import policycoreutils-2.9-9.el8

.policycoreutils.metadata

@@ -1,9 +1,9 @@
-1774f04937a737c415273ee118b0d295e01864f3 SOURCES/gui-po.tgz
+2acf5c696e1e60cf405b0cadcc090b79269f8812 SOURCES/gui-po.tgz
 6e64d9a38fb516738023eb429eef29af5383f443 SOURCES/policycoreutils-2.9.tar.gz
-136d495d4ad657aab34727edad0de2fc6a3c6553 SOURCES/policycoreutils-po.tgz
+af5375db35a33f9daf4b06e61566c92d0d4f6792 SOURCES/policycoreutils-po.tgz
-2218891a934c10bea73fd017a8aa5ce9417a78c4 SOURCES/python-po.tgz
+aac18d02363be7c03fad4ed35f5367f9ca0e397f SOURCES/python-po.tgz
 0a34ef54394972870203832c8ce52d4405bd5330 SOURCES/restorecond-2.9.tar.gz
-36c396e7151f3f6d55cbf4983d3d73a79be41899 SOURCES/sandbox-po.tgz
+76d7357f34e062dce330d2a97031b1b64dea775f SOURCES/sandbox-po.tgz
 8645509cdfc433278c2e4d29ee8f511625c7edcc SOURCES/selinux-dbus-2.9.tar.gz
 5c155ae47692389d9fabaa154195e7f978f2a3f0 SOURCES/selinux-gui-2.9.tar.gz
 660e1ab824ef80f7a69f0b70f61e231957fd398e SOURCES/selinux-python-2.9.tar.gz

SOURCES/0001-gui-Install-polgengui.py-to-usr-bin-selinux-polgengu.patch

@@ -1,7 +1,7 @@
 From c778509dd0ed3b184d720032f31971f975e42973 Mon Sep 17 00:00:00 2001
 From: Petr Lautrbach <plautrba@redhat.com>
 Date: Tue, 5 Mar 2019 17:38:55 +0100
-Subject: [PATCH 01/20] gui: Install polgengui.py to /usr/bin/selinux-polgengui
+Subject: [PATCH] gui: Install polgengui.py to /usr/bin/selinux-polgengui
 
 polgengui.py is a standalone gui tool which should be in /usr/bin with other
 tools.

SOURCES/0002-gui-Install-.desktop-files-to-usr-share-applications.patch

@@ -1,8 +1,8 @@
 From 04b632e6de14ec0336e14988bf4c2bd581f7308e Mon Sep 17 00:00:00 2001
 From: Petr Lautrbach <plautrba@redhat.com>
 Date: Tue, 5 Mar 2019 17:25:00 +0100
-Subject: [PATCH 02/20] gui: Install .desktop files to /usr/share/applications
+Subject: [PATCH] gui: Install .desktop files to /usr/share/applications by
- by default
+ default
 
 /usr/share/applications is a standard directory for .desktop files.
 Installation path can be changed using DESKTOPDIR variable in installation

SOURCES/0003-sandbox-add-reset-to-Xephyr-as-it-works-better-with-.patch

@@ -1,8 +1,8 @@
 From 52e0583f6adfe70825b009b626e19c290b49763a Mon Sep 17 00:00:00 2001
 From: Petr Lautrbach <plautrba@redhat.com>
 Date: Thu, 20 Aug 2015 12:58:41 +0200
-Subject: [PATCH 03/20] sandbox: add -reset to Xephyr as it works better with
+Subject: [PATCH] sandbox: add -reset to Xephyr as it works better with it in
- it in recent Fedoras
+ recent Fedoras
 
 ---
  sandbox/sandboxX.sh | 2 +-

SOURCES/0004-Fix-STANDARD_FILE_CONTEXT-section-in-man-pages.patch

@@ -1,7 +1,7 @@
 From 7504614fdd7dcf11b3a7568ca9b4b921973531dd Mon Sep 17 00:00:00 2001
 From: Dan Walsh <dwalsh@redhat.com>
 Date: Mon, 21 Apr 2014 13:54:40 -0400
-Subject: [PATCH 04/20] Fix STANDARD_FILE_CONTEXT section in man pages
+Subject: [PATCH] Fix STANDARD_FILE_CONTEXT section in man pages
 
 Signed-off-by: Miroslav Grepl <mgrepl@redhat.com>
 ---

SOURCES/0005-If-there-is-no-executable-we-don-t-want-to-print-a-p.patch

@@ -1,8 +1,8 @@
 From 9847a26b7f8358432ee4c7019efb3cbad0c162b0 Mon Sep 17 00:00:00 2001
 From: Miroslav Grepl <mgrepl@redhat.com>
 Date: Mon, 12 May 2014 14:11:22 +0200
-Subject: [PATCH 05/20] If there is no executable we don't want to print a part
+Subject: [PATCH] If there is no executable we don't want to print a part of
- of STANDARD FILE CONTEXT
+ STANDARD FILE CONTEXT
 
 ---
  python/sepolicy/sepolicy/manpage.py | 3 ++-

SOURCES/0006-Simplication-of-sepolicy-manpage-web-functionality.-.patch

@@ -1,7 +1,7 @@
 From b2993d464e05291020dbf60fc2948ac152eb0003 Mon Sep 17 00:00:00 2001
 From: Miroslav Grepl <mgrepl@redhat.com>
 Date: Thu, 19 Feb 2015 17:45:15 +0100
-Subject: [PATCH 06/20] Simplication of sepolicy-manpage web functionality.
+Subject: [PATCH] Simplication of sepolicy-manpage web functionality.
  system_release is no longer hardcoded and it creates only index.html and html
  man pages in the directory for the system release.
 

