libsemanage-3.1-5

- Drop and obsolete libsemanage-compat
- genhomedircon: check usepasswd

.gitignore

@@ -116,3 +116,33 @@ libsemanage-2.0.40.tgz
 libsemanage-2.0.41.tgz
 libsemanage-2.0.42.tgz
 libsemanage-2.0.43.tgz
+libsemanage-2.0.44.tgz
+libsemanage-2.0.45.tgz
+/libsemanage-2.0.46.tgz
+/libsemanage-2.1.0.tgz
+/libsemanage-2.1.2.tgz
+/libsemanage-2.1.3.tgz
+/libsemanage-2.1.4.tgz
+/libsemanage-2.1.5.tgz
+/libsemanage-2.1.6.tgz
+/libsemanage-2.1.7.tgz
+/libsemanage-2.1.8.tgz
+/libsemanage-2.1.9.tgz
+/libsemanage-2.1.10.tgz
+/libsemanage-2.2.tgz
+/libsemanage-2.3.tgz
+/libsemanage-2.4.tar.gz
+/libsemanage-2.5-rc1.tar.gz
+/libsemanage-2.5.tar.gz
+/libsemanage-2.6.tar.gz
+/libsemanage-2.7.tar.gz
+/libsemanage-2.8-rc1.tar.gz
+/libsemanage-2.8-rc2.tar.gz
+/libsemanage-2.8-rc3.tar.gz
+/libsemanage-2.8.tar.gz
+/libsemanage-2.9-rc1.tar.gz
+/libsemanage-2.9-rc2.tar.gz
+/libsemanage-2.9.tar.gz
+/libsemanage-3.0-rc1.tar.gz
+/libsemanage-3.0.tar.gz
+/libsemanage-3.1.tar.gz

0001-libsemanage-Remove-legacy-and-duplicate-symbols.patch

@@ -0,0 +1,233 @@
+From b46406de8a93abe10e685c422597516517c0bff3 Mon Sep 17 00:00:00 2001
+From: Petr Lautrbach <plautrba@redhat.com>
+Date: Fri, 9 Oct 2020 15:00:50 +0200
+Subject: [PATCH] libsemanage: Remove legacy and duplicate symbols
+
+Versioned duplicate symbols cause problems for LTO. These symbols were
+introduced during the CIL integration several releases ago and were only
+consumed by other SELinux userspace components.
+
+Related: https://github.com/SELinuxProject/selinux/issues/245
+
+Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
+---
+ libsemanage/include/semanage/modules.h |   2 +-
+ libsemanage/src/libsemanage.map        |   5 --
+ libsemanage/src/modules.c              | 100 +------------------------
+ libsemanage/src/modules.h              |   9 +--
+ libsemanage/src/semanageswig_python.i  |   2 -
+ 5 files changed, 4 insertions(+), 114 deletions(-)
+
+diff --git a/libsemanage/include/semanage/modules.h b/libsemanage/include/semanage/modules.h
+index ac4039314857..b51f61f033d5 100644
+--- a/libsemanage/include/semanage/modules.h
++++ b/libsemanage/include/semanage/modules.h
+@@ -33,7 +33,7 @@ typedef struct semanage_module_key semanage_module_key_t;
+  */
+ 
+ extern int semanage_module_install(semanage_handle_t *,
+-				   char *module_data, size_t data_len, char *name, char *ext_lang);
++				   char *module_data, size_t data_len, const char *name, const char *ext_lang);
+ extern int semanage_module_install_file(semanage_handle_t *,
+ 					const char *module_name);
+ extern int semanage_module_remove(semanage_handle_t *, char *module_name);
+diff --git a/libsemanage/src/libsemanage.map b/libsemanage/src/libsemanage.map
+index 1375a8ca0ea7..4bec06aaae27 100644
+--- a/libsemanage/src/libsemanage.map
++++ b/libsemanage/src/libsemanage.map
+@@ -167,18 +167,13 @@ LIBSEMANAGE_1.0 {
+     semanage_mls_enabled;
+     semanage_module_disable;
+     semanage_module_enable;
+-    semanage_module_get_enabled;
+     semanage_module_get_name;
+     semanage_module_get_version;
+     semanage_module_info_datum_destroy;
+-    semanage_module_install;
+-    semanage_module_install_base;
+-    semanage_module_install_base_file;
+     semanage_module_install_file;
+     semanage_module_list;
+     semanage_module_list_nth;
+     semanage_module_remove;
+-    semanage_module_upgrade;
+     semanage_module_upgrade_file;
+     semanage_msg_get_channel;
+     semanage_msg_get_fname;
+diff --git a/libsemanage/src/modules.c b/libsemanage/src/modules.c
+index 6d3eb60ae462..8b36801038df 100644
+--- a/libsemanage/src/modules.c
++++ b/libsemanage/src/modules.c
+@@ -42,70 +42,7 @@
+ #include "modules.h"
+ #include "debug.h"
+ 
+-asm(".symver semanage_module_get_enabled_1_1,semanage_module_get_enabled@@LIBSEMANAGE_1.1");
+-asm(".symver semanage_module_get_enabled_1_0,semanage_module_get_enabled@LIBSEMANAGE_1.0");
+-asm(".symver semanage_module_install_pp,semanage_module_install@LIBSEMANAGE_1.0");
+-asm(".symver semanage_module_install_hll,semanage_module_install@@LIBSEMANAGE_1.1");
+-
+-/* Takes a module stored in 'module_data' and parses its headers.
+- * Sets reference variables 'module_name' to module's name and
+- * 'version' to module's version. The caller is responsible for
+- * free()ing 'module_name' and 'version'; they will be
+- * set to NULL upon entering this function.  Returns 0 on success, -1
+- * if out of memory, or -2 if data did not represent a module.
+- */
+-static int parse_module_headers(semanage_handle_t * sh, char *module_data,
+-				size_t data_len, char **module_name, char **version)
+-{
+-	struct sepol_policy_file *pf;
+-	int file_type;
+-	*version = NULL;
+-
+-	if (sepol_policy_file_create(&pf)) {
+-		ERR(sh, "Out of memory!");
+-		return -1;
+-	}
+-	sepol_policy_file_set_mem(pf, module_data, data_len);
+-	sepol_policy_file_set_handle(pf, sh->sepolh);
+-	if (module_data == NULL ||
+-	    data_len == 0 ||
+-	    sepol_module_package_info(pf, &file_type, module_name, version) == -1) {
+-		sepol_policy_file_free(pf);
+-		ERR(sh, "Could not parse module data.");
+-		return -2;
+-	}
+-	sepol_policy_file_free(pf);
+-	if (file_type != SEPOL_POLICY_MOD) {
+-		ERR(sh, "Data did not represent a pp module. Please upgrade to the latest version of libsemanage to support hll modules.");
+-		return -2;
+-	}
+-
+-	return 0;
+-}
+-
+-/* This function is used to preserve ABI compatibility with
+- * versions of semodule using LIBSEMANAGE_1.0
+- */
+-int semanage_module_install_pp(semanage_handle_t * sh,
+-			    char *module_data, size_t data_len)
+-{
+-	char *name = NULL;
+-	char *version = NULL;
+-	int status;
+-
+-	if ((status = parse_module_headers(sh, module_data, data_len, &name, &version)) != 0) {
+-		goto cleanup;
+-	}
+-
+-	status = semanage_module_install_hll(sh, module_data, data_len, name, "pp");
+-
+-cleanup:
+-	free(name);
+-	free(version);
+-	return status;
+-}
+-
+-int semanage_module_install_hll(semanage_handle_t * sh,
++int semanage_module_install(semanage_handle_t * sh,
+ 			    char *module_data, size_t data_len, const char *name, const char *ext_lang)
+ {
+ 	if (sh->funcs->install == NULL) {
+@@ -160,16 +97,6 @@ int semanage_module_extract(semanage_handle_t * sh,
+ 	return sh->funcs->extract(sh, modkey, extract_cil, mapped_data, data_len, modinfo);
+ }
+ 
+-/* Legacy function that remains to preserve ABI
+- * compatibility. Please use semanage_module_install instead.
+- */
+-int semanage_module_upgrade(semanage_handle_t * sh,
+-			    char *module_data, size_t data_len)
+-{
+-	return semanage_module_install_pp(sh, module_data, data_len);
+-	
+-}
+-
+ /* Legacy function that remains to preserve ABI
+  * compatibility. Please use semanage_module_install_file instead.
+  */
+@@ -179,24 +106,6 @@ int semanage_module_upgrade_file(semanage_handle_t * sh,
+ 	return semanage_module_install_file(sh, module_name);
+ }
+ 
+-/* Legacy function that remains to preserve ABI
+- * compatibility. Please use semanage_module_install instead.
+- */
+-int semanage_module_install_base(semanage_handle_t * sh,
+-				 char *module_data, size_t data_len)
+-{
+-	return semanage_module_install_pp(sh, module_data, data_len);
+-}
+-
+-/* Legacy function that remains to preserve ABI
+- * compatibility. Please use semanage_module_install_file instead.
+- */
+-int semanage_module_install_base_file(semanage_handle_t * sh,
+-				 const char *module_name)
+-{
+-	return semanage_module_install_file(sh, module_name);
+-}
+-
+ int semanage_module_remove(semanage_handle_t * sh, char *module_name)
+ {
+ 	if (sh->funcs->remove == NULL) {
+@@ -780,7 +689,7 @@ int semanage_module_key_set_priority(semanage_handle_t *sh,
+ }
+ 
+ 
+-int semanage_module_get_enabled_1_1(semanage_handle_t *sh,
++int semanage_module_get_enabled(semanage_handle_t *sh,
+ 				const semanage_module_key_t *modkey,
+ 				int *enabled)
+ {
+@@ -800,11 +709,6 @@ int semanage_module_get_enabled_1_1(semanage_handle_t *sh,
+ 	return sh->funcs->get_enabled(sh, modkey, enabled);
+ }
+ 
+-int semanage_module_get_enabled_1_0(semanage_module_info_t *modinfo)
+-{
+-	return modinfo->enabled;
+-}
+-
+ int semanage_module_set_enabled(semanage_handle_t *sh,
+ 				const semanage_module_key_t *modkey,
+ 				int enabled)
+diff --git a/libsemanage/src/modules.h b/libsemanage/src/modules.h
+index 2d3576fb15df..64d4a157f5ca 100644
+--- a/libsemanage/src/modules.h
++++ b/libsemanage/src/modules.h
+@@ -26,16 +26,9 @@
+ 
+ #include "semanage/modules.h"
+ 
+-int semanage_module_install_pp(semanage_handle_t * sh,
+-			    char *module_data, size_t data_len);
+-int semanage_module_install_hll(semanage_handle_t * sh,
+-			    char *module_data, size_t data_len, const char *name, const char *ext_lang);
+-int semanage_module_upgrade(semanage_handle_t * sh,
+-			    char *module_data, size_t data_len);
++
+ int semanage_module_upgrade_file(semanage_handle_t * sh,
+ 				 const char *module_name);
+-int semanage_module_install_base(semanage_handle_t * sh,
+-				 char *module_data, size_t data_len);
+ int semanage_module_install_base_file(semanage_handle_t * sh,
+ 				 const char *module_name);
+ 
+diff --git a/libsemanage/src/semanageswig_python.i b/libsemanage/src/semanageswig_python.i
+index 8dd79fc24213..5f0113966962 100644
+--- a/libsemanage/src/semanageswig_python.i
++++ b/libsemanage/src/semanageswig_python.i
+@@ -30,8 +30,6 @@
+ %}
+ 
+ %include "stdint.i"
+-%ignore semanage_module_install_pp;
+-%ignore semanage_module_install_hll;
+ 
+ %wrapper %{
+ 
+-- 
+2.29.0
+

0002-libsemanage-Drop-deprecated-functions.patch

@@ -0,0 +1,100 @@
+From c08b73d7183e2dbab0ba43c3df32f4214abbc9c6 Mon Sep 17 00:00:00 2001
+From: Petr Lautrbach <plautrba@redhat.com>
+Date: Fri, 9 Oct 2020 15:00:51 +0200
+Subject: [PATCH] libsemanage: Drop deprecated functions
+
+semanage_module_enable() and semanage_module_disable() were deprecated
+by commit 9fbc6d14418f ("libsemanage: add back original module
+enable/disable functions for ABI compatability") in 2014 in order to
+preserve ABI compatibility. As we the libsemanage ABI is changed by the
+previous commit, it makes sense to drop them completely.
+
+Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
+---
+ libsemanage/src/libsemanage.map |  2 --
+ libsemanage/src/modules.c       | 56 ---------------------------------
+ 2 files changed, 58 deletions(-)
+
+diff --git a/libsemanage/src/libsemanage.map b/libsemanage/src/libsemanage.map
+index 4bec06aaae27..3ea7b60f97bb 100644
+--- a/libsemanage/src/libsemanage.map
++++ b/libsemanage/src/libsemanage.map
+@@ -165,8 +165,6 @@ LIBSEMANAGE_1.0 {
+     semanage_is_connected;
+     semanage_is_managed;
+     semanage_mls_enabled;
+-    semanage_module_disable;
+-    semanage_module_enable;
+     semanage_module_get_name;
+     semanage_module_get_version;
+     semanage_module_info_datum_destroy;
+diff --git a/libsemanage/src/modules.c b/libsemanage/src/modules.c
+index 8b36801038df..b6dd456cac32 100644
+--- a/libsemanage/src/modules.c
++++ b/libsemanage/src/modules.c
+@@ -734,62 +734,6 @@ int semanage_module_set_enabled(semanage_handle_t *sh,
+ }
+ 
+ 
+-/* This function exists only for ABI compatibility. It has been deprecated and
+- * should not be used. Instead, use semanage_module_set_enabled() */
+-int semanage_module_enable(semanage_handle_t *sh, char *module_name)
+-{
+-	int rc = -1;
+-	semanage_module_key_t *modkey = NULL;
+-
+-	rc = semanage_module_key_create(sh, &modkey);
+-	if (rc != 0)
+-		goto exit;
+-
+-	rc = semanage_module_key_set_name(sh, modkey, module_name);
+-	if (rc != 0)
+-		goto exit;
+-
+-	rc = semanage_module_set_enabled(sh, modkey, 1);
+-	if (rc != 0)
+-		goto exit;
+-
+-	rc = 0;
+-
+-exit:
+-	semanage_module_key_destroy(sh, modkey);
+-	free(modkey);
+-
+-	return rc;
+-}
+-
+-/* This function exists only for ABI compatibility. It has been deprecated and
+- * should not be used. Instead, use semanage_module_set_enabled() */
+-int semanage_module_disable(semanage_handle_t *sh, char *module_name)
+-{
+-	int rc = -1;
+-	semanage_module_key_t *modkey = NULL;
+-
+-	rc = semanage_module_key_create(sh, &modkey);
+-	if (rc != 0)
+-		goto exit;
+-
+-	rc = semanage_module_key_set_name(sh, modkey, module_name);
+-	if (rc != 0)
+-		goto exit;
+-
+-	rc = semanage_module_set_enabled(sh, modkey, 0);
+-	if (rc != 0)
+-		goto exit;
+-
+-	rc = 0;
+-
+-exit:
+-	semanage_module_key_destroy(sh, modkey);
+-	free(modkey);
+-
+-	return rc;
+-}
+-
+ /* Converts a string to a priority
+  *
+  * returns -1 if str is not a valid priority.
+-- 
+2.29.0
+

0003-libsemanage-Bump-libsemanage.so-version.patch

@@ -0,0 +1,45 @@
+From 6ebb35d261eaa8701b53b9f68184b05de8dfd868 Mon Sep 17 00:00:00 2001
+From: Petr Lautrbach <plautrba@redhat.com>
+Date: Fri, 9 Oct 2020 15:00:52 +0200
+Subject: [PATCH] libsemanage: Bump libsemanage.so version
+
+Previous commits removed some symbols and broke ABI, therefore we need to change
+SONAME.
+
+See the following quotes from distribution guidelines:
+
+https://www.debian.org/doc/debian-policy/ch-sharedlibs.html#run-time-shared-libraries
+
+Every time the shared library ABI changes in a way that may break
+binaries linked against older versions of the shared library, the SONAME
+of the library and the corresponding name for the binary package
+containing the runtime shared library should change.
+
+https://docs.fedoraproject.org/en-US/packaging-guidelines/#_downstream_so_name_versioning
+
+When new versions of the library are released, you should use an ABI
+comparison tool to check for ABI differences in the built shared
+libraries. If it detects any incompatibilities, bump the n number by
+one.
+
+Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
+---
+ libsemanage/src/Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libsemanage/src/Makefile b/libsemanage/src/Makefile
+index a0eb3747d74b..ab6cae51f5c3 100644
+--- a/libsemanage/src/Makefile
++++ b/libsemanage/src/Makefile
+@@ -32,7 +32,7 @@ YACC = bison
+ YFLAGS = -d
+ 
+ VERSION = $(shell cat ../VERSION)
+-LIBVERSION = 1
++LIBVERSION = 2
+ 
+ LIBA=libsemanage.a
+ TARGET=libsemanage.so
+-- 
+2.29.0
+

0004-libsemanage-Fix-RESOURCE_LEAK-and-USE_AFTER_FREE-cov.patch

@@ -0,0 +1,66 @@
+From fc966a746653cc15a14d1e1a80f01fc2f567ee08 Mon Sep 17 00:00:00 2001
+From: Petr Lautrbach <plautrba@redhat.com>
+Date: Wed, 7 Nov 2018 18:17:34 +0100
+Subject: [PATCH] libsemanage: Fix RESOURCE_LEAK and USE_AFTER_FREE coverity
+ scan defects
+
+---
+ libsemanage/src/direct_api.c | 21 ++++++++-------------
+ 1 file changed, 8 insertions(+), 13 deletions(-)
+
+diff --git a/libsemanage/src/direct_api.c b/libsemanage/src/direct_api.c
+index d2b91fb24292..f445cd4d6fb5 100644
+--- a/libsemanage/src/direct_api.c
++++ b/libsemanage/src/direct_api.c
+@@ -1028,7 +1028,7 @@ static int semanage_direct_write_langext(semanage_handle_t *sh,
+ 
+ 	fp = NULL;
+ 
+-	ret = 0;
++	return 0;
+ 
+ cleanup:
+ 	if (fp != NULL) fclose(fp);
+@@ -2184,7 +2184,6 @@ cleanup:
+ 	semanage_module_info_destroy(sh, modinfo);
+ 	free(modinfo);
+ 
+-	if (fp != NULL) fclose(fp);
+ 	return status;
+ }
+ 
+@@ -2349,16 +2348,6 @@ static int semanage_direct_get_module_info(semanage_handle_t *sh,
+ 	free(tmp);
+ 	tmp = NULL;
+ 
+-	if (fclose(fp) != 0) {
+-		ERR(sh,
+-		    "Unable to close %s module lang ext file.",
+-		    (*modinfo)->name);
+-		status = -1;
+-		goto cleanup;
+-	}
+-
+-	fp = NULL;
+-
+ 	/* lookup enabled/disabled status */
+ 	ret = semanage_module_get_path(sh,
+ 				       *modinfo,
+@@ -2402,7 +2391,13 @@ cleanup:
+ 		free(modinfos);
+ 	}
+ 
+-	if (fp != NULL) fclose(fp);
++	if (fp != NULL && fclose(fp) != 0) {
++		ERR(sh,
++		    "Unable to close %s module lang ext file.",
++		    (*modinfo)->name);
++		status = -1;
++	}
++
+ 	return status;
+ }
+ 
+-- 
+2.29.0
+

0005-libsemanage-genhomedircon-check-usepasswd.patch

@@ -0,0 +1,35 @@
+From 511f8bbf779e10152d5af491e8b6a408b8ad666c Mon Sep 17 00:00:00 2001
+From: Vit Mojzis <vmojzis@redhat.com>
+Date: Fri, 30 Oct 2020 17:42:17 +0100
+Subject: [PATCH] libsemanage/genhomedircon: check usepasswd
+
+Only add user homedir contexts when usepasswd = True
+
+Resolves:
+   # grep usepasswd /etc/selinux/semanage.conf
+   usepasswd=False
+   # useradd -Z unconfined_u -d /tmp test
+   # matchpathcon /tmp
+   /tmp	unconfined_u:object_r:user_home_dir_t:s0
+
+Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
+---
+ libsemanage/src/genhomedircon.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libsemanage/src/genhomedircon.c b/libsemanage/src/genhomedircon.c
+index d08c88de99a7..18d3d99a1254 100644
+--- a/libsemanage/src/genhomedircon.c
++++ b/libsemanage/src/genhomedircon.c
+@@ -1332,7 +1332,7 @@ static int write_context_file(genhomedircon_settings_t * s, FILE * out)
+ 			s->fallback->home = NULL;
+ 		}
+ 	}
+-	if (user_context_tpl || username_context_tpl) {
++	if ((s->usepasswd) && (user_context_tpl || username_context_tpl)) {
+ 		if (write_username_context(s, out, username_context_tpl,
+ 					   s->fallback) != STATUS_SUCCESS) {
+ 			retval = STATUS_ERR;
+-- 
+2.29.2
+

