import setools-4.3.0-2.el8

.gitignore

@@ -1 +1 @@
-SOURCES/4.2.2.tar.gz
+SOURCES/4.3.0.tar.gz

.setools.metadata

@@ -1 +1 @@
-96da818e44293bac44d765453036b624ed573512 SOURCES/4.2.2.tar.gz
+7b4a07a20ecee70da558bfe4ad26edf7eb6ca103 SOURCES/4.3.0.tar.gz

SOURCES/0001-Support-old-boolean-names-in-policy-queries.patch

@@ -0,0 +1,94 @@
+From 97bd46865e12246c00517d1e07aabca530a305ac Mon Sep 17 00:00:00 2001
+From: Vit Mojzis <vmojzis@redhat.com>
+Date: Wed, 17 Jun 2020 13:34:19 +0200
+Subject: [PATCH] Support old boolean names in policy queries
+
+Translate old boolean names based on /etc/selinux/*/booleans.subs_dist
+file. The translation is only attempted when "policy" was not specified
+to avoid influencing queries of policies from other systems.
+
+Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
+---
+ seinfo                        |  6 +++++-
+ sesearch                      |  7 ++++++-
+ setools/policyrep/selinux.pxd |  1 +
+ setools/policyrep/util.pxi    | 22 ++++++++++++++++++++++
+ 4 files changed, 34 insertions(+), 2 deletions(-)
+
+diff --git a/seinfo b/seinfo
+index d2caf7c..bc33e12 100755
+--- a/seinfo
++++ b/seinfo
+@@ -125,7 +125,11 @@ try:
+     if args.boolquery or args.all:
+         q = setools.BoolQuery(p)
+         if isinstance(args.boolquery, str):
+-            q.name = args.boolquery
++            if args.policy:
++                q.name = args.boolquery
++            else:
++                # try to find substitutions for old boolean names
++                q.name = setools.policyrep.lookup_boolean_name_sub(args.boolquery)
+ 
+         components.append(("Booleans", q, lambda x: x.statement()))
+ 
+diff --git a/sesearch b/sesearch
+index c4b1d38..733f3d3 100755
+--- a/sesearch
++++ b/sesearch
+@@ -189,7 +189,12 @@ try:
+             if args.boolean_regex:
+                 q.boolean = args.boolean
+             else:
+-                q.boolean = args.boolean.split(",")
++                if args.policy:
++                    q.boolean = args.boolean.split(",")
++                else:
++                    # try to find substitutions for old boolean names
++                    q.boolean = map(setools.policyrep.lookup_boolean_name_sub,
++                                    args.boolean.split(","))
+ 
+         for r in sorted(q.results()):
+             print(r)
+diff --git a/setools/policyrep/selinux.pxd b/setools/policyrep/selinux.pxd
+index a2e8af0..1686831 100644
+--- a/setools/policyrep/selinux.pxd
++++ b/setools/policyrep/selinux.pxd
+@@ -24,3 +24,4 @@ cdef extern from "<selinux/selinux.h>":
+     bint selinuxfs_exists()
+     const char* selinux_current_policy_path()
+     const char* selinux_binary_policy_path()
++    char* selinux_boolean_sub(const char *boolean_name);
+diff --git a/setools/policyrep/util.pxi b/setools/policyrep/util.pxi
+index 40f21a7..abc7be8 100644
+--- a/setools/policyrep/util.pxi
++++ b/setools/policyrep/util.pxi
+@@ -230,3 +230,25 @@ cdef flatten_list(input_list):
+             ret.append(i)
+ 
+     return ret
++
++
++def lookup_boolean_name_sub(name):
++    """
++    Read the /etc/selinux/TYPE/booleans.subs_dist file looking
++    for a record with 'name'.
++    Return the translated name if a corresponding substitution exists,
++    otherwise return the original name.
++    """
++    cdef:
++        char *_name = selinux.selinux_boolean_sub(name)
++        str new_name = name
++
++    if _name == NULL:
++        raise MemoryError
++    # cast "char *" to "str" and free
++    try:
++        new_name = _name
++    finally:
++        free(_name)
++
++    return new_name
+-- 
+2.25.4
+

SOURCES/1001-Do-not-use-Werror-during-build.patch

@@ -1,7 +1,7 @@
-From 4b3dc6b38abbd32cda557d5ef9ea1383ac5fdcf2 Mon Sep 17 00:00:00 2001
+From 8d98b324fabcad6b09f9c734f79e6da9f9e85786 Mon Sep 17 00:00:00 2001
 From: rpm-build <rpm-build>
 Date: Thu, 23 Feb 2017 08:17:07 +0100
-Subject: [PATCH 2/3] Do not use -Werror during build
+Subject: [PATCH] Do not use -Werror during build
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
@@ -32,10 +32,10 @@ error: command 'gcc' failed with exit status 1
  1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/setup.py b/setup.py
-index c94daf1..a7442ac 100644
+index 457c830..4dcb301 100644
 --- a/setup.py
 +++ b/setup.py
-@@ -105,7 +105,7 @@ ext_py_mods = [Extension('setools.policyrep', ['setools/policyrep.pyx'],
+@@ -106,7 +106,7 @@ ext_py_mods = [Extension('setools.policyrep', ['setools/policyrep.pyx'],
                           libraries=['selinux', 'sepol'],
                           library_dirs=lib_dirs,
                           define_macros=macros,
@@ -45,5 +45,5 @@ index c94daf1..a7442ac 100644
                                               '-Wfloat-equal',
                                               '-Wformat', '-Wformat=2',
 -- 
-2.17.2
+2.25.1
 

SOURCES/1002-Do-not-export-use-setools.InfoFlowAnalysis-and-setoo.patch

@@ -1,7 +1,7 @@
-From b960869bcbcb58f2ce9af598484f209935c096b0 Mon Sep 17 00:00:00 2001
+From 52f5f911c4ae481530a57b6a0dd42067406a9d36 Mon Sep 17 00:00:00 2001
 From: Vit Mojzis <vmojzis@redhat.com>
 Date: Fri, 26 Apr 2019 15:27:25 +0200
-Subject: [PATCH 3/3] Do not export/use setools.InfoFlowAnalysis and
+Subject: [PATCH] Do not export/use setools.InfoFlowAnalysis and
  setools.DomainTransitionAnalysis
 
 dta and infoflow modules require networkx which brings lot of dependencies.
@@ -44,7 +44,7 @@ index 60861ca..41e38a2 100755
      if args.shortest_path or args.all_paths:
          if args.shortest_path:
 diff --git a/seinfoflow b/seinfoflow
-index 97b14ba..e7f965d 100755
+index f10c39d..fee749a 100755
 --- a/seinfoflow
 +++ b/seinfoflow
 @@ -17,7 +17,7 @@
@@ -56,20 +56,20 @@ index 97b14ba..e7f965d 100755
  import argparse
  import sys
  import logging
-@@ -81,7 +81,7 @@ else:
+@@ -101,7 +101,7 @@ elif args.booleans is not None:
  try:
      p = setools.SELinuxPolicy(args.policy)
      m = setools.PermissionMap(args.map)
--    g = setools.InfoFlowAnalysis(p, m, min_weight=args.min_weight, exclude=args.exclude)
-+    g = setools.infoflow.InfoFlowAnalysis(p, m, min_weight=args.min_weight, exclude=args.exclude)
+-    g = setools.InfoFlowAnalysis(p, m, min_weight=args.min_weight, exclude=args.exclude,
++    g = setools.infoflow.InfoFlowAnalysis(p, m, min_weight=args.min_weight, exclude=args.exclude,
+                                  booleans=booleans)
  
      if args.shortest_path or args.all_paths:
-         if args.shortest_path:
 diff --git a/setools/__init__.py b/setools/__init__.py
-index 7b70f5e..5a5f7fe 100644
+index 26fa5aa..b7e51c4 100644
 --- a/setools/__init__.py
 +++ b/setools/__init__.py
-@@ -73,12 +73,8 @@ from .pcideviceconquery import PcideviceconQuery
+@@ -75,12 +75,8 @@ from .pcideviceconquery import PcideviceconQuery
  from .devicetreeconquery import DevicetreeconQuery
  
  # Information Flow Analysis
@@ -135,5 +135,5 @@ index aa0e44a..fca2848 100644
  from setools.exception import InvalidType
  from setools.permmap import PermissionMap
 -- 
-2.17.2
+2.25.1
 

SOURCES/1003-Require-networkx-on-package-level.patch

@@ -0,0 +1,24 @@
+From 67067b6df7139cc38cf33d3cb2c66434cf4e89e4 Mon Sep 17 00:00:00 2001
+From: Petr Lautrbach <plautrba@redhat.com>
+Date: Thu, 2 Apr 2020 16:06:14 +0200
+Subject: [PATCH] Require networkx on package level
+
+It allows us to ship python3-setools without dependency on python3-networkx
+---
+ setup.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/setup.py b/setup.py
+index 4dcb301..9333e0c 100644
+--- a/setup.py
++++ b/setup.py
+@@ -170,5 +170,5 @@ setup(name='setools',
+       # setup also requires libsepol and libselinux
+       # C libraries and headers to compile.
+       setup_requires=['setuptools', 'Cython>=0.27'],
+-      install_requires=['setuptools', 'networkx>=2.0']
++      install_requires=['setuptools']
+       )
+-- 
+2.25.1
+

SOURCES/1004-Do-not-use-NoteNotFound-as-it-s-not-implemented-in-n.patch

@@ -1,4 +1,4 @@
-From acfb532e781d600271e5ab1ebc5d9d6d6ea3a7f8 Mon Sep 17 00:00:00 2001
+From d249ea3316fcfaa203055d2b1f2c52423216e7e7 Mon Sep 17 00:00:00 2001
 From: Petr Lautrbach <plautrba@redhat.com>
 Date: Tue, 30 Jul 2019 17:13:44 +0200
 Subject: [PATCH] Do not use NoteNotFound as it's not implemented in networkx-1
@@ -49,7 +49,7 @@ index 3239d2d..e15d8b8 100644
              # NetworkXNoPath: no paths or the target type is
              # not in the graph
 diff --git a/setools/infoflow.py b/setools/infoflow.py
-index 1b88efa..4fbe682 100644
+index 579e064..89e5c8e 100644
 --- a/setools/infoflow.py
 +++ b/setools/infoflow.py
 @@ -21,7 +21,7 @@ import logging
@@ -60,8 +60,8 @@ index 1b88efa..4fbe682 100644
 +from networkx.exception import NetworkXError, NetworkXNoPath
  
  from .descriptors import EdgeAttrIntMax, EdgeAttrList
- from .policyrep import TERuletype
-@@ -118,7 +118,7 @@ class InfoFlowAnalysis:
+ from .exception import RuleNotConditional
+@@ -124,7 +124,7 @@ class InfoFlowAnalysis:
          self.log.info("Generating one shortest information flow path from {0} to {1}...".
                        format(s, t))
  
@@ -70,7 +70,7 @@ index 1b88efa..4fbe682 100644
              # NodeNotFound: the type is valid but not in graph, e.g.
              # excluded or disconnected due to min weight
              # NetworkXNoPath: no paths or the target type is
-@@ -157,7 +157,7 @@ class InfoFlowAnalysis:
+@@ -163,7 +163,7 @@ class InfoFlowAnalysis:
          self.log.info("Generating all information flow paths from {0} to {1}, max length {2}...".
                        format(s, t, maxlen))
  
@@ -79,7 +79,7 @@ index 1b88efa..4fbe682 100644
              # NodeNotFound: the type is valid but not in graph, e.g.
              # excluded or disconnected due to min weight
              # NetworkXNoPath: no paths or the target type is
-@@ -191,7 +191,7 @@ class InfoFlowAnalysis:
+@@ -197,7 +197,7 @@ class InfoFlowAnalysis:
          self.log.info("Generating all shortest information flow paths from {0} to {1}...".
                        format(s, t))
  
@@ -89,5 +89,5 @@ index 1b88efa..4fbe682 100644
              # excluded or disconnected due to min weight
              # NetworkXNoPath: no paths or the target type is
 -- 
-2.22.0
+2.25.1
 

SPECS/setools.spec

@@ -7,7 +7,7 @@
 %bcond_without     networkx
 
 Name:           setools
-Version:        4.2.2
+Version:        4.3.0
 Release:        2%{?setools_pre_ver:.%{setools_pre_ver}}%{?dist}
 Summary:        Policy analysis tools for SELinux
 
@@ -16,9 +16,11 @@ URL:            https://github.com/SELinuxProject/setools/wiki
 Source0:        https://github.com/SELinuxProject/setools/archive/%{version}%{?setools_pre_ver:-%{setools_pre_ver}}.tar.gz
 Source1:        setools.pam
 Source2:        apol.desktop
+Patch0001:      0001-Support-old-boolean-names-in-policy-queries.patch
 Patch1001:      1001-Do-not-use-Werror-during-build.patch
 Patch1002:      1002-Do-not-export-use-setools.InfoFlowAnalysis-and-setoo.patch
-Patch1003:      1003-Do-not-use-NoteNotFound-as-it-s-not-implemented-in-n.patch
+Patch1003:      1003-Require-networkx-on-package-level.patch
+Patch1004:      1004-Do-not-use-NoteNotFound-as-it-s-not-implemented-in-n.patch
 
 Obsoletes:      setools < 4.0.0, setools-devel < 4.0.0
 BuildRequires:  flex,  bison
@@ -32,7 +34,11 @@ BuildRequires:  python3-setuptools
 BuildRequires:  libselinux-devel
 
 # BuildArch:      
-Requires:       python3-%{name} = %{version}-%{release}
+Requires:       %{name}-console = %{version}-%{release}
+%if %{with networkx}
+Requires:       %{name}-console-analyses = %{version}-%{release}
+Requires:       %{name}-gui = %{version}-%{release}
+%endif
 
 %description
 SETools is a collection of graphical tools, command-line tools, and
@@ -121,9 +127,9 @@ Python modules designed to facilitate SELinux policy analysis.
 
 %if %{without networkx}
 rm -f %{buildroot}%{_bindir}/sedta %{buildroot}%{_bindir}/seinfoflow \
-  %{buildroot}%{_mandir}/man1/sedta* %{buildroot}%{_mandir}/man1/sedinfoflow*
+  %{buildroot}%{_mandir}*/man1/sedta* %{buildroot}%{_mandir}*/man1/sedinfoflow* \
 rm -rf %{buildroot}%{_bindir}/apol %{buildroot}%{python3_sitearch}/setoolsgui \
-  %{buildroot}%{_mandir}/man1/apol*
+  %{buildroot}%{_mandir}*/man1/apol*
 %endif
 
 %check
@@ -141,6 +147,9 @@ rm -rf %{buildroot}%{_bindir}/apol %{buildroot}%{python3_sitearch}/setoolsgui \
 %{_mandir}/man1/sediff*
 %{_mandir}/man1/seinfo*
 %{_mandir}/man1/sesearch*
+%{_mandir}/ru/man1/sediff*
+%{_mandir}/ru/man1/seinfo*
+%{_mandir}/ru/man1/sesearch*
 
 %if %{with networkx}
 %files console-analyses
@@ -148,6 +157,8 @@ rm -rf %{buildroot}%{_bindir}/apol %{buildroot}%{python3_sitearch}/setoolsgui \
 %{_bindir}/seinfoflow
 %{_mandir}/man1/sedta*
 %{_mandir}/man1/seinfoflow*
+%{_mandir}/ru/man1/sedta*
+%{_mandir}/ru/man1/seinfoflow*
 %endif
 
 %files -n python3-setools
@@ -160,9 +171,26 @@ rm -rf %{buildroot}%{_bindir}/apol %{buildroot}%{python3_sitearch}/setoolsgui \
 %{_bindir}/apol
 %{python3_sitearch}/setoolsgui
 %{_mandir}/man1/apol*
+%{_mandir}/ru/man1/apol*
 %endif
 
 %changelog
+* Tue Jun 30 2020 Vit Mojzis <vmojzis@redhat.com> - 4.3.0-2
+- Support old boolean names in policy queries (#1595572, #1581848)
+
+* Fri Apr 03 2020 Vit Mojzis <vmojzis@redhat.com> - 4.3.0-1
+- SETools 4.3.0 release (#1820079)
+- Revised sediff method for TE rules. This drastically reduced memory and run time.
+- Added infiniband context support to seinfo, sediff, and apol.
+- Added apol configuration for location of Qt assistant.
+- Fixed sediff issue where properties header would display when not requested.
+- Fixed sediff issue with type_transition file name comparison.
+- Fixed permission map socket sendto information flow direction.
+- Added methods to TypeAttribute class to make it a complete Python collection.
+- Genfscon now will look up classes rather than using fixed values which
+  were dropped from libsepol.
+- setools requires -console, -console-analyses and -gui packages (#1820078)
+
 * Sat Nov 30 2019 Petr Lautrbach <plautrba@redhat.com> - 4.2.2-2
 - Build setools-console-analyses and setools-gui (#1731519)