SOURCES/0007-We-want-to-remove-the-trailing-newline-for-etc-syste.patch

@@ -1,7 +1,7 @@
 From bfcb599d9424ef6ffcd250931c89675b451edd00 Mon Sep 17 00:00:00 2001
 From: Miroslav Grepl <mgrepl@redhat.com>
 Date: Fri, 20 Feb 2015 16:42:01 +0100
-Subject: [PATCH 07/20] We want to remove the trailing newline for
+Subject: [PATCH] We want to remove the trailing newline for
  /etc/system_release.
 
 ---

SOURCES/0008-Fix-title-in-manpage.py-to-not-contain-online.patch

@@ -1,7 +1,7 @@
 From 4ea504acce6389c3e28134c4b8e6bf9072c295ce Mon Sep 17 00:00:00 2001
 From: Miroslav Grepl <mgrepl@redhat.com>
 Date: Fri, 20 Feb 2015 16:42:53 +0100
-Subject: [PATCH 08/20] Fix title in manpage.py to not contain 'online'.
+Subject: [PATCH] Fix title in manpage.py to not contain 'online'.
 
 ---
  python/sepolicy/sepolicy/manpage.py | 2 +-

SOURCES/0009-Don-t-be-verbose-if-you-are-not-on-a-tty.patch

@@ -1,7 +1,7 @@
 From 8af697659bd662517571577bf47946a2113f34a1 Mon Sep 17 00:00:00 2001
 From: Dan Walsh <dwalsh@redhat.com>
 Date: Fri, 14 Feb 2014 12:32:12 -0500
-Subject: [PATCH 09/20] Don't be verbose if you are not on a tty
+Subject: [PATCH] Don't be verbose if you are not on a tty
 
 ---
  policycoreutils/scripts/fixfiles | 1 +

SOURCES/0010-sepolicy-Drop-old-interface-file_type_is_executable-.patch

@@ -1,8 +1,8 @@
 From ef0f54ffc6d691d10e66a0793204edd159cd45d0 Mon Sep 17 00:00:00 2001
 From: Petr Lautrbach <plautrba@redhat.com>
 Date: Mon, 27 Feb 2017 17:12:39 +0100
-Subject: [PATCH 10/20] sepolicy: Drop old interface file_type_is_executable(f)
+Subject: [PATCH] sepolicy: Drop old interface file_type_is_executable(f) and
- and file_type_is_entrypoint(f)
+ file_type_is_entrypoint(f)
 
 - use direct queries
 - load exec_types and entry_types only once

SOURCES/0011-sepolicy-Another-small-optimization-for-mcs-types.patch

@@ -1,7 +1,7 @@
 From e54db76a3bff8e911ddd7c7ce834c024d634d9e1 Mon Sep 17 00:00:00 2001
 From: Petr Lautrbach <plautrba@redhat.com>
 Date: Tue, 28 Feb 2017 21:29:46 +0100
-Subject: [PATCH 11/20] sepolicy: Another small optimization for mcs types
+Subject: [PATCH] sepolicy: Another small optimization for mcs types
 
 ---
  python/sepolicy/sepolicy/manpage.py | 16 +++++++++++-----

SOURCES/0012-Move-po-translation-files-into-the-right-sub-directo.patch

@@ -1,8 +1,7 @@
 From 4015e9299bfda622e9d407cdbcc536000688aa8f Mon Sep 17 00:00:00 2001
 From: Petr Lautrbach <plautrba@redhat.com>
 Date: Mon, 6 Aug 2018 13:23:00 +0200
-Subject: [PATCH 12/20] Move po/ translation files into the right
+Subject: [PATCH] Move po/ translation files into the right sub-directories
- sub-directories
 
 When policycoreutils was split into policycoreutils/ python/ gui/ and sandbox/
 sub-directories, po/ translation files stayed in policycoreutils/.

SOURCES/0013-Use-correct-gettext-domains-in-python-gui-sandbox.patch

@@ -1,7 +1,7 @@
 From 57cd23e11e1a700802a5955e84a0a7e04c30ec73 Mon Sep 17 00:00:00 2001
 From: Petr Lautrbach <plautrba@redhat.com>
 Date: Mon, 6 Aug 2018 13:37:07 +0200
-Subject: [PATCH 13/20] Use correct gettext domains in python/ gui/ sandbox/
+Subject: [PATCH] Use correct gettext domains in python/ gui/ sandbox/
 
 https://github.com/fedora-selinux/selinux/issues/43
 ---

SOURCES/0014-Initial-.pot-files-for-gui-python-sandbox.patch

@@ -1,7 +1,7 @@
 From c8c59758d2fb7f6cbe368c9ff8f356ea7acebb4b Mon Sep 17 00:00:00 2001
 From: Petr Lautrbach <plautrba@redhat.com>
 Date: Mon, 6 Aug 2018 14:23:19 +0200
-Subject: [PATCH 14/20] Initial .pot files for gui/ python/ sandbox/
+Subject: [PATCH] Initial .pot files for gui/ python/ sandbox/
 
 https://github.com/fedora-selinux/selinux/issues/43
 ---

SOURCES/0016-policycoreutils-setfiles-Improve-description-of-d-sw.patch

@@ -1,8 +1,7 @@
 From c8fbb8042852c18775c001999ce949e9b591e381 Mon Sep 17 00:00:00 2001
 From: Vit Mojzis <vmojzis@redhat.com>
 Date: Wed, 21 Mar 2018 08:51:31 +0100
-Subject: [PATCH 16/20] policycoreutils/setfiles: Improve description of -d
+Subject: [PATCH] policycoreutils/setfiles: Improve description of -d switch
- switch
 