Makefile

@@ -1,21 +0,0 @@
-# Makefile for source rpm: libsemanage
-# $Id$
-NAME := libsemanage
-SPECFILE = $(firstword $(wildcard *.spec))
-
-define find-makefile-common
-for d in common ../common ../../common ; do if [ -f $$d/Makefile.common ] ; then if [ -f $$d/CVS/Root -a -w $$d/Makefile.common ] ; then cd $$d ; cvs -Q update ; fi ; echo "$$d/Makefile.common" ; break ; fi ; done
-endef
-
-MAKEFILE_COMMON := $(shell $(find-makefile-common))
-
-ifeq ($(MAKEFILE_COMMON),)
-# attempt a checkout
-define checkout-makefile-common
-test -f CVS/Root && { cvs -Q -d $$(cat CVS/Root) checkout common && echo "common/Makefile.common" ; } || { echo "ERROR: I can't figure out how to checkout the 'common' module." ; exit -1 ; } >&2
-endef
-
-MAKEFILE_COMMON := $(shell $(checkout-makefile-common))
-endif
-
-include $(MAKEFILE_COMMON)

gating.yaml

@@ -0,0 +1,16 @@
+--- !Policy
+product_versions:
+  - fedora-*
+decision_context: bodhi_update_push_testing
+subject_type: koji_build
+rules:
+  - !PassingTestCaseRule {test_case_name: fedora-ci.koji-build.tier0.functional}
+
+--- !Policy
+product_versions:
+  - fedora-*
+decision_context: bodhi_update_push_stable
+subject_type: koji_build
+rules:
+  - !PassingTestCaseRule {test_case_name: fedora-ci.koji-build.tier0.functional}
+

libsemanage-genhomedircon.patch

@@ -1,32 +0,0 @@
-Index: libsemanage/src/semanage_store.c
-===================================================================
-RCS file: /cvsroot/selinux/nsa/selinux-usr/libsemanage/src/semanage_store.c,v
-retrieving revision 1.21
-diff -u -r1.21 semanage_store.c
---- libsemanage/src/semanage_store.c	9 Nov 2005 14:52:55 -0000	1.21
-+++ libsemanage/src/semanage_store.c	14 Nov 2005 21:43:09 -0000
-@@ -950,11 +950,6 @@
- 		goto cleanup;
- 	}
- 
--	if ((r = semanage_exec_prog(sh, sh->conf->genhomedircon, sh->conf->store_path, "")) != 0) {
--		ERR(sh, "genhomedircon returned error code %d.", r);
--		goto cleanup;
--	}
--
- 	retval = 0;
- cleanup:
- 	free(storepath);
-@@ -1070,6 +1065,12 @@
- 		goto cleanup;
- 	}
- 
-+	if ((retval = semanage_exec_prog(sh, sh->conf->genhomedircon, sh->conf->store_path, "")) != 0) {
-+		ERR(sh, "genhomedircon returned error code %d.", retval);
-+		goto cleanup;
-+	}
-+
-+
- cleanup:
- 	return retval;
- 

libsemanage-rhat.patch

@@ -1,471 +0,0 @@
-diff --exclude-from=exclude -N -u -r nsalibsemanage/include/semanage/modules.h libsemanage-2.0.43/include/semanage/modules.h
---- nsalibsemanage/include/semanage/modules.h	2009-01-13 08:45:35.000000000 -0500
-+++ libsemanage-2.0.43/include/semanage/modules.h	2009-12-16 16:07:43.000000000 -0500
-@@ -40,10 +40,12 @@
- 				 char *module_data, size_t data_len);
- int semanage_module_install_base_file(semanage_handle_t *,
- 				      const char *module_name);
-+int semanage_module_enable(semanage_handle_t *, char *module_name);
-+int semanage_module_disable(semanage_handle_t *, char *module_name);
- int semanage_module_remove(semanage_handle_t *, char *module_name);
- 
- /* semanage_module_info is for getting information on installed
--   modules, only name and version at this time */
-+   modules, only name and version, and enabled/disabled flag at this time */
- typedef struct semanage_module_info semanage_module_info_t;
- 
- int semanage_module_list(semanage_handle_t *,
-@@ -53,5 +55,6 @@
- 						 int n);
- const char *semanage_module_get_name(semanage_module_info_t *);
- const char *semanage_module_get_version(semanage_module_info_t *);
-+int semanage_module_get_enabled(semanage_module_info_t *);
- 
- #endif
-diff --exclude-from=exclude -N -u -r nsalibsemanage/src/direct_api.c libsemanage-2.0.43/src/direct_api.c
---- nsalibsemanage/src/direct_api.c	2009-09-17 08:59:43.000000000 -0400
-+++ libsemanage-2.0.43/src/direct_api.c	2009-12-16 16:07:43.000000000 -0500
-@@ -66,6 +66,8 @@
- static int semanage_direct_install_base(semanage_handle_t * sh, char *base_data,
- 					size_t data_len);
- static int semanage_direct_install_base_file(semanage_handle_t * sh, const char *module_name);
-+static int semanage_direct_enable(semanage_handle_t * sh, char *module_name);
-+static int semanage_direct_disable(semanage_handle_t * sh, char *module_name);
- static int semanage_direct_remove(semanage_handle_t * sh, char *module_name);
- static int semanage_direct_list(semanage_handle_t * sh,
- 				semanage_module_info_t ** modinfo,
-@@ -83,6 +85,8 @@
- 	.upgrade_file = semanage_direct_upgrade_file,
- 	.install_base = semanage_direct_install_base,
- 	.install_base_file = semanage_direct_install_base_file,
-+	.enable = semanage_direct_enable,
-+	.disable = semanage_direct_disable,
- 	.remove = semanage_direct_remove,
- 	.list = semanage_direct_list
- };
-@@ -348,10 +352,17 @@
- 	     semanage_path(SEMANAGE_TMP, SEMANAGE_MODULES)) == NULL) {
- 		return -1;
- 	}
--	if (asprintf(filename, "%s/%s.pp", module_path, *module_name) == -1) {
-+	if (asprintf(filename, "%s/%s.pp%s", module_path, *module_name, DISABLESTR) == -1) {
- 		ERR(sh, "Out of memory!");
- 		return -1;
- 	}
-+
-+	if (access(*filename, F_OK) == -1) {
-+		char *ptr = *filename;
-+		int len = strlen(ptr) - strlen(DISABLESTR);
-+		if (len > 0) ptr[len]='\0';
-+	}
-+
- 	return 0;
- }
- 
-@@ -1273,6 +1284,107 @@
- 	return retval;
- }
- 
-+/* Enables a module from the sandbox.  Returns 0 on success, -1 if out
-+ * of memory, -2 if module not found or could not be enabled. */
-+static int semanage_direct_enable(semanage_handle_t * sh, char *module_name)
-+{
-+	int i, retval = -1;
-+	char **module_filenames = NULL;
-+	int num_mod_files;
-+	size_t name_len = strlen(module_name);
-+	if (semanage_get_modules_names(sh, &module_filenames, &num_mod_files) ==
-+	    -1) {
-+		return -1;
-+	}
-+	for (i = 0; i < num_mod_files; i++) {
-+		char *base = strrchr(module_filenames[i], '/');
-+		if (base == NULL) {
-+			ERR(sh, "Could not read module names.");
-+			retval = -2;
-+			goto cleanup;
-+		}
-+		base++;
-+		if (memcmp(module_name, base, name_len) == 0 &&
-+		    strcmp(base + name_len + 3, DISABLESTR) == 0) {
-+			int len = strlen(module_filenames[i]) - strlen(DISABLESTR);
-+			char *enabled_name = calloc(1, len+1);
-+			if (!enabled_name) {
-+				ERR(sh, "Could not allocate memory");
-+				retval = -1;
-+				goto cleanup;
-+			}
-+
-+			strncpy(enabled_name, module_filenames[i],len);
-+
-+			if (rename(module_filenames[i], enabled_name) == -1) {
-+				ERR(sh, "Could not enable module file %s.",
-+				    enabled_name);
-+				retval = -2;
-+			}
-+			retval = 0;
-+			free(enabled_name);
-+			goto cleanup;
-+		}
-+	}
-+	ERR(sh, "Module %s was not found.", module_name);
-+	retval = -2;		/* module not found */
-+      cleanup:
-+	for (i = 0; module_filenames != NULL && i < num_mod_files; i++) {
-+		free(module_filenames[i]);
-+	}
-+	free(module_filenames);
-+	return retval;
-+}
-+
-+/* Enables a module from the sandbox.  Returns 0 on success, -1 if out
-+ * of memory, -2 if module not found or could not be enabled. */
-+static int semanage_direct_disable(semanage_handle_t * sh, char *module_name)
-+{
-+	int i, retval = -1;
-+	char **module_filenames = NULL;
-+	int num_mod_files;
-+	size_t name_len = strlen(module_name);
-+	if (semanage_get_modules_names(sh, &module_filenames, &num_mod_files) ==
-+	    -1) {
-+		return -1;
-+	}
-+	for (i = 0; i < num_mod_files; i++) {
-+		char *base = strrchr(module_filenames[i], '/');
-+		if (base == NULL) {
-+			ERR(sh, "Could not read module names.");
-+			retval = -2;
-+			goto cleanup;
-+		}
-+		base++;
-+		if (memcmp(module_name, base, name_len) == 0 &&
-+		    strcmp(base + name_len, ".pp") == 0) {
-+			char disabled_name[PATH_MAX];
-+			if (snprintf(disabled_name, PATH_MAX, "%s%s", 
-+				     module_filenames[i], DISABLESTR) == PATH_MAX) {
-+				ERR(sh, "Could not disable module file %s.",
-+				    module_filenames[i]);
-+				retval = -2;
-+				goto cleanup;
-+			}
-+			if (rename(module_filenames[i], disabled_name) == -1) {
-+				ERR(sh, "Could not disable module file %s.",
-+				    module_filenames[i]);
-+				retval = -2;
-+			}
-+			retval = 0;
-+			goto cleanup;
-+		}
-+	}
-+	ERR(sh, "Module %s was not found.", module_name);
-+	retval = -2;		/* module not found */
-+      cleanup:
-+	for (i = 0; module_filenames != NULL && i < num_mod_files; i++) {
-+		free(module_filenames[i]);
-+	}
-+	free(module_filenames);
-+	return retval;
-+}
-+
- /* Removes a module from the sandbox.  Returns 0 on success, -1 if out
-  * of memory, -2 if module not found or could not be removed. */
- static int semanage_direct_remove(semanage_handle_t * sh, char *module_name)
-@@ -1293,8 +1405,7 @@
- 			goto cleanup;
- 		}
- 		base++;
--		if (memcmp(module_name, base, name_len) == 0 &&
--		    strcmp(base + name_len, ".pp") == 0) {
-+		if (memcmp(module_name, base, name_len) == 0) {
- 			if (unlink(module_filenames[i]) == -1) {
- 				ERR(sh, "Could not remove module file %s.",
- 				    module_filenames[i]);
-@@ -1369,6 +1480,7 @@
- 		}
- 		ssize_t size;
- 		char *data = NULL;
-+		int enabled = semanage_module_enabled(module_filenames[i]);
- 
- 		if ((size = bunzip(sh, fp, &data)) > 0) {
- 			fclose(fp);
-@@ -1393,6 +1505,7 @@
- 		if (type == SEPOL_POLICY_MOD) {
- 			(*modinfo)[*num_modules].name = name;
- 			(*modinfo)[*num_modules].version = version;
-+			(*modinfo)[*num_modules].enabled = enabled;
- 			(*num_modules)++;
- 		} else {
- 			/* file was not a module, so don't report it */
-diff --exclude-from=exclude -N -u -r nsalibsemanage/src/genhomedircon.c libsemanage-2.0.43/src/genhomedircon.c
---- nsalibsemanage/src/genhomedircon.c	2009-09-17 08:59:43.000000000 -0400
-+++ libsemanage-2.0.43/src/genhomedircon.c	2009-12-16 16:07:43.000000000 -0500
-@@ -310,6 +310,10 @@
- 		}
- 		if (strcmp(pwbuf->pw_dir, "/") == 0)
- 			continue;
-+		if (strcmp(pwbuf->pw_dir, "/root") == 0) {
-+			continue;
-+		}
-+
- 		if (semanage_str_count(pwbuf->pw_dir, '/') <= 1)
- 			continue;
- 		if (!(path = strdup(pwbuf->pw_dir))) {
-@@ -803,6 +807,9 @@
- 			 * /root */
- 			continue;
- 		}
-+		if (strcmp(pwent->pw_dir, "/root") == 0) {
-+			continue;
-+		}
- 		if (push_user_entry(&head, name, seuname,
- 				    prefix, pwent->pw_dir) != STATUS_SUCCESS) {
- 			*errors = STATUS_ERR;
-diff --exclude-from=exclude -N -u -r nsalibsemanage/src/libsemanage.map libsemanage-2.0.43/src/libsemanage.map
---- nsalibsemanage/src/libsemanage.map	2009-10-29 15:21:39.000000000 -0400
-+++ libsemanage-2.0.43/src/libsemanage.map	2009-12-16 16:07:43.000000000 -0500
-@@ -6,10 +6,13 @@
- 	  semanage_module_install; semanage_module_install_file;
- 	  semanage_module_upgrade; semanage_module_upgrade_file;
- 	  semanage_module_install_base; semanage_module_install_base_file;
-+	  semanage_module_enable;
-+	  semanage_module_disable;
- 	  semanage_module_remove;
- 	  semanage_module_list; semanage_module_info_datum_destroy;
- 	  semanage_module_list_nth; semanage_module_get_name;
- 	  semanage_module_get_version; semanage_select_store;
-+	  semanage_module_get_enabled;
- 	  semanage_reload_policy; semanage_set_reload; semanage_set_rebuild;
- 	  semanage_user_*; semanage_bool_*; semanage_seuser_*;
- 	  semanage_iface_*; semanage_port_*; semanage_context_*;
-diff --exclude-from=exclude -N -u -r nsalibsemanage/src/Makefile libsemanage-2.0.43/src/Makefile
---- nsalibsemanage/src/Makefile	2009-12-01 15:46:50.000000000 -0500
-+++ libsemanage-2.0.43/src/Makefile	2009-12-16 16:07:47.000000000 -0500
-@@ -47,7 +47,7 @@
- LOBJS= $(patsubst %.c,%.lo,$(SRCS)) conf-scan.lo conf-parse.lo
- CFLAGS ?= -Wall -W -Wundef -Wshadow -Wmissing-noreturn -Wmissing-format-attribute -Wno-unused-parameter
- 
--override CFLAGS += -I../include -I$(INCLUDEDIR) -D_GNU_SOURCE 
-+override CFLAGS += -I../include -I$(INCLUDEDIR) -D_GNU_SOURCE -fPIC
- 
- SWIG = swig -Wall -python -o $(SWIGCOUT) -outdir ./
- 
-diff --exclude-from=exclude -N -u -r nsalibsemanage/src/module_internal.h libsemanage-2.0.43/src/module_internal.h
---- nsalibsemanage/src/module_internal.h	2008-08-28 09:34:24.000000000 -0400
-+++ libsemanage-2.0.43/src/module_internal.h	2009-12-16 16:07:43.000000000 -0500
-@@ -6,6 +6,7 @@
- 
- hidden_proto(semanage_module_get_name)
-     hidden_proto(semanage_module_get_version)
-+    hidden_proto(semanage_module_get_enabled)
-     hidden_proto(semanage_module_info_datum_destroy)
-     hidden_proto(semanage_module_list_nth)
- #endif
-diff --exclude-from=exclude -N -u -r nsalibsemanage/src/modules.c libsemanage-2.0.43/src/modules.c
---- nsalibsemanage/src/modules.c	2009-09-17 08:59:43.000000000 -0400
-+++ libsemanage-2.0.43/src/modules.c	2009-12-16 16:07:43.000000000 -0500
-@@ -154,6 +154,40 @@
- 	return sh->funcs->install_base_file(sh, module_name);
- }
- 
-+int semanage_module_enable(semanage_handle_t * sh, char *module_name)
-+{
-+	if (sh->funcs->enable == NULL) {
-+		ERR(sh, "No enable function defined for this connection type.");
-+		return -1;
-+	} else if (!sh->is_connected) {
-+		ERR(sh, "Not connected.");
-+		return -1;
-+	} else if (!sh->is_in_transaction) {
-+		if (semanage_begin_transaction(sh) < 0) {
-+			return -1;
-+		}
-+	}
-+	sh->modules_modified = 1;
-+	return sh->funcs->enable(sh, module_name);
-+}
-+
-+int semanage_module_disable(semanage_handle_t * sh, char *module_name)
-+{
-+	if (sh->funcs->disable == NULL) {
-+		ERR(sh, "No disable function defined for this connection type.");
-+		return -1;
-+	} else if (!sh->is_connected) {
-+		ERR(sh, "Not connected.");
-+		return -1;
-+	} else if (!sh->is_in_transaction) {
-+		if (semanage_begin_transaction(sh) < 0) {
-+			return -1;
-+		}
-+	}
-+	sh->modules_modified = 1;
-+	return sh->funcs->disable(sh, module_name);
-+}
-+
- int semanage_module_remove(semanage_handle_t * sh, char *module_name)
- {
- 	if (sh->funcs->remove == NULL) {
-@@ -209,6 +243,13 @@
- 
- hidden_def(semanage_module_get_name)
- 
-+int semanage_module_get_enabled(semanage_module_info_t * modinfo)
-+{
-+	return modinfo->enabled;
-+}
-+
-+hidden_def(semanage_module_get_enabled)
-+
- const char *semanage_module_get_version(semanage_module_info_t * modinfo)
- {
- 	return modinfo->version;
-diff --exclude-from=exclude -N -u -r nsalibsemanage/src/modules.h libsemanage-2.0.43/src/modules.h
---- nsalibsemanage/src/modules.h	2008-08-28 09:34:24.000000000 -0400
-+++ libsemanage-2.0.43/src/modules.h	2009-12-16 16:07:43.000000000 -0500
-@@ -26,6 +26,7 @@
- struct semanage_module_info {
- 	char *name;		/* Key */
- 	char *version;
-+	int enabled;
- };
- 
- #endif
-diff --exclude-from=exclude -N -u -r nsalibsemanage/src/policy.h libsemanage-2.0.43/src/policy.h
---- nsalibsemanage/src/policy.h	2009-01-13 08:45:35.000000000 -0500
-+++ libsemanage-2.0.43/src/policy.h	2009-12-16 16:07:43.000000000 -0500
-@@ -58,6 +58,12 @@
- 	/* Upgrade a policy module */
- 	int (*upgrade_file) (struct semanage_handle *, const char *);
- 
-+	/* Enable a policy module */
-+	int (*enable) (struct semanage_handle *, char *);
-+
-+	/* Disable a policy module */
-+	int (*disable) (struct semanage_handle *, char *);
-+
- 	/* Remove a policy module */
- 	int (*remove) (struct semanage_handle *, char *);
- 
-diff --exclude-from=exclude -N -u -r nsalibsemanage/src/semanage.conf libsemanage-2.0.43/src/semanage.conf
---- nsalibsemanage/src/semanage.conf	2008-08-28 09:34:24.000000000 -0400
-+++ libsemanage-2.0.43/src/semanage.conf	2009-12-16 16:07:43.000000000 -0500
-@@ -35,4 +35,4 @@
- # given in <sepol/policydb.h>.  Change this setting if a different
- # version is necessary.
- #policy-version = 19
--
-+expand-check=0
-diff --exclude-from=exclude -N -u -r nsalibsemanage/src/semanage_store.c libsemanage-2.0.43/src/semanage_store.c
---- nsalibsemanage/src/semanage_store.c	2009-10-29 15:21:39.000000000 -0400
-+++ libsemanage-2.0.43/src/semanage_store.c	2009-12-16 16:07:43.000000000 -0500
-@@ -57,6 +57,8 @@
- 
- #include "debug.h"
- 
-+const char *DISABLESTR=".disabled";
-+
- #define SEMANAGE_CONF_FILE "semanage.conf"
- /* relative path names to enum semanage_paths to special files and
-  * directories for the module store */
-@@ -433,6 +435,21 @@
- 	return 1;
- }
- 
-+int semanage_module_enabled(const char *file) {
-+	int len = strlen(file) - strlen(DISABLESTR);
-+	return (len < 0 || strcmp(&file[len], DISABLESTR) != 0);
-+}
-+
-+static int semanage_modulename_select(const struct dirent *d)
-+{
-+	if (d->d_name[0] == '.'
-+	    && (d->d_name[1] == '\0'
-+		|| (d->d_name[1] == '.' && d->d_name[2] == '\0')))
-+		return 0;
-+
-+	return semanage_module_enabled(d->d_name);
-+}
-+
- /* Copies a file from src to dst.  If dst already exists then
-  * overwrite it.  Returns 0 on success, -1 on error. */
- static int semanage_copy_file(const char *src, const char *dst, mode_t mode)
-@@ -599,15 +616,8 @@
- 	return -1;
- }
- 
--/* Scans the modules directory for the current semanage handler.  This
-- * might be the active directory or sandbox, depending upon if the
-- * handler has a transaction lock.  Allocates and fills in *filenames
-- * with an array of module filenames; length of array is stored in
-- * *len.  The caller is responsible for free()ing *filenames and its
-- * individual elements.	 Upon success returns 0, -1 on error.
-- */
--int semanage_get_modules_names(semanage_handle_t * sh, char ***filenames,
--			       int *len)
-+static int semanage_get_modules_names_filter(semanage_handle_t * sh, char ***filenames,
-+				      int *len, int (*filter)(const struct dirent *))
- {
- 	const char *modules_path;
- 	struct dirent **namelist = NULL;
-@@ -622,7 +632,7 @@
- 	*filenames = NULL;
- 	*len = 0;
- 	if ((num_files = scandir(modules_path, &namelist,
--				 semanage_filename_select, alphasort)) == -1) {
-+				 filter, alphasort)) == -1) {
- 		ERR(sh, "Error while scanning directory %s.", modules_path);
- 		goto cleanup;
- 	}
-@@ -663,6 +673,34 @@
- 	return retval;
- }
- 
-+/* Scans the modules directory for the current semanage handler.  This
-+ * might be the active directory or sandbox, depending upon if the
-+ * handler has a transaction lock.  Allocates and fills in *filenames
-+ * with an array of module filenames; length of array is stored in
-+ * *len.  The caller is responsible for free()ing *filenames and its
-+ * individual elements.	 Upon success returns 0, -1 on error.
-+ */
-+int semanage_get_modules_names(semanage_handle_t * sh, char ***filenames,
-+			       int *len)
-+{
-+	return semanage_get_modules_names_filter(sh, filenames,
-+						 len, semanage_filename_select);
-+}
-+
-+/* Scans the modules directory for the current semanage handler.  This
-+ * might be the active directory or sandbox, depending upon if the
-+ * handler has a transaction lock.  Allocates and fills in *filenames
-+ * with an array of module filenames; length of array is stored in
-+ * *len.  The caller is responsible for free()ing *filenames and its
-+ * individual elements.	 Upon success returns 0, -1 on error.
-+ */
-+int semanage_get_active_modules_names(semanage_handle_t * sh, char ***filenames,
-+			       int *len)
-+{
-+	return semanage_get_modules_names_filter(sh, filenames,
-+						 len, semanage_modulename_select);
-+}
-+
- /******************* routines that run external programs *******************/
- 
- /* Appends a single character to a string.  Returns a pointer to the
-@@ -1589,7 +1627,7 @@
- 	}
- 
- 	/* get list of modules and load them */
--	if (semanage_get_modules_names(sh, &module_filenames, &num_modules) ==
-+	if (semanage_get_active_modules_names(sh, &module_filenames, &num_modules) ==
- 	    -1 || semanage_load_module(sh, base_filename, base) == -1) {
- 		goto cleanup;
- 	}
-diff --exclude-from=exclude -N -u -r nsalibsemanage/src/semanage_store.h libsemanage-2.0.43/src/semanage_store.h
---- nsalibsemanage/src/semanage_store.h	2009-07-07 15:32:32.000000000 -0400
-+++ libsemanage-2.0.43/src/semanage_store.h	2009-12-16 16:07:43.000000000 -0500
-@@ -128,4 +128,6 @@
- 		     size_t buf_len,
- 		     char **sorted_buf, size_t * sorted_buf_len);
- 
-+extern const char *DISABLESTR;
-+
- #endif

