- Fix up problems pointed out by solar designer on dropping capabilities

2010-11-08 15:12:25 -05:00 · 2010-11-08 15:12:25 -05:00 · b9b7f4161c
commit b9b7f4161c
parent d7e1c238f4
2 changed files with 122 additions and 88 deletions
--- a/policycoreutils-rhat.patch
+++ b/policycoreutils-rhat.patch
@ -1,6 +1,6 @@
 diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/audit2allow/audit2allow policycoreutils-2.0.83/audit2allow/audit2allow
 --- nsapolicycoreutils/audit2allow/audit2allow	2010-05-19 14:45:51.000000000 -0400
-+++ policycoreutils-2.0.83/audit2allow/audit2allow	2010-10-29 09:54:43.000000000 -0400
+++ policycoreutils-2.0.83/audit2allow/audit2allow	2010-11-08 13:46:37.000000000 -0500
@@ -1,4 +1,4 @@
 -#! /usr/bin/python -E
 +#! /usr/bin/python -Es
@ -121,7 +121,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
     app = AuditToPolicy()
 diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/audit2allow/audit2allow.1 policycoreutils-2.0.83/audit2allow/audit2allow.1
 --- nsapolicycoreutils/audit2allow/audit2allow.1	2010-05-19 14:45:51.000000000 -0400
-+++ policycoreutils-2.0.83/audit2allow/audit2allow.1	2010-10-29 09:54:43.000000000 -0400
+++ policycoreutils-2.0.83/audit2allow/audit2allow.1	2010-11-08 13:46:37.000000000 -0500
@@ -1,5 +1,6 @@
 .\" Hey, Emacs! This is an -*- nroff -*- source file.
 .\" Copyright (c) 2005 Manoj Srivastava <srivasta@debian.org>
@ -225,7 +225,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
 .SH AUTHOR
 diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/audit2allow/sepolgen-ifgen policycoreutils-2.0.83/audit2allow/sepolgen-ifgen
 --- nsapolicycoreutils/audit2allow/sepolgen-ifgen	2010-05-19 14:45:51.000000000 -0400
-+++ policycoreutils-2.0.83/audit2allow/sepolgen-ifgen	2010-10-29 09:54:43.000000000 -0400
+++ policycoreutils-2.0.83/audit2allow/sepolgen-ifgen	2010-11-08 13:46:37.000000000 -0500
@@ -1,4 +1,4 @@
 -#! /usr/bin/python -E
 +#! /usr/bin/python -Es
@ -321,7 +321,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
 diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/load_policy/load_policy.c policycoreutils-2.0.83/load_policy/load_policy.c
 --- nsapolicycoreutils/load_policy/load_policy.c	2010-05-19 14:45:51.000000000 -0400
-+++ policycoreutils-2.0.83/load_policy/load_policy.c	2010-10-29 09:54:43.000000000 -0400
+++ policycoreutils-2.0.83/load_policy/load_policy.c	2010-11-08 13:46:37.000000000 -0500
@@ -1,3 +1,4 @@
 +#define _GNU_SOURCE
 #include <unistd.h>
@ -378,7 +378,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
 	exit(0);
 diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/Makefile policycoreutils-2.0.83/Makefile
 --- nsapolicycoreutils/Makefile	2010-06-16 08:03:38.000000000 -0400
-+++ policycoreutils-2.0.83/Makefile	2010-10-29 09:54:43.000000000 -0400
+++ policycoreutils-2.0.83/Makefile	2010-11-08 13:46:37.000000000 -0500
@@ -1,4 +1,4 @@
 -SUBDIRS = setfiles semanage load_policy newrole run_init sandbox secon audit2allow audit2why scripts sestatus semodule_package semodule semodule_link semodule_expand semodule_deps setsebool po
 +SUBDIRS = setfiles semanage semanage/default_encoding load_policy newrole run_init sandbox secon audit2allow audit2why scripts sestatus semodule_package semodule semodule_link semodule_expand semodule_deps sepolgen-ifgen setsebool po gui
@ -388,7 +388,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
 Binary files nsapolicycoreutils/newrole/hashtab.o and policycoreutils-2.0.83/newrole/hashtab.o differ
 diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/newrole/Makefile policycoreutils-2.0.83/newrole/Makefile
 --- nsapolicycoreutils/newrole/Makefile	2010-05-19 14:45:51.000000000 -0400
-+++ policycoreutils-2.0.83/newrole/Makefile	2010-11-01 15:32:24.000000000 -0400
+++ policycoreutils-2.0.83/newrole/Makefile	2010-11-08 13:46:37.000000000 -0500
@@ -50,7 +50,7 @@
 endif
 ifeq (${IS_SUID},y)
@ -401,7 +401,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
 Binary files nsapolicycoreutils/newrole/newrole and policycoreutils-2.0.83/newrole/newrole differ
 diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/newrole/newrole.c policycoreutils-2.0.83/newrole/newrole.c
 --- nsapolicycoreutils/newrole/newrole.c	2010-05-19 14:45:51.000000000 -0400
-+++ policycoreutils-2.0.83/newrole/newrole.c	2010-11-01 16:14:01.000000000 -0400
+++ policycoreutils-2.0.83/newrole/newrole.c	2010-11-08 14:56:31.000000000 -0500
@@ -77,7 +77,7 @@
 #endif
 #if defined(AUDIT_LOG_PRIV) || (NAMESPACE_PRIV)
@ -411,9 +411,22 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
