- Remove setuid flag and replace with file capabilities

- Fix sandbox handling of files with spaces in them

policycoreutils.spec

@@ -7,11 +7,11 @@
 Summary: SELinux policy core utilities
 Name:	 policycoreutils
 Version: 2.0.83
-Release: 31%{?dist}
+Release: 32%{?dist}
 License: GPLv2
 Group:	 System Environment/Base
 Source:  http://www.nsa.gov/selinux/archives/policycoreutils-%{version}.tgz
-Source1: http://www.nsa.gov/selinux/archives/sepolgen-%{sepolgenver}.tgz
+Source1: git://oss.tresys.com/git/selinux/sepolgen-%{sepolgenver}.tgz
 URL:	 http://www.selinuxproject.org
 Source2: system-config-selinux.png
 Source3: system-config-selinux.desktop
@@ -64,7 +64,7 @@ context.
 %patch4 -p1 -b .sepolgen
 
 %build
-make LSPP_PRIV=y LIBDIR="%{_libdir}" CFLAGS="%{optflags} -fPIE" LDFLAGS="-pie -Wl,-z,relro" all 
+make LSPP_PRIV=y LIBDIR="%{_libdir}" CFLAGS="%{optflags} -fPIE -DUSE_FILECAP" LDFLAGS="-pie -Wl,-z,relro" all 
 make -C sepolgen-%{sepolgenver} LSPP_PRIV=y LIBDIR="%{_libdir}" CFLAGS="%{optflags} -fPIE" LDFLAGS="-pie -Wl,-z,relro" all 
 
 %install
@@ -192,7 +192,7 @@ or level of a logged in user.
 
 %files newrole
 %defattr(-,root,root)
-%attr(4755,root,root) %{_bindir}/newrole
+%attr(0755,root,root) %caps(cap_audit_write=pe) %{_bindir}/newrole
 %{_mandir}/man1/newrole.1.gz
 
 %package gui
@@ -238,7 +238,7 @@ rm -rf %{buildroot}
 /sbin/fixfiles
 /sbin/setfiles
 /sbin/load_policy
-%{_sbindir}/seunshare
+%attr(0755,root,root) %caps(cap_setpcap,cap_fowner,cap_setuid,cap_dac_override,cap_sys_admin,cap_sys_nice=pe) %{_sbindir}/seunshare
 %{_sbindir}/genhomedircon
 %{_sbindir}/load_policy
 %{_sbindir}/setsebool
@@ -326,6 +326,10 @@ fi
 exit 0
 
 %changelog
+* Mon Oct 25 2010 Dan Walsh <dwalsh@redhat.com> 2.0.83-32
+- Remove setuid flag and replace with file capabilities
+- Fix sandbox handling of files with spaces in them
+
 * Wed Sep 29 2010 jkeating - 2.0.83-31
 - Rebuilt for gcc bug 634757