libsemanage.spec

@@ -1,20 +1,36 @@
-%define libsepolver 2.0.37-1
-%define libselinuxver 2.0.0-1
-Summary: SELinux binary policy manipulation library 
-Name: libsemanage
-Version: 2.0.43
-Release: 4%{?dist}
-License: LGPLv2+
-Group: System Environment/Libraries
-Source: http://www.nsa.gov/selinux/archives/libsemanage-%{version}.tgz
-Patch: libsemanage-rhat.patch
-URL: http://www.selinuxproject.org
+%define libsepolver 3.1-5
+%define libselinuxver 3.1-5
 
-BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
-BuildRequires: libselinux-devel >= %{libselinuxver} swig ustr-devel
+Summary: SELinux binary policy manipulation library
+Name: libsemanage
+Version: 3.1
+Release: 5%{?dist}
+License: LGPLv2+
+Source0: https://github.com/SELinuxProject/selinux/releases/download/20200710/libsemanage-3.1.tar.gz
+# fedora-selinux/selinux: git format-patch -N libsemanage-3.1 -- libsemanage
+# i=1; for j in 00*patch; do printf "Patch%04d: %s\n" $i $j; i=$((i+1));done
+# Patch list start
+Patch0001: 0001-libsemanage-Remove-legacy-and-duplicate-symbols.patch
+Patch0002: 0002-libsemanage-Drop-deprecated-functions.patch
+Patch0003: 0003-libsemanage-Bump-libsemanage.so-version.patch
+Patch0004: 0004-libsemanage-Fix-RESOURCE_LEAK-and-USE_AFTER_FREE-cov.patch
+Patch0005: 0005-libsemanage-genhomedircon-check-usepasswd.patch
+# Patch list end
+URL: https://github.com/SELinuxProject/selinux/wiki
+Source1: semanage.conf
+
+BuildRequires: gcc make
+BuildRequires: libselinux-devel >= %{libselinuxver} swig
 BuildRequires: libsepol-devel >= %{libsepolver} 
-BuildRequires: python-devel bison flex bzip2-devel
-Requires: bzip2-libs
+BuildRequires: audit-libs-devel
+BuildRequires: bison flex bzip2-devel
+
+BuildRequires: python3
+BuildRequires: python3-devel
+
+Requires: bzip2-libs audit-libs
+Requires: libselinux%{?_isa} >= %{libselinuxver}
+Obsoletes: libsemanage-compat = 3.1-4
 
 %description
 Security-enhanced Linux is a feature of the Linux® kernel and a number
@@ -34,8 +50,7 @@ on binary policies such as customizing policy boolean settings.
 
 %package static
 Summary: Static library used to build policy manipulation tools
-Group: Development/Libraries
-Requires: libsemanage-devel = %{version}-%{release}
+Requires: libsemanage-devel%{_isa} = %{version}-%{release}
 
 %description static
 The semanage-static package contains the static libraries 
@@ -43,69 +58,620 @@ needed for developing applications that manipulate binary policies.
 
 %package devel
 Summary: Header files and libraries used to build policy manipulation tools
-Group: Development/Libraries
-Requires: libsemanage = %{version}-%{release} ustr
+Requires: %{name}%{?_isa} = %{version}-%{release}
 
 %description devel
 The semanage-devel package contains the libraries and header files
 needed for developing applications that manipulate binary policies. 
 
-%package python
-Summary: semanage python bindings for libsemanage
-Group: Development/Libraries
-Requires: libsemanage = %{version}-%{release} 
+%package -n python3-libsemanage
+Summary: semanage python 3 bindings for libsemanage
+Requires: %{name}%{?_isa} = %{version}-%{release}
+Requires: libselinux-python3
+%{?python_provide:%python_provide python3-libsemanage}
+# Remove before F30
+Provides: %{name}-python3 = %{version}-%{release}
+Provides: %{name}-python3%{?_isa} = %{version}-%{release}
+Obsoletes: %{name}-python3 < %{version}-%{release}
 
-%description python
-The libsemanage-python package contains the python bindings for developing 
-SELinux management applications. 
+%description -n python3-libsemanage
+The libsemanage-python3 package contains the python 3 bindings for developing
+SELinux management applications.
 
 %prep
-%setup -q
-%patch -p1 -b .rhat
+%autosetup -n libsemanage-%{version} -p 2
+
 
 %build
-make clean
-make CFLAGS="%{optflags}" swigify
-make CFLAGS="%{optflags}" LIBDIR="%{_libdir}" SHLIBDIR="%{_lib}" all pywrap
+%set_build_flags
+CFLAGS="$CFLAGS -fno-semantic-interposition"
 
+# To support building the Python wrapper against multiple Python runtimes
+# Define a function, for how to perform a "build" of the python wrapper against
+# a specific runtime:
+BuildPythonWrapper() {
+  BinaryName=$1
+
+  # Perform the build from the upstream Makefile:
+  make \
+    PYTHON=$BinaryName \
+    LIBDIR="%{_libdir}" SHLIBDIR="%{_lib}" \
+    pywrap
+}
+
+make clean
+make swigify
+%make_build LIBDIR="%{_libdir}" SHLIBDIR="%{_lib}" all
+
+BuildPythonWrapper \
+  %{__python3}
 
 %install
-rm -rf ${RPM_BUILD_ROOT}
-mkdir -p ${RPM_BUILD_ROOT}/%{_lib} 
-mkdir -p ${RPM_BUILD_ROOT}/%{_libdir} 
-mkdir -p ${RPM_BUILD_ROOT}%{_includedir} 
-make DESTDIR="${RPM_BUILD_ROOT}" LIBDIR="${RPM_BUILD_ROOT}%{_libdir}" SHLIBDIR="${RPM_BUILD_ROOT}/%{_lib}" install install-pywrap
-ln -sf  /%{_lib}/libsemanage.so.1 ${RPM_BUILD_ROOT}/%{_libdir}/libsemanage.so
+InstallPythonWrapper() {
+  BinaryName=$1
 
-%clean
-rm -rf ${RPM_BUILD_ROOT}
+  make \
+    PYTHON=$BinaryName \
+    DESTDIR="${RPM_BUILD_ROOT}" LIBDIR="%{_libdir}" SHLIBDIR="%{_libdir}" \
+    install-pywrap
+}
+
+mkdir -p ${RPM_BUILD_ROOT}%{_libdir}
+mkdir -p ${RPM_BUILD_ROOT}%{_includedir} 
+mkdir -p ${RPM_BUILD_ROOT}%{_sharedstatedir}/selinux
+mkdir -p ${RPM_BUILD_ROOT}%{_sharedstatedir}/selinux/tmp
+%make_install LIBDIR="%{_libdir}" SHLIBDIR="%{_libdir}"
+
+InstallPythonWrapper \
+  %{__python3} \
+  $(python3-config --extension-suffix)
+  
+cp %{SOURCE1} ${RPM_BUILD_ROOT}/etc/selinux/semanage.conf
 
 %files
-%defattr(-,root,root)
-%config(noreplace) /etc/selinux/semanage.conf
-/%{_lib}/libsemanage.so.1
+%{!?_licensedir:%global license %%doc}
+%license COPYING
+%dir %{_sysconfdir}/selinux
+%config(noreplace) %{_sysconfdir}/selinux/semanage.conf
+%{_libdir}/libsemanage.so.2
+%{_mandir}/man5/*
+%{_mandir}/ru/man5/*
+%dir %{_libexecdir}/selinux
+%dir %{_sharedstatedir}/selinux
+%dir %{_sharedstatedir}/selinux/tmp
 
-%post -p /sbin/ldconfig
-
-%postun -p /sbin/ldconfig
+%ldconfig_scriptlets
 
 %files static
-%defattr(-,root,root)
 %{_libdir}/libsemanage.a
 
 %files devel
-%defattr(-,root,root)
 %{_libdir}/libsemanage.so
 %{_libdir}/pkgconfig/libsemanage.pc
 %dir %{_includedir}/semanage
 %{_includedir}/semanage/*.h
 %{_mandir}/man3/*
 
-%files python
-%defattr(-,root,root)
-%{_libdir}/python*/site-packages/*
+%files -n python3-libsemanage
+%{python3_sitearch}/*.so
+%{python3_sitearch}/semanage.py*
+%{python3_sitearch}/__pycache__/semanage*
+%{_libexecdir}/selinux/semanage_migrate_store
 
