* Wed Dec 16 2009 Dan Walsh <dwalsh@redhat.com> 2.0.78-5

- If restorecond running as a user has no files to watch then it should exit.  (NFS Homedirs)

policycoreutils-rhat.patch

@@ -140,7 +140,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po
  
 diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/Makefile policycoreutils-2.0.78/restorecond/Makefile
 --- nsapolicycoreutils/restorecond/Makefile	2009-08-20 15:49:21.000000000 -0400
-+++ policycoreutils-2.0.78/restorecond/Makefile	2009-12-08 17:05:49.000000000 -0500
++++ policycoreutils-2.0.78/restorecond/Makefile	2009-12-16 08:16:15.000000000 -0500
 @@ -1,17 +1,28 @@
  # Installation directories.
  PREFIX ?= ${DESTDIR}/usr
@@ -189,14 +189,14 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po
  	/sbin/restorecon $(SBINDIR)/restorecond 
 diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/org.selinux.Restorecond.service policycoreutils-2.0.78/restorecond/org.selinux.Restorecond.service
 --- nsapolicycoreutils/restorecond/org.selinux.Restorecond.service	1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.78/restorecond/org.selinux.Restorecond.service	2009-12-08 17:05:49.000000000 -0500
++++ policycoreutils-2.0.78/restorecond/org.selinux.Restorecond.service	2009-12-16 08:16:16.000000000 -0500
 @@ -0,0 +1,3 @@
 +[D-BUS Service]
 +Name=org.selinux.Restorecond
 +Exec=/usr/sbin/restorecond -u
 diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.8 policycoreutils-2.0.78/restorecond/restorecond.8
 --- nsapolicycoreutils/restorecond/restorecond.8	2009-08-20 15:49:21.000000000 -0400
-+++ policycoreutils-2.0.78/restorecond/restorecond.8	2009-12-08 17:05:49.000000000 -0500
++++ policycoreutils-2.0.78/restorecond/restorecond.8	2009-12-16 08:16:16.000000000 -0500
 @@ -3,7 +3,7 @@
  restorecond \- daemon that watches for file creation and then sets the default SELinux file context
  
@@ -233,7 +233,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po
  .BR restorecon (8),
 diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.c policycoreutils-2.0.78/restorecond/restorecond.c
 --- nsapolicycoreutils/restorecond/restorecond.c	2009-08-20 15:49:21.000000000 -0400
-+++ policycoreutils-2.0.78/restorecond/restorecond.c	2009-12-09 16:29:18.000000000 -0500
++++ policycoreutils-2.0.78/restorecond/restorecond.c	2009-12-16 08:16:17.000000000 -0500
 @@ -30,9 +30,11 @@
   * and makes sure that there security context matches the systems defaults
   *
@@ -670,7 +670,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po
  
  	/* Register sighandlers */
  	sa.sa_flags = 0;
-@@ -467,38 +174,59 @@
+@@ -467,38 +174,60 @@
  
  	set_matchpathcon_flags(MATCHPATHCON_NOTRANS);
  
@@ -679,6 +679,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po
 -		exitApp("inotify_init");
 -
 -	while ((opt = getopt(argc, argv, "dv")) > 0) {
++	exclude_non_seclabel_mounts();
 +	atexit( done );
 +	while ((opt = getopt(argc, argv, "df:uv")) > 0) {
  		switch (opt) {
@@ -741,7 +742,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po
 +
 diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.conf policycoreutils-2.0.78/restorecond/restorecond.conf
 --- nsapolicycoreutils/restorecond/restorecond.conf	2009-08-20 15:49:21.000000000 -0400
-+++ policycoreutils-2.0.78/restorecond/restorecond.conf	2009-12-08 17:05:49.000000000 -0500
++++ policycoreutils-2.0.78/restorecond/restorecond.conf	2009-12-16 08:16:18.000000000 -0500
 @@ -4,8 +4,5 @@
  /etc/mtab
  /var/run/utmp
@@ -754,7 +755,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po
 -
 diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.desktop policycoreutils-2.0.78/restorecond/restorecond.desktop
 --- nsapolicycoreutils/restorecond/restorecond.desktop	1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.78/restorecond/restorecond.desktop	2009-12-08 17:05:49.000000000 -0500
++++ policycoreutils-2.0.78/restorecond/restorecond.desktop	2009-12-16 08:16:19.000000000 -0500
 @@ -0,0 +1,7 @@
 +[Desktop Entry]
 +Name=File Context maintainer
@@ -765,8 +766,8 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po
 +StartupNotify=false
 diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.h policycoreutils-2.0.78/restorecond/restorecond.h
 --- nsapolicycoreutils/restorecond/restorecond.h	2009-08-20 15:49:21.000000000 -0400
-+++ policycoreutils-2.0.78/restorecond/restorecond.h	2009-12-08 17:05:49.000000000 -0500
++++ policycoreutils-2.0.78/restorecond/restorecond.h	2009-12-16 08:16:20.000000000 -0500
-@@ -24,7 +24,21 @@
+@@ -24,7 +24,22 @@
  #ifndef RESTORED_CONFIG_H
  #define RESTORED_CONFIG_H
  
