libsemanage-2.7-3

* Tue Jun 26 2018 Paul Moore <pmoore@redhat.com> - 2.7-3
- Disable expand-check (#1595316)

libsemanage-fedora.patch

@@ -1,5 +1,18 @@
+diff --git libsemanage-2.7/include/semanage/fcontexts_policy.h libsemanage-2.7/include/semanage/fcontexts_policy.h
+index a50db2b..199a1e1 100644
+--- libsemanage-2.7/include/semanage/fcontexts_policy.h
++++ libsemanage-2.7/include/semanage/fcontexts_policy.h
+@@ -26,4 +26,8 @@ extern int semanage_fcontext_list(semanage_handle_t * handle,
+ 				  semanage_fcontext_t *** records,
+ 				  unsigned int *count);
+ 
++extern int semanage_fcontext_list_homedirs(semanage_handle_t * handle,
++				  semanage_fcontext_t *** records,
++				  unsigned int *count);
++
+ #endif
 diff --git libsemanage-2.7/src/direct_api.c libsemanage-2.7/src/direct_api.c
-index 65842df..ed11a7c 100644
+index 65842df..31fcada 100644
 --- libsemanage-2.7/src/direct_api.c
 +++ libsemanage-2.7/src/direct_api.c
 @@ -148,9 +148,6 @@ int semanage_direct_connect(semanage_handle_t * sh)
@@ -12,7 +25,28 @@ index 65842df..ed11a7c 100644
  	sh->u.direct.translock_file_fd = -1;
  	sh->u.direct.activelock_file_fd = -1;
  
-@@ -373,10 +370,6 @@ static int semanage_direct_disconnect(semanage_handle_t * sh)
+@@ -210,6 +207,12 @@ int semanage_direct_connect(semanage_handle_t * sh)
+ 				     semanage_fcontext_dbase_local(sh)) < 0)
+ 		goto err;
+ 
++	if (fcontext_file_dbase_init(sh,
++				     semanage_path(SEMANAGE_ACTIVE, SEMANAGE_STORE_FC_HOMEDIRS),
++				     semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_FC_HOMEDIRS),
++				     semanage_fcontext_dbase_homedirs(sh)) < 0)
++		goto err;
++
+ 	if (seuser_file_dbase_init(sh,
+ 				   semanage_path(SEMANAGE_ACTIVE,
+ 						 SEMANAGE_SEUSERS_LOCAL),
+@@ -349,6 +352,7 @@ static int semanage_direct_disconnect(semanage_handle_t * sh)
+ 	iface_file_dbase_release(semanage_iface_dbase_local(sh));
+ 	bool_file_dbase_release(semanage_bool_dbase_local(sh));
+ 	fcontext_file_dbase_release(semanage_fcontext_dbase_local(sh));
++	fcontext_file_dbase_release(semanage_fcontext_dbase_homedirs(sh));
+ 	seuser_file_dbase_release(semanage_seuser_dbase_local(sh));
+ 	node_file_dbase_release(semanage_node_dbase_local(sh));
+ 
+@@ -373,10 +377,6 @@ static int semanage_direct_disconnect(semanage_handle_t * sh)
  
  static int semanage_direct_begintrans(semanage_handle_t * sh)
  {
@@ -23,7 +57,7 @@ index 65842df..ed11a7c 100644
  	if (semanage_get_trans_lock(sh) < 0) {
  		return -1;
  	}
-@@ -1545,33 +1538,27 @@ rebuild:
+@@ -1545,43 +1545,46 @@ rebuild:
  	}
  
  	path = semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_FC_LOCAL);
@@ -72,11 +106,131 @@ index 65842df..ed11a7c 100644
  	}
  
  	/* run genhomedircon if its enabled, this should be the last operation
+ 	 * which requires the out policydb */
+ 	if (!sh->conf->disable_genhomedircon) {
+-		if (out && (retval =
+-			semanage_genhomedircon(sh, out, sh->conf->usepasswd, sh->conf->ignoredirs)) != 0) {
+-			ERR(sh, "semanage_genhomedircon returned error code %d.",
+-			    retval);
+-			goto cleanup;
++		if (out){
++			if ((retval = semanage_genhomedircon(sh, out, sh->conf->usepasswd,
++								sh->conf->ignoredirs)) != 0) {
++				ERR(sh, "semanage_genhomedircon returned error code %d.", retval);
++				goto cleanup;
++			}
++			/* file_contexts.homedirs was created in SEMANAGE_TMP store */
++			retval = semanage_copy_file(
++						semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_FC_HOMEDIRS),
++						semanage_final_path(SEMANAGE_FINAL_TMP,	SEMANAGE_FC_HOMEDIRS),
++						sh->conf->file_mode);
++			if (retval < 0) {
++				goto cleanup;
++			}
+ 		}
+ 	} else {
+ 		WARN(sh, "WARNING: genhomedircon is disabled. \
+diff --git libsemanage-2.7/src/fcontexts_policy.c libsemanage-2.7/src/fcontexts_policy.c
+index 0b063b1..98490ab 100644
+--- libsemanage-2.7/src/fcontexts_policy.c
++++ libsemanage-2.7/src/fcontexts_policy.c
+@@ -51,3 +51,11 @@ int semanage_fcontext_list(semanage_handle_t * handle,
+ 	dbase_config_t *dconfig = semanage_fcontext_dbase_policy(handle);
+ 	return dbase_list(handle, dconfig, records, count);
+ }
++
++int semanage_fcontext_list_homedirs(semanage_handle_t * handle,
++			   semanage_fcontext_t *** records, unsigned int *count)
++{
++
++	dbase_config_t *dconfig = semanage_fcontext_dbase_homedirs(handle);
++	return dbase_list(handle, dconfig, records, count);
++}
+diff --git libsemanage-2.7/src/genhomedircon.c libsemanage-2.7/src/genhomedircon.c
+index b9a74b7..d09d82f 100644
+--- libsemanage-2.7/src/genhomedircon.c
++++ libsemanage-2.7/src/genhomedircon.c
+@@ -1345,8 +1345,8 @@ int semanage_genhomedircon(semanage_handle_t * sh,
+ 
+ 	s.homedir_template_path =
+ 	    semanage_path(SEMANAGE_TMP, SEMANAGE_HOMEDIR_TMPL);
+-	s.fcfilepath = semanage_final_path(SEMANAGE_FINAL_TMP,
+-					   SEMANAGE_FC_HOMEDIRS);
++	s.fcfilepath =
++		semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_FC_HOMEDIRS);
+ 
+ 	s.fallback = calloc(1, sizeof(genhomedircon_user_entry_t));
+ 	if (s.fallback == NULL) {
+@@ -1385,7 +1385,9 @@ done:
+ 	if (out != NULL)
+ 		fclose(out);
+ 
+-	pop_user_entry(&(s.fallback));
++	while (s.fallback)
++		pop_user_entry(&(s.fallback));
++
+ 	ignore_free();
+ 
+ 	return retval;
+diff --git libsemanage-2.7/src/handle.h libsemanage-2.7/src/handle.h
+index 889871d..1780ac8 100644
+--- libsemanage-2.7/src/handle.h
++++ libsemanage-2.7/src/handle.h
+@@ -79,7 +79,7 @@ struct semanage_handle {
+ 	struct semanage_policy_table *funcs;
+ 
+ 	/* Object databases */
+-#define DBASE_COUNT      23
++#define DBASE_COUNT      24
+ 
+ /* Local modifications */
+ #define DBASE_LOCAL_USERS_BASE  0
+@@ -102,13 +102,14 @@ struct semanage_handle {
+ #define DBASE_POLICY_INTERFACES  15
+ #define DBASE_POLICY_BOOLEANS    16
+ #define DBASE_POLICY_FCONTEXTS   17
+-#define DBASE_POLICY_SEUSERS     18
+-#define DBASE_POLICY_NODES       19
+-#define DBASE_POLICY_IBPKEYS     20
+-#define DBASE_POLICY_IBENDPORTS  21
++#define DBASE_POLICY_FCONTEXTS_H 18
++#define DBASE_POLICY_SEUSERS     19
++#define DBASE_POLICY_NODES       20
++#define DBASE_POLICY_IBPKEYS     21
++#define DBASE_POLICY_IBENDPORTS  22
+ 
+ /* Active kernel policy */
+-#define DBASE_ACTIVE_BOOLEANS    22
++#define DBASE_ACTIVE_BOOLEANS    23
+ 	dbase_config_t dbase[DBASE_COUNT];
+ };
+ 
+@@ -236,6 +237,12 @@ static inline
+ }
+ 
+ static inline
++    dbase_config_t * semanage_fcontext_dbase_homedirs(semanage_handle_t * handle)
++{
++	return &handle->dbase[DBASE_POLICY_FCONTEXTS_H];
++}
++
++static inline
+     dbase_config_t * semanage_seuser_dbase_policy(semanage_handle_t * handle)
+ {
+ 	return &handle->dbase[DBASE_POLICY_SEUSERS];
 diff --git libsemanage-2.7/src/semanage_store.c libsemanage-2.7/src/semanage_store.c
-index 6158d08..d2d7e3e 100644
+index 6158d08..320fa7b 100644
 --- libsemanage-2.7/src/semanage_store.c
 +++ libsemanage-2.7/src/semanage_store.c
-@@ -537,7 +537,6 @@ char *semanage_conf_path(void)
+@@ -116,6 +116,7 @@ static const char *semanage_sandbox_paths[SEMANAGE_STORE_NUM_PATHS] = {
+ 	"/modules/disabled",
+ 	"/policy.kern",
+ 	"/file_contexts.local",
++	"/file_contexts.homedirs",
+ 	"/file_contexts",
+ 	"/seusers"
+ };
+@@ -537,7 +538,6 @@ char *semanage_conf_path(void)
  int semanage_create_store(semanage_handle_t * sh, int create)
  {
  	struct stat sb;
@@ -84,7 +238,7 @@ index 6158d08..d2d7e3e 100644
  	const char *path = semanage_files[SEMANAGE_ROOT];
  	int fd;
  
-@@ -556,9 +555,9 @@ int semanage_create_store(semanage_handle_t * sh, int create)
+@@ -556,9 +556,9 @@ int semanage_create_store(semanage_handle_t * sh, int create)
  			return -1;
  		}
  	} else {
@@ -96,7 +250,7 @@ index 6158d08..d2d7e3e 100644
  			    path);
  			return -1;
  		}
-@@ -579,9 +578,9 @@ int semanage_create_store(semanage_handle_t * sh, int create)
+@@ -579,9 +579,9 @@ int semanage_create_store(semanage_handle_t * sh, int create)
  			return -1;
  		}
  	} else {
@@ -108,7 +262,7 @@ index 6158d08..d2d7e3e 100644
  			    path);
  			return -1;
  		}
-@@ -602,9 +601,9 @@ int semanage_create_store(semanage_handle_t * sh, int create)
+@@ -602,9 +602,9 @@ int semanage_create_store(semanage_handle_t * sh, int create)
  			return -1;
  		}
  	} else {
@@ -120,7 +274,7 @@ index 6158d08..d2d7e3e 100644
  			    path);
  			return -1;
  		}
-@@ -623,8 +622,8 @@ int semanage_create_store(semanage_handle_t * sh, int create)
+@@ -623,8 +623,8 @@ int semanage_create_store(semanage_handle_t * sh, int create)
  			return -1;
  		}
  	} else {
@@ -131,3 +285,15 @@ index 6158d08..d2d7e3e 100644
  			return -1;
  		}
  	}
+diff --git libsemanage-2.7/src/semanage_store.h libsemanage-2.7/src/semanage_store.h
+index fcaa505..34bf852 100644
+--- libsemanage-2.7/src/semanage_store.h
++++ libsemanage-2.7/src/semanage_store.h
+@@ -61,6 +61,7 @@ enum semanage_sandbox_defs {
+ 	SEMANAGE_MODULES_DISABLED,
+ 	SEMANAGE_STORE_KERNEL,
+ 	SEMANAGE_STORE_FC_LOCAL,
++	SEMANAGE_STORE_FC_HOMEDIRS,
+ 	SEMANAGE_STORE_FC,
+ 	SEMANAGE_STORE_SEUSERS,
+ 	SEMANAGE_STORE_NUM_PATHS

libsemanage.spec

@@ -1,20 +1,21 @@
 %global with_python3 1
 %{!?python_sitearch: %global python_sitearch %(%{__python} -c "from distutils.sysconfig import get_python_lib; print (get_python_lib(1))")}
 
