to upstream - sepolgen
* Add since-last-boot option to audit2allow from Dan Walsh.
* Fix sepolgen output to match what Chris expects for upstream
refpolicy from Dan Walsh.
* Mon Mar 22 2010 Dan Walsh <dwalsh@redhat.com> 2.0.81-3
- Allow restorecon on > 2 Gig files
* Tue Mar 16 2010 Dan Walsh <dwalsh@redhat.com> 2.0.81-2
- Fix semanage handling of boolean options
- Update translations
* Fri Mar 12 2010 Dan Walsh <dwalsh@redhat.com> 2.0.81-1
- Update to upstream
* Add dontaudit flag to audit2allow from Dan Walsh.
* Thu Mar 11 2010 Dan Walsh <dwalsh@redhat.com> 2.0.80-2
- Use --rbind in sandbox init scripts
* Mon Mar 8 2010 Dan Walsh <dwalsh@redhat.com> 2.0.80-1
- Update to upstream
* Module enable/disable support from Dan Walsh.
* Mon Mar 1 2010 Dan Walsh <dwalsh@redhat.com> 2.0.79-5
- Rewrite of sandbox script, add unit test for sandbox
- Update translations
* Mon Mar 1 2010 Dan Walsh <dwalsh@redhat.com> 2.0.79-4
- Fix patch for dontaudit rules from audit2allow for upstream acceptance
* Fri Feb 26 2010 Dan Walsh <dwalsh@redhat.com> 2.0.79-3
- Fixes for fixfiles
* Wed Feb 17 2010 Dan Walsh <dwalsh@redhat.com> 2.0.79-2
- Fix sandbox to complain if mount-shared has not been run
- Fix to use /etc/sysconfig/sandbox
* Tue Feb 16 2010 Dan Walsh <dwalsh@redhat.com> 2.0.79-1
- Update to upstream - Update to upstream
* Fix double-free in newrole * Fix double-free in newrole
- Fix python language handling - Fix python language handling
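Review bot: The new changelog entry (2.0.82-24) records only "Move seunshare to base package", but the %files changes also move the sandbox init script and `%config(noreplace) %{_sysconfdir}/sysconfig/sandbox` out of the sandbox subpackage into the base package, and drop the Source9 sandbox.init source together with its install step, so the packaged init script presumably now comes from the tarball. None of that is visible to a packager reading the changelog; add a line such as `- Move sandbox init script and /etc/sysconfig/sandbox to base package, drop bundled sandbox.init` to the entry. The side assignment of these single-column lines is inferred from the hunk counts, so please confirm against the spec.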


@ -1,60 +0,0 @@
#!/bin/bash
## BEGIN INIT INFO
# Provides: sandbox
# Default-Start: 5
# Default-Stop: 0 1 2 3 4 6
# Required-Start:
#
## END INIT INFO
# sandbox: Set up / mountpoint to be shared, /var/tmp, /tmp, /home/sandbox unshared
#
# chkconfig: 5 1 99
#
# Description: sandbox is using pam_namespace to share the /var/tmp, /tmp and
# /home/sandbox accounts. This script will setup the / mount
# point as shared and all of the subdirectories just these
# directories as unshared.
#
# Source function library.
. /etc/init.d/functions
LOCKFILE=/var/lock/subsys/sandbox
base=${0##*/}
case "$1" in
start)
[ -f "$LOCKFILE" ] && exit 0
touch $LOCKFILE
mount --make-rshared /
mount --bind /tmp /tmp
mount --bind /var/tmp /var/tmp
mount --bind /home /home
mount --make-private /home
mount --make-private /tmp
mount --make-private /var/tmp
RETVAL=$?
exit $RETVAL
;;
status)
if [ -f "$LOCKFILE" ]; then
echo "$base is running"
else
echo "$base is stopped"
fi
exit 0
;;
stop)
rm -f $LOCKFILE
exit 0
;;
*)
echo $"Usage: $0 {start|stop}"
exit 3
;;
esac


@ -1,9 +1,8 @@
[Desktop Entry] [Desktop Entry]
Name=SELinux Policy Generation Tool Name=SELinux Policy Generation Tool
GenericName=SELinux
Comment=Generate SELinux policy modules Comment=Generate SELinux policy modules
StartupNotify=true StartupNotify=true
Icon=/usr/share/system-config-selinux/system-config-selinux.png Icon=system-config-selinux
Exec=/usr/bin/selinux-polgengui Exec=/usr/bin/selinux-polgengui
Type=Application Type=Application
Terminal=false Terminal=false


@ -1,3 +1,3 @@
2ae1a9f7242e33413aae036d2edeb1d8 sepolgen-1.0.19.tgz e4deacb4df1e2ec081a91fd59da1dcc5 policycoreutils-2.0.82.tgz
e09466b2b02ca5672ce3b43e02c5498f policycoreutils-2.0.79.tgz 49faa2e5f343317bcfcf34d7286f6037 sepolgen-1.0.23.tgz
59d33101d57378ce69889cc078addf90 policycoreutils_man_ru2.tar.bz2 59d33101d57378ce69889cc078addf90 policycoreutils_man_ru2.tar.bz2


@ -1,9 +1,8 @@
[Desktop Entry] [Desktop Entry]
Name=SELinux Management Name=SELinux Management
GenericName=SELinux
Comment=Configure SELinux in a graphical setting Comment=Configure SELinux in a graphical setting
StartupNotify=true StartupNotify=true
Icon=/usr/share/system-config-selinux/system-config-selinux.png Icon=system-config-selinux
Exec=/usr/bin/system-config-selinux Exec=/usr/bin/system-config-selinux
Type=Application Type=Application
Terminal=false Terminal=false