setools-4.4.2-4

- Disable/remove neverallow options in sediff.
- Improve man pages
- seinfoflow: Add -r option to get flows into the source type.
- seinfoflow.1: Remove references to sepolgen permission map.
- AVRule/AVRuleXperm: Treat rules with no permissions as invalid policy.
- SELinuxPolicy: Add explicit cast for libspol message

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2226424

0001-Disable-remove-neverallow-options-in-sediff.patch

@@ -0,0 +1,92 @@
+From edf1a80fa41fa34ad849fbf5098eddd4c5339c18 Mon Sep 17 00:00:00 2001
+From: Petr Lautrbach <lautrbach@redhat.com>
+Date: Tue, 9 May 2023 19:22:01 +0200
+Subject: [PATCH] Disable/remove neverallow options in sediff.
+Content-type: text/plain
+
+Apply change from commit 06335957b701 ("Disable/remove neverallow
+options in frontends.") to sediff
+
+Signed-off-by: Petr Lautrbach <lautrbach@redhat.com>
+---
+ man/ru/sediff.1 |  4 ----
+ man/sediff.1    |  4 ----
+ sediff          | 10 +++++++---
+ 3 files changed, 7 insertions(+), 11 deletions(-)
+
+diff --git a/man/ru/sediff.1 b/man/ru/sediff.1
+index c6bf2939443f..af5d8efcf82c 100644
+--- a/man/ru/sediff.1
++++ b/man/ru/sediff.1
+@@ -57,16 +57,12 @@ sediff \- утилита выявления различий политик SELi
+ Найти различия правил включения журналирования событий.
+ .IP "--dontaudit"
+ Найти различия правил запрета журналирования событий.
+-.IP "--neverallow"
+-Найти различия запрещающих правил.
+ .IP "--allowxperm"
+ Найти различия расширенных разрешительных правил.
+ .IP "--auditallowxperm"
+ Найти различия расширенных правил включения журналирования событий.
+ .IP "--dontauditxperm"
+ Найти различия расширенных правил запрета журналирования событий.
+-.IP "--neverallowxperm"
+-Найти различия расширенных запрещающих правил.
+ .IP "-T, --type_trans"
+ Найти различия правил перехода типов.
+ .IP "--type_member"
+diff --git a/man/sediff.1 b/man/sediff.1
+index ed3b497db2c4..18466d8aeb68 100644
+--- a/man/sediff.1
++++ b/man/sediff.1
+@@ -50,16 +50,12 @@ Find differences in allow rules.
+ Find differences in auditallow rules.
+ .IP "--dontaudit"
+ Find differences in dontaudit rules.
+-.IP "--neverallow"
+-Find differences in neverallow rules.
+ .IP "--allowxperm"
+ Find differences in allowxperm rules.
+ .IP "--auditallowxperm"
+ Find differences in auditallowxperm rules.
+ .IP "--dontauditxperm"
+ Find differences in dontauditxperm rules.
+-.IP "--neverallowxperm"
+-Find differences in neverallowxperm rules.
+ .IP "-T, --type_trans"
+ Find differences in type_transition rules.
+ .IP "--type_member"
+diff --git a/sediff b/sediff
+index b2fef9771f18..a39d6f5c8f57 100755
+--- a/sediff
++++ b/sediff
+@@ -45,12 +45,12 @@ comp.add_argument("--level", action="store_true", help="Print MLS level definiti
+ terule = parser.add_argument_group("type enforcement rule differences")
+ terule.add_argument("-A", action="store_true", help="Print allow and allowxperm rule differences")
+ terule.add_argument("--allow", action="store_true", help="Print allow rule differences")
+-terule.add_argument("--neverallow", action="store_true", help="Print neverallow rule differences")
++# terule.add_argument("--neverallow", action="store_true", help="Print neverallow rule differences")
+ terule.add_argument("--auditallow", action="store_true", help="Print auditallow rule differences")
+ terule.add_argument("--dontaudit", action="store_true", help="Print dontaudit rule differences")
+ terule.add_argument("--allowxperm", action="store_true", help="Print allowxperm rule differences")
+-terule.add_argument("--neverallowxperm", action="store_true",
+-                    help="Print neverallowxperm rule differences")
++# terule.add_argument("--neverallowxperm", action="store_true",
++#                     help="Print neverallowxperm rule differences")
+ terule.add_argument("--auditallowxperm", action="store_true",
+                     help="Print auditallowxperm rule differences")
+ terule.add_argument("--dontauditxperm", action="store_true",
+@@ -97,6 +97,10 @@ other.add_argument("--typebounds", action="store_true", help="Print typebounds d
+ 
+ args = parser.parse_args()
+ 
++# neverallow and neverallowxperm options are disabled
++args.neverallow = False
++args.neverallowxperm = False
++
+ if args.A:
+     args.allow = True
+     args.allowxperm = True
+-- 
+2.41.0
+