-%define libsepolver 2.7-1
-%define libselinuxver 2.7-1
+%define libsepolver 2.7-2
+%define libselinuxver 2.7-3
 
 Summary: SELinux binary policy manipulation library 
 Name: libsemanage
 Version: 2.7
-Release: 1%{?dist}
+Release: 3%{?dist}
 License: LGPLv2+
 Group: System Environment/Libraries
 Source: https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20170804/libsemanage-2.7.tar.gz
 # download https://raw.githubusercontent.com/fedora-selinux/scripts/master/selinux/make-fedora-selinux-patch.sh
 # run:
-# $ VERSION=2.7 ./make-fedora-selinux-patch.sh libsemanage
-# HEAD https://github.com/fedora-selinux/selinux/commit/70a12c5e7b56a81223d67ce2469292826b84efe9
+# $ VERSION=2.7 BRANCH=f27 ./make-fedora-selinux-patch.sh libsemanage
+# HEAD https://github.com/fedora-selinux/selinux/commit/e5a6540888e254b245d42b7cecf0b895d64ddc43
+
 Patch1: libsemanage-fedora.patch
 URL: https://github.com/SELinuxProject/selinux/wiki
 Source1: semanage.conf
@@ -195,6 +196,14 @@ rm -rf ${RPM_BUILD_ROOT}
 %endif # if with_python3
 
 %changelog
+* Tue Jun 26 2018 Paul Moore <pmoore@redhat.com> - 2.7-3
+- Disable expand-check (#1595316)
+
+* Fri Nov 24 2017 Petr Lautrbach <plautrba@redhat.com> - 2.7-2
+- free genhomedircon fallback user
+- Add support for listing fcontext.homedirs file
+- Keep copy of file_contexts.homedirs in policy store
+
 * Mon Aug 07 2017 Petr Lautrbach <plautrba@redhat.com> - 2.7-1
 - Update to upstream release 2017-08-04
 - Use 'sefcontext_compile -r' when it's run during SELinux policy build

semanage.conf

@@ -39,7 +39,7 @@ module-store = direct
 # expand-check check neverallow rules when executing all semanage
 # commands. There might be a penalty in execution time if this
 # option is enabled.
-expand-check = 1
+expand-check=0
 
 # usepasswd check tells semanage to scan all pass word records for home directories
 # and setup the labeling correctly.  If this is turned off, SELinux will label /home 

tests/semanage-handle-functions/Makefile

@@ -0,0 +1,63 @@
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   Makefile of /CoreOS/libsemanage/Sanity/semanage-handle-functions
+#   Description: Test functions from handle.h
+#   Author: Jan Zarsky <jzarsky@redhat.com>
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   Copyright (c) 2017 Red Hat, Inc.
+#
+#   This program is free software: you can redistribute it and/or
+#   modify it under the terms of the GNU General Public License as
+#   published by the Free Software Foundation, either version 2 of
+#   the License, or (at your option) any later version.
+#
+#   This program is distributed in the hope that it will be
+#   useful, but WITHOUT ANY WARRANTY; without even the implied
+#   warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+#   PURPOSE.  See the GNU General Public License for more details.
+#
+#   You should have received a copy of the GNU General Public License
+#   along with this program. If not, see http://www.gnu.org/licenses/.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+export TEST=/CoreOS/libsemanage/Sanity/semanage-handle-functions
+export TESTVERSION=1.0
+
+BUILT_FILES=
+
+FILES=$(METADATA) runtest.sh Makefile PURPOSE functions.c test_*.c
+
+.PHONY: all install download clean
+
+run: $(FILES) build
+	./runtest.sh
+
+build: $(BUILT_FILES)
+	test -x runtest.sh || chmod a+x runtest.sh
+
+clean:
+	rm -f *~ $(BUILT_FILES)
+
+
+include /usr/share/rhts/lib/rhts-make.include
+
+$(METADATA): Makefile
+	@echo "Owner:           Jan Zarsky <jzarsky@redhat.com>" > $(METADATA)
+	@echo "Name:            $(TEST)" >> $(METADATA)
+	@echo "TestVersion:     $(TESTVERSION)" >> $(METADATA)
+	@echo "Path:            $(TEST_DIR)" >> $(METADATA)
+	@echo "Description:     Test functions from handle.h" >> $(METADATA)
+	@echo "Type:            Sanity" >> $(METADATA)
+	@echo "TestTime:        5m" >> $(METADATA)
+	@echo "RunFor:          libsemanage" >> $(METADATA)
+	@echo "Requires:        libsemanage libsemanage-devel glibc gcc" >> $(METADATA)
+	@echo "Priority:        Normal" >> $(METADATA)
+	@echo "License:         GPLv2+" >> $(METADATA)
+	@echo "Confidential:    no" >> $(METADATA)
+	@echo "Destructive:     no" >> $(METADATA)
+	@echo "Releases:        -RHEL4 -RHELClient5 -RHELServer5" >> $(METADATA)
+
+	rhts-lint $(METADATA)

tests/semanage-handle-functions/PURPOSE

@@ -0,0 +1,3 @@
+PURPOSE of /CoreOS/libsemanage/Sanity/semanage-handle-functions
+Description: Test functions from handle.h
+Author: Jan Zarsky <jzarsky@redhat.com>

tests/semanage-handle-functions/functions.c

@@ -0,0 +1,132 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <errno.h>
+#include <semanage/semanage.h>
+
+void check_result_int(const char *expected, int real) {
+    int exp = strtol(expected, NULL, 10);
+
+    if (exp != real) {
+        fprintf(stderr, "Expected %d but got %d\n", exp, real);
+        exit(1);
+    }
+}
+
+semanage_handle_t *test_handle_create() {
+    semanage_handle_t *sh = NULL;
+
+    sh = semanage_handle_create();
+    printf("semanage_handle_create(): %p\n", (void *) sh);
+
+    if (sh == NULL) {
+        perror("semanage_handle_create");
+        exit(1);
+    }
+
+    return sh;
+}
+
+int test_connect(semanage_handle_t *sh) {
+    int result = semanage_connect(sh);
+    printf("semanage_connect(%p): %d\n", (void *) sh, result);
+
+    if (result != 0) {
+        perror("semanage_connect");
+        exit(1);
+    }
+
+    return result;
+}
+
+int test_disconnect(semanage_handle_t *sh) {
+    int result = semanage_disconnect(sh);
+    printf("semanage_disconnect(%p): %d\n", (void *) sh, result);
+
+    if (result != 0) {
+        perror("semanage_disconnect");
+        exit(1);
+    }
+
+    return result;
+}
+
+int test_begin_transaction(semanage_handle_t *sh) {
+    int result = semanage_begin_transaction(sh);
+    printf("semanage_begin_transaction(%p): %d\n", (void *) sh, result);
+
+    if (result != 0) {
+        perror("semanage_begin_transaction");
+        exit(1);
+    }
+
+    return result;
+}
+
+int test_commit(semanage_handle_t *sh) {
+    int result = semanage_commit(sh);
+    printf("semanage_commit(%p): %d\n", (void *) sh, result);
+
+    if (result != 0) {
+        perror("semanage_commit");
+        exit(1);
+    }
+
+    return result;
+}
+
+#define STATE_INIT      1
+#define STATE_HANDLE    2
+#define STATE_CONN      3
+#define STATE_TRANS     4
+
+int get_state(const char *state_str) {
+    if (strcmp(state_str, "init") == 0)
+        return STATE_INIT;
+    if (strcmp(state_str, "handle") == 0)
+        return STATE_HANDLE;
+    if (strcmp(state_str, "conn") == 0)
+        return STATE_CONN;
+    if (strcmp(state_str, "trans") == 0)
+        return STATE_TRANS;
+
+    return 0;
+}
+
+semanage_handle_t * get_handle(const char *state_str) {
+    int state;
+    semanage_handle_t *sh = NULL;
+
+    state = get_state(state_str);
+
+    if (state >= STATE_INIT)
+        sh = NULL;
+
+    if (state >= STATE_HANDLE)
+        sh = test_handle_create();
+
+    if (state >= STATE_CONN)
+        test_connect(sh);
+
+    if (state >= STATE_TRANS)
+        test_begin_transaction(sh);
+
+    return sh;
+}
+
+void destroy_handle(semanage_handle_t *sh, const char *state_str) {
+    int state;
+
+    state = get_state(state_str);
+
+    if (state >= STATE_TRANS)
+        test_commit(sh);
+
+    if (state >= STATE_CONN)
+        test_disconnect(sh);
+
+    if (state >= STATE_HANDLE) {
+        semanage_handle_destroy(sh);
+        printf("semanage_handle_destroy(%p)\n", (void *) sh);
+    }
+}

tests/semanage-handle-functions/plan.txt

@@ -0,0 +1,29 @@
+                                        init    handle  conn    trans
+semanage_set_root                   x   ok      ok      ok      -
+semanage_root                       x   ok      ok      ok      -
+semanage_handle_create              x   ok      -       -       -        
+semanage_set_rebuild                    fail    ok      ok      -
+semanage_set_reload                     fail    ok      ok      -
+semanage_get_hll_compiler_path          fail    ?       ?       -
+semanage_set_create_store               fail    ok      ok      -       should be called after connect
+semanage_get_disable_dontaudit          fail    ?       ?       -
+semanage_set_disable_dontaudit          fail    ?       ?       -
+semanage_get_preserve_tunables          fail    ?       ?       -
+semanage_set_preserve_tunables          fail    ?       ?       -
+semanage_get_ignore_module_cache        fail    ?       ?       -
+semanage_set_ignore_module_cache        fail    ?       ?       -
+semanage_set_check_contexts             fail    ok      ok      -
+semanage_get_default_priority           fail    ok      ok      -
+semanage_set_default_priority           fail    ok      ok      -
+semanage_is_connected               x   fail    ok      ok      -
+semanage_select_store                   fail    ok      ok      -       should be called before connect
+semanage_set_store_root                 fail    ok      ok      -
+semanage_is_managed                 x   fail    ok      fail    -
+semanage_mls_enabled                x   fail    ?       ok      -
+semanage_connect                    x   fail    ok      ?       -
+semanage_access_check               x   fail    ok      ?       -
+semanage_disconnect                 x   fail    fail    ok      -       ok when disconnected twice
+semanage_handle_destroy             x   fail    ok      ok      -
+semanage_begin_transaction          x   fail    fail    ok      ok      ok when begin twice
+semanage_commit                     x   fail    fail    fail    ok
+semanage_reload_policy                  fail    ?       ?       ?