 #endif
 #ifdef USE_NLS
 #include <locale.h>		/* for setlocale() */
-@@ -540,67 +540,23 @@
+@@ -90,6 +90,9 @@
 #define PACKAGE "policycoreutils"	/* the name of this package lang translation */
 #endif
 +# define TRUE 1
 +# define FALSE 0
 +
 /* USAGE_STRING describes the command-line args of this program. */
 #define USAGE_STRING "USAGE: newrole [ -r role ] [ -t type ] [ -l level ] [ -p ] [ -V ] [ -- args ]"
@@ -538,69 +541,23 @@
  * Returns zero on success, non-zero otherwise
  */
 #if defined(AUDIT_LOG_PRIV) && !defined(NAMESPACE_PRIV)
- static int drop_capabilities(void)
+-static int drop_capabilities(void)
 +static int drop_capabilities(int full)
 {
 -	int rc = 0;
 -	cap_t new_caps, tmp_caps;
@ -422,15 +435,16 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
 -	uid_t uid = getuid();
 -
 -	if (!uid)
-+	if (capng_have_capabilities(CAPNG_SELECT_CAPS) != CAPNG_FULL)
+-		return 0;
- 		return 0;
+-
 -	/* Non-root caller, suid root path */
 -	new_caps = cap_init();
 -	tmp_caps = cap_init();
 -	if (!new_caps || !tmp_caps) {
 -		fprintf(stderr, _("Error initializing capabilities, aborting.\n"));
-		return -1;
+	capng_clear(CAPNG_SELECT_BOTH);
 +	if (capng_lock() < 0) 
 		return -1;
 -	}
 -	rc |= cap_set_flag(new_caps, CAP_PERMITTED, 1, cap_list, CAP_SET);
 -	rc |= cap_set_flag(new_caps, CAP_EFFECTIVE, 1, cap_list, CAP_SET);
@ -447,7 +461,6 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
 -		rc = -1;
 -		goto out;
 -	}
 +	capng_clear(CAPNG_SELECT_BOTH);
 -	/* Does this temporary change really buy us much? */
 -	/* We should still have root's caps, so drop most capabilities now */
@ -455,8 +468,6 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
 -		fprintf(stderr, _("Error dropping capabilities, aborting\n"));
 -		goto out;
 -	}
 +	if (capng_lock() < 0) 
 +		return -1;
 +	uid_t uid = getuid();
 +	if (!uid) return 0;
@ -484,14 +495,18 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
 -	if (cap_free(tmp_caps) || cap_free(new_caps))
 -		fprintf(stderr, _("Error freeing caps\n"));
 -	return rc;
-+	capng_update(CAPNG_ADD, CAPNG_EFFECTIVE | CAPNG_PERMITTED, CAP_AUDIT_WRITE);
+	if (! full) 
 +		capng_update(CAPNG_ADD, CAPNG_EFFECTIVE | CAPNG_PERMITTED, CAP_AUDIT_WRITE);
 +	return capng_apply(CAPNG_SELECT_BOTH);
 }
 #elif defined(NAMESPACE_PRIV)
 /**
-@@ -618,44 +574,22 @@
+@@ -616,50 +573,25 @@
  *
  * Returns zero on success, non-zero otherwise
  */
- static int drop_capabilities(void)
+-static int drop_capabilities(void)
 +static int drop_capabilities(int full)
 {
 -	int rc = 0;
 -	cap_t new_caps;
@ -501,14 +516,15 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
 -	};
 -
 -	if (!getuid())
-+	if (capng_have_capabilities(CAPNG_SELECT_CAPS) != CAPNG_FULL)
+-		return 0;
- 		return 0;
+-
 -	/* Non-root caller, suid root path */
 -	new_caps = cap_init();
 -	if (!new_caps) {
 -		fprintf(stderr, _("Error initializing capabilities, aborting.\n"));
-		return -1;
+	capng_clear(CAPNG_SELECT_BOTH);
 +	if (capng_lock() < 0) 
 		return -1;
 -	}
 -	rc |= cap_set_flag(new_caps, CAP_PERMITTED, 6, cap_list, CAP_SET);
 -	rc |= cap_set_flag(new_caps, CAP_EFFECTIVE, 6, cap_list, CAP_SET);
@ -516,16 +532,13 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
 -		fprintf(stderr, _("Error setting capabilities, aborting\n"));
 -		goto out;
 -	}
 +	capng_clear(CAPNG_SELECT_BOTH);
 -	/* Ensure that caps are dropped after setuid call */
 -	if ((rc = prctl(PR_SET_KEEPCAPS, 0, 0, 0, 0) < 0)) {
 -		fprintf(stderr, _("Error resetting KEEPCAPS, aborting\n"));
 -		goto out;
 -	}
-+	if (capng_lock() < 0) 
+-
 +		return -1;
 -	/* We should still have root's caps, so drop most capabilities now */
 -	if ((rc = cap_set_proc(new_caps))) {
 -		fprintf(stderr, _("Error dropping capabilities, aborting\n"));
@ -540,12 +553,27 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
 -	if (cap_free(new_caps))
 -		fprintf(stderr, _("Error freeing caps\n"));
 -	return rc;
-+	capng_update(CAPNG_ADD, CAPNG_EFFECTIVE | CAPNG_PERMITTED, CAP_AUDIT_WRITE | CAP_SYS_ADMIN | CAP_FOWNER | CAP_CHOWN | CAP_DAC_OVERRIDE);
+	if (! full) 
 +		capng_update(CAPNG_ADD, CAPNG_EFFECTIVE | CAPNG_PERMITTED, CAP_SYS_ADMIN | CAP_FOWNER | CAP_CHOWN | CAP_DAC_OVERRIDE);
 +	return capng_apply(CAPNG_SELECT_BOTH);
 }
 #else
-@@ -1334,6 +1268,9 @@
+-static inline int drop_capabilities(void)
 +static inline int drop_capabilities(__attribute__ ((__unused__)) int full)
 {
 	return 0;
 }
@@ -1098,7 +1030,7 @@
 	 * if it makes sense to continue to run newrole, and setting up
 	 * a scrubbed environment.