 %changelog
+* Fri Nov 20 2020 Petr Lautrbach <plautrba@redhat.com> - 3.1-5
+- Drop and obsolete libsemanage-compat
+- genhomedircon: check usepasswd
+
+* Fri Oct 30 2020 Petr Lautrbach <plautrba@redhat.com> - 3.1-4
+- Drop deprecated functions and duplicated symbols
+- Change library version to libsemanage.so.2
+- Temporary ship -compat with libsemanage.so.1
+- Based on upstream db0f2f382e31
+- Re-enable lto flags
+
+* Mon Jul 13 2020 Tom Stellard <tstellar@redhat.com> - 3.1-2
+- Use make macros
+- https://fedoraproject.org/wiki/Changes/UseMakeBuildInstallMacro
+- Use -fno-semantic-interposition and more make macros
+
+* Fri Jul 10 2020 Petr Lautrbach <plautrba@redhat.com> - 3.1-1
+- SELinux userspace 3.1 release
+
+* Tue May 26 2020 Miro Hrončok <mhroncok@redhat.com> - 3.0-4
+- Rebuilt for Python 3.9
+
+* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 3.0-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Wed Jan 22 2020 Ondrej Mosnacek <omosnace@redhat.com> - 3.0-2
+- Enable policy optimization
+
+* Fri Dec  6 2019 Petr Lautrbach <plautrba@redhat.com> - 3.0-1
+- SELinux userspace 3.0 release
+
+* Mon Nov 11 2019 Petr Lautrbach <plautrba@redhat.com> - 3.0-0.rc1.1
+- SELinux userspace 3.0-rc1 release candidate
+
+* Thu Oct 03 2019 Miro Hrončok <mhroncok@redhat.com> - 2.9-5
+- Rebuilt for Python 3.8.0rc1 (#1748018)
+
+* Sun Aug 18 2019 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 2.9-4
+- Rebuilt for Python 3.8
+
+* Tue Aug 13 2019 Petr Lautrbach <plautrba@redhat.com> - 2.9-3
+- Drop python2-libsemanage (#1738466)
+
+* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.9-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Mon Mar 18 2019 Petr Lautrbach <plautrba@redhat.com> - 2.9-1
+- SELinux userspace 2.9 release
+
+* Mon Mar 11 2019 Petr Lautrbach <plautrba@redhat.com> - 2.9-0.rc2.1
+- SELinux userspace 2.9-rc2 release
+
+* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.9-0.rc1.1.1
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
+* Fri Jan 25 2019 Petr Lautrbach <plautrba@redhat.com> - 2.9-0.rc1.1
+- SELinux userspace 2.9-rc1 release
+
+* Mon Jan 21 2019 Petr Lautrbach <plautrba@redhat.com> - 2.8-8
+- Always set errno to 0 before calling getpwent()
+- Set selinux policy root around calls to selinux_boolean_sub
+
+* Mon Dec 10 2018 Petr Lautrbach <plautrba@redhat.com> - 2.8-7
+- genhomedircon - improve handling large groups
+
+* Tue Nov 13 2018 Petr Lautrbach <plautrba@redhat.com> - 2.8-6
+- Fix RESOURCE_LEAK and USE_AFTER_FREE coverity scan defects
+
+* Mon Sep 17 2018 Petr Lautrbach <plautrba@redhat.com> - 2.8-5
+- Include user name in ROLE_REMOVE audit events
+
+* Tue Sep  4 2018 Petr Lautrbach <plautrba@redhat.com> - 2.8-4
+- Reset umask before creating directories (#1186422)
+
+* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.8-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
+
+* Tue Jun 19 2018 Miro Hrončok <mhroncok@redhat.com> - 2.8-2
+- Rebuilt for Python 3.7
+
+* Fri May 25 2018 Petr Lautrbach <plautrba@redhat.com> - 2.8-1
+- SELinux userspace 2.8 release
+
+* Mon May 14 2018 Petr Lautrbach <plautrba@redhat.com> - 2.8-0.rc3.1
+- SELinux userspace 2.8-rc3 release candidate
+
+* Fri May  4 2018 Petr Lautrbach <plautrba@redhat.com> - 2.8-0.rc2.1
+- SELinux userspace 2.8-rc2 release candidate
+
+* Mon Apr 23 2018 Petr Lautrbach <plautrba@redhat.com> - 2.8-0.rc1.1
+- SELinux userspace 2.8-rc1 release candidate
+
+* Wed Mar 21 2018 Petr Lautrbach <plautrba@redhat.com> - 2.7-12
+- build: Replace PYSITEDIR with PYTHONLIBDIR
+- direct_api.c: Fix iterating over array (#1557468)
+
+* Fri Mar 16 2018 Petr Lautrbach <plautrba@workstation> - 2.7-11
+- Revert "remove access() check to make setuid programs work" (#1557468)
+
+* Tue Mar 13 2018 Petr Lautrbach <plautrba@redhat.com> - 2.7-10
+- properly check return value of iterate function
+- Use umask(0077) for fopen() write operations
+- Return commit number if save-previous false
+- Allow tmp files to be kept if a compile fails
+- build: follow standard semantics for DESTDIR and PREFIX
+- Improve warning for installing disabled module
+- silence clang static analyzer report
+- remove access() check to make setuid programs work
+
+* Fri Feb 09 2018 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 2.7-9
+- Escape macros in %%changelog
+
+* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.7-8
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
+
+* Sat Feb 03 2018 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 2.7-7
+- Switch to %%ldconfig_scriptlets
+
+* Tue Jan 09 2018 Iryna Shcherbina <ishcherb@redhat.com> - 2.7-6
+- Update Python 2 dependency declarations to new packaging standards
+  (See https://fedoraproject.org/wiki/FinalizingFedoraSwitchtoPython3)
+
+* Wed Nov 22 2017 Petr Lautrbach <plautrba@redhat.com> - 2.7-5
+- free genhomedircon fallback user
+- Rebuild with libsepol-2.7-3 and libselinux-2.7-6
+
+* Fri Oct 20 2017 Petr Lautrbach <plautrba@redhat.com> - 2.7-4
+- Add support for listing fcontext.homedirs file (#1409813)
+
+* Sun Aug 20 2017 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 2.7-3
+- Add Provides for the old names without %%_isa
+
+* Thu Aug 10 2017 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 2.7-2
+- Python 2 binary package renamed to python2-libsemanage
+  See https://fedoraproject.org/wiki/FinalizingFedoraSwitchtoPython3
+- Python 3 binary package renamed to python3-libsemanage
+
+* Mon Aug 07 2017 Petr Lautrbach <plautrba@redhat.com> - 2.7-1
+- Update to upstream release 2017-08-04
+- Use 'sefcontext_compile -r' when it's run during SELinux policy build
+
+* Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2.6-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
+
+* Wed Jul 26 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2.6-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
+
+* Fri Apr 28 2017 Petr Lautrbach <plautrba@redhat.com> - 2.6-4
+- Follow upstream and rename _semanage.so to _semanage.cpython-36m-x86_64-linux-gnu.so
+
+* Tue Apr 18 2017 Petr Lautrbach <plautrba@redhat.com> - 2.6-3
+- Do not list duplicate port entries after setting a boolean (#1439875)
+
+* Thu Mar 02 2017 Petr Lautrbach <plautrba@redhat.com> - 2.6-2
+- Fix FTBFS - fatal error (#1427903)
+
+* Mon Feb 20 2017 Petr Lautrbach <plautrba@redhat.com> - 2.6-1.1
+- Update to upstream release 2016-10-14
+
+* Fri Feb 10 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2.5-10
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
+
+* Fri Dec 09 2016 Charalampos Stratakis <cstratak@redhat.com> - 2.5-9
+- Rebuild for Python 3.6
+
+* Mon Oct 03 2016 Petr Lautrbach <plautrba@redhat.com> 2.5-8
+- Fixes bug preventing the installation of base modules
+- make distclean target work
+- Do not always print a module name warning
+- Use pp module name instead of filename when installing module
+- tests: Do not force using gcc
+- genhomedircon: remove hardcoded refpolicy strings
+- genhomedircon: add support for %%group syntax
+- genhomedircon: generate contexts for logins mapped to the default user
+- Validate and compile file contexts before installing
+- Swap tcp and udp protocol numbers
+
+* Mon Aug 01 2016 Petr Lautrbach <plautrba@redhat.com> 2.5-7
+- Rebuilt with libsepol-2.5-9 and libselinux-2.5-11
+
+* Tue Jul 19 2016 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.5-6
+- https://fedoraproject.org/wiki/Changes/Automatic_Provides_for_Python_RPM_Packages
+
+* Thu Jun 23 2016 Petr Lautrbach <plautrba@redhat.com> - 2.5-5
+- Sort object files for deterministic linking order
+- Support overriding Makefile RANLIB
+- Respect CC and PKG_CONFIG environment variable
+
+* Fri May 06 2016 Petr Lautrbach <plautrba@redhat.com> - 2.5-4
+- Fix multiple spelling errors
+- genhomedircon: %%{USERID} and %%{USERNAME} support and code cleanup
+
+* Mon Mar 21 2016 Petr Lautrbach <plautrba@redhat.com> - 2.5-3
+- Enable expand-check by default (#1319652)
+
+* Sun Feb 28 2016 Petr Lautrbach <plautrba@redhat.com> 2.5-2
+- Use fully versioned arch-specific requires
+
+* Tue Feb 23 2016 Petr Lautrbach <plautrba@redhat.com> 2.5-1
+- Update to upstream release 2016-02-23
+
+* Sun Feb 21 2016 Petr Lautrbach <plautrba@redhat.com> 2.5-0.1.rc1
+- Update to upstream rc1 release 2016-01-07
+
+* Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 2.4-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
+
+* Wed Nov 04 2015 Robert Kuska <rkuska@redhat.com> - 2.4-5
+- Rebuilt for Python3.5 rebuild
+
+* Fri Sep 04 2015 Petr Lautrbach <plautrba@redhat.com> 2.4-4
+- Save homedir_template in the policy store for genhomedircon
+  https://bugs.gentoo.org/558686
+
+* Fri Aug 14 2015 Adam Jackson <ajax@redhat.com> 2.4-3
+- Pass ldflags into the build so hardening works
+
+* Thu Jul 30 2015 Petr Lautrbach <plautrba@redhat.com> 2.4-2
+- semanage_migrate_store: use /usr/bin/python3
+- move semanage_migrate_store script to libsemanage-python3
+
+* Wed Jun 24 2015 Petr Lautrbach <plautrba@redhat.com> 2.4-0.6
+- Allow to use compressed modules without a compression extension
+
+* Wed Jun 17 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.3-7
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
+
+* Tue Jun 16 2015 Petr Lautrbach <plautrba@redhat.com> 2.4-0.5
+- add /var/lib/selinux/tmp directory
+
+* Tue May 12 2015 Petr Lautrbach <plautrba@redhat.com> 2.4-0.4
+- semanage_migrate_store: add -r <root> option for migrating inside chroots
+
+* Mon Apr 13 2015 Petr Lautrbach <plautrba@redhat.com> 2.4-0.3
+- Update to upstream release 2.4
+
+* Sun Aug 17 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.3-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
+
+* Wed Jul 30 2014 Miroslav Grepl <mgrepl@fedoraproject.org> - 2.3-5
+- Skip policy module re-link when only setting booleans.
+    * patch from Stephen Smalley
+
+* Fri Jul 18 2014 Tom Callaway <spot@fedoraproject.org> - 2.3-4
+- fix license handling
+
+* Sat Jun 07 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.3-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
+
+* Wed May 28 2014 Kalev Lember <kalevlember@gmail.com> - 2.3-2
+- Rebuilt for https://fedoraproject.org/wiki/Changes/Python_3.4
+
+* Tue May 6 2014 Dan Walsh <dwalsh@redhat.com> - 2.3-1
+- Update to upstream 
+	* Fix memory leak in semanage_genhomedircon from Thomas Hurd.
+
+* Sun Mar 30 2014 Dan Walsh <dwalsh@redhat.com> - 2.2-3
+- libsemanage: fix memory leak in semanage_genhomedircon
+- Patch from THomas Hurd
+
+* Tue Feb 11 2014 Dan Walsh <dwalsh@redhat.com> - 2.2-2
+- Move semanage.conf man page from devel package to main package
+
+* Thu Oct 31 2013 Dan Walsh <dwalsh@redhat.com> - 2.2-1
+- Update to upstream 
+	* Avoid duplicate list entries from Dan Walsh.
+	* Add audit support to libsemanage from Dan Walsh.
+	* Remove policy.kern and replace with symlink from Dan Walsh.
+	* Apply a MAX_UID check for genhomedircon from Laurent Bigonville.
+	* Fix man pages from Laurent Bigonville.
+
+* Wed Oct 16 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.10-14
+- Cleanup handling of missing mls_range to fix problems with useradd -Z
+- Fix auditing of login record changes, roles were not working correctly.
+Resolves: #952237
+
+* Fri Oct 4 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.10-13
+- Fix errors found by coverity
+Resolves: #952237
+
+* Wed Sep 25 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.10-12
+- Do not fail on missing SELinux User Record when adding login record
+
+* Mon Sep 23 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.10-11
+- Add msg to audit records
+
+* Thu Sep 19 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.10-10
+- Do not write error message to screen when looking for previous record for auditing.
+- Add mls_range from user record if the MLS range is not specified by the seuser add record.
+- Error out if seuser or mls range is not specified when adding user records
+
+* Mon Sep 9 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.10-9
+- Create symlink from policy.kern to active kernel.
+
+* Fri Sep 6 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.10-8
+- Unlink policy.kern when done to save space.
+
+* Fri Jul 26 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.10-7
+- Move handling of role audit records into the library
+- Patch stops semanage from removing user record while in use
+
+* Tue Jul 9 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.10-6
+- Remove dependance on selinux-policy, /etc/selinux should be owned by libsemanage, and selinux-policy can require it.
+
+* Fri Jun 28 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.10-5
+- Allways build python3 version
+
+* Mon Apr 22 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.10-4
+- 
+
+* Thu Apr 11 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.10-3
+- Fix test suite to build
+
+* Thu Feb 14 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.10-2
+- Revert some changes which are causing the wrong policy version file to be created
+
+* Thu Feb 7 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.10-1
+- Update to upstream 
+	* Add sefcontext_compile to compile regex everytime policy is rebuilt
+	* Cleanup/fix enable/disable/remove module.
+	* redo genhomedircon minuid
+	* fixes from coverity
+	* semanage_store: do not leak memory in semanage_exec_prog
+	* genhomedircon: remove useless conditional in get_home_dirs
+	* genhomedircon: double free in get_home_dirs
+	* fcontext_record: do not leak on error in semanage_fcontext_key_create
+	* genhomedircon: do not leak on failure in write_gen_home_dir_context
+	* semanage_store: do not leak fd 
+	* genhomedircon: do not leak shells list
+	* semanage_store: do not leak on strdup failure 
+	* semanage_store: rewrite for readability
+
+* Wed Jan 16 2013 Dan Walsh <dwalsh@redhat.com> 2.1.9-4
+- Add selinux-policy as a requires to get /etc/selinux owned
+
+* Sat Jan 5 2013 Dan Walsh <dwalsh@redhat.com> 2.1.9-3
+- Update to latest patches from eparis/Upstream
+-    libsemanage: fixes from coverity
+-    libsemange: redo genhomedircon minuid
+
+* Wed Nov 21 2012 Dan Walsh <dwalsh@redhat.com> - 2.1.9-2
+- Fix handling of missing semanage permissive -d foo, not failing correctly
+- Previous to this fix the first module beginning with foo would get deleted.
+
+* Thu Sep 13 2012 Dan Walsh <dwalsh@redhat.com> - 2.1.9-1
+- Update to upstream 
+	* libsemanage: do not set soname needlessly
+	* libsemanage: remove PYTHONLIBDIR and ruby equivalent
+	* do boolean name substitution
+	* Fix segfault for building standard policies.
+
+* Fri Aug 03 2012 David Malcolm <dmalcolm@redhat.com> - 2.1.8-6
+- rebuild for https://fedoraproject.org/wiki/Features/Python_3.3
+
+* Wed Aug  1 2012 David Malcolm <dmalcolm@redhat.com> - 2.1.8-5
+- remove rhel logic from with_python3 conditional
+
+* Thu Jul 19 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.1.8-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
+
+* Fri Jul 13 2012 Dan Walsh <dwalsh@redhat.com> - 2.1.8-3
+- Attempt to allocate memory for selinux_binary_policy_path and free memory 
+- allocated by asprintf.
+
+* Thu Jul 12 2012 Dan Walsh <dwalsh@redhat.com> - 2.1.8-2
+- Fix asprintf within an asprintf call
+
+* Wed Jul 4 2012 Dan Walsh <dwalsh@redhat.com> - 2.1.8-1
+- Update to upstream 
+	* remove build warning when build swig c files
+	* additional makefile support for rubywrap
+	* ignore 80 column limit for readability
+	* semanage_store: fix snprintf length argument by using asprintf
+	* Use default semanage.conf as a fallback
+	* use after free in python bindings
+
+* Tue May 29 2012 Dan Walsh <dwalsh@redhat.com> - 2.1.7-2
+- Apply patch from Sven Vermeulen to fix problem with python3 bindings.
+
+* Thu Mar 29 2012 Dan Walsh <dwalsh@redhat.com> - 2.1.7-1
+- Update to upstream 
+	* Alternate path for semanage.conf
+	* do not link against libpython, this is considered bad in Debian
+	* Allow to build for several ruby version
+	* fallback-user-level
+
+* Wed Feb 15 2012 Dan Walsh <dwalsh@redhat.com> - 2.1.6-3
+- Check in correct patch.
+
+* Fri Jan 13 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.1.6-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
+
+* Fri Jan 6 2012 Dan Walsh <dwalsh@redhat.com> - 2.1.6-2
+- Add patch form Xin Ouyang to make library use private semanage.conf 
+
+* Wed Dec 21 2011 Dan Walsh <dwalsh@redhat.com> - 2.1.6-1
+-Update to upstream
+	* add ignoredirs config for genhomedircon
+	* Fallback_user_level can be NULL if you are not using MLS
+
+* Thu Dec 15 2011 Dan Walsh <dwalsh@redhat.com> - 2.1.5-4
+- Rebuild with latest libsepol
+
+* Thu Dec 15 2011 Dan Walsh <dwalsh@redhat.com> - 2.1.5-3
+- Rebuild with latest libsepol
+
+* Thu Dec 15 2011 Dan Walsh <dwalsh@redhat.com> - 2.1.5-2
+- Add support for ignoredirs param in /etc/selinux/semanage.conf
+
+* Fri Nov 4 2011 Dan Walsh <dwalsh@redhat.com> - 2.1.5-1
+- Upgrade to upstream
+	* regenerate .pc on VERSION change
+	* maintain mode even if umask is tighter
+	* semanage.conf man page
+	* create man5dir if not exist
+
+* Wed Oct 19 2011 Dan Walsh <dwalsh@redhat.com> - 2.1.4-2
+-    Fix handling of umask, so files get created with the correct label.
+
+* Mon Sep 19 2011 Dan Walsh <dwalsh@redhat.com> - 2.1.4-2
+-    Add Guido Trentalancia semanage.conf man page
+
+* Mon Sep 19 2011 Dan Walsh <dwalsh@redhat.com> - 2.1.4-1
+-Update to upstream
+	* Create a new preserve_tunables flag
+	* tree: default make target to all not
+	* fix semanage_store_access_check calling arguments
+
+* Wed Sep 14 2011 Dan Walsh <dwalsh@redhat.com> - 2.1.3-2
+- Add support for preserving tunables
+
+* Tue Aug 30 2011 Dan Walsh <dwalsh@redhat.com> - 2.1.3-1
+-Update to upstream
+	* python wrapper makefile changes
+
+* Thu Aug 18 2011 Dan Walsh <dwalsh@redhat.com> - 2.1.2-1
+-Update to upstream
+2.1.2 2011-08-17
+	* print error debug info for buggy fc
+	* introduce semanage_set_root and friends
+	* throw exceptions in python rather than return
+	* python3 support.
+	* patch for MCS/MLS in user files
+
+2.1.1 2011-08-01
+	* Remove generated files, expand .gitignore
+	* Use -Werror and change a few prototypes to support it
+
+* Thu Jul 28 2011 Dan Walsh <dwalsh@redhat.com> - 2.1.0-1
+- Update to upstream
+	* Release, minor version bump
+
+* Wed Jun 8 2011 Dan Walsh <dwalsh@redhat.com> - 2.0.46-6
+- More fixes for disabled modules
+
+* Tue Jun 7 2011 Dan Walsh <dwalsh@redhat.com> - 2.0.46-5
+- Change libsemanage mechanism for handling disabled modules. Now it will only create a flag for a module 
+indicating the module is disabled.  MODULE.pp.disabled, it will no longer rename the module.  This way we can
+ship active modules in rpm.
+
+* Wed Jun 1 2011 Dan Walsh <dwalsh@redhat.com> - 2.0.46-4
+- Add semanage_set_selinux_path, to allow semodule to work on alternate selinux pools
+
+* Tue Feb 08 2011 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.0.46-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
+
+* Thu Dec 30 2010 David Malcolm <dmalcolm@redhat.com> - 2.0.46-2
+- big reworking of the support-multiple-python-builds patch to deal with
+PEP 3149: the latest Python 3.2 onwards uses include paths and library names
+that don't fit prior naming patterns, and so we must query python3-config for
+this information.  To complicate things further, python 2's python-config
+doesn't understand all of the options needed ("--extension-suffix").  I've
+thus added new Makefile variables as needed, to be supplied by the specfile by
+invoking the appropriate config tool (or by hardcoding the old value for
+"--extension-suffix" i.e. ".so")
+- rework python3 manifest for PEP 3149, and rebuild for newer python3
+
+* Tue Dec 21 2010 Dan Walsh <dwalsh@redhat.com> - 2.0.46-1
+- Update to upstream
+  * Fix compliation under GCC 4.6 by Justin Mattock
+
+* Wed Aug 25 2010 Thomas Spura <tomspur@fedoraproject.org> - 2.0.45-6
+- rebuild with python3.2
+  http://lists.fedoraproject.org/pipermail/devel/2010-August/141368.html
+
+* Wed Jul 21 2010 David Malcolm <dmalcolm@redhat.com> - 2.0.45-5
+- Rebuilt for https://fedoraproject.org/wiki/Features/Python_2.7/MassRebuild
+
+* Tue Apr 27 2010 David Malcolm <dmalcolm@redhat.com> - 2.0.45-4
+- add python3 subpackage
+
+* Wed Apr 7 2010 Dan Walsh <dwalsh@redhat.com> - 2.0.45-3
+- Fix -devel package to point at the correct shared library
+
+* Fri Mar 26 2010 Dan Walsh <dwalsh@redhat.com> - 2.0.45-2
+- Move shared library to /usr/lib
+
+* Mon Mar 8 2010 Dan Walsh <dwalsh@redhat.com> - 2.0.45-1
+- Update to upstream
+	* Add enable/disable patch support from Dan Walsh.
+	* Add usepasswd flag to semanage.conf to disable genhomedircon using
+	  passwd from Dan Walsh.
+	* regenerate swig wrappers
+
+* Thu Feb 25 2010 Dan Walsh <dwalsh@redhat.com> - 2.0.44-2
+- Allow disable of usepasswd
+
+* Wed Feb 17 2010 Dan Walsh <dwalsh@redhat.com> - 2.0.44-1
+- Update to upstream
+	* Replace usage of fmemopen() with sepol_policy_file_set_mem() since
+	  glibc < 2.9 does not support binary mode ('b') for fmemopen'd
+	  streams.
+
 * Thu Jan 28 2010 Dan Walsh <dwalsh@redhat.com> - 2.0.43-4
 - Cleanup spec file
 
@@ -161,11 +727,11 @@ rm -rf ${RPM_BUILD_ROOT}
 - Make sure /root is not used in genhomedircon
 
 * Wed Aug 5 2009 Dan Walsh <dwalsh@redhat.com> - 2.0.35-1
-  * Revert hard linking of files between tmp/active/previous.
-  * Enable configuration of bzip behavior from Stephen Smalley.
-    bzip-blocksize=0 to disable compression and decompression support.
-    bzip-blocksize=1..9 to set the blocksize for compression.
-    bzip-small=true to reduce memory usage for decompression.
+- Revert hard linking of files between tmp/active/previous.
+- Enable configuration of bzip behavior from Stephen Smalley.
+-   bzip-blocksize=0 to disable compression and decompression support.
+-   bzip-blocksize=1..9 to set the blocksize for compression.
+-   bzip-small=true to reduce memory usage for decompression.
 
 * Sat Jul 25 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.0.33-3
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
@@ -204,7 +770,7 @@ rm -rf ${RPM_BUILD_ROOT}
 - Rebuild for Python 2.6
 
 * Thu Dec 4 2008 Dan Walsh <dwalsh@redhat.com> - 2.0.30-1
-  * Add semanage_mls_enabled() interface from Stephen Smalley.
+- Add semanage_mls_enabled() interface from Stephen Smalley.
 
 * Sat Nov 29 2008 Ignacio Vazquez-Abrams <ivazqueznet+rpm@gmail.com> - 2.0.29-2
 - Rebuild for Python 2.6
@@ -231,12 +797,12 @@ rm -rf ${RPM_BUILD_ROOT}
   * Modify genhomedircon to skip groupname entries.
   Ultimately we need to expand them to the list of users to support per-role homedir labeling when using the groupname syntax.
 
-* Wed Jul 29 2008 Dan Walsh <dwalsh@redhat.com> - 2.0.26-1
+* Tue Jul 29 2008 Dan Walsh <dwalsh@redhat.com> - 2.0.26-1
 - Update to upstream
   * Fix bug in genhomedircon fcontext matches logic from Dan Walsh.
   Strip any trailing slash before appending /*$.
 
-* Thu Jun 17 2008 Dan Walsh <dwalsh@redhat.com> - 2.0.25-3
+* Tue Jun 17 2008 Dan Walsh <dwalsh@redhat.com> - 2.0.25-3
 - Another fix for genhomedircon
 
 * Wed May 28 2008 Tom "spot" Callaway <tcallawa@redhat.com> - 2.0.25-2
@@ -364,18 +930,18 @@ rm -rf ${RPM_BUILD_ROOT}
 
 * Wed Apr 25 2007 Dan Walsh <dwalsh@redhat.com> - 2.0.2-1
 - Upgrade to latest from NSA
-  * Merged optimizations from Stephen Smalley.
-    - do not set all booleans upon commit, only those whose values have changed
-    - only install the sandbox upon commit if something was rebuilt
+- Merged optimizations from Stephen Smalley.
+-    do not set all booleans upon commit, only those whose values have changed
+-    only install the sandbox upon commit if something was rebuilt
 
 * Sat Mar 17 2007 Dan Walsh <dwalsh@redhat.com> - 2.0.1-2
 - Add SELinux to Man page Names so man -k will work
 
 * Mon Mar 12 2007 Dan Walsh <dwalsh@redhat.com> - 2.0.1-1
-  * Merged dbase_file_flush patch from Dan Walsh.
-    This removes any mention of specific tools (e.g. semanage)
-    from the comment header of the auto-generated files,
-    since there are multiple front-end tools.
+- Merged dbase_file_flush patch from Dan Walsh.
+- This removes any mention of specific tools (e.g. semanage)
+- from the comment header of the auto-generated files,
+- since there are multiple front-end tools.
 
 * Tue Feb 20 2007 Dan Walsh <dwalsh@redhat.com> - 2.0.0-1
 - Upgrade to latest from NSA
@@ -606,14 +1172,14 @@ rm -rf ${RPM_BUILD_ROOT}
     bug noticed by Steve Grubb.
   * Merged cleanups after add/set removal patch from Ivan Gyurdiev.
 
-* Fri Jan 7 2006 Dan Walsh <dwalsh@redhat.com> 1.5.9-1
+* Sat Jan 7 2006 Dan Walsh <dwalsh@redhat.com> 1.5.9-1
 - Upgrade to latest from NSA
   * Merged const in APIs patch from Ivan Gyurdiev.
   * Merged validation of local file contexts patch from Ivan Gyurdiev.
   * Merged compare2 function patch from Ivan Gyurdiev.
   * Merged hidden def/proto update patch from Ivan Gyurdiev.
 
-* Thu Jan 6 2006 Dan Walsh <dwalsh@redhat.com> 1.5.8-1
+* Fri Jan 6 2006 Dan Walsh <dwalsh@redhat.com> 1.5.8-1
 - Upgrade to latest from NSA
   * Re-applied string and file optimization patch from Russell Coker,
     with bug fix.
@@ -621,7 +1187,7 @@ rm -rf ${RPM_BUILD_ROOT}
   * Clarified error messages from parse_module_headers and 
     parse_base_headers for base/module mismatches.
 
-* Thu Jan 6 2006 Dan Walsh <dwalsh@redhat.com> 1.5.6-1
+* Fri Jan 6 2006 Dan Walsh <dwalsh@redhat.com> 1.5.6-1
 - Upgrade to latest from NSA
   * Clarified error messages from parse_module_headers and 
     parse_base_headers for base/module mismatches.
@@ -634,10 +1200,10 @@ rm -rf ${RPM_BUILD_ROOT}
   * Merged man pages for dbase functions patch from Ivan Gyurdiev.
   * Merged pywrap tests patch from Ivan Gyurdiev.
 
