.gitignore

@@ -1,13 +1,7 @@
-SOURCES/gui-po.tgz
-SOURCES/policycoreutils-2.9.tar.gz
-SOURCES/policycoreutils-po.tgz
-SOURCES/python-po.tgz
-SOURCES/restorecond-2.9.tar.gz
-SOURCES/sandbox-po.tgz
-SOURCES/selinux-dbus-2.9.tar.gz
-SOURCES/selinux-gui-2.9.tar.gz
-SOURCES/selinux-python-2.9.tar.gz
-SOURCES/selinux-sandbox-2.9.tar.gz
-SOURCES/semodule-utils-2.9.tar.gz
+SOURCES/selinux-3.6.tar.gz
+SOURCES/selinux-gui.zip
+SOURCES/selinux-policycoreutils.zip
+SOURCES/selinux-python.zip
+SOURCES/selinux-sandbox.zip
 SOURCES/sepolicy-icons.tgz
 SOURCES/system-config-selinux.png

.policycoreutils.metadata

@@ -1,13 +1,7 @@
-3f355f8cbfdf7be6f9a8190153090af95d2c7358 SOURCES/gui-po.tgz
-6e64d9a38fb516738023eb429eef29af5383f443 SOURCES/policycoreutils-2.9.tar.gz
-51122ae6029657bf762d72bff94bab38890fd1e7 SOURCES/policycoreutils-po.tgz
-c503e61733af54159d5950bbd9fa8080771ee938 SOURCES/python-po.tgz
-0a34ef54394972870203832c8ce52d4405bd5330 SOURCES/restorecond-2.9.tar.gz
-7df1784ab0c6b0823943571d733b856d10a87f76 SOURCES/sandbox-po.tgz
-8645509cdfc433278c2e4d29ee8f511625c7edcc SOURCES/selinux-dbus-2.9.tar.gz
-5c155ae47692389d9fabaa154195e7f978f2a3f0 SOURCES/selinux-gui-2.9.tar.gz
-660e1ab824ef80f7a69f0b70f61e231957fd398e SOURCES/selinux-python-2.9.tar.gz
-0e208cad193021ad17a445b76b72af3fef8db999 SOURCES/selinux-sandbox-2.9.tar.gz
-a4414223e60bb664ada4824e54f8d36ab208d599 SOURCES/semodule-utils-2.9.tar.gz
+c1d6c443723b91295ca887eeea5c2d84a420593f SOURCES/selinux-3.6.tar.gz
+c2957ae26fcabe856439915bc03fb7d25c91b724 SOURCES/selinux-gui.zip
+8aec9d92a940e35756c4cf66891db7b070e00c5c SOURCES/selinux-policycoreutils.zip
+6a9a8a86bf4b66b484533e5a5b91acd9f2ba4ed1 SOURCES/selinux-python.zip
+c9b684345b0b6940afd38d8679e2838ad7ef5ffe SOURCES/selinux-sandbox.zip
 d849fa76cc3ef4a26047d8a69fef3a55d2f3097f SOURCES/sepolicy-icons.tgz
 611a5d497efaddd45ec0dcc3e9b2e5b0f81ebc41 SOURCES/system-config-selinux.png

SOURCES/0001-gui-Install-polgengui.py-to-usr-bin-selinux-polgengu.patch

@@ -1,43 +0,0 @@
-From c778509dd0ed3b184d720032f31971f975e42973 Mon Sep 17 00:00:00 2001
-From: Petr Lautrbach <plautrba@redhat.com>
-Date: Tue, 5 Mar 2019 17:38:55 +0100
-Subject: [PATCH] gui: Install polgengui.py to /usr/bin/selinux-polgengui
-
-polgengui.py is a standalone gui tool which should be in /usr/bin with other
-tools.
-
-Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
----
- gui/Makefile       | 2 +-
- gui/modulesPage.py | 2 +-
- 2 files changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/gui/Makefile b/gui/Makefile
-index c2f982de..b2375fbf 100644
---- a/gui/Makefile
-+++ b/gui/Makefile
-@@ -31,7 +31,7 @@ install: all
- 	-mkdir -p $(DESTDIR)$(DATADIR)/polkit-1/actions/
- 	install -m 755 system-config-selinux.py $(DESTDIR)$(SHAREDIR)
- 	install -m 755 system-config-selinux $(DESTDIR)$(BINDIR)
--	install -m 755 polgengui.py $(DESTDIR)$(SHAREDIR)
-+	install -m 755 polgengui.py $(DESTDIR)$(BINDIR)/selinux-polgengui
- 	install -m 644 $(TARGETS) $(DESTDIR)$(SHAREDIR)
- 	install -m 644 system-config-selinux.8 $(DESTDIR)$(MANDIR)/man8
- 	install -m 644 selinux-polgengui.8 $(DESTDIR)$(MANDIR)/man8
-diff --git a/gui/modulesPage.py b/gui/modulesPage.py
-index 34c5d9e3..cb856b2d 100644
---- a/gui/modulesPage.py
-+++ b/gui/modulesPage.py
-@@ -118,7 +118,7 @@ class modulesPage(semanagePage):
- 
-     def new_module(self, args):
-         try:
--            Popen(["/usr/share/system-config-selinux/polgengui.py"])
-+            Popen(["selinux-polgengui"])
-         except ValueError as e:
-             self.error(e.args[0])
- 
--- 
-2.21.0
-

SOURCES/0001-sandbox-add-reset-to-Xephyr-as-it-works-better-with-.patch

@@ -1,15 +1,16 @@
-From 52e0583f6adfe70825b009b626e19c290b49763a Mon Sep 17 00:00:00 2001
+From b1612f0ed2cabdf7f2a5ab44edc5be94ab4b84ed Mon Sep 17 00:00:00 2001
 From: Petr Lautrbach <plautrba@redhat.com>
 Date: Thu, 20 Aug 2015 12:58:41 +0200
 Subject: [PATCH] sandbox: add -reset to Xephyr as it works better with it in
  recent Fedoras
+Content-type: text/plain
 
 ---
  sandbox/sandboxX.sh | 2 +-
  1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/sandbox/sandboxX.sh b/sandbox/sandboxX.sh
-index eaa500d0..47745280 100644
+index eaa500d08143..4774528027ef 100644
 --- a/sandbox/sandboxX.sh
 +++ b/sandbox/sandboxX.sh
 @@ -20,7 +20,7 @@ cat > ~/.config/openbox/rc.xml << EOF
@@ -22,5 +23,5 @@ index eaa500d0..47745280 100644
      cat > ~/seremote << __EOF
  #!/bin/sh
 -- 
-2.21.0
+2.41.0
 

SOURCES/0002-Fix-STANDARD_FILE_CONTEXT-section-in-man-pages.patch

@@ -1,7 +1,8 @@
-From 7504614fdd7dcf11b3a7568ca9b4b921973531dd Mon Sep 17 00:00:00 2001
+From 2dade3b4302d6fb6c8abf94227d684ab284216e3 Mon Sep 17 00:00:00 2001
 From: Dan Walsh <dwalsh@redhat.com>
 Date: Mon, 21 Apr 2014 13:54:40 -0400
 Subject: [PATCH] Fix STANDARD_FILE_CONTEXT section in man pages
+Content-type: text/plain
 
 Signed-off-by: Miroslav Grepl <mgrepl@redhat.com>
 ---
@@ -9,10 +10,10 @@ Signed-off-by: Miroslav Grepl <mgrepl@redhat.com>
  1 file changed, 5 insertions(+), 2 deletions(-)
 
 diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py
-index 1d367962..24e311a3 100755
+index 629990194f83..b80a408a8f55 100755
 --- a/python/sepolicy/sepolicy/manpage.py
 +++ b/python/sepolicy/sepolicy/manpage.py
-@@ -735,10 +735,13 @@ Default Defined Ports:""")
+@@ -679,10 +679,13 @@ Default Defined Ports:""")
  
      def _file_context(self):
          flist = []
@@ -26,9 +27,9 @@ index 1d367962..24e311a3 100755
                  if f in self.fcdict:
                      mpaths = mpaths + self.fcdict[f]["regex"]
          if len(mpaths) == 0:
-@@ -797,12 +800,12 @@ SELinux %(domainname)s policy is very flexible allowing users to setup their %(d
+@@ -741,12 +744,12 @@ SELinux %(domainname)s policy is very flexible allowing users to setup their %(d
  SELinux defines the file context types for the %(domainname)s, if you wanted to
- store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk.
+ store files with these types in a different paths, you need to execute the semanage command to specify alternate labeling and then use restorecon to put the labels on disk.
  
 -.B semanage fcontext -a -t %(type)s '/srv/%(domainname)s/content(/.*)?'
 +.B semanage fcontext -a -t %(type)s '/srv/my%(domainname)s_content(/.*)?'
@@ -42,5 +43,5 @@ index 1d367962..24e311a3 100755
          self.fd.write(r"""
  .I The following file types are defined for %(domainname)s:
 -- 
-2.21.0
+2.41.0
 

SOURCES/0002-gui-Install-.desktop-files-to-usr-share-applications.patch

@@ -1,49 +0,0 @@
-From 04b632e6de14ec0336e14988bf4c2bd581f7308e Mon Sep 17 00:00:00 2001
-From: Petr Lautrbach <plautrba@redhat.com>
-Date: Tue, 5 Mar 2019 17:25:00 +0100
-Subject: [PATCH] gui: Install .desktop files to /usr/share/applications by
- default
-
-/usr/share/applications is a standard directory for .desktop files.
-Installation path can be changed using DESKTOPDIR variable in installation
-phase, e.g.
-
-make DESKTOPDIR=/usr/local/share/applications install
-
-Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
----
- gui/Makefile | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/gui/Makefile b/gui/Makefile
-index b2375fbf..ca965c94 100644
---- a/gui/Makefile
-+++ b/gui/Makefile
-@@ -5,6 +5,7 @@ BINDIR ?= $(PREFIX)/bin
- SHAREDIR ?= $(PREFIX)/share/system-config-selinux
- DATADIR ?= $(PREFIX)/share
- MANDIR ?= $(PREFIX)/share/man
-+DESKTOPDIR ?= $(PREFIX)/share/applications
- 
- TARGETS= \
- booleansPage.py \
-@@ -29,6 +30,7 @@ install: all
- 	-mkdir -p $(DESTDIR)$(DATADIR)/pixmaps
- 	-mkdir -p $(DESTDIR)$(DATADIR)/icons/hicolor/24x24/apps
- 	-mkdir -p $(DESTDIR)$(DATADIR)/polkit-1/actions/
-+	-mkdir -p $(DESTDIR)$(DESKTOPDIR)
- 	install -m 755 system-config-selinux.py $(DESTDIR)$(SHAREDIR)
- 	install -m 755 system-config-selinux $(DESTDIR)$(BINDIR)
- 	install -m 755 polgengui.py $(DESTDIR)$(BINDIR)/selinux-polgengui
-@@ -44,7 +46,7 @@ install: all
- 	install -m 644 system-config-selinux.png $(DESTDIR)$(DATADIR)/pixmaps
- 	install -m 644 system-config-selinux.png $(DESTDIR)$(DATADIR)/icons/hicolor/24x24/apps
- 	install -m 644 system-config-selinux.png $(DESTDIR)$(DATADIR)/system-config-selinux
--	install -m 644 *.desktop $(DESTDIR)$(DATADIR)/system-config-selinux
-+	install -m 644 *.desktop $(DESTDIR)$(DESKTOPDIR)
- 	-mkdir -p $(DESTDIR)$(DATADIR)/pixmaps
- 	install -m 644 sepolicy_256.png $(DESTDIR)$(DATADIR)/pixmaps/sepolicy.png
- 	for i in 16 22 32 48 256; do \
--- 
-2.21.0
-

SOURCES/0003-If-there-is-no-executable-we-don-t-want-to-print-a-p.patch

@@ -1,27 +1,28 @@
-From 9847a26b7f8358432ee4c7019efb3cbad0c162b0 Mon Sep 17 00:00:00 2001
+From 91eebedb3f2af184720bf77f64133a9a2e0dc453 Mon Sep 17 00:00:00 2001
 From: Miroslav Grepl <mgrepl@redhat.com>
 Date: Mon, 12 May 2014 14:11:22 +0200
 Subject: [PATCH] If there is no executable we don't want to print a part of
  STANDARD FILE CONTEXT
+Content-type: text/plain
 
 ---
  python/sepolicy/sepolicy/manpage.py | 3 ++-
  1 file changed, 2 insertions(+), 1 deletion(-)
 
 diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py
-index 24e311a3..46092be0 100755
+index b80a408a8f55..70a8ce848900 100755
 --- a/python/sepolicy/sepolicy/manpage.py
 +++ b/python/sepolicy/sepolicy/manpage.py
-@@ -793,7 +793,8 @@ SELinux %(domainname)s policy is very flexible allowing users to setup their %(d
+@@ -737,7 +737,8 @@ SELinux %(domainname)s policy is very flexible allowing users to setup their %(d
  .PP
  """ % {'domainname': self.domainname, 'equiv': e, 'alt': e.split('/')[-1]})
  
 -        self.fd.write(r"""
 +        if flist_non_exec:
-+                self.fd.write(r"""
++            self.fd.write(r"""
  .PP
  .B STANDARD FILE CONTEXT
  
 -- 
-2.21.0
+2.41.0
 

SOURCES/0004-Don-t-be-verbose-if-you-are-not-on-a-tty.patch

@@ -1,14 +1,15 @@
-From 8af697659bd662517571577bf47946a2113f34a1 Mon Sep 17 00:00:00 2001
+From 06c0d6d8f34becde1a8b4b2532e2a22abe9d4d94 Mon Sep 17 00:00:00 2001
 From: Dan Walsh <dwalsh@redhat.com>
 Date: Fri, 14 Feb 2014 12:32:12 -0500
 Subject: [PATCH] Don't be verbose if you are not on a tty
+Content-type: text/plain
 
 ---
  policycoreutils/scripts/fixfiles | 1 +
  1 file changed, 1 insertion(+)
 
 diff --git a/policycoreutils/scripts/fixfiles b/policycoreutils/scripts/fixfiles
-index b2779581..53d28c7b 100755
+index 166af6f360a2..ebe64563c7d7 100755
 --- a/policycoreutils/scripts/fixfiles
 +++ b/policycoreutils/scripts/fixfiles
 @@ -108,6 +108,7 @@ exclude_dirs_from_relabelling() {
@@ -17,8 +18,8 @@ index b2779581..53d28c7b 100755
  VERBOSE="-p"
 +[ -t 1 ] || VERBOSE=""
  FORCEFLAG=""
+ THREADS=""
  RPMFILES=""
- PREFC=""
 -- 
-2.21.0
+2.41.0
 

SOURCES/0005-sepolicy-generate-Handle-more-reserved-port-types.patch

@@ -1,7 +1,8 @@
-From 3073efc112929b535f3a832c6f99e0dbe3af29ca Mon Sep 17 00:00:00 2001
+From ff5572d5cb4ee465b09e353b84a75dc5ec60307d Mon Sep 17 00:00:00 2001
 From: Masatake YAMATO <yamato@redhat.com>
 Date: Thu, 14 Dec 2017 15:57:58 +0900
 Subject: [PATCH] sepolicy-generate: Handle more reserved port types
+Content-type: text/plain
 
 Currently only reserved_port_t, port_t and hi_reserved_port_t are
 handled as special when making a ports-dictionary.  However, as fas as
@@ -52,7 +53,7 @@ https://lore.kernel.org/selinux/20150610.190635.1866127952891120915.yamato@redha
  1 file changed, 3 insertions(+), 1 deletion(-)
 
 diff --git a/python/sepolicy/sepolicy/generate.py b/python/sepolicy/sepolicy/generate.py
-index 7175d36b..93caedee 100644
+index b6df3e91160b..36a3ea1196b1 100644
 --- a/python/sepolicy/sepolicy/generate.py
 +++ b/python/sepolicy/sepolicy/generate.py
 @@ -100,7 +100,9 @@ def get_all_ports():
@@ -67,5 +68,5 @@ index 7175d36b..93caedee 100644
          dict[(p['low'], p['high'], p['protocol'])] = (p['type'], p.get('range'))
      return dict
 -- 
-2.21.0
+2.41.0
 

SOURCES/0006-Simplication-of-sepolicy-manpage-web-functionality.-.patch

@@ -1,169 +0,0 @@
-From b2993d464e05291020dbf60fc2948ac152eb0003 Mon Sep 17 00:00:00 2001
-From: Miroslav Grepl <mgrepl@redhat.com>
-Date: Thu, 19 Feb 2015 17:45:15 +0100
-Subject: [PATCH] Simplication of sepolicy-manpage web functionality.
- system_release is no longer hardcoded and it creates only index.html and html
- man pages in the directory for the system release.
-
----
- python/sepolicy/sepolicy/__init__.py | 25 +++--------
- python/sepolicy/sepolicy/manpage.py  | 65 +++-------------------------
- 2 files changed, 13 insertions(+), 77 deletions(-)
-
-diff --git a/python/sepolicy/sepolicy/__init__.py b/python/sepolicy/sepolicy/__init__.py
-index 6aed31bd..88a2b8f6 100644
---- a/python/sepolicy/sepolicy/__init__.py
-+++ b/python/sepolicy/sepolicy/__init__.py
-@@ -1209,27 +1209,14 @@ def boolean_desc(boolean):
- 
- 
- def get_os_version():
--    os_version = ""
--    pkg_name = "selinux-policy"
-+    system_release = ""
-     try:
--        try:
--            from commands import getstatusoutput
--        except ImportError:
--            from subprocess import getstatusoutput
--        rc, output = getstatusoutput("rpm -q '%s'" % pkg_name)
--        if rc == 0:
--            os_version = output.split(".")[-2]
--    except:
--        os_version = ""
--
--    if os_version[0:2] == "fc":
--        os_version = "Fedora" + os_version[2:]
--    elif os_version[0:2] == "el":
--        os_version = "RHEL" + os_version[2:]
--    else:
--        os_version = ""
-+        with open('/etc/system-release') as f:
-+            system_release = f.readline()
-+    except IOError:
-+        system_release = "Misc"
- 
--    return os_version
-+    return system_release
- 
- 
- def reinit():
-diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py
-index 46092be0..d60acfaf 100755
---- a/python/sepolicy/sepolicy/manpage.py
-+++ b/python/sepolicy/sepolicy/manpage.py
-@@ -149,10 +149,6 @@ def prettyprint(f, trim):
- manpage_domains = []
- manpage_roles = []
- 
--fedora_releases = ["Fedora17", "Fedora18"]
--rhel_releases = ["RHEL6", "RHEL7"]
--
--
- def get_alphabet_manpages(manpage_list):
-     alphabet_manpages = dict.fromkeys(string.ascii_letters, [])
-     for i in string.ascii_letters:
-@@ -182,7 +178,7 @@ def convert_manpage_to_html(html_manpage, manpage):
- class HTMLManPages:
- 
-     """
--            Generate a HHTML Manpages on an given SELinux domains
-+            Generate a HTML Manpages on an given SELinux domains
-     """
- 
-     def __init__(self, manpage_roles, manpage_domains, path, os_version):
-@@ -190,9 +186,9 @@ class HTMLManPages:
-         self.manpage_domains = get_alphabet_manpages(manpage_domains)
-         self.os_version = os_version
-         self.old_path = path + "/"
--        self.new_path = self.old_path + self.os_version + "/"
-+        self.new_path = self.old_path
- 
--        if self.os_version in fedora_releases or self.os_version in rhel_releases:
-+        if self.os_version:
-             self.__gen_html_manpages()
-         else:
-             print("SELinux HTML man pages can not be generated for this %s" % os_version)
-@@ -201,7 +197,6 @@ class HTMLManPages:
-     def __gen_html_manpages(self):
-         self._write_html_manpage()
-         self._gen_index()
--        self._gen_body()
-         self._gen_css()
- 
-     def _write_html_manpage(self):
-@@ -219,67 +214,21 @@ class HTMLManPages:
-                     convert_manpage_to_html((self.new_path + r.rsplit("_selinux", 1)[0] + ".html"), self.old_path + r)
- 
-     def _gen_index(self):
--        index = self.old_path + "index.html"
--        fd = open(index, 'w')
--        fd.write("""
--<html>
--<head>
--    <link rel=stylesheet type="text/css" href="style.css" title="style">
--    <title>SELinux man pages online</title>
--</head>
--<body>
--<h1>SELinux man pages</h1>
--<br></br>
--Fedora or Red Hat Enterprise Linux Man Pages.</h2>
--<br></br>
--<hr>
--<h3>Fedora</h3>
--<table><tr>
--<td valign="middle">
--</td>
--</tr></table>
--<pre>
--""")
--        for f in fedora_releases:
--            fd.write("""
--<a href=%s/%s.html>%s</a> - SELinux man pages for %s """ % (f, f, f, f))
--
--        fd.write("""
--</pre>
--<hr>
--<h3>RHEL</h3>
--<table><tr>
--<td valign="middle">
--</td>
--</tr></table>
--<pre>
--""")
--        for r in rhel_releases:
--            fd.write("""
--<a href=%s/%s.html>%s</a> - SELinux man pages for %s """ % (r, r, r, r))
--
--        fd.write("""
--</pre>
--	""")
--        fd.close()
--        print("%s has been created" % index)
--
--    def _gen_body(self):
-         html = self.new_path + self.os_version + ".html"
-         fd = open(html, 'w')
-         fd.write("""
- <html>
- <head>
--	<link rel=stylesheet type="text/css" href="../style.css" title="style">
--	<title>Linux man-pages online for Fedora18</title>
-+	<link rel=stylesheet type="text/css" href="style.css" title="style">
-+	<title>SELinux man pages online</title>
- </head>
- <body>
--<h1>SELinux man pages for Fedora18</h1>
-+<h1>SELinux man pages for %s</h1>
- <hr>
- <table><tr>
- <td valign="middle">
- <h3>SELinux roles</h3>
--""")
-+""" % self.os_version)
-         for letter in self.manpage_roles:
-             if len(self.manpage_roles[letter]):
-                 fd.write("""
--- 
-2.21.0
-

SOURCES/0006-sandbox-Use-matchbox-window-manager-instead-of-openb.patch

@@ -1,7 +1,8 @@
-From 89895635ae012d1864a03700054ecc723973b5c0 Mon Sep 17 00:00:00 2001
+From 8d751d18ea748de141880a726339e4aba4b7a437 Mon Sep 17 00:00:00 2001
 From: Petr Lautrbach <plautrba@redhat.com>
 Date: Wed, 18 Jul 2018 09:09:35 +0200
 Subject: [PATCH] sandbox: Use matchbox-window-manager instead of openbox
+Content-type: text/plain
 
 ---
  sandbox/sandbox     |  4 ++--
@@ -10,10 +11,10 @@ Subject: [PATCH] sandbox: Use matchbox-window-manager instead of openbox
  3 files changed, 3 insertions(+), 17 deletions(-)
 
 diff --git a/sandbox/sandbox b/sandbox/sandbox
-index a12403b3..707959a6 100644
+index a2762a7d215a..a32a33ea3cf6 100644
 --- a/sandbox/sandbox
 +++ b/sandbox/sandbox
-@@ -268,7 +268,7 @@ class Sandbox:
+@@ -270,7 +270,7 @@ class Sandbox:
              copyfile(f, "/tmp", self.__tmpdir)
              copyfile(f, "/var/tmp", self.__tmpdir)
  
@@ -22,7 +23,7 @@ index a12403b3..707959a6 100644
          execfile = self.__homedir + "/.sandboxrc"
          fd = open(execfile, "w+")
          if self.__options.session:
-@@ -362,7 +362,7 @@ sandbox [-h] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile ] [-
+@@ -369,7 +369,7 @@ sandbox [-h] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile ] [-
  
          parser.add_option("-W", "--windowmanager", dest="wm",
                            type="string",
@@ -32,20 +33,20 @@ index a12403b3..707959a6 100644
  
          parser.add_option("-l", "--level", dest="level",
 diff --git a/sandbox/sandbox.8 b/sandbox/sandbox.8
-index d83fee76..90ef4951 100644
+index 095b9e27042d..1c1870190e51 100644
 --- a/sandbox/sandbox.8
 +++ b/sandbox/sandbox.8
-@@ -77,7 +77,7 @@ Specifies the windowsize when creating an X based Sandbox. The default windowsiz
+@@ -80,7 +80,7 @@ Specifies the windowsize when creating an X based Sandbox. The default windowsiz
  \fB\-W\fR \fB\-\-windowmanager\fR
- Select alternative window manager to run within 
+ Select alternative window manager to run within
  .B sandbox \-X.
 -Default to /usr/bin/openbox.
 +Default to /usr/bin/matchbox-window-manager.
  .TP
- \fB\-X\fR 
+ \fB\-X\fR
  Create an X based Sandbox for gui apps, temporary files for
 diff --git a/sandbox/sandboxX.sh b/sandbox/sandboxX.sh
-index 47745280..c211ebc1 100644
+index 4774528027ef..c211ebc14549 100644
 --- a/sandbox/sandboxX.sh
 +++ b/sandbox/sandboxX.sh
 @@ -6,20 +6,6 @@ export TITLE="Sandbox $context -- `grep ^#TITLE: ~/.sandboxrc | /usr/bin/cut -b8
@@ -70,5 +71,5 @@ index 47745280..c211ebc1 100644
      export DISPLAY=:$D
      cat > ~/seremote << __EOF
 -- 
-2.21.0
+2.41.0
 

SOURCES/0007-Use-SHA-2-instead-of-SHA-1.patch

@@ -0,0 +1,178 @@
+From 5d257019cb4de4681e60f6e15bf2c1be73275b9c Mon Sep 17 00:00:00 2001
+From: Petr Lautrbach <plautrba@redhat.com>
+Date: Fri, 30 Jul 2021 14:14:37 +0200
+Subject: [PATCH] Use SHA-2 instead of SHA-1
+Content-type: text/plain
+
+The use of SHA-1 in RHEL9 is deprecated
+---
+ policycoreutils/setfiles/restorecon.8       | 10 +++++-----
+ policycoreutils/setfiles/restorecon_xattr.8 |  8 ++++----
+ policycoreutils/setfiles/restorecon_xattr.c | 12 ++++++------
+ policycoreutils/setfiles/setfiles.8         | 10 +++++-----
+ 4 files changed, 20 insertions(+), 20 deletions(-)
+
+diff --git a/policycoreutils/setfiles/restorecon.8 b/policycoreutils/setfiles/restorecon.8
+index c3cc5c9b0e52..6160aced5922 100644
+--- a/policycoreutils/setfiles/restorecon.8
++++ b/policycoreutils/setfiles/restorecon.8
+@@ -95,14 +95,14 @@ display usage information and exit.
+ ignore files that do not exist.
+ .TP
+ .B \-I
+-ignore digest to force checking of labels even if the stored SHA1 digest
+-matches the specfiles SHA1 digest. The digest will then be updated provided
++ignore digest to force checking of labels even if the stored SHA256 digest
++matches the specfiles SHA256 digest. The digest will then be updated provided
+ there are no errors. See the
+ .B NOTES
+ section for further details.
+ .TP
+ .B \-D
+-Set or update any directory SHA1 digests. Use this option to
++Set or update any directory SHA256 digests. Use this option to
+ enable usage of the
+ .IR security.sehash
+ extended attribute.
+@@ -200,7 +200,7 @@ the
+ .B \-D
+ option to
+ .B restorecon
+-will cause it to store a SHA1 digest of the default specfiles set in an extended
++will cause it to store a SHA256 digest of the default specfiles set in an extended
+ attribute named
+ .IR security.sehash
+ on each directory specified in
+@@ -217,7 +217,7 @@ for further details.
+ .sp
+ The
+ .B \-I
+-option will ignore the SHA1 digest from each directory specified in
++option will ignore the SHA256 digest from each directory specified in
+ .IR pathname \ ...
+ and provided the
+ .B \-n
+diff --git a/policycoreutils/setfiles/restorecon_xattr.8 b/policycoreutils/setfiles/restorecon_xattr.8
+index 51d12a4dbb80..09bfd8c40ab4 100644
+--- a/policycoreutils/setfiles/restorecon_xattr.8
++++ b/policycoreutils/setfiles/restorecon_xattr.8
+@@ -23,7 +23,7 @@ or
+ 
+ .SH "DESCRIPTION"
+ .B restorecon_xattr
+-will display the SHA1 digests added to extended attributes
++will display the SHA256 digests added to extended attributes
+ .I security.sehash
+ or delete the attribute completely. These attributes are set by
+ .BR restorecon (8)
+@@ -48,12 +48,12 @@ extended attribute and are automatically excluded from searches.
+ .sp
+ By default
+ .B restorecon_xattr
+-will display the SHA1 digests with "Match" appended if they match the default
++will display the SHA256 digests with "Match" appended if they match the default
+ specfile set or the
+ .I specfile
+ set used with the
+ .B \-f
+-option. Non-matching SHA1 digests will be displayed with "No Match" appended.
++option. Non-matching SHA256 digests will be displayed with "No Match" appended.
+ This feature can be disabled by the
+ .B \-n
+ option.
+@@ -87,7 +87,7 @@ Do not append "Match" or "No Match" to displayed digests.
+ recursively descend directories.
+ .TP
+ .B \-v
+-display SHA1 digest generated by specfile set (Note that this digest is not
++display SHA256 digest generated by specfile set (Note that this digest is not
+ used to match the
+ .I security.sehash
+ directory digest entries, and is shown for reference only).
+diff --git a/policycoreutils/setfiles/restorecon_xattr.c b/policycoreutils/setfiles/restorecon_xattr.c
+index 31fb82fd2099..bc22d3fd4560 100644
+--- a/policycoreutils/setfiles/restorecon_xattr.c
++++ b/policycoreutils/setfiles/restorecon_xattr.c
+@@ -38,7 +38,7 @@ int main(int argc, char **argv)
+ 	unsigned int xattr_flags = 0, delete_digest = 0, recurse = 0;
+ 	unsigned int delete_all_digests = 0, ignore_mounts = 0;
+ 	bool display_digest = false;
+-	char *sha1_buf, **specfiles, *fc_file = NULL, *pathname = NULL;
++	char *sha256_buf, **specfiles, *fc_file = NULL, *pathname = NULL;
+ 	unsigned char *fc_digest = NULL;
+ 	size_t i, fc_digest_len = 0, num_specfiles;
+ 
+@@ -133,8 +133,8 @@ int main(int argc, char **argv)
+ 			exit(-1);
+ 		}
+ 
+-		sha1_buf = malloc(fc_digest_len * 2 + 1);
+-		if (!sha1_buf) {
++		sha256_buf = malloc(fc_digest_len * 2 + 1);
++		if (!sha256_buf) {
+ 			fprintf(stderr,
+ 				"Error allocating digest buffer: %s\n",
+ 							    strerror(errno));
+@@ -143,16 +143,16 @@ int main(int argc, char **argv)
+ 		}
+ 
+ 		for (i = 0; i < fc_digest_len; i++)
+-			sprintf((&sha1_buf[i * 2]), "%02x", fc_digest[i]);
++			sprintf((&sha256_buf[i * 2]), "%02x", fc_digest[i]);
+ 
+-		printf("specfiles SHA1 digest: %s\n", sha1_buf);
++		printf("specfiles SHA256 digest: %s\n", sha256_buf);
+ 
+ 		printf("calculated using the following specfile(s):\n");
+ 		if (specfiles) {
+ 			for (i = 0; i < num_specfiles; i++)
+ 				printf("%s\n", specfiles[i]);
+ 		}
+-		free(sha1_buf);
++		free(sha256_buf);
+ 		printf("\n");
+ 	}
+ 
+diff --git a/policycoreutils/setfiles/setfiles.8 b/policycoreutils/setfiles/setfiles.8
+index ee01725050bb..57c663a99d67 100644
+--- a/policycoreutils/setfiles/setfiles.8
++++ b/policycoreutils/setfiles/setfiles.8
+@@ -95,14 +95,14 @@ display usage information and exit.
+ ignore files that do not exist.
+ .TP
+ .B \-I
+-ignore digest to force checking of labels even if the stored SHA1 digest
+-matches the specfiles SHA1 digest. The digest will then be updated provided
++ignore digest to force checking of labels even if the stored SHA256 digest
++matches the specfiles SHA256 digest. The digest will then be updated provided
+ there are no errors. See the
+ .B NOTES
+ section for further details.
+ .TP
+ .B \-D
+-Set or update any directory SHA1 digests. Use this option to
++Set or update any directory SHA256 digests. Use this option to
+ enable usage of the
+ .IR security.sehash
+ extended attribute.
+@@ -261,7 +261,7 @@ the
+ .B \-D
+ option to
+ .B setfiles
+-will cause it to store a SHA1 digest of the
++will cause it to store a SHA256 digest of the
+ .B spec_file
+ set in an extended attribute named
+ .IR security.sehash
+@@ -282,7 +282,7 @@ for further details.
+ .sp
+ The
+ .B \-I
+-option will ignore the SHA1 digest from each directory specified in
++option will ignore the SHA256 digest from each directory specified in
+ .IR pathname \ ...
+ and provided the
+ .B \-n
+-- 
+2.41.0
+

SOURCES/0007-We-want-to-remove-the-trailing-newline-for-etc-syste.patch

@@ -1,26 +0,0 @@
-From bfcb599d9424ef6ffcd250931c89675b451edd00 Mon Sep 17 00:00:00 2001
-From: Miroslav Grepl <mgrepl@redhat.com>
-Date: Fri, 20 Feb 2015 16:42:01 +0100
-Subject: [PATCH] We want to remove the trailing newline for
- /etc/system_release.
-
----
- python/sepolicy/sepolicy/__init__.py | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/python/sepolicy/sepolicy/__init__.py b/python/sepolicy/sepolicy/__init__.py
-index 88a2b8f6..0c66f4d5 100644
---- a/python/sepolicy/sepolicy/__init__.py
-+++ b/python/sepolicy/sepolicy/__init__.py
-@@ -1212,7 +1212,7 @@ def get_os_version():
-     system_release = ""
-     try:
-         with open('/etc/system-release') as f:
--            system_release = f.readline()
-+            system_release = f.readline().rstrip()
-     except IOError:
-         system_release = "Misc"
- 
--- 
-2.21.0
-

SOURCES/0008-Fix-title-in-manpage.py-to-not-contain-online.patch

@@ -1,25 +0,0 @@
-From 4ea504acce6389c3e28134c4b8e6bf9072c295ce Mon Sep 17 00:00:00 2001
-From: Miroslav Grepl <mgrepl@redhat.com>
-Date: Fri, 20 Feb 2015 16:42:53 +0100
-Subject: [PATCH] Fix title in manpage.py to not contain 'online'.
-
----
- python/sepolicy/sepolicy/manpage.py | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py
-index d60acfaf..de8184d8 100755
---- a/python/sepolicy/sepolicy/manpage.py
-+++ b/python/sepolicy/sepolicy/manpage.py
-@@ -220,7 +220,7 @@ class HTMLManPages:
- <html>
- <head>
- 	<link rel=stylesheet type="text/css" href="style.css" title="style">
--	<title>SELinux man pages online</title>
-+	<title>SELinux man pages</title>
- </head>
- <body>
- <h1>SELinux man pages for %s</h1>
--- 
-2.21.0
-

SOURCES/0008-sepolicy-Drop-old-interface-file_type_is_executable-.patch

@@ -1,8 +1,9 @@
-From ef0f54ffc6d691d10e66a0793204edd159cd45d0 Mon Sep 17 00:00:00 2001
+From ada7ed4b14f24086a4d1147fc281ca2d61e744eb Mon Sep 17 00:00:00 2001
 From: Petr Lautrbach <plautrba@redhat.com>
 Date: Mon, 27 Feb 2017 17:12:39 +0100
 Subject: [PATCH] sepolicy: Drop old interface file_type_is_executable(f) and
  file_type_is_entrypoint(f)
+Content-type: text/plain
 
 - use direct queries
 - load exec_types and entry_types only once
@@ -11,10 +12,10 @@ Subject: [PATCH] sepolicy: Drop old interface file_type_is_executable(f) and
  1 file changed, 20 insertions(+), 2 deletions(-)
 
 diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py
-index de8184d8..f8a94fc0 100755
+index 70a8ce848900..572c493f6a15 100755
 --- a/python/sepolicy/sepolicy/manpage.py
 +++ b/python/sepolicy/sepolicy/manpage.py
-@@ -125,8 +125,24 @@ def gen_domains():
+@@ -127,8 +127,24 @@ def gen_domains():
      domains.sort()
      return domains
  
@@ -40,7 +41,7 @@ index de8184d8..f8a94fc0 100755
  
  def _gen_types():
      global types
-@@ -372,6 +388,8 @@ class ManPage:
+@@ -368,6 +384,8 @@ class ManPage:
          self.all_file_types = sepolicy.get_all_file_types()
          self.role_allows = sepolicy.get_all_role_allows()
          self.types = _gen_types()
@@ -49,15 +50,15 @@ index de8184d8..f8a94fc0 100755
  
          if self.source_files:
              self.fcpath = self.root + "file_contexts"
-@@ -689,7 +707,7 @@ Default Defined Ports:""")
+@@ -684,7 +702,7 @@ Default Defined Ports:""")
          for f in self.all_file_types:
              if f.startswith(self.domainname):
                  flist.append(f)
 -                if not file_type_is_executable(f) or not file_type_is_entrypoint(f):
-+                if not f in self.exec_types or not f in self.entry_types:
++                if f not in self.exec_types or f not in self.entry_types:
                      flist_non_exec.append(f)
                  if f in self.fcdict:
                      mpaths = mpaths + self.fcdict[f]["regex"]
 -- 
-2.21.0
+2.41.0
 

SOURCES/0009-python-sepolicy-Fix-spec-file-dependencies.patch

@@ -0,0 +1,48 @@
+From 5bd2a3a01ee3b645b5b665be4ef95ddae72806ee Mon Sep 17 00:00:00 2001
+From: Vit Mojzis <vmojzis@redhat.com>
+Date: Tue, 30 May 2023 09:07:28 +0200
+Subject: [PATCH] python/sepolicy: Fix spec file dependencies
+Content-type: text/plain
+
+semanage is part of policycoreutils-python-utils package, selinuxenabled
+is part of libselinux-utils (required by ^^^) and restorecon/load_policy
+are part of policycoreutils (also required by policycoreutils-python-utils).
+
+Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
+---
+ python/sepolicy/sepolicy/templates/spec.py | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/python/sepolicy/sepolicy/templates/spec.py b/python/sepolicy/sepolicy/templates/spec.py
+index 433c298a17e0..a6d4508bb670 100644
+--- a/python/sepolicy/sepolicy/templates/spec.py
++++ b/python/sepolicy/sepolicy/templates/spec.py
+@@ -11,18 +11,20 @@ Version:	1.0
+ Release:	1%{?dist}
+ Summary:	SELinux policy module for MODULENAME
+ 
+-Group:	System Environment/Base		
+-License:	GPLv2+	
++Group:	System Environment/Base
++License:	GPLv2+
+ # This is an example. You will need to change it.
++# For a complete guide on packaging your policy
++# see https://fedoraproject.org/wiki/SELinux/IndependentPolicy
+ URL:		http://HOSTNAME
+ Source0:	MODULENAME.pp
+ Source1:	MODULENAME.if
+ Source2:	DOMAINNAME_selinux.8
+ Source3:	DOMAINNAME_u
+ 
+-Requires: policycoreutils, libselinux-utils
+-Requires(post): selinux-policy-base >= %{selinux_policyver}, policycoreutils
+-Requires(postun): policycoreutils
++Requires: policycoreutils-python-utils, libselinux-utils
++Requires(post): selinux-policy-base >= %{selinux_policyver}, policycoreutils-python-utils
++Requires(postun): policycoreutils-python-utils
+ """
+ 
+ mid_section="""\
+-- 
+2.41.0
+