 	 */
 -	if (drop_capabilities())
 +	if (drop_capabilities(FALSE))
 		return -1;
 	if (set_signal_handles())
 		return -1;
@@ -1334,11 +1266,15 @@
 	if (send_audit_message(1, old_context, new_context, ttyn))
 		goto err_close_pam_session;
@ -555,10 +583,16 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
 #ifdef NAMESPACE_PRIV
 	if (transition_to_caller_uid())
 		goto err_close_pam_session;
 #endif
 +	drop_capabilities(TRUE);
 	/* Handle environment changes */
 	if (restore_environment(preserve_environment, old_environ, &pw)) {
 		fprintf(stderr, _("Unable to restore the environment, "
 Binary files nsapolicycoreutils/newrole/newrole.o and policycoreutils-2.0.83/newrole/newrole.o differ
 diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/Makefile policycoreutils-2.0.83/restorecond/Makefile
 --- nsapolicycoreutils/restorecond/Makefile	2010-05-19 14:45:51.000000000 -0400
-+++ policycoreutils-2.0.83/restorecond/Makefile	2010-10-29 09:54:43.000000000 -0400
+++ policycoreutils-2.0.83/restorecond/Makefile	2010-11-08 13:46:37.000000000 -0500
@@ -1,17 +1,28 @@
 # Installation directories.
 PREFIX ?= ${DESTDIR}/usr
@ -607,14 +641,14 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
 	/sbin/restorecon $(SBINDIR)/restorecond 
 diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/org.selinux.Restorecond.service policycoreutils-2.0.83/restorecond/org.selinux.Restorecond.service
 --- nsapolicycoreutils/restorecond/org.selinux.Restorecond.service	1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.83/restorecond/org.selinux.Restorecond.service	2010-10-29 09:54:43.000000000 -0400
+++ policycoreutils-2.0.83/restorecond/org.selinux.Restorecond.service	2010-11-08 13:46:37.000000000 -0500
@@ -0,0 +1,3 @@
 +[D-BUS Service]
 +Name=org.selinux.Restorecond
 +Exec=/usr/sbin/restorecond -u
 diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.8 policycoreutils-2.0.83/restorecond/restorecond.8
 --- nsapolicycoreutils/restorecond/restorecond.8	2010-05-19 14:45:51.000000000 -0400
-+++ policycoreutils-2.0.83/restorecond/restorecond.8	2010-10-29 09:54:43.000000000 -0400
+++ policycoreutils-2.0.83/restorecond/restorecond.8	2010-11-08 13:46:37.000000000 -0500
@@ -3,7 +3,7 @@
 restorecond \- daemon that watches for file creation and then sets the default SELinux file context
@ -651,7 +685,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
 .BR restorecon (8),
 diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.c policycoreutils-2.0.83/restorecond/restorecond.c
 --- nsapolicycoreutils/restorecond/restorecond.c	2010-05-19 14:45:51.000000000 -0400
-+++ policycoreutils-2.0.83/restorecond/restorecond.c	2010-10-29 09:54:43.000000000 -0400
+++ policycoreutils-2.0.83/restorecond/restorecond.c	2010-11-08 13:46:37.000000000 -0500
@@ -30,9 +30,11 @@
  * and makes sure that there security context matches the systems defaults
  *
@ -1156,7 +1190,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
 diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.conf policycoreutils-2.0.83/restorecond/restorecond.conf
 --- nsapolicycoreutils/restorecond/restorecond.conf	2010-05-19 14:45:51.000000000 -0400
-+++ policycoreutils-2.0.83/restorecond/restorecond.conf	2010-10-29 09:54:43.000000000 -0400
+++ policycoreutils-2.0.83/restorecond/restorecond.conf	2010-11-08 13:46:37.000000000 -0500
@@ -4,8 +4,5 @@
 /etc/mtab
 /var/run/utmp
@ -1169,7 +1203,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
 -
 diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.desktop policycoreutils-2.0.83/restorecond/restorecond.desktop
 --- nsapolicycoreutils/restorecond/restorecond.desktop	1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.83/restorecond/restorecond.desktop	2010-10-29 09:54:43.000000000 -0400
+++ policycoreutils-2.0.83/restorecond/restorecond.desktop	2010-11-08 13:46:37.000000000 -0500
@@ -0,0 +1,7 @@
 +[Desktop Entry]
 +Name=File Context maintainer
@ -1180,7 +1214,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
 +StartupNotify=false
 diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.h policycoreutils-2.0.83/restorecond/restorecond.h
 --- nsapolicycoreutils/restorecond/restorecond.h	2010-05-19 14:45:51.000000000 -0400
-+++ policycoreutils-2.0.83/restorecond/restorecond.h	2010-10-29 09:54:43.000000000 -0400
+++ policycoreutils-2.0.83/restorecond/restorecond.h	2010-11-08 13:46:37.000000000 -0500
@@ -24,7 +24,22 @@
 #ifndef RESTORED_CONFIG_H
 #define RESTORED_CONFIG_H
@ -1208,7 +1242,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
 #endif
 diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.init policycoreutils-2.0.83/restorecond/restorecond.init
 --- nsapolicycoreutils/restorecond/restorecond.init	2010-05-19 14:45:51.000000000 -0400
-+++ policycoreutils-2.0.83/restorecond/restorecond.init	2010-10-29 09:54:43.000000000 -0400
+++ policycoreutils-2.0.83/restorecond/restorecond.init	2010-11-08 13:46:37.000000000 -0500