@@ -788,11 +789,12 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po
 +extern void watch_list_add(int inotify_fd, const char *path);
 +extern int watch_list_find(int wd, const char *file);
 +extern void watch_list_free(int fd);
++extern int watch_list_isempty();
  
  #endif
 diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.init policycoreutils-2.0.78/restorecond/restorecond.init
 --- nsapolicycoreutils/restorecond/restorecond.init	2009-08-20 15:49:21.000000000 -0400
-+++ policycoreutils-2.0.78/restorecond/restorecond.init	2009-12-08 17:05:49.000000000 -0500
++++ policycoreutils-2.0.78/restorecond/restorecond.init	2009-12-16 08:16:21.000000000 -0500
 @@ -75,16 +75,15 @@
  	status restorecond
  	RETVAL=$?
@@ -814,14 +816,14 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po
 -
 diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond_user.conf policycoreutils-2.0.78/restorecond/restorecond_user.conf
 --- nsapolicycoreutils/restorecond/restorecond_user.conf	1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.78/restorecond/restorecond_user.conf	2009-12-08 17:05:49.000000000 -0500
++++ policycoreutils-2.0.78/restorecond/restorecond_user.conf	2009-12-16 08:16:22.000000000 -0500
 @@ -0,0 +1,2 @@
 +~/*
 +~/public_html/*
 diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/user.c policycoreutils-2.0.78/restorecond/user.c
 --- nsapolicycoreutils/restorecond/user.c	1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.78/restorecond/user.c	2009-12-08 17:05:49.000000000 -0500
++++ policycoreutils-2.0.78/restorecond/user.c	2009-12-16 08:16:24.000000000 -0500
-@@ -0,0 +1,237 @@
+@@ -0,0 +1,239 @@
 +/*
 + * restorecond
 + *
@@ -1046,6 +1048,8 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po
 +
 +    read_config(master_fd, watch_file);
 +    
++    if (watch_list_isempty()) return 0;
++
 +    set_matchpathcon_flags(MATCHPATHCON_NOTRANS);
 +    
 +    GIOChannel *c = g_io_channel_unix_new(master_fd);
@@ -1061,8 +1065,8 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po
 +
 diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/watch.c policycoreutils-2.0.78/restorecond/watch.c
 --- nsapolicycoreutils/restorecond/watch.c	1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.78/restorecond/watch.c	2009-12-09 16:31:48.000000000 -0500
++++ policycoreutils-2.0.78/restorecond/watch.c	2009-12-16 08:16:27.000000000 -0500
-@@ -0,0 +1,254 @@
+@@ -0,0 +1,260 @@
 +#define _GNU_SOURCE
 +#include <sys/inotify.h>
 +#include <errno.h>
@@ -1099,6 +1103,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po
 +};
 +struct watchList *firstDir = NULL;
 +
++int watch_list_isempty() {
++	return firstDir == NULL;
++}
 +
 +void watch_list_add(int fd, const char *path)
 +{
@@ -1112,6 +1119,8 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po
 +	char *dir = dirname(x);
 +	ptr = firstDir;
 +
++	if (exclude(path)) return;
++
 +	globbuf.gl_offs = 1;
 +	if (glob(path, 
 +		 GLOB_TILDE | GLOB_PERIOD,
@@ -1226,6 +1235,8 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po
 +{
 +	char buf[BUF_LEN];
 +	int len, i = 0;
++	if (firstDir == NULL) return 0;
++
 +	len = read(fd, buf, BUF_LEN);
 +	if (len < 0) {
 +		if (terminate == 0) {
@@ -1316,7 +1327,6 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po
 +	if (master_wd == -1)
 +		exitApp("Error watching config file.");
 +}
-+
 diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/deliverables/basicwrapper policycoreutils-2.0.78/sandbox/deliverables/basicwrapper
 --- nsapolicycoreutils/sandbox/deliverables/basicwrapper	1969-12-31 19:00:00.000000000 -0500
 +++ policycoreutils-2.0.78/sandbox/deliverables/basicwrapper	2009-12-08 17:05:49.000000000 -0500
@@ -1671,10 +1681,10 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po
 +relabel:
 diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/sandbox policycoreutils-2.0.78/sandbox/sandbox
 --- nsapolicycoreutils/sandbox/sandbox	1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.78/sandbox/sandbox	2009-12-08 17:05:49.000000000 -0500
++++ policycoreutils-2.0.78/sandbox/sandbox	2009-12-14 09:35:48.000000000 -0500
-@@ -0,0 +1,253 @@
+@@ -0,0 +1,272 @@
 +#!/usr/bin/python -E
-+import os, sys, getopt, socket, random, fcntl, shutil
++import os, sys, getopt, socket, random, fcntl, shutil, re
 +import selinux
 +import signal
 +
@@ -1779,7 +1789,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po
 +              copyfile(f,homedir, newhomedir)
 +              copyfile(f,"/tmp", newtmpdir)
 +
-+def savefile(new, orig):
++def savefile(new, orig, X_ind):
++       copy = False
++       if(X_ind):
 +              import gtk
 +              dlg = gtk.MessageDialog(None, 0, gtk.MESSAGE_INFO,
 +                                      gtk.BUTTONS_YES_NO,
@@ -1790,6 +1802,12 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po
 +              rc = dlg.run()
 +              dlg.destroy()
 +              if rc == gtk.RESPONSE_YES:
++                     copy = True
++       else:
++              ans = raw_input(_("Do you want to save changes to '%s' (y/N): ") % orig)
++              if(re.match(_("[yY]"),ans)):
++                     copy = True
++       if(copy):
 +              shutil.copy2(new,orig)
 +
 +if __name__ == '__main__':
@@ -1801,19 +1819,21 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po
 +
 +    def usage(message = ""):
 +        text = _("""
-+sandbox [-h] [-I includefile ] [[-i file ] ...] [ -t type ] command
++sandbox [-h] [-X] [-M][-I includefile ] [[-i file ] ...] [ -t type ] command
 +""")
 +        error_exit("%s\n%s" % (message, text))
 +
 +    setype = DEFAULT_TYPE
 +    X_ind = False
++    home_and_temp = False
 +    level=None
 +    try:
-+           gopts, cmds = getopt.getopt(sys.argv[1:], "l:i:ht:XI:", 
++           gopts, cmds = getopt.getopt(sys.argv[1:], "l:i:ht:XI:M", 
 +                                       ["help",
 +                                        "include=", 
 +                                        "includefile=", 
 +                                        "type=",
++                                        "mount",
 +                                        "level="
 +                                        ])
 +           for o, a in gopts:
@@ -1842,6 +1862,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po
 +                         if DEFAULT_TYPE == setype:
 +                                setype = DEFAULT_X_TYPE
