From 986bf96d77a6d822d7035f37bc084acf5f727081 Mon Sep 17 00:00:00 2001
From: CentOS Sources <bugs@centos.org>
Date: Tue, 18 May 2021 02:53:40 -0400
Subject: [PATCH] import policycoreutils-2.9-14.el8

---
 .policycoreutils.metadata                     |   8 +-
 ...empty-stdout-before-exiting-on-Broke.patch |  55 +++++++++
 ...e-Sort-imports-in-alphabetical-order.patch |  41 +++++++
 ...allow-any-policy-statement-in-if-n-d.patch |  49 ++++++++
 ...files-Do-not-abort-on-labeling-error.patch |  68 +++++++++++
 ...rop-ABORT_ON_ERRORS-and-related-code.patch | 110 ++++++++++++++++++
 ...s-setfiles-Drop-unused-nerr-variable.patch |  44 +++++++
 ...escribe-fcontext-regular-expressions.patch |  62 ++++++++++
 SPECS/policycoreutils.spec                    |  27 ++++-
 9 files changed, 459 insertions(+), 5 deletions(-)
 create mode 100644 SOURCES/0033-python-semanage-empty-stdout-before-exiting-on-Broke.patch
 create mode 100644 SOURCES/0034-python-semanage-Sort-imports-in-alphabetical-order.patch
 create mode 100644 SOURCES/0035-python-sepolgen-allow-any-policy-statement-in-if-n-d.patch
 create mode 100644 SOURCES/0036-setfiles-Do-not-abort-on-labeling-error.patch
 create mode 100644 SOURCES/0037-setfiles-drop-ABORT_ON_ERRORS-and-related-code.patch
 create mode 100644 SOURCES/0038-policycoreutils-setfiles-Drop-unused-nerr-variable.patch
 create mode 100644 SOURCES/0039-selinux-8-5-Describe-fcontext-regular-expressions.patch

diff --git a/.policycoreutils.metadata b/.policycoreutils.metadata
index 9830082..5ef1737 100644
--- a/.policycoreutils.metadata
+++ b/.policycoreutils.metadata
@@ -1,9 +1,9 @@
-2acf5c696e1e60cf405b0cadcc090b79269f8812 SOURCES/gui-po.tgz
+3b2b219d260791ac448dff7c2e169cb493c78cb0 SOURCES/gui-po.tgz
 6e64d9a38fb516738023eb429eef29af5383f443 SOURCES/policycoreutils-2.9.tar.gz
-af5375db35a33f9daf4b06e61566c92d0d4f6792 SOURCES/policycoreutils-po.tgz
-aac18d02363be7c03fad4ed35f5367f9ca0e397f SOURCES/python-po.tgz
+d609be1fbc8824f4b4643c5f51ac250ad1a13e33 SOURCES/policycoreutils-po.tgz
+e9509bc5c150069a1045c97b2293c4a8d3a65022 SOURCES/python-po.tgz
 0a34ef54394972870203832c8ce52d4405bd5330 SOURCES/restorecond-2.9.tar.gz
-76d7357f34e062dce330d2a97031b1b64dea775f SOURCES/sandbox-po.tgz
+2dfbf280ec17c1755b93426678dc885a0cf8909b SOURCES/sandbox-po.tgz
 8645509cdfc433278c2e4d29ee8f511625c7edcc SOURCES/selinux-dbus-2.9.tar.gz
 5c155ae47692389d9fabaa154195e7f978f2a3f0 SOURCES/selinux-gui-2.9.tar.gz
 660e1ab824ef80f7a69f0b70f61e231957fd398e SOURCES/selinux-python-2.9.tar.gz
diff --git a/SOURCES/0033-python-semanage-empty-stdout-before-exiting-on-Broke.patch b/SOURCES/0033-python-semanage-empty-stdout-before-exiting-on-Broke.patch
new file mode 100644
index 0000000..56a271b
--- /dev/null
+++ b/SOURCES/0033-python-semanage-empty-stdout-before-exiting-on-Broke.patch
@@ -0,0 +1,55 @@
+From 0bed778c53a4f93b1b092b3db33e8c36aabfa39d Mon Sep 17 00:00:00 2001
+From: Vit Mojzis <vmojzis@redhat.com>
+Date: Tue, 5 Jan 2021 17:00:21 +0100
+Subject: [PATCH] python/semanage: empty stdout before exiting on
+ BrokenPipeError
+
+Empty stdout buffer before exiting when BrokenPipeError is
+encountered. Otherwise python will flush the bufer during exit, which
+may trigger the exception again.