@@ -26,7 +26,7 @@
 # Source function library.
 . /etc/rc.d/init.d/functions
@ -1239,13 +1273,13 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
 -
 diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond_user.conf policycoreutils-2.0.83/restorecond/restorecond_user.conf
 --- nsapolicycoreutils/restorecond/restorecond_user.conf	1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.83/restorecond/restorecond_user.conf	2010-10-29 09:54:43.000000000 -0400
+++ policycoreutils-2.0.83/restorecond/restorecond_user.conf	2010-11-08 13:46:37.000000000 -0500
@@ -0,0 +1,2 @@
 +~/*
 +~/public_html/*
 diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/user.c policycoreutils-2.0.83/restorecond/user.c
 --- nsapolicycoreutils/restorecond/user.c	1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.83/restorecond/user.c	2010-10-29 09:54:43.000000000 -0400
+++ policycoreutils-2.0.83/restorecond/user.c	2010-11-08 13:46:37.000000000 -0500
@@ -0,0 +1,239 @@
 +/*
 + * restorecond
@ -1488,7 +1522,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
 +
 diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/utmpwatcher.c policycoreutils-2.0.83/restorecond/utmpwatcher.c
 --- nsapolicycoreutils/restorecond/utmpwatcher.c	2010-05-19 14:45:51.000000000 -0400
-+++ policycoreutils-2.0.83/restorecond/utmpwatcher.c	2010-10-29 09:54:43.000000000 -0400
+++ policycoreutils-2.0.83/restorecond/utmpwatcher.c	2010-11-08 13:46:37.000000000 -0500
@@ -72,8 +72,8 @@
 	if (utmp_wd == -1)
 		exitApp("Error watching utmp file.");
@ -1501,7 +1535,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
 	return changed;
 diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/watch.c policycoreutils-2.0.83/restorecond/watch.c
 --- nsapolicycoreutils/restorecond/watch.c	1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.83/restorecond/watch.c	2010-10-29 09:54:43.000000000 -0400
+++ policycoreutils-2.0.83/restorecond/watch.c	2010-11-08 13:46:37.000000000 -0500
@@ -0,0 +1,260 @@
 +#define _GNU_SOURCE
 +#include <sys/inotify.h>
@ -1765,7 +1799,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
 +}
 diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/deliverables/basicwrapper policycoreutils-2.0.83/sandbox/deliverables/basicwrapper
 --- nsapolicycoreutils/sandbox/deliverables/basicwrapper	1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.83/sandbox/deliverables/basicwrapper	2010-10-29 09:54:43.000000000 -0400
+++ policycoreutils-2.0.83/sandbox/deliverables/basicwrapper	2010-11-08 13:46:37.000000000 -0500
@@ -0,0 +1,4 @@
 +import os, sys
 +SANDBOX_ARGS = ['-f%s' % os.environ['_CONDOR_SCRATCH_DIR']]
@ -1773,7 +1807,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
 +os.execv('/usr/bin/sandbox',SANDBOX_ARGS)
 diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/deliverables/README policycoreutils-2.0.83/sandbox/deliverables/README
 --- nsapolicycoreutils/sandbox/deliverables/README	1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.83/sandbox/deliverables/README	2010-10-29 09:54:43.000000000 -0400
+++ policycoreutils-2.0.83/sandbox/deliverables/README	2010-11-08 13:46:37.000000000 -0500
@@ -0,0 +1,32 @@
 +Files:
 +run-in-sandbox.py:
@ -1809,7 +1843,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
 +Chris Pardy
 diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/deliverables/run-in-sandbox.py policycoreutils-2.0.83/sandbox/deliverables/run-in-sandbox.py
 --- nsapolicycoreutils/sandbox/deliverables/run-in-sandbox.py	1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.83/sandbox/deliverables/run-in-sandbox.py	2010-10-29 09:54:43.000000000 -0400
+++ policycoreutils-2.0.83/sandbox/deliverables/run-in-sandbox.py	2010-11-08 13:46:37.000000000 -0500
@@ -0,0 +1,49 @@
 +import os
 +import os.path
@ -1862,7 +1896,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
 +
 diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/Makefile policycoreutils-2.0.83/sandbox/Makefile
 --- nsapolicycoreutils/sandbox/Makefile	2010-06-16 08:03:38.000000000 -0400
-+++ policycoreutils-2.0.83/sandbox/Makefile	2010-10-29 09:54:43.000000000 -0400
+++ policycoreutils-2.0.83/sandbox/Makefile	2010-11-08 13:46:37.000000000 -0500
@@ -7,8 +7,8 @@
 MANDIR ?= $(PREFIX)/share/man
 LOCALEDIR ?= /usr/share/locale
@ -1895,7 +1929,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
 	@python test_sandbox.py -v
 diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/sandbox policycoreutils-2.0.83/sandbox/sandbox
 --- nsapolicycoreutils/sandbox/sandbox	2010-06-16 08:03:38.000000000 -0400
-+++ policycoreutils-2.0.83/sandbox/sandbox	2010-10-29 09:54:43.000000000 -0400
+++ policycoreutils-2.0.83/sandbox/sandbox	2010-11-08 13:46:37.000000000 -0500
@@ -1,5 +1,6 @@
 -#! /usr/bin/python -E
 +#! /usr/bin/python -Es
@ -2116,7 +2150,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
                   rc = subprocess.Popen(self.__cmds).wait()
 diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/sandbox.8 policycoreutils-2.0.83/sandbox/sandbox.8
 --- nsapolicycoreutils/sandbox/sandbox.8	2010-06-16 08:03:38.000000000 -0400