 The "-q" switch is becoming obsolete (completely unused in fedora) and
 debug output ("-d" switch) makes sense in any scenario. Therefore both

SOURCES/0017-sepolicy-generate-Handle-more-reserved-port-types.patch

@@ -1,7 +1,7 @@
 From 3073efc112929b535f3a832c6f99e0dbe3af29ca Mon Sep 17 00:00:00 2001
 From: Masatake YAMATO <yamato@redhat.com>
 Date: Thu, 14 Dec 2017 15:57:58 +0900
-Subject: [PATCH 17/20] sepolicy-generate: Handle more reserved port types
+Subject: [PATCH] sepolicy-generate: Handle more reserved port types
 
 Currently only reserved_port_t, port_t and hi_reserved_port_t are
 handled as special when making a ports-dictionary.  However, as fas as

SOURCES/0018-semodule-utils-Fix-RESOURCE_LEAK-coverity-scan-defec.patch

@@ -1,7 +1,7 @@
 From f8602180d042e95947fe0bbd35d261771b347705 Mon Sep 17 00:00:00 2001
 From: Petr Lautrbach <plautrba@redhat.com>
 Date: Thu, 8 Nov 2018 09:20:58 +0100
-Subject: [PATCH 18/20] semodule-utils: Fix RESOURCE_LEAK coverity scan defects
+Subject: [PATCH] semodule-utils: Fix RESOURCE_LEAK coverity scan defects
 
 ---
  semodule-utils/semodule_package/semodule_package.c | 1 +

SOURCES/0019-sandbox-Use-matchbox-window-manager-instead-of-openb.patch

@@ -1,7 +1,7 @@
 From 89895635ae012d1864a03700054ecc723973b5c0 Mon Sep 17 00:00:00 2001
 From: Petr Lautrbach <plautrba@redhat.com>
 Date: Wed, 18 Jul 2018 09:09:35 +0200
-Subject: [PATCH 19/20] sandbox: Use matchbox-window-manager instead of openbox
+Subject: [PATCH] sandbox: Use matchbox-window-manager instead of openbox
 
 ---
  sandbox/sandbox     |  4 ++--

SOURCES/0020-python-Use-ipaddress-instead-of-IPy.patch

@@ -1,7 +1,7 @@
 From b2512e2a92a33360639a3459039cdf2e685655a8 Mon Sep 17 00:00:00 2001
 From: Petr Lautrbach <plautrba@redhat.com>
 Date: Mon, 3 Dec 2018 14:40:09 +0100
-Subject: [PATCH 20/20] python: Use ipaddress instead of IPy
+Subject: [PATCH] python: Use ipaddress instead of IPy
 
 ipaddress module was added in python 3.3 and this allows us to drop python3-IPy
 ---

SOURCES/0021-python-semanage-Do-not-traceback-when-the-default-po.patch

@@ -1,4 +1,4 @@
-From 6051f6a56d0ad63fc8aa7c806d43b0594652a0b9 Mon Sep 17 00:00:00 2001
+From 5938d18536f4c0a76521d1f0721e981e6570b012 Mon Sep 17 00:00:00 2001
 From: Petr Lautrbach <plautrba@redhat.com>
 Date: Thu, 4 Apr 2019 23:02:56 +0200
 Subject: [PATCH] python/semanage: Do not traceback when the default policy is

SOURCES/0022-policycoreutils-fixfiles-Fix-B-F-onboot.patch

@@ -1,7 +1,7 @@
 From 99582e3bf63475b7af5793bb9230e88d847dc7c8 Mon Sep 17 00:00:00 2001
 From: Petr Lautrbach <plautrba@redhat.com>
 Date: Tue, 2 Jul 2019 17:11:32 +0200
-Subject: [PATCH 22/23] policycoreutils/fixfiles: Fix [-B] [-F] onboot
+Subject: [PATCH] policycoreutils/fixfiles: Fix [-B] [-F] onboot
 
 Commit 6e289bb7bf3d ("policycoreutils: fixfiles: remove bad modes of "relabel"
 command") added "$RESTORE_MODE" != DEFAULT test when onboot is used. It makes
@@ -104,5 +104,5 @@ index 53d28c7b..9dd44213 100755
  	N)
  		BOOTTIME=$OPTARG
 -- 
-2.22.0
+2.21.0
 

SOURCES/0023-policycoreutils-fixfiles-Force-full-relabel-when-SEL.patch

@@ -1,8 +1,8 @@
 From 9bcf8ad7b9b6d8d761f7d097196b2b9bc114fa0a Mon Sep 17 00:00:00 2001
 From: Petr Lautrbach <plautrba@redhat.com>
 Date: Tue, 2 Jul 2019 17:12:07 +0200
-Subject: [PATCH 23/23] policycoreutils/fixfiles: Force full relabel when
+Subject: [PATCH] policycoreutils/fixfiles: Force full relabel when SELinux is
- SELinux is disabled
+ disabled
 
 The previous check used getfilecon to check whether / slash contains a label,
 but getfilecon fails only when SELinux is disabled. Therefore it's better to
@@ -29,5 +29,5 @@ index 9dd44213..a9d27d13 100755
  	;;
      *)
 -- 
-2.22.0
+2.21.0
 

SOURCES/0024-policycoreutils-fixfiles-Fix-unbound-variable-proble.patch

@@ -28,5 +28,5 @@ index a9d27d13..df0042aa 100755
  	return
  fi
 -- 
-2.17.2
+2.21.0
 