tests/semanage-handle-functions/runtest.sh

@@ -0,0 +1,122 @@
+#!/bin/bash
+# vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   runtest.sh of /CoreOS/libsemanage/Sanity/semanage-handle-functions
+#   Description: Test functions from handle.h
+#   Author: Jan Zarsky <jzarsky@redhat.com>
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   Copyright (c) 2017 Red Hat, Inc.
+#
+#   This program is free software: you can redistribute it and/or
+#   modify it under the terms of the GNU General Public License as
+#   published by the Free Software Foundation, either version 2 of
+#   the License, or (at your option) any later version.
+#
+#   This program is distributed in the hope that it will be
+#   useful, but WITHOUT ANY WARRANTY; without even the implied
+#   warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+#   PURPOSE.  See the GNU General Public License for more details.
+#
+#   You should have received a copy of the GNU General Public License
+#   along with this program. If not, see http://www.gnu.org/licenses/.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+# Include Beaker environment
+. /usr/bin/rhts-environment.sh || exit 1
+. /usr/share/beakerlib/beakerlib.sh || exit 1
+
+PACKAGE="libsemanage"
+
+rlJournalStart
+    rlPhaseStartSetup
+        rlAssertRpm ${PACKAGE}
+        rlAssertRpm ${PACKAGE}-devel
+        rlAssertRpm "glibc"
+        rlAssertRpm "gcc"
+
+        if rlIsRHEL ">=7" || rlIsFedora; then
+            rlRun -l "gcc test_root.c           -o test_root            -lsemanage -Wall -Wextra -std=c99"
+        fi
+
+        rlRun -l "gcc test_handle_create.c  -o test_handle_create   -lsemanage -Wall -Wextra -Wno-unused-parameter -std=c99"
+        rlRun -l "gcc test_access_check.c   -o test_access_check    -lsemanage -Wall -Wextra -std=c99"
+        rlRun -l "gcc test_is_managed.c     -o test_is_managed      -lsemanage -Wall -Wextra -std=c99"
+        rlRun -l "gcc test_connect.c        -o test_connect         -lsemanage -Wall -Wextra -std=c99"
+        rlRun -l "gcc test_is_connected.c   -o test_is_connected    -lsemanage -Wall -Wextra -std=c99"
+        rlRun -l "gcc test_mls_enabled.c    -o test_mls_enabled     -lsemanage -Wall -Wextra -std=c99"
+        rlRun -l "gcc test_transaction.c    -o test_transaction     -lsemanage -Wall -Wextra -std=c99"
+
+        ERR_FAIL=1
+        ERR_ABORT=134
+    rlPhaseEnd
+
+    if rlIsRHEL ">=7" || rlIsFedora; then
+    rlPhaseStartTest "semanage_root, semanage_test_root"
+        rlRun "./test_root init"
+        rlRun "./test_root handle"
+        rlRun "./test_root conn"
+        rlRun "./test_root init /somepath"
+        rlRun "./test_root handle /somepath"
+        rlRun "./test_root conn /somepath"
+    rlPhaseEnd
+    fi
+
+    rlPhaseStartTest "semanage_handle_create, semanage_handle_destroy"
+        rlRun "./test_handle_create init"
+    rlPhaseEnd
+
+    rlPhaseStartTest "semanage_access_check"
+        rlRun "./test_access_check init" $ERR_ABORT
+        rlRun "./test_access_check handle 2"
+        rlRun "./test_access_check conn 2"
+    rlPhaseEnd
+
+    rlPhaseStartTest "semanage_is_managed"
+        rlRun "./test_is_managed init" $ERR_ABORT
+        rlRun "./test_is_managed handle 1"
+        rlRun "./test_is_managed conn" $ERR_FAIL
+    rlPhaseEnd
+
+    rlPhaseStartTest "semanage_connect, semanage_disconnect"
+        rlRun "./test_connect init" $ERR_ABORT
+        rlRun "./test_connect init reversed" $ERR_ABORT
+        rlRun "./test_connect handle"
+        rlRun "./test_connect handle twice"
+        rlRun "./test_connect handle reversed" $ERR_ABORT
+        # why does it work??
+        rlRun "./test_connect conn"
+    rlPhaseEnd
+
+    rlPhaseStartTest "semanage_is_connected"
+        rlRun "./test_is_connected init" $ERR_ABORT
+        rlRun "./test_is_connected handle 0"
+        rlRun "./test_is_connected conn 1"
+    rlPhaseEnd
+
+    rlPhaseStartTest "semanage_mls_enabled"
+        rlRun "./test_mls_enabled init" $ERR_ABORT
+        rlRun "./test_mls_enabled handle" $ERR_ABORT
+        rlRun "./test_mls_enabled conn 1"
+    rlPhaseEnd
+
+    rlPhaseStartTest "semanage_begin_transaction, semanage_commit"
+        rlRun "./test_transaction init" $ERR_ABORT
+        rlRun "./test_transaction init reversed" $ERR_ABORT
+        rlRun "./test_transaction handle" $ERR_ABORT
+        rlRun "./test_transaction handle reversed" $ERR_ABORT
+        rlRun "./test_transaction conn"
+        rlRun "./test_transaction conn twice"
+        rlRun "./test_transaction conn reversed" $ERR_FAIL
+    rlPhaseEnd
+
+    rlPhaseStartCleanup
+        rlRun "rm -f output test_root test_handle_create test_access_check \
+               test_is_managed test_connect test_is_connected \
+               test_mls_enabled test_transaction"
+    rlPhaseEnd
+rlJournalPrintText
+rlJournalEnd

tests/semanage-handle-functions/test_access_check.c

@@ -0,0 +1,32 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <errno.h>
+#include <semanage/semanage.h>
+
+#include "functions.c"
+
+int main (int argc, char **argv) {
+    semanage_handle_t *sh;
+
+    if (argc < 2)
+        exit(1);
+    
+    sh = get_handle(argv[1]);
+
+    int result = semanage_access_check(sh);
+    printf("semanage_access_check(%p): %d\n", (void *) sh, result);
+    
+    if (result < 0 || (result != 0 && result != SEMANAGE_CAN_READ
+                       && result != SEMANAGE_CAN_WRITE)) {
+        perror("semanage_access_check");
+        exit(1);
+    }
+
+    if (argc >= 3)
+        check_result_int(argv[2], result);
+
+    destroy_handle(sh, argv[1]);
+
+    exit(0);
+}

tests/semanage-handle-functions/test_connect.c

@@ -0,0 +1,33 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <errno.h>
+#include <semanage/semanage.h>
+
+#include "functions.c"
+
+int main (int argc, char **argv) {
+    semanage_handle_t *sh;
+    
+    if (argc < 2)
+        exit(1);
+    
+    sh = get_handle(argv[1]);
+    
+    if (argc >= 3 && strcmp(argv[2], "reversed") == 0) {
+        test_disconnect(sh);
+        test_connect(sh);
+    }
+    else {
+        test_connect(sh);
+        test_disconnect(sh);
+    }
+
+    if (argc >= 3 && strcmp(argv[2], "twice") == 0) {
+        test_disconnect(sh);
+    }
+
+    destroy_handle(sh, argv[1]);
+
+    exit(0);
+}

tests/semanage-handle-functions/test_handle_create.c

@@ -0,0 +1,15 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <errno.h>
+#include <semanage/semanage.h>
+
+#include "functions.c"
+
+int main (int argc, char **argv) {
+    semanage_handle_t *sh = test_handle_create();
+
+    semanage_handle_destroy(sh);
+
+    exit(0);
+}

tests/semanage-handle-functions/test_is_connected.c

@@ -0,0 +1,32 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <errno.h>
+#include <semanage/semanage.h>
+
+#include "functions.c"
+
+int main (int argc, char **argv) {
+    semanage_handle_t *sh;
+    int result;
+    
+    if (argc < 2)
+        exit(1);
+    
+    sh = get_handle(argv[1]);
+
+    result = semanage_is_connected(sh);
+    printf("semanage_is_connected(%p): %d\n", (void *) sh, result);
+
+    if (result != 0 && result != 1) {
+        perror("semanage_is_connected");
+        exit(1);
+    }
+
+    if (argc >= 3)
+        check_result_int(argv[2], result);
+
+    destroy_handle(sh, argv[1]);
+
+    exit(0);
+}

tests/semanage-handle-functions/test_is_managed.c

@@ -0,0 +1,32 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <errno.h>
+#include <semanage/semanage.h>
+
+#include "functions.c"
+
+int main (int argc, char **argv) {
+    semanage_handle_t *sh;
+    int result;
+
+    if (argc < 2)
+        exit(1);
+    
+    sh = get_handle(argv[1]);
+    
+    result = semanage_is_managed(sh);
+    printf("semanage_is_managed(%p): %d\n", (void *) sh, result);
+
+    if (result != 0 && result != 1) {
+        perror("semanage_is_managed");
+        exit(1);
+    }
+
+    if (argc >= 3)
+        check_result_int(argv[2], result);
+
+    destroy_handle(sh, argv[1]);
+
+    exit(0);
+}

tests/semanage-handle-functions/test_mls_enabled.c

@@ -0,0 +1,32 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <errno.h>
+#include <semanage/semanage.h>
+
+#include "functions.c"
+
+int main (int argc, char **argv) {
+    semanage_handle_t *sh;
+    int result;
+    
+    if (argc < 2)
+        exit(1);
+    
+    sh = get_handle(argv[1]);
+
+    result = semanage_mls_enabled(sh);
+    printf("semanage_mls_enabled(%p): %d\n", (void *) sh, result);
+
+    if (result != 0 && result != 1) {
+        perror("semanage_mls_enabled");
+        exit(1);
+    }
+
+    if (argc >= 4)
+        check_result_int(argv[3], result);
+
+    destroy_handle(sh, argv[1]);
+
+    exit(0);
+}

tests/semanage-handle-functions/test_root.c

@@ -0,0 +1,53 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <errno.h>
+#include <semanage/semanage.h>
+
+#include "functions.c"
+
+int main (int argc, char **argv) {
+    semanage_handle_t *sh;
+    const char *root;
+    int result;
+
+    if (argc < 2)
+        exit(1);
+    
+    sh = get_handle(argv[1]);
+
+    root = semanage_root();
+    printf("semanage_root(): %s\n", root);
+
+    if (root == NULL) {
+        perror("semanage_root");
+        exit(1);
+    }
+
+    if (argc >= 3) {
+        result = semanage_set_root(argv[2]);
+        printf("semanage_set_root(\"%s\"): %d\n", argv[2], result);
+
+        if (root == NULL) {
+            perror("semanage_set_root");
+            exit(1);
+        }
+
+        root = semanage_root();
+        printf("semanage_root(): %s\n", root);
+
+        if (result != 0) {
+            perror("semanage_root");
+            exit(1);
+        }
+
+        if (strcmp(root, argv[2]) != 0) {
+            fprintf(stderr, "Expected \"%s\" but got \"%s\"\n", argv[2], root);
+            exit(1);
+        }
+    }
+
+    destroy_handle(sh, argv[1]);
+
+    exit(0);
+}

tests/semanage-handle-functions/test_transaction.c

@@ -0,0 +1,34 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <errno.h>
+#include <semanage/semanage.h>
+
+#include "functions.c"
+
+int main (int argc, char **argv) {
+    semanage_handle_t *sh;
+    
+    if (argc < 2)
+        exit(1);
+    
+    sh = get_handle(argv[1]);
+    
+    if (argc >= 3 && strcmp(argv[2], "reversed") == 0) {
+        test_commit(sh);
+        test_begin_transaction(sh);
+    }
+    else if (argc >= 3 && strcmp(argv[2], "twice") == 0) {
+        test_begin_transaction(sh);
+        test_begin_transaction(sh);
+        test_commit(sh);
+    }
+    else {
+        test_begin_transaction(sh);
+        test_commit(sh);
+    }
+
+    destroy_handle(sh, argv[1]);
+
+    exit(0);
+}

tests/semanage-seuser-functions/Makefile

@@ -0,0 +1,63 @@
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   Makefile of /CoreOS/libsemanage/Sanity/semanage-seuser-functions
+#   Description: Test semanage_seuser_* functions
+#   Author: Jan Zarsky <jzarsky@redhat.com>
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   Copyright (c) 2017 Red Hat, Inc.
+#
+#   This program is free software: you can redistribute it and/or
+#   modify it under the terms of the GNU General Public License as
+#   published by the Free Software Foundation, either version 2 of
+#   the License, or (at your option) any later version.
+#
+#   This program is distributed in the hope that it will be
+#   useful, but WITHOUT ANY WARRANTY; without even the implied
+#   warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+#   PURPOSE.  See the GNU General Public License for more details.
+#
+#   You should have received a copy of the GNU General Public License
+#   along with this program. If not, see http://www.gnu.org/licenses/.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+export TEST=/CoreOS/libsemanage/Sanity/semanage-seuser-functions
+export TESTVERSION=1.0
+
+BUILT_FILES=
+
+FILES=$(METADATA) runtest.sh Makefile PURPOSE functions.c test_*.c
+
+.PHONY: all install download clean
+
+run: $(FILES) build
+	./runtest.sh
+
+build: $(BUILT_FILES)
+	test -x runtest.sh || chmod a+x runtest.sh
+
+clean:
+	rm -f *~ $(BUILT_FILES)
+
+
+include /usr/share/rhts/lib/rhts-make.include
+
+$(METADATA): Makefile
+	@echo "Owner:           Jan Zarsky <jzarsky@redhat.com>" > $(METADATA)
+	@echo "Name:            $(TEST)" >> $(METADATA)
+	@echo "TestVersion:     $(TESTVERSION)" >> $(METADATA)
+	@echo "Path:            $(TEST_DIR)" >> $(METADATA)
+	@echo "Description:     Test semanage_seuser_* functions" >> $(METADATA)
+	@echo "Type:            Sanity" >> $(METADATA)
+	@echo "TestTime:        5m" >> $(METADATA)
+	@echo "RunFor:          libsemanage" >> $(METADATA)
+	@echo "Requires:        libsemanage libsemanage-devel glibc gcc" >> $(METADATA)
+	@echo "Priority:        Normal" >> $(METADATA)
+	@echo "License:         GPLv2+" >> $(METADATA)
+	@echo "Confidential:    no" >> $(METADATA)
+	@echo "Destructive:     no" >> $(METADATA)
+	@echo "Releases:        -RHEL4 -RHELClient5 -RHELServer5" >> $(METADATA)
+
+	rhts-lint $(METADATA)

