
No commits in common. "c8" and "c10s" have entirely different histories.
c8 ... c10s

40 changed files with 711 additions and 1043 deletions

1
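--- a/.fmf/version
+++ b/.fmf/version
@@ -0,0 +1 @@
+1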

21
.gitignore vendored

@ -1 +1,20 @@
SOURCES/4.3.0.tar.gz setools-3.3.7.tar.bz2
setools-3.3.8.tar.bz2
setools-3.3.8-f1e5b20.tar.bz2
/4.1.0.tar.gz
/4.1.1.tar.gz
/4.2.0-beta.tar.gz
/4.2.0-rc.tar.gz
/4.2.0.tar.gz
/4.2.1.tar.gz
/4.2.2.tar.gz
/4.3.0.tar.gz
/05e90ee.tar.gz
/16c0696.tar.gz
/4.4.0.tar.gz
/4.4.1.tar.gz
/4.4.2.tar.gz
/4.4.3.tar.gz
/4.4.4.tar.gz
/4.5.0.tar.gz
/4.5.1.tar.gz


@ -1 +0,0 @@
7b4a07a20ecee70da558bfe4ad26edf7eb6ca103 SOURCES/4.3.0.tar.gz


@ -1,94 +0,0 @@
From 97bd46865e12246c00517d1e07aabca530a305ac Mon Sep 17 00:00:00 2001
From: Vit Mojzis <vmojzis@redhat.com>
Date: Wed, 17 Jun 2020 13:34:19 +0200
Subject: [PATCH] Support old boolean names in policy queries
Translate old boolean names based on /etc/selinux/*/booleans.subs_dist
file. The translation is only attempted when "policy" was not specified
to avoid influencing queries of policies from other systems.
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
---
seinfo | 6 +++++-
sesearch | 7 ++++++-
setools/policyrep/selinux.pxd | 1 +
setools/policyrep/util.pxi | 22 ++++++++++++++++++++++
4 files changed, 34 insertions(+), 2 deletions(-)
diff --git a/seinfo b/seinfo
index d2caf7c..bc33e12 100755
--- a/seinfo
+++ b/seinfo
@@ -125,7 +125,11 @@ try:
if args.boolquery or args.all:
q = setools.BoolQuery(p)
if isinstance(args.boolquery, str):
- q.name = args.boolquery
+ if args.policy:
+ q.name = args.boolquery
+ else:
+ # try to find substitutions for old boolean names
+ q.name = setools.policyrep.lookup_boolean_name_sub(args.boolquery)
components.append(("Booleans", q, lambda x: x.statement()))
diff --git a/sesearch b/sesearch
index c4b1d38..733f3d3 100755
--- a/sesearch
+++ b/sesearch
@@ -189,7 +189,12 @@ try:
if args.boolean_regex:
q.boolean = args.boolean
else:
- q.boolean = args.boolean.split(",")
+ if args.policy:
+ q.boolean = args.boolean.split(",")
+ else:
+ # try to find substitutions for old boolean names
+ q.boolean = map(setools.policyrep.lookup_boolean_name_sub,
+ args.boolean.split(","))
for r in sorted(q.results()):
print(r)
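Review bot: In the new `else` branch of the sesearch hunk, `q.boolean` is assigned a `map` object, which under Python 3 is a one-shot iterator rather than a list like the `split(",")` result used when `--policy` is given. Whether the query's `boolean` setter materialises it is not visible here; if it is iterated more than once, the second pass sees nothing and the boolean filter would silently match less than intended. A list keeps both branches the same type: `q.boolean = [setools.policyrep.lookup_boolean_name_sub(b) for b in args.boolean.split(",")]`. The enclosing `try:` block starts and ends outside the hunk.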
diff --git a/setools/policyrep/selinux.pxd b/setools/policyrep/selinux.pxd
index a2e8af0..1686831 100644
--- a/setools/policyrep/selinux.pxd
+++ b/setools/policyrep/selinux.pxd
@@ -24,3 +24,4 @@ cdef extern from "<selinux/selinux.h>":
bint selinuxfs_exists()
const char* selinux_current_policy_path()
const char* selinux_binary_policy_path()
+ char* selinux_boolean_sub(const char *boolean_name);
diff --git a/setools/policyrep/util.pxi b/setools/policyrep/util.pxi
index 40f21a7..abc7be8 100644
--- a/setools/policyrep/util.pxi
+++ b/setools/policyrep/util.pxi
@@ -230,3 +230,25 @@ cdef flatten_list(input_list):
ret.append(i)
return ret
+
+
+def lookup_boolean_name_sub(name):
+ """
+ Read the /etc/selinux/TYPE/booleans.subs_dist file looking
+ for a record with 'name'.
+ Return the translated name if a corresponding substitution exists,
+ otherwise return the original name.
+ """
+ cdef:
+ char *_name = selinux.selinux_boolean_sub(name)
+ str new_name = name
+
+ if _name == NULL:
+ raise MemoryError
+ # cast "char *" to "str" and free
+ try:
+ new_name = _name
+ finally:
+ free(_name)
+
+ return new_name
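Review bot: `lookup_boolean_name_sub` relies on implicit conversions in both directions: the Python `name` is passed straight to a `const char *` parameter and the returned `char *` is assigned to a `str`. Nothing in the hunk shows the `c_string_type`/`c_string_encoding` directives or the `free` cimport this needs, so they are presumably set elsewhere in the module. Because `name` arrives unmodified from the seinfo/sesearch command line, a value that cannot be encoded under that setting (or `None`) would fail inside the conversion rather than with a clear message. The docstring should state the contract, for example `Raises MemoryError if libselinux returns NULL; name must be encodable with the module's c_string_encoding.`, and say that the lookup reads the running host's booleans.subs_dist, which is why callers skip it when an explicit policy is given.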
--
2.25.4


@ -1,90 +0,0 @@
From 4e6f6c95cfe7ca4a3a9d9e0dbd6e23e4bac2449c Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <plautrba@redhat.com>
Date: Thu, 18 Nov 2021 13:59:08 +0100
Subject: [PATCH] Make seinfo output predictable
There are few places where frozenset is used. Given that frozenset is an unordered
collection the output generated from this is unpredictable.
The following command outputs are fixed using sorted() on frozensets:
seinfo --constrain
seinfo --common
seinfo -c -x
seinfo -r -x
seinfo -u -x
Fixes: https://github.com/SELinuxProject/setools/issues/65
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
---
setools/policyrep/constraint.pxi | 2 +-
setools/policyrep/objclass.pxi | 4 ++--
setools/policyrep/role.pxi | 2 +-
setools/policyrep/user.pxi | 2 +-
4 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/setools/policyrep/constraint.pxi b/setools/policyrep/constraint.pxi
index d5221a1..77c3e2e 100644
--- a/setools/policyrep/constraint.pxi
+++ b/setools/policyrep/constraint.pxi
@@ -66,7 +66,7 @@ cdef class Constraint(BaseConstraint):
def statement(self):
if len(self.perms) > 1:
- perms = "{{ {0} }}".format(' '.join(self.perms))
+ perms = "{{ {0} }}".format(' '.join(sorted(self.perms)))
else:
# convert to list since sets cannot be indexed
perms = list(self.perms)[0]
diff --git a/setools/policyrep/objclass.pxi b/setools/policyrep/objclass.pxi
index b7ec7b7..8ed2be5 100644
--- a/setools/policyrep/objclass.pxi
+++ b/setools/policyrep/objclass.pxi
@@ -75,7 +75,7 @@ cdef class Common(PolicySymbol):
return other in self.perms
def statement(self):
- return "common {0}\n{{\n\t{1}\n}}".format(self, '\n\t'.join(self.perms))
+ return "common {0}\n{{\n\t{1}\n}}".format(self, '\n\t'.join(sorted(self.perms)))
cdef class ObjClass(PolicySymbol):
@@ -204,7 +204,7 @@ cdef class ObjClass(PolicySymbol):
# a class that inherits may not have additional permissions
if len(self.perms) > 0:
- stmt += "{{\n\t{0}\n}}".format('\n\t'.join(self.perms))
+ stmt += "{{\n\t{0}\n}}".format('\n\t'.join(sorted(self.perms)))
return stmt
diff --git a/setools/policyrep/role.pxi b/setools/policyrep/role.pxi
index 9a0dd39..3af8a3f 100644
--- a/setools/policyrep/role.pxi
+++ b/setools/policyrep/role.pxi
@@ -58,7 +58,7 @@ cdef class Role(PolicySymbol):
if count == 1:
stmt += " types {0}".format(types[0])
else:
- stmt += " types {{ {0} }}".format(' '.join(types))
+ stmt += " types {{ {0} }}".format(' '.join(sorted(types)))
stmt += ";"
return stmt
diff --git a/setools/policyrep/user.pxi b/setools/policyrep/user.pxi
index 9c82aa9..e37af29 100644
--- a/setools/policyrep/user.pxi
+++ b/setools/policyrep/user.pxi
@@ -81,7 +81,7 @@ cdef class User(PolicySymbol):
if count == 1:
stmt += roles[0]
else:
- stmt += "{{ {0} }}".format(' '.join(roles))
+ stmt += "{{ {0} }}".format(' '.join(sorted(roles)))
if self._level:
stmt += " level {0.mls_level} range {0.mls_range};".format(self)
--
2.30.2


@ -1,114 +0,0 @@
From 92b692452d07d67b1d901baf36798cab8e36077a Mon Sep 17 00:00:00 2001
From: Chris PeBenito <chpebeni@linux.microsoft.com>
Date: Mon, 3 Apr 2023 09:13:31 -0400
Subject: [PATCH] Disable/remove neverallow options in frontends.
These rules are not available in the binary policy. Keep library support in
case this changes in the future.
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
---
man/ru/sesearch.1 | 4 ----
man/sesearch.1 | 4 ----
sesearch | 12 ++++++------
setoolsgui/apol/terulequery.ui | 12 ++++++++++++
4 files changed, 18 insertions(+), 14 deletions(-)
diff --git a/man/ru/sesearch.1 b/man/ru/sesearch.1
index df6f449..2f86f9c 100644
--- a/man/ru/sesearch.1
+++ b/man/ru/sesearch.1
@@ -35,16 +35,12 @@ sesearch \- утилита опроса политики SELinux
Найти правила включения журналирования событий.
.IP "--dontaudit"
Найти правила запрета журналирования событий.
-.IP "--neverallow"
-Найти запрещающие правила.
.IP "--allowxperm"
Найти расширенные разрешительные правила.
.IP "--auditallowxperm"
Найти расширенные правила включения журналирования событий.
.IP "--dontauditxperm"
Найти расширенные правила запрета журналирования событий.
-.IP "--neverallowxperm"
-Найти расширенные запрещающие правила.
.IP "-T, --type_trans"
Найти правила перехода типов.
.IP "--type_member"
diff --git a/man/sesearch.1 b/man/sesearch.1
index 65eebf9..97e9110 100644
--- a/man/sesearch.1
+++ b/man/sesearch.1
@@ -30,16 +30,12 @@ Find allow rules.
Find auditallow rules.
.IP "--dontaudit"
Find dontaudit rules.
-.IP "--neverallow"
-Find neverallow rules.
.IP "--allowxperm"
Find allowxperm rules.
.IP "--auditallowxperm"
Find auditallowxperm rules.
.IP "--dontauditxperm"
Find dontauditxperm rules.
-.IP "--neverallowxperm"
-Find neverallowxperm rules.
.IP "-T, --type_trans"
Find type_transition rules.
.IP "--type_member"
diff --git a/sesearch b/sesearch
index 733f3d3..7caa41d 100755
--- a/sesearch
+++ b/sesearch
@@ -54,12 +54,12 @@ rtypes.add_argument("--dontaudit", action="append_const",
rtypes.add_argument("--dontauditxperm", action="append_const",
const=setools.TERuletype.dontauditxperm, dest="tertypes",
help="Search dontauditxperm rules.")
-rtypes.add_argument("--neverallow", action="append_const",
- const=setools.TERuletype.neverallow, dest="tertypes",
- help="Search neverallow rules.")
-rtypes.add_argument("--neverallowxperm", action="append_const",
- const=setools.TERuletype.neverallowxperm, dest="tertypes",
- help="Search neverallowxperm rules.")
+# rtypes.add_argument("--neverallow", action="append_const",
+# const=setools.TERuletype.neverallow, dest="tertypes",
+# help="Search neverallow rules.")
+# rtypes.add_argument("--neverallowxperm", action="append_const",
+# const=setools.TERuletype.neverallowxperm, dest="tertypes",
+# help="Search neverallowxperm rules.")
rtypes.add_argument("-T", "--type_trans", action="append_const",
const=setools.TERuletype.type_transition, dest="tertypes",
help="Search type_transition rules.")
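Review bot: The two `rtypes.add_argument` calls for `--neverallow` and `--neverallowxperm` stay in the file as commented-out code with nothing next to them saying why, and the sediff patch repeats the pattern (`# terule.add_argument("--neverallow", ...)`). A reader of sesearch has to find the commit message to learn that these rule types are absent from a binary policy. Deleting the dead lines and leaving one comment would keep the reason with the code: `# --neverallow/--neverallowxperm are not offered: these rules are not available in the binary policy.`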
diff --git a/setoolsgui/apol/terulequery.ui b/setoolsgui/apol/terulequery.ui
index 950c590..6c6f14f 100644
--- a/setoolsgui/apol/terulequery.ui
+++ b/setoolsgui/apol/terulequery.ui
@@ -465,6 +465,12 @@
</item>
<item row="0" column="1">
<widget class="QCheckBox" name="neverallow">
+ <property name="enabled">
+ <bool>false</bool>
+ </property>
+ <property name="toolTip">
+ <string>Neverallow is not available in binary policies.</string>
+ </property>
<property name="text">
<string>Neverallow</string>
</property>
@@ -482,6 +488,12 @@
</item>
<item row="1" column="1">
<widget class="QCheckBox" name="neverallowxperm">
+ <property name="enabled">
+ <bool>false</bool>
+ </property>
+ <property name="toolTip">
+ <string>Neverallowxperms is not available in binary policies.</string>
+ </property>
<property name="text">
<string>Neverallowxperms</string>
</property>
--
2.40.0


@ -1,91 +0,0 @@
From 158283058160f4ae40d0b215e0ff2e5045de5a28 Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <lautrbach@redhat.com>
Date: Tue, 9 May 2023 19:22:01 +0200
Subject: [PATCH] Disable/remove neverallow options in sediff.
Apply change from commit 06335957b701 ("Disable/remove neverallow
options in frontends.") to sediff
Signed-off-by: Petr Lautrbach <lautrbach@redhat.com>
---
man/ru/sediff.1 | 4 ----
man/sediff.1 | 4 ----
sediff | 10 +++++++---
3 files changed, 7 insertions(+), 11 deletions(-)
diff --git a/man/ru/sediff.1 b/man/ru/sediff.1
index c6bf293..af5d8ef 100644
--- a/man/ru/sediff.1
+++ b/man/ru/sediff.1
@@ -57,16 +57,12 @@ sediff \- утилита выявления различий политик SELi
Найти различия правил включения журналирования событий.
.IP "--dontaudit"
Найти различия правил запрета журналирования событий.
-.IP "--neverallow"
-Найти различия запрещающих правил.
.IP "--allowxperm"
Найти различия расширенных разрешительных правил.
.IP "--auditallowxperm"
Найти различия расширенных правил включения журналирования событий.
.IP "--dontauditxperm"
Найти различия расширенных правил запрета журналирования событий.
-.IP "--neverallowxperm"
-Найти различия расширенных запрещающих правил.
.IP "-T, --type_trans"
Найти различия правил перехода типов.
.IP "--type_member"
diff --git a/man/sediff.1 b/man/sediff.1
index ed3b497..18466d8 100644
--- a/man/sediff.1
+++ b/man/sediff.1
@@ -50,16 +50,12 @@ Find differences in allow rules.
Find differences in auditallow rules.
.IP "--dontaudit"
Find differences in dontaudit rules.
-.IP "--neverallow"
-Find differences in neverallow rules.
.IP "--allowxperm"
Find differences in allowxperm rules.
.IP "--auditallowxperm"
Find differences in auditallowxperm rules.
.IP "--dontauditxperm"
Find differences in dontauditxperm rules.
-.IP "--neverallowxperm"
-Find differences in neverallowxperm rules.
.IP "-T, --type_trans"
Find differences in type_transition rules.
.IP "--type_member"
diff --git a/sediff b/sediff
index d31fa3a..93af837 100755
--- a/sediff
+++ b/sediff
@@ -57,12 +57,12 @@ comp.add_argument("--level", action="store_true", help="Print MLS level definiti
terule = parser.add_argument_group("type enforcement rule differences")
terule.add_argument("-A", action="store_true", help="Print allow and allowxperm rule differences")
terule.add_argument("--allow", action="store_true", help="Print allow rule differences")
-terule.add_argument("--neverallow", action="store_true", help="Print neverallow rule differences")
+# terule.add_argument("--neverallow", action="store_true", help="Print neverallow rule differences")
terule.add_argument("--auditallow", action="store_true", help="Print auditallow rule differences")
terule.add_argument("--dontaudit", action="store_true", help="Print dontaudit rule differences")
terule.add_argument("--allowxperm", action="store_true", help="Print allowxperm rule differences")
-terule.add_argument("--neverallowxperm", action="store_true",
- help="Print neverallowxperm rule differences")
+# terule.add_argument("--neverallowxperm", action="store_true",
+# help="Print neverallowxperm rule differences")
terule.add_argument("--auditallowxperm", action="store_true",
help="Print auditallowxperm rule differences")
terule.add_argument("--dontauditxperm", action="store_true",
@@ -109,6 +109,10 @@ other.add_argument("--typebounds", action="store_true", help="Print typebounds d
args = parser.parse_args()
+# neverallow and neverallowxperm options are disabled
+args.neverallow = False
+args.neverallowxperm = False
+
if args.A:
args.allow = True
args.allowxperm = True
--
2.41.0


@ -1,259 +0,0 @@
From ec4f5e19ea94e42416fda103d94118577eb18b95 Mon Sep 17 00:00:00 2001
From: Chris PeBenito <chpebeni@linux.microsoft.com>
Date: Tue, 30 Aug 2022 13:58:54 -0400
Subject: [PATCH] AVRuleXperm: Fix permission set creation for
AVTAB_XPERMS_IOCTLDRIVER.
Closes #74
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
---
setools/policyrep/terule.pxi | 8 +-
tests/policyrep/terule.py | 26 +++++
tests/policyrep/terule_issue74.conf | 159 ++++++++++++++++++++++++++++
3 files changed, 189 insertions(+), 4 deletions(-)
create mode 100644 tests/policyrep/terule_issue74.conf
diff --git a/setools/policyrep/terule.pxi b/setools/policyrep/terule.pxi
index 59aeea5..8b2659b 100644
--- a/setools/policyrep/terule.pxi
+++ b/setools/policyrep/terule.pxi
@@ -282,22 +282,22 @@ cdef class AVRuleXperm(BaseTERule):
set perms = set()
size_t curr = 0
size_t len = sizeof(xperms.perms) * sepol.EXTENDED_PERMS_LEN
+ size_t base_value = 0
#
# Build permission set
#
- while curr < len:
+ for curr in range(len):
if sepol.xperm_test(curr, xperms.perms):
if xperms.specified & sepol.AVTAB_XPERMS_IOCTLFUNCTION:
perms.add(xperms.driver << 8 | curr)
elif xperms.specified & sepol.AVTAB_XPERMS_IOCTLDRIVER:
- perms.add(curr << 8)
+ base_value = curr << 8
+ perms.update(range(base_value, base_value + 0x100))
else:
raise LowLevelPolicyError("Unknown extended permission: {}".format(
xperms.specified))
- curr += 1
-
#
# Determine xperm type
#
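Review bot: Inside the rewritten loop the rule kind is still chosen with bit tests, `xperms.specified & sepol.AVTAB_XPERMS_IOCTLFUNCTION` and then `& sepol.AVTAB_XPERMS_IOCTLDRIVER`. If `specified` holds a single enumerated value rather than a mask of independent flags (to be confirmed against the libsepol header), any other value that shares a bit with the first constant is decoded as an ioctl function set and never reaches the `LowLevelPolicyError` branch. Comparing with equality keeps the unknown-type error reachable: `if xperms.specified == sepol.AVTAB_XPERMS_IOCTLFUNCTION:` and `elif xperms.specified == sepol.AVTAB_XPERMS_IOCTLDRIVER:`. The method starts before and continues after this hunk.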
diff --git a/tests/policyrep/terule.py b/tests/policyrep/terule.py
index 0f24054..30afd4b 100644
--- a/tests/policyrep/terule.py
+++ b/tests/policyrep/terule.py
@@ -24,6 +24,8 @@ from setools import SELinuxPolicy
from setools.exception import InvalidTERuleType, RuleNotConditional, RuleUseError, \
TERuleNoFilename
+from .util import compile_policy
+
@unittest.skip("Needs to be reworked for cython")
@patch('setools.policyrep.boolcond.condexpr_factory', lambda x, y: y)
@@ -262,6 +264,30 @@ class AVRuleXpermTest(unittest.TestCase):
self.assertEqual(rule.statement(), "allowxperm a b:c d { 0x0003-0x0005 0x0007-0x0009 };")
+class AVRuleXpermTestIssue74(unittest.TestCase):
+
+ """
+ Regression test for xperm ranges starting with 0x00 not being loaded.
+ https://github.com/SELinuxProject/setools/issues/74
+ """
+
+ @classmethod
+ def setUpClass(cls):
+ cls.p = compile_policy("tests/policyrep/terule_issue74.conf")
+
+ def test_issue74_regression(self):
+ """Regression test for GitHub issue 74."""
+ rules = sorted(self.p.terules())
+ print(rules)
+ self.assertEqual(2, len(rules))
+
+ # expect 2 rules:
+ # allowxperm init_type_t init_type_t : unix_dgram_socket ioctl { 0x8910 };
+ # allowxperm init_type_t init_type_t : unix_dgram_socket ioctl { 0x0-0xff };
+ self.assertSetEqual(set(range(0x100)), rules[0].perms)
+ self.assertSetEqual(set([0x8910]), rules[1].perms)
+
+
@unittest.skip("Needs to be reworked for cython")
@patch('setools.policyrep.boolcond.condexpr_factory', lambda x, y: y)
@patch('setools.policyrep.typeattr.type_factory', lambda x, y: y)
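Review bot: `test_issue74_regression` leaves a `print(rules)` debugging call in the test and then identifies the two rules by position, `rules[0]` and `rules[1]`, which ties the assertions to how `sorted()` happens to order them. Dropping the print and asserting on content would make a failure easier to read and independent of rule ordering, e.g. `self.assertCountEqual([set(range(0x100)), {0x8910}], [r.perms for r in rules])`.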
diff --git a/tests/policyrep/terule_issue74.conf b/tests/policyrep/terule_issue74.conf
new file mode 100644
index 0000000..158a38e
--- /dev/null
+++ b/tests/policyrep/terule_issue74.conf
@@ -0,0 +1,159 @@
+class infoflow
+class infoflow2
+class infoflow3
+class infoflow4
+class infoflow5
+class infoflow6
+class infoflow7
+class infoflow8
+class infoflow9
+class infoflow10
+class unix_dgram_socket
+
+sid kernel
+sid security
+
+common infoflow
+{
+ low_w
+ med_w
+ hi_w
+ low_r
+ med_r
+ hi_r
+}
+
+common com_a
+{
+ hi_w
+ hi_r
+ super_r
+ super_w
+}
+
+common com_b
+{
+ send
+ recv
+}
+
+common com_c
+{
+ getattr
+ setattr
+ read
+ write
+}
+
+class infoflow
+inherits infoflow
+
+class infoflow2
+inherits infoflow
+{
+ super_w
+ super_r
+}
+
+class infoflow3
+{
+ null
+}
+
+class infoflow4
+inherits infoflow
+{
+ super_w
+ super_r
+ super_none
+ super_both
+ super_unmapped
+}
+
+class infoflow5
+inherits com_a
+
+class infoflow6
+inherits com_b
+
+class infoflow7
+inherits infoflow
+{
+ unmapped
+}
+
+class infoflow8
+{
+ super_w
+ super_r
+}
+
+class infoflow9
+inherits com_c
+
+class infoflow10
+{
+ read
+ write
+}
+
+class unix_dgram_socket
+{
+ ioctl
+}
+
+sensitivity low_s;
+sensitivity medium_s alias med;
+sensitivity high_s;
+
+dominance { low_s med high_s }
+
+category here;
+category there;
+category elsewhere alias lost;
+
+#level decl
+level low_s:here.there;
+level med:here, elsewhere;
+level high_s:here.lost;
+
+#some constraints
+mlsconstrain infoflow hi_r ((l1 dom l2) or (t1 == mls_exempt));
+
+attribute mls_exempt;
+
+type system;
+role system;
+role system types system;
+
+type init_type_t;
+allowxperm init_type_t self:unix_dgram_socket ioctl 0x8910;
+allowxperm init_type_t self:unix_dgram_socket ioctl { 0x0000 - 0x00ff };
+
+#users
+user system roles system level med range low_s - high_s:here.lost;
+
+#normal constraints
+constrain infoflow hi_w (u1 == u2);
+
+#isids
+sid kernel system:system:system:medium_s:here
+sid security system:system:system:high_s:lost
+
+#fs_use
+fs_use_trans devpts system:object_r:system:low_s;
+fs_use_xattr ext3 system:object_r:system:low_s;
+fs_use_task pipefs system:object_r:system:low_s;
+
+#genfscon
+genfscon proc / system:object_r:system:med
+genfscon proc /sys system:object_r:system:low_s
+genfscon selinuxfs / system:object_r:system:high_s:here.there
+
+portcon tcp 80 system:object_r:system:low_s
+
+netifcon eth0 system:object_r:system:low_s system:object_r:system:low_s
+
+nodecon 127.0.0.1 255.255.255.255 system:object_r:system:low_s:here
+nodecon ::1 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff system:object_r:system:low_s:here
+
--
2.41.0


@ -1,49 +0,0 @@
From 8d98b324fabcad6b09f9c734f79e6da9f9e85786 Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Thu, 23 Feb 2017 08:17:07 +0100
Subject: [PATCH] Do not use -Werror during build
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
There are new warnings when setools are built with gcc 7 therefore we
want to suppress -Werror for now
Fixes:
libqpol/policy_extend.c: In function policy_extend:
libqpol/policy_extend.c:161:27: error: %04zd directive output may be truncated writing between 4 and 10 bytes into a region of size 5 [-Werror=format-truncation=]
snprintf(buff, 9, "@ttr%04zd", i + 1);
^~~~~
libqpol/policy_extend.c:161:22: note: directive argument in the range [1, 4294967295]
snprintf(buff, 9, "@ttr%04zd", i + 1);
^~~~~~~~~~~
In file included from /usr/include/stdio.h:939:0,
from /usr/include/sepol/policydb/policydb.h:53,
from libqpol/policy_extend.c:29:
/usr/include/bits/stdio2.h:64:10: note: __builtin___snprintf_chk output between 9 and 15 bytes into a destination of size 9
return __builtin___snprintf_chk (__s, __n, __USE_FORTIFY_LEVEL - 1,
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
__bos (__s), __fmt, __va_arg_pack ());
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
cc1: all warnings being treated as errors
error: command 'gcc' failed with exit status 1
---
setup.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/setup.py b/setup.py
index 457c830..4dcb301 100644
--- a/setup.py
+++ b/setup.py
@@ -106,7 +106,7 @@ ext_py_mods = [Extension('setools.policyrep', ['setools/policyrep.pyx'],
libraries=['selinux', 'sepol'],
library_dirs=lib_dirs,
define_macros=macros,
- extra_compile_args=['-Werror', '-Wextra',
+ extra_compile_args=['-Wextra',
'-Waggregate-return',
'-Wfloat-equal',
'-Wformat', '-Wformat=2',
--
2.25.1


@ -1,139 +0,0 @@
From 52f5f911c4ae481530a57b6a0dd42067406a9d36 Mon Sep 17 00:00:00 2001
From: Vit Mojzis <vmojzis@redhat.com>
Date: Fri, 26 Apr 2019 15:27:25 +0200
Subject: [PATCH] Do not export/use setools.InfoFlowAnalysis and
setools.DomainTransitionAnalysis
dta and infoflow modules require networkx which brings lot of dependencies.
These dependencies are not necessary for setools module itself as it's
used in policycoreutils.
Therefore it's better to use setools.infoflow.InfoFlowAnalysis and
setools.dta.DomainTransitionAnalysis and let the package containing
sedta and seinfoflow to require python3-networkx
---
sedta | 4 ++--
seinfoflow | 4 ++--
setools/__init__.py | 4 ----
setoolsgui/apol/dta.py | 2 +-
setoolsgui/apol/infoflow.py | 2 +-
tests/dta.py | 2 +-
tests/infoflow.py | 2 +-
7 files changed, 8 insertions(+), 12 deletions(-)
diff --git a/sedta b/sedta
index 60861ca..41e38a2 100755
--- a/sedta
+++ b/sedta
@@ -22,7 +22,7 @@ import argparse
import logging
import signal
-import setools
+import setools.dta
def print_transition(trans):
@@ -114,7 +114,7 @@ else:
try:
p = setools.SELinuxPolicy(args.policy)
- g = setools.DomainTransitionAnalysis(p, reverse=args.reverse, exclude=args.exclude)
+ g = setools.dta.DomainTransitionAnalysis(p, reverse=args.reverse, exclude=args.exclude)
if args.shortest_path or args.all_paths:
if args.shortest_path:
diff --git a/seinfoflow b/seinfoflow
index f10c39d..fee749a 100755
--- a/seinfoflow
+++ b/seinfoflow
@@ -17,7 +17,7 @@
# along with SETools. If not, see <http://www.gnu.org/licenses/>.
#
-import setools
+import setools.infoflow
import argparse
import sys
import logging
@@ -101,7 +101,7 @@ elif args.booleans is not None:
try:
p = setools.SELinuxPolicy(args.policy)
m = setools.PermissionMap(args.map)
- g = setools.InfoFlowAnalysis(p, m, min_weight=args.min_weight, exclude=args.exclude,
+ g = setools.infoflow.InfoFlowAnalysis(p, m, min_weight=args.min_weight, exclude=args.exclude,
booleans=booleans)
if args.shortest_path or args.all_paths:
diff --git a/setools/__init__.py b/setools/__init__.py
index 26fa5aa..b7e51c4 100644
--- a/setools/__init__.py
+++ b/setools/__init__.py
@@ -75,12 +75,8 @@ from .pcideviceconquery import PcideviceconQuery
from .devicetreeconquery import DevicetreeconQuery
# Information Flow Analysis
-from .infoflow import InfoFlowAnalysis
from .permmap import PermissionMap
-# Domain Transition Analysis
-from .dta import DomainTransitionAnalysis
-
# Policy difference
from .diff import PolicyDifference
diff --git a/setoolsgui/apol/dta.py b/setoolsgui/apol/dta.py
index 4608b9d..2cde44c 100644
--- a/setoolsgui/apol/dta.py
+++ b/setoolsgui/apol/dta.py
@@ -23,7 +23,7 @@ from PyQt5.QtCore import pyqtSignal, Qt, QStringListModel, QThread
from PyQt5.QtGui import QPalette, QTextCursor
from PyQt5.QtWidgets import QCompleter, QHeaderView, QMessageBox, QProgressDialog, \
QTreeWidgetItem
-from setools import DomainTransitionAnalysis
+from setools.dta import DomainTransitionAnalysis
from ..logtosignal import LogHandlerToSignal
from .analysistab import AnalysisTab
diff --git a/setoolsgui/apol/infoflow.py b/setoolsgui/apol/infoflow.py
index 7bca299..7fee277 100644
--- a/setoolsgui/apol/infoflow.py
+++ b/setoolsgui/apol/infoflow.py
@@ -26,7 +26,7 @@ from PyQt5.QtCore import pyqtSignal, Qt, QStringListModel, QThread
from PyQt5.QtGui import QPalette, QTextCursor
from PyQt5.QtWidgets import QCompleter, QHeaderView, QMessageBox, QProgressDialog, \
QTreeWidgetItem
-from setools import InfoFlowAnalysis
+from setools.infoflow import InfoFlowAnalysis
from setools.exception import UnmappedClass, UnmappedPermission
from ..logtosignal import LogHandlerToSignal
diff --git a/tests/dta.py b/tests/dta.py
index a0cc938..177e6fb 100644
--- a/tests/dta.py
+++ b/tests/dta.py
@@ -18,7 +18,7 @@
import os
import unittest
-from setools import DomainTransitionAnalysis
+from setools.dta import DomainTransitionAnalysis
from setools import TERuletype as TERT
from setools.exception import InvalidType
from setools.policyrep import Type
diff --git a/tests/infoflow.py b/tests/infoflow.py
index aa0e44a..fca2848 100644
--- a/tests/infoflow.py
+++ b/tests/infoflow.py
@@ -18,7 +18,7 @@
import os
import unittest
-from setools import InfoFlowAnalysis
+from setools.infoflow import InfoFlowAnalysis
from setools import TERuletype as TERT
from setools.exception import InvalidType
from setools.permmap import PermissionMap
--
2.25.1


@ -1,24 +0,0 @@
From 67067b6df7139cc38cf33d3cb2c66434cf4e89e4 Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <plautrba@redhat.com>
Date: Thu, 2 Apr 2020 16:06:14 +0200
Subject: [PATCH] Require networkx on package level
It allows us to ship python3-setools without dependency on python3-networkx
---
setup.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/setup.py b/setup.py
index 4dcb301..9333e0c 100644
--- a/setup.py
+++ b/setup.py
@@ -170,5 +170,5 @@ setup(name='setools',
# setup also requires libsepol and libselinux
# C libraries and headers to compile.
setup_requires=['setuptools', 'Cython>=0.27'],
- install_requires=['setuptools', 'networkx>=2.0']
+ install_requires=['setuptools']
)
--
2.25.1


@ -1,93 +0,0 @@
From d249ea3316fcfaa203055d2b1f2c52423216e7e7 Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <plautrba@redhat.com>
Date: Tue, 30 Jul 2019 17:13:44 +0200
Subject: [PATCH] Do not use NoteNotFound as it's not implemented in networkx-1
---
setools/dta.py | 8 ++++----
setools/infoflow.py | 8 ++++----
2 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/setools/dta.py b/setools/dta.py
index 3239d2d..e15d8b8 100644
--- a/setools/dta.py
+++ b/setools/dta.py
@@ -24,7 +24,7 @@ from collections import defaultdict, namedtuple
from contextlib import suppress
import networkx as nx
-from networkx.exception import NetworkXError, NetworkXNoPath, NodeNotFound
+from networkx.exception import NetworkXError, NetworkXNoPath
from .descriptors import EdgeAttrDict, EdgeAttrList
from .policyrep import TERuletype
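Review bot: Dropping `NodeNotFound` from this import means the three `with suppress(NetworkXNoPath):` blocks later in setools/dta.py, and the three in setools/infoflow.py, no longer cover the case their own retained comment describes (`# NodeNotFound: the type is valid but not in graph, e.g. excluded`). On a networkx release that does define and raise `NodeNotFound`, a path query naming an excluded type would presumably surface as an exception instead of yielding no paths. A guarded import keeps both library generations working and lets the `suppress` calls stay as they were; the same lines apply to infoflow.py.

```python
import networkx as nx
from networkx.exception import NetworkXError, NetworkXNoPath

try:
    from networkx.exception import NodeNotFound
except ImportError:
    # older networkx has no NodeNotFound; alias it to an exception that is already suppressed
    NodeNotFound = NetworkXNoPath
# … unchanged: the three `with suppress(NetworkXNoPath, NodeNotFound):` blocks …
```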
@@ -111,7 +111,7 @@ class DomainTransitionAnalysis:
self.log.info("Generating one domain transition path from {0} to {1}...".format(s, t))
- with suppress(NetworkXNoPath, NodeNotFound):
+ with suppress(NetworkXNoPath):
# NodeNotFound: the type is valid but not in graph, e.g. excluded
# NetworkXNoPath: no paths or the target type is
# not in the graph
@@ -146,7 +146,7 @@ class DomainTransitionAnalysis:
self.log.info("Generating all domain transition paths from {0} to {1}, max length {2}...".
format(s, t, maxlen))
- with suppress(NetworkXNoPath, NodeNotFound):
+ with suppress(NetworkXNoPath):
# NodeNotFound: the type is valid but not in graph, e.g. excluded
# NetworkXNoPath: no paths or the target type is
# not in the graph
@@ -177,7 +177,7 @@ class DomainTransitionAnalysis:
self.log.info("Generating all shortest domain transition paths from {0} to {1}...".
format(s, t))
- with suppress(NetworkXNoPath, NodeNotFound):
+ with suppress(NetworkXNoPath):
# NodeNotFound: the type is valid but not in graph, e.g. excluded
# NetworkXNoPath: no paths or the target type is
# not in the graph
diff --git a/setools/infoflow.py b/setools/infoflow.py
index 579e064..89e5c8e 100644
--- a/setools/infoflow.py
+++ b/setools/infoflow.py
@@ -21,7 +21,7 @@ import logging
from contextlib import suppress
import networkx as nx
-from networkx.exception import NetworkXError, NetworkXNoPath, NodeNotFound
+from networkx.exception import NetworkXError, NetworkXNoPath
from .descriptors import EdgeAttrIntMax, EdgeAttrList
from .exception import RuleNotConditional
@@ -124,7 +124,7 @@ class InfoFlowAnalysis:
self.log.info("Generating one shortest information flow path from {0} to {1}...".
format(s, t))
- with suppress(NetworkXNoPath, NodeNotFound):
+ with suppress(NetworkXNoPath):
# NodeNotFound: the type is valid but not in graph, e.g.
# excluded or disconnected due to min weight
# NetworkXNoPath: no paths or the target type is
@@ -163,7 +163,7 @@ class InfoFlowAnalysis:
self.log.info("Generating all information flow paths from {0} to {1}, max length {2}...".
format(s, t, maxlen))
- with suppress(NetworkXNoPath, NodeNotFound):
+ with suppress(NetworkXNoPath):
# NodeNotFound: the type is valid but not in graph, e.g.
# excluded or disconnected due to min weight
# NetworkXNoPath: no paths or the target type is
@@ -197,7 +197,7 @@ class InfoFlowAnalysis:
self.log.info("Generating all shortest information flow paths from {0} to {1}...".
format(s, t))
- with suppress(NetworkXNoPath, NodeNotFound):
+ with suppress(NetworkXNoPath):
# NodeNotFound: the type is valid but not in graph, e.g.
# excluded or disconnected due to min weight
# NetworkXNoPath: no paths or the target type is
--
2.25.1

4
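--- a/apol.console
+++ b/apol.console
@@ -0,0 +1,4 @@
+USER=root
+PROGRAM=/usr/sbin/apol
+SESSION=true
+FALLBACK=true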
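Review bot: `apol.console` sets `FALLBACK=true` together with `USER=root`, while `seaudit.console` and `sediffx.console` added in the same change omit the key. With userhelper, a true fallback means the program is still started, as the invoking user, when authentication as root fails, so the three tools behave differently after a failed prompt. If the difference is intended, the reason should be recorded next to the key (if the format accepts comment lines, `# FALLBACK=true: run unprivileged when root authentication fails`); otherwise the key should be the same in all three files. Each of these files also makes a graphical tool run as root for its whole session, which is worth confirming is still wanted.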

BIN
apol.png Normal file

Binary file not shown.


6
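--- a/gating.yaml
+++ b/gating.yaml
@@ -0,0 +1,6 @@
+--- !Policy
+product_versions:
+- rhel-10
+decision_context: osci_compose_gate
+rules:
+- !PassingTestCaseRule {test_case_name: osci.brew-build.tier0.functional}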

7
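--- a/plans/selinux.fmf
+++ b/plans/selinux.fmf
@@ -0,0 +1,7 @@
+summary: selinux tests - Tier 1 | policycoreutils | checkpolicy
+discover:
+how: fmf
+url: https://src.fedoraproject.org/tests/selinux
+filter: "tier: 1 | component: policycoreutils | component: checkpolicy"
+execute:
+how: tmt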

5
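--- a/plans/tests.fmf
+++ b/plans/tests.fmf
@@ -0,0 +1,5 @@
+summary: setools test plan
+discover:
+how: fmf
+execute:
+how: tmt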

3
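--- a/rpminspect.yaml
+++ b/rpminspect.yaml
@@ -0,0 +1,3 @@
+emptyrpm:
+expected_empty:
+- setools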

3
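--- a/seaudit.console
+++ b/seaudit.console
@@ -0,0 +1,3 @@
+USER=root
+PROGRAM=/usr/sbin/seaudit
+SESSION=true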

11
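--- a/seaudit.desktop
+++ b/seaudit.desktop
@@ -0,0 +1,11 @@
+[Desktop Entry]
+Name=SELinux Audit Log Analysis
+GenericName=SELinux Audit Log Analysis Tool
+Comment=The tool parses syslog files and extracts all policy , AVC and change of boolean messages.
+Icon=seaudit.png
+Exec=/usr/bin/seaudit
+Type=Application
+Terminal=false
+Categories=System;
+X-Desktop-File-Install-Version=0.2
+StartupNotify=true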

BIN
seaudit.png Normal file

Binary file not shown.


3
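--- a/sediffx.console
+++ b/sediffx.console
@@ -0,0 +1,3 @@
+USER=root
+PROGRAM=/usr/sbin/sediffx
+SESSION=true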

11
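--- a/sediffx.desktop
+++ b/sediffx.desktop
@@ -0,0 +1,11 @@
+[Desktop Entry]
+Name=SELinux Policy Difference
+GenericName=SELinux Policy Difference tool
+Comment=This tool allows you to compare two policy files
+Exec=/usr/bin/sediffx
+Type=Application
+Terminal=false
+Categories=System;
+X-Desktop-File-Install-Version=0.2
+StartupNotify=true
+Icon=sediffx.png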

BIN
sediffx.png Normal file

Binary file not shown.



@ -1,48 +1,30 @@
# % global setools_pre_ver rc %global sepol_ver 3.6
# % global gitver f1e5b20 %global selinux_ver 3.6
%global sepol_ver 2.9-1
%global selinux_ver 2.9-1
%bcond_without networkx
Name: setools Name: setools
Version: 4.3.0 Version: 4.5.1
Release: 5%{?setools_pre_ver:.%{setools_pre_ver}}%{?dist} Release: 3%{?dist}
Summary: Policy analysis tools for SELinux Summary: Policy analysis tools for SELinux
License: GPLv2 License: GPL-2.0-only AND LGPL-2.1-only
URL: https://github.com/SELinuxProject/setools/wiki URL: https://github.com/SELinuxProject/setools/wiki
Source0: https://github.com/SELinuxProject/setools/archive/%{version}%{?setools_pre_ver:-%{setools_pre_ver}}.tar.gz Source0: https://github.com/SELinuxProject/setools/archive/%{version}.tar.gz
Source1: setools.pam Source1: setools.pam
Source2: apol.desktop Source2: apol.desktop
Patch0001: 0001-Support-old-boolean-names-in-policy-queries.patch
Patch0002: 0002-Make-seinfo-output-predictable.patch
Patch0003: 0003-Disable-remove-neverallow-options-in-frontends.patch
Patch0004: 0004-Disable-remove-neverallow-options-in-sediff.patch
Patch0005: 0005-AVRuleXperm-Fix-permission-set-creation-for-AVTAB_XP.patch
Patch1001: 1001-Do-not-use-Werror-during-build.patch
Patch1002: 1002-Do-not-export-use-setools.InfoFlowAnalysis-and-setoo.patch
Patch1003: 1003-Require-networkx-on-package-level.patch
Patch1004: 1004-Do-not-use-NoteNotFound-as-it-s-not-implemented-in-n.patch
Obsoletes: setools < 4.0.0, setools-devel < 4.0.0 Obsoletes: setools < 4.0.0, setools-devel < 4.0.0
BuildRequires: flex, bison BuildRequires: flex, bison
BuildRequires: glibc-devel, gcc, git BuildRequires: glibc-devel, gcc, git-core
BuildRequires: libsepol-devel >= %{sepol_ver}, libsepol-static >= %{sepol_ver} BuildRequires: libsepol-devel >= %{sepol_ver}, libsepol-static >= %{sepol_ver}
BuildRequires: qt5-qtbase-devel
BuildRequires: swig BuildRequires: swig
BuildRequires: python3-Cython BuildRequires: python3-Cython
BuildRequires: python3-devel BuildRequires: python3-devel
BuildRequires: python3-setuptools BuildRequires: python3-setuptools
BuildRequires: libselinux-devel BuildRequires: libselinux-devel
# BuildArch:
Requires: %{name}-console = %{version}-%{release} Requires: %{name}-console = %{version}-%{release}
%if %{with networkx}
Requires: %{name}-console-analyses = %{version}-%{release} Requires: %{name}-console-analyses = %{version}-%{release}
Requires: %{name}-gui = %{version}-%{release} Requires: %{name}-gui = %{version}-%{release}
%endif
%description %description
SETools is a collection of graphical tools, command-line tools, and SETools is a collection of graphical tools, command-line tools, and
@ -50,7 +32,7 @@ Python modules designed to facilitate SELinux policy analysis.
%package console %package console
Summary: Policy analysis command-line tools for SELinux Summary: Policy analysis command-line tools for SELinux
License: GPLv2 License: GPL-2.0-only
Requires: python3-setools = %{version}-%{release} Requires: python3-setools = %{version}-%{release}
Requires: libselinux >= %{selinux_ver} Requires: libselinux >= %{selinux_ver}
@ -65,10 +47,9 @@ This package includes the following console tools:
sesearch Search rules (allow, type_transition, etc.) sesearch Search rules (allow, type_transition, etc.)
%if %{with networkx}
%package console-analyses %package console-analyses
Summary: Policy analysis command-line tools for SELinux Summary: Policy analysis command-line tools for SELinux
License: GPLv2 License: GPL-2.0-only
Requires: python3-setools = %{version}-%{release} Requires: python3-setools = %{version}-%{release}
Requires: libselinux >= %{selinux_ver} Requires: libselinux >= %{selinux_ver}
Requires: python3-networkx Requires: python3-networkx
@ -81,60 +62,42 @@ This package includes the following console tools:
sedta Perform domain transition analyses. sedta Perform domain transition analyses.
seinfoflow Perform information flow analyses. seinfoflow Perform information flow analyses.
%endif
%package -n python3-setools %package -n python3-setools
Summary: Policy analysis tools for SELinux Summary: Policy analysis tools for SELinux
Obsoletes: setools-libs < 4.0.0, setools-libs-tcl License: LGPL-2.1-only
Recommends: libselinux-python3 Obsoletes: setools-libs < 4.0.0
# Remove before F30 %{?python_provide:%python_provide python3-setools}
Provides: %{name}-python3 = %{version}-%{release}
Provides: %{name}-python3%{?_isa} = %{version}-%{release}
Obsoletes: %{name}-python3 < %{version}-%{release}
%if 0%{?rhel} && 0%{?rhel} >= 8
Requires: platform-python-setuptools
%else
Requires: python3-setuptools Requires: python3-setuptools
%endif
%description -n python3-setools %description -n python3-setools
SETools is a collection of graphical tools, command-line tools, and SETools is a collection of graphical tools, command-line tools, and
Python 3 modules designed to facilitate SELinux policy analysis. Python 3 modules designed to facilitate SELinux policy analysis.
%if %{with networkx}
%package gui %package gui
Summary: Policy analysis graphical tools for SELinux Summary: Policy analysis graphical tools for SELinux
License: GPL-2.0-only
Requires: python3-setools = %{version}-%{release} Requires: python3-setools = %{version}-%{release}
Requires: python3-qt5 Requires: python3-pyqt6 python3-pyqt6-sip
Requires: python3-networkx Requires: python3-networkx
%description gui %description gui
SETools is a collection of graphical tools, command-line tools, and SETools is a collection of graphical tools, command-line tools, and
Python modules designed to facilitate SELinux policy analysis. Python modules designed to facilitate SELinux policy analysis.
%endif
%prep %prep
%autosetup -p 1 -S git -n setools-%{version}%{?setools_pre_ver:-%{setools_pre_ver}} %autosetup -p 1 -S git -n setools-%{version}
%build %build
# Remove CFLAGS=... for noarch packages (unneeded) %py3_build
%set_build_flags
%{__python3} setup.py build
%install %install
%{__python3} setup.py install --root %{buildroot} %py3_install
%if %{without networkx}
rm -f %{buildroot}%{_bindir}/sedta %{buildroot}%{_bindir}/seinfoflow \
%{buildroot}%{_mandir}*/man1/sedta* %{buildroot}%{_mandir}*/man1/sedinfoflow* \
rm -rf %{buildroot}%{_bindir}/apol %{buildroot}%{python3_sitearch}/setoolsgui \
%{buildroot}%{_mandir}*/man1/apol*
%endif
%check %check
%if %{?_with_check:1}%{!?_with_check:0} %if %{?_with_check:1}%{!?_with_check:0}
@ -145,9 +108,12 @@ rm -rf %{buildroot}%{_bindir}/apol %{buildroot}%{python3_sitearch}/setoolsgui \
%files %files
%files console %files console
%license COPYING.GPL
%{_bindir}/sechecker
%{_bindir}/sediff %{_bindir}/sediff
%{_bindir}/seinfo %{_bindir}/seinfo
%{_bindir}/sesearch %{_bindir}/sesearch
%{_mandir}/man1/sechecker*
%{_mandir}/man1/sediff* %{_mandir}/man1/sediff*
%{_mandir}/man1/seinfo* %{_mandir}/man1/seinfo*
%{_mandir}/man1/sesearch* %{_mandir}/man1/sesearch*
@ -155,45 +121,135 @@ rm -rf %{buildroot}%{_bindir}/apol %{buildroot}%{python3_sitearch}/setoolsgui \
%{_mandir}/ru/man1/seinfo* %{_mandir}/ru/man1/seinfo*
%{_mandir}/ru/man1/sesearch* %{_mandir}/ru/man1/sesearch*
%if %{with networkx}
%files console-analyses %files console-analyses
%license COPYING.GPL
%{_bindir}/sedta %{_bindir}/sedta
%{_bindir}/seinfoflow %{_bindir}/seinfoflow
%{_mandir}/man1/sedta* %{_mandir}/man1/sedta*
%{_mandir}/man1/seinfoflow* %{_mandir}/man1/seinfoflow*
%{_mandir}/ru/man1/sedta* %{_mandir}/ru/man1/sedta*
%{_mandir}/ru/man1/seinfoflow* %{_mandir}/ru/man1/seinfoflow*
%endif
%files -n python3-setools %files -n python3-setools
%license COPYING COPYING.GPL COPYING.LGPL %license COPYING COPYING.LGPL
%{python3_sitearch}/setools %{python3_sitearch}/setools
%{python3_sitearch}/setools-* %{python3_sitearch}/setools-*
%if %{with networkx}
%files gui %files gui
%license COPYING.GPL
%{_bindir}/apol %{_bindir}/apol
%{python3_sitearch}/setoolsgui %{python3_sitearch}/setoolsgui
%{_mandir}/man1/apol* %{_mandir}/man1/apol*
%{_mandir}/ru/man1/apol* %{_mandir}/ru/man1/apol*
%endif
%changelog %changelog
* Mon Aug 21 2023 Vit Mojzis <vmojzis@redhat.com> - 4.3.0-5 * Mon Jun 24 2024 Troy Dawson <tdawson@redhat.com> - 4.5.1-3
- Disable/remove neverallow options in sediff (#2184141) - Bump release for June 2024 mass rebuild
* Mon Jun 19 2023 Vit Mojzis <vmojzis@redhat.com> - 4.3.0-4 * Thu May 02 2024 Petr Lautrbach <lautrbach@redhat.com> - 4.5.1-2
- Disable/remove neverallow options in frontends (#2184141) - Fix License tag
- AVRuleXperm: Fix permission set creation for AVTAB_XPERMS_IOCTLDRIVER (#2174376)
* Tue Nov 30 2021 Vit Mojzis <vmojzis@redhat.com> - 4.3.0-3 * Thu May 02 2024 Petr Lautrbach <lautrbach@redhat.com> - 4.5.1-1
- Make seinfo output predictable (#2019961) - SETools 4.5.1
* Tue Jun 30 2020 Vit Mojzis <vmojzis@redhat.com> - 4.3.0-2 * Thu Apr 18 2024 Petr Lautrbach <lautrbach@redhat.com> - 4.5.0-1
- Support old boolean names in policy queries (#1595572, #1581848) - SETools 4.5.0
* Fri Apr 03 2020 Vit Mojzis <vmojzis@redhat.com> - 4.3.0-1 * Sat Jan 27 2024 Fedora Release Engineering <releng@fedoraproject.org> - 4.4.4-2
- SETools 4.3.0 release (#1820079) - Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
* Mon Dec 11 2023 Petr Lautrbach <lautrbach@redhat.com> - 4.4.4-1
- SETools 4.4.4 release
* Mon Aug 28 2023 Petr Lautrbach <lautrbach@redhat.com> - 4.4.3-2
- Use Qt 6
* Wed Aug 9 2023 Petr Lautrbach <lautrbach@redhat.com> - 4.4.3-1
- SETools 4.4.3 release
* Wed Jul 26 2023 Petr Lautrbach <lautrbach@redhat.com> - 4.4.2-4
- Disable/remove neverallow options in sediff.
- Improve man pages
- seinfoflow: Add -r option to get flows into the source type.
- seinfoflow.1: Remove references to sepolgen permission map.
- AVRule/AVRuleXperm: Treat rules with no permissions as invalid policy.
- SELinuxPolicy: Add explicit cast for libspol message
* Sat Jul 22 2023 Fedora Release Engineering <releng@fedoraproject.org> - 4.4.2-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
* Tue Jun 13 2023 Python Maint <python-maint@redhat.com> - 4.4.2-2
- Rebuilt for Python 3.12
* Thu Apr 20 2023 Petr Lautrbach <lautrbach@redhat.com> - 4.4.2-1
- SETools 4.4.2 release
* Mon Feb 6 2023 Petr Lautrbach <lautrbach@redhat.com> - 4.4.1-1
- SETools 4.4.1 release
* Sat Jan 21 2023 Fedora Release Engineering <releng@fedoraproject.org> - 4.4.0-10
- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
* Sat Jul 23 2022 Fedora Release Engineering <releng@fedoraproject.org> - 4.4.0-9
- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
* Thu Jun 16 2022 Python Maint <python-maint@redhat.com> - 4.4.0-8
- Rebuilt for Python 3.11
* Mon Jun 13 2022 Petr Lautrbach <plautrba@redhat.com> - 4.4.0-7
- Update required userspace versions to 3.4
- Drop unnecessary Recommends
* Mon Jun 13 2022 Python Maint <python-maint@redhat.com> - 4.4.0-6
- Rebuilt for Python 3.11
* Sat Jan 22 2022 Fedora Release Engineering <releng@fedoraproject.org> - 4.4.0-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
* Fri Nov 19 2021 Petr Lautrbach <plautrba@redhat.com> - 4.4.0-4
- Make seinfo output predictable
https://github.com/SELinuxProject/setools/issues/65
* Fri Jul 23 2021 Fedora Release Engineering <releng@fedoraproject.org> - 4.4.0-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
* Fri Jun 04 2021 Python Maint <python-maint@redhat.com> - 4.4.0-2
- Rebuilt for Python 3.10
* Mon Mar 8 2021 Petr Lautrbach <plautrba@redhat.com> - 4.4.0-1
- SETools 4.4.0 release
* Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 4.4.0-0.3.20210121git16c0696
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Thu Jan 21 2021 Petr Lautrbach <plautrba@redhat.com> - 4.4.0-0.2.20210121git16c0696
- Rebuild with SELinux userspace 3.2-rc1
- Update to 16c0696
* Thu Dec 10 2020 Petr Lautrbach <plautrba@redhat.com> - 4.4.0-0.2.20201102git05e90ee
- Fix imports in /usr/bin/sedta
* Tue Nov 3 2020 Petr Lautrbach <plautrba@redhat.com> - 4.4.0-0.1.20201102git05e90ee
- Update to 05e90ee
- Add /usr/bin/sechecker
- Adapt to new libsepol filename transition structures
- Rebuild with libsepol.so.2
* Sat Aug 01 2020 Fedora Release Engineering <releng@fedoraproject.org> - 4.3.0-5
- Second attempt - Rebuilt for
https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Wed Jul 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 4.3.0-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Thu Jul 16 2020 Petr Lautrbach <plautrba@redhat.com> - 4.3.0-3
- rebuild with SELinux userspace 3.1 release
* Tue May 26 2020 Miro Hrončok <mhroncok@redhat.com> - 4.3.0-2
- Rebuilt for Python 3.9
* Thu Apr 2 2020 Petr Lautrbach <plautrba@redhat.com> - 4.3.0-1
- SETools 4.3.0 release
- Revised sediff method for TE rules. This drastically reduced memory and run time. - Revised sediff method for TE rules. This drastically reduced memory and run time.
- Added infiniband context support to seinfo, sediff, and apol. - Added infiniband context support to seinfo, sediff, and apol.
- Added apol configuration for location of Qt assistant. - Added apol configuration for location of Qt assistant.
@ -203,12 +259,20 @@ rm -rf %{buildroot}%{_bindir}/apol %{buildroot}%{python3_sitearch}/setoolsgui \
- Added methods to TypeAttribute class to make it a complete Python collection. - Added methods to TypeAttribute class to make it a complete Python collection.
- Genfscon now will look up classes rather than using fixed values which - Genfscon now will look up classes rather than using fixed values which
were dropped from libsepol. were dropped from libsepol.
- setools requires -console, -console-analyses and -gui packages (#1820078)
* Sat Nov 30 2019 Petr Lautrbach <plautrba@redhat.com> - 4.2.2-2 * Mon Mar 23 2020 Petr Lautrbach <plautrba@redhat.com> - 4.2.2-5
- Build setools-console-analyses and setools-gui (#1731519) - setools requires -console, -console-analyses and -gui packages (#1794314)
* Mon Jul 08 2019 Vit Mojzis <vmojzis@redhat.com> - 4.2.2-1 * Thu Jan 30 2020 Fedora Release Engineering <releng@fedoraproject.org> - 4.2.2-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
* Thu Oct 03 2019 Miro Hrončok <mhroncok@redhat.com> - 4.2.2-3
- Rebuilt for Python 3.8.0rc1 (#1748018)
* Mon Aug 19 2019 Miro Hrončok <mhroncok@redhat.com> - 4.2.2-2
- Rebuilt for Python 3.8
* Mon Jul 08 2019 Vit Mojzis <vmojzis@redhat.com> - 4.2.2-1}
- SETools 4.2.2 release - SETools 4.2.2 release
* Mon May 13 2019 Vit Mojzis <vmojzis@redhat.com> - 4.2.1-3 * Mon May 13 2019 Vit Mojzis <vmojzis@redhat.com> - 4.2.1-3
@ -220,25 +284,33 @@ rm -rf %{buildroot}%{_bindir}/apol %{buildroot}%{python3_sitearch}/setoolsgui \
* Tue Mar 26 2019 Petr Lautrbach <plautrba@redhat.com> - 4.2.1-1 * Tue Mar 26 2019 Petr Lautrbach <plautrba@redhat.com> - 4.2.1-1
- SETools 4.2.1 release (#1581761, #1595582) - SETools 4.2.1 release (#1581761, #1595582)
* Fri Nov 16 2018 Lumír Balhar <lbalhar@redhat.com> - 4.2.0-2 * Wed Nov 14 2018 Vit Mojzis <vmojzis@redhat.com> - 4.2.0-1
- Require platform-python-setuptools instead of python3-setuptools - Update source to SETools 4.2.0 release
- Resolves: rhbz#1650548
* Tue Nov 13 2018 Petr Lautrbach <plautrba@redhat.com> - 4.2.0-1
- SETools 4.2.0 release
* Mon Oct 01 2018 Vit Mojzis <vmojzis@redhat.com> - 4.2.0-0.3.rc * Mon Oct 01 2018 Vit Mojzis <vmojzis@redhat.com> - 4.2.0-0.3.rc
- Update upstream source to 4.2.0-rc - Update upstream source to 4.2.0-rc
* Wed Aug 22 2018 Petr Lautrbach <plautrba@redhat.com> - 4.1.1-11 * Wed Sep 19 2018 Vit Mojzis <vmojzis@redhat.com> - 4.2.0-0.2.beta
- Require userspace release 2.8
- setools-gui requires python3-setools
- Add Requires for python[23]-setuptools - no longer required (just recommended) by python[23] (#1623371)
- Drop python2 subpackage (4.2.0 no longer supports python2)
* Wed Aug 29 2018 Vit Mojzis <vmojzis@redhat.com> - 4.1.1-13
- Add Requires for python[23]-setuptools - no longer required (just recommended)
by python[23] (#1623371)
* Wed Aug 22 2018 Petr Lautrbach <plautrba@redhat.com> - 4.1.1-12.1
- Fix SCTP patch - https://github.com/SELinuxProject/setools/issues/9 - Fix SCTP patch - https://github.com/SELinuxProject/setools/issues/9
* Thu Jun 14 2018 Petr Lautrbach <plautrba@redhat.com> - 4.1.1-10 * Sat Jul 14 2018 Fedora Release Engineering <releng@fedoraproject.org> - 4.1.1-11
- Move gui python files to -gui subpackage - Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
- Do not build gui and console-analyses by default
* Wed Jun 6 2018 Petr Lautrbach <plautrba@redhat.com> - 4.1.1-9 * Tue Jun 19 2018 Miro Hrončok <mhroncok@redhat.com> - 4.1.1-10
- Don't build the Python 2 subpackage (#1567362) - Rebuilt for Python 3.7
* Thu Jun 14 2018 Petr Lautrbach <plautrba@redhat.com> - 4.1.1-9
- Move gui python files to -gui subpackage
* Thu Apr 26 2018 Vit Mojzis <vmojzis@redhat.com> - 4.1.1-8 * Thu Apr 26 2018 Vit Mojzis <vmojzis@redhat.com> - 4.1.1-8
- Add support for SCTP protocol (#1568333) - Add support for SCTP protocol (#1568333)
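Review bot: The `%check` section is still wrapped in `%if %{?_with_check:1}%{!?_with_check:0}`, so a default build of 4.5.1 skips whatever test commands sit inside it (the body lies outside the visible hunks) and only the external tmt plans exercise the package. This rebase removes the nine `Patch` lines and moves the GUI from `python3-qt5` to `python3-pyqt6`, so running the upstream tests at build time would catch regressions earlier. `%bcond_without check` together with `%if %{with check}` would make that the default while still allowing `--without check`. Separately, the added changelog header `* Mon Jul 08 2019 Vit Mojzis <vmojzis@redhat.com> - 4.2.2-1}` ends in a stray `}` that the old side does not have.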

1
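--- a/sources
+++ b/sources
@@ -0,0 +1 @@
+SHA512 (4.5.1.tar.gz) = 6aef2e12495f980a0b71cf888170ee2f1de94785404b578d416d9720f2441ff3ef14c7ac434310e421c7fa885b8c8ef99aff6438ecfb5e8687d0ff4875127824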


@ -0,0 +1,63 @@
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# Makefile of /CoreOS/setools/Regression/The-setools-package-doesn-t-install-any-tools
# Description: Make sure setools requires setools-console and setools-gui
# Author: Vit Mojzis <vmojzis@redhat.com>
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# Copyright (c) 2020 Red Hat, Inc.
#
# This program is free software: you can redistribute it and/or
# modify it under the terms of the GNU General Public License as
# published by the Free Software Foundation, either version 2 of
# the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be
# useful, but WITHOUT ANY WARRANTY; without even the implied
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
# PURPOSE. See the GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see http://www.gnu.org/licenses/.
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
export TEST=/CoreOS/setools/Regression/The-setools-package-doesn-t-install-any-tools
export TESTVERSION=1.0
BUILT_FILES=
FILES=$(METADATA) runtest.sh Makefile
.PHONY: all install download clean
run: $(FILES) build
./runtest.sh
build: $(BUILT_FILES)
test -x runtest.sh || chmod a+x runtest.sh
clean:
rm -f *~ $(BUILT_FILES)
include /usr/share/rhts/lib/rhts-make.include
$(METADATA): Makefile
@echo "Owner: Vit Mojzis <vmojzis@redhat.com>" > $(METADATA)
@echo "Name: $(TEST)" >> $(METADATA)
@echo "TestVersion: $(TESTVERSION)" >> $(METADATA)
@echo "Path: $(TEST_DIR)" >> $(METADATA)
@echo "Description: Make sure setools requires setools-console and setools-gui" >> $(METADATA)
@echo "Type: Regression" >> $(METADATA)
@echo "TestTime: 5m" >> $(METADATA)
@echo "RunFor: setools" >> $(METADATA)
@echo "Priority: Normal" >> $(METADATA)
@echo "License: GPLv2+" >> $(METADATA)
@echo "Confidential: no" >> $(METADATA)
@echo "Destructive: no" >> $(METADATA)
@echo "Bug: 1820078" >> $(METADATA)
@echo "Releases: -RHEL4 -RHELClient5 -RHELServer5 -RHEL6 -RHEL7" >> $(METADATA)
rhts-lint $(METADATA)


@ -0,0 +1,11 @@
summary: Make sure setools requires setools-console and setools-gui
contact: Vit Mojzis <vmojzis@redhat.com>
component:
- setools
test: ./runtest.sh
framework: beakerlib
duration: 5m
link:
- relates: https://bugzilla.redhat.com/show_bug.cgi?id=1820078
extra-summary: /CoreOS/setools/Regression/The-setools-package-doesn-t-install-any-tools
extra-task: /CoreOS/setools/Regression/The-setools-package-doesn-t-install-any-tools


@ -0,0 +1,53 @@
#!/bin/bash
# vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# runtest.sh of /CoreOS/setools/Regression/bz1820078-The-setools-package-doesn-t-install-any-tools
# Description: Make sure setools requires setools-console and setools-gui
# Author: Vit Mojzis <vmojzis@redhat.com>
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# Copyright (c) 2020 Red Hat, Inc.
#
# This program is free software: you can redistribute it and/or
# modify it under the terms of the GNU General Public License as
# published by the Free Software Foundation, either version 2 of
# the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be
# useful, but WITHOUT ANY WARRANTY; without even the implied
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
# PURPOSE. See the GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see http://www.gnu.org/licenses/.
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# Include Beaker environment
. /usr/share/beakerlib/beakerlib.sh || exit 1
PACKAGE="setools"
rlJournalStart
rlPhaseStartSetup
rlRun "dnf -y remove ${PACKAGE} ${PACKAGE}-gui ${PACKAGE}-console"
OUTPUT_FILE=`mktemp`
rlPhaseEnd
rlPhaseStartTest "bz#1820078"
rlRun "dnf -y install ${PACKAGE}" 0
rlAssertRpm "${PACKAGE}-gui"
rlAssertRpm "${PACKAGE}-console"
# make sure that setools-* packages do not require setools
rlRun "rpm -q --whatrequires ${PACKAGE} >& ${OUTPUT_FILE}" 0,1
rlRun "grep -i \"${PACKAGE}-\" ${OUTPUT_FILE}" 1
if [ $? -ne 1 ]; then rlRun "cat \"${OUTPUT_FILE}\""; fi
rlPhaseEnd
rlPhaseStartCleanup
rm -f ${OUTPUT_FILE}
rlPhaseEnd
rlJournalPrintText
rlJournalEnd
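Review bot: The test phase asserts only `${PACKAGE}-gui` and `${PACKAGE}-console`, but the spec in this comparison also makes the meta package require `%{name}-console-analyses`, and the setup phase does not remove that subpackage either. A regression that drops the analyses dependency would pass unnoticed. Add `${PACKAGE}-console-analyses` to the `dnf -y remove` line and `rlAssertRpm "${PACKAGE}-console-analyses"` after the install. Cleanup only deletes the temporary file, so the host ends with a different package set than it started with, which sits oddly with the `Destructive: no` metadata in the accompanying Makefile.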


@ -0,0 +1,63 @@
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# Makefile of /CoreOS/setools/Sanity/sedta
# Description: Does sedta work as expected? Does it support all features?
# Author: Milos Malik <mmalik@redhat.com>
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# Copyright (c) 2019 Red Hat, Inc.
#
# This program is free software: you can redistribute it and/or
# modify it under the terms of the GNU General Public License as
# published by the Free Software Foundation, either version 2 of
# the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be
# useful, but WITHOUT ANY WARRANTY; without even the implied
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
# PURPOSE. See the GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see http://www.gnu.org/licenses/.
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
export TEST=/CoreOS/setools/Sanity/sedta
export TESTVERSION=1.0
BUILT_FILES=
FILES=$(METADATA) runtest.sh Makefile PURPOSE testpolicy.cil
.PHONY: all install download clean
run: $(FILES) build
./runtest.sh
build: $(BUILT_FILES)
test -x runtest.sh || chmod a+x runtest.sh
clean:
rm -f *~ $(BUILT_FILES)
include /usr/share/rhts/lib/rhts-make.include
$(METADATA): Makefile
@echo "Owner: Milos Malik <mmalik@redhat.com>" > $(METADATA)
@echo "Name: $(TEST)" >> $(METADATA)
@echo "TestVersion: $(TESTVERSION)" >> $(METADATA)
@echo "Path: $(TEST_DIR)" >> $(METADATA)
@echo "Description: Does sedta work as expected? Does it support all features?" >> $(METADATA)
@echo "Type: Sanity" >> $(METADATA)
@echo "TestTime: 1h" >> $(METADATA)
@echo "RunFor: setools" >> $(METADATA)
@echo "Requires: policycoreutils setools-console-analyses" >> $(METADATA)
@echo "Priority: Normal" >> $(METADATA)
@echo "License: GPLv2+" >> $(METADATA)
@echo "Confidential: no" >> $(METADATA)
@echo "Destructive: no" >> $(METADATA)
@echo "Releases: -RHEL4 -RHEL6 -RHEL7 -RHELClient5 -RHELServer5" >> $(METADATA)
rhts-lint $(METADATA)


@ -0,0 +1,3 @@
PURPOSE of /CoreOS/setools/Sanity/sedta
Description: Does sedta work as expected? Does it support all features?
Author: Milos Malik <mmalik@redhat.com>


@ -0,0 +1,30 @@
summary: Does sedta work as expected? Does it support all features?
description: ''
contact: Milos Malik <mmalik@redhat.com>
component:
- setools
test: ./runtest.sh
framework: beakerlib
recommend:
- git
- policycoreutils
- setools-console-analyses
duration: 1h
enabled: true
tag:
- CI-Tier-1
- NoRHEL4
- NoRHEL5
- NoRHEL6
- NoRHEL7
- TIPfail_Security
- f32friendly
- f33friendly
- targeted
adjust:
- enabled: false
when: distro == rhel-4, rhel-5, rhel-6, rhel-7
continue: false
extra-nitrate: TC#0604139
extra-summary: /CoreOS/setools/Sanity/sedta
extra-task: /CoreOS/setools/Sanity/sedta

87
tests/Sanity/sedta/runtest.sh Executable file

@ -0,0 +1,87 @@
#!/bin/bash
# vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# runtest.sh of /CoreOS/setools/Sanity/sedta
# Description: Does sedta work as expected? Does it support all features?
# Author: Milos Malik <mmalik@redhat.com>
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# Copyright (c) 2019 Red Hat, Inc.
#
# This program is free software: you can redistribute it and/or
# modify it under the terms of the GNU General Public License as
# published by the Free Software Foundation, either version 2 of
# the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be
# useful, but WITHOUT ANY WARRANTY; without even the implied
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
# PURPOSE. See the GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see http://www.gnu.org/licenses/.
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# Include Beaker environment
. /usr/share/beakerlib/beakerlib.sh || exit 1
PACKAGE="setools"
rlJournalStart
rlPhaseStartSetup
rlAssertRpm ${PACKAGE}-console-analyses
OUTPUT_FILE=`mktemp`
rlRun "semodule -i testpolicy.cil"
rlRun "semodule -l | grep testpolicy"
rlPhaseEnd
rlPhaseStartTest "invalid values"
rlRun "sedta -s unknown_t >& ${OUTPUT_FILE}" 1
rlRun "grep -i 'not a valid type' ${OUTPUT_FILE}"
rlRun "sedta -s apmd_t -t unknown_t -S >& ${OUTPUT_FILE}" 1
rlRun "grep -i 'not a valid type' ${OUTPUT_FILE}"
rlRun "sedta -s unknown_t -p /etc/selinux/unknown/policy/policy.31 >& ${OUTPUT_FILE}" 1
rlRun "grep -i 'no such file or directory' ${OUTPUT_FILE}"
rlRun "sedta -s apmd_t -t var_lib_t -A -1 >& ${OUTPUT_FILE}" 1
rlRun "grep -i 'must be positive' ${OUTPUT_FILE}"
rlRun "sedta -s xyz_t >& ${OUTPUT_FILE}"
rlRun "grep -i '^0.*transition.*found' ${OUTPUT_FILE}"
rlPhaseEnd
rlPhaseStartTest "valid values"
# transitivity
rlRun "sedta -s first_t -t second_t -S >& ${OUTPUT_FILE}"
rlRun "grep -i '^1 domain transition path.*found' ${OUTPUT_FILE}"
rlRun "sedta -s second_t -t third_t -S >& ${OUTPUT_FILE}"
rlRun "grep -i '^1 domain transition path.*found' ${OUTPUT_FILE}"
rlRun "sedta -s first_t -t third_t -S >& ${OUTPUT_FILE}"
rlRun "grep -i '^1 domain transition path.*found' ${OUTPUT_FILE}"
# reflexivity
rlRun "sedta -s first_t -t first_t -S >& ${OUTPUT_FILE}"
rlRun "grep -i '^1 domain transition path.*found' ${OUTPUT_FILE}"
rlRun "sedta -s second_t -t second_t -S >& ${OUTPUT_FILE}"
rlRun "grep -i '^1 domain transition path.*found' ${OUTPUT_FILE}"
rlRun "sedta -s third_t -t third_t -S >& ${OUTPUT_FILE}"
rlRun "grep -i '^1 domain transition path.*found' ${OUTPUT_FILE}"
# path is longer than limit
rlRun "sedta -s first_t -t third_t -A 1 >& ${OUTPUT_FILE}"
rlRun "grep -i '^0 domain transition path.*found' ${OUTPUT_FILE}"
# non-existent relation
rlRun "sedta -s first_t -t third_t -S -r >& ${OUTPUT_FILE}"
rlRun "grep -i '^0 domain transition path.*found' ${OUTPUT_FILE}"
# non-existent relation
rlRun "sedta -s third_t -t first_t -S >& ${OUTPUT_FILE}"
rlRun "grep -i '^0 domain transition path.*found' ${OUTPUT_FILE}"
rlPhaseEnd
rlPhaseStartCleanup
rlRun "semodule -r testpolicy"
rlRun "semodule -l | grep testpolicy" 1
rm -f ${OUTPUT_FILE}
rlPhaseEnd
rlJournalPrintText
rlJournalEnd
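Review bot: Setup loads `testpolicy.cil` into the active policy store with `rlRun "semodule -i testpolicy.cil"` but carries on if that fails, so every later `sedta` assertion then fails for an unrelated reason. Stopping early keeps the journal readable, e.g. `rlRun "semodule -i testpolicy.cil" || rlDie "cannot install testpolicy"`. The two `# non-existent relation` comments cover different cases, the `-r` run on first_t/third_t and the third_t to first_t direction; distinct comments such as `# no path expected with -r` and `# no path from third_t back to first_t` would make a failure easier to interpret. `rm -f ${OUTPUT_FILE}` in cleanup should quote the variable.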


@ -0,0 +1,21 @@
( type xyz_t )
( type first_t )
( type first_exec_t )
( type second_t )
( type second_exec_t )
( type third_t )
( type third_exec_t )
( typetransition first_t second_exec_t process second_t )
( typetransition second_t third_exec_t process third_t )
( allow first_t second_exec_t ( file ( getattr open read execute )))
( allow first_t second_t ( process ( transition )))
( allow second_t third_exec_t ( file ( getattr open read execute )))
( allow second_t third_t ( process ( transition )))
( allow first_t first_exec_t ( file ( entrypoint )))
( allow second_t second_exec_t ( file ( entrypoint )))
( allow third_t third_exec_t ( file ( entrypoint )))
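Review bot: This fixture carries no comments, although the assertions in the sedta runtest.sh depend on its exact shape: a first_t to second_t to third_t chain built from the two `typetransition` rules, and an `xyz_t` that has no rules at all. A header line such as `; chain: first_t -> second_t -> third_t; xyz_t is deliberately left without rules` would tell a maintainer which statements the expected path counts rely on. The module is installed into the live policy by the test, so it is also worth stating in a comment that these types exist only for the duration of the test.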


@ -0,0 +1,64 @@
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# Makefile of Sanity/seinfo-consistent-output
# Description: Check whether different 2 or more runs of same seinfo commands produce same output
# Author: Petr Lautrbach <plautrba@redhat.com>
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# Copyright (c) 2021 Red Hat, Inc.
#
# This program is free software: you can redistribute it and/or
# modify it under the terms of the GNU General Public License as
# published by the Free Software Foundation, either version 2 of
# the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be
# useful, but WITHOUT ANY WARRANTY; without even the implied
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
# PURPOSE. See the GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see http://www.gnu.org/licenses/.
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
export TEST=Sanity/seinfo-consistent-output
export TESTVERSION=1.0
BUILT_FILES=
FILES=$(METADATA) runtest.sh Makefile PURPOSE
.PHONY: all install download clean
run: $(FILES) build
./runtest.sh
build: $(BUILT_FILES)
test -x runtest.sh || chmod a+x runtest.sh
clean:
rm -f *~ $(BUILT_FILES)
include /usr/share/rhts/lib/rhts-make.include
$(METADATA): Makefile
@echo "Owner: Petr Lautrbach <plautrba@redhat.com>" > $(METADATA)
@echo "Name: $(TEST)" >> $(METADATA)
@echo "TestVersion: $(TESTVERSION)" >> $(METADATA)
@echo "Path: $(TEST_DIR)" >> $(METADATA)
@echo "Description: Check whether different 2 or more runs of same seinfo commands produce same output" >> $(METADATA)
@echo "Type: Sanity" >> $(METADATA)
@echo "TestTime: 5m" >> $(METADATA)
@echo "RunFor: setools" >> $(METADATA)
@echo "Requires: setools-console" >> $(METADATA)
@echo "Priority: Normal" >> $(METADATA)
@echo "License: GPLv2+" >> $(METADATA)
@echo "Confidential: no" >> $(METADATA)
@echo "Destructive: no" >> $(METADATA)
@echo "Bug: 2019962" >> $(METADATA)
@echo "Releases: -RHEL4 -RHELClient5 -RHELServer5" >> $(METADATA)
rhts-lint $(METADATA)


@ -0,0 +1,3 @@
PURPOSE of Sanity/seinfo-consistent-output
Description: Check whether different 2 or more runs of same seinfo commands produce same output
Author: Petr Lautrbach <plautrba@redhat.com>


@ -0,0 +1,15 @@
summary: Check whether different 2 or more runs of same seinfo commands produce same
output
description: ''
contact: Petr Lautrbach <plautrba@redhat.com>
component:
- setools
test: ./runtest.sh
framework: beakerlib
recommend:
- setools-console
duration: 5m
link:
- relates: https://bugzilla.redhat.com/show_bug.cgi?id=2019962
extra-summary: Sanity/seinfo-consistent-output
extra-task: Sanity/seinfo-consistent-output


@ -0,0 +1,63 @@
#!/bin/bash
# vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# runtest.sh of Sanity/seinfo-consistent-output
# Description: Check whether different 2 or more runs of same seinfo commands produce same output
# Author: Petr Lautrbach <plautrba@redhat.com>
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# Copyright (c) 2021 Red Hat, Inc.
#
# This program is free software: you can redistribute it and/or
# modify it under the terms of the GNU General Public License as
# published by the Free Software Foundation, either version 2 of
# the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be
# useful, but WITHOUT ANY WARRANTY; without even the implied
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
# PURPOSE. See the GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see http://www.gnu.org/licenses/.
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# Include Beaker environment
. /usr/share/beakerlib/beakerlib.sh || exit 1
PACKAGE="setools-console"
rlJournalStart
rlPhaseStartSetup
rlAssertRpm $PACKAGE
rlRun "TmpDir=\$(mktemp -d)" 0 "Creating tmp directory"
rlRun "pushd $TmpDir"
rlPhaseEnd
commands=(
"seinfo --all -x"
"seinfo --constrain"
"seinfo --common"
"seinfo -c -x"
"seinfo -r -x"
"seinfo -u -x"
)
for c in "${commands[@]}"; do
rlPhaseStartTest "$c"
rlRun "$c > 1.out"
rlRun "$c > 2.out"
rlRun "cmp 1.out 2.out" 0
rlPhaseEnd
done
rlPhaseStartCleanup
rlRun "popd"
rlRun "rm -r $TmpDir" 0 "Removing tmp directory"
rlPhaseEnd
rlJournalPrintText
rlJournalEnd
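Review bot: `rlRun "cmp 1.out 2.out" 0` reports only the first differing byte, so when two runs diverge the journal does not show which seinfo lines were unstable. `rlRun "diff -u 1.out 2.out" 0` gives the same pass/fail result and logs the differing lines. `$TmpDir` is also unquoted in `pushd $TmpDir` and `rm -r $TmpDir`; quoting it inside the rlRun strings avoids surprises if `mktemp -d` fails or the temporary path contains spaces.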