-+++ policycoreutils-2.0.83/sandbox/sandbox.8	2010-10-29 09:54:43.000000000 -0400
+++ policycoreutils-2.0.83/sandbox/sandbox.8	2010-11-08 13:46:37.000000000 -0500
@@ -1,10 +1,13 @@
 -.TH SANDBOX "8" "May 2009" "chcat" "User Commands"
 +.TH SANDBOX "8" "May 2010" "sandbox" "User Commands"
@ -2168,7 +2202,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
 +.I Thomas Liu <tliu@fedoraproject.org>
 diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/sandbox.conf policycoreutils-2.0.83/sandbox/sandbox.conf
 --- nsapolicycoreutils/sandbox/sandbox.conf	1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.83/sandbox/sandbox.conf	2010-10-29 09:54:43.000000000 -0400
+++ policycoreutils-2.0.83/sandbox/sandbox.conf	2010-11-08 13:46:37.000000000 -0500
@@ -0,0 +1,7 @@
 +# Space separate list of homedirs
 +HOMEDIRS="/home"
@ -2179,7 +2213,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
 +CPUUSAGE=80%
 diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/sandbox.conf.5 policycoreutils-2.0.83/sandbox/sandbox.conf.5
 --- nsapolicycoreutils/sandbox/sandbox.conf.5	1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.83/sandbox/sandbox.conf.5	2010-10-29 09:54:43.000000000 -0400
+++ policycoreutils-2.0.83/sandbox/sandbox.conf.5	2010-11-08 13:46:37.000000000 -0500
@@ -0,0 +1,40 @@
 +.TH sandbox.conf "5" "June 2010" "sandbox.conf" "Linux System Administration"
 +.SH NAME
@ -2229,7 +2263,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
 -HOMEDIRS="/home"
 diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/sandbox.init policycoreutils-2.0.83/sandbox/sandbox.init
 --- nsapolicycoreutils/sandbox/sandbox.init	2010-06-16 08:03:38.000000000 -0400
-+++ policycoreutils-2.0.83/sandbox/sandbox.init	2010-10-29 09:54:43.000000000 -0400
+++ policycoreutils-2.0.83/sandbox/sandbox.init	2010-11-08 13:46:37.000000000 -0500
@@ -10,17 +10,12 @@
 #
 # chkconfig: 345 1 99
@ -2256,7 +2290,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
 # Source function library.
 diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/sandboxX.sh policycoreutils-2.0.83/sandbox/sandboxX.sh
 --- nsapolicycoreutils/sandbox/sandboxX.sh	2010-06-16 08:03:38.000000000 -0400
-+++ policycoreutils-2.0.83/sandbox/sandboxX.sh	2010-10-29 09:54:43.000000000 -0400
+++ policycoreutils-2.0.83/sandbox/sandboxX.sh	2010-11-08 13:46:37.000000000 -0500
@@ -1,13 +1,26 @@
 #!/bin/bash 
 context=`id -Z | secon -t -l -P`
@ -2290,7 +2324,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
 Binary files nsapolicycoreutils/sandbox/seunshare and policycoreutils-2.0.83/sandbox/seunshare differ
 diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/seunshare.8 policycoreutils-2.0.83/sandbox/seunshare.8
 --- nsapolicycoreutils/sandbox/seunshare.8	1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.83/sandbox/seunshare.8	2010-10-29 09:54:43.000000000 -0400
+++ policycoreutils-2.0.83/sandbox/seunshare.8	2010-11-08 13:46:37.000000000 -0500
@@ -0,0 +1,37 @@
 +.TH SEUNSHARE "8" "May 2010" "seunshare" "User Commands"
 +.SH NAME
@ -2331,7 +2365,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
 +.I Thomas Liu <tliu@fedoraproject.org>
 diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/seunshare.c policycoreutils-2.0.83/sandbox/seunshare.c
 --- nsapolicycoreutils/sandbox/seunshare.c	2010-06-16 08:03:38.000000000 -0400
-+++ policycoreutils-2.0.83/sandbox/seunshare.c	2010-11-01 16:13:56.000000000 -0400
+++ policycoreutils-2.0.83/sandbox/seunshare.c	2010-11-08 14:17:14.000000000 -0500
@@ -1,13 +1,21 @@
 +/*
 + * Authors: Dan Walsh <dwalsh@redhat.com>
@ -2371,7 +2405,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
 #ifdef USE_NLS
 #include <locale.h>		/* for setlocale() */
 #include <libintl.h>		/* for gettext() */
-@@ -39,16 +44,26 @@
+@@ -39,6 +44,12 @@
 #define MS_PRIVATE 1<<18
 #endif
@ -2384,21 +2418,18 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
 /**
  * This function will drop all capabilities 
  * Returns zero on success, non-zero otherwise
-  */
+@@ -46,9 +57,9 @@
 static int drop_capabilities(uid_t uid)
 {
 +	if (capng_have_capabilities(CAPNG_SELECT_CAPS) != CAPNG_FULL)
 +		return 0;
 +
 	capng_clear(CAPNG_SELECT_BOTH);
- 
+-
 	if (capng_lock() < 0) 
 		return -1;
 +
 	/* Change uid */
 	if (setresuid(uid, uid, uid)) {
 		fprintf(stderr, _("Error changing uid, aborting.\n"));
-@@ -134,42 +149,98 @@
+@@ -134,42 +145,98 @@
 static int seunshare_mount(const char *src, const char *dst, struct passwd *pwd) {
 	if (verbose)
 		printf("Mount %s on %s\n", src, dst);
@ -2502,7 +2533,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
 		{NULL, 0, 0, 0}
 	};
-@@ -180,6 +251,12 @@
+@@ -180,6 +247,12 @@
 		return -1;
 	}
@ -2515,7 +2546,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
 	struct passwd *pwd=getpwuid(uid);
 	if (!pwd) {
 		perror(_("getpwduid failed"));
-@@ -192,30 +269,30 @@
+@@ -192,30 +265,30 @@
 	}
 	while (1) {
@ -2555,7 +2586,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
 		default:
 			fprintf(stderr, "%s\n", USAGE_STRING);