SOURCES/0010-Revert-Do-not-automatically-install-Russian-translat.patch

@@ -0,0 +1,264 @@
+From a87290f734ba136e7b648a9ce9754767cbb5eed3 Mon Sep 17 00:00:00 2001
+From: Petr Lautrbach <lautrbach@redhat.com>
+Date: Mon, 13 Nov 2023 13:37:36 +0100
+Subject: [PATCH] Revert "Do not automatically install Russian translations"
+Content-type: text/plain
+
+This reverts commit 14f35fde50cd080650ac3b0136234464a3ea6fbe.
+---
+ gui/Makefile                             | 2 +-
+ policycoreutils/load_policy/Makefile     | 2 +-
+ policycoreutils/man/Makefile             | 2 +-
+ policycoreutils/newrole/Makefile         | 2 +-
+ policycoreutils/run_init/Makefile        | 2 +-
+ policycoreutils/scripts/Makefile         | 2 +-
+ policycoreutils/secon/Makefile           | 2 +-
+ policycoreutils/semodule/Makefile        | 2 +-
+ policycoreutils/sestatus/Makefile        | 2 +-
+ policycoreutils/setfiles/Makefile        | 2 +-
+ policycoreutils/setsebool/Makefile       | 2 +-
+ python/audit2allow/Makefile              | 2 +-
+ python/chcat/Makefile                    | 2 +-
+ python/semanage/Makefile                 | 2 +-
+ python/sepolicy/Makefile                 | 2 +-
+ restorecond/Makefile                     | 2 +-
+ sandbox/Makefile                         | 2 +-
+ semodule-utils/semodule_expand/Makefile  | 2 +-
+ semodule-utils/semodule_link/Makefile    | 2 +-
+ semodule-utils/semodule_package/Makefile | 2 +-
+ 20 files changed, 20 insertions(+), 20 deletions(-)
+
+diff --git a/gui/Makefile b/gui/Makefile
+index b29610d41b52..4035fb21b8c9 100644
+--- a/gui/Makefile
++++ b/gui/Makefile
+@@ -1,5 +1,5 @@
+ # Installation directories.
+-LINGUAS ?=
++LINGUAS ?= ru
+ PREFIX ?= /usr
+ BINDIR ?= $(PREFIX)/bin
+ SHAREDIR ?= $(PREFIX)/share/system-config-selinux
+diff --git a/policycoreutils/load_policy/Makefile b/policycoreutils/load_policy/Makefile
+index ad80d500e53c..c1ba805b6a9a 100644
+--- a/policycoreutils/load_policy/Makefile
++++ b/policycoreutils/load_policy/Makefile
+@@ -1,5 +1,5 @@
+ # Installation directories.
+-LINGUAS ?=
++LINGUAS ?= ru
+ PREFIX ?= /usr
+ SBINDIR ?= $(PREFIX)/sbin
+ MANDIR ?= $(PREFIX)/share/man
+diff --git a/policycoreutils/man/Makefile b/policycoreutils/man/Makefile
+index a4539f243b26..94bbf58652ad 100644
+--- a/policycoreutils/man/Makefile
++++ b/policycoreutils/man/Makefile
+@@ -1,5 +1,5 @@
+ # Installation directories.
+-LINGUAS ?=
++LINGUAS ?= ru
+ PREFIX ?= /usr
+ MANDIR ?= $(PREFIX)/share/man
+ MAN5DIR ?= $(MANDIR)/man5
+diff --git a/policycoreutils/newrole/Makefile b/policycoreutils/newrole/Makefile
+index 4b8145d35a8b..b3ccf671a9ae 100644
+--- a/policycoreutils/newrole/Makefile
++++ b/policycoreutils/newrole/Makefile
+@@ -1,5 +1,5 @@
+ # Installation directories.
+-LINGUAS ?=
++LINGUAS ?= ru
+ PREFIX ?= /usr
+ BINDIR ?= $(PREFIX)/bin
+ MANDIR ?= $(PREFIX)/share/man
+diff --git a/policycoreutils/run_init/Makefile b/policycoreutils/run_init/Makefile
+index 619ebc1d7554..e86364a496e6 100644
+--- a/policycoreutils/run_init/Makefile
++++ b/policycoreutils/run_init/Makefile
+@@ -1,6 +1,6 @@
+ 
+ # Installation directories.
+-LINGUAS ?=
++LINGUAS ?= ru
+ PREFIX ?= /usr
+ SBINDIR ?= $(PREFIX)/sbin
+ MANDIR ?= $(PREFIX)/share/man
+diff --git a/policycoreutils/scripts/Makefile b/policycoreutils/scripts/Makefile
+index 6d8196c672d6..75e75b80a100 100644
+--- a/policycoreutils/scripts/Makefile
++++ b/policycoreutils/scripts/Makefile
+@@ -1,5 +1,5 @@
+ # Installation directories.
+-LINGUAS ?=
++LINGUAS ?= ru
+ PREFIX ?= /usr
+ SBINDIR ?= $(PREFIX)/sbin
+ MANDIR ?= $(PREFIX)/share/man
+diff --git a/policycoreutils/secon/Makefile b/policycoreutils/secon/Makefile
+index 440503a14682..576a6203dfa3 100644
+--- a/policycoreutils/secon/Makefile
++++ b/policycoreutils/secon/Makefile
+@@ -1,5 +1,5 @@
+ # secon tool - command-line context
+-LINGUAS ?=
++LINGUAS ?= ru
+ PREFIX ?= /usr
+ BINDIR ?= $(PREFIX)/bin
+ MANDIR ?= $(PREFIX)/share/man
+diff --git a/policycoreutils/semodule/Makefile b/policycoreutils/semodule/Makefile
+index 9fbf99d6177e..73801e487a76 100644
+--- a/policycoreutils/semodule/Makefile
++++ b/policycoreutils/semodule/Makefile
+@@ -1,5 +1,5 @@
+ # Installation directories.
+-LINGUAS ?=
++LINGUAS ?= ru
+ PREFIX ?= /usr
+ SBINDIR ?= $(PREFIX)/sbin
+ MANDIR = $(PREFIX)/share/man
+diff --git a/policycoreutils/sestatus/Makefile b/policycoreutils/sestatus/Makefile
+index aebf050c2fb9..3dbb792bf5e5 100644
+--- a/policycoreutils/sestatus/Makefile
++++ b/policycoreutils/sestatus/Makefile
+@@ -1,5 +1,5 @@
+ # Installation directories.
+-LINGUAS ?=
++LINGUAS ?= ru
+ PREFIX ?= /usr
+ BINDIR ?= $(PREFIX)/bin
+ SBINDIR ?= $(PREFIX)/sbin
+diff --git a/policycoreutils/setfiles/Makefile b/policycoreutils/setfiles/Makefile
+index 84ffb08bf412..d7670a8ff54b 100644
+--- a/policycoreutils/setfiles/Makefile
++++ b/policycoreutils/setfiles/Makefile
+@@ -1,5 +1,5 @@
+ # Installation directories.
+-LINGUAS ?=
++LINGUAS ?= ru
+ PREFIX ?= /usr
+ SBINDIR ?= /sbin
+ MANDIR = $(PREFIX)/share/man
+diff --git a/policycoreutils/setsebool/Makefile b/policycoreutils/setsebool/Makefile
+index fc5b4ff63c01..c1440c1c04c8 100644
+--- a/policycoreutils/setsebool/Makefile
++++ b/policycoreutils/setsebool/Makefile
+@@ -1,5 +1,5 @@
+ # Installation directories.
+-LINGUAS ?=
++LINGUAS ?= ru
+ PREFIX ?= /usr
+ SBINDIR ?= $(PREFIX)/sbin
+ MANDIR = $(PREFIX)/share/man
+diff --git a/python/audit2allow/Makefile b/python/audit2allow/Makefile
+index fb04b8bdc72e..76bf4e37f9a3 100644
+--- a/python/audit2allow/Makefile
++++ b/python/audit2allow/Makefile
+@@ -2,7 +2,7 @@ PYTHON ?= python3
+ SECILC ?= secilc
+ 
+ # Installation directories.
+-LINGUAS ?=
++LINGUAS ?= ru
+ PREFIX ?= /usr
+ BINDIR ?= $(PREFIX)/bin
+ MANDIR ?= $(PREFIX)/share/man
+diff --git a/python/chcat/Makefile b/python/chcat/Makefile
+index 7b3ee17f49b1..e4873bf4ff8f 100644
+--- a/python/chcat/Makefile
++++ b/python/chcat/Makefile
+@@ -1,5 +1,5 @@
+ # Installation directories.
+-LINGUAS ?=
++LINGUAS ?= ru
+ PREFIX ?= /usr
+ BINDIR ?= $(PREFIX)/bin
+ MANDIR ?= $(PREFIX)/share/man
+diff --git a/python/semanage/Makefile b/python/semanage/Makefile
+index 628d135a8606..b53ee33db6ac 100644
+--- a/python/semanage/Makefile
++++ b/python/semanage/Makefile
+@@ -1,7 +1,7 @@
+ PYTHON ?= python3
+ 
+ # Installation directories.
+-LINGUAS ?=
++LINGUAS ?= ru
+ PREFIX ?= /usr
+ SBINDIR ?= $(PREFIX)/sbin
+ MANDIR = $(PREFIX)/share/man
+diff --git a/python/sepolicy/Makefile b/python/sepolicy/Makefile
+index 1a26cfdce6cc..4e9e93d0779e 100644
+--- a/python/sepolicy/Makefile
++++ b/python/sepolicy/Makefile
+@@ -1,7 +1,7 @@
+ PYTHON ?= python3
+ 
+ # Installation directories.
+-LINGUAS ?=
++LINGUAS ?= ru
+ PREFIX ?= /usr
+ BINDIR ?= $(PREFIX)/bin
+ MANDIR ?= $(PREFIX)/share/man
+diff --git a/restorecond/Makefile b/restorecond/Makefile
+index 1ddfcc9265ce..8e9a5ef1cfa1 100644
+--- a/restorecond/Makefile
++++ b/restorecond/Makefile
+@@ -1,7 +1,7 @@
+ PKG_CONFIG ?= pkg-config
+ 
+ # Installation directories.
+-LINGUAS ?=
++LINGUAS ?= ru
+ PREFIX ?= /usr
+ SBINDIR ?= $(PREFIX)/sbin
+ MANDIR = $(PREFIX)/share/man
+diff --git a/sandbox/Makefile b/sandbox/Makefile
+index 360a8bc5c125..84cb5a39bf7e 100644
+--- a/sandbox/Makefile
++++ b/sandbox/Makefile
+@@ -1,7 +1,7 @@
+ PYTHON ?= python3
+ 
+ # Installation directories.
+-LINGUAS ?=
++LINGUAS ?= ru
+ PREFIX ?= /usr
+ SYSCONFDIR ?= /etc/sysconfig
+ BINDIR ?= $(PREFIX)/bin
+diff --git a/semodule-utils/semodule_expand/Makefile b/semodule-utils/semodule_expand/Makefile
+index ad776b15166c..e63dcff246d9 100644
+--- a/semodule-utils/semodule_expand/Makefile
++++ b/semodule-utils/semodule_expand/Makefile
+@@ -1,5 +1,5 @@
+ # Installation directories.
+-LINGUAS ?=
++LINGUAS ?= ru
+ PREFIX ?= /usr
+ BINDIR ?= $(PREFIX)/bin
+ MANDIR ?= $(PREFIX)/share/man
+diff --git a/semodule-utils/semodule_link/Makefile b/semodule-utils/semodule_link/Makefile
+index 936d161cc16f..c5cf69cd9ca3 100644
+--- a/semodule-utils/semodule_link/Makefile
++++ b/semodule-utils/semodule_link/Makefile
+@@ -1,5 +1,5 @@
+ # Installation directories.
+-LINGUAS ?=
++LINGUAS ?= ru
+ PREFIX ?= /usr
+ BINDIR ?= $(PREFIX)/bin
+ MANDIR ?= $(PREFIX)/share/man
+diff --git a/semodule-utils/semodule_package/Makefile b/semodule-utils/semodule_package/Makefile
+index 6a289f732a7e..680ab836cfe6 100644
+--- a/semodule-utils/semodule_package/Makefile
++++ b/semodule-utils/semodule_package/Makefile
+@@ -1,5 +1,5 @@
+ # Installation directories.
+-LINGUAS ?=
++LINGUAS ?= ru
+ PREFIX ?= /usr
+ BINDIR ?= $(PREFIX)/bin
+ MANDIR ?= $(PREFIX)/share/man
+-- 
+2.41.0
+

SOURCES/0011-Revert-semodule-utils-Remove-the-Russian-translation.patch

@@ -0,0 +1,180 @@
+From 3895de8ec117fc9a9368ac34d8cc89805ac65b1e Mon Sep 17 00:00:00 2001
+From: Petr Lautrbach <lautrbach@redhat.com>
+Date: Mon, 13 Nov 2023 13:37:44 +0100
+Subject: [PATCH] Revert "semodule-utils: Remove the Russian translations"
+Content-type: text/plain
+
+This reverts commit 5149c39a4ed20ab170f4c4ae1893ff68cf7b7b21.
+---
+ .../semodule_expand/ru/semodule_expand.8      | 31 ++++++++++++
+ .../semodule_link/ru/semodule_link.8          | 32 +++++++++++++
+ .../semodule_package/ru/semodule_package.8    | 48 +++++++++++++++++++
+ .../semodule_package/ru/semodule_unpackage.8  | 24 ++++++++++
+ 4 files changed, 135 insertions(+)
+ create mode 100644 semodule-utils/semodule_expand/ru/semodule_expand.8
+ create mode 100644 semodule-utils/semodule_link/ru/semodule_link.8
+ create mode 100644 semodule-utils/semodule_package/ru/semodule_package.8
+ create mode 100644 semodule-utils/semodule_package/ru/semodule_unpackage.8
+
+diff --git a/semodule-utils/semodule_expand/ru/semodule_expand.8 b/semodule-utils/semodule_expand/ru/semodule_expand.8
+new file mode 100644
+index 000000000000..28b381af6001
+--- /dev/null
++++ b/semodule-utils/semodule_expand/ru/semodule_expand.8
+@@ -0,0 +1,31 @@
++.TH SEMODULE_EXPAND "8" "ноябрь 2005" "Security Enhanced Linux"
++.SH ИМЯ 
++semodule_expand \- расширить пакет модуля политики SELinux
++
++.SH ОБЗОР
++.B semodule_expand [-V ] [ -a ] [ -c [version]] basemodpkg outputfile
++.br
++.SH ОПИСАНИЕ
++.PP
++semodule_expand - утилита разработки для ручного расширения пакета базового модуля политики в двоичный файл политики ядра.
++Это средство не является необходимым для нормальной работы SELinux. Обычно такое расширение выполняется libsemanage внутренним образом в ответ на команды semodule. Пакеты базовых модулей политики можно создавать непосредственно с помощью semodule_package или semodule_link (при связывании набора пакетов в один пакет).
++
++.SH "ПАРАМЕТРЫ"
++.TP
++.B \-V
++Показать версию
++.TP
++.B \-c [version]
++Версия политики, которую следует создать
++.TP
++.B \-a
++Не проверять утверждения. При использовании этого параметра политика не будет проверять запрещающие правила (neverallow).
++
++.SH СМОТРИТЕ ТАКЖЕ
++.B checkmodule(8), semodule_package(8), semodule(8), semodule_link(8)
++(8),
++.SH АВТОРЫ
++.nf
++Эта страница руководства была написана Dan Walsh <dwalsh@redhat.com>.
++Программа была написана Karl MacMillan <kmacmillan@tresys.com>, Joshua Brindle <jbrindle@tresys.com>.
++Перевод на русский язык выполнила Герасименко Олеся <gammaray@basealt.ru>.
+diff --git a/semodule-utils/semodule_link/ru/semodule_link.8 b/semodule-utils/semodule_link/ru/semodule_link.8
+new file mode 100644
+index 000000000000..4a8f414e0e8e
+--- /dev/null
++++ b/semodule-utils/semodule_link/ru/semodule_link.8
+@@ -0,0 +1,32 @@
++.TH SEMODULE_LINK "8" "Ноябрь 2005" "Security Enhanced Linux"
++.SH ИМЯ 
++semodule_link \- связать вместе пакеты модулей политики SELinux
++
++.SH ОБЗОР
++.B semodule_link [-Vv] [-o outfile] basemodpkg modpkg1 [modpkg2]...
++.br
++.SH ОПИСАНИЕ
++.PP
++semodule_link - утилита разработки для ручного связывания набора пакетов модулей политики SELinux в один пакет модулей политики. 
++Это средство не является необходимым для нормальной работы SELinux. Обычно такое связывание выполняется libsemanage внутренним образом в ответ на команды semodule. Пакеты модулей создаются с помощью semodule_package.
++
++.SH "ПАРАМЕТРЫ"
++.TP
++.B \-V
++Показать версию
++.TP
++.B \-v
++Подробный режим
++.TP
++.B \-o <output file> 
++Связанный пакет модулей политики, созданный с помощью этого средства
++
++
++.SH СМОТРИТЕ ТАКЖЕ
++.B checkmodule(8), semodule_package(8), semodule(8), semodule_expand(8)
++(8),
++.SH АВТОРЫ
++.nf
++Эта страница руководства была написана Dan Walsh <dwalsh@redhat.com>.
++Программа была написана Karl MacMillan <kmacmillan@tresys.com>.
++Перевод на русский язык выполнила Герасименко Олеся <gammaray@basealt.ru>.
+diff --git a/semodule-utils/semodule_package/ru/semodule_package.8 b/semodule-utils/semodule_package/ru/semodule_package.8
+new file mode 100644
+index 000000000000..3f4b16a93322
+--- /dev/null
++++ b/semodule-utils/semodule_package/ru/semodule_package.8
+@@ -0,0 +1,48 @@
++.TH SEMODULE_PACKAGE "8" "Ноябрь 2005" "Security Enhanced Linux"
++.SH ИМЯ 
++semodule_package \- создать пакет модуля политики SELinux
++
++.SH ОБЗОР
++.B semodule_package \-o <output file> \-m <module> [\-f <file contexts>]
++.br
++.SH ОПИСАНИЕ
++.PP
++semodule_package - утилита, которая используется для создания пакета модуля политики SELinux из двоичного модуля политики и (необязательно) других данных, таких как контексты файлов. Команда semodule_package упаковывает двоичные модули политики, созданные с помощью checkmodule. Пакет политики, созданный с помощью semodule_package, затем можно установить через semodule. 
++
++.SH ПРИМЕР
++.nf
++# Собрать пакет политики для базового модуля.
++$ semodule_package \-o base.pp \-m base.mod \-f file_contexts
++# Собрать пакет политики для модуля httpd.
++$ semodule_package \-o httpd.pp \-m httpd.mod \-f httpd.fc
++# Собрать пакет политики для локальных правил принудительного присвоения типов, не включая контексты файлов.
++$ semodule_package \-o local.pp \-m local.mod
++.fi
++
++.SH "ПАРАМЕТРЫ"
++.TP
++.B \-o \-\-outfile <output file> 
++Файл пакета модуля политики, созданный этим средством.
++.TP
++.B  \-s \-\-seuser <seuser file>
++Файл seuser, который следует включить в пакет.
++.TP
++.B  \-u \-\-user_extra <user extra file>
++Файл user_extra, который следует включить в пакет.
++.TP
++.B  \-m \-\-module <Module file>
++Файл модуля политики, который следует включить в пакет.
++.TP
++.B  \-f \-\-fc <File context file>
++Файл контекстов файлов для модуля (необязательно).
++.TP
++.B  \-n \-\-nc <netfilter context file>
++Файл контекста netfilter, который следует включить в пакет.
++
++.SH СМОТРИТЕ ТАКЖЕ
++.B checkmodule(8), semodule(8), semodule_unpackage(8)
++.SH АВТОРЫ
++.nf
++Эта страница руководства была написана Dan Walsh <dwalsh@redhat.com>.
++Программа была написана Karl MacMillan <kmacmillan@tresys.com>.
++Перевод на русский язык выполнила Герасименко Олеся <gammaray@basealt.ru>.
+diff --git a/semodule-utils/semodule_package/ru/semodule_unpackage.8 b/semodule-utils/semodule_package/ru/semodule_unpackage.8
+new file mode 100644
+index 000000000000..057ae3d752f7
+--- /dev/null
++++ b/semodule-utils/semodule_package/ru/semodule_unpackage.8
+@@ -0,0 +1,24 @@
++.TH SEMODULE_PACKAGE "8" "Ноябрь 2005" "Security Enhanced Linux"
++.SH ИМЯ
++semodule_unpackage \- извлечь модуль политики и файл контекстов файлов из пакета модуля политики SELinux
++
++.SH ОБЗОР
++.B semodule_unpackage ppfile modfile [fcfile]
++.br
++.SH ОПИСАНИЕ
++.PP
++semodule_unpackage - утилита, которая используется для извлечения файла модуля политики SELinux и файла контекстов файлов из пакета политики SELinux.
++
++.SH ПРИМЕР
++.nf
++# Извлечь файл модуля httpd из пакета политики httpd.
++$ semodule_unpackage httpd.pp httpd.mod httpd.fc
++.fi
++
++.SH СМОТРИТЕ ТАКЖЕ
++.B semodule_package(8)
++.SH АВТОРЫ
++.nf
++Эта страница руководства была написана Dan Walsh <dwalsh@redhat.com>.
++Программа была написана Stephen Smalley <stephen.smalley.work@gmail.com>.
++Перевод на русский язык выполнила Герасименко Олеся <gammaray@basealt.ru>.
+-- 
+2.41.0
+

SOURCES/0011-sepolicy-Another-small-optimization-for-mcs-types.patch

@@ -1,53 +0,0 @@
-From e54db76a3bff8e911ddd7c7ce834c024d634d9e1 Mon Sep 17 00:00:00 2001
-From: Petr Lautrbach <plautrba@redhat.com>
-Date: Tue, 28 Feb 2017 21:29:46 +0100
-Subject: [PATCH] sepolicy: Another small optimization for mcs types
-
----
- python/sepolicy/sepolicy/manpage.py | 16 +++++++++++-----
- 1 file changed, 11 insertions(+), 5 deletions(-)
-
-diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py
-index f8a94fc0..67d39301 100755
---- a/python/sepolicy/sepolicy/manpage.py
-+++ b/python/sepolicy/sepolicy/manpage.py
-@@ -142,6 +142,15 @@ def _gen_entry_types():
-         entry_types = next(sepolicy.info(sepolicy.ATTRIBUTE, "entry_type"))["types"]
-     return entry_types
- 
-+mcs_constrained_types = None
-+
-+def _gen_mcs_constrained_types():
-+    global mcs_constrained_types
-+    if mcs_constrained_types is None:
-+        mcs_constrained_types = next(sepolicy.info(sepolicy.ATTRIBUTE, "mcs_constrained_type"))
-+    return mcs_constrained_types
-+
-+
- types = None
- 
- def _gen_types():
-@@ -390,6 +399,7 @@ class ManPage:
-         self.types = _gen_types()
-         self.exec_types = _gen_exec_types()
-         self.entry_types = _gen_entry_types()
-+        self.mcs_constrained_types = _gen_mcs_constrained_types()
- 
-         if self.source_files:
-             self.fcpath = self.root + "file_contexts"
-@@ -944,11 +954,7 @@ All executeables with the default executable label, usually stored in /usr/bin a
- %s""" % ", ".join(paths))
- 
-     def _mcs_types(self):
--        try:
--            mcs_constrained_type = next(sepolicy.info(sepolicy.ATTRIBUTE, "mcs_constrained_type"))
--        except StopIteration:
--            return
--        if self.type not in mcs_constrained_type['types']:
-+        if self.type not in self.mcs_constrained_types['types']:
-             return
-         self.fd.write ("""
- .SH "MCS Constrained"
--- 
-2.21.0
-

SOURCES/0012-Move-po-translation-files-into-the-right-sub-directo.patch

@@ -1,515 +0,0 @@
-From 4015e9299bfda622e9d407cdbcc536000688aa8f Mon Sep 17 00:00:00 2001
-From: Petr Lautrbach <plautrba@redhat.com>
-Date: Mon, 6 Aug 2018 13:23:00 +0200
-Subject: [PATCH] Move po/ translation files into the right sub-directories
-
-When policycoreutils was split into policycoreutils/ python/ gui/ and sandbox/
-sub-directories, po/ translation files stayed in policycoreutils/.
-
-This commit split original policycoreutils/po directory into
-policycoreutils/po
-python/po
-gui/po
-sandbox/po
-
-See https://github.com/fedora-selinux/selinux/issues/43
----
- gui/Makefile                |  3 ++
- gui/po/Makefile             | 82 ++++++++++++++++++++++++++++++++++++
- gui/po/POTFILES             | 17 ++++++++
- policycoreutils/po/Makefile | 70 ++-----------------------------
- policycoreutils/po/POTFILES |  9 ++++
- python/Makefile             |  2 +-
- python/po/Makefile          | 83 +++++++++++++++++++++++++++++++++++++
- python/po/POTFILES          | 10 +++++
- sandbox/Makefile            |  2 +
- sandbox/po/Makefile         | 82 ++++++++++++++++++++++++++++++++++++
- sandbox/po/POTFILES         |  1 +
- 11 files changed, 293 insertions(+), 68 deletions(-)
- create mode 100644 gui/po/Makefile
- create mode 100644 gui/po/POTFILES
- create mode 100644 policycoreutils/po/POTFILES
- create mode 100644 python/po/Makefile
- create mode 100644 python/po/POTFILES
- create mode 100644 sandbox/po/Makefile
- create mode 100644 sandbox/po/POTFILES
-
-diff --git a/gui/Makefile b/gui/Makefile
-index ca965c94..5a5bf6dc 100644
---- a/gui/Makefile
-+++ b/gui/Makefile
-@@ -22,6 +22,7 @@ system-config-selinux.ui \
- usersPage.py
- 
- all: $(TARGETS) system-config-selinux.py polgengui.py
-+	(cd po && $(MAKE) $@)
- 
- install: all
- 	-mkdir -p $(DESTDIR)$(MANDIR)/man8
-@@ -54,6 +55,8 @@ install: all
- 		install -m 644 sepolicy_$${i}.png $(DESTDIR)$(DATADIR)/icons/hicolor/$${i}x$${i}/apps/sepolicy.png; \
- 	done
- 	install -m 644 org.selinux.config.policy $(DESTDIR)$(DATADIR)/polkit-1/actions/
-+	(cd po && $(MAKE) $@)
-+
- clean:
- 
- indent:
-diff --git a/gui/po/Makefile b/gui/po/Makefile
-new file mode 100644
-index 00000000..a0f5439f
---- /dev/null
-+++ b/gui/po/Makefile
-@@ -0,0 +1,82 @@
-+#
-+# Makefile for the PO files (translation) catalog
-+#
-+
-+PREFIX ?= /usr
-+
-+# What is this package?
-+NLSPACKAGE	= gui
-+POTFILE		= $(NLSPACKAGE).pot
-+INSTALL		= /usr/bin/install -c -p
-+INSTALL_DATA	= $(INSTALL) -m 644
-+INSTALL_DIR	= /usr/bin/install -d
-+
-+# destination directory
-+INSTALL_NLS_DIR = $(PREFIX)/share/locale
-+
-+# PO catalog handling
-+MSGMERGE	= msgmerge
-+MSGMERGE_FLAGS	= -q
-+XGETTEXT	= xgettext --default-domain=$(NLSPACKAGE)
-+MSGFMT		= msgfmt
-+
-+# All possible linguas
-+PO_LINGUAS := $(sort $(patsubst %.po,%,$(wildcard *.po)))
-+
-+# Only the files matching what the user has set in LINGUAS
-+USER_LINGUAS := $(filter $(patsubst %,%%,$(LINGUAS)),$(PO_LINGUAS))
-+
-+# if no valid LINGUAS, build all languages
-+USE_LINGUAS := $(if $(USER_LINGUAS),$(USER_LINGUAS),$(PO_LINGUAS))
-+
-+POFILES		= $(patsubst %,%.po,$(USE_LINGUAS))
-+MOFILES		= $(patsubst %.po,%.mo,$(POFILES))
-+POTFILES  = $(shell cat POTFILES)
-+
-+#default:: clean
-+
-+all::  $(MOFILES)
-+
-+$(POTFILE): $(POTFILES)
-+	$(XGETTEXT) --keyword=_ --keyword=N_ $(POTFILES)
-+	@if cmp -s $(NLSPACKAGE).po $(POTFILE); then \
-+	    rm -f $(NLSPACKAGE).po; \
-+	else \
-+	    mv -f $(NLSPACKAGE).po $(POTFILE); \
-+	fi; \
-+
-+
-+refresh-po: Makefile
-+	for cat in $(POFILES); do \
-+		lang=`basename $$cat .po`; \
-+		if $(MSGMERGE) $(MSGMERGE_FLAGS) $$lang.po $(POTFILE) > $$lang.pot ; then \
-+			mv -f $$lang.pot $$lang.po ; \
-+			echo "$(MSGMERGE) of $$lang succeeded" ; \
-+		else \
-+			echo "$(MSGMERGE) of $$lang failed" ; \
-+			rm -f $$lang.pot ; \
-+		fi \
-+	done
-+
-+clean:
-+	@rm -fv *mo *~ .depend
-+	@rm -rf tmp
-+
-+install: $(MOFILES)
-+	@for n in $(MOFILES); do \
-+	    l=`basename $$n .mo`; \
-+	    $(INSTALL_DIR) $(DESTDIR)$(INSTALL_NLS_DIR)/$$l/LC_MESSAGES; \
-+	    $(INSTALL_DATA) --verbose $$n $(DESTDIR)$(INSTALL_NLS_DIR)/$$l/LC_MESSAGES/selinux-$(NLSPACKAGE).mo; \
-+	done
-+
-+%.mo: %.po
-+	$(MSGFMT) -o $@ $<
-+report:
-+	@for cat in $(wildcard *.po); do \
-+                echo -n "$$cat: "; \
-+                msgfmt -v --statistics -o /dev/null $$cat; \
-+        done
-+
-+.PHONY: missing depend
-+
-+relabel:
-diff --git a/gui/po/POTFILES b/gui/po/POTFILES
-new file mode 100644
-index 00000000..1795c5c1
---- /dev/null
-+++ b/gui/po/POTFILES
-@@ -0,0 +1,17 @@
-+../booleansPage.py
-+../domainsPage.py
-+../fcontextPage.py
-+../loginsPage.py
-+../modulesPage.py
-+../org.selinux.config.policy
-+../polgengui.py
-+../polgen.ui
-+../portsPage.py
-+../selinux-polgengui.desktop
-+../semanagePage.py
-+../sepolicy.desktop
-+../statusPage.py
-+../system-config-selinux.desktop
-+../system-config-selinux.py
-+../system-config-selinux.ui
-+../usersPage.py
-diff --git a/policycoreutils/po/Makefile b/policycoreutils/po/Makefile
-index 575e1431..18bc1dff 100644
---- a/policycoreutils/po/Makefile
-+++ b/policycoreutils/po/Makefile
-@@ -3,7 +3,6 @@
- #
- 
- PREFIX ?= /usr
--TOP	 = ../..
- 
- # What is this package?
- NLSPACKAGE	= policycoreutils
-@@ -32,74 +31,13 @@ USE_LINGUAS := $(if $(USER_LINGUAS),$(USER_LINGUAS),$(PO_LINGUAS))
- 
- POFILES		= $(patsubst %,%.po,$(USE_LINGUAS))
- MOFILES		= $(patsubst %.po,%.mo,$(POFILES))
--POTFILES = \
--	../run_init/open_init_pty.c \
--	../run_init/run_init.c \
--	../semodule_link/semodule_link.c \
--	../audit2allow/audit2allow \
--	../semanage/seobject.py \
--	../setsebool/setsebool.c \
--	../newrole/newrole.c \
--	../load_policy/load_policy.c \
--	../sestatus/sestatus.c \
--	../semodule/semodule.c \
--	../setfiles/setfiles.c \
--	../semodule_package/semodule_package.c \
--	../semodule_deps/semodule_deps.c \
--	../semodule_expand/semodule_expand.c \
--	../scripts/chcat \
--	../scripts/fixfiles \
--	../restorecond/stringslist.c \
--	../restorecond/restorecond.h \
--	../restorecond/utmpwatcher.h \
--	../restorecond/stringslist.h \
--	../restorecond/restorecond.c \
--	../restorecond/utmpwatcher.c \
--	../gui/booleansPage.py \
--	../gui/fcontextPage.py \
--	../gui/loginsPage.py \
--	../gui/mappingsPage.py \
--	../gui/modulesPage.py \
--	../gui/polgen.glade \
--	../gui/polgengui.py \
--	../gui/portsPage.py \
--	../gui/semanagePage.py \
--	../gui/statusPage.py \
--	../gui/system-config-selinux.glade \
--	../gui/system-config-selinux.py \
--	../gui/usersPage.py \
--	../secon/secon.c \
--	booleans.py \
--	../sepolicy/sepolicy.py \
--	../sepolicy/sepolicy/communicate.py \
--	../sepolicy/sepolicy/__init__.py \
--	../sepolicy/sepolicy/network.py \
--	../sepolicy/sepolicy/generate.py \
--	../sepolicy/sepolicy/sepolicy.glade \
--	../sepolicy/sepolicy/gui.py \
--	../sepolicy/sepolicy/manpage.py \
--	../sepolicy/sepolicy/transition.py \
--	../sepolicy/sepolicy/templates/executable.py \
--	../sepolicy/sepolicy/templates/__init__.py \
--	../sepolicy/sepolicy/templates/network.py \
--	../sepolicy/sepolicy/templates/rw.py \
--	../sepolicy/sepolicy/templates/script.py \
--	../sepolicy/sepolicy/templates/semodule.py \
--	../sepolicy/sepolicy/templates/tmp.py \
--	../sepolicy/sepolicy/templates/user.py \
--	../sepolicy/sepolicy/templates/var_lib.py \
--	../sepolicy/sepolicy/templates/var_log.py \
--	../sepolicy/sepolicy/templates/var_run.py \
--	../sepolicy/sepolicy/templates/var_spool.py
-+POTFILES  = $(shell cat POTFILES)
- 
- #default:: clean
- 
--all::  $(MOFILES)
-+all:: $(POTFILE) $(MOFILES)
- 
--booleans.py:
--	sepolicy booleans -a > booleans.py
--
--$(POTFILE): $(POTFILES) booleans.py
-+$(POTFILE): $(POTFILES)
- 	$(XGETTEXT) --keyword=_ --keyword=N_ $(POTFILES)
- 	@if cmp -s $(NLSPACKAGE).po $(POTFILE); then \
- 	    rm -f $(NLSPACKAGE).po; \
-@@ -107,8 +45,6 @@ $(POTFILE): $(POTFILES) booleans.py
- 	    mv -f $(NLSPACKAGE).po $(POTFILE); \
- 	fi; \
- 
--update-po: Makefile $(POTFILE) refresh-po
--	@rm -f booleans.py
- 
- refresh-po: Makefile
- 	for cat in $(POFILES); do \
-diff --git a/policycoreutils/po/POTFILES b/policycoreutils/po/POTFILES
-new file mode 100644
-index 00000000..12237dc6
---- /dev/null
-+++ b/policycoreutils/po/POTFILES
-@@ -0,0 +1,9 @@
-+../run_init/open_init_pty.c
-+../run_init/run_init.c
-+../setsebool/setsebool.c
-+../newrole/newrole.c
-+../load_policy/load_policy.c
-+../sestatus/sestatus.c
-+../semodule/semodule.c
-+../setfiles/setfiles.c
-+../secon/secon.c
-diff --git a/python/Makefile b/python/Makefile
-index 9b66d52f..00312dbd 100644
---- a/python/Makefile
-+++ b/python/Makefile
-@@ -1,4 +1,4 @@
--SUBDIRS = sepolicy audit2allow semanage sepolgen chcat
-+SUBDIRS = sepolicy audit2allow semanage sepolgen chcat po
- 
- all install relabel clean indent test:
- 	@for subdir in $(SUBDIRS); do \
-diff --git a/python/po/Makefile b/python/po/Makefile
-new file mode 100644
-index 00000000..4e052d5a
---- /dev/null
-+++ b/python/po/Makefile
-@@ -0,0 +1,83 @@
-+#
-+# Makefile for the PO files (translation) catalog
-+#
-+
-+PREFIX ?= /usr
-+
-+# What is this package?
-+NLSPACKAGE	= python
-+POTFILE		= $(NLSPACKAGE).pot
-+INSTALL		= /usr/bin/install -c -p
-+INSTALL_DATA	= $(INSTALL) -m 644
-+INSTALL_DIR	= /usr/bin/install -d
-+
-+# destination directory
-+INSTALL_NLS_DIR = $(PREFIX)/share/locale
-+
-+# PO catalog handling
-+MSGMERGE	= msgmerge
-+MSGMERGE_FLAGS	= -q
-+XGETTEXT	= xgettext --default-domain=$(NLSPACKAGE)
-+MSGFMT		= msgfmt
-+
-+# All possible linguas
-+PO_LINGUAS := $(sort $(patsubst %.po,%,$(wildcard *.po)))
-+
-+# Only the files matching what the user has set in LINGUAS
-+USER_LINGUAS := $(filter $(patsubst %,%%,$(LINGUAS)),$(PO_LINGUAS))
-+
-+# if no valid LINGUAS, build all languages
-+USE_LINGUAS := $(if $(USER_LINGUAS),$(USER_LINGUAS),$(PO_LINGUAS))
-+
-+POFILES		= $(patsubst %,%.po,$(USE_LINGUAS))
-+MOFILES		= $(patsubst %.po,%.mo,$(POFILES))
-+POTFILES  = $(shell cat POTFILES)
-+
-+#default:: clean
-+
-+all::  $(MOFILES)
-+
-+$(POTFILE): $(POTFILES) 
-+	$(XGETTEXT) -L Python --keyword=_ --keyword=N_ $(POTFILES)
-+	$(XGETTEXT) -j --keyword=_ --keyword=N_ ../sepolicy/sepolicy/sepolicy.glade
-+	@if cmp -s $(NLSPACKAGE).po $(POTFILE); then \
-+	    rm -f $(NLSPACKAGE).po; \
-+	else \
-+	    mv -f $(NLSPACKAGE).po $(POTFILE); \
-+	fi; \
-+
-+
-+refresh-po: Makefile
-+	for cat in $(POFILES); do \
-+		lang=`basename $$cat .po`; \
-+		if $(MSGMERGE) $(MSGMERGE_FLAGS) $$lang.po $(POTFILE) > $$lang.pot ; then \
-+			mv -f $$lang.pot $$lang.po ; \
-+			echo "$(MSGMERGE) of $$lang succeeded" ; \
-+		else \
-+			echo "$(MSGMERGE) of $$lang failed" ; \
-+			rm -f $$lang.pot ; \
-+		fi \
-+	done
-+
-+clean:
-+	@rm -fv *mo *~ .depend
-+	@rm -rf tmp
-+
-+install: $(MOFILES)
-+	@for n in $(MOFILES); do \
-+	    l=`basename $$n .mo`; \
-+	    $(INSTALL_DIR) $(DESTDIR)$(INSTALL_NLS_DIR)/$$l/LC_MESSAGES; \
-+	    $(INSTALL_DATA) --verbose $$n $(DESTDIR)$(INSTALL_NLS_DIR)/$$l/LC_MESSAGES/selinux-$(NLSPACKAGE).mo; \
-+	done
-+
-+%.mo: %.po
-+	$(MSGFMT) -o $@ $<
-+report:
-+	@for cat in $(wildcard *.po); do \
-+                echo -n "$$cat: "; \
-+                msgfmt -v --statistics -o /dev/null $$cat; \
-+        done
-+
-+.PHONY: missing depend
-+
-+relabel:
-diff --git a/python/po/POTFILES b/python/po/POTFILES
-new file mode 100644
-index 00000000..128eb870
---- /dev/null
-+++ b/python/po/POTFILES
-@@ -0,0 +1,10 @@
-+../audit2allow/audit2allow
-+../chcat/chcat
-+../semanage/semanage
-+../semanage/seobject.py
-+../sepolgen/src/sepolgen/interfaces.py
-+../sepolicy/sepolicy/generate.py
-+../sepolicy/sepolicy/gui.py
-+../sepolicy/sepolicy/__init__.py
-+../sepolicy/sepolicy/interface.py
-+../sepolicy/sepolicy.py
-diff --git a/sandbox/Makefile b/sandbox/Makefile
-index 9da5e58d..b817824e 100644
---- a/sandbox/Makefile
-+++ b/sandbox/Makefile
-@@ -13,6 +13,7 @@ override LDLIBS += -lselinux -lcap-ng
- SEUNSHARE_OBJS = seunshare.o
- 
- all: sandbox seunshare sandboxX.sh start
-+	(cd po && $(MAKE) $@)
- 
- seunshare: $(SEUNSHARE_OBJS)
- 
-@@ -39,6 +40,7 @@ install: all
- 	install -m 755 start $(DESTDIR)$(SHAREDIR)
- 	-mkdir -p $(DESTDIR)$(SYSCONFDIR)
- 	install -m 644 sandbox.conf $(DESTDIR)$(SYSCONFDIR)/sandbox
-+	(cd po && $(MAKE) $@)
- 
- test:
- 	@$(PYTHON) test_sandbox.py -v
-diff --git a/sandbox/po/Makefile b/sandbox/po/Makefile
-new file mode 100644
-index 00000000..0556bbe9
---- /dev/null
-+++ b/sandbox/po/Makefile
-@@ -0,0 +1,82 @@
-+#
-+# Makefile for the PO files (translation) catalog
-+#
-+
-+PREFIX ?= /usr
-+
-+# What is this package?
-+NLSPACKAGE	= sandbox
-+POTFILE		= $(NLSPACKAGE).pot
-+INSTALL		= /usr/bin/install -c -p
-+INSTALL_DATA	= $(INSTALL) -m 644
-+INSTALL_DIR	= /usr/bin/install -d
-+
-+# destination directory
-+INSTALL_NLS_DIR = $(PREFIX)/share/locale
-+
-+# PO catalog handling
-+MSGMERGE	= msgmerge
-+MSGMERGE_FLAGS	= -q
-+XGETTEXT	= xgettext -L Python --default-domain=$(NLSPACKAGE)
-+MSGFMT		= msgfmt
-+
-+# All possible linguas
-+PO_LINGUAS := $(sort $(patsubst %.po,%,$(wildcard *.po)))
-+
-+# Only the files matching what the user has set in LINGUAS
-+USER_LINGUAS := $(filter $(patsubst %,%%,$(LINGUAS)),$(PO_LINGUAS))
-+
-+# if no valid LINGUAS, build all languages
-+USE_LINGUAS := $(if $(USER_LINGUAS),$(USER_LINGUAS),$(PO_LINGUAS))
-+
-+POFILES		= $(patsubst %,%.po,$(USE_LINGUAS))
-+MOFILES		= $(patsubst %.po,%.mo,$(POFILES))
-+POTFILES  = $(shell cat POTFILES)
-+
-+#default:: clean
-+
-+all:: $(POTFILE) $(MOFILES)
-+
-+$(POTFILE): $(POTFILES)
-+	$(XGETTEXT) --keyword=_ --keyword=N_ $(POTFILES)
-+	@if cmp -s $(NLSPACKAGE).po $(POTFILE); then \
-+	    rm -f $(NLSPACKAGE).po; \
-+	else \
-+	    mv -f $(NLSPACKAGE).po $(POTFILE); \
-+	fi; \
-+
-+
-+refresh-po: Makefile
-+	for cat in $(POFILES); do \
-+		lang=`basename $$cat .po`; \
-+		if $(MSGMERGE) $(MSGMERGE_FLAGS) $$lang.po $(POTFILE) > $$lang.pot ; then \
-+			mv -f $$lang.pot $$lang.po ; \
-+			echo "$(MSGMERGE) of $$lang succeeded" ; \
-+		else \
-+			echo "$(MSGMERGE) of $$lang failed" ; \
-+			rm -f $$lang.pot ; \
-+		fi \
-+	done
-+
-+clean:
-+	@rm -fv *mo *~ .depend
-+	@rm -rf tmp
-+
-+install: $(MOFILES)
-+	@for n in $(MOFILES); do \
-+	    l=`basename $$n .mo`; \
-+	    $(INSTALL_DIR) $(DESTDIR)$(INSTALL_NLS_DIR)/$$l/LC_MESSAGES; \
-+	    $(INSTALL_DATA) --verbose $$n $(DESTDIR)$(INSTALL_NLS_DIR)/$$l/LC_MESSAGES/selinux-$(NLSPACKAGE).mo; \
-+	done
-+
-+%.mo: %.po
-+	$(MSGFMT) -o $@ $<
-+report:
-+	@for cat in $(wildcard *.po); do \
-+                echo -n "$$cat: "; \
-+                msgfmt -v --statistics -o /dev/null $$cat; \
-+        done
-+
-+.PHONY: missing depend
-+
-+relabel:
-diff --git a/sandbox/po/POTFILES b/sandbox/po/POTFILES
-new file mode 100644
-index 00000000..deff3f2f
---- /dev/null
-+++ b/sandbox/po/POTFILES
-@@ -0,0 +1 @@
-+../sandbox
--- 
-2.21.0
-