+https://docs.python.org/3/library/signal.html#note-on-sigpipe
+
+Fixes:
+   #semanage fcontext -l | egrep -q -e '^/home'
+   BrokenPipeError: [Errno 32] Broken pipe
+   Exception ignored in: <_io.TextIOWrapper name='<stdout>' mode='w' encoding='UTF-8'>
+   BrokenPipeError: [Errno 32] Broken pipe
+
+Note that the error above only appears occasionally (usually only the
+first line is printed).
+
+Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
+Acked-by: Nicolas Iooss <nicolas.iooss@m4x.org>
+---
+ python/semanage/semanage | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/python/semanage/semanage b/python/semanage/semanage
+index b2bd9df9..1abe3536 100644
+--- a/python/semanage/semanage
++++ b/python/semanage/semanage
+@@ -26,6 +26,7 @@
+ import traceback
+ import argparse
+ import sys
++import os
+ PROGNAME = "selinux-python"
+ try:
+     import gettext
+@@ -953,6 +954,13 @@ def do_parser():
+         args = commandParser.parse_args(make_args(sys.argv))
+         args.func(args)
+         sys.exit(0)
++    except BrokenPipeError as e:
++        sys.stderr.write("%s: %s\n" % (e.__class__.__name__, str(e)))
++        # Python flushes standard streams on exit; redirect remaining output
++        # to devnull to avoid another BrokenPipeError at shutdown
++        devnull = os.open(os.devnull, os.O_WRONLY)
++        os.dup2(devnull, sys.stdout.fileno())
++        sys.exit(1)
+     except IOError as e:
+         sys.stderr.write("%s: %s\n" % (e.__class__.__name__, str(e)))
+         sys.exit(1)
+-- 
+2.29.2
+
diff --git a/SOURCES/0034-python-semanage-Sort-imports-in-alphabetical-order.patch b/SOURCES/0034-python-semanage-Sort-imports-in-alphabetical-order.patch
new file mode 100644
index 0000000..8c1bab7
--- /dev/null
+++ b/SOURCES/0034-python-semanage-Sort-imports-in-alphabetical-order.patch
@@ -0,0 +1,41 @@
+From 4b0e627d42f9a8e09dcd064a6ae897f4c2e9cf6c Mon Sep 17 00:00:00 2001
+From: Vit Mojzis <vmojzis@redhat.com>
+Date: Wed, 6 Jan 2021 10:00:07 +0100
+Subject: [PATCH] python/semanage: Sort imports in alphabetical order
+
+Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
+---
+ python/semanage/semanage | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/python/semanage/semanage b/python/semanage/semanage
+index 1abe3536..781e8645 100644
+--- a/python/semanage/semanage
++++ b/python/semanage/semanage
+@@ -23,10 +23,12 @@
+ #
+ #
+ 
+-import traceback
+ import argparse
+-import sys
+ import os
++import re
++import sys
++import traceback
++
+ PROGNAME = "selinux-python"
+ try:
+     import gettext
+@@ -786,8 +788,6 @@ def setupExportParser(subparsers):
+     exportParser.add_argument('-f', '--output_file', dest='output_file', action=SetExportFile, help=_('Output file'))
+     exportParser.set_defaults(func=handleExport)
+ 
+-import re
+-
+ 
+ def mkargv(line):
+     dquote = "\""
+-- 
+2.29.2
+
diff --git a/SOURCES/0035-python-sepolgen-allow-any-policy-statement-in-if-n-d.patch b/SOURCES/0035-python-sepolgen-allow-any-policy-statement-in-if-n-d.patch
new file mode 100644
index 0000000..4ad47e4
--- /dev/null
+++ b/SOURCES/0035-python-sepolgen-allow-any-policy-statement-in-if-n-d.patch
@@ -0,0 +1,49 @@
+From e0a1cdb6181bcf3a23fe63b8e67fd5020e81d05e Mon Sep 17 00:00:00 2001
+From: Vit Mojzis <vmojzis@redhat.com>
+Date: Fri, 22 Jan 2021 16:25:52 +0100
+Subject: [PATCH] python/sepolgen: allow any policy statement in if(n)def
+
+"ifdef/ifndef" statements can be used to conditionally define
+an interface, but this syntax is not recognised by sepolgen-ifgen.