 			return -1;
-@@ -223,21 +300,179 @@
+@@ -223,21 +296,179 @@
 	}
 	if (! homedir_s && ! tmpdir_s) {
@ -2741,7 +2772,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
         if (unshare(CLONE_NEWNS) < 0) {
 		perror(_("Failed to unshare"));
-@@ -286,11 +521,13 @@
+@@ -286,11 +517,13 @@
 			exit(-1);
 		}
@ -2760,7 +2791,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
 		}
 		if (display) 
-@@ -305,17 +542,14 @@
+@@ -305,17 +538,14 @@
 			perror(_("Failed to change dir to homedir"));
 			exit(-1);
 		}
@ -2782,7 +2813,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
 Binary files nsapolicycoreutils/sandbox/seunshare.o and policycoreutils-2.0.83/sandbox/seunshare.o differ
 diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/chcat policycoreutils-2.0.83/scripts/chcat
 --- nsapolicycoreutils/scripts/chcat	2010-05-19 14:45:51.000000000 -0400
-+++ policycoreutils-2.0.83/scripts/chcat	2010-10-29 09:54:43.000000000 -0400
+++ policycoreutils-2.0.83/scripts/chcat	2010-11-08 13:46:37.000000000 -0500
@@ -1,4 +1,4 @@
 -#! /usr/bin/python -E
 +#! /usr/bin/python -Es
@ -2791,7 +2822,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
 #
 diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/fixfiles policycoreutils-2.0.83/scripts/fixfiles
 --- nsapolicycoreutils/scripts/fixfiles	2010-05-19 14:45:51.000000000 -0400
-+++ policycoreutils-2.0.83/scripts/fixfiles	2010-10-29 09:54:43.000000000 -0400
+++ policycoreutils-2.0.83/scripts/fixfiles	2010-11-08 13:46:37.000000000 -0500
@@ -21,6 +21,17 @@
 # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
@ -2885,7 +2916,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
 diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/genhomedircon.8 policycoreutils-2.0.83/scripts/genhomedircon.8
 --- nsapolicycoreutils/scripts/genhomedircon.8	1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.83/scripts/genhomedircon.8	2010-10-29 09:54:43.000000000 -0400
+++ policycoreutils-2.0.83/scripts/genhomedircon.8	2010-11-08 13:46:37.000000000 -0500
@@ -0,0 +1,37 @@
 +.\" Hey, Emacs! This is an -*- nroff -*- source file.
 +.\" Copyright (c) 2010 Dan Walsh <dwalsh@redhat.com>
@ -2926,7 +2957,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
 +.I Dan Walsh <dwalsh@redhat.com>
 diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/Makefile policycoreutils-2.0.83/scripts/Makefile
 --- nsapolicycoreutils/scripts/Makefile	2010-05-19 14:45:51.000000000 -0400
-+++ policycoreutils-2.0.83/scripts/Makefile	2010-10-29 09:54:43.000000000 -0400
+++ policycoreutils-2.0.83/scripts/Makefile	2010-11-08 13:46:37.000000000 -0500
@@ -14,6 +14,7 @@
 	install -m 755 genhomedircon  $(SBINDIR)
 	-mkdir -p $(MANDIR)/man8
@ -2937,7 +2968,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
 clean:
 diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/severify.py policycoreutils-2.0.83/scripts/severify.py
 --- nsapolicycoreutils/scripts/severify.py	1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.83/scripts/severify.py	2010-10-29 09:54:43.000000000 -0400
+++ policycoreutils-2.0.83/scripts/severify.py	2010-11-08 13:46:37.000000000 -0500
@@ -0,0 +1,21 @@
 +#! /usr/bin/python -Es
 +import seobject
@ -2962,7 +2993,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
 +
 diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/default_encoding/default_encoding.c policycoreutils-2.0.83/semanage/default_encoding/default_encoding.c
 --- nsapolicycoreutils/semanage/default_encoding/default_encoding.c	1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.83/semanage/default_encoding/default_encoding.c	2010-10-29 09:54:43.000000000 -0400
+++ policycoreutils-2.0.83/semanage/default_encoding/default_encoding.c	2010-11-08 13:46:37.000000000 -0500
@@ -0,0 +1,59 @@
 +/*
 + * Authors:
@ -3025,7 +3056,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
 +}
 diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/default_encoding/Makefile policycoreutils-2.0.83/semanage/default_encoding/Makefile
 --- nsapolicycoreutils/semanage/default_encoding/Makefile	1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.83/semanage/default_encoding/Makefile	2010-10-29 09:54:43.000000000 -0400
+++ policycoreutils-2.0.83/semanage/default_encoding/Makefile	2010-11-08 13:46:37.000000000 -0500
@@ -0,0 +1,8 @@
 +all: 
 +	LDFLAGS="" python setup.py build
@ -3037,7 +3068,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
 +	rm -rf build *~
 diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/default_encoding/policycoreutils/__init__.py policycoreutils-2.0.83/semanage/default_encoding/policycoreutils/__init__.py
 --- nsapolicycoreutils/semanage/default_encoding/policycoreutils/__init__.py	1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.83/semanage/default_encoding/policycoreutils/__init__.py	2010-10-29 09:54:43.000000000 -0400
+++ policycoreutils-2.0.83/semanage/default_encoding/policycoreutils/__init__.py	2010-11-08 13:46:37.000000000 -0500
@@ -0,0 +1,17 @@
 +#
 +# Copyright (C) 2006,2007,2008, 2009 Red Hat, Inc.