SOURCES/0012-Revert-sandbox-Remove-the-Russian-translations.patch

@@ -0,0 +1,221 @@
+From 77b0ab65d1440d47395ec9d2091c15f63ef07c4a Mon Sep 17 00:00:00 2001
+From: Petr Lautrbach <lautrbach@redhat.com>
+Date: Mon, 13 Nov 2023 13:37:46 +0100
+Subject: [PATCH] Revert "sandbox: Remove the Russian translations"
+Content-type: text/plain
+
+This reverts commit 8b2148f23853891eda00a4758cef2370880eb90c.
+---
+ sandbox/ru/sandbox.5   |  42 +++++++++++++++++
+ sandbox/ru/sandbox.8   | 100 +++++++++++++++++++++++++++++++++++++++++
+ sandbox/ru/seunshare.8 |  42 +++++++++++++++++
+ 3 files changed, 184 insertions(+)
+ create mode 100644 sandbox/ru/sandbox.5
+ create mode 100644 sandbox/ru/sandbox.8
+ create mode 100644 sandbox/ru/seunshare.8
+
+diff --git a/sandbox/ru/sandbox.5 b/sandbox/ru/sandbox.5
+new file mode 100644
+index 000000000000..69e822d8ad22
+--- /dev/null
++++ b/sandbox/ru/sandbox.5
+@@ -0,0 +1,42 @@
++.TH sandbox.conf "5" "Июнь 2010" "sandbox.conf" "Администрирование системы Linux"
++.SH ИМЯ
++sandbox.conf \- файл конфигурации пользователей для изолированной среды SELinux
++.SH ОПИСАНИЕ
++.PP
++Если изолированная среда запускается с аргументом -C, она будет ограничена с помощью групп управления. Системный администратор может указать, как именно ограничить изолированную среду.
++
++.PP
++Весь текст после "#" игнорируется, как и пустые строки. Все аргументы должны быть разделены пробелами и иметь знаки равенства ("=").
++
++.PP
++Эти ключевые слова разрешены.
++
++.RS
++.TP
++.B NAME
++Имя группы управления изолированной средой.  По умолчанию: "sandbox".
++
++.TP
++.B CPUAFFINITY
++Определяет, каким процессорам назначить изолированную среду. По умолчанию она назначается всем процессорам (ALL), но пользователи могут указать разделённый запятыми список с дефисами ("-"), чтобы представить диапазоны. Пример: 0-2,5
++
++.TP
++.B MEMUSAGE
++Определяет, сколько памяти разрешается использовать изолированной среде. Значение по умолчанию: 80%. Пользователи могут указать либо процентное значение, либо значение в виде числа, за которым следует суффикс  K, M, G, для соответствующего обозначения килобайтов, мегабайтов или гигабайтов. Пример: 50% или 100M
++
++.TP
++.B CPUUSAGE
++Процент использования ЦП, разрешённый для изолированной среды. По умолчанию: 80%. Укажите значение, за которым следует знак процента ("%"). Пример: 50%
++
++
++
++.SH "СМОТРИТЕ ТАКЖЕ"
++.TP
++sandbox(8)
++.PP
++
++.SH АВТОРЫ
++Эта страница руководства была написана
++.I Thomas Liu <tliu@fedoraproject.org>.
++Перевод на русский язык выполнила
++.I Герасименко Олеся <gammaray@basealt.ru>.
+diff --git a/sandbox/ru/sandbox.8 b/sandbox/ru/sandbox.8
+new file mode 100644
+index 000000000000..5e6e0aad57e8
+--- /dev/null
++++ b/sandbox/ru/sandbox.8
+@@ -0,0 +1,100 @@
++.TH SANDBOX "8" "Май 2010" "sandbox" "Команды пользователя"
++.SH ИМЯ
++sandbox \- выполнить приложение cmd в изолированной среде SELinux
++.SH ОБЗОР
++.B sandbox
++[\-C] [\-s] [ \-d DPI ] [\-l level ] [[\-M | \-X]  \-H homedir \-T tempdir ] [\-I includefile ] [ \-W windowmanager ] [ \-w windowsize ] [[\-i file ]...] [ \-t type ] cmd
++
++.br
++.B sandbox
++[\-C] [\-s] [ \-d DPI ] [\-l level ] [[\-M | \-X]  \-H homedir \-T tempdir ] [\-I includefile ] [ \-W windowmanager ] [ \-w windowsize ] [[\-i file ]...] [ \-t type ] \-S
++.br
++.SH ОПИСАНИЕ
++.PP
++Выполнить приложение
++.I cmd 
++в строго ограниченном домене SELinux. По умолчанию в домене изолированной среды приложения могут только читать и записывать stdin, stdout и любые другие передаваемые дескрипторы файлов. Открывать другие файлы нельзя. Параметр \-M позволяет смонтировать альтернативные домашний каталог и временный каталог, которые будут использоваться изолированной средой.
++
++Если установлен пакет 
++.I policycoreutils-sandbox, 
++можно использовать параметр \-X и параметр \-M.
++.B sandbox \-X
++позволяет запускать приложения X в изолированной среде. Эти приложения запускаются на своём собственном X-сервере и создают временные домашний каталог и каталог /tmp. Политика SELinux по умолчанию не разрешает использовать какие-либо средства для управления привилегиями или осуществлять доступ к сети. Она также предотвращает доступ к другим процессам и файлам пользователей. Указанные в команде файлы, которые находятся в домашнем каталоге или каталоге /tmp, будут скопированы в каталоги изолированной среды.
++
++Если каталоги указаны с параметром \-H или \-T, их контекст будет изменён chcon(1) (если только с помощью параметра \-l не указан уровень). Если уровень безопасности MLS/MCS указан, пользователь должен установить правильные метки.
++.PP
++.TP
++\fB\-h\ \fB\-\-help\fR
++Показать сведения об использовании
++.TP
++\fB\-H\ \fB\-\-homedir\fR
++Указать альтернативный домашний каталог для монтирования вместо вашего домашнего каталога. По умолчанию используется временный каталог. Требуется \-X или \-M.
++.TP
++\fB\-i\fR \fB\-\-include\fR
++Копировать этот файл в соответствующий временный каталог изолированной среды. Команду можно повторять.
++.TP
++\fB\-I\fR \fB\-\-includefile\fR
++Копировать все файлы, перечисленные во входном файле (inputfile), в соответствующие временные каталоги изолированной среды.
++.TP
++\fB\-l\fR \fB\-\-level\fR
++Указать уровень безопасности MLS/MCS, с которым следует запускать изолированную среду. По умолчанию используется случайное значение.
++.TP
++\fB\-M\fR \fB\-\-mount\fR
++Создать изолированную среду с временными файлами для $HOME и /tmp.
++.TP
++\fB\-s\fR \fB\-\-shred\fR
++Уничтожить временные файлы, созданные в $HOME в /tmp, перед удалением.
++.TP
++\fB\-t\fR \fB\-\-type\fR
++Использовать альтернативный тип изолированной среды. По умолчанию: sandbox_t или sandbox_x_t для \-X.
++
++\fBПримеры:\fR
++.br
++sandbox_t	\-	без X, без доступа к сети, без открытия, чтение/запись передаются в дескрипторах файлов.
++.br
++sandbox_min_t	\-	без доступа к сети
++.br
++sandbox_x_t	\-	порты для X-приложений, которые следует запустить локально
++.br
++sandbox_web_t	\-	порты, необходимые для работы в Интернете
++.br
++sandbox_net_t	\-		сетевые порты (для серверного ПО)
++.br
++sandbox_net_client_t	\-	все сетевые порты
++
++.TP
++\fB\-T\fR \fB\-\-tmpdir\fR
++Использовать альтернативный временный каталог для монтирования в /tmp. По умолчанию: tmpfs. Требуется \-X или \-M.
++.TP
++\fB\-S\fR \fB\-\-session\fR
++Запустить полный сеанс рабочего стола. Требуется уровень, домашний каталог и временный каталог.
++.TP
++\fB\-w\fR \fB\-\-windowsize\fR
++Указать размер окна при создании изолированной среды на основе X. По умолчанию: 1000x700.
++.TP
++\fB\-W\fR \fB\-\-windowmanager\fR
++Выбрать альтернативный диспетчер окон для запуска в 
++.B sandbox \-X.
++По умолчанию: /usr/bin/openbox.
++.TP
++\fB\-X\fR 
++Создать изолированную среду на основе X для приложений графического интерфейса пользователя, временные файлы для $HOME и /tmp, дополнительный X-сервер. По умолчанию: sandbox_x_t
++.TP
++\fB\-d\fR \fB\-\-dpi\fR
++Указать значение разрешения (DPI) для X-сервера изолированной среды. По умолчанию используется значение разрешения текущего X-сервера.
++.TP
++\fB\-C\fR \fB\-\-capabilities\fR
++Использовать средства для управления привилегиями внутри изолированной среды. По умолчанию приложениям, которые выполняются в изолированной среде, запрещено использовать средства для управления привилегиями (setuid apps), но с флагом \-C можно использовать программы, которым необходимы средства для управления привилегиями.
++.PP
++.SH "СМОТРИТЕ ТАКЖЕ"
++.TP
++runcon(1), seunshare(8), selinux(8)
++.PP
++
++.SH АВТОРЫ
++Эта страница руководства была написана
++.I Dan Walsh <dwalsh@redhat.com>
++и
++.I Thomas Liu <tliu@fedoraproject.org>.
++Перевод на русский язык выполнила 
++.I Герасименко Олеся <gammaray@basealt.ru>.
+diff --git a/sandbox/ru/seunshare.8 b/sandbox/ru/seunshare.8
+new file mode 100644
+index 000000000000..f604b9eb28c5
+--- /dev/null
++++ b/sandbox/ru/seunshare.8
+@@ -0,0 +1,42 @@
++.TH SEUNSHARE "8" "Май 2010" "seunshare" "Команды пользователя"
++.SH ИМЯ
++seunshare \- выполнить cmd с другим домашним каталогом (homedir), временным каталогом (tmpdir) и/или контекстом SELinux 
++.SH ОБЗОР
++.B seunshare
++[ -v ] [ -C ] [ -k ] [ -t tmpdir ] [ -h homedir ] [ -Z context ] -- executable [args]
++.br
++.SH ОПИСАНИЕ
++.PP
++Запустите исполняемый файл
++.I executable
++в указанном контексте, используя альтернативный домашний каталог и каталог /tmp. Команда seunshare отменяет общий доступ из пространства имён по умолчанию, затем монтирует указанные домашний каталог и временный каталог вместо домашнего каталога и временного каталога по умолчанию. После этого команда сообщает ядру, что следует выполнить приложение в указанном контексте SELinux.
++
++.TP
++\fB\-h homedir\fR
++Альтернативный домашний каталог для использования приложением. Пользователь должен быть владельцем домашнего каталога.
++.TP
++\fB\-t\ tmpdir
++Использовать альтернативный временный каталог для монтирования в /tmp. Пользователь должен быть владельцем временного каталога.
++.TP
++\fB\-C --capabilities\fR
++Разрешить приложениям, исполняемым в пространстве имён, использовать средства для управления привилегиям. По умолчанию использование средств для управления привилегиями запрещено.
++.TP
++\fB\-k --kill\fR
++Завершить все процессы с соответствующим уровнем MCS.
++.TP
++\fB\-Z\ context
++Использовать альтернативный контекст SELinux при запуске исполняемого файла.
++.TP
++\fB\-v\fR
++Подробный вывод
++.SH "СМОТРИТЕ ТАКЖЕ"
++.TP
++runcon(1), sandbox(8), selinux(8)
++.PP
++.SH АВТОРЫ
++Эта страница руководства была написана
++.I Dan Walsh <dwalsh@redhat.com>
++и
++.I Thomas Liu <tliu@fedoraproject.org>.
++Перевод на русский язык выполнила
++.I Герасименко Олеся <gammaray@basealt.ru>.
+-- 
+2.41.0
+

SOURCES/0013-Revert-restorecond-Remove-the-Russian-translations.patch

@@ -0,0 +1,62 @@
+From 066b9c9505aa545ea341efc06eb757f2a6000858 Mon Sep 17 00:00:00 2001
+From: Petr Lautrbach <lautrbach@redhat.com>
+Date: Mon, 13 Nov 2023 13:37:48 +0100
+Subject: [PATCH] Revert "restorecond: Remove the Russian translations"
+Content-type: text/plain
+
+This reverts commit 7021ccd4fbecb8092e2a127944444a8eeb179357.
+---
+ restorecond/ru/restorecond.8 | 41 ++++++++++++++++++++++++++++++++++++
+ 1 file changed, 41 insertions(+)
+ create mode 100644 restorecond/ru/restorecond.8
+
+diff --git a/restorecond/ru/restorecond.8 b/restorecond/ru/restorecond.8
+new file mode 100644
+index 000000000000..72d9119950eb
+--- /dev/null
++++ b/restorecond/ru/restorecond.8
+@@ -0,0 +1,41 @@
++.TH "restorecond" "8" "2002031409" "" ""
++.SH "ИМЯ"
++restorecond \- внутренняя служба, которая отслеживает создание файлов и затем задаёт для них SELinux-контекст по умолчанию
++
++.SH "ОБЗОР"
++.B restorecond  [\-d] [-h] [\-f restorecond_file ] [\-u] [\-v]
++.P
++
++.SH "ОПИСАНИЕ"
++Эта страница руководства содержит описание программы
++.BR restorecond.
++.P
++Эта внутренняя служба использует inotify для отслеживания файлов, перечисленных в /etc/selinux/restorecond.conf. После создания этих файлов эта служба обеспечивает присвоение им правильного контекста, связанного с политикой.
++
++.SH "ПАРАМЕТРЫ"
++.TP 
++.B \-d
++Включить режим отладки. Приложение останется на переднем плане, будет показано много отладочных сообщений.
++.TP
++. B \-h
++Вывести сведения об использовании.
++.TP
++.B \-f restorecond_file
++Использовать альтернативный файл restorecond.conf.
++.TP
++.B \-u
++Включить пользовательский режим. Запускает restorecond в сеансе пользователя и выполняет чтение /etc/selinux/restorecond_user.conf. Использует dbus, чтобы удостовериться, что в одном сеансе пользователя запущен только один экземпляр restorecond.
++.TP
++.B \-v
++Включить отладку с подробным выводом. (Сообщать об отсутствующих файлах)
++
++.SH "ФАЙЛЫ"
++/etc/selinux/restorecond.conf
++/etc/selinux/restorecond_user.conf
++
++.SH "СМОТРИТЕ ТАКЖЕ"
++.BR restorecon (8)
++
++.SH "АВТОРЫ"
++Эта man-страница и программа были написаны Dan Walsh <dwalsh@redhat.com>.
++Перевод на русский язык выполнила Герасименко Олеся <gammaray@basealt.ru>.
+-- 
+2.41.0
+

SOURCES/0013-Use-correct-gettext-domains-in-python-gui-sandbox.patch

@@ -1,306 +0,0 @@
-From 57cd23e11e1a700802a5955e84a0a7e04c30ec73 Mon Sep 17 00:00:00 2001
-From: Petr Lautrbach <plautrba@redhat.com>
-Date: Mon, 6 Aug 2018 13:37:07 +0200
-Subject: [PATCH] Use correct gettext domains in python/ gui/ sandbox/
-
-https://github.com/fedora-selinux/selinux/issues/43
----
- gui/booleansPage.py                          | 2 +-
- gui/domainsPage.py                           | 2 +-
- gui/fcontextPage.py                          | 2 +-
- gui/loginsPage.py                            | 2 +-
- gui/modulesPage.py                           | 2 +-
- gui/polgengui.py                             | 2 +-
- gui/portsPage.py                             | 2 +-
- gui/semanagePage.py                          | 2 +-
- gui/statusPage.py                            | 2 +-
- gui/system-config-selinux.py                 | 2 +-
- gui/usersPage.py                             | 2 +-
- python/chcat/chcat                           | 2 +-
- python/semanage/semanage                     | 2 +-
- python/semanage/seobject.py                  | 2 +-
- python/sepolgen/src/sepolgen/sepolgeni18n.py | 2 +-
- python/sepolicy/sepolicy.py                  | 2 +-
- python/sepolicy/sepolicy/__init__.py         | 2 +-
- python/sepolicy/sepolicy/generate.py         | 2 +-
- python/sepolicy/sepolicy/gui.py              | 2 +-
- python/sepolicy/sepolicy/interface.py        | 2 +-
- sandbox/sandbox                              | 2 +-
- 21 files changed, 21 insertions(+), 21 deletions(-)
-
-diff --git a/gui/booleansPage.py b/gui/booleansPage.py
-index 7849bea2..dd12b6d6 100644
---- a/gui/booleansPage.py
-+++ b/gui/booleansPage.py
-@@ -38,7 +38,7 @@ DISABLED = 2
- ##
- ## I18N
- ##
--PROGNAME = "policycoreutils"
-+PROGNAME = "selinux-gui"
- try:
-     import gettext
-     kwargs = {}
-diff --git a/gui/domainsPage.py b/gui/domainsPage.py
-index bad5140d..6bbe4de5 100644
---- a/gui/domainsPage.py
-+++ b/gui/domainsPage.py
-@@ -30,7 +30,7 @@ from semanagePage import *
- ##
- ## I18N
- ##
--PROGNAME = "policycoreutils"
-+PROGNAME = "selinux-gui"
- try:
-     import gettext
-     kwargs = {}
-diff --git a/gui/fcontextPage.py b/gui/fcontextPage.py
-index 370bbee4..e424366d 100644
---- a/gui/fcontextPage.py
-+++ b/gui/fcontextPage.py
-@@ -47,7 +47,7 @@ class context:
- ##
- ## I18N
- ##
--PROGNAME = "policycoreutils"
-+PROGNAME = "selinux-gui"
- try:
-     import gettext
-     kwargs = {}
-diff --git a/gui/loginsPage.py b/gui/loginsPage.py
-index b67eb8bc..cbfb0cc2 100644
---- a/gui/loginsPage.py
-+++ b/gui/loginsPage.py
-@@ -29,7 +29,7 @@ from semanagePage import *
- ##
- ## I18N
- ##
--PROGNAME = "policycoreutils"
-+PROGNAME = "selinux-gui"
- try:
-     import gettext
-     kwargs = {}
-diff --git a/gui/modulesPage.py b/gui/modulesPage.py
-index cb856b2d..26ac5404 100644
---- a/gui/modulesPage.py
-+++ b/gui/modulesPage.py
-@@ -30,7 +30,7 @@ from semanagePage import *
- ##
- ## I18N
- ##
--PROGNAME = "policycoreutils"
-+PROGNAME = "selinux-gui"
- try:
-     import gettext
-     kwargs = {}
-diff --git a/gui/polgengui.py b/gui/polgengui.py
-index b1cc9937..46a1bd2c 100644
---- a/gui/polgengui.py
-+++ b/gui/polgengui.py
-@@ -63,7 +63,7 @@ def get_all_modules():
- ##
- ## I18N
- ##
--PROGNAME = "policycoreutils"
-+PROGNAME = "selinux-gui"
- try:
-     import gettext
-     kwargs = {}
-diff --git a/gui/portsPage.py b/gui/portsPage.py
-index 30f58383..a537ecc8 100644
---- a/gui/portsPage.py
-+++ b/gui/portsPage.py
-@@ -35,7 +35,7 @@ from semanagePage import *
- ##
- ## I18N
- ##
--PROGNAME = "policycoreutils"
-+PROGNAME = "selinux-gui"
- try:
-     import gettext
-     kwargs = {}
-diff --git a/gui/semanagePage.py b/gui/semanagePage.py
-index 4127804f..5361d69c 100644
---- a/gui/semanagePage.py
-+++ b/gui/semanagePage.py
-@@ -22,7 +22,7 @@ from gi.repository import Gdk, Gtk
- ##
- ## I18N
- ##
--PROGNAME = "policycoreutils"
-+PROGNAME = "selinux-gui"
- try:
-     import gettext
-     kwargs = {}
-diff --git a/gui/statusPage.py b/gui/statusPage.py
-index 766854b1..a8f079b9 100644
---- a/gui/statusPage.py
-+++ b/gui/statusPage.py
-@@ -35,7 +35,7 @@ RELABELFILE = "/.autorelabel"
- ##
- ## I18N
- ##
--PROGNAME = "policycoreutils"
-+PROGNAME = "selinux-gui"
- try:
-     import gettext
-     kwargs = {}
-diff --git a/gui/system-config-selinux.py b/gui/system-config-selinux.py
-index c42301b6..1e0d5eb1 100644
---- a/gui/system-config-selinux.py
-+++ b/gui/system-config-selinux.py
-@@ -45,7 +45,7 @@ import selinux
- ##
- ## I18N
- ##
--PROGNAME = "policycoreutils"
-+PROGNAME = "selinux-gui"
- try:
-     import gettext
-     kwargs = {}
-diff --git a/gui/usersPage.py b/gui/usersPage.py
-index 26794ed5..d15d4c5a 100644
---- a/gui/usersPage.py
-+++ b/gui/usersPage.py
-@@ -29,7 +29,7 @@ from semanagePage import *
- ##
- ## I18N
- ##
--PROGNAME = "policycoreutils"
-+PROGNAME = "selinux-gui"
- try:
-     import gettext
-     kwargs = {}
-diff --git a/python/chcat/chcat b/python/chcat/chcat
-index ba398684..df2509f2 100755
---- a/python/chcat/chcat
-+++ b/python/chcat/chcat
-@@ -30,7 +30,7 @@ import getopt
- import selinux
- import seobject
- 
--PROGNAME = "policycoreutils"
-+PROGNAME = "selinux-python"
- try:
-     import gettext
-     kwargs = {}
-diff --git a/python/semanage/semanage b/python/semanage/semanage
-index 144cc000..56db3e0d 100644
---- a/python/semanage/semanage
-+++ b/python/semanage/semanage
-@@ -27,7 +27,7 @@ import traceback
- import argparse
- import seobject
- import sys
--PROGNAME = "policycoreutils"
-+PROGNAME = "selinux-python"
- try:
-     import gettext
-     kwargs = {}
-diff --git a/python/semanage/seobject.py b/python/semanage/seobject.py
-index 13fdf531..b90b1070 100644
---- a/python/semanage/seobject.py
-+++ b/python/semanage/seobject.py
-@@ -29,7 +29,7 @@ import sys
- import stat
- import socket
- from semanage import *
--PROGNAME = "policycoreutils"
-+PROGNAME = "selinux-python"
- import sepolicy
- import setools
- from IPy import IP
-diff --git a/python/sepolgen/src/sepolgen/sepolgeni18n.py b/python/sepolgen/src/sepolgen/sepolgeni18n.py
-index 998c4356..56ebd807 100644
---- a/python/sepolgen/src/sepolgen/sepolgeni18n.py
-+++ b/python/sepolgen/src/sepolgen/sepolgeni18n.py
-@@ -19,7 +19,7 @@
- 
- try: 
-     import gettext
--    t = gettext.translation( 'yumex' )
-+    t = gettext.translation( 'selinux-python' )
-     _ = t.gettext
- except:
-     def _(str):
-diff --git a/python/sepolicy/sepolicy.py b/python/sepolicy/sepolicy.py
-index 1934cd86..8bd6a579 100755
---- a/python/sepolicy/sepolicy.py
-+++ b/python/sepolicy/sepolicy.py
-@@ -27,7 +27,7 @@ import selinux
- import sepolicy
- from sepolicy import get_os_version, get_conditionals, get_conditionals_format_text
- import argparse
--PROGNAME = "policycoreutils"
-+PROGNAME = "selinux-python"
- try:
-     import gettext
-     kwargs = {}
-diff --git a/python/sepolicy/sepolicy/__init__.py b/python/sepolicy/sepolicy/__init__.py
-index 0c66f4d5..b6ca57c3 100644
---- a/python/sepolicy/sepolicy/__init__.py
-+++ b/python/sepolicy/sepolicy/__init__.py
-@@ -13,7 +13,7 @@ import os
- import re
- import gzip
- 
--PROGNAME = "policycoreutils"
-+PROGNAME = "selinux-python"
- try:
-     import gettext
-     kwargs = {}
-diff --git a/python/sepolicy/sepolicy/generate.py b/python/sepolicy/sepolicy/generate.py
-index 019e7836..7175d36b 100644
---- a/python/sepolicy/sepolicy/generate.py
-+++ b/python/sepolicy/sepolicy/generate.py
-@@ -49,7 +49,7 @@ import sepolgen.defaults as defaults
- ##
- ## I18N
- ##
--PROGNAME = "policycoreutils"
-+PROGNAME = "selinux-python"
- try:
-     import gettext
-     kwargs = {}
-diff --git a/python/sepolicy/sepolicy/gui.py b/python/sepolicy/sepolicy/gui.py
-index 00fd7a11..805cee67 100644
---- a/python/sepolicy/sepolicy/gui.py
-+++ b/python/sepolicy/sepolicy/gui.py
-@@ -41,7 +41,7 @@ import os
- import re
- import unicodedata
- 
--PROGNAME = "policycoreutils"
-+PROGNAME = "selinux-python"
- try:
-     import gettext
-     kwargs = {}
-diff --git a/python/sepolicy/sepolicy/interface.py b/python/sepolicy/sepolicy/interface.py
-index 583091ae..e2b8d23b 100644
---- a/python/sepolicy/sepolicy/interface.py
-+++ b/python/sepolicy/sepolicy/interface.py
-@@ -30,7 +30,7 @@ __all__ = ['get_all_interfaces', 'get_interfaces_from_xml', 'get_admin', 'get_us
- ##
- ## I18N
- ##
--PROGNAME = "policycoreutils"
-+PROGNAME = "selinux-python"
- try:
-     import gettext
-     kwargs = {}
-diff --git a/sandbox/sandbox b/sandbox/sandbox
-index 1dec07ac..a12403b3 100644
---- a/sandbox/sandbox
-+++ b/sandbox/sandbox
-@@ -37,7 +37,7 @@ import sepolicy
- 
- SEUNSHARE = "/usr/sbin/seunshare"
- SANDBOXSH = "/usr/share/sandbox/sandboxX.sh"
--PROGNAME = "policycoreutils"
-+PROGNAME = "selinux-sandbox"
- try:
-     import gettext
-     kwargs = {}
--- 
-2.21.0
-

SOURCES/0014-Revert-python-Remove-the-Russian-translations.patch

@@ -0,0 +1,645 @@
+From 9f8bc9f0bdcd5fffeb1f68a9761ade647b16a504 Mon Sep 17 00:00:00 2001
+From: Petr Lautrbach <lautrbach@redhat.com>
+Date: Mon, 13 Nov 2023 13:37:50 +0100
+Subject: [PATCH] Revert "python: Remove the Russian translations"
+Content-type: text/plain
+
+This reverts commit cb0b5f3aebbee84924413f8530d4f2c0e2609791.
+---
+ python/sepolicy/ru/sepolgen.8             |   1 +
+ python/sepolicy/ru/sepolicy-booleans.8    |  29 ++++
+ python/sepolicy/ru/sepolicy-communicate.8 |  40 +++++
+ python/sepolicy/ru/sepolicy-generate.8    | 173 ++++++++++++++++++++++
+ python/sepolicy/ru/sepolicy-gui.8         |  29 ++++
+ python/sepolicy/ru/sepolicy-interface.8   |  41 +++++
+ python/sepolicy/ru/sepolicy-manpage.8     |  38 +++++
+ python/sepolicy/ru/sepolicy-network.8     |  90 +++++++++++
+ python/sepolicy/ru/sepolicy-transition.8  |  34 +++++
+ python/sepolicy/ru/sepolicy.8             |  77 ++++++++++
+ 10 files changed, 552 insertions(+)
+ create mode 100644 python/sepolicy/ru/sepolgen.8
+ create mode 100644 python/sepolicy/ru/sepolicy-booleans.8
+ create mode 100644 python/sepolicy/ru/sepolicy-communicate.8
+ create mode 100644 python/sepolicy/ru/sepolicy-generate.8
+ create mode 100644 python/sepolicy/ru/sepolicy-gui.8
+ create mode 100644 python/sepolicy/ru/sepolicy-interface.8
+ create mode 100644 python/sepolicy/ru/sepolicy-manpage.8
+ create mode 100644 python/sepolicy/ru/sepolicy-network.8
+ create mode 100644 python/sepolicy/ru/sepolicy-transition.8
+ create mode 100644 python/sepolicy/ru/sepolicy.8
+
+diff --git a/python/sepolicy/ru/sepolgen.8 b/python/sepolicy/ru/sepolgen.8
+new file mode 100644
+index 000000000000..3ecf3eb2969b
+--- /dev/null
++++ b/python/sepolicy/ru/sepolgen.8
+@@ -0,0 +1 @@
++.so man8/sepolicy-generate.8
+diff --git a/python/sepolicy/ru/sepolicy-booleans.8 b/python/sepolicy/ru/sepolicy-booleans.8
+new file mode 100644
+index 000000000000..0f8f8ef68235
+--- /dev/null
++++ b/python/sepolicy/ru/sepolicy-booleans.8
+@@ -0,0 +1,29 @@
++.TH "sepolicy-booleans" "8" "20121112" "" ""
++.SH "ИМЯ"
++sepolicy-booleans \- запросить описание логических переключателей из политики SELinux
++
++.SH "ОБЗОР"
++
++.br
++.B sepolicy booleans [\-h] [ \-a | \-b booleanname ... ]
++
++.SH "ОПИСАНИЕ"
++Утилита sepolicy booleans показывает все логические переключатели и их описание (либо можно вывести описание для отдельных логических переключателей)
++
++.SH "ПАРАМЕТРЫ"
++.TP
++.I                \-h, \-\-help       
++показать справочное сообщение
++.TP
++.I                \-a, \-\-all
++показать все описания логических переключателей
++.TP
++.I                \-b, \-\-boolean
++логический переключатель, для которого следует получить описание
++
++.SH "СМОТРИТЕ ТАКЖЕ"
++sepolicy(8), selinux(8), getsebool(8), setsebool(8)
++
++.SH "АВТОРЫ"
++Эта man-страница была написана Daniel Walsh <dwalsh@redhat.com>.
++Перевод на русский язык выполнила Герасименко Олеся <gammaray@basealt.ru>.
+diff --git a/python/sepolicy/ru/sepolicy-communicate.8 b/python/sepolicy/ru/sepolicy-communicate.8
+new file mode 100644
+index 000000000000..3a8c535cb75a
+--- /dev/null
++++ b/python/sepolicy/ru/sepolicy-communicate.8
+@@ -0,0 +1,40 @@
++.TH "sepolicy-communicate" "8" "20121005" "" ""
++.SH "ИМЯ"
++sepolicy-communicate \- создать отчёт, который покажет, могут ли связываться два домена политики SELinux
++
++.SH "ОБЗОР"
++
++.br
++.B sepolicy communicate [\-h] \-s SOURCE \-t TARGET [\-c TCLASS] [\-S SOURCEACCESS] [\-T TARGETACCESS]
++
++.SH "ОПИСАНИЕ"
++Команда sepolicy communicate позволяет проанализировать политику SELinux, чтобы узнать, может ли исходный домен SELinux связываться с целевым доменом SELinux.
++Команда по умолчанию проверяет, имеются ли какие-либо типы файлов, которые может записывать исходный домен и читать целевой домен.
++
++.SH "ПАРАМЕТРЫ"
++.TP
++.I                \-c, \-\-class
++Указать класс SELinux, который исходный домен попытается использовать для связи с целевым доменом. По умолчанию: file.
++.TP
++.I                \-h, \-\-help       
++Показать справочное сообщение
++.TP
++.I                \-s, \-\-source
++Указать тип исходного домена SELinux
++.TP
++.I                \-S, \-\-sourceaccess
++Указать список доступов, используемых типом исходного домена SELinux для связи с целевым доменом. По умолчанию: Open, Write.
++.TP
++.I                \-t, \-\-target
++Указать тип целевого домена SELinux
++.TP
++.I                \-T, \-\-targetaccess
++Указать список доступов, используемых типом целевого домена SELinux для получения обращений от исходного домена. По умолчанию: Open, Read.
++
++.SH "СМОТРИТЕ ТАКЖЕ"
++sepolicy(8), selinux(8)
++
++.SH "АВТОРЫ"
++Эта man-страница была написана Daniel Walsh <dwalsh@redhat.com>.
++Перевод на русский язык выполнила Герасименко Олеся <gammaray@basealt.ru>.
++
+diff --git a/python/sepolicy/ru/sepolicy-generate.8 b/python/sepolicy/ru/sepolicy-generate.8
+new file mode 100644
+index 000000000000..d2e98861881a
+--- /dev/null
++++ b/python/sepolicy/ru/sepolicy-generate.8
+@@ -0,0 +1,173 @@
++.TH "sepolicy-generate" "8" "20121005" "" ""
++.SH "ИМЯ"
++sepolicy-generate \- создать исходный шаблон модуля политики SELinux.
++
++.SH "ОБЗОР"
++
++Общие параметры
++
++.B sepolicy generate [\-h ] [\-p PATH]
++
++.br
++
++Ограниченные приложения
++
++.br
++.B sepolicy generate \-\-application [\-n NAME] [\-u USER ]command [\-w WRITE_PATH ]
++.br
++.B sepolicy generate \-\-cgi [\-n NAME] command [\-w WRITE_PATH ]
++.br
++.B sepolicy generate \-\-dbus [\-n NAME] command [\-w WRITE_PATH ]
++.br
++.B sepolicy generate \-\-inetd [\-n NAME] command [\-w WRITE_PATH ]
++.br
++.B sepolicy generate \-\-init [\-n NAME] command [\-w WRITE_PATH ]
++
++Ограниченные пользователи
++
++.br
++.B sepolicy generate \-\-admin_user [\-r TRANSITION_ROLE] \-n NAME
++.br
++.B sepolicy generate \-\-confined_admin \-n NAME [\-a ADMIN_DOMAIN] [\-u USER] [\-n NAME] [\-w WRITE_PATH]
++.br
++.B sepolicy generate \-\-desktop_user \-n NAME [\-w WRITE_PATH]
++.br
++.B sepolicy generate \-\-term_user \-n NAME [\-w WRITE_PATH]
++.br
++.B sepolicy generate \-\-x_user \-n NAME [\-w WRITE_PATH]
++.br
++
++Разное
++
++.br
++.B sepolicy generate \-\-customize \-d DOMAIN \-n NAME [\-a ADMIN_DOMAIN]
++.br
++.B sepolicy generate \-\-newtype \-t type \-n NAME
++.br
++.B sepolicy generate \-\-sandbox \-n NAME
++
++.SH "ОПИСАНИЕ"
++Используйте команду \fBsepolicy generate\fP для создания модуля политики SELinux.
++
++.br
++\fBsepolicy generate\fP создаст 5 файлов.
++
++При указании \fBconfined application\fP необходимо указать путь. Команда \fBsepolicy generate\fP будет использовать полезную нагрузку rpm-пакета приложения вместе с \fBnm \-D APPLICATION\fP, чтобы создать типы и правила политики для ваших файлов политики.
++
++.B Файл принудительного назначения типов NAME.te
++.br
++Этот файл можно использовать, чтобы определить для конкретного домена все правила типов.
++
++.I Примечание:
++Политика, созданная с помощью команды \fBsepolicy generate\fP, автоматически добавит разрешительный домен (DOMAIN) в ваш файл .te. Когда вы закончите настройку политики, из файла .te будет необходимо удалить разрешительную строку, чтобы запустить домен в принудительном режиме.
++
++.B Файл интерфейсов NAME.if
++.br
++Этот файл определяет интерфейсы для созданных в файле .te типов, которые могут использоваться другими доменами политики.
++
++.B Контексты файлов NAME.fc
++.br
++Этот файл определяет контексты файлов по умолчанию для системы; он берёт типы файлов, созданные в файле .te, и связывает пути файлов с этими типами. Такие утилиты, как restorecon и RPM, будут использовать эти пути для проставления меток.
++
++.B Файл спецификации RPM NAME_selinux.spec
++.br
++Этот файл - файл СПЕЦИФИКАЦИИ, который можно использовать для установки политики SELinux на компьютеры и настройки проставления меток. Файл спецификации также устанавливает файл интерфейсов и man-страницу с описанием политики. Для создания man-страницы можно использовать команду \fBsepolicy manpage \-d NAME\fP.
++
++.B Файл оболочки NAME.sh
++.br
++Это вспомогательный сценарий оболочки для компиляции, установки и исправления меток в тестовой системе. Он также создаёт man-страницу на основе установленной политики, компилирует и собирает RPM, который подходит для установки на других компьютерах.
++
++Если создание возможно, эта утилита выведет на экран все пути создания из исходного домена в целевой домен
++
++.SH "ПАРАМЕТРЫ"
++.TP
++.I                \-h, \-\-help
++Показать справочное сообщение
++.TP
++.I                \-d, \-\-domain
++Ввести тип домена, который будет расширен
++.TP
++.I                \-n, \-\-name
++Указать альтернативное имя политики. По умолчанию: указанный исполняемый файл или имя.
++.TP
++.I                \-p, \-\-path
++Указать каталог для сохранения созданных файлов политики. По умолчанию: текущий рабочий каталог.
++Необязательные аргументы:
++.TP
++.I                \-r, \-\-role
++Ввести роль (роли), в которую перейдёт этот администратор
++.TP
++.I                \-t, \-\-type
++Ввести тип (типы), для которого создаётся новое определение и правило (правила)
++.TP
++.I                \-u, \-\-user
++Пользователь (пользователи) SELinux, который перейдёт в этот домен
++.TP
++.I                \-w, \-\-writepath
++Путь (пути), который требуется для записи ограниченным процессам
++.TP
++.I                \-a, \-\-admin
++Домен (домены), который будет администрировать ограниченный администратор 
++.TP
++.I  \-\-admin_user 
++Создать политику для роли авторизации администратора
++.TP
++.I  \-\-application
++Создать политику для приложения пользователя
++.TP
++.I  \-\-cgi
++Создать политику для веб-приложения/сценария (CGI)
++.TP
++.I  \-\-confined_admin
++Создать политику для роли ограниченного администратора root
++.TP
++.I  \-\-customize
++Создать политику для типа существующего домена
++.TP
++.I  \-\-dbus
++Создать политику для системной внутренней службы DBUS
++.TP
++.I  \-\-desktop_user
++Создать политику для роли авторизации на рабочем столе
++.TP
++.I  \-\-inetd
++Создать политику для внутренней службы Интернет-служб
++.TP
++.I  \-\-init
++Создать политику для стандартной внутренней службы init (по умолчанию)
++.TP
++.I  \-\-newtype
++Создать политику для новых типов, которые будут добавлены в существующую политику.
++.TP
++.I  \-\-sandbox
++Создать политику для изолированной среды
++.TP
++.I  \-\-term_user
++Создать политику для минимальной роли авторизации пользователя терминала
++.TP
++.I  \-\-x_user
++Создать политику для минимальной роли авторизации пользователя X Windows
++
++.SH "ПРИМЕР"
++.B > sepolicy generate --init /usr/sbin/rwhod
++.br
++Создание политики для /usr/sbin/rwhod с именем rwhod
++.br
++Созданы следующие файлы:
++.br
++rwhod.te # файл принудительного присвоения типов
++.br
++rwhod.if # файл интерфейсов
++.br
++rwhod.fc # файл контекстов файлов
++.br
++rwhod_selinux.spec # файл спецификации
++.br
++rwhod.sh # сценарий настройки
++
++.SH "СМОТРИТЕ ТАКЖЕ"
++sepolicy(8), selinux(8)
++
++.SH "АВТОРЫ"
++Эта man-страница была написана Daniel Walsh <dwalsh@redhat.com>.
++Перевод на русский язык выполнила Герасименко Олеся <gammaray@basealt.ru>.
+diff --git a/python/sepolicy/ru/sepolicy-gui.8 b/python/sepolicy/ru/sepolicy-gui.8
+new file mode 100644
+index 000000000000..1912c58b30e1
+--- /dev/null
++++ b/python/sepolicy/ru/sepolicy-gui.8
+@@ -0,0 +1,29 @@
++.TH "sepolicy-gui" "8" "20121005" "" ""
++.SH "ИМЯ"
++sepolicy-gui \- графический интерфейс пользователя политики SELinux
++
++.SH "ОБЗОР"
++
++Общие параметры
++
++.B sepolicy gui [\-h ] [ \-d DOMAIN ]
++
++.br
++
++.SH "ОПИСАНИЕ"
++Используйте утилиту \fBsepolicy gui\fP для запуска графического интерфейса пользователя, с помощью которого можно посмотреть, как SELinux ограничивает различные домены процессов.
++
++.SH "ПАРАМЕТРЫ"
++.TP
++.I                \-h, \-\-help
++Показать справочное сообщение
++.TP
++.I                \-d, \-\-domain
++Инициализировать для выбранного домена графический интерфейс пользователя 
++
++.SH "СМОТРИТЕ ТАКЖЕ"
++sepolicy(8), selinux(8)
++
++.SH "АВТОРЫ"
++Эта man-страница была написана Daniel Walsh <dwalsh@redhat.com>.
++Перевод на русский язык выполнила Герасименко Олеся <gammaray@basealt.ru>.
+diff --git a/python/sepolicy/ru/sepolicy-interface.8 b/python/sepolicy/ru/sepolicy-interface.8
+new file mode 100644
+index 000000000000..b78a7925fd5e
+--- /dev/null
++++ b/python/sepolicy/ru/sepolicy-interface.8
+@@ -0,0 +1,41 @@
++.TH "sepolicy-interface" "8" "20121222" "" ""
++.SH "ИМЯ"
++sepolicy-interface \- вывести сведения об интерфейсах на основе установленной политики SELinux
++
++.SH "ОБЗОР"
++
++.br
++.B sepolicy interface  [\-h] [\-c] [\-v] [\-a | \-u | \-l | \-i INTERFACE [INTERFACE ... ]]
++
++.SH "ОПИСАНИЕ"
++Используйте утилиту sepolicy interface для вывода сведений об интерфейсах на основе политики SELinux.
++
++.SH "ПАРАМЕТРЫ"
++.TP
++.I                \-a, \-\-list_admin
++Вывести список всех доменов с интерфейсом администратора
++.TP
++.I                \-c, \-\-compile
++Проверить сборку интерфейсов
++.TP
++.I                \-h, \-\-help       
++Показать справочное сообщение
++.TP
++.I                \-i, \-\-interface
++Интерфейс (интерфейсы), которые следует показать
++.TP
++.I                \-l, \-\-list
++Вывести список всех интерфейсов
++.TP
++.I                \-u, \-\-list_user
++Вывести список всех доменов с интерфейсом роли пользователя SELinux
++.TP
++.I                \-v, \-\-verbose
++Показать расширенные сведения об интерфейсе, включая параметры и описание (если доступно).
++
++.SH "СМОТРИТЕ ТАКЖЕ"
++sepolicy(8), selinux(8)
++
++.SH "АВТОРЫ"
++Эта man-страница была написана Daniel Walsh <dwalsh@redhat.com>.
++Перевод на русский язык выполнила Герасименко Олеся <gammaray@basealt.ru>.
+diff --git a/python/sepolicy/ru/sepolicy-manpage.8 b/python/sepolicy/ru/sepolicy-manpage.8
+new file mode 100644
+index 000000000000..35d7c683d9e6
+--- /dev/null
++++ b/python/sepolicy/ru/sepolicy-manpage.8
+@@ -0,0 +1,38 @@
++.TH "sepolicy-manpage" "8" "20121005" "" ""
++.SH "ИМЯ"
++sepolicy-manpage \- создать man-страницу на основе установленной политики SELinux
++
++.SH "ОБЗОР"
++
++.br
++.B sepolicy manpage [\-w] [\-h] [\-p PATH ] [\-r ROOTDIR ] [\-a | \-d ]
++
++.SH "ОПИСАНИЕ"
++Используйте утилиту sepolicy manpage для создания man-страниц на основе политики SELinux.
++
++.SH "ПАРАМЕТРЫ"
++.TP
++.I                \-a, \-\-all        
++Создать man-страницы для всех доменов
++.TP
++.I                \-d, \-\-domain     
++Создать man-страницу для указанного домена. (Поддерживает несколько команд)
++.TP
++.I                \-h, \-\-help       
++Показать справочное сообщение
++.TP
++.I                \-p, \-\-path
++Указать каталог для сохранения созданных man-страниц. (По умолчанию: /tmp)
++.TP
++.I                \-r, \-\-root
++Указать альтернативный корневой каталог для создания man-страниц. (По умолчанию: /)
++.TP
++.I                \-w, \-\-web
++Создать дополнительные man-страницы в формате HTML для указанного домена (доменов).
++
++.SH "СМОТРИТЕ ТАКЖЕ"
++sepolicy(8), selinux(8)
++
++.SH "АВТОРЫ"
++Эта man-страница была написана Daniel Walsh <dwalsh@redhat.com>.
++Перевод на русский язык выполнила Герасименко Олеся <gammaray@basealt.ru>.
+diff --git a/python/sepolicy/ru/sepolicy-network.8 b/python/sepolicy/ru/sepolicy-network.8
+new file mode 100644
+index 000000000000..ba78eced9d90
+--- /dev/null
++++ b/python/sepolicy/ru/sepolicy-network.8
+@@ -0,0 +1,90 @@
++.TH "sepolicy-network" "8" "20121005" "" ""
++.SH "ИМЯ"
++sepolicy-network \- проанализировать политику SELinux и создать отчёт о сети
++
++.SH "ОБЗОР"
++
++.br
++.B sepolicy network [\-h] (\-l | \-a application [application ...] | \-p PORT [PORT ...] | \-t TYPE [TYPE ...] | \-d DOMAIN [DOMAIN ...])
++
++.SH "ОПИСАНИЕ"
++Используйте команду sepolicy network для анализа политики SELinux и создания отчётов о сети.
++
++.SH "ПАРАМЕТРЫ"
++.TP
++.I                \-a, \-\-application
++Создать отчёт с перечнем портов, к которым разрешено подключение и/или привязка указанного приложения инициализации.
++.TP
++.I                \-d, \-\-domain     
++Создать отчёт с перечнем портов, к которым разрешено подключение и/или привязка указанного домена.
++.TP
++.I                \-l, \-\-list        
++Вывести список всех типов сетевых портов, определённых в политике SELinux
++.TP
++.I                \-h, \-\-help       
++Показать справочное сообщение
++.TP
++.I                \-t, \-\-type
++Создать отчёт с перечнем номеров портов, связанных с указанным типом портов SELinux.
++.TP
++.I                \-p, \-\-port
++Создать отчёт с перечнем типов портов SELinux, связанных с указанным номером порта.
++
++.SH "ПРИМЕРЫ"
++
++.B sepolicy network -p 22
++.br
++22: tcp ssh_port_t 22
++.br
++22: udp reserved_port_t 1-511
++.br
++22: tcp reserved_port_t 1-511
++
++.B sepolicy network -a /usr/sbin/sshd
++.br
++sshd_t: tcp name_connect
++.br
++	111 (portmap_port_t)
++.br
++	53 (dns_port_t)
++.br
++	88, 750, 4444 (kerberos_port_t)
++.br
++	9080 (ocsp_port_t)
++.br
++	9180, 9701, 9443-9447 (pki_ca_port_t)
++.br
++	32768-61000 (ephemeral_port_t)
++.br
++	all ports < 1024 (reserved_port_type)
++.br
++	all ports with out defined types (port_t)
++.br
++sshd_t: tcp name_bind
++.br
++	22 (ssh_port_t)
++.br
++	5900-5983, 5985-5999 (vnc_port_t)
++.br
++	6000-6020 (xserver_port_t)
++.br
++	32768-61000 (ephemeral_port_t)
++.br
++	all ports > 500 and  < 1024 (rpc_port_type)
++.br
++	all ports with out defined types (port_t)
++.br
++sshd_t: udp name_bind
++.br
++	32768-61000 (ephemeral_port_t)
++.br
++	all ports > 500 and  < 1024 (rpc_port_type)
++.br
++	all ports with out defined types (port_t)
++
++.SH "СМОТРИТЕ ТАКЖЕ"
++sepolicy(8), selinux(8), semanage(8)
++
++.SH "АВТОРЫ"
++Эта man-страница была написана Daniel Walsh <dwalsh@redhat.com>.
++Перевод на русский язык выполнила Герасименко Олеся <gammaray@basealt.ru>.
+diff --git a/python/sepolicy/ru/sepolicy-transition.8 b/python/sepolicy/ru/sepolicy-transition.8
+new file mode 100644
+index 000000000000..77c2520376dc
+--- /dev/null
++++ b/python/sepolicy/ru/sepolicy-transition.8
+@@ -0,0 +1,34 @@
++.TH "sepolicy-transition" "8" "20121005" "" ""
++.SH "ИМЯ"
++sepolicy-transition \- проанализировать политику SELinux и создать отчёт о переходах процессов
++
++.SH "ОБЗОР"
++
++.br
++.B sepolicy transition [\-h] \-s SOURCE
++
++.br
++.B sepolicy transition [\-h] \-s SOURCE \-t TARGET
++
++.SH "ОПИСАНИЕ"
++Утилита sepolicy transition покажет все домены, в которые может перейти указанный исходный домен SELinux, включая точку входа.
++
++Если указан целевой домен, команда sepolicy transition проанализирует политику на предмет наличия путей перехода из исходного домена в целевой домен и выведет список этих путей. Если переход возможен, эта утилита выведет все пути перехода из исходного домена в целевой домен.
++
++.SH "ПАРАМЕТРЫ"
++.TP
++.I                \-h, \-\-help       
++Показать справочное сообщение
++.TP
++.I                \-s, \-\-source
++Указать тип исходного домена SELinux
++.TP
++.I                \-t, \-\-target
++Указать тип целевого домена SELinux
++
++.SH "СМОТРИТЕ ТАКЖЕ"
++sepolicy(8), selinux(8)
++
++.SH "АВТОРЫ"
++Эта man-страница была написана Daniel Walsh <dwalsh@redhat.com>.
++Перевод на русский язык выполнила Герасименко Олеся <gammaray@basealt.ru>.
+diff --git a/python/sepolicy/ru/sepolicy.8 b/python/sepolicy/ru/sepolicy.8
+new file mode 100644
+index 000000000000..1d8d39112e15
+--- /dev/null
++++ b/python/sepolicy/ru/sepolicy.8
+@@ -0,0 +1,77 @@
++.TH "sepolicy" "8" "20121005" "" ""
++.SH "ИМЯ"
++sepolicy \- утилита анализа политики SELinux
++
++.SH "ОБЗОР"
++.B sepolicy [-h] [-P policy_path ] {booleans,communicate,generate,interface,manpage,network,transition} OPTIONS
++
++.br
++Аргументы:
++.br
++
++.B    booleans
++.br
++Отправить запрос к политике SELinux, чтобы просмотреть описание логических переключателей
++.B sepolicy-boolean(8)
++.br
++
++.B    communicate
++.br
++Отправить запрос к политике SELinux, чтобы узнать, могут ли домены связываться друг с другом
++.B sepolicy-communicate(8)
++.br
++
++.B    generate
++.br
++Создать шаблон модуля политики SELinux
++.B sepolicy-generate(8)
++.br
++
++.B    gui
++.br
++Запустить графический интерфейс пользователя политики SELinux (требуется пакет policycoreutils-gui)
++.B sepolicy-gui(8)
++.br
++
++.B    interface
++.br 
++.br
++Вывести сведения интерфейса политики SELinux
++.B sepolicy-interface(8)
++.br
++
++.B    manpage
++.br
++Создать man-страницы SELinux 
++.B sepolicy-manpage(8)
++.br
++
++.B    network
++.br
++Запросить сведения о сети политики SELinux
++.B sepolicy-network(8)
++.br
++
++.B    transition 
++.br
++Отправить запрос к политике SELinux, чтобы узнать, как исходный домен процесса может перейти в целевой домен процесса 
++.B sepolicy-transition(8)
++
++.SH "ОПИСАНИЕ"
++sepolicy - это набор средств, опрашивающих установленную политику SELinux и создающих полезные отчёты,  man-страницы или даже новые модули политики.
++Параметры и их описание доступны на man-страницах соответствующих аргументов.
++
++.SH "ПАРАМЕТРЫ"
++.TP
++.I                \-P, \-\-policy
++Альтернативная политика для анализа. (По умолчанию: текущая установленная политика /sys/fs/selinux/policy)
++.TP
++.I                \-h, \-\-help       
++Показать справочное сообщение
++
++.SH "СМОТРИТЕ ТАКЖЕ"
++selinux(8), sepolicy-booleans(8), sepolicy-communicate(8), sepolicy-generate(8),sepolicy-gui(8), sepolicy-interface(8),  sepolicy-network(8), sepolicy-manpage(8), sepolicy-transition(8)
++
++.SH "АВТОРЫ"
++Эта man-страница была написана Daniel Walsh <dwalsh@redhat.com>.
++Перевод на русский язык выполнила Герасименко Олеся <gammaray@basealt.ru>.
+-- 
+2.41.0
+