+Fix sepolgen-ifgen to allow any policy statement inside an
+"ifdef/ifndef" statement.
+
+Fixes:
+        $ cat <<EOF > i.if
+ifndef(`apache_manage_pid_files',`
+        interface(`apache_manage_pid_files',`
+                manage_files_pattern($1, httpd_var_run_t, httpd_var_run_t)
+        ')
+')
+
+        #sepolgen-ifgen --interface=i.if
+        i.if: Syntax error on line 2 interface [type=INTERFACE]
+        i.if: Syntax error on line 4 ' [type=SQUOTE]
+
+Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
+[OM: s/fidef/ifdef/]
+Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
+---
+ python/sepolgen/src/sepolgen/refparser.py | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/python/sepolgen/src/sepolgen/refparser.py b/python/sepolgen/src/sepolgen/refparser.py
+index f506dc3a..5d77e2a3 100644
+--- a/python/sepolgen/src/sepolgen/refparser.py
++++ b/python/sepolgen/src/sepolgen/refparser.py
+@@ -431,9 +431,9 @@ def p_ifelse(p):
+ 
+ 
+ def p_ifdef(p):
+-    '''ifdef : IFDEF OPAREN TICK IDENTIFIER SQUOTE COMMA TICK interface_stmts SQUOTE CPAREN optional_semi
+-             | IFNDEF OPAREN TICK IDENTIFIER SQUOTE COMMA TICK interface_stmts SQUOTE CPAREN optional_semi
+-             | IFDEF OPAREN TICK IDENTIFIER SQUOTE COMMA TICK interface_stmts SQUOTE COMMA TICK interface_stmts SQUOTE CPAREN optional_semi
++    '''ifdef : IFDEF OPAREN TICK IDENTIFIER SQUOTE COMMA TICK statements SQUOTE CPAREN optional_semi
++             | IFNDEF OPAREN TICK IDENTIFIER SQUOTE COMMA TICK statements SQUOTE CPAREN optional_semi
++             | IFDEF OPAREN TICK IDENTIFIER SQUOTE COMMA TICK statements SQUOTE COMMA TICK statements SQUOTE CPAREN optional_semi
+     '''
+     x = refpolicy.IfDef(p[4])
+     if p[1] == 'ifdef':
+-- 
+2.29.2
+
diff --git a/SOURCES/0036-setfiles-Do-not-abort-on-labeling-error.patch b/SOURCES/0036-setfiles-Do-not-abort-on-labeling-error.patch
new file mode 100644
index 0000000..aab207b
--- /dev/null
+++ b/SOURCES/0036-setfiles-Do-not-abort-on-labeling-error.patch
@@ -0,0 +1,68 @@
+From 53ccdd55adfbec60fb4277286f2ad94660838504 Mon Sep 17 00:00:00 2001
+From: Petr Lautrbach <plautrba@redhat.com>
+Date: Wed, 13 Jan 2021 22:09:47 +0100
+Subject: [PATCH] setfiles: Do not abort on labeling error
+
+Commit 602347c7422e ("policycoreutils: setfiles - Modify to use
+selinux_restorecon") changed behavior of setfiles. Original
+implementation skipped files which it couldn't set context to while the
+new implementation aborts on them. setfiles should abort only if it
+can't validate a context from spec_file.
+
+Reproducer:
+
+    # mkdir -p r/1 r/2 r/3
+    # touch r/1/1 r/2/1
+    # chattr +i r/2/1
+    # touch r/3/1
+    # setfiles -r r -v /etc/selinux/targeted/contexts/files/file_contexts r
+    Relabeled r from unconfined_u:object_r:mnt_t:s0 to unconfined_u:object_r:root_t:s0
+    Relabeled r/2 from unconfined_u:object_r:mnt_t:s0 to unconfined_u:object_r:default_t:s0
+    setfiles: Could not set context for r/2/1:  Operation not permitted
+
+r/3 and r/1 are not relabeled.