tests/semanage-seuser-functions/PURPOSE

@@ -0,0 +1,3 @@
+PURPOSE of /CoreOS/libsemanage/Sanity/semanage-seuser-functions
+Description: Test semanage_seuser_* functions
+Author: Jan Zarsky <jzarsky@redhat.com>

tests/semanage-seuser-functions/functions.c

@@ -0,0 +1,263 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <errno.h>
+#include <semanage/semanage.h>
+
+void check_result_int(const char *expected, int real) {
+    int exp = strtol(expected, NULL, 10);
+
+    if (exp != real) {
+        fprintf(stderr, "Expected %d but got %d\n", exp, real);
+        exit(1);
+    }
+}
+
+semanage_handle_t *test_handle_create() {
+    semanage_handle_t *sh = NULL;
+
+    sh = semanage_handle_create();
+    printf("semanage_handle_create(): %p\n", (void *) sh);
+
+    if (sh == NULL) {
+        perror("semanage_handle_create");
+        exit(2);
+    }
+
+    return sh;
+}
+
+int test_connect(semanage_handle_t *sh) {
+    int result = semanage_connect(sh);
+    printf("semanage_connect(%p): %d\n", (void *) sh, result);
+
+    if (result != 0) {
+        perror("semanage_connect");
+        exit(2);
+    }
+
+    return result;
+}
+
+int test_disconnect(semanage_handle_t *sh) {
+    int result = semanage_disconnect(sh);
+    printf("semanage_disconnect(%p): %d\n", (void *) sh, result);
+
+    if (result != 0) {
+        perror("semanage_disconnect");
+        exit(2);
+    }
+
+    return result;
+}
+
+int test_begin_transaction(semanage_handle_t *sh) {
+    int result = semanage_begin_transaction(sh);
+    printf("semanage_begin_transaction(%p): %d\n", (void *) sh, result);
+
+    if (result != 0) {
+        perror("semanage_begin_transaction");
+        exit(2);
+    }
+
+    return result;
+}
+
+int test_commit(semanage_handle_t *sh) {
+    int result = semanage_commit(sh);
+    printf("semanage_commit(%p): %d\n", (void *) sh, result);
+
+    if (result != 0) {
+        perror("semanage_commit");
+        exit(2);
+    }
+
+    return result;
+}
+
+semanage_seuser_key_t *test_get_key(semanage_handle_t *sh, const char *name) {
+    semanage_seuser_key_t *key;
+    int result = semanage_seuser_key_create(sh, name, &key);
+    printf("semanage_seuser_key_create(%p, %s, %p): %d\n",
+           (void *) sh, name, (void *) &key, result);
+
+    if (key == NULL || result < 0) {
+        perror("semanage_seuser_key_create");
+        exit(2);
+    }
+
+    return key;
+}
+
+semanage_seuser_t *test_get_seuser_nth(semanage_handle_t *sh, unsigned int index) {
+    int result;
+    semanage_seuser_t **records;
+    unsigned int count;
+
+    result = semanage_seuser_list(sh, &records, &count);
+    printf("semanage_seuser_list(%p, %p, %p): %d\n",
+           (void *) sh, (void *) &records, (void *) &count, result);
+    
+    if (result < 0) {
+        perror("semanage_seuser_list");
+        exit(2);
+    }
+
+    if (count < index + 1)
+        exit(2);
+
+    return records[index];
+}
+
+semanage_seuser_t *test_get_seuser_new(semanage_handle_t *sh) {
+    int result;
+    semanage_seuser_t *seuser;
+
+    result = semanage_seuser_create(sh, &seuser);
+    printf("semanage_seuser_create(%p, %p): %d\n",
+           (void *) sh, (void *) seuser, result);
+    
+    if (result < 0) {
+        perror("semanage_seuser_create");
+        exit(2);
+    }
+
+    return seuser;
+}
+
+semanage_seuser_t *test_get_seuser(semanage_handle_t *sh, const char *param) {
+    if (strcmp(param, "new") == 0)
+        return test_get_seuser_new(sh);
+    
+    if (strcmp(param, "first") == 0)
+        return test_get_seuser_nth(sh, 0);
+
+    if (strcmp(param, "second") == 0)
+        return test_get_seuser_nth(sh, 1);
+
+    fprintf(stderr, "Unknown seuser \"%s\" specified\n", param);
+    exit(2);
+}
+
+void test_add_local_seuser(semanage_handle_t *sh, semanage_seuser_t *seuser) {
+    int result;
+    semanage_seuser_key_t *key;
+
+    result = semanage_seuser_key_extract(sh, seuser, &key);
+    printf("semanage_seuser_key_extract(%p, %p, %p): %d\n",
+           (void *) sh, (void *) seuser, (void *) &key, result);
+
+    if (result < 0) {
+        perror("semanage_seuser_key_extract");
+        exit(2);
+    }
+
+    result = semanage_seuser_modify_local(sh, key, seuser);
+    printf("semanage_seuser_modify_local(%p, %p, %p): %d\n",
+           (void *) seuser, (void *) key, (void *) seuser, result);
+
+    if (result < 0) {
+        perror("semanage_seuser_modify_local");
+        exit(2);
+    }
+}
+
+void test_del_local_seuser(semanage_handle_t *sh, semanage_seuser_t *seuser) {
+    int result;
+    semanage_seuser_key_t *key;
+
+    result = semanage_seuser_key_extract(sh, seuser, &key);
+    printf("semanage_seuser_key_extract(%p, %p, %p): %d\n",
+           (void *) sh, (void *) seuser, (void *) &key, result);
+
+    if (result < 0) {
+        perror("semanage_seuser_key_extract");
+        exit(2);
+    }
+
+    result = semanage_seuser_del_local(sh, key);
+    printf("semanage_seuser_del_local(%p, %p): %d\n",
+           (void *) seuser, (void *) key, result);
+
+    if (result < 0) {
+        perror("semanage_seuser_del_local");
+        exit(2);
+    }
+}
+
+#define STATE_INIT      1
+#define STATE_HANDLE    2
+#define STATE_CONN      3
+#define STATE_TRANS     4
+
+int get_state(const char *state_str) {
+    if (strcmp(state_str, "init") == 0)
+        return STATE_INIT;
+    if (strcmp(state_str, "handle") == 0)
+        return STATE_HANDLE;
+    if (strcmp(state_str, "conn") == 0)
+        return STATE_CONN;
+    if (strcmp(state_str, "trans") == 0)
+        return STATE_TRANS;
+
+    return 0;
+}
+
+semanage_handle_t * get_handle(const char *state_str) {
+    int state;
+    semanage_handle_t *sh = NULL;
+
+    state = get_state(state_str);
+
+    if (state >= STATE_INIT)
+        sh = NULL;
+
+    if (state >= STATE_HANDLE)
+        sh = test_handle_create();
+
+    if (state >= STATE_CONN)
+        test_connect(sh);
+
+    if (state >= STATE_TRANS)
+        test_begin_transaction(sh);
+
+    return sh;
+}
+
+void destroy_handle(semanage_handle_t *sh, const char *state_str) {
+    int state;
+
+    state = get_state(state_str);
+
+    if (state >= STATE_TRANS)
+        test_commit(sh);
+
+    if (state >= STATE_CONN)
+        test_disconnect(sh);
+
+    if (state >= STATE_HANDLE) {
+        semanage_handle_destroy(sh);
+        printf("semanage_handle_destroy(%p)\n", (void *) sh);
+    }
+}
+
+int strcmp_null(const char *str1, const char *str2) {
+    if (str1 == NULL && str2 == NULL)
+        return 0;
+
+    if (str1 == NULL) {
+        if (strcmp(str2, "NULL") == 0)
+            return 0;
+        else
+            return -1;
+    }
+
+    if (str2 == NULL) {
+        if (strcmp(str1, "NULL") == 0)
+            return 0;
+        else
+            return 1;
+    }
+
+    return strcmp(str1, str2);
+}