@ -3058,7 +3089,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
 +#
 diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/default_encoding/setup.py policycoreutils-2.0.83/semanage/default_encoding/setup.py
 --- nsapolicycoreutils/semanage/default_encoding/setup.py	1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.83/semanage/default_encoding/setup.py	2010-10-29 09:54:43.000000000 -0400
+++ policycoreutils-2.0.83/semanage/default_encoding/setup.py	2010-11-08 13:46:37.000000000 -0500
@@ -0,0 +1,38 @@
 +# Authors:
 +#   John Dennis <jdennis@redhat.com>
@ -3100,7 +3131,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
 +)
 diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/semanage policycoreutils-2.0.83/semanage/semanage
 --- nsapolicycoreutils/semanage/semanage	2010-05-19 14:45:51.000000000 -0400
-+++ policycoreutils-2.0.83/semanage/semanage	2010-10-29 09:54:43.000000000 -0400
+++ policycoreutils-2.0.83/semanage/semanage	2010-11-08 13:46:37.000000000 -0500
@@ -1,4 +1,4 @@
 -#! /usr/bin/python -E
 +#! /usr/bin/python -Es
@ -3513,7 +3544,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
 +		errorExit(error.args[1])
 diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/semanage.8 policycoreutils-2.0.83/semanage/semanage.8
 --- nsapolicycoreutils/semanage/semanage.8	2010-05-19 14:45:51.000000000 -0400
-+++ policycoreutils-2.0.83/semanage/semanage.8	2010-10-29 09:54:43.000000000 -0400
+++ policycoreutils-2.0.83/semanage/semanage.8	2010-11-08 13:46:37.000000000 -0500
@@ -1,29 +1,69 @@
 -.TH "semanage" "8" "2005111103" "" ""
 +.TH "semanage" "8" "20100223" "" ""
@ -3722,7 +3753,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
 Examples by Thomas Bleher <ThomasBleher@gmx.de>.
 diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/seobject.py policycoreutils-2.0.83/semanage/seobject.py
 --- nsapolicycoreutils/semanage/seobject.py	2010-05-19 14:45:51.000000000 -0400
-+++ policycoreutils-2.0.83/semanage/seobject.py	2010-10-29 09:54:43.000000000 -0400
+++ policycoreutils-2.0.83/semanage/seobject.py	2010-11-08 13:46:37.000000000 -0500
@@ -29,47 +29,12 @@
 import gettext
 gettext.bindtextdomain(PROGNAME, "/usr/share/locale")
@ -4478,7 +4509,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
 		if use_file:
 diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sepolgen-ifgen/Makefile policycoreutils-2.0.83/sepolgen-ifgen/Makefile
 --- nsapolicycoreutils/sepolgen-ifgen/Makefile	1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.83/sepolgen-ifgen/Makefile	2010-10-29 09:54:43.000000000 -0400
+++ policycoreutils-2.0.83/sepolgen-ifgen/Makefile	2010-11-08 13:46:37.000000000 -0500
@@ -0,0 +1,25 @@
 +# Installation directories.