+
+Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
+---
+ policycoreutils/setfiles/setfiles.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/policycoreutils/setfiles/setfiles.c b/policycoreutils/setfiles/setfiles.c
+index bc83c27b4c06..68eab45aa2b4 100644
+--- a/policycoreutils/setfiles/setfiles.c
++++ b/policycoreutils/setfiles/setfiles.c
+@@ -182,6 +182,7 @@ int main(int argc, char **argv)
+ 	policyfile = NULL;
+ 	nerr = 0;
+ 
++	r_opts.abort_on_error = 0;
+ 	r_opts.progname = strdup(argv[0]);
+ 	if (!r_opts.progname) {
+ 		fprintf(stderr, "%s:  Out of memory!\n", argv[0]);
+@@ -194,7 +195,6 @@ int main(int argc, char **argv)
+ 		 * setfiles:
+ 		 * Recursive descent,
+ 		 * Does not expand paths via realpath,
+-		 * Aborts on errors during the file tree walk,
+ 		 * Try to track inode associations for conflict detection,
+ 		 * Does not follow mounts (sets SELINUX_RESTORECON_XDEV),
+ 		 * Validates all file contexts at init time.
+@@ -202,7 +202,6 @@ int main(int argc, char **argv)
+ 		iamrestorecon = 0;
+ 		r_opts.recurse = SELINUX_RESTORECON_RECURSE;
+ 		r_opts.userealpath = 0; /* SELINUX_RESTORECON_REALPATH */
+-		r_opts.abort_on_error = SELINUX_RESTORECON_ABORT_ON_ERROR;
+ 		r_opts.add_assoc = SELINUX_RESTORECON_ADD_ASSOC;
+ 		/* FTS_PHYSICAL and FTS_NOCHDIR are always set by selinux_restorecon(3) */
+ 		r_opts.xdev = SELINUX_RESTORECON_XDEV;
+@@ -226,7 +225,6 @@ int main(int argc, char **argv)
+ 		iamrestorecon = 1;
+ 		r_opts.recurse = 0;
+ 		r_opts.userealpath = SELINUX_RESTORECON_REALPATH;
+-		r_opts.abort_on_error = 0;
+ 		r_opts.add_assoc = 0;
+ 		r_opts.xdev = 0;
+ 		r_opts.ignore_mounts = 0;
+-- 
+2.30.0
+
diff --git a/SOURCES/0037-setfiles-drop-ABORT_ON_ERRORS-and-related-code.patch b/SOURCES/0037-setfiles-drop-ABORT_ON_ERRORS-and-related-code.patch
new file mode 100644
index 0000000..349c675
--- /dev/null
+++ b/SOURCES/0037-setfiles-drop-ABORT_ON_ERRORS-and-related-code.patch
@@ -0,0 +1,110 @@
+From 2f135022f4372dc34198c48cfd67b91044e6dfd7 Mon Sep 17 00:00:00 2001
+From: Petr Lautrbach <plautrba@redhat.com>
+Date: Wed, 13 Jan 2021 22:09:48 +0100
+Subject: [PATCH] setfiles: drop ABORT_ON_ERRORS and related code
+
+`setfiles -d` doesn't have any impact on number of errors before it
+aborts. It always aborts on first invalid context in spec file.
+
+Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
+---
+ policycoreutils/setfiles/Makefile      |  3 ---
+ policycoreutils/setfiles/ru/setfiles.8 |  2 +-
+ policycoreutils/setfiles/setfiles.8    |  3 +--
+ policycoreutils/setfiles/setfiles.c    | 18 ------------------
+ 4 files changed, 2 insertions(+), 24 deletions(-)
+
+diff --git a/policycoreutils/setfiles/Makefile b/policycoreutils/setfiles/Makefile
+index bc5a8db789a5..a3bbbe116b7f 100644
+--- a/policycoreutils/setfiles/Makefile
++++ b/policycoreutils/setfiles/Makefile
+@@ -5,8 +5,6 @@ SBINDIR ?= /sbin
+ MANDIR = $(PREFIX)/share/man
+ AUDITH ?= $(shell test -f /usr/include/libaudit.h && echo y)
+ 
+-ABORT_ON_ERRORS=$(shell grep "^\#define ABORT_ON_ERRORS" setfiles.c | awk -S '{ print $$3 }')
+-
+ CFLAGS ?= -g -Werror -Wall -W
+ override LDLIBS += -lselinux -lsepol
+ 
+@@ -26,7 +24,6 @@ restorecon_xattr: restorecon_xattr.o restore.o
+ 
+ man:
+ 	@cp -af setfiles.8 setfiles.8.man
+-	@sed -i "s/ABORT_ON_ERRORS/$(ABORT_ON_ERRORS)/g" setfiles.8.man
+ 
+ install: all
+ 	[ -d $(DESTDIR)$(MANDIR)/man8 ] || mkdir -p $(DESTDIR)$(MANDIR)/man8
+diff --git a/policycoreutils/setfiles/ru/setfiles.8 b/policycoreutils/setfiles/ru/setfiles.8
+index 27815a3f1eee..910101452625 100644
+--- a/policycoreutils/setfiles/ru/setfiles.8
++++ b/policycoreutils/setfiles/ru/setfiles.8
+@@ -47,7 +47,7 @@ setfiles \- установить SELinux-контексты безопаснос
+ проверить действительность контекстов относительно указанной двоичной политики.