tests/semanage-seuser-functions/runtest.sh

@@ -0,0 +1,255 @@
+#!/bin/bash
+# vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   runtest.sh of /CoreOS/libsemanage/Sanity/semanage-seuser-functions
+#   Description: Test semanage_seuser_* functions
+#   Author: Jan Zarsky <jzarsky@redhat.com>
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   Copyright (c) 2017 Red Hat, Inc.
+#
+#   This program is free software: you can redistribute it and/or
+#   modify it under the terms of the GNU General Public License as
+#   published by the Free Software Foundation, either version 2 of
+#   the License, or (at your option) any later version.
+#
+#   This program is distributed in the hope that it will be
+#   useful, but WITHOUT ANY WARRANTY; without even the implied
+#   warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+#   PURPOSE.  See the GNU General Public License for more details.
+#
+#   You should have received a copy of the GNU General Public License
+#   along with this program. If not, see http://www.gnu.org/licenses/.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+# Include Beaker environment
+. /usr/bin/rhts-environment.sh || exit 1
+. /usr/share/beakerlib/beakerlib.sh || exit 1
+
+PACKAGE="libsemanage"
+
+rlJournalStart
+    rlPhaseStartSetup
+        rlAssertRpm ${PACKAGE}
+        rlAssertRpm ${PACKAGE}-devel
+        rlAssertRpm "glibc"
+        rlAssertRpm "gcc"
+
+        for f in test_*.c ; do 
+            out=$(echo -n $f | cut -d'.' -f1)
+            rlRun "gcc $f -o $out -lsemanage -Wall -Wextra -Werror -std=c99"
+        done
+
+        POLICY_TYPE="$(grep -E '^SELINUXTYPE=' /etc/selinux/config | cut -d'=' -f2 | tr '[:upper:]' '[:lower:]' | tr -d ' ')"
+
+        if rlIsFedora; then
+            SEUSERS_PATH="/var/lib/selinux/$POLICY_TYPE/active/seusers"
+        elif rlIsRHEL '>=7'; then
+            SEUSERS_PATH="/etc/selinux/$POLICY_TYPE/active/seusers"
+        else
+            SEUSERS_PATH="/etc/selinux/$POLICY_TYPE/seusers"
+        fi
+
+        rlRun "cat $SEUSERS_PATH"
+
+        SEUSERS_COUNT="$(cat $SEUSERS_PATH | grep -vE '^#|^$' | wc -l)"
+        rlRun "[[ \"$SEUSERS_COUNT\" -gt 0 ]]"
+
+        SEUSERS="$(cat $SEUSERS_PATH | grep -vE '^#|^$' | cut -d':' -f1 | tr '\n' ' ')"
+        rlRun "[[ -n \"$SEUSERS\" ]]"
+
+        first_line="$(cat $SEUSERS_PATH | grep -vE '^#|^$' | head -n 1)"
+        SEUSER="$(echo -n $first_line | cut -d':' -f1)"
+        rlRun "[[ -n \"$SEUSER\" ]]"
+        SEUSER_SENAME="$(echo -n $first_line | cut -d':' -f2)"
+        rlRun "[[ -n \"$SEUSER_SENAME\" ]]"
+        SEUSER_MLSRANGE="$(echo -n $first_line | cut -d':' -f3-4)"
+        rlRun "[[ -n \"$SEUSER_MLSRANGE\" ]]"
+
+        SEUSER_NONEXISTENT="nonuser"
+        SEUSER_DEFAULT="__default__"
+
+        ERR_FAIL=1
+        ERR_ABORT=134
+        ERR_SEGFAULT=139
+
+        # note: each test_*.c program takes first argument which specifies setup
+        #       before executing specified function
+        #       init      semanage handle == NULL
+        #       handle    semanage handle obtained via semanage_handle_create
+        #       conn      connected via semanage_connect
+        #       trans     inside transaction, via semanage_begin_transaction
+        # program returns 1 on error in function, 2 on error in setup
+    rlPhaseEnd
+
+    rlPhaseStartTest "semanage_seuser_key_create, semanage_seuser_key_free"
+        # FIXME
+        # rlRun "./test_key_create init   $SEUSER" $ERR_ABORT,$ERR_SEGFAULT
+        # rlRun "./test_key_create handle $SEUSER" $ERR_FAIL
+        rlRun "./test_key_create conn   $SEUSER"
+        rlRun "./test_key_create trans  $SEUSER"
+    rlPhaseEnd
+
+    rlPhaseStartTest "semanage_seuser_key_extract"
+        # FIXME
+        #rlRun "./test_key_extract conn  new"
+        rlRun "./test_key_extract conn  first"
+        # FIXME
+        #rlRun "./test_key_extract trans new"
+        rlRun "./test_key_extract trans first"
+    rlPhaseEnd
+
+    rlPhaseStartTest "semanage_seuser_compare"
+        rlRun "./test_compare conn  $SEUSER             same"
+        rlRun "./test_compare conn  $SEUSER_NONEXISTENT different"
+        rlRun "./test_compare trans $SEUSER             same"
+        rlRun "./test_compare trans $SEUSER_NONEXISTENT different"
+    rlPhaseEnd
+
+    rlPhaseStartTest "semanage_seuser_compare2"
+        rlRun "./test_compare2 conn  NULL 0"    $ERR_ABORT,$ERR_SEGFAULT
+        rlRun "./test_compare2 conn  0    NULL" $ERR_ABORT,$ERR_SEGFAULT
+        rlRun "./test_compare2 conn  NULL NULL" $ERR_ABORT,$ERR_SEGFAULT
+        rlRun "./test_compare2 conn  0    0"
+        rlRun "./test_compare2 conn  0    1"
+        rlRun "./test_compare2 trans NULL 0"    $ERR_ABORT,$ERR_SEGFAULT
+        rlRun "./test_compare2 trans 0    NULL" $ERR_ABORT,$ERR_SEGFAULT
+        rlRun "./test_compare2 trans NULL NULL" $ERR_ABORT,$ERR_SEGFAULT
+        rlRun "./test_compare2 trans 0    0"
+        rlRun "./test_compare2 trans 0    1"
+    rlPhaseEnd
+
+    rlPhaseStartTest "semanage_seuser_count"
+        rlRun "./test_count init"   $ERR_ABORT,$ERR_SEGFAULT
+        rlRun "./test_count handle" $ERR_FAIL
+        rlRun "./test_count conn  $SEUSERS_COUNT"
+        rlRun "./test_count trans $SEUSERS_COUNT"
+    rlPhaseEnd
+
+    rlPhaseStartTest "semanage_seuser_list"
+        rlRun "./test_list init"   $ERR_ABORT,$ERR_SEGFAULT
+        rlRun "./test_list handle" $ERR_FAIL
+        rlRun "./test_list conn  $SEUSERS_COUNT $SEUSERS"
+        rlRun "./test_list trans $SEUSERS_COUNT $SEUSERS"
+    rlPhaseEnd
+
+    rlPhaseStartTest "semanage_seuser_iterate"
+        rlRun "./test_iterate init"   $ERR_ABORT,$ERR_SEGFAULT
+        rlRun "./test_iterate handle" $ERR_FAIL
+        rlRun "./test_iterate conn  $SEUSERS"
+        rlRun "./test_iterate trans $SEUSERS"
+    rlPhaseEnd
+
+    rlPhaseStartTest "semanage_seuser_exists"
+        rlRun "./test_exists conn  $SEUSER_NONEXISTENT 0"
+        rlRun "./test_exists conn  $SEUSER_DEFAULT     1"
+        rlRun "./test_exists conn  $USER               1"
+        rlRun "./test_exists trans $SEUSER_NONEXISTENT 0"
+        rlRun "./test_exists trans $SEUSER_DEFAULT     1"
+        rlRun "./test_exists trans $SEUSER             1"
+    rlPhaseEnd
+
+    rlPhaseStartTest "semanage_seuser_query"
+        rlRun "./test_query conn  $SEUSER_NONEXISTENT" $ERR_FAIL
+        rlRun "./test_query conn  $SEUSER_DEFAULT"
+        rlRun "./test_query conn  $SEUSER"
+        rlRun "./test_query trans $SEUSER_NONEXISTENT" $ERR_FAIL
+        rlRun "./test_query trans $SEUSER_DEFAULT"
+        rlRun "./test_query trans $SEUSER"
+    rlPhaseEnd
+
+    rlPhaseStartTest "semanage_seuser_get_name"
+        rlRun "./test_get_name conn  new   NULL"
+        rlRun "./test_get_name conn  first $SEUSER"
+        rlRun "./test_get_name trans new   NULL"
+        rlRun "./test_get_name trans first $SEUSER"
+    rlPhaseEnd
+
+    rlPhaseStartTest "semanage_seuser_set_name"
+        name="someuser"
+        rlRun "./test_set_name conn  $name"
+        rlRun "./test_set_name trans $name"
+    rlPhaseEnd
+
+    rlPhaseStartTest "semanage_seuser_get_sename"
+        rlRun "./test_get_sename conn  new   NULL"
+        rlRun "./test_get_sename conn  first $SEUSER_SENAME"
+        rlRun "./test_get_sename trans new   NULL"
+        rlRun "./test_get_sename trans first $SEUSER_SENAME"
+    rlPhaseEnd
+
+    rlPhaseStartTest "semanage_seuser_set_sename"
+        sename="someuser_u"
+        rlRun "./test_set_sename conn  $sename"
+        rlRun "./test_set_sename trans $sename"
+    rlPhaseEnd
+
+    rlPhaseStartTest "semanage_seuser_get_mlsrange"
+        rlRun "./test_get_mlsrange conn  new   NULL"
+        rlRun "./test_get_mlsrange conn  first $SEUSER_MLSRANGE"
+        rlRun "./test_get_mlsrange trans new   NULL"
+        rlRun "./test_get_mlsrange trans first $SEUSER_MLSRANGE"
+    rlPhaseEnd
+
+    rlPhaseStartTest "semanage_seuser_set_mlsrange"
+        mlsrange="c0-s1:c0.c42"
+        rlRun "./test_set_mlsrange conn  $mlsrange"
+        rlRun "./test_set_mlsrange trans $mlsrange"
+    rlPhaseEnd
+
+    rlPhaseStartTest "semanage_seuser_clone"
+        # FIXME
+        #rlRun "./test_clone conn  new"
+        rlRun "./test_clone conn  first"
+        # FIXME
+        #rlRun "./test_clone trans new"
+        rlRun "./test_clone trans first"
+    rlPhaseEnd
+
+    rlPhaseStartTest "semanage_seuser_create"
+        # FIXME
+        #rlRun "./test_create init" $ERR_ABORT,$ERR_SEGFAULT
+        #rlRun "./test_create handle" $ERR_ABORT,$ERR_SEGFAULT
+        rlRun "./test_create conn"
+        rlRun "./test_create trans"
+    rlPhaseEnd
+
+    rlPhaseStartTest "semanage_seuser_modify_local"
+        # function requires transaction
+        #rlRun "./test_modify_local conn  new"   $ERR_FAIL
+        #rlRun "./test_modify_local conn  first" $ERR_FAIL
+        #rlRun "./test_modify_local trans new"   $ERR_FAIL
+        rlRun "./test_modify_local trans first"
+    rlPhaseEnd
+    
+    rlPhaseStartTest "semanage_seuser_del_local"
+        # adding local seuser requires transaction
+        # FIXME
+        #rlRun "./test_del_local trans first new"
+        #rlRun "./test_del_local trans first second"
+        rlRun "./test_del_local trans first first"
+    rlPhaseEnd
+
+    rlPhaseStartTest "semanage_seuser_exists_local"
+        # adding local seuser requires transaction
+        rlRun "./test_exists_local trans first first  1"
+        rlRun "./test_exists_local trans first second 0"
+    rlPhaseEnd
+
+    rlPhaseStartTest "semanage_seuser_count_local"
+        # adding local seuser requires transaction
+        # FIXME
+        #rlRun "./test_count_local trans 0"
+        rlRun "./test_count_local trans 1"
+        rlRun "./test_count_local trans 2"
+    rlPhaseEnd
+
+    rlPhaseStartCleanup
+        testfiles="$(ls -1 test_* | grep -v '\.c' | tr '\n' ' ')"
+        rlRun "rm -f $testfiles"
+    rlPhaseEnd
+rlJournalPrintText
+rlJournalEnd

tests/semanage-seuser-functions/test_clone.c

@@ -0,0 +1,60 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <errno.h>
+#include <semanage/semanage.h>
+
+#include "functions.c"
+
+int main (int argc, char **argv) {
+    semanage_handle_t *sh;
+    semanage_seuser_t *seuser;
+    semanage_seuser_t *seuser_clone;
+    int result;
+    const char *str;
+    const char *str_clone;
+    
+    if (argc < 3)
+        exit(2);
+    
+    sh = get_handle(argv[1]);
+
+    seuser = test_get_seuser(sh, argv[2]);
+
+    result = semanage_seuser_clone(sh, seuser, &seuser_clone);
+    printf("semanage_seuser_clone(%p, %p): %d\n",
+           (void *) seuser, (void *) seuser_clone, result);
+
+    if (result < 0) {
+        perror("semanage_seuser_clone");
+        exit(1);
+    }
+
+    str = semanage_seuser_get_name(seuser);
+    str_clone = semanage_seuser_get_name(seuser_clone);
+
+    if (strcmp(str, str_clone) != 0) {
+        fprintf(stderr, "Different in get_name\n");
+        exit(1);
+    }
+
+    str = semanage_seuser_get_sename(seuser);
+    str_clone = semanage_seuser_get_sename(seuser_clone);
+
+    if (strcmp(str, str_clone) != 0) {
+        fprintf(stderr, "Different in get_sename\n");
+        exit(1);
+    }
+
+    str = semanage_seuser_get_mlsrange(seuser);
+    str_clone = semanage_seuser_get_mlsrange(seuser_clone);
+
+    if (strcmp(str, str_clone) != 0) {
+        fprintf(stderr, "Different in get_mlsrange\n");
+        exit(1);
+    }
+
+    destroy_handle(sh, argv[1]);
+
+    exit(0);
+}

tests/semanage-seuser-functions/test_compare.c

@@ -0,0 +1,44 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <errno.h>
+#include <semanage/semanage.h>
+
+#include "functions.c"
+
+int main (int argc, char **argv) {
+    semanage_handle_t *sh;
+    semanage_seuser_t *seuser;
+    semanage_seuser_key_t *key;
+    int result;
+    
+    if (argc < 3)
+        exit(2);
+    
+    sh = get_handle(argv[1]);
+
+    seuser = test_get_seuser(sh, "first");
+
+    key = test_get_key(sh, argv[2]);
+
+    result = semanage_seuser_compare(seuser, key);
+    printf("semanage_seuser_compare(%p, %p): %d\n",
+           (void *) seuser, (void *) key, result);
+
+    if (argc >= 4) {
+        if (strcmp(argv[3], "same") == 0 && result != 0) {
+            fprintf(stderr, "Expected same but got different\n");
+            exit(1);
+        }
+        else if (strcmp(argv[3], "different") == 0 && result == 0) {
+            fprintf(stderr, "Expected different but got same\n");
+            exit(1);
+        }
+    }
+
+    semanage_seuser_key_free(key);
+
+    destroy_handle(sh, argv[1]);
+
+    exit(0);
+}

tests/semanage-seuser-functions/test_compare2.c

@@ -0,0 +1,54 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <errno.h>
+#include <semanage/semanage.h>
+
+#include "functions.c"
+
+int main (int argc, char **argv) {
+    semanage_handle_t *sh;
+    semanage_seuser_t *seuser;
+    semanage_seuser_t *seuser2;
+    int result;
+    int first = -1;
+    int second = -1;
+    
+    if (argc < 4)
+        exit(2);
+    
+    sh = get_handle(argv[1]);
+
+    if (strcmp(argv[2], "NULL") == 0) {
+        seuser = NULL;
+    }
+    else {
+        first = strtol(argv[2], NULL, 10);
+        seuser = test_get_seuser_nth(sh, first);
+    }
+
+    if (strcmp(argv[3], "NULL") == 0) {
+        seuser2 = NULL;
+    }
+    else {
+        second = strtol(argv[3], NULL, 10);
+        seuser2 = test_get_seuser_nth(sh, second);
+    }
+
+    result = semanage_seuser_compare2(seuser, seuser2);
+    printf("semanage_seuser_compare(%p, %p): %d\n",
+           (void *) seuser, (void *) seuser2, result);
+
+    if (first == second && result != 0) {
+        fprintf(stderr, "Expected same but got different\n");
+        exit(1);
+    }
+    else if (first != second && result == 0) {
+        fprintf(stderr, "Expected different but got same\n");
+        exit(1);
+    }
+
+    destroy_handle(sh, argv[1]);
+
+    exit(0);
+}