-* Wed Jan 5 2006 Dan Walsh <dwalsh@redhat.com> 1.5.4-2
+* Thu Jan 5 2006 Dan Walsh <dwalsh@redhat.com> 1.5.4-2
 - Patch to fix add
 
-* Wed Jan 5 2006 Dan Walsh <dwalsh@redhat.com> 1.5.4-1
+* Thu Jan 5 2006 Dan Walsh <dwalsh@redhat.com> 1.5.4-1
 - Upgrade to latest from NSA
   * Merged patch series from Ivan Gyurdiev.
     This includes patches to:
@@ -714,7 +1280,7 @@ rm -rf ${RPM_BUILD_ROOT}
 * Wed Nov 23 2005 Dan Walsh <dwalsh@redhat.com> 1.3.56-2
 - Add additional swig objects
 
-* Fri Nov 16 2005 Dan Walsh <dwalsh@redhat.com> 1.3.56-1
+* Wed Nov 16 2005 Dan Walsh <dwalsh@redhat.com> 1.3.56-1
 - Upgrade to latest from NSA
   * Fixed free->key_free bug.
   * Merged clear obsolete patch from Ivan Gyurdiev.
@@ -976,5 +1542,3 @@ rm -rf ${RPM_BUILD_ROOT}
 
 - Initial version
 - Created by Stephen Smalley <sds@epoch.ncsc.mil> 
-
-

semanage.conf

@@ -0,0 +1,58 @@
+# Authors: Jason Tang <jtang@tresys.com>
+#
+# Copyright (C) 2004-2005 Tresys Technology, LLC
+#
+#  This library is free software; you can redistribute it and/or
+#  modify it under the terms of the GNU Lesser General Public
+#  License as published by the Free Software Foundation; either
+#  version 2.1 of the License, or (at your option) any later version.
+#
+#  This library is distributed in the hope that it will be useful,
+#  but WITHOUT ANY WARRANTY; without even the implied warranty of
+#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+#  Lesser General Public License for more details.
+#
+#  You should have received a copy of the GNU Lesser General Public
+#  License along with this library; if not, write to the Free Software
+#  Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+#
+# Specify how libsemanage will interact with a SELinux policy manager.
+# The four options are:
+#
+#  "source"     - libsemanage manipulates a source SELinux policy
+#  "direct"     - libsemanage will write directly to a module store.
+#  /foo/bar     - Write by way of a policy management server, whose
+#                 named socket is at /foo/bar.  The path must begin
+#                 with a '/'.
+#  foo.com:4242 - Establish a TCP connection to a remote policy
+#                 management server at foo.com.  If there is a colon
+#                 then the remainder is interpreted as a port number;
+#                 otherwise default to port 4242.
+module-store = direct
+
+# When generating the final linked and expanded policy, by default
+# semanage will set the policy version to POLICYDB_VERSION_MAX, as
+# given in <sepol/policydb.h>.  Change this setting if a different
+# version is necessary.
+#policy-version = 19
+
+# expand-check check neverallow rules when executing all semanage
+# commands. There might be a penalty in execution time if this
+# option is enabled.
+expand-check=0
+
+# usepasswd check tells semanage to scan all pass word records for home directories
+# and setup the labeling correctly.  If this is turned off, SELinux will label /home 
+# correctly only.  You will need to use semanage fcontext command.  
+# For example, if you had home dirs in /althome directory you would have to execute
+# semanage fcontext -a -e /home /althome
+usepasswd=False
+bzip-small=true
+bzip-blocksize=5
+ignoredirs=/root
+optimize-policy=true
+
+[sefcontext_compile]
+path = /usr/sbin/sefcontext_compile
+args = -r $@
+[end]

sources

@@ -1 +1 @@
-fb11e8dfb69cefbd014419804df82294  libsemanage-2.0.43.tgz
+SHA512 (libsemanage-3.1.tar.gz) = 8609ca7d13b5c603677740f2b14558fea3922624af182d20d618237ba11fcf2559fab82fc68d1efa6ff118f064d426f005138521652c761de92cd66150102197

tests/semanage-handle-functions/Makefile

@@ -0,0 +1,63 @@
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   Makefile of /CoreOS/libsemanage/Sanity/semanage-handle-functions
+#   Description: Test functions from handle.h
+#   Author: Jan Zarsky <jzarsky@redhat.com>
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   Copyright (c) 2017 Red Hat, Inc.
+#
+#   This program is free software: you can redistribute it and/or
+#   modify it under the terms of the GNU General Public License as
+#   published by the Free Software Foundation, either version 2 of
+#   the License, or (at your option) any later version.
+#
+#   This program is distributed in the hope that it will be
+#   useful, but WITHOUT ANY WARRANTY; without even the implied
+#   warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+#   PURPOSE.  See the GNU General Public License for more details.
+#
+#   You should have received a copy of the GNU General Public License
+#   along with this program. If not, see http://www.gnu.org/licenses/.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+export TEST=/CoreOS/libsemanage/Sanity/semanage-handle-functions
+export TESTVERSION=1.0
+
+BUILT_FILES=
+
+FILES=$(METADATA) runtest.sh Makefile PURPOSE functions.c test_*.c
+
+.PHONY: all install download clean
+
+run: $(FILES) build
+	./runtest.sh
+
+build: $(BUILT_FILES)
+	test -x runtest.sh || chmod a+x runtest.sh
+
+clean:
+	rm -f *~ $(BUILT_FILES)
+
+
+include /usr/share/rhts/lib/rhts-make.include
+
+$(METADATA): Makefile
+	@echo "Owner:           Jan Zarsky <jzarsky@redhat.com>" > $(METADATA)
+	@echo "Name:            $(TEST)" >> $(METADATA)
+	@echo "TestVersion:     $(TESTVERSION)" >> $(METADATA)
+	@echo "Path:            $(TEST_DIR)" >> $(METADATA)
+	@echo "Description:     Test functions from handle.h" >> $(METADATA)
+	@echo "Type:            Sanity" >> $(METADATA)
+	@echo "TestTime:        5m" >> $(METADATA)
+	@echo "RunFor:          libsemanage" >> $(METADATA)
+	@echo "Requires:        libsemanage libsemanage-devel glibc gcc" >> $(METADATA)
+	@echo "Priority:        Normal" >> $(METADATA)
+	@echo "License:         GPLv2+" >> $(METADATA)
+	@echo "Confidential:    no" >> $(METADATA)
+	@echo "Destructive:     no" >> $(METADATA)
+	@echo "Releases:        -RHEL4 -RHELClient5 -RHELServer5" >> $(METADATA)
+
+	rhts-lint $(METADATA)

tests/semanage-handle-functions/PURPOSE

@@ -0,0 +1,3 @@
+PURPOSE of /CoreOS/libsemanage/Sanity/semanage-handle-functions
+Description: Test functions from handle.h
+Author: Jan Zarsky <jzarsky@redhat.com>

tests/semanage-handle-functions/functions.c

@@ -0,0 +1,132 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <errno.h>
+#include <semanage/semanage.h>
+
+void check_result_int(const char *expected, int real) {
+    int exp = strtol(expected, NULL, 10);
+
+    if (exp != real) {
+        fprintf(stderr, "Expected %d but got %d\n", exp, real);
+        exit(1);
+    }
+}
+
+semanage_handle_t *test_handle_create() {
+    semanage_handle_t *sh = NULL;
+
+    sh = semanage_handle_create();
+    printf("semanage_handle_create(): %p\n", (void *) sh);
+
+    if (sh == NULL) {
+        perror("semanage_handle_create");
+        exit(1);
+    }
+
+    return sh;
+}
+
+int test_connect(semanage_handle_t *sh) {
+    int result = semanage_connect(sh);
+    printf("semanage_connect(%p): %d\n", (void *) sh, result);
+
+    if (result != 0) {
+        perror("semanage_connect");
+        exit(1);
+    }
+
+    return result;
+}
+
+int test_disconnect(semanage_handle_t *sh) {
+    int result = semanage_disconnect(sh);
+    printf("semanage_disconnect(%p): %d\n", (void *) sh, result);
+
+    if (result != 0) {
+        perror("semanage_disconnect");
+        exit(1);
+    }
+
+    return result;
+}
+
+int test_begin_transaction(semanage_handle_t *sh) {
+    int result = semanage_begin_transaction(sh);
+    printf("semanage_begin_transaction(%p): %d\n", (void *) sh, result);
+
+    if (result != 0) {
+        perror("semanage_begin_transaction");
+        exit(1);
+    }
+
+    return result;
+}
+
+int test_commit(semanage_handle_t *sh) {
+    int result = semanage_commit(sh);
+    printf("semanage_commit(%p): %d\n", (void *) sh, result);
+
+    if (result != 0) {
+        perror("semanage_commit");
+        exit(1);
+    }
+
+    return result;
+}
+
+#define STATE_INIT      1
+#define STATE_HANDLE    2
+#define STATE_CONN      3
+#define STATE_TRANS     4
+
+int get_state(const char *state_str) {
+    if (strcmp(state_str, "init") == 0)
+        return STATE_INIT;
+    if (strcmp(state_str, "handle") == 0)
+        return STATE_HANDLE;
+    if (strcmp(state_str, "conn") == 0)
+        return STATE_CONN;
+    if (strcmp(state_str, "trans") == 0)
+        return STATE_TRANS;
+
+    return 0;
+}
+
+semanage_handle_t * get_handle(const char *state_str) {
+    int state;
+    semanage_handle_t *sh = NULL;
+
+    state = get_state(state_str);
+
+    if (state >= STATE_INIT)
+        sh = NULL;
+
+    if (state >= STATE_HANDLE)
+        sh = test_handle_create();
+
+    if (state >= STATE_CONN)
+        test_connect(sh);
+
+    if (state >= STATE_TRANS)
+        test_begin_transaction(sh);
+
+    return sh;
+}
+
+void destroy_handle(semanage_handle_t *sh, const char *state_str) {
+    int state;
+
+    state = get_state(state_str);
+
+    if (state >= STATE_TRANS)
+        test_commit(sh);
+
+    if (state >= STATE_CONN)
+        test_disconnect(sh);
+
+    if (state >= STATE_HANDLE) {
+        semanage_handle_destroy(sh);
+        printf("semanage_handle_destroy(%p)\n", (void *) sh);
+    }
+}

tests/semanage-handle-functions/plan.txt

@@ -0,0 +1,29 @@
+                                        init    handle  conn    trans
+semanage_set_root                   x   ok      ok      ok      -
+semanage_root                       x   ok      ok      ok      -
+semanage_handle_create              x   ok      -       -       -        
+semanage_set_rebuild                    fail    ok      ok      -
+semanage_set_reload                     fail    ok      ok      -
+semanage_get_hll_compiler_path          fail    ?       ?       -
+semanage_set_create_store               fail    ok      ok      -       should be called after connect
+semanage_get_disable_dontaudit          fail    ?       ?       -
+semanage_set_disable_dontaudit          fail    ?       ?       -
+semanage_get_preserve_tunables          fail    ?       ?       -
+semanage_set_preserve_tunables          fail    ?       ?       -
+semanage_get_ignore_module_cache        fail    ?       ?       -
+semanage_set_ignore_module_cache        fail    ?       ?       -
+semanage_set_check_contexts             fail    ok      ok      -
+semanage_get_default_priority           fail    ok      ok      -
+semanage_set_default_priority           fail    ok      ok      -
+semanage_is_connected               x   fail    ok      ok      -
+semanage_select_store                   fail    ok      ok      -       should be called before connect
+semanage_set_store_root                 fail    ok      ok      -
+semanage_is_managed                 x   fail    ok      fail    -
+semanage_mls_enabled                x   fail    ?       ok      -
+semanage_connect                    x   fail    ok      ?       -
+semanage_access_check               x   fail    ok      ?       -
+semanage_disconnect                 x   fail    fail    ok      -       ok when disconnected twice
+semanage_handle_destroy             x   fail    ok      ok      -
+semanage_begin_transaction          x   fail    fail    ok      ok      ok when begin twice
+semanage_commit                     x   fail    fail    fail    ok
+semanage_reload_policy                  fail    ?       ?       ?

tests/semanage-handle-functions/runtest.sh

@@ -0,0 +1,122 @@
+#!/bin/bash
+# vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   runtest.sh of /CoreOS/libsemanage/Sanity/semanage-handle-functions
+#   Description: Test functions from handle.h
+#   Author: Jan Zarsky <jzarsky@redhat.com>
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   Copyright (c) 2017 Red Hat, Inc.
+#
+#   This program is free software: you can redistribute it and/or
+#   modify it under the terms of the GNU General Public License as
+#   published by the Free Software Foundation, either version 2 of
+#   the License, or (at your option) any later version.
+#
+#   This program is distributed in the hope that it will be
+#   useful, but WITHOUT ANY WARRANTY; without even the implied
+#   warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+#   PURPOSE.  See the GNU General Public License for more details.
+#
+#   You should have received a copy of the GNU General Public License
+#   along with this program. If not, see http://www.gnu.org/licenses/.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+# Include Beaker environment
+. /usr/bin/rhts-environment.sh || exit 1
+. /usr/share/beakerlib/beakerlib.sh || exit 1
+
+PACKAGE="libsemanage"
+
+rlJournalStart
+    rlPhaseStartSetup
+        rlAssertRpm ${PACKAGE}
+        rlAssertRpm ${PACKAGE}-devel
+        rlAssertRpm "glibc"
+        rlAssertRpm "gcc"
+
+        if rlIsRHEL ">=7" || rlIsFedora; then
+            rlRun -l "gcc test_root.c           -o test_root            -lsemanage -Wall -Wextra -std=c99"
+        fi
+
+        rlRun -l "gcc test_handle_create.c  -o test_handle_create   -lsemanage -Wall -Wextra -Wno-unused-parameter -std=c99"
+        rlRun -l "gcc test_access_check.c   -o test_access_check    -lsemanage -Wall -Wextra -std=c99"
+        rlRun -l "gcc test_is_managed.c     -o test_is_managed      -lsemanage -Wall -Wextra -std=c99"
+        rlRun -l "gcc test_connect.c        -o test_connect         -lsemanage -Wall -Wextra -std=c99"
+        rlRun -l "gcc test_is_connected.c   -o test_is_connected    -lsemanage -Wall -Wextra -std=c99"
+        rlRun -l "gcc test_mls_enabled.c    -o test_mls_enabled     -lsemanage -Wall -Wextra -std=c99"
+        rlRun -l "gcc test_transaction.c    -o test_transaction     -lsemanage -Wall -Wextra -std=c99"
+
+        ERR_FAIL=1
+        ERR_ABORT=134
+    rlPhaseEnd
+
+    if rlIsRHEL ">=7" || rlIsFedora; then
+    rlPhaseStartTest "semanage_root, semanage_test_root"
+        rlRun "./test_root init"
+        rlRun "./test_root handle"
+        rlRun "./test_root conn"
+        rlRun "./test_root init /somepath"
+        rlRun "./test_root handle /somepath"
+        rlRun "./test_root conn /somepath"
+    rlPhaseEnd
+    fi
+
+    rlPhaseStartTest "semanage_handle_create, semanage_handle_destroy"
+        rlRun "./test_handle_create init"
+    rlPhaseEnd
+
+    rlPhaseStartTest "semanage_access_check"
+        rlRun "./test_access_check init" $ERR_ABORT
+        rlRun "./test_access_check handle 2"
+        rlRun "./test_access_check conn 2"
+    rlPhaseEnd
+
+    rlPhaseStartTest "semanage_is_managed"
+        rlRun "./test_is_managed init" $ERR_ABORT
+        rlRun "./test_is_managed handle 1"
+        rlRun "./test_is_managed conn" $ERR_FAIL
+    rlPhaseEnd
+
+    rlPhaseStartTest "semanage_connect, semanage_disconnect"
+        rlRun "./test_connect init" $ERR_ABORT
+        rlRun "./test_connect init reversed" $ERR_ABORT
+        rlRun "./test_connect handle"
+        rlRun "./test_connect handle twice"
+        rlRun "./test_connect handle reversed" $ERR_ABORT
+        # why does it work??
+        rlRun "./test_connect conn"
+    rlPhaseEnd
+
+    rlPhaseStartTest "semanage_is_connected"
+        rlRun "./test_is_connected init" $ERR_ABORT
+        rlRun "./test_is_connected handle 0"
+        rlRun "./test_is_connected conn 1"
+    rlPhaseEnd
+
+    rlPhaseStartTest "semanage_mls_enabled"
+        rlRun "./test_mls_enabled init" $ERR_ABORT
+        rlRun "./test_mls_enabled handle" $ERR_ABORT
+        rlRun "./test_mls_enabled conn 1"
+    rlPhaseEnd
+
+    rlPhaseStartTest "semanage_begin_transaction, semanage_commit"
+        rlRun "./test_transaction init" $ERR_ABORT
+        rlRun "./test_transaction init reversed" $ERR_ABORT
+        rlRun "./test_transaction handle" $ERR_ABORT
+        rlRun "./test_transaction handle reversed" $ERR_ABORT
+        rlRun "./test_transaction conn"
+        rlRun "./test_transaction conn twice"
+        rlRun "./test_transaction conn reversed" $ERR_FAIL
+    rlPhaseEnd
+
+    rlPhaseStartCleanup
+        rlRun "rm -f output test_root test_handle_create test_access_check \
+               test_is_managed test_connect test_is_connected \
+               test_mls_enabled test_transaction"
+    rlPhaseEnd
+rlJournalPrintText
+rlJournalEnd

tests/semanage-handle-functions/test_access_check.c

@@ -0,0 +1,32 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <errno.h>
+#include <semanage/semanage.h>
+
+#include "functions.c"
+
+int main (int argc, char **argv) {
+    semanage_handle_t *sh;
+
+    if (argc < 2)
+        exit(1);
+    
+    sh = get_handle(argv[1]);
+
+    int result = semanage_access_check(sh);
+    printf("semanage_access_check(%p): %d\n", (void *) sh, result);
+    
+    if (result < 0 || (result != 0 && result != SEMANAGE_CAN_READ
+                       && result != SEMANAGE_CAN_WRITE)) {
+        perror("semanage_access_check");
+        exit(1);
+    }
+
+    if (argc >= 3)
+        check_result_int(argv[2], result);
+
+    destroy_handle(sh, argv[1]);
+
+    exit(0);
+}

tests/semanage-handle-functions/test_connect.c

@@ -0,0 +1,33 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <errno.h>
+#include <semanage/semanage.h>
+
+#include "functions.c"
+
+int main (int argc, char **argv) {
+    semanage_handle_t *sh;
+    
+    if (argc < 2)
+        exit(1);
+    
+    sh = get_handle(argv[1]);
+    
+    if (argc >= 3 && strcmp(argv[2], "reversed") == 0) {
+        test_disconnect(sh);
+        test_connect(sh);
+    }
+    else {
+        test_connect(sh);
+        test_disconnect(sh);
+    }
+
+    if (argc >= 3 && strcmp(argv[2], "twice") == 0) {
+        test_disconnect(sh);
+    }
+
+    destroy_handle(sh, argv[1]);
+
+    exit(0);
+}

tests/semanage-handle-functions/test_handle_create.c

@@ -0,0 +1,15 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <errno.h>
+#include <semanage/semanage.h>
+
+#include "functions.c"
+
+int main (int argc, char **argv) {
+    semanage_handle_t *sh = test_handle_create();
+
+    semanage_handle_destroy(sh);
+
+    exit(0);
+}

tests/semanage-handle-functions/test_is_connected.c

@@ -0,0 +1,32 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <errno.h>
+#include <semanage/semanage.h>
+
+#include "functions.c"
+
+int main (int argc, char **argv) {
+    semanage_handle_t *sh;
+    int result;
+    
+    if (argc < 2)
+        exit(1);
+    
+    sh = get_handle(argv[1]);
+
+    result = semanage_is_connected(sh);
+    printf("semanage_is_connected(%p): %d\n", (void *) sh, result);
+
+    if (result != 0 && result != 1) {
+        perror("semanage_is_connected");
+        exit(1);
+    }
+
+    if (argc >= 3)
+        check_result_int(argv[2], result);
+
+    destroy_handle(sh, argv[1]);
+
+    exit(0);
+}

tests/semanage-handle-functions/test_is_managed.c

@@ -0,0 +1,32 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <errno.h>
+#include <semanage/semanage.h>
+
+#include "functions.c"
+
+int main (int argc, char **argv) {
+    semanage_handle_t *sh;
+    int result;
+
+    if (argc < 2)
+        exit(1);
+    
+    sh = get_handle(argv[1]);
+    
+    result = semanage_is_managed(sh);
+    printf("semanage_is_managed(%p): %d\n", (void *) sh, result);
+
+    if (result != 0 && result != 1) {
+        perror("semanage_is_managed");
+        exit(1);
+    }
+
+    if (argc >= 3)
+        check_result_int(argv[2], result);
+
+    destroy_handle(sh, argv[1]);
+
+    exit(0);
+}

tests/semanage-handle-functions/test_mls_enabled.c

@@ -0,0 +1,32 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <errno.h>
+#include <semanage/semanage.h>
+
+#include "functions.c"
+
+int main (int argc, char **argv) {
+    semanage_handle_t *sh;
+    int result;
+    
+    if (argc < 2)
+        exit(1);
+    
+    sh = get_handle(argv[1]);
+
+    result = semanage_mls_enabled(sh);
+    printf("semanage_mls_enabled(%p): %d\n", (void *) sh, result);
+
+    if (result != 0 && result != 1) {
+        perror("semanage_mls_enabled");
+        exit(1);
+    }
+
+    if (argc >= 4)
+        check_result_int(argv[3], result);
+
+    destroy_handle(sh, argv[1]);
+
+    exit(0);
+}

tests/semanage-handle-functions/test_root.c

@@ -0,0 +1,53 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <errno.h>
+#include <semanage/semanage.h>
+
+#include "functions.c"
+
+int main (int argc, char **argv) {
+    semanage_handle_t *sh;
+    const char *root;
+    int result;
+
+    if (argc < 2)
+        exit(1);
+    
+    sh = get_handle(argv[1]);
+
+    root = semanage_root();
+    printf("semanage_root(): %s\n", root);
+
+    if (root == NULL) {
+        perror("semanage_root");
+        exit(1);
+    }
+
+    if (argc >= 3) {
+        result = semanage_set_root(argv[2]);
+        printf("semanage_set_root(\"%s\"): %d\n", argv[2], result);
+
+        if (root == NULL) {
+            perror("semanage_set_root");
+            exit(1);
+        }
+
+        root = semanage_root();
+        printf("semanage_root(): %s\n", root);
+
+        if (result != 0) {
+            perror("semanage_root");
+            exit(1);
+        }
+
+        if (strcmp(root, argv[2]) != 0) {
+            fprintf(stderr, "Expected \"%s\" but got \"%s\"\n", argv[2], root);
+            exit(1);
+        }
+    }
+
+    destroy_handle(sh, argv[1]);
+
+    exit(0);
+}

tests/semanage-handle-functions/test_transaction.c

@@ -0,0 +1,34 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <errno.h>
+#include <semanage/semanage.h>
+
+#include "functions.c"
+
+int main (int argc, char **argv) {
+    semanage_handle_t *sh;
+    
+    if (argc < 2)
+        exit(1);
+    
+    sh = get_handle(argv[1]);
+    
+    if (argc >= 3 && strcmp(argv[2], "reversed") == 0) {
+        test_commit(sh);
+        test_begin_transaction(sh);
+    }
+    else if (argc >= 3 && strcmp(argv[2], "twice") == 0) {
+        test_begin_transaction(sh);
+        test_begin_transaction(sh);
+        test_commit(sh);
+    }
+    else {
+        test_begin_transaction(sh);
+        test_commit(sh);
+    }
+
+    destroy_handle(sh, argv[1]);
+
+    exit(0);
+}