SOURCES/0025-gui-Fix-remove-module-in-system-config-selinux.patch

@@ -0,0 +1,38 @@
+From f6c67c02f25d3a8971dcc5667121236fab85dd65 Mon Sep 17 00:00:00 2001
+From: Petr Lautrbach <plautrba@redhat.com>
+Date: Thu, 29 Aug 2019 08:58:20 +0200
+Subject: [PATCH] gui: Fix remove module in system-config-selinux
+
+When a user tried to remove a policy module with priority other than 400 via
+GUI, it failed with a message:
+
+libsemanage.semanage_direct_remove_key: Unable to remove module somemodule at priority 400. (No such file or directory).
+
+This is fixed by calling "semodule -x PRIORITY -r NAME" instead of
+"semodule -r NAME".
+
+From Jono Hein <fredwacko40@hotmail.com>
+Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
+---
+ gui/modulesPage.py | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/gui/modulesPage.py b/gui/modulesPage.py
+index 26ac5404..35a0129b 100644
+--- a/gui/modulesPage.py
++++ b/gui/modulesPage.py
+@@ -125,9 +125,10 @@ class modulesPage(semanagePage):
+     def delete(self):
+         store, iter = self.view.get_selection().get_selected()
+         module = store.get_value(iter, 0)
++        priority = store.get_value(iter, 1)
+         try:
+             self.wait()
+-            status, output = getstatusoutput("semodule -r %s" % module)
++            status, output = getstatusoutput("semodule -X %s -r %s" % (priority, module))
+             self.ready()
+             if status != 0:
+                 self.error(output)
+-- 
+2.21.0
+

SOURCES/0026-python-semanage-Do-not-use-default-s0-range-in-seman.patch

@@ -0,0 +1,30 @@
+From c2e942fc452bff06cc5ed9017afe169c6941f4e4 Mon Sep 17 00:00:00 2001
+From: Petr Lautrbach <plautrba@redhat.com>
+Date: Tue, 3 Sep 2019 15:17:27 +0200
+Subject: [PATCH] python/semanage: Do not use default s0 range in "semanage
+ login -a"
+
+Using the "s0" default means that new login mappings are always added with "s0"
+range instead of the range of SELinux user.
+
+Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
+---
+ python/semanage/semanage | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/python/semanage/semanage b/python/semanage/semanage
+index 4c766ae3..fa78afce 100644
+--- a/python/semanage/semanage
++++ b/python/semanage/semanage
+@@ -221,7 +221,7 @@ def parser_add_level(parser, name):
+ 
+ 
+ def parser_add_range(parser, name):
+-    parser.add_argument('-r', '--range', default="s0",
++    parser.add_argument('-r', '--range', default='',
+                         help=_('''
+ MLS/MCS Security Range (MLS/MCS Systems only)
+ SELinux Range  for SELinux login mapping
+-- 
+2.21.0
+

SOURCES/0027-policycoreutils-fixfiles-Fix-verify-option.patch

@@ -0,0 +1,33 @@
+From 4733a594c5df14f64293d19f16498e68dc5e3a98 Mon Sep 17 00:00:00 2001
+From: Vit Mojzis <vmojzis@redhat.com>
+Date: Tue, 24 Sep 2019 08:41:30 +0200
+Subject: [PATCH] policycoreutils/fixfiles: Fix "verify" option
+
+"restorecon -n" (used in the "restore" function) has to be used with
+"-v" to display the files whose labels would be changed.
+
+Fixes:
+   Fixfiles verify does not report misslabelled files unless "-v" option is
+   used.
+
+Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
+---
+ policycoreutils/scripts/fixfiles | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/policycoreutils/scripts/fixfiles b/policycoreutils/scripts/fixfiles
+index df0042aa..be19e56c 100755
+--- a/policycoreutils/scripts/fixfiles
++++ b/policycoreutils/scripts/fixfiles
+@@ -304,7 +304,7 @@ process() {
+ case "$1" in
+     restore) restore Relabel;;
+     check) VERBOSE="-v"; restore Check -n;;
+-    verify) restore Verify -n;;
++    verify) VERBOSE="-v"; restore Verify -n;;
+     relabel) relabel;;
+     onboot)
+ 	if [ -n "$RESTORE_MODE" -a "$RESTORE_MODE" != DEFAULT ]; then
+-- 
+2.21.0
+