 +                         X_ind = True
++                         home_and_temp = True
++                  if o == "-M" or o == "--mount":
++                         home_and_temp = True
 +
 +                  if o == "-h" or o == "--help":
 +                         usage(_("Usage"));
@@ -1862,9 +1885,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po
 +           try:
 +                  newhomedir = None
 +                  newtmpdir = None
-+                  if X_ind:
++                  if home_and_temp:
 +                         if not os.path.exists("/usr/sbin/seunshare"):
-+                                raise ValueError("""/usr/sbin/seunshare required for sandbox -X, to install you need to execute 
++                                raise ValueError("""/usr/sbin/seunshare required for sandbox -M, to install you need to execute 
 +#yum install /usr/sbin/seunshare""")
 +                         import warnings
 +                         warnings.simplefilter("ignore")
@@ -1891,21 +1914,27 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po
 +""" % " ".join(paths))
 +                         fd.close()
 +                         os.chmod(execfile, 0700)
-+                         
++                         if X_ind:
 +                                cmds =  ("/usr/sbin/seunshare -t %s -h %s -- %s /usr/share/sandbox/sandboxX.sh" % (newtmpdir, newhomedir, execcon)).split()
 +                                rc = os.spawnvp(os.P_WAIT, cmds[0], cmds)
++                         else:
++                                cmds =  ("/usr/sbin/seunshare -t %s -h %s -- %s " % (newtmpdir, newhomedir, execcon)).split()+cmds
++                                rc = os.spawnvp(os.P_WAIT, cmds[0], cmds)
++                                selinux.setexeccon(execcon)
++                                rc = os.spawnvp(os.P_WAIT, cmds[0], cmds)
++                                selinux.setexeccon(None)
 +                         for i in paths:
 +                                if i not in X_FILES:
 +                                       continue
 +                                (dest, mtime) = X_FILES[i]
 +                                if os.path.getmtime(dest) > mtime:
-+                                       savefile(dest, i)
++                                       savefile(dest, i, X_ind)
 +                  else:
 +                         selinux.setexeccon(execcon)
 +                         rc = os.spawnvp(os.P_WAIT, cmds[0], cmds)
 +                         selinux.setexeccon(None)
 +           finally:
-+                  if X_ind:
++                  if home_and_temp:
 +                         if newhomedir:
 +                                shutil.rmtree(newhomedir)
 +                         if newtmpdir:
@@ -1928,30 +1957,43 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po
 +
 diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/sandbox.8 policycoreutils-2.0.78/sandbox/sandbox.8
 --- nsapolicycoreutils/sandbox/sandbox.8	1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.78/sandbox/sandbox.8	2009-12-08 17:05:49.000000000 -0500
++++ policycoreutils-2.0.78/sandbox/sandbox.8	2009-12-14 09:37:40.000000000 -0500
-@@ -0,0 +1,26 @@
+@@ -0,0 +1,39 @@
 +.TH SANDBOX "8" "May 2009" "chcat" "User Commands"
 +.SH NAME
 +sandbox \- Run cmd under an SELinux sandbox
 +.SH SYNOPSIS
 +.B sandbox
-+[-X] [[-i file ]...] [ -t type ] cmd
++[-M] [-X] [-I includefile ] [[-i file ]...] [ -t type ] cmd
 +.br
 +.SH DESCRIPTION
 +.PP
-+Run application within a tightly confined SELinux domain,   The default sandbox allows the application to only read and write stdin and stdout along with files handled to it by the shell.  
++Run the 
-+Additionaly a -X qualifier allows you to run sandboxed X applications.  These apps will start up their own X Server and create a temporary homedir and /tmp.  The default policy does not allow any capabilities or network access.  Also prevents all access to the users other processes and files.  Any file specified on the command line will be copied into the sandbox.
++.I cmd 
++application within a tightly confined SELinux domain.  The default sandbox domain only allows applications the ability to read and write stdin, stdout and any other file descriptors handed to it. It is not allowed to open any other files.  
++
++If you have the 
++.I policycoreutils-sandbox 
++package installed, you can use the -X option.
++.B sandbox -X
++allows you to run sandboxed X applications.  These applications will start up their own X Server and create a temporary homedir and /tmp.  The default policy does not allow any capabilities or network access.  It also prevents all access to the users other processes and files.  Any file specified on the command line will be copied into the sandbox.
 +.PP
 +.TP
 +\fB\-t type\fR
 +Use alternate sandbox type, defaults to sandbox_t or sandbox_x_t for -X.
 +.TP
 +\fB\-i file\fR
-+Copy this file into the temporary sandbox homedir. Command can be repeated.
++Copy this file into the temporary sandbox appriate. Command can be repeated.
++.TP
++\fB\-I inputfile\fR
++Copy all files listed in inputfile into the appropriate temporary sandbox direcories. 
 +.TP
 +\fB\-X\fR
 +Create an X based Sandbox for gui apps, temporary files for $HOME and /tmp, seconday Xserver, defaults to sandbox_x_t
 +.TP
++\fB\-M\fR
++Create a Sandbox with temporary files for $HOME and /tmp, defaults to sandbox_t
++.TP
 +.SH "SEE ALSO"
 +.TP
 +runcon(1)
@@ -3360,8 +3402,24 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po
  					}
 diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/setfiles/restore.c policycoreutils-2.0.78/setfiles/restore.c
 --- nsapolicycoreutils/setfiles/restore.c	2009-11-03 09:21:40.000000000 -0500
-+++ policycoreutils-2.0.78/setfiles/restore.c	2009-12-08 17:05:49.000000000 -0500
++++ policycoreutils-2.0.78/setfiles/restore.c	2009-12-16 08:14:21.000000000 -0500
-@@ -303,6 +303,12 @@
+@@ -31,7 +31,6 @@
+ 
+ 
+ static file_spec_t *fl_head;
+-static int exclude(const char *file);
+ static int filespec_add(ino_t ino, const security_context_t con, const char *file);
+ static int only_changed_user(const char *a, const char *b);
+ struct restore_opts *r_opts = NULL;
+@@ -53,7 +52,6 @@
+ 		}
+ 	}
+ 	return;
+-
+ }
+ 
+ void restore_init(struct restore_opts *opts)
+@@ -303,6 +301,12 @@
  	FTS *fts_handle;
  	FTSENT *ftsent;
  