0002-Improve-man-pages.patch

@@ -0,0 +1,225 @@
+From 2fea8eb0d4aedbbdca2209ee904eb10df69737b8 Mon Sep 17 00:00:00 2001
+From: Vit Mojzis <vmojzis@redhat.com>
+Date: Thu, 11 May 2023 18:38:21 +0200
+Subject: [PATCH] Improve man pages
+Content-type: text/plain
+
+- Add missing parameters
+- Add examples
+- Fix typos
+
+Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
+---
+ man/sechecker.1  |  6 +++---
+ man/sediff.1     | 12 ++++++++++++
+ man/sedta.1      |  9 +++++++++
+ man/seinfo.1     | 25 +++++++++++++++++++++++++
+ man/seinfoflow.1 |  9 +++++++++
+ man/sesearch.1   | 12 ++++++++++++
+ 6 files changed, 70 insertions(+), 3 deletions(-)
+
+diff --git a/man/sechecker.1 b/man/sechecker.1
+index 507b8615c26f..e32d6d6114ba 100644
+--- a/man/sechecker.1
++++ b/man/sechecker.1
+@@ -81,7 +81,7 @@ A space-separated list of object class criteria for the query.
+ A space-separated list of permissions for the query.
+ 
+ .PP
+-\fBA least one of the above options must be set in this check.\fR
++\fBAt least one of the above options must be set in this check.\fR
+ 
+ .PP
+ Additional Options:
+@@ -123,7 +123,7 @@ The source role criteria for the query.
+ The target role criteria for the query.
+ 
+ .PP
+-\fBA least one of the above options must be set in this check.\fR
++\fBAt least one of the above options must be set in this check.\fR
+ 
+ .PP
+ Additional Options:
+@@ -205,7 +205,7 @@ executable types are read-only.\fR
+ .\}
+ .nf
+ [ro_execs]
+-check_type = empty_typeattr
++check_type = ro_execs
+ desc = Verify that the all executables and libraries are read-only.
+ .fi
+ .if n \{\
+diff --git a/man/sediff.1 b/man/sediff.1
+index 18466d8aeb68..9b189885ff3c 100644
+--- a/man/sediff.1
++++ b/man/sediff.1
+@@ -84,6 +84,10 @@ Find differences in validatetrans rules.
+ Find differences in mlsvalidatetrans rules.
+ 
+ .SS Labeling Statement Differences
++.IP "--ibendportcon"
++Find differences in ibendportcon (InfiniBand endport context) statements.
++.IP "--ibpkeycon"
++Find differences in ibpkeycon (InfiniBand parition key context) statements.
+ .IP "--initialsid"
+ Find differences in initial SID statements.
+ .IP "--fs_use"
+@@ -136,6 +140,14 @@ For example, a class is modified if one or more permissions are added or removed
+ .RE
+ .PP
+ 
++.SH EXAMPLE
++.nf
++Show differences in boolean settings
++# sediff -b /backup/policy.33 /etc/selinux/targeted/policy/policy.33
++Show statistics for allow and allowxperm rule changes (how many rules where added, removed, or modified)
++#sediff -A --stats /backup/policy.33 /etc/selinux/targeted/policy/policy.33
++
++
+ .SH AUTHOR
+ Chris PeBenito <pebenito@ieee.org>
+ 
+diff --git a/man/sedta.1 b/man/sedta.1
+index 1d84d92664e0..d3d21db6f172 100644
+--- a/man/sedta.1
++++ b/man/sedta.1
+@@ -49,6 +49,8 @@ Specify the maximum number of domain transitions to output. The default is unlim
+ A space-separated list of types to exclude from the analysis.
+ 
+ .SS General Options
++.IP "--full"
++Print rule lists for transitions.
+ .IP "--stats"
+ Print domain transition graph statistics at the end of the analysis.
+ .IP "-h, --help"
+@@ -60,6 +62,13 @@ Print additional informational messages.
+ .IP "--debug"
+ Enable debugging output.
+ 
++.SH EXAMPLE
++.nf
++Show the shortest transition paths from httpd_t to unconfined_t, while not using container_runtime_t
++# sedta -s httpd_t -t unconfined_t -S container_runtime_t
++List all domain transition paths shorter than 3 steps from init_t to smbd_t
++# sedta -s init_t -t smbd_t -A 3
++
+ .SH AUTHOR
+ Chris PeBenito <pebenito@ieee.org>
+ 
+diff --git a/man/seinfo.1 b/man/seinfo.1
+index 1adea9868d66..9e7cbde8c06e 100644
+--- a/man/seinfo.1
++++ b/man/seinfo.1
+@@ -56,6 +56,10 @@ There is no expanded information for this component.
+ .IP "--genfscon [FS_TYPE]"
+ Print a list of genfscon statements or, if FS_TYPE is provided, print the statement for the named filesystem type.
+ There is no expanded information for this component.
++.IP "--ibpkeycon [PKEY[-PKEY]]"
++Print a list of InfiniBand parition key contexts.
++.IP "--ibendportcon [NAME]"
++Print a list of InfiniBand endport contexts.