SOURCES/0028-python-semanage-Improve-handling-of-permissive-state.patch

@@ -0,0 +1,102 @@
+From 0803fcb2c014b2cedf8f4d92b80fc382916477ee Mon Sep 17 00:00:00 2001
+From: Vit Mojzis <vmojzis@redhat.com>
+Date: Fri, 27 Sep 2019 16:13:47 +0200
+Subject: [PATCH] python/semanage: Improve handling of "permissive" statements
+
+- Add "customized" method to permissiveRecords which is than used for
+  "semanage permissive --extract" and "semanage export"
+- Enable "semanage permissive --deleteall" (already implemented)
+- Add "permissive" to the list of modules exported using
+  "semanage export"
+- Update "semanage permissive" man page
+
+Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
+---
+ python/semanage/semanage              | 11 ++++++++---
+ python/semanage/semanage-permissive.8 |  8 +++++++-
+ python/semanage/seobject.py           |  3 +++
+ 3 files changed, 18 insertions(+), 4 deletions(-)
+
+diff --git a/python/semanage/semanage b/python/semanage/semanage
+index fa78afce..b2bd9df9 100644
+--- a/python/semanage/semanage
++++ b/python/semanage/semanage
+@@ -722,6 +722,11 @@ def handlePermissive(args):
+ 
+     if args.action == "list":
+         OBJECT.list(args.noheading)
++    elif args.action == "deleteall":
++        OBJECT.deleteall()
++    elif args.action == "extract":
++        for i in OBJECT.customized():
++            print("permissive %s" % str(i))
+     elif args.type is not None:
+         if args.action == "add":
+             OBJECT.add(args.type)
+@@ -737,9 +742,9 @@ def setupPermissiveParser(subparsers):
+     pgroup = permissiveParser.add_mutually_exclusive_group(required=True)
+     parser_add_add(pgroup, "permissive")
+     parser_add_delete(pgroup, "permissive")
++    parser_add_deleteall(pgroup, "permissive")
++    parser_add_extract(pgroup, "permissive")
+     parser_add_list(pgroup, "permissive")
+-    #TODO: probably should be also added => need to implement own option handling
+-    #parser_add_deleteall(pgroup)
+ 
+     parser_add_noheading(permissiveParser, "permissive")
+     parser_add_noreload(permissiveParser, "permissive")
+@@ -763,7 +768,7 @@ def setupDontauditParser(subparsers):
+ 
+ 
+ def handleExport(args):
+-    manageditems = ["boolean", "login", "interface", "user", "port", "node", "fcontext", "module", "ibendport", "ibpkey"]
++    manageditems = ["boolean", "login", "interface", "user", "port", "node", "fcontext", "module", "ibendport", "ibpkey", "permissive"]
+     for i in manageditems:
+         print("%s -D" % i)
+     for i in manageditems:
+diff --git a/python/semanage/semanage-permissive.8 b/python/semanage/semanage-permissive.8
+index 1999a451..5c3364fa 100644
+--- a/python/semanage/semanage-permissive.8
++++ b/python/semanage/semanage-permissive.8
+@@ -2,7 +2,7 @@
+ .SH "NAME"
+ .B semanage\-permissive \- SELinux Policy Management permissive mapping tool
+ .SH "SYNOPSIS"
+-.B semanage permissive [\-h] (\-a | \-d | \-l) [\-n] [\-N] [\-S STORE] [type]
++.B semanage permissive [\-h] [\-n] [\-N] [\-S STORE] (\-\-add TYPE | \-\-delete TYPE | \-\-deleteall | \-\-extract | \-\-list)
+ 
+ .SH "DESCRIPTION"
+ semanage is used to configure certain elements of SELinux policy without requiring modification to or recompilation from policy sources.  semanage permissive adds or removes a SELinux Policy permissive module.
+@@ -18,9 +18,15 @@ Add a record of the specified object type
+ .I   \-d, \-\-delete
+ Delete a record of the specified object type
+ .TP
++.I   \-D, \-\-deleteall
++Remove all local customizations of permissive domains
++.TP
+ .I   \-l, \-\-list
+ List records of the specified object type
+ .TP
++.I   \-E, \-\-extract
++Extract customizable commands, for use within a transaction
++.TP
+ .I   \-n, \-\-noheading
+ Do not print heading when listing the specified object type
+ .TP
+diff --git a/python/semanage/seobject.py b/python/semanage/seobject.py
+index 58497e3b..3959abc8 100644
+--- a/python/semanage/seobject.py
++++ b/python/semanage/seobject.py
+@@ -478,6 +478,9 @@ class permissiveRecords(semanageRecords):
+                 l.append(name.split("permissive_")[1])
+         return l
+ 
++    def customized(self):
++        return ["-a %s" % x for x in sorted(self.get_all())]
++
+     def list(self, heading=1, locallist=0):
+         all = [y["name"] for y in [x for x in sepolicy.info(sepolicy.TYPE) if x["permissive"]]]
+         if len(all) == 0:
+-- 
+2.21.0
+

SOURCES/0029-python-semanage-fix-moduleRecords.customized.patch

@@ -0,0 +1,41 @@
+From 7cc31c4799dd94ed516a39d853744bd1ffb6dc69 Mon Sep 17 00:00:00 2001
+From: Vit Mojzis <vmojzis@redhat.com>
+Date: Mon, 30 Sep 2019 09:49:04 +0200
+Subject: [PATCH] python/semanage: fix moduleRecords.customized()
+
+Return value of "customized" has to be iterable.
+
+Fixes:
+   "semanage export" with no modules in the system (eg. monolithic policy)
+   crashes:
+
+   Traceback (most recent call last):
+     File "/usr/sbin/semanage", line 970, in <module>
+       do_parser()
+     File "/usr/sbin/semanage", line 949, in do_parser
+       args.func(args)
+     File "/usr/sbin/semanage", line 771, in handleExport
+       for c in OBJECT.customized():
+   TypeError: 'NoneType' object is not iterable
+
+Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
+---
+ python/semanage/seobject.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/python/semanage/seobject.py b/python/semanage/seobject.py
+index 3959abc8..16edacaa 100644
+--- a/python/semanage/seobject.py
++++ b/python/semanage/seobject.py
+@@ -380,7 +380,7 @@ class moduleRecords(semanageRecords):
+     def customized(self):
+         all = self.get_all()
+         if len(all) == 0:
+-            return
++            return []
+         return ["-d %s" % x[0] for x in [t for t in all if t[1] == 0]]
+ 
+     def list(self, heading=1, locallist=0):
+-- 
+2.21.0
+