@@ -3374,7 +3432,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po
  	fts_handle = fts_open((char **)namelist, r_opts->fts_flags, NULL);
  	if (fts_handle  == NULL) {
  		fprintf(stderr,
-@@ -374,6 +380,7 @@
+@@ -374,6 +378,7 @@
  	} else {
  		rc = lstat(name, &sb);
  		if (rc < 0) {
@@ -3382,9 +3440,86 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po
  			fprintf(stderr, "%s:  lstat(%s) failed:  %s\n",
  				r_opts->progname, name,	strerror(errno));
  			return -1;
+@@ -409,7 +414,7 @@
+ 	}
+ }
+ 
+-static int exclude(const char *file)
++int exclude(const char *file)
+ {
+ 	int i = 0;
+ 	for (i = 0; i < excludeCtr; i++) {
+@@ -602,5 +607,67 @@
+ 	return -1;
+ }
+ 
++#include <sys/utsname.h>
++/*
++   Search /proc/mounts for all file systems that do not support extended
++   attributes and add them to the exclude directory table.  File systems
++   that support security labels have the seclabel option.
++*/
++void exclude_non_seclabel_mounts()
++{
++	struct utsname uts;
++	FILE *fp;
++	size_t len;
++	ssize_t num;
++	int index = 0, found = 0;
++	char *mount_info[4];
++	char *buf = NULL, *item;
++
++	/* Check to see if the kernel supports seclabel */
++	if (uname(&uts) == 0 && strverscmp(uts.release, "2.6.30") < 0)
++		return;
++	if (is_selinux_enabled() <= 0)
++		return;
++
++	fp = fopen("/proc/mounts", "r");
++	if (!fp)
++		return;
+ 
++	while ((num = getline(&buf, &len, fp)) != -1) {
++		found = 0;
++		index = 0;
++		item = strtok(buf, " ");
++		while (item != NULL) {
++			mount_info[index] = item;
++			if (index == 3)
++				break;
++			index++;
++			item = strtok(NULL, " ");
++		}
++		if (index < 3) {
++			fprintf(stderr,
++				"/proc/mounts record \"%s\" has incorrect format.\n",
++				buf);
++			continue;
++		}
++
++		/* remove pre-existing entry */
++		remove_exclude(mount_info[1]);
++
++		item = strtok(mount_info[3], ",");
++		while (item != NULL) {
++			if (strcmp(item, "seclabel") == 0) {
++				found = 1;
++				break;
++			}
++			item = strtok(NULL, ",");
++		}
++
++		/* exclude mount points without the seclabel option */
++		if (!found)
++			add_exclude(mount_info[1]);
++	}
++
++	free(buf);
++}
+ 
 diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/setfiles/restorecon.8 policycoreutils-2.0.78/setfiles/restorecon.8
 --- nsapolicycoreutils/setfiles/restorecon.8	2008-08-28 09:34:24.000000000 -0400
-+++ policycoreutils-2.0.78/setfiles/restorecon.8	2009-12-08 17:05:49.000000000 -0500
++++ policycoreutils-2.0.78/setfiles/restorecon.8	2009-12-16 08:14:22.000000000 -0500
 @@ -4,10 +4,10 @@
  