tests/semanage-seuser-functions/Makefile

@@ -0,0 +1,63 @@
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   Makefile of /CoreOS/libsemanage/Sanity/semanage-seuser-functions
+#   Description: Test semanage_seuser_* functions
+#   Author: Jan Zarsky <jzarsky@redhat.com>
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   Copyright (c) 2017 Red Hat, Inc.
+#
+#   This program is free software: you can redistribute it and/or
+#   modify it under the terms of the GNU General Public License as
+#   published by the Free Software Foundation, either version 2 of
+#   the License, or (at your option) any later version.
+#
+#   This program is distributed in the hope that it will be
+#   useful, but WITHOUT ANY WARRANTY; without even the implied
+#   warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+#   PURPOSE.  See the GNU General Public License for more details.
+#
+#   You should have received a copy of the GNU General Public License
+#   along with this program. If not, see http://www.gnu.org/licenses/.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+export TEST=/CoreOS/libsemanage/Sanity/semanage-seuser-functions
+export TESTVERSION=1.0
+
+BUILT_FILES=
+
+FILES=$(METADATA) runtest.sh Makefile PURPOSE functions.c test_*.c
+
+.PHONY: all install download clean
+
+run: $(FILES) build
+	./runtest.sh
+
+build: $(BUILT_FILES)
+	test -x runtest.sh || chmod a+x runtest.sh
+
+clean:
+	rm -f *~ $(BUILT_FILES)
+
+
+include /usr/share/rhts/lib/rhts-make.include
+
+$(METADATA): Makefile
+	@echo "Owner:           Jan Zarsky <jzarsky@redhat.com>" > $(METADATA)
+	@echo "Name:            $(TEST)" >> $(METADATA)
+	@echo "TestVersion:     $(TESTVERSION)" >> $(METADATA)
+	@echo "Path:            $(TEST_DIR)" >> $(METADATA)
+	@echo "Description:     Test semanage_seuser_* functions" >> $(METADATA)
+	@echo "Type:            Sanity" >> $(METADATA)
+	@echo "TestTime:        5m" >> $(METADATA)
+	@echo "RunFor:          libsemanage" >> $(METADATA)
+	@echo "Requires:        libsemanage libsemanage-devel glibc gcc" >> $(METADATA)
+	@echo "Priority:        Normal" >> $(METADATA)
+	@echo "License:         GPLv2+" >> $(METADATA)
+	@echo "Confidential:    no" >> $(METADATA)
+	@echo "Destructive:     no" >> $(METADATA)
+	@echo "Releases:        -RHEL4 -RHELClient5 -RHELServer5" >> $(METADATA)
+
+	rhts-lint $(METADATA)

tests/semanage-seuser-functions/PURPOSE

@@ -0,0 +1,3 @@
+PURPOSE of /CoreOS/libsemanage/Sanity/semanage-seuser-functions
+Description: Test semanage_seuser_* functions
+Author: Jan Zarsky <jzarsky@redhat.com>

tests/semanage-seuser-functions/functions.c

@@ -0,0 +1,263 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <errno.h>
+#include <semanage/semanage.h>
+
+void check_result_int(const char *expected, int real) {
+    int exp = strtol(expected, NULL, 10);
+
+    if (exp != real) {
+        fprintf(stderr, "Expected %d but got %d\n", exp, real);
+        exit(1);
+    }
+}
+
+semanage_handle_t *test_handle_create() {
+    semanage_handle_t *sh = NULL;
+
+    sh = semanage_handle_create();
+    printf("semanage_handle_create(): %p\n", (void *) sh);
+
+    if (sh == NULL) {
+        perror("semanage_handle_create");
+        exit(2);
+    }
+
+    return sh;
+}
+
+int test_connect(semanage_handle_t *sh) {
+    int result = semanage_connect(sh);
+    printf("semanage_connect(%p): %d\n", (void *) sh, result);
+
+    if (result != 0) {
+        perror("semanage_connect");
+        exit(2);
+    }
+
+    return result;
+}
+
+int test_disconnect(semanage_handle_t *sh) {
+    int result = semanage_disconnect(sh);
+    printf("semanage_disconnect(%p): %d\n", (void *) sh, result);
+
+    if (result != 0) {
+        perror("semanage_disconnect");
+        exit(2);
+    }
+
+    return result;
+}
+
+int test_begin_transaction(semanage_handle_t *sh) {
+    int result = semanage_begin_transaction(sh);
+    printf("semanage_begin_transaction(%p): %d\n", (void *) sh, result);
+
+    if (result != 0) {
+        perror("semanage_begin_transaction");
+        exit(2);
+    }
+
+    return result;
+}
+
+int test_commit(semanage_handle_t *sh) {
+    int result = semanage_commit(sh);
+    printf("semanage_commit(%p): %d\n", (void *) sh, result);
+
+    if (result != 0) {
+        perror("semanage_commit");
+        exit(2);
+    }
+
+    return result;
+}
+
+semanage_seuser_key_t *test_get_key(semanage_handle_t *sh, const char *name) {
+    semanage_seuser_key_t *key;
+    int result = semanage_seuser_key_create(sh, name, &key);
+    printf("semanage_seuser_key_create(%p, %s, %p): %d\n",
+           (void *) sh, name, (void *) &key, result);
+
+    if (key == NULL || result < 0) {
+        perror("semanage_seuser_key_create");
+        exit(2);
+    }
+
+    return key;
+}
+
+semanage_seuser_t *test_get_seuser_nth(semanage_handle_t *sh, unsigned int index) {
+    int result;
+    semanage_seuser_t **records;
+    unsigned int count;
+
+    result = semanage_seuser_list(sh, &records, &count);
+    printf("semanage_seuser_list(%p, %p, %p): %d\n",
+           (void *) sh, (void *) &records, (void *) &count, result);
+    
+    if (result < 0) {
+        perror("semanage_seuser_list");
+        exit(2);
+    }
+
+    if (count < index + 1)
+        exit(2);
+
+    return records[index];
+}
+
+semanage_seuser_t *test_get_seuser_new(semanage_handle_t *sh) {
+    int result;
+    semanage_seuser_t *seuser;
+
+    result = semanage_seuser_create(sh, &seuser);
+    printf("semanage_seuser_create(%p, %p): %d\n",
+           (void *) sh, (void *) seuser, result);
+    
+    if (result < 0) {
+        perror("semanage_seuser_create");
+        exit(2);
+    }
+
+    return seuser;
+}
+
+semanage_seuser_t *test_get_seuser(semanage_handle_t *sh, const char *param) {
+    if (strcmp(param, "new") == 0)
+        return test_get_seuser_new(sh);
+    
+    if (strcmp(param, "first") == 0)
+        return test_get_seuser_nth(sh, 0);
+
+    if (strcmp(param, "second") == 0)
+        return test_get_seuser_nth(sh, 1);
+
+    fprintf(stderr, "Unknown seuser \"%s\" specified\n", param);
+    exit(2);
+}
+
+void test_add_local_seuser(semanage_handle_t *sh, semanage_seuser_t *seuser) {
+    int result;
+    semanage_seuser_key_t *key;
+
+    result = semanage_seuser_key_extract(sh, seuser, &key);
+    printf("semanage_seuser_key_extract(%p, %p, %p): %d\n",
+           (void *) sh, (void *) seuser, (void *) &key, result);
+
+    if (result < 0) {
+        perror("semanage_seuser_key_extract");
+        exit(2);
+    }
+
+    result = semanage_seuser_modify_local(sh, key, seuser);
+    printf("semanage_seuser_modify_local(%p, %p, %p): %d\n",
+           (void *) seuser, (void *) key, (void *) seuser, result);
+
+    if (result < 0) {
+        perror("semanage_seuser_modify_local");
+        exit(2);
+    }
+}
+
+void test_del_local_seuser(semanage_handle_t *sh, semanage_seuser_t *seuser) {
+    int result;
+    semanage_seuser_key_t *key;
+
+    result = semanage_seuser_key_extract(sh, seuser, &key);
+    printf("semanage_seuser_key_extract(%p, %p, %p): %d\n",
+           (void *) sh, (void *) seuser, (void *) &key, result);
+
+    if (result < 0) {
+        perror("semanage_seuser_key_extract");
+        exit(2);
+    }
+
+    result = semanage_seuser_del_local(sh, key);
+    printf("semanage_seuser_del_local(%p, %p): %d\n",
+           (void *) seuser, (void *) key, result);
+
+    if (result < 0) {
+        perror("semanage_seuser_del_local");
+        exit(2);
+    }
+}
+
+#define STATE_INIT      1
+#define STATE_HANDLE    2
+#define STATE_CONN      3
+#define STATE_TRANS     4
+
+int get_state(const char *state_str) {
+    if (strcmp(state_str, "init") == 0)
+        return STATE_INIT;
+    if (strcmp(state_str, "handle") == 0)
+        return STATE_HANDLE;
+    if (strcmp(state_str, "conn") == 0)
+        return STATE_CONN;
+    if (strcmp(state_str, "trans") == 0)
+        return STATE_TRANS;
+
+    return 0;
+}
+
+semanage_handle_t * get_handle(const char *state_str) {
+    int state;
+    semanage_handle_t *sh = NULL;
+
+    state = get_state(state_str);
+
+    if (state >= STATE_INIT)
+        sh = NULL;
+
+    if (state >= STATE_HANDLE)
+        sh = test_handle_create();
+
+    if (state >= STATE_CONN)
+        test_connect(sh);
+
+    if (state >= STATE_TRANS)
+        test_begin_transaction(sh);
+
+    return sh;
+}
+
+void destroy_handle(semanage_handle_t *sh, const char *state_str) {
+    int state;
+
+    state = get_state(state_str);
+
+    if (state >= STATE_TRANS)
+        test_commit(sh);
+
+    if (state >= STATE_CONN)
+        test_disconnect(sh);
+
+    if (state >= STATE_HANDLE) {
+        semanage_handle_destroy(sh);
+        printf("semanage_handle_destroy(%p)\n", (void *) sh);
+    }
+}
+
+int strcmp_null(const char *str1, const char *str2) {
+    if (str1 == NULL && str2 == NULL)
+        return 0;
+
+    if (str1 == NULL) {
+        if (strcmp(str2, "NULL") == 0)
+            return 0;
+        else
+            return -1;
+    }
+
+    if (str2 == NULL) {
+        if (strcmp(str1, "NULL") == 0)
+            return 0;
+        else
+            return 1;
+    }
+
+    return strcmp(str1, str2);
+}

tests/semanage-seuser-functions/runtest.sh

@@ -0,0 +1,255 @@
+#!/bin/bash
+# vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   runtest.sh of /CoreOS/libsemanage/Sanity/semanage-seuser-functions
+#   Description: Test semanage_seuser_* functions
+#   Author: Jan Zarsky <jzarsky@redhat.com>
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   Copyright (c) 2017 Red Hat, Inc.
+#
+#   This program is free software: you can redistribute it and/or
+#   modify it under the terms of the GNU General Public License as
+#   published by the Free Software Foundation, either version 2 of
+#   the License, or (at your option) any later version.
+#
+#   This program is distributed in the hope that it will be
+#   useful, but WITHOUT ANY WARRANTY; without even the implied
+#   warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+#   PURPOSE.  See the GNU General Public License for more details.
+#
+#   You should have received a copy of the GNU General Public License
+#   along with this program. If not, see http://www.gnu.org/licenses/.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+# Include Beaker environment
+. /usr/bin/rhts-environment.sh || exit 1
+. /usr/share/beakerlib/beakerlib.sh || exit 1
+
+PACKAGE="libsemanage"
+
+rlJournalStart
+    rlPhaseStartSetup
+        rlAssertRpm ${PACKAGE}
+        rlAssertRpm ${PACKAGE}-devel
+        rlAssertRpm "glibc"
+        rlAssertRpm "gcc"
+
+        for f in test_*.c ; do 
+            out=$(echo -n $f | cut -d'.' -f1)
+            rlRun "gcc $f -o $out -lsemanage -Wall -Wextra -Werror -std=c99"
+        done
+
+        POLICY_TYPE="$(grep -E '^SELINUXTYPE=' /etc/selinux/config | cut -d'=' -f2 | tr '[:upper:]' '[:lower:]' | tr -d ' ')"
+
+        if rlIsFedora; then
+            SEUSERS_PATH="/var/lib/selinux/$POLICY_TYPE/active/seusers"
+        elif rlIsRHEL '>=7'; then
+            SEUSERS_PATH="/etc/selinux/$POLICY_TYPE/active/seusers"
+        else
+            SEUSERS_PATH="/etc/selinux/$POLICY_TYPE/seusers"
+        fi
+
+        rlRun "cat $SEUSERS_PATH"
+
+        SEUSERS_COUNT="$(cat $SEUSERS_PATH | grep -vE '^#|^$' | wc -l)"
+        rlRun "[[ \"$SEUSERS_COUNT\" -gt 0 ]]"
+
+        SEUSERS="$(cat $SEUSERS_PATH | grep -vE '^#|^$' | cut -d':' -f1 | tr '\n' ' ')"
+        rlRun "[[ -n \"$SEUSERS\" ]]"
+
+        first_line="$(cat $SEUSERS_PATH | grep -vE '^#|^$' | head -n 1)"
+        SEUSER="$(echo -n $first_line | cut -d':' -f1)"
+        rlRun "[[ -n \"$SEUSER\" ]]"
+        SEUSER_SENAME="$(echo -n $first_line | cut -d':' -f2)"
+        rlRun "[[ -n \"$SEUSER_SENAME\" ]]"
+        SEUSER_MLSRANGE="$(echo -n $first_line | cut -d':' -f3-4)"
+        rlRun "[[ -n \"$SEUSER_MLSRANGE\" ]]"
+
+        SEUSER_NONEXISTENT="nonuser"
+        SEUSER_DEFAULT="__default__"
+
+        ERR_FAIL=1
+        ERR_ABORT=134
+        ERR_SEGFAULT=139
+
+        # note: each test_*.c program takes first argument which specifies setup
+        #       before executing specified function
+        #       init      semanage handle == NULL
+        #       handle    semanage handle obtained via semanage_handle_create
+        #       conn      connected via semanage_connect
+        #       trans     inside transaction, via semanage_begin_transaction
+        # program returns 1 on error in function, 2 on error in setup
+    rlPhaseEnd
+
+    rlPhaseStartTest "semanage_seuser_key_create, semanage_seuser_key_free"
+        # FIXME
+        # rlRun "./test_key_create init   $SEUSER" $ERR_ABORT,$ERR_SEGFAULT
+        # rlRun "./test_key_create handle $SEUSER" $ERR_FAIL
+        rlRun "./test_key_create conn   $SEUSER"
+        rlRun "./test_key_create trans  $SEUSER"
+    rlPhaseEnd
+
+    rlPhaseStartTest "semanage_seuser_key_extract"
+        # FIXME
+        #rlRun "./test_key_extract conn  new"
+        rlRun "./test_key_extract conn  first"
+        # FIXME
+        #rlRun "./test_key_extract trans new"
+        rlRun "./test_key_extract trans first"
+    rlPhaseEnd
+
+    rlPhaseStartTest "semanage_seuser_compare"
+        rlRun "./test_compare conn  $SEUSER             same"
+        rlRun "./test_compare conn  $SEUSER_NONEXISTENT different"
+        rlRun "./test_compare trans $SEUSER             same"
+        rlRun "./test_compare trans $SEUSER_NONEXISTENT different"
+    rlPhaseEnd
+
+    rlPhaseStartTest "semanage_seuser_compare2"
+        rlRun "./test_compare2 conn  NULL 0"    $ERR_ABORT,$ERR_SEGFAULT
+        rlRun "./test_compare2 conn  0    NULL" $ERR_ABORT,$ERR_SEGFAULT
+        rlRun "./test_compare2 conn  NULL NULL" $ERR_ABORT,$ERR_SEGFAULT
+        rlRun "./test_compare2 conn  0    0"
+        rlRun "./test_compare2 conn  0    1"
+        rlRun "./test_compare2 trans NULL 0"    $ERR_ABORT,$ERR_SEGFAULT
+        rlRun "./test_compare2 trans 0    NULL" $ERR_ABORT,$ERR_SEGFAULT
+        rlRun "./test_compare2 trans NULL NULL" $ERR_ABORT,$ERR_SEGFAULT
+        rlRun "./test_compare2 trans 0    0"
+        rlRun "./test_compare2 trans 0    1"
+    rlPhaseEnd
+
+    rlPhaseStartTest "semanage_seuser_count"
+        rlRun "./test_count init"   $ERR_ABORT,$ERR_SEGFAULT
+        rlRun "./test_count handle" $ERR_FAIL
+        rlRun "./test_count conn  $SEUSERS_COUNT"
+        rlRun "./test_count trans $SEUSERS_COUNT"
+    rlPhaseEnd
+
+    rlPhaseStartTest "semanage_seuser_list"
+        rlRun "./test_list init"   $ERR_ABORT,$ERR_SEGFAULT
+        rlRun "./test_list handle" $ERR_FAIL
+        rlRun "./test_list conn  $SEUSERS_COUNT $SEUSERS"
+        rlRun "./test_list trans $SEUSERS_COUNT $SEUSERS"
+    rlPhaseEnd
+
+    rlPhaseStartTest "semanage_seuser_iterate"
+        rlRun "./test_iterate init"   $ERR_ABORT,$ERR_SEGFAULT
+        rlRun "./test_iterate handle" $ERR_FAIL
+        rlRun "./test_iterate conn  $SEUSERS"
+        rlRun "./test_iterate trans $SEUSERS"
+    rlPhaseEnd
+
+    rlPhaseStartTest "semanage_seuser_exists"
+        rlRun "./test_exists conn  $SEUSER_NONEXISTENT 0"
+        rlRun "./test_exists conn  $SEUSER_DEFAULT     1"
+        rlRun "./test_exists conn  $USER               1"
+        rlRun "./test_exists trans $SEUSER_NONEXISTENT 0"
+        rlRun "./test_exists trans $SEUSER_DEFAULT     1"
+        rlRun "./test_exists trans $SEUSER             1"
+    rlPhaseEnd
+
+    rlPhaseStartTest "semanage_seuser_query"
+        rlRun "./test_query conn  $SEUSER_NONEXISTENT" $ERR_FAIL
+        rlRun "./test_query conn  $SEUSER_DEFAULT"
+        rlRun "./test_query conn  $SEUSER"
+        rlRun "./test_query trans $SEUSER_NONEXISTENT" $ERR_FAIL
+        rlRun "./test_query trans $SEUSER_DEFAULT"
+        rlRun "./test_query trans $SEUSER"
+    rlPhaseEnd
+
+    rlPhaseStartTest "semanage_seuser_get_name"
+        rlRun "./test_get_name conn  new   NULL"
+        rlRun "./test_get_name conn  first $SEUSER"
+        rlRun "./test_get_name trans new   NULL"
+        rlRun "./test_get_name trans first $SEUSER"
+    rlPhaseEnd
+
+    rlPhaseStartTest "semanage_seuser_set_name"
+        name="someuser"
+        rlRun "./test_set_name conn  $name"
+        rlRun "./test_set_name trans $name"
+    rlPhaseEnd
+
+    rlPhaseStartTest "semanage_seuser_get_sename"
+        rlRun "./test_get_sename conn  new   NULL"
+        rlRun "./test_get_sename conn  first $SEUSER_SENAME"
+        rlRun "./test_get_sename trans new   NULL"
+        rlRun "./test_get_sename trans first $SEUSER_SENAME"
+    rlPhaseEnd
+
+    rlPhaseStartTest "semanage_seuser_set_sename"
+        sename="someuser_u"
+        rlRun "./test_set_sename conn  $sename"
+        rlRun "./test_set_sename trans $sename"
+    rlPhaseEnd
+
+    rlPhaseStartTest "semanage_seuser_get_mlsrange"
+        rlRun "./test_get_mlsrange conn  new   NULL"
+        rlRun "./test_get_mlsrange conn  first $SEUSER_MLSRANGE"
+        rlRun "./test_get_mlsrange trans new   NULL"
+        rlRun "./test_get_mlsrange trans first $SEUSER_MLSRANGE"
+    rlPhaseEnd
+
+    rlPhaseStartTest "semanage_seuser_set_mlsrange"
+        mlsrange="c0-s1:c0.c42"
+        rlRun "./test_set_mlsrange conn  $mlsrange"
+        rlRun "./test_set_mlsrange trans $mlsrange"
+    rlPhaseEnd
+
+    rlPhaseStartTest "semanage_seuser_clone"
+        # FIXME
+        #rlRun "./test_clone conn  new"
+        rlRun "./test_clone conn  first"
+        # FIXME
+        #rlRun "./test_clone trans new"
+        rlRun "./test_clone trans first"
+    rlPhaseEnd
+
+    rlPhaseStartTest "semanage_seuser_create"
+        # FIXME
+        #rlRun "./test_create init" $ERR_ABORT,$ERR_SEGFAULT
+        #rlRun "./test_create handle" $ERR_ABORT,$ERR_SEGFAULT
+        rlRun "./test_create conn"
+        rlRun "./test_create trans"
+    rlPhaseEnd
+
+    rlPhaseStartTest "semanage_seuser_modify_local"
+        # function requires transaction
+        #rlRun "./test_modify_local conn  new"   $ERR_FAIL
+        #rlRun "./test_modify_local conn  first" $ERR_FAIL
+        #rlRun "./test_modify_local trans new"   $ERR_FAIL
+        rlRun "./test_modify_local trans first"
+    rlPhaseEnd
+    
+    rlPhaseStartTest "semanage_seuser_del_local"
+        # adding local seuser requires transaction
+        # FIXME
+        #rlRun "./test_del_local trans first new"
+        #rlRun "./test_del_local trans first second"
+        rlRun "./test_del_local trans first first"
+    rlPhaseEnd
+
+    rlPhaseStartTest "semanage_seuser_exists_local"
+        # adding local seuser requires transaction
+        rlRun "./test_exists_local trans first first  1"
+        rlRun "./test_exists_local trans first second 0"
+    rlPhaseEnd
+
+    rlPhaseStartTest "semanage_seuser_count_local"
+        # adding local seuser requires transaction
+        # FIXME
+        #rlRun "./test_count_local trans 0"
+        rlRun "./test_count_local trans 1"
+        rlRun "./test_count_local trans 2"
+    rlPhaseEnd
+
+    rlPhaseStartCleanup
+        testfiles="$(ls -1 test_* | grep -v '\.c' | tr '\n' ' ')"
+        rlRun "rm -f $testfiles"
+    rlPhaseEnd
+rlJournalPrintText
+rlJournalEnd

