SELinux userspace 3.9 release

Resolves: RHEL-104006

.gitignore

@@ -365,3 +365,5 @@ policycoreutils-2.0.83.tgz
 /selinux-3.8.tar.gz.asc
 /selinux-3.9-rc2.tar.gz
 /selinux-3.9-rc2.tar.gz.asc
+/selinux-3.9.tar.gz
+/selinux-3.9.tar.gz.asc

0001-Don-t-be-verbose-if-you-are-not-on-a-tty.patch

@@ -1,4 +1,4 @@
-From 8bbb7a654825223fccf5839d208cfc091a78d979 Mon Sep 17 00:00:00 2001
+From ce28d432bef8d1a346054b56a989e58533fecfa7 Mon Sep 17 00:00:00 2001
 From: Dan Walsh <dwalsh@redhat.com>
 Date: Fri, 14 Feb 2014 12:32:12 -0500
 Subject: [PATCH] Don't be verbose if you are not on a tty

0002-sepolicy-generate-Handle-more-reserved-port-types.patch

@@ -1,4 +1,4 @@
-From 0acd95264dadf06ad93591c949f6e8aebb559c11 Mon Sep 17 00:00:00 2001
+From 618ae48ebf1334f9380a9ae7460c553515f9c4ca Mon Sep 17 00:00:00 2001
 From: Masatake YAMATO <yamato@redhat.com>
 Date: Thu, 14 Dec 2017 15:57:58 +0900
 Subject: [PATCH] sepolicy-generate: Handle more reserved port types

0003-sandbox-Use-matchbox-window-manager-instead-of-openb.patch

@@ -1,4 +1,4 @@
-From af70b132b985fd7fe7bf4e085082f7e821d54452 Mon Sep 17 00:00:00 2001
+From 16fd581da479f80b8f8ff8ae8ff58a4f0a610d54 Mon Sep 17 00:00:00 2001
 From: Petr Lautrbach <plautrba@redhat.com>
 Date: Wed, 18 Jul 2018 09:09:35 +0200
 Subject: [PATCH] sandbox: Use matchbox-window-manager instead of openbox

0004-Use-SHA-2-instead-of-SHA-1.patch

@@ -1,4 +1,4 @@
-From 661202f1fadb8b233df5ec92f620c866390304f6 Mon Sep 17 00:00:00 2001
+From 1a3fc195c6dc7fe51ef76e4484910f7b41161ccc Mon Sep 17 00:00:00 2001
 From: Petr Lautrbach <plautrba@redhat.com>
 Date: Fri, 30 Jul 2021 14:14:37 +0200
 Subject: [PATCH] Use SHA-2 instead of SHA-1

0005-python-sepolicy-Fix-spec-file-dependencies.patch

@@ -1,4 +1,4 @@
-From 38e0ac0e99462a6e792e57fffa7b32498715f7f4 Mon Sep 17 00:00:00 2001
+From 84b051139ab536519cc8e9c333483475d830d40b Mon Sep 17 00:00:00 2001
 From: Vit Mojzis <vmojzis@redhat.com>
 Date: Tue, 30 May 2023 09:07:28 +0200
 Subject: [PATCH] python/sepolicy: Fix spec file dependencies

0006-sepolicy-Fix-detection-of-writeable-locations.patch

@@ -1,4 +1,4 @@
-From 6773c49ffa8091d67452f4831defbe84e47bbd5b Mon Sep 17 00:00:00 2001
+From 98cd707e8106e9e77b179bccbeb4fd4004b4c601 Mon Sep 17 00:00:00 2001
 From: Petr Lautrbach <lautrbach@redhat.com>
 Date: Mon, 5 May 2025 18:28:40 +0200
 Subject: [PATCH] sepolicy: Fix detection of writeable locations