+ .IP "--initialsid [NAME]"
+ Print a list of initial SIDs or, if NAME is provided, print the named initial SID.
+ With \fI-x\fR, print the context assigned to each displayed SID.
+@@ -86,6 +90,18 @@ There is no expanded information for this component.
+ .IP "--all"
+ Print all components.
+ 
++.IP "\fB Xen Component Queries: \fR"
++.IP "--ioportcon"
++Print all ioportcon statements.
++.IP "--iomemcon"
++Print all iomemcon statements.
++.IP "--pcidevicecon"
++Print all pcidevicecon statements.
++.IP "--pirqcon"
++Print all pirqcon statements.
++.IP "--devicetreecon"
++Print all devicetreecon statements.
++
+ .SH OPTIONS
+ .IP "-x, --expand"
+ Print additional details for each component matching the expression.
+@@ -101,6 +117,15 @@ Print additional informational messages.
+ .IP "--debug"
+ Enable debugging output.
+ 
++.SH EXAMPLE
++.nf
++List aliases of and attributes assigned to type httpd_t
++# seinfo -t httpd_t -x
++List all executable types (all types assigned to "exec_type" attribute)
++# seinfo -a exec_type -x
++List all constrains and mlsconstrains for class "file"
++# seinfo --constrain file
++
+ .SH AUTHOR
+ Chris PeBenito <pebenito@ieee.org>
+ 
+diff --git a/man/seinfoflow.1 b/man/seinfoflow.1
+index 2e4a261606bf..75763d6f2378 100644
+--- a/man/seinfoflow.1
++++ b/man/seinfoflow.1
+@@ -54,6 +54,8 @@ A space-separated list of types to exclude from the analysis.
+ Print information flow graph statistics at the end of the analysis.
+ .IP "-h, --help"
+ Print help information and exit.
++.IP "--full"
++Print full rule lists for information flows.
+ .IP "--version"
+ Print version information and exit.
+ .IP "-v, --verbose"
+@@ -61,6 +63,13 @@ Print additional informational messages.
+ .IP "--debug"
+ Enable debugging output.
+ 
++.SH EXAMPLE
++.nf
++Show the shortest paths for process running as httpd_t to access user home files, using permission map from /var/lib/sepolgen/perm_map
++# seinfoflow -m /var/lib/sepolgen/perm_map -s httpd_t -t user_home_t -S
++List all data paths shorter than 3 steps from smbd_t to httpd_log_t, when samba_enable_home_dirs and samba_create_home_dirs booleans are enabled
++# seinfoflow -m /var/lib/sepolgen/perm_map -s smbd_t -t user_home_t -A 3 -b "samba_enable_home_dirs:true,samba_create_home_dirs:true"
++
+ .SH AUTHOR
+ Chris PeBenito <pebenito@ieee.org>
+ 
+diff --git a/man/sesearch.1 b/man/sesearch.1
+index 35f16c4ba33e..edc18346673c 100644
+--- a/man/sesearch.1
++++ b/man/sesearch.1
+@@ -48,6 +48,7 @@ Find type_change rules.
+ Find role allow rules.
+ .IP "--role_trans"
+ Find role_transition rules.
++.IP "Note: TE/MLS rule searches cannot be mixed with RBAC rule searches"
+ 
+ .SS MLS Rule Types
+ .IP "--range_trans"
+@@ -80,6 +81,8 @@ A matching rule must have the specified target attribute/type/role explicitly, i
+ A matching rule must have all specified Booleans, instead of matching any of the specified Boolean.
+ .IP "-ep"
+ A matching rule must have exactly the specified permissions, instead of matching any of the specified permission.
++.IP "-ex"
++A matching rule must have exactly the specified extended permissions, instead of matching any listed extended permission.
+ .IP "-Sp"
+ A matching rule must have permissions where are a superset of the specified permissions, instead of matching any of the permissions.
+ .IP "-rs"
+@@ -103,6 +106,15 @@ Print additional informational messages.
+ .IP "--debug"
+ Enable debugging output.
+ 
++.SH EXAMPLE
++.nf
++List allow (and allowxperm) rules for accessing files labeled container_file_t from domains with attribute container_domain
++# sesearch -A -s container_domain -t container_file_t -c file
++List allow and dontaudit rules for accessing chr_files labeled container_file_t, that are controlled by boolean container_use_devices
++# sesearch -A --dontaudit -t container_file_t -c chr_file -b container_use_devices
++List dontaudit rules assigned via application_domain_type attribute (rules concerning specific types with that attribute are excluded)
++# sesearch --dontaudit -s application_domain_type -ds
++
+ .SH AUTHOR
+ Chris PeBenito <pebenito@ieee.org>
+ 
+-- 
+2.41.0
+