tests/semanage-seuser-functions/test_clone.c

@@ -0,0 +1,60 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <errno.h>
+#include <semanage/semanage.h>
+
+#include "functions.c"
+
+int main (int argc, char **argv) {
+    semanage_handle_t *sh;
+    semanage_seuser_t *seuser;
+    semanage_seuser_t *seuser_clone;
+    int result;
+    const char *str;
+    const char *str_clone;
+    
+    if (argc < 3)
+        exit(2);
+    
+    sh = get_handle(argv[1]);
+
+    seuser = test_get_seuser(sh, argv[2]);
+
+    result = semanage_seuser_clone(sh, seuser, &seuser_clone);
+    printf("semanage_seuser_clone(%p, %p): %d\n",
+           (void *) seuser, (void *) seuser_clone, result);
+
+    if (result < 0) {
+        perror("semanage_seuser_clone");
+        exit(1);
+    }
+
+    str = semanage_seuser_get_name(seuser);
+    str_clone = semanage_seuser_get_name(seuser_clone);
+
+    if (strcmp(str, str_clone) != 0) {
+        fprintf(stderr, "Different in get_name\n");
+        exit(1);
+    }
+
+    str = semanage_seuser_get_sename(seuser);
+    str_clone = semanage_seuser_get_sename(seuser_clone);
+
+    if (strcmp(str, str_clone) != 0) {
+        fprintf(stderr, "Different in get_sename\n");
+        exit(1);
+    }
+
+    str = semanage_seuser_get_mlsrange(seuser);
+    str_clone = semanage_seuser_get_mlsrange(seuser_clone);
+
+    if (strcmp(str, str_clone) != 0) {
+        fprintf(stderr, "Different in get_mlsrange\n");
+        exit(1);
+    }
+
+    destroy_handle(sh, argv[1]);
+
+    exit(0);
+}

tests/semanage-seuser-functions/test_compare.c

@@ -0,0 +1,44 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <errno.h>
+#include <semanage/semanage.h>
+
+#include "functions.c"
+
+int main (int argc, char **argv) {
+    semanage_handle_t *sh;
+    semanage_seuser_t *seuser;
+    semanage_seuser_key_t *key;
+    int result;
+    
+    if (argc < 3)
+        exit(2);
+    
+    sh = get_handle(argv[1]);
+
+    seuser = test_get_seuser(sh, "first");
+
+    key = test_get_key(sh, argv[2]);
+
+    result = semanage_seuser_compare(seuser, key);
+    printf("semanage_seuser_compare(%p, %p): %d\n",
+           (void *) seuser, (void *) key, result);
+
+    if (argc >= 4) {
+        if (strcmp(argv[3], "same") == 0 && result != 0) {
+            fprintf(stderr, "Expected same but got different\n");
+            exit(1);
+        }
+        else if (strcmp(argv[3], "different") == 0 && result == 0) {
+            fprintf(stderr, "Expected different but got same\n");
+            exit(1);
+        }
+    }
+
+    semanage_seuser_key_free(key);
+
+    destroy_handle(sh, argv[1]);
+
+    exit(0);
+}

tests/semanage-seuser-functions/test_compare2.c

@@ -0,0 +1,54 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <errno.h>
+#include <semanage/semanage.h>
+
+#include "functions.c"
+
+int main (int argc, char **argv) {
+    semanage_handle_t *sh;
+    semanage_seuser_t *seuser;
+    semanage_seuser_t *seuser2;
+    int result;
+    int first = -1;
+    int second = -1;
+    
+    if (argc < 4)
+        exit(2);
+    
+    sh = get_handle(argv[1]);
+
+    if (strcmp(argv[2], "NULL") == 0) {
+        seuser = NULL;
+    }
+    else {
+        first = strtol(argv[2], NULL, 10);
+        seuser = test_get_seuser_nth(sh, first);
+    }
+
+    if (strcmp(argv[3], "NULL") == 0) {
+        seuser2 = NULL;
+    }
+    else {
+        second = strtol(argv[3], NULL, 10);
+        seuser2 = test_get_seuser_nth(sh, second);
+    }
+
+    result = semanage_seuser_compare2(seuser, seuser2);
+    printf("semanage_seuser_compare(%p, %p): %d\n",
+           (void *) seuser, (void *) seuser2, result);
+
+    if (first == second && result != 0) {
+        fprintf(stderr, "Expected same but got different\n");
+        exit(1);
+    }
+    else if (first != second && result == 0) {
+        fprintf(stderr, "Expected different but got same\n");
+        exit(1);
+    }
+
+    destroy_handle(sh, argv[1]);
+
+    exit(0);
+}

tests/semanage-seuser-functions/test_count.c

@@ -0,0 +1,34 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <errno.h>
+#include <semanage/semanage.h>
+
+#include "functions.c"
+
+int main (int argc, char **argv) {
+    semanage_handle_t *sh;
+    unsigned int response;
+    int result;
+    
+    if (argc < 2)
+        exit(2);
+    
+    sh = get_handle(argv[1]);
+
+    result = semanage_seuser_count(sh, &response);
+    printf("semanage_seuser_count(%p, %p): %d, response: %u\n",
+           (void *) sh, (void *) &response, result, response);
+    
+    if (result < 0) {
+        perror("semanage_seuser_count");
+        exit(1);
+    }
+
+    if (argc >= 3)
+        check_result_int(argv[2], response);
+
+    destroy_handle(sh, argv[1]);
+
+    exit(0);
+}

tests/semanage-seuser-functions/test_count_local.c

@@ -0,0 +1,46 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <errno.h>
+#include <semanage/semanage.h>
+
+#include "functions.c"
+
+int main (int argc, char **argv) {
+    semanage_handle_t *sh;
+    semanage_seuser_t *seuser;
+    int result;
+    unsigned int response;
+    int num;
+    
+    if (argc < 2)
+        exit(2);
+    
+    sh = get_handle(argv[1]);
+
+    num = strtol(argv[2], NULL, 10);
+
+    for (int i = 0; i < num; i++) {
+        seuser = test_get_seuser_nth(sh, i);
+
+        test_add_local_seuser(sh, seuser);
+    }
+
+    result = semanage_seuser_count_local(sh, &response);
+    printf("semanage_seuser_count_local(%p, %p): %d, response: %d\n",
+           (void *) sh, (void *) &response, result, response);
+
+    if (result < 0) {
+        perror("semanage_seuser_count_local");
+        exit(1);
+    }
+
+    if (argc >= 3)
+        check_result_int(argv[2], response);
+
+    test_del_local_seuser(sh, seuser);
+
+    destroy_handle(sh, argv[1]);
+
+    exit(0);
+}

tests/semanage-seuser-functions/test_create.c

@@ -0,0 +1,53 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <errno.h>
+#include <semanage/semanage.h>
+
+#include "functions.c"
+
+int main (int argc, char **argv) {
+    semanage_handle_t *sh;
+    semanage_seuser_t *seuser;
+    int result;
+    const char *str;
+    
+    if (argc < 2)
+        exit(2);
+    
+    sh = get_handle(argv[1]);
+
+    result = semanage_seuser_create(sh, &seuser);
+    printf("semanage_seuser_create(%p, %p): %d\n",
+           (void *) sh, (void *) seuser, result);
+
+    if (result < 0) {
+        perror("semanage_seuser_create");
+        exit(1);
+    }
+
+    str = semanage_seuser_get_name(seuser);
+
+    if (str != NULL) {
+        fprintf(stderr, "Expected name == NULL, got %s\n", str);
+        exit(1);
+    }
+
+    str = semanage_seuser_get_sename(seuser);
+
+    if (str != NULL) {
+        fprintf(stderr, "Expected sename == NULL, got %s\n", str);
+        exit(1);
+    }
+
+    str = semanage_seuser_get_mlsrange(seuser);
+
+    if (str != NULL) {
+        fprintf(stderr, "Expected mlsrange == NULL, got %s\n", str);
+        exit(1);
+    }
+
+    destroy_handle(sh, argv[1]);
+
+    exit(0);
+}

tests/semanage-seuser-functions/test_del_local.c

@@ -0,0 +1,64 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <errno.h>
+#include <semanage/semanage.h>
+
+#include "functions.c"
+
+int main (int argc, char **argv) {
+    semanage_handle_t *sh;
+    semanage_seuser_t *seuser;
+    semanage_seuser_t *seuser_del;
+    semanage_seuser_key_t *key;
+    semanage_seuser_t **records;
+    int result;
+    unsigned int count;
+    
+    if (argc < 4)
+        exit(2);
+    
+    sh = get_handle(argv[1]);
+
+    seuser = test_get_seuser(sh, argv[2]);
+
+    test_add_local_seuser(sh, seuser);
+
+    seuser_del = test_get_seuser(sh, argv[3]);
+
+    result = semanage_seuser_key_extract(sh, seuser_del, &key);
+    printf("semanage_seuser_key_extract(%p, %p, %p): %d\n",
+           (void *) sh, (void *) seuser_del, (void *) &key, result);
+
+    if (result < 0) {
+        perror("semanage_seuser_key_extract");
+        exit(2);
+    }
+
+    result = semanage_seuser_del_local(sh, key);
+    printf("semanage_seuser_del_local(%p, %p): %d\n",
+           (void *) seuser, (void *) key, result);
+
+    if (result < 0) {
+        perror("semanage_seuser_del_local");
+        exit(1);
+    }
+
+    result = semanage_seuser_list_local(sh, &records, &count);
+    printf("semanage_seuser_list_local(%p, %p, %p): %d\n",
+           (void *) sh, (void *) &records, (void *) &count, result);
+    
+    if (result < 0) {
+        perror("semanage_seuser_list_local");
+        exit(2);
+    }
+
+    if (count != 0) {
+        fprintf(stderr, "Number of local seusers is not 0!\n");
+        exit(1);
+    }
+
+    destroy_handle(sh, argv[1]);
+
+    exit(0);
+}

tests/semanage-seuser-functions/test_exists.c

@@ -0,0 +1,37 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <errno.h>
+#include <semanage/semanage.h>
+
+#include "functions.c"
+
+int main (int argc, char **argv) {
+    semanage_handle_t *sh;
+    semanage_seuser_key_t *key;
+    int result;
+    int response;
+    
+    if (argc < 3)
+        exit(2);
+    
+    sh = get_handle(argv[1]);
+
+    key = test_get_key(sh, argv[2]);
+
+    result = semanage_seuser_exists(sh, key, &response);
+    printf("semanage_seuser_exists(%p, %p, %p): %d, response: %d\n",
+           (void *) sh, (void *) key, (void *) &response, result, response);
+    
+    if (result < 0) {
+        perror("semanage_seuser_exists");
+        exit(1);
+    }
+
+    if (argc >= 4)
+        check_result_int(argv[3], response);
+
+    destroy_handle(sh, argv[1]);
+
+    exit(0);
+}

tests/semanage-seuser-functions/test_exists_local.c

@@ -0,0 +1,59 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <errno.h>
+#include <semanage/semanage.h>
+
+#include "functions.c"
+
+int main (int argc, char **argv) {
+    semanage_handle_t *sh;
+    semanage_seuser_t *seuser;
+    semanage_seuser_t *seuser_exists;
+    semanage_seuser_key_t *key;
+    int result;
+    int response;
+    int exp;
+    
+    if (argc < 4)
+        exit(2);
+    
+    sh = get_handle(argv[1]);
+
+    seuser = test_get_seuser(sh, argv[2]);
+    seuser_exists = test_get_seuser(sh, argv[3]);
+
+    test_add_local_seuser(sh, seuser);
+
+    result = semanage_seuser_key_extract(sh, seuser_exists, &key);
+    printf("semanage_seuser_key_extract(%p, %p, %p): %d\n",
+           (void *) sh, (void *) seuser_exists, (void *) &key, result); 
+    if (result < 0) {
+        perror("semanage_seuser_key_extract");
+        exit(2);
+    }
+
+    result = semanage_seuser_exists_local(sh, key, &response);
+    printf("semanage_seuser_exists_local(%p, %p, %p): %d\n",
+           (void *) sh, (void *) key, (void *) &response, result);
+
+    if (result < 0) {
+        perror("semanage_seuser_exists_local");
+        exit(1);
+    }
+
+    if (argc >= 5) {
+        exp = strtol(argv[4], NULL, 10);
+
+        if (response != exp) {
+            fprintf(stderr, "Expected %d but got %d\n", exp, response);
+            exit(1);
+        }
+    }
+
+    test_del_local_seuser(sh, seuser);
+
+    destroy_handle(sh, argv[1]);
+
+    exit(0);
+}

tests/semanage-seuser-functions/test_get_mlsrange.c

@@ -0,0 +1,32 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <errno.h>
+#include <semanage/semanage.h>
+
+#include "functions.c"
+
+int main (int argc, char **argv) {
+    semanage_handle_t *sh;
+    semanage_seuser_t *seuser;
+    
+    if (argc < 4)
+        exit(2);
+    
+    sh = get_handle(argv[1]);
+
+    seuser = test_get_seuser(sh, argv[2]);
+
+    const char *name = semanage_seuser_get_mlsrange(seuser);
+    printf("semanage_seuser_get_mlsrange(%p): %s\n",
+           (void *) seuser, name);
+
+    if (strcmp_null(argv[3], name) != 0) {
+        fprintf(stderr, "Expected %s but got %s\n", argv[2], name);
+        exit(1);
+    }
+
+    destroy_handle(sh, argv[1]);
+
+    exit(0);
+}

tests/semanage-seuser-functions/test_get_name.c

@@ -0,0 +1,32 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <errno.h>
+#include <semanage/semanage.h>
+
+#include "functions.c"
+
+int main (int argc, char **argv) {
+    semanage_handle_t *sh;
+    semanage_seuser_t *seuser;
+    
+    if (argc < 4)
+        exit(2);
+    
+    sh = get_handle(argv[1]);
+
+    seuser = test_get_seuser(sh, argv[2]);
+
+    const char *name = semanage_seuser_get_name(seuser);
+    printf("semanage_seuser_get_name(%p): %s\n",
+           (void *) seuser, name);
+
+    if (strcmp_null(argv[3], name) != 0) {
+        fprintf(stderr, "Expected %s but got %s\n", argv[2], name);
+        exit(1);
+    }
+
+    destroy_handle(sh, argv[1]);
+
+    exit(0);
+}

tests/semanage-seuser-functions/test_get_sename.c

@@ -0,0 +1,32 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <errno.h>
+#include <semanage/semanage.h>
+
+#include "functions.c"
+
+int main (int argc, char **argv) {
+    semanage_handle_t *sh;
+    semanage_seuser_t *seuser;
+    
+    if (argc < 4)
+        exit(2);
+    
+    sh = get_handle(argv[1]);
+
+    seuser = test_get_seuser(sh, argv[2]);
+
+    const char *name = semanage_seuser_get_sename(seuser);
+    printf("semanage_seuser_get_sename(%p): %s\n",
+           (void *) seuser, name);
+
+    if (strcmp_null(argv[3], name) != 0) {
+        fprintf(stderr, "Expected %s but got %s\n", argv[2], name);
+        exit(1);
+    }
+
+    destroy_handle(sh, argv[1]);
+
+    exit(0);
+}

tests/semanage-seuser-functions/test_iterate.c

@@ -0,0 +1,49 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <errno.h>
+#include <semanage/semanage.h>
+
+#include "functions.c"
+
+int counter = 0;
+
+int handler(const semanage_seuser_t *record, void *varg) {
+    char **args = (char **) varg;
+    
+    const char *name = semanage_seuser_get_name(record);
+
+    if (strcmp(name, args[2 + counter++]) != 0)
+        return -1;
+
+    return 0;
+}
+
+int main (int argc, char **argv) {
+    semanage_handle_t *sh;
+    int result;
+    
+    if (argc < 2)
+        exit(2);
+    
+    sh = get_handle(argv[1]);
+
+    char **param = NULL;
+
+    if (argc >= 3) {
+        param = argv;
+    }
+
+    result = semanage_seuser_iterate(sh, &handler, (void *) param);
+    printf("semanage_seuser_iterate(%p, %p, %p): %d\n",
+           (void *) sh, (void *) &handler, (void *) param, result);
+    
+    if (result < 0) {
+        perror("semanage_seuser_iterate");
+        exit(1);
+    }
+
+    destroy_handle(sh, argv[1]);
+
+    exit(0);
+}

tests/semanage-seuser-functions/test_key_create.c

@@ -0,0 +1,39 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <errno.h>
+#include <semanage/semanage.h>
+
+#include "functions.c"
+
+int main (int argc, char **argv) {
+    semanage_handle_t *sh;
+    semanage_seuser_key_t *key;
+    const char *name;
+    int result;
+    
+    if (argc < 3)
+        exit(2);
+    
+    sh = get_handle(argv[1]);
+
+    if (strcmp(argv[2], "NULL") == 0)
+        name = NULL;
+    else
+        name = argv[2];
+
+    result = semanage_seuser_key_create(sh, name, &key);
+    printf("semanage_seuser_key_create(%p, %s, %p): %d\n",
+           (void *) sh, name, (void *) &key, result);
+
+    if (result < 0 || key == NULL) {
+        perror("semanage_seuser_key_create");
+        exit(1);
+    }
+
+    semanage_seuser_key_free(key);
+
+    destroy_handle(sh, argv[1]);
+
+    exit(0);
+}

tests/semanage-seuser-functions/test_key_extract.c

@@ -0,0 +1,45 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <errno.h>
+#include <semanage/semanage.h>
+
+#include "functions.c"
+
+int main (int argc, char **argv) {
+    semanage_handle_t *sh;
+    semanage_seuser_t *seuser;
+    semanage_seuser_key_t *key;
+    int result;
+    
+    if (argc < 3)
+        exit(2);
+    
+    sh = get_handle(argv[1]);
+
+    seuser = test_get_seuser(sh, argv[2]);
+
+    result = semanage_seuser_key_extract(sh, seuser, &key);
+    printf("semanage_seuser_key_extract(%p, %p, %p): %d\n",
+           (void *) sh, (void *) seuser, (void *) &key, result);
+
+    if (result < 0) {
+        perror("semanage_seuser_key_extract");
+        exit(1);
+    }
+
+    result = semanage_seuser_compare(seuser, key);
+    printf("semanage_seuser_compare(%p, %p): %d\n",
+           (void *) seuser, (void *) key, result);
+
+    if (result != 0) {
+        perror("semanage_seuser_compare");
+        exit(1);
+    }
+
+    semanage_seuser_key_free(key);
+
+    destroy_handle(sh, argv[1]);
+
+    exit(0);
+}

tests/semanage-seuser-functions/test_list.c

@@ -0,0 +1,63 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <errno.h>
+#include <semanage/semanage.h>
+
+#include "functions.c"
+
+int main (int argc, char **argv) {
+    semanage_handle_t *sh;
+    semanage_seuser_t **records;
+    unsigned int count;
+    int result;
+    
+    if (argc < 2)
+        exit(2);
+    
+    sh = get_handle(argv[1]);
+
+    result = semanage_seuser_list(sh, &records, &count);
+    printf("semanage_seuser_list(%p, %p, %p): %d",
+           (void *) sh, (void *) &records, (void *) &count, result);
+    
+    if (result < 0) {
+        perror("semanage_seuser_list");
+        exit(1);
+    }
+
+    printf(", count: %u, records: ", count);
+
+    const char *name;
+
+    for (unsigned int i = 0; i < count; i++) {
+        name = semanage_seuser_get_name(records[i]);
+        printf("%p (%s), ", (void *) records[i], name);
+    }
+
+    printf("\n");
+
+    if (argc >= 3) {
+        unsigned int exp_count = strtoul(argv[2], NULL, 10);
+        
+        if (count != exp_count) {
+            printf("Expected %u but got %u\n", exp_count, count);
+            exit(1);
+        }
+
+        const char *name;
+
+        for (unsigned int i = 0; i < count; i++) {
+            name = semanage_seuser_get_name(records[i]);
+
+            if (strcmp(name, argv[3 + i]) != 0) {
+                printf("Expected %s but got %s\n", name, argv[3 + i]);
+                exit(1);
+            }
+        }
+    }
+
+    destroy_handle(sh, argv[1]);
+
+    exit(0);
+}