+ .TP
+ .B \-d
+-показать, какая спецификация соответствует каждому из файлов (не прекращать проверку после получения ошибок ABORT_ON_ERRORS).
++показать, какая спецификация соответствует каждому из файлов.
+ .TP
+ .BI \-e \ directory
+ исключить каталог (чтобы исключить более одного каталога, этот параметр необходимо использовать соответствующее количество раз).
+diff --git a/policycoreutils/setfiles/setfiles.8 b/policycoreutils/setfiles/setfiles.8
+index a8a76c860dac..b7d3cefb96ff 100644
+--- a/policycoreutils/setfiles/setfiles.8
++++ b/policycoreutils/setfiles/setfiles.8
+@@ -56,8 +56,7 @@ option will force a replacement of the entire context.
+ check the validity of the contexts against the specified binary policy.
+ .TP
+ .B \-d
+-show what specification matched each file (do not abort validation
+-after ABORT_ON_ERRORS errors). Not affected by "\-q"
++show what specification matched each file. Not affected by "\-q"
+ .TP
+ .BI \-e \ directory
+ directory to exclude (repeat option for more than one directory).
+diff --git a/policycoreutils/setfiles/setfiles.c b/policycoreutils/setfiles/setfiles.c
+index 68eab45aa2b4..bcbdfbfe53e2 100644
+--- a/policycoreutils/setfiles/setfiles.c
++++ b/policycoreutils/setfiles/setfiles.c
+@@ -23,14 +23,6 @@ static int nerr;
+ 
+ #define STAT_BLOCK_SIZE 1
+ 
+-/* setfiles will abort its operation after reaching the
+- * following number of errors (e.g. invalid contexts),
+- * unless it is used in "debug" mode (-d option).
+- */
+-#ifndef ABORT_ON_ERRORS
+-#define ABORT_ON_ERRORS	10
+-#endif
+-
+ #define SETFILES "setfiles"
+ #define RESTORECON "restorecon"
+ static int iamrestorecon;
+@@ -57,15 +49,6 @@ static __attribute__((__noreturn__)) void usage(const char *const name)
+ 	exit(-1);
+ }
+ 
+-void inc_err(void)
+-{
+-	nerr++;
+-	if (nerr > ABORT_ON_ERRORS - 1 && !r_opts.debug) {
+-		fprintf(stderr, "Exiting after %d errors.\n", ABORT_ON_ERRORS);
+-		exit(-1);
+-	}
+-}
+-
+ void set_rootpath(const char *arg)
+ {
+ 	if (strlen(arg) == 1 && strncmp(arg, "/", 1) == 0) {
+@@ -98,7 +81,6 @@ int canoncon(char **contextp)
+ 		*contextp = tmpcon;
+ 	} else if (errno != ENOENT) {
+ 		rc = -1;
+-		inc_err();
+ 	}
+ 
+ 	return rc;
+-- 
+2.30.0
+
diff --git a/SOURCES/0038-policycoreutils-setfiles-Drop-unused-nerr-variable.patch b/SOURCES/0038-policycoreutils-setfiles-Drop-unused-nerr-variable.patch
new file mode 100644
index 0000000..31b9a34
--- /dev/null
+++ b/SOURCES/0038-policycoreutils-setfiles-Drop-unused-nerr-variable.patch
@@ -0,0 +1,44 @@
+From a691da617a2d3c864786ff2742d9a9f87ecc7d05 Mon Sep 17 00:00:00 2001
+From: Petr Lautrbach <plautrba@redhat.com>
+Date: Mon, 1 Feb 2021 15:24:32 +0100
+Subject: [PATCH] policycoreutils/setfiles: Drop unused nerr variable
+
+Suggested-by: Nicolas Iooss <nicolas.iooss@m4x.org>
+Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
+---
+ policycoreutils/setfiles/setfiles.c | 5 -----
+ 1 file changed, 5 deletions(-)
+
+diff --git a/policycoreutils/setfiles/setfiles.c b/policycoreutils/setfiles/setfiles.c
+index bcbdfbfe53e2..82d0aaa75893 100644
+--- a/policycoreutils/setfiles/setfiles.c
++++ b/policycoreutils/setfiles/setfiles.c
+@@ -19,7 +19,6 @@ static int warn_no_match;