SOURCES/0016-policycoreutils-setfiles-Improve-description-of-d-sw.patch

@@ -1,30 +0,0 @@
-From c8fbb8042852c18775c001999ce949e9b591e381 Mon Sep 17 00:00:00 2001
-From: Vit Mojzis <vmojzis@redhat.com>
-Date: Wed, 21 Mar 2018 08:51:31 +0100
-Subject: [PATCH] policycoreutils/setfiles: Improve description of -d switch
-
-The "-q" switch is becoming obsolete (completely unused in fedora) and
-debug output ("-d" switch) makes sense in any scenario. Therefore both
-options can be specified at once.
-
-Resolves: rhbz#1271327
----
- policycoreutils/setfiles/setfiles.8 | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/policycoreutils/setfiles/setfiles.8 b/policycoreutils/setfiles/setfiles.8
-index ccaaf4de..a8a76c86 100644
---- a/policycoreutils/setfiles/setfiles.8
-+++ b/policycoreutils/setfiles/setfiles.8
-@@ -57,7 +57,7 @@ check the validity of the contexts against the specified binary policy.
- .TP
- .B \-d
- show what specification matched each file (do not abort validation
--after ABORT_ON_ERRORS errors).
-+after ABORT_ON_ERRORS errors). Not affected by "\-q"
- .TP
- .BI \-e \ directory
- directory to exclude (repeat option for more than one directory).
--- 
-2.21.0
-

SOURCES/0017-Revert-gui-Remove-the-Russian-translations.patch

@@ -0,0 +1,100 @@
+From c22c5bfc40dd572e18352ba418570a12aa335796 Mon Sep 17 00:00:00 2001
+From: Petr Lautrbach <lautrbach@redhat.com>
+Date: Mon, 13 Nov 2023 13:38:04 +0100
+Subject: [PATCH] Revert "gui: Remove the Russian translations"
+Content-type: text/plain
+
+This reverts commit fb58fa97359c9206bccdb1088f92245d6fa0095e.
+---
+ gui/ru/selinux-polgengui.8     | 35 +++++++++++++++++++++++++++++++++
+ gui/ru/system-config-selinux.8 | 36 ++++++++++++++++++++++++++++++++++
+ 2 files changed, 71 insertions(+)
+ create mode 100644 gui/ru/selinux-polgengui.8
+ create mode 100644 gui/ru/system-config-selinux.8
+
+diff --git a/gui/ru/selinux-polgengui.8 b/gui/ru/selinux-polgengui.8
+new file mode 100644
+index 000000000000..a8e692a64d38
+--- /dev/null
++++ b/gui/ru/selinux-polgengui.8
+@@ -0,0 +1,35 @@
++.TH "selinux-polgengui" "8" "8 апреля 2013" "Руководство по утилитам настройки системы"
++
++.SH ИМЯ
++selinux\-polgengui \- утилита для создания политики SELinux
++
++.SH ОБЗОР
++.B selinux-polgengui
++
++.SH ОПИСАНИЕ
++\fBselinux-polgengui\fP - графическая утилита, которую можно использовать, чтобы создать платформу для сборки политики SELinux.
++.SH ПАРАМЕТРЫ
++Нет
++
++.SH ФАЙЛЫ
++\fi/usr/bin/selinux-polgengui\fP
++
++.SH Примеры
++Чтобы запустить программу, введите:
++
++selinux-polgengui
++
++.PP
++.SH "СМОТРИТЕ ТАКЖЕ"
++.TP
++selinux(1), sepolicy(8), sepolicy-generate(8)
++.PP
++
++.SH СООБЩЕНИЯ ОБ ОШИБКАХ
++Отправляйте сообщения об ошибках по адресу <http://bugzilla.redhat.com>.
++
++.SH ЛИЦЕНЗИЯ И АВТОРЫ
++\fBselinux-polgengui\fP распространяется на условиях Стандартной Общественной Лицензии 
++GNU, авторские права принадлежат Red Hat, Inc.
++.br
++Эта man-страница была написана Daniel Walsh <dwalsh@redhat.com>. Перевод на русский язык выполнила Герасименко Олеся <gammaray@basealt.ru>.
+diff --git a/gui/ru/system-config-selinux.8 b/gui/ru/system-config-selinux.8
+new file mode 100644
+index 000000000000..0b91a3bd62fc
+--- /dev/null
++++ b/gui/ru/system-config-selinux.8
+@@ -0,0 +1,36 @@
++.TH "system-config-selinux" "8" "8 апреля 2013" "Руководство по утилитам настройки системы"
++
++.SH ИМЯ
++system\-config\-selinux \- утилита для управления SELinux
++
++.SH ОБЗОР
++.B system-config-selinux
++
++.SH ОПИСАНИЕ
++Утилита \fBsystem-config-selinux\fP предоставляет графический интерфейс для управления конфигурацией SELinux.
++
++.SH ПАРАМЕТРЫ
++Нет
++
++.SH ФАЙЛЫ
++\fi/usr/bin/system-config-selinux\fP
++
++.SH Примеры
++Чтобы запустить программу, введите:
++
++system-config-selinux
++
++.PP
++.SH "СМОТРИТЕ ТАКЖЕ"
++.TP
++selinux(1), semanage(8)
++.PP
++
++.SH СООБЩЕНИЯ ОБ ОШИБКАХ
++Отправляйте сообщения об ошибках по адресу <http://bugzilla.redhat.com>.
++
++.SH ЛИЦЕНЗИЯ И АВТОРЫ
++\fBsystem-config-selinux\fP распространяется на условиях Стандартной Общественной Лицензии 
++GNU, авторские права принадлежат Red Hat, Inc.
++.br
++Эта man-страница была написана Daniel Walsh <dwalsh@redhat.com>. Перевод на русский язык выполнила Герасименко Олеся <gammaray@basealt.ru>.
+-- 
+2.41.0
+

SOURCES/0018-python-semanage-Allow-modifying-records-on-add.patch

@@ -0,0 +1,396 @@
+From 78e4c9f2c2e97d23a67254647339d3c75bb7986d Mon Sep 17 00:00:00 2001
+From: Vit Mojzis <vmojzis@redhat.com>
+Date: Wed, 14 Feb 2024 13:08:40 +0100
+Subject: [PATCH] python/semanage: Allow modifying records on "add"
+Content-type: text/plain
+
+When trying to add a record with a key that already exists, modify
+the existing record instead.
+
+Also, fix "semanage -m -e" (add_equal was called instead of
+modify_equal), which meant that existing local equivalency couldn't be
+modified (though a user could remove it and add a modified
+equivalency).
+
+Fixes:
+  https://github.com/SELinuxProject/selinux/issues/412
+  When a port or login definition present in the policy is modified
+  using "semanage port -m", "semanage export" exports the command as
+  "port -a" instead of "port -m". This results in "semanage import"
+  failing (port already defined). The same is true for port, user,
+  login, ibpkey, ibendport, node, interface and fcontext.
+
+Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
+---
+ python/semanage/semanage    |   2 +-
+ python/semanage/seobject.py | 208 +++++++++++++++++++++++++-----------
+ 2 files changed, 147 insertions(+), 63 deletions(-)
+
+diff --git a/python/semanage/semanage b/python/semanage/semanage
+index 4fdb490f7df4..b269b9fca65b 100644
+--- a/python/semanage/semanage
++++ b/python/semanage/semanage
+@@ -322,7 +322,7 @@ def handleFcontext(args):
+             OBJECT.add(args.file_spec, args.type, args.ftype, args.range, args.seuser)
+     if args.action == "modify":
+         if args.equal:
+-            OBJECT.add_equal(args.file_spec, args.equal)
++            OBJECT.modify_equal(args.file_spec, args.equal)
+         else:
+             OBJECT.modify(args.file_spec, args.type, args.ftype, args.range, args.seuser)
+     if args.action == "delete":
+diff --git a/python/semanage/seobject.py b/python/semanage/seobject.py
+index cc944ae202c9..12133b53fe91 100644
+--- a/python/semanage/seobject.py
++++ b/python/semanage/seobject.py
+@@ -557,11 +557,6 @@ class loginRecords(semanageRecords):
+         if rc < 0:
+             raise ValueError(_("Could not create a key for %s") % name)
+ 
+-        (rc, exists) = semanage_seuser_exists(self.sh, k)
+-        if rc < 0:
+-            raise ValueError(_("Could not check if login mapping for %s is defined") % name)
+-        if exists:
+-            raise ValueError(_("Login mapping for %s is already defined") % name)
+         if name[0] == '%':
+             try:
+                 grp.getgrnam(name[1:])
+@@ -600,11 +595,29 @@ class loginRecords(semanageRecords):
+     def add(self, name, sename, serange):
+         try:
+             self.begin()
+-            self.__add(name, sename, serange)
++            # Add a new mapping, or modify an existing one
++            if self.__exists(name):
++                print(_("Login mapping for %s is already defined, modifying instead") % name)
++                self.__modify(name, sename, serange)
++            else:
++                self.__add(name, sename, serange)
+             self.commit()
+         except ValueError as error:
+             raise error
+ 
++    # check if login mapping for given user exists
++    def __exists(self, name):
++        (rc, k) = semanage_seuser_key_create(self.sh, name)
++        if rc < 0:
++            raise ValueError(_("Could not create a key for %s") % name)
++
++        (rc, exists) = semanage_seuser_exists(self.sh, k)
++        if rc < 0:
++            raise ValueError(_("Could not check if login mapping for %s is defined") % name)
++        semanage_seuser_key_free(k)
++
++        return exists
++
+     def __modify(self, name, sename="", serange=""):
+         rec, self.oldsename, self.oldserange = selinux.getseuserbyname(name)
+         if sename == "" and serange == "":
+@@ -821,12 +834,6 @@ class seluserRecords(semanageRecords):
+         if rc < 0:
+             raise ValueError(_("Could not create a key for %s") % name)
+ 
+-        (rc, exists) = semanage_user_exists(self.sh, k)
+-        if rc < 0:
+-            raise ValueError(_("Could not check if SELinux user %s is defined") % name)
+-        if exists:
+-            raise ValueError(_("SELinux user %s is already defined") % name)
+-
+         (rc, u) = semanage_user_create(self.sh)
+         if rc < 0:
+             raise ValueError(_("Could not create SELinux user for %s") % name)
+@@ -866,12 +873,28 @@ class seluserRecords(semanageRecords):
+     def add(self, name, roles, selevel, serange, prefix):
+         try:
+             self.begin()
+-            self.__add(name, roles, selevel, serange, prefix)
++            if self.__exists(name):
++                print(_("SELinux user %s is already defined, modifying instead") % name)
++                self.__modify(name, roles, selevel, serange, prefix)
++            else:
++                self.__add(name, roles, selevel, serange, prefix)
+             self.commit()
+         except ValueError as error:
+             self.mylog.commit(0)
+             raise error
+ 
++    def __exists(self, name):
++        (rc, k) = semanage_user_key_create(self.sh, name)
++        if rc < 0:
++            raise ValueError(_("Could not create a key for %s") % name)
++
++        (rc, exists) = semanage_user_exists(self.sh, k)
++        if rc < 0:
++            raise ValueError(_("Could not check if SELinux user %s is defined") % name)
++        semanage_user_key_free(k)
++
++        return exists
++
+     def __modify(self, name, roles=[], selevel="", serange="", prefix=""):
+         oldserole = ""
+         oldserange = ""
+@@ -1103,12 +1126,6 @@ class portRecords(semanageRecords):
+ 
+         (k, proto_d, low, high) = self.__genkey(port, proto)
+ 
+-        (rc, exists) = semanage_port_exists(self.sh, k)
+-        if rc < 0:
+-            raise ValueError(_("Could not check if port {proto}/{port} is defined").format(proto=proto, port=port))
+-        if exists:
+-            raise ValueError(_("Port {proto}/{port} already defined").format(proto=proto, port=port))
+-
+         (rc, p) = semanage_port_create(self.sh)
+         if rc < 0:
+             raise ValueError(_("Could not create port for {proto}/{port}").format(proto=proto, port=port))
+@@ -1152,9 +1169,23 @@ class portRecords(semanageRecords):
+ 
+     def add(self, port, proto, serange, type):
+         self.begin()
+-        self.__add(port, proto, serange, type)
++        if self.__exists(port, proto):
++            print(_("Port {proto}/{port} already defined, modifying instead").format(proto=proto, port=port))
++            self.__modify(port, proto, serange, type)
++        else:
++            self.__add(port, proto, serange, type)
+         self.commit()
+ 
++    def __exists(self, port, proto):
++        (k, proto_d, low, high) = self.__genkey(port, proto)
++
++        (rc, exists) = semanage_port_exists(self.sh, k)
++        if rc < 0:
++            raise ValueError(_("Could not check if port {proto}/{port} is defined").format(proto=proto, port=port))
++        semanage_port_key_free(k)
++
++        return exists
++
+     def __modify(self, port, proto, serange, setype):
+         if serange == "" and setype == "":
+             if is_mls_enabled == 1:
+@@ -1377,12 +1408,6 @@ class ibpkeyRecords(semanageRecords):
+ 
+         (k, subnet_prefix, low, high) = self.__genkey(pkey, subnet_prefix)
+ 
+-        (rc, exists) = semanage_ibpkey_exists(self.sh, k)
+-        if rc < 0:
+-            raise ValueError(_("Could not check if ibpkey {subnet_prefix}/{pkey} is defined").formnat(subnet_prefix=subnet_prefix, pkey=pkey))
+-        if exists:
+-            raise ValueError(_("ibpkey {subnet_prefix}/{pkey} already defined").format(subnet_prefix=subnet_prefix, pkey=pkey))
+-
+         (rc, p) = semanage_ibpkey_create(self.sh)
+         if rc < 0:
+             raise ValueError(_("Could not create ibpkey for {subnet_prefix}/{pkey}").format(subnet_prefix=subnet_prefix, pkey=pkey))
+@@ -1424,9 +1449,23 @@ class ibpkeyRecords(semanageRecords):
+ 
+     def add(self, pkey, subnet_prefix, serange, type):
+         self.begin()
+-        self.__add(pkey, subnet_prefix, serange, type)
++        if self.__exists(pkey, subnet_prefix):
++            print(_("ibpkey {subnet_prefix}/{pkey} already defined, modifying instead").format(subnet_prefix=subnet_prefix, pkey=pkey))
++            self.__modify(pkey, subnet_prefix, serange, type)
++        else:
++            self.__add(pkey, subnet_prefix, serange, type)
+         self.commit()
+ 
++    def __exists(self, pkey, subnet_prefix):
++        (k, subnet_prefix, low, high) = self.__genkey(pkey, subnet_prefix)
++
++        (rc, exists) = semanage_ibpkey_exists(self.sh, k)
++        if rc < 0:
++            raise ValueError(_("Could not check if ibpkey {subnet_prefix}/{pkey} is defined").formnat(subnet_prefix=subnet_prefix, pkey=pkey))
++        semanage_ibpkey_key_free(k)
++
++        return exists
++
+     def __modify(self, pkey, subnet_prefix, serange, setype):
+         if serange == "" and setype == "":
+             if is_mls_enabled == 1:
+@@ -1631,12 +1670,6 @@ class ibendportRecords(semanageRecords):
+             raise ValueError(_("Type %s is invalid, must be an ibendport type") % type)
+         (k, ibendport, port) = self.__genkey(ibendport, ibdev_name)
+ 
+-        (rc, exists) = semanage_ibendport_exists(self.sh, k)
+-        if rc < 0:
+-            raise ValueError(_("Could not check if ibendport {ibdev_name}/{port} is defined").format(ibdev_name=ibdev_name, port=port))
+-        if exists:
+-            raise ValueError(_("ibendport {ibdev_name}/{port} already defined").format(ibdev_name=ibdev_name, port=port))
+-
+         (rc, p) = semanage_ibendport_create(self.sh)
+         if rc < 0:
+             raise ValueError(_("Could not create ibendport for {ibdev_name}/{port}").format(ibdev_name=ibdev_name, port=port))
+@@ -1678,9 +1711,23 @@ class ibendportRecords(semanageRecords):
+ 
+     def add(self, ibendport, ibdev_name, serange, type):
+         self.begin()
+-        self.__add(ibendport, ibdev_name, serange, type)
++        if self.__exists(ibendport, ibdev_name):
++            print(_("ibendport {ibdev_name}/{port} already defined, modifying instead").format(ibdev_name=ibdev_name, port=port))
++            self.__modify(ibendport, ibdev_name, serange, type)
++        else:
++            self.__add(ibendport, ibdev_name, serange, type)
+         self.commit()
+ 
++    def __exists(self, ibendport, ibdev_name):
++        (k, ibendport, port) = self.__genkey(ibendport, ibdev_name)
++
++        (rc, exists) = semanage_ibendport_exists(self.sh, k)
++        if rc < 0:
++            raise ValueError(_("Could not check if ibendport {ibdev_name}/{port} is defined").format(ibdev_name=ibdev_name, port=port))
++        semanage_ibendport_key_free(k)
++
++        return exists
++
+     def __modify(self, ibendport, ibdev_name, serange, setype):
+         if serange == "" and setype == "":
+             if is_mls_enabled == 1:
+@@ -1902,12 +1949,6 @@ class nodeRecords(semanageRecords):
+         if rc < 0:
+             raise ValueError(_("Could not create key for %s") % addr)
+ 
+-        (rc, exists) = semanage_node_exists(self.sh, k)
+-        if rc < 0:
+-            raise ValueError(_("Could not check if addr %s is defined") % addr)
+-        if exists:
+-            raise ValueError(_("Addr %s already defined") % addr)
+-
+         (rc, node) = semanage_node_create(self.sh)
+         if rc < 0:
+             raise ValueError(_("Could not create addr for %s") % addr)
+@@ -1955,9 +1996,27 @@ class nodeRecords(semanageRecords):
+ 
+     def add(self, addr, mask, proto, serange, ctype):
+         self.begin()
+-        self.__add(addr, mask, proto, serange, ctype)
++        if self.__exists(addr, mask, proto):
++            print(_("Addr %s already defined, modifying instead") % addr)
++            self.__modify(addr, mask, proto, serange, ctype)
++        else:
++            self.__add(addr, mask, proto, serange, ctype)
+         self.commit()
+ 
++    def __exists(self, addr, mask, proto):
++        addr, mask, proto, audit_proto = self.validate(addr, mask, proto)
++
++        (rc, k) = semanage_node_key_create(self.sh, addr, mask, proto)
++        if rc < 0:
++            raise ValueError(_("Could not create key for %s") % addr)
++
++        (rc, exists) = semanage_node_exists(self.sh, k)
++        if rc < 0:
++            raise ValueError(_("Could not check if addr %s is defined") % addr)
++        semanage_node_key_free(k)
++
++        return exists
++
+     def __modify(self, addr, mask, proto, serange, setype):
+         addr, mask, proto, audit_proto = self.validate(addr, mask, proto)
+ 
+@@ -2111,12 +2170,6 @@ class interfaceRecords(semanageRecords):
+         if rc < 0:
+             raise ValueError(_("Could not create key for %s") % interface)
+ 
+-        (rc, exists) = semanage_iface_exists(self.sh, k)
+-        if rc < 0:
+-            raise ValueError(_("Could not check if interface %s is defined") % interface)
+-        if exists:
+-            raise ValueError(_("Interface %s already defined") % interface)
+-
+         (rc, iface) = semanage_iface_create(self.sh)
+         if rc < 0:
+             raise ValueError(_("Could not create interface for %s") % interface)
+@@ -2163,9 +2216,25 @@ class interfaceRecords(semanageRecords):
+ 
+     def add(self, interface, serange, ctype):
+         self.begin()
+-        self.__add(interface, serange, ctype)
++        if self.__exists(interface):
++            print(_("Interface %s already defined, modifying instead") % interface)
++            self.__modify(interface, serange, ctype)
++        else:
++            self.__add(interface, serange, ctype)
+         self.commit()
+ 
++    def __exists(self, interface):
++        (rc, k) = semanage_iface_key_create(self.sh, interface)
++        if rc < 0:
++            raise ValueError(_("Could not create key for %s") % interface)
++
++        (rc, exists) = semanage_iface_exists(self.sh, k)
++        if rc < 0:
++            raise ValueError(_("Could not check if interface %s is defined") % interface)
++        semanage_iface_key_free(k)
++
++        return exists
++
+     def __modify(self, interface, serange, setype):
+         if serange == "" and setype == "":
+             raise ValueError(_("Requires setype or serange"))
+@@ -2353,7 +2422,13 @@ class fcontextRecords(semanageRecords):
+             raise ValueError(_("Substitute %s is not valid. Substitute is not allowed to end with '/'") % substitute)
+ 
+         if target in self.equiv.keys():
+-            raise ValueError(_("Equivalence class for %s already exists") % target)
++            print(_("Equivalence class for %s already exists, modifying instead") % target)
++            self.equiv[target] = substitute
++            self.equal_ind = True
++            self.mylog.log_change("resrc=fcontext op=modify-equal %s %s" % (audit.audit_encode_nv_string("sglob", target, 0), audit.audit_encode_nv_string("tglob", substitute, 0)))
++            self.commit()
++            return
++
+         self.validate(target)
+ 
+         for fdict in (self.equiv, self.equiv_dist):
+@@ -2429,18 +2504,6 @@ class fcontextRecords(semanageRecords):
+         if rc < 0:
+             raise ValueError(_("Could not create key for %s") % target)
+ 
+-        (rc, exists) = semanage_fcontext_exists(self.sh, k)
+-        if rc < 0:
+-            raise ValueError(_("Could not check if file context for %s is defined") % target)
+-
+-        if not exists:
+-            (rc, exists) = semanage_fcontext_exists_local(self.sh, k)
+-            if rc < 0:
+-                raise ValueError(_("Could not check if file context for %s is defined") % target)
+-
+-        if exists:
+-            raise ValueError(_("File context for %s already defined") % target)
+-
+         (rc, fcontext) = semanage_fcontext_create(self.sh)
+         if rc < 0:
+             raise ValueError(_("Could not create file context for %s") % target)
+@@ -2479,9 +2542,30 @@ class fcontextRecords(semanageRecords):
+ 
+     def add(self, target, type, ftype="", serange="", seuser="system_u"):
+         self.begin()
+-        self.__add(target, type, ftype, serange, seuser)
++        if self.__exists(target, ftype):
++            print(_("File context for %s already defined, modifying instead") % target)
++            self.__modify(target, type, ftype, serange, seuser)
++        else:
++            self.__add(target, type, ftype, serange, seuser)
+         self.commit()
+ 
++    def __exists(self, target, ftype):
++        (rc, k) = semanage_fcontext_key_create(self.sh, target, file_types[ftype])
++        if rc < 0:
++            raise ValueError(_("Could not create key for %s") % target)
++
++        (rc, exists) = semanage_fcontext_exists(self.sh, k)
++        if rc < 0:
++            raise ValueError(_("Could not check if file context for %s is defined") % target)
++
++        if not exists:
++            (rc, exists) = semanage_fcontext_exists_local(self.sh, k)
++            if rc < 0:
++                raise ValueError(_("Could not check if file context for %s is defined") % target)
++        semanage_fcontext_key_free(k)
++
++        return exists
++
+     def __modify(self, target, setype, ftype, serange, seuser):
+         if serange == "" and setype == "" and seuser == "":
+             raise ValueError(_("Requires setype, serange or seuser"))
+-- 
+2.43.2
+

SOURCES/0018-semodule-utils-Fix-RESOURCE_LEAK-coverity-scan-defec.patch

@@ -1,24 +0,0 @@
-From f8602180d042e95947fe0bbd35d261771b347705 Mon Sep 17 00:00:00 2001
-From: Petr Lautrbach <plautrba@redhat.com>
-Date: Thu, 8 Nov 2018 09:20:58 +0100
-Subject: [PATCH] semodule-utils: Fix RESOURCE_LEAK coverity scan defects
-
----
- semodule-utils/semodule_package/semodule_package.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/semodule-utils/semodule_package/semodule_package.c b/semodule-utils/semodule_package/semodule_package.c
-index 3515234e..7b75b3fd 100644
---- a/semodule-utils/semodule_package/semodule_package.c
-+++ b/semodule-utils/semodule_package/semodule_package.c
-@@ -74,6 +74,7 @@ static int file_to_data(const char *path, char **data, size_t * len)
- 	}
- 	if (!sb.st_size) {
- 		*len = 0;
-+		close(fd);
- 		return 0;
- 	}
- 
--- 
-2.21.0
-

SOURCES/0019-python-semanage-Do-not-sort-local-fcontext-definitio.patch

@@ -0,0 +1,64 @@
+From 616db16b5729a9473cf27edc32a03f38eca417e7 Mon Sep 17 00:00:00 2001
+From: Vit Mojzis <vmojzis@redhat.com>
+Date: Wed, 7 Feb 2024 15:46:23 +0100
+Subject: [PATCH] python/semanage: Do not sort local fcontext definitions
+Content-type: text/plain
+
+Entries in file_contexts.local are processed from the most recent one to
+the oldest, with first match being used. Therefore it is important to
+preserve their order when listing (semanage fcontext -lC) and exporting
+(semanage export).
+
+Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
+---
+ gui/fcontextPage.py         | 6 +++++-
+ python/semanage/seobject.py | 9 +++++++--
+ 2 files changed, 12 insertions(+), 3 deletions(-)
+
+diff --git a/gui/fcontextPage.py b/gui/fcontextPage.py
+index 767664f26ec8..c88df580400f 100644
+--- a/gui/fcontextPage.py
++++ b/gui/fcontextPage.py
+@@ -133,7 +133,11 @@ class fcontextPage(semanagePage):
+         self.fcontext = seobject.fcontextRecords()
+         self.store.clear()
+         fcon_dict = self.fcontext.get_all(self.local)
+-        for k in sorted(fcon_dict.keys()):
++        if self.local:
++            fkeys = fcon_dict.keys()
++        else:
++            fkeys = sorted(fcon_dict.keys())
++        for k in fkeys:
+             if not self.match(fcon_dict, k, filter):
+                 continue
+             iter = self.store.append()
+diff --git a/python/semanage/seobject.py b/python/semanage/seobject.py
+index dfb15b1d77e4..25ec43154848 100644
+--- a/python/semanage/seobject.py
++++ b/python/semanage/seobject.py
+@@ -2735,7 +2735,7 @@ class fcontextRecords(semanageRecords):
+     def customized(self):
+         l = []
+         fcon_dict = self.get_all(True)
+-        for k in sorted(fcon_dict.keys()):
++        for k in fcon_dict.keys():
+             if fcon_dict[k]:
+                 if fcon_dict[k][3]:
+                     l.append("-a -f %s -t %s -r '%s' '%s'" % (file_type_str_to_option[k[1]], fcon_dict[k][2], fcon_dict[k][3], k[0]))
+@@ -2752,7 +2752,12 @@ class fcontextRecords(semanageRecords):
+         if len(fcon_dict) != 0:
+             if heading:
+                 print("%-50s %-18s %s\n" % (_("SELinux fcontext"), _("type"), _("Context")))
+-            for k in sorted(fcon_dict.keys()):
++            # do not sort local customizations since they are evaluated based on the order they where added in
++            if locallist:
++                fkeys = fcon_dict.keys()
++            else:
++                fkeys = sorted(fcon_dict.keys())
++            for k in fkeys:
+                 if fcon_dict[k]:
+                     if is_mls_enabled:
+                         print("%-50s %-18s %s:%s:%s:%s " % (k[0], k[1], fcon_dict[k][0], fcon_dict[k][1], fcon_dict[k][2], translate(fcon_dict[k][3], False)))
+-- 
+2.43.0
+

SOURCES/0020-python-Use-ipaddress-instead-of-IPy.patch

@@ -1,45 +0,0 @@
-From b2512e2a92a33360639a3459039cdf2e685655a8 Mon Sep 17 00:00:00 2001
-From: Petr Lautrbach <plautrba@redhat.com>
-Date: Mon, 3 Dec 2018 14:40:09 +0100
-Subject: [PATCH] python: Use ipaddress instead of IPy
-
-ipaddress module was added in python 3.3 and this allows us to drop python3-IPy
----
- python/semanage/seobject.py | 12 ++++++------
- 1 file changed, 6 insertions(+), 6 deletions(-)
-
-diff --git a/python/semanage/seobject.py b/python/semanage/seobject.py
-index b90b1070..58497e3b 100644
---- a/python/semanage/seobject.py
-+++ b/python/semanage/seobject.py
-@@ -32,7 +32,7 @@ from semanage import *
- PROGNAME = "selinux-python"
- import sepolicy
- import setools
--from IPy import IP
-+import ipaddress
- 
- try:
-     import gettext
-@@ -1851,13 +1851,13 @@ class nodeRecords(semanageRecords):
- 
-         # verify valid comination
-         if len(mask) == 0 or mask[0] == "/":
--            i = IP(addr + mask)
--            newaddr = i.strNormal(0)
--            newmask = str(i.netmask())
--            if newmask == "0.0.0.0" and i.version() == 6:
-+            i = ipaddress.ip_network(addr + mask)
-+            newaddr = str(i.network_address)
-+            newmask = str(i.netmask)
-+            if newmask == "0.0.0.0" and i.version == 6:
-                 newmask = "::"
- 
--            protocol = "ipv%d" % i.version()
-+            protocol = "ipv%d" % i.version
- 
-         try:
-             newprotocol = self.protocol.index(protocol)
--- 
-2.21.0
-

SOURCES/0021-python-semanage-Do-not-traceback-when-the-default-po.patch

@@ -1,93 +0,0 @@
-From 5938d18536f4c0a76521d1f0721e981e6570b012 Mon Sep 17 00:00:00 2001
-From: Petr Lautrbach <plautrba@redhat.com>
-Date: Thu, 4 Apr 2019 23:02:56 +0200
-Subject: [PATCH] python/semanage: Do not traceback when the default policy is
- not available
-
-"import seobject" causes "import sepolicy" which crashes when the system policy
-is not available. It's better to provide an error message instead.
-
-Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
----
- python/semanage/semanage | 37 +++++++++++++++++++++----------------
- 1 file changed, 21 insertions(+), 16 deletions(-)
-
-diff --git a/python/semanage/semanage b/python/semanage/semanage
-index 56db3e0d..4c766ae3 100644
---- a/python/semanage/semanage
-+++ b/python/semanage/semanage
-@@ -25,7 +25,6 @@
- 
- import traceback
- import argparse
--import seobject
- import sys
- PROGNAME = "selinux-python"
- try:
-@@ -129,21 +128,6 @@ class SetImportFile(argparse.Action):
-                 sys.exit(1)
-         setattr(namespace, self.dest, values)
- 
--# define dictonary for seobject OBEJCTS
--object_dict = {
--    'login': seobject.loginRecords,
--    'user': seobject.seluserRecords,
--    'port': seobject.portRecords,
--    'module': seobject.moduleRecords,
--    'interface': seobject.interfaceRecords,
--    'node': seobject.nodeRecords,
--    'fcontext': seobject.fcontextRecords,
--    'boolean': seobject.booleanRecords,
--    'permissive': seobject.permissiveRecords,
--    'dontaudit': seobject.dontauditClass,
--    'ibpkey': seobject.ibpkeyRecords,
--    'ibendport': seobject.ibendportRecords
--}
- 
- def generate_custom_usage(usage_text, usage_dict):
-     # generate custom usage from given text and dictonary
-@@ -608,6 +592,7 @@ def setupInterfaceParser(subparsers):
- 
- 
- def handleModule(args):
-+    import seobject
-     OBJECT = seobject.moduleRecords(args)
-     if args.action_add:
-         OBJECT.add(args.action_add[0], args.priority)
-@@ -846,6 +831,7 @@ def mkargv(line):
- 
- 
- def handleImport(args):
-+    import seobject
-     trans = seobject.semanageRecords(args)
-     trans.start()
- 
-@@ -887,6 +873,25 @@ def createCommandParser():
-     #To add a new subcommand define the parser for it in a function above and call it here.
-     subparsers = commandParser.add_subparsers(dest='subcommand')
-     subparsers.required = True
-+
-+    import seobject
-+    # define dictonary for seobject OBEJCTS
-+    global object_dict
-+    object_dict = {
-+        'login': seobject.loginRecords,
-+        'user': seobject.seluserRecords,
-+        'port': seobject.portRecords,
-+        'module': seobject.moduleRecords,
-+        'interface': seobject.interfaceRecords,
-+        'node': seobject.nodeRecords,
-+        'fcontext': seobject.fcontextRecords,
-+        'boolean': seobject.booleanRecords,
-+        'permissive': seobject.permissiveRecords,
-+        'dontaudit': seobject.dontauditClass,
-+        'ibpkey': seobject.ibpkeyRecords,
-+        'ibendport': seobject.ibendportRecords
-+    }
-+
-     setupImportParser(subparsers)
-     setupExportParser(subparsers)
-     setupLoginParser(subparsers)
--- 
-2.21.0
-

SOURCES/0022-policycoreutils-fixfiles-Fix-B-F-onboot.patch

@@ -1,108 +0,0 @@
-From 99582e3bf63475b7af5793bb9230e88d847dc7c8 Mon Sep 17 00:00:00 2001
-From: Petr Lautrbach <plautrba@redhat.com>
-Date: Tue, 2 Jul 2019 17:11:32 +0200
-Subject: [PATCH] policycoreutils/fixfiles: Fix [-B] [-F] onboot
-
-Commit 6e289bb7bf3d ("policycoreutils: fixfiles: remove bad modes of "relabel"
-command") added "$RESTORE_MODE" != DEFAULT test when onboot is used. It makes
-`fixfiles -B onboot` to show usage instead of updating /.autorelabel
-
-The code is restructured to handle -B for different modes correctly.
-
-Fixes:
-    # fixfiles -B onboot
-    Usage: /usr/sbin/fixfiles [-v] [-F] [-f] relabel
-    ...
-
-Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
----
- policycoreutils/scripts/fixfiles | 29 +++++++++++++++--------------
- 1 file changed, 15 insertions(+), 14 deletions(-)
-
-diff --git a/policycoreutils/scripts/fixfiles b/policycoreutils/scripts/fixfiles
-index 53d28c7b..9dd44213 100755
---- a/policycoreutils/scripts/fixfiles
-+++ b/policycoreutils/scripts/fixfiles
-@@ -112,7 +112,7 @@ VERBOSE="-p"
- FORCEFLAG=""
- RPMFILES=""
- PREFC=""
--RESTORE_MODE="DEFAULT"
-+RESTORE_MODE=""
- SETFILES=/sbin/setfiles
- RESTORECON=/sbin/restorecon
- FILESYSTEMSRW=`get_rw_labeled_mounts`
-@@ -214,16 +214,17 @@ restore () {
- OPTION=$1
- shift
- 
--case "$RESTORE_MODE" in
--    PREFC)
--	diff_filecontext $*
--	return
--    ;;
--    BOOTTIME)
-+# [-B | -N time ]
-+if [ -z "$BOOTTIME" ]; then
- 	newer $BOOTTIME $*
- 	return
--    ;;
--esac
-+fi
-+
-+# -C PREVIOUS_FILECONTEXT
-+if [ "$RESTORE_MODE" == PREFC ]; then
-+	diff_filecontext $*
-+	return
-+fi
- 
- [ -x /usr/sbin/genhomedircon ] && /usr/sbin/genhomedircon
- 
-@@ -239,7 +240,7 @@ case "$RESTORE_MODE" in
-     FILEPATH)
- 	${RESTORECON} ${VERBOSE} ${EXCLUDEDIRS} ${FORCEFLAG} $* -R -- "$FILEPATH"
-     ;;
--    DEFAULT)
-+    *)
- 	if [ -n "${FILESYSTEMSRW}" ]; then
- 	    LogReadOnly
- 	    echo "${OPTION}ing `echo ${FILESYSTEMSRW}`"
-@@ -272,7 +273,7 @@ fullrelabel() {
- 
- 
- relabel() {
--    if [ "$RESTORE_MODE" != DEFAULT ]; then
-+    if [ -n "$RESTORE_MODE" -a "$RESTORE_MODE" != DEFAULT ]; then
- 	usage
- 	exit 1
-     fi
-@@ -306,7 +307,7 @@ case "$1" in
-     verify) restore Verify -n;;
-     relabel) relabel;;
-     onboot)
--	if [ "$RESTORE_MODE" != DEFAULT ]; then
-+	if [ -n "$RESTORE_MODE" -a "$RESTORE_MODE" != DEFAULT ]; then
- 	    usage
- 	    exit 1
- 	fi
-@@ -344,7 +345,7 @@ if [ $# -eq 0 ]; then
- fi
- 
- set_restore_mode() {
--	if [ "$RESTORE_MODE" != DEFAULT ]; then
-+	if [ -n "$RESTORE_MODE" ]; then
- 		# can't specify two different modes
- 		usage
- 		exit 1
-@@ -357,7 +358,7 @@ while getopts "N:BC:FfR:l:v" i; do
-     case "$i" in
- 	B)
- 		BOOTTIME=`/bin/who -b | awk '{print $3}'`
--		set_restore_mode BOOTTIME
-+		set_restore_mode DEFAULT
- 		;;
- 	N)
- 		BOOTTIME=$OPTARG
--- 
-2.21.0
-