0003-tox.ini-Change-environments-to-use-python-instead-of.patch

@@ -0,0 +1,62 @@
+From 6425b45e2748605b99d4e45b286fbf5bb8e8243e Mon Sep 17 00:00:00 2001
+From: Chris PeBenito <chpebeni@linux.microsoft.com>
+Date: Mon, 17 Jul 2023 16:45:01 -0400
+Subject: [PATCH] tox.ini: Change environments to use "python" instead of "py".
+Content-type: text/plain
+
+Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
+---
+ .github/workflows/tests.yml | 12 ++++++------
+ tox.ini                     |  8 ++++----
+ 2 files changed, 10 insertions(+), 10 deletions(-)
+
+diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
+index eb443ae7f0f7..c3c8d552ca15 100644
+--- a/.github/workflows/tests.yml
++++ b/.github/workflows/tests.yml
+@@ -27,12 +27,12 @@ jobs:
+ 
+       matrix:
+         build-opts:
+-          - {python: '3.6', tox: py36}
+-          - {python: '3.7', tox: py37}
+-          - {python: '3.8', tox: py38}
+-          - {python: '3.9', tox: py39}
+-          - {python: '3.10', tox: py310}
+-          - {python: '3.11', tox: py311}
++          - {python: '3.6', tox: python3.6}
++          - {python: '3.7', tox: python3.7}
++          - {python: '3.8', tox: python3.8}
++          - {python: '3.9', tox: python3.9}
++          - {python: '3.10', tox: python3.10}
++          - {python: '3.11', tox: python3.11}
+           - {python: '3.6', tox: pep8}
+           - {python: '3.6', tox: lint}
+           - {python: '3.6', tox: mypy}
+diff --git a/tox.ini b/tox.ini
+index b2f6b51858e6..a668bb3de425 100644
+--- a/tox.ini
++++ b/tox.ini
+@@ -1,6 +1,6 @@
+ [tox]
+ minversion      = 1.4
+-envlist         = py3, pep8, lint, mypy
++envlist         = python3, pep8, lint, mypy
+ 
+ [pycodestyle]
+ max-line-length = 100
+@@ -53,8 +53,8 @@ passenv         = USERSPACE_SRC
+ deps            = networkx>=2.0
+                   cython>=0.27
+                   pytest
+-                  py38: cython>=0.29.14
+-                  py39: networkx>=2.6
+-                  py39: cython>=0.29.14
++                  python38: cython>=0.29.14
++                  python39: networkx>=2.6
++                  python39: cython>=0.29.14
+ commands_pre    = {envpython} setup.py build_ext -i
+ commands        = pytest tests
+-- 
+2.41.0
+