SOURCES/0030-python-semanage-Add-support-for-DCCP-and-SCTP-protoc.patch

@@ -0,0 +1,45 @@
+From 7cbfcec89a6972f9c700687ed3cef25ff0846461 Mon Sep 17 00:00:00 2001
+From: Vit Mojzis <vmojzis@redhat.com>
+Date: Tue, 8 Oct 2019 14:22:13 +0200
+Subject: [PATCH] python/semanage: Add support for DCCP and SCTP protocols
+
+Fixes:
+   # semanage port -a -p sctp -t port_t 1234
+   ValueError: Protocol udp or tcp is required
+   # semanage port -d -p sctp -t port_t 1234
+   ValueError: Protocol udp or tcp is required
+
+Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
+---
+ python/semanage/seobject.py | 14 ++++++++------
+ 1 file changed, 8 insertions(+), 6 deletions(-)
+
+diff --git a/python/semanage/seobject.py b/python/semanage/seobject.py
+index 16edacaa..70ebfd08 100644
+--- a/python/semanage/seobject.py
++++ b/python/semanage/seobject.py
+@@ -1058,13 +1058,15 @@ class portRecords(semanageRecords):
+             pass
+ 
+     def __genkey(self, port, proto):
+-        if proto == "tcp":
+-            proto_d = SEMANAGE_PROTO_TCP
++        protocols = {"tcp": SEMANAGE_PROTO_TCP,
++                     "udp": SEMANAGE_PROTO_UDP,
++                     "sctp": SEMANAGE_PROTO_SCTP,
++                     "dccp": SEMANAGE_PROTO_DCCP}
++
++        if proto in protocols.keys():
++            proto_d = protocols[proto]
+         else:
+-            if proto == "udp":
+-                proto_d = SEMANAGE_PROTO_UDP
+-            else:
+-                raise ValueError(_("Protocol udp or tcp is required"))
++            raise ValueError(_("Protocol has to be one of udp, tcp, dccp or sctp"))
+         if port == "":
+             raise ValueError(_("Port is required"))
+ 
+-- 
+2.21.0
+

SOURCES/0031-dbus-Fix-FileNotFoundError-in-org.selinux.relabel_on.patch

@@ -0,0 +1,40 @@
+From 6e5ccf2dd3329b400b70b7806b9c6128c5c50995 Mon Sep 17 00:00:00 2001
+From: Petr Lautrbach <plautrba@redhat.com>
+Date: Fri, 15 Nov 2019 09:15:49 +0100
+Subject: [PATCH] dbus: Fix FileNotFoundError in org.selinux.relabel_on_boot
+
+When org.selinux.relabel_on_boot(0) was called twice, it failed with
+FileNotFoundError.
+
+Fixes:
+    $ dbus-send --system --print-reply --dest=org.selinux /org/selinux/object org.selinux.relabel_on_boot int64:1
+    method return sender=:1.53 -> dest=:1.54 reply_serial=2
+    $ dbus-send --system --print-reply --dest=org.selinux /org/selinux/object org.selinux.relabel_on_boot int64:0
+    method return sender=:1.53 -> dest=:1.55 reply_serial=2
+    $ dbus-send --system --print-reply --dest=org.selinux /org/selinux/object org.selinux.relabel_on_boot int64:0
+    Error org.freedesktop.DBus.Python.FileNotFoundError: FileNotFoundError: [Errno 2] No such file or directory: '/.autorelabel'
+
+Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
+---
+ dbus/selinux_server.py | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/dbus/selinux_server.py b/dbus/selinux_server.py
+index b9debc071485..be4f4557a9fa 100644
+--- a/dbus/selinux_server.py
++++ b/dbus/selinux_server.py
+@@ -85,7 +85,10 @@ class selinux_server(slip.dbus.service.Object):
+             fd = open("/.autorelabel", "w")
+             fd.close()
+         else:
+-            os.unlink("/.autorelabel")
++            try:
++                os.unlink("/.autorelabel")
++            except FileNotFoundError:
++                pass
+ 
+     def write_selinux_config(self, enforcing=None, policy=None):
+         path = selinux.selinux_path() + "config"
+-- 
+2.23.0
+