SOURCES/0023-policycoreutils-fixfiles-Force-full-relabel-when-SEL.patch

@@ -1,33 +0,0 @@
-From 9bcf8ad7b9b6d8d761f7d097196b2b9bc114fa0a Mon Sep 17 00:00:00 2001
-From: Petr Lautrbach <plautrba@redhat.com>
-Date: Tue, 2 Jul 2019 17:12:07 +0200
-Subject: [PATCH] policycoreutils/fixfiles: Force full relabel when SELinux is
- disabled
-
-The previous check used getfilecon to check whether / slash contains a label,
-but getfilecon fails only when SELinux is disabled. Therefore it's better to
-check this using selinuxenabled.
-
-Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
----
- policycoreutils/scripts/fixfiles | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/policycoreutils/scripts/fixfiles b/policycoreutils/scripts/fixfiles
-index 9dd44213..a9d27d13 100755
---- a/policycoreutils/scripts/fixfiles
-+++ b/policycoreutils/scripts/fixfiles
-@@ -314,8 +314,8 @@ case "$1" in
- 	> /.autorelabel || exit $?
- 	[ -z "$FORCEFLAG" ] || echo -n "$FORCEFLAG " >> /.autorelabel
- 	[ -z "$BOOTTIME" ] || echo -N $BOOTTIME >> /.autorelabel
--	# Force full relabel if / does not have a label on it
--	getfilecon / > /dev/null 2>&1  || echo -F >/.autorelabel
-+	# Force full relabel if SELinux is not enabled
-+	selinuxenabled || echo -F > /.autorelabel
- 	echo "System will relabel on next boot"
- 	;;
-     *)
--- 
-2.21.0
-

SOURCES/0024-policycoreutils-fixfiles-Fix-unbound-variable-proble.patch

@@ -1,32 +0,0 @@
-From 7383f8fbab82826de21d3013a43680867642e49e Mon Sep 17 00:00:00 2001
-From: Vit Mojzis <vmojzis@redhat.com>
-Date: Wed, 21 Aug 2019 17:43:25 +0200
-Subject: [PATCH] policycoreutils/fixfiles: Fix unbound variable problem
-
-Fix a typo introduced in commit d3f8b2c3cd909 ("policycoreutils/fixfiles: Fix
-[-B] [-F] onboot"), which broke  "fixfiles relabel":
-
-    #fixfiles relabel
-    /sbin/fixfiles: line 151: $1: unbound variable
-
-Resolves: rhbz#1743213
----
- policycoreutils/scripts/fixfiles | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/policycoreutils/scripts/fixfiles b/policycoreutils/scripts/fixfiles
-index a9d27d13..df0042aa 100755
---- a/policycoreutils/scripts/fixfiles
-+++ b/policycoreutils/scripts/fixfiles
-@@ -215,7 +215,7 @@ OPTION=$1
- shift
- 
- # [-B | -N time ]
--if [ -z "$BOOTTIME" ]; then
-+if [ -n "$BOOTTIME" ]; then
- 	newer $BOOTTIME $*
- 	return
- fi
--- 
-2.21.0
-

SOURCES/0025-gui-Fix-remove-module-in-system-config-selinux.patch

@@ -1,38 +0,0 @@
-From f6c67c02f25d3a8971dcc5667121236fab85dd65 Mon Sep 17 00:00:00 2001
-From: Petr Lautrbach <plautrba@redhat.com>
-Date: Thu, 29 Aug 2019 08:58:20 +0200
-Subject: [PATCH] gui: Fix remove module in system-config-selinux
-
-When a user tried to remove a policy module with priority other than 400 via
-GUI, it failed with a message:
-
-libsemanage.semanage_direct_remove_key: Unable to remove module somemodule at priority 400. (No such file or directory).
-
-This is fixed by calling "semodule -x PRIORITY -r NAME" instead of
-"semodule -r NAME".
-
-From Jono Hein <fredwacko40@hotmail.com>
-Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
----
- gui/modulesPage.py | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/gui/modulesPage.py b/gui/modulesPage.py
-index 26ac5404..35a0129b 100644
---- a/gui/modulesPage.py
-+++ b/gui/modulesPage.py
-@@ -125,9 +125,10 @@ class modulesPage(semanagePage):
-     def delete(self):
-         store, iter = self.view.get_selection().get_selected()
-         module = store.get_value(iter, 0)
-+        priority = store.get_value(iter, 1)
-         try:
-             self.wait()
--            status, output = getstatusoutput("semodule -r %s" % module)
-+            status, output = getstatusoutput("semodule -X %s -r %s" % (priority, module))
-             self.ready()
-             if status != 0:
-                 self.error(output)
--- 
-2.21.0
-

SOURCES/0026-python-semanage-Do-not-use-default-s0-range-in-seman.patch

@@ -1,30 +0,0 @@
-From c2e942fc452bff06cc5ed9017afe169c6941f4e4 Mon Sep 17 00:00:00 2001
-From: Petr Lautrbach <plautrba@redhat.com>
-Date: Tue, 3 Sep 2019 15:17:27 +0200
-Subject: [PATCH] python/semanage: Do not use default s0 range in "semanage
- login -a"
-
-Using the "s0" default means that new login mappings are always added with "s0"
-range instead of the range of SELinux user.
-
-Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
----
- python/semanage/semanage | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/python/semanage/semanage b/python/semanage/semanage
-index 4c766ae3..fa78afce 100644
---- a/python/semanage/semanage
-+++ b/python/semanage/semanage
-@@ -221,7 +221,7 @@ def parser_add_level(parser, name):
- 
- 
- def parser_add_range(parser, name):
--    parser.add_argument('-r', '--range', default="s0",
-+    parser.add_argument('-r', '--range', default='',
-                         help=_('''
- MLS/MCS Security Range (MLS/MCS Systems only)
- SELinux Range  for SELinux login mapping
--- 
-2.21.0
-

SOURCES/0027-policycoreutils-fixfiles-Fix-verify-option.patch

@@ -1,33 +0,0 @@
-From 4733a594c5df14f64293d19f16498e68dc5e3a98 Mon Sep 17 00:00:00 2001
-From: Vit Mojzis <vmojzis@redhat.com>
-Date: Tue, 24 Sep 2019 08:41:30 +0200
-Subject: [PATCH] policycoreutils/fixfiles: Fix "verify" option
-
-"restorecon -n" (used in the "restore" function) has to be used with
-"-v" to display the files whose labels would be changed.
-
-Fixes:
-   Fixfiles verify does not report misslabelled files unless "-v" option is
-   used.
-
-Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
----
- policycoreutils/scripts/fixfiles | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/policycoreutils/scripts/fixfiles b/policycoreutils/scripts/fixfiles
-index df0042aa..be19e56c 100755
---- a/policycoreutils/scripts/fixfiles
-+++ b/policycoreutils/scripts/fixfiles
-@@ -304,7 +304,7 @@ process() {
- case "$1" in
-     restore) restore Relabel;;
-     check) VERBOSE="-v"; restore Check -n;;
--    verify) restore Verify -n;;
-+    verify) VERBOSE="-v"; restore Verify -n;;
-     relabel) relabel;;
-     onboot)
- 	if [ -n "$RESTORE_MODE" -a "$RESTORE_MODE" != DEFAULT ]; then
--- 
-2.21.0
-

SOURCES/0028-python-semanage-Improve-handling-of-permissive-state.patch

@@ -1,102 +0,0 @@
-From 0803fcb2c014b2cedf8f4d92b80fc382916477ee Mon Sep 17 00:00:00 2001
-From: Vit Mojzis <vmojzis@redhat.com>
-Date: Fri, 27 Sep 2019 16:13:47 +0200
-Subject: [PATCH] python/semanage: Improve handling of "permissive" statements
-
-- Add "customized" method to permissiveRecords which is than used for
-  "semanage permissive --extract" and "semanage export"
-- Enable "semanage permissive --deleteall" (already implemented)
-- Add "permissive" to the list of modules exported using
-  "semanage export"
-- Update "semanage permissive" man page
-
-Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
----
- python/semanage/semanage              | 11 ++++++++---
- python/semanage/semanage-permissive.8 |  8 +++++++-
- python/semanage/seobject.py           |  3 +++
- 3 files changed, 18 insertions(+), 4 deletions(-)
-
-diff --git a/python/semanage/semanage b/python/semanage/semanage
-index fa78afce..b2bd9df9 100644
---- a/python/semanage/semanage
-+++ b/python/semanage/semanage
-@@ -722,6 +722,11 @@ def handlePermissive(args):
- 
-     if args.action == "list":
-         OBJECT.list(args.noheading)
-+    elif args.action == "deleteall":
-+        OBJECT.deleteall()
-+    elif args.action == "extract":
-+        for i in OBJECT.customized():
-+            print("permissive %s" % str(i))
-     elif args.type is not None:
-         if args.action == "add":
-             OBJECT.add(args.type)
-@@ -737,9 +742,9 @@ def setupPermissiveParser(subparsers):
-     pgroup = permissiveParser.add_mutually_exclusive_group(required=True)
-     parser_add_add(pgroup, "permissive")
-     parser_add_delete(pgroup, "permissive")
-+    parser_add_deleteall(pgroup, "permissive")
-+    parser_add_extract(pgroup, "permissive")
-     parser_add_list(pgroup, "permissive")
--    #TODO: probably should be also added => need to implement own option handling
--    #parser_add_deleteall(pgroup)
- 
-     parser_add_noheading(permissiveParser, "permissive")
-     parser_add_noreload(permissiveParser, "permissive")
-@@ -763,7 +768,7 @@ def setupDontauditParser(subparsers):
- 
- 
- def handleExport(args):
--    manageditems = ["boolean", "login", "interface", "user", "port", "node", "fcontext", "module", "ibendport", "ibpkey"]
-+    manageditems = ["boolean", "login", "interface", "user", "port", "node", "fcontext", "module", "ibendport", "ibpkey", "permissive"]
-     for i in manageditems:
-         print("%s -D" % i)
-     for i in manageditems:
-diff --git a/python/semanage/semanage-permissive.8 b/python/semanage/semanage-permissive.8
-index 1999a451..5c3364fa 100644
---- a/python/semanage/semanage-permissive.8
-+++ b/python/semanage/semanage-permissive.8
-@@ -2,7 +2,7 @@
- .SH "NAME"
- .B semanage\-permissive \- SELinux Policy Management permissive mapping tool
- .SH "SYNOPSIS"
--.B semanage permissive [\-h] (\-a | \-d | \-l) [\-n] [\-N] [\-S STORE] [type]
-+.B semanage permissive [\-h] [\-n] [\-N] [\-S STORE] (\-\-add TYPE | \-\-delete TYPE | \-\-deleteall | \-\-extract | \-\-list)
- 
- .SH "DESCRIPTION"
- semanage is used to configure certain elements of SELinux policy without requiring modification to or recompilation from policy sources.  semanage permissive adds or removes a SELinux Policy permissive module.
-@@ -18,9 +18,15 @@ Add a record of the specified object type
- .I   \-d, \-\-delete
- Delete a record of the specified object type
- .TP
-+.I   \-D, \-\-deleteall
-+Remove all local customizations of permissive domains
-+.TP
- .I   \-l, \-\-list
- List records of the specified object type
- .TP
-+.I   \-E, \-\-extract
-+Extract customizable commands, for use within a transaction
-+.TP
- .I   \-n, \-\-noheading
- Do not print heading when listing the specified object type
- .TP
-diff --git a/python/semanage/seobject.py b/python/semanage/seobject.py
-index 58497e3b..3959abc8 100644
---- a/python/semanage/seobject.py
-+++ b/python/semanage/seobject.py
-@@ -478,6 +478,9 @@ class permissiveRecords(semanageRecords):
-                 l.append(name.split("permissive_")[1])
-         return l
- 
-+    def customized(self):
-+        return ["-a %s" % x for x in sorted(self.get_all())]
-+
-     def list(self, heading=1, locallist=0):
-         all = [y["name"] for y in [x for x in sepolicy.info(sepolicy.TYPE) if x["permissive"]]]
-         if len(all) == 0:
--- 
-2.21.0
-

SOURCES/0029-python-semanage-fix-moduleRecords.customized.patch

@@ -1,41 +0,0 @@
-From 7cc31c4799dd94ed516a39d853744bd1ffb6dc69 Mon Sep 17 00:00:00 2001
-From: Vit Mojzis <vmojzis@redhat.com>
-Date: Mon, 30 Sep 2019 09:49:04 +0200
-Subject: [PATCH] python/semanage: fix moduleRecords.customized()
-
-Return value of "customized" has to be iterable.
-
-Fixes:
-   "semanage export" with no modules in the system (eg. monolithic policy)
-   crashes:
-
-   Traceback (most recent call last):
-     File "/usr/sbin/semanage", line 970, in <module>
-       do_parser()
-     File "/usr/sbin/semanage", line 949, in do_parser
-       args.func(args)
-     File "/usr/sbin/semanage", line 771, in handleExport
-       for c in OBJECT.customized():
-   TypeError: 'NoneType' object is not iterable
-
-Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
----
- python/semanage/seobject.py | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/python/semanage/seobject.py b/python/semanage/seobject.py
-index 3959abc8..16edacaa 100644
---- a/python/semanage/seobject.py
-+++ b/python/semanage/seobject.py
-@@ -380,7 +380,7 @@ class moduleRecords(semanageRecords):
-     def customized(self):
-         all = self.get_all()
-         if len(all) == 0:
--            return
-+            return []
-         return ["-d %s" % x[0] for x in [t for t in all if t[1] == 0]]
- 
-     def list(self, heading=1, locallist=0):
--- 
-2.21.0
-

SOURCES/0030-python-semanage-Add-support-for-DCCP-and-SCTP-protoc.patch

@@ -1,45 +0,0 @@
-From 7cbfcec89a6972f9c700687ed3cef25ff0846461 Mon Sep 17 00:00:00 2001
-From: Vit Mojzis <vmojzis@redhat.com>
-Date: Tue, 8 Oct 2019 14:22:13 +0200
-Subject: [PATCH] python/semanage: Add support for DCCP and SCTP protocols
-
-Fixes:
-   # semanage port -a -p sctp -t port_t 1234
-   ValueError: Protocol udp or tcp is required
-   # semanage port -d -p sctp -t port_t 1234
-   ValueError: Protocol udp or tcp is required
-
-Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
----
- python/semanage/seobject.py | 14 ++++++++------
- 1 file changed, 8 insertions(+), 6 deletions(-)
-
-diff --git a/python/semanage/seobject.py b/python/semanage/seobject.py
-index 16edacaa..70ebfd08 100644
---- a/python/semanage/seobject.py
-+++ b/python/semanage/seobject.py
-@@ -1058,13 +1058,15 @@ class portRecords(semanageRecords):
-             pass
- 
-     def __genkey(self, port, proto):
--        if proto == "tcp":
--            proto_d = SEMANAGE_PROTO_TCP
-+        protocols = {"tcp": SEMANAGE_PROTO_TCP,
-+                     "udp": SEMANAGE_PROTO_UDP,
-+                     "sctp": SEMANAGE_PROTO_SCTP,
-+                     "dccp": SEMANAGE_PROTO_DCCP}
-+
-+        if proto in protocols.keys():
-+            proto_d = protocols[proto]
-         else:
--            if proto == "udp":
--                proto_d = SEMANAGE_PROTO_UDP
--            else:
--                raise ValueError(_("Protocol udp or tcp is required"))
-+            raise ValueError(_("Protocol has to be one of udp, tcp, dccp or sctp"))
-         if port == "":
-             raise ValueError(_("Port is required"))
- 
--- 
-2.21.0
-

SOURCES/0031-dbus-Fix-FileNotFoundError-in-org.selinux.relabel_on.patch

@@ -1,40 +0,0 @@
-From 6e5ccf2dd3329b400b70b7806b9c6128c5c50995 Mon Sep 17 00:00:00 2001
-From: Petr Lautrbach <plautrba@redhat.com>
-Date: Fri, 15 Nov 2019 09:15:49 +0100
-Subject: [PATCH] dbus: Fix FileNotFoundError in org.selinux.relabel_on_boot
-
-When org.selinux.relabel_on_boot(0) was called twice, it failed with
-FileNotFoundError.
-
-Fixes:
-    $ dbus-send --system --print-reply --dest=org.selinux /org/selinux/object org.selinux.relabel_on_boot int64:1
-    method return sender=:1.53 -> dest=:1.54 reply_serial=2
-    $ dbus-send --system --print-reply --dest=org.selinux /org/selinux/object org.selinux.relabel_on_boot int64:0
-    method return sender=:1.53 -> dest=:1.55 reply_serial=2
-    $ dbus-send --system --print-reply --dest=org.selinux /org/selinux/object org.selinux.relabel_on_boot int64:0
-    Error org.freedesktop.DBus.Python.FileNotFoundError: FileNotFoundError: [Errno 2] No such file or directory: '/.autorelabel'
-
-Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
----
- dbus/selinux_server.py | 5 ++++-
- 1 file changed, 4 insertions(+), 1 deletion(-)
-
-diff --git a/dbus/selinux_server.py b/dbus/selinux_server.py
-index b9debc071485..be4f4557a9fa 100644
---- a/dbus/selinux_server.py
-+++ b/dbus/selinux_server.py
-@@ -85,7 +85,10 @@ class selinux_server(slip.dbus.service.Object):
-             fd = open("/.autorelabel", "w")
-             fd.close()
-         else:
--            os.unlink("/.autorelabel")
-+            try:
-+                os.unlink("/.autorelabel")
-+            except FileNotFoundError:
-+                pass
- 
-     def write_selinux_config(self, enforcing=None, policy=None):
-         path = selinux.selinux_path() + "config"
--- 
-2.23.0
-

SOURCES/0032-restorecond-Fix-redundant-console-log-output-error.patch

@@ -1,200 +0,0 @@
-From 76371721bafed56efcb7a83b3fa3285383ede5b7 Mon Sep 17 00:00:00 2001
-From: Baichuan Kong <kongbaichuan@huawei.com>
-Date: Thu, 14 Nov 2019 10:48:07 +0800
-Subject: [PATCH] restorecond: Fix redundant console log output error
-
-When starting restorecond without any option the following redundant
-console log is outputed:
-
-/dev/log 100.0%
-/var/volatile/run/syslogd.pid 100.0%
-...
-
-This is caused by two global variables of same name r_opts. When
-executes r_opts = opts in restore_init(), it originally intends
-to assign the address of struct r_opts in "restorecond.c" to the
-pointer *r_opts in "restore.c".
-
-However, the address is assigned to the struct r_opts and covers
-the value of low eight bytes in it. That causes unexpected value
-of member varibale 'nochange' and 'verbose' in struct r_opts, thus
-affects value of 'restorecon_flags' and executes unexpected operations
-when restorecon the files such as the redundant console log output or
-file label nochange.
-
-Cause restorecond/restore.c is copied from policycoreutils/setfiles,
-which share the same pattern. It also has potential risk to generate
-same problems, So fix it in case.
-
-Signed-off-by: Baichuan Kong <kongbaichuan@huawei.com>
-
-(cherry-picked from SElinuxProject
-commit ad2208ec220f55877a4d31084be2b4d6413ee082)
-
-Resolves: rhbz#1626468
----
- policycoreutils/setfiles/restore.c | 42 ++++++++++++++----------------
- restorecond/restore.c              | 40 +++++++++++++---------------
- 2 files changed, 37 insertions(+), 45 deletions(-)
-
-diff --git a/policycoreutils/setfiles/restore.c b/policycoreutils/setfiles/restore.c
-index 9dea5656..d3335d1a 100644
---- a/policycoreutils/setfiles/restore.c
-+++ b/policycoreutils/setfiles/restore.c
-@@ -17,40 +17,37 @@
- char **exclude_list;
- int exclude_count;
- 
--struct restore_opts *r_opts;
--
- void restore_init(struct restore_opts *opts)
- {
- 	int rc;
- 
--	r_opts = opts;
- 	struct selinux_opt selinux_opts[] = {
--		{ SELABEL_OPT_VALIDATE, r_opts->selabel_opt_validate },
--		{ SELABEL_OPT_PATH, r_opts->selabel_opt_path },
--		{ SELABEL_OPT_DIGEST, r_opts->selabel_opt_digest }
-+		{ SELABEL_OPT_VALIDATE, opts->selabel_opt_validate },
-+		{ SELABEL_OPT_PATH, opts->selabel_opt_path },
-+		{ SELABEL_OPT_DIGEST, opts->selabel_opt_digest }
- 	};
- 
--	r_opts->hnd = selabel_open(SELABEL_CTX_FILE, selinux_opts, 3);
--	if (!r_opts->hnd) {
--		perror(r_opts->selabel_opt_path);
-+	opts->hnd = selabel_open(SELABEL_CTX_FILE, selinux_opts, 3);
-+	if (!opts->hnd) {
-+		perror(opts->selabel_opt_path);
- 		exit(1);
- 	}
- 
--	r_opts->restorecon_flags = 0;
--	r_opts->restorecon_flags = r_opts->nochange | r_opts->verbose |
--			   r_opts->progress | r_opts->set_specctx  |
--			   r_opts->add_assoc | r_opts->ignore_digest |
--			   r_opts->recurse | r_opts->userealpath |
--			   r_opts->xdev | r_opts->abort_on_error |
--			   r_opts->syslog_changes | r_opts->log_matches |
--			   r_opts->ignore_noent | r_opts->ignore_mounts |
--			   r_opts->mass_relabel;
-+	opts->restorecon_flags = 0;
-+	opts->restorecon_flags = opts->nochange | opts->verbose |
-+			   opts->progress | opts->set_specctx  |
-+			   opts->add_assoc | opts->ignore_digest |
-+			   opts->recurse | opts->userealpath |
-+			   opts->xdev | opts->abort_on_error |
-+			   opts->syslog_changes | opts->log_matches |
-+			   opts->ignore_noent | opts->ignore_mounts |
-+			   opts->mass_relabel;
- 
- 	/* Use setfiles, restorecon and restorecond own handles */
--	selinux_restorecon_set_sehandle(r_opts->hnd);
-+	selinux_restorecon_set_sehandle(opts->hnd);
- 
--	if (r_opts->rootpath) {
--		rc = selinux_restorecon_set_alt_rootpath(r_opts->rootpath);
-+	if (opts->rootpath) {
-+		rc = selinux_restorecon_set_alt_rootpath(opts->rootpath);
- 		if (rc) {
- 			fprintf(stderr,
- 				"selinux_restorecon_set_alt_rootpath error: %s.\n",
-@@ -81,7 +78,6 @@ int process_glob(char *name, struct restore_opts *opts)
- 	size_t i = 0;
- 	int len, rc, errors;
- 
--	r_opts = opts;
- 	memset(&globbuf, 0, sizeof(globbuf));
- 
- 	errors = glob(name, GLOB_TILDE | GLOB_PERIOD |
-@@ -96,7 +92,7 @@ int process_glob(char *name, struct restore_opts *opts)
- 		if (len > 0 && strcmp(&globbuf.gl_pathv[i][len], "/..") == 0)
- 			continue;
- 		rc = selinux_restorecon(globbuf.gl_pathv[i],
--					r_opts->restorecon_flags);
-+					opts->restorecon_flags);
- 		if (rc < 0)
- 			errors = rc;
- 	}
-diff --git a/restorecond/restore.c b/restorecond/restore.c
-index f6e30001..b93b5fdb 100644
---- a/restorecond/restore.c
-+++ b/restorecond/restore.c
-@@ -12,39 +12,36 @@
- char **exclude_list;
- int exclude_count;
- 
--struct restore_opts *r_opts;
--
- void restore_init(struct restore_opts *opts)
- {
- 	int rc;
- 
--	r_opts = opts;
- 	struct selinux_opt selinux_opts[] = {
--		{ SELABEL_OPT_VALIDATE, r_opts->selabel_opt_validate },
--		{ SELABEL_OPT_PATH, r_opts->selabel_opt_path },
--		{ SELABEL_OPT_DIGEST, r_opts->selabel_opt_digest }
-+		{ SELABEL_OPT_VALIDATE, opts->selabel_opt_validate },
-+		{ SELABEL_OPT_PATH, opts->selabel_opt_path },
-+		{ SELABEL_OPT_DIGEST, opts->selabel_opt_digest }
- 	};
- 
--	r_opts->hnd = selabel_open(SELABEL_CTX_FILE, selinux_opts, 3);
--	if (!r_opts->hnd) {
--		perror(r_opts->selabel_opt_path);
-+	opts->hnd = selabel_open(SELABEL_CTX_FILE, selinux_opts, 3);
-+	if (!opts->hnd) {
-+		perror(opts->selabel_opt_path);
- 		exit(1);
- 	}
- 
--	r_opts->restorecon_flags = 0;
--	r_opts->restorecon_flags = r_opts->nochange | r_opts->verbose |
--			   r_opts->progress | r_opts->set_specctx  |
--			   r_opts->add_assoc | r_opts->ignore_digest |
--			   r_opts->recurse | r_opts->userealpath |
--			   r_opts->xdev | r_opts->abort_on_error |
--			   r_opts->syslog_changes | r_opts->log_matches |
--			   r_opts->ignore_noent | r_opts->ignore_mounts;
-+	opts->restorecon_flags = 0;
-+	opts->restorecon_flags = opts->nochange | opts->verbose |
-+			   opts->progress | opts->set_specctx  |
-+			   opts->add_assoc | opts->ignore_digest |
-+			   opts->recurse | opts->userealpath |
-+			   opts->xdev | opts->abort_on_error |
-+			   opts->syslog_changes | opts->log_matches |
-+			   opts->ignore_noent | opts->ignore_mounts;
- 
- 	/* Use setfiles, restorecon and restorecond own handles */
--	selinux_restorecon_set_sehandle(r_opts->hnd);
-+	selinux_restorecon_set_sehandle(opts->hnd);
- 
--	if (r_opts->rootpath) {
--		rc = selinux_restorecon_set_alt_rootpath(r_opts->rootpath);
-+	if (opts->rootpath) {
-+		rc = selinux_restorecon_set_alt_rootpath(opts->rootpath);
- 		if (rc) {
- 			fprintf(stderr,
- 				"selinux_restorecon_set_alt_rootpath error: %s.\n",
-@@ -75,7 +72,6 @@ int process_glob(char *name, struct restore_opts *opts)
- 	size_t i = 0;
- 	int len, rc, errors;
- 
--	r_opts = opts;
- 	memset(&globbuf, 0, sizeof(globbuf));
- 
- 	errors = glob(name, GLOB_TILDE | GLOB_PERIOD |
-@@ -90,7 +86,7 @@ int process_glob(char *name, struct restore_opts *opts)
- 		if (len > 0 && strcmp(&globbuf.gl_pathv[i][len], "/..") == 0)
- 			continue;
- 		rc = selinux_restorecon(globbuf.gl_pathv[i],
--					r_opts->restorecon_flags);
-+					opts->restorecon_flags);
- 		if (rc < 0)
- 			errors = rc;
- 	}
--- 
-2.21.0
-

SOURCES/0033-python-semanage-empty-stdout-before-exiting-on-Broke.patch

@@ -1,55 +0,0 @@
-From 0bed778c53a4f93b1b092b3db33e8c36aabfa39d Mon Sep 17 00:00:00 2001
-From: Vit Mojzis <vmojzis@redhat.com>
-Date: Tue, 5 Jan 2021 17:00:21 +0100
-Subject: [PATCH] python/semanage: empty stdout before exiting on
- BrokenPipeError
-
-Empty stdout buffer before exiting when BrokenPipeError is
-encountered. Otherwise python will flush the bufer during exit, which
-may trigger the exception again.
-https://docs.python.org/3/library/signal.html#note-on-sigpipe
-
-Fixes:
-   #semanage fcontext -l | egrep -q -e '^/home'
-   BrokenPipeError: [Errno 32] Broken pipe
-   Exception ignored in: <_io.TextIOWrapper name='<stdout>' mode='w' encoding='UTF-8'>
-   BrokenPipeError: [Errno 32] Broken pipe
-
-Note that the error above only appears occasionally (usually only the
-first line is printed).
-
-Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
-Acked-by: Nicolas Iooss <nicolas.iooss@m4x.org>
----
- python/semanage/semanage | 8 ++++++++
- 1 file changed, 8 insertions(+)
-
-diff --git a/python/semanage/semanage b/python/semanage/semanage
-index b2bd9df9..1abe3536 100644
---- a/python/semanage/semanage
-+++ b/python/semanage/semanage
-@@ -26,6 +26,7 @@
- import traceback
- import argparse
- import sys
-+import os
- PROGNAME = "selinux-python"
- try:
-     import gettext
-@@ -953,6 +954,13 @@ def do_parser():
-         args = commandParser.parse_args(make_args(sys.argv))
-         args.func(args)
-         sys.exit(0)
-+    except BrokenPipeError as e:
-+        sys.stderr.write("%s: %s\n" % (e.__class__.__name__, str(e)))
-+        # Python flushes standard streams on exit; redirect remaining output
-+        # to devnull to avoid another BrokenPipeError at shutdown
-+        devnull = os.open(os.devnull, os.O_WRONLY)
-+        os.dup2(devnull, sys.stdout.fileno())
-+        sys.exit(1)
-     except IOError as e:
-         sys.stderr.write("%s: %s\n" % (e.__class__.__name__, str(e)))
-         sys.exit(1)
--- 
-2.29.2
-

SOURCES/0034-python-semanage-Sort-imports-in-alphabetical-order.patch

@@ -1,41 +0,0 @@
-From 4b0e627d42f9a8e09dcd064a6ae897f4c2e9cf6c Mon Sep 17 00:00:00 2001
-From: Vit Mojzis <vmojzis@redhat.com>
-Date: Wed, 6 Jan 2021 10:00:07 +0100
-Subject: [PATCH] python/semanage: Sort imports in alphabetical order
-
-Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
----
- python/semanage/semanage | 8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/python/semanage/semanage b/python/semanage/semanage
-index 1abe3536..781e8645 100644
---- a/python/semanage/semanage
-+++ b/python/semanage/semanage
-@@ -23,10 +23,12 @@
- #
- #
- 
--import traceback
- import argparse
--import sys
- import os
-+import re
-+import sys
-+import traceback
-+
- PROGNAME = "selinux-python"
- try:
-     import gettext
-@@ -786,8 +788,6 @@ def setupExportParser(subparsers):
-     exportParser.add_argument('-f', '--output_file', dest='output_file', action=SetExportFile, help=_('Output file'))
-     exportParser.set_defaults(func=handleExport)
- 
--import re
--
- 
- def mkargv(line):
-     dquote = "\""
--- 
-2.29.2
-

SOURCES/0035-python-sepolgen-allow-any-policy-statement-in-if-n-d.patch

@@ -1,49 +0,0 @@
-From e0a1cdb6181bcf3a23fe63b8e67fd5020e81d05e Mon Sep 17 00:00:00 2001
-From: Vit Mojzis <vmojzis@redhat.com>
-Date: Fri, 22 Jan 2021 16:25:52 +0100
-Subject: [PATCH] python/sepolgen: allow any policy statement in if(n)def
-
-"ifdef/ifndef" statements can be used to conditionally define
-an interface, but this syntax is not recognised by sepolgen-ifgen.
-Fix sepolgen-ifgen to allow any policy statement inside an
-"ifdef/ifndef" statement.
-
-Fixes:
-        $ cat <<EOF > i.if
-ifndef(`apache_manage_pid_files',`
-        interface(`apache_manage_pid_files',`
-                manage_files_pattern($1, httpd_var_run_t, httpd_var_run_t)
-        ')
-')
-
-        #sepolgen-ifgen --interface=i.if
-        i.if: Syntax error on line 2 interface [type=INTERFACE]
-        i.if: Syntax error on line 4 ' [type=SQUOTE]
-
-Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
-[OM: s/fidef/ifdef/]
-Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
----
- python/sepolgen/src/sepolgen/refparser.py | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/python/sepolgen/src/sepolgen/refparser.py b/python/sepolgen/src/sepolgen/refparser.py
-index f506dc3a..5d77e2a3 100644
---- a/python/sepolgen/src/sepolgen/refparser.py
-+++ b/python/sepolgen/src/sepolgen/refparser.py
-@@ -431,9 +431,9 @@ def p_ifelse(p):
- 
- 
- def p_ifdef(p):
--    '''ifdef : IFDEF OPAREN TICK IDENTIFIER SQUOTE COMMA TICK interface_stmts SQUOTE CPAREN optional_semi
--             | IFNDEF OPAREN TICK IDENTIFIER SQUOTE COMMA TICK interface_stmts SQUOTE CPAREN optional_semi
--             | IFDEF OPAREN TICK IDENTIFIER SQUOTE COMMA TICK interface_stmts SQUOTE COMMA TICK interface_stmts SQUOTE CPAREN optional_semi
-+    '''ifdef : IFDEF OPAREN TICK IDENTIFIER SQUOTE COMMA TICK statements SQUOTE CPAREN optional_semi
-+             | IFNDEF OPAREN TICK IDENTIFIER SQUOTE COMMA TICK statements SQUOTE CPAREN optional_semi
-+             | IFDEF OPAREN TICK IDENTIFIER SQUOTE COMMA TICK statements SQUOTE COMMA TICK statements SQUOTE CPAREN optional_semi
-     '''
-     x = refpolicy.IfDef(p[4])
-     if p[1] == 'ifdef':
--- 
-2.29.2
-

SOURCES/0036-setfiles-Do-not-abort-on-labeling-error.patch

@@ -1,68 +0,0 @@
-From 53ccdd55adfbec60fb4277286f2ad94660838504 Mon Sep 17 00:00:00 2001
-From: Petr Lautrbach <plautrba@redhat.com>
-Date: Wed, 13 Jan 2021 22:09:47 +0100
-Subject: [PATCH] setfiles: Do not abort on labeling error
-
-Commit 602347c7422e ("policycoreutils: setfiles - Modify to use
-selinux_restorecon") changed behavior of setfiles. Original
-implementation skipped files which it couldn't set context to while the
-new implementation aborts on them. setfiles should abort only if it
-can't validate a context from spec_file.
-
-Reproducer:
-
-    # mkdir -p r/1 r/2 r/3
-    # touch r/1/1 r/2/1
-    # chattr +i r/2/1
-    # touch r/3/1
-    # setfiles -r r -v /etc/selinux/targeted/contexts/files/file_contexts r
-    Relabeled r from unconfined_u:object_r:mnt_t:s0 to unconfined_u:object_r:root_t:s0
-    Relabeled r/2 from unconfined_u:object_r:mnt_t:s0 to unconfined_u:object_r:default_t:s0
-    setfiles: Could not set context for r/2/1:  Operation not permitted
-
-r/3 and r/1 are not relabeled.
-
-Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
----
- policycoreutils/setfiles/setfiles.c | 4 +---
- 1 file changed, 1 insertion(+), 3 deletions(-)
-
-diff --git a/policycoreutils/setfiles/setfiles.c b/policycoreutils/setfiles/setfiles.c
-index bc83c27b4c06..68eab45aa2b4 100644
---- a/policycoreutils/setfiles/setfiles.c
-+++ b/policycoreutils/setfiles/setfiles.c
-@@ -182,6 +182,7 @@ int main(int argc, char **argv)
- 	policyfile = NULL;
- 	nerr = 0;
- 
-+	r_opts.abort_on_error = 0;
- 	r_opts.progname = strdup(argv[0]);
- 	if (!r_opts.progname) {
- 		fprintf(stderr, "%s:  Out of memory!\n", argv[0]);
-@@ -194,7 +195,6 @@ int main(int argc, char **argv)
- 		 * setfiles:
- 		 * Recursive descent,
- 		 * Does not expand paths via realpath,
--		 * Aborts on errors during the file tree walk,
- 		 * Try to track inode associations for conflict detection,
- 		 * Does not follow mounts (sets SELINUX_RESTORECON_XDEV),
- 		 * Validates all file contexts at init time.
-@@ -202,7 +202,6 @@ int main(int argc, char **argv)
- 		iamrestorecon = 0;
- 		r_opts.recurse = SELINUX_RESTORECON_RECURSE;
- 		r_opts.userealpath = 0; /* SELINUX_RESTORECON_REALPATH */
--		r_opts.abort_on_error = SELINUX_RESTORECON_ABORT_ON_ERROR;
- 		r_opts.add_assoc = SELINUX_RESTORECON_ADD_ASSOC;
- 		/* FTS_PHYSICAL and FTS_NOCHDIR are always set by selinux_restorecon(3) */
- 		r_opts.xdev = SELINUX_RESTORECON_XDEV;
-@@ -226,7 +225,6 @@ int main(int argc, char **argv)
- 		iamrestorecon = 1;
- 		r_opts.recurse = 0;
- 		r_opts.userealpath = SELINUX_RESTORECON_REALPATH;
--		r_opts.abort_on_error = 0;
- 		r_opts.add_assoc = 0;
- 		r_opts.xdev = 0;
- 		r_opts.ignore_mounts = 0;
--- 
-2.30.0
-

SOURCES/0037-setfiles-drop-ABORT_ON_ERRORS-and-related-code.patch

@@ -1,110 +0,0 @@
-From 2f135022f4372dc34198c48cfd67b91044e6dfd7 Mon Sep 17 00:00:00 2001
-From: Petr Lautrbach <plautrba@redhat.com>
-Date: Wed, 13 Jan 2021 22:09:48 +0100
-Subject: [PATCH] setfiles: drop ABORT_ON_ERRORS and related code
-
-`setfiles -d` doesn't have any impact on number of errors before it
-aborts. It always aborts on first invalid context in spec file.
-
-Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
----
- policycoreutils/setfiles/Makefile      |  3 ---
- policycoreutils/setfiles/ru/setfiles.8 |  2 +-
- policycoreutils/setfiles/setfiles.8    |  3 +--
- policycoreutils/setfiles/setfiles.c    | 18 ------------------
- 4 files changed, 2 insertions(+), 24 deletions(-)
-
-diff --git a/policycoreutils/setfiles/Makefile b/policycoreutils/setfiles/Makefile
-index bc5a8db789a5..a3bbbe116b7f 100644
---- a/policycoreutils/setfiles/Makefile
-+++ b/policycoreutils/setfiles/Makefile
-@@ -5,8 +5,6 @@ SBINDIR ?= /sbin
- MANDIR = $(PREFIX)/share/man
- AUDITH ?= $(shell test -f /usr/include/libaudit.h && echo y)
- 
--ABORT_ON_ERRORS=$(shell grep "^\#define ABORT_ON_ERRORS" setfiles.c | awk -S '{ print $$3 }')
--
- CFLAGS ?= -g -Werror -Wall -W
- override LDLIBS += -lselinux -lsepol
- 
-@@ -26,7 +24,6 @@ restorecon_xattr: restorecon_xattr.o restore.o
- 
- man:
- 	@cp -af setfiles.8 setfiles.8.man
--	@sed -i "s/ABORT_ON_ERRORS/$(ABORT_ON_ERRORS)/g" setfiles.8.man
- 
- install: all
- 	[ -d $(DESTDIR)$(MANDIR)/man8 ] || mkdir -p $(DESTDIR)$(MANDIR)/man8
-diff --git a/policycoreutils/setfiles/ru/setfiles.8 b/policycoreutils/setfiles/ru/setfiles.8
-index 27815a3f1eee..910101452625 100644
---- a/policycoreutils/setfiles/ru/setfiles.8
-+++ b/policycoreutils/setfiles/ru/setfiles.8
-@@ -47,7 +47,7 @@ setfiles \- установить SELinux-контексты безопаснос
- проверить действительность контекстов относительно указанной двоичной политики.
- .TP
- .B \-d
--показать, какая спецификация соответствует каждому из файлов (не прекращать проверку после получения ошибок ABORT_ON_ERRORS).
-+показать, какая спецификация соответствует каждому из файлов.
- .TP
- .BI \-e \ directory
- исключить каталог (чтобы исключить более одного каталога, этот параметр необходимо использовать соответствующее количество раз).
-diff --git a/policycoreutils/setfiles/setfiles.8 b/policycoreutils/setfiles/setfiles.8
-index a8a76c860dac..b7d3cefb96ff 100644
---- a/policycoreutils/setfiles/setfiles.8
-+++ b/policycoreutils/setfiles/setfiles.8
-@@ -56,8 +56,7 @@ option will force a replacement of the entire context.
- check the validity of the contexts against the specified binary policy.
- .TP
- .B \-d
--show what specification matched each file (do not abort validation
--after ABORT_ON_ERRORS errors). Not affected by "\-q"
-+show what specification matched each file. Not affected by "\-q"
- .TP
- .BI \-e \ directory
- directory to exclude (repeat option for more than one directory).
-diff --git a/policycoreutils/setfiles/setfiles.c b/policycoreutils/setfiles/setfiles.c
-index 68eab45aa2b4..bcbdfbfe53e2 100644
---- a/policycoreutils/setfiles/setfiles.c
-+++ b/policycoreutils/setfiles/setfiles.c
-@@ -23,14 +23,6 @@ static int nerr;
- 
- #define STAT_BLOCK_SIZE 1
- 
--/* setfiles will abort its operation after reaching the
-- * following number of errors (e.g. invalid contexts),
-- * unless it is used in "debug" mode (-d option).
-- */
--#ifndef ABORT_ON_ERRORS
--#define ABORT_ON_ERRORS	10
--#endif
--
- #define SETFILES "setfiles"
- #define RESTORECON "restorecon"
- static int iamrestorecon;
-@@ -57,15 +49,6 @@ static __attribute__((__noreturn__)) void usage(const char *const name)
- 	exit(-1);
- }
- 
--void inc_err(void)
--{
--	nerr++;
--	if (nerr > ABORT_ON_ERRORS - 1 && !r_opts.debug) {
--		fprintf(stderr, "Exiting after %d errors.\n", ABORT_ON_ERRORS);
--		exit(-1);
--	}
--}
--
- void set_rootpath(const char *arg)
- {
- 	if (strlen(arg) == 1 && strncmp(arg, "/", 1) == 0) {
-@@ -98,7 +81,6 @@ int canoncon(char **contextp)
- 		*contextp = tmpcon;
- 	} else if (errno != ENOENT) {
- 		rc = -1;
--		inc_err();
- 	}
- 
- 	return rc;
--- 
-2.30.0
-