  .SH "SYNOPSIS"
@@ -3410,7 +3545,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po
  show changes in file labels.
 diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/setfiles/restore.h policycoreutils-2.0.78/setfiles/restore.h
 --- nsapolicycoreutils/setfiles/restore.h	2009-11-03 09:21:40.000000000 -0500
-+++ policycoreutils-2.0.78/setfiles/restore.h	2009-12-08 17:05:49.000000000 -0500
++++ policycoreutils-2.0.78/setfiles/restore.h	2009-12-16 08:14:23.000000000 -0500
 @@ -27,6 +27,7 @@
  	int hard_links;
  	int verbose;
@@ -3419,10 +3554,19 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po
  	char *rootpath;
  	int rootpathlen;
  	char *progname;
-Binary files nsapolicycoreutils/setfiles/restore.o and policycoreutils-2.0.78/setfiles/restore.o differ
+@@ -44,7 +45,9 @@
+ void restore_init(struct restore_opts *opts);
+ void restore_finish();
+ int add_exclude(const char *directory);
++int exclude(const char *path);
+ void remove_exclude(const char *directory);
+ int process_one_realpath(char *name, int recurse);
++void exclude_non_seclabel_mounts();
+ 
+ #endif
 diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/setfiles/setfiles.8 policycoreutils-2.0.78/setfiles/setfiles.8
 --- nsapolicycoreutils/setfiles/setfiles.8	2008-08-28 09:34:24.000000000 -0400
-+++ policycoreutils-2.0.78/setfiles/setfiles.8	2009-12-08 17:05:49.000000000 -0500
++++ policycoreutils-2.0.78/setfiles/setfiles.8	2009-12-16 08:14:25.000000000 -0500
 @@ -31,6 +31,9 @@
  .TP
  .B \-n
@@ -3435,8 +3579,16 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po
  suppress non-error output.
 diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/setfiles/setfiles.c policycoreutils-2.0.78/setfiles/setfiles.c
 --- nsapolicycoreutils/setfiles/setfiles.c	2009-11-03 09:21:40.000000000 -0500
-+++ policycoreutils-2.0.78/setfiles/setfiles.c	2009-12-09 16:28:55.000000000 -0500
++++ policycoreutils-2.0.78/setfiles/setfiles.c	2009-12-16 08:14:26.000000000 -0500
-@@ -25,7 +25,6 @@
+@@ -5,7 +5,6 @@
+ #include <ctype.h>
+ #include <regex.h>
+ #include <sys/vfs.h>
+-#include <sys/utsname.h>
+ #define __USE_XOPEN_EXTENDED 1	/* nftw */
+ #include <libgen.h>
+ #ifdef USE_AUDIT
+@@ -25,7 +24,6 @@
  static int warn_no_match = 0;
  static int null_terminated = 0;
  static int errors;
@@ -3444,7 +3596,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po
  static struct restore_opts r_opts;
  
  #define STAT_BLOCK_SIZE 1
-@@ -44,13 +43,13 @@
+@@ -44,13 +42,13 @@
  {
  	if (iamrestorecon) {
  		fprintf(stderr,
@@ -3460,7 +3612,77 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po
  			name);
  	}
  	exit(1);
-@@ -335,7 +334,7 @@
+@@ -138,69 +136,6 @@
+ #endif
+ }
+ 
+-/*
+-   Search /proc/mounts for all file systems that do not support extended
+-   attributes and add them to the exclude directory table.  File systems
+-   that support security labels have the seclabel option.
+-*/
+-static void exclude_non_seclabel_mounts()
+-{
+-	struct utsname uts;
+-	FILE *fp;
+-	size_t len;
+-	ssize_t num;
+-	int index = 0, found = 0;
+-	char *mount_info[4];
+-	char *buf = NULL, *item;
+-
+-	/* Check to see if the kernel supports seclabel */
+-	if (uname(&uts) == 0 && strverscmp(uts.release, "2.6.30") < 0)
+-		return;
+-	if (is_selinux_enabled() <= 0)
+-		return;
+-
+-	fp = fopen("/proc/mounts", "r");
+-	if (!fp)
+-		return;
+-
+-	while ((num = getline(&buf, &len, fp)) != -1) {
+-		found = 0;
+-		index = 0;
+-		item = strtok(buf, " ");
+-		while (item != NULL) {
+-			mount_info[index] = item;
+-			if (index == 3)
+-				break;
+-			index++;
+-			item = strtok(NULL, " ");
+-		}
+-		if (index < 3) {
+-			fprintf(stderr,
+-				"/proc/mounts record \"%s\" has incorrect format.\n",
+-				buf);
+-			continue;
+-		}
+-
+-		/* remove pre-existing entry */
+-		remove_exclude(mount_info[1]);
+-
+-		item = strtok(mount_info[3], ",");
+-		while (item != NULL) {
+-			if (strcmp(item, "seclabel") == 0) {
+-				found = 1;
+-				break;
+-			}
+-			item = strtok(NULL, ",");
+-		}
+-
+-		/* exclude mount points without the seclabel option */
+-		if (!found)
+-			add_exclude(mount_info[1]);
+-	}
+-
+-	free(buf);
+-}
+-
+ int main(int argc, char **argv)
+ {
+ 	struct stat sb;
+@@ -335,7 +270,7 @@
  			r_opts.debug = 1;
  			break;
  		case 'i':
@@ -3469,7 +3691,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po
  			break;
  		case 'l':
  			r_opts.logging = 1;
-@@ -371,7 +370,7 @@
+@@ -371,7 +306,7 @@
  				break;
  			}
  			if (optind + 1 >= argc) {