+ static int null_terminated;
+ static int request_digest;
+ static struct restore_opts r_opts;
+-static int nerr;
+ 
+ #define STAT_BLOCK_SIZE 1
+ 
+@@ -162,7 +161,6 @@ int main(int argc, char **argv)
+ 	warn_no_match = 0;
+ 	request_digest = 0;
+ 	policyfile = NULL;
+-	nerr = 0;
+ 
+ 	r_opts.abort_on_error = 0;
+ 	r_opts.progname = strdup(argv[0]);
+@@ -417,9 +415,6 @@ int main(int argc, char **argv)
+ 	r_opts.selabel_opt_digest = (request_digest ? (char *)1 : NULL);
+ 	r_opts.selabel_opt_path = altpath;
+ 
+-	if (nerr)
+-		exit(-1);
+-
+ 	restore_init(&r_opts);
+ 
+ 	if (use_input_file) {
+-- 
+2.30.0
+
diff --git a/SOURCES/0039-selinux-8-5-Describe-fcontext-regular-expressions.patch b/SOURCES/0039-selinux-8-5-Describe-fcontext-regular-expressions.patch
new file mode 100644
index 0000000..b1f95a2
--- /dev/null
+++ b/SOURCES/0039-selinux-8-5-Describe-fcontext-regular-expressions.patch
@@ -0,0 +1,62 @@
+From c556c6ad0b94cf3ba4b441a1a0930f2468434227 Mon Sep 17 00:00:00 2001
+From: Vit Mojzis <vmojzis@redhat.com>
+Date: Wed, 10 Feb 2021 18:05:29 +0100
+Subject: [PATCH] selinux(8,5): Describe fcontext regular expressions
+
+Describe which type of regular expression is used in file context
+definitions and which flags are in effect.
+
+Explain how local file context modifications are processed.
+
+Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
+Acked-by: Petr Lautrbach <plautrba@redhat.com>
+---
+ python/semanage/semanage            |  2 +-
+ python/semanage/semanage-fcontext.8 | 18 ++++++++++++++++++
+ 2 files changed, 19 insertions(+), 1 deletion(-)
+
+diff --git a/python/semanage/semanage b/python/semanage/semanage
+index 781e8645..ebb93ea5 100644
+--- a/python/semanage/semanage
++++ b/python/semanage/semanage
+@@ -366,7 +366,7 @@ If you do not specify a file type, the file type will default to "all files".
+     parser_add_seuser(fcontextParser, "fcontext")
+     parser_add_type(fcontextParser, "fcontext")
+     parser_add_range(fcontextParser, "fcontext")
+-    fcontextParser.add_argument('file_spec', nargs='?', default=None, help=_('file_spec'))
++    fcontextParser.add_argument('file_spec', nargs='?', default=None, help=_('Path to be labeled (may be in the form of a Perl compatible regular expression)'))
+     fcontextParser.set_defaults(func=handleFcontext)
+ 
+ 
+diff --git a/python/semanage/semanage-fcontext.8 b/python/semanage/semanage-fcontext.8
+index 561123af..49635ba7 100644
+--- a/python/semanage/semanage-fcontext.8
++++ b/python/semanage/semanage-fcontext.8
+@@ -11,6 +11,24 @@ SELinux policy without requiring modification to or recompilation
+ from policy sources.  semanage fcontext is used to  manage the default
+ file system labeling on an SELinux system.  This command maps file paths using regular expressions to SELinux labels.
+ 
++FILE_SPEC may contain either a fully qualified path,
++or a Perl compatible regular expression (PCRE),
++describing fully qualified path(s). The only PCRE flag in use is PCRE2_DOTALL,
++which causes a wildcard '.' to match anything, including a new line.
++Strings representing paths are processed as bytes (as opposed to Unicode),
++meaning that non-ASCII characters are not matched by a single wildcard.