SOURCES/0038-policycoreutils-setfiles-Drop-unused-nerr-variable.patch

@@ -1,44 +0,0 @@
-From a691da617a2d3c864786ff2742d9a9f87ecc7d05 Mon Sep 17 00:00:00 2001
-From: Petr Lautrbach <plautrba@redhat.com>
-Date: Mon, 1 Feb 2021 15:24:32 +0100
-Subject: [PATCH] policycoreutils/setfiles: Drop unused nerr variable
-
-Suggested-by: Nicolas Iooss <nicolas.iooss@m4x.org>
-Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
----
- policycoreutils/setfiles/setfiles.c | 5 -----
- 1 file changed, 5 deletions(-)
-
-diff --git a/policycoreutils/setfiles/setfiles.c b/policycoreutils/setfiles/setfiles.c
-index bcbdfbfe53e2..82d0aaa75893 100644
---- a/policycoreutils/setfiles/setfiles.c
-+++ b/policycoreutils/setfiles/setfiles.c
-@@ -19,7 +19,6 @@ static int warn_no_match;
- static int null_terminated;
- static int request_digest;
- static struct restore_opts r_opts;
--static int nerr;
- 
- #define STAT_BLOCK_SIZE 1
- 
-@@ -162,7 +161,6 @@ int main(int argc, char **argv)
- 	warn_no_match = 0;
- 	request_digest = 0;
- 	policyfile = NULL;
--	nerr = 0;
- 
- 	r_opts.abort_on_error = 0;
- 	r_opts.progname = strdup(argv[0]);
-@@ -417,9 +415,6 @@ int main(int argc, char **argv)
- 	r_opts.selabel_opt_digest = (request_digest ? (char *)1 : NULL);
- 	r_opts.selabel_opt_path = altpath;
- 
--	if (nerr)
--		exit(-1);
--
- 	restore_init(&r_opts);
- 
- 	if (use_input_file) {
--- 
-2.30.0
-

SOURCES/0039-selinux-8-5-Describe-fcontext-regular-expressions.patch

@@ -1,62 +0,0 @@
-From c556c6ad0b94cf3ba4b441a1a0930f2468434227 Mon Sep 17 00:00:00 2001
-From: Vit Mojzis <vmojzis@redhat.com>
-Date: Wed, 10 Feb 2021 18:05:29 +0100
-Subject: [PATCH] selinux(8,5): Describe fcontext regular expressions
-
-Describe which type of regular expression is used in file context
-definitions and which flags are in effect.
-
-Explain how local file context modifications are processed.
-
-Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
-Acked-by: Petr Lautrbach <plautrba@redhat.com>
----
- python/semanage/semanage            |  2 +-
- python/semanage/semanage-fcontext.8 | 18 ++++++++++++++++++
- 2 files changed, 19 insertions(+), 1 deletion(-)
-
-diff --git a/python/semanage/semanage b/python/semanage/semanage
-index 781e8645..ebb93ea5 100644
---- a/python/semanage/semanage
-+++ b/python/semanage/semanage
-@@ -366,7 +366,7 @@ If you do not specify a file type, the file type will default to "all files".
-     parser_add_seuser(fcontextParser, "fcontext")
-     parser_add_type(fcontextParser, "fcontext")
-     parser_add_range(fcontextParser, "fcontext")
--    fcontextParser.add_argument('file_spec', nargs='?', default=None, help=_('file_spec'))
-+    fcontextParser.add_argument('file_spec', nargs='?', default=None, help=_('Path to be labeled (may be in the form of a Perl compatible regular expression)'))
-     fcontextParser.set_defaults(func=handleFcontext)
- 
- 
-diff --git a/python/semanage/semanage-fcontext.8 b/python/semanage/semanage-fcontext.8
-index 561123af..49635ba7 100644
---- a/python/semanage/semanage-fcontext.8
-+++ b/python/semanage/semanage-fcontext.8
-@@ -11,6 +11,24 @@ SELinux policy without requiring modification to or recompilation
- from policy sources.  semanage fcontext is used to  manage the default
- file system labeling on an SELinux system.  This command maps file paths using regular expressions to SELinux labels.
- 
-+FILE_SPEC may contain either a fully qualified path,
-+or a Perl compatible regular expression (PCRE),
-+describing fully qualified path(s). The only PCRE flag in use is PCRE2_DOTALL,
-+which causes a wildcard '.' to match anything, including a new line.
-+Strings representing paths are processed as bytes (as opposed to Unicode),
-+meaning that non-ASCII characters are not matched by a single wildcard.
-+
-+Note, that file context definitions specified using 'semanage fcontext'
-+(i.e. local file context modifications stored in file_contexts.local)
-+have higher priority than those specified in policy modules.
-+This means that whenever a match for given file path is found in
-+file_contexts.local, no other file context definitions are considered.
-+Entries in file_contexts.local are processed from most recent one to the oldest,
-+with first match being used (as opposed to the most specific match,
-+which is used when matching other file context definitions).
-+All regular expressions should therefore be as specific as possible,
-+to avoid unintentionally impacting other parts of the filesystem.
-+
- .SH "OPTIONS"
- .TP
- .I  \-h, \-\-help
--- 
-2.29.2
-

SOURCES/0040-policycoreutils-setfiles-do-not-restrict-checks-agai.patch

@@ -1,69 +0,0 @@
-From d10e773c014a12b17fefd9caef0bd02528d75d18 Mon Sep 17 00:00:00 2001
-From: Antoine Tenart <antoine.tenart@bootlin.com>
-Date: Tue, 7 Jul 2020 16:35:01 +0200
-Subject: [PATCH] policycoreutils: setfiles: do not restrict checks against a
- binary policy
-
-The -c option allows to check the validity of contexts against a
-specified binary policy. Its use is restricted: no pathname can be used
-when a binary policy is given to setfiles. It's not clear if this is
-intentional as the built-in help and the man page are not stating the
-same thing about this (the man page document -c as a normal option,
-while the built-in help shows it is restricted).
-
-When generating full system images later used with SELinux in enforcing
-mode, the extended attributed of files have to be set by the build
-machine. The issue is setfiles always checks the contexts against a
-policy (ctx_validate = 1) and using an external binary policy is not
-currently possible when using a pathname. This ends up in setfiles
-failing early as the contexts of the target image are not always
-compatible with the ones of the build machine.
-
-This patch reworks a check on optind only made when -c is used, that
-enforced the use of a single argument to allow 1+ arguments, allowing to
-use setfiles with an external binary policy and pathnames. The following
-command is then allowed, as already documented in the man page:
-
-  $ setfiles -m -r target/ -c policy.32 file_contexts target/
-
-Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
-Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
-
-(cherry-picked from SElinuxProject
- commit: c94e542c98da2f26863c1cbd9d7ad9bc5cca6aff )
----
- policycoreutils/setfiles/setfiles.c | 11 +++++------
- 1 file changed, 5 insertions(+), 6 deletions(-)
-
-diff --git a/policycoreutils/setfiles/setfiles.c b/policycoreutils/setfiles/setfiles.c
-index 82d0aaa7..4fd3d756 100644
---- a/policycoreutils/setfiles/setfiles.c
-+++ b/policycoreutils/setfiles/setfiles.c
-@@ -39,11 +39,10 @@ static __attribute__((__noreturn__)) void usage(const char *const name)
- 			name, name);
- 	} else {
- 		fprintf(stderr,
--			"usage:  %s [-diIDlmnpqvFW] [-e excludedir] [-r alt_root_path] spec_file pathname...\n"
--			"usage:  %s [-diIDlmnpqvFW] [-e excludedir] [-r alt_root_path] spec_file -f filename\n"
--			"usage:  %s -s [-diIDlmnpqvFW] spec_file\n"
--			"usage:  %s -c policyfile spec_file\n",
--			name, name, name, name);
-+			"usage:  %s [-diIDlmnpqvEFW] [-e excludedir] [-r alt_root_path] [-c policyfile] spec_file pathname...\n"
-+			"usage:  %s [-diIDlmnpqvEFW] [-e excludedir] [-r alt_root_path] [-c policyfile] spec_file -f filename\n"
-+			"usage:  %s -s [-diIDlmnpqvFW] spec_file\n",
-+			name, name, name);
- 	}
- 	exit(-1);
- }
-@@ -376,7 +375,7 @@ int main(int argc, char **argv)
- 
- 	if (!iamrestorecon) {
- 		if (policyfile) {
--			if (optind != (argc - 1))
-+			if (optind > (argc - 1))
- 				usage(argv[0]);
- 		} else if (use_input_file) {
- 			if (optind != (argc - 1)) {
--- 
-2.30.2
-

SOURCES/0041-semodule-add-m-checksum-option.patch

@@ -1,674 +0,0 @@
-From e748832819b781507903838483376d308c90ca79 Mon Sep 17 00:00:00 2001
-From: Petr Lautrbach <plautrba@redhat.com>
-Date: Tue, 16 Nov 2021 14:27:11 +0100
-Subject: [PATCH] semodule: add -m | --checksum option
-
-Since cil doesn't store module name and module version in module itself,
-there's no simple way how to compare that installed module is the same
-version as the module which is supposed to be installed. Even though the
-version was not used by semodule itself, it was apparently used by some
-team.
-
-With `semodule -l --checksum` users get SHA256 hashes of modules and
-could compare them with their files which is faster than installing
-modules again and again.
-
-E.g.
-
-    # time (
-    semodule -l --checksum | grep localmodule
-    /usr/libexec/selinux/hll/pp localmodule.pp | sha256sum
-    )
-    localmodule db002f64ddfa3983257b42b54da7b182c9b2e476f47880ae3494f9099e1a42bd
-    db002f64ddfa3983257b42b54da7b182c9b2e476f47880ae3494f9099e1a42bd  -
-
-    real    0m0.876s
-    user    0m0.849s
-    sys     0m0.028s
-
-vs
-
-    # time semodule -i localmodule.pp
-
-    real    0m6.147s
-    user    0m5.800s
-    sys     0m0.231s
-
-Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
-Acked-by: James Carter <jwcart2@gmail.com>
----
- policycoreutils/semodule/Makefile   |   2 +-
- policycoreutils/semodule/semodule.8 |   6 +
- policycoreutils/semodule/semodule.c |  95 ++++++++-
- policycoreutils/semodule/sha256.c   | 294 ++++++++++++++++++++++++++++
- policycoreutils/semodule/sha256.h   |  89 +++++++++
- 5 files changed, 480 insertions(+), 6 deletions(-)
- create mode 100644 policycoreutils/semodule/sha256.c
- create mode 100644 policycoreutils/semodule/sha256.h
-
-diff --git a/policycoreutils/semodule/Makefile b/policycoreutils/semodule/Makefile
-index 73801e487a76..9875ac383280 100644
---- a/policycoreutils/semodule/Makefile
-+++ b/policycoreutils/semodule/Makefile
-@@ -6,7 +6,7 @@ MANDIR = $(PREFIX)/share/man
- 
- CFLAGS ?= -Werror -Wall -W
- override LDLIBS += -lsepol -lselinux -lsemanage
--SEMODULE_OBJS = semodule.o
-+SEMODULE_OBJS = semodule.o sha256.o
- 
- all: semodule genhomedircon
- 
-diff --git a/policycoreutils/semodule/semodule.8 b/policycoreutils/semodule/semodule.8
-index 18d4f708661c..3a2fb21c2481 100644
---- a/policycoreutils/semodule/semodule.8
-+++ b/policycoreutils/semodule/semodule.8
-@@ -95,6 +95,9 @@ only modules listed in \-\-extract after this option.
- .B  \-H,\-\-hll
- Extract module as an HLL file. This only affects the \-\-extract option and
- only modules listed in \-\-extract after this option.
-+.TP
-+.B  \-m,\-\-checksum
-+Add SHA256 checksum of modules to the list output.
- 
- .SH EXAMPLE
- .nf
-@@ -130,6 +133,9 @@ $ semodule \-B \-S "/tmp/var/lib/selinux"
- # Write the HLL version of puppet and the CIL version of wireshark
- # modules at priority 400 to the current working directory
- $ semodule \-X 400 \-\-hll \-E puppet \-\-cil \-E wireshark
-+# Check whether a module in "localmodule.pp" file is same as installed module "localmodule"
-+$ /usr/libexec/selinux/hll/pp localmodule.pp | sha256sum
-+$ semodule -l -m | grep localmodule
- .fi
- 
- .SH SEE ALSO
-diff --git a/policycoreutils/semodule/semodule.c b/policycoreutils/semodule/semodule.c
-index a76797f505cd..300a97d735cc 100644
---- a/policycoreutils/semodule/semodule.c
-+++ b/policycoreutils/semodule/semodule.c
-@@ -24,6 +24,8 @@
- 
- #include <semanage/modules.h>
- 
-+#include "sha256.h"
-+
- enum client_modes {
- 	NO_MODE, INSTALL_M, REMOVE_M, EXTRACT_M, CIL_M, HLL_M,
- 	LIST_M, RELOAD, PRIORITY_M, ENABLE_M, DISABLE_M
-@@ -56,6 +58,7 @@ static semanage_handle_t *sh = NULL;
- static char *store;
- static char *store_root;
- int extract_cil = 0;
-+static int checksum = 0;
- 
- extern char *optarg;
- extern int optind;
-@@ -146,6 +149,7 @@ static void usage(char *progname)
- 	printf("  -S,--store-path  use an alternate path for the policy store root\n");
- 	printf("  -c, --cil extract module as cil. This only affects module extraction.\n");
- 	printf("  -H, --hll extract module as hll. This only affects module extraction.\n");
-+	printf("  -m, --checksum   print module checksum (SHA256).\n");
- }
- 
- /* Sets the global mode variable to new_mode, but only if no other
-@@ -199,6 +203,7 @@ static void parse_command_line(int argc, char **argv)
- 		{"disable", required_argument, NULL, 'd'},
- 		{"path", required_argument, NULL, 'p'},
- 		{"store-path", required_argument, NULL, 'S'},
-+		{"checksum", 0, NULL, 'm'},
- 		{NULL, 0, NULL, 0}
- 	};
- 	int extract_selected = 0;
-@@ -209,7 +214,7 @@ static void parse_command_line(int argc, char **argv)
- 	no_reload = 0;
- 	priority = 400;
- 	while ((i =
--		getopt_long(argc, argv, "s:b:hi:l::vr:u:RnNBDCPX:e:d:p:S:E:cH", opts,
-+		getopt_long(argc, argv, "s:b:hi:l::vr:u:RnNBDCPX:e:d:p:S:E:cHm", opts,
- 			    NULL)) != -1) {
- 		switch (i) {
- 		case 'b':
-@@ -286,6 +291,9 @@ static void parse_command_line(int argc, char **argv)
- 		case 'd':
- 			set_mode(DISABLE_M, optarg);
- 			break;
-+		case 'm':
-+			checksum = 1;
-+			break;
- 		case '?':
- 		default:{
- 				usage(argv[0]);
-@@ -337,6 +345,61 @@ static void parse_command_line(int argc, char **argv)
- 	}
- }
- 
-+/* Get module checksum */
-+static char *hash_module_data(const char *module_name, const int prio) {
-+	semanage_module_info_t *extract_info = NULL;
-+	semanage_module_key_t *modkey = NULL;
-+	Sha256Context context;
-+	uint8_t sha256_hash[SHA256_HASH_SIZE];
-+	char *sha256_buf = NULL;
-+	void *data;
-+	size_t data_len = 0, i;
-+	int result;
-+
-+	result = semanage_module_key_create(sh, &modkey);
-+	if (result != 0) {
-+		goto cleanup_extract;
-+	}
-+
-+	result = semanage_module_key_set_name(sh, modkey, module_name);
-+	if (result != 0) {
-+		goto cleanup_extract;
-+	}
-+
-+	result = semanage_module_key_set_priority(sh, modkey, prio);
-+	if (result != 0) {
-+		goto cleanup_extract;
-+	}
-+
-+	result = semanage_module_extract(sh, modkey, 1, &data, &data_len,
-+									 &extract_info);
-+	if (result != 0) {
-+		goto cleanup_extract;
-+	}
-+
-+	Sha256Initialise(&context);
-+	Sha256Update(&context, data, data_len);
-+
-+	Sha256Finalise(&context, (SHA256_HASH *)sha256_hash);
-+
-+	sha256_buf = calloc(1, SHA256_HASH_SIZE * 2 + 1);
-+
-+	if (sha256_buf == NULL)
-+		goto cleanup_extract;
-+
-+	for (i = 0; i < SHA256_HASH_SIZE; i++) {
-+		sprintf((&sha256_buf[i * 2]), "%02x", sha256_hash[i]);
-+	}
-+	sha256_buf[i * 2] = 0;
-+
-+cleanup_extract:
-+	semanage_module_info_destroy(sh, extract_info);
-+	free(extract_info);
-+	semanage_module_key_destroy(sh, modkey);
-+	free(modkey);
-+	return sha256_buf;
-+}
-+
- int main(int argc, char *argv[])
- {
- 	int i, commit = 0;
-@@ -544,6 +607,8 @@ cleanup_extract:
- 				int modinfos_len = 0;
- 				semanage_module_info_t *m = NULL;
- 				int j = 0;
-+				char *module_checksum = NULL;
-+				uint16_t pri = 0;
- 
- 				if (verbose) {
- 					printf
-@@ -568,7 +633,18 @@ cleanup_extract:
- 						result = semanage_module_info_get_name(sh, m, &name);
- 						if (result != 0) goto cleanup_list;
- 
--						printf("%s\n", name);
-+						result = semanage_module_info_get_priority(sh, m, &pri);
-+						if (result != 0) goto cleanup_list;
-+
-+						printf("%s", name);
-+						if (checksum) {
-+							module_checksum = hash_module_data(name, pri);
-+							if (module_checksum) {
-+								printf(" %s", module_checksum);
-+								free(module_checksum);
-+							}
-+						}
-+						printf("\n");
- 					}
- 				}
- 				else if (strcmp(mode_arg, "full") == 0) {
-@@ -583,11 +659,12 @@ cleanup_extract:
- 					}
- 
- 					/* calculate column widths */
--					size_t column[4] = { 0, 0, 0, 0 };
-+					size_t column[5] = { 0, 0, 0, 0, 0 };
- 
- 					/* fixed width columns */
- 					column[0] = sizeof("000") - 1;
- 					column[3] = sizeof("disabled") - 1;
-+					column[4] = 64; /* SHA256_HASH_SIZE * 2 */
- 
- 					/* variable width columns */
- 					const char *tmp = NULL;
-@@ -610,7 +687,6 @@ cleanup_extract:
- 
- 					/* print out each module */
- 					for (j = 0; j < modinfos_len; j++) {
--						uint16_t pri = 0;
- 						const char *name = NULL;
- 						int enabled = 0;
- 						const char *lang_ext = NULL;
-@@ -629,11 +705,20 @@ cleanup_extract:
- 						result = semanage_module_info_get_lang_ext(sh, m, &lang_ext);
- 						if (result != 0) goto cleanup_list;
- 
--						printf("%0*u %-*s %-*s %-*s\n",
-+						printf("%0*u %-*s %-*s %-*s",
- 							(int)column[0], pri,
- 							(int)column[1], name,
- 							(int)column[2], lang_ext,
- 							(int)column[3], enabled ? "" : "disabled");
-+						if (checksum) {
-+							module_checksum = hash_module_data(name, pri);
-+							if (module_checksum) {
-+								printf(" %-*s", (int)column[4], module_checksum);
-+								free(module_checksum);
-+							}
-+						}
-+						printf("\n");
-+
- 					}
- 				}
- 				else {
-diff --git a/policycoreutils/semodule/sha256.c b/policycoreutils/semodule/sha256.c
-new file mode 100644
-index 000000000000..fe2aeef07f53
---- /dev/null
-+++ b/policycoreutils/semodule/sha256.c
-@@ -0,0 +1,294 @@
-+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-+//  WjCryptLib_Sha256
-+//
-+//  Implementation of SHA256 hash function.
-+//  Original author: Tom St Denis, tomstdenis@gmail.com, http://libtom.org
-+//  Modified by WaterJuice retaining Public Domain license.
-+//
-+//  This is free and unencumbered software released into the public domain - June 2013 waterjuice.org
-+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-+
-+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-+//  IMPORTS
-+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-+
-+#include "sha256.h"
-+#include <memory.h>
-+
-+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-+//  MACROS
-+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-+
-+#define ror(value, bits) (((value) >> (bits)) | ((value) << (32 - (bits))))
-+
-+#define MIN(x, y) ( ((x)<(y))?(x):(y) )
-+
-+#define STORE32H(x, y)                                                                     \
-+     { (y)[0] = (uint8_t)(((x)>>24)&255); (y)[1] = (uint8_t)(((x)>>16)&255);   \
-+       (y)[2] = (uint8_t)(((x)>>8)&255); (y)[3] = (uint8_t)((x)&255); }
-+
-+#define LOAD32H(x, y)                            \
-+     { x = ((uint32_t)((y)[0] & 255)<<24) | \
-+           ((uint32_t)((y)[1] & 255)<<16) | \
-+           ((uint32_t)((y)[2] & 255)<<8)  | \
-+           ((uint32_t)((y)[3] & 255)); }
-+
-+#define STORE64H(x, y)                                                                     \
-+   { (y)[0] = (uint8_t)(((x)>>56)&255); (y)[1] = (uint8_t)(((x)>>48)&255);     \
-+     (y)[2] = (uint8_t)(((x)>>40)&255); (y)[3] = (uint8_t)(((x)>>32)&255);     \
-+     (y)[4] = (uint8_t)(((x)>>24)&255); (y)[5] = (uint8_t)(((x)>>16)&255);     \
-+     (y)[6] = (uint8_t)(((x)>>8)&255); (y)[7] = (uint8_t)((x)&255); }
-+
-+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-+//  CONSTANTS
-+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-+
-+// The K array
-+static const uint32_t K[64] = {
-+    0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL, 0x3956c25bUL,
-+    0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL, 0xd807aa98UL, 0x12835b01UL,
-+    0x243185beUL, 0x550c7dc3UL, 0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL,
-+    0xc19bf174UL, 0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL,
-+    0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL, 0x983e5152UL,
-+    0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL, 0xc6e00bf3UL, 0xd5a79147UL,
-+    0x06ca6351UL, 0x14292967UL, 0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL,
-+    0x53380d13UL, 0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL,
-+    0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL, 0xd192e819UL,
-+    0xd6990624UL, 0xf40e3585UL, 0x106aa070UL, 0x19a4c116UL, 0x1e376c08UL,
-+    0x2748774cUL, 0x34b0bcb5UL, 0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL,
-+    0x682e6ff3UL, 0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL,
-+    0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL
-+};
-+
-+#define BLOCK_SIZE          64
-+
-+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-+//  INTERNAL FUNCTIONS
-+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-+
-+// Various logical functions
-+#define Ch( x, y, z )     (z ^ (x & (y ^ z)))
-+#define Maj( x, y, z )    (((x | y) & z) | (x & y))
-+#define S( x, n )         ror((x),(n))
-+#define R( x, n )         (((x)&0xFFFFFFFFUL)>>(n))
-+#define Sigma0( x )       (S(x, 2) ^ S(x, 13) ^ S(x, 22))
-+#define Sigma1( x )       (S(x, 6) ^ S(x, 11) ^ S(x, 25))
-+#define Gamma0( x )       (S(x, 7) ^ S(x, 18) ^ R(x, 3))
-+#define Gamma1( x )       (S(x, 17) ^ S(x, 19) ^ R(x, 10))
-+
-+#define Sha256Round( a, b, c, d, e, f, g, h, i )       \
-+     t0 = h + Sigma1(e) + Ch(e, f, g) + K[i] + W[i];   \
-+     t1 = Sigma0(a) + Maj(a, b, c);                    \
-+     d += t0;                                          \
-+     h  = t0 + t1;
-+
-+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-+//  TransformFunction
-+//
-+//  Compress 512-bits
-+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-+static
-+void
-+    TransformFunction
-+    (
-+        Sha256Context*      Context,
-+        uint8_t const*      Buffer
-+    )
-+{
-+    uint32_t    S[8];
-+    uint32_t    W[64];
-+    uint32_t    t0;
-+    uint32_t    t1;
-+    uint32_t    t;
-+    int         i;
-+
-+    // Copy state into S
-+    for( i=0; i<8; i++ )
-+    {
-+        S[i] = Context->state[i];
-+    }
-+
-+    // Copy the state into 512-bits into W[0..15]
-+    for( i=0; i<16; i++ )
-+    {
-+        LOAD32H( W[i], Buffer + (4*i) );
-+    }
-+
-+    // Fill W[16..63]
-+    for( i=16; i<64; i++ )
-+    {
-+        W[i] = Gamma1( W[i-2]) + W[i-7] + Gamma0( W[i-15] ) + W[i-16];
-+    }
-+
-+    // Compress
-+    for( i=0; i<64; i++ )
-+    {
-+        Sha256Round( S[0], S[1], S[2], S[3], S[4], S[5], S[6], S[7], i );
-+        t = S[7];
-+        S[7] = S[6];
-+        S[6] = S[5];
-+        S[5] = S[4];
-+        S[4] = S[3];
-+        S[3] = S[2];
-+        S[2] = S[1];
-+        S[1] = S[0];
-+        S[0] = t;
-+    }
-+
-+    // Feedback
-+    for( i=0; i<8; i++ )
-+    {
-+        Context->state[i] = Context->state[i] + S[i];
-+    }
-+}
-+
-+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-+//  PUBLIC FUNCTIONS
-+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-+
-+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-+//  Sha256Initialise
-+//
-+//  Initialises a SHA256 Context. Use this to initialise/reset a context.
-+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-+void
-+    Sha256Initialise
-+    (
-+        Sha256Context*      Context         // [out]
-+    )
-+{
-+    Context->curlen = 0;
-+    Context->length = 0;
-+    Context->state[0] = 0x6A09E667UL;
-+    Context->state[1] = 0xBB67AE85UL;
-+    Context->state[2] = 0x3C6EF372UL;
-+    Context->state[3] = 0xA54FF53AUL;
-+    Context->state[4] = 0x510E527FUL;
-+    Context->state[5] = 0x9B05688CUL;
-+    Context->state[6] = 0x1F83D9ABUL;
-+    Context->state[7] = 0x5BE0CD19UL;
-+}
-+
-+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-+//  Sha256Update
-+//
-+//  Adds data to the SHA256 context. This will process the data and update the internal state of the context. Keep on
-+//  calling this function until all the data has been added. Then call Sha256Finalise to calculate the hash.
-+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-+void
-+    Sha256Update
-+    (
-+        Sha256Context*      Context,        // [in out]
-+        void const*         Buffer,         // [in]
-+        uint32_t            BufferSize      // [in]
-+    )
-+{
-+    uint32_t n;
-+
-+    if( Context->curlen > sizeof(Context->buf) )
-+    {
-+       return;
-+    }
-+
-+    while( BufferSize > 0 )
-+    {
-+        if( Context->curlen == 0 && BufferSize >= BLOCK_SIZE )
-+        {
-+           TransformFunction( Context, (uint8_t*)Buffer );
-+           Context->length += BLOCK_SIZE * 8;
-+           Buffer = (uint8_t*)Buffer + BLOCK_SIZE;
-+           BufferSize -= BLOCK_SIZE;
-+        }
-+        else
-+        {
-+           n = MIN( BufferSize, (BLOCK_SIZE - Context->curlen) );
-+           memcpy( Context->buf + Context->curlen, Buffer, (size_t)n );
-+           Context->curlen += n;
-+           Buffer = (uint8_t*)Buffer + n;
-+           BufferSize -= n;
-+           if( Context->curlen == BLOCK_SIZE )
-+           {
-+              TransformFunction( Context, Context->buf );
-+              Context->length += 8*BLOCK_SIZE;
-+              Context->curlen = 0;
-+           }
-+       }
-+    }
-+}
-+
-+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-+//  Sha256Finalise
-+//
-+//  Performs the final calculation of the hash and returns the digest (32 byte buffer containing 256bit hash). After
-+//  calling this, Sha256Initialised must be used to reuse the context.
-+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-+void
-+    Sha256Finalise
-+    (
-+        Sha256Context*      Context,        // [in out]
-+        SHA256_HASH*        Digest          // [out]
-+    )
-+{
-+    int i;
-+
-+    if( Context->curlen >= sizeof(Context->buf) )
-+    {
-+       return;
-+    }
-+
-+    // Increase the length of the message
-+    Context->length += Context->curlen * 8;
-+
-+    // Append the '1' bit
-+    Context->buf[Context->curlen++] = (uint8_t)0x80;
-+
-+    // if the length is currently above 56 bytes we append zeros
-+    // then compress.  Then we can fall back to padding zeros and length
-+    // encoding like normal.
-+    if( Context->curlen > 56 )
-+    {
-+        while( Context->curlen < 64 )
-+        {
-+            Context->buf[Context->curlen++] = (uint8_t)0;
-+        }
-+        TransformFunction(Context, Context->buf);
-+        Context->curlen = 0;
-+    }
-+
-+    // Pad up to 56 bytes of zeroes
-+    while( Context->curlen < 56 )
-+    {
-+        Context->buf[Context->curlen++] = (uint8_t)0;
-+    }
-+
-+    // Store length
-+    STORE64H( Context->length, Context->buf+56 );
-+    TransformFunction( Context, Context->buf );
-+
-+    // Copy output
-+    for( i=0; i<8; i++ )
-+    {
-+        STORE32H( Context->state[i], Digest->bytes+(4*i) );
-+    }
-+}
-+
-+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-+//  Sha256Calculate
-+//
-+//  Combines Sha256Initialise, Sha256Update, and Sha256Finalise into one function. Calculates the SHA256 hash of the
-+//  buffer.
-+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-+void
-+    Sha256Calculate
-+    (
-+        void  const*        Buffer,         // [in]
-+        uint32_t            BufferSize,     // [in]
-+        SHA256_HASH*        Digest          // [in]
-+    )
-+{
-+    Sha256Context context;
-+
-+    Sha256Initialise( &context );
-+    Sha256Update( &context, Buffer, BufferSize );
-+    Sha256Finalise( &context, Digest );
-+}
-diff --git a/policycoreutils/semodule/sha256.h b/policycoreutils/semodule/sha256.h
-new file mode 100644
-index 000000000000..406ed869cd82
---- /dev/null
-+++ b/policycoreutils/semodule/sha256.h
-@@ -0,0 +1,89 @@
-+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-+//  WjCryptLib_Sha256
-+//
-+//  Implementation of SHA256 hash function.
-+//  Original author: Tom St Denis, tomstdenis@gmail.com, http://libtom.org
-+//  Modified by WaterJuice retaining Public Domain license.
-+//
-+//  This is free and unencumbered software released into the public domain - June 2013 waterjuice.org
-+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-+
-+#pragma once
-+
-+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-+//  IMPORTS
-+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-+
-+#include <stdint.h>
-+#include <stdio.h>
-+
-+typedef struct
-+{
-+    uint64_t    length;
-+    uint32_t    state[8];
-+    uint32_t    curlen;
-+    uint8_t     buf[64];
-+} Sha256Context;
-+
-+#define SHA256_HASH_SIZE           ( 256 / 8 )
-+
-+typedef struct
-+{
-+    uint8_t      bytes [SHA256_HASH_SIZE];
-+} SHA256_HASH;
-+
-+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-+//  PUBLIC FUNCTIONS
-+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-+
-+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-+//  Sha256Initialise
-+//
-+//  Initialises a SHA256 Context. Use this to initialise/reset a context.
-+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-+void
-+    Sha256Initialise
-+    (
-+        Sha256Context*      Context         // [out]
-+    );
-+
-+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-+//  Sha256Update
-+//
-+//  Adds data to the SHA256 context. This will process the data and update the internal state of the context. Keep on
-+//  calling this function until all the data has been added. Then call Sha256Finalise to calculate the hash.
-+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-+void
-+    Sha256Update
-+    (
-+        Sha256Context*      Context,        // [in out]
-+        void const*         Buffer,         // [in]
-+        uint32_t            BufferSize      // [in]
-+    );
-+
-+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-+//  Sha256Finalise
-+//
-+//  Performs the final calculation of the hash and returns the digest (32 byte buffer containing 256bit hash). After
-+//  calling this, Sha256Initialised must be used to reuse the context.
-+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-+void
-+    Sha256Finalise
-+    (
-+        Sha256Context*      Context,        // [in out]
-+        SHA256_HASH*        Digest          // [out]
-+    );
-+
-+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-+//  Sha256Calculate
-+//
-+//  Combines Sha256Initialise, Sha256Update, and Sha256Finalise into one function. Calculates the SHA256 hash of the
-+//  buffer.
-+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-+void
-+    Sha256Calculate
-+    (
-+        void  const*        Buffer,         // [in]
-+        uint32_t            BufferSize,     // [in]
-+        SHA256_HASH*        Digest          // [in]
-+    );
--- 
-2.33.1
-

SOURCES/0042-semodule-Fix-lang_ext-column-index.patch

@@ -1,29 +0,0 @@
-From 14084bad4f5bcfdb769ba39c9a6f12e4787ab909 Mon Sep 17 00:00:00 2001
-From: Petr Lautrbach <plautrba@redhat.com>
-Date: Tue, 16 Nov 2021 16:11:22 +0100
-Subject: [PATCH] semodule: Fix lang_ext column index
-
-lang_ext is 3. column - index number 2.
-
-Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
-Acked-by: James Carter <jwcart2@gmail.com>
----
- policycoreutils/semodule/semodule.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/policycoreutils/semodule/semodule.c b/policycoreutils/semodule/semodule.c
-index 300a97d735cc..c677cc4f1d81 100644
---- a/policycoreutils/semodule/semodule.c
-+++ b/policycoreutils/semodule/semodule.c
-@@ -682,7 +682,7 @@ cleanup_extract:
- 						if (result != 0) goto cleanup_list;
- 
- 						size = strlen(tmp);
--						if (size > column[3]) column[3] = size;
-+						if (size > column[2]) column[2] = size;
- 					}
- 
- 					/* print out each module */
--- 
-2.33.1
-

SOURCES/0043-semodule-Don-t-forget-to-munmap-data.patch

@@ -1,32 +0,0 @@
-From 61f05b6d26063e1ebdc06609c29a067d44579b41 Mon Sep 17 00:00:00 2001
-From: Petr Lautrbach <plautrba@redhat.com>
-Date: Tue, 23 Nov 2021 17:38:51 +0100
-Subject: [PATCH] semodule: Don't forget to munmap() data
-
-semanage_module_extract() mmap()'s the module raw data but it leaves on
-the caller to munmap() them.
-
-Reported-by: Ondrej Mosnacek <omosnace@redhat.com>
-Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
-Acked-by: James Carter <jwcart2@gmail.com>
----
- policycoreutils/semodule/semodule.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/policycoreutils/semodule/semodule.c b/policycoreutils/semodule/semodule.c
-index c677cc4f1d81..dc227058b073 100644
---- a/policycoreutils/semodule/semodule.c
-+++ b/policycoreutils/semodule/semodule.c
-@@ -393,6 +393,9 @@ static char *hash_module_data(const char *module_name, const int prio) {
- 	sha256_buf[i * 2] = 0;
- 
- cleanup_extract:
-+	if (data_len > 0) {
-+		munmap(data, data_len);
-+	}
- 	semanage_module_info_destroy(sh, extract_info);
- 	free(extract_info);
- 	semanage_module_key_destroy(sh, modkey);
--- 
-2.33.1
-

SOURCES/0044-policycoreutils-Improve-error-message-when-selabel_o.patch

@@ -1,41 +0,0 @@
-From 69da6239d8505a9d6ca547187f71a351df17f157 Mon Sep 17 00:00:00 2001
-From: Vit Mojzis <vmojzis@redhat.com>
-Date: Mon, 10 Jan 2022 18:35:27 +0100
-Subject: [PATCH] policycoreutils: Improve error message when selabel_open
- fails
-
-When selabel_open fails to locate file_context files and
-selabel_opt_path is not specified (e.g. when the policy type is
-missconfigured in /etc/selinux/config), perror only prints
-"No such file or directory".
-This can be confusing in case of "restorecon" since it's
-not apparent that the issue is in policy store.
-
-Before:
-  \# restorecon -v /tmp/foo.txt
-  No such file or directory
-After:
-  \# restorecon -v /tmp/foo.txt
-  /etc/selinux/yolo/contexts/files/file_contexts: No such file or directory
-
-Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
----
- policycoreutils/setfiles/restore.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/policycoreutils/setfiles/restore.c b/policycoreutils/setfiles/restore.c
-index d3335d1a..ba2668b3 100644
---- a/policycoreutils/setfiles/restore.c
-+++ b/policycoreutils/setfiles/restore.c
-@@ -29,7 +29,7 @@ void restore_init(struct restore_opts *opts)
- 
- 	opts->hnd = selabel_open(SELABEL_CTX_FILE, selinux_opts, 3);
- 	if (!opts->hnd) {
--		perror(opts->selabel_opt_path);
-+		perror(opts->selabel_opt_path ? opts->selabel_opt_path : selinux_file_context_path());
- 		exit(1);
- 	}
- 
--- 
-2.30.2
-