0004-seinfoflow-Add-r-option-to-get-flows-into-the-source.patch

@@ -0,0 +1,51 @@
+From 8ec295066289cf74df0e3f2c6e068abe503f1121 Mon Sep 17 00:00:00 2001
+From: Chris PeBenito <chpebeni@linux.microsoft.com>
+Date: Wed, 21 Jun 2023 08:56:08 -0400
+Subject: [PATCH] seinfoflow: Add -r option to get flows into the source type.
+Content-type: text/plain
+
+Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
+---
+ man/seinfoflow.1 | 2 ++
+ seinfoflow       | 5 ++++-
+ 2 files changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/man/seinfoflow.1 b/man/seinfoflow.1
+index 75763d6f2378..63c70c0e7b14 100644
+--- a/man/seinfoflow.1
++++ b/man/seinfoflow.1
+@@ -50,6 +50,8 @@ Specify the maximum number of information flows to output. The default is unlimi
+ A space-separated list of types to exclude from the analysis.
+ 
+ .SS General Options
++.IP "-r, --reverse"
++Display information flows into the source type. No effect if a target type is specified.
+ .IP "--stats"
+ Print information flow graph statistics at the end of the analysis.
+ .IP "-h, --help"
+diff --git a/seinfoflow b/seinfoflow
+index 5f4e7642ecf9..9bd1bec41da8 100755
+--- a/seinfoflow
++++ b/seinfoflow
+@@ -42,6 +42,9 @@ alg.add_argument("-A", "--all_paths", type=int, metavar="MAX_STEPS",
+                  help="Calculate all paths, with the specified maximum path length. (Expensive)")
+ 
+ opts = parser.add_argument_group("Analysis options")
++opts.add_argument("-r", "--reverse", action="store_false",
++                  help="Display information flows into the source type. "
++                  "No effect if a target type is specified.")
+ opts.add_argument("-w", "--min_weight", default=3, type=int,
+                   help="Minimum permission weight.  Default is 3.")
+ opts.add_argument("-l", "--limit_flows", default=0, type=int,
+@@ -119,7 +122,7 @@ try:
+ 
+     else:  # single direct info flow
+         flownum = 0
+-        for flownum, flow in enumerate(g.infoflows(args.source), start=1):
++        for flownum, flow in enumerate(g.infoflows(args.source, out=args.reverse), start=1):
+             print("Flow {0}: {1} -> {2}".format(flownum, flow.source, flow.target))
+ 
+             if args.full:
+-- 
+2.41.0
+

