From ba01c23cb66ec1f6b42c1e720f20da27afff62bd Mon Sep 17 00:00:00 2001
From: Petr Lautrbach
Date: Tue, 24 Feb 2026 12:04:54 +0100
Subject: [PATCH] policycoreutils-3.6-6 - Improve semanage-fcontext(8) man page
Resolves: RHEL-16319
---
 ...-e-documentation-and-fix-delete-oper.patch | 92 +++++++++++++++++++
 ...-man-pages-Add-examples-for-r-RANGE-.patch | 66 +++++++++++++
 ...e-fcontext-8-improve-e-documentation.patch | 41 +++++++++
 policycoreutils.spec | 8 +-
 4 files changed, 206 insertions(+), 1 deletion(-)
 create mode 100644 0026-semanage-improve-e-documentation-and-fix-delete-oper.patch
 create mode 100644 0027-improve-semanage-man-pages-Add-examples-for-r-RANGE-.patch
 create mode 100644 0028-semanage-fcontext-8-improve-e-documentation.patch

diff --git a/0026-semanage-improve-e-documentation-and-fix-delete-oper.patch b/0026-semanage-improve-e-documentation-and-fix-delete-oper.patch
new file mode 100644
index 0000000..56bc53e
--- /dev/null
+++ b/0026-semanage-improve-e-documentation-and-fix-delete-oper.patch
@@ -0,0 +1,92 @@
+From 17b468428b8a30476d6add39e8a83ff550005968 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Christian=20G=C3=B6ttsche?=
+Date: Tue, 14 Jan 2025 16:52:28 +0100
+Subject: [PATCH] semanage: improve -e documentation and fix delete operation
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Content-type: text/plain
+
+Improve the documentation around the -e/--equal option for semanage
+fcontext.
+
+Closes: https://github.com/SELinuxProject/selinux/issues/457
+Signed-off-by: Christian Göttsche
+Acked-by: Petr Lautrbach
+---
+ python/semanage/semanage | 13 +++++++------
+ python/semanage/semanage-fcontext.8 | 6 +++---
+ 2 files changed, 10 insertions(+), 9 deletions(-)
+
+diff --git a/python/semanage/semanage b/python/semanage/semanage
+index b269b9fca65b..891662699afd 100644
+--- a/python/semanage/semanage
++++ b/python/semanage/semanage
+@@ -54,7 +54,7 @@ usage_login = "semanage login [-h] [-n] [-N] [-S STORE] ["
+ usage_login_dict = {' --add': ('-s SEUSER', '-r RANGE', 'LOGIN',), ' --modify': ('-s SEUSER', '-r RANGE', 'LOGIN',), ' --delete': ('LOGIN',), ' --list': ('-C',), ' --extract': ('',), ' --deleteall': ('',)}
+ 
+ usage_fcontext = "semanage fcontext [-h] [-n] [-N] [-S STORE] ["
+-usage_fcontext_dict = {' --add': ('(', '-t TYPE', '-f FTYPE', '-r RANGE', '-s SEUSER', '|', '-e EQUAL', ')', 'FILE_SPEC',), ' --delete': ('(', '-t TYPE', '-f FTYPE', '|', '-e EQUAL', ')', 'FILE_SPEC',), ' --modify': ('(', '-t TYPE', '-f FTYPE', '-r RANGE', '-s SEUSER', '|', '-e EQUAL', ')', 'FILE_SPEC',), ' --list': ('[-C]',), ' --extract': ('',), ' --deleteall': ('',)}
++usage_fcontext_dict = {' --add': ('(', '-t TYPE', '-f FTYPE', '-r RANGE', '-s SEUSER', '|', '-e TARGET_PATH', ')', 'FILE_SPEC',), ' --delete': ('(', '-t TYPE', '-f FTYPE', '|', '-e TARGET_PATH', ')', 'FILE_SPEC',), ' --modify': ('(', '-t TYPE', '-f FTYPE', '-r RANGE', '-s SEUSER', '|', '-e TARGET_PATH', ')', 'FILE_SPEC',), ' --list': ('[-C]',), ' --extract': ('',), ' --deleteall': ('',)}
+ 
+ usage_user = "semanage user [-h] [-n] [-N] [-S STORE] ["
+ usage_user_dict = {' --add': ('(', '-L LEVEL', '-R ROLES', '-r RANGE', 'SEUSER', ')'), ' --delete': ('SEUSER',), ' --modify': ('(', '-L LEVEL', '-R ROLES', '-r RANGE', '-s SEUSER', 'SEUSER', ')'), ' --list': ('-C',), ' --extract': ('',), ' --deleteall': ('',)}
+@@ -306,7 +306,7 @@ def setupLoginParser(subparsers):
+ def handleFcontext(args):
+ fcontext_args = {'list': [('equal', 'ftype', 'seuser', 'type'), ('')], 'add': [('locallist'), ('type', 'file_spec')], 'modify': [('locallist'), ('type', 'file_spec')], 'delete': [('locallist'), ('file_spec')], 'extract': [('locallist', 'equal', 'ftype', 'seuser', 'type'), ('')], 'deleteall': [('locallist'), ('')]}
+ # we can not use mutually for equal because we can define some actions together with equal
+- fcontext_equal_args = {'equal': [('list', 'locallist', 'type', 'ftype', 'seuser', 'deleteall', 'extract'), ()]}
++ fcontext_equal_args = {'equal': [('list', 'locallist', 'type', 'ftype', 'seuser', 'deleteall', 'extract'), ('file_spec')]}
+ 
+ if args.action and args.equal:
+ handle_opts(args, fcontext_equal_args, "equal")
+@@ -355,9 +355,10 @@ def setupFcontextParser(subparsers):
+ parser_add_extract(fcontext_action, "fcontext")
+ parser_add_deleteall(fcontext_action, "fcontext")
+ 
+- fcontextParser.add_argument('-e', '--equal', help=_(
+- 'Substitute target path with sourcepath when generating default label. This is used with fcontext. Requires source and target \
+-path arguments. The context labeling for the target subtree is made equivalent to that defined for the source.'
++ fcontextParser.add_argument('-e', '--equal', metavar='TARGET_PATH', help=_(
++ 'Substitute FILE_SPEC with TARGET_PATH for file label lookup. This is used with fcontext. Requires source and target \
++path arguments to be path prefixes and does not support regular expressions. \
++The context labeling for the target subtree is made equivalent to that defined for the source.'
+ ))
+ fcontextParser.add_argument('-f', '--ftype', default="", choices=["a", "f", "d", "c", "b", "s", "l", "p"], help=_(
+ 'File Type. This is used with fcontext. Requires a file type as shown in the mode field by ls, e.g. use d to match only \
+@@ -368,7 +369,7 @@ If you do not specify a file type, the file type will default to "all files".'
+ parser_add_seuser(fcontextParser, "fcontext")
+ parser_add_type(fcontextParser, "fcontext")
+ parser_add_range(fcontextParser, "fcontext")
+- fcontextParser.add_argument('file_spec', nargs='?', default=None, help=_('Path to be labeled (may be in the form of a Perl compatible regular expression)'))
++ fcontextParser.add_argument('file_spec', nargs='?', default=None, metavar='FILE_SPEC', help=_('Path to be labeled (may be in the form of a Perl compatible regular expression)'))
+ fcontextParser.set_defaults(func=handleFcontext)
+ 
+ 
+diff --git a/python/semanage/semanage-fcontext.8 b/python/semanage/semanage-fcontext.8
+index 3e327d88d146..3a96c62fda5d 100644
+--- a/python/semanage/semanage-fcontext.8
++++ b/python/semanage/semanage-fcontext.8
+@@ -3,7 +3,7 @@
+ semanage\-fcontext \- SELinux Policy Management file context tool
+ 
+ .SH "SYNOPSIS"
+-.B semanage fcontext [\-h] [\-n] [\-N] [\-S STORE] [ \-\-add ( \-t TYPE \-f FTYPE \-r RANGE \-s SEUSER | \-e EQUAL ) FILE_SPEC | \-\-delete ( \-t TYPE \-f FTYPE | \-e EQUAL ) FILE_SPEC | \-\-deleteall | \-\-extract | \-\-list [\-C] | \-\-modify ( \-t TYPE \-f FTYPE \-r RANGE \-s SEUSER | \-e EQUAL ) FILE_SPEC ]
++.B semanage fcontext [\-h] [\-n] [\-N] [\-S STORE] [ \-\-add ( \-t TYPE \-f FTYPE \-r RANGE \-s SEUSER | \-e TARGET_PATH ) FILE_SPEC | \-\-delete ( \-t TYPE \-f FTYPE | \-e TARGET_PATH ) FILE_SPEC | \-\-deleteall | \-\-extract | \-\-list [\-C] | \-\-modify ( \-t TYPE \-f FTYPE \-r RANGE \-s SEUSER | \-e TARGET_PATH ) FILE_SPEC ]
+ 
+ .SH "DESCRIPTION"
+ semanage is used to configure certain elements of
+@@ -66,8 +66,8 @@ Extract customizable commands, for use within a transaction
+ .I \-D, \-\-deleteall
+ Remove all local customizations
+ .TP
+-.I \-e EQUAL, \-\-equal EQUAL
+-Substitute target path with sourcepath when generating default label. This is used with fcontext. Requires source and target path arguments. The context labeling for the target subtree is made equivalent to that defined for the source.
++.I \-e TARGET_PATH, \-\-equal TARGET_PATH
++Substitute FILE_SPEC with TARGET_PATH for file label lookup. This is used with fcontext. Requires source and target path arguments to be path prefixes and does not support regular expressions. The context labeling for the target subtree is made equivalent to that defined for the source.
+ .TP
+ .I \-f [{a,f,d,c,b,s,l,p}], \-\-ftype [{a,f,d,c,b,s,l,p}]
+ File Type. This is used with fcontext. Requires a file type as shown in the mode field by ls, e.g. use 'd' to match only directories or 'f' to match only regular files. The following file type options can be passed: f (regular file),d (directory),c (character device), b (block device),s (socket),l (symbolic link),p (named pipe). If you do not specify a file type, the file type will default to "all files".
+-- 
+2.53.0
+
diff --git a/0027-improve-semanage-man-pages-Add-examples-for-r-RANGE-.patch b/0027-improve-semanage-man-pages-Add-examples-for-r-RANGE-.patch
new file mode 100644
index 0000000..450f314
--- /dev/null
+++ b/0027-improve-semanage-man-pages-Add-examples-for-r-RANGE-.patch
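Review bot: In the `handleFcontext` change, the new required-options value `('file_spec')` is a plain string, not a one-element tuple, so how it is interpreted depends on `handle_opts`, which lies outside this hunk; if `handle_opts` tests membership with `in`, a string turns that into a substring match rather than an exact option-name match. The existing `fcontext_args` entries use the same spelling (`'delete': [('locallist'), ('file_spec')]`), so it is presumably accepted, but `('file_spec',)` states the intent unambiguously and is worth confirming against `handle_opts` before relying on the corrected `--delete -e` behaviour. Both `handleFcontext` and `setupFcontextParser` continue beyond the hunk boundaries.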
@@ -0,0 +1,66 @@
+From eb250ffcf89287560ce1b1cda94ca429828ce645 Mon Sep 17 00:00:00 2001
+From: Pranav Lawate
+Date: Tue, 7 Oct 2025 20:36:13 +0530
+Subject: [PATCH] improve semanage man pages: Add examples for -r RANGE flag
+ usage
+Content-type: text/plain
+
+This patch adds missing examples to the semanage-port and
+semanage-fcontext man pages showing the correct usage of the -r RANGE
+flag for MLS/MCS systems. Currently, users who try to use the -r flag
+without proper examples often encounter unclear error messages when
+they provide invalid range formats.
+
+For example, here is a command with wrong range string value:
+libsepol.mls_from_string: invalid MLS context s0.c0 (No such file or directory)
+[...error output...]
+
+The added examples demonstrate:
+ - Correct MLS range format: s0:c0.c255
+ - Complete command syntax with the -r flag for both port and
+ fcontext operations
+ - Clear indication that this is for MLS/MCS systems only
+ - Verification method using seinfo for port changes (semanage port -l
+ only shows type, not MLS range)
+ - Use -F flag to restorecon in fcontext example (required to force
+ relabeling)
+
+Signed-off-by: Pranav Lawate
+Acked-by: Stephen Smalley
+---
+ python/semanage/semanage-fcontext.8 | 4 ++++
+ python/semanage/semanage-port.8 | 3 +++
+ 2 files changed, 7 insertions(+)
+
+diff --git a/python/semanage/semanage-fcontext.8 b/python/semanage/semanage-fcontext.8
+index 3a96c62fda5d..a29b74994763 100644
+--- a/python/semanage/semanage-fcontext.8
++++ b/python/semanage/semanage-fcontext.8
+@@ -100,6 +100,10 @@ execute the following commands.
+ # semanage fcontext \-a \-e /home /disk6/home
+ # restorecon \-R \-v /disk6
+ 
++Add file-context with MLS range s0:c0.c255 for /secure directory (MLS/MCS systems only)
++# semanage fcontext \-a \-t admin_home_t \-r s0:c0.c255 "/secure(/.*)?"
++# restorecon \-R \-F \-v /secure
++
+ .SH "SEE ALSO"
+ .BR selinux (8),
+ .BR semanage (8),
+diff --git a/python/semanage/semanage-port.8 b/python/semanage/semanage-port.8
+index c6048660ca21..0df442901378 100644
+--- a/python/semanage/semanage-port.8
++++ b/python/semanage/semanage-port.8
+@@ -61,6 +61,9 @@ Allow Apache to listen on tcp port 81 (i.e. assign tcp port 81 label http_port_t
+ # semanage port \-a \-t http_port_t \-p tcp 81
+ Allow sshd to listen on tcp port 8991 (i.e. assign tcp port 8991 label ssh_port_t, which sshd is allowed to listen on)
+ # semanage port \-a \-t ssh_port_t \-p tcp 8991
++Add a custom port 9999 with MLS range s0:c0.c255 (MLS/MCS systems only). Verify with seinfo.
++# semanage port \-a \-t http_port_t \-p tcp \-r s0:c0.c255 9999
++# seinfo \-\-portcon \-x | grep 9999
+ 
+ .SH "SEE ALSO"
+ .BR selinux (8),
+-- 
+2.53.0
+
diff --git a/0028-semanage-fcontext-8-improve-e-documentation.patch b/0028-semanage-fcontext-8-improve-e-documentation.patch
new file mode 100644
index 0000000..f2624f2
--- /dev/null
+++ b/0028-semanage-fcontext-8-improve-e-documentation.patch
@@ -0,0 +1,41 @@
+From fb10d6d66a4c93dda660f4c221646fbd0a0dca3f Mon Sep 17 00:00:00 2001
+From: Petr Lautrbach
+Date: Tue, 24 Feb 2026 11:36:41 +0100
+Subject: [PATCH] semanage-fcontext(8): improve -e documentation
+Content-type: text/plain
+
+Document that substitution based on another substitution does not work
+in semanage-fcontext(8) man page
+
+Signed-off-by: Petr Lautrbach
+---
+ python/semanage/semanage-fcontext.8 | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/python/semanage/semanage-fcontext.8 b/python/semanage/semanage-fcontext.8
+index a29b74994763..b037491e3394 100644
+--- a/python/semanage/semanage-fcontext.8
++++ b/python/semanage/semanage-fcontext.8
+@@ -67,7 +67,7 @@ Extract customizable commands, for use within a transaction
+ Remove all local customizations
+ .TP
+ .I \-e TARGET_PATH, \-\-equal TARGET_PATH
+-Substitute FILE_SPEC with TARGET_PATH for file label lookup. This is used with fcontext. Requires source and target path arguments to be path prefixes and does not support regular expressions. The context labeling for the target subtree is made equivalent to that defined for the source.
++Substitute FILE_SPEC with TARGET_PATH for file label lookup. This is used with fcontext. Requires source and target path arguments to be path prefixes and does not support regular expressions. The context labeling for the target subtree is made equivalent to that defined for the source. Note that substitution based on another substitution does not work.
+ .TP
+ .I \-f [{a,f,d,c,b,s,l,p}], \-\-ftype [{a,f,d,c,b,s,l,p}]
+ File Type. This is used with fcontext. Requires a file type as shown in the mode field by ls, e.g. use 'd' to match only directories or 'f' to match only regular files. The following file type options can be passed: f (regular file),d (directory),c (character device), b (block device),s (socket),l (symbolic link),p (named pipe). If you do not specify a file type, the file type will default to "all files".
+@@ -94,6 +94,10 @@ i.e. label everything under /home1 the same way /home is labeled
+ # semanage fcontext \-a \-e /home /home1
+ # restorecon \-R \-v /home1
+ 
++If you substitute /home2 with /home1 from the example above it will not work. You must use direct substitution
++# semanage fcontext \-a \-e /home /home2
++# restorecon \-R \-v /home2
++
+ For home directories under top level directory, for example /disk6/home,
+ execute the following commands.
+ # semanage fcontext \-a \-t home_root_t "/disk6"
+-- 
+2.53.0
+
diff --git a/policycoreutils.spec b/policycoreutils.spec
index e6706b9..efa26a5 100644
--- a/policycoreutils.spec
+++ b/policycoreutils.spec
@@ -11,7 +11,7 @@ Summary: SELinux policy core utilities
 Name: policycoreutils
 Version: 3.6
-Release: 5%{?dist}
+Release: 6%{?dist}
 License: GPL-2.0-or-later
 # https://github.com/SELinuxProject/selinux/wiki/Releases
 Source0: https://github.com/SELinuxProject/selinux/releases/download/3.6/selinux-3.6.tar.gz
@@ -61,6 +61,9 @@ Patch0022: 0022-semanage-Reset-active-value-when-deleting-boolean-cu.patch
 Patch0023: 0023-seunshare-always-use-translations-when-printing.patch
 Patch0024: 0024-seunshare-fix-the-frail-tmpdir-cleanup.patch
 Patch0025: 0025-sandbox-seunshare-Replace-system-with-execv-to-preve.patch
+Patch0026: 0026-semanage-improve-e-documentation-and-fix-delete-oper.patch
+Patch0027: 0027-improve-semanage-man-pages-Add-examples-for-r-RANGE-.patch
+Patch0028: 0028-semanage-fcontext-8-improve-e-documentation.patch
 # Patch list end
 Obsoletes: policycoreutils < 2.0.61-2
 Conflicts: filesystem < 3, selinux-policy-base < 3.13.1-138
@@ -470,6 +473,9 @@ The policycoreutils-restorecond package contains the restorecond service.
 %systemd_postun_with_restart restorecond.service
 
 %changelog
+* Tue Feb 24 2026 Petr Lautrbach - 3.6-6
+- Improve semanage-fcontext(8) man page
+
 * Tue Feb 03 2026 Petr Lautrbach - 3.6-5
 - sandbox/seunshare: Replace system() with execv() to prevent shell injection
 - seunshare: fix the frail tmpdir cleanup