SOURCES/0045-semodule-libsemanage-move-module-hashing-into-libsem.patch

@@ -1,539 +0,0 @@
-From 066007029b3dd250305d7fac0bfd53aa1e4543cf Mon Sep 17 00:00:00 2001
-From: Ondrej Mosnacek <omosnace@redhat.com>
-Date: Thu, 3 Feb 2022 17:53:23 +0100
-Subject: [PATCH] semodule,libsemanage: move module hashing into libsemanage
-
-The main goal of this move is to have the SHA-256 implementation under
-libsemanage, since upcoming patches will make use of SHA-256 for a
-different (but similar) purpose in libsemanage. Having the hashing code
-in libsemanage will reduce code duplication and allow for easier hash
-algorithm upgrade in the future.
-
-Note that libselinux currently also contains a hash function
-implementation (for yet another different purpose). This patch doesn't
-make any effort to address that duplicity yet.
-
-This patch also changes the format of the hash string printed by
-semodule to include the name of the hash. The intent is to avoid
-ambiguity and potential collisions when the algorithm is potentially
-changed in the future.
-
-Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
----
- policycoreutils/semodule/Makefile   |   2 +-
- policycoreutils/semodule/semodule.c |  53 ++---
- policycoreutils/semodule/sha256.c   | 294 ----------------------------
- policycoreutils/semodule/sha256.h   |  89 ---------
- 4 files changed, 17 insertions(+), 421 deletions(-)
- delete mode 100644 policycoreutils/semodule/sha256.c
- delete mode 100644 policycoreutils/semodule/sha256.h
-
-diff --git a/policycoreutils/semodule/Makefile b/policycoreutils/semodule/Makefile
-index 9875ac38..73801e48 100644
---- a/policycoreutils/semodule/Makefile
-+++ b/policycoreutils/semodule/Makefile
-@@ -6,7 +6,7 @@ MANDIR = $(PREFIX)/share/man
- 
- CFLAGS ?= -Werror -Wall -W
- override LDLIBS += -lsepol -lselinux -lsemanage
--SEMODULE_OBJS = semodule.o sha256.o
-+SEMODULE_OBJS = semodule.o
- 
- all: semodule genhomedircon
- 
-diff --git a/policycoreutils/semodule/semodule.c b/policycoreutils/semodule/semodule.c
-index dc227058..243b1add 100644
---- a/policycoreutils/semodule/semodule.c
-+++ b/policycoreutils/semodule/semodule.c
-@@ -24,8 +24,6 @@
- 
- #include <semanage/modules.h>
- 
--#include "sha256.h"
--
- enum client_modes {
- 	NO_MODE, INSTALL_M, REMOVE_M, EXTRACT_M, CIL_M, HLL_M,
- 	LIST_M, RELOAD, PRIORITY_M, ENABLE_M, DISABLE_M
-@@ -347,60 +345,38 @@ static void parse_command_line(int argc, char **argv)
- 
- /* Get module checksum */
- static char *hash_module_data(const char *module_name, const int prio) {
--	semanage_module_info_t *extract_info = NULL;
- 	semanage_module_key_t *modkey = NULL;
--	Sha256Context context;
--	uint8_t sha256_hash[SHA256_HASH_SIZE];
--	char *sha256_buf = NULL;
--	void *data;
--	size_t data_len = 0, i;
-+	char *hash_str = NULL;
-+	void *hash = NULL;
-+	size_t hash_len = 0;
- 	int result;
- 
- 	result = semanage_module_key_create(sh, &modkey);
- 	if (result != 0) {
--		goto cleanup_extract;
-+		goto cleanup;
- 	}
- 
- 	result = semanage_module_key_set_name(sh, modkey, module_name);
- 	if (result != 0) {
--		goto cleanup_extract;
-+		goto cleanup;
- 	}
- 
- 	result = semanage_module_key_set_priority(sh, modkey, prio);
- 	if (result != 0) {
--		goto cleanup_extract;
-+		goto cleanup;
- 	}
- 
--	result = semanage_module_extract(sh, modkey, 1, &data, &data_len,
--									 &extract_info);
-+	result = semanage_module_compute_checksum(sh, modkey, 1, &hash_str,
-+						  &hash_len);
- 	if (result != 0) {
--		goto cleanup_extract;
--	}
--
--	Sha256Initialise(&context);
--	Sha256Update(&context, data, data_len);
--
--	Sha256Finalise(&context, (SHA256_HASH *)sha256_hash);
--
--	sha256_buf = calloc(1, SHA256_HASH_SIZE * 2 + 1);
--
--	if (sha256_buf == NULL)
--		goto cleanup_extract;
--
--	for (i = 0; i < SHA256_HASH_SIZE; i++) {
--		sprintf((&sha256_buf[i * 2]), "%02x", sha256_hash[i]);
-+		goto cleanup;
- 	}
--	sha256_buf[i * 2] = 0;
- 
--cleanup_extract:
--	if (data_len > 0) {
--		munmap(data, data_len);
--	}
--	semanage_module_info_destroy(sh, extract_info);
--	free(extract_info);
-+cleanup:
-+	free(hash);
- 	semanage_module_key_destroy(sh, modkey);
- 	free(modkey);
--	return sha256_buf;
-+	return hash_str;
- }
- 
- int main(int argc, char *argv[])
-@@ -667,7 +643,10 @@ cleanup_extract:
- 					/* fixed width columns */
- 					column[0] = sizeof("000") - 1;
- 					column[3] = sizeof("disabled") - 1;
--					column[4] = 64; /* SHA256_HASH_SIZE * 2 */
-+
-+					result = semanage_module_compute_checksum(sh, NULL, 0, NULL,
-+										  &column[4]);
-+					if (result != 0) goto cleanup_list;
- 
- 					/* variable width columns */
- 					const char *tmp = NULL;
-diff --git a/policycoreutils/semodule/sha256.c b/policycoreutils/semodule/sha256.c
-deleted file mode 100644
-index fe2aeef0..00000000
---- a/policycoreutils/semodule/sha256.c
-+++ /dev/null
-@@ -1,294 +0,0 @@
--////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
--//  WjCryptLib_Sha256
--//
--//  Implementation of SHA256 hash function.
--//  Original author: Tom St Denis, tomstdenis@gmail.com, http://libtom.org
--//  Modified by WaterJuice retaining Public Domain license.
--//
--//  This is free and unencumbered software released into the public domain - June 2013 waterjuice.org
--////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
--
--////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
--//  IMPORTS
--////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
--
--#include "sha256.h"
--#include <memory.h>
--
--////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
--//  MACROS
--////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
--
--#define ror(value, bits) (((value) >> (bits)) | ((value) << (32 - (bits))))
--
--#define MIN(x, y) ( ((x)<(y))?(x):(y) )
--
--#define STORE32H(x, y)                                                                     \
--     { (y)[0] = (uint8_t)(((x)>>24)&255); (y)[1] = (uint8_t)(((x)>>16)&255);   \
--       (y)[2] = (uint8_t)(((x)>>8)&255); (y)[3] = (uint8_t)((x)&255); }
--
--#define LOAD32H(x, y)                            \
--     { x = ((uint32_t)((y)[0] & 255)<<24) | \
--           ((uint32_t)((y)[1] & 255)<<16) | \
--           ((uint32_t)((y)[2] & 255)<<8)  | \
--           ((uint32_t)((y)[3] & 255)); }
--
--#define STORE64H(x, y)                                                                     \
--   { (y)[0] = (uint8_t)(((x)>>56)&255); (y)[1] = (uint8_t)(((x)>>48)&255);     \
--     (y)[2] = (uint8_t)(((x)>>40)&255); (y)[3] = (uint8_t)(((x)>>32)&255);     \
--     (y)[4] = (uint8_t)(((x)>>24)&255); (y)[5] = (uint8_t)(((x)>>16)&255);     \
--     (y)[6] = (uint8_t)(((x)>>8)&255); (y)[7] = (uint8_t)((x)&255); }
--
--////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
--//  CONSTANTS
--////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
--
--// The K array
--static const uint32_t K[64] = {
--    0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL, 0x3956c25bUL,
--    0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL, 0xd807aa98UL, 0x12835b01UL,
--    0x243185beUL, 0x550c7dc3UL, 0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL,
--    0xc19bf174UL, 0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL,
--    0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL, 0x983e5152UL,
--    0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL, 0xc6e00bf3UL, 0xd5a79147UL,
--    0x06ca6351UL, 0x14292967UL, 0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL,
--    0x53380d13UL, 0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL,
--    0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL, 0xd192e819UL,
--    0xd6990624UL, 0xf40e3585UL, 0x106aa070UL, 0x19a4c116UL, 0x1e376c08UL,
--    0x2748774cUL, 0x34b0bcb5UL, 0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL,
--    0x682e6ff3UL, 0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL,
--    0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL
--};
--
--#define BLOCK_SIZE          64
--
--////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
--//  INTERNAL FUNCTIONS
--////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
--
--// Various logical functions
--#define Ch( x, y, z )     (z ^ (x & (y ^ z)))
--#define Maj( x, y, z )    (((x | y) & z) | (x & y))
--#define S( x, n )         ror((x),(n))
--#define R( x, n )         (((x)&0xFFFFFFFFUL)>>(n))
--#define Sigma0( x )       (S(x, 2) ^ S(x, 13) ^ S(x, 22))
--#define Sigma1( x )       (S(x, 6) ^ S(x, 11) ^ S(x, 25))
--#define Gamma0( x )       (S(x, 7) ^ S(x, 18) ^ R(x, 3))
--#define Gamma1( x )       (S(x, 17) ^ S(x, 19) ^ R(x, 10))
--
--#define Sha256Round( a, b, c, d, e, f, g, h, i )       \
--     t0 = h + Sigma1(e) + Ch(e, f, g) + K[i] + W[i];   \
--     t1 = Sigma0(a) + Maj(a, b, c);                    \
--     d += t0;                                          \
--     h  = t0 + t1;
--
--////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
--//  TransformFunction
--//
--//  Compress 512-bits
--////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
--static
--void
--    TransformFunction
--    (
--        Sha256Context*      Context,
--        uint8_t const*      Buffer
--    )
--{
--    uint32_t    S[8];
--    uint32_t    W[64];
--    uint32_t    t0;
--    uint32_t    t1;
--    uint32_t    t;
--    int         i;
--
--    // Copy state into S
--    for( i=0; i<8; i++ )
--    {
--        S[i] = Context->state[i];
--    }
--
--    // Copy the state into 512-bits into W[0..15]
--    for( i=0; i<16; i++ )
--    {
--        LOAD32H( W[i], Buffer + (4*i) );
--    }
--
--    // Fill W[16..63]
--    for( i=16; i<64; i++ )
--    {
--        W[i] = Gamma1( W[i-2]) + W[i-7] + Gamma0( W[i-15] ) + W[i-16];
--    }
--
--    // Compress
--    for( i=0; i<64; i++ )
--    {
--        Sha256Round( S[0], S[1], S[2], S[3], S[4], S[5], S[6], S[7], i );
--        t = S[7];
--        S[7] = S[6];
--        S[6] = S[5];
--        S[5] = S[4];
--        S[4] = S[3];
--        S[3] = S[2];
--        S[2] = S[1];
--        S[1] = S[0];
--        S[0] = t;
--    }
--
--    // Feedback
--    for( i=0; i<8; i++ )
--    {
--        Context->state[i] = Context->state[i] + S[i];
--    }
--}
--
--////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
--//  PUBLIC FUNCTIONS
--////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
--
--////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
--//  Sha256Initialise
--//
--//  Initialises a SHA256 Context. Use this to initialise/reset a context.
--////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
--void
--    Sha256Initialise
--    (
--        Sha256Context*      Context         // [out]
--    )
--{
--    Context->curlen = 0;
--    Context->length = 0;
--    Context->state[0] = 0x6A09E667UL;
--    Context->state[1] = 0xBB67AE85UL;
--    Context->state[2] = 0x3C6EF372UL;
--    Context->state[3] = 0xA54FF53AUL;
--    Context->state[4] = 0x510E527FUL;
--    Context->state[5] = 0x9B05688CUL;
--    Context->state[6] = 0x1F83D9ABUL;
--    Context->state[7] = 0x5BE0CD19UL;
--}
--
--////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
--//  Sha256Update
--//
--//  Adds data to the SHA256 context. This will process the data and update the internal state of the context. Keep on
--//  calling this function until all the data has been added. Then call Sha256Finalise to calculate the hash.
--////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
--void
--    Sha256Update
--    (
--        Sha256Context*      Context,        // [in out]
--        void const*         Buffer,         // [in]
--        uint32_t            BufferSize      // [in]
--    )
--{
--    uint32_t n;
--
--    if( Context->curlen > sizeof(Context->buf) )
--    {
--       return;
--    }
--
--    while( BufferSize > 0 )
--    {
--        if( Context->curlen == 0 && BufferSize >= BLOCK_SIZE )
--        {
--           TransformFunction( Context, (uint8_t*)Buffer );
--           Context->length += BLOCK_SIZE * 8;
--           Buffer = (uint8_t*)Buffer + BLOCK_SIZE;
--           BufferSize -= BLOCK_SIZE;
--        }
--        else
--        {
--           n = MIN( BufferSize, (BLOCK_SIZE - Context->curlen) );
--           memcpy( Context->buf + Context->curlen, Buffer, (size_t)n );
--           Context->curlen += n;
--           Buffer = (uint8_t*)Buffer + n;
--           BufferSize -= n;
--           if( Context->curlen == BLOCK_SIZE )
--           {
--              TransformFunction( Context, Context->buf );
--              Context->length += 8*BLOCK_SIZE;
--              Context->curlen = 0;
--           }
--       }
--    }
--}
--
--////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
--//  Sha256Finalise
--//
--//  Performs the final calculation of the hash and returns the digest (32 byte buffer containing 256bit hash). After
--//  calling this, Sha256Initialised must be used to reuse the context.
--////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
--void
--    Sha256Finalise
--    (
--        Sha256Context*      Context,        // [in out]
--        SHA256_HASH*        Digest          // [out]
--    )
--{
--    int i;
--
--    if( Context->curlen >= sizeof(Context->buf) )
--    {
--       return;
--    }
--
--    // Increase the length of the message
--    Context->length += Context->curlen * 8;
--
--    // Append the '1' bit
--    Context->buf[Context->curlen++] = (uint8_t)0x80;
--
--    // if the length is currently above 56 bytes we append zeros
--    // then compress.  Then we can fall back to padding zeros and length
--    // encoding like normal.
--    if( Context->curlen > 56 )
--    {
--        while( Context->curlen < 64 )
--        {
--            Context->buf[Context->curlen++] = (uint8_t)0;
--        }
--        TransformFunction(Context, Context->buf);
--        Context->curlen = 0;
--    }
--
--    // Pad up to 56 bytes of zeroes
--    while( Context->curlen < 56 )
--    {
--        Context->buf[Context->curlen++] = (uint8_t)0;
--    }
--
--    // Store length
--    STORE64H( Context->length, Context->buf+56 );
--    TransformFunction( Context, Context->buf );
--
--    // Copy output
--    for( i=0; i<8; i++ )
--    {
--        STORE32H( Context->state[i], Digest->bytes+(4*i) );
--    }
--}
--
--////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
--//  Sha256Calculate
--//
--//  Combines Sha256Initialise, Sha256Update, and Sha256Finalise into one function. Calculates the SHA256 hash of the
--//  buffer.
--////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
--void
--    Sha256Calculate
--    (
--        void  const*        Buffer,         // [in]
--        uint32_t            BufferSize,     // [in]
--        SHA256_HASH*        Digest          // [in]
--    )
--{
--    Sha256Context context;
--
--    Sha256Initialise( &context );
--    Sha256Update( &context, Buffer, BufferSize );
--    Sha256Finalise( &context, Digest );
--}
-diff --git a/policycoreutils/semodule/sha256.h b/policycoreutils/semodule/sha256.h
-deleted file mode 100644
-index 406ed869..00000000
---- a/policycoreutils/semodule/sha256.h
-+++ /dev/null
-@@ -1,89 +0,0 @@
--////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
--//  WjCryptLib_Sha256
--//
--//  Implementation of SHA256 hash function.
--//  Original author: Tom St Denis, tomstdenis@gmail.com, http://libtom.org
--//  Modified by WaterJuice retaining Public Domain license.
--//
--//  This is free and unencumbered software released into the public domain - June 2013 waterjuice.org
--////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
--
--#pragma once
--
--////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
--//  IMPORTS
--////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
--
--#include <stdint.h>
--#include <stdio.h>
--
--typedef struct
--{
--    uint64_t    length;
--    uint32_t    state[8];
--    uint32_t    curlen;
--    uint8_t     buf[64];
--} Sha256Context;
--
--#define SHA256_HASH_SIZE           ( 256 / 8 )
--
--typedef struct
--{
--    uint8_t      bytes [SHA256_HASH_SIZE];
--} SHA256_HASH;
--
--////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
--//  PUBLIC FUNCTIONS
--////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
--
--////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
--//  Sha256Initialise
--//
--//  Initialises a SHA256 Context. Use this to initialise/reset a context.
--////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
--void
--    Sha256Initialise
--    (
--        Sha256Context*      Context         // [out]
--    );
--
--////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
--//  Sha256Update
--//
--//  Adds data to the SHA256 context. This will process the data and update the internal state of the context. Keep on
--//  calling this function until all the data has been added. Then call Sha256Finalise to calculate the hash.
--////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
--void
--    Sha256Update
--    (
--        Sha256Context*      Context,        // [in out]
--        void const*         Buffer,         // [in]
--        uint32_t            BufferSize      // [in]
--    );
--
--////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
--//  Sha256Finalise
--//
--//  Performs the final calculation of the hash and returns the digest (32 byte buffer containing 256bit hash). After
--//  calling this, Sha256Initialised must be used to reuse the context.
--////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
--void
--    Sha256Finalise
--    (
--        Sha256Context*      Context,        // [in out]
--        SHA256_HASH*        Digest          // [out]
--    );
--
--////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
--//  Sha256Calculate
--//
--//  Combines Sha256Initialise, Sha256Update, and Sha256Finalise into one function. Calculates the SHA256 hash of the
--//  buffer.
--////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
--void
--    Sha256Calculate
--    (
--        void  const*        Buffer,         // [in]
--        uint32_t            BufferSize,     // [in]
--        SHA256_HASH*        Digest          // [in]
--    );
--- 
-2.30.2
-

SOURCES/0046-semodule-add-command-line-option-to-detect-module-ch.patch

@@ -1,144 +0,0 @@
-From e3fc737e43561ecadcb977ce4c9a1db44be636ae Mon Sep 17 00:00:00 2001
-From: Ondrej Mosnacek <omosnace@redhat.com>
-Date: Thu, 3 Feb 2022 17:53:27 +0100
-Subject: [PATCH] semodule: add command-line option to detect module changes
-
-Add a new command-line option "--rebuild-if-modules-changed" to control
-the newly introduced check_ext_changes libsemanage flag.
-
-For example, running `semodule --rebuild-if-modules-changed` will ensure
-that any externally added/removed modules (e.g. by an RPM transaction)
-are reflected in the compiled policy, while skipping the most expensive
-part of the rebuild if no module change was deteceted since the last
-libsemanage transaction.
-
-Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
----
- policycoreutils/semodule/semodule.8 |  7 +++++++
- policycoreutils/semodule/semodule.c | 32 ++++++++++++++++++++++-------
- 2 files changed, 32 insertions(+), 7 deletions(-)
-
-diff --git a/policycoreutils/semodule/semodule.8 b/policycoreutils/semodule/semodule.8
-index 3a2fb21c..d1735d21 100644
---- a/policycoreutils/semodule/semodule.8
-+++ b/policycoreutils/semodule/semodule.8
-@@ -23,6 +23,13 @@ force a reload of policy
- .B \-B, \-\-build
- force a rebuild of policy (also reloads unless \-n is used)
- .TP
-+.B \-\-rebuild-if-modules-changed
-+Force a rebuild of the policy if any changes to module content are detected
-+(by comparing with checksum from the last transaction).  One can use this
-+instead of \-B to ensure that any changes to the module store done by an
-+external tool (e.g. a package manager) are applied, while automatically
-+skipping the rebuild if there are no new changes.
-+.TP
- .B \-D, \-\-disable_dontaudit
- Temporarily remove dontaudits from policy.  Reverts whenever policy is rebuilt
- .TP
-diff --git a/policycoreutils/semodule/semodule.c b/policycoreutils/semodule/semodule.c
-index 243b1add..22a42a75 100644
---- a/policycoreutils/semodule/semodule.c
-+++ b/policycoreutils/semodule/semodule.c
-@@ -46,6 +46,7 @@ static int verbose;
- static int reload;
- static int no_reload;
- static int build;
-+static int check_ext_changes;
- static int disable_dontaudit;
- static int preserve_tunables;
- static int ignore_module_cache;
-@@ -148,6 +149,9 @@ static void usage(char *progname)
- 	printf("  -c, --cil extract module as cil. This only affects module extraction.\n");
- 	printf("  -H, --hll extract module as hll. This only affects module extraction.\n");
- 	printf("  -m, --checksum   print module checksum (SHA256).\n");
-+	printf("      --rebuild-if-modules-changed\n"
-+	       "                   force policy rebuild if module content changed since\n"
-+	       "                   last rebuild (based on checksum)\n");
- }
- 
- /* Sets the global mode variable to new_mode, but only if no other
-@@ -179,6 +183,7 @@ static void set_mode(enum client_modes new_mode, char *arg)
- static void parse_command_line(int argc, char **argv)
- {
- 	static struct option opts[] = {
-+		{"rebuild-if-modules-changed", 0, NULL, '\0'},
- 		{"store", required_argument, NULL, 's'},
- 		{"base", required_argument, NULL, 'b'},
- 		{"help", 0, NULL, 'h'},
-@@ -206,15 +211,26 @@ static void parse_command_line(int argc, char **argv)
- 	};
- 	int extract_selected = 0;
- 	int cil_hll_set = 0;
--	int i;
-+	int i, longind;
- 	verbose = 0;
- 	reload = 0;
- 	no_reload = 0;
-+	check_ext_changes = 0;
- 	priority = 400;
- 	while ((i =
--		getopt_long(argc, argv, "s:b:hi:l::vr:u:RnNBDCPX:e:d:p:S:E:cHm", opts,
--			    NULL)) != -1) {
-+		getopt_long(argc, argv, "s:b:hi:l::vr:u:RnNBDCPX:e:d:p:S:E:cHm",
-+			    opts, &longind)) != -1) {
- 		switch (i) {
-+		case '\0':
-+			switch(longind) {
-+			case 0: /* --rebuild-if-modules-changed */
-+				check_ext_changes = 1;
-+				break;
-+			default:
-+				usage(argv[0]);
-+				exit(1);
-+			}
-+			break;
- 		case 'b':
- 			fprintf(stderr, "The --base option is deprecated. Use --install instead.\n");
- 			set_mode(INSTALL_M, optarg);
-@@ -299,13 +315,13 @@ static void parse_command_line(int argc, char **argv)
- 			}
- 		}
- 	}
--	if ((build || reload) && num_commands) {
-+	if ((build || reload || check_ext_changes) && num_commands) {
- 		fprintf(stderr,
- 			"build or reload should not be used with other commands\n");
- 		usage(argv[0]);
- 		exit(1);
- 	}
--	if (num_commands == 0 && reload == 0 && build == 0) {
-+	if (num_commands == 0 && reload == 0 && build == 0 && check_ext_changes == 0) {
- 		fprintf(stderr, "At least one mode must be specified.\n");
- 		usage(argv[0]);
- 		exit(1);
-@@ -392,7 +408,7 @@ int main(int argc, char *argv[])
- 	}
- 	parse_command_line(argc, argv);
- 
--	if (build)
-+	if (build || check_ext_changes)
- 		commit = 1;
- 
- 	sh = semanage_handle_create();
-@@ -431,7 +447,7 @@ int main(int argc, char *argv[])
- 		}
- 	}
- 
--	if (build) {
-+	if (build || check_ext_changes) {
- 		if ((result = semanage_begin_transaction(sh)) < 0) {
- 			fprintf(stderr, "%s:  Could not begin transaction:  %s\n",
- 				argv[0], errno ? strerror(errno) : "");
-@@ -805,6 +821,8 @@ cleanup_disable:
- 			semanage_set_reload(sh, 0);
- 		if (build)
- 			semanage_set_rebuild(sh, 1);
-+		if (check_ext_changes)
-+			semanage_set_check_ext_changes(sh, 1);
- 		if (disable_dontaudit)
- 			semanage_set_disable_dontaudit(sh, 1);
- 		else if (build)
--- 
-2.30.2
-

SOURCES/0047-python-Split-semanage-import-into-two-transactions.patch

@@ -1,64 +0,0 @@
-From 09c944561c76146b1fc11e99e95b6a674366cddf Mon Sep 17 00:00:00 2001
-From: Vit Mojzis <vmojzis@redhat.com>
-Date: Mon, 30 May 2022 14:20:21 +0200
-Subject: [PATCH] python: Split "semanage import" into two transactions
-
-First transaction applies all deletion operations, so that there are no
-collisions when applying the rest of the changes.
-
-Fixes:
-  # semanage port -a -t http_cache_port_t -r s0 -p tcp 3024
-  # semanage export | semanage import
-  ValueError: Port tcp/3024 already defined
-
-Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
----
- python/semanage/semanage | 21 +++++++++++++++++++--
- 1 file changed, 19 insertions(+), 2 deletions(-)
-
-diff --git a/python/semanage/semanage b/python/semanage/semanage
-index ebb93ea5..b8842d28 100644
---- a/python/semanage/semanage
-+++ b/python/semanage/semanage
-@@ -841,10 +841,29 @@ def handleImport(args):
-     trans = seobject.semanageRecords(args)
-     trans.start()
- 
-+    deleteCommands = []
-+    commands = []
-+    # separate commands for deletion from the rest so they can be
-+    # applied in a separate transaction
-     for l in sys.stdin.readlines():
-         if len(l.strip()) == 0:
-             continue
-+        if "-d" in l or "-D" in l:
-+            deleteCommands.append(l)
-+        else:
-+            commands.append(l)
-+
-+    if deleteCommands:
-+        importHelper(deleteCommands)
-+        trans.finish()
-+        trans.start()
-+
-+    importHelper(commands)
-+    trans.finish()
- 
-+
-+def importHelper(commands):
-+    for l in commands:
-         try:
-             commandParser = createCommandParser()
-             args = commandParser.parse_args(mkargv(l))
-@@ -858,8 +877,6 @@ def handleImport(args):
-         except KeyboardInterrupt:
-             sys.exit(0)
- 
--    trans.finish()
--
- 
- def setupImportParser(subparsers):
-     importParser = subparsers.add_parser('import', help=_('Import local customizations'))
--- 
-2.35.3
-

SOURCES/0048-semodule-rename-rebuild-if-modules-changed-to-refres.patch

@@ -1,81 +0,0 @@
-From c0ca652dce6b1d5d11e697cc3a4695d87944f9ad Mon Sep 17 00:00:00 2001
-From: Ondrej Mosnacek <omosnace@redhat.com>
-Date: Wed, 8 Jun 2022 19:09:54 +0200
-Subject: [PATCH] semodule: rename --rebuild-if-modules-changed to --refresh
-
-After the last commit this option's name and description no longer
-matches the semantic, so give it a new one and update the descriptions.
-The old name is still recognized and aliased to the new one for
-backwards compatibility.
-
-Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
-Acked-by: Nicolas Iooss <nicolas.iooss@m4x.org>
----
- policycoreutils/semodule/semodule.8 | 12 ++++++------
- policycoreutils/semodule/semodule.c | 13 ++++++++++---
- 2 files changed, 16 insertions(+), 9 deletions(-)
-
-diff --git a/policycoreutils/semodule/semodule.8 b/policycoreutils/semodule/semodule.8
-index d1735d21..c56e580f 100644
---- a/policycoreutils/semodule/semodule.8
-+++ b/policycoreutils/semodule/semodule.8
-@@ -23,12 +23,12 @@ force a reload of policy
- .B \-B, \-\-build
- force a rebuild of policy (also reloads unless \-n is used)
- .TP
--.B \-\-rebuild-if-modules-changed
--Force a rebuild of the policy if any changes to module content are detected
--(by comparing with checksum from the last transaction).  One can use this
--instead of \-B to ensure that any changes to the module store done by an
--external tool (e.g. a package manager) are applied, while automatically
--skipping the rebuild if there are no new changes.
-+.B \-\-refresh
-+Like \-\-build, but reuses existing linked policy if no changes to module
-+files are detected (by comparing with checksum from the last transaction).
-+One can use this instead of \-B to ensure that any changes to the module
-+store done by an external tool (e.g. a package manager) are applied, while
-+automatically skipping the module re-linking if there are no module changes.
- .TP
- .B \-D, \-\-disable_dontaudit
- Temporarily remove dontaudits from policy.  Reverts whenever policy is rebuilt
-diff --git a/policycoreutils/semodule/semodule.c b/policycoreutils/semodule/semodule.c
-index 22a42a75..324ec9fb 100644
---- a/policycoreutils/semodule/semodule.c
-+++ b/policycoreutils/semodule/semodule.c
-@@ -149,9 +149,12 @@ static void usage(char *progname)
- 	printf("  -c, --cil extract module as cil. This only affects module extraction.\n");
- 	printf("  -H, --hll extract module as hll. This only affects module extraction.\n");
- 	printf("  -m, --checksum   print module checksum (SHA256).\n");
--	printf("      --rebuild-if-modules-changed\n"
--	       "                   force policy rebuild if module content changed since\n"
--	       "                   last rebuild (based on checksum)\n");
-+	printf("      --refresh    like --build, but reuses existing linked policy if no\n"
-+	       "                   changes to module files are detected (via checksum)\n");
-+	printf("Deprecated options:\n");
-+	printf("  -b,--base	   same as --install\n");
-+	printf("  --rebuild-if-modules-changed\n"
-+	       "                   same as --refresh\n");
- }
- 
- /* Sets the global mode variable to new_mode, but only if no other
-@@ -184,6 +187,7 @@ static void parse_command_line(int argc, char **argv)
- {
- 	static struct option opts[] = {
- 		{"rebuild-if-modules-changed", 0, NULL, '\0'},
-+		{"refresh", 0, NULL, '\0'},
- 		{"store", required_argument, NULL, 's'},
- 		{"base", required_argument, NULL, 'b'},
- 		{"help", 0, NULL, 'h'},
-@@ -224,6 +228,9 @@ static void parse_command_line(int argc, char **argv)
- 		case '\0':
- 			switch(longind) {
- 			case 0: /* --rebuild-if-modules-changed */
-+				fprintf(stderr, "The --rebuild-if-modules-changed option is deprecated. Use --refresh instead.\n");
-+				/* fallthrough */
-+			case 1: /* --refresh */
- 				check_ext_changes = 1;
- 				break;
- 			default:
--- 
-2.35.3
-

SOURCES/0049-python-Harden-tools-against-rogue-modules.patch

@@ -1,79 +0,0 @@
-From 72c7e9123980b003a21d51e2805529a3e90b2460 Mon Sep 17 00:00:00 2001
-From: Vit Mojzis <vmojzis@redhat.com>
-Date: Thu, 13 Oct 2022 17:33:18 +0200
-Subject: [PATCH] python: Harden tools against "rogue" modules
-
-Python scripts present in "/usr/sbin" override regular modules.
-Make sure /usr/sbin is not present in PYTHONPATH.
-
-Fixes:
-  #cat > /usr/sbin/audit.py <<EOF
-  import sys
-  print("BAD GUY!", file=sys.stderr)
-  sys.exit(1)
-  EOF
-  #semanage boolean -l
-  BAD GUY!
-
-Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
----
- python/audit2allow/audit2allow    | 2 +-
- python/audit2allow/sepolgen-ifgen | 2 +-
- python/chcat/chcat                | 2 +-
- python/semanage/semanage          | 2 +-
- python/sepolicy/sepolicy.py       | 2 +-
- 5 files changed, 5 insertions(+), 5 deletions(-)
-
-diff --git a/python/audit2allow/audit2allow b/python/audit2allow/audit2allow
-index 09b06f66..eafeea88 100644
---- a/python/audit2allow/audit2allow
-+++ b/python/audit2allow/audit2allow
-@@ -1,4 +1,4 @@
--#!/usr/bin/python3 -Es
-+#!/usr/bin/python3 -EsI
- # Authors: Karl MacMillan <kmacmillan@mentalrootkit.com>
- # Authors: Dan Walsh <dwalsh@redhat.com>
- #
-diff --git a/python/audit2allow/sepolgen-ifgen b/python/audit2allow/sepolgen-ifgen
-index be2d093b..f25f8af1 100644
---- a/python/audit2allow/sepolgen-ifgen
-+++ b/python/audit2allow/sepolgen-ifgen
-@@ -1,4 +1,4 @@
--#!/usr/bin/python3 -Es
-+#!/usr/bin/python3 -EsI
- #
- # Authors: Karl MacMillan <kmacmillan@mentalrootkit.com>
- #
-diff --git a/python/chcat/chcat b/python/chcat/chcat
-index df2509f2..5671cec6 100755
---- a/python/chcat/chcat
-+++ b/python/chcat/chcat
-@@ -1,4 +1,4 @@
--#!/usr/bin/python3 -Es
-+#!/usr/bin/python3 -EsI
- # Copyright (C) 2005 Red Hat
- # see file 'COPYING' for use and warranty information
- #
-diff --git a/python/semanage/semanage b/python/semanage/semanage
-index b8842d28..1f170f60 100644
---- a/python/semanage/semanage
-+++ b/python/semanage/semanage
-@@ -1,4 +1,4 @@
--#!/usr/bin/python3 -Es
-+#!/usr/bin/python3 -EsI
- # Copyright (C) 2012-2013 Red Hat
- # AUTHOR: Miroslav Grepl <mgrepl@redhat.com>
- # AUTHOR: David Quigley <selinux@davequigley.com>
-diff --git a/python/sepolicy/sepolicy.py b/python/sepolicy/sepolicy.py
-index 8bd6a579..0c1d9641 100755
---- a/python/sepolicy/sepolicy.py
-+++ b/python/sepolicy/sepolicy.py
-@@ -1,4 +1,4 @@
--#!/usr/bin/python3 -Es
-+#!/usr/bin/python3 -EsI
- # Copyright (C) 2012 Red Hat
- # AUTHOR: Dan Walsh <dwalsh@redhat.com>
- # see file 'COPYING' for use and warranty information
--- 
-2.37.3
-

SOURCES/0050-python-Do-not-query-the-local-database-if-the-fconte.patch

@@ -1,65 +0,0 @@
-From f33e40265d192e5d725e7b82e5f14f603e1fba48 Mon Sep 17 00:00:00 2001
-From: James Carter <jwcart2@gmail.com>
-Date: Wed, 19 Oct 2022 14:20:11 -0400
-Subject: [PATCH] python: Do not query the local database if the fcontext is
- non-local
-
-Vit Mojzis reports that an error message is produced when modifying
-a non-local fcontext.
-
-He gives the following example:
-  # semanage fcontext -f f -m -t passwd_file_t /etc/security/opasswd
-  libsemanage.dbase_llist_query: could not query record value (No such file or directory).
-
-When modifying an fcontext, the non-local database is checked for the
-key and then, if it is not found there, the local database is checked.
-If the key doesn't exist, then an error is raised. If the key exists
-then the local database is queried first and, if that fails, the non-
-local database is queried.
-
-The error is from querying the local database when the fcontext is in
-the non-local database.
-
-Instead, if the fcontext is in the non-local database, just query
-the non-local database. Only query the local database if the
-fcontext was found in it.
-
-Reported-by: Vit Mojzis <vmojzis@redhat.com>
-Signed-off-by: James Carter <jwcart2@gmail.com>
----
- python/semanage/seobject.py | 15 +++++++++------
- 1 file changed, 9 insertions(+), 6 deletions(-)
-
-diff --git a/python/semanage/seobject.py b/python/semanage/seobject.py
-index 70ebfd08..0e923a0d 100644
---- a/python/semanage/seobject.py
-+++ b/python/semanage/seobject.py
-@@ -2490,16 +2490,19 @@ class fcontextRecords(semanageRecords):
-         (rc, exists) = semanage_fcontext_exists(self.sh, k)
-         if rc < 0:
-             raise ValueError(_("Could not check if file context for %s is defined") % target)
--        if not exists:
-+        if exists:
-+            try:
-+                (rc, fcontext) = semanage_fcontext_query(self.sh, k)
-+            except OSError:
-+                raise ValueError(_("Could not query file context for %s") % target)
-+        else:
-             (rc, exists) = semanage_fcontext_exists_local(self.sh, k)
-+            if rc < 0:
-+                raise ValueError(_("Could not check if file context for %s is defined") % target)
-             if not exists:
-                 raise ValueError(_("File context for %s is not defined") % target)
--
--        try:
--            (rc, fcontext) = semanage_fcontext_query_local(self.sh, k)
--        except OSError:
-             try:
--                (rc, fcontext) = semanage_fcontext_query(self.sh, k)
-+                (rc, fcontext) = semanage_fcontext_query_local(self.sh, k)
-             except OSError:
-                 raise ValueError(_("Could not query file context for %s") % target)
- 
--- 
-2.37.3
-

SOURCES/0051-python-sepolicy-add-missing-booleans-to-man-pages.patch

@@ -1,112 +0,0 @@
-From f3ddbd8220d9646072c9a4c9ed37f2dff998a53c Mon Sep 17 00:00:00 2001
-From: Vit Mojzis <vmojzis@redhat.com>
-Date: Tue, 10 Jan 2023 11:37:26 +0100
-Subject: [PATCH] python/sepolicy: add missing booleans to man pages
-
-get_bools should return a list of booleans that can affect given type,
-but it did not handle non trivial conditional statements properly
-(returning the whole conditional statement instead of a list of booleans
-in the statement).
-
-e.g. for
-allow httpd_t spamc_t:process transition; [ httpd_can_check_spam && httpd_can_sendmail ]:True
-get_bools used to return [("httpd_can_check_spam && httpd_can_sendmail", False)] instead of
-[("httpd_can_check_spam", False), ("httpd_can_sendmail", False)]
-
-- rename "boolean" in sepolicy rule dictionary to "booleans" to suggest
-  it can contain multiple values and make sure it is populated correctly
-- add "conditional" key to the rule dictionary to accommodate
-  get_conditionals, which requires the whole conditional statement
-- extend get_bools search to dontaudit rules so that it covers booleans
-  like httpd_dontaudit_search_dirs
-
-Note: get_bools uses security_get_boolean_active to get the boolean
-      value, but the value is later used to represent the default.
-      Not ideal, but I'm not aware of a way to get the actual defaults.
-
-Fixes:
-        "sepolicy manpage" generates man pages that are missing booleans
-        which are included in non trivial conditional expressions
-        e.g. httpd_selinux(8) does not include httpd_can_check_spam,
-        httpd_tmp_exec, httpd_unified, or httpd_use_gpg
-
-        This fix, however, also adds some not strictly related booleans
-        to some man pages. e.g. use_nfs_home_dirs and
-        use_samba_home_dirs are added to httpd_selinux(8)
-
-Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
-Acked-by: Jason Zaman <jason@perfinion.com>
----
- python/sepolicy/sepolicy/__init__.py | 21 +++++++++++++--------
- 1 file changed, 13 insertions(+), 8 deletions(-)
-
-diff --git a/python/sepolicy/sepolicy/__init__.py b/python/sepolicy/sepolicy/__init__.py
-index b6ca57c3..0f51174d 100644
---- a/python/sepolicy/sepolicy/__init__.py
-+++ b/python/sepolicy/sepolicy/__init__.py
-@@ -324,7 +324,12 @@ def _setools_rule_to_dict(rule):
-         pass
- 
-     try:
--        d['boolean'] = [(str(rule.conditional), enabled)]
-+        d['booleans'] = [(str(b), b.state) for b in rule.conditional.booleans]
-+    except AttributeError:
-+        pass
-+
-+    try:
-+        d['conditional'] = str(rule.conditional)
-     except AttributeError:
-         pass
- 
-@@ -426,12 +431,12 @@ def get_conditionals(src, dest, tclass, perm):
-                 x['source'] in src_list and
-                 x['target'] in dest_list and
-                 set(perm).issubset(x[PERMS]) and
--                'boolean' in x,
-+                'conditional' in x,
-                 get_all_allow_rules()))
- 
-     try:
-         for i in allows:
--            tdict.update({'source': i['source'], 'boolean': i['boolean']})
-+            tdict.update({'source': i['source'], 'conditional': (i['conditional'], i['enabled'])})
-             if tdict not in tlist:
-                 tlist.append(tdict)
-                 tdict = {}
-@@ -445,10 +450,10 @@ def get_conditionals_format_text(cond):
- 
-     enabled = False
-     for x in cond:
--        if x['boolean'][0][1]:
-+        if x['conditional'][1]:
-             enabled = True
-             break
--    return _("-- Allowed %s [ %s ]") % (enabled, " || ".join(set(map(lambda x: "%s=%d" % (x['boolean'][0][0], x['boolean'][0][1]), cond))))
-+    return _("-- Allowed %s [ %s ]") % (enabled, " || ".join(set(map(lambda x: "%s=%d" % (x['conditional'][0], x['conditional'][1]), cond))))
- 
- 
- def get_types_from_attribute(attribute):
-@@ -703,9 +708,9 @@ def get_boolean_rules(setype, boolean):
-     boollist = []
-     permlist = search([ALLOW], {'source': setype})
-     for p in permlist:
--        if "boolean" in p:
-+        if "booleans" in p:
-             try:
--                for b in p["boolean"]:
-+                for b in p["booleans"]:
-                     if boolean in b:
-                         boollist.append(p)
-             except:
-@@ -1124,7 +1129,7 @@ def get_bools(setype):
-     bools = []
-     domainbools = []
-     domainname, short_name = gen_short_name(setype)
--    for i in map(lambda x: x['boolean'], filter(lambda x: 'boolean' in x and x['source'] == setype, get_all_allow_rules())):
-+    for i in map(lambda x: x['booleans'], filter(lambda x: 'booleans' in x and x['source'] == setype, search([ALLOW, DONTAUDIT]))):
-         for b in i:
-             if not isinstance(b, tuple):
-                 continue
--- 
-2.37.3
-

SOURCES/0052-python-sepolicy-Cache-conditional-rule-queries.patch

@@ -1,73 +0,0 @@
-From 25373db5cac520b85350db91b8a7ed0737d3316c Mon Sep 17 00:00:00 2001
-From: Vit Mojzis <vmojzis@redhat.com>
-Date: Tue, 24 Jan 2023 21:05:05 +0100
-Subject: [PATCH] python/sepolicy: Cache conditional rule queries
-
-Commit 7506771e4b630fe0ab853f96574e039055cb72eb
-"add missing booleans to man pages" dramatically slowed down
-"sepolicy manpage -a" by removing caching of setools rule query.
-Re-add said caching and update the query to only return conditional
-rules.
-
-Before commit 7506771e:
- #time sepolicy manpage -a
- real	1m43.153s
- # time sepolicy manpage -d httpd_t
- real	0m4.493s
-
-After commit 7506771e:
- #time sepolicy manpage -a
- real   1h56m43.153s
- # time sepolicy manpage -d httpd_t
- real	0m8.352s
-
-After this commit:
- #time sepolicy manpage -a
- real	1m41.074s
- # time sepolicy manpage -d httpd_t
- real	0m7.358s
-
-Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
----
- python/sepolicy/sepolicy/__init__.py | 11 ++++++++++-
- 1 file changed, 10 insertions(+), 1 deletion(-)
-
-diff --git a/python/sepolicy/sepolicy/__init__.py b/python/sepolicy/sepolicy/__init__.py
-index 0f51174d..f48231e9 100644
---- a/python/sepolicy/sepolicy/__init__.py
-+++ b/python/sepolicy/sepolicy/__init__.py
-@@ -114,6 +114,7 @@ all_attributes = None
- booleans = None
- booleans_dict = None
- all_allow_rules = None
-+all_bool_rules = None
- all_transitions = None
- 
- 
-@@ -1119,6 +1120,14 @@ def get_all_allow_rules():
-         all_allow_rules = search([ALLOW])
-     return all_allow_rules
- 
-+def get_all_bool_rules():
-+    global all_bool_rules
-+    if not all_bool_rules:
-+        q = setools.TERuleQuery(_pol, boolean=".*", boolean_regex=True,
-+                                ruletype=[ALLOW, DONTAUDIT])
-+        all_bool_rules = [_setools_rule_to_dict(x) for x in q.results()]
-+    return all_bool_rules
-+
- def get_all_transitions():
-     global all_transitions
-     if not all_transitions:
-@@ -1129,7 +1138,7 @@ def get_bools(setype):
-     bools = []
-     domainbools = []
-     domainname, short_name = gen_short_name(setype)
--    for i in map(lambda x: x['booleans'], filter(lambda x: 'booleans' in x and x['source'] == setype, search([ALLOW, DONTAUDIT]))):
-+    for i in map(lambda x: x['booleans'], filter(lambda x: 'booleans' in x and x['source'] == setype, get_all_bool_rules())):
-         for b in i:
-             if not isinstance(b, tuple):
-                 continue
--- 
-2.37.3
-

SOURCES/selinux-autorelabel

@@ -51,9 +51,15 @@ relabel_selinux() {
 	echo $"*** Relabeling could take a very long time, depending on file"
 	echo $"*** system size and speed of hard drives."
 
