policycoreutils-2.6-5

- semanage: Unify argument handling (#1398987)
- setfiles: set up a logging callback for libselinux
- setfiles: Fix setfiles progress indicator
- setfiles: stdout messages don't need program prefix
- setfiles: don't scramble stdout and stderr together (#1435894)
- restorecond: Decrease loglevel of termination message (#1264505)
- fixfiles should handle path arguments more robustly
- fixfiles: handle unexpected spaces in command
- fixfiles: remove useless use of cat (#1435894)
- semanage: Add checks if a module name is passed in (#1420707)
- semanage: fix export of fcontext socket entries (#1435127)
- selinux-autorelabel: remove incorrect redirection to /dev/null (#1415674)
Petr Lautrbach 2017-04-06 15:38:16 +02:00
parent db14db8479
commit b185f8151d
2 changed files with 533 additions and 11 deletions


@ -42,10 +42,36 @@ index 1d262a9..064001b 100644
except ValueError as e: except ValueError as e:
self.error(e.message) self.error(e.message)
return True return True
diff --git policycoreutils-2.6/gui/portsPage.py policycoreutils-2.6/gui/portsPage.py
index b6445db..ed9d51b 100644
--- policycoreutils-2.6/gui/portsPage.py
+++ policycoreutils-2.6/gui/portsPage.py
@@ -34,6 +34,12 @@ from semanagePage import *
## I18N
##
PROGNAME = "policycoreutils"
+
+TYPE_COL = 0
+PROTOCOL_COL = 1
+MLS_COL = 2
+PORT_COL = 3
+
try:
import gettext
kwargs = {}
diff --git policycoreutils-2.6/hll/pp/pp.c policycoreutils-2.6/hll/pp/pp.c diff --git policycoreutils-2.6/hll/pp/pp.c policycoreutils-2.6/hll/pp/pp.c
index 2c9f53f..7f9afb0 100644 index 2c9f53f..bf7582e 100644
--- policycoreutils-2.6/hll/pp/pp.c --- policycoreutils-2.6/hll/pp/pp.c
+++ policycoreutils-2.6/hll/pp/pp.c +++ policycoreutils-2.6/hll/pp/pp.c
@@ -46,7 +46,7 @@ static void log_err(const char *fmt, ...)
}
}
-static void usage(int err)
+static __attribute__((__noreturn__)) void usage(int err)
{
fprintf(stderr, "Usage: %s [OPTIONS] [IN_FILE [OUT_FILE]]\n", progname);
fprintf(stderr, "\n");
@@ -141,7 +141,7 @@ int main(int argc, char **argv) @@ -141,7 +141,7 @@ int main(int argc, char **argv)
if (separator) { if (separator) {
*separator = '\0'; *separator = '\0';
@ -55,6 +81,32 @@ index 2c9f53f..7f9afb0 100644
fprintf(stderr, "Warning: SELinux userspace will refer to the module from %s as %s rather than %s\n", ifile, mod_name, cil_name); fprintf(stderr, "Warning: SELinux userspace will refer to the module from %s as %s rather than %s\n", ifile, mod_name, cil_name);
} }
free(cil_path); free(cil_path);
diff --git policycoreutils-2.6/load_policy/load_policy.c policycoreutils-2.6/load_policy/load_policy.c
index 47d9b0f..7c2c2a7 100644
--- policycoreutils-2.6/load_policy/load_policy.c
+++ policycoreutils-2.6/load_policy/load_policy.c
@@ -17,7 +17,7 @@
#define PACKAGE "policycoreutils" /* the name of this package lang translation */
#endif
-void usage(char *progname)
+static __attribute__((__noreturn__)) void usage(const char *progname)
{
fprintf(stderr, _("usage: %s [-qi]\n"), progname);
exit(1);
diff --git policycoreutils-2.6/restorecond/watch.c policycoreutils-2.6/restorecond/watch.c
index bdfc99d..b6fa825 100644
--- policycoreutils-2.6/restorecond/watch.c
+++ policycoreutils-2.6/restorecond/watch.c
@@ -179,7 +179,7 @@ int watch(int fd, const char *watch_file)
syslog(LOG_ERR, "Read error (%s)", strerror(errno));
return 0;
}
- syslog(LOG_ERR, "terminated");
+ syslog(LOG_INFO, "terminated");
return -1;
} else if (!len)
/* BUF_LEN too small? */
diff --git policycoreutils-2.6/sandbox/sandboxX.sh policycoreutils-2.6/sandbox/sandboxX.sh diff --git policycoreutils-2.6/sandbox/sandboxX.sh policycoreutils-2.6/sandbox/sandboxX.sh
index eaa500d..4774528 100644 index eaa500d..4774528 100644
--- policycoreutils-2.6/sandbox/sandboxX.sh --- policycoreutils-2.6/sandbox/sandboxX.sh
@ -69,7 +121,7 @@ index eaa500d..4774528 100644
cat > ~/seremote << __EOF cat > ~/seremote << __EOF
#!/bin/sh #!/bin/sh
diff --git policycoreutils-2.6/scripts/fixfiles policycoreutils-2.6/scripts/fixfiles diff --git policycoreutils-2.6/scripts/fixfiles policycoreutils-2.6/scripts/fixfiles
index fa43a53..301fc34 100755 index fa43a53..cc504b7 100755
--- policycoreutils-2.6/scripts/fixfiles --- policycoreutils-2.6/scripts/fixfiles
+++ policycoreutils-2.6/scripts/fixfiles +++ policycoreutils-2.6/scripts/fixfiles
@@ -116,14 +116,11 @@ exclude_dirs() { @@ -116,14 +116,11 @@ exclude_dirs() {
@ -107,7 +159,7 @@ index fa43a53..301fc34 100755
fi fi
} }
# #
@@ -244,6 +244,10 @@ then @@ -244,20 +244,24 @@ then
logit "skipping the directory ${p}" logit "skipping the directory ${p}"
done done
FC=$TEMPFCFILE FC=$TEMPFCFILE
@ -118,6 +170,23 @@ index fa43a53..301fc34 100755
fi fi
if [ ! -z "$RPMFILES" ]; then if [ ! -z "$RPMFILES" ]; then
for i in `echo "$RPMFILES" | sed 's/,/ /g'`; do for i in `echo "$RPMFILES" | sed 's/,/ /g'`; do
- rpmlist $i | ${RESTORECON} $exclude_dirs ${FORCEFLAG} ${VERBOSE} $* -R -i -f - 2>&1 | cat >> $LOGFILE
+ rpmlist $i | ${RESTORECON} $exclude_dirs ${FORCEFLAG} ${VERBOSE} $* -R -i -f - >>$LOGFILE 2>&1
done
exit $?
fi
if [ ! -z "$FILEPATH" ]; then
- ${RESTORECON} $exclude_dirs ${FORCEFLAG} ${VERBOSE} -R $* $FILEPATH 2>&1 | cat >> $LOGFILE
+ ${RESTORECON} $exclude_dirs ${FORCEFLAG} ${VERBOSE} -R $* -- "$FILEPATH" >>$LOGFILE 2>&1
return
fi
if [ -n "${FILESYSTEMSRW}" ]; then
echo "${OPTION}ing `echo ${FILESYSTEMSRW}`"
- ${SETFILES} ${VERBOSE} $exclude_dirs -q ${FORCEFLAG} $* ${FC} ${FILESYSTEMSRW} 2>&1 | cat >> $LOGFILE
+ ${SETFILES} ${VERBOSE} $exclude_dirs -q ${FORCEFLAG} $* ${FC} ${FILESYSTEMSRW} >>$LOGFILE 2>&1
else
echo >&2 "fixfiles: No suitable file systems found"
fi
@@ -265,7 +269,7 @@ if [ ${OPTION} != "Relabel" ]; then @@ -265,7 +269,7 @@ if [ ${OPTION} != "Relabel" ]; then
return return
fi fi
@ -136,6 +205,129 @@ index fa43a53..301fc34 100755
relabel) relabel;; relabel) relabel;;
onboot) onboot)
> /.autorelabel > /.autorelabel
@@ -382,8 +386,8 @@ done
shift $(( OPTIND - 1 ))
# Check for the command
-command=$1
-if [ -z $command ]; then
+command="$1"
+if [ -z "$command" ]; then
usage
fi
@@ -395,17 +399,17 @@ shift
#
if [ ! -z "$RPMFILES" ]; then
- process $command
+ process "$command"
if [ $# -gt 0 ]; then
usage
fi
else
if [ -z "$1" ]; then
- process $command
+ process "$command"
else
while [ -n "$1" ]; do
- FILEPATH=$1
- process $command
+ FILEPATH="$1"
+ process "$command"
shift
done
fi
diff --git policycoreutils-2.6/secon/secon.c policycoreutils-2.6/secon/secon.c
index 134f4ee..c29d9fb 100644
--- policycoreutils-2.6/secon/secon.c
+++ policycoreutils-2.6/secon/secon.c
@@ -73,7 +73,7 @@ struct {
FALSE, FALSE, FALSE, FALSE, FALSE, FALSE,
FALSE, FALSE, FALSE, OPTS_FROM_ARG, {0} } };
-static void usage(const char *name, int exit_code)
+static __attribute__((__noreturn__)) void usage(const char *name, int exit_code)
{
fprintf(exit_code ? stderr : stdout,
" Usage: %s [-%s] [ context | - ]\n"
diff --git policycoreutils-2.6/semanage/semanage policycoreutils-2.6/semanage/semanage
index 19a6c51..c109716 100644
--- policycoreutils-2.6/semanage/semanage
+++ policycoreutils-2.6/semanage/semanage
@@ -50,7 +50,7 @@ usage_login = "semanage login [-h] [-n] [-N] [-S STORE] ["
usage_login_dict = {' --add': ('-s SEUSER', '-r RANGE', 'LOGIN',), ' --modify': ('-s SEUSER', '-r RANGE', 'LOGIN',), ' --delete': ('LOGIN',), ' --list': ('-C',), ' --extract': ('',), ' --deleteall': ('',)}
usage_fcontext = "semanage fcontext [-h] [-n] [-N] [-S STORE] ["
-usage_fcontext_dict = {' --add': ('(', '-t TYPE', '-f FTYPE', '-r RANGE', '-s SEUSER', '|', '-e EQUAL', ')', 'FILE_SPEC', ')',), ' --delete': ('(', '-t TYPE', '-f FTYPE', '|', '-e EQUAL', ')', 'FILE_SPEC', ')',), ' --modify': ('(', '-t TYPE', '-f FTYPE', '-r RANGE', '-s SEUSER', '|', '-e EQUAL', ')', 'FILE_SPEC )',), ' --list': ('-C',), ' --extract': ('',), ' --deleteall': ('',)}
+usage_fcontext_dict = {' --add': ('(', '-t TYPE', '-f FTYPE', '-r RANGE', '-s SEUSER', '|', '-e EQUAL', ')', 'FILE_SPEC',), ' --delete': ('(', '-t TYPE', '-f FTYPE', '|', '-e EQUAL', ')', 'FILE_SPEC',), ' --modify': ('(', '-t TYPE', '-f FTYPE', '-r RANGE', '-s SEUSER', '|', '-e EQUAL', ')', 'FILE_SPEC',), ' --list': ('[-C]',), ' --extract': ('',), ' --deleteall': ('',)}
usage_user = "semanage user [-h] [-n] [-N] [-S STORE] ["
usage_user_dict = {' --add': ('(', '-L LEVEL', '-R ROLES', '-r RANGE', '-s SEUSER', 'selinux_name'')'), ' --delete': ('selinux_name',), ' --modify': ('(', '-L LEVEL', '-R ROLES', '-r RANGE', '-s SEUSER', 'selinux_name', ')'), ' --list': ('-C',), ' --extract': ('',), ' --deleteall': ('',)}
@@ -99,8 +99,8 @@ class seParser(argparse.ArgumentParser):
def error(self, message):
if len(sys.argv) == 2:
self.print_help()
- sys.exit(2)
- self.print_usage()
+ else:
+ self.print_usage()
self.exit(2, ('%s: error: %s\n') % (self.prog, message))
@@ -346,10 +346,7 @@ def handleFcontext(args):
# we can not use mutually for equal because we can define some actions together with equal
fcontext_equal_args = {'equal': [('list', 'locallist', 'type', 'ftype', 'seuser', 'deleteall', 'extract'), ()]}
- if args.action is None:
- print("usage: " + "%s" % generate_custom_usage(usage_fcontext, usage_fcontext_dict))
- sys.exit(2)
- elif args.action and args.equal:
+ if args.action and args.equal:
handle_opts(args, fcontext_equal_args, "equal")
else:
handle_opts(args, fcontext_args, args.action)
@@ -398,7 +395,7 @@ If you do not specify a file type, the file type will default to "all files".
parser_add_noreload(fcontextParser, "fcontext")
parser_add_store(fcontextParser, "fcontext")
- fcontext_action = fcontextParser.add_mutually_exclusive_group(required=False)
+ fcontext_action = fcontextParser.add_mutually_exclusive_group(required=True)
parser_add_add(fcontext_action, "fcontext")
parser_add_delete(fcontext_action, "fcontext")
parser_add_modify(fcontext_action, "fcontext")
@@ -645,19 +642,9 @@ def setupNodeParser(subparsers):
def handleBoolean(args):
- boolean_args = {'list': [('state', 'boolean'), ('')], 'modify': [('localist'), ('')], 'extract': [('locallist', 'state', 'boolean'), ('')], 'deleteall': [('locallist'), ('')], 'state': [('locallist', 'list', 'extract', 'deleteall'), ('modify')]}
- if args.action is None:
- print("Usage: " + "%s" % generate_custom_usage(usage_boolean, usage_boolean_dict))
- sys.exit(2)
- # TODO: should be added to handle_opts logic
- elif args.action is "modify" and not args.boolean:
- print("boolean name required ")
- sys.exit(1)
- elif args.action is "modify" and args.boolean and not args.state:
- print("state option is needed")
- sys.exit(1)
- else:
- handle_opts(args, boolean_args, args.action)
+ boolean_args = {'list': [('state', 'boolean'), ('')], 'modify': [('localist'), ('boolean', 'state')], 'extract': [('locallist', 'state', 'boolean'), ('')], 'deleteall': [('locallist'), ('')], 'state': [('locallist', 'list', 'extract', 'deleteall'), ('modify')]}
+
+ handle_opts(args, boolean_args, args.action)
OBJECT = object_dict['boolean']()
OBJECT.set_reload(args.noreload)
@@ -683,7 +670,7 @@ def setupBooleanParser(subparsers):
parser_add_store(booleanParser, "boolean")
booleanParser.add_argument('boolean', nargs="?", default=None, help=_('boolean'))
- boolean_action = booleanParser.add_mutually_exclusive_group(required=False)
+ boolean_action = booleanParser.add_mutually_exclusive_group(required=True)
#add_add(boolean_action)
parser_add_modify(boolean_action, "boolean")
parser_add_list(boolean_action, "boolean")
diff --git policycoreutils-2.6/semanage/semanage.8 policycoreutils-2.6/semanage/semanage.8 diff --git policycoreutils-2.6/semanage/semanage.8 policycoreutils-2.6/semanage/semanage.8
index ac39862..75b782f 100644 index ac39862..75b782f 100644
--- policycoreutils-2.6/semanage/semanage.8 --- policycoreutils-2.6/semanage/semanage.8
@ -151,19 +343,56 @@ index ac39862..75b782f 100644
while the semanage user command deals with the mapping from SELinux while the semanage user command deals with the mapping from SELinux
user identities to authorized role sets. In most cases, only the user identities to authorized role sets. In most cases, only the
diff --git policycoreutils-2.6/semanage/seobject.py policycoreutils-2.6/semanage/seobject.py diff --git policycoreutils-2.6/semanage/seobject.py policycoreutils-2.6/semanage/seobject.py
index bb049c0..c836cc5 100644 index bb049c0..a977d68 100644
--- policycoreutils-2.6/semanage/seobject.py --- policycoreutils-2.6/semanage/seobject.py
+++ policycoreutils-2.6/semanage/seobject.py +++ policycoreutils-2.6/semanage/seobject.py
@@ -386,7 +386,7 @@ class moduleRecords(semanageRecords): @@ -84,7 +84,7 @@ file_type_str_to_option = {"all files": "a",
"directory": "d",
"character device": "c",
"block device": "b",
- "socket file": "s",
+ "socket": "s",
"symbolic link": "l",
"named pipe": "p"}
@@ -385,8 +385,10 @@ class moduleRecords(semanageRecords):
print("%-25s %-9s %-5s %s" % (t[0], t[2], t[3], disabled))
def add(self, file, priority): def add(self, file, priority):
+ if not file:
+ raise ValueError(_("You did not define module."))
if not os.path.exists(file): if not os.path.exists(file):
- raise ValueError(_("Module does not exists %s ") % file) - raise ValueError(_("Module does not exists %s ") % file)
+ raise ValueError(_("Module does not exist: %s ") % file) + raise ValueError(_("Module does not exist: %s ") % file)
rc = semanage_set_default_priority(self.sh, priority) rc = semanage_set_default_priority(self.sh, priority)
if rc < 0: if rc < 0:
@@ -492,7 +492,7 @@ class permissiveRecords(semanageRecords): @@ -397,6 +399,8 @@ class moduleRecords(semanageRecords):
self.commit()
def set_enabled(self, module, enable):
+ if not module:
+ raise ValueError(_("You did not define module name."))
for m in module.split():
rc, key = semanage_module_key_create(self.sh)
if rc < 0:
@@ -415,11 +419,15 @@ class moduleRecords(semanageRecords):
self.commit()
def modify(self, file):
+ if not file:
+ raise ValueError(_("You did not define module."))
rc = semanage_module_update_file(self.sh, file)
if rc >= 0:
self.commit()
def delete(self, module, priority):
+ if not module:
+ raise ValueError(_("You did not define module name."))
rc = semanage_set_default_priority(self.sh, priority)
if rc < 0:
raise ValueError(_("Invalid priority %d (needs to be between 1 and 999)") % priority)
@@ -492,7 +500,7 @@ class permissiveRecords(semanageRecords):
try: try:
import sepolgen.module as module import sepolgen.module as module
except ImportError: except ImportError:
@ -172,7 +401,7 @@ index bb049c0..c836cc5 100644
name = "permissive_%s" % type name = "permissive_%s" % type
modtxt = "(typepermissive %s)" % type modtxt = "(typepermissive %s)" % type
@@ -1823,7 +1823,7 @@ class fcontextRecords(semanageRecords): @@ -1823,7 +1831,7 @@ class fcontextRecords(semanageRecords):
def modify_equal(self, target, substitute): def modify_equal(self, target, substitute):
self.begin() self.begin()
if target not in self.equiv.keys(): if target not in self.equiv.keys():
@ -181,7 +410,7 @@ index bb049c0..c836cc5 100644
self.equiv[target] = substitute self.equiv[target] = substitute
self.equal_ind = True self.equal_ind = True
@@ -1953,10 +1953,12 @@ class fcontextRecords(semanageRecords): @@ -1953,10 +1961,12 @@ class fcontextRecords(semanageRecords):
if not exists: if not exists:
raise ValueError(_("File context for %s is not defined") % target) raise ValueError(_("File context for %s is not defined") % target)
@ -1747,3 +1976,282 @@ index 4b9534d..f267993 100644
""" """
if_initscript_admin_types=""" if_initscript_admin_types="""
diff --git policycoreutils-2.6/setfiles/.gitignore policycoreutils-2.6/setfiles/.gitignore
index 583eb6c..5e899c9 100644
--- policycoreutils-2.6/setfiles/.gitignore
+++ policycoreutils-2.6/setfiles/.gitignore
@@ -1,2 +1 @@
-restorecon.8.man
setfiles.8.man
diff --git policycoreutils-2.6/setfiles/Makefile policycoreutils-2.6/setfiles/Makefile
index 43364f9..92300c9 100644
--- policycoreutils-2.6/setfiles/Makefile
+++ policycoreutils-2.6/setfiles/Makefile
@@ -5,7 +5,6 @@ MANDIR = $(PREFIX)/share/man
LIBDIR ?= $(PREFIX)/lib
AUDITH = $(shell ls /usr/include/libaudit.h 2>/dev/null)
-PROGRESS_STEP=$(shell grep "^\#define STAR_COUNT" restore.h | awk -S '{ print $$3 }')
ABORT_ON_ERRORS=$(shell grep "^\#define ABORT_ON_ERRORS" setfiles.c | awk -S '{ print $$3 }')
CFLAGS ?= -g -Werror -Wall -W
@@ -28,8 +27,6 @@ restorecon_xattr: restorecon_xattr.o restore.o
man:
@cp -af setfiles.8 setfiles.8.man
- @cp -af restorecon.8 restorecon.8.man
- @sed -i "s/STAR_COUNT/$(PROGRESS_STEP)/g" setfiles.8.man restorecon.8.man
@sed -i "s/ABORT_ON_ERRORS/$(ABORT_ON_ERRORS)/g" setfiles.8.man
install: all
@@ -39,11 +36,11 @@ install: all
(cd $(SBINDIR) && ln -sf setfiles restorecon)
install -m 755 restorecon_xattr $(SBINDIR)
install -m 644 setfiles.8.man $(MANDIR)/man8/setfiles.8
- install -m 644 restorecon.8.man $(MANDIR)/man8/restorecon.8
+ install -m 644 restorecon.8 $(MANDIR)/man8/restorecon.8
install -m 644 restorecon_xattr.8 $(MANDIR)/man8/restorecon_xattr.8
clean:
- rm -f setfiles restorecon restorecon_xattr *.o setfiles.8.man restorecon.8.man
+ rm -f setfiles restorecon restorecon_xattr *.o setfiles.8.man
indent:
../../scripts/Lindent $(wildcard *.[ch])
diff --git policycoreutils-2.6/setfiles/restore.c policycoreutils-2.6/setfiles/restore.c
index cf04e96..50d192a 100644
--- policycoreutils-2.6/setfiles/restore.c
+++ policycoreutils-2.6/setfiles/restore.c
@@ -35,7 +35,8 @@ void restore_init(struct restore_opts *opts)
r_opts->recurse | r_opts->userealpath |
r_opts->xdev | r_opts->abort_on_error |
r_opts->syslog_changes | r_opts->log_matches |
- r_opts->ignore_noent | r_opts->ignore_mounts;
+ r_opts->ignore_noent | r_opts->ignore_mounts |
+ r_opts->mass_relabel;
/* Use setfiles, restorecon and restorecond own handles */
selinux_restorecon_set_sehandle(r_opts->hnd);
diff --git policycoreutils-2.6/setfiles/restore.h policycoreutils-2.6/setfiles/restore.h
index 97fbdf4..b64042a 100644
--- policycoreutils-2.6/setfiles/restore.h
+++ policycoreutils-2.6/setfiles/restore.h
@@ -17,18 +17,12 @@
#include <limits.h>
#include <stdint.h>
-/*
- * STAR_COUNT is also defined in libselinux/src/selinux_restorecon.c where it
- * is used to output "*" for each number of files processed. Defined here for
- * inclusion in man pages.
-*/
-#define STAR_COUNT 1000
-
/* Things that need to be init'd */
struct restore_opts {
unsigned int nochange;
unsigned int verbose;
unsigned int progress;
+ unsigned int mass_relabel;
unsigned int set_specctx;
unsigned int add_assoc;
unsigned int ignore_digest;
@@ -49,7 +43,6 @@ struct restore_opts {
const char *selabel_opt_path;
const char *selabel_opt_digest;
int debug;
- FILE *outfile;
};
void restore_init(struct restore_opts *opts);
diff --git policycoreutils-2.6/setfiles/restorecon.8 policycoreutils-2.6/setfiles/restorecon.8
index fdb468b..3b28482 100644
--- policycoreutils-2.6/setfiles/restorecon.8
+++ policycoreutils-2.6/setfiles/restorecon.8
@@ -109,10 +109,10 @@ don't change any file labels (passive check). To display the files whose labels
.BR \-v .
.TP
.BI \-o \ outfilename
-Deprecated, SELinux policy will probably block this access. Use shell redirection to save list of files with incorrect context in filename.
+Deprecated - This option is no longer supported.
.TP
.B \-p
-show progress by printing * every STAR_COUNT files unless relabeling the entire
+show progress by printing the number of files in 1k blocks unless relabeling the entire
OS, that will then show the approximate percentage complete. Note that the
.B \-p
and
diff --git policycoreutils-2.6/setfiles/restorecon_xattr.c policycoreutils-2.6/setfiles/restorecon_xattr.c
index 1c39efe..91c087f 100644
--- policycoreutils-2.6/setfiles/restorecon_xattr.c
+++ policycoreutils-2.6/setfiles/restorecon_xattr.c
@@ -14,7 +14,7 @@
#include "restore.h"
-static void usage(const char *progname)
+static __attribute__((__noreturn__)) void usage(const char *progname)
{
fprintf(stderr,
"\nusage: %s [-vnrmdD] [-e directory] [-f specfile] pathname\n"
diff --git policycoreutils-2.6/setfiles/setfiles.8 policycoreutils-2.6/setfiles/setfiles.8
index 6901e13..9501845 100644
--- policycoreutils-2.6/setfiles/setfiles.8
+++ policycoreutils-2.6/setfiles/setfiles.8
@@ -106,11 +106,11 @@ seclabel fs mounted on a directory below this.
.B \-n
don't change any file labels (passive check).
.TP
-.BI \-o \ filename
-Deprecated, SELinux policy will probably block this access. Use shell redirection to save list of files with incorrect context in filename.
+.BI \-o \ outfilename
+Deprecated - This option is no longer supported.
.TP
.B \-p
-show progress by printing * every STAR_COUNT files unless relabeling the entire
+show progress by printing the number of files in 1k blocks unless relabeling the entire
OS, that will then show the approximate percentage complete. Note that the
.B \-p
and
diff --git policycoreutils-2.6/setfiles/setfiles.c policycoreutils-2.6/setfiles/setfiles.c
index 1a2d711..bc83c27 100644
--- policycoreutils-2.6/setfiles/setfiles.c
+++ policycoreutils-2.6/setfiles/setfiles.c
@@ -39,7 +39,7 @@ static int iamrestorecon;
static int ctx_validate; /* Validate contexts */
static const char *altpath; /* Alternate path to file_contexts */
-void usage(const char *const name)
+static __attribute__((__noreturn__)) void usage(const char *const name)
{
if (iamrestorecon) {
fprintf(stderr,
@@ -138,6 +138,26 @@ static void maybe_audit_mass_relabel(int mass_relabel, int mass_relabel_errs)
#endif
}
+static int __attribute__ ((format(printf, 2, 3)))
+log_callback(int type, const char *fmt, ...)
+{
+ int rc;
+ FILE *out;
+ va_list ap;
+
+ if (type == SELINUX_INFO) {
+ out = stdout;
+ } else {
+ out = stderr;
+ fflush(stdout);
+ fprintf(out, "%s: ", r_opts.progname);
+ }
+ va_start(ap, fmt);
+ rc = vfprintf(out, fmt, ap);
+ va_end(ap);
+ return rc;
+}
+
int main(int argc, char **argv)
{
struct stat sb;
@@ -147,10 +167,11 @@ int main(int argc, char **argv)
char *buf = NULL;
size_t buf_len;
const char *base;
- int mass_relabel = 0, errors = 0;
+ int errors = 0;
const char *ropts = "e:f:hiIDlmno:pqrsvFRW0";
const char *sopts = "c:de:f:hiIDlmno:pqr:svFR:W0";
const char *opts;
+ union selinux_callback cb;
/* Initialize variables */
memset(&r_opts, 0, sizeof(r_opts));
@@ -304,19 +325,8 @@ int main(int argc, char **argv)
r_opts.nochange = SELINUX_RESTORECON_NOCHANGE;
break;
case 'o': /* Deprecated */
- if (strcmp(optarg, "-") == 0) {
- r_opts.outfile = stdout;
- break;
- }
-
- r_opts.outfile = fopen(optarg, "w");
- if (!r_opts.outfile) {
- fprintf(stderr, "Error opening %s: %s\n",
- optarg, strerror(errno));
-
- usage(argv[0]);
- }
- __fsetlocking(r_opts.outfile, FSETLOCKING_BYCALLER);
+ fprintf(stderr, "%s: -o option no longer supported\n",
+ r_opts.progname);
break;
case 'q':
/* Deprecated - Was only used to say whether print
@@ -380,9 +390,12 @@ int main(int argc, char **argv)
for (i = optind; i < argc; i++) {
if (!strcmp(argv[i], "/"))
- mass_relabel = 1;
+ r_opts.mass_relabel = SELINUX_RESTORECON_MASS_RELABEL;
}
+ cb.func_log = log_callback;
+ selinux_set_callback(SELINUX_CB_LOG, cb);
+
if (!iamrestorecon) {
if (policyfile) {
if (optind != (argc - 1))
@@ -401,8 +414,8 @@ int main(int argc, char **argv)
* we can support either checking against the active policy or
* checking against a binary policy file.
*/
- selinux_set_callback(SELINUX_CB_VALIDATE,
- (union selinux_callback)&canoncon);
+ cb.func_validate = canoncon;
+ selinux_set_callback(SELINUX_CB_VALIDATE, cb);
if (stat(argv[optind], &sb) < 0) {
perror(argv[optind]);
@@ -449,7 +462,7 @@ int main(int argc, char **argv)
while ((len = getdelim(&buf, &buf_len, delim, f)) > 0) {
buf[len - 1] = 0;
if (!strcmp(buf, "/"))
- mass_relabel = 1;
+ r_opts.mass_relabel = SELINUX_RESTORECON_MASS_RELABEL;
errors |= process_glob(buf, &r_opts) < 0;
}
if (strcmp(input_filename, "-") != 0)
@@ -459,7 +472,7 @@ int main(int argc, char **argv)
errors |= process_glob(argv[i], &r_opts) < 0;
}
- maybe_audit_mass_relabel(mass_relabel, errors);
+ maybe_audit_mass_relabel(r_opts.mass_relabel, errors);
if (warn_no_match)
selabel_stats(r_opts.hnd);
@@ -467,8 +480,8 @@ int main(int argc, char **argv)
selabel_close(r_opts.hnd);
restore_finish();
- if (r_opts.outfile)
- fclose(r_opts.outfile);
+ if (r_opts.progress)
+ fprintf(stdout, "\n");
exit(errors ? -1 : 0);
}
diff --git policycoreutils-2.6/setsebool/setsebool.c policycoreutils-2.6/setsebool/setsebool.c
index b101f08..53d3566 100644
--- policycoreutils-2.6/setsebool/setsebool.c
+++ policycoreutils-2.6/setsebool/setsebool.c
@@ -23,7 +23,7 @@ int verbose = 0;
int setbool(char **list, size_t start, size_t end);
-void usage(void)
+static __attribute__((__noreturn__)) void usage(void)
{
fputs
("\nUsage: setsebool [ -NPV ] boolean value | bool1=val1 bool2=val2...\n\n",
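Review bot: In the fixfiles argument loop (inner hunk `@@ -395,17 +399,17 @@`), an empty path argument is still treated as "no path given": `if [ -z "$1" ]` sends `fixfiles restore ""` to `process "$command"` with FILEPATH unset, and the restore code shown in the `@@ -244,20 +244,24 @@` hunk then skips the `"$FILEPATH"` branch and runs `${SETFILES}` over `${FILESYSTEMSRW}`. A caller that passes an unset or empty variable as the path therefore gets a filesystem-wide relabel as root instead of an error, and `while [ -n "$1" ]` silently drops every path that follows an empty one. Testing the argument count would separate the two cases: `if [ $# -eq 0 ]; then` for the no-path branch, `while [ $# -gt 0 ]; do` for the loop, and `[ -n "$1" ] || usage` as the loop's first statement. The bodies of `restore` and `process` lie partly outside the visible hunks, so this reading should be confirmed against the full script.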


@ -1,7 +1,7 @@
%global libauditver 2.1.3-4 %global libauditver 2.1.3-4
%global libsepolver 2.6-0 %global libsepolver 2.6-0
%global libsemanagever 2.6-0 %global libsemanagever 2.6-0
%global libselinuxver 2.6-0 %global libselinuxver 2.6-5
%global sepolgenver 2.6 %global sepolgenver 2.6
%global generatorsdir %{_prefix}/lib/systemd/system-generators %global generatorsdir %{_prefix}/lib/systemd/system-generators
@ -9,7 +9,7 @@
Summary: SELinux policy core utilities Summary: SELinux policy core utilities
Name: policycoreutils Name: policycoreutils
Version: 2.6 Version: 2.6
Release: 4%{?dist} Release: 5%{?dist}
License: GPLv2 License: GPLv2
Group: System Environment/Base Group: System Environment/Base
# https://github.com/SELinuxProject/selinux/wiki/Releases # https://github.com/SELinuxProject/selinux/wiki/Releases
@ -27,7 +27,7 @@ Source9: selinux-autorelabel-generator.sh
# download https://raw.githubusercontent.com/fedora-selinux/scripts/master/selinux/make-fedora-selinux-patch.sh # download https://raw.githubusercontent.com/fedora-selinux/scripts/master/selinux/make-fedora-selinux-patch.sh
# run: # run:
# $ VERSION=2.6 ./make-fedora-selinux-patch.sh policycoreutils # $ VERSION=2.6 ./make-fedora-selinux-patch.sh policycoreutils
# FIXME: HEAD https://github.com/fedora-selinux/selinux/commit/223fc83c6e68cead9b3d8d4e5ca7e95a580952e7 # HEAD https://github.com/fedora-selinux/selinux/commit/8a1941594a7221ec948b82b26636ad5a0d2dc724
Patch: policycoreutils-fedora.patch Patch: policycoreutils-fedora.patch
# $ VERSION=2.6 ./make-fedora-selinux-patch.sh sepolgen # $ VERSION=2.6 ./make-fedora-selinux-patch.sh sepolgen
# Patch1: sepolgen-fedora.patch # Patch1: sepolgen-fedora.patch
@ -445,6 +445,20 @@ The policycoreutils-restorecond package contains the restorecond service.
%systemd_postun_with_restart restorecond.service %systemd_postun_with_restart restorecond.service
%changelog %changelog
* Thu Apr 06 2017 Petr Lautrbach <plautrba@redhat.com> - 2.6-5
- semanage: Unify argument handling (#1398987)
- setfiles: set up a logging callback for libselinux
- setfiles: Fix setfiles progress indicator
- setfiles: stdout messages don't need program prefix
- setfiles: don't scramble stdout and stderr together (#1435894)
- restorecond: Decrease loglevel of termination message (#1264505)
- fixfiles should handle path arguments more robustly
- fixfiles: handle unexpected spaces in command
- fixfiles: remove useless use of cat (#1435894)
- semanage: Add checks if a module name is passed in (#1420707)
- semanage: fix export of fcontext socket entries (#1435127)
- selinux-autorelabel: remove incorrect redirection to /dev/null (#1415674)
* Fri Mar 17 2017 Petr Lautrbach <plautrba@redhat.com> - 2.6-4 * Fri Mar 17 2017 Petr Lautrbach <plautrba@redhat.com> - 2.6-4
- Fix selinux-polgengui (#1432337) - Fix selinux-polgengui (#1432337)
- sepolicy - fix obtaining domain name in HTMLManPages - sepolicy - fix obtaining domain name in HTMLManPages