SOURCES/0032-restorecond-Fix-redundant-console-log-output-error.patch

@@ -0,0 +1,200 @@
+From 76371721bafed56efcb7a83b3fa3285383ede5b7 Mon Sep 17 00:00:00 2001
+From: Baichuan Kong <kongbaichuan@huawei.com>
+Date: Thu, 14 Nov 2019 10:48:07 +0800
+Subject: [PATCH] restorecond: Fix redundant console log output error
+
+When starting restorecond without any option the following redundant
+console log is outputed:
+
+/dev/log 100.0%
+/var/volatile/run/syslogd.pid 100.0%
+...
+
+This is caused by two global variables of same name r_opts. When
+executes r_opts = opts in restore_init(), it originally intends
+to assign the address of struct r_opts in "restorecond.c" to the
+pointer *r_opts in "restore.c".
+
+However, the address is assigned to the struct r_opts and covers
+the value of low eight bytes in it. That causes unexpected value
+of member varibale 'nochange' and 'verbose' in struct r_opts, thus
+affects value of 'restorecon_flags' and executes unexpected operations
+when restorecon the files such as the redundant console log output or
+file label nochange.
+
+Cause restorecond/restore.c is copied from policycoreutils/setfiles,
+which share the same pattern. It also has potential risk to generate
+same problems, So fix it in case.
+
+Signed-off-by: Baichuan Kong <kongbaichuan@huawei.com>
+
+(cherry-picked from SElinuxProject
+commit ad2208ec220f55877a4d31084be2b4d6413ee082)
+
+Resolves: rhbz#1626468
+---
+ policycoreutils/setfiles/restore.c | 42 ++++++++++++++----------------
+ restorecond/restore.c              | 40 +++++++++++++---------------
+ 2 files changed, 37 insertions(+), 45 deletions(-)
+
+diff --git a/policycoreutils/setfiles/restore.c b/policycoreutils/setfiles/restore.c
+index 9dea5656..d3335d1a 100644
+--- a/policycoreutils/setfiles/restore.c
++++ b/policycoreutils/setfiles/restore.c
+@@ -17,40 +17,37 @@
+ char **exclude_list;
+ int exclude_count;
+ 
+-struct restore_opts *r_opts;
+-
+ void restore_init(struct restore_opts *opts)
+ {
+ 	int rc;
+ 
+-	r_opts = opts;
+ 	struct selinux_opt selinux_opts[] = {
+-		{ SELABEL_OPT_VALIDATE, r_opts->selabel_opt_validate },
+-		{ SELABEL_OPT_PATH, r_opts->selabel_opt_path },
+-		{ SELABEL_OPT_DIGEST, r_opts->selabel_opt_digest }
++		{ SELABEL_OPT_VALIDATE, opts->selabel_opt_validate },
++		{ SELABEL_OPT_PATH, opts->selabel_opt_path },
++		{ SELABEL_OPT_DIGEST, opts->selabel_opt_digest }
+ 	};
+ 
+-	r_opts->hnd = selabel_open(SELABEL_CTX_FILE, selinux_opts, 3);
+-	if (!r_opts->hnd) {
+-		perror(r_opts->selabel_opt_path);
++	opts->hnd = selabel_open(SELABEL_CTX_FILE, selinux_opts, 3);
++	if (!opts->hnd) {
++		perror(opts->selabel_opt_path);
+ 		exit(1);
+ 	}
+ 
+-	r_opts->restorecon_flags = 0;
+-	r_opts->restorecon_flags = r_opts->nochange | r_opts->verbose |
+-			   r_opts->progress | r_opts->set_specctx  |
+-			   r_opts->add_assoc | r_opts->ignore_digest |
+-			   r_opts->recurse | r_opts->userealpath |
+-			   r_opts->xdev | r_opts->abort_on_error |
+-			   r_opts->syslog_changes | r_opts->log_matches |
+-			   r_opts->ignore_noent | r_opts->ignore_mounts |
+-			   r_opts->mass_relabel;
++	opts->restorecon_flags = 0;
++	opts->restorecon_flags = opts->nochange | opts->verbose |
++			   opts->progress | opts->set_specctx  |
++			   opts->add_assoc | opts->ignore_digest |
++			   opts->recurse | opts->userealpath |
++			   opts->xdev | opts->abort_on_error |
++			   opts->syslog_changes | opts->log_matches |
++			   opts->ignore_noent | opts->ignore_mounts |
++			   opts->mass_relabel;
+ 
+ 	/* Use setfiles, restorecon and restorecond own handles */
+-	selinux_restorecon_set_sehandle(r_opts->hnd);
++	selinux_restorecon_set_sehandle(opts->hnd);
+ 
+-	if (r_opts->rootpath) {
+-		rc = selinux_restorecon_set_alt_rootpath(r_opts->rootpath);
++	if (opts->rootpath) {
++		rc = selinux_restorecon_set_alt_rootpath(opts->rootpath);
+ 		if (rc) {
+ 			fprintf(stderr,
+ 				"selinux_restorecon_set_alt_rootpath error: %s.\n",
+@@ -81,7 +78,6 @@ int process_glob(char *name, struct restore_opts *opts)
+ 	size_t i = 0;
+ 	int len, rc, errors;
+ 
+-	r_opts = opts;
+ 	memset(&globbuf, 0, sizeof(globbuf));
+ 
+ 	errors = glob(name, GLOB_TILDE | GLOB_PERIOD |
+@@ -96,7 +92,7 @@ int process_glob(char *name, struct restore_opts *opts)
+ 		if (len > 0 && strcmp(&globbuf.gl_pathv[i][len], "/..") == 0)
+ 			continue;
+ 		rc = selinux_restorecon(globbuf.gl_pathv[i],
+-					r_opts->restorecon_flags);
++					opts->restorecon_flags);
+ 		if (rc < 0)
+ 			errors = rc;
+ 	}
+diff --git a/restorecond/restore.c b/restorecond/restore.c
+index f6e30001..b93b5fdb 100644
+--- a/restorecond/restore.c
++++ b/restorecond/restore.c
+@@ -12,39 +12,36 @@
+ char **exclude_list;
+ int exclude_count;
+ 
+-struct restore_opts *r_opts;
+-
+ void restore_init(struct restore_opts *opts)
+ {
+ 	int rc;
+ 
+-	r_opts = opts;
+ 	struct selinux_opt selinux_opts[] = {
+-		{ SELABEL_OPT_VALIDATE, r_opts->selabel_opt_validate },
+-		{ SELABEL_OPT_PATH, r_opts->selabel_opt_path },
+-		{ SELABEL_OPT_DIGEST, r_opts->selabel_opt_digest }
++		{ SELABEL_OPT_VALIDATE, opts->selabel_opt_validate },
++		{ SELABEL_OPT_PATH, opts->selabel_opt_path },
++		{ SELABEL_OPT_DIGEST, opts->selabel_opt_digest }
+ 	};
+ 
+-	r_opts->hnd = selabel_open(SELABEL_CTX_FILE, selinux_opts, 3);
+-	if (!r_opts->hnd) {
+-		perror(r_opts->selabel_opt_path);
++	opts->hnd = selabel_open(SELABEL_CTX_FILE, selinux_opts, 3);
++	if (!opts->hnd) {
++		perror(opts->selabel_opt_path);
+ 		exit(1);
+ 	}
+ 
+-	r_opts->restorecon_flags = 0;
+-	r_opts->restorecon_flags = r_opts->nochange | r_opts->verbose |
+-			   r_opts->progress | r_opts->set_specctx  |
+-			   r_opts->add_assoc | r_opts->ignore_digest |
+-			   r_opts->recurse | r_opts->userealpath |
+-			   r_opts->xdev | r_opts->abort_on_error |
+-			   r_opts->syslog_changes | r_opts->log_matches |
+-			   r_opts->ignore_noent | r_opts->ignore_mounts;
++	opts->restorecon_flags = 0;
++	opts->restorecon_flags = opts->nochange | opts->verbose |
++			   opts->progress | opts->set_specctx  |
++			   opts->add_assoc | opts->ignore_digest |
++			   opts->recurse | opts->userealpath |
++			   opts->xdev | opts->abort_on_error |
++			   opts->syslog_changes | opts->log_matches |
++			   opts->ignore_noent | opts->ignore_mounts;
+ 
+ 	/* Use setfiles, restorecon and restorecond own handles */
+-	selinux_restorecon_set_sehandle(r_opts->hnd);
++	selinux_restorecon_set_sehandle(opts->hnd);
+ 
+-	if (r_opts->rootpath) {
+-		rc = selinux_restorecon_set_alt_rootpath(r_opts->rootpath);
++	if (opts->rootpath) {
++		rc = selinux_restorecon_set_alt_rootpath(opts->rootpath);
+ 		if (rc) {
+ 			fprintf(stderr,
+ 				"selinux_restorecon_set_alt_rootpath error: %s.\n",
+@@ -75,7 +72,6 @@ int process_glob(char *name, struct restore_opts *opts)
+ 	size_t i = 0;
+ 	int len, rc, errors;
+ 
+-	r_opts = opts;
+ 	memset(&globbuf, 0, sizeof(globbuf));
+ 
+ 	errors = glob(name, GLOB_TILDE | GLOB_PERIOD |
+@@ -90,7 +86,7 @@ int process_glob(char *name, struct restore_opts *opts)
+ 		if (len > 0 && strcmp(&globbuf.gl_pathv[i][len], "/..") == 0)
+ 			continue;
+ 		rc = selinux_restorecon(globbuf.gl_pathv[i],
+-					r_opts->restorecon_flags);
++					opts->restorecon_flags);
+ 		if (rc < 0)
+ 			errors = rc;
+ 	}
+-- 
+2.21.0
+