0005-seinfoflow.1-Remove-references-to-sepolgen-permissio.patch

@@ -0,0 +1,34 @@
+From 32ebd2c802ca0fcf3b920b298f0d2d8b2972cfa9 Mon Sep 17 00:00:00 2001
+From: Chris PeBenito <chpebeni@linux.microsoft.com>
+Date: Wed, 21 Jun 2023 08:56:53 -0400
+Subject: [PATCH] seinfoflow.1: Remove references to sepolgen permission map.
+Content-type: text/plain
+
+SETools ships with its own so that it is usable on non-SELinux systems.
+
+Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
+---
+ man/seinfoflow.1 | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/man/seinfoflow.1 b/man/seinfoflow.1
+index 63c70c0e7b14..e482520a8b82 100644
+--- a/man/seinfoflow.1
++++ b/man/seinfoflow.1
+@@ -67,10 +67,10 @@ Enable debugging output.
+ 
+ .SH EXAMPLE
+ .nf
+-Show the shortest paths for process running as httpd_t to access user home files, using permission map from /var/lib/sepolgen/perm_map
+-# seinfoflow -m /var/lib/sepolgen/perm_map -s httpd_t -t user_home_t -S
++Show the shortest paths for process running as httpd_t to access user home files, using the default permission map:
++# seinfoflow -s httpd_t -t user_home_t -S
+ List all data paths shorter than 3 steps from smbd_t to httpd_log_t, when samba_enable_home_dirs and samba_create_home_dirs booleans are enabled
+-# seinfoflow -m /var/lib/sepolgen/perm_map -s smbd_t -t user_home_t -A 3 -b "samba_enable_home_dirs:true,samba_create_home_dirs:true"
++# seinfoflow -s smbd_t -t user_home_t -A 3 -b "samba_enable_home_dirs:true,samba_create_home_dirs:true"
+ 
+ .SH AUTHOR
+ Chris PeBenito <pebenito@ieee.org>
+-- 
+2.41.0
+

0006-AVRule-AVRuleXperm-Treat-rules-with-no-permissions-a.patch

@@ -0,0 +1,55 @@
+From 725d224e8dd8af3a5a56c71b9de7936d098cae61 Mon Sep 17 00:00:00 2001
+From: Chris PeBenito <chpebeni@linux.microsoft.com>
+Date: Tue, 16 May 2023 13:21:09 -0400
+Subject: [PATCH] AVRule/AVRuleXperm: Treat rules with no permissions as
+ invalid policy.
+Content-type: text/plain
+
+Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
+---
+ setools/policyrep/terule.pxi | 22 ++++++++++++++++++++++
+ 1 file changed, 22 insertions(+)
+
+diff --git a/setools/policyrep/terule.pxi b/setools/policyrep/terule.pxi
+index 6c869ed08ad9..4f4a95f553bc 100644
+--- a/setools/policyrep/terule.pxi
++++ b/setools/policyrep/terule.pxi
+@@ -120,6 +120,17 @@ cdef class AVRule(BaseTERule):
+         r._conditional = conditional
+         r._conditional_block = conditional_block
+         r.origin = None
++
++        if not r.perms:
++            rule_string = f"{r.ruletype} {r.source} {r.target}:{r.tclass} {{ }};"
++            try:
++                rule_string += f" [ {r.conditional} ]:{r.conditional_block}"
++            except RuleNotConditional:
++                pass
++
++            raise LowLevelPolicyError("Invalid policy: Found a rule with no permissions: "
++                                      f"{rule_string}")
++
+         return r
+ 
+     def __hash__(self):
+@@ -319,6 +330,17 @@ cdef class AVRuleXperm(BaseTERule):
+         r._conditional = conditional
+         r._conditional_block = conditional_block
+         r.origin = None
++
++        if not perms:
++            rule_string = f"{r.ruletype} {r.source} {r.target}:{r.tclass} {r.xperm_type} {{ }};"
++            try:
++                rule_string += f" [ {r.conditional} ]:{r.conditional_block}"
++            except RuleNotConditional:
++                pass
++
++            raise LowLevelPolicyError(
++                f"Invalid policy: Found a rule with no extended permissions: {rule_string}.")
++
+         return r
+ 
+     def __hash__(self):
+-- 
+2.41.0
+