0007-sepolicy-use-multiprocessing-fork-method.patch

@@ -1,58 +0,0 @@
-From cfec5c81d6513791a170d101cf2f27773f3052f1 Mon Sep 17 00:00:00 2001
-From: Petr Lautrbach <lautrbach@redhat.com>
-Date: Mon, 30 Jun 2025 11:20:56 +0200
-Subject: [PATCH] sepolicy: use multiprocessing 'fork' method
-
-'fork' was the default starting method in Python before 3.14 and it's
-necessary for this code to work correctly
-
-Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2374569
-
-    sh-5.2# sepolicy manpage -a -p /builddir/build/BUILD/selinux-policy-41.43-build/BUILDROOT/usr/share/man/man8/ -w -r /builddir/build/BUILD/selinux-policy-41.43-build/BUILDROOT
-    ValueError: No SELinux Policy installed
-    Exception ignored while calling deallocator <function Pool.__del__ at 0x7f36f9d333d0>:
-    Traceback (most recent call last):
-      File "/usr/lib64/python3.14/multiprocessing/pool.py", line 271, in __del__
-        self._change_notifier.put(None)
-      File "/usr/lib64/python3.14/multiprocessing/queues.py", line 397, in put
-        self._writer.send_bytes(obj)
-      File "/usr/lib64/python3.14/multiprocessing/connection.py", line 206, in send_bytes
-        self._send_bytes(m[offset:offset + size])
-      File "/usr/lib64/python3.14/multiprocessing/connection.py", line 444, in _send_bytes
-        self._send(header + buf)
-      File "/usr/lib64/python3.14/multiprocessing/connection.py", line 400, in _send
-        n = write(self._handle, buf)
-    BrokenPipeError: [Errno 32] Broken pipe
-
-Signed-off-by: Petr Lautrbach <lautrbach@redhat.com>
-Acked-by: James Carter <jwcart2@gmail.com>
----
- python/sepolicy/sepolicy.py | 5 +++--
- 1 file changed, 3 insertions(+), 2 deletions(-)
-
-diff --git a/python/sepolicy/sepolicy.py b/python/sepolicy/sepolicy.py
-index 82ff6af2..febb2fc1 100755
---- a/python/sepolicy/sepolicy.py
-+++ b/python/sepolicy/sepolicy.py
-@@ -25,7 +25,7 @@ import os
- import sys
- import selinux
- import sepolicy
--from multiprocessing import Pool
-+import multiprocessing
- from sepolicy import get_os_version, get_conditionals, get_conditionals_format_text
- import argparse
- PROGNAME = "selinux-python"
-@@ -350,7 +350,8 @@ def manpage(args):
- 
-     manpage_domains = set()
-     manpage_roles = set()
--    p = Pool()
-+    multiprocessing.set_start_method('fork')
-+    p = multiprocessing.Pool()
-     async_results = []
-     for domain in test_domains:
-         async_results.append(p.apply_async(manpage_work, [domain, path, args.root, args.source_files, args.web]))
--- 
-2.49.0
-

0008-policycoreutils-use-pkg-config-for-libsemanage.patch

@@ -1,76 +0,0 @@
-From 21955dcb5a201b0ec0487b3f1aa1da052afd9b97 Mon Sep 17 00:00:00 2001
-From: Alyssa Ross <hi@alyssa.is>
-Date: Wed, 25 Jun 2025 12:41:03 +0200
-Subject: [PATCH] policycoreutils: use pkg-config for libsemanage
-
-libaudit and libbz2 are only required to be in the linker path for
-static builds.  For dynamic builds, they'll be discovered through ELF
-metadata.  pkg-config knows how to do the right thing in both cases,
-so just use it rather than listing libsemanage's dependencies
-manually.
-
-Fixes: da6cd3d8 ("Support static-only builds")
-Closes: https://lore.kernel.org/r/87bjqebpre.fsf@redhat.com
-Signed-off-by: Alyssa Ross <hi@alyssa.is>
-Acked-by: James Carter <jwcart2@gmail.com>
----
- policycoreutils/Makefile           | 3 ++-
- policycoreutils/semodule/Makefile  | 3 +--
- policycoreutils/setsebool/Makefile | 3 +--
- 3 files changed, 4 insertions(+), 5 deletions(-)
-
-diff --git a/policycoreutils/Makefile b/policycoreutils/Makefile
-index 7acd51dd..0f3d62f2 100644
---- a/policycoreutils/Makefile
-+++ b/policycoreutils/Makefile
-@@ -3,7 +3,8 @@ SUBDIRS = setfiles load_policy newrole run_init secon sestatus semodule setseboo
- PKG_CONFIG ?= pkg-config
- 
- LIBSELINUX_LDLIBS := $(shell $(PKG_CONFIG) --libs libselinux)
--export LIBSELINUX_LDLIBS
-+LIBSEMANAGE_LDLIBS := $(shell $(PKG_CONFIG) --libs libsemanage)
-+export LIBSELINUX_LDLIBS LIBSEMANAGE_LDLIBS
- 
- all install relabel clean indent:
- 	@for subdir in $(SUBDIRS); do \
-diff --git a/policycoreutils/semodule/Makefile b/policycoreutils/semodule/Makefile
-index 7c45831f..018ee2ca 100644
---- a/policycoreutils/semodule/Makefile
-+++ b/policycoreutils/semodule/Makefile
-@@ -7,12 +7,11 @@ MANDIR = $(PREFIX)/share/man
- CFLAGS ?= -Werror -Wall -W
- override CFLAGS += -I../../libselinux/include -I../../libsemanage/include
- override LDFLAGS+= -L../../libselinux/src     -L../../libsemanage/src
--override LDLIBS += -lsemanage -lsepol $(LIBSELINUX_LDLIBS)
-+override LDLIBS += $(LIBSEMANAGE_LDLIBS) -lsepol $(LIBSELINUX_LDLIBS)
- SEMODULE_OBJS = semodule.o
- 
- all: semodule genhomedircon
- 
--semodule: LDLIBS += -laudit -lbz2
- semodule: $(SEMODULE_OBJS)
- 
- genhomedircon:
-diff --git a/policycoreutils/setsebool/Makefile b/policycoreutils/setsebool/Makefile
-index 1d514846..87494c55 100644
---- a/policycoreutils/setsebool/Makefile
-+++ b/policycoreutils/setsebool/Makefile
-@@ -8,14 +8,13 @@ BASHCOMPLETIONDIR ?= $(PREFIX)/share/bash-completion/completions
- CFLAGS ?= -Werror -Wall -W
- override CFLAGS += -I../../libselinux/include -I../../libsemanage/include
- override LDFLAGS+= -L../../libselinux/src     -L../../libsemanage/src
--override LDLIBS += -lsemanage $(LIBSELINUX_LDLIBS)
-+override LDLIBS += $(LIBSEMANAGE_LDLIBS) $(LIBSELINUX_LDLIBS)
- SETSEBOOL_OBJS = setsebool.o
- 
- BASHCOMPLETIONS=setsebool-bash-completion.sh 
- 
- all: setsebool
- 
--setsebool: LDLIBS += -laudit -lbz2
- setsebool: $(SETSEBOOL_OBJS)
- 
- install: all
--- 
-2.49.0
-

0009-Policycoreutils-Make-pkg-config-work-for-more-types-.patch

@@ -1,40 +0,0 @@
-From 0ca24e16ece36e6c45a50be350f82495abc742ec Mon Sep 17 00:00:00 2001
-From: James Carter <jwcart2@gmail.com>
-Date: Tue, 1 Jul 2025 09:01:43 -0400
-Subject: [PATCH] Policycoreutils: Make pkg-config work for more types of
- builds
-
-To support static builds, pkg-config is used to add the libraries
-needed for libselinux and libsemanage during the build. Unforunately,
-pkg-config will always use the installed pc files for libselinux and
-libsemanage.
-
-Instead set PKG_CONFIG_PATH when invoking pkg-config so that
-it searches in order:
-1) The directory specified by PKG_CONFIG_PATH, if already set.
-2) The local src directories of libselinux and libsemaange.
-3) The default directories specified by the system.
-
-Signed-off-by: James Carter <jwcart2@gmail.com>
----
- policycoreutils/Makefile | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/policycoreutils/Makefile b/policycoreutils/Makefile
-index 0f3d62f2..7c9706e3 100644
---- a/policycoreutils/Makefile
-+++ b/policycoreutils/Makefile
-@@ -2,8 +2,8 @@ SUBDIRS = setfiles load_policy newrole run_init secon sestatus semodule setseboo
- 
- PKG_CONFIG ?= pkg-config
- 
--LIBSELINUX_LDLIBS := $(shell $(PKG_CONFIG) --libs libselinux)
--LIBSEMANAGE_LDLIBS := $(shell $(PKG_CONFIG) --libs libsemanage)
-+LIBSELINUX_LDLIBS := $(shell PKG_CONFIG_PATH="$(PKG_CONFIG_PATH):../libselinux/src" $(PKG_CONFIG) --libs libselinux)
-+LIBSEMANAGE_LDLIBS := $(shell PKG_CONFIG_PATH="$(PKG_CONFIG_PATH):../libsemanage/src" $(PKG_CONFIG) --libs libsemanage)
- export LIBSELINUX_LDLIBS LIBSEMANAGE_LDLIBS
- 
- all install relabel clean indent:
--- 
-2.49.0
-

changelog

@@ -1,3 +1,6 @@
+* Wed Jul 23 2025 Vit Mojzis <vmojzis@redhat.com> - 3.9-1
+- SELinux userspace 3.9 release
+
 * Fri Jul 04 2025 Petr Lautrbach <lautrbach@redhat.com> - 3.9-0.rc2.1
 - SELinux userspace 3.9-rc2 release
 

policycoreutils.spec

@@ -1,7 +1,7 @@
 %global libauditver     3.0
-%global libsepolver     3.9-0
-%global libsemanagever  3.9-0
-%global libselinuxver   3.9-0
+%global libsepolver     3.9-1
+%global libsemanagever  3.9-1
+%global libselinuxver   3.9-1
 