++
++Note, that file context definitions specified using 'semanage fcontext'
++(i.e. local file context modifications stored in file_contexts.local)
++have higher priority than those specified in policy modules.
++This means that whenever a match for given file path is found in
++file_contexts.local, no other file context definitions are considered.
++Entries in file_contexts.local are processed from most recent one to the oldest,
++with first match being used (as opposed to the most specific match,
++which is used when matching other file context definitions).
++All regular expressions should therefore be as specific as possible,
++to avoid unintentionally impacting other parts of the filesystem.
++
+ .SH "OPTIONS"
+ .TP
+ .I  \-h, \-\-help
+-- 
+2.29.2
+
diff --git a/SPECS/policycoreutils.spec b/SPECS/policycoreutils.spec
index 24ffe1c..06896f4 100644
--- a/SPECS/policycoreutils.spec
+++ b/SPECS/policycoreutils.spec
@@ -12,7 +12,7 @@
 Summary: SELinux policy core utilities
 Name:    policycoreutils
 Version: 2.9
-Release: 9%{?dist}
+Release: 14%{?dist}
 License: GPLv2
 # https://github.com/SELinuxProject/selinux/wiki/Releases
 Source0: https://github.com/SELinuxProject/selinux/releases/download/20190315/policycoreutils-2.9.tar.gz
@@ -70,6 +70,13 @@ Patch0029: 0029-python-semanage-fix-moduleRecords.customized.patch
 Patch0030: 0030-python-semanage-Add-support-for-DCCP-and-SCTP-protoc.patch
 Patch0031: 0031-dbus-Fix-FileNotFoundError-in-org.selinux.relabel_on.patch
 Patch0032: 0032-restorecond-Fix-redundant-console-log-output-error.patch
+Patch0033: 0033-python-semanage-empty-stdout-before-exiting-on-Broke.patch
+Patch0034: 0034-python-semanage-Sort-imports-in-alphabetical-order.patch
+Patch0035: 0035-python-sepolgen-allow-any-policy-statement-in-if-n-d.patch
+Patch0036: 0036-setfiles-Do-not-abort-on-labeling-error.patch
+Patch0037: 0037-setfiles-drop-ABORT_ON_ERRORS-and-related-code.patch
+Patch0038: 0038-policycoreutils-setfiles-Drop-unused-nerr-variable.patch
+Patch0039: 0039-selinux-8-5-Describe-fcontext-regular-expressions.patch
 
 Obsoletes: policycoreutils < 2.0.61-2
 Conflicts: filesystem < 3, selinux-policy-base < 3.13.1-138
@@ -130,6 +137,8 @@ tar -xvf %{SOURCE14} -C python/sepolicy/
 
 # Since patches containing translation changes were too big, translations were moved to separate tarballs
 # For more information see README.translations
+# First remove old translation files
+rm -f policycoreutils/po/*.po python/po/*.po gui/po/*.po sandbox/po/*.po
 tar -x -f %{SOURCE20} -C policycoreutils -z
 tar -x -f %{SOURCE21} -C python -z
 tar -x -f %{SOURCE22} -C gui -z
@@ -507,6 +516,22 @@ The policycoreutils-restorecond package contains the restorecond service.
 %systemd_postun_with_restart restorecond.service
 
 %changelog
+* Tue Mar 09 2021 Vit Mojzis <vmojzis@redhat.com> - 2.9-14
+- Update translations (#1899695)
+
+* Mon Feb 22 2021 Vit Mojzis <vmojzis@redhat.com> - 2.9-13
+- selinux(8,5): Describe fcontext regular expressions (#1904059)
+
+* Tue Feb  2 2021 Petr Lautrbach <plautrba@redhat.com> - 2.9-12
+- setfiles: Do not abort on labeling error (#1794518)
+
+* Wed Jan 27 2021 Vit Mojzis <vmojzis@redhat.com> - 2.9-11
+- python/sepolgen: allow any policy statement in if(n)def (#1868717)
+
+* Sat Jan 16 2021 Vit Mojzis <vmojzis@redhat.com> - 2.9-10
+- python/semanage: Sort imports in alphabetical order
+- python/semanage: empty stdout before exiting on BrokenPipeError (#1822100)
+
 * Fri Jan 17 2020 Vit Mojzis <vmojzis@redhat.com> - 2.9-9
 - Update translations (#1754978)