policycoreutils-sepolgen.patch

@@ -1,6 +1,6 @@
 diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/access.py policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/access.py
 --- nsasepolgen/src/sepolgen/access.py	2009-05-18 13:53:14.000000000 -0400
-+++ policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/access.py	2009-12-08 17:02:52.000000000 -0500
++++ policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/access.py	2009-12-08 17:05:49.000000000 -0500
 @@ -32,6 +32,7 @@
  """
  
@@ -56,7 +56,7 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/access.py policyco
          if audit_msg:
 diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/audit.py policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/audit.py
 --- nsasepolgen/src/sepolgen/audit.py	2009-12-01 15:46:50.000000000 -0500
-+++ policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/audit.py	2009-12-08 17:02:17.000000000 -0500
++++ policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/audit.py	2009-12-08 17:05:49.000000000 -0500
 @@ -23,6 +23,27 @@
  
  # Convenience functions
@@ -194,7 +194,7 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/audit.py policycor
 -
 diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/policygen.py policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/policygen.py
 --- nsasepolgen/src/sepolgen/policygen.py	2008-09-12 11:48:15.000000000 -0400
-+++ policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/policygen.py	2009-12-08 17:03:16.000000000 -0500
++++ policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/policygen.py	2009-12-16 08:20:45.000000000 -0500
 @@ -29,6 +29,8 @@
  import access
  import interfaces
@@ -213,13 +213,15 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/policygen.py polic
      def set_gen_refpol(self, if_set=None, perm_maps=None):
          """Set whether reference policy interfaces are generated.
  
