From 4d5984379b6c9e3b4da89c2068dc2d45420a9d72 Mon Sep 17 00:00:00 2001 From: Vit Mojzis Date: Mon, 21 Aug 2023 18:41:29 +0200 Subject: [PATCH] setools-4.3.0-5 - Disable/remove neverallow options in sediff Resolves: rhbz#2184141 --- ...-remove-neverallow-options-in-sediff.patch | 91 +++++++++++++++++++ ...permission-set-creation-for-AVTAB_XP.patch | 4 +- setools.spec | 8 +- 3 files changed, 99 insertions(+), 4 deletions(-) create mode 100644 0004-Disable-remove-neverallow-options-in-sediff.patch rename 0004-AVRuleXperm-Fix-permission-set-creation-for-AVTAB_XP.patch => 0005-AVRuleXperm-Fix-permission-set-creation-for-AVTAB_XP.patch (98%)
diff --git a/0004-Disable-remove-neverallow-options-in-sediff.patch b/0004-Disable-remove-neverallow-options-in-sediff.patch
new file mode 100644
index 0000000..7694428
--- /dev/null
+++ b/0004-Disable-remove-neverallow-options-in-sediff.patch
@@ -0,0 +1,91 @@
+From 158283058160f4ae40d0b215e0ff2e5045de5a28 Mon Sep 17 00:00:00 2001
+From: Petr Lautrbach
+Date: Tue, 9 May 2023 19:22:01 +0200
+Subject: [PATCH] Disable/remove neverallow options in sediff.
+
+Apply change from commit 06335957b701 ("Disable/remove neverallow
+options in frontends.") to sediff
+
+Signed-off-by: Petr Lautrbach
+---
+ man/ru/sediff.1 | 4 ----
+ man/sediff.1 | 4 ----
+ sediff | 10 +++++++---
+ 3 files changed, 7 insertions(+), 11 deletions(-)
+
+diff --git a/man/ru/sediff.1 b/man/ru/sediff.1
+index c6bf293..af5d8ef 100644
+--- a/man/ru/sediff.1
++++ b/man/ru/sediff.1
+@@ -57,16 +57,12 @@ sediff \- утилита выявления различий политик SELi
+ Найти различия правил включения журналирования событий.
+ .IP "--dontaudit"
+ Найти различия правил запрета журналирования событий.
+-.IP "--neverallow"
+-Найти различия запрещающих правил.
+ .IP "--allowxperm"
+ Найти различия расширенных разрешительных правил.
+ .IP "--auditallowxperm"
+ Найти различия расширенных правил включения журналирования событий.
+ .IP "--dontauditxperm"
+ Найти различия расширенных правил запрета журналирования событий.
+-.IP "--neverallowxperm"
+-Найти различия расширенных запрещающих правил.
+ .IP "-T, --type_trans"
+ Найти различия правил перехода типов.
+ .IP "--type_member"
+diff --git a/man/sediff.1 b/man/sediff.1
+index ed3b497..18466d8 100644
+--- a/man/sediff.1
++++ b/man/sediff.1
+@@ -50,16 +50,12 @@ Find differences in allow rules.
+ Find differences in auditallow rules.
+ .IP "--dontaudit"
+ Find differences in dontaudit rules.
+-.IP "--neverallow"
+-Find differences in neverallow rules.
+ .IP "--allowxperm"
+ Find differences in allowxperm rules.
+ .IP "--auditallowxperm"
+ Find differences in auditallowxperm rules.
+ .IP "--dontauditxperm"
+ Find differences in dontauditxperm rules.
+-.IP "--neverallowxperm"
+-Find differences in neverallowxperm rules.
+ .IP "-T, --type_trans"
+ Find differences in type_transition rules.
+ .IP "--type_member"
+diff --git a/sediff b/sediff
+index d31fa3a..93af837 100755
+--- a/sediff
++++ b/sediff
+@@ -57,12 +57,12 @@ comp.add_argument("--level", action="store_true", help="Print MLS level definiti
+ terule = parser.add_argument_group("type enforcement rule differences")
+ terule.add_argument("-A", action="store_true", help="Print allow and allowxperm rule differences")
+ terule.add_argument("--allow", action="store_true", help="Print allow rule differences")
+-terule.add_argument("--neverallow", action="store_true", help="Print neverallow rule differences")
++# terule.add_argument("--neverallow", action="store_true", help="Print neverallow rule differences")
+ terule.add_argument("--auditallow", action="store_true", help="Print auditallow rule differences")
+ terule.add_argument("--dontaudit", action="store_true", help="Print dontaudit rule differences")
+ terule.add_argument("--allowxperm", action="store_true", help="Print allowxperm rule differences")
+-terule.add_argument("--neverallowxperm", action="store_true",
+- help="Print neverallowxperm rule differences")
++# terule.add_argument("--neverallowxperm", action="store_true",
++# help="Print neverallowxperm rule differences")
+ terule.add_argument("--auditallowxperm", action="store_true",
+ help="Print auditallowxperm rule differences")
+ terule.add_argument("--dontauditxperm", action="store_true",
+@@ -109,6 +109,10 @@ other.add_argument("--typebounds", action="store_true", help="Print typebounds d
+
+ args = parser.parse_args()
+
++# neverallow and neverallowxperm options are disabled
++args.neverallow = False
++args.neverallowxperm = False
++
+ if args.A:
+ args.allow = True
+ args.allowxperm = True
+--
+2.41.0
+
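Review bot: Setting `args.neverallow = False` and `args.neverallowxperm = False` after `parse_args()` (the nested `@@ -109,6 +109,10 @@` hunk of `sediff`) only affects code that tests those two attributes, so it is worth confirming that the default run with no selection options, which is decided outside this hunk, no longer compares neverallow rules either. Anyone who uses sediff to check whether neverallow assertions changed between two policies should get the same answer however the tool is invoked. In the `@@ -57,12 +57,12 @@` hunk the two `add_argument` calls are left as commented-out code, and the new comment does not say why the options are gone. Deleting the dead lines and stating the reason would read better, e.g. `# --neverallow/--neverallowxperm are not offered (see commit 06335957b701); attributes pinned to False for code that still reads them` (that later code reads them is presumed, as the script continues past the end of the hunk).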
diff --git a/0004-AVRuleXperm-Fix-permission-set-creation-for-AVTAB_XP.patch b/0005-AVRuleXperm-Fix-permission-set-creation-for-AVTAB_XP.patch
similarity index 98%
rename from 0004-AVRuleXperm-Fix-permission-set-creation-for-AVTAB_XP.patch
rename to 0005-AVRuleXperm-Fix-permission-set-creation-for-AVTAB_XP.patch
index f7a534d..bcab3ac 100644
--- a/0004-AVRuleXperm-Fix-permission-set-creation-for-AVTAB_XP.patch
+++ b/0005-AVRuleXperm-Fix-permission-set-creation-for-AVTAB_XP.patch
@@ -1,4 +1,4 @@
-From e03afa579aa1c450d51a967702994f4e9548a4e0 Mon Sep 17 00:00:00 2001
+From ec4f5e19ea94e42416fda103d94118577eb18b95 Mon Sep 17 00:00:00 2001
 From: Chris PeBenito
 Date: Tue, 30 Aug 2022 13:58:54 -0400
 Subject: [PATCH] AVRuleXperm: Fix permission set creation for
@@ -255,5 +255,5 @@ index 0000000..158a38e
 +nodecon ::1 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff system:object_r:system:low_s:here
 +
 --
-2.40.0
+2.41.0
diff --git a/setools.spec b/setools.spec
index 90919b4..79e08e4 100644
--- a/setools.spec
+++ b/setools.spec
@@ -8,7 +8,7 @@
 Name: setools
 Version: 4.3.0
-Release: 4%{?setools_pre_ver:.%{setools_pre_ver}}%{?dist}
+Release: 5%{?setools_pre_ver:.%{setools_pre_ver}}%{?dist}
 Summary: Policy analysis tools for SELinux
 License: GPLv2
@@ -19,7 +19,8 @@ Source2: apol.desktop
 Patch0001: 0001-Support-old-boolean-names-in-policy-queries.patch
 Patch0002: 0002-Make-seinfo-output-predictable.patch
 Patch0003: 0003-Disable-remove-neverallow-options-in-frontends.patch
-Patch0004: 0004-AVRuleXperm-Fix-permission-set-creation-for-AVTAB_XP.patch
+Patch0004: 0004-Disable-remove-neverallow-options-in-sediff.patch
+Patch0005: 0005-AVRuleXperm-Fix-permission-set-creation-for-AVTAB_XP.patch
 Patch1001: 1001-Do-not-use-Werror-during-build.patch
 Patch1002: 1002-Do-not-export-use-setools.InfoFlowAnalysis-and-setoo.patch
 Patch1003: 1003-Require-networkx-on-package-level.patch
@@ -178,6 +179,9 @@ rm -rf %{buildroot}%{_bindir}/apol %{buildroot}%{python3_sitearch}/setoolsgui \
 %endif
 %changelog
+* Mon Aug 21 2023 Vit Mojzis - 4.3.0-5
+- Disable/remove neverallow options in sediff (#2184141)
+
 * Mon Jun 19 2023 Vit Mojzis - 4.3.0-4
 - Disable/remove neverallow options in frontends (#2184141)
 - AVRuleXperm: Fix permission set creation for AVTAB_XPERMS_IOCTLDRIVER (#2174376)