tests/semanage-seuser-functions/test_modify_local.c

@@ -0,0 +1,64 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <errno.h>
+#include <semanage/semanage.h>
+
+#include "functions.c"
+
+int main (int argc, char **argv) {
+    semanage_handle_t *sh;
+    semanage_seuser_t *seuser;
+    semanage_seuser_key_t *key;
+    semanage_seuser_t **records;
+    int result;
+    unsigned int count;
+    
+    if (argc < 3)
+        exit(2);
+    
+    sh = get_handle(argv[1]);
+
+    seuser = test_get_seuser(sh, argv[2]);
+
+    result = semanage_seuser_key_extract(sh, seuser, &key);
+    printf("semanage_seuser_key_extract(%p, %p, %p): %d\n",
+           (void *) sh, (void *) seuser, (void *) &key, result);
+
+    if (result < 0) {
+        perror("semanage_seuser_key_extract");
+        exit(2);
+    }
+
+    result = semanage_seuser_modify_local(sh, key, seuser);
+    printf("semanage_seuser_modify_local(%p, %p, %p): %d\n",
+           (void *) seuser, (void *) key, (void *) seuser, result);
+
+    if (result < 0) {
+        perror("semanage_seuser_modify_local");
+        exit(1);
+    }
+
+    result = semanage_seuser_list_local(sh, &records, &count);
+    printf("semanage_seuser_list_local(%p, %p, %p): %d\n",
+           (void *) sh, (void *) &records, (void *) &count, result);
+    
+    if (result < 0) {
+        perror("semanage_seuser_list_local");
+        exit(2);
+    }
+
+    if (count != 1) {
+        fprintf(stderr, "Number of local seusers is %u, expected 1!\n", count);
+        exit(1);
+    }
+
+    if (semanage_seuser_compare(records[0], key) != 0) {
+        fprintf(stderr, "Local seuser is different!\n");
+        exit(1);
+    }
+
+    destroy_handle(sh, argv[1]);
+
+    exit(0);
+}

tests/semanage-seuser-functions/test_query.c

@@ -0,0 +1,50 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <errno.h>
+#include <semanage/semanage.h>
+
+#include "functions.c"
+
+int main (int argc, char **argv) {
+    semanage_handle_t *sh;
+    semanage_seuser_key_t *key;
+    semanage_seuser_t *response;
+    int result;
+    
+    if (argc < 3)
+        exit(2);
+    
+    sh = get_handle(argv[1]);
+
+    result = semanage_seuser_key_create(sh, argv[2], &key);
+    printf("semanage_seuser_key_create(%p, %s, %p): %d\n",
+           (void *) sh, argv[2], (void *) &key, result);
+
+    if (result < 0 || key == NULL) {
+        perror("semanage_seuser_key_create");
+        exit(2);
+    }
+
+    result = semanage_seuser_query(sh, key, &response);
+    printf("semanage_seuser_query(%p, %p, %p): %d, response: %p\n",
+           (void *) sh, (void *) key, (void *) &response, result, (void *) response);
+    
+    if (result < 0) {
+        perror("semanage_seuser_query");
+        exit(1);
+    }
+
+    const char *name = semanage_seuser_get_name(response);
+    printf("semanage_seuser_get_name(%p): %s\n",
+           (void *) response, name);
+
+    if (strcmp(argv[2], name) != 0) {
+        perror("semanage_seuser_get_name");
+        exit(2);
+    }
+
+    destroy_handle(sh, argv[1]);
+
+    exit(0);
+}

tests/semanage-seuser-functions/test_set_mlsrange.c

@@ -0,0 +1,62 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <errno.h>
+#include <semanage/semanage.h>
+
+#include "functions.c"
+
+int main (int argc, char **argv) {
+    semanage_handle_t *sh;
+    semanage_seuser_t *user;
+    int result;
+    const char *mlsrange;
+    
+    if (argc < 3)
+        exit(2);
+    
+    sh = get_handle(argv[1]);
+
+    user = test_get_seuser(sh, "first");
+
+    if (strcmp(argv[2], "NULL") == 0)
+        mlsrange = NULL;
+    else 
+        mlsrange = argv[2];
+
+    const char *old_mlsrange = semanage_seuser_get_mlsrange(user);
+    printf("semanage_seuser_get_mlsrange(%p): %s\n",
+           (void *) user, old_mlsrange);
+
+    if (old_mlsrange == NULL) {
+        perror("semanage_seuser_get_mlsrange");
+        exit(2);
+    }
+
+    if (strcmp(old_mlsrange, mlsrange) == 0) {
+        printf("New mlsrange is the same\n");
+        exit(2);
+    }
+
+    result = semanage_seuser_set_mlsrange(sh, user, mlsrange);
+    printf("semanage_seuser_set_mlsrange(%p, %p, %s): %d\n",
+           (void *) sh, (void *) user, mlsrange, result);
+
+    if (result < 0) {
+        perror("semanage_seuser_set_mlsrange");
+        exit(1);
+    }
+
+    const char *new_mlsrange = semanage_seuser_get_mlsrange(user);
+    printf("semanage_seuser_get_mlsrange(%p): %s\n",
+           (void *) user, new_mlsrange);
+
+    if (strcmp(new_mlsrange, mlsrange) != 0) {
+        perror("semanage_seuser_get_mlsrange");
+        exit(1);
+    }
+
+    destroy_handle(sh, argv[1]);
+
+    exit(0);
+}

tests/semanage-seuser-functions/test_set_name.c

@@ -0,0 +1,62 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <errno.h>
+#include <semanage/semanage.h>
+
+#include "functions.c"
+
+int main (int argc, char **argv) {
+    semanage_handle_t *sh;
+    semanage_seuser_t *user;
+    int result;
+    const char *name;
+    
+    if (argc < 3)
+        exit(2);
+    
+    sh = get_handle(argv[1]);
+
+    user = test_get_seuser(sh, "first");
+
+    if (strcmp(argv[2], "NULL") == 0)
+        name = NULL;
+    else 
+        name = argv[2];
+
+    const char *old_name = semanage_seuser_get_name(user);
+    printf("semanage_seuser_get_name(%p): %s\n",
+           (void *) user, old_name);
+
+    if (old_name == NULL) {
+        perror("semanage_seuser_get_name");
+        exit(2);
+    }
+
+    if (strcmp(old_name, name) == 0) {
+        printf("New name is the same\n");
+        exit(2);
+    }
+
+    result = semanage_seuser_set_name(sh, user, name);
+    printf("semanage_seuser_set_name(%p, %p, %s): %d\n",
+           (void *) sh, (void *) user, name, result);
+
+    if (result < 0) {
+        perror("semanage_seuser_set_name");
+        exit(1);
+    }
+
+    const char *new_name = semanage_seuser_get_name(user);
+    printf("semanage_seuser_get_name(%p): %s\n",
+           (void *) user, new_name);
+
+    if (strcmp(new_name, name) != 0) {
+        perror("semanage_seuser_get_name");
+        exit(1);
+    }
+
+    destroy_handle(sh, argv[1]);
+
+    exit(0);
+}

tests/semanage-seuser-functions/test_set_sename.c

@@ -0,0 +1,62 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <errno.h>
+#include <semanage/semanage.h>
+
+#include "functions.c"
+
+int main (int argc, char **argv) {
+    semanage_handle_t *sh;
+    semanage_seuser_t *user;
+    int result;
+    const char *name;
+    
+    if (argc < 3)
+        exit(2);
+    
+    sh = get_handle(argv[1]);
+
+    user = test_get_seuser(sh, "first");
+
+    if (strcmp(argv[2], "NULL") == 0)
+        name = NULL;
+    else 
+        name = argv[2];
+
+    const char *old_name = semanage_seuser_get_sename(user);
+    printf("semanage_seuser_get_sename(%p): %s\n",
+           (void *) user, old_name);
+
+    if (old_name == NULL) {
+        perror("semanage_seuser_get_sename");
+        exit(2);
+    }
+
+    if (strcmp(old_name, name) == 0) {
+        printf("New name is the same\n");
+        exit(2);
+    }
+
+    result = semanage_seuser_set_sename(sh, user, name);
+    printf("semanage_seuser_set_sename(%p, %p, %s): %d\n",
+           (void *) sh, (void *) user, name, result);
+
+    if (result < 0) {
+        perror("semanage_seuser_set_sename");
+        exit(1);
+    }
+
+    const char *new_name = semanage_seuser_get_sename(user);
+    printf("semanage_seuser_get_sename(%p): %s\n",
+           (void *) user, new_name);
+
+    if (strcmp(new_name, name) != 0) {
+        perror("semanage_seuser_get_sename");
+        exit(1);
+    }
+
+    destroy_handle(sh, argv[1]);
+
+    exit(0);
+}

tests/tests.yml

@@ -0,0 +1,25 @@
+---
+# Tests that run in all contexts
+- hosts: localhost
+  roles:
+  - role: standard-test-beakerlib
+    tags:
+    - classic
+    repositories:
+      - repo: "https://src.fedoraproject.org/tests/selinux.git"
+        dest: "selinux"
+        fmf_filter: "tier: 1 | component: libsemanage & tags: generic"
+    required_packages:
+    - libsemanage             # Required for sanity-tests
+    - libsemanage-devel       # Required for sanity-tests
+    - glibc                   # Required for sanity-tests
+    - gcc                     # Required for sanity-tests
+    - CUnit-devel             # Required for sanity-tests
+    - libselinux              # Required for verify-options-in-semanage-conf
+    - libselinux-utils        # Required for verify-options-in-semanage-conf
+    - policycoreutils         # Required for verify-options-in-semanage-conf
+    - policycoreutils-python-utils  # Required for verify-options-in-semanage-conf
+    - selinux-policy          # Required for verify-options-in-semanage-conf
+    - selinux-policy-devel    # Required for verify-options-in-semanage-conf
+    - lksctp-tools            # sctp_test
+    - psmisc                  # sctp_test

tests/verify-options-in-semanage-conf/Makefile

@@ -0,0 +1,64 @@
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   Makefile of /CoreOS/libsemanage/Sanity/verify-options-in-semanage-conf
+#   Description: Are the verify options in semanage.conf honored?
+#   Author: Milos Malik <mmalik@redhat.com>
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   Copyright (c) 2016 Red Hat, Inc.
+#
+#   This copyrighted material is made available to anyone wishing
+#   to use, modify, copy, or redistribute it subject to the terms
+#   and conditions of the GNU General Public License version 2.
+#
+#   This program is distributed in the hope that it will be
+#   useful, but WITHOUT ANY WARRANTY; without even the implied
+#   warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+#   PURPOSE. See the GNU General Public License for more details.
+#
+#   You should have received a copy of the GNU General Public
+#   License along with this program; if not, write to the Free
+#   Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+#   Boston, MA 02110-1301, USA.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+export TEST=/CoreOS/libsemanage/Sanity/verify-options-in-semanage-conf
+export TESTVERSION=1.0
+
+BUILT_FILES=
+
+FILES=$(METADATA) runtest.sh Makefile PURPOSE empty.te
+
+.PHONY: all install download clean
+
+run: $(FILES) build
+	./runtest.sh
+
+build: $(BUILT_FILES)
+	test -x runtest.sh || chmod a+x runtest.sh
+
+clean:
+	rm -f *~ $(BUILT_FILES)
+
+include /usr/share/rhts/lib/rhts-make.include
+
+$(METADATA): Makefile
+	@echo "Owner:           Milos Malik <mmalik@redhat.com>" > $(METADATA)
+	@echo "Name:            $(TEST)" >> $(METADATA)
+	@echo "TestVersion:     $(TESTVERSION)" >> $(METADATA)
+	@echo "Path:            $(TEST_DIR)" >> $(METADATA)
+	@echo "Description:     Are the verify options in semanage.conf honored?" >> $(METADATA)
+	@echo "Type:            Sanity" >> $(METADATA)
+	@echo "TestTime:        10m" >> $(METADATA)
+	@echo "RunFor:          libsemanage" >> $(METADATA)
+	@echo "Requires:        libselinux libselinux-utils libsemanage policycoreutils policycoreutils-python selinux-policy selinux-policy-devel" >> $(METADATA)
+	@echo "Priority:        Normal" >> $(METADATA)
+	@echo "License:         GPLv2" >> $(METADATA)
+	@echo "Confidential:    no" >> $(METADATA)
+	@echo "Destructive:     no" >> $(METADATA)
+	@echo "Releases:        -RHEL4 -RHELClient5 -RHELServer5" >> $(METADATA)
+
+	rhts-lint $(METADATA)
+

tests/verify-options-in-semanage-conf/PURPOSE

@@ -0,0 +1,9 @@
+PURPOSE of /CoreOS/libsemanage/Sanity/verify-options-in-semanage-conf
+Author: Milos Malik <mmalik@redhat.com>
+
+Are the verify options in semanage.conf honored?
+Tested options: verify kernel, verify module, verify linked
+Tested tools: semodule, semanage
+Positive and negative cases are tested.
+Original information found at http://selinuxproject.org/page/PolicyValidate
+

tests/verify-options-in-semanage-conf/empty.te

@@ -0,0 +1,2 @@
+policy_module(empty,1.0)
+

tests/verify-options-in-semanage-conf/runtest.sh

@@ -0,0 +1,142 @@
+#!/bin/bash
+# vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   runtest.sh of /CoreOS/libsemanage/Sanity/verify-options-in-semanage-conf
+#   Description: Are the verify options in semanage.conf honored?
+#   Author: Milos Malik <mmalik@redhat.com>
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   Copyright (c) 2016 Red Hat, Inc.
+#
+#   This copyrighted material is made available to anyone wishing
+#   to use, modify, copy, or redistribute it subject to the terms
+#   and conditions of the GNU General Public License version 2.
+#
+#   This program is distributed in the hope that it will be
+#   useful, but WITHOUT ANY WARRANTY; without even the implied
+#   warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+#   PURPOSE. See the GNU General Public License for more details.
+#
+#   You should have received a copy of the GNU General Public
+#   License along with this program; if not, write to the Free
+#   Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+#   Boston, MA 02110-1301, USA.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+# Include Beaker environment
+. /usr/bin/rhts-environment.sh || exit 1
+. /usr/share/beakerlib/beakerlib.sh || exit 1
+
+PACKAGE="libsemanage"
+MODULE_NAME="empty"
+SEMANAGE_CONF="/etc/selinux/semanage.conf"
+
+rlJournalStart
+	rlPhaseStartSetup
+		rlAssertRpm ${PACKAGE}
+		rlAssertRpm policycoreutils
+		rlAssertRpm selinux-policy
+		rlFileBackup ${SEMANAGE_CONF}
+		rlRun "rpm -qf /usr/sbin/semanage"
+		rlRun "grep -v -e '^#' -e '^$' ${SEMANAGE_CONF}"
+		OUTPUT_FILE=`mktemp`
+		
+		rlRun "setenforce 1"
+		rlRun "sestatus"
+		rlRun "ls -l ${MODULE_NAME}.te"
+		rlRun "make -f /usr/share/selinux/devel/Makefile"
+		rlRun "ls -l ${MODULE_NAME}.pp"
+    rlPhaseEnd
+
+	rlLog "positive cases follow"
+	# TODO: /bin/true could be replaced a script, which prints the supplied arguments into a file for further inspection
+
+	rlPhaseStartTest "verify kernel"
+		rlRun "semodule -r ${MODULE_NAME}" 0,1
+		rlFileRestore
+		rlRun "echo -en '[verify kernel]\npath = /bin/true\nargs = \$@\n[end]\n' >> ${SEMANAGE_CONF}"
+		rlRun "semodule -i ${MODULE_NAME}.pp 2>&1 | tee ${OUTPUT_FILE}"
+		rlAssertNotGrep "semodule.*failed" ${OUTPUT_FILE} -i
+		rlRun "semodule -l | grep ${MODULE_NAME}"
+		rlRun "semanage module -a ${MODULE_NAME}.pp 2>&1 | tee ${OUTPUT_FILE}"
+		rlAssertNotGrep "could not commit semanage transaction|no such file or directory" ${OUTPUT_FILE} -Ei
+		rlRun "semanage module -l | grep ${MODULE_NAME}"
+	rlPhaseEnd
+
+	rlPhaseStartTest "verify module"
+		rlRun "semodule -r ${MODULE_NAME}" 0,1
+		rlFileRestore
+		rlRun "echo -en '[verify module]\npath = /bin/true\nargs = \$@\n[end]\n' >> ${SEMANAGE_CONF}"
+		rlRun "semodule -i ${MODULE_NAME}.pp 2>&1 | tee ${OUTPUT_FILE}"
+		rlAssertNotGrep "semodule.*failed" ${OUTPUT_FILE} -i
+		rlRun "semodule -l | grep ${MODULE_NAME}"
+		rlRun "semanage module -a ${MODULE_NAME}.pp 2>&1 | tee ${OUTPUT_FILE}"
+		rlAssertNotGrep "could not commit semanage transaction|no such file or directory" ${OUTPUT_FILE} -Ei
+		rlRun "semanage module -l | grep ${MODULE_NAME}"
+	rlPhaseEnd
+
+    if rlIsRHEL '<7.3' ; then # because "[verify linked]" was dropped
+	rlPhaseStartTest "verify linked"
+		rlRun "semodule -r ${MODULE_NAME}" 0,1
+		rlFileRestore
+		rlRun "echo -en '[verify linked]\npath = /bin/true\nargs = \$@\n[end]\n' >> ${SEMANAGE_CONF}"
+		rlRun "semodule -i ${MODULE_NAME}.pp 2>&1 | tee ${OUTPUT_FILE}"
+		rlAssertNotGrep "semodule.*failed" ${OUTPUT_FILE} -i
+		rlRun "semodule -l | grep ${MODULE_NAME}"
+		rlRun "semanage module -a ${MODULE_NAME}.pp 2>&1 | tee ${OUTPUT_FILE}"
+		rlAssertNotGrep "could not commit semanage transaction|no such file or directory" ${OUTPUT_FILE} -Ei
+		rlRun "semanage module -l | grep ${MODULE_NAME}"
+	rlPhaseEnd
+    fi
+
+	rlLog "negative cases follow"
+	# TODO: /bin/false could be replaced a script, which prints the supplied arguments into a file for further inspection
+
+	rlPhaseStartTest "verify kernel"
+		rlRun "semodule -r ${MODULE_NAME}" 0,1
+		rlFileRestore
+		rlRun "echo -en '[verify kernel]\npath = /bin/false\nargs = \$@\n[end]\n' >> ${SEMANAGE_CONF}"
+		rlRun "semodule -i ${MODULE_NAME}.pp 2>&1 | tee ${OUTPUT_FILE}"
+		rlAssertGrep "semodule.*failed" ${OUTPUT_FILE} -i
+		rlRun "semodule -l | grep ${MODULE_NAME}" 1
+		rlRun "semanage module -a ${MODULE_NAME}.pp 2>&1 | tee ${OUTPUT_FILE}"
+		rlAssertGrep "could not commit semanage transaction|no such file or directory" ${OUTPUT_FILE} -Ei
+		rlRun "semanage module -l | grep ${MODULE_NAME}" 1
+	rlPhaseEnd
+
+	rlPhaseStartTest "verify module"
+		rlRun "semodule -r ${MODULE_NAME}" 0,1
+		rlFileRestore
+		rlRun "echo -en '[verify module]\npath = /bin/false\nargs = \$@\n[end]\n' >> ${SEMANAGE_CONF}"
+		rlRun "semodule -i ${MODULE_NAME}.pp 2>&1 | tee ${OUTPUT_FILE}"
+		rlAssertGrep "semodule.*failed" ${OUTPUT_FILE} -i
+		rlRun "semodule -l | grep ${MODULE_NAME}" 1
+		rlRun "semanage module -a ${MODULE_NAME}.pp 2>&1 | tee ${OUTPUT_FILE}"
+		rlAssertGrep "could not commit semanage transaction|no such file or directory" ${OUTPUT_FILE} -Ei
+		rlRun "semanage module -l | grep ${MODULE_NAME}" 1
+	rlPhaseEnd
+
+    if rlIsRHEL '<7.3' ; then # because "[verify linked]" was dropped
+	rlPhaseStartTest "verify linked"
+		rlRun "semodule -r ${MODULE_NAME}" 0,1
+		rlFileRestore
+		rlRun "echo -en '[verify linked]\npath = /bin/false\nargs = \$@\n[end]\n' >> ${SEMANAGE_CONF}"
+		rlRun "semodule -i ${MODULE_NAME}.pp 2>&1 | tee ${OUTPUT_FILE}"
+		rlAssertGrep "semodule.*failed" ${OUTPUT_FILE} -i
+		rlRun "semodule -l | grep ${MODULE_NAME}" 1
+		rlRun "semanage module -a ${MODULE_NAME}.pp 2>&1 | tee ${OUTPUT_FILE}"
+		rlAssertGrep "could not commit semanage transaction|no such file or directory" ${OUTPUT_FILE} -Ei
+		rlRun "semanage module -l | grep ${MODULE_NAME}" 1
+	rlPhaseEnd
+    fi
+
+	rlPhaseStartCleanup
+		rlRun "rm -f ${MODULE_NAME}.pp ${OUTPUT_FILE}"
+		rlFileRestore	
+	rlPhaseEnd
+rlJournalPrintText
+rlJournalEnd
+