-	FORCE=`cat /.autorelabel`
-        [ -x "/usr/sbin/quotaoff" ] && /usr/sbin/quotaoff -aug
-	/sbin/fixfiles $FORCE restore
+	OPTS=`cat /.autorelabel`
+	# by default, use as many threads as there are available
+	# another -T X in $OPTS will override the default value
+	OPTS="-T 0 $OPTS"
+
+	[ -x "/usr/sbin/quotaoff" ] && /usr/sbin/quotaoff -aug
+	echo
+	echo $"Running: /sbin/fixfiles $OPTS restore"
+	/sbin/fixfiles $OPTS restore
     fi
 
     rm -f  /.autorelabel

SOURCES/selinux-autorelabel-generator.sh

@@ -18,6 +18,15 @@ fi
 set_target ()
 {
     ln -sf "$unitdir/selinux-autorelabel.target" "$earlydir/default.target"
+    AUTORELABEL="1"
+    source /etc/selinux/config
+    if [ "$AUTORELABEL" = "0" ]; then
+        mkdir -p "$earlydir/selinux-autorelabel.service.d"
+        cat > "$earlydir/selinux-autorelabel.service.d/tty.conf" <<EOF
+[Service]
+StandardInput=tty
+EOF
+    fi
 }
 
 if selinuxenabled; then

SPECS/policycoreutils.spec

@@ -1,8 +1,7 @@
 %global libauditver     3.0
-%global libsepolver     2.9-1
-%global libsemanagever  2.9-7
-%global libselinuxver   2.9-1
-%global sepolgenver     2.9
+%global libsepolver     3.6-1
+%global libsemanagever  3.6-1
+%global libselinuxver   3.6-1
 
 %global generatorsdir %{_prefix}/lib/systemd/system-generators
 
@@ -11,17 +10,11 @@
 
 Summary: SELinux policy core utilities
 Name:    policycoreutils
-Version: 2.9
-Release: 24%{?dist}
-License: GPLv2
+Version: 3.6
+Release: 2.1%{?dist}
+License: GPL-2.0-or-later
 # https://github.com/SELinuxProject/selinux/wiki/Releases
-Source0: https://github.com/SELinuxProject/selinux/releases/download/20190315/policycoreutils-2.9.tar.gz
-Source1: https://github.com/SELinuxProject/selinux/releases/download/20190315/selinux-python-2.9.tar.gz
-Source2: https://github.com/SELinuxProject/selinux/releases/download/20190315/selinux-gui-2.9.tar.gz
-Source3: https://github.com/SELinuxProject/selinux/releases/download/20190315/selinux-sandbox-2.9.tar.gz
-Source4: https://github.com/SELinuxProject/selinux/releases/download/20190315/selinux-dbus-2.9.tar.gz
-Source5: https://github.com/SELinuxProject/selinux/releases/download/20190315/semodule-utils-2.9.tar.gz
-Source6: https://github.com/SELinuxProject/selinux/releases/download/20190315/restorecond-2.9.tar.gz
+Source0: https://github.com/SELinuxProject/selinux/releases/download/3.6/selinux-3.6.tar.gz
 URL:     https://github.com/SELinuxProject/selinux
 Source13: system-config-selinux.png
 Source14: sepolicy-icons.tgz
@@ -30,67 +23,39 @@ Source16: selinux-autorelabel.service
 Source17: selinux-autorelabel-mark.service
 Source18: selinux-autorelabel.target
 Source19: selinux-autorelabel-generator.sh
-Source20: policycoreutils-po.tgz
-Source21: python-po.tgz
-Source22: gui-po.tgz
-Source23: sandbox-po.tgz
-# https://gitlab.cee.redhat.com/SELinux/selinux
-# $ git format-patch -N 20190315 -- policycoreutils python gui sandbox dbus semodule-utils restorecond
+# Drop this when upstream updates translations and the package is rebased
+# wlc --key <apikey> --url https://translate.fedoraproject.org/api/ download selinux/policycoreutils --output ./
+Source20: selinux-policycoreutils.zip
+# wlc --key <apikey> --url https://translate.fedoraproject.org/api/ download selinux/python --output ./
+Source21: selinux-python.zip
+# wlc --key <apikey> --url https://translate.fedoraproject.org/api/ download selinux/gui --output ./
+Source22: selinux-gui.zip
+# wlc --key <apikey> --url https://translate.fedoraproject.org/api/ download selinux/sandbox --output ./
+Source23: selinux-sandbox.zip
+# https://github.com/fedora-selinux/selinux
+# $ git format-patch -N 3.6 -- policycoreutils python gui sandbox dbus semodule-utils restorecond
 # $ for j in [0-9]*.patch; do printf "Patch%s: %s\n" ${j/-*/} $j; done
-Patch0001: 0001-gui-Install-polgengui.py-to-usr-bin-selinux-polgengu.patch
-Patch0002: 0002-gui-Install-.desktop-files-to-usr-share-applications.patch
-Patch0003: 0003-sandbox-add-reset-to-Xephyr-as-it-works-better-with-.patch
-Patch0004: 0004-Fix-STANDARD_FILE_CONTEXT-section-in-man-pages.patch
-Patch0005: 0005-If-there-is-no-executable-we-don-t-want-to-print-a-p.patch
-Patch0006: 0006-Simplication-of-sepolicy-manpage-web-functionality.-.patch
-Patch0007: 0007-We-want-to-remove-the-trailing-newline-for-etc-syste.patch
-Patch0008: 0008-Fix-title-in-manpage.py-to-not-contain-online.patch
-Patch0009: 0009-Don-t-be-verbose-if-you-are-not-on-a-tty.patch
-Patch0010: 0010-sepolicy-Drop-old-interface-file_type_is_executable-.patch
-Patch0011: 0011-sepolicy-Another-small-optimization-for-mcs-types.patch
-Patch0012: 0012-Move-po-translation-files-into-the-right-sub-directo.patch
-Patch0013: 0013-Use-correct-gettext-domains-in-python-gui-sandbox.patch
-Patch0014: 0014-Initial-.pot-files-for-gui-python-sandbox.patch
-# this is too big and it's covered by sources 20 - 23
-# Patch0015: 0015-Update-.po-files-from-fedora.zanata.org.patch
-Patch0016: 0016-policycoreutils-setfiles-Improve-description-of-d-sw.patch
-Patch0017: 0017-sepolicy-generate-Handle-more-reserved-port-types.patch
-Patch0018: 0018-semodule-utils-Fix-RESOURCE_LEAK-coverity-scan-defec.patch
-Patch0019: 0019-sandbox-Use-matchbox-window-manager-instead-of-openb.patch
-Patch0020: 0020-python-Use-ipaddress-instead-of-IPy.patch
-Patch0021: 0021-python-semanage-Do-not-traceback-when-the-default-po.patch
-Patch0022: 0022-policycoreutils-fixfiles-Fix-B-F-onboot.patch
-Patch0023: 0023-policycoreutils-fixfiles-Force-full-relabel-when-SEL.patch
-Patch0024: 0024-policycoreutils-fixfiles-Fix-unbound-variable-proble.patch
-Patch0025: 0025-gui-Fix-remove-module-in-system-config-selinux.patch
-Patch0026: 0026-python-semanage-Do-not-use-default-s0-range-in-seman.patch
-Patch0027: 0027-policycoreutils-fixfiles-Fix-verify-option.patch
-Patch0028: 0028-python-semanage-Improve-handling-of-permissive-state.patch
-Patch0029: 0029-python-semanage-fix-moduleRecords.customized.patch
-Patch0030: 0030-python-semanage-Add-support-for-DCCP-and-SCTP-protoc.patch
-Patch0031: 0031-dbus-Fix-FileNotFoundError-in-org.selinux.relabel_on.patch
-Patch0032: 0032-restorecond-Fix-redundant-console-log-output-error.patch
-Patch0033: 0033-python-semanage-empty-stdout-before-exiting-on-Broke.patch
-Patch0034: 0034-python-semanage-Sort-imports-in-alphabetical-order.patch
-Patch0035: 0035-python-sepolgen-allow-any-policy-statement-in-if-n-d.patch
-Patch0036: 0036-setfiles-Do-not-abort-on-labeling-error.patch
-Patch0037: 0037-setfiles-drop-ABORT_ON_ERRORS-and-related-code.patch
-Patch0038: 0038-policycoreutils-setfiles-Drop-unused-nerr-variable.patch
-Patch0039: 0039-selinux-8-5-Describe-fcontext-regular-expressions.patch
-Patch0040: 0040-policycoreutils-setfiles-do-not-restrict-checks-agai.patch
-Patch0041: 0041-semodule-add-m-checksum-option.patch
-Patch0042: 0042-semodule-Fix-lang_ext-column-index.patch
-Patch0043: 0043-semodule-Don-t-forget-to-munmap-data.patch
-Patch0044: 0044-policycoreutils-Improve-error-message-when-selabel_o.patch
-Patch0045: 0045-semodule-libsemanage-move-module-hashing-into-libsem.patch
-Patch0046: 0046-semodule-add-command-line-option-to-detect-module-ch.patch
-Patch0047: 0047-python-Split-semanage-import-into-two-transactions.patch
-Patch0048: 0048-semodule-rename-rebuild-if-modules-changed-to-refres.patch
-Patch0049: 0049-python-Harden-tools-against-rogue-modules.patch
-Patch0050: 0050-python-Do-not-query-the-local-database-if-the-fconte.patch
-Patch0051: 0051-python-sepolicy-add-missing-booleans-to-man-pages.patch
-Patch0052: 0052-python-sepolicy-Cache-conditional-rule-queries.patch
-
+# Patch list start
+Patch0001: 0001-sandbox-add-reset-to-Xephyr-as-it-works-better-with-.patch
+Patch0002: 0002-Fix-STANDARD_FILE_CONTEXT-section-in-man-pages.patch
+Patch0003: 0003-If-there-is-no-executable-we-don-t-want-to-print-a-p.patch
+Patch0004: 0004-Don-t-be-verbose-if-you-are-not-on-a-tty.patch
+Patch0005: 0005-sepolicy-generate-Handle-more-reserved-port-types.patch
+Patch0006: 0006-sandbox-Use-matchbox-window-manager-instead-of-openb.patch
+Patch0007: 0007-Use-SHA-2-instead-of-SHA-1.patch
+Patch0008: 0008-sepolicy-Drop-old-interface-file_type_is_executable-.patch
+Patch0009: 0009-python-sepolicy-Fix-spec-file-dependencies.patch
+Patch0010: 0010-Revert-Do-not-automatically-install-Russian-translat.patch
+Patch0011: 0011-Revert-semodule-utils-Remove-the-Russian-translation.patch
+Patch0012: 0012-Revert-sandbox-Remove-the-Russian-translations.patch
+Patch0013: 0013-Revert-restorecond-Remove-the-Russian-translations.patch
+Patch0014: 0014-Revert-python-Remove-the-Russian-translations.patch
+Patch0015: 0015-Revert-python-Remove-the-Russian-translations.patch
+Patch0016: 0016-Revert-policycoreutils-Remove-the-Russian-translatio.patch
+Patch0017: 0017-Revert-gui-Remove-the-Russian-translations.patch
+Patch0018: 0018-python-semanage-Allow-modifying-records-on-add.patch
+Patch0019: 0019-python-semanage-Do-not-sort-local-fcontext-definitio.patch
+# Patch list end
 Obsoletes: policycoreutils < 2.0.61-2
 Conflicts: filesystem < 3, selinux-policy-base < 3.13.1-138
 # initscripts < 9.66 shipped fedora-autorelabel services which are renamed to selinux-relabel
@@ -98,12 +63,12 @@ Conflicts: initscripts < 9.66
 Provides: /sbin/fixfiles
 Provides: /sbin/restorecon
 
-BuildRequires: gcc
-BuildRequires: pam-devel libsepol-static >= %{libsepolver} libsemanage-static >= %{libsemanagever} libselinux-devel >= %{libselinuxver}  libcap-devel audit-libs-devel >=  %{libauditver} gettext
+BuildRequires: gcc make
+BuildRequires: pam-devel libsepol-static >= %{libsepolver} libsemanage-devel >= %{libsemanagever} libselinux-devel >= %{libselinuxver}  libcap-devel audit-libs-devel >=  %{libauditver} gettext
 BuildRequires: desktop-file-utils dbus-devel dbus-glib-devel
-BuildRequires: python3-devel
+BuildRequires: python3-devel python3-pip
 BuildRequires: systemd
-BuildRequires: git
+BuildRequires: git-core
 Requires: util-linux grep gawk diffutils rpm sed
 Requires: libsepol >= %{libsepolver} coreutils libselinux-utils >=  %{libselinuxver}
 
@@ -124,26 +89,7 @@ load_policy to load policies, setfiles to label filesystems, newrole
 to switch roles.
 
 %prep -p /usr/bin/bash
-# create selinux/ directory and extract sources
-%autosetup -S git -N -c -n selinux
-%autosetup -S git -N -T -D -a 1 -n selinux
-%autosetup -S git -N -T -D -a 2 -n selinux
-%autosetup -S git -N -T -D -a 3 -n selinux
-%autosetup -S git -N -T -D -a 4 -n selinux
-%autosetup -S git -N -T -D -a 5 -n selinux
-%autosetup -S git -N -T -D -a 6 -n selinux
-
-for i in *; do
-    git mv $i ${i/-%{version}/}
-    git commit -q --allow-empty -a --author 'rpm-build <rpm-build>' -m "$i -> ${i/-%{version}/}"
-done
-
-for i in selinux-*; do
-    git mv $i ${i#selinux-}
-    git commit -q --allow-empty -a --author 'rpm-build <rpm-build>' -m "$i -> ${i#selinux-}"
-done
-
-git am %{_sourcedir}/[0-9]*.patch
+%autosetup -p 1 -n selinux-%{version}
 
 cp %{SOURCE13} gui/
 tar -xvf %{SOURCE14} -C python/sepolicy/
@@ -152,16 +98,20 @@ tar -xvf %{SOURCE14} -C python/sepolicy/
 # For more information see README.translations
 # First remove old translation files
 rm -f policycoreutils/po/*.po python/po/*.po gui/po/*.po sandbox/po/*.po
-tar -x -f %{SOURCE20} -C policycoreutils -z
-tar -x -f %{SOURCE21} -C python -z
-tar -x -f %{SOURCE22} -C gui -z
-tar -x -f %{SOURCE23} -C sandbox -z
+unzip %{SOURCE20}
+cp -r selinux/policycoreutils/po policycoreutils
+unzip %{SOURCE21}
+cp -r selinux/python/po python
+unzip %{SOURCE22}
+cp -r selinux/gui/po gui
+unzip %{SOURCE23}
+cp -r selinux/sandbox/po sandbox
 
-%build
+%Build
 %set_build_flags
 export PYTHON=%{__python3}
 
-make -C policycoreutils LSPP_PRIV=y SBINDIR="%{_sbindir}" LIBDIR="%{_libdir}" SEMODULE_PATH="/usr/sbin" LIBSEPOLA="%{_libdir}/libsepol.a" all
+make -C policycoreutils SBINDIR="%{_sbindir}" LSPP_PRIV=y LIBDIR="%{_libdir}" SEMODULE_PATH="/usr/sbin" LIBSEPOLA="%{_libdir}/libsepol.a" all
 make -C python SBINDIR="%{_sbindir}" LSPP_PRIV=y LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a" all
 make -C gui SBINDIR="%{_sbindir}" LSPP_PRIV=y LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a" all
 make -C sandbox SBINDIR="%{_sbindir}" LSPP_PRIV=y LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a" all
@@ -177,19 +127,19 @@ mkdir -p %{buildroot}%{_mandir}/man5
 mkdir -p %{buildroot}%{_mandir}/man8
 %{__mkdir} -p %{buildroot}/%{_usr}/share/doc/%{name}/
 
-make -C policycoreutils LSPP_PRIV=y  DESTDIR="%{buildroot}" SBINDIR="%{_sbindir}" LIBDIR="%{_libdir}" SEMODULE_PATH="/usr/sbin" LIBSEPOLA="%{_libdir}/libsepol.a" install
+%make_install -C policycoreutils LSPP_PRIV=y SBINDIR="%{_sbindir}" LIBDIR="%{_libdir}" SEMODULE_PATH="/usr/sbin" LIBSEPOLA="%{_libdir}/libsepol.a"
 
-make -C python PYTHON=%{__python3} DESTDIR="%{buildroot}" SBINDIR="%{_sbindir}" LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a" install
+%make_install -C python PYTHON=%{__python3} SBINDIR="%{_sbindir}" LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a"
 
-make -C gui PYTHON=%{__python3} DESTDIR="%{buildroot}" SBINDIR="%{_sbindir}" LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a" install
+%make_install -C gui PYTHON=%{__python3} SBINDIR="%{_sbindir}" LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a"
 
-make -C sandbox PYTHON=%{__python3} DESTDIR="%{buildroot}" SBINDIR="%{_sbindir}" LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a" install
+%make_install -C sandbox PYTHON=%{__python3} SBINDIR="%{_sbindir}" LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a"
 
-make -C dbus PYTHON=%{__python3} DESTDIR="%{buildroot}" SBINDIR="%{_sbindir}" LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a" install
+%make_install -C dbus PYTHON=%{__python3} SBINDIR="%{_sbindir}" LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a"
 
-make -C semodule-utils PYTHON=%{__python3} DESTDIR="%{buildroot}" SBINDIR="%{_sbindir}" LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a" install
+%make_install -C semodule-utils PYTHON=%{__python3} SBINDIR="%{_sbindir}" LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a"
 
-make -C restorecond PYTHON=%{__python3} DESTDIR="%{buildroot}" SBINDIR="%{_sbindir}" LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a" install
+%make_install -C restorecond PYTHON=%{__python3} SBINDIR="%{_sbindir}" LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a"
 
 # Fix perms on newrole so that objcopy can process it
 chmod 0755 %{buildroot}%{_bindir}/newrole
@@ -214,27 +164,6 @@ install -m 644 -p %{SOURCE18} %{buildroot}/%{_unitdir}/
 install -m 755 -p %{SOURCE19} %{buildroot}/%{generatorsdir}/
 install -m 755 -p %{SOURCE15} %{buildroot}/%{_libexecdir}/selinux/
 
-# change /usr/bin/python to %%{__python3} in policycoreutils-python3
-pathfix.py -i "%{__python3} -Es" -p %{buildroot}%{python3_sitelib}
-
-# change /usr/bin/python to %%{__python3} in policycoreutils-python-utils
-pathfix.py -i "%{__python3} -EsI" -p \
-    %{buildroot}%{_sbindir}/semanage \
-    %{buildroot}%{_bindir}/chcat \
-    %{buildroot}%{_bindir}/sandbox \
-    %{buildroot}%{_datadir}/sandbox/start \
-    %{buildroot}%{_bindir}/audit2allow \
-    %{buildroot}%{_bindir}/sepolicy \
-    %{buildroot}%{_bindir}/sepolgen-ifgen \
-    %{buildroot}%{_datadir}/system-config-selinux/system-config-selinux.py \
-    %{buildroot}%{_datadir}/system-config-selinux/selinux_server.py \
-    %nil
-
-# clean up ~ files from pathfix - https://bugzilla.redhat.com/show_bug.cgi?id=1546990
-find %{buildroot}%{python3_sitelib} %{buildroot}%{python3_sitearch} \
-     %{buildroot}%{_sbindir} %{buildroot}%{_bindir} %{buildroot}%{_datadir} \
-     -type f -name '*~' | xargs rm -f
-
 # Manually invoke the python byte compile macro for each path that needs byte
 # compilation.
 %py_byte_compile %{__python3} %{buildroot}%{_datadir}/system-config-selinux
@@ -257,7 +186,6 @@ an SELinux environment.
 %files python-utils
 %{_sbindir}/semanage
 %{_bindir}/chcat
-%{_bindir}/sandbox
 %{_bindir}/audit2allow
 %{_bindir}/audit2why
 %{_mandir}/man1/audit2allow.1*
@@ -267,8 +195,6 @@ an SELinux environment.
 %{_sysconfdir}/dbus-1/system.d/org.selinux.conf
 %{_mandir}/man8/chcat.8*
 %{_mandir}/ru/man8/chcat.8*
-%{_mandir}/man8/sandbox.8*
-%{_mandir}/ru/man8/sandbox.8*
 %{_mandir}/man8/semanage*.8*
 %{_mandir}/ru/man8/semanage*.8*
 %{_datadir}/bash-completion/completions/semanage
@@ -276,7 +202,8 @@ an SELinux environment.
 %package dbus
 Summary:    SELinux policy core DBUS api
 Requires:   python3-policycoreutils = %{version}-%{release}
-Requires:   python3-slip-dbus
+Requires:   python3-gobject-base
+Requires:   polkit
 BuildArch:  noarch
 
 %description dbus
@@ -304,7 +231,8 @@ Requires:python3-libsemanage >= %{libsemanagever} python3-libselinux
 # no python3-audit-libs yet
 Requires:audit-libs-python3 >=  %{libauditver}
 Requires: checkpolicy
-Requires: python3-setools >= 4.1.1
+Requires: python3-setools >= 4.4.0
+Requires: python3-distro
 BuildArch: noarch
 
 %description -n python3-policycoreutils
@@ -335,7 +263,7 @@ by python 3 in an SELinux environment.
 Summary: SELinux policy core policy devel utilities
 Requires: policycoreutils-python-utils = %{version}-%{release}
 Requires: /usr/bin/make dnf
-Requires: selinux-policy-devel
+Requires: (selinux-policy-devel if selinux-policy)
 
 %description devel
 The policycoreutils-devel package contains the management tools use to develop policy in an SELinux environment.
@@ -379,8 +307,11 @@ sandboxes
 %caps(cap_setpcap,cap_setuid,cap_fowner,cap_dac_override,cap_sys_admin,cap_sys_nice=pe) %{_sbindir}/seunshare
 %{_mandir}/man8/seunshare.8*
 %{_mandir}/ru/man8/seunshare.8*
+%{_bindir}/sandbox
 %{_mandir}/man5/sandbox.5*
 %{_mandir}/ru/man5/sandbox.5*
+%{_mandir}/man8/sandbox.8*
+%{_mandir}/ru/man8/sandbox.8*
 
 %package newrole
 Summary: The newrole application for RBAC/MLS
@@ -443,12 +374,14 @@ system-config-selinux is a utility for managing the SELinux environment
 %{_sbindir}/genhomedircon
 %{_sbindir}/setsebool
 %{_sbindir}/semodule
+# symlink to %%{_bindir}/sestatus
 %{_sbindir}/sestatus
 %{_bindir}/secon
 %{_bindir}/semodule_expand
 %{_bindir}/semodule_link
 %{_bindir}/semodule_package
 %{_bindir}/semodule_unpackage
+%{_bindir}/sestatus
 %{_libexecdir}/selinux/hll
 %{_libexecdir}/selinux/selinux-autorelabel
 %{_unitdir}/selinux-autorelabel-mark.service
@@ -491,7 +424,7 @@ system-config-selinux is a utility for managing the SELinux environment
 %dir %{_datadir}/bash-completion
 %{_datadir}/bash-completion/completions/setsebool
 %{!?_licensedir:%global license %%doc}
-%license policycoreutils/COPYING
+%license policycoreutils/LICENSE
 %doc %{_usr}/share/doc/%{name}
 
 %package restorecond
@@ -504,14 +437,16 @@ The policycoreutils-restorecond package contains the restorecond service.
 %files restorecond
 %{_sbindir}/restorecond
 %{_unitdir}/restorecond.service
+%{_userunitdir}/restorecond_user.service
 %config(noreplace) %{_sysconfdir}/selinux/restorecond.conf
 %config(noreplace) %{_sysconfdir}/selinux/restorecond_user.conf
 %{_sysconfdir}/xdg/autostart/restorecond.desktop
 %{_datadir}/dbus-1/services/org.selinux.Restorecond.service
 %{_mandir}/man8/restorecond.8*
 %{_mandir}/ru/man8/restorecond.8*
+
 %{!?_licensedir:%global license %%doc}
-%license policycoreutils/COPYING
+%license policycoreutils/LICENSE
 
 %post
 %systemd_post selinux-autorelabel-mark.service
@@ -529,163 +464,303 @@ The policycoreutils-restorecond package contains the restorecond service.
 %systemd_postun_with_restart restorecond.service
 
 %changelog
-* Wed Feb 15 2023 Vit Mojzis <vmojzis@redhat.com> - 2.9-24
-- Update translations (#2124826)
+* Mon Feb 19 2024 Petr Lautrbach <lautrbach@redhat.com> - 3.6-2.1
+- semanage: Allow modifying records on "add"
+- semanage: Do not sort local fcontext definitions
 
-* Wed Feb 08 2023 Vit Mojzis <vmojzis@redhat.com> - 2.9-23
-- python/sepolicy: Cache conditional rule queries (#2155540)
+* Thu Dec 14 2023 Petr Lautrbach <lautrbach@redhat.com> - 3.6-1
+- SELinux userspace 3.6 release
 
-* Mon Jan 09 2023 Vit Mojzis <vmojzis@redhat.com> - 2.9-22
-- python/sepolicy: add missing booleans to man pages (#2155540)
+* Mon Nov 13 2023 Petr Lautrbach <lautrbach@redhat.com> - 3.0-0.rc1.1
+- SELinux userspace 3.6-rc1 release
 
-* Mon Dec 19 2022 Vit Mojzis <vmojzis@redhat.com> - 2.9-21.1
-- python: Harden tools against "rogue" modules (#2128976)
-- Update "pathfix" arguments to match ^^^ (#2128976)
-- python: Do not query the local database if the fcontext is non-local (#2124825)
+* Mon Oct 30 2023 Petr Lautrbach <lautrbach@redhat.com> - 3.5-3
+- Update translations
+  https://translate.fedoraproject.org/projects/selinux/
 
-* Thu Jul 07 2022 Vit Mojzis <vmojzis@redhat.com> - 2.9-20
+* Tue Jun 27 2023 Petr Lautrbach <lautrbach@redhat.com> - 3.5-2
+- Improve man pages (RHEL-672)
+- Unwrap strings - remove hard returns and initial white spaces from strings (RHEL-606)
+
+* Thu Feb 23 2023 Petr Lautrbach <lautrbach@redhat.com> - 3.5-1
+- SELinux userspace 3.5 release
+
+* Tue Feb 14 2023 Petr Lautrbach <lautrbach@redhat.com> - 3.5-0.rc3.1.1
+- SELinux userspace 3.5-rc3 release
+
+* Wed Feb  8 2023 Petr Lautrbach <lautrbach@redhat.com> - 3.5-0.rc2.3
+- Attach tty to selinux-autorelabel.service when AUTORELABEL=0
+
+* Thu Jan 26 2023 Vit Mojzis <vmojzis@redhat.com> - 3.5-0.rc2.2
+- python/sepolicy: Cache conditional rule queries
+
+* Tue Jan 17 2023 Petr Lautrbach <lautrbach@redhat.com> - 3.5-0.rc2.1
+- SELinux userspace 3.5-rc2 release
+
+* Mon Jan  2 2023 Petr Lautrbach <lautrbach@redhat.com> - 3.5-0.rc1.2
+- SELinux userspace 3.5-rc1 release
+
+* Tue Sep 06 2022 Vit Mojzis <vmojzis@redhat.com> - 3.4-4
+- Update translations (#2062630)
+
+* Mon Aug  8 2022 Petr Lautrbach <plautrba@redhat.com> - 3.4-3
+- Run autorelabel in parallel by default
+  https://fedoraproject.org/wiki/Changes/SELinux_Parallel_Autorelabel
+
+* Mon Jul 18 2022 Petr Lautrbach <plautrba@redhat.com> - 3.4-2
+- gettext: handle unsupported languages properly (#2100378)
+- semodule: rename --rebuild-if-modules-changed to --refresh
 - python: Split "semanage import" into two transactions (#2063353)
-- semodule: rename --rebuild-if-modules-changed to --refresh (#2089802)
 - selinux-autorelabel: Do not force reboot (#2093133)
 
-* Thu Feb 17 2022 Vit Mojzis <vmojzis@redhat.com> - 2.9-19
-- semodule: move module hashing into libsemanage (requires libsemanage-2.9-7)
-- semodule: add command-line option to detect module changes (#2049189)
+* Thu May 19 2022 Petr Lautrbach <plautrba@redhat.com> - 3.4-1
+- SELinux userspace 3.4 release
 
-* Fri Jan 14 2022 Vit Mojzis <vmojzis@redhat.com> - 2.9-18
-- Improve error message when selabel_open fails (#1926511)
+* Tue Feb 15 2022 Petr Lautrbach <plautrba@redhat.com> - 3.3-4.2
+- semodule: add command-line option to detect module changes
 
-* Tue Nov 30 2021 Petr Lautrbach <plautrba@redhat.com> - 2.9-17
+* Tue Feb 15 2022 Petr Lautrbach <plautrba@redhat.com> - 3.3-5
+- Improve error message when selabel_open fails
+
+* Mon Feb 14 2022 Petr Lautrbach <plautrba@redhat.com> - 3.3-3
+- fixfiles: Use parallel relabeling
+
+* Mon Nov 29 2021 Petr Lautrbach <plautrba@redhat.com> - 3.3-2
+- setfiles/restorecon: support parallel relabeling with -T <N> option
 - semodule: add -m | --checksum option
 
-* Thu Sep 16 2021 Vit Mojzis <vmojzis@redhat.com> - 2.9-16
-- Update translations (#1962009)
+* Fri Oct 22 2021 Petr Lautrbach <plautrba@redhat.com> - 3.3-1
+- SELinux userspace 3.3 release
 
-* Mon Jul 19 2021 Vit Mojzis <vmojzis@redhat.com> - 2.9-15
-- setfiles: do not restrict checks against a binary policy (#1973754)
+* Mon Oct 11 2021 Petr Lautrbach <plautrba@redhat.com> - 3.3-0.rc3.1
+- SELinux userspace 3.3-rc3 release
 
-* Tue Mar 09 2021 Vit Mojzis <vmojzis@redhat.com> - 2.9-14
-- Update translations (#1899695)
+* Wed Sep 29 2021 Vit Mojzis <vmojzis@redhat.com> - 3.3-0.rc2.2
+- Update translations (#2003127)
 
-* Mon Feb 22 2021 Vit Mojzis <vmojzis@redhat.com> - 2.9-13
-- selinux(8,5): Describe fcontext regular expressions (#1904059)
+* Wed Sep 29 2021 Petr Lautrbach <plautrba@redhat.com> - 3.3-0.rc2.1
+- SELinux userspace 3.3-rc2 release
 
-* Tue Feb  2 2021 Petr Lautrbach <plautrba@redhat.com> - 2.9-12
-- setfiles: Do not abort on labeling error (#1794518)
+* Tue Aug 10 2021 Mohan Boddu <mboddu@redhat.com> - 3.2-7
+- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
+  Related: rhbz#1991688
 
-* Wed Jan 27 2021 Vit Mojzis <vmojzis@redhat.com> - 2.9-11
-- python/sepolgen: allow any policy statement in if(n)def (#1868717)
+* Tue Aug  3 2021 Petr Lautrbach <plautrba@redhat.com> - 3.2-6
+- Drop forgotten ru/ man pages from -restorecond
 
-* Sat Jan 16 2021 Vit Mojzis <vmojzis@redhat.com> - 2.9-10
-- python/semanage: Sort imports in alphabetical order
-- python/semanage: empty stdout before exiting on BrokenPipeError (#1822100)
+* Fri Jul 30 2021 Petr Lautrbach <plautrba@redhat.com> - 3.2-5
+- Use SHA-2 instead of SHA-1 (#1934964)
+- Fix COPY_PASTE_ERROR (CWE-398)
 
-* Fri Jan 17 2020 Vit Mojzis <vmojzis@redhat.com> - 2.9-9
-- Update translations (#1754978)
+* Thu May 13 2021 Petr Lautrbach <plautrba@redhat.com> - 3.2-4
+- policycoreutils-dbus requires polkit
+- fixfiles: do not exclude /dev and /run in -C mode
+- dbus: use GLib.MainLoop
 
-* Thu Nov 21 2019 Vit Mojzis <vmojzis@redhat.com> - 2.9-8
-- restorecond: Fix redundant console log output error (#1626468)
+* Fri Apr 23 2021 Petr Lautrbach <plautrba@redhat.com> - 3.2-3.1
+- Do not use Python slip (#1949841)
 
-* Tue Nov 19 2019 Petr Lautrbach <plautrba@redhat.com> - 2.9-7
-- dbus: Fix FileNotFoundError in org.selinux.relabel_on_boot (#1754873)
+* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 3.2-2
+- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
 
-* Tue Nov 12 2019 Petr Lautrbach <plautrba@redhat.com> - 2.9-6
-- Configure autorelabel service to output to journal and to console if set (#1766578)
+* Mon Mar  8 2021 Petr Lautrbach <plautrba@redhat.com> - 3.2-1
+- SELinux userspace 3.2 release
 
-* Wed Nov 06 2019 Vit Mojzis <vmojzis@redhat.com> - 2.9-5
-- fixfiles: Fix "verify" option (#1647532)
-- semanage: Improve handling of "permissive" statements (#1417455)
-- semanage: fix moduleRecords.customized()
-- semanage: Add support for DCCP and SCTP protocols (#1563742)
+* Tue Mar 02 2021 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 3.2-0.rc2.1.1
+- Rebuilt for updated systemd-rpm-macros
+  See https://pagure.io/fesco/issue/2583.
 
-* Wed Sep  4 2019 Petr Lautrbach <plautrba@redhat.com> - 2.9-4
-- semanage: Do not use default s0 range in "semanage login -a" (#1554360)
-- gui: Fix remove module in system-config-selinux (#1748763)
+* Fri Feb  5 2021 Petr Lautrbach <plautrba@redhat.com> - 3.2-0.rc2.1
+- SELinux userspace 3.2-rc2 release
 
-* Thu Aug 22 2019 Vit Mojzis <vmojzis@redhat.com> - 2.9-3
-- fixfiles: Fix unbound variable problem (#1743213)
+* Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 3.2-0.rc1.1.1
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
 
-* Tue Jul  2 2019 Petr Lautrbach <plautrba@redhat.com> - 2.9-2
-- Update transition
+* Wed Jan 20 2021 Petr Lautrbach <plautrba@redhat.com> - 3.2-0.rc1.1
+- SELinux userspace 3.2-rc1 release
+
+* Tue Nov 24 2020 Petr Lautrbach <plautrba@redhat.com> - 3.1-8
+- Fix BuildRequires to libsemanage-devel
+
+* Fri Nov 20 2020 Petr Lautrbach <plautrba@redhat.com> - 3.1-7
+- python/sepolicy: allow to override manpage date
+- selinux_config(5): add a note that runtime disable is deprecated
+
+* Mon Nov  9 2020 Petr Lautrbach <plautrba@redhat.com> - 3.1-6
+- Require latest setools
+
+* Fri Oct 30 2020 Petr Lautrbach <plautrba@redhat.com> - 3.1-5
+- Build with libsepol.so.1 and libsemanage.so.2
+- Set X-GNOME-HiddenUnderSystemd=true in restorecond.desktop file
+- fixfiles: correctly restore context of mountpoints
+- sepolgen: print extended permissions in hexadecimal
+
+* Sat Aug 01 2020 Fedora Release Engineering <releng@fedoraproject.org> - 3.1-4
+- Second attempt - Rebuilt for
+  https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 3.1-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Tue Jul 14 2020 Tom Stellard <tstellar@redhat.com> - 3.1-2
+- Use make macros
+- https://fedoraproject.org/wiki/Changes/UseMakeBuildInstallMacro
+
+* Fri Jul 10 2020 Petr Lautrbach <plautrba@redhat.com> - 3.1-1
+- SELinux userspace 3.1 release
+
+* Mon Jun  1 2020 Petr Lautrbach <plautrba@redhat.com> - 3.0-4
+- policycoreutils-dbus requires python3-gobject-base
+
+* Sat May 23 2020 Miro Hrončok <mhroncok@redhat.com> - 3.0-3
+- Rebuilt for Python 3.9
+
+* Thu Jan 30 2020 Fedora Release Engineering <releng@fedoraproject.org> - 3.0-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Fri Dec  6 2019 Petr Lautrbach <plautrba@redhat.com> - 3.0-1
+- SELinux userspace 3.0 release
+
+* Wed Sep  4 2019 Petr Lautrbach <plautrba@redhat.com> - 2.9-7
+- semanage: Do not use default s0 range in "semanage login -a" (#1312283)
+
+* Thu Aug 29 2019 Petr Lautrbach <plautrba@redhat.com> - 2.9-6
+- gui: Fix remove module in system-config-selinux (#1740936)
+
+* Fri Aug 23 2019 Petr Lautrbach <plautrba@redhat.com> - 2.9-5
+- fixfiles: Fix unbound variable problem
+
+* Fri Aug 16 2019 Miro Hrončok <mhroncok@redhat.com> - 2.9-4
+- Rebuilt for Python 3.8
+
+* Mon Aug  5 2019 Petr Lautrbach <plautrba@redhat.com> - 2.9-3
+- Drop python2-policycoreutils
+- Update ru man page translations
 - fixfiles: Fix [-B] [-F] onboot
 
+* Fri Jul 26 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.9-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
 * Mon Mar 18 2019 Petr Lautrbach <plautrba@redhat.com> - 2.9-1
 - SELinux userspace 2.9 release
 
-* Fri Dec 14 2018 Petr Lautrbach <plautrba@redhat.com> - 2.8-16.1
-- semanage: move valid_types initialisations to class constructors
-- semanage: import sepolicy only when it's needed
-- sepolicy: Add sepolicy.load_store_policy(store)
+* Mon Mar 11 2019 Petr Lautrbach <plautrba@redhat.com> - 2.9-0.rc2.1
+- SELinux userspace 2.9-rc2 release
+
+* Sat Feb 02 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.9-0.rc1.1.1
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
+* Fri Jan 25 2019 Petr Lautrbach <plautrba@redhat.com> - 2.9-0.rc1.1
+- SELinux userspace 2.9-rc1 release candidate
+
+* Fri Jan 25 2019 Petr Lautrbach <plautrba@redhat.com> - 2.8-17
+- python2-policycoreutils requires python2-ipaddress (#1669230)
+
+* Tue Jan 22 2019 Petr Lautrbach <plautrba@redhat.com> - 2.8-16
+- restorecond: Install DBUS service file with 644 permissions
+
+* Mon Jan 21 2019 Petr Lautrbach <plautrba@redhat.com> - 2.8-15
+- setsebool: support use of -P on SELinux-disabled hosts
+- sepolicy: initialize mislabeled_files in __init__()
+- audit2allow: use local sepolgen-ifgen-attr-helper for tests
+- audit2allow: allow using audit2why as non-root user
+- audit2allow/sepolgen-ifgen: show errors on stderr
+- audit2allow/sepolgen-ifgen: add missing \n to error message
+- sepolgen: close /etc/selinux/sepolgen.conf after parsing it
+- sepolicy: Make policy files sorting more robust
+- semanage: Load a store policy and set the store SELinux policy root
+
+* Thu Dec 20 2018 Petr Lautrbach <plautrba@redhat.com> - 2.8-14
+- chcat: fix removing categories on users with Fedora default setup
+- semanage: Include MCS/MLS range when exporting local customizations
 - semanage: Start exporting "ibendport" and "ibpkey" entries
+- semanage: do not show "None" levels when using a non-MLS policy
+- sepolicy: Add sepolicy.load_store_policy(store)
+- semanage: import sepolicy only when it's needed
+- semanage: move valid_types initialisations to class constructors
 
-* Wed Dec  5 2018 Petr Lautrbach <plautrba@redhat.com> - 2.8-15
+* Mon Dec 10 2018 Petr Lautrbach <plautrba@redhat.com> - 2.8-13
 - chcat: use check_call instead of getstatusoutput
-- semanage: Use standard argparse.error() method
+- Use matchbox-window-manager instead of openbox
+- Use ipaddress python module instead of IPy
 - semanage: Fix handling of -a/-e/-d/-r options
+- semanage: Use standard argparse.error() method
 
-* Tue Dec  4 2018 Petr Lautrbach <plautrba@redhat.com> - 2.8-14
-- Update translations
-
-* Mon Dec  3 2018 Petr Lautrbach <plautrba@redhat.com> - 2.8-13
-- Use ipaddress module instead of IPy
-
-* Tue Nov 13 2018 Petr Lautrbach <plautrba@redhat.com> - 2.8-12
-- Handle more reserved port types
-- Replace aliases with corresponding type names
-
-* Thu Nov  8 2018 Petr Lautrbach <plautrba@redhat.com> - 2.8-11.1
+* Mon Nov 12 2018 Petr Lautrbach <plautrba@redhat.com> - 2.8-12
+- sepolicy,semanage: replace aliases with corresponding type names
+- sepolicy-generate: Handle more reserved port types
 - Fix RESOURCE_LEAK coverity scan defects
 
-* Thu Oct 25 2018 Petr Lautrbach <plautrba@redhat.com> - 2.8-10
-- sepolicy: Update to work with setools-4.2.0
-- gui: Make all polgen button labels translatable
-
-* Tue Oct 16 2018 Petr Lautrbach <plautrba@redhat.com> - 2.8-9
+* Tue Oct 16 2018 Petr Lautrbach <plautrba@redhat.com> - 2.8-11
 - sepolicy: Fix get_real_type_name to handle query failure properly
-
-* Mon Oct 15 2018 Petr Lautrbach <plautrba@redhat.com> - 2.8-8
 - sepolicy: search() for dontaudit rules as well
 
-* Fri Sep 14 2018 Petr Lautrbach <plautrba@redhat.com> - 2.8-7
-- setfiles: Improve description of -d switch
-- Fix typo in newrole.1 manpage
+* Tue Oct  2 2018 Petr Lautrbach <plautrba@redhat.com> - 2.8-10
+- semanage: "semanage user" does not use -s, fix documentation
+- semanage: add a missing space in ibendport help
+- sepolicy: Update to work with setools-4.2.0
+
+* Fri Sep 14 2018 Petr Lautrbach <plautrba@redhat.com> - 2.8-9
 - semanage: Stop rejecting aliases in semanage commands
 - sepolicy: Stop rejecting aliases in sepolicy commands
 - sepolicy: Fix "info" to search aliases as well
-- sepolgen: fix refpolicy parsing of "permissive"
-- sepolgen: return NotImplemented instead of raising it
-- semanage: fix Python syntax of catching several exceptions
-- semanage: Replace bare except with specific one
-- semanage: Fix logger class definition
-- semanage: Stop logging loginRecords changes
-- add xperms support to audit2allow
-- sepolgen: fix access vector initialization
-- sepolgen: print all AV rules correctly
+- setfiles: Improve description of -d switch
 
-* Thu Sep 13 2018 Petr Lautrbach <plautrba@redhat.com> - 2.8-6.1
+* Wed Sep 12 2018 Petr Lautrbach <plautrba@redhat.com> - 2.8-8
 - Update translations
 
-* Tue Jul 24 2018 Petr Lautrbach <plautrba@redhat.com> - 2.8-5
-- sandbox: Use matchbox-window-manager instead of openbox (#1568295)
+* Tue Sep  4 2018 Petr Lautrbach <plautrba@redhat.com> - 2.8-7
+- Fix typo in newrole.1 manpage
+- sepolgen: print all AV rules correctly
+- sepolgen: fix access vector initialization
+- Add xperms support to audit2allow
+- semanage: Stop logging loginRecords changes
+- semanage: Fix logger class definition
+- semanage: Replace bare except with specific one
+- semanage: fix Python syntax of catching several exceptions
+- sepolgen: return NotImplemented instead of raising it
+- sepolgen: fix refpolicy parsing of "permissive"
 
-* Thu Jul 19 2018 Petr Lautrbach <plautrba@redhat.com> - 2.8-4
+* Mon Aug  6 2018 Petr Lautrbach <plautrba@redhat.com> - 2.8-6
+- Use split translation files
+  https://github.com/fedora-selinux/selinux/issues/43
+
+* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.8-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
+
+* Mon Jul 02 2018 Miro Hrončok <mhroncok@redhat.com> - 2.8-4
+- Rebuilt for Python 3.7
+
+* Mon Jun 18 2018 Petr Lautrbach <plautrba@redhat.com> - 2.8-3
 - selinux-autorelabel: Use plymouth --quit rather then --hide-splash (#1592221)
 - selinux-autorelabel: Increment boot_indeterminate grub environment variable (#1592221)
-- Do not require libcgroup - it's not used anymore
 
-* Tue Jun 26 2018 Petr Lautrbach <plautrba@redhat.com> - 2.8-3
-- Do not use symlinks to enable selinux-autorelabel-mark.service (#1589720)
+* Fri Jun 15 2018 Miro Hrončok <mhroncok@redhat.com> - 2.8-2
+- Rebuilt for Python 3.7
 
-* Wed Jun  6 2018 Petr Lautrbach <plautrba@redhat.com> - 2.8-2
-- Don't build the Python 2 subpackages (#1567354)
-
-* Fri May 25 2018 Petr Lautrbach <plautrba@redhat.com> - 2.8-1.1
+* Fri May 25 2018 Petr Lautrbach <plautrba@redhat.com> - 2.8-1
 - SELinux userspace 2.8 release
 
-* Tue May 22 2018 Petr Lautrbach <plautrba@redhat.com> - 2.7-19
+* Tue May 22 2018 Petr Lautrbach <plautrba@redhat.com> - 2.8-0.rc3.2
 - selinux-autorelabel: set UEFI boot order (BootNext) same as BootCurrent
 - selinux-autorelabel: synchronize cached writes before reboot (#1385272)
 
+* Tue May 15 2018 Petr Lautrbach <plautrba@redhat.com> - 2.8-0.rc3.1
+- SELinux userspace 2.8-rc2 release candidate
+
+* Fri May  4 2018 Petr Lautrbach <plautrba@redhat.com> - 2.8-0.rc2.1
+- SELinux userspace 2.8-rc2 release candidate
+
+* Mon Apr 23 2018 Petr Lautrbach <plautrba@redhat.com> - 2.8-0.rc1.1
+- SELinux userspace 2.8-rc1 release candidate
+
+* Thu Apr 19 2018 Petr Lautrbach <plautrba@redhat.com> - 2.7-20
+- Drop python2 sepolicy gui files from policycoreutils-gui (#1566618)
+
+* Wed Apr 18 2018 Iryna Shcherbina <shcherbina.iryna@gmail.com> - 2.7-19
+- Update Python 2 dependency declarations to new packaging standards
+  (See https://fedoraproject.org/wiki/FinalizingFedoraSwitchtoPython3)
+
 * Tue Apr  3 2018 Petr Lautrbach <plautrba@redhat.com> - 2.7-18
 - Move semodule_* utilities to policycoreutils package (#1562549)