-@@ -144,8 +146,32 @@
+@@ -144,8 +146,35 @@
      def __add_allow_rules(self, avs):
          for av in avs:
              rule = refpolicy.AVRule(av)
 +            rule.comment = ""
              if self.explain:
                  rule.comment = refpolicy.Comment(explain_access(av, verbosity=self.explain))
++            if av.type == audit2why.ALLOW:
++                rule.comment += "#!!!! This avc is allowed in the current policy\n" 
 +            if av.type == audit2why.DONTAUDIT:
 +                rule.comment += "#!!!! This avc has a dontaudit rule in the current policy\n" 
 +            if av.type == audit2why.BOOLEAN:
@@ -231,7 +233,8 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/policygen.py polic
 +            if av.type == audit2why.CONSTRAINT:
 +                rule.comment += "#!!!! This avc is a constraint violation.  You will need to add an attribute to either the source or target type to make it work.\n" 
 +            if av.type == audit2why.TERULE:
-+                if "open" in av.perms and "write" in av.perms:
++                if "write" in av.perms:
++                    if "dir" in av.obj_class or "open" in av.perms:
 +                        if not self.domains:
 +                            self.domains = seinfo(ATTRIBUTE, name="domain")[0]["types"]
 +                        types=[]
@@ -248,7 +251,7 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/policygen.py polic
  
 diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/refparser.py policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/refparser.py
 --- nsasepolgen/src/sepolgen/refparser.py	2009-10-29 15:21:39.000000000 -0400
-+++ policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/refparser.py	2009-12-08 17:01:22.000000000 -0500
++++ policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/refparser.py	2009-12-08 17:05:49.000000000 -0500
 @@ -973,7 +973,7 @@
  def list_headers(root):
      modules = []
@@ -260,7 +263,7 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/refparser.py polic
          for name in filenames:
 diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/refpolicy.py policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/refpolicy.py
 --- nsasepolgen/src/sepolgen/refpolicy.py	2009-10-29 15:21:39.000000000 -0400
-+++ policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/refpolicy.py	2009-12-08 17:02:00.000000000 -0500
++++ policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/refpolicy.py	2009-12-08 17:05:49.000000000 -0500
 @@ -398,6 +398,7 @@
          return "attribute %s;" % self.name
  

policycoreutils.spec

@@ -6,7 +6,7 @@
 Summary: SELinux policy core utilities
 Name:	 policycoreutils
 Version: 2.0.78
-Release: 3%{?dist}
+Release: 5%{?dist}
 License: GPLv2+
 Group:	 System Environment/Base
 Source:	 http://www.nsa.gov/selinux/archives/policycoreutils-%{version}.tgz
@@ -131,6 +131,7 @@ The policycoreutils-python package contains the management tools use to manage a
 %{_mandir}/man1/audit2why.1*
 %{_mandir}/man8/chcat.8*
 %{_mandir}/ru/man8/chcat.8*
+%{_mandir}/man8/sandbox.8*
 %{_mandir}/man8/semanage.8*
 %{_mandir}/ru/man8/semanage.8*
 
@@ -152,7 +153,6 @@ The policycoreutils-python package contains the scripts to create graphical sand
 
 %files sandbox
 %{_sysconfdir}/rc.d/init.d/sandbox
-%{_mandir}/man8/sandbox.8*
 %{_sbindir}/seunshare
 %{_datadir}/sandbox/sandboxX.sh
 
@@ -296,6 +296,12 @@ fi
 exit 0
 
 %changelog
+* Wed Dec 16 2009 Dan Walsh <dwalsh@redhat.com> 2.0.78-5
+- If restorecond running as a user has no files to watch then it should exit.  (NFS Homedirs)
+
+* Thu Dec 10 2009 Dan Walsh <dwalsh@redhat.com> 2.0.78-4
+- Move sandbox man page to base package
+
 * Tue Dec 8 2009 Dan Walsh <dwalsh@redhat.com> 2.0.78-3
 - Fix audit2allow to report constraints, dontaudits, types, booleans