tests/semanage-seuser-functions/test_count.c

@@ -0,0 +1,34 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <errno.h>
+#include <semanage/semanage.h>
+
+#include "functions.c"
+
+int main (int argc, char **argv) {
+    semanage_handle_t *sh;
+    unsigned int response;
+    int result;
+    
+    if (argc < 2)
+        exit(2);
+    
+    sh = get_handle(argv[1]);
+
+    result = semanage_seuser_count(sh, &response);
+    printf("semanage_seuser_count(%p, %p): %d, response: %u\n",
+           (void *) sh, (void *) &response, result, response);
+    
+    if (result < 0) {
+        perror("semanage_seuser_count");
+        exit(1);
+    }
+
+    if (argc >= 3)
+        check_result_int(argv[2], response);
+
+    destroy_handle(sh, argv[1]);
+
+    exit(0);
+}

tests/semanage-seuser-functions/test_count_local.c

@@ -0,0 +1,46 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <errno.h>
+#include <semanage/semanage.h>
+
+#include "functions.c"
+
+int main (int argc, char **argv) {
+    semanage_handle_t *sh;
+    semanage_seuser_t *seuser;
+    int result;
+    unsigned int response;
+    int num;
+    
+    if (argc < 2)
+        exit(2);
+    
+    sh = get_handle(argv[1]);
+
+    num = strtol(argv[2], NULL, 10);
+
+    for (int i = 0; i < num; i++) {
+        seuser = test_get_seuser_nth(sh, i);
+
+        test_add_local_seuser(sh, seuser);
+    }
+
+    result = semanage_seuser_count_local(sh, &response);
+    printf("semanage_seuser_count_local(%p, %p): %d, response: %d\n",
+           (void *) sh, (void *) &response, result, response);
+
+    if (result < 0) {
+        perror("semanage_seuser_count_local");
+        exit(1);
+    }
+
+    if (argc >= 3)
+        check_result_int(argv[2], response);
+
+    test_del_local_seuser(sh, seuser);
+
+    destroy_handle(sh, argv[1]);
+
+    exit(0);
+}

tests/semanage-seuser-functions/test_create.c

@@ -0,0 +1,53 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <errno.h>
+#include <semanage/semanage.h>
+
+#include "functions.c"
+
+int main (int argc, char **argv) {
+    semanage_handle_t *sh;
+    semanage_seuser_t *seuser;
+    int result;
+    const char *str;
+    
+    if (argc < 2)
+        exit(2);
+    
+    sh = get_handle(argv[1]);
+
+    result = semanage_seuser_create(sh, &seuser);
+    printf("semanage_seuser_create(%p, %p): %d\n",
+           (void *) sh, (void *) seuser, result);
+
+    if (result < 0) {
+        perror("semanage_seuser_create");
+        exit(1);
+    }
+
+    str = semanage_seuser_get_name(seuser);
+
+    if (str != NULL) {
+        fprintf(stderr, "Expected name == NULL, got %s\n", str);
+        exit(1);
+    }
+
+    str = semanage_seuser_get_sename(seuser);
+
+    if (str != NULL) {
+        fprintf(stderr, "Expected sename == NULL, got %s\n", str);
+        exit(1);
+    }
+
+    str = semanage_seuser_get_mlsrange(seuser);
+
+    if (str != NULL) {
+        fprintf(stderr, "Expected mlsrange == NULL, got %s\n", str);
+        exit(1);
+    }
+
+    destroy_handle(sh, argv[1]);
+
+    exit(0);
+}

tests/semanage-seuser-functions/test_del_local.c

@@ -0,0 +1,64 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <errno.h>
+#include <semanage/semanage.h>
+
+#include "functions.c"
+
+int main (int argc, char **argv) {
+    semanage_handle_t *sh;
+    semanage_seuser_t *seuser;
+    semanage_seuser_t *seuser_del;
+    semanage_seuser_key_t *key;
+    semanage_seuser_t **records;
+    int result;
+    unsigned int count;
+    
+    if (argc < 4)
+        exit(2);
+    
+    sh = get_handle(argv[1]);
+
+    seuser = test_get_seuser(sh, argv[2]);
+
+    test_add_local_seuser(sh, seuser);
+
+    seuser_del = test_get_seuser(sh, argv[3]);
+
+    result = semanage_seuser_key_extract(sh, seuser_del, &key);
+    printf("semanage_seuser_key_extract(%p, %p, %p): %d\n",
+           (void *) sh, (void *) seuser_del, (void *) &key, result);
+
+    if (result < 0) {
+        perror("semanage_seuser_key_extract");
+        exit(2);
+    }
+
+    result = semanage_seuser_del_local(sh, key);
+    printf("semanage_seuser_del_local(%p, %p): %d\n",
+           (void *) seuser, (void *) key, result);
+
+    if (result < 0) {
+        perror("semanage_seuser_del_local");
+        exit(1);
+    }
+
+    result = semanage_seuser_list_local(sh, &records, &count);
+    printf("semanage_seuser_list_local(%p, %p, %p): %d\n",
+           (void *) sh, (void *) &records, (void *) &count, result);
+    
+    if (result < 0) {
+        perror("semanage_seuser_list_local");
+        exit(2);
+    }
+
+    if (count != 0) {
+        fprintf(stderr, "Number of local seusers is not 0!\n");
+        exit(1);
+    }
+
+    destroy_handle(sh, argv[1]);
+
+    exit(0);
+}

tests/semanage-seuser-functions/test_exists.c

@@ -0,0 +1,37 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <errno.h>
+#include <semanage/semanage.h>
+
+#include "functions.c"
+
+int main (int argc, char **argv) {
+    semanage_handle_t *sh;
+    semanage_seuser_key_t *key;
+    int result;
+    int response;
+    
+    if (argc < 3)
+        exit(2);
+    
+    sh = get_handle(argv[1]);
+
+    key = test_get_key(sh, argv[2]);
+
+    result = semanage_seuser_exists(sh, key, &response);
+    printf("semanage_seuser_exists(%p, %p, %p): %d, response: %d\n",
+           (void *) sh, (void *) key, (void *) &response, result, response);
+    
+    if (result < 0) {
+        perror("semanage_seuser_exists");
+        exit(1);
+    }
+
+    if (argc >= 4)
+        check_result_int(argv[3], response);
+
+    destroy_handle(sh, argv[1]);
+
+    exit(0);
+}

tests/semanage-seuser-functions/test_exists_local.c

@@ -0,0 +1,59 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <errno.h>
+#include <semanage/semanage.h>
+
+#include "functions.c"
+
+int main (int argc, char **argv) {
+    semanage_handle_t *sh;
+    semanage_seuser_t *seuser;
+    semanage_seuser_t *seuser_exists;
+    semanage_seuser_key_t *key;
+    int result;
+    int response;
+    int exp;
+    
+    if (argc < 4)
+        exit(2);
+    
+    sh = get_handle(argv[1]);
+
+    seuser = test_get_seuser(sh, argv[2]);
+    seuser_exists = test_get_seuser(sh, argv[3]);
+
+    test_add_local_seuser(sh, seuser);
+
+    result = semanage_seuser_key_extract(sh, seuser_exists, &key);
+    printf("semanage_seuser_key_extract(%p, %p, %p): %d\n",
+           (void *) sh, (void *) seuser_exists, (void *) &key, result); 
+    if (result < 0) {
+        perror("semanage_seuser_key_extract");
+        exit(2);
+    }
+
+    result = semanage_seuser_exists_local(sh, key, &response);
+    printf("semanage_seuser_exists_local(%p, %p, %p): %d\n",
+           (void *) sh, (void *) key, (void *) &response, result);
+
+    if (result < 0) {
+        perror("semanage_seuser_exists_local");
+        exit(1);
+    }
+
+    if (argc >= 5) {
+        exp = strtol(argv[4], NULL, 10);
+
+        if (response != exp) {
+            fprintf(stderr, "Expected %d but got %d\n", exp, response);
+            exit(1);
+        }
+    }
+
+    test_del_local_seuser(sh, seuser);
+
+    destroy_handle(sh, argv[1]);
+
+    exit(0);
+}

tests/semanage-seuser-functions/test_get_mlsrange.c

@@ -0,0 +1,32 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <errno.h>
+#include <semanage/semanage.h>
+
+#include "functions.c"
+
+int main (int argc, char **argv) {
+    semanage_handle_t *sh;
+    semanage_seuser_t *seuser;
+    
+    if (argc < 4)
+        exit(2);
+    
+    sh = get_handle(argv[1]);
+
+    seuser = test_get_seuser(sh, argv[2]);
+
+    const char *name = semanage_seuser_get_mlsrange(seuser);
+    printf("semanage_seuser_get_mlsrange(%p): %s\n",
+           (void *) seuser, name);
+
+    if (strcmp_null(argv[3], name) != 0) {
+        fprintf(stderr, "Expected %s but got %s\n", argv[2], name);
+        exit(1);
+    }
+
+    destroy_handle(sh, argv[1]);
+
+    exit(0);
+}

tests/semanage-seuser-functions/test_get_name.c

@@ -0,0 +1,32 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <errno.h>
+#include <semanage/semanage.h>
+
+#include "functions.c"
+
+int main (int argc, char **argv) {
+    semanage_handle_t *sh;
+    semanage_seuser_t *seuser;
+    
+    if (argc < 4)
+        exit(2);
+    
+    sh = get_handle(argv[1]);
+
+    seuser = test_get_seuser(sh, argv[2]);
+
+    const char *name = semanage_seuser_get_name(seuser);
+    printf("semanage_seuser_get_name(%p): %s\n",
+           (void *) seuser, name);
+
+    if (strcmp_null(argv[3], name) != 0) {
+        fprintf(stderr, "Expected %s but got %s\n", argv[2], name);
+        exit(1);
+    }
+
+    destroy_handle(sh, argv[1]);
+
+    exit(0);
+}

tests/semanage-seuser-functions/test_get_sename.c

@@ -0,0 +1,32 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <errno.h>
+#include <semanage/semanage.h>
+
+#include "functions.c"
+
+int main (int argc, char **argv) {
+    semanage_handle_t *sh;
+    semanage_seuser_t *seuser;
+    
+    if (argc < 4)
+        exit(2);
+    
+    sh = get_handle(argv[1]);
+
+    seuser = test_get_seuser(sh, argv[2]);
+
+    const char *name = semanage_seuser_get_sename(seuser);
+    printf("semanage_seuser_get_sename(%p): %s\n",
+           (void *) seuser, name);
+
+    if (strcmp_null(argv[3], name) != 0) {
+        fprintf(stderr, "Expected %s but got %s\n", argv[2], name);
+        exit(1);
+    }
+
+    destroy_handle(sh, argv[1]);
+
+    exit(0);
+}

tests/semanage-seuser-functions/test_iterate.c

@@ -0,0 +1,49 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <errno.h>
+#include <semanage/semanage.h>
+
+#include "functions.c"
+
+int counter = 0;
+
+int handler(const semanage_seuser_t *record, void *varg) {
+    char **args = (char **) varg;
+    
+    const char *name = semanage_seuser_get_name(record);
+
+    if (strcmp(name, args[2 + counter++]) != 0)
+        return -1;
+
+    return 0;
+}
+
+int main (int argc, char **argv) {
+    semanage_handle_t *sh;
+    int result;
+    
+    if (argc < 2)
+        exit(2);
+    
+    sh = get_handle(argv[1]);
+
+    char **param = NULL;
+
+    if (argc >= 3) {
+        param = argv;
+    }
+
+    result = semanage_seuser_iterate(sh, &handler, (void *) param);
+    printf("semanage_seuser_iterate(%p, %p, %p): %d\n",
+           (void *) sh, (void *) &handler, (void *) param, result);
+    
+    if (result < 0) {
+        perror("semanage_seuser_iterate");
+        exit(1);
+    }
+
+    destroy_handle(sh, argv[1]);
+
+    exit(0);
+}

tests/semanage-seuser-functions/test_key_create.c

@@ -0,0 +1,39 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <errno.h>
+#include <semanage/semanage.h>
+
+#include "functions.c"
+
+int main (int argc, char **argv) {
+    semanage_handle_t *sh;
+    semanage_seuser_key_t *key;
+    const char *name;
+    int result;
+    
+    if (argc < 3)
+        exit(2);
+    
+    sh = get_handle(argv[1]);
+
+    if (strcmp(argv[2], "NULL") == 0)
+        name = NULL;
+    else
+        name = argv[2];
+
+    result = semanage_seuser_key_create(sh, name, &key);
+    printf("semanage_seuser_key_create(%p, %s, %p): %d\n",
+           (void *) sh, name, (void *) &key, result);
+
+    if (result < 0 || key == NULL) {
+        perror("semanage_seuser_key_create");
+        exit(1);
+    }
+
+    semanage_seuser_key_free(key);
+
+    destroy_handle(sh, argv[1]);
+
+    exit(0);
+}