 %global generatorsdir %{_prefix}/lib/systemd/system-generators
 
@@ -11,11 +11,11 @@
 Summary: SELinux policy core utilities
 Name:    policycoreutils
 Version: 3.9
-Release: 0.rc2.1%{?dist}
+Release: 1%{?dist}
 License: GPL-2.0-or-later
 # https://github.com/SELinuxProject/selinux/wiki/Releases
-Source0: https://github.com/SELinuxProject/selinux/releases/download/%{version}-rc2/selinux-%{version}-rc2.tar.gz
-Source1: https://github.com/SELinuxProject/selinux/releases/download/%{version}-rc2/selinux-%{version}-rc2.tar.gz.asc
+Source0: https://github.com/SELinuxProject/selinux/releases/download/%{version}/selinux-%{version}.tar.gz
+Source1: https://github.com/SELinuxProject/selinux/releases/download/%{version}/selinux-%{version}.tar.gz.asc
 Source2: https://github.com/bachradsusi.gpg
 URL:     https://github.com/SELinuxProject/selinux
 Source13: system-config-selinux.png
@@ -35,7 +35,7 @@ Source22: selinux-gui.zip
 # wlc --key <apikey> --url https://translate.fedoraproject.org/api/ download selinux/sandbox --output ./
 Source23: selinux-sandbox.zip
 # https://github.com/fedora-selinux/selinux
-# $ git format-patch -N 3.9-rc2 -- policycoreutils python gui sandbox dbus semodule-utils restorecond
+# $ git format-patch -N 3.9 -- policycoreutils python gui sandbox dbus semodule-utils restorecond
 # $ for j in [0-9]*.patch; do printf "Patch%s: %s\n" ${j/-*/} $j; done
 # Patch list start
 Patch0001: 0001-Don-t-be-verbose-if-you-are-not-on-a-tty.patch
@@ -44,9 +44,6 @@ Patch0003: 0003-sandbox-Use-matchbox-window-manager-instead-of-openb.patch
 Patch0004: 0004-Use-SHA-2-instead-of-SHA-1.patch
 Patch0005: 0005-python-sepolicy-Fix-spec-file-dependencies.patch
 Patch0006: 0006-sepolicy-Fix-detection-of-writeable-locations.patch
-Patch0007: 0007-sepolicy-use-multiprocessing-fork-method.patch
-Patch0008: 0008-policycoreutils-use-pkg-config-for-libsemanage.patch
-Patch0009: 0009-Policycoreutils-Make-pkg-config-work-for-more-types-.patch
 # Patch list end
 
 Obsoletes: policycoreutils < 2.0.61-2
@@ -84,7 +81,7 @@ to switch roles.
 
 %prep -p /usr/bin/bash
 %{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}'
-%autosetup -p 1 -n selinux-%{version}-rc2
+%autosetup -p 1 -n selinux-%{version}
 
 cp %{SOURCE13} gui/
 tar -xvf %{SOURCE14} -C python/sepolicy/

sources

@@ -2,5 +2,5 @@ SHA512 (selinux-policycoreutils.zip) = 0df9dc274e0d1a2e4e2467f95a18a5bf7b6de2428
 SHA512 (selinux-python.zip) = 35d209f8bcff498f66465499fcc4cef0780781276a4ba060b2d1d56eed1dd72d253f6b0eae5f679d46cf426b967a7aadac909363513be5d483c95a31249eacdd
 SHA512 (selinux-sandbox.zip) = ecbc0c8280eb6c013b039a2e63ee5a361cd84807613962a012ac0a98092357e9809bea23c3c71bd8ae4745b1dd12a4fce43db5e1cab31614f386a2a8db88b733
 SHA512 (selinux-gui.zip) = 3ae41eba5dd6d34e10dfdb97f4194d170ace2f3044e984077db7d26d05bdaad86625e48e5694e3e8680487ad99a50861d4bea30c4bf08e2820e3b7a8671270c7
-SHA512 (selinux-3.9-rc2.tar.gz) = d05d7633826154007117fc17a22de5dfb5f929fa124123341e98039ecf68a133b9ca70c575ca5e4aaa390daa930ffb6dda43b016b9cfcda8d8a901fb5204ba89
-SHA512 (selinux-3.9-rc2.tar.gz.asc) = 0fec5c55f48978829bbb61ac9e3330fbd42be08ecc89b9abb318ccd86feda41f7a5dea58aef73979c471b95b539202336a7336feb8c9014e32c7d7684ed081f1
+SHA512 (selinux-3.9.tar.gz) = ccfe9c8907ef50e35cda1e8282a4e02e8d2e1749dabde856343f236724214c89d0bcd4e799f383961b990c5fb9a6b0191880a478a8930af447951c8b36689720
+SHA512 (selinux-3.9.tar.gz.asc) = 598498e3919c72e1b7e6db85250ac7b1ff26e33598fb94c29ee74569dddee407fca73961d9fbb245ecf5ff5a7ee0eaa83031f79b7f0b2d89661119d45bbf5954