 +PREFIX ?= ${DESTDIR}/usr
@ -4507,7 +4538,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
 +relabel: ;
 diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sepolgen-ifgen/sepolgen-ifgen-attr-helper.c policycoreutils-2.0.83/sepolgen-ifgen/sepolgen-ifgen-attr-helper.c
 --- nsapolicycoreutils/sepolgen-ifgen/sepolgen-ifgen-attr-helper.c	1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.83/sepolgen-ifgen/sepolgen-ifgen-attr-helper.c	2010-10-29 09:54:43.000000000 -0400
+++ policycoreutils-2.0.83/sepolgen-ifgen/sepolgen-ifgen-attr-helper.c	2010-11-08 13:46:37.000000000 -0500
@@ -0,0 +1,230 @@
 +/* Authors: Frank Mayer <mayerf@tresys.com>
 + *   and Karl MacMillan <kmacmillan@tresys.com>
@ -4741,7 +4772,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
 +}
 diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/setfiles/restore.c policycoreutils-2.0.83/setfiles/restore.c
 --- nsapolicycoreutils/setfiles/restore.c	2010-05-19 14:45:51.000000000 -0400
-+++ policycoreutils-2.0.83/setfiles/restore.c	2010-10-29 09:54:43.000000000 -0400
+++ policycoreutils-2.0.83/setfiles/restore.c	2010-11-08 13:46:37.000000000 -0500
@@ -1,4 +1,5 @@
 #include "restore.h"
 +#include <glob.h>
@ -4925,7 +4956,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
 diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/setfiles/restorecon.8 policycoreutils-2.0.83/setfiles/restorecon.8
 --- nsapolicycoreutils/setfiles/restorecon.8	2010-05-19 14:45:51.000000000 -0400
-+++ policycoreutils-2.0.83/setfiles/restorecon.8	2010-10-29 09:54:43.000000000 -0400
+++ policycoreutils-2.0.83/setfiles/restorecon.8	2010-11-08 13:46:37.000000000 -0500
@@ -4,10 +4,10 @@
 .SH "SYNOPSIS"
@ -4951,7 +4982,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
 show changes in file labels.
 diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/setfiles/restore.h policycoreutils-2.0.83/setfiles/restore.h
 --- nsapolicycoreutils/setfiles/restore.h	2010-05-19 14:45:51.000000000 -0400
-+++ policycoreutils-2.0.83/setfiles/restore.h	2010-10-29 09:54:43.000000000 -0400
+++ policycoreutils-2.0.83/setfiles/restore.h	2010-11-08 13:46:37.000000000 -0500
@@ -27,6 +27,7 @@
 	int hard_links;
 	int verbose;
@ -4973,7 +5004,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
 #endif
 diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/setfiles/setfiles.8 policycoreutils-2.0.83/setfiles/setfiles.8
 --- nsapolicycoreutils/setfiles/setfiles.8	2010-05-19 14:45:51.000000000 -0400
-+++ policycoreutils-2.0.83/setfiles/setfiles.8	2010-10-29 09:54:43.000000000 -0400
+++ policycoreutils-2.0.83/setfiles/setfiles.8	2010-11-08 13:46:37.000000000 -0500
@@ -31,6 +31,9 @@
 .TP
 .B \-n
@ -4986,7 +5017,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
 suppress non-error output.
 diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/setfiles/setfiles.c policycoreutils-2.0.83/setfiles/setfiles.c
 --- nsapolicycoreutils/setfiles/setfiles.c	2010-05-19 14:45:51.000000000 -0400
-+++ policycoreutils-2.0.83/setfiles/setfiles.c	2010-10-29 09:54:43.000000000 -0400
+++ policycoreutils-2.0.83/setfiles/setfiles.c	2010-11-08 13:46:37.000000000 -0500
@@ -5,7 +5,6 @@
 #include <ctype.h>
 #include <regex.h>
@ -5128,7 +5159,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
 diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/VERSION policycoreutils-2.0.83/VERSION
 --- nsapolicycoreutils/VERSION	2010-06-16 08:03:38.000000000 -0400
-+++ policycoreutils-2.0.83/VERSION	2010-10-29 09:54:43.000000000 -0400
+++ policycoreutils-2.0.83/VERSION	2010-11-08 13:46:37.000000000 -0500
@@ -1 +1 @@
 -2.0.83
 +2.0.82
--- a/policycoreutils.spec
+++ b/policycoreutils.spec
@ -7,7 +7,7 @@
 Summary: SELinux policy core utilities
 Name:	 policycoreutils
 Version: 2.0.83
-Release: 35%{?dist}
+Release: 36%{?dist}
 License: GPLv2
 Group:	 System Environment/Base
 Source:  http://www.nsa.gov/selinux/archives/policycoreutils-%{version}.tgz
@ -192,7 +192,7 @@ or level of a logged in user.
 %files newrole
 %defattr(-,root,root)
-%attr(0755,root,root) %caps(cap_audit_write,cap_sys_admin,cap_fowner,cap_chown,cap_dac_override=pe) %{_bindir}/newrole
+%attr(0755,root,root) %caps(cap_setpcap,cap_audit_write,cap_sys_admin,cap_fowner,cap_chown,cap_dac_override=pe) %{_bindir}/newrole
 %{_mandir}/man1/newrole.1.gz
 %config(noreplace) %{_sysconfdir}/pam.d/newrole
@ -240,7 +240,7 @@ rm -rf %{buildroot}
 /sbin/fixfiles
 /sbin/setfiles
 /sbin/load_policy
-%attr(0755,root,root) %caps(cap_fowner,cap_dac_override,cap_sys_admin,cap_sys_nice=pe) %{_sbindir}/seunshare
+%attr(0755,root,root) %caps(cap_setpcap,cap_fowner,cap_dac_override,cap_sys_admin,cap_sys_nice=pe) %{_sbindir}/seunshare
 %{_sbindir}/genhomedircon
 %{_sbindir}/load_policy
 %{_sbindir}/setsebool
@ -327,6 +327,9 @@ fi
 exit 0
 %changelog
 * Mon Nov 8 2010 Dan Walsh <dwalsh@redhat.com> 2.0.83-36
 - Fix up problems pointed out by solar designer on dropping capabilities
 * Mon Nov 1 2010 Dan Walsh <dwalsh@redhat.com> 2.0.83-35
 - Check if you have full privs and reset otherwise dont drop caps