tests/semanage-seuser-functions/test_key_extract.c

@@ -0,0 +1,45 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <errno.h>
+#include <semanage/semanage.h>
+
+#include "functions.c"
+
+int main (int argc, char **argv) {
+    semanage_handle_t *sh;
+    semanage_seuser_t *seuser;
+    semanage_seuser_key_t *key;
+    int result;
+    
+    if (argc < 3)
+        exit(2);
+    
+    sh = get_handle(argv[1]);
+
+    seuser = test_get_seuser(sh, argv[2]);
+
+    result = semanage_seuser_key_extract(sh, seuser, &key);
+    printf("semanage_seuser_key_extract(%p, %p, %p): %d\n",
+           (void *) sh, (void *) seuser, (void *) &key, result);
+
+    if (result < 0) {
+        perror("semanage_seuser_key_extract");
+        exit(1);
+    }
+
+    result = semanage_seuser_compare(seuser, key);
+    printf("semanage_seuser_compare(%p, %p): %d\n",
+           (void *) seuser, (void *) key, result);
+
+    if (result != 0) {
+        perror("semanage_seuser_compare");
+        exit(1);
+    }
+
+    semanage_seuser_key_free(key);
+
+    destroy_handle(sh, argv[1]);
+
+    exit(0);
+}

tests/semanage-seuser-functions/test_list.c

@@ -0,0 +1,63 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <errno.h>
+#include <semanage/semanage.h>
+
+#include "functions.c"
+
+int main (int argc, char **argv) {
+    semanage_handle_t *sh;
+    semanage_seuser_t **records;
+    unsigned int count;
+    int result;
+    
+    if (argc < 2)
+        exit(2);
+    
+    sh = get_handle(argv[1]);
+
+    result = semanage_seuser_list(sh, &records, &count);
+    printf("semanage_seuser_list(%p, %p, %p): %d",
+           (void *) sh, (void *) &records, (void *) &count, result);
+    
+    if (result < 0) {
+        perror("semanage_seuser_list");
+        exit(1);
+    }
+
+    printf(", count: %u, records: ", count);
+
+    const char *name;
+
+    for (unsigned int i = 0; i < count; i++) {
+        name = semanage_seuser_get_name(records[i]);
+        printf("%p (%s), ", (void *) records[i], name);
+    }
+
+    printf("\n");
+
+    if (argc >= 3) {
+        unsigned int exp_count = strtoul(argv[2], NULL, 10);
+        
+        if (count != exp_count) {
+            printf("Expected %u but got %u\n", exp_count, count);
+            exit(1);
+        }
+
+        const char *name;
+
+        for (unsigned int i = 0; i < count; i++) {
+            name = semanage_seuser_get_name(records[i]);
+
+            if (strcmp(name, argv[3 + i]) != 0) {
+                printf("Expected %s but got %s\n", name, argv[3 + i]);
+                exit(1);
+            }
+        }
+    }
+
+    destroy_handle(sh, argv[1]);
+
+    exit(0);
+}

tests/semanage-seuser-functions/test_modify_local.c

@@ -0,0 +1,64 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <errno.h>
+#include <semanage/semanage.h>
+
+#include "functions.c"
+
+int main (int argc, char **argv) {
+    semanage_handle_t *sh;
+    semanage_seuser_t *seuser;
+    semanage_seuser_key_t *key;
+    semanage_seuser_t **records;
+    int result;
+    unsigned int count;
+    
+    if (argc < 3)
+        exit(2);
+    
+    sh = get_handle(argv[1]);
+
+    seuser = test_get_seuser(sh, argv[2]);
+
+    result = semanage_seuser_key_extract(sh, seuser, &key);
+    printf("semanage_seuser_key_extract(%p, %p, %p): %d\n",
+           (void *) sh, (void *) seuser, (void *) &key, result);
+
+    if (result < 0) {
+        perror("semanage_seuser_key_extract");
+        exit(2);
+    }
+
+    result = semanage_seuser_modify_local(sh, key, seuser);
+    printf("semanage_seuser_modify_local(%p, %p, %p): %d\n",
+           (void *) seuser, (void *) key, (void *) seuser, result);
+
+    if (result < 0) {
+        perror("semanage_seuser_modify_local");
+        exit(1);
+    }
+
+    result = semanage_seuser_list_local(sh, &records, &count);
+    printf("semanage_seuser_list_local(%p, %p, %p): %d\n",
+           (void *) sh, (void *) &records, (void *) &count, result);
+    
+    if (result < 0) {
+        perror("semanage_seuser_list_local");
+        exit(2);
+    }
+
+    if (count != 1) {
+        fprintf(stderr, "Number of local seusers is %u, expected 1!\n", count);
+        exit(1);
+    }
+
+    if (semanage_seuser_compare(records[0], key) != 0) {
+        fprintf(stderr, "Local seuser is different!\n");
+        exit(1);
+    }
+
+    destroy_handle(sh, argv[1]);
+
+    exit(0);
+}

tests/semanage-seuser-functions/test_query.c

@@ -0,0 +1,50 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <errno.h>
+#include <semanage/semanage.h>
+
+#include "functions.c"
+
+int main (int argc, char **argv) {
+    semanage_handle_t *sh;
+    semanage_seuser_key_t *key;
+    semanage_seuser_t *response;
+    int result;
+    
+    if (argc < 3)
+        exit(2);
+    
+    sh = get_handle(argv[1]);
+
+    result = semanage_seuser_key_create(sh, argv[2], &key);
+    printf("semanage_seuser_key_create(%p, %s, %p): %d\n",
+           (void *) sh, argv[2], (void *) &key, result);
+
+    if (result < 0 || key == NULL) {
+        perror("semanage_seuser_key_create");
+        exit(2);
+    }
+
+    result = semanage_seuser_query(sh, key, &response);
+    printf("semanage_seuser_query(%p, %p, %p): %d, response: %p\n",
+           (void *) sh, (void *) key, (void *) &response, result, (void *) response);
+    
+    if (result < 0) {
+        perror("semanage_seuser_query");
+        exit(1);
+    }
+
+    const char *name = semanage_seuser_get_name(response);
+    printf("semanage_seuser_get_name(%p): %s\n",
+           (void *) response, name);
+
+    if (strcmp(argv[2], name) != 0) {
+        perror("semanage_seuser_get_name");
+        exit(2);
+    }
+
+    destroy_handle(sh, argv[1]);
+
+    exit(0);
+}

tests/semanage-seuser-functions/test_set_mlsrange.c

@@ -0,0 +1,62 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <errno.h>
+#include <semanage/semanage.h>
+
+#include "functions.c"
+
+int main (int argc, char **argv) {
+    semanage_handle_t *sh;
+    semanage_seuser_t *user;
+    int result;
+    const char *mlsrange;
+    
+    if (argc < 3)
+        exit(2);
+    
+    sh = get_handle(argv[1]);
+
+    user = test_get_seuser(sh, "first");
+
+    if (strcmp(argv[2], "NULL") == 0)
+        mlsrange = NULL;
+    else 
+        mlsrange = argv[2];
+
+    const char *old_mlsrange = semanage_seuser_get_mlsrange(user);
+    printf("semanage_seuser_get_mlsrange(%p): %s\n",
+           (void *) user, old_mlsrange);
+
+    if (old_mlsrange == NULL) {
+        perror("semanage_seuser_get_mlsrange");
+        exit(2);
+    }
+
+    if (strcmp(old_mlsrange, mlsrange) == 0) {
+        printf("New mlsrange is the same\n");
+        exit(2);
+    }
+
+    result = semanage_seuser_set_mlsrange(sh, user, mlsrange);
+    printf("semanage_seuser_set_mlsrange(%p, %p, %s): %d\n",
+           (void *) sh, (void *) user, mlsrange, result);
+
+    if (result < 0) {
+        perror("semanage_seuser_set_mlsrange");
+        exit(1);
+    }
+
+    const char *new_mlsrange = semanage_seuser_get_mlsrange(user);
+    printf("semanage_seuser_get_mlsrange(%p): %s\n",
+           (void *) user, new_mlsrange);
+
+    if (strcmp(new_mlsrange, mlsrange) != 0) {
+        perror("semanage_seuser_get_mlsrange");
+        exit(1);
+    }
+
+    destroy_handle(sh, argv[1]);
+
+    exit(0);
+}

tests/semanage-seuser-functions/test_set_name.c

@@ -0,0 +1,62 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <errno.h>
+#include <semanage/semanage.h>
+
+#include "functions.c"
+
+int main (int argc, char **argv) {
+    semanage_handle_t *sh;
+    semanage_seuser_t *user;
+    int result;
+    const char *name;
+    
+    if (argc < 3)
+        exit(2);
+    
+    sh = get_handle(argv[1]);
+
+    user = test_get_seuser(sh, "first");
+
+    if (strcmp(argv[2], "NULL") == 0)
+        name = NULL;
+    else 
+        name = argv[2];
+
+    const char *old_name = semanage_seuser_get_name(user);
+    printf("semanage_seuser_get_name(%p): %s\n",
+           (void *) user, old_name);
+
+    if (old_name == NULL) {
+        perror("semanage_seuser_get_name");
+        exit(2);
+    }
+
+    if (strcmp(old_name, name) == 0) {
+        printf("New name is the same\n");
+        exit(2);
+    }
+
+    result = semanage_seuser_set_name(sh, user, name);
+    printf("semanage_seuser_set_name(%p, %p, %s): %d\n",
+           (void *) sh, (void *) user, name, result);
+
+    if (result < 0) {
+        perror("semanage_seuser_set_name");
+        exit(1);
+    }
+
+    const char *new_name = semanage_seuser_get_name(user);
+    printf("semanage_seuser_get_name(%p): %s\n",
+           (void *) user, new_name);
+
+    if (strcmp(new_name, name) != 0) {
+        perror("semanage_seuser_get_name");
+        exit(1);
+    }
+
+    destroy_handle(sh, argv[1]);
+
+    exit(0);
+}

tests/semanage-seuser-functions/test_set_sename.c

@@ -0,0 +1,62 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <errno.h>
+#include <semanage/semanage.h>
+
+#include "functions.c"
+
+int main (int argc, char **argv) {
+    semanage_handle_t *sh;
+    semanage_seuser_t *user;
+    int result;
+    const char *name;
+    
+    if (argc < 3)
+        exit(2);
+    
+    sh = get_handle(argv[1]);
+
+    user = test_get_seuser(sh, "first");
+
+    if (strcmp(argv[2], "NULL") == 0)
+        name = NULL;
+    else 
+        name = argv[2];
+
+    const char *old_name = semanage_seuser_get_sename(user);
+    printf("semanage_seuser_get_sename(%p): %s\n",
+           (void *) user, old_name);
+
+    if (old_name == NULL) {
+        perror("semanage_seuser_get_sename");
+        exit(2);
+    }
+
+    if (strcmp(old_name, name) == 0) {
+        printf("New name is the same\n");
+        exit(2);
+    }
+
+    result = semanage_seuser_set_sename(sh, user, name);
+    printf("semanage_seuser_set_sename(%p, %p, %s): %d\n",
+           (void *) sh, (void *) user, name, result);
+
+    if (result < 0) {
+        perror("semanage_seuser_set_sename");
+        exit(1);
+    }
+
+    const char *new_name = semanage_seuser_get_sename(user);
+    printf("semanage_seuser_get_sename(%p): %s\n",
+           (void *) user, new_name);
+
+    if (strcmp(new_name, name) != 0) {
+        perror("semanage_seuser_get_sename");
+        exit(1);
+    }
+
+    destroy_handle(sh, argv[1]);
+
+    exit(0);
+}

tests/tests.yml

@@ -0,0 +1,25 @@
+---
+# Tests that run in all contexts
+- hosts: localhost
+  roles:
+  - role: standard-test-beakerlib
+    tags:
+    - classic
+    repositories:
+      - repo: "https://src.fedoraproject.org/tests/selinux.git"
+        dest: "selinux"
+    tests:
+    - selinux/libsemanage/semanage-handle-functions
+    - selinux/libsemanage/semanage-seuser-functions
+    - selinux/libsemanage/verify-options-in-semanage-conf
+    required_packages:
+    - libsemanage             # Required for semanage-*-functions tests
+    - libsemanage-devel       # Required for semanage-*-functions tests
+    - glibc                   # Required for semanage-*-functions tests
+    - gcc                     # Required for semanage-*-functions tests
+    - libselinux              # Required for verify-options-in-semanage-conf
+    - libselinux-utils        # Required for verify-options-in-semanage-conf
+    - policycoreutils         # Required for verify-options-in-semanage-conf
+    - policycoreutils-python  # Required for verify-options-in-semanage-conf when running on RHEL
+    - selinux-policy          # Required for verify-options-in-semanage-conf
+    - selinux-policy-devel    # Required for verify-options-in-semanage-conf

tests/verify-options-in-semanage-conf/Makefile

@@ -0,0 +1,64 @@
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   Makefile of /CoreOS/libsemanage/Sanity/verify-options-in-semanage-conf
+#   Description: Are the verify options in semanage.conf honored?
+#   Author: Milos Malik <mmalik@redhat.com>
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   Copyright (c) 2016 Red Hat, Inc.
+#
+#   This copyrighted material is made available to anyone wishing
+#   to use, modify, copy, or redistribute it subject to the terms
+#   and conditions of the GNU General Public License version 2.
+#
+#   This program is distributed in the hope that it will be
+#   useful, but WITHOUT ANY WARRANTY; without even the implied
+#   warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+#   PURPOSE. See the GNU General Public License for more details.
+#
+#   You should have received a copy of the GNU General Public
+#   License along with this program; if not, write to the Free
+#   Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+#   Boston, MA 02110-1301, USA.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+export TEST=/CoreOS/libsemanage/Sanity/verify-options-in-semanage-conf
+export TESTVERSION=1.0
+
+BUILT_FILES=
+
+FILES=$(METADATA) runtest.sh Makefile PURPOSE empty.te
+
+.PHONY: all install download clean
+
+run: $(FILES) build
+	./runtest.sh
+
+build: $(BUILT_FILES)
+	test -x runtest.sh || chmod a+x runtest.sh
+
+clean:
+	rm -f *~ $(BUILT_FILES)
+
+include /usr/share/rhts/lib/rhts-make.include
+
+$(METADATA): Makefile
+	@echo "Owner:           Milos Malik <mmalik@redhat.com>" > $(METADATA)
+	@echo "Name:            $(TEST)" >> $(METADATA)
+	@echo "TestVersion:     $(TESTVERSION)" >> $(METADATA)
+	@echo "Path:            $(TEST_DIR)" >> $(METADATA)
+	@echo "Description:     Are the verify options in semanage.conf honored?" >> $(METADATA)
+	@echo "Type:            Sanity" >> $(METADATA)
+	@echo "TestTime:        10m" >> $(METADATA)
+	@echo "RunFor:          libsemanage" >> $(METADATA)
+	@echo "Requires:        libselinux libselinux-utils libsemanage policycoreutils policycoreutils-python selinux-policy selinux-policy-devel" >> $(METADATA)
+	@echo "Priority:        Normal" >> $(METADATA)
+	@echo "License:         GPLv2" >> $(METADATA)
+	@echo "Confidential:    no" >> $(METADATA)
+	@echo "Destructive:     no" >> $(METADATA)
+	@echo "Releases:        -RHEL4 -RHELClient5 -RHELServer5" >> $(METADATA)
+
+	rhts-lint $(METADATA)
+

tests/verify-options-in-semanage-conf/PURPOSE

@@ -0,0 +1,9 @@
+PURPOSE of /CoreOS/libsemanage/Sanity/verify-options-in-semanage-conf
+Author: Milos Malik <mmalik@redhat.com>
+
+Are the verify options in semanage.conf honored?
+Tested options: verify kernel, verify module, verify linked
+Tested tools: semodule, semanage
+Positive and negative cases are tested.
+Original information found at http://selinuxproject.org/page/PolicyValidate
+

tests/verify-options-in-semanage-conf/empty.te

@@ -0,0 +1,2 @@
+policy_module(empty,1.0)
+

tests/verify-options-in-semanage-conf/runtest.sh

@@ -0,0 +1,142 @@
+#!/bin/bash
+# vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   runtest.sh of /CoreOS/libsemanage/Sanity/verify-options-in-semanage-conf
+#   Description: Are the verify options in semanage.conf honored?
+#   Author: Milos Malik <mmalik@redhat.com>
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   Copyright (c) 2016 Red Hat, Inc.
+#
+#   This copyrighted material is made available to anyone wishing
+#   to use, modify, copy, or redistribute it subject to the terms
+#   and conditions of the GNU General Public License version 2.
+#
+#   This program is distributed in the hope that it will be
+#   useful, but WITHOUT ANY WARRANTY; without even the implied
+#   warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+#   PURPOSE. See the GNU General Public License for more details.
+#
+#   You should have received a copy of the GNU General Public
+#   License along with this program; if not, write to the Free
+#   Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+#   Boston, MA 02110-1301, USA.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+# Include Beaker environment
+. /usr/bin/rhts-environment.sh || exit 1
+. /usr/share/beakerlib/beakerlib.sh || exit 1
+
+PACKAGE="libsemanage"
+MODULE_NAME="empty"
+SEMANAGE_CONF="/etc/selinux/semanage.conf"
+
+rlJournalStart
+	rlPhaseStartSetup
+		rlAssertRpm ${PACKAGE}
+		rlAssertRpm policycoreutils
+		rlAssertRpm selinux-policy
+		rlFileBackup ${SEMANAGE_CONF}
+		rlRun "rpm -qf /usr/sbin/semanage"
+		rlRun "grep -v -e '^#' -e '^$' ${SEMANAGE_CONF}"
+		OUTPUT_FILE=`mktemp`
+		
+		rlRun "setenforce 1"
+		rlRun "sestatus"
+		rlRun "ls -l ${MODULE_NAME}.te"
+		rlRun "make -f /usr/share/selinux/devel/Makefile"
+		rlRun "ls -l ${MODULE_NAME}.pp"
+    rlPhaseEnd
+
+	rlLog "positive cases follow"
+	# TODO: /bin/true could be replaced a script, which prints the supplied arguments into a file for further inspection
+
+	rlPhaseStartTest "verify kernel"
+		rlRun "semodule -r ${MODULE_NAME}" 0,1
+		rlFileRestore
+		rlRun "echo -en '[verify kernel]\npath = /bin/true\nargs = \$@\n[end]\n' >> ${SEMANAGE_CONF}"
+		rlRun "semodule -i ${MODULE_NAME}.pp 2>&1 | tee ${OUTPUT_FILE}"
+		rlAssertNotGrep "semodule.*failed" ${OUTPUT_FILE} -i
+		rlRun "semodule -l | grep ${MODULE_NAME}"
+		rlRun "semanage module -a ${MODULE_NAME}.pp 2>&1 | tee ${OUTPUT_FILE}"
+		rlAssertNotGrep "could not commit semanage transaction|no such file or directory" ${OUTPUT_FILE} -Ei
+		rlRun "semanage module -l | grep ${MODULE_NAME}"
+	rlPhaseEnd
+
+	rlPhaseStartTest "verify module"
+		rlRun "semodule -r ${MODULE_NAME}" 0,1
+		rlFileRestore
+		rlRun "echo -en '[verify module]\npath = /bin/true\nargs = \$@\n[end]\n' >> ${SEMANAGE_CONF}"
+		rlRun "semodule -i ${MODULE_NAME}.pp 2>&1 | tee ${OUTPUT_FILE}"
+		rlAssertNotGrep "semodule.*failed" ${OUTPUT_FILE} -i
+		rlRun "semodule -l | grep ${MODULE_NAME}"
+		rlRun "semanage module -a ${MODULE_NAME}.pp 2>&1 | tee ${OUTPUT_FILE}"
+		rlAssertNotGrep "could not commit semanage transaction|no such file or directory" ${OUTPUT_FILE} -Ei
+		rlRun "semanage module -l | grep ${MODULE_NAME}"
+	rlPhaseEnd
+
+    if rlIsRHEL '<7.3' ; then # because "[verify linked]" was dropped
+	rlPhaseStartTest "verify linked"
+		rlRun "semodule -r ${MODULE_NAME}" 0,1
+		rlFileRestore
+		rlRun "echo -en '[verify linked]\npath = /bin/true\nargs = \$@\n[end]\n' >> ${SEMANAGE_CONF}"
+		rlRun "semodule -i ${MODULE_NAME}.pp 2>&1 | tee ${OUTPUT_FILE}"
+		rlAssertNotGrep "semodule.*failed" ${OUTPUT_FILE} -i
+		rlRun "semodule -l | grep ${MODULE_NAME}"
+		rlRun "semanage module -a ${MODULE_NAME}.pp 2>&1 | tee ${OUTPUT_FILE}"
+		rlAssertNotGrep "could not commit semanage transaction|no such file or directory" ${OUTPUT_FILE} -Ei
+		rlRun "semanage module -l | grep ${MODULE_NAME}"
+	rlPhaseEnd
+    fi
+
+	rlLog "negative cases follow"
+	# TODO: /bin/false could be replaced a script, which prints the supplied arguments into a file for further inspection
+
+	rlPhaseStartTest "verify kernel"
+		rlRun "semodule -r ${MODULE_NAME}" 0,1
+		rlFileRestore
+		rlRun "echo -en '[verify kernel]\npath = /bin/false\nargs = \$@\n[end]\n' >> ${SEMANAGE_CONF}"
+		rlRun "semodule -i ${MODULE_NAME}.pp 2>&1 | tee ${OUTPUT_FILE}"
+		rlAssertGrep "semodule.*failed" ${OUTPUT_FILE} -i
+		rlRun "semodule -l | grep ${MODULE_NAME}" 1
+		rlRun "semanage module -a ${MODULE_NAME}.pp 2>&1 | tee ${OUTPUT_FILE}"
+		rlAssertGrep "could not commit semanage transaction|no such file or directory" ${OUTPUT_FILE} -Ei
+		rlRun "semanage module -l | grep ${MODULE_NAME}" 1
+	rlPhaseEnd
+
+	rlPhaseStartTest "verify module"
+		rlRun "semodule -r ${MODULE_NAME}" 0,1
+		rlFileRestore
+		rlRun "echo -en '[verify module]\npath = /bin/false\nargs = \$@\n[end]\n' >> ${SEMANAGE_CONF}"
+		rlRun "semodule -i ${MODULE_NAME}.pp 2>&1 | tee ${OUTPUT_FILE}"
+		rlAssertGrep "semodule.*failed" ${OUTPUT_FILE} -i
+		rlRun "semodule -l | grep ${MODULE_NAME}" 1
+		rlRun "semanage module -a ${MODULE_NAME}.pp 2>&1 | tee ${OUTPUT_FILE}"
+		rlAssertGrep "could not commit semanage transaction|no such file or directory" ${OUTPUT_FILE} -Ei
+		rlRun "semanage module -l | grep ${MODULE_NAME}" 1
+	rlPhaseEnd
+
+    if rlIsRHEL '<7.3' ; then # because "[verify linked]" was dropped
+	rlPhaseStartTest "verify linked"
+		rlRun "semodule -r ${MODULE_NAME}" 0,1
+		rlFileRestore
+		rlRun "echo -en '[verify linked]\npath = /bin/false\nargs = \$@\n[end]\n' >> ${SEMANAGE_CONF}"
+		rlRun "semodule -i ${MODULE_NAME}.pp 2>&1 | tee ${OUTPUT_FILE}"
+		rlAssertGrep "semodule.*failed" ${OUTPUT_FILE} -i
+		rlRun "semodule -l | grep ${MODULE_NAME}" 1
+		rlRun "semanage module -a ${MODULE_NAME}.pp 2>&1 | tee ${OUTPUT_FILE}"
+		rlAssertGrep "could not commit semanage transaction|no such file or directory" ${OUTPUT_FILE} -Ei
+		rlRun "semanage module -l | grep ${MODULE_NAME}" 1
+	rlPhaseEnd
+    fi
+
+	rlPhaseStartCleanup
+		rlRun "rm -f ${MODULE_NAME}.pp ${OUTPUT_FILE}"
+		rlFileRestore	
+	rlPhaseEnd
+rlJournalPrintText
+rlJournalEnd
+