SPECS/policycoreutils.spec

@@ -1,6 +1,6 @@
 %global libauditver     3.0
 %global libsepolver     2.9-1
-%global libsemanagever  2.9-1
+%global libsemanagever  2.9-2
 %global libselinuxver   2.9-1
 %global sepolgenver     2.9
 
@@ -12,7 +12,7 @@
 Summary: SELinux policy core utilities
 Name:    policycoreutils
 Version: 2.9
-Release: 3%{?dist}.1
+Release: 9%{?dist}
 License: GPLv2
 # https://github.com/SELinuxProject/selinux/wiki/Releases
 Source0: https://github.com/SELinuxProject/selinux/releases/download/20190315/policycoreutils-2.9.tar.gz
@@ -62,6 +62,14 @@ Patch0021: 0021-python-semanage-Do-not-traceback-when-the-default-po.patch
 Patch0022: 0022-policycoreutils-fixfiles-Fix-B-F-onboot.patch
 Patch0023: 0023-policycoreutils-fixfiles-Force-full-relabel-when-SEL.patch
 Patch0024: 0024-policycoreutils-fixfiles-Fix-unbound-variable-proble.patch
+Patch0025: 0025-gui-Fix-remove-module-in-system-config-selinux.patch
+Patch0026: 0026-python-semanage-Do-not-use-default-s0-range-in-seman.patch
+Patch0027: 0027-policycoreutils-fixfiles-Fix-verify-option.patch
+Patch0028: 0028-python-semanage-Improve-handling-of-permissive-state.patch
+Patch0029: 0029-python-semanage-fix-moduleRecords.customized.patch
+Patch0030: 0030-python-semanage-Add-support-for-DCCP-and-SCTP-protoc.patch
+Patch0031: 0031-dbus-Fix-FileNotFoundError-in-org.selinux.relabel_on.patch
+Patch0032: 0032-restorecond-Fix-redundant-console-log-output-error.patch
 
 Obsoletes: policycoreutils < 2.0.61-2
 Conflicts: filesystem < 3, selinux-policy-base < 3.13.1-138
@@ -499,9 +507,28 @@ The policycoreutils-restorecond package contains the restorecond service.
 %systemd_postun_with_restart restorecond.service
 
 %changelog
-* Fri Nov 29 2019 Petr Lautrbach <plautrba@redhat.com> - 2.9-3.1
+* Fri Jan 17 2020 Vit Mojzis <vmojzis@redhat.com> - 2.9-9
+- Update translations (#1754978)
+
+* Thu Nov 21 2019 Vit Mojzis <vmojzis@redhat.com> - 2.9-8
+- restorecond: Fix redundant console log output error (#1626468)
+
+* Tue Nov 19 2019 Petr Lautrbach <plautrba@redhat.com> - 2.9-7
+- dbus: Fix FileNotFoundError in org.selinux.relabel_on_boot (#1754873)
+
+* Tue Nov 12 2019 Petr Lautrbach <plautrba@redhat.com> - 2.9-6
 - Configure autorelabel service to output to journal and to console if set (#1766578)
 
+* Wed Nov 06 2019 Vit Mojzis <vmojzis@redhat.com> - 2.9-5
+- fixfiles: Fix "verify" option (#1647532)
+- semanage: Improve handling of "permissive" statements (#1417455)
+- semanage: fix moduleRecords.customized()
+- semanage: Add support for DCCP and SCTP protocols (#1563742)
+
+* Wed Sep  4 2019 Petr Lautrbach <plautrba@redhat.com> - 2.9-4
+- semanage: Do not use default s0 range in "semanage login -a" (#1554360)
+- gui: Fix remove module in system-config-selinux (#1748763)
+
 * Thu Aug 22 2019 Vit Mojzis <vmojzis@redhat.com> - 2.9-3
 - fixfiles: Fix unbound variable problem (#1743213)