0007-SELinuxPolicy-Add-explicit-cast-for-libspol-message-.patch

@@ -0,0 +1,52 @@
+From fc443b5a0379f3644e071a458e996ea6115ccba3 Mon Sep 17 00:00:00 2001
+From: Chris PeBenito <chpebeni@linux.microsoft.com>
+Date: Mon, 17 Jul 2023 16:08:21 -0400
+Subject: [PATCH] SELinuxPolicy: Add explicit cast for libspol message
+ callback.
+Content-type: text/plain
+
+Cython 3.0 is more strict.  The change fixes this issue:
+
+setools/policyrep/selinuxpolicy.pxi:685:46: Cannot assign type 'void (void *, sepol_handle_t *, const char *, ...) except *' to 'msg_callback'
+
+Additionally, the msg_callback is not typedef-ed in sepol/debug.h, so it must
+be explicitly defined in sepol.pxd for the casting to work.
+
+Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
+---
+ setools/policyrep/selinuxpolicy.pxi | 2 +-
+ setools/policyrep/sepol.pxd         | 4 +++-
+ 2 files changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/setools/policyrep/selinuxpolicy.pxi b/setools/policyrep/selinuxpolicy.pxi
+index 9267a0c43abc..236316f1c6c5 100644
+--- a/setools/policyrep/selinuxpolicy.pxi
++++ b/setools/policyrep/selinuxpolicy.pxi
+@@ -668,7 +668,7 @@ cdef class SELinuxPolicy:
+         if self.sh == NULL:
+             raise MemoryError
+ 
+-        sepol.sepol_msg_set_callback(self.sh, sepol_logging_callback, self.handle)
++        sepol.sepol_msg_set_callback(self.sh, <sepol.msg_callback>sepol_logging_callback, self.handle)
+ 
+         if sepol.sepol_policydb_create(&self.handle) < 0:
+             raise MemoryError
+diff --git a/setools/policyrep/sepol.pxd b/setools/policyrep/sepol.pxd
+index 769498f2c5fd..36589ed1a607 100644
+--- a/setools/policyrep/sepol.pxd
++++ b/setools/policyrep/sepol.pxd
+@@ -16,8 +16,10 @@ cdef extern from "<sepol/handle.h>":
+     void sepol_handle_destroy(sepol_handle_t *sh)
+ 
+ 
++ctypedef void (*msg_callback)(void *varg, sepol_handle_t *handle, const char *fmt, ...)
++
++
+ cdef extern from "<sepol/debug.h>":
+-    ctypedef void (*msg_callback)(void *varg, sepol_handle_t *handle, const char *fmt, ...)
+     void sepol_msg_set_callback(sepol_handle * handle, msg_callback cb, void *cb_arg)
+ 
+ 
+-- 
+2.41.0
+

setools.spec

@@ -3,7 +3,7 @@
 
 Name:           setools
 Version:        4.4.2
-Release:        3%{?dist}
+Release:        4%{?dist}
 Summary:        Policy analysis tools for SELinux
 
 License:        GPL-2.0-only and LGPL-2.1-only
@@ -11,6 +11,14 @@ URL:            https://github.com/SELinuxProject/setools/wiki
 Source0:        https://github.com/SELinuxProject/setools/archive/%{version}.tar.gz
 Source1:        setools.pam
 Source2:        apol.desktop
+Patch0001:      0001-Disable-remove-neverallow-options-in-sediff.patch
+Patch0002:      0002-Improve-man-pages.patch
+Patch0003:      0003-tox.ini-Change-environments-to-use-python-instead-of.patch
+Patch0004:      0004-seinfoflow-Add-r-option-to-get-flows-into-the-source.patch
+Patch0005:      0005-seinfoflow.1-Remove-references-to-sepolgen-permissio.patch
+Patch0006:      0006-AVRule-AVRuleXperm-Treat-rules-with-no-permissions-a.patch
+Patch0007:      0007-SELinuxPolicy-Add-explicit-cast-for-libspol-message-.patch
+
 Obsoletes:      setools < 4.0.0, setools-devel < 4.0.0
 BuildRequires:  flex,  bison
 BuildRequires:  glibc-devel, gcc, git-core
@@ -143,6 +151,14 @@ Python modules designed to facilitate SELinux policy analysis.
 %{_mandir}/ru/man1/apol*
 
 %changelog
+* Wed Jul 26 2023 Petr Lautrbach <lautrbach@redhat.com> - 4.4.2-4
+- Disable/remove neverallow options in sediff.
+- Improve man pages
+- seinfoflow: Add -r option to get flows into the source type.
+- seinfoflow.1: Remove references to sepolgen permission map.
+- AVRule/AVRuleXperm: Treat rules with no permissions as invalid policy.
+- SELinuxPolicy: Add explicit cast for libspol message
+
 * Sat Jul 22 2023 Fedora Release Engineering <releng@fedoraproject.